What is Risk Management in Medical Device Development?

Risk Management · ISO 14971 · MDR/IVDR · PRRC


Effective risk management protects patients and your business. This audit-ready guide explains what risk management is, why it matters, how it’s required under MDR/IVDR and FDA expectations, and exactly how to implement it per ISO 14971—with PRRC oversight, practical checklists, and copy-paste templates.


Definition — And Why It Matters

Risk management is a systematic process for identifying hazards, estimating and evaluating risks, implementing risk controls, and monitoring effectiveness throughout the device lifecycle. Done right, it keeps devices safe, effective, and reliable—and keeps your submissions defensible.

  • Patient safety: Reduces likelihood and severity of harm.
  • Regulatory compliance: Required by MDR/IVDR and expected by FDA; embedded in ISO 13485.
  • Business resilience: Fewer recalls, smoother audits, clearer design decisions.
Key principle: Benefits must outweigh residual risks, and residual risks must be known, controlled as far as possible, and communicated in labeling.

Regulatory Expectations at a Glance

  • EU MDR/IVDR: Manufacturers must apply a comprehensive, lifecycle risk management process and demonstrate conformity with General Safety & Performance Requirements (MDR Annex I §3; IVDR Annex I §3). QMS obligations are set out in Article 10; information on residual risk appears in Annex I §23.
  • US FDA: Risk management is integral to design controls and premarket submissions; maintain traceable risk analyses and verification/validation under quality system requirements (21 CFR Part 820).
  • ISO 14971:2019: Global standard detailing the risk management process; complementary to ISO 13485.

ISO 14971 Process — Step by Step

  1. Plan: Create a Risk Management Plan (scope, responsibilities, criteria for risk acceptability, methods, PMS inputs).
  2. Identify hazards: Energy, biological/chemical, software/algorithmic, cybersecurity, usability, data integrity, environment.
  3. Define sequences → hazardous situations: Foreseeable events leading to exposure.
  4. Define harms & rate severity: Clinical outcomes aligned with medical significance.
  5. Estimate probability of harm: Evidence-based likelihood considering protection layers and detectability.
  6. Evaluate risk: Compare to predefined acceptability criteria.
  7. Control risk (hierarchy 1→2→3): (1) Inherent safety by design; (2) Protective measures; (3) Information for safety.
  8. Assess residual risk & benefit–risk: Justify, disclose, or further control.
  9. Verify effectiveness: Objective tests show controls work; re-estimate risk.
  10. Report & maintain: Risk Management Report; keep the file current with PMS/complaints/field data.

PRRC Oversight — Making It Stick

  • PRRC approves the Risk Management Plan and acceptability criteria before analysis.
  • PRRC verifies traceability from hazard → control → verification → IFU warnings.
  • PRRC can block release if controls or effectiveness checks are incomplete.

Evidence & Records You Need

Each record is listed with its purpose, its owner, and the audit-ready proof an auditor will expect to see.

  • Risk Management Plan: defines scope, criteria, methods, roles, PMS inputs. Owner: RA/QA. Audit-ready proof: approved plan with version control.
  • Risk Analysis: hazards, sequences, hazardous situations, harms, estimates. Owner: RA/Engineering. Audit-ready proof: approved tables with rationale for ratings.
  • Risk Evaluation: acceptability decisions against criteria. Owner: RA/Clinical. Audit-ready proof: signed evaluation entries.
  • Risk Control Log: selected controls, hierarchy, implementation status. Owner: Engineering/QA. Audit-ready proof: design specs, test protocols/reports.
  • Verification of Effectiveness: objective evidence that controls work. Owner: QA/Test. Audit-ready proof: pass/fail with acceptance criteria met.
  • Residual Risk Evaluation: benefit–risk, disclosures, user information. Owner: RA/PRRC. Audit-ready proof: documented justification; IFU alignment.
  • Risk Management Report: lifecycle summary and release recommendation. Owner: QA/PRRC. Audit-ready proof: signed RMR linked to release.

Practical Examples

SaMD — Diagnostic Decision Support

  • Hazard: Algorithmic misclassification; stale input data.
  • Sequence: Data mapping error → incorrect risk score → clinician action.
  • Harm: Delayed or inappropriate therapy.
  • Controls: Input validation, model V&V with clinical datasets, confidence indicators, human-in-the-loop gating, usability testing, cybersecurity controls.
  • Effectiveness: Sensitivity/specificity targets met; usability success rate ≥ X%; pen-test issues closed.

Electro-Mechanical Device

  • Hazard: Electrical energy; pinch points.
  • Sequence: Insulation defect → user contact; hand in motion path.
  • Harm: Shock; crush injury.
  • Controls: Double insulation, interlocks/guards, leakage current limits, warning labels.
  • Effectiveness: Type testing passed; guard verification; labeling matches residual risks.

Copy/Paste Templates

Risk Acceptability Criteria (extract):
• S1 Minor — no clinical intervention; S2 Moderate — requires non-invasive intervention; S3 Serious — invasive intervention; S4 Critical — life-threatening/irreversible; S5 Catastrophic — death.
• P1 Rare … P5 Frequent — define using observed rates or justified estimates.
Decision rule: Risks in red cells require additional controls unless not technically possible; amber require justification and disclosure; green acceptable with monitoring.
Release Gate (PRRC):
“I confirm that risk controls for version [X.Y.Z] are implemented and verified, residual risks are acceptable per criteria, and labeling reflects residual risks.” — Name, Title, Date.
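As an added illustration (not code from the article or from any standard it cites), the acceptability criteria above and the PRRC traceability rule (hazard → control → verification → IFU) expressed as a release-gate check over a risk-file extract. The red/amber/green cell boundaries, the entry fields and the sample entries are assumptions constructed for the example; ISO 14971 leaves the actual criteria to the manufacturer.

```python
# Added example: PRRC-style release gate applying S1-S5 / P1-P5 criteria and the
# hazard -> control -> verification -> labeling traceability rule. Not from the article.
from dataclasses import dataclass, field


def zone(severity: int, probability: int) -> str:
    """Map an S/P pair to red/amber/green. The boundaries (product of S and P)
    are a hypothetical matrix; each manufacturer defines its own cells."""
    score = severity * probability
    return "red" if score >= 12 else "amber" if score >= 5 else "green"


@dataclass
class RiskEntry:
    hazard: str
    severity: int                 # S1..S5 from the criteria extract
    p_initial: int                # P1..P5 before controls
    p_residual: int               # P1..P5 after controls
    controls: list = field(default_factory=list)  # (hierarchy level 1/2/3, text)
    verified: bool = False        # objective effectiveness evidence on file
    justification: str = ""       # benefit-risk rationale for an amber residual risk
    ifu_disclosed: bool = False   # residual risk stated in labeling
    not_technically_possible: bool = False  # documented reason to accept a red cell


def gate_findings(entries):
    """Return (hazard, issue) pairs; an empty list means the gate can be signed."""
    findings = []
    for e in entries:
        residual = zone(e.severity, e.p_residual)
        if zone(e.severity, e.p_initial) != "green" and not e.controls:
            findings.append((e.hazard, "no risk control"))
        if e.controls and not e.verified:
            findings.append((e.hazard, "control effectiveness not verified"))
        if e.controls and all(lvl == 3 for lvl, _ in e.controls) and residual != "green":
            findings.append((e.hazard, "relies on information for safety only"))
        if residual == "red" and not e.not_technically_possible:
            findings.append((e.hazard, "red residual risk needs further controls"))
        if residual == "amber" and not e.justification:
            findings.append((e.hazard, "amber residual risk lacks justification"))
        if residual != "green" and not e.ifu_disclosed:
            findings.append((e.hazard, "residual risk not disclosed in IFU"))
    return findings


# Constructed risk-file extract modelled on the SaMD example (hypothetical values).
SAMPLE = [
    RiskEntry("Algorithmic misclassification", 4, 3, 1,
              controls=[(1, "input validation"), (2, "human-in-the-loop gating"),
                        (3, "confidence indicator")],
              verified=True, justification="benefit-risk documented", ifu_disclosed=True),
    RiskEntry("Stale input data", 3, 3, 2, controls=[(3, "IFU warning to refresh data")]),
]

if __name__ == "__main__":
    for hazard, issue in gate_findings(SAMPLE):
        print(f"BLOCK RELEASE: {hazard}: {issue}")
```

The second entry is blocked four times: its only control is information for safety, it is unverified, and the amber residual risk is neither justified nor disclosed.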

Post-Market Surveillance Interface

  • Feed complaints, adverse events, service data, and literature into risk files.
  • Trend harms and near-misses; adjust probability estimates and controls.
  • Trigger CAPA and design changes when signals exceed thresholds.

Common Pitfalls (and How to Avoid Them)

  • Unclear definitions: Mixing hazard, hazardous situation, and harm—train teams and standardize terms.
  • No acceptability criteria upfront: Decide criteria before scoring to avoid bias.
  • Controls without verification: Always add objective tests for effectiveness.
  • Weak traceability: Ensure every hazard maps to controls, tests, and labeling.
  • Static files: Risk documents must update with field data and software versions.

Audit-Ready Checklist

  1. Approved Risk Management Plan and criteria in place.
  2. Complete hazard inventory (hardware, software, usability, cybersecurity).
  3. End-to-end traceability matrix maintained and reviewed.
  4. Objective evidence for control effectiveness attached.
  5. Residual risks justified and reflected in IFU/warnings.
  6. PRRC release sign-off recorded; PMS feedback loop active.

Bottom Line

Risk management connects design reality to clinical safety. Use ISO 14971 rigor, enforce PRRC gates, and keep files living with PMS inputs. That’s how you build safer devices, pass audits, and protect patients.