Risk management for tools not categorised as medical devices


This SOP is relevant only to tools not categorised as medical devices. Please refer to the SOP on Medical Device Regulations for information on how to determine whether a tool is a medical device, and on requirements for risk management for medical devices.

Information governance and information security risks are outwith the scope of this SOP. You should follow your organisational policies to ensure compliance with the General Data Protection Regulation (GDPR) and information security standards.

Assess and mitigate clinical risk

To provide assurance of the safety of your decision support tool, you should work with key stakeholders to carry out a risk assessment which:

  • Looks at each of the decision support tool’s functions and architecture and the possible ways in which functions could fail.
  • Identifies the risks to patients if something went wrong with the software.
  • Identifies existing controls to prevent those risks occurring or to mitigate their impact.
  • Evaluates the current level of risk.
  • Identifies and implements further controls if that level of risk is unacceptable, then re-evaluates the risk.

The results of this risk assessment and mitigation should be documented in a hazard log and report, using a structured template such as the Failure Modes and Effects Analysis (FMEA) template. An example of a generic FMEA risk assessment covering common issues relevant to toolkits providing static content is provided below.

Download Example FMEA Risk Assessment

Maintaining and updating the hazard log

You should continue to update your hazard log once your decision support tool is live. New risks may emerge as the tool is upgraded and expanded, and as it sees increasing real-world use; each change should be re-scored against the existing controls and any new controls recorded.

Last reviewed: 04/09/2023

Next review date: 30/04/2024

Author(s): Ann Wales.

Version: 1.0

Author email(s): ann.wales3@nhs.net.

Approved By: Healthcare Improvement Scotland Evidence Directorate Senior Management Team

Reviewer name(s): Ann Wales.