Risk Management Under EU Medical Device Regulation
Risk management is a continuous iterative process throughout the entire lifecycle of a medical device, and it requires regular systematic updating. According to EU Medical Device Regulation (EU MDR) Article 10(2), all Manufacturers are obligated to establish, document, implement and maintain a risk management system.

How is risk management documentation organized?

The documentation developed in the scope of the risk management system is organized in a risk management file. This archive should include a risk management plan for each device, a risk management matrix and a risk management report.

The risk management plan is a key element of the risk management system and it describes:

  1. the risk management process throughout the lifecycle of the device
  2. the responsibilities and authorities of the personnel
  3. the requirements for revision of risk management activities
  4. the risk management policy
  5. the method for evaluating the overall residual risk
  6. the verification of implementation of risk control measures
  7. the identification of sources of production and post-production information

Establishing a risk management policy is of particular importance because it provides a framework for the definition of criteria for risk acceptability, by determining levels for risk probability and severity which will be used to estimate risk in the risk matrix. It is the responsibility of top management to define and document the risk management policy.

The risk management matrix is linked to the respective risk management plan and report, functioning as worksheet for the risk management process allowing risk traceability.

 When new information emerges, in case of any change to the design, development and manufacture of the device or anytime the person responsible for regulatory compliance (PRRC) considers it necessary, a risk management report comprising the results from the review of risk management activities should be developed. The risk management report contains:

  1. the results of risk evaluation
  2. the risk control measures implemented
  3. the risk acceptability and benefit/risk analysis of the unacceptable risks
  4. the acceptability evaluation of overall residual risk and additional control measures
  5. the revision of production and post-production information

How is the risk management process developed and maintained?

A systematic framework to develop and maintain a risk management process is presented in standard ISO 14971:2019, which supersedes EN ISO 14971:2012. The standard ISO 14971:2019 is not yet harmonized under EU MDR, but the European Commission already published a draft of the standardization request to the European Standards organizations (CEN and CENELEC).

The application of ISO 14971:2019 is guided by the technical report ISO/TR 24971:2020. The ISO 14971:2019 is correlated with the standard IEC 62366-1:2015, regarding the application of usability engineering to medical devices.

According to ISO 14971:2019, the risk management process comprehends: risk analysis, risk evaluation, risk control, evaluation of overall residual risk, risk management review and production and post-production activities (Figure 1).

Figure 1. Risk management process steps, adapted from ISO/TR 24971:2020.

Risk analysis

The first step of risk analysis is to document the intended use and the reasonably foreseeable misuse of the device and identify the quantitative and qualitative characteristics related to its safety. The intended use takes into account the medical indication, the patient population, the part of the body interacting with the device, the user profile, the use environment and the operating principle of the device. The reasonably foreseeable misuse is a new feature presented in ISO 14971:2019, and it is defined as the use of the medical device in a way not intended by the Manufacturer, but which can result from predictable human behaviour, such as use errors, intentional acts of misuse, and use of the medical device for other non-intended medical applications. Cases of reasonably foreseeable misuse can be determined by applying a usability engineering process, according to IEC 62366-1:2015.

The Manufacturer shall then analyse the foreseeable hazards and examine sequences of events which can result in hazardous situations. The probability of occurrence of a hazardous situation is given by the product of probabilities of occurrence of each independent event (Figure 2).

Figure 2. Relationship of hazard, sequence of events and hazardous situation, adapted from ISO/TR 24971:2020

Finally, the risks are estimated, by assigning levels of probability and severity for each hazardous situation according to the risk policy criteria. When sufficient data are available, the probability is expressed quantitatively, otherwise, a qualitative method is preferrable. Although the probability is a continuous variable, it can be decomposed in discrete levels and when it cannot be estimated, the risk is evaluated based on severity alone. The severity of a harm is a continuum, but it can also be decomposed in discrete levels. The Manufacturer decides the number of levels for both probability and severity, whereas the resulting risk matrix is often 3×3 or 5×5.

Risk evaluation

The Manufacturer evaluate each estimated risk and determine the acceptability based on the criteria defined in the risk management policy, documented in the risk management plan. In case the risk is acceptable, no further control measure will be necessary and the risk will be treated as residual.

Risk control

In case the risk is unacceptable or conditionally acceptable, it must be mitigated. There are two approaches to risk control.

The Manufacturer can approach the risk control based on the practicability of the risk measures, making trade-offs between accepting certain risks and the availability of devices on the market.

Another approach is based on the magnitude of the residual risk in which the Manufacturer tries to reduce the risk as far as possible without adversely affecting the benefit-risk ratio. There are three risk control options, which are implemented by priority order. First, the Manufacturer designs and manufacture the device inherently safe. Second, the Manufacturer adopts protective measures either on the device or in the manufacturing process. Third, the Manufacturer issues information for safety or training to users.

After implementation of risk control measures, the individual residual risks are evaluated, also using the acceptability criteria defined in the risk management policy. In case the risk remains unacceptable, and no other control measure is applicable, a benefit-risk analysis based on data and literature is performed. If the benefit does not outweigh the risk, the Manufacturer may consider modifying the device or its intended use.

Some control measures can introduce new risks or affect risks already identified, so the Manufacturer shall review the effects of risk control measures.  

Evaluation of overall residual risk

After implementation and verification of risk control measures, the Manufacturer evaluates the overall residual risk, using the method and criteria defined in the risk management plan. The method to evaluate the overall residual risk can include: weighing the benefits against the overall residual risk, a visual representation of the residual risks, a comparison to similar medical devices, an expert evaluation and further investigations.

If the overall residual risk is still judged unacceptable, the Manufacturer may consider implementing additional risk control measures or modifying the device or its intended use.

Risk management review

Before releasing the device to commercial distribution, the Manufacturer confirms that the risk management has been properly executed and the results recorded as the risk management report, that the overall residual risk is considered acceptable and that appropriate methods to collect and review relevant production and post-production information are in place.

Production and post-production activities

The Manufacturer actively collects and reviews production and post-production information, including information generated during production and monitoring of production process, information generated by the user, information of installation, use and maintenance of the device, information generated by the supply chain, publicly available information and information related to the state of the art.

If the information collected is determined to be relevant to safety, the Manufacturer may apply actions concerning the medical device itself or the risk management process. The actions address devices already distributed, devices already manufactured but not distributed or devices to be manufactured.

How standards IEC 62366 correlates with ISO 14971:2019?

Section 5 of Chapter 1 of Annex I of EU MDR, requires the Manufacturer to reduce as far as possible the risks related to the ergonomic features of the device and the environment in which the device is intended to be used, and to consider the technical knowledge, experience, education, training, use environment, and the medical and physical conditions of the intended users.

Therefore, the standard IEC 62366-1:2015 assists the Manufacturer to analyse, specify, develop and evaluate the usability related to safety of a medical device. This usability engineering process allows the Manufacturer to assess and mitigate risks associated with the normal use of the device, which includes the correct use and use errors. It can also be used to identify but does not assess or mitigate risks associated with abnormal use.

The technical report IEC 62366-2:2016 has a broader focus. It focuses not only on usability related to safety, but also on usability related to attributes such as task accuracy, completeness and efficiency, and user satisfaction.

If you need more information regarding this subject, feel free to contact us at  info@criticalcatalyst.com.


  1. Regulation (EU) 2017/745, on medical devices;
  2. ISO 14971:2019, on application of risk management to medical devices;
  3. ISO/TR 24971:2020, guidance on the application of ISO 14971;
  4. IEC 62366-1:2015, on application of usability engineering to medical devices.


medical devices

Safety Reporting in Clinical Investigations: a Gap Analysis of Guidance Documents 

Safety reporting in clinical investigations of medical devices shall be performed in line with Article 80(2) of the EU MDR. On May 2020, it was published the MDCG 2020-10/1, outlining the procedures for safety reporting in clinical investigations of medical devices under the EU MDR. However, on October 2022 the Medical Device Coordination Group (MDCG) published an updated version of the MDCG 2020-10/1, the MDCG 2020-10/1 Rev 1. This article highlights the updates included in the new revision, analysing the gaps between both documents.

Read More »
medical devices

Roles and Responsibilities of an Authorised Representative under EU MDR and IVDR 

If a medical device manufacturer is not established in a Member State, the devices can only be placed on the Union market if the manufacturer designates an authorised representative. The authorised representative plays a pivotal role in ensuring the compliance of the devices with EU regulation, serving as point of contact. The obligations and responsibilities of authorised representative are outlined on Article 11 of both MDR and IVDR, but clarification of relevant requirements is described in MDCG 2022-16 of October 2022.

Read More »
medical devices

Understanding the ISO Standards Lifecycle

ISO Standards cover a huge range of activities, representing the distilled wisdom of people with expertise in their subject matter and providing the regulators with a sound basis to develop better legislation. ISO Standards are diverse, addressing from the shoe size we wear to the quality of air we breathe. The medical device sector is no exception. ISO has many International Standards and guidance documents aimed at helping the sector ensure safe and effective medical devices while meeting the multitude of national, regional and international regulatory requirements. But how exactly is a Standard developed, reviewed and withdraw?

Read More »
medical devices

Amendments to the Transitional Provisions of the European Union MDR and IVDR

The proposed amendments aim to maintain patients’ access to a wide range of medical devices while ensuring the transition to the new framework. The ammendments proposal aims to extend the current transition period (Article 120 of the MDR), and it also deletes the ‘sell-off’ deadlines of both MDR and IVDR. The extension is staggered depending on the risk class of the device – until December 2027 for high-risk devices and December 2028 for medium and lower-risk devices.

Read More »
medical devices

EU MDR – Proposal for Extension of Transition Period

The transition to MDR has been slower than anticipated by the European Commission. Insufficient capacity of notified bodies and the low level of preparedness of manufacturers led to a proposal for extension of current MDR transition period with deadlines depending on the risk class of the devices.

Read More »
medical devices

MDCG 2022-18 – EU MDR Article 97

EU MDR Article 97 may be a temporary solution to avoid disruption of supply of Medical Devices on the EU Market. The MDCG 2022-18 presents a uniform approach for application of MDR Article 97 on non-compliant legacy devices under the conditions set by the competent authorities, while limiting the impact on the supply of safe and effective devices.

Read More »
cosmetic products

EU to set Labelling Requirements for 56 additional Fragrance Allergens in Cosmetic Products

World Trade Organization (WTO) has been notified by the European Commission of a draft amendment to Regulation (EC) No 1223/2009 as regards labelling of fragrance allergens in Cosmetic Products. The proposed date of adoption of the new regulation is expected to be in the first half of 2023 and the propose date of entry in force 20 days from the publication in the Official Journal of the European Union.

Read More »
cosmetic products

New Amendments to the European Cosmetics Regulation – CMR Substances

The European Commission published the Commission Regulation (EU) 2022/1531, which amends Regulation (EC) No 1223/2009 in regards to the use in cosmetic products of certain substances classified as CMR. This amendment introduces new entries to Annex II and Annex III and revises an entry to Annex V to Regulation (EC) No 1223/2009.

Read More »