PLAIN ENGLISH MEDICAL DEVICE RISK MANAGEMENT
An accompanying document is one that is formally connected with a medical device and is distributed to the user or the operator of that device and to those accountable for its installation, use, and maintenance. The purpose of an accompanying document is to ensure that the medical device is used safely and that it is properly installed and maintained.
Harm occurs when people are injured physically or their health is compromised or when property or the environment is damaged.
A hazard is a potential source of harm. Annex E.2 categorizes hazards in the following way: energy hazards, chemical hazards, biological hazards, and informational hazards.
A hazardous situation occurs when people are exposed to a hazard or when property or the environment is threatened. A hazardous situation exists when a vulnerable entity is exposed to a hazard.
A product’s intended use is what it is supposed to be used for according to the manufacturer’s specifications, instructions, and other information.
product’s intended purpose. The United States tends to use the term intended use while Europe prefers the term intended purpose. Both terms mean essentially the same thing.
An in vitro diagnostic medical device is a manufactured product that has been designed to be used to examine specimens derived from the human body and to provide information that is used for diagnostic or monitoring purposes or to
IVD medical devices include reagents, calibrators, and specimen collection and storage devices, as well as control materials and related instruments, apparatuses, or
These devices can be used alone or in combination as a
The life-cycle of a medical device includes all phases from initial concept and design to production and includes final decommissioning and disposal.
A manufacturer is a natural or legal person who is responsible for designing, producing, packaging, labelling, or adapting medical devices before they are put into service or brought to market, or assembling the
The term manufacturer also includes third parties
been given these responsibilities.
A manufactured product is defined as a medical device if it is used to:
Medical devices can include:
- In vitro reagents
- Related articles.
that achieve results by pharmacological, immunological, or metabolic means are not medical devices.
the results achieved by medical devices may be assisted by
In some jurisdictions, the following products may be thought of as medical devices: products used to assist disabled or handicapped people, products used to diagnose and treat animal injuries and diseases, products used as medical device accessories, products used as disinfectants, and products that incorporate animal or human tissues.
ISO 14971 applies to accessories that facilitate the use of a “parent” medical device and enable it to fulfill its intended use or purpose.
Objective evidence is data that shows or proves that something exists or is true. Objective evidence can be collected by performing observations, measurements, tests, or by using any other suitable method.
The life-cycle of any medical device can be divided into two phases: production and post-production. The post-production phase starts after the design has been completed and the medical device has been manufactured. The post-production phase includes product transportation, storage, installation, use, maintenance, and repair and also covers all product modification, decommissioning, and
A procedure is a way of carrying out a process or activity. Procedures may be documented or not
A process is a set of activities that are interrelated or that interact with
Processes use resources to transform inputs into outputs.
A record is a type of document. Records provide evidence that activities have been performed or results have been achieved.
Residual risk is the risk left over after you’ve taken risk control measures. It’s the risk remaining after you’ve done one or more of the following: accepted the risk, avoided the risk, reduced the risk, modified the
changed the probabilities.
According to ISO 14971, the concept of risk combines two variables: the probability of harm and the severity of harm. For example, if a particular hazardous situation is very likely to cause harm and would be very harmful if it
then it would be a high risk situation. Conversely, if it’s very unlikely to cause harm and would be only
if it actually occurred, then it would be a trivial
Risk analysis is a systematic process that is used to identify hazards and to estimate risk. It includes an examination of every reasonably foreseeable sequence or combination of events that could produce a hazardous situation and cause harm.
Risk assessment is a process that is, in turn, made up of two
risk analysis and
Risk analysis is a process that is used to identify hazards and to estimate risk. Risk evaluation is a process that is used to examine the estimated risk for each hazardous situation and then to use risk acceptability criteria to determine whether or not the estimated risk is acceptable and to decide if risk reduction is required.
Risk control is a process that is used to consider risk control options and to select and implement risk control measures that will reduce risk or maintain risk within specified levels. ISO 14971 expects you to consider the following risk control options and, if possible, to apply them in the
1. Design safety into the product.
2. Establish protective measures.
3. Provide safety information.
Risk estimation is a process that is used to assign qualitative or quantitative probability values and severity values to each hazardous situation. These values are then used to estimate risk. For example, if a specific hazardous situation is very likely to cause harm and would be very harmful if it actually occurred, then it would be a high
Conversely, if it’s very unlikely to cause harm and would
slightly harmful if it actually occurred, then it would be a trivial risk. Of course, this is just a simple example. You can use any appropriate probability and severity categories.
Risk evaluation is a process that is used to examine the estimated risk for each hazardous situation and then to use risk acceptability criteria to determine whether or not the estimated risk is acceptable and to decide if risk reduction is
Risk management uses policies, procedures, and practices to systematically analyze, evaluate, control, and monitor risk.
A risk management file must be created for each medical device. Your risk management file should include all of the records and documents that your risk management
files should contain risk management
are used to record risk analyses, risk evaluations, risk control measures, and residual risk evaluations. Risk management files are also used to facilitate traceability and to check whether or not your organization complies with this ISO 14971
Safety is freedom from unacceptable risk. Risk acceptability criteria are used to help decide whether or not a risk is unacceptable.
Severity is a measure of the possible harmful consequences that a hazard could potentially cause.
The term top management refers to a person or a group of people at the highest level within an organization. In the context of ISO 14971, it refers to the people who coordinate, direct, and control organizations
A use error is an act or omission that results in a medical device response that is either not expected by the user or unintended by the manufacturer. Use errors include slip-ups, lapses, and mistakes.
Verification is a process. It uses objective evidence to confirm that specified requirements have been met. Whenever specified requirements have been met, a verified status is achieved. There are many ways to verify that requirements have been met. For example, you could do tests, perform demonstrations, carry out alternative calculations, compare a new design specification with a proven design specification, or you could inspect documents before you issue them.