What Is Risk Management, and How Do You Create a Risk Management Plan?

Learn what a medical device risk management plan is and how to create one. 


What is risk management?

According to ISO 14971, as a medical device manufacturer, you must have a documented process for risk management and provide the specifications for such a process. Risk management is a planned and systematic process of identifying, classifying, assessing and controlling risks. It includes management policies, procedures and practices associated with risk-related tasks. It also has several purposes:

  • identify the risks associated with a medical device
  • estimate and evaluate the associated risks
  • control the associated risks
  • monitor the effectiveness of the implemented risk controls.

You must implement risk management in any product development project, from inception to completion. And, if a risk analysis for a product similar to yours is available, relevant and adequate, you can apply it to the study of your medical device.

The risk management process is applicable for:

  • each new medical device or derivative device
  • each change (in a part) of an already released device
  • new indications for an existing device
  • discovery of mislabeled or non-conforming products
  • each change (in a part) of a realization process of a released product, including changes to manufacturing sites and suppliers
  • CAPA (corrective and preventive actions) events with potential risk to patient safety.

A good approach for risk management is using the BMX method, which includes hazard identification, risk estimation, risk control, risk evaluation and monitoring. The process starts with forming a risk management file and writing a risk management plan (RMP).

What is a medical device risk management plan?

A risk management plan represents a written document detailing the risk management process of a particular medical device. It is part of your risk management file, together with other documents. Having a risk management plan is also one of the MDR requirements you need to fulfil to obtain CE marking for medical devices.

Your medical device risk management plan should include several activities, and you can find more information about each one of them in the next section of this article. Additionally, keep in mind that you should revise the RMP during the course of the entire project, preferably at each design review.

How to create a medical device risk management plan?

ISO 14971 requires that you create a medical device risk management plan at the start of the risk management process. To do so, you need to make sure that your RMP contains all of the following elements:

#1. Purpose and scope

Your medical device risk management plan’s scope should identify all the risk management activities and all responsibilities required for the new project, from the design stage through market release. It is possible to initially write a plan for the early stages of the product development process and later update the risk management plan to include the remaining phases. At market release, you should review and update the RMP as required to ensure that the appropriate measures are in place for collecting ongoing post-market information about the medical device’s performance.

#2. Overview of the medical device

Here, you should describe the product, its functions, elements, indications, intended purpose, user and use environment. You should also identify what is included in the analysis. It’s a common mistake to go beyond the scope of analysis and include other peripheral devices that are not part of the medical device.


#3. Risk management strategy

Describe what your primary risk management strategy is to make the medical device as safe as possible for the end-user. For instance, you may keep physicians in the decision-making loop for accurate diagnosis and treatment.

#4. Risk management activities

List your planned risk management activities, such as PHA, Fault Tree Analysis, Benefit-risk analysis, etc. Don’t forget to specify the phase required for initiating and/or updating each activity. If you plan to use particular tools, such as FDA software, describe this information here.

#5. Assign responsibilities

Identify people/roles who will be responsible for the risk management activities, and their authorities. Make sure you include the person responsible for the maintenance of the risk management framework (RMF).

#6. Requirements for review of risk management activities

Spell out all the requirements for the review of your risk management activities. For example, a risk management report will be created for <Product Name> to document a final evaluation of the aggregate risk management documents, risk acceptability, and residual risk. Include clear links to risk management documentation and any templates used within the organization.


#7. Risk acceptance criteria

Define and document the policy for establishing and reviewing the criteria for risk acceptability. Your policy should ensure that the risk acceptance criteria are based upon relevant national regulations and international standards. You should also consider available information, such as generally accepted SOTA (state-of-the-art) and known stakeholder concerns. The criteria provide guidance for the determination of end-points for risk reduction. Lastly, you can apply the policy to your entire range of medical devices or focus it on different groupings of medical devices.

#8. Verification activities and deliverables

Verification activities are the quality assurance activities you plan to use to ensure that risk control procedures are implemented and product quality standards are fulfilled. Describe both the verification that each risk control has been implemented and the verification that it is effective.

#9. Production and post-production information

In this section, you need to explain the methods you will use to capture production and post-production information and feed it back into the risk management process. For instance, you can use the following data sources to collect such information: product complaints, internal audits, NCRs or CAPAs. The collected information is then used for monitoring and evaluation of medical device risk.


#10. References

Create a table of contents for all plans, procedures and policies referenced in your medical device risk management plan. You can organize the references in the order they are cited or using an alternative approach (e.g. alphabetical or numeric order).

#11. Additional information

Describe how your risk management will affect other aspects of the product development process.

