Risk management standard ISO 14971:2019 has specific requirements for a Risk Management Plan. In order to comply with the standard, it is important that medical device manufacturers address these requirements in their own plans. In this blog, John Lafferty, our Life Sciences Programme Director, outlines eight key elements of a Risk Management Plan.
If you are interested in training on Risk Management for Medical Devices, see our Quality Risk Management and ISO 14971 Training (2-Day Course).
- Identify and describe the life cycle phases
Identify the complete life cycle phases that are within scope for the Medical Device under review. These phases may range from Device Design & Development, Manufacturing and Distribution right through to Device Use and eventual Device Disposal. The life cycle must also cover changes to the device during its lifetime.
- Assign Responsibilities and Authorities – e.g., Reviewers, Experts, Independent Verification etc.
Key among these is determination of the individuals within the organisation who have the authority for approval of the acceptance of the residual risk. It is also important to identify key responsibilities for items such as clinical input, review of risk management activities and performance of production and post production activities.
- Establish Requirements for Review of Risk Management Activities.
These requirements include checking that:
-
- the risk management plan has been appropriately implemented;
- the overall residual risk is acceptable; and
- methods are in place for production and post-production activities.
- Define the Criteria for Risk Acceptability – this includes where occurrence cannot be estimated.
The criteria for risk acceptability must be in line with the company’s stated policy on the risk acceptability. If the device is required to comply with the EU MDR/IVDR, then the following apply:
The criteria for risk acceptability must be in compliance with General Safety and Performance Requirements (GSPR) 1, 2, 3, 4, 5, 8, 9, 10, 11, 14, 16, 17, 18, 19, 20, 21 and 22 of the EU MDR or GSPR 1, 2, 3, 4, 5, 8, 10, 11, 13, 15, 16, 17, 18 and 19 of the EU IVDR as applicable.The policy should make it clear that ‘risk control measures adopted … for the design and manufacture of the devices shall conform to safety principles, taking account of the generally acknowledged state of the art’. The policy should include that the risks will be ‘reduced as far as possible’, ‘reduced to a level as low as reasonably practicable’, ‘reduced to the lowest possible level’, ‘reduced as far as possible and appropriate’, ‘removed or reduced as far as possible’, ‘eliminated or reduced as far as possible’, ‘prevented’ or ‘minimized’, according to the wording of the corresponding GSPR.The policy should make it clear that ‘the residual risk associated with each hazard as well as the overall residual risk is judged acceptable’ [GSPR 4] only when they ‘constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety, taking into account the generally acknowledged state of the art’ [GSPR 1].The criteria for risk acceptability must also address risks where the probability of risk cannot be estimated.Guidance on ISO 14971:2019 contained in ISO TR 24971:2021 identifies the risks of software failure and use error, as examples of risks where it may not be possible, or prudent, to estimate the probability of occurrence. If the probability of occurrence cannot be estimated, the company must detail how these risks will be handled.
- Establish the method for evaluation of the acceptability of the overall residual risk.This method should include consideration of all residual risks in relation to the benefits of the intended use of the device. If the device is required to comply with the EU MDR/IVDR, then the manufacturer must ensure that the individual risks and the combined total risk are outweighed by the benefits.
- Verify the Implementation and Effectiveness of Risk Control Measures
For design risks, the company Design & Development process can easily be used to ensure that this requirement is fulfilled.For process risks, the Risk Management system and/or the Quality Management System must incorporate a mechanism, such as Change Control or Control Plans to ensure that any risk controls are implemented.Additionally for process risks, the effectiveness of risk controls should be verified through process validation or test method validation, or other appropriate means.
- List the methods for production and post-production information
These must include methods for collection of information, review of information and implementation of actions arising from the review. For most manufacturers, this may be achieved by the inclusion of references to their procedures on Control of Non-conforming Product, Complaints Handling, Post Market Surveillance etc. The methods for production and post-production information must also include methods for a review of the State of the Art.
- Keep Records of Changes to the Plan
Plans were meant to change. If the plan changes during the product life cycle, then records of any changes must be kept. The most effective way to achieve this is to update the plan. Manufacturers should ensure that the risk management activities actually carried out are in accordance with the most up-to-date version of the plan.
Find out more about our Quality Risk Management and ISO 14971 Training (2-Day Course).
About the Author