News & Commentary on ISO Management System Standards

    Managing Residual Risk and Risk Tolerance in Medical Devices



    ISO 13485:2016 is an international standard that outlines the requirements for a quality management system (QMS) in the medical device industry. Managing residual risk and understanding risk tolerance are crucial aspects of ISO 13485.

    ISO 13485 and ISO 14971

    ISO 14971:2019 (Medical devices: application of risk management to medical devices) sets out the risk management process and methods applied throughout a medical device's lifecycle. ISO 13485 itself requires documented risk management in product realization (clause 7.1) and points to ISO 14971 for how to do it, so in practice the two standards are applied together.

    Note: deGRANDSON offers a choice of Risk Management Courses.

    Here are some key considerations:

    Residual Risk Management

    1. Risk Identification:
      • Identify and document potential risks associated with your medical devices throughout their lifecycle, from design and development to manufacturing, distribution, and post-market activities.
    2. Risk Assessment:
      • Conduct risk assessments to evaluate the severity, probability, and detectability of identified risks. Use tools such as Failure Mode and Effects Analysis (FMEA) to assess and prioritize risks systematically.
      • Other tools, such as Preliminary Hazard Analysis at the design stage and HACCP applied during manufacturing, are much underutilized in practice.
    3. Risk Mitigation:
      • Implement risk mitigation strategies to reduce the likelihood and impact of identified risks. Such mitigation could involve design changes, process improvements, or the introduction of safety features.
    4. Monitoring and Control:
      • Regularly monitor and control identified risks. Establish controls and procedures to minimize the likelihood of risks occurring and promptly respond if they do.
    5. Documentation:
      • Document all aspects of risk management, including risk assessments, mitigation strategies, and ongoing monitoring. This documentation is essential for compliance with ISO 13485.
    6. Post-Market Surveillance:
      • Implement a robust post-market surveillance system to monitor the performance of medical devices once they are on the market. This helps identify and address emerging risks; for new devices, some risks only become apparent after product launch.
      • Preventing Field Safety Corrective Actions (FSCA) for devices already placed on the market saves on costs and resources long-term and assures the well-being of patients, users, and the environment.

    Learn about our ISO 14971 Risk Management - Foundation Course

    Risk Tolerance

    1. Define Risk Tolerance:
      • Clearly define the organization's risk tolerance. This involves determining the acceptable level of risk for various aspects of your QMS, considering factors such as patient safety, regulatory compliance, and business objectives.
      • A complication arises under the EU Medical Device Regulation (MDR, Regulation (EU) 2017/745). The ALARP approach (as low as reasonably practicable) is not permitted. MDR Annex I states that risks (of harm to patients, users or third parties) are acceptable only if they are reduced "as far as possible" and are acceptable "when weighed against the benefits". ISO/TR 24971:2020 offers several approaches to reconciling this with the standard. Here the MDR's legal requirements outrank the standard's requirements and must be applied to devices placed on the European market.
    2. Risk Acceptance Criteria:
      • Establish criteria for accepting or rejecting risks based on the defined risk tolerance. Clearly communicate these criteria to relevant stakeholders.
      • A risk matrix is a tool medical device engineers use to rate the risk level of each hazardous situation by combining its severity class with its probability class. Risk matrices are helpful because they offer standardized criteria and a consistent methodology for assessing and classifying risks, in support of good decision-making.
    3. Decision-Making Processes:
      • Integrate risk tolerance considerations into decision-making processes. Ensure that decisions related to design changes, process improvements, and other QMS aspects align with the organization's risk tolerance.
    4. Periodic Review:
      • Regularly review and reassess risk tolerance based on changes in the business environment, regulatory requirements, and the performance of the QMS.
    5. Communication:
      • Communicate the organization's risk tolerance to all relevant stakeholders. This includes employees, suppliers, and regulatory authorities.
    6. Training and Awareness:
      • Ensure that employees are trained and aware of the organization's risk tolerance. This helps in fostering a risk-aware culture within the organization.

    By effectively managing residual risks and aligning activities with defined risk tolerance, organizations can enhance the quality and safety of their medical devices in accordance with ISO 13485 requirements. Regular audits and reviews can be conducted to ensure ongoing compliance and continuous improvement in the risk management process.




    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
