Laws and standards require organizations to prepare a risk management report. Notified bodies and authorities examine these reports intensively because risk management is a key regulatory requirement.
Therefore, it is important (not only) for manufacturers to prepare precise, complete, and correct risk management reports. This article provides assistance in this regard.
The risk management report is a part of the risk management file. According to Chapter 9 of ISO 14971, it must contain the "outputs of the review" of the risk management activities, in particular:
Chapter 4 of this article provides further details on the contents of this risk management report.
The risk management report is often a stand-alone document. However, this is neither required by regulation nor is it the most pragmatic approach in every case. More on this in Chapter 4 as well.
In Chapter 4.2, ISO 14971 requires an organization's top management to review the suitability [and effectiveness] of the risk management process at planned intervals. Organizations must document the outputs of this review.
However, these reports on the effectiveness of the risk management process should be distinct from risk management reports. The former is at the management level (e.g., as part of the management review, ISO 13485:2016, Chapter 5.6), and the latter at the product level.
Report on risks from the post-production phase
In this presentation, FDA describes the "Risk Management Report" as a document that contains an assessment of post-production phase information relevant to risk. Such a narrowing of focus is unusual.
ISO 9001 also sets requirements for dealing with risks. The organizations must also recognize and deal with these risks (Chapters 0.1 and 0.3.2) or consider them in their quality system (Chapters 4.4 and 6.1).
Reports on these analyses and measures are also not a "risk management report". Such content belongs instead in a management report.
The regulatory requirements are the most important reason for many organizations to prepare a risk management report.
ISO 13485 requires manufacturers to document the risk management process and risk management activities. The latter would be part of a risk management report.
The FDA's considerations in the guidance document Factors to Consider Regarding Benefit-Risk in Medical Device Product Availability, Compliance, and Enforcement Decisions are interesting.
The risk management report helps to implement the PDCA concept because it contains the check of whether the risk management activities follow the plan.
Regardless of regulatory requirements, a risk management report is an important document for authorities and notified bodies. They want to benefit from it as an "executive summary" for risk management because there is usually not enough time to evaluate the complete risk management file.
Using the risk management report, manufacturers can ensure that they have done everything possible to
Risk management reports, in the sense of this article, are required (at least) by all organizations that must comply with the requirements of ISO 14971. This also concerns organizations that declare conformity with ISO 13485, because ISO 13485 requires risk management and recommends that it be carried out in accordance with ISO 14971.
These organizations include:
These organizations require a risk management report for each medical device.
The MDR allows manufacturers to create the technical documentation (TD) for all devices in a Basic UDI-DI. The risk management files are part of this TD.
If one restricts oneself to the requirements of ISO 14971, then the risk management report contains only the outputs of the inspection as to whether
This report contains only the "judgments" and justifications for them. That is, the ISO 14971 risk management report is a meta-level document (see fig. 1).
Manufacturers can use a spreadsheet to demonstrate that the plan has been implemented:
Activity according to plan
Activity carried out
Description of the activity
[ ] yes [ ] no
Reference to documents and records
e.g., notes on why the plan was deviated from
ISO 24971 contains little additional information on the risk management report. It seems to follow the approach of limiting this report to the three pieces of information mentioned above.
In fact, the risk management report is often expected to provide an "executive summary" of the overall risk management process. Therefore, organizations may supplement the report with additional information:
In some cases, manufacturers go so far as to prepare only three documents:
1. risk management plan
2. risk table
3. risk management report (contains everything else)
A risk assessment matrix can be used to demonstrate how the risks have changed as a result of the measures.
Manufacturers must define and review the competencies of the persons involved in risk management and document both. In Chapter 7.3.2, ISO 13485 requires these specifications for the respective development project.
This makes sense when writing the risk management plan. For example, for the benefit-risk evaluation, the responsible persons must know and evaluate the following:
The manufacturers document their risk acceptance criteria in the form of a risk acceptance matrix (see fig. 2). This matrix is well suited for deciding on the justifiability of individual risks. However, it is not suitable to the same extent for justifying why
Manufacturers should define the criteria for these justifications.
c) Update reports as needed
A reviewed and approved version of the risk management report before the first placing on the market of the device is mandatory. However, this does not mean that this report will no longer be changed. ISO 24971 writes in this regard:
There can be a need to revise or update the risk management report if new information becomes available, for example during the production and post-production phases.
ISO 24971, Chapter 9
The risk management report is an indispensable part of any technical documentation.
ISO 14971 prescribes the "minimum contents" of this report.
Manufacturers can divide the contents into different documents:
Many manufacturers find it most difficult to justify why the remaining residual risk is acceptable in view of the benefits and the state of the art.