Medical device Risk Management analysis

A detailed guide to, and analysis of, the benefits of medical device Risk Management assessments under the Medical Device Regulation.

What is medical device Risk Management?

Medical device Risk Management is the structured process of identifying, analysing, mitigating, eliminating and drawing conclusions from medical risks associated with use of a medical device.

All medical devices have inherent risks. It is a fact of healthcare that every patient interaction carries with it a risk of harm, and the use of medical devices is in no way an exception.

Medical device Risk Management is not the process of eliminating every conceivable risk that could emanate from use of a device. Rather, it is the elimination of unacceptable risks, along with the mitigation of any risks that cannot reasonably be eliminated.

Performed correctly, medical device Risk Management allows the formulation of a risk benefit assessment (expressed as “benefit-risk” in the text of the EU MDR) that will determine whether the potential benefits of using a device outweigh any residual risks.

What is a medical device risk?

The formal definition of a medical device risk is provided in Article 2 MDR, where it is stated that a medical device risk is:

“…the combination of the probability of occurrence of harm and the severity of that harm.”

Therefore, the acceptability of a medical device risk, and the processes required to eliminate or mitigate it, depend on both the severity and the frequency of the harm.

Medical device risks must not be confused with other categories of risk such as business risks or commercial risks. Medical device risk analysis is concerned only with risks as defined in Article 2 MDR.

What role does Risk Management play within the MDR?

Medical device Risk Management is a central component of MDR compliance. Risk Management is a direct component of clinical evaluation and a benefit-risk analysis is one of the required technical documents specified in Annex II MDR.

Risk Management

Article 10 MDR requires all manufacturers to establish, document, implement and maintain a system for Risk Management. Annex I provides greater detail about the requirements for medical device Risk Management, stating that Risk Management shall be a continuous iterative process that is conducted throughout the entire lifecycle of a device.

Annex I states that manufacturers must:

  • establish and document a Risk Management plan for each device
  • identify and analyse the known and foreseeable hazards associated with each device
  • estimate and evaluate the risks associated with, and occurring during, the intended use of the device and those resulting from any reasonably foreseeable misuse of the product
  • eliminate or control identified risks
  • evaluate the impact on the benefit-risk ratio and overall risk acceptability of any information arising from the production phase of the device and, in particular, from the post-market surveillance system
  • if necessary, implement suitable changes to risk control measures

Annex I also requires that devices are designed to be able to withstand stresses, strains, temperature fluctuations, conditions of storage and transport, and environmental conditions to which they can be expected to be subject. Risk analysis therefore becomes a component of product design and must be documented from the initial product realisation phase onwards.

How to plan and develop a Risk Management strategy for medical devices

A solid medical device Risk Management strategy can be developed through an application of a process common to many requirements under the MDR: Plan, document, implement, maintain, update, report.

Planning a Risk Management strategy will require a combination of technical, regulatory and clinical knowledge. Detailed product knowledge, together with an understanding of the clinical context in which the product will be used, will allow an initial risk matrix to be developed. The plan must:

  • outline any assumptions made and provide justification for them
  • detail strategies for confirming or refuting assumptions
  • contain a plan for accurately determining frequency and severity of identified risks
  • detail a plan for collating information about new or emerging product risks
  • outline methods for determining risk acceptability
  • detail a risk mitigation and risk elimination plan
  • outline roles, responsibilities and reporting lines for members within the organisation whose activities may have a bearing on Risk Management

Risk Management documentation will form a component of the technical documents (Annex II MDR) that will be submitted as a component of the device conformity assessment process. Alongside the substantive Risk Management files it is necessary to document procedures for updating, maintaining, archiving and retrieving Risk Management documents.

Implementing a Risk Management strategy includes ensuring that the activities documented in the Risk Management plan are undertaken in the correct manner. Risk Management activities interface with those conducted in running Vigilance systems, Post-Market Surveillance (PMS), and Clinical Evaluation, and so Risk Management activities are inherently cross-organisational.

Maintaining and updating a Risk Management strategy requires scheduled review and appraisal sessions to analyse system suitability. The clinical evaluation cycle offers an opportunity to assimilate Risk Management data collected and to re-perform a benefit-risk analysis of the device. Any updates or changes to the process must be reflected in documentation and disseminated across the organisation to ensure the changes are implemented.

What is ISO 14971?

ISO 14971:2019 - “Application of Risk Management to medical devices” is the most up-to-date version of the ISO 14971 standard. It has been updated to reflect changes to Risk Management imposed by the MDR.

As with all internationally-recognised ISO standards relating to medical devices, ISO 14971 is regarded as a harmonised standard, meaning that compliance with the ISO standard will lead to a rebuttable presumption of conformity with the aspects of the MDR relating to Risk Management.

ISO 14971:2019 outlines a process for Risk Management and extends its coverage to software as a medical device and in-vitro diagnostic medical devices. It can be applied to all phases of a product’s life cycle.
