
Behind the scenes of risk management
Introduction – Why Talk About Risk Management?
Often seen as a mere documentation exercise, risk management remains a misunderstood discipline. Many manufacturers still underestimate the relevance of this process and fail to leverage its full potential. Yet, when done properly, it becomes a powerful driver of quality system robustness and device compliance.
Let’s take a closer look at this underused activity and identify the key habits that can turn it into a true tool of control and performance.
The key requirements you shouldn’t miss
What the MDR says
Through Regulation (EU) 2017/745 (MDR) – and the ISO 13485:2016 standard (see our article ISO 13485 vs MDR: Complementarity or Complexity?) – risk management emerges as a connecting thread, coherently linking all activities surrounding the medical device.
The MDR sets the foundations:
- Article 10(2): Establishment and maintenance of a risk management system
- Article 10(9): Integration of the risk management system within the quality management system
- Annex I, points 3 to 9: Continuous updating of the risk management system, reduction of risks as far as possible, and demonstration of a positive benefit/risk balance
Risk management is not a one-time evaluation. It is a cross-cutting, continuous process, integrated from the earliest design stages through to the very end of the device's lifecycle.
Beyond establishing a risk management system, the MDR requires manufacturers to keep it regularly updated – particularly by reassessing the benefit/risk balance in light of new information gathered through post-market surveillance (PMS).
In essence, risk management is omnipresent. It underpins the device’s compliance at every stage and reflects the manufacturer’s understanding of their product, the hazards surrounding it, and how those hazards are controlled throughout its lifecycle.
Advice: Don't think of risk management as a document but as a living engine: a system continuously fed with new product data (manufacturing, use, vigilance, clinical feedback, competitors…) so that risk estimates and risk control results can be updated as the evidence changes.
Link with the technical documentation
The MDR doesn’t just require a risk management system. It also mandates that this process be fully integrated into the device’s technical documentation (see our article MDR Technical Documentation: Requirements and Practical Challenges for more details).
Each section of the technical file (design, validation, clinical evaluation, PMS, etc.) must be aligned with the conclusions of the risk management process.
This documentary consistency is a critical point of attention for notified bodies. A risk analysis disconnected from the technical documentation – or vice versa – is one of the most frequent causes of non-conformity during MDR technical documentation assessment.
ISO 14971: The compass for risk management
Purpose and Scope
Just as ISO 13485:2016 provides the framework for quality management, ISO 14971:2019 serves as the international reference for implementing and maintaining a risk management system in medical devices.
If the MDR defines why risk management is necessary, ISO 14971 defines how to implement it. Its purpose is to provide manufacturers with a clear, structured methodology for identifying, assessing, controlling, and monitoring risks throughout the device lifecycle.
Reminder: Like all standards, ISO 14971 does not replace the MDR but complements it. It translates regulatory requirements into a structured, documented, and auditable process, easily integrated within an ISO 13485-compliant QMS.
The main stages of the process
The standard structures the risk management process into six main stages, all documented in the Risk Management File (RMF) – the manufacturer’s proof of product control. While the format may differ between manufacturers, the goal remains the same: to demonstrate that all risks associated with the use of the device are acceptable in view of the expected benefits.
- Planning: The process begins with a Risk Management Plan (RMP) defining the scope of analysis, responsibilities, assessment methods, acceptability criteria, and follow-up mechanisms.
- Hazard identification: The manufacturer identifies all potential sources of risk related to design, materials, use, environment, maintenance, etc.
- Risk estimation and evaluation: For each hazard, the probability of occurrence of harm and the severity of that harm are estimated, combined (typically in a risk matrix) and compared against the acceptability criteria fixed in the plan. This is what prioritises the risks and determines which ones require control actions.
- Risk control: Risks must be reduced as far as possible, applying the control options in the following order of priority (MDR Annex I, section 4):
  - Design modifications to eliminate or reduce the risk
  - Protective measures in the device or in the manufacturing process
  - Safety information and, where necessary, user training
- Evaluation of overall residual risk: Once controls are applied, remaining risks are reassessed. The manufacturer must demonstrate that residual risk is acceptable compared with the device’s benefits.
- Production and post-production: Risk management doesn’t stop at CE marking. Continuous monitoring through production data, complaints, vigilance, and PMS feedback is required. These data feed the risk management file and allow the benefit/risk balance to be adjusted.
Advice: Think of risk management as a loop, not a straight line. Every new piece of information should feed back into and strengthen the process, ensuring living and lasting compliance.
Bonus: The standard ISO/TR 24971 supports manufacturers in applying ISO 14971 by providing methods, examples, and implementation advice. Using it will make your system more robust and defensible during a notified body audit.
A lifecycle approach
The risk management process applies at every stage of the device lifecycle. It’s a dynamic activity, constantly evolving as new data emerge:
- Design: Early identification of design, material, use, and environmental hazards. Links with standards such as IEC 62366-1 (usability engineering) and ISO 10993 (biocompatibility).
- Production: Monitoring of process, batch, and supplier-related risks. Link with ISO 13485 section 7.1 (product realisation planning).
- Market Phase: Post-market surveillance, data collection, and risk management file updates.
- End-of-Life: Anticipation of risks related to disposal or decommissioning.
Advice: Adopt a “dynamic risk” mindset. What is acceptable today may not be tomorrow in light of post-market data.
Common mistakes to avoid
Even with a well-structured risk management system, it’s easy to fall into traps that undermine its value:
- Treating the RMF as a static deliverable: CE marking isn’t the finish line. Risk management continues until the device is withdrawn from the market. Regular and systematic updates are mandatory.
- Working in silos: Risk management is inherently cross-functional. Build a multidisciplinary team (R&D, Marketing, QA/RA, Clinical, Production, etc.) to ensure all perspectives are represented and risks are properly evaluated.
- Disconnecting risks from the technical documentation: a vigilance case comes in, is the associated risk already covered in the analysis? A product specification changes, what does the risk matrix say about it? A design change is made, what is its impact on the risk management file? During MDR audits, notified bodies require complete traceability between identified risks, the general safety and performance requirements (GSPR), the control measures, and the corresponding verification and validation evidence.
- Justification of risk acceptability not documented: Many risk management files show risk matrices but omit the rationale behind decisions. Why was a risk deemed acceptable? On what basis? Using which criteria? Lack of clear reasoning makes the file difficult to defend in an audit.
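The process stages above (plan, hazard identification, estimation against the plan's criteria, control in priority order, residual risk evaluation, post-production update) and the two traceability mistakes just listed can be made concrete with a small risk register that runs the checks an assessor would run on each RMF entry. The Python below is an added example for this article, not code from ISO 14971, the MDR or any manufacturer's system; the probability and severity scales, the acceptability threshold, the hazard and control identifiers (HZ-017, SW-VER-042 and the like) and the field data are all constructed assumptions.

```python
"""Toy ISO 14971-style risk register with the consistency checks an assessor runs on a
Risk Management File (RMF). Added example: scales, threshold, identifiers and device
data are constructed for illustration and not taken from any real RMF."""
from dataclasses import dataclass, field
from enum import IntEnum

class Prob(IntEnum):  # probability of occurrence of harm (semi-quantitative scale)
    IMPROBABLE = 1; REMOTE = 2; OCCASIONAL = 3; PROBABLE = 4; FREQUENT = 5

class Sev(IntEnum):   # severity of the harm
    NEGLIGIBLE = 1; MINOR = 2; SERIOUS = 3; CRITICAL = 4; CATASTROPHIC = 5

# Acceptability criterion as fixed in the Risk Management Plan: index = probability x
# severity, acceptable up to this value. The value itself is an assumption of the example.
ACCEPTABLE_MAX_INDEX = 6
# Risk control option priority (MDR Annex I, 4 / ISO 14971): lower rank comes first.
HIERARCHY = {"design": 1, "protective": 2, "information": 3}

@dataclass
class Control:
    kind: str          # "design" | "protective" | "information"
    description: str
    verification: str  # reference to the validation evidence, e.g. a test report id
    prob: Prob         # estimated probability once this control is in place
    sev: Sev           # estimated severity once this control is in place

@dataclass
class Hazard:
    hid: str
    description: str
    prob: Prob                      # initial estimate, before any control
    sev: Sev
    gsprs: list[str]                # GSPR clauses this risk traces to
    controls: list[Control] = field(default_factory=list)
    rationale: str = ""             # why the residual risk is accepted

    def residual(self):
        """(probability, severity) after the last control, else the initial estimate."""
        last = self.controls[-1] if self.controls else self
        return last.prob, last.sev

def risk_index(prob, sev):
    return int(prob) * int(sev)

def audit(h):
    """Findings an assessor would raise for one RMF entry; an empty list means clean."""
    findings = []
    if not h.gsprs:
        findings.append(f"{h.hid}: not traced to any GSPR")
    ranks = [HIERARCHY[c.kind] for c in h.controls]
    if ranks != sorted(ranks):
        findings.append(f"{h.hid}: controls not applied in priority order")
    for c in h.controls:
        if not c.verification:
            findings.append(f"{h.hid}: control '{c.description}' has no verification evidence")
    if ranks and min(ranks) == HIERARCHY["information"] and not h.rationale:
        findings.append(f"{h.hid}: only safety information used, no justification why "
                        "design or protective measures were not practicable")
    p, s = h.residual()
    if risk_index(p, s) > ACCEPTABLE_MAX_INDEX:
        findings.append(f"{h.hid}: residual risk index {risk_index(p, s)} "
                        f"exceeds criterion {ACCEPTABLE_MAX_INDEX}")
    elif not h.rationale:
        findings.append(f"{h.hid}: residual risk accepted without documented rationale")
    return findings

def update_from_post_market(h, events, units_in_field):
    """Production/post-production step: re-estimate the residual probability from field
    data (complaints, vigilance) and re-run the audit on the updated entry."""
    rate = events / units_in_field
    # Mapping of an observed event rate onto the Prob scale: an assumption of the example.
    bands = [(1e-2, Prob.FREQUENT), (1e-3, Prob.PROBABLE), (1e-4, Prob.OCCASIONAL), (1e-5, Prob.REMOTE)]
    new_prob = next((level for limit, level in bands if rate >= limit), Prob.IMPROBABLE)
    if h.controls:      # field data describes the device *with* its controls in place
        h.controls[-1].prob = new_prob
    else:
        h.prob = new_prob
    return audit(h)

def sample_entry():
    """Constructed RMF entry: an infusion pump over-delivery hazard, fully documented."""
    h = Hazard("HZ-017", "Flow-rate input mis-parsed, drug over-delivered",
               Prob.PROBABLE, Sev.CRITICAL, gsprs=["GSPR 17.1", "GSPR 17.2"])
    h.controls += [
        Control("design", "Input checked against drug-library limits", "SW-VER-042",
                Prob.REMOTE, Sev.CRITICAL),
        Control("protective", "Independent hardware flow limiter", "HW-TEST-007",
                Prob.IMPROBABLE, Sev.CRITICAL),
        Control("information", "IFU warning and pre-use checklist", "USAB-011",
                Prob.IMPROBABLE, Sev.CRITICAL)]
    h.rationale = "Residual index 4 meets the RMP criterion; infusion accuracy benefit outweighs it."
    return h

def sample_weak_entry():
    """Constructed RMF entry with typical gaps: label-only control, no evidence, no GSPR link."""
    h = Hazard("HZ-023", "Tubing kink occludes flow unnoticed", Prob.OCCASIONAL, Sev.SERIOUS, gsprs=[])
    h.controls.append(Control("information", "Label: check tubing before use", "", Prob.REMOTE, Sev.SERIOUS))
    return h
```

Calling `audit(sample_entry())` returns no findings: the risk is traced to GSPRs, the controls follow the design, protective, information order, each has a verification reference, and the residual index (1 x 4 = 4) sits under the criterion with a written rationale. `audit(sample_weak_entry())` raises four findings, one for each of the habits described above. `update_from_post_market(sample_entry(), 30, 10_000)` shows the lifecycle point: 30 events in 10,000 units in the field pushes the residual probability back to "probable", the index becomes 16, and the same entry that was acceptable at CE marking is now flagged for further risk reduction and a benefit/risk reassessment. The thresholds and rate bands are placeholders; in a real RMF they come from the Risk Management Plan and must themselves be justified.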
Advice: Inconsistent documentation between the RMF, the clinical evaluation, and PMS remains one of the main causes of non-compliance identified during MDR audits. The collaborative platform Certeafiles helps you create and maintain the links between documentation, risks, GSPRs, and control measures, and keeps them continuously updated with little effort.
Conclusion – Risk Management: The Common Thread of Compliance
Risk management is not an administrative step, it is the central thread of compliance. From the initial concept to post-market surveillance, it ensures the device’s safety, performance, and credibility. When properly implemented, it becomes a strategic management tool, turning compliance into a mark of quality and trust.
📧 Looking to structure, maintain, and confidently defend your MDR risk management process?
Contact us for digital and personalized support.