5 Things You Need To Know About Medical Device Risk Management

Feb 11, 2020 | Risk Management

It may have escaped your notice, in the run-up to Christmas and year end, that there have been some substantial changes to the way we manage risks when we develop or manufacture medical devices.

As you read that sentence, you may have sighed.

It’s an understandable reaction, given that the last few years saw changes to regulations and key standards that we all work to in medical device and combination product development.

Sigh no more!

We’ve written this article to give you in just a few minutes an understanding of what has changed. We hope this helps you focus your efforts on making any changes that are needed, so you can get back to doing what you do best.

What’s not changed

A new version of ISO 14971 “Medical Devices – Application of Risk Management To Medical Devices” was published during December 2019.

Rest assured, the fundamental process of Risk Management hasn’t changed.

Let’s cut to the chase

To cut a long story short, here are 5 things you need to be aware of.

Thing One

This third version of ISO 14971 is aligned with the General Safety and Performance Requirements of the EU Medical Device Regulation (MDR) and In vitro Diagnostic Device Regulation (IVDR). That means there’s no need to cross-check for any deviations between the standard and regulatory requirements for any product you market (or plan to market) in the EU.

[Of course, you’ll already be aware that the MDR and IVDR already require you to have a Quality Management System in place that addresses risk management – here’s the simplest way of ensuring that is done, and done right first time.]

It is expected that this version of ISO 14971 will become a harmonised standard under the MDR and IVDR without any content deviations.

Thing Two

To remove confusion, we now have definitions of benefit and reasonably foreseeable misuse built into the standard. You’ll read shortly that reasonably foreseeable misuse must form part of your consideration of risk.

Benefit: “Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health”

Reasonably foreseeable misuse: “Use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behaviour” (from all types of users, intentional or unintentional)

Thing Three

The biggest change we’ve seen is to the way you go about evaluation of residual risk.

Previously, a two-step approach was acceptable. It started with evaluating the overall risk against the acceptability criteria you’d previously defined. Then, if the overall residual risk was not acceptable, you could gather data and literature to determine if the risks of device use were outweighed by the benefits its use provided. Many people found the approach unclear, especially with regard to what you did with individual residual risks and the overall residual risk.

The clouds have been parted, to give us a single step for overall residual risk:

All individual residual risks are considered to evaluate the overall residual risk, always in relation to the benefits of the Intended Use of your medical device.

You must include in your Risk Management Plan the method you’re going to use, as well as the acceptability criteria you will apply. You can have different criteria for individual residual risks and the overall residual risk.

If the result of your evaluation is that the residual risk is not acceptable, you must go back and apply additional risk control measures.

Thing Four

A lot has changed about what you’re expected to do once your product is on the market. There’s now more detail about what you need to do to collect and review information whilst your product is in use, including 4 steps:

  1. Set up a system to collect and review relevant data from production and post-production information sources
  2. Collect data for your device and similar products on the market (by similar, we mean not just medical devices but also other products with similar non-medical applications or similar operating principles). You’re expected to actively seek this information out.
  3. Review the relevance of these data for the safety of your device, especially for:
    • previously unidentified hazards or hazardous situations
    • whether a risk estimation is still acceptable, or not
    • whether the benefits provided by use of the device no longer outweigh the overall residual risk
    • a change in the “state of the art”
  4. If any of these have been identified, you are expected to review the risk management file, determine any new or revised risk analysis items and implement any necessary risk control measures.

Thing Five

If all this seems overwhelming, you’re not alone in having that feeling. Other people who have been worried have found it useful to work with experts to get it right. If you’d like to find out more, or would appreciate some help, do get in touch today.


So there you have it, five things you need to put in place to ensure you comply with both EU regulations for medical devices, and globally accepted risk management principles.

Further reading

There’s more information about Risk Management in recent articles posted to our website, including:

Balancing Risk and Reward

How to Make Sure Your Project Doesn’t Fail

Medical Device Risk Management