Risk Management in Medical Devices: Evaluation, Mitigation & Management


Risk management for medical devices is a continuous process, and manufacturers face a difficult task in ensuring that their products (instruments, apparatus or materials) remain safe for continued use in or by humans, whether patients or users.

Here, Kolabtree’s freelance scientist Aditi Kandlur elaborates on how product safety and efficiency are ensured through a process of risk management in medical devices.

Hazard or risk management in medical devices involves identifying and evaluating hazards arising from the product and establishing measures to prevent them, especially during design and development, across industries such as medtech and healthcare. The higher the concern, the stronger the measures the manufacturer must undertake, with the help of competent risk management experts and regulatory consultants, to bring the risk into an acceptable range.

Workflow – Risk Management in Medical Devices

Risk management is a compulsory requirement worldwide, although the specifications for compliance differ by geographical region. Canada, Australia, Japan, Brazil and other major global markets refer to ISO 13485:2016, which focuses in particular on the design, production, installation and servicing of medical devices (while its latest clauses give increased attention to risk management in the supply chain).

The US FDA and the EMA, through their quality management regulations, 21 CFR Part 820 and MDR 2017/745 respectively, direct manufacturers to focus on risk management. Under the MDR, Article 10(2) states “the manufacturers must establish, document, implement and maintain a product safety risk management system” throughout the lifecycle of their medical device/product. The detailed requirements are in Annex I, Chapter I, clauses 2-9. The MDR is aligned with EN ISO 14971:2019 and EN ISO 13485:2016.

Establishing the risk-benefit analysis through a risk analysis plan and a risk analysis report, as per these two ISO standards, allows for compliance with the MDR from the manufacturer’s end.

The medical device Risk Management lifecycle must include planning, risk analysis, risk evaluation, setting up of risk controls, establishing overall residual risk acceptability, review, production and post-production information collection as well as analysis.

ISO 14971 permits many approaches to performing risk management. It is, however, the company’s choice and decision to take up the option that best fits its culture, requirements and business goals. A few risk management methodologies that are followed include:

  • a top-down approach: fault tree analysis (FTA)
  • bottom-up approaches such as failure modes and effects analysis (FMEA) and failure modes, effects, and criticality analysis (FMECA)

The final steps of identifying hazards associated with the medical device include determining the areas of risk while reviewing the categories of potential hazards listed in table C.1 of Annex C of ISO 14971:2019 (including thermal energy, electromagnetic energy, mechanical energy, and biological and chemical hazards). Once risks are identified, their level is evaluated to see which fall into the acceptable risk category. To classify acceptable versus non-acceptable risks, a risk evaluation matrix is drawn up.

After the additional groups of hazards and hazardous situations are identified with reference to IEC 60601, these lists should be updated to contain all possible hazards and hazardous situations, and they must align with the items in table C.1. The manufacturer should also record an explanation of whether each hazard has been concluded to be relevant to their medical device/product or not. IEC 60601-1, Medical electrical equipment – Part 1, was one of the first standards of its kind made for medical devices, in 1970. It has become an internationally recognized standard covering the basic safety and essential performance of medical devices. The most recent version was released in 2020.

Additionally, medical device risk management policies need to be incorporated across all stages of medical device design and development, and should also be tied to design control. The complete risk management lifecycle receives a lot of attention because, if it is not executed correctly, it can affect the company’s resources, such as budget and time to market: resources would have to be deployed to redesign, redevelop and retest the device/product, which might result in losses to the company. All this points to the significance of performing the risk management lifecycle diligently.

Criteria are defined during the risk identification process. If a risk, hazard or hazardous situation identified during the risk management process for medical devices is beyond the defined criteria, a risk mitigation plan must be set up. Hazard/risk analysis early on can also be used to check which standards would best suit the device. Initial assessment and management of risks can be based on the framework of the Preliminary Hazard Analysis (PHA) under the ISO 14971 standard. The PHA covers risk analysis and evaluation to classify risk levels; it comprises lists of risks, hazards and hazardous situations based on the device’s construction and raw materials, its interfaces (human-device or manual), its usage environments and its use cases, among others.
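The risk evaluation matrix and the "beyond the defined criteria, so a mitigation plan is needed" check described above, as an added Python example that is not from the original article or from any standard. The severity and probability scales, the acceptability thresholds, the `Hazard` class and the sample hazards are all assumptions constructed for illustration; ISO 14971 leaves the scales and criteria to the manufacturer.

```python
from dataclasses import dataclass, field
# Assumed scales and thresholds: ISO 14971 leaves both to the manufacturer, so these are illustrative.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
ACCEPTABLE_MAX, UNACCEPTABLE_MIN = 4, 12  # band limits of the evaluation matrix

@dataclass
class Hazard:
    hazard_id: str
    area: str         # hazard area, e.g. a heading from table C.1 of Annex C
    situation: str    # hazardous situation that may lead to harm
    severity: str
    probability: str
    controls: list = field(default_factory=list)  # (description, severity after, probability after)

def risk_score(severity: str, probability: str) -> int:
    return SEVERITY[severity] * PROBABILITY[probability]

def classify(score: int) -> str:
    """Band of the evaluation matrix a score falls into."""
    if score <= ACCEPTABLE_MAX:
        return "acceptable"
    return "unacceptable" if score >= UNACCEPTABLE_MIN else "reduce further"

def residual(h: Hazard) -> tuple:
    """Apply the hazard's controls in order; reject a control that raises the risk."""
    sev, prob = h.severity, h.probability
    for desc, new_sev, new_prob in h.controls:
        if risk_score(new_sev, new_prob) > risk_score(sev, prob):
            raise ValueError(f"{h.hazard_id}: control '{desc}' increases risk")
        sev, prob = new_sev, new_prob
    return sev, prob

def evaluate(hazards: list) -> dict:
    """Map hazard id to (initial band, residual band, mitigation plan still needed)."""
    result = {}
    for h in hazards:
        initial = classify(risk_score(h.severity, h.probability))
        after = classify(risk_score(*residual(h)))
        result[h.hazard_id] = (initial, after, after != "acceptable")
    return result
# Constructed sample hazards for a hypothetical mains-powered bedside device.
SAMPLE = [
    Hazard("H1", "thermal energy", "enclosure overheats and burns the user", "serious", "occasional",
           [("thermal cut-off", "serious", "remote"), ("lower-power regulator", "minor", "remote")]),
    Hazard("H2", "electromagnetic energy", "interference corrupts the dose display", "critical", "probable",
           [("shielded display cable", "critical", "remote")]),
    Hazard("H3", "biological", "cleaning-agent residue on patient-contact surface", "minor", "improbable"),
]
```

H2 stays in the "reduce further" band after its only control, so it is the one entry that still needs a mitigation plan; the residual check also rejects any control that would raise the risk score.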

Risk can also stem from supply chain vulnerabilities, such as longer lead times and higher levels of cyclicity. These in turn mean delays in receiving materials and an imbalance in stock inventory, and hence affect business continuity. In these situations, the optimal risk mitigation strategy is to reduce reliance on single-sourced components. There is increased emphasis on maintaining flexibility in supply chain operations so that business-critical activities can proceed as planned; in practice this means manufacturers can use multiple sources or plants to ensure an uninterrupted production flow even in times of crisis.

Risk management of medical devices is innately a probabilistic field. Companies must plan for unpredictable crises and have resilient supply chain strategies to back them up. These strategies are to be regularly checked and updated through the quality management system and regular audits, so that the company is ready to face a disruptive crisis. Apart from the supply chain, the company must also look into potential failures in the production process, examining the product’s efficacy, reliability and safety. Future development of the product relies on the knowledge gained from these risk assessments.

The Role of AAMI Certifications (to Follow the ISO Standards)

The Association for the Advancement of Medical Instrumentation (AAMI) is a standards development organization accredited by the American National Standards Institute (ANSI). It plays a major role in developing national standards in the US that meet the basic and essential requirements of openness, harmony, consensus and due process set by ANSI. The AAMI also administers several international technical committees of the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission).

If the company’s target market for the medical device is the US, it must comply with FDA regulations. Medical devices designed to other standards, including ISO standards, run a higher risk of not being approved by the FDA, because the FDA adopts its own adaptations of international and regional standards. One such standard applicable to medical devices is ANSI/AAMI/ISO 14971, a harmonized standard followed by regulatory bodies and manufacturers. The aim of such regulations is to support the production of medical devices/products that give assurance of patient safety.

What is ISO 14971:2019 and Its Significance?

ISO 14971:2019 is the latest edition of the global standard that guides medical device manufacturers through risk/hazard identification, risk assessment and, finally, the establishment of control measures, while also ensuring the company is able to monitor the effectiveness of the risk management protocols it has put in place.

The ISO 14971 standard applies throughout the product life cycle, including the post-production phase. It is also in line with the European Union Medical Device Regulation (EU MDR) and In Vitro Diagnostic Regulation (IVDR). The 2019 edition includes a more specific definition focused on predictable misuse of the product, and the broad inclusion of such “reasonably foreseeable” risks applies to both professional and lay users of the medical device/product.

ISO 14971 defines a standard process for identifying risks associated with medical devices at all stages of their life cycle. In all cases, the goal is to analyze, evaluate, control, and monitor the risks associated with each lifecycle stage. The 2019 edition is shorter than its predecessors: many of the annexes from the 2007 version have been moved into the guidance document ISO/TR 24971:2020, which provides support for implementing risk management. The new edition comprises ten clauses and three annexes.

If the medical device company is considering the European Union as the target market to sell, there are similar standards that have been adopted from the ISO by the European Committee for Standardization (CEN) and from the IEC by the European Committee for Electrotechnical Standardization (CENELEC).

CEN adopts the ISO standard, with modifications where required, and publishes it with an “EN” prefix, for example:

  • EN ISO 14971:2019, Medical devices — Application of risk management to medical devices
  • EN ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes.

How Can Kolabtree Freelancers Guide You Through Medical Device Risk Management?

The global market for medical devices has grown, and with it the complexity of ensuring their safe and efficient use and functioning. This has led to the formulation of standards and regulations that differ across regions and countries. Manufacturers need to consult risk management experts to ensure compliance with the regulations of their target market geographies, which is key to gaining access to a broader range of international markets.

Medical device risk management is most effective when it is applied early on and throughout design and development. Even after release into the market, feedback helps modify steps in the design and development of the device. There is always a chance that risks or hazards can come up at any stage, so putting together an efficient risk management panel is essential.

Here’s where platforms like Kolabtree can provide cost-effective solutions, helping businesses tap into independent risk management experts available for on-demand consulting. This helps firms hire these experts for short-term consulting, make sure foolproof risk management solutions are implemented, and consult them as and when their expertise is required.

These experts help companies assess the potential risks pertaining to the medical device and later decide on what risk control protocols are to be implemented. A vital move for the company would be to employ efficient and competent individuals from varied disciplines who understand each aspect of the medical device — from its construction to its proper usage scenarios. 

The panel needs representation from various departments: regulatory affairs, quality control, engineering, manufacturing, human factors engineering, marketing and also risk analysts.


