Risk Management Under EU Medical Device Regulation
Risk management is a continuous iterative process throughout the entire lifecycle of a medical device, and it requires regular systematic updating. According to EU Medical Device Regulation (EU MDR) Article 10(2), all Manufacturers are obligated to establish, document, implement and maintain a risk management system.

How is risk management documentation organized?

The documentation developed in the scope of the risk management system is organized in a risk management file. This archive should include a risk management plan for each device, a risk management matrix and a risk management report.

The risk management plan is a key element of the risk management system and it describes:

  1. the risk management process throughout the lifecycle of the device
  2. the responsibilities and authorities of the personnel
  3. the requirements for revision of risk management activities
  4. the risk management policy
  5. the method for evaluating the overall residual risk
  6. the verification of implementation of risk control measures
  7. the identification of sources of production and post-production information

Establishing a risk management policy is of particular importance because it provides a framework for the definition of criteria for risk acceptability, by determining levels for risk probability and severity which will be used to estimate risk in the risk matrix. It is the responsibility of top management to define and document the risk management policy.

The risk management matrix is linked to the respective risk management plan and report, functioning as worksheet for the risk management process allowing risk traceability.

 When new information emerges, in case of any change to the design, development and manufacture of the device or anytime the person responsible for regulatory compliance (PRRC) considers it necessary, a risk management report comprising the results from the review of risk management activities should be developed. The risk management report contains:

  1. the results of risk evaluation
  2. the risk control measures implemented
  3. the risk acceptability and benefit/risk analysis of the unacceptable risks
  4. the acceptability evaluation of overall residual risk and additional control measures
  5. the revision of production and post-production information

How is the risk management process developed and maintained?

A systematic framework to develop and maintain a risk management process is presented in standard ISO 14971:2019, which supersedes EN ISO 14971:2012. The standard ISO 14971:2019 is not yet harmonized under EU MDR, but the European Commission already published a draft of the standardization request to the European Standards organizations (CEN and CENELEC).

The application of ISO 14971:2019 is guided by the technical report ISO/TR 24971:2020. The ISO 14971:2019 is correlated with the standard IEC 62366-1:2015, regarding the application of usability engineering to medical devices.

According to ISO 14971:2019, the risk management process comprehends: risk analysis, risk evaluation, risk control, evaluation of overall residual risk, risk management review and production and post-production activities (Figure 1).

Figure 1. Risk management process steps, adapted from ISO/TR 24971:2020.

Risk analysis

The first step of risk analysis is to document the intended use and the reasonably foreseeable misuse of the device and identify the quantitative and qualitative characteristics related to its safety. The intended use takes into account the medical indication, the patient population, the part of the body interacting with the device, the user profile, the use environment and the operating principle of the device. The reasonably foreseeable misuse is a new feature presented in ISO 14971:2019, and it is defined as the use of the medical device in a way not intended by the Manufacturer, but which can result from predictable human behaviour, such as use errors, intentional acts of misuse, and use of the medical device for other non-intended medical applications. Cases of reasonably foreseeable misuse can be determined by applying a usability engineering process, according to IEC 62366-1:2015.

The Manufacturer shall then analyse the foreseeable hazards and examine sequences of events which can result in hazardous situations. The probability of occurrence of a hazardous situation is given by the product of probabilities of occurrence of each independent event (Figure 2).

Figure 2. Relationship of hazard, sequence of events and hazardous situation, adapted from ISO/TR 24971:2020

Finally, the risks are estimated, by assigning levels of probability and severity for each hazardous situation according to the risk policy criteria. When sufficient data are available, the probability is expressed quantitatively, otherwise, a qualitative method is preferrable. Although the probability is a continuous variable, it can be decomposed in discrete levels and when it cannot be estimated, the risk is evaluated based on severity alone. The severity of a harm is a continuum, but it can also be decomposed in discrete levels. The Manufacturer decides the number of levels for both probability and severity, whereas the resulting risk matrix is often 3×3 or 5×5.

Risk evaluation

The Manufacturer evaluate each estimated risk and determine the acceptability based on the criteria defined in the risk management policy, documented in the risk management plan. In case the risk is acceptable, no further control measure will be necessary and the risk will be treated as residual.

Risk control

In case the risk is unacceptable or conditionally acceptable, it must be mitigated. There are two approaches to risk control.

The Manufacturer can approach the risk control based on the practicability of the risk measures, making trade-offs between accepting certain risks and the availability of devices on the market.

Another approach is based on the magnitude of the residual risk in which the Manufacturer tries to reduce the risk as far as possible without adversely affecting the benefit-risk ratio. There are three risk control options, which are implemented by priority order. First, the Manufacturer designs and manufacture the device inherently safe. Second, the Manufacturer adopts protective measures either on the device or in the manufacturing process. Third, the Manufacturer issues information for safety or training to users.

After implementation of risk control measures, the individual residual risks are evaluated, also using the acceptability criteria defined in the risk management policy. In case the risk remains unacceptable, and no other control measure is applicable, a benefit-risk analysis based on data and literature is performed. If the benefit does not outweigh the risk, the Manufacturer may consider modifying the device or its intended use.

Some control measures can introduce new risks or affect risks already identified, so the Manufacturer shall review the effects of risk control measures.  

Evaluation of overall residual risk

After implementation and verification of risk control measures, the Manufacturer evaluates the overall residual risk, using the method and criteria defined in the risk management plan. The method to evaluate the overall residual risk can include: weighing the benefits against the overall residual risk, a visual representation of the residual risks, a comparison to similar medical devices, an expert evaluation and further investigations.

If the overall residual risk is still judged unacceptable, the Manufacturer may consider implementing additional risk control measures or modifying the device or its intended use.

Risk management review

Before releasing the device to commercial distribution, the Manufacturer confirms that the risk management has been properly executed and the results recorded as the risk management report, that the overall residual risk is considered acceptable and that appropriate methods to collect and review relevant production and post-production information are in place.

Production and post-production activities

The Manufacturer actively collects and reviews production and post-production information, including information generated during production and monitoring of production process, information generated by the user, information of installation, use and maintenance of the device, information generated by the supply chain, publicly available information and information related to the state of the art.

If the information collected is determined to be relevant to safety, the Manufacturer may apply actions concerning the medical device itself or the risk management process. The actions address devices already distributed, devices already manufactured but not distributed or devices to be manufactured.

How standards IEC 62366 correlates with ISO 14971:2019?

Section 5 of Chapter 1 of Annex I of EU MDR, requires the Manufacturer to reduce as far as possible the risks related to the ergonomic features of the device and the environment in which the device is intended to be used, and to consider the technical knowledge, experience, education, training, use environment, and the medical and physical conditions of the intended users.

Therefore, the standard IEC 62366-1:2015 assists the Manufacturer to analyse, specify, develop and evaluate the usability related to safety of a medical device. This usability engineering process allows the Manufacturer to assess and mitigate risks associated with the normal use of the device, which includes the correct use and use errors. It can also be used to identify but does not assess or mitigate risks associated with abnormal use.

The technical report IEC 62366-2:2016 has a broader focus. It focuses not only on usability related to safety, but also on usability related to attributes such as task accuracy, completeness and efficiency, and user satisfaction.

If you need more information regarding this subject, feel free to contact us at  info@criticalcatalyst.com.


  1. Regulation (EU) 2017/745, on medical devices;
  2. ISO 14971:2019, on application of risk management to medical devices;
  3. ISO/TR 24971:2020, guidance on the application of ISO 14971;
  4. IEC 62366-1:2015, on application of usability engineering to medical devices.


medical devices

Amendments to the Transitional Provisions of the European Union MDR and IVDR

The proposed amendments aim to maintain patients’ access to a wide range of medical devices while ensuring the transition to the new framework. The ammendments proposal aims to extend the current transition period (Article 120 of the MDR), and it also deletes the ‘sell-off’ deadlines of both MDR and IVDR. The extension is staggered depending on the risk class of the device – until December 2027 for high-risk devices and December 2028 for medium and lower-risk devices.

Read More »
medical devices

EU MDR – Proposal for Extension of Transition Period

The transition to MDR has been slower than anticipated by the European Commission. Insufficient capacity of notified bodies and the low level of preparedness of manufacturers led to a proposal for extension of current MDR transition period with deadlines depending on the risk class of the devices.

Read More »
medical devices

MDCG 2022-18 – EU MDR Article 97

EU MDR Article 97 may be a temporary solution to avoid disruption of supply of Medical Devices on the EU Market. The MDCG 2022-18 presents a uniform approach for application of MDR Article 97 on non-compliant legacy devices under the conditions set by the competent authorities, while limiting the impact on the supply of safe and effective devices.

Read More »
cosmetic products

EU to set Labelling Requirements for 56 additional Fragrance Allergens in Cosmetic Products

World Trade Organization (WTO) has been notified by the European Commission of a draft amendment to Regulation (EC) No 1223/2009 as regards labelling of fragrance allergens in Cosmetic Products. The proposed date of adoption of the new regulation is expected to be in the first half of 2023 and the propose date of entry in force 20 days from the publication in the Official Journal of the European Union.

Read More »
cosmetic products

New Amendments to the European Cosmetics Regulation – CMR Substances

The European Commission published the Commission Regulation (EU) 2022/1531, which amends Regulation (EC) No 1223/2009 in regards to the use in cosmetic products of certain substances classified as CMR. This amendment introduces new entries to Annex II and Annex III and revises an entry to Annex V to Regulation (EC) No 1223/2009.

Read More »
medical devices

EUDAMED – harmonized practices and alternative solutions for IVDR until the database is fully functional

EUDAMED is one of the key aspects of the new rules on in vitro diagnostic medical devices – Regulation (EU) 2017/746. However, it is only expected to achieve full functionality by the second quarter of 2024. Until then, how is the information submitted and/or exchanged between manufacturers, notified bodies and competent authorities?

Read More »
medical devices

EUDAMED – update on timelines

EUDAMED is one of the key aspects of the new rules on medical devices (Regulation (EU) 2017/745) and in vitro diagnostic medical devices (Regulation (EU) 2017/746), and it is expected to achieve full functionality by the second quarter of 2024.

Read More »
cosmetic products

UK OPSS call for data on six cosmetic ingredients

On 14 July 2022, the Office for Product Safety and Standards (OPSS – the UK regulator for cosmetic products) issued a call for data on the safety of the following six cosmetic ingredients to investigate any suspected endocrine disrupting properties. 

Read More »