Risk mitigation through information?

Whether risk mitigation through information is permitted regularly leads to discussions. The answer to this question is important because it determines the conformity and non-conformity of medical devices.

This article provides the answer and thus resolves a "historical misunderstanding."

1. Regulatory framework

All manufacturers are obliged to minimize the risks posed by their medical devices. In relation to the benefit of the device, the residual risks must be acceptable.

To minimize the risks, there are several types of measures. Laws such as MDR and IVDR and the risk management standard ISO 14971 specify these types and the order in which they must be applied (see Fig. 1).

Thus, there is no general prohibition of risk control or risk mitigation through information.

2. Types of information

To answer the question of whether risk mitigation through information is permitted, an overview of the different types helps:

  • Warnings on the device, e.g., labels or pop-ups on software interfaces
  • Information in instructions for use and other accompanying materials about the correct use of the device
  • Information in instructions for use about residual risks
  • Training of users

3. Trigger of the confusion

When ISO 14971:2012 was harmonized, the lawyers of the harmonization service provider wrote in Annex Z:

… manufacturers shall not attribute additional risk reduction to the information given to the users…

Annex Z of ISO 14971

In doing so, the lawyers, unfortunately, lumped together two types of information:

  • Information that "only" lists any residual risks. This is a requirement of the MDR Annex I, Section 4 ("Manufacturers shall inform users of any residual risks.").
  • Information that presents concrete and specific measures to minimize risks. These contain specific instructions for persons to take action when handling the device.

4. The resolution

The list of residual risks is ...

  • comparable to the package insert listing the side effects of drugs,
  • a regulatory requirement and
  • not (!) a risk-minimizing measure.

Instructions for action for the users ...

  • are required by regulation if risks can be minimized with them,
  • then count as risk-minimizing measures and
  • are also allowed as such.

Team-NB also shared this assessment in a consensus paper in 2014.


With every electrically operated medical device, there is a risk of electric shock. This (residual) risk exists even if the manufacturer complies with all measures prescribed by IEC 60601-1 (e.g., on clearance and creepage distances). The manufacturer must enter and publish this risk in the list of residual risks.

The user can consider this information when making a risk-based decision for or against the use of the device. He cannot prevent the electric shock itself (e.g., in the event of a product defect). Accordingly, providing this information to the user is not a risk-minimizing measure.

If, on the other hand, the manufacturer specifies in the instructions for use that the technician must disconnect the mains plug before carrying out repairs and before opening the enclosure, then this is a clear instruction for action that, if fulfilled, minimizes the risk, namely, the risk of getting an electric shock when coming into contact with electrical components inside the device.

5. Conclusion

Risk mitigation through information is, therefore, perfectly permissible. A distinction must be made between:

  • Information listing all residual risks
    Publication of the list of residual risks is required by regulation and is not a risk mitigation measure.
  • Instructions for users
    They are required by regulation if they can be used to minimize risks. They are permitted as a risk-minimizing measure.


Manufacturers must prove the implementation and effectiveness of risk-minimizing measures. Risk-minimizing measures through information are usually reviewed in usability tests.

Training documents and instructions for use are part of the user interface and are, therefore, subject to the regulatory requirements for usability and within the scope of IEC 62366-1.



Christian Rosenzweig
