The risk management plan is one of the most important documents in technical documentation. Accordingly, authorities and notified bodies examine this plan intensively.
However, it is not only from a regulatory perspective that medical device manufacturers benefit from a precise risk management plan. This article
In a risk management plan, a manufacturer documents information on procedures, activities, methods, and tools for the risk management of a specific device throughout its entire life cycle.
This information is usually available as a controlled document. It is also possible to store this information as structured data, as with the real-time compliance system.
Chapter 3 of this article lists the contents of a risk management plan.
Standards such as ISO 14971, Chapter 4.4, and laws require risk management plans. For example, the MDR and IVDR have identical wording in Annex I Section 3:
In carrying out risk management manufacturers shall: (a) establish and document a risk management plan for each device
MDR Annex I, Section 3
If manufacturers meet this requirement, they avoid regulatory hassles with approvals, inspections of technical documentation, and audits, for example, and possible consequences such as delayed approval.
If a plan is in place, everyone involved knows what needs to be done and when. This is particularly important for successful risk management, to which many different roles contribute:
A plan ensures that all activities are coordinated and take place at the right time. It helps to avoid uncoordinated activities and blind performance.
If all risk management activities are carried out by the right people, using the proper methods and at the right time (this is precisely what the risk management plan determines), these activities are particularly effective. This means that risks are identified and controlled with particular reliability. This results in safe devices.
The risk management plan is also necessary in order to derive the product-specific requirements for risk management from the often generally applicable standard operating procedure for risk management. Only the product-specific activities lead to the safety of the device being optimized.
The general risk management plan requires risks to be identified and alternative technologies and architectures to be evaluated during the development of the device.
The risk management plan for standalone software requires that the software libraries used during development must be selected depending on the speed with which their manufacturer delivers patches, among other things.
The risk management plan also helps at the meta-level: it is part of the PDCA cycle ("Plan-Do-Check-Act"). Without a plan, nothing can be done ("Do") and checked ("Check"). The deviation from the status quo to the plan results in the necessary actions ("Act") to improve not only the specific plan but also the entire risk management process.
The risk management plan requires that security vulnerabilities in software must be avoided during its architecture phase and searched for during the system test phase by means of penetration tests.
It turns out that the penetration tests identify many vulnerabilities that could have been avoided during the architecture phase.
For this reason, the manufacturer of software products adds the requirement for threat modeling during the architecture phase to its standard operating procedure for risk management.
The minimum requirements for the content of risk management plans are set out in
ISO 14971 requires the following elements:
The following sections contain further information.
The scope of application has various dimensions that the risk management plan should consider:
The persons and departments affected by the document must be specified here. These should also be involved in the creation and release of the risk management plan.
Suppliers carry out many activities in the development and production of medical devices. The plan must, therefore, regulate whether it also relates to them.
The plan should specify which device or devices it relates to. In the case of systems, this can also relate to only part of the system, possibly only accessories for a device or consumables.
Make sure that the interfaces to other devices or components are also aligned with the interfaces of the documents (in this case, plans).
It should be clarified which processes and life cycle phases the plan covers. Does it only apply to the initial development or also to later design changes? Does it cover the post-market phase?
There is usually a separate post-market surveillance plan, which is referenced in the initial risk management plan.
It should be noted that the post-market plan, according to MDR, does not include the manufacturing phase, whereas the risk management plan, according to 14971, does.
Risk management is a team sport. Typical roles have already been mentioned above. The risk management plan ensures that no roles are forgotten and that all necessary competencies are available.
Various activities must be carried out as part of risk management, e.g., hazard analysis, risk evaluation, definition of risk-minimizing measures, and review of their effectiveness.
Manufacturers must define requirements for each of these activities. This is usually done by defining methods, for example, the PHA for the hazard analysis.
If a higher-level process or standard operating procedure already specifies this, the risk management plan can overwrite it or specify it in another project-specific way.
The risk management plan can provide answers to the following questions:
Further specifications of the risk management plan concern the risk acceptance criteria, for example,
Please note our tips on deriving risk acceptance.
The risk management plan regularly contains references to documents that also apply and must be observed.
The Johner Institute's risk management team has compiled frequently occurring complaints from authorities and notified bodies regarding the risk management plan:
Make sure that you can rule out the deviations mentioned above in Chapter 4 that are identified during audits.
A risk management plan is not a static document. It is revised and must be updated continuously as new information becomes available. These revisions should be attached to the risk management file.
A manufacturer should check whether the risk management plan specifies all the risk management activities described in ISO 14971:2019 in Chapters 5 to 10. For each of these activities, the risk management plan should specify:
A representative of top management should approve the RM plan to ensure consistency with the established risk policy.
Design reviews can be used to check whether risk management is being carried out in accordance with the plan. The plan also provides the input for the final risk management assessment.
In both cases, it must be checked whether
This means that the structured and systematic approach to the analysis should not only be planned but also documented accordingly. This has a positive effect on the efficiency of the implementation, prevents gaps and deviations, and also serves later as proof that a systematic approach was actually taken.
A manufacturer shows the auditor the risk table as part of the technical documentation. The auditor looks for three specific risks in the table but does not find them. He hypothesizes that a lack of structure and system is the reason for the absence; therefore, he suspects even greater gaps and ultimately refuses the certificate.
Because the manufacturer has not documented its procedure anywhere, it cannot prove the opposite and has to go through the analysis again in full.
A manufacturer must draw up a risk management plan for each device. Standards and laws define the contents of these plans.
Like all plans, the risk management plan must also specify who does what, when and how, and which inputs are converted into which outputs. Like all plans, the risk management plan is not a static document but can be developed further. This is because risk management does not end with development.
It is important to fulfill the minimum requirements of the plan and stick to it later. In this way, manufacturers can not only avoid problems in audits and approvals. A risk management plan is an important building block for the efficient development and production of safe medical devices.
The Johner Institute offers all the support you need to develop and implement audit-proof risk management plans:
Contact us for a free consultation, during which the experts will give you some initial practical tips.