MDR and IVDR state in no uncertain terms that risk management activities should be planned. Therefore, for every single medical device, the manufacturer should establish and document a Risk management plan in accordance with the manufacturer's risk management process. The risk management plan shall be a part of the risk management file, which is a part of the Technical Documentation.
The purpose of a Risk management plan is to describe the process to identify the hazards associated with the medical device, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls according to ISO 14971:2019 and ISO/TR 24971:2020.
The Risk management plan applies to all stages of the product life-cycle including all activities such as design, verification, validation, production and post-market activities.
1. Identification of Risks and Hazards
The first step in the risk management process is the identification of potential risks and the associated hazards that may arise from the use of a medical device. This involves a thorough analysis of the device's design, intended use, and the environments in which it will be employed. It also considers any relevant clinical data, user behaviors, and foreseeable misuse scenarios.
2. Risk Estimation
Once the risks and hazards are identified, the next step is to assess their potential impact. The most common approach here is using the Failure Mode and Effects Analysis (FMEA) based method. This assessment involves two key elements:
a) Determination of Occurrence of Harm (O). This evaluates the likelihood of a risk leading to harm. It considers factors such as the probability of exposure to the hazard and the probability of harm occurring as a result.
b) Determination of Severity of Harm (S). This assesses the potential consequences of a risk materializing. It involves determining the level of harm that could occur, ranging from minor inconvenience to severe injury or even loss of life.
That said, there are a number of other methods for risk estimation apart from FMEA. To find out which method is the best for your particular medical device, please refer to ISO/TR 24971.
3. Risk Control through Mitigation Measures
Based on the estimation of occurrence and severity, risk control measures are implemented to reduce or eliminate identified risks. These measures may include design modifications, the addition of safety features, incorporating warnings or instructions for users, or providing protective equipment. All these measures should be documented.
4. Risk-Benefit Analysis for Residual Risks
After applying risk control measures, some residual risks may still exist. A risk-benefit analysis is conducted to weigh these remaining risks against the benefits of using the medical device. This involves a careful evaluation of the potential benefits to patients and healthcare providers in comparison to the remaining level of risk.
5. Evaluation of Overall Residual Risk
The final step in the risk management process is the assessment of the overall residual risk. This involves considering the combined impact of all identified risks, even after applying mitigation measures. The goal is to ensure that the residual risk is at an acceptable level, taking into account the benefits provided by the device.
Below is the standard content of the Risk Management Plan. However, it's essential to assess its suitability for your specific medical device and modify it accordingly.