Keeping IVD Devices Safe: Risk Management Under IVDR
Risk management is basically a structured way to make sure an IVD test is safe, works as intended, and stays that way over its whole life (design → manufacturing → use in the field). Under IVDR 2017/746, the manufacturer must set up and maintain a risk management system inside their quality system. This isn’t a one-time document: it’s an ongoing process that gets updated when you learn new things (complaints, performance trends, vigilance cases, etc.).
INTRODUCTION
Risk management plays a central role in ensuring the safety and performance of in vitro diagnostic (IVD) medical devices. The In Vitro Diagnostic Regulation (IVDR) 2017/746 establishes strict requirements for manufacturers to apply a structured and ongoing process of identifying, evaluating, and controlling risks throughout the entire lifecycle of a device. To achieve this, the international standard EN ISO 14971:2019 provides the recognized framework for systematically managing risks, from design and development through to post-market surveillance. Supporting this standard, the guidance document EN ISO/TR 24971:2020 offers detailed explanations and practical recommendations for implementing EN ISO 14971 in real-world scenarios. When applied together, IVDR, EN ISO 14971, and EN ISO/TR 24971 create a harmonized approach that ensures risks are not only minimized but also balanced against the expected clinical benefits. This integration strengthens compliance, enhances patient safety, and builds confidence among regulators, clinicians, and end users.
REGULATORY BASIS FOR RISK MANAGEMENT
Article 10 – General Obligations of Manufacturers
- Article 10(2) explicitly requires that manufacturers “establish, document, implement and maintain a system for risk management as described in Section 3 of Annex I.”
- In addition, Article 10 mandates that the manufacturer’s quality management system (QMS) must cover risk management among other elements.
- The full text of Article 10 states that manufacturers shall also keep technical documentation up to date, manage modifications, perform post‑market surveillance, vigilance, etc.
Thus, Article 10 makes it mandatory for manufacturers placing IVDs on the EU market to have and maintain a risk management system, and to integrate it into their QMS.
Annex I – Core Requirements for Safety and Performance
- Annex I of the IVDR contains the General Safety and Performance Requirements (GSPRs), the detailed substantive rules that risk management must satisfy.
- The relevant parts are mainly in Chapter I, Sections 1 to 8, which deal with general requirements and risk management.
Key Requirements for Risk Management in Annex I, Chapter I (GSPR Sections 1 to 8)
Some of the core obligations in Annex I concerning risk management include:
Risk Management Plan / Documentation
- Manufacturers must establish and document a risk management plan for each device.
- The risk management plan must define how risks are identified, analyzed, mitigated, and reviewed throughout the lifecycle.
Identification and Analysis of Hazards
- All known and foreseeable hazards must be identified (those arising during intended use and reasonably foreseeable misuse).
- For each hazard, the manufacturer must estimate and evaluate the associated risks (i.e. probability × severity).
Risk Control (Elimination / Mitigation / Residual Risk)
- Risks must be eliminated or controlled in accordance with Section 4 of Annex I (risk control) using state-of-the-art design, protective measures, and information for safety (warnings, instructions).
The order of priority is:
a) safe design / manufacture to remove or reduce risks where possible,
b) protective measures (e.g. alarms, guarding),
c) information for safety (labelling, user instructions).
- The residual risk (after applying controls) must be acceptable, and the overall residual risk must be weighed against the benefits of the device. Even for non‑unacceptable risks, a benefit‑risk analysis must be done.
Use‑related Risks and Human Factors
- The manufacturer must consider risks arising from use error, including ergonomic factors, user knowledge/training, environment of use, etc.
- The design must account for user characteristics (e.g. professional vs lay users, education/training) and the environment in which the device will be used.
Lifespan / Durability / Stress / Storage / Transport
- The device must maintain its safety and performance throughout its lifetime, considering stresses from normal use, maintenance, environmental conditions, storage and transport.
- The manufacturer must ensure that neither transport nor storage adversely affects safety or performance.
Post‑market Feedback and Updates
- Information from the production and post‑market surveillance systems must be evaluated to identify new hazards, changed frequencies, new risks, or changes in the benefit‑risk balance.
- Based on that evaluation, risk control measures must be updated or amended as needed.
Thus, Annex I (especially its Section 3 and the surrounding parts) defines how a risk management system must function (plan, identify, evaluate, mitigate, monitor) in order to satisfy the GSPRs.
KEY REQUIREMENTS UNDER IVDR ARTICLE 10 AND ANNEX I
- Article 10(9): mandates that manufacturers maintain an ongoing risk management process integrated within their quality management system (QMS).
- Annex I, Section 3: obliges manufacturers to eliminate or reduce risks wherever possible through decisions made during design and manufacturing.
- Annex I, Section 4: requires that any remaining (residual) risks must be communicated to users, e.g. via instructions, warnings, or training materials.
- Annex I, Section 8: stipulates that the device must be safeguarded against mechanical and environmental hazards (e.g. impacts, temperature, humidity).
INTERACTION WITH HARMONIZED STANDARDS (E.G. EN ISO 14971:2019)
While IVDR does not require a specific standard, EN ISO 14971 (medical devices application of risk management) is generally accepted as the state-of-the-art framework that can satisfy the regulatory requirements, including in the IVD domain.
- Many manufacturers adopt EN ISO 14971 (or its deviations/interpretations) as the internal risk management methodology, then ensure that their implementation aligns with additional IVDR-specific requirements (e.g. requiring benefit-risk evaluation for all risks, not only unacceptable ones).
- EN ISO/TR 24971:2020 provides guidance on applying EN ISO 14971 in medical devices; Annex H of EN ISO/TR 24971 offers guidance specific to IVDs.
Hence, the IVDR regulatory basis is typically fulfilled by aligning the internal risk management framework (often EN ISO 14971) to the IVDR’s legal and specific requirements.
EN ISO 14971:2019 – FOUNDATION OF RISK MANAGEMENT
EN ISO 14971:2019 establishes the internationally recognized framework for managing risks associated with medical devices and in vitro diagnostic (IVD) devices. It provides a structured, lifecycle‑oriented process that aligns with the risk management obligations in the EU IVDR.
Key process elements defined in Clauses 4 to 10 include:
- Risk Analysis (Clause 5)
Identify known and foreseeable hazards, determine the possible causes, and estimate the associated risks (probability and severity).
- Risk Evaluation (Clause 6)
Decide whether each identified risk is acceptable, based on pre‑defined criteria.
- Risk Control (Clause 7)
Apply control measures to reduce risks to an acceptable level; verify that these measures are implemented and effective.
- Evaluation of Overall Residual Risk (Clause 8)
Review the collective residual risk of the device after all controls and determine whether the overall benefit‑risk profile remains favorable.
- Production and Post‑Market Monitoring (Clause 10)
Establish mechanisms to collect production and post‑market data (feedback, complaints, vigilance), feed this information into the risk management process, and update risk assessments accordingly.
DEFINITION AND SCOPE OF RISK MANAGEMENT UNDER IVDR
Under the IVDR framework, risk management is not limited to purely technical hazards, but also encompasses clinical, biological, usability (human factors), and software-related risks. In other words, manufacturers must consider a broad range of risk types when implementing risk management.
This obligation spans all phases of a device’s lifecycle:
- Design & Development: Anticipate and identify potential hazards both from intended use and from foreseeable misuse.
- Manufacturing & Production: Ensure that the device is produced consistently and reliably, with controls that prevent deviations and defects that could lead to risk.
- Post‑Market Phase: Continuously monitor real‑world use (via post‑market surveillance and vigilance), detect emerging safety issues or performance deviations, and assess their impact on the risk profile.
Because of this, risk management under IVDR must be lifecycle‑wide. The manufacturer must maintain and update a risk management file (or system) as new information (for example, adverse event reports, field complaints, performance issues) becomes available. The evolving nature of usage, environment, or user interaction means that risk assumptions and controls may need revision over time.
The approach of lifecycle-wide risk management is aligned with EN ISO 14971:2019, which explicitly states that the risk management process applies across all phases of a medical device’s life cycle (Clause 4).
STRUCTURE OF THE RISK MANAGEMENT REPORT (RMR)
A well-structured Risk Management Report (RMR), as required under EN ISO 14971:2019 Clause 9, consolidates the results of the risk management process and serves as a key part of the technical documentation for both internal review and external audits by notified bodies or regulatory authorities.
The typical contents of a compliant RMR include:
- Device Overview and Intended Purpose
A concise description of the medical or IVD device, including its intended medical use, target patient population, users, and environment of use.
- Reference to the Risk Management Plan
A link or citation to the specific risk management plan (as per EN ISO 14971 Clause 4.4), which outlines the scope, responsibilities, criteria for risk acceptability, and methodology applied.
- Summary of Risk Analysis and Hazard Identification
Key findings from the risk analysis phase, including identified hazards, their causes, sequences of events leading to harm, and estimated risk levels.
- Risk Control Measures and Effectiveness Verification
Documentation of the measures taken to mitigate identified risks and evidence (e.g., test results, design validation) confirming their effectiveness.
- Evaluation of Residual Risks and Benefit-Risk Justification
A comprehensive assessment of residual risks post-control, and a clear demonstration that the overall benefits of the device outweigh the remaining risks (EN ISO 14971 Clause 8).
- Connections to Other Technical Documentation
Clear linkage to supporting evidence in the technical file, such as the clinical evaluation report (CER), post-market surveillance (PMS) plan, or usability engineering documentation.
- Final Conclusion on Risk Acceptability
A formal statement declaring whether the device meets the manufacturer’s criteria for risk acceptability and is safe for its intended use.
INTEGRATION WITH OTHER TECHNICAL DOCUMENTATION
| Technical Document | Key Contribution to Risk Management | Relevant IVDR Reference |
|---|---|---|
| Risk Management Report (RMR) | Summarizes identified risks, control measures, and overall benefit-risk conclusion. | EN ISO 14971:2019 Clause 9 |
| Clinical Evidence (Annex XIII) | Supports and justifies benefit-risk conclusions with clinical data. | Annex XIII, Part A (Section 1.3) |
| Performance Evaluation (Annex XIII) | Validates risk assumptions through analytical and clinical performance data. | Annex XIII, Parts A & B |
| Post-Market Surveillance (Annex III) | Provides real-world data to continuously update risk evaluations and control measures. | Annex III, Section 1 (Article 78) |
| Instructions for Use (IFU) & Labeling (Annex I) | Communicates residual risks and safe use instructions to users. | Annex I, Sections 21 to 22 |
CONCLUSION
Risk management under IVDR 2017/746 and EN ISO 14971:2019 represents far more than a regulatory formality. It is an ongoing, structured, and evidence-driven process designed to safeguard patients and ensure reliable device performance. By applying the additional guidance provided in EN ISO/TR 24971, keeping risk documentation transparent and up to date, and linking risk management outputs with clinical evidence, performance evaluation, post-market surveillance, and user information, manufacturers create a cohesive compliance framework. This integrated approach not only demonstrates conformity with legal requirements but also strengthens confidence among regulators, notified bodies, healthcare professionals, and the wider market.
HOW WE CAN HELP
At Morulaa, we help global medical device and IVD manufacturers navigate the regulatory complexities of IVDR (EU 2017/746) and EN ISO 14971:2019 risk management by building and maintaining compliant risk management frameworks, preparing audit-ready technical documentation, and aligning risk files with clinical evidence, performance evaluation, PMS plans, and labeling. Our team conducts detailed gap assessments, implements corrective actions to meet Annex I and XIII requirements, and establishes robust post-market surveillance and vigilance systems to keep risk management current. Beyond Europe, we also support registration and distribution setup in India, the USA, and other key markets, ensuring a seamless global compliance strategy. By working with Morulaa, manufacturers strengthen regulatory compliance while earning lasting trust from regulators, notified bodies, healthcare professionals, and the wider market.