FTA: Fault Tree Analysis
Fault Tree Analysis is a procedure used to search for unknown causes of known effects (in the case of medical devices, harms or hazards). It, therefore, counts as a top-down procedure in risk analysis.
The risk management file is a part of the technical documentation that proves that a medical device meets the regulatory requirements for risk management.
Content
This page summarizes the most essential information on the risk management file and links to further articles.
- Regulatory requirements
- Content of the risk management file
- Support in creating and checking the file
1. Regulatory requirements
ISO 14971 requires a risk management file
ISO 14971, the standard on risk management for medical devices, requires in Chapter 4.5 that
“the manufacturer must establish and maintain a risk management file.”
As the standard is harmonized under the MDR and IVDR, it represents the state of the art and is therefore binding.
It defines the term …
The standard defines this term as follows:
Definition: Risk management file
Set of records and other documents generated in risk management.
Source: ISO 14971, 3.25
The standard specifies which records and documents these are. The second section of this article summarizes these content elements.
… but does not insist on a physical file
The standard only refers to a “set of documents and records.” How manufacturers distribute the contents of these records and documents and how they create directories is up to them.
However, the requirements of the MDR, Annex II (analogous to IVDR) demand an “organized, easily searchable and unambiguous form” of the technical documentation:
- The file must be available electronically (otherwise, it cannot be easily searched).
- The file needs at least one central entry point from which it is easy to navigate through all content.
Manufacturers can manage this content both in documents and in tools. However, notified bodies insist on being able to store a versioned snapshot.
2. Content and form of the risk management files
To meet the requirements of ISO 14971, the risk management file must include the following content:
| Content (incl. link) | Description | Documentation |
| Intended use | Intended purpose and normal use, including characterization of users, use environment, and patients | This is usually a separate document. |
| Risk acceptance | Manufacturers usually distinguish between a company-wide risk policy and product-specific criteria for risk acceptance. | The risk policy is either a stand-alone document or the manufacturer combines it with the risk acceptance criteria. Manufacturers almost always express the latter through a risk acceptance matrix.
This is usually a component of the risk management plan. |
| Risk management plan | The planning of all activities and roles in risk management, including people, timing, methods, and, if necessary, tools | The risk management plan is often a stand-alone document. It can be adapted and is then available in several versions. |
| Risk analysis | Description of the individual hazards with causes and risks, i.e., combinations and severities of possible harm | The risk analysis almost always comprises a table (“risk table”) with the columns ID, cause, hazard or hazardous situation and/or harm, probability, severity, and risk.
The manufacturer notes any comments or further explanations in the table or a separate document. |
| Risk control | Description of the measures and evidence that these measures have been implemented and are effective | These measures can be documented in the “risk table.” Manufacturers add further columns for the measures and references to the verifications, e.g., tests.
Here, manufacturers also note comments or further explanations in the table or a separate document. |
| Risk management report | Summary assessment of the benefit-risk ratio and outputs of the review of compliance with the plan | This report is almost always available as a separate document. |
3. Support
Do you have questions about the risk management file or risk management in general? You can get answers in our free micro-consulting.
In the risk Management & ISO 14971 seminar, you will learn about the legal requirements for risk management and how to comply with them.
The Medical Device University uses video training to show you how to create a lean and ISO 14971-compliant risk management file. In addition, it takes a lot of work off your hands with a complete set of templates for a risk management file.
You can also benefit from the knowledge of the experts at the Johner Institute. The risk management team will help you write or review your files and prepare you for audits and reviews.
Get in touch right away so that we can discuss the next steps. This will ensure that your “approval” is successful and your devices are quickly launched.
