What is risk management for medical devices and in vitro diagnostic devices (IVDs)?

Risk management is a structured process used to identify, assess, control, and monitor risks throughout the entire lifecycle of a medical device or IVD. Its main goal is to minimize potential hazards, such as mechanical failures, software errors, or biological risks, ensuring safety for patients and users.

According to the MDR 2017/745 and IVDR 2017/746 regulations, risk management is a mandatory element of the device’s technical documentation. Manufacturers must demonstrate that the risks have been reduced to an acceptable level and that clinical benefits outweigh the residual risk. Risk management applies to newly designed products, legacy devices, and innovative technologies.

The role of risk management in ensuring device safety

Risk management plays a fundamental role in ensuring device safety by systematically identifying potential hazards and implementing mitigation measures. It covers:

  • design-related mechanical and structural issues,
  • user errors and use-related risks,
  • software functionality risks, including Software as a Medical Device (SaMD),
  • hazards arising from system integration or interoperability.

Without a robust risk management system, neither the clinical evaluation required for medical devices nor the performance evaluation required for IVDs can be properly conducted, because both draw on the identified hazards and residual risks.

Regulatory compliance under MDR and IVDR

Both MDR and IVDR require risk management to be a continuous and iterative process. Article 10 of the MDR and relevant IVDR sections mandate a systematic approach that includes:

  • hazard identification related to design, manufacturing, and use,
  • analysis of hazardous situations and their potential consequences,
  • risk estimation and evaluation,
  • verification that residual risks are acceptable,
  • monitoring of the effectiveness of control measures.

Regulatory compliance also demands regular updates of the risk documentation based on data collected from post-market surveillance (PMS), clinical studies, performance testing, and preclinical testing.

Applicable risk management standards

  • ISO 14971: the primary standard outlining the structure of risk management for both medical devices and IVDs.
  • ISO 24971: guidance providing practical interpretation and examples for implementing ISO 14971.
  • ISO 13485: requires the integration of risk management into the quality management system.
  • IEC 62304: focused on software lifecycle and associated risks.
  • ISO 22367: specific to IVDs, addressing diagnostic and analytical risks.

Risk analysis stages for medical and IVD devices

  1. Scope definition: technical and clinical boundaries of analysis.
  2. Hazard identification: physical, chemical, biological, mechanical, usability-related.
  3. Hazardous situations definition: scenarios leading to injury or diagnostic error.
  4. Risk estimation: assigning probability and severity values.
  5. Risk evaluation and control: using design, technical, procedural, or information-based mitigations.
  6. Residual risk evaluation: assessment of remaining risks after controls are applied.
  7. Risk acceptability check: comparison against acceptability thresholds.
  8. Documentation and review: updating the risk register and verifying effectiveness.

User error as a risk source

The MDR and IEC 62366-1 require all reasonably foreseeable use errors to be treated as identifiable risks. The device must be designed to eliminate or reduce the probability of user misinterpretation, inattention, or misuse through usability engineering.

Categories of hazards

  • Physical: mechanical failure, electromagnetic fields, temperature sensitivity.
  • Chemical: reactivity, toxic materials, residual substances.
  • Biological: contamination, allergic reactions, sterility issues.
  • Mechanical: instability, component degradation, pressure-related risks.
  • Software-related: logic errors, calculation bugs, cybersecurity vulnerabilities.
  • Use-related: errors due to non-intuitive user interfaces or unclear instructions.

Risk evaluation matrix (P × S)

Manufacturers often use a two-dimensional matrix:

  • P – Probability: 1 (rare) to 5 (frequent)
  • S – Severity: 1 (minor) to 5 (catastrophic)

The calculated risk level (P × S) is then assessed against predefined thresholds within the company’s risk policy. These are documented within the risk management plan.

Risk management for medical device software

For innovative technologies and SaMD, manufacturers must comply with IEC 62304 and ISO 14971. Risk management includes:

  • identification of algorithm-related risks and input/output data issues,
  • validation of software architecture and code quality,
  • functional and environmental testing,
  • version control, cybersecurity management, and post-market updates.

The manufacturer must demonstrate that the software remains within safe risk limits even under system failure or overload. This includes cybersecurity vulnerabilities and data integrity threats.

Risk probability and consequence analysis in medical devices

Risk evaluation is based on two pillars: the likelihood of occurrence and the severity of consequences. These are assessed using:

  • historical data (e.g., incident reports, field feedback),
  • scientific literature and public databases (e.g., EUDAMED, MAUDE),
  • laboratory tests, stress simulations, and real-world usage scenarios.

Examples of risk consequences

  • Clinical: injuries, hospitalization, serious deterioration, death.
  • Diagnostic: false positives/negatives, missed diagnoses, treatment delays.
  • Economic: product recalls, reputational damage, litigation costs.

Residual risk acceptability

Residual risks must be compared against predefined acceptability criteria. If a residual risk is not acceptable, further mitigation is required, or its retention must be justified through a benefit-risk analysis. The acceptability process runs through the following stages:

  1. Risk identification
  2. Risk evaluation (using risk matrix)
  3. Comparison with acceptance criteria
  4. Mitigation and control
  5. Residual risk assessment
  6. Overall risk aggregation
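The P × S matrix described above and the six-stage acceptability process can be walked through on a small risk register. The following Python script is an added illustration, not code from the original page or from any manufacturer's risk file: the thresholds (acceptable at P × S ≤ 4, unacceptable at ≥ 15, anything between needing further reduction or a benefit-risk justification), the three hazard entries, and the effect each control has on P or S are all constructed assumptions standing in for what a real risk management plan and verification records would define. It scores each hazard before and after its controls, re-evaluates the residual score against the policy, and then aggregates the register so the items that still need justification stand out.

```python
"""Worked P x S risk-register walk-through (added example, constructed data)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Assumed risk policy thresholds on the 1..25 score range. Hypothetical values;
# a real policy is set in the manufacturer's risk management plan.
ACCEPTABLE_MAX = 4     # P x S <= 4  -> acceptable without further action
UNACCEPTABLE_MIN = 15  # P x S >= 15 -> must be reduced before release


class Acceptability(Enum):
    ACCEPTABLE = "acceptable"
    JUSTIFY = "reduce further or justify via benefit-risk analysis"
    UNACCEPTABLE = "unacceptable"


def risk_score(p: int, s: int) -> int:
    """P (1 rare .. 5 frequent) times S (1 minor .. 5 catastrophic)."""
    if not (1 <= p <= 5 and 1 <= s <= 5):
        raise ValueError("P and S must both be on the 1..5 scale")
    return p * s


def evaluate(score: int) -> Acceptability:
    """Stage 3: compare a P x S score against the policy thresholds."""
    if score <= ACCEPTABLE_MAX:
        return Acceptability.ACCEPTABLE
    if score >= UNACCEPTABLE_MIN:
        return Acceptability.UNACCEPTABLE
    return Acceptability.JUSTIFY


@dataclass
class Control:
    """A risk control and its verified effect on P and/or S (None = no change)."""
    description: str
    kind: str  # design / technical / procedural / information / organizational
    new_p: Optional[int] = None
    new_s: Optional[int] = None


@dataclass
class RiskItem:
    hazard: str
    hazardous_situation: str
    p: int
    s: int
    controls: List[Control] = field(default_factory=list)

    def initial_score(self) -> int:
        return risk_score(self.p, self.s)

    def residual(self) -> Tuple[int, int]:
        """Stage 5: residual P and S; a control may lower a value, never raise it."""
        p, s = self.p, self.s
        for c in self.controls:
            if c.new_p is not None:
                p = min(p, c.new_p)
            if c.new_s is not None:
                s = min(s, c.new_s)
        return p, s

    def residual_score(self) -> int:
        return risk_score(*self.residual())


def build_sample_register() -> List[RiskItem]:
    """Stages 1, 2 and 4 for three constructed entries (not real incident data)."""
    return [
        RiskItem("Firmware update image not authenticated (software/cybersecurity)",
                 "Tampered firmware changes device behaviour", p=3, s=5,
                 controls=[Control("Verify a digital signature before installing an update",
                                   "design", new_p=1)]),  # severity unchanged
        RiskItem("Assay reagent stored above labelled temperature (chemical)",
                 "Degraded reagent yields a false negative result", p=2, s=4,
                 controls=[Control("Irreversible temperature indicator on the kit box",
                                   "technical", new_p=1)]),
        RiskItem("Sharp edge on device housing (mechanical)",
                 "User laceration during handling", p=3, s=2,
                 controls=[Control("Rounded, deburred housing edges", "design",
                                   new_p=1, new_s=1)]),
    ]


def aggregate(register: List[RiskItem]) -> Dict[str, object]:
    """Stage 6: overall residual picture across the register."""
    scores = {item.hazard: item.residual_score() for item in register}
    return {
        "max_residual": max(scores.values()),
        "needs_justification": [h for h, sc in scores.items()
                                if evaluate(sc) is Acceptability.JUSTIFY],
        "unacceptable": [h for h, sc in scores.items()
                         if evaluate(sc) is Acceptability.UNACCEPTABLE],
    }


if __name__ == "__main__":
    reg = build_sample_register()
    for item in reg:
        print(f"{item.hazard}: initial {item.initial_score()} -> "
              f"residual {item.residual_score()} ({evaluate(item.residual_score()).value})")
    print(aggregate(reg))
```

Two points the run makes visible: the signature-verification control takes the firmware hazard from 15 (unacceptable) down to 5, but because it lowers only probability and not severity the item still lands in the band that needs a documented benefit-risk justification; and the aggregation step reports that item by name, which is what a reviewer or notified body would look for in the residual risk evaluation.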

Risk control measures in medical and IVD devices

ISO 14971 requires a risk control hierarchy to be applied:

  1. Design controls: inherently safe design (e.g., rounded edges, stronger materials).
  2. Technical protections: alarms, shields, locks, safety interlocks.
  3. Procedural controls: process validation, production controls, maintenance plans.
  4. Information for safety: user manuals, IFUs, labels, training programs.
  5. Organizational measures: surveillance plans, quality audits, CAPA processes.

Examples of effective controls

  • Use of biocompatible, certified materials (design control)
  • Sound and visual alarms for malfunction (technical)
  • Sterilization validation and traceability (procedural)
  • Graphical warnings on packaging (information-based)
  • Emergency response protocols and post-market systems (organizational)

Design and manufacturing strategies for risk reduction

Risk-based design is a core principle under MDR and IVDR. During development, manufacturers must proactively eliminate or reduce risk:

  • Streamlined user interfaces to reduce interaction complexity,
  • Safety redundancies and fail-safes,
  • Design validation aligned with harmonised standards,
  • Software logic constraints to prevent misuse.

In manufacturing, Good Manufacturing Practice (GMP) and validated critical processes must be followed. Real-time process monitoring and environmental controls (e.g., humidity, particle count) are essential. Final product verification, functional testing, and traceability complete the cycle.

Risk management documentation and control procedures

Comprehensive documentation is essential for conformity assessment and must be maintained throughout the product lifecycle. It includes:

  • Risk management plan – scope, responsibilities, criteria, tools, review schedule.
  • Risk register – full list of hazards, risk scores, mitigation status, and reviews.
  • Risk evaluation report – conclusions on residual risk acceptability.
  • PMS, PMCF, PMPF documentation – post-market findings and risk reassessment data.

Control procedures include:

  1. Systematic risk identification across the lifecycle,
  2. Implementation and verification of mitigation actions,
  3. Effectiveness evaluation and documentation updates,
  4. Internal and external audits under ISO 13485.

What is residual risk?

Residual risk refers to the risk that remains after all reasonable mitigation measures have been applied. According to ISO 14971 and EU regulations, residual risks must:

  • be justified clinically and technically,
  • be transparently documented,
  • be outweighed by proven clinical benefits.

Examples include minor allergic reactions, rare misuse scenarios despite clear instructions, or infrequent software glitches that do not impact safety.

How is residual risk evaluated?

The residual risk assessment involves:

  1. Verifying all relevant controls are in place,
  2. Ensuring the remaining risk aligns with acceptance criteria,
  3. Demonstrating clinical benefit over residual risk in the technical file.

Acceptance process for IVD residual risks

IVD manufacturers must follow IVDR and ISO 22367 to confirm that all residual diagnostic risks are:

  • as low as reasonably achievable,
  • clinically justified, and
  • monitored through an active PMPF plan.

This includes evaluating risks like false negatives in diagnostic outcomes, especially for Class C and D IVDs.

Post-market surveillance (PMS)

PMS is an ongoing process required under EU law to monitor real-world performance and uncover emerging risks. It includes:

  • incident reports and customer feedback,
  • data from clinical studies and field performance,
  • scientific literature and vigilance reporting.

For medical devices, PMCF ensures continuous validation of safety and performance. For IVDs, PMPF verifies long-term diagnostic reliability. Both inform future updates of risk documentation and technical files.

The role of the notified body

The notified body is responsible for assessing whether the manufacturer’s risk management system:

  • covers the full device lifecycle,
  • includes effective, traceable mitigation actions,
  • demonstrates residual risk acceptability, and
  • is updated regularly with PMS, PMCF, and PMPF data.

Failure to demonstrate adequate risk control may result in certificate delays, corrective actions, or rejection.

Benefits of risk management

  • Improved patient safety: hazards are proactively identified and minimized.
  • Faster market access: robust documentation supports smoother audits.
  • Higher product quality: systematic design and production safeguards.
  • Regulatory readiness: compliance with ISO 14971 and EU regulations.

Challenges in risk management

  • Complexity: requires input from clinical, technical, and regulatory teams.
  • Constant updates: risk files must reflect current post-market findings.
  • Balancing innovation and caution: overcontrol can delay device improvements.

How Pure Clinical can support risk management

Pure Clinical supports manufacturers of medical devices and IVDs in implementing, reviewing, and improving their risk management systems. We offer:

  • development of ISO 14971-compliant risk management plans,
  • risk file integration into the technical documentation and QMS,
  • support for clinical evaluation and performance evaluation alignment,
  • preparation for audits and notified body reviews,
  • strategic guidance tailored to device class and market access route.

We assist throughout the product lifecycle—from early design to post-market monitoring—ensuring full compliance with EU regulations and international standards.

FAQ

How often should the risk documentation be updated?

At least annually or whenever a change occurs—such as a design update, new supplier, or signal from PMS. The frequency must be defined in the risk management plan.

Should supply chain risks be included in the risk file?

Absolutely. MDR and IVDR require assessment of risks linked to component sourcing, supplier reliability, and the impact of variability on product performance.