Risk Management File Compliance for 510k and CE Marking

This article compares risk management file FDA requirements for CE Marking and 510k submission requirements.

The FDA only requires documentation of risk management in a 510k submission if the product contains software and the risk is at least a “moderate concern.” Even then, the 510k submission only requires submission of a design risk analysis. Knee implants do not require submission of a risk analysis, even though manufacturers are required to perform risk analysis in accordance with ISO 14971, because knee implants do not contain software. Therefore, it is not uncommon for a product that is already 510k cleared to receive audit nonconformities related to the risk management documentation during a technical file review by a Notified Body.

The FDA recognizes ISO 14971:2007 as the standard for risk management of medical devices. CE Marking also requires compliance with ISO 14971, but specifically the European national version of the standard (i.e., EN ISO 14971:2012). The most common technical file deficiencies related to risk management during a CE Marking application include the following:

  1. compliance with ISO 14971:2007 instead of EN ISO 14971:2012
  2. reduction of risks as low as reasonably practicable (ALARP) instead of reducing risks as far as possible (AFAP)
  3. reducing risks by notifying users and patients of residual risks in the IFU
  4. only addressing unacceptable risks with risk controls instead of all risks, including negligible risks

Each of these deficiencies is also explained in Annex ZA, ZB and ZC of EN ISO 14971:2012.

7 Deviations

Notified Body auditors are supposed to be reviewing your risk management process and sampling your risk management files to verify that you conform with the requirements for risk management as defined in EN ISO 14971:2012 and in the applicable European directive. Most manufacturers with CE Certificates have updated their procedures for compliance with the European national version, but the updates are not always complete or done correctly. Therefore, auditors need to be systematic in their review for compliance. I recommend creating a three-column table in your audit notes for each of the 7 deviations. The first column states the requirement from the applicable annex of EN ISO 14971:2012. The second column is used to document where in the risk management procedure each of the seven requirements is addressed. If you can’t find it quickly during your review, ask the person you are auditing to find it for you. The third column is used to document which risk management file you sampled and where in that file the auditor was able to find compliance with the deviation. If the auditor can’t find an example of compliance in the procedure or the risk management file, then there is a minor nonconformity that needs to be corrected and recurrence needs to be prevented.

Note: Remember that auditing is about verifying compliance, not scouring 100% of the records for nonconformity.

Procedure Review

The first step in correcting deficiencies in your risk management process is to update your procedure. The following basic elements need to be included in the procedure:

  • risk management plan
  • hazard identification
  • risk analysis
  • risk control option analysis
  • verification of risk control effectiveness
  • risk / benefit analysis
  • risk management report

Many of the procedures I review focus on the risk analysis process, and the most common tool for risk analysis is a failure modes and effects analysis. This is an excellent tool for process risk analysis, but it is only one of many possible tools and it is not ideally suited for design risk analysis. In addition, your procedure is not adequate as a risk management plan. You need risk management plans that are product-specific or specific to a product family. Your risk management plan must also change and adapt as products progress from the design and development process to post-market surveillance. Finally, many of the procedures only require a risk / benefit analysis to be performed when risks are not acceptable, while the European MDD requires that all CE Marked products include a risk / benefit analysis for each risk identified in the risk analysis and the overall risk of the product or product family.

Risk Management Plans

Risk management is required throughout product realization, but the activities are quite different during the pre-market and post-market phases. Therefore, I recommend including a risk management plan as part of the design and development plan to address pre-market needs for risk management. Once a product development project reaches the design transfer phase, a post-market risk management plan needs to be written. I incorporate this plan into the post-market surveillance plan for the product or product family. This approach ensures that the risk analysis will be linked directly with post-market surveillance after the product is released.

Hazard Identification

Many companies do create a specific document that identifies all the hazards associated with a product. This is an important step that should occur early in the design and development process, before design inputs are finalized. During the development process these hazards may need to be updated as materials and production processes are developed. Some companies may choose to identify hazards at a different time or in a different way, but the proposed European Medical Device Regulations (EMDR) require that the hazards be identified as one of the essential requirements. The ISO 14971:2007 standard suggests that design teams should identify as many hazards as possible, estimate the risks and then implement risk controls for any risks that are unacceptable. The EN ISO 14971:2012 standard requires that risk controls be implemented for hazards, regardless of acceptability. For this reason, I recommend companies restrict their identification of hazards to the most likely product malfunctions and hazards of high severity. This list should include any hazards already identified in the FDA’s MAUDE database.

Risk / Benefit Analysis & Risk Traceability Matrix

In order to perform a risk / benefit analysis you have to know the likelihood of potential hazards resulting in harm and the clinical benefits of a product. Unfortunately, reduced cost cannot be used to justify the acceptability of a device. Risk / benefit analysis must be performed for each risk and the overall residual risks. Therefore, it is important to identify clinical benefits that outweigh each of the risks. I recommend using a risk traceability matrix in order to document each risk / benefit analysis. This can be a separate risk management document or it can be incorporated into a design requirements matrix. It is also important to identify any warnings, precautions or contraindications that should be documented in information provided to patients and users when risks cannot be completely eliminated. This may be the last column of your risk traceability matrix.

Risk Management Report

The risk management report should be a summary technical document (i.e., STED). The STED should reference the procedure that was used and indicate all the risk management activities that were performed specific to the product or product family defined in the scope of the risk management report. The dates of activities, changes made and cross-references to any controlled documents should be included in the risk management report. I recommend maintaining the risk management report as a controlled document and revising the document to reference additional risk management activities when they occur. The bulk of details should be contained in the referenced risk management documents within the report.

Procedures & Templates

If you are looking for a procedure (SOP) for risk management please click here.

Posted in: Risk Management

  1. Oscar Banz October 20, 2015

    Dear Rob
    Excellent article! There is really a big difference how Europe and FDA regard the Risk Analysis.
    The “Notified Bodies Recommendation Group” wrote a paper on this topic. Perhaps you know it already. It’s named “Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971: 2012” and you can find it here:
    It’s still only a draft, but it reflects the way Notified Bodies will interpret the Annexes.
    Kind regards
    Oscar Banz
    Head of Quality Management & Regulatory Affairs
    HAAG-STREIT AG, Gartenstadtstrasse 10, 3098 Koeniz, Switzerland
    Phone: +41 31 978 01 48 / Fax: +41 31 978 02 82
    Skype: oscar_haag-streit

    • Rob Packard November 6, 2015

      Thank you Oscar. The consensus document you recommended is only a draft, because it does not have the support of the EU Commission. I was even asked to contribute to the document. I did not waste my time, because I know that the Notified Bodies have no say in this matter. The NBs are against the 7 deviations, but the EU Commission is not negotiating or allowing any room for interpretation.
