The risk management file is a part of the technical documentation that proves that a medical device meets the regulatory requirements for risk management.
Content
This page summarizes the most essential information on the risk management file and links to further articles.
ISO 14971, the standard on risk management for medical devices, requires in Chapter 4.5 that
“the manufacturer must establish and maintain a risk management file.”
As the standard is harmonized under the MDR and IVDR, it represents the state of the art and is therefore binding.
The standard defines this term as follows:
Set of records and other documents generated in risk management.
Source: ISO 14971, 3.25
The standard specifies which records and documents these are. The second section of this article summarizes these content elements.
The standard only refers to a “set of documents and records.” How manufacturers distribute the contents of these records and documents and how they create directories is up to them.
However, the requirements of the MDR, Annex II (analogous to IVDR) demand an “organized, easily searchable and unambiguous form” of the technical documentation:
Manufacturers can manage this content both in documents and in tools. However, notified bodies insist on being able to store a versioned snapshot. Contact us if you wish support in this regard.
To meet the requirements of ISO 14971, the risk management file must include the following content:
| Content (incl. link) | Description | Documentation |
| Intended use | Intended purpose and normal use, including characterization of users, use environment, and patients | This is usually a separate document. |
| Risk acceptance | Manufacturers usually distinguish between a company-wide risk policy and product-specific criteria for risk acceptance. | The risk policy is either a stand-alone document or the manufacturer combines it with the risk acceptance criteria. Manufacturers almost always express the latter through a risk acceptance matrix.
This is usually a component of the risk management plan. |
| Risk management plan | The planning of all activities and roles in risk management, including people, timing, methods, and, if necessary, tools | The risk management plan is often a stand-alone document. It can be adapted and is then available in several versions. |
| Risk analysis | Description of the individual hazards with causes and risks, i.e., combinations and severities of possible harm | The risk analysis almost always comprises a table (“risk table”) with the columns ID, cause, hazard or hazardous situation and/or harm, probability, severity, and risk.
The manufacturer notes any comments or further explanations in the table or a separate document. |
| Risk control | Description of the measures and evidence that these measures have been implemented and are effective | These measures can be documented in the “risk table.” Manufacturers add further columns for the measures and references to the verifications, e.g., tests.
Here, manufacturers also note comments or further explanations in the table or a separate document. |
| Risk management report | Summary assessment of the benefit-risk ratio and outputs of the review of compliance with the plan | This report is almost always available as a separate document. |
Do you have questions about the risk management file or risk management in general? You can get answers in our free micro-consulting.
In the risk Management & ISO 14971 seminar, you will learn about the legal requirements for risk management and how to comply with them.
The Medical Device University uses video training to show you how to create a lean and ISO 14971-compliant risk management file. In addition, it takes a lot of work off your hands with a complete set of templates for a risk management file.
You can also benefit from the knowledge of the experts at the Johner Institute. The risk management team will help you write or review your files and prepare you for audits and reviews.
Get in touch right away so that we can discuss the next steps. This will ensure that your “approval” is successful and your devices are quickly launched.
The risk management plan is one of the most important documents in technical documentation. Accordingly, authorities and notified bodies examine this plan intensively. However, it is not only from a regulatory perspective that medical device manufacturers benefit from a precise risk management plan. This article 1. What a risk management plan is In a risk…
DetailsThis article identifies the seven most common risk management errors that Johner Institute and its auditors encounter most often. It also offers advice on how to avoid these errors. Risk management is among the most important requirements medical device manufacturers must meet. Therefore, it is important that they avoid risk management errors. 1st error class:…
DetailsLaws and standards require organizations to prepare a risk management report. Notified bodies and authorities examine these reports intensively because risk management is a key regulatory requirement. Therefore, it is important (not only) for manufacturers to prepare precise, complete, and correct risk management reports. This article provides assistance in this regard. 1. What is a…
DetailsThe MDR and IVDR require either a “Post-Market Surveillance Report” or a “Periodic Safety Update Report” from medical device manufacturers. The Periodic Safety Update Report is abbreviated as “PSUR”, the Post-Market Surveillance reports as “PMS report”. PSUR and PMS report: Regulatory background and objectives The European Commission has significantly increased the requirements for monitoring devices…
DetailsThe process FMEA (pFMEA) is a method for the systematic analysis of risks resulting from failure modes in processes, such as device production and cleaning. Laws, such as the MDR, and standards, such as ISO 13485, require medical device manufacturers to identify and control such process risks. 1. What the pFMEA is a) The pFMEA is a…
DetailsSoftware risk analysis depends on the following: Software itself cannot cause harm. It always happens via hardware or people. However, this does not mean there is no need for risk analysis in software. The opposite is the case! What distinguishes risk analysis for software from other medical devices In the case of (standalone) software, harm…
DetailsFault Tree Analysis is a procedure used to search for unknown causes of known effects (in the case of medical devices, harms or hazards). It, therefore, counts as a top-down procedure in risk analysis. Fault Tree Analysis: Notation The name Fault Tree Analysis already clarifies how it is represented graphically: As a tree. Both mind…
Details
Privacy Preference
We need your consent before you can continue on our website. If you are under 16 and wish to give consent to optional services, you must ask your legal guardians for permission. We use cookies and other technologies on our website. Some of them are essential, while others help us to improve this website and your experience. Personal data may be processed (e.g. IP addresses), for example for personalized ads and content or ad and content measurement. You can find more information about the use of your data in our privacy policy. You can revoke or adjust your selection at any time under Settings.
Privacy Preference
If you are under 16 and wish to give consent to optional services, you must ask your legal guardians for permission. We use cookies and other technologies on our website. Some of them are essential, while others help us to improve this website and your experience. Personal data may be processed (e.g. IP addresses), for example for personalized ads and content or ad and content measurement. You can find more information about the use of your data in our privacy policy. Here you will find an overview of all cookies used. You can give your consent to whole categories or display further information and select certain cookies.