Medical Device Risk Control and Risk Management Tools

May 1, 2020

A big portion of risk management is evaluating and reducing risk. However, sometimes the likelihood of harm resulting from a hazard is quite low, and mitigating that hazard may not provide any tangible reduction in risk; in fact, it may diminish your device’s benefits. Here’s a quick example. Let’s say you produce a blood glucose meter. To improve visibility, you consider switching to a color display. However, doing so would introduce a new hazard: color screens require more power, which would decrease battery life. If the current monochromatic display is quite readable, you may actually increase overall risk by adding this new “feature.”


This is a four-part series on risk management. Download all four parts as a single PDF.


To avoid making the wrong decision, evaluate risks using a disciplined, planned process. In your risk management file, document the hazards you identify and the rationale behind the decision to control or not control those risks. Remember, you cannot trade off safety for cost!

Once you have identified the risks, analyzed their severity, and assessed their likelihood to occur, it’s time to look at how those risks can be controlled. Clause 7 of ISO 14971 is all about risk control. You will confront the following questions:

  • Can we reduce the risk?
  • What is the best way to do it?
  • Did the risk control work?
  • Is the residual risk acceptable?

Your risk management file must include evidence that you have conducted a risk analysis and risk evaluation for each identified hazard, including foreseeable risks. This also includes implementation and verification of risk control measures, and an assessment of the acceptability of residual risk.

Commonly used risk management tools

Unless you have prior experience with risk management, it can be perplexing to figure out which risk evaluation tools are best suited to your situation. There are many options, each with pros and cons. The one(s) you use will depend on your product and company culture, among other things. It would take far too long to go into depth about every option available to you. The tables below show some common tools you can use to evaluate risk. A powerful combination of tools is the FMEA and FTA, which together combine the bottom-up and top-down approaches, providing a robust and thorough risk analysis. See Annex B of ISO/TR 24971 for more information on the application of several of the techniques noted below.

Commonly Used Risk Evaluation Tools

Residual risk: Avoiding analysis paralysis

The number of possible hazardous scenarios is limited only by imagination. Does that mean you must document all possible risks, including the likelihood that Godzilla will invade your city and crush your manufacturing plant? No.

Clauses 7.4 and 8 of ISO 14971:2019 emphasize the need to evaluate residual risk. Likewise, Annex I of the European Medical Device Regulation (2017/745) says that you should “reduce risks as far as possible” without adversely impacting the benefit-risk ratio.

Annex I of the EU MDR and ISO 14971:2019 3.15 also require you to minimize all known and foreseeable risks to an acceptable level when weighed against the medical device benefits. This includes intentional and unintentional misuse of your device.

To ensure that you do not go overboard in analyzing residual risks, establish a systematic process and focus on the risks that are within your control. For example, you shouldn’t fixate on the device risks posed by a new global pandemic. That’s completely out of your control. However, you should identify organizational risks posed by potential supply chain issues.

This process will reveal the strength (or blind spots) of the team you have assembled. You need to assemble people who fully understand how your device is manufactured, distributed, and used. Someone without any knowledge of how your device is manufactured will not be able to foresee scenarios that could create hazardous situations.

How low should you go?

An important part of the risk analysis process is to ensure that you do not introduce new hazards in your quest to eliminate or minimize hazards. FDA describes its expectations about risk-based decisions. In the preamble of 21 CFR Part 820, FDA states that if any risk is judged to be unacceptable, it should be reduced to acceptable levels by the appropriate means, which may include a redesign or warnings. ISO 14971:2019 refers you to your own risk acceptability policy to determine risk control options. Your risk policy establishes criteria for the level of control and may employ one of the following two approaches.

ALARP – As Low As Reasonably Practicable

  • ALARP refers to controls that are considered viable or capable of being implemented, and it has two components.
  • First, look at technical practicability in reducing risks, ensuring that the controls do not reduce the effectiveness of the device and are not overly complex or confusing for users.
  • Then, consider the economic practicability, ensuring risk controls do not reduce the availability of the device to protect human health by making it too expensive for users.
  • Note that “practicable” (versus practical) means something that can actually be put into practice.

AFAP – As Far As Possible

  • Policy of reducing risk as far as possible without adversely affecting the benefit-risk ratio.
  • Takes into account the generally acknowledged “state of the art.”
  • Required by EU MDR General Safety and Performance Requirements (GSPR) Annex I.

If you sell in the US and Europe, we recommend you adopt AFAP as your risk control approach. While Section 4.1 (Note 1) of ISO 14971:2019 mentions the general concept of reducing risk to ALARP and Annex D of ISO/TR 24971:2020 does mention the “cost of further reduction” in the definition of practicability, it is never acceptable to trade off device safety against cost. The rationale for your decision must be documented in your risk management file so don’t even think about mentioning cost in your justification.

Don’t forget to evaluate benefits!

ISO 14971:2019 does not change the risk management process, but it does finally define “benefits” – something ISO 14971:2007 and EN ISO 14971:2012 did not. Benefit is now defined as:

“Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health.”

The US FDA also publishes an excellent guidance document discussing the risk-benefit evaluation process for medical devices. Ultimately, FDA recommends that you take the following factors into account:

  • Type of benefit – quality of life, relief from symptoms, reduced probability of death, etc.
  • Magnitude of benefit – anticipated change in condition or clinical management
  • Probability of benefit – can be based on prior investigations, demographics, health status, etc.
  • Duration of benefit – curative or repeated interventions required
  • Availability of alternatives – safety and effectiveness of other options

Notice that the definition of benefit and the factors above extend beyond the impact on the patient. See this article on how to properly evaluate benefits. Finally, just remember that the benefit-risk analysis is not a calculable ratio. There is no formula for determining the correct balance. Let common sense drive your analysis.

Want to learn more?

If you enjoyed this article, be sure to read the final post in this series focusing on risk management review, reporting and post-market planning. If you’re ready to take the next step, check out our risk management training class available as instructor-led virtual or classroom formats.
