Risk Management Review, Reporting and Postmarket Planning

May 1, 2020

As part of the risk review process, you’ll need to assess your risk management activities against the risk management plan on three levels:

1 – Has the plan been implemented appropriately?
2 – Is the overall residual risk acceptable?
3 – Are production and post-production information collection methods implemented?

The summation of answers to these questions becomes your risk management report, which is part of your larger risk management file. The report documents the conduct and results of your risk management activities. Your risk management file includes or references all required documents and provides traceability for each hazard and is what you will use to demonstrate compliance with standards and regulations.


This is a four-part series on risk management. Download all four parts as a single PDF.

Be judicious with the amount of information contained in the risk management report – it’s a useful internal reference, but it may contain more information than you need to show auditors. Instead we recommend that you prepare a risk management summary. This should be a standalone document, not a prologue to your larger risk management file. The summary provides an overview for auditors, contains a synopsis for executives and references detailed information. It complements your detailed risk management report which should be reserved for internal use and as a working living document.

Production and post-production activities

Once your device is for sale on the market, congratulations: your risk management work is done. Ok, just kidding – your work is never done! Risk management is an ongoing process for as long as the device is in service. Typically, you will find yourself dealing with two types of post-production issues as shown in the table below.

Post-production Risk Management


Your risk management process should document both pathways for analysis. As part of your ongoing efforts, you should be evaluating complaints, incidents, product failures, and design process changes for potential safety impact. You will also take into account any changes in installation, use, and servicing. Are previously unrecognized hazards present? Is the estimated risk no longer acceptable? Is the original assessment still valid? Possible incident-driven triggers include:

  • Design/materials changes
  • Manufacturing changes
  • Vendor changes
  • Individual complaints
  • Medical device record
  • Incidents
  • Malfunctions
  • Standards changes

You are required to analyze all incidents, near-incidents, and malfunctions to categorize their risk level. The triggers can also be review-driven and prompted by:

  • Management review information including complaints, audits, CAPA
  • Postmarket surveillance report
  • Clinical evaluation report
  • Ongoing supplier evaluation report
  • Predefined risk management plan review intervals

Whatever the trigger, your assessment must be documented, becomes part of your risk management file, and may result in a corrective and preventive action (CAPA) or having to file a vigilance report or other regulatory notification.

Production and post-production information collection

As we have mentioned, risk management is best managed as a process and a series of projects. That means it is ongoing and the continuous collection of information is essential and required. This collection should include information about device performance, device patient populations, reasonably foreseeable misuse and previously unknown hazards and risks. You can gather this data from users of the devices, installation/maintenance records, your supply chain, or public information relevant to your device. All of this collected information must be reviewed for potential application to the safety of the device. Here are some examples of specific things to consider during that review:

  • Has intended use of the device been modified?
  • Are the expected benefits of the device still valid?
  • Is there a new risk or a risk not considered before?
  • Has the benefit-risk ratio changed?
  • Have new misuses been identified?
  • Are the estimated severities of harm appropriate?
  • Have risk control measures performed as expected?
  • Have any changes taken place in the state of the art for
    the device?
  • Is there evidence that the overall residual risk is still acceptable?

After this initial review has been done, you may come to one of the following conclusions:

  • Overall residual risk remains acceptable with no new hazards or hazardous situations identified
  • Overall residual risk has changed and no longer is acceptable – action is required
  • A new hazard was identified and requires further action
  • State of the art related to the device has changed and must be evaluated for further action

Make sure your review is documented in your risk management file even if no changes are needed!

Also use the information you collect and review for the device to see if there are opportunities to improve the risk management process itself.  For example, did a complaint from the field highlight a gap in how you originally identified the hazards associated with the device – maybe a missing type of expertise on your risk management teams?   Be sure to look at the collected information from the process improvement perspective, too.

Pulling it all together

Risk management plays a vital role in promoting the safety of medical devices. A well-designed program of risk management is an ongoing exercise in proactive problem solving that saves headaches in the long run. It also benefits patients or users and can result in higher user satisfaction and more insights into how you make your products better. Top-tier companies take the responsibility very seriously.

Want to learn more?

If you enjoyed this series and you’re ready to take the next step in strengthening your knowledge of risk management, check out our ISO 14971:2019 training class available as instructor-led virtual or classroom formats.

Our team is here to help. Call 1.800.472.6477 or contact us online ›