Risk Management Process

  • To fulfill the requirements of the international standard and ensure your company gets a safe, effective product to market on time and within budget, you need a successful implementation of your risk management system. We can help your company do it the right way.

    We offer the following services:

    • Creation of a risk file in compliance with ISO 14971:2019 for newly developed devices

    • Remediation of existing risk management files (for medical devices and combination products)

    • Gap analysis services to check and improve the actual level of compliance of your risk management process with ISO 14971:2019

    Contact us / Ask A quote


    In the medical device industry, risk management goes beyond development and manufacturing; it is a vital part of all your company’s processes. ISO 14971 defines the international requirements of risk management systems for medical devices and sets out best practices throughout the entire life cycle of a device.

    EN ISO 14971:2019

    Overview of a typical quality risk management process (source: GMP annex 20).

    Under the MDD/MDR, the manufacturer is required to perform a risk analysis in order to avoid or minimize the possibility of accidents.
    ISO 14971:2019 specifies a process for a manufacturer to identify the hazards associated with medical devices, to estimate and evaluate the associated risks, to control and reduce these risks, to monitor the effectiveness of the controls, to evaluate residual risks and to perform reviews using production and post-production information.

    Important definitions for risk management process

    The following definitions are important for understanding the risk management process:

    The requirements of ISO 14971:2019 apply to all stages of the life-cycle of a medical device.

    Risk management is the systematic application of management policies, procedures and practices to the tasks of identifying, analyzing, evaluating, controlling, monitoring and reviewing risk.

    Risk analysis

    A risk analysis shall include at least:

    1. a description and identification of the medical device that was analyzed;
    2. identification of the person(s) and organization who carried out the risk analysis;
    3. scope and date of the risk analysis.

    The manufacturer shall also identify and document qualitative and quantitative characteristics that could affect the safety of the medical device and, where appropriate, their defined limits. The manufacturer shall document incorrect and improper use of the medical device and foreseeable hazards associated with the medical device in both normal and fault conditions; the manufacturer shall analyze the probability of occurrence of hazardous situations and the consequences.

    Fig.2 Example of risk chart

    Table 1: Example of severity levels

    Table 2: Example of probability occurrence

    Risk management is the overall quality management process by which risks are identified, evaluated, controlled, monitored and reviewed. Risk can be estimated based on the following:

    • Severity (Impact) = the degree of harm
    • Probability/occurrence/possibility = the likely rate of occurrence

     Risk = impact x probability 

    Table 3: Example of risk matrix

    Risk evaluation

    For each identified hazardous situation, the manufacturer shall decide, using the criteria defined in the risk management plan, if risk reduction is required.

    Risk control

    If risk reduction is required, the manufacturer shall identify risk control measure(s) for reducing the risk(s) to an acceptable level.

    The manufacturer shall use one or more of the following risk control options in the priority order listed:

    1. inherent safety by design;
    2. protective measures in the medical device itself or in the manufacturing process;
    3. information for safety.

    After the risk control measures are applied, any residual risk shall be evaluated using the criteria defined in the risk management plan. If the residual risk is not judged acceptable using these criteria, further risk control measures shall be applied. The manufacturer shall perform a risk/benefit analysis to demonstrate if benefits outweigh the residual risk. For residual risks that are judged acceptable, the manufacturer shall decide which residual risks to disclose and what information is necessary to include in the accompanying documents in order to disclose those residual risks.

    The effects of the risk control measures shall be reviewed with regard to:

    1. the introduction of new hazards or hazardous situations;
    2. whether the estimated risks for previously identified hazardous situations are affected by the introduction of the risk control measures.

    The manufacturer shall ensure that the risk(s) from all identified hazardous situations have been considered.

    Evaluation of overall residual risk acceptability

    If the overall residual risk is not judged acceptable using the criteria established in the risk management plan, the manufacturer may gather and review data and literature to determine if the medical benefits of the intended use outweigh the overall residual risk. If this evidence supports the conclusion that the medical benefits outweigh the overall residual risk, then the overall residual risk can be judged acceptable. Otherwise, the overall residual risk remains unacceptable.

    Risk management report

    Prior to release for commercial distribution of the medical device, the manufacturer shall carry out a review of the risk management process. This review shall at least ensure that:

    • the risk management plan has been appropriately implemented;
    • the overall residual risk is acceptable;
    • appropriate methods are in place to obtain relevant production and post-production information.

    The results of this review shall be recorded as the risk management report.

    Production and post-production information

    The manufacturer shall establish, document and maintain a system to collect and review information about the medical device or similar devices in the production and the post-production phases.

    When establishing a system to collect and review information about the medical device, the manufacturer should consider among other things:

    1. the mechanisms by which information generated by the operator, the user, or those accountable for the installation, use and maintenance of the medical device is collected and processed;
    2. new or revised standards.

    The system should also collect and review publicly available information about similar medical devices on the market.

    This information shall be evaluated for possible relevance to safety, especially the following:

    • if previously unrecognized hazards or hazardous situations are present or
    • if the estimated risk(s) arising from a hazardous situation is/are no longer acceptable.

    If any of the above conditions occur:

    • the impact on previously implemented risk management activities shall be evaluated and shall be fed back as an input to the risk management process and
    • a review of the risk management file for the medical device shall be conducted; if there is a potential that the residual risk(s) or its acceptability has changed, the impact on previously implemented risk control measures shall be evaluated.

    The risk analysis is an important tool that allows you to optimize the design, considering the possible risks associated with a new product. Risk analysis is a document that must be established in the earliest stages of project definition.

    In this way it is possible to evaluate the appropriate countermeasures to reduce the risk.

    The risk analysis must demonstrate that the risks have been assessed and that action has been taken to reduce their impact.
