Risk Management under EU MDR

RISK MANAGEMENT FOR EU MDR COMPLIANCE

EU MDR 2017/745 requires medical device manufacturers to manage risks systematically to ensure patient and user safety. Article 10 of the MDR makes it mandatory to establish and maintain a risk management system throughout the entire life cycle of the device from design and manufacturing to post-market use. This risk management process must be part of the manufacturer’s Quality Management System (QMS).

While the MDR defines the legal requirements, ISO 14971 is the internationally accepted standard that explains how to perform risk management for medical devices. For EU compliance, manufacturers should use the harmonized version, EN ISO 14971, which aligns the standard with MDR safety requirements. ISO/TR 24971 provides practical guidance and examples to help apply ISO 14971 correctly.

Risk management starts with a Risk Management Plan, where the manufacturer defines responsibilities, risk acceptance criteria, and review activities. The next step is risk analysis, which involves identifying hazards, estimating their severity and likelihood, and evaluating whether the risks are acceptable. If risks are not acceptable, they must be reduced as far as possible (AFAP), primarily through safe design and protective measures rather than warnings alone.

Risk management continues even after the device is on the market. Manufacturers must monitor real-world performance through Post-Market Surveillance (PMS), Post-Market Clinical Follow-up (PMCF), and vigilance reporting. Any new information must be used to update the risk assessment and confirm that the benefits of the device continue to outweigh the risks throughout its lifecycle.

EU MDR risk management process aligned with ISO 14971

INTRODUCTION

EU MDR 2017/745 establishes strict requirements for risk management as part of the regulatory framework for medical devices and emphasizes the importance of a comprehensive risk management system. As per Article 10 of the EU MDR, manufacturers are required to establish, document, implement, and maintain a system for risk management. This process must be maintained and updated throughout the device’s entire lifecycle, including Post-Market Surveillance (PMS), and must be integrated into the manufacturer’s Quality Management System (QMS). While the MDR provides the legal requirements, the “state of the art” method for achieving compliance is the international standard ISO 14971 (Medical devices — Application of risk management to medical devices) and its guidance document ISO/TR 24971 (Guidance on the application of ISO 14971).

THE ROLE OF ISO 14971 AND ISO/TR 24971 IN EU MDR

Although the EU MDR is a regulation and ISO 14971 is a standard, they are inextricably linked.

| Document | Role | Key Takeaway |
| --- | --- | --- |
| EU MDR 2017/745 | The Regulation (Law) | Mandates the “As Far As Possible” (AFAP) reduction of risk. |
| ISO 14971:2019 | The Standard (Process) | The systematic process for managing risk. Use the EN version for EU compliance. |
| ISO/TR 24971:2020 | The Guidance (Help) | Practical tips and examples on how to implement the standard effectively. |

For European compliance, manufacturers should refer to the Harmonized Standard (EN ISO 14971). This version includes Annex Z, which specifically outlines how the clauses of ISO 14971 map to the General Safety and Performance Requirements (GSPRs) of the MDR.

RISK MANAGEMENT PLAN

The first step in compliance is establishing a Risk Management Plan. According to ISO 14971 and the MDR, this plan must define the scope of the risk management activities and include:

  • The lifecycle phases covered by the plan.

  • Assignment of responsibilities and authorities.

  • Requirements for the review of risk management activities.

  • Criteria for risk acceptability (based on the manufacturer’s policy).

  • A method to evaluate the overall residual risk.

  • Activities for verification of the implementation and effectiveness of risk control measures.

RISK ANALYSIS AND EVALUATION

Once the plan is in place, the manufacturer must perform a risk analysis for the specific medical device. This involves:

  1. Intended Use & Misuse: Defining the intended use and reasonably foreseeable misuse.

  2. Hazard Identification: Identifying known and foreseeable hazards associated with the device (e.g., electrical, biological, or software hazards).

  3. Risk Estimation: Estimating the probability of occurrence and the severity of harm for each hazardous situation.

Following analysis, Risk Evaluation is performed to determine if the risk is acceptable based on the criteria defined in the plan.

RISK CONTROL AND THE "AFAP" REQUIREMENT

If a risk is deemed unacceptable, risk control measures must be implemented. A key difference in the EU MDR compared to older standards is the requirement to reduce risks “As Far As Possible” (AFAP).

Manufacturers must implement risk controls in the following priority order (as per MDR Annex I, Chapter I):

  1. Inherent Safety: Eliminate or reduce risks through safe design and manufacture.

  2. Protective Measures: Implement alarms or protection measures for risks that cannot be eliminated.

  3. Information for Safety: Provide warnings and precautions to users.

Note: Under the EU MDR, providing “information for safety” (labeling) is not considered a risk reduction measure for the purpose of lowering the residual risk score.

BENEFIT-RISK ANALYSIS

When a residual risk is not judged acceptable using the criteria in the risk management plan, a Benefit-Risk Analysis must be performed. The manufacturer must gather data and literature to demonstrate that the medical benefits of the device outweigh the remaining residual risks. The EU MDR places a heavy emphasis on clinical data to support these claims.

PRODUCTION AND POST-PRODUCTION ACTIVITIES

Risk management does not end when the device is launched. The EU MDR mandates a proactive approach to gathering information from the market. This includes:

  • Post-Market Surveillance (PMS): Systematically collecting data on device performance.

  • Post-Market Clinical Follow-up (PMCF): Proactively collecting clinical data to update the clinical evaluation.

  • Vigilance: Reporting serious incidents and field safety corrective actions.

This information must be fed back into the risk management process to update the risk analysis and evaluate whether the benefit-risk profile remains favorable.
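The risk analysis, evaluation and control steps above, together with the post-production feedback loop, can be modelled as a small risk register. The following is an added example written for this page, not code from the page or from any standard or vendor: it scores each hazardous situation as probability times severity, applies only verified controls in the MDR Annex I priority order, gives no score credit to "information for safety" (as the note above states), compares the residual index against an acceptance criterion, and re-evaluates when post-market data changes the probability estimate. The five-level scales, the acceptance threshold of 6 and the two sample hazards are constructed assumptions for illustration; a real plan defines its own criteria.

```python
"""Worked risk-register evaluation in the style of ISO 14971 (added example)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Probability(IntEnum):      # assumed 5-level scale (constructed)
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


class Severity(IntEnum):         # assumed 5-level scale (constructed)
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


# MDR Annex I priority order: lower number is applied first.
CONTROL_PRIORITY = {"inherent_safety": 1, "protective_measure": 2, "information_for_safety": 3}

# Assumed acceptance criterion from the risk management plan (constructed):
# risk index = P x S, acceptable when the index is at or below this value.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Control:
    kind: str                       # one of the CONTROL_PRIORITY keys
    description: str
    probability_reduction: int = 0  # probability levels removed once verified
    severity_reduction: int = 0     # severity levels removed once verified
    verified: bool = False          # implementation and effectiveness verified


@dataclass
class HazardousSituation:
    hazard_id: str
    description: str
    probability: Probability
    severity: Severity
    controls: list = field(default_factory=list)


def risk_index(p: int, s: int) -> int:
    return int(p) * int(s)


def residual_risk(situation: HazardousSituation) -> tuple:
    """Apply verified controls in priority order and return residual (P, S)."""
    p, s = int(situation.probability), int(situation.severity)
    for c in sorted(situation.controls, key=lambda c: CONTROL_PRIORITY[c.kind]):
        if c.kind == "information_for_safety":
            continue  # labelling does not lower the residual risk score
        if not c.verified:
            continue  # an unverified control earns no credit
        p = max(1, p - c.probability_reduction)
        s = max(1, s - c.severity_reduction)
    return p, s


def evaluate(situation: HazardousSituation, threshold: int = ACCEPTANCE_THRESHOLD) -> dict:
    """Risk evaluation against the plan's acceptance criterion."""
    initial = risk_index(situation.probability, situation.severity)
    p, s = residual_risk(situation)
    residual = risk_index(p, s)
    if residual <= threshold:
        status = "acceptable"
    elif any(c.kind != "information_for_safety" for c in situation.controls):
        status = "unacceptable: benefit-risk analysis required"
    else:
        status = "unacceptable: design or protective control required before relying on labelling"
    return {"hazard_id": situation.hazard_id, "initial_index": initial,
            "residual_index": residual, "status": status}


def overall_residual_risk(register: list, threshold: int = ACCEPTANCE_THRESHOLD) -> dict:
    """Overall residual risk: every item in the register must be acceptable."""
    items = [evaluate(h, threshold) for h in register]
    return {"acceptable": all(r["status"] == "acceptable" for r in items), "items": items}


def post_market_update(situation: HazardousSituation, observed: Probability) -> dict:
    """Feed PMS/PMCF/vigilance data back: re-estimate probability, then re-evaluate."""
    situation.probability = observed
    return evaluate(situation)


def build_sample_register() -> list:
    """Two constructed hazardous situations used as sample input."""
    dose = HazardousSituation("HZ-001", "Software dose calculation error",
                              Probability.PROBABLE, Severity.CRITICAL, [
        Control("information_for_safety", "IFU warning to confirm the dose", probability_reduction=1),
        Control("protective_measure", "Independent dose-limit check raises an alarm",
                severity_reduction=1, verified=True),
        Control("inherent_safety", "Input validation rejects out-of-range values",
                probability_reduction=2, verified=True),
    ])
    leak = HazardousSituation("HZ-002", "Enclosure leakage current",
                              Probability.OCCASIONAL, Severity.SERIOUS, [
        Control("information_for_safety", "Label: do not use with a damaged cable"),
    ])
    return [dose, leak]


if __name__ == "__main__":
    register = build_sample_register()
    for item in overall_residual_risk(register)["items"]:
        print(item)
    print(post_market_update(register[0], Probability.FREQUENT))
```

Running it shows HZ-001 falling from an index of 16 to 6 through the design and protective controls alone, HZ-002 stuck at 9 because its only control is labelling, and HZ-001 climbing back to 9 once field data raises the probability estimate, which is the point at which the page's benefit-risk analysis step is triggered.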

CONCLUSION

A robust risk management system is the backbone of EU MDR compliance. By aligning your processes with ISO 14971 and following the guidance in ISO/TR 24971, you can ensure your device meets the rigorous safety standards required for the European market. Remember, risk management is a living process; it requires continuous monitoring and updating to ensure patient safety throughout the device’s lifecycle.

HOW MORULAA CAN HELP

Morulaa supports medical device manufacturers in building and maintaining EU MDR–compliant risk management systems aligned with ISO 14971 and ISO/TR 24971. We assist in preparing Risk Management Plans, Risk Analysis, Risk Control documentation, and Benefit–Risk Analysis that meet MDR and Notified Body expectations. We also help integrate risk management with Clinical Evaluation, PMS, PMCF, and Vigilance activities to ensure consistency across technical documentation. By providing structured, regulation-driven support, Morulaa enables manufacturers to achieve and maintain EU MDR compliance efficiently throughout the device lifecycle.

Let’s Talk

Call us today, or fill out the form and we will get right back to you!
