The risk management plan is one of the key documents of the risk management process for medical device manufacturers, and it is essential to understand the requirements that must be covered according to ISO 14971:2019 and ISO/TR 24971:2020.

An Introduction to the Risk Management Plan

The risk management plan is a document that defines the activities, responsibilities and criteria for risk acceptability for the risk management process. It is usually part of the technical documentation of a medical device.

It is a document that needs to be updated throughout the whole lifecycle of the device, and it interacts with several other processes of the organization's quality system, such as clinical evaluation, post-market surveillance, vigilance reporting and, of course, design and development.

What is the scope of the Risk Management Plan?

It is essential to document the life cycle of the medical device along with the risk management activities to be performed.

An example of a product life cycle with the related phases of the risk management process is given below:

Product Life Cycle                      | Risk Management Activities
----------------------------------------|---------------------------------------------------------------------------
Design                                  | Risk Analysis, Risk Evaluation, Risk Control and Residual Risk Acceptability
Manufacturing, Logistics and Shelf Life | Production and post-production risk management
Use and device end of life              | Production and post-production risk management

Responsibilities and authorities

Responsibilities for the execution of specific risk management activities shall be defined in the risk management plan. Furthermore, it is essential to identify responsibilities for the review and approval of risk management decisions. For medical devices containing software, specific competencies in both software development and risk management are needed.

Review of Risk Management Activities

The risk management plan shall include specific methodologies for the review of risk management activities. The scheme below gives more detail on the review process.

Risk Acceptability

Risk acceptability criteria are of central importance in the risk management plan. The medical device manufacturer shall define the criteria for risk acceptability based on a specific policy for risk acceptability. It is up to the organization to decide whether a dedicated risk acceptability policy shall be applied to a specific medical device or the same criteria can be applied to all medical devices.

For software-based medical devices, different risk acceptability criteria might be needed, because the probability of the harm cannot be estimated. In this case the risk acceptance criteria should be based on the severity of the harm.

In these situations, where probability cannot be estimated, the risk acceptance criteria for residual risk should take into account the risk control measures that have been implemented and the effectiveness of those measures in reducing the probability of occurrence of harm.

Verification of Risk Control Measures

Verification of risk control measures shall also be defined in the risk management plan for medical devices according to ISO 14971.

According to ISO 14971:2019, two types of verification activities need to be performed:

  • Verification of implementation of risk control measures
  • Verification of the effectiveness of risk control measures

Both verification activities can be performed in different ways, for example through design review, design specifications, or design and development verification within a quality management system.

Production and Post-Production Risk Management

It is of fundamental importance to establish a solid process for the collection of production and post-production information that can be used to feed the risk management process. The amount of information could be substantial, so the organization shall have a solid process in place to handle the analysis of this information and to actively identify trends. Statistical techniques should be considered to assist in the processing of the collected data.

Post-market surveillance of course plays the main role in the collection of information in the post-production phase, and ISO 20416 could be extremely helpful in organising an efficient post-market surveillance process. For some medical devices it is essential to conduct post-market clinical follow-up studies, the results of which can be used to identify novel or previously unidentified risks.

In conclusion, the risk management plan is one of the essential documents of the risk management process. In this post we have discussed in detail what should be addressed within the risk management plan and the interactions of this process with other quality management system processes such as clinical validation and post-market surveillance.
