Risk Management Plan Template - ISO 14971:2007 Compliant

Marcelo

Inactive Registered Visitor
Hello all.

Some time ago someone asked me about a risk management plan template.

I've compiled a first version of a template in English with some guidance, with a focus on being compliant with ISO 14971 requirements. It's a first version so it's really ugly :p.

Please note that I generally have concerns related to templates because people usually think that these activities and processes are like a cake recipe. They are not. This template will be compliant with ISO 14971 requirements if you:

1 - correctly understand ISO 14971 requirements
2 - use the template as a guidance for compiling a risk management plan
3 - create the correct, expected information
4 - review the plan you created against ISO 14971 to verify if there's a need to add any other information due to your medical devices/processes

I think I will also create some other templates for documents required by medical device standards, but it will take some time.

Comments are welcome!
 

Attachments

  • Risk Management Plan Template - ISO 14971 - TEM-SQR-001-Version1.doc
    180 KB · Views: 5,180

louis6161

One comment: I think the Management responsibilities should be one part of the risk management plan.
 

Marcelo

Inactive Registered Visitor
Hello Louis 6161 and welcome to the Cove.

Thanks for your comment.

The risk management plan is for a device, meaning, it's device-specific.

The management responsibilities requirements of ISO 14971 (3.2) are for the general risk management process, not directly linked to any device. This is also true of 3.1 and 3.3.
 

sagai

Quite Involved in Discussions
First of all thank you for the template.
However, I should note that this template suggests to me that it is based on some organizational and cultural pre-assumptions, and as such could give a reader coming from a different organizational and cultural background the impression that his/her way is not appropriate.
But it could be absolutely okay, regardless of this template being far from applicable to his/her recent practice with regard to Risk Management.
Regards!
 

Marcelo

Inactive Registered Visitor
Hello Sagai

No, it's not based on any organizational or cultural background, I created it from scratch following the requirements of the standard.

And yes, I'm pretty sure that a lot of people will think it's different from their recent practice in risk management (that's exactly why I created it :))
 

sagai

Quite Involved in Discussions
:cool:
What if, there is no named Risk Manager?
What if there is no named Risk Management Process Team?
What if there is no communication between RM team and others, because there is no such distinction?
What if Risk Acceptable Criteria really cannot be set universally for the total product?

So if there is a company not having such elements (and having passed several audits over the years), then ... we should just have to comply with this template?

Regards!
 

Marcelo

Inactive Registered Visitor
What if, there is no named Risk Manager?
This is a filled example.
What if there is no named Risk Management Process Team?
Not the name, but the standard requires that you define the people who perform risk management activities - this is what I called the RM Team (which can be 1 person)

What if there is no communication between RM team and others, because there is no such distinction?
So you are saying the risk management process is the only process in the manufacturer? Didn't understand your comment.

What if Risk Acceptable Criteria really cannot be set universally for the total product?
The standard requires that you define the risk acceptability criteria for the product under the plan.

So if there is a company not having such elements (and have passed several audits over the years),

Passing an audit does not mean that you comply with the standard - this is a common general misconception. In the case of risk management, this is so true that a lot of research has shown that, in the EU, most of the manufacturers do not comply with ISO 14971 (although claiming compliance).
 

Mor628

Dear Marcelo,

I've been following your posts, searching for answers regarding the risk management process. In our recent audit, we had a minor NC for risk management process flow and residual risk.

From what the auditor asked me, I understand that a customer complaint (or any post-production information) should feed back into the risk management process.

My question is where does it feed back to? Back to Residual risk, where I assess whether the failures identified in the complaint have been covered in the residual risk? And if they have, what would be my next step?

What if it is not covered in the residual risk?

Please help me. I've been at this for days and am nowhere near a complete understanding of the process.
 

rob73

looking for answers
Hi Mor628
The way we treat PMS is to evaluate the failure and see if it is covered by any hazard identified during the initial RM (4.3 ISO 14971:2012); if not, the risk management report requires updating with the new hazard introduced, following through risk estimation, risk evaluation, risk control, etc. Now this might mean a design change if the risk is deemed to be severe, in which case we would start a new risk management process for the new design.
If there is no new hazard or risk posed, the information is noted in the RM file and a justification for no further RM action is placed in the CAPA (or complaint) file.
I hope this helps.
 

Mor628

Thank you so much Rob!!!! That's really helpful.

What if, instead of a product complaint, it's about final inspections or receiving & incoming inspections from suppliers? Does that also feed back into the RM process? At the moment none of my potential risks cover anything other than the product itself. Will I need to create an RM file just for inspections?
 