Risk Management under EU MDR

Medical Device Risk Management under EU MDR

INTRODUCTION 

EU MDR 2017/745 establishes strict requirements for risk management as part of the regulatory framework for medical devices and emphasizes the importance of a comprehensive risk management system. As per Article 10 of the EU MDR, manufacturers are required to establish, document, implement, and maintain a system for risk management. This process must be maintained and updated throughout the device’s entire lifecycle, including Post-Market Surveillance (PMS), and must be integrated into the manufacturer’s Quality Management System (QMS). While the MDR provides the legal requirements, the "state of the art" method for achieving compliance is the international standard ISO 14971 (Medical devices — Application of risk management to medical devices) and its guidance document ISO/TR 24971 (Guidance on the application of ISO 14971).

THE ROLE OF ISO 14971 AND ISO/TR 24971 IN EU MDR

Although the EU MDR is a regulation and ISO 14971 is a standard, they are inextricably linked.

| Document | Role | Key Takeaway |
|---|---|---|
| EU MDR 2017/745 | The Regulation (Law) | Mandates the "As Far As Possible" (AFAP) reduction of risk. |
| ISO 14971:2019 | The Standard (Process) | The systematic process for managing risk. Use the EN version for EU compliance. |
| ISO/TR 24971:2020 | The Guidance (Help) | Practical tips and examples on how to implement the standard effectively. |

For European compliance, manufacturers should refer to the Harmonized Standard (EN ISO 14971). This version includes Annex Z, which specifically outlines how the clauses of ISO 14971 map to the General Safety and Performance Requirements (GSPRs) of the MDR.

RISK MANAGEMENT PLAN

The first step in compliance is establishing a Risk Management Plan. According to ISO 14971 and the MDR, this plan must define the scope of the risk management activities and include:

  • The lifecycle phases covered by the plan.

  • Assignment of responsibilities and authorities.

  • Requirements for the review of risk management activities.

  • Criteria for risk acceptability (based on the manufacturer's policy).

  • A method to evaluate the overall residual risk.

  • Activities for verification of the implementation and effectiveness of risk control measures.

RISK ANALYSIS AND EVALUATION

Once the plan is in place, the manufacturer must perform a risk analysis for the specific medical device. This involves:

  1. Intended Use & Misuse: Defining the intended use and reasonably foreseeable misuse.

  2. Hazard Identification: Identifying known and foreseeable hazards associated with the device (e.g., electrical, biological, or software hazards).

  3. Risk Estimation: Estimating the probability of occurrence and the severity of harm for each hazardous situation.

Following analysis, Risk Evaluation is performed to determine if the risk is acceptable based on the criteria defined in the plan.

RISK CONTROL AND THE "AFAP" REQUIREMENT

If a risk is deemed unacceptable, risk control measures must be implemented. A key difference in the EU MDR compared to older standards is the requirement to reduce risks "As Far As Possible" (AFAP).

Manufacturers must implement risk controls in the following priority order (as per MDR Annex I, Chapter I):

  1. Inherent Safety: Eliminate or reduce risks through safe design and manufacture.

  2. Protective Measures: Implement alarms or protection measures for risks that cannot be eliminated.

  3. Information for Safety: Provide warnings and precautions to users.

Note: Under the EU MDR, providing "information for safety" (labeling) is not considered a risk reduction measure for the purpose of lowering the residual risk score.

BENEFIT-RISK ANALYSIS

When a residual risk is not judged acceptable using the criteria in the risk management plan, a Benefit-Risk Analysis must be performed. The manufacturer must gather data and literature to demonstrate that the medical benefits of the device outweigh the remaining residual risks. The EU MDR places a heavy emphasis on clinical data to support these claims.

PRODUCTION AND POST-PRODUCTION ACTIVITIES

Risk management does not end when the device is launched. The EU MDR mandates a proactive approach to gathering information from the market. This includes:

  • Post-Market Surveillance (PMS): Systematically collecting data on device performance.

  • Post-Market Clinical Follow-up (PMCF): Proactively collecting clinical data to update the clinical evaluation.

  • Vigilance: Reporting serious incidents and field safety corrective actions.

This information must be fed back into the risk management process to update the risk analysis and evaluate if the benefit-risk profile remains favorable.

CONCLUSION

A robust risk management system is the backbone of EU MDR compliance. By aligning your processes with ISO 14971 and following the guidance in ISO/TR 24971, you can ensure your device meets the rigorous safety standards required for the European market. Remember, risk management is a living process; it requires continuous monitoring and updating to ensure patient safety throughout the device's lifecycle.

HOW MORULAA CAN HELP

Morulaa supports medical device manufacturers in building and maintaining EU MDR–compliant risk management systems aligned with ISO 14971 and ISO/TR 24971. We assist in preparing Risk Management Plans, Risk Analysis, Risk Control documentation, and Benefit–Risk Analysis that meet MDR and Notified Body expectations. We also help integrate risk management with Clinical Evaluation, PMS, PMCF, and Vigilance activities to ensure consistency across technical documentation. By providing structured, regulation-driven support, Morulaa enables manufacturers to achieve and maintain EU MDR compliance efficiently throughout the device lifecycle.


Working to create value and drive global regulatory success for our clients

Our partners are chosen for their deep regulatory expertise and shared commitment to quality. Together, we maintain a global network of industry experts and strategic alliances that ensure your device reaches the market faster with outstanding results.

© Morulaa. All Rights Reserved
