Creating a Medical Device Risk Management Plan and Conducting a Risk Analysis

May 1, 2020

Your risk management plan outlines the process of how you will conduct risk management for a particular device, and it becomes part of your risk management file. Importantly, the process should be repeated throughout the life cycle of the device. The overall risk management process usually is documented in a general procedure containing common risk management activities for all devices. Then one or more individual risk management plans “personalize” the content of the procedure to provide more exact details for managing the project for a particular device or device family.


This is a four-part series on risk management.

Several activities should be part of your risk management plan, and we will talk more about them later. First, you need to define the scope of what you will be evaluating, including a detailed device description and its life cycle. This is also the time to lay out clearly your risk acceptability criteria; your specific assessment, control, and verification activities; and your production and post-production plans. This is where you can leverage the process outlined in your risk management procedure, referencing that procedure for elements of the process that are not changing in the specific plan. For example, the procedure outlines the organization's risk policy and general acceptability criteria. These may not change for an individual device risk management plan, so simply summarize them in your plan and reference the procedure. Your procedure, plan, and all other documentation need to be controlled, as they become part of the risk management file, which is part of the technical documentation of the device.

Putting together your risk management team

About your team: they need to be well qualified. What does that mean? It means you need to make sure you select people who truly understand how your device works, how it is made, and how it is used. This is not simply a collection of friendly colleagues who play no real role in risk management. All team members need to be qualified to perform their risk management role, and you must provide objective evidence of their qualifications. After all, your team will be charged with determining what could happen, how likely it is to happen, how bad it will be if it does happen, and how you can reduce the likelihood that it will happen. Don't take this lightly. Since you need to provide evidence of competency, the plan documents the actual people on the team, while the procedure may call out only functional areas of responsibility (e.g. R&D, QA, RA).

Performing a risk analysis of your medical devices

Now that you have a plan and a team, it’s time to conduct an initial risk analysis. This is the point at which you document intended use and characteristics related to device safety under normal and fault conditions. Then, based on these inputs, identify known and foreseeable hazards, and the sequence of events that might result in a hazard leading to a hazardous situation. Note that not all hazards will result in a hazardous situation.
The first step in the analysis is to ask questions. Annex A of ISO/TR 24971:2020 has a long list of questions to get you started on identifying characteristics related to safety, and even some preliminary hazards, in the design concept phase. Think about the ways a user might inadvertently misuse the device, or how the device might fail. Are there other similar products on the market? What has gone wrong with them? FDA databases (MAUDE), published journal articles, online product reviews (for consumer devices), and user interviews are good sources for such information. The extent to which you perform this analysis largely depends on the risk classification of your device.

After you have identified hazardous situations, you need to estimate the risks associated with the situation. This includes the probability that the hazardous situation will occur, probability that the situation will lead to harm, and the severity of that harm. Sometimes the probability of harm cannot be estimated because of the role of the user in recognizing the situation, so be sure to document the possible consequences in these cases. Put yourself in the shoes of the user or patient. What could go wrong during typical use situations? Could the device be misused in a way that would cause harm? What environmental factors need to be considered? Is the device used at home? In a noisy, chaotic area of a hospital or lab?

Here’s an example. Let’s suppose you make a blood glucose meter. Your product displays the most important readings in very large text. If you examine the screen while sitting in your office, you might assume that the probability of a misread by the user is quite low. But what happens when you take it outside into bright sunlight? Is the display screen highly reflective? Can you clearly read everything using sunglasses? How about in low light? Is the battery meter clearly visible and does it provide adequate warning of battery depletion? These are potentially hazardous situations and your mission is to estimate the probability of those situations. Regulators expect you to anticipate these issues. Never blame the user.

Let's go back to the battery indicator issue we just mentioned. In this case, the "hazard" might be a battery indicator that is too small on the display and without any supplemental warning light to signal that the battery is very low. A "hazardous situation" that might result involves users who need to check their blood glucose level right away, only to find their glucose meter is out of power. If the users have no way to recharge the meter for 2 hours, they may simply guess how much insulin they need based on how they are feeling. The harm that could result is hypo- or hyperglycemia caused by improper dosing of insulin. This risk can be mitigated by making the battery meter larger, and/or by adding a supplemental visual or audible indicator that warns users that recharging is needed.

Estimating the probability of harm

Risk is the combination of the probability that a harm will occur and the severity of that harm. ISO 14971 requires you to estimate both. But how is that done? Reference historical data and published FDA data, and work to understand typical use scenarios. A qualitative probability table similar to the one shown below will help you work through the potential hazardous situations. You can also use a semi-quantitative system that assigns numerical levels to probability and severity. Annex D provides some guidance on risk analysis concepts, including risk estimation, but you can create your own scale and descriptors as long as you define them in your risk management procedure. Keep in mind that one harm can have several levels of severity; burns, for example, range from minor to life-threatening.

Qualitative risk acceptability matrix

A risk matrix such as the one shown below helps the organization make objective decisions on actions to take if a risk shifts from one box to another, based on a change in probability or severity.
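Risk estimation and the matrix decision, worked through in Python as an added example that is not code from the article. The probability bands, the severity scale, and the acceptability matrix are an assumed house scale (a real plan defines its own in the risk management procedure), and every number in the glucose-meter case is assumed for illustration. The block combines P1 (probability the hazardous situation occurs) and P2 (probability it then leads to harm) into a probability of harm, maps that onto the qualitative scale, reads the acceptability decision from the matrix, and shows the battery-indicator risk moving from one box to another when the control is applied; a situation whose P2 cannot be estimated is evaluated conservatively on severity.

```python
"""Semi-quantitative risk estimation and evaluation in the ISO 14971 style.

Added example, not code from the article. The probability bands, the
severity scale, the acceptability matrix and every number in the
glucose-meter case are assumed for illustration; a real plan defines
its own scales in the risk management procedure.
"""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional, Tuple


class Severity(IntEnum):
    NEGLIGIBLE = 1    # inconvenience or temporary discomfort
    MINOR = 2         # injury not needing professional medical intervention
    SERIOUS = 3       # injury needing professional medical intervention
    CRITICAL = 4      # permanent impairment or life-threatening injury
    CATASTROPHIC = 5  # death


# Qualitative probability levels with the per-use probability band each
# covers (assumed house scale): a level applies to p below its upper bound.
PROBABILITY_BANDS = [
    ("improbable", 1e-6),
    ("remote", 1e-5),
    ("occasional", 1e-4),
    ("probable", 1e-3),
    ("frequent", float("inf")),
]

# Acceptability matrix (assumed): row = probability level, column index =
# severity - 1. "ALARP" means reduce further where practicable.
ACCEPTABILITY = {
    #              NEGLIGIBLE    MINOR           SERIOUS         CRITICAL        CATASTROPHIC
    "frequent":   ["ALARP",      "unacceptable", "unacceptable", "unacceptable", "unacceptable"],
    "probable":   ["acceptable", "ALARP",        "unacceptable", "unacceptable", "unacceptable"],
    "occasional": ["acceptable", "acceptable",   "ALARP",        "unacceptable", "unacceptable"],
    "remote":     ["acceptable", "acceptable",   "acceptable",   "ALARP",        "unacceptable"],
    "improbable": ["acceptable", "acceptable",   "acceptable",   "acceptable",   "ALARP"],
}


def probability_of_harm(p1: float, p2: float) -> float:
    """P = P1 x P2: the probability that the hazardous situation occurs,
    times the probability that it then leads to the harm."""
    return p1 * p2


def probability_level(p: float) -> str:
    """Map a numeric probability of harm onto the qualitative scale."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    for name, upper in PROBABILITY_BANDS:
        if p < upper:
            return name
    return "frequent"  # not reached: the last band is unbounded


@dataclass(frozen=True)
class HazardousSituation:
    hazard: str
    situation: str
    harm: str
    severity: Severity
    p1: float            # probability the hazardous situation occurs (per use)
    p2: Optional[float]  # probability it leads to harm; None if not estimable

    def __post_init__(self) -> None:
        for p in (self.p1, self.p2):
            if p is not None and not 0.0 <= p <= 1.0:
                raise ValueError(f"probability out of range: {p}")


def evaluate(hs: HazardousSituation) -> Tuple[str, str]:
    """Return (probability level, acceptability decision) for one situation."""
    if hs.p2 is None:
        # When the probability of harm cannot be estimated (e.g. it hinges on
        # the user noticing the situation), ISO 14971 has you list the
        # consequences and evaluate on them; treating the probability as
        # "frequent" is the conservative choice assumed here.
        level = "frequent"
    else:
        level = probability_level(probability_of_harm(hs.p1, hs.p2))
    return level, ACCEPTABILITY[level][hs.severity - 1]


def apply_control(hs: HazardousSituation, **changes) -> HazardousSituation:
    """Model a risk control by replacing the inputs it changes (p1, p2 or
    severity); the result is the residual-risk estimate to re-evaluate."""
    return replace(hs, **changes)


# The article's glucose-meter case. Numbers are assumed, not measured.
BATTERY = HazardousSituation(
    hazard="Battery indicator too small; no supplemental low-battery warning",
    situation="User needs a reading now, meter is out of power, no recharge for 2 hours",
    harm="Hypo- or hyperglycemia from insulin dosed by guesswork",
    severity=Severity.SERIOUS,
    p1=1e-2,   # assumed: unnoticed depletion in about 1 of 100 uses
    p2=0.05,   # assumed: 1 in 20 such events ends in harmful mis-dosing
)


def battery_example() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Risk before and after the control (bigger indicator plus an audible
    low-battery alert, assumed to cut P1 a hundredfold)."""
    before = evaluate(BATTERY)
    after = evaluate(apply_control(BATTERY, p1=1e-4))
    return before, after


if __name__ == "__main__":
    for label, (level, decision) in zip(("before", "after"), battery_example()):
        print(f"{label}: P={level}, S={BATTERY.severity.name}, decision={decision}")
```

Running the file prints the before and after rows: the battery situation starts in the "probable / serious" box (unacceptable under the assumed matrix) and the control moves it to "remote / serious" (acceptable). In a real plan the P1 and P2 values, the band boundaries and the matrix itself must each be traceable to the complaint, field and test data the procedure names, which is the point of treating estimation as data-driven.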

Ultimately, risk estimation should be viewed as a data-driven process. Gather as much quantitative information as possible from your complaint-handling files, published standards, technical data, clinical data, results of investigations, expert opinion, field data, MDRs (FDA Medical Device Reports), and test data. You can document it in a spreadsheet, a dedicated software tool, or a simple list, as long as it is controlled as part of the risk management file.

Want to learn more?

If you enjoyed this article, be sure to read the third post in this series, which focuses on risk control and risk management tools.
