Guide to Risk Management for ISO 13485:2016

and your Medical Device

Written by: Brian Newbery on March 20, 2023

Founder of Fast-Track QMS Consultants

I still recall early in my career, when I was formally introduced to, and required to perform
by a corporate QMS procedure, a risk analysis of the design I was working on. This was
before moving into the quality management world, and I was heading up a design and
development team at the time and I remember my initial skepticism. My attitude was,
“hey I know the risks, why do I need to conduct this formal documented risk analysis”, I
have already considered the risks for the use of this product by the customer.

The good news is I learned very quickly as a result of this very first risk analysis the
purpose, intent and true benefits of using a formal Risk Management process

This first experience included completing with a cross functional team a DFMEA. To our
surprise we found a risk involving potential for a major product failure due to component
fatigue, that no one on the team had thought of, and as the design was unique there was
no history to guide us. We ran a test and sure enough it failed. The result was that this
risk analysis enabled us to modify the design so that there was no failure during
validation and no customer harm. Convinced me of the importance of risk management.

In this article we will look briefly at each of the risk related requirements in
ISO 13485:2016, elements 4, 6, 7 and 8, and then review the details of the risk
management process as required by ISO 14971:2019

Risk mentioned in 10 clauses of ISO 13485:2016

4 5 6 7 8
Quality Management Resource Product Measurement
management responsibility management realization analysis &
system improvement

https://fasttrackiso13485.com 1 of 14 P019
Guide to Risk Management for ISO 13485:2016 and your Medical Device

Contents
Page No.

3 Introduction

4 Risk Requirements to meet ISO 13485:2016

Section 4 Quality Management System
Section 6 Resource Management
Section 7 Product Realization
5 Section 8 Measurement, Analysis Improvement

5 ISO 14971 Risk Management

6 Definitions

7 Risk Management Process

7 Risk Management Plan

9 Risk Analysis

9 Risk Evaluation

11 Risk Controls

11 Overall Residual Risk Acceptability

12 Risk Management Review

12 Production and Post-Production Review

13 Final Thoughts

14 Contact Fast-Track QMS Consultants

https://fasttrackiso13485.com 2 of 14 P019
Introduction
A good place to start is with the definition of risk and risk management from ISO 13485:2016
Section 3 Terms and Definitions:

(Source ISO 14971)

Risk: Combination of the probability of occurrence of harm and the severity of that harm

Risk Management: Systematic application of management policies, procedures and practices

to the tasks of analysing, evaluating, controlling and monitoring risk.

When a patient requires surgery or any treatment using a medical device, they are not going to
think about the quality or risks involved with the medical device, and they place their trust with
the surgeons and medical staff.

Risk Management and Quality is the responsibility of the device manufacturer who designs,
manufactures and markets the device.

That is why risk management is such a critical part of the medical device world and the quality
management system. It should never be just another “check-the-box” activity and needs to
have full support of management and be a priority within the QMS. Top management and team
leaders, need to be involved, and starting from ensuring there are adequate, trained resources
to conduct risk management and to raise the awareness of its importance.

One best practice I have seen from executive management was with the first medical device
company I worked with, and which had a lasting impression on how I thought about medical
device quality and the risk management required. This was where the executive management
would invite surgeons from local hospitals to give a talk to all employees on the importance of
their product quality.

Part of that presentation was the doctors asking employees to just imagine it was members of
their families, or themselves, being treated with the use of the medical device they had helped
to design and build.

As you might imagine that was very effective and something that has stayed with me
throughout my medical device quality management career. Perhaps you can also keep this in
mind as you read this guide to risk management.

https://fasttrackiso13485.com 3 of 14 P019
Risk requirements to meet ISO 13485:2016
The following is a summary of the requirements for a risk-based approach that are set out in
ISO 13485:2016:
(For complete requirements refer to the ISO 13485:2016 Standard)

Section 4 Quality Management System

• Under general requirements 4.1.2; It states the organization shall apply a risk based
approach to the control of the appropriate processes for the quality management system.

Note: This requirement is for a risk based approach for the control of appropriate
processes and depending on the medical device can go beyond those specifically called
for in the other sections of the Standard.

• For outsourced processes 4.1.5; When the organization selects to outsource any
processes that affects product conformity to requirements, the controls shall be
proportionate to the risk involved and the ability of the supplier to meet requirements.

• 4.1.6; Requires validation of the application of computer software used in the quality
management system prior to use. The specific approach and validation activities shall be
proportionate to the risks associated with the use of the software.

Section 6 Resource Management

• Under 6.2; checking the effectiveness of training for personnel performing work affecting
product quality, the methodology used to check effectiveness to be proportionate to the
risk associated with the work.

Section 7 Product Realization

• 7.1; Requirement to document one or more processes for risk management for product
realization and to maintain records.

• Design and development inputs 7.3.3; To be determined and records maintained to include
applicable output(s) of risk management.

• Control of design and development changes 7.3.9; shall include evaluation of the effect on
the inputs or outputs of risk management.

https://fasttrackiso13485.com 4 of 14 P019
• 7.4.1; Purchasing process and the criteria for the evaluation and selection of suppliers
shall be proportionate to the risk associated with the medical device. Under 7.4.3
Verification of purchased product the inspection to be based on the supplier evaluation and
proportionate to the risk associated with the purchased product.

• 7.5.6; Validation of the application of computer software used in production and service
prior to use and to be proportionate to the risk associated with the use of the software,
including the effect on the ability of the product to conform to specifications.

• 7.6; Validation of the application of computer software used for monitoring and measuring
of requirements. The specific approach and activities associated with software validation
and revalidation shall be proportionate to the risk associated with the use of the software.

Section 8 Measurement, Analysis and Improvement

• 8.2.1; Feedback requires that information gathered in the feedback process shall serve as
potential input into risk management for monitoring and maintaining the product
requirements as well as the product realization or improvement processes.

ISO 14971 Risk Management

ISO 14971:2019 Medical devices – Application of risk management to medical devices, is the
Standard for risk management referenced in the ISO 13485:2016 Standard.

This document should be included in your controlled external documents and is an excellent
standard for explaining the requirements, expectations, and the stages of a risk management
process for medical device companies.

It includes terminology, principles and a process for risk management, including software as a
medical device and in vitro diagnostic medical devices.

Another useful document is ISO/TR 24971:2020 Medical devices – Guidance on the application of
ISO 14971. This document provides guidance on the development, implementation and
maintenance of a risk management system for medical devices according to ISO 14971:2019.

https://fasttrackiso13485.com 5 of 14 P019
Definitions
It is important to understand definitions under Risk Management as defined in ISO 14971 as
the terminology can sometimes be used incorrectly, i.e. Risk Management and Risk Analysis
Use correct definitions consistently as shown below to ensure clear communication.

Risk Management: Systematic application of management policies, procedures, and

practices to the tasks of analyzing, evaluating, controlling and monitoring risk.

Risk: Combination of the probability of occurrence of harm and the severity of that harm.

Hazard: Potential source of harm.

Hazardous Situation: Circumstances in which people, property, or the environment are

exposed to one or more hazards.

Harm: A physical injury or damage to the health of people, or damage to the property or the
environment.

Severity: Measure of the possible consequences of a hazard.

Risk Analysis: Systematic use of available information to identify hazards and to estimate the
risk.

Risk Estimation: Process used to assign values to the probability of occurrence of harm and
the severity of that harm.

Risk Evaluation: Process of comparing the estimated risk against given risk criteria to
determine the acceptability of the risk.

Risk Assessment: Overall process comprising a risk analysis and a risk evaluation.

Risk Control: Process in which decisions are made and measures implemented by which
risks are reduced, or maintained within, specified levels.

Risk Management Plan: A product level document that identifies the risk management
activities anticipated and planned throughout the products life cycle.

Risk Management File: File to keep risk management activities, documentation, and records.

Residual Risk: Risk remaining after risk control measures have been taken

https://fasttrackiso13485.com 6 of 14 P019
Risk Management Process
For medical device design, development and manufacturing it is essential to have a defined
and documented Risk Management process fully implemented. It must have support of top
management, and those involved should include a cross-functional engagement in the risk
management process.

Also it is best practice to have at a minimum the risk management process leader for each
project formally trained in the whole risk management process, and all participants trained in
the requirement of the companies procedure.

The Risk Management process includes:

• Risk Management Planning

• Risk Analysis
• Risk Evaluation
• Risk Controls
• Overall Residual Risk Acceptability
• Risk Management Review
• Production and Post-Production information and review

Risk Management Plan

The Risk Management Plan is a product level document, and the need for risk identification is
determined for new designs, changes to current designs and processes, or can also be on the
basis of information and trends regarding the performance and effectiveness of the QMS.

Once the need for Risk Management has been identified and depending on the magnitude and
scope of the project or need, a Risk Management Plan should be initiated.

This plan should identify the Risk Management activities anticipated and planned throughout
the project’s life cycle. The Risk Management plan is dynamic and should be reviewed and
updated as required.

https://fasttrackiso13485.com 7 of 14 P019
The Risk Management Plan to include:

• Scope of the Risk Management activities and definition of the product or process. It is
possible to have multiple similar products or processes in a single Risk Management Plan.

• Description of the intended use of the product(s) or process(s).

• Identify all Risk Management activities planned throughout the product/process life cycle.

• Define roles and responsibilities of the Risk Management team that will be participating,
reviewing and approving risk documentation.

• Criteria for the product or process risk acceptability.

• Methods to verify Risk Control measures after implementation and reduction of risks to the
pre-established acceptable levels.

• How post-production information will be captured and fed into Risk Management activities
for the product/process.

Risk Management Plans should be reviewed and updated throughout the products life cycle.

Risk Management File:

A Risk Management File (RMF) is generated and maintained to keep all of the risk
management activities, documentation, and records.

A Risk Management File contains evidence of the following:

• Risk Management Plan

• Risk Analysis
• Risk Evaluation
• Risk Controls
• Evaluation of Overall Risk Acceptability
• Risk Management Review
• Production and Post- Production Risks

https://fasttrackiso13485.com 8 of 14 P019
Risk Management Files may as an alternative refer to the location of such records, i.e. DHR’s,
CAPA’s etc. This can be a challenge if using a paper based approach and control of these
documents and records can certainly be one of the advantages of using an eQMS system.

Our website Fast-Track QMS Consultants has contact information for approved partners where
you can learn more on this.

Risk Analysis
Risk Analysis and Risk Evaluation are in my experience, normally carried out at the same time
and using different techniques including FMEA’s, preliminary hazards analysis and fault tree
analysis, as appropriate.

FMEA’s are a reliability tool that assumes single-fault failures as part of the analysis. Risk
Management is broader than just failures; risks exist when medical devices are used without
failure modes.

Any Risk Analysis conducted must identify the medical device or process, the intended use, the
team members involved, scope and date. It is also important to consider off-label hazards as
well as those from the intended use.

This is where it can be extremely beneficial to obtain input from functional areas outside of just
design and process engineers, and include marketing, sales and end users.

Risk Evaluation
Once all the known and/or anticipated risks have been identified and estimated, these risks
need to be evaluated to determine if risk reduction is required. Using the results of the Risk
Analysis and with reference to the tables below determine and identify which risk zones are
acceptable and which require risk reduction.

For the US Market the low zone is normally acceptable and the high zone unacceptable. The
medium zone can fit into “as low as reasonably practical”. Items in the high-risk zone require
risk reduction and those in the medium zone should also be considered for risk reduction. For
product sold in the EU the MDR requires reduction of risks as far as possible for all levels.

https://fasttrackiso13485.com 9 of 14 P019
 Severity Description
Critical Loss of limb; life-threatening injury
Major Severe, long-term injury; potential disability
Serious Short-term injury or impairment requiring additional medical
intervention to correct (e.g. reoperation)
Minor Slight customer inconvenience; little to no effect on product
performance, non-vital fault
Negligible No or negligible risk to patient or user

Occurrence Level Description

Frequent 1 in 100
Probable 1 in 1,000
Occasional 1 in 10,000
Remote 1 in 100,000
Improbable 1 in 1,000,000

The table below shows the occurrence and severity levels with risk levels defined as either
“low”, “medium”, or “high”:

Frequent Low Medium High High High

Probable Low Medium Medium High High
Occasional Low Low Medium Medium High
Remote Low Low Low Medium High
Improbable Low Low Low Low Medium
Negligible Minor Serious Critical Catastrophic

https://fasttrackiso13485.com 10 of 14 P019
Risk Controls
Once the Risk Analysis and Risk Evaluation are completed the next step is to identify Risk
Controls. Items identified as requiring Risk Reduction are about reducing those identified risks
to acceptable levels.

Risk control options should be considered in the following priority order:

• By modifying the design to build in safety and this is always the preferred option
• Protective measures in the actual medical device and/or in the manufacturing process
• Information for safety such as labeling and instructions for use

Where possible it is best practice to include multiple Risk Controls to reduce risk, i.e. by design
and information on labeling.

After the risk controls are identified they need to be implemented, verified, and the
effectiveness determined. Records of these actions to be documented. Where appropriate also
need to evaluate if new risk controls introduce any new hazards.

If the first priority risk control option is used and incorporated into the design, then using the
design and development steps of Design Outputs, Design Verification and Design Validation
will make verifying the effectiveness of these controls part of your Design Controls process.

Overall Residual Risk Acceptability

In addition to the evaluation of individual risks the overall device risk acceptability is to be
evaluated.

If it is determined that the overall residual risk is acceptable the decision is documented in the
Risk Management Report along with the rationale.

If you determine that the overall residual risk is not acceptable you may want to go back and
determine if every possible measure has been taken to reduce the risk first through Risk
Controls. You can also conduct and document a benefit-risk analysis.

https://fasttrackiso13485.com 11 of 14 P019
Benefit-Risk Analysis

After completing identification of Risk Controls and evaluating residual risks, it maybe that
some risks still remain that fall into the unacceptable range. It may then be appropriate to
consider conducting a benefit-risk analysis, but only after every possible measure to reduce
risks has been taken.

This analysis is to consider if the medical benefits of the medical device outweigh the residual
risk. The analysis if conducted must be documented along with objective evidence and rational
for why the medical benefits outweigh the unacceptable risks. The key here is medical benefits
and never to include financial business factors.

Risk Management Review

On completion of all the steps in the risk management process all activities are to be
documented in a Risk Management Report, reviewed and approved, and I would recommend
include approval by executive management.

The report should include the plan for evaluating risks in production and post-production. The
review plan for post-production would normally be first conducted no later than 6 months after
the launch of the product, but should be targeted as appropriate for your medical device.

Production and Post-Production Review

Risk Management is a total product life cycle process, and the Risk Management File is a living
document, to be reviewed on a regular documented basis, or as activities and events determine
a need for action and update.

Examples where updates to the RMF may be required include:

• Consider and document production related risk management activities and events.

• Ensure post-production processes put in place to support the QMS are feeding into the
Risk Management process.

https://fasttrackiso13485.com 12 of 14 P019
• Feedback and customer complaints tied into where appropriate, the risk management
process. Including verification that any occurrence of harm aligns with what was estimated
and any new hazard or hazardous situation is identified.

• Non-conformances and CAPA’s tied into the risk management process.

• Negative quality trends.

Final Thoughts
Risk Management can be a challenging and sometimes difficult process to get embedded and
consistently applied, in your quality management system. I highly recommend you give this a
high priority and seek out guidance if you need it.

Hopefully this guide helped you with the understanding the fundamentals of Risk Management.
If this is a process, you need to implement or will be involved in some way with its application
you should use ISO 14971 to make it easier.

Remember the Risk Management process includes:

• Risk Management Planning

• Risk Analysis
• Risk Evaluation
• Risk Controls
• Overall Residual Risk Acceptability
• Risk Management Review
• Production and Post-Production information and review

All to be documented in the Risk Management File

Risk Management needs to be an integral part of Design and Development as well as the other
quality management elements listed under the ISO 13485 Risk Requirements section of this
article.

https://fasttrackiso13485.com 13 of 14 P019
Risk Management needs to be active throughout the entire product lifecycle

Risk Management needs to be a priority for start-up medical device companies.

If you would like to learn more from our available eBooks which include application of Risk
Management, the following are 3 that we have available for free download from our website:

Priority QMS Procedures for Start-Up Medical Device Companies

Complete Guide: Medical Device Design and Development

How to Control Design Changes for Your Medical Device

Need training or coaching on Risk Management or any part of your ISO 13485:2016
quality management system? You can check out our Fast-Track QMS Consultants
website to learn more on the consulting services and products we offer, and you can
also contact us with any questions.

Click Here

We also have available a proven Risk Management SOP Template including support
forms for PFMEA, DFMEA, and Risk Management Plan for purchase and quick
download.

https://fasttrackiso13485.com 14 of 14 P019
https://fasttrackiso13485.com 15 of 14 P019