How to Create a Risk Management Plan – Medical Devices

by John Lafferty, SQT Life Sciences Programme Director

Read time: 4 minutes

Risk management standard ISO 14971:2019 has specific requirements for a Risk Management Plan. To comply with the standard, it is important that medical device manufacturers address these requirements in their own plans. In this blog, we outline eight key elements of a Risk Management Plan. If you are interested in training on Risk Management for Medical Devices, see our Quality Risk Management and ISO 14971 Training (2-Day Course).

1. Identify and describe the life cycle phases

Identify the complete life cycle phases that are within scope for the Medical Device under review. These phases may range from Device Design & Development, Manufacturing and Distribution right through to Device Use and eventual Device Disposal. The life cycle must also cover changes to the device during its lifetime.

2. Assign Responsibilities and Authorities – e.g., Reviewers, Experts, Independent Verification etc.

Key among these is the determination of the individuals within the organisation who have the authority to approve the acceptance of the residual risk.

It is also important to identify key responsibilities for items such as clinical input, review of risk management activities and performance of production and post-production activities.

3. Establish Requirements for Review of Risk Management Activities.

These requirements include checking that:

  1. the risk management plan has been appropriately implemented;
  2. the overall residual risk is acceptable; and
  3. methods are in place for production and post-production activities.

4. Define the Criteria for Risk Acceptability – this includes where occurrence cannot be estimated.

The criteria for risk acceptability must be in line with the company’s stated policy on risk acceptability. If the device is required to comply with the EU MDR/IVDR, then the criteria for risk acceptability must include the requirement that risks be reduced as far as possible given the state of the art.

The criteria for risk acceptability must also address risks where the probability of occurrence cannot be estimated. Guidance on ISO 14971:2019 contained in ISO TR 24971:2021 identifies the risks of software failure and use error as examples of risks where it may not be possible, or prudent, to estimate the probability of occurrence. If the probability of occurrence cannot be estimated, the company must detail how these risks will be handled.

5. Establish the method for evaluation of the acceptability of the overall residual risk.

This method should include consideration of all residual risks in relation to the benefits of the intended use of the device. If the device is required to comply with the EU MDR/IVDR, then the manufacturer must ensure that the individual risks and the combined total risk are outweighed by the benefits.

6. Verify the Implementation and Effectiveness of Risk Control Measures 

For design risks, the company Design & Development process can easily be used to ensure that this requirement is fulfilled.

For process risks, the Risk Management system and/or the Quality Management System must incorporate a mechanism, such as Change Control or Control Plans, to ensure that any risk controls are implemented.

Also, for process risks, the effectiveness of risk controls should be verified through process validation or test method validation, or other appropriate means.

7. List the methods for production and post-production information

These must include methods for collection of information, review of information and implementation of actions arising from the review. For most manufacturers, this may be achieved by including references to their procedures on Control of Non-conforming Product, Complaints Handling, Post Market Surveillance etc. The methods for production and post-production information must also include methods for a review of the State of the Art.

8. Keep Records of Changes to the Plan

Plans were meant to change. If the plan changes during the product life cycle, then records of any changes must be kept. The most effective way to achieve this is to update the plan. Manufacturers should ensure that the risk management activities actually carried out are in accordance with the most up-to-date version of the plan.