EU MDR Risk Management Requirements

Navigating European Union Medical Device Regulations (EU MDR) 2017/745

EU MDR 2017/745 establishes strict requirements for risk management as part of the regulatory framework for medical devices and emphasizes the importance of a comprehensive risk management system. As per Article 10 of EU MDR, manufacturers are required to establish, document, implement and maintain a system for risk management. This process must be maintained and updated throughout the device’s entire lifecycle, including Post-Market Surveillance (PMS) and must be integrated into the manufacturer’s Quality Management System (QMS) to comply with ISO 13485:2016 or equivalent standards. The EU MDR states that risk management requirements also apply to the list of devices present in Annex XVI i.e., for devices without an intended medical purpose.

The following is the thirteenth in the series of EU MDR related blogs. To learn more about the EU MDR changes you can view some of the previous posts in the series:

• Medical Device Equivalence vs Demonstration of Equivalence
• Post-market Clinical Follow-up Requirements for EU MDR
• The New European Union MDR: Impact on Technical Files
• Low-risk Device Challenges
• Selecting and Working with your Notified Body
• Medical Devices with Ancillary Medicinal Substances
• Regulatory Challenges Writing EU MDR Compliant Clinical Evaluation Reports (CER)
• International Medical Device Regulators Forum (IMDRF) & Summary of Recent Changes to Clinical Evaluation Guidance
• Remote Medical Audits During COVID-19
• Celegence Webinar: Taking advantage of the EU MDR Delay in Uncertain Times
• Components of an Effective Post-Market Surveillance for Medical Devices
• Medical Device Labeling Changes & Challenges under EU MDR

Risk management is a systematic process for identifying, evaluating, controlling, and monitoring risks associated with a medical device throughout its entire lifecycle. The EU MDR requires manufacturers to implement a robust risk management system as per ISO 14971 (Medical devices — Application of risk management to medical devices), and the technical report ISO/TR 24971 (Guidance on the application of ISO 14971). The ISO/TR 24971 provides guidance on the application of ISO 14971, the international standard for risk management of medical devices.

The risk management process described in ISO 14971 consists of several steps, as illustrated in Figure 1, which apply to the design, development and production of every medical device. Each of these steps need to be documented in procedures in the manufacturer’s organization.

• Lifecycle Integration

The EU MDR mandates that risk management must be embedded within the entire lifecycle of a medical device. This includes the initial design, manufacturing, clinical evaluation report, market release, and ongoing PMS. Manufacturers are required to continuously monitor and mitigate risks, adapt to new data and real-world performance of their devices.

• General Safety and Performance Requirements (GSPRs)

Annex I Chapter I of the EU MDR outlines the General Safety and Performance Requirements (GSPRs) that all medical devices must meet (GSPR 2, 3, 4, 5 and 8). The regulation requires manufacturers to eliminate or reduce risks as much as possible, primarily through safe design and manufacturing processes. In addition, Annex I provides the order of priority that the manufacturers must consider while selecting the most appropriate solutions:

• Eliminate or reduce risks as far as possible through safe design and manufacture
• Adequate protection measures for risks that cannot be eliminated (e.g. alarms)
• Provide information or user training for safety and disclose any residual risks

According to the EU MDR, the manufacturer “shall inform users of any residual risks”.

• Benefit-Risk Analysis

A key aspect of EU MDR is the need for a thorough benefit-risk analysis. Manufacturers must demonstrate that the benefits of the device outweigh any residual risks. This analysis is crucial, especially for high-risk devices, and must be continually reassessed based on clinical data and post-market information.

As per the guidance, benefits are defined as the positive impact of the medical device on patient health or well-being. These can include therapeutic, diagnostic, and operational benefits. ISO/TR 24971 suggests considering both direct benefits (e.g., clinical improvement, life-saving interventions) and indirect benefits (e.g., improved quality of life, reduced need for other medical interventions). The standard does not prescribe a specific threshold for when benefits outweigh risks but instead suggests that this determination is context dependent. Manufacturers need to consider factors such as the severity of the medical condition being treated, the availability of alternative treatments, and the expectations of patients and healthcare providers.

ISO/TR 24971 provides detailed guidance on performing benefit-risk analysis, which is crucial when dealing with residual risks that cannot be further reduced. It provides illustrative examples/ various scenarios and considerations for special cases as detailed below:

• Illustrative Examples: A life-saving device might have a different benefit-risk profile compared to a device that improves quality of life.
• Scenarios with High Residual Risks: There could be scenarios where high residual risks may still be acceptable, such as in life-threatening conditions where no alternative treatments are available. It also explores situations where even low residual risks might be unacceptable if the benefits are minimal.
• Vulnerable Populations: The need for special consideration when the device is intended for vulnerable populations, such as children, the elderly, or immunocompromised patients. The benefit-risk analysis in these cases should be particularly thorough and sensitive to the specific needs and vulnerabilities of these groups.
• Innovative Devices: For innovative or novel medical devices, where clinical experience may be limited, a more cautious approach should be taken for benefit-risk analysis. Manufacturers should be prepared to adjust their analysis as new data becomes available through PMS.

The benefit-risk analysis should be revisited and updated as new information becomes available, particularly during PMS. Changes in the clinical environment, clinical investigations, new adverse event data, or updated clinical evidence can all influence the benefit-risk ratio.

• Post-Market Surveillance (PMS) and Vigilance

Post-market surveillance is an ongoing process that feeds into the risk management system. Manufacturers must establish a PMS Plan that monitors the device’s performance and safety after it has been released to the market. PMS Report (PMSR) and Periodic Safety Update Report (PSUR) summarizes the results and conclusions of the PMS data analysis. The PMSR/PSUR must include a review of the benefit-risk analysis and should feed into the risk management process, ensuring that the new risks are identified and mitigated as necessary.

• Documentation and Traceability

Comprehensive documentation is required to support the risk management process. This includes a plan, risk analysis, control measures, residual risk evaluation, and the benefit-risk analysis collated in the form of report as detailed below.

1. Risk Management Plan:
   • The plan outlines the strategy for identifying and mitigating risks. It includes procedures for risk analysis, risk evaluation, and the implementation of risk control measures. The plan also defines the criteria for risk acceptability, aligned with the device’s intended use and the manufacturer’s policy.
2. Risk Analysis and Evaluation:
   • Risk analysis involves identifying potential hazards associated with the device and assessing the severity and likelihood of these risks. Risk evaluation then compares these risks against predefined acceptability criteria to determine which risks require mitigation.
3. Risk Control Measures:
   • Risk control involves implementing measures to reduce or eliminate identified risks. These measures can include design changes, protective features, or providing clear instructions for use. The goal is to reduce risks to an acceptable level, ensuring that any residual risks are outweighed by the device’s benefits.
4. Risk Management Report:

• The report documents all risk management activities, including risk analysis, risk control, and the evaluation of residual risks. This report is a crucial part of the technical documentation required for regulatory submissions

As per Annex II of EU MDR, the technical file must contain all relevant risk management documentation, ensuring traceability and providing evidence of compliance.

Article 61 of EU MDR emphasize the requirement of conducting clinical evaluation and feeding the data to risk management. The clinical evaluation and risk management are deeply interconnected processes that must work together to ensure the safety and efficacy of medical devices.

1. Informed Risk Management Through Clinical Data:
   • Clinical evaluation (EU MDR Annex XIV, Part A) provides the evidence needed to identify and assess risks accurately. The clinical data gathered through clinical evaluation informs the risk management process by highlighting potential hazards, side-effects, and other safety concerns that need to be addressed.
2. Benefit-Risk Analysis:
   • One of the critical outcomes of the clinical evaluation is the benefit-risk analysis. This analysis compares the identified risks against the clinical benefits of the device. Risk management processes use this analysis to determine whether the device’s risks are acceptable and to justify the device’s continued use.
3. Feedback Loop Between Post Market Clinical Follow-up (PMCF) and Risk Management:
   • PMCF (EU MDR Annex XIV, Part B) is a key aspect of both clinical evaluation and risk management. It provides ongoing data that can reveal new risks or confirm the effectiveness of risk control measures. This continuous feedback loop ensures that both clinical evaluation and risk management processes are updated and aligned with real-world device performance.
4. Documentation and Compliance:

• Both clinical evaluation and risk management require thorough documentation, which is critical for regulatory compliance. The Clinical Evaluation Report (CER) and Risk Management Report must be aligned and should consistently demonstrate that the device meets the safety and performance standards established according to EU MDR.

To successfully implement ISO 14971 and meet EU MDR requirements, manufacturers should consider the following best practices:

• Start risk management early in development.
• Involve cross-functional teams for a comprehensive risk assessment.
• Use post-market data to inform risk decisions.
• Maintain rigorous and traceable documentation.
• Continuously monitor and update risk management processes.

The stringent requirements of the EU MDR for clinical evaluation and risk management are designed to ensure that medical devices are safe, effective, and provide a favorable benefit-risk profile.

If you have any questions or concerns about risk management for your medical device under the EU MDR then get in touch with us for a compliance consultation.