Risk Control and Risk Minimization

Risk Minimization: General Requirements

For medical devices, the benefits must outweigh the risks, i.e. the risks must be controlled. If a manufacturer provides unacceptable risks at the risk analysis, he must minimise these. The Medical device directive requires that manufacturers, proceed in the following order:

  1. Inherent safety: make medical inherently safe
  2. Precautions: If this is not possible, take risk-minimizing measures
  3. Notes: If this is not possible or sufficient information then note remaining risks
MDR and MDD demand risk mitigation in the given order.

Development Phases, in Which Risks are Minimized

Risks can be minimized at all levels of product development:

  • Restriction or change of purpose
  • Requirements of the system (system specification)
  • Suitable choice of system architecture


Most companies document risk control measures in a table that they call the "FMEA table".

"FMEA Table" with Risk Analysis and Risk Control

Risk Minimization Through Testing?

What do you think, is the most frequently cited measure? The title of this entry suggests the answer: Test. Test as a measure for reducing risks. Does that work? 

To do this we must look at the definition of risk: A risk is defined according to ISO 14971 as: A combination of the probability of HARM occurring and the SEVERITY of that HARM

Does testing change the probability or the severity? As you don’t change anything when the product is tested, it’s not likely that you will change the probability of harm occurring or the severity, that would stem from a defective product. Tests do not minimize risks! However they may justify the assumption of a certain probability.

Risks Through Risk Minimization Measures

In our discussions on the concepts of risk management my Medsoto partner Sven Wittorf has drawn attention to a tragic example of a measure to control risks that induced new risks.

As part of the risk analysis of the Airbus, it was noted that a hazard is created when you accidentally press the thrust reverser in the air. As a measure to control risk, they therefore chose a mechanism that only allows the thrust reverser to function when the aircraft is no longer in the air, which was recognized by the wheelspin. Unfortunately, this led to the wheels touching the ground, but not immediately starting to spin (aquaplaning), because the runway in Warsaw was flooded. The aircraft could no longer break and shot past the the runway and there were fatal consequences.

Today, we no longer evaluate the rotation of the wheels, but the weight on the chassis in order to determine whether the aircraft is on the ground.

In many risk analyses little thought has been put into the risks that can be introduced by risk control measures. Even the risks that are originally identified are rarely evaluated completely and correctly.


Prof. Dr. Christian Johner


A quick overview: Our


Learn More Pfeil_weiß

Always up to date: Our


Learn More Pfeil_grau