Risk management plan - guide for medical device companies

MDR and IVDR state in no uncertain terms that risk management activities should be planned. Therefore, for every single medical device, the manufacturer should establish and document a Risk management plan in accordance with the manufacturer's risk management process. The risk management plan shall be a part of the risk management file, which is a part of the Technical Documentation.


The purpose of a Risk management plan is to describe the process to identify the hazards associated with the medical device, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls according to ISO 14971:2019 and ISO/TR 24971:2020.

The Risk management plan applies to all stages of the product life-cycle including all activities such as design, verification, validation, production and post-market activities.

Risk management plan in line with ISO 14971 and ISO/TR 24971

  • The scope of the planned risk management activities, identifying and describing the medical device and the life-cycle phases for which each element of the plan is applicable
  • Assignment of responsibilities and authorities including the definition of the Risk Management Work Group (RMWG)
  • Requirements for review of risk management activities
  • Criteria for risk acceptability, based on the manufacturer’s policy for determining acceptable risk, including criteria for accepting risks when the probability of occurrence of harm cannot be estimated
  • Verification activities
  • Activities related to collection and review of relevant production and post-production information
  • Risk management process
  • Management responsibilities
  • Qualification of personnel
  • Risk management file
  • Risk analysis
  • Intended use and identification of characteristics related to the safety of the medical device
  • Identification of hazards
  • Estimation of the risk(s) for each hazardous situation
  • Risk evaluation
  • Risk control
  • Risk reduction
  • Risk control option analysis
  • Implementation of risk control measure(s)
  • Residual risk evaluation
  • Risk/benefit analysis
  • Risks arising from risk control measures
  • Completeness of risk control
  • Evaluation of overall residual risk acceptability
  • Risk management report
  • Production and post-production information

Risk management process steps to be documented in Risk management plan

1. Identification of Risks and Hazards

The first step in the risk management process is the identification of potential risks and the associated hazards that may arise from the use of a medical device. This involves a thorough analysis of the device's design, intended use, and the environments in which it will be employed. It also considers any relevant clinical data, user behaviors, and foreseeable misuse scenarios.

2. Risk Estimation

Once the risks and hazards are identified, the next step is to assess their potential impact. The most common approach is a method based on Failure Mode and Effects Analysis (FMEA). This assessment involves two key elements:

a) Determination of Occurrence of Harm (O). This evaluates the likelihood of a risk leading to harm. It considers factors such as the probability of exposure to the hazard and the probability of harm occurring as a result.

b) Determination of Severity of Harm (S). This assesses the potential consequences of a risk materializing. It involves determining the level of harm that could occur, ranging from minor inconvenience to severe injury or even loss of life.

That said, there are a number of other methods for risk estimation apart from FMEA. To find out which method is the best for your particular medical device, please refer to ISO/TR 24971.

3. Risk Control through Mitigation Measures

Based on the estimation of occurrence and severity, risk control measures are implemented to reduce or eliminate identified risks. These measures may include design modifications, the addition of safety features, incorporating warnings or instructions for users, or providing protective equipment. All these measures should be documented.

4. Risk Benefit Analysis for Residual Risks

After applying risk control measures, some residual risks may still exist. A risk benefit analysis is conducted to weigh these remaining risks against the benefits of using the medical device. This involves a careful evaluation of the potential benefits to patients and healthcare providers in comparison to the remaining level of risk.

5. Evaluation of Overall Residual Risk

The final step in the risk management process is the assessment of the overall residual risk. This involves considering the combined impact of all identified risks, even after applying mitigation measures. The goal is to ensure that the residual risk is at an acceptable level, taking into account the benefits provided by the device.

Typical content of the Risk Management Plan

Below is the standard content of the Risk Management Plan. However, it's essential to assess its suitability for your specific medical device and modify it accordingly.

  1. Overview
  2. Validity of this Risk Management Plan
  3. Definitions and abbreviations
  4. Identification of subject device
    1. MDSW description
    2. Device risk-based classification
  5. Risk management process
  6. Product life cycle
  7. Management responsibility
  8. Qualification of personnel
  9. Scope of planned risk management activities
  10. Assignment of responsibilities and authorities
  11. Requirements for review of risk management activities
  12. Verification activities
  13. Production and post-production
  14. Risk Control Strategy
  15. Risk Management Process Flow
  16. Risk Management Process Description
  17. Documents & Records
  18. Detailed description of risk management process steps
    1. Identification of hazards
    2. Identified hazards
  19. Criteria for risk estimation
    1. Determination of Occurrence (O)
    2. Determination of Severity (S) and severity levels
    3. Determination of Risk Priority Number
  20. Risk control record
  21. Possibility of reduction of Occurrence during mitigation process
  22. Criteria for risk estimation and acceptability
  23. Risk-Benefit Analysis for residual risks
  24. Evaluation of overall residual risk


Our EU office

MedDev Compliance Ltd
Souliou 1, Strovolos, 2018 Nicosia, Cyprus
Phone: +357 22253765
Email: info@mdrc-services.com
 

©2024 MDRC - Medical Devices Regulatory Compliance
