Risk Management Under the New EU Medical Device Regulation

The new EU Medical Device Regulation (Regulation 2017/745) adopts a more universally risk-based approach than the EU Medical Device Directive (93/42/EEC, the “MDD”). The new regulation also aligns requirements for medical devices more closely with the harmonized standard for risk management (EN ISO 14971:2012). It lays out more explicit requirements for manufacturers regarding the maintenance of a risk management program and life-cycle risk management, and it defines responsibilities and authority for both Notified Bodies and member states. For example, the standard requires that Notified Body auditors have knowledge and experience in risk management as well as in device-related standards and guidance. Competent Authorities will perform market surveillance that includes risk assessment and management; this surveillance may include a review of documentation, evaluation of device samples, or announced and unannounced inspections of economic operators (review this definition and the associated regulatory requirements in detail!). With the increased scrutiny on Notified Bodies and their increased responsibilities, manufacturers will likely find that Notified Bodies are less lenient on compliance with the requirements as they relate to risk. For these reasons, and to ensure continued device performance and safety, compliance with the more detailed regulatory requirements for risk management is imperative.

The general requirements for risk management in the new regulation are familiar from the MDD and ISO 14971 albeit more explicitly described than in the MDD.  As before, devices are required to achieve the performance intended and must be designed and manufactured to fulfill their intended purpose. The devices must not compromise safety and the individual and cumulative risks must be outweighed by the clinical benefit.  Risk management is emphasized in the regulation as an iterative process throughout the entire lifecycle of a device (a key input in developing the new regulation was to implement more of a lifecycle approach).  The following are required for each device:

- a risk management plan for each device
- identification and analysis of possible hazards associated with each device
- estimation of risk associated with the intended use and misuse of the device
- risk mitigation (reduction or elimination of risk)
- assessment of the impact of production and post-market information on the documented risk assessment
- changes to control measures (e.g. safety by design, alarms, safety information) when required based on the assessment of production and post-market information

The first four points are currently addressed in the risk management files maintained by most manufacturers for their devices. However, weak linkages between production and post-market information and the risk management file are common. Additionally, where a “checkbox approach” to risk management is employed, device design (specifically, control measures) may not be adequately evaluated in response to production and post-market information. Consider strengthening procedures around risk management and production and post-market information to comply with these requirements.  Also ensure that you are evaluating the device design in response to post-market information.

Per the regulation, the manufacturer must establish, document, implement and maintain a system for risk management as part of the quality system.  Therefore, thorough documentation of requirements and procedures for risk management is required.  In other words, your risk management and related procedures (clinical evaluation, post-market surveillance, etc.) must provide clear instructions that are consistent with the regulation and contain the applicable elements.  If you currently have very basic procedures and forms and must verbally describe how your risk activities are performed, you will need to update your risk program.  For example, if you use Failure Modes and Effects Analysis (FMEA) with a rating system based on the combination of severity, occurrence, and/or detection, you must describe in your procedure how this document is generated, define the scoring system, and state how this document is linked to other documents (e.g. design inputs/outputs, hazard/harm listing, and historical data for the device or similar devices). The technical file for each device must include the results of the risk management process including the benefit-risk analysis, the solutions adopted to address risks, and the updated PSUR (see section below titled CLINICAL EVALUATION AND POST-MARKET SURVEILLANCE for more information regarding the PSUR).  All risk documentation for each product must be maintained and readily available per record retention requirements.


Annex I contains the most detailed information for manufacturers regarding risk management during design. A side note: re-processors assume risk management responsibilities to ensure the device properties are not changed by reprocessing and to address the use of the reprocessed device (essentially, re-processors are treated as manufacturers in this regard). Risk control measures must be state of the art and adopted in the following order of priority:

1. Eliminate or reduce risks as far as possible through safe design and manufacture
2. Take adequate protection measures for risks that cannot be eliminated (e.g. alarms)
3. Provide information or user training for safety and disclose any residual risks

Item 3, above, diverges slightly from the requirement of EN ISO 14971:2012 which allows the manufacturer to determine which residual risks are to be disclosed (for residual risks deemed acceptable).  The EU MDR simply states that the manufacturer “shall inform users of any residual risks” (refer to the section below titled RESIDUAL RISK for more information regarding this requirement).

As with the MDD, Annex I of the MDR provides general requirements for medical devices such as sterilization, material characteristics, performance requirements, etc. All risks associated with device characteristics must be eliminated or mitigated, and individual and cumulative risks must be acceptable when weighed against the benefit of the device. Each applicable technical aspect addressed in Annex I should be represented in the risk management file for your device. For example, if your device is provided sterile, you should consult the areas addressing sterility in Annex I when assessing risks for your device. Of note, the regulation specifies that risk be evaluated for the device when used under the conditions and for the purposes intended. One does not need to wildly imagine scenarios where the device may cause risks when used in a manner that is grossly inconsistent with the labeled indication and instructions; however, for reasonably foreseeable misuse, those risks should be evaluated.

RESIDUAL RISK
Earlier, I mentioned the disclosure of risks to users as it relates to the current requirements in ISO 14971. The new regulation specifically prohibits manufacturers from “failing to inform the user or the patient of a likely risk associated with the use of the device in line with its intended purpose”. The regulation also allows manufacturers to use a pictogram following the CE Mark to identify any special risk.  I recommend defining the symbol in the labeling, especially if it is not defined in the harmonized standard ISO 15223-1. The use of risk mitigation is also applied to distributed devices as the regulation discusses corrective action taken for devices that have already been placed on the market. Therefore, residual risks must be addressed at every stage of the device lifecycle, including when those risks are identified after distribution.

CLINICAL EVALUATION AND POST-MARKET SURVEILLANCE
Risk management and clinical evaluation are interdependent and thus must be cross-referenced and updated concurrently and regularly. Clinical risks must be identified in the risk management file and addressed as part of clinical investigations, the clinical evaluation and post-market clinical follow-up (PMCF). During the post-market phase, manufacturers must systematically and actively gather post-market information and update the technical documentation relating to risk assessment and clinical evaluation. The clinical evaluation must be performed according to a plan and include an assessment of nonclinical testing, clinical investigation results, and post-market information. Post-market information includes, but is not limited to, feedback, complaints, field corrective actions, and recalls. The PMCF plan should expand on these inputs to also include pro-active solicitation of post-market information: consider clinical trials, clinical registries, or detailed and thorough solicitation of feedback from frequent users (for example, user surveys that capture the overall experience with your device at one or more specified facilities). Like the clinical evaluation plan, the PMCF plan must also be linked to the risk management processes. You must specify methods and procedures for identifying and analyzing emergent risks based on post-market evidence, referencing the risk management activities and documents for the device.

Data gathered through post-market surveillance must be used to update the benefit-risk determination and improve risk management. In addition to an increase in serious adverse events, any statistically significant increase in the frequency or severity of incidents that are not serious, or of expected side-effects, that could lead to unacceptable risks or an unacceptable benefit-risk profile should be acted upon and reported to the Competent Authorities. This increased occurrence is established in comparison to the foreseeable frequency and severity as specified in the technical file (this likely refers to the clinical history for similar devices leading to the estimated frequency and severity in the risk file). If you do not already identify risk thresholds and tie your post-market surveillance back to those limits, now is the time to start.

In addition to the requirement for a PMCF, manufacturers of class IIa, class IIb and class III devices must also prepare a periodic safety update report (PSUR) for each device (and for groups of devices where relevant). The PSUR includes the results and conclusions of the post-market surveillance analysis, any corrective or preventive action taken, and the updated benefit-risk determination. The PSUR must also include the “denominator” for the data in the form of sales volume or estimated usage of the device. The PSUR must be updated periodically (the timeframe is based on device risk class), and each update must take the risk management activities into consideration.

Another new requirement, specifically for implantable and class III devices, is the Summary of Safety and Clinical Performance. Residual risks, undesirable effects, warnings and precautions must all be included in the Summary of Safety and Clinical Performance, which is submitted to the Notified Body (NB) during conformity assessment and uploaded by the NB to EUDAMED.

CE marking without clinical evidence for your device or an equivalent device will no longer be possible for many devices. Where clinical data is not used to demonstrate safety and performance, the Notified Body will rigorously inspect your risk management file to ensure that risks are adequately characterized and mitigated without clinical data. There must be adequate linkages between clinical evaluation and risk management to ensure that the clinical evaluation includes an assessment of risk. To ensure that risk is adequately assessed as part of the clinical evaluation, your clinical evaluation plan must identify the parameters used to evaluate risks and the benefit-risk ratio, the assessment against the state of the art (refer to MEDDEV 2.7/1 Rev. 4 for more information), and an evaluation of specific risks related to medicinal, animal-origin, or human-origin materials incorporated in your device. Additionally, procedures for clinical evaluation must clearly describe risk management activities as they relate to the clinical evaluation.

In summary, your risk management, clinical evaluation, PMCF, and PSUR procedures and plans must all be synchronized, and each resulting report must consider the data and results of the others.


As you may now realize, clinical investigations will be required for more medical devices under the new medical device regulation. The regulation specifically identifies the use of clinical investigations as a method of assessing the benefit-risk ratio of medical devices. Additionally, risk assessment must be used to justify any foreseeable risks to trial subjects when weighed against the benefits. A robust evaluation of the risks to subjects and the benefits must be documented in the clinical investigation plan. The plan must also include an ongoing monitoring strategy for the risks and the benefit-risk ratio. The new regulation also requires that subjects are notified of risks by way of the informed consent, and it outlines requirements for possible risks to incapacitated and minor subjects. Investigators must also be notified of the benefit-risk analysis and the summary of risk management in the investigator’s brochure. Specific risks must be identified in the investigator’s brochure, including those related to medicinal, human-derived, or animal-derived substances incorporated in the device. For clinical trial applications, member states are required to assess the minimization of risks and the risks compared to the clinical benefits of the device.


The transition to the new medical device regulation also comes with the potential for additional requirements for your devices after you have demonstrated compliance with the MDR. In addition to the continued use of harmonized standards, the regulation introduces a new regulatory concept for medical devices: Common Specifications. Common Specifications will be implemented by the European Commission and will address requirements for both products and quality system management. That is, there will be Common Specifications for safety and performance requirements for devices (specifically, high-risk devices such as implantable and class III devices) and for quality system requirements (for technical documentation and risk management, among other areas). You will need to ensure that you search for Common Specifications when you perform your periodic review of new or revised regulatory requirements. This review is typically performed at least once a year (and preferably more often) to identify new or revised regulations applicable to your devices or QMS. When a Common Specification is implemented for risk management, you will want to ensure that your risk management processes and documentation are compliant.


The new requirements described in this document represent a small portion of the work needed to comply with the EU MDR. While the task of becoming compliant may seem daunting, I recommend the following simple steps to get you started:

- Review the EU MDR and highlight new requirements and differences between the new regulation and the existing regulations and standards with which you comply.
- Develop a general plan for revising your procedures and other documented Quality Management System requirements. This plan should include assignments for responsible parties within your organization.
- Hold regular meetings with the involved parties to verify that activities are performed to schedule.
- If you haven’t already discussed the transition with your Notified Body, do so now.
- Attend any training opportunities you can regarding the EU MDR.

Of course, Brosseau Consulting is available to assist you with the transition.  Hiring an expert may very well be your quickest and most sure path to compliance.