Risk management plans and the new ISO 14971

The risk management process described in the new ISO 14971 consists of several steps:

  • Risk management plan
  • Risk assessment
  • Risk control
  • Evaluation of overall residual risk
  • Risk management review
  • Production and post-production activities

The focus of this blog post is the first of these six steps: the risk management plan.

All risk management activities must be planned. The plan provides a roadmap for the risk management activities to be conducted during the life cycle of the medical device. Among other things, the risk management plan must include the criteria for risk acceptability for the medical device to be developed. These criteria are established based on the policy defined by top management. Including the criteria in the risk management plan helps to ensure an objective evaluation of the residual risks later in the process.

Moreover, having a plan ensures an organized approach to risk management and prevents essential activities from being forgotten. For this purpose, a review of the execution of the risk management plan must be performed at the end of the design and development process and before commercial distribution of the medical device. This review is required to ensure that the risk management plan has been properly executed so far, and that the final medical device is safe. The risk management plan further includes activities for the verification of the implementation and effectiveness of the risk control measures, and activities for the collection and review of information during the production and post-production phases.

A risk management file needs to be created and maintained. Important parts of the risk management file are the risk management plan and the risk management report, which is created after the review of the execution of the plan. The risk management file further contains (references to) all records and other documents that are produced during the risk management process. The risk management file needs to provide traceability for each identified hazard to the risk analysis, the risk evaluation and the implemented risk control measures, including the evaluation of the residual risks. Traceability is necessary to ensure completeness of the risk management process, i.e. that all hazards are appropriately addressed and that every risk is adequately controlled.

This is an excerpt from the BSI medical devices white paper Risk management for medical devices and the new ISO 14971. To download our other medical device white papers, please visit the Insight page on the Compliance Navigator website.

The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body. The views expressed are entirely those of the authors.