Medical Device Risk Management Under ISO 13485
Understanding risk management requirements for medical device manufacturers under ISO 13485 and ISO 14971. A comprehensive guide for compliance and patient safety.
Why Risk Management is Central to Medical Devices
Unlike many industries where quality failures mean customer complaints or warranty costs, medical device failures can cause patient harm or death. This fundamental difference shapes everything about how medical device manufacturers must approach quality—and risk management sits at the center.
ISO 13485 requires risk management throughout the product lifecycle. ISO 14971 provides the detailed framework. Together, they ensure that patient safety drives decision-making at every stage.
ISO 14971: The Risk Management Standard
What It Covers
ISO 14971 specifies a process for manufacturers to identify hazards, estimate and evaluate risks, control those risks, and monitor the effectiveness of controls. It applies to all stages of the product lifecycle.
Key Concepts
Hazard: A potential source of harm. For medical devices, this includes everything from electrical shock to biocompatibility issues to use errors.
Harm: Physical injury or damage to health, including harm from delay in appropriate treatment.
Risk: The combination of probability of occurrence of harm and severity of that harm.
The Risk Management Process
1. Risk Analysis
The process begins with systematic identification of hazards and their causes:
Intended Use and Foreseeable Misuse
- What is the device intended to do?
- Who will use it (professionals, patients, caregivers)?
- What are the conditions of use?
- How might users deviate from intended use?
Hazard Identification
- Energy hazards (electrical, thermal, mechanical, radiation)
- Biological hazards (biocompatibility, infection)
- Chemical hazards (toxicity, flammability)
- Operational hazards (use error, misdiagnosis)
- Information hazards (labeling errors, inadequate instructions)
Risk Estimation
For each hazard, estimate:
- Probability of harm occurring
- Severity of potential harm
2. Risk Evaluation
Using criteria established in your risk management plan, determine which risks are acceptable and which require reduction. This typically involves a risk matrix or risk acceptability criteria.
3. Risk Control
For unacceptable risks, implement controls in this order of priority:
- Inherent safety by design: Eliminate the hazard or reduce risk through design changes
- Protective measures: Guards, barriers, alarms in the device or manufacturing process
- Information for safety: Warnings, contraindications, instructions for use
Important: Information (labeling and instructions) is the least effective control. Relying solely on warnings for significant risks is generally not acceptable.
4. Evaluation of Residual Risk
After implementing controls, evaluate remaining risk:
- Is each individual residual risk acceptable?
- Is the overall residual risk acceptable considering all hazards?
- Do the medical benefits outweigh the residual risk?
5. Risk Management Review
Before commercial release, verify that:
- The risk management plan was implemented
- Overall residual risk is acceptable
- Appropriate methods are in place to collect production and post-production information
The Risk Management File
ISO 14971 requires maintaining a Risk Management File containing:
- Risk management plan
- Risk analysis documentation
- Risk evaluation documentation
- Risk control measures and verification
- Evaluation of overall residual risk acceptability
- Risk management report
This file is subject to regulatory review and must be maintained throughout the product lifecycle.
Integration with ISO 13485
Design and Development
ISO 13485 requires that design and development planning include risk management activities. Design inputs must include risk management requirements. Design outputs must address risk control measures.
Production and Service
Risk management continues into production:
- Process validation for risk-critical processes
- Control of production and service provision
- Validation of processes for production and service provision
Post-Production Monitoring
The quality management system must include processes for collecting and analyzing post-production information, including:
- Complaint handling
- Adverse event reporting
- Field performance data
This information feeds back into risk management, potentially triggering risk re-evaluation.
FDA Alignment
For U.S. market access, risk management requirements align with FDA expectations:
21 CFR Part 820 (Quality System Regulation)
The FDA QSR requires risk analysis as part of design controls. The updated QMSR (Quality Management System Regulation) brings explicit ISO 14971 requirements.
Premarket Submissions
Risk analysis is a required component of 510(k) submissions and PMA applications. Reviewers evaluate whether risks have been adequately identified and controlled.
Design History File
Risk management activities must be documented in the Design History File, demonstrating that risk was considered throughout development.
Common Risk Management Failures
Starting Too Late
Risk management should begin with product concept, not after design is complete. Retroactive risk analysis misses the opportunity to design out hazards.
Inadequate Hazard Identification
Teams often focus on obvious hazards while missing use errors, environmental factors, or failure modes in supporting systems. Systematic approaches and diverse perspectives are essential.
Over-Reliance on Information Controls
Labeling a hazard with a warning is not the same as controlling it. Regulators expect design-based controls for significant risks.
Static Risk Files
Risk management is not a one-time activity. The risk file must be updated when:
- Design changes occur
- New hazards are identified
- Post-production data reveals new information
- Standards or regulatory requirements change
Disconnected from QMS
Risk management should be integrated with CAPA, complaints, design controls, and production processes—not maintained as a separate paperwork exercise.
Practical Implementation Tips
Build Cross-Functional Teams
Effective hazard identification requires perspectives from:
- Design engineering
- Manufacturing
- Quality assurance
- Clinical/medical affairs
- Regulatory affairs
- Service/field support
Use Established Techniques
Common risk analysis techniques include:
- FMEA: Failure Mode and Effects Analysis (systematic failure mode evaluation)
- FTA: Fault Tree Analysis (top-down analysis of failure causes)
- HAZOP: Hazard and Operability Study (process deviation analysis)
Choose techniques appropriate to your device and development stage.
Define Clear Criteria
Establish risk acceptability criteria before analysis. This prevents subjective judgments and ensures consistent evaluation.
Document Rationale
It's not enough to record decisions—document the reasoning. Regulators and auditors want to see how you reached conclusions.
Connect to Design Controls
Risk control measures should become design inputs. Verification and validation should confirm that controls are effective.
Audit Perspective
As auditors, we look for evidence that risk management is:
- Planned and systematic, not ad hoc
- Integrated with design and development
- Updated when information changes
- Driving real decisions, not just paperwork
- Supported by competent personnel
We also verify traceability from hazards to controls to verification activities.
Getting Risk Management Right
Effective risk management protects patients, satisfies regulators, and reduces business risk from recalls and liability. It requires commitment, competence, and integration with your quality management system.
Exceleor brings deep experience in medical device quality systems and ISO 13485 implementation. Our consultants understand both the regulatory requirements and the practical challenges of building effective risk management processes.