Design with Risk in Mind: Crafting a Comprehensive Risk Management Plan for Medical Devices

When performing risk management activities for a medical device, those activities shall be planned according to the ISO 14971 risk management standard. The risk management process, if conforming to the standard, should include provisions for creating a Risk Management Plan to guide and govern the various steps involved in assessing the risk of the product.

The risk management standard does not prescribe in detail how to perform risk management activities, other than defining what “risk” actually means. Companies are generally free to assess risk as they see fit. One aspect of the process the standard does require, in concert with many medical device regulations, is that the risk management activities be planned out in advance. Assessing the risk of a device against the safety of patients and users is not an activity to be taken lightly or performed “on the fly” with snap decisions about whether that risk is acceptable. The company should determine well in advance how it will conduct risk assessments, how risk acceptability is determined, and how the product risk will be continually monitored throughout its life cycle to ensure that the risk is not increasing. This advance planning shall be documented in a Risk Management Plan.

So, what elements are part of the Risk Management Plan, and how is the Plan put together? According to the risk management standard, the Risk Management Plan includes the following:

  • Scope of the planned risk management activities
  • Assignment of responsibilities and authorities
  • Requirements for review of risk management activities
  • Criteria for risk acceptability
  • A method for evaluating overall residual risk and determining whether that risk is acceptable
  • Activities for verification of the implementation and effectiveness of risk control measures
  • Activities related to collection and review of production and post-production information

Let’s explore these elements in more detail:

Scope of the Planned Risk Management Activities

Describe the medical device and which product life cycle phases the plan’s activities apply to. Whether a single plan is used or multiple documents form the plan, each activity belongs to certain phases of the life cycle of the device, including:

  • Design and development
  • Production
  • Post-launch surveillance
  • Product retirement

Assignment of Responsibilities and Authorities

The plan identifies who participates in the risk management process:

  • This can be individuals or corporate functions, or both
  • Approvers of the risk management deliverables are also identified here

Requirements for Review of Risk Management Activities

After the risk management activities are completed, the standard calls for the outputs to be reviewed for completeness and applicability per the plan. The results of the review form the Risk Management Report (more on that document later).

Formal risk management review may be included in other product development quality reviews if desired, such as phase reviews or other quality system requirements.

Criteria for Risk Acceptability

Before risk management activities ever begin, the criteria for risk acceptability for that product must be established by the manufacturer. 

  • If a company’s products are similar, risk acceptability can be defined by a single SOP or policy. In most cases, the risk management plan can simply reference the relevant SOP to define the acceptance criteria.
  • For non-similar products, such as disposable plastics vs. installed electro-mechanical diagnostic equipment, risk acceptability might be very different for each type of device. In those cases, acceptability criteria that differ from the SOP are defined directly in the risk management plan.
    • Of course, a variety of different acceptability criteria can be defined in the procedures as well. But regardless of the existence of pre-defined criteria in the procedures, risk acceptability is always formally defined in the risk management plan.

A Method for Evaluating Overall Residual Risk and Determining Whether That Risk is Acceptable

While the manufacturer’s policy defines risk acceptability criteria, exactly how the risk is deemed acceptable is also defined in the risk management plan.

  • At its most basic, weighing the residual risk against the benefits of the device is the minimum pathway toward determining risk acceptability.
  • It is not advisable to define acceptability in the SOP or policy purely as the result of risk assessment calculations. Regardless of how low the residual risk may be, a benefit-risk analysis must be performed to determine final acceptability of the risk and the consequent approval to launch the product on the market.
  • Most methodologies of determining risk acceptability involve comparisons to existing on-market products and some sort of clinical evaluation of the device’s potential benefits by qualified medical personnel.

Activities for Verification of the Implementation and Effectiveness of Risk Control Measures

Risk control measures identified as part of the risk assessment must be verified for both implementation in the product design, and their effectiveness at actually reducing the risk of the product as claimed.

In the risk management plan, it is common to reference the product’s Design Verification and Validation Plan(s) as the method for verification of the risk control measures. If desired, of course, the methodology can be written directly in the risk management plan or one of its annexes or sub-plans, but if the tests are going to be defined elsewhere, it’s not efficient to repeat that information in the risk management plan as well.

  • Product requirements, specifications, and/or drawings may be used to show the implementation of the risk control for physical design features. If the control is defined in the product requirements, that’s good evidence that the control is actually part of the product.
  • If written correctly, V&V testing for product design requirements can at the same time demonstrate the effectiveness of the risk controls. This is commonly achieved via some type of functional or reliability testing of the product feature in question. Separate effectiveness check testing may be defined as well if desired or required by the nature of the control mechanisms.

Activities Related to Collection and Review of Production and Post-Production Information

In nearly every regulated medical device market, there is a requirement to follow up on product quality issues with the product after launch. The various medical device standards require this as well, and the risk management standard is no exception. If the company did not already have a defined post-market surveillance system in place, it needs to have one now in order to conform to the 14971 standard.

  • As EU MDR, ISO 13485, 21 CFR part 820, and most other national regulations require post-market surveillance and adherence to the risk management standard, the quality system’s existing post-launch complaint handling system is most likely sufficient for conforming to all of these requirements. As such, this section of the risk management plan is most commonly expressed as a reference to the company’s existing post-market surveillance processes.
  • But as with most aspects of risk management planning, if the device in question demands unique methods of gathering post-launch data, those should be listed in the plan.

Post-market surveillance can and should include the following, as applicable to the device in question:

  • Complaints from users
  • Active solicitation of product performance
  • Clinical trial data
  • Production performance
  • Adverse event reporting

Information gathered from the post-market data can and should be analyzed to determine whether there are any trends of behavior that could negatively affect the risk of the product.

  • Statistical analysis of some type is typical for such activities.
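The post does not prescribe a particular statistical method, so the following is an added example (not from the original post or any standard) of one common approach: a u-chart style check of monthly complaint rates, normalised by units shipped, against a baseline period. The 3-sigma control limit, the run-length rule, the month records and all counts are assumptions constructed for illustration; a real surveillance procedure would tie these parameters to the device’s risk level as the plan describes.

```python
"""
Added example: u-chart style trend check over monthly post-market complaint
counts.  ISO 14971 does not prescribe this method; the 3-sigma limit and the
run-length rule are assumptions chosen for illustration.  All data are
constructed sample values, not real complaint records.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple


@dataclass
class MonthRecord:
    month: str        # calendar month label, e.g. "2024-01"
    shipped: int      # units placed on the market that month (assumed)
    complaints: int   # complaints attributed to that month's shipments (assumed)


# Constructed baseline period: six months of stable field performance.
BASELINE: List[MonthRecord] = [
    MonthRecord("2023-07", 1000, 5),
    MonthRecord("2023-08", 1000, 4),
    MonthRecord("2023-09", 1000, 6),
    MonthRecord("2023-10", 1000, 5),
    MonthRecord("2023-11", 1000, 4),
    MonthRecord("2023-12", 1000, 6),
]

# Constructed monitoring period, including a month with lower shipment volume.
MONITORING: List[MonthRecord] = [
    MonthRecord("2024-01", 1000, 7),
    MonthRecord("2024-02", 1000, 12),
    MonthRecord("2024-03", 500, 4),
    MonthRecord("2024-04", 1000, 6),
    MonthRecord("2024-05", 1000, 6),
    MonthRecord("2024-06", 1000, 13),
]


def baseline_rate(records: List[MonthRecord]) -> float:
    """Pooled complaint rate u-bar = total complaints / total units shipped."""
    return sum(r.complaints for r in records) / sum(r.shipped for r in records)


def upper_control_limit(u_bar: float, shipped: int, sigma: float = 3.0) -> float:
    """u-chart UCL for a month with `shipped` units: u-bar + sigma*sqrt(u-bar/n)."""
    return u_bar + sigma * sqrt(u_bar / shipped)


def check_month(rec: MonthRecord, u_bar: float, sigma: float = 3.0) -> Dict[str, float]:
    """Compare one month's complaint rate against its volume-adjusted UCL."""
    rate = rec.complaints / rec.shipped
    ucl = upper_control_limit(u_bar, rec.shipped, sigma)
    return {"rate": rate, "ucl": ucl, "exceeds_ucl": rate > ucl}


def trend_check(
    baseline: List[MonthRecord],
    monitoring: List[MonthRecord],
    sigma: float = 3.0,
    run_length: int = 5,
) -> List[Tuple[str, List[str]]]:
    """
    Return (month, reasons) for each monitoring month that warrants review:
    either its rate exceeds the UCL, or it closes a run of `run_length`
    consecutive months above the baseline rate (a gradual upward trend that
    individual-point limits would miss).
    """
    u_bar = baseline_rate(baseline)
    flagged: List[Tuple[str, List[str]]] = []
    above_run = 0  # consecutive months with rate above u-bar
    for rec in monitoring:
        result = check_month(rec, u_bar, sigma)
        above_run = above_run + 1 if result["rate"] > u_bar else 0
        reasons: List[str] = []
        if result["exceeds_ucl"]:
            reasons.append("rate above UCL")
        if above_run >= run_length:
            reasons.append(f"{above_run} consecutive months above baseline")
        if reasons:
            flagged.append((rec.month, reasons))
    return flagged


if __name__ == "__main__":
    print(f"baseline rate: {baseline_rate(BASELINE):.4f} complaints/unit")
    for month, reasons in trend_check(BASELINE, MONITORING):
        print(f"{month}: review required ({'; '.join(reasons)})")
```

A month flagged here is only a trigger for the review the plan calls for; whether the observed change actually raises the product’s risk is decided by feeding the finding back into the risk assessment, not by the chart itself.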

The level of surveillance can be commensurate with the risk level of the product:

  • Bandages and gauze pads would not require as much monitoring as an X-ray machine, for example.
Reflecting the aphorism “Fail to plan, plan to fail,” planning for risk management activities as required by the ISO 14971 standard ensures that all the relevant risk assessment and control activities are performed as expected during the product’s life cycle. While many of the planned activities may already be covered by the company’s procedures, the existence of a product-specific Risk Management Plan allows for customizing the process as needed for products with unique characteristics.

In subsequent posts, we will explore the components of a successful risk assessment to get you started on your risk management journey.