Navigating Risk Management Requirements under the EU MDR

Peter Boxall
Two helicopters look as if they are about to collide: An analogy for risk.

Risk management is a cornerstone of EU MDR 2017/745, requiring a continuous, well-documented approach to ensure patient safety. This article unpacks the key requirements and provides actionable strategies for compliance.

Risk management is a significant component of the EU MDR 2017/745 and is vital to ensure the safety of patients and medical device users. A thorough approach to risk management activities is essential for medical device manufacturers to demonstrate conformity with the requirements of the EU MDR. In this article, we will explore the requirements placed on medical device manufacturers by the EU MDR and provide an overview on how to address them.

What are the requirements?

Article 10, point 2 of the EU MDR stipulates that manufacturers are required to establish, document, implement and maintain a system for risk management. It can therefore be clearly interpreted that risk management must be an ongoing process throughout the lifecycle of a device, rather than a ‘one-off’ exercise. A continuous approach to risk management is pivotal in ensuring compliance with regulatory complaints and, moreover, safeguarding patients and device users from avoidable harm.

A more detailed breakdown of risk management requirements can be found in Annex I, points 2-8 of the EU MDR. In summary, the points stipulate that manufacturers must:

  • Reduce risks as far as possible without negatively affecting the benefit/risk profile of a device.
  • Establish, document, implement and maintain a risk management system throughout the entire lifecycle of a device. This process includes:
    • Development of a risk management plan
    • Identification of known and foreseeable hazards associated with the device
    • Evaluation of risks associated with the device during intended and reasonably foreseeable misuse
    • Implementation of measures to control or eliminate identified risks
    • Incorporation of information gathered during device production and post-market surveillance (PMS) regarding the frequency of identified risks
    • Implementation/amendment of risk control measures to address new risks, or risks with greater frequency than initially forecast, based on information obtained through PMS activities.
  • Manage risks to an extent that the residual risk associated with each hazard, and the overall residual risk of a device, is acceptable.
  • Inform users of any residual risks
  • Reduce or eliminate risks relating to user error
  • Ensure that the safety of patients and device users is not affected by the impact of stresses and environmental factors on device performance under normal conditions of use throughout the lifetime of the device.
  • Design, manufacture and package devices in a manner that ensures their characteristics and performance are not affected during storage and transport.
  • Ensure that all foreseeable risks and undesirable side effects are reduced as far as possible and deemed acceptable when weighed against the benefit of a device to patients and users.

Annex I, point 9 refers to the requirement for devices without an intended medical purpose, as outlined in Annex XVI, to present no risk at all or a risk that is no greater than the maximum acceptable risk related to the device’s use. Interpretation of this statement would infer that, for devices without an intended medical purpose that remain governed by MDR, the level of acceptable risk is minimal. Devices falling under this bracket include:

  • Contact lenses and other products intended to be introduced onto or into the eye
  • Products intended to be totally or partially inserted into the body through surgically invasive means for modifying anatomy or the fixation of body parts, excluding tattooing products and piercings
  • Facial, dermal or mucous membrane fillers
  • Equipment for the destruction, reduction of removal of adipose tissue, such as those used in liposuction and lipolysis
  • Equipment emitting high-intensity electromagnetic radiation for use on the human body, such as lasers and pulsed light equipment used in skin resurfacing, tattoo or hair removal
  • Equipment intended to modify neuronal activity in the brain by applying electrical currents or magnetic or electromagnetic fields that penetrate the cranium

How do we meet the requirements?

One approach to meeting the requirements for risk management is to align risk management procedures with BS EN ISO 14971, since the standard is aligned with the General Safety and Performance Requirements of the EU MDR.

BS EN ISO 14971 describes 6 distinct steps in the overall risk management process, as demonstrated below:

A diagram of a risk management process
A risk management process

Risk Management Plan

It is essential that all activities conducted during risk management are planned and that this plan is documented. A robust risk management plan will describe the following:

  • Assignment of responsibilities and authorities for risk management processes.
  • A roadmap for risk management activities to be conducted, based on the 6 defined process steps in BS EN ISO 14971.
  • A procedure for the identification and analysis of risks associated with the device throughout its lifetime.
  • Criteria for determination of risk acceptability.
  • A procedure for the identification and implementation of appropriate risk control measures.

A procedure for the evaluation of individual and overall residual risks following the implementation of risk control measures.

A process for the collection and review of production and post-production information.

Risk Assessment

Risk assessment involves the analysis of risks by identifying all relevant hazards, hazardous situations and harms, and estimating the probability and severity of identified risks. In order to provide a framework for the identification of risks, it is beneficial to consider the following:

  • Definition of intended use:
    • Intended medical indication and target medical condition
    • Target patient population
      • Demographics
      • Disease state and stage
    • Part of body/type of tissue the device interacts with
    • Device user profile
      • Age
      • Medical professionals and/or laypersons
    • Use environment
  • Definition of reasonably foreseeable misuse:
    • Accidental use error
    • Use under the wrong conditions
    • Impact of intentional misuse
    • Use for non-intended clinical indications
  • Characteristics related to safety

A comprehensive list of hazards, hazardous situations and associated harms can be identified following the definition of intended use, reasonably foreseeable misuse and characteristics related to safety. According to the definitions in BS EN ISO 14971, a hazard cannot result in harm until a sequence of events or circumstances (including normal use and reasonably foreseeable misuse) leads to a hazardous situation. Each hazard (e.g. device size too small) can be associated with several hazardous situations (e.g. pressure of device against skin), each associated with several potential harms (e.g. skin abrasion). Once a risk has been followed through from hazard to harm, it can be assessed by estimating both severity and probability of occurrence of harm that could result. A pre-determined criteria of risk acceptability, as documented in the risk management plan, can then be applied based on the estimated risk probability and severity.

Risk control

The application of appropriate risk control measures to reduce the probability and/or severity of each identified potential harm, regardless of initial evaluation of acceptability, is required. This process ensures that each identified risk has been reduced as far as possible, without negatively affecting the overall benefit-risk profile of the device.

BS EN ISO 14971 sets out 3 broad risk control options for medical device manufacturers, in descending order of effectiveness, as described below:

  • Elimination of risk through design of the device. Examples include:
    • Design without sharp edges
    • Make dangerous electrical equipment inaccessible
  • Reduction of risk through the addition of protective measures in the medical device itself or in the manufacturing process. Examples include:
    • Alarms
    • Protective covers
  • Reduction of risk through the provision of information for the safety of device users/operators. Examples include:
    • Warnings/precautions
    • Promotion of use of protective equipment
    • Instructions for use

Evaluation of Residual Risk

Following the implementation of control measures to each identified risk, the probability and severity of each individual risk can be re-estimated, and the previously documented risk acceptability criteria re-applied to determine individual residual risks.

Risk management requirements under the EU MDR place an onus on manufacturers to also assess overall residual risk, whereby the acceptability of all residual risks taken together must be determined. As is the case when determining the acceptability of individual risks, a pre-determined criteria of acceptability must be documented and followed when evaluating overall residual risk. The assessment of overall residual risk should consider the distribution of individual residual risks by acceptability category. For example, even in the absence of any unacceptable individual risks, if a significant proportion of individual risks are considered ‘borderline’ the overall residual risk associated with a device may be deemed unacceptable. If this is the case, manufacturers must implement additional risk control measures, consider modifying the device design and manufacturing process, or place restrictions on the intended use or users, before re-evaluating individual and overall residual risks.

Manufacturers are required to disclose any significant residual risks by providing relevant information in the device labelling and Instructions for Use documentation. The disclosure of residual risks should not be confused with information for safety, which forms part of the risk control process. The disclosure of residual risk does not in itself provide information which can reduce the probability or severity of a given risk, instead providing users with an overview of the risks associated with a device that remain after risk control measures have been implemented. Further guidance on the disclosure of residual risk, and information for safety, can be found in ISO/TR 24971.

Risk Management Review

Once all the risk management activities described above have completed, manufacturers are required to conduct a risk management review. The review must assess whether all procedures in the Risk Management Plan were adhered to and a robust conclusion that the overall residual risk of the device is acceptable must be made. Finally, practices for the collection and assessment of production and post-production information relating to the risk of the device must be decided on and documented. The processes and conclusions of the risk management review must be documented in a Risk Management Report.

Production and Post-Production Activities

BS EN ISO 14971 describes the requirement for manufacturers to implement, document and maintain a system to collect and analyse information relating to the safety of a medical device during its production and post-production phases.

The collection of relevant information should encompass feedback and data from a variety of sources, including:

  • Information from the supply chain relating to production and distribution of the device.
  • Information gathered during the production process.
  • Information from those responsible for installation and maintenance of the device.
  • Information from users of the device.
  • Information relating to the device or similar devices which is publicly available.
  • Information regarding updates to the state of the art.

When the relevant information has been collected, it must be subject to a formal review, with a focus on relevance of the information to the safety of the subject device. The review should identify the following:

  • Any hazards or hazardous situations that were not addressed during initial risk management procedures.
  • Previously addressed hazardous situations which have become unacceptable due to the impact of collected information.
  • If the overall residual risk remains acceptable or is now unacceptable.
  • Updates to the acknowledged state of the art which may impact the safety profile of the device.

Following a review of information gathered during production and post-production activities, manufacturers must determine whether any action is required. This process should include:

  • Review of the risk management file and reassessment of previously identified risks for appropriateness of the estimated severity and probability.
  • Evaluation of new identified risks with a determination of risk acceptability, implementation of risk control measures and assessment of residual risk as previously carried out.
  • Reassessment of overall residual risk of the device.
  • Determination of whether actions related to already marketed devices, such as device recall, are required based on new information.
  • Evaluation of the impact of new information on previous risk management activities.
  • A determination of the suitability of risk management procedures by top management.

Conclusion

The EU MDR places significant risk management requirements on manufacturers of all medical devices. In order to demonstrate compliance, a detailed, well-documented. procedure-driven approach to all aspects of risk management must be implemented. In addition, risk management procedures must be viewed as an ongoing process throughout the lifetime of a device, rather than a one-off exercise.

Though risk management compliance may seem daunting for manufacturers, embracing the requirements is an opportunity for manufacturers to support the safety of their device, and to utilise the data gathered to adopt a strong position in the market.

At Mantra Systems, we have a dedicated team of clinical and regulatory professionals ready to help you with all aspects of risk management for your medical device. Want to learn more? Why not book in a consultation with one of our experts today?

Back to top

Related articles

  1. A photograph of a literal maze that we're using as a clever metaphor.

    Mastering the EU MDR: Essential Steps for Compliance-Ready Docs

    If you're uncertain about the readiness of your EU MDR documentation, this article provides an overview of the essential steps to ensure you’re on track.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  2. An illustration showing scientists at work.

    A Guide to Electronic Instructions for Use (eIFU)

    Electronic Instructions for Use (eIFUs) are set to revolutionise how medical device instructions are delivered. We explore what this means for you.

    Dr Will Brambley Dr Will Brambley Lead Medical Writer
  3. A doctor operates a tablet computer.

    Beyond the Acronyms: Understanding SaMD and SiMD

    As software advancements continue, the line between traditional hardware-centric medical devices and software-driven solutions becomes increasingly blurred.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  4. A team of profesional-looking people sit around a table, congratulating themselves.

    Extending the Validity of your IVDD Certificates – Key Dates

    The EU and the MHRA have extended the validity of IVDD certificates, allowing you more time to transition to the IVDR. We explain what this means for manufacturers.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  5. A team of profesional-looking people sit around a table, congratulating themselves.

    GSPR 1: A New Era of Performance with Safety at the Core

    This regulation emphasizes risk management, durable design & biocompatibility to ensure medical devices are safe and effective. GSPR 1 protects users while driving innovation in medical technology.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer

  6. Cybersecurity Vulnerabilities in Medical Devices: FDA Alerts on Contec and Epsimed Monitors

    Patients can be exposed to risks when devices are online. We explore implications for EU MDR/IVDR cybersecurity requirements, including MDCG guidance

    Dr Clare Dixon Dr Clare Dixon Regulatory Specialist
  7. A futuristic-looking factory full of labelled cardboard boxes.

    Decoding UDI: Your Ultimate Guide to Smarter Medical Device Labelling

    The Unique Device Identifier (UDI) ensures medical device traceability and compliance. We break down its structure, Device Identifier (UDI-DI), Production Identifier (UDI-PI) and its role in EUDAMED.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  8. A medical team discuss performance data at their desktop computer.

    Key Updates for Navigating EMDN: MDCG 2024-2 Rev.1 & 2021-12 Rev.1

    Release of the updated guidance helps manufacturers navigate the EMDN system for accurate device classification, ensuring market access.

    Ron Sangal Ron Sangal Lead Medical Writer
  9. A dated monitor for medical equipment.

    Understanding Clinical Evidence Requirements with MDCG 2020-6

    How can manufacturers ensure legacy devices meet MDR's stringent requirements? Discover how MDCG 2020-6 guidance simplifies the path to compliance.

    Dr Clare Dixon Dr Clare Dixon Regulatory Specialist
  10. A stethoscope laid on a desk of regulatory documentation.

    Clinical benefits of an in vitro diagnostic medical device

    How to determine the clinical benefit of an IVD and successfully incorporate it into regulatory documentation.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  11. EU flags

    Regulation (EU) 2024/1860 - Its impact on EU MDR and IVDR

    How does the recent Regulation (EU) 2024/1860 amendment affect the EU MDR & IVDR?

    Shona Richardson Shona Richardson Regulatory Medical Writer
  12. EU flag

    MDCG 2024-10 - Orphan medical devices

    How to apply MDR pre-market clinical evidence requirements to medical devices intended for limited usage.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  13. Considering a medical device's intended purpose

    A medical device's intended purpose - what is the point?

    How do you define intended purpose, indication for use, intended clinical benefits, and claims?

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  14. Mantra Systems presents EnableChat, your AI-powered MDR & MDCG chatbot

    EnableChat - Your AI-powered MDR and MDCG chatbot

    Search the MDR and MDCG documents in seconds by asking EnableChat your questions.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  15. Searching adverse event databases for vigilance data

    Staying vigilant - A guide to searching for adverse events data

    We discuss the pros and cons of existing adverse event databases for vigilance data searching.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  16. A doctor reading an SSCP document with a patient

    What is Summary of Safety and Clinical Performance (SSCP)?

    We explain what the SSCP is, when you'll need it and what its objectives are.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  17. A pile of question marks

    Medical Device 'Significant Changes' – Navigating EU MDR Article 120(3) using MDCG 2020-3 rev. 1

    Understand what changes to your medical device are considered 'significant' under EU MDR (2017/745).

    Shen May Khoo Shen May Khoo Junior Regulatory Specialist
  18. A signpost giving unsure directions

    MDR or IVDR - A sibling rivalry?

    A guide to easily understanding whether your device is a medical device or an in vitro diagnostic medical device (IVD).

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  19. An EU and UK flag

    What the latest Brexit U-turn means for CE Marking of medical devices in Great Britain

    Will Great Britain continue to allow the use of the CE mark for medical devices beyond the 2024 deadline?

    Dr Hanna Gul Dr Hanna Gul Lead Medical Writer
  20. A woman writing her own medical device regulation documentation

    Gain confidence, reassurance and control over your EU MDR strategy

    Find out how to build your own technical files within a guided framework while minimising financial outlays.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  21. Racing to achieve MDR compliance

    Still racing to achieve MDR compliance? A transition period update

    On January 6th 2023, the EU commission has adopted the proposal to extend the transition rules of the EU MDR.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  22. A 7-step guide to navigating regulatory requirements for medical device start-ups

    A medical device regulations guide for start-up companies

    We present a 7-step guide to navigating regulatory requirements on a budget.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  23. An update on UKCA Marking of Medical Devices

    UKCA Marking of Medical Devices – An update on the status quo

    We review recently updated requirements for UKCA marking and what it means for your regulatory strategy.

    Dr Hanna Gul Dr Hanna Gul Lead Medical Writer
  24. How to choose a CER writer for your MDR Clinical Evaluation

    Choosing a CER writer for your MDR Clinical Evaluations

    We've compiled a list of considerations that will help you make the right choice when choosing a CER writer.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  25. Achieving MDR Compliance for Class I medical devices

    How to achieve MDR Compliance for Class I medical devices

    We outline a strategy for the regulatory compliance of Class I medical devices.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  26. Literature Search, SOTA Review and Clinical Evaluation

    Literature Search, SOTA Review process and Clinical Evaluation

    We help to demystify the process of systematic search & review of literature for Clinical Evaluation.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  27. Literature Search Protocols & SOTA Reviews for medical devices and what to know before you start

    Literature searches and reviews for medical devices - what to know before you start

    We explain what you should know before beginning a literature search & review for your medical device.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  28. Five useful resources when writing a medical device CER

    Five useful resources when writing a medical device CER

    We outline five of the most useful and trustworthy Clinical Evaluation Report writing resources.

    Dr Victoria Cartwright Dr Victoria Cartwright Relationship Manager
  29. Avoid pitfalls when writing a Clinical Evaluation Report

    Five common pitfalls when writing a Clinical Evaluation Report

    We illustrate five pitfalls when writing CERs and give you some tips to overcome them.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  30. How to make a medical device equivalence claim under the MDR

    Five tips for making a medical device equivalence claim under the MDR

    We'll show you what to keep in mind with regards to equivalance and Clinical Evaluation.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  31. Keeping medical devices in market and maintaining CE-marks - a guide to effective data collection

    Keeping medical devices in market and maintaining CE-marks

    The 4 golden rules to drive regulatory compliance with PMCF and vigilance data collection.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  32. How PMCF goes beyond simple compliance - improving products and engaging customers

    How PMCF goes beyond simple compliance

    The wider benefits of a well-designed PMCF system include improving your products and your relationship with your clients.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  33. PMCF systems for medical devices

    Why you'll almost certainly need a PMCF system for your medical devices

    We tell you what to be aware of under the EU MDR regarding PMCF and your medical devices.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  34. Ensure medical device regulatory compliance of your devices through Brexit

    The impact of Brexit on medical device regulatory compliance

    How to ensure regulatory alignment of your devices in the territories affected by Brexit.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  35. Use medical device regulatory consulting services to supercharge your MDR transition

    Is outside consulting support the answer to your MDR transition?

    Getting ready for the MDR is a demanding process. Outsourcing might be your solution.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  36. Increasing data entry compliance in PMCF studies

    Increasing data entry compliance in PMCF studies

    5 methods every medical device manufacturer should know to improve their Post-Market Clinical Follow-up studies.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  37. Why medical doctors can drive MDR compliance

    Why medical doctors can drive MDR compliance

    Working with the MDR requires knowing how to work with clinical evidence. Medical doctors are perfectly positioned to meet this requirement.

    Dr Victoria Cartwright Dr Victoria Cartwright Relationship Manager
  38. Software as a Medical Device

    Software as a Medical Device

    Unless you have spent time working with medical device legislation in the past, the idea that software could be a medical device may be rather unexpected.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  39. clinical investigator for pmcf eu mdr compliance

    Ensuring that clinical investigations work in practice

    How can medical device manufacturers ensure valid clinical investigations when access to medical expertise remains limited?

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  40. Coronavirus and medical device regulations

    Relaxing medical device regulatory requirements during a healthcare crisis

    During the coronavirus pandemic, how far should we go when relaxing medical device regulatory requirements?

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  41. The new MDR compliance challenge

    The new MDR compliance challenge

    Across the industry, medical device companies are facing challenges in meeting the demands of the new Medical Device Regulations (MDR) 2017/745 framework.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer
  42. Sources of Real World Evidence for MDR compliance

    Sources of Real World Evidence for MDR compliance

    At Mantra Systems our objective is to make sure that our clients choose the method of real world data harvesting that is right for them.

    Dr Paul Hercock Dr Paul Hercock Chief Executive Officer

More articles

Do you need support with your medical device approval strategy?

Contact us today