What you need to know about risk management for Software as (or in) a Medical Device.

Following on from previous blogs, What you need to know about traceable requirements for medical devices and How much documentation does my Software as a Medical Device regulatory submission really need?, it’s time to now think about how to organise the complementary risk management, particularly for Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD).

For developers of SaMD or SiMD looking to deploy their software within the United Kingdom’s National Health Service, it is essential to understand how medical device risk management aligns with the clinical safety case required for "health IT systems", a category that includes both SaMD and devices incorporating SiMD.*

Given the importance of information security in SaMD and SiMD, how can top-down and bottom-up risk analysis techniques be effectively applied respectively to an information security risk treatment plan? Additionally, where relevant, how can these techniques be used to develop an artificial intelligence risk treatment plan?

* This may become more generally applicable due to the publication on 31st January 2025 by the International Organisation for Standardisation (ISO) of their publicly available document (PD) technical standard (TS) PD ISO/TS 81001-2-1:2025 Health software and health IT systems safety, effectiveness and security - Coordination. Guidance and requirements for the use of assurance cases for safety and security.

Understanding the standards 

The key standard for risk management is ISO 14971:2019 Medical devices — Application of risk management to medical devices or, in the guise in which it should be applied in the UK and EU, BS EN ISO 14971:2019+A11:2021 Medical devices. Application of risk management to medical devices. This standard is used in both the UK and EU because it is a harmonised standard in the EU and will become a designated standard in the UK. This means it aligns with and supports compliance with the respective medical device regulations in both regions. It is also a recognised consensus standard in the USA, meaning that the FDA allows its voluntary use when medical device submissions are made to them (as opposed to standards incorporated by reference, which are mandatory in their use, such as the upcoming incorporation of ISO 13485 into the Quality Management System Regulation.

ISO 14971:2019 provides some key definitions:

• Harm – injury or damage to the health of people, or damage to property or the environment

• Hazard – potential source of harm

• Hazardous situation – circumstance in which people, property or the environment is/are exposed to one or more hazards

• Intended use/ intended purpose – use for which a product, process or service is intended according to the specifications, instructions and information provided by the manufacturer

• Note: The intended medical indication, patient population, part of the body or type of tissue interacted with, user profile, use environment, and operating principle are typical elements of the intended use.

• Reasonably foreseeable misuse – use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behaviour

• Risk analysis – systematic use of available information to identify hazards (3.4) and to estimate the risk

• Risk estimation – process used to assign values to the probability of occurrence of harm and the severity of that harm

• Safety – freedom from unacceptable risk

Top-down risk analysis (device hazard analysis)

Top-down risk analysis focuses on identifying hazards, hazardous situations, and potential harms based on the system’s functionality. In contrast, bottom-up risk analysis examines threats and vulnerabilities within the system’s components and their interconnections. In digital systems, threats typically enter through attack vectors from the external environment, while vulnerabilities within the system can also create risks for the surrounding environment. At Hardian Health we recommend that risk analysis of digital health technology covers both the top-down and bottom-up aspects.

ISO 14971:2019 defines a sequence of activities for risk analysis, namely:

1. To write a Risk Management Plan (RMP) that describes how to perform the steps below

2. To document intended use and reasonably foreseeable misuse 

3. To identify characteristics related to safety

4. To identify hazards and hazardous situations

5. To perform risk estimation

6. To analyse options for risk control

7. To implement risk control measures

8. To evaluate residual risk

9. Possibly to perform benefit-risk analysis

10. To review risks arising from risk control measures

11. To ensure that all risks arising from all hazardous situations have been considered and all risk control activities have been completed

12. To evaluate overall residual risk 

13. To review the risk management and document the result in a Risk Management Report (RMR)

The Hardian approach 

To enable effective top-down risk analysis for our clients, we provide a Risk Management Plan (RMP) template that covers all required topics, with mentoring support for completion. This includes, where applicable, the clinical risk management plan required for the NHS, following the structures outlined in Annexes B and C of PD ISO/TS 81001-2-1:2025.

We offer an Intended Use Statement (IUS) template, which defines the intended purpose, intended use, and reasonably foreseeable misuse of the software. The IUS is referenced in the RMP to guide subsequent risk management activities. For risk estimation, we use a 5×5 matrix, with a five-point scale for both likelihood (or probability) and impact (or severity). By default, the terminology we use aligns with NHS standards (DCB 0129 and 0160), making our documentation DTAC compliant seamlessly and simplifying NHS market entry for clients where relevant.

Risk control measures are defined as design input requirements that can be implemented in the SaMD or SiMD itself, within accompanying documentation, or as part of company processes. These measures are then incorporated into the software and/or supporting documentation.

To evaluate risk reduction, we use the same 5×5 matrix to assess whether the likelihood and/or impact of a risk has been reduced to an acceptable level, which in EU Medical Device Regulations terms is “as far as possible without adversely affecting the benefit-risk ratio” (AFAP).

In summary, software risk estimation should focus primarily on severity and the relative probability of harm if a failure should occur rather than on attempts to estimate the probability of each possible software failure.

Bottom-up risk analysis (security risk analysis)

Top-down risk analysis for SaMD and SiMD is effectively complemented by bottom-up risk analysis, which focuses on the software’s components – whether developed in-house, purchased, or open source – as well as their interconnections and interoperability with the operating environment (e.g., operating systems, server hardware).

In the bottom-up risk analysis of software, we concentrate on cybersecurity, considering its impact on safety, effectiveness, and data protection. Data protection covers not only personal identifiable information (PII) in operational instances of SaMD and SiMD, but also in the machine learning or generative artificial intelligence workflows that take training and validation data, and parameter sets, to build a model that is accessed in the deployed SaMD or SiMD.

Ever since the US FDA mandated certain artefacts in their 510(k), de novo and PMA submissions for ‘cyber’ devices starting in 2023, namely Cybersecurity Management Plan (SMP), Security Risk Analysis (SRA), Security Risk Management Report (SMR), we at Hardian Health have templated these to cover these and have performed several submissions to the FDA as well as to EU Notified Bodies which give us confidence that we’ve validated our approach. 

At Hardian Health our approach is based on §4 of the Association for the Advancement of Medical Instrumentation (AAMI)’s Technical Information Report (TIR) AAMI TIR57:2016/(R)2023 Principles for medical device security – Risk management:

1. Consider in the SMP the characteristics related to security with respect to intended use

2. Identify threats, vulnerabilities, and assets

3. Identify adverse impacts

4. Estimate risks, in the SRA, for which we use the Common Vulnerability Scoring System (CVSS) in the form defined in the international standard ISO/IEEE 11073-40101:2022 Health informatics. Device interoperability – Part 40101: Foundational – Cybersecurity – Processes for vulnerability assessment

5. Control risk both proactively and reactively

• Proactively – implement requirements that are risk controls and verify their effectiveness, particularly against two best practice frameworks as appropriate to the SaMD or SiMD in question: 

1. Open web application security project (OWASP) Top 10 vulnerability criteria, recognised in the US FDA guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions as well as the NHS Digital Technology Assessment Criteria (DTAC) §C3.2

2. MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems), recognised in European Association of Notified Bodies guidance

• Reactively – perform third-party vulnerability/ penetration testing to independently assess residual risk, which is then fed into a revision of steps 1 to 4 and also per DTAC §C3.2

6. Once all the CVSS scores are below 4.0, complete the SMR, including attesting review of the security risk management process, per §4 of AAMI TIR57.

Clinical safety case

Having done all the above, particularly as the manufacturer should consider operational use of the SaMD or SiMD in the device hazard analysis, a clinical safety case is inherently provided from the manufacturer’s viewpoint. 

Information security and artificial intelligence risk treatment plans

For manufacturers wanting to be ISO 27001-compliant, they should consider how the requirements fit into medical device risk management.  Observing that BS EN ISO/IEC 27001:2023+A1:2024 Information security, cybersecurity and privacy protection. Information security management systems. Requirements contains the concept of a Statement of Applicability (SoA) and a Risk Treatment Plan (RTP), and that the similarly-structured standard BS ISO/IEC 42001:2023 Information technology. Artificial intelligence. Management system contain these same concepts. It can be seen that some of the controls that would need to be defined can and should be treated as requirements of the medical device itself and so are conveniently treated the same as the rest of the device hazard analysis and security risk analysis:

Hardian Health is a clinical digital consultancy focused on leveraging technology into healthcare markets through clinical strategy, scientific validation, regulation, health economics and intellectual property.