Risk Management Report as per MDR Requirements


Starting to get Involved
Where in the MDR is there a requirement for a risk management report? I've never seen any anywhere.
Listed below are the risk management requirements as per MDR Annex I, Sections 3, 4 and 5:

3. Manufacturers shall establish, implement, document and maintain a risk management system. Risk management shall be understood as a continuous iterative process throughout the entire lifecycle of a device, requiring regular systematic updating. In carrying out risk management manufacturers shall: (a) establish and document a risk management plan for each device; (b) identify and analyse the known and foreseeable hazards associated with each device; (c) estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse; (d) eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4; (e) evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability; and (f) based on the evaluation of the impact of the information referred to in point (e), if necessary amend control measures in line with the requirements of Section 4.

4. Risk control measures adopted by manufacturers for the design and manufacture of the devices shall conform to safety principles, taking account of the generally acknowledged state of the art. To reduce risks, manufacturers shall manage risks so that the residual risk associated with each hazard as well as the overall residual risk is judged acceptable. In selecting the most appropriate solutions, manufacturers shall, in the following order of priority: (a) eliminate or reduce risks as far as possible through safe design and manufacture; (b) where appropriate, take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated; and (c) provide information for safety (warnings/precautions/contra-indications) and, where appropriate, training to users. Manufacturers shall inform users of any residual risks.

5. In eliminating or reducing risks related to use error, the manufacturer shall: (a) reduce as far as possible the risks related to the ergonomic features of the device and the environment in which the device is intended to be used (design for patient safety), and (b) give consideration to the technical knowledge, experience, education, training and use environment, where applicable, and the medical and physical conditions of intended users (design for lay, professional, disabled or other users).

Marcelo Antunes

Addicted to standards
Staff member
I know the requirements. And they don't have a requirement for a "risk management report", which is a very specific requirement introduced by ISO 14971.


Staff member
Super Moderator
Setting the discussion of whether the report is driven by the MDR or not aside, 14971 requires conclusions regarding the following in a Risk Management Report:

⎯ the risk management plan has been appropriately implemented;
⎯ the overall residual risk is acceptable;
⎯ appropriate methods are in place to obtain relevant production and post-production information.

Reviewers are getting rather strict on providing justification for any conclusions, so you shouldn't just have a 3-line report saying all is good with respect to each of those.

I update the report at least annually to summarize related activities occurring after release.

I also put conclusions (with rationale) regarding the overall risk benefit analysis (section 6.5 but mostly driven by the :2012 version) & completeness of risk control (per section 6.7).

If you're under IEC 62366, I find that the Risk Management Report is a good place to make the conclusions about the UI promoting safe and effective use.

If you have software in the product, I find that the Risk Management Report is a good place to summarize those aspects from 62304 (including ongoing suitability / issue assessment of SOUP).

If your product is electrical, 60601 drives a number of risk-related documentation requirements; e.g., combinations of simultaneous independent faults, least-favorable working conditions for type tests, etc. These might be suitable for the report but may end up making the report too bulky.
