An ISO 13485 Risk Management Plan Example You Can Steal and Use


When it comes to getting regulatory approval, creativity is rarely, if ever, a good thing.

Medical device organizations have the opportunity to exercise innovation in product development and process improvement. However, creativity and innovation aren't the best approaches to take if you're creating a formal ISO 13485 Risk Management Plan.

A Risk Management Plan is intended to be a product-level document which identifies the risk activities that occur throughout your organization's product lifecycle. Risk management documents are intended to be living documents that receive updates each time your organization adopts new processes or controls against risk. The smartest approach you can take is simple: create a document that's easy to use as part of your risk management file and update it frequently.

An ISO 13485 risk management document should address your organization's systems for applying policy and procedure to the various activities involved in analyzing, evaluating, controlling, and measuring risk throughout the product lifecycle. Each device is a little different, which can require some customization of this template format. However, we'll show you the major components of a great Risk Management Plan to get you started.

An Example ISO 13485 Risk Management Plan

An ISO 13485 Risk Management Plan is a document which provides a framework for adopting a risk-based approach to product development and the quality management system.


Clause 4.2.1 of the standard for medical device manufacturers clarifies that risk management plays a more significant role in the latest update than in the previous version, ISO 13485:2003: "Anything that affects the quality system needs to be viewed from that risk perspective." This plan should provide a high-level framework which prescribes how risk-based decisions are applied to product realization and other aspects of operations, including document management, training, purchasing, and supplier relationships.

A risk is defined within the standard as anything which could impact the safety or performance of the device, or the device's ability to achieve market approval. The Risk Management Plan is not intended to be a comprehensive record of risk mitigation activities within a medical device manufacturing organization. Instead, it exists as one piece of documentation within the risk management file. The file is generally a series of linked electronic documents which contain all risk-related data and documentation for every product within the organization's portfolio, including:

• Risk Analyses
• Risk Evaluations
• Risk Control Measures
• Residual Risk Evaluations

The best ISO 13485 Risk Management Plans are robust enough to help your organization achieve regulatory compliance and certification. They are also simple enough to be edited and improved regularly. While no two organizations or devices are the same, the following plan components can comprise a basic template for the industry.

1.0 Scope of Plan

The scope should define the range of risk management activities, including all products covered by the Risk Management Plan. An organization with more than one product in its portfolio may cover several products within a single Risk Management Plan, although each of these products will still require a distinct risk management file.

A typical scope of plan section should:

• Define the product and quality management system
• Briefly describe the intended use of the product
• Explain the purpose of the risk management process within the organization
• Reference related SOPs for formal risk management within the organization

Sample Scope Language

This plan identifies the risk management activities and responsibilities required for the project, from the design phase through market release, per SOP-17, Design Control.

A risk management process is in place to provide a system for risk management: to identify the hazards associated with medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls. This process is documented in SOP-20, Risk Management.

The development team will identify the hazards posed by the devices, estimate the risks of each hazard and its likelihood of occurrence, evaluate and mitigate the risks, and verify the effectiveness of any mitigation by process or product validation.

At market release, the Risk Management Plan will be reviewed and updated as required to assure the appropriate measures are in place for collecting ongoing post-production information about the performance of the product.


2.0 Assignment of Responsibilities and Authorities

ISO 13485:2016 placed a greater emphasis on the role of management in the risk mitigation process. The assignment of responsibilities should address all individuals within the organization who are involved in risk management activities, and the project phase connected to each organizational role.

Defining duties and powers in the Risk Management Plan allows organizations to update this document instead of the Project Plan, which is typically updated only at the end of each phase.

3.0 Review of Risk Management Activities

This section is dedicated to identifying all risk management activities involved in the product lifecycle and the quality management system, including clear links to risk management documentation and templates used within the organization.

4.0 Criteria for Risk Acceptability

This section provides clear standards for acceptable risk for each product, and for deviations from those standards. For many organizations, this section of the Risk Management Plan will provide links to SOPs which prescribe quality standards and acceptable margins of deviation, if applicable.

Sample Criteria Language

The risk acceptability criteria for the risk management deliverables for this product are planned to correspond to those contained in SOP-20. Alternative methods, rankings and acceptability criteria may be developed if required. SOP-20 describes the approval requirements for these deviations.

5.0 Verification Activities

Verification activities are the quality assurance activities used to ensure risk control measures are implemented and product quality standards are achieved. The verification activities can be named instead of described, with references or links to the supporting SOPs.

Sample Verification Language and Inclusions

Design verification, validation or assessment activities for the <Product Name> will include, at a minimum:

• Design Verification testing
• Design Validation testing
• Biocompatibility testing
• Product Shelf Life testing
• Shipping/packaging integrity testing
• Process Validation

Note: Each of these items is defined in SOP-17. The Project Plan (DR####) lists specific verification, validation, and assessment activities for the project. The completed documents are listed in the DHF Index for the products.


6.0 Post-Production Information

Create a clear definition of how the organization will continue to pursue quality improvement efforts and risk management after the product is complete. This section should address the sources of data that are used to manage risk post-completion and the collection methods, and link to SOPs which address the analysis of product data and the inclusion of post-production risk in management reviews.

Sample Post-Production Language

SOP-37 Feedback provides the process for routinely gathering and analyzing post-production information. Use of post-production information for monitoring and evaluation of product risk is described in SOP-20 Risk Management. Sources of data include product complaints, CAPAs, internal audits, and NCRs.

The risk management report will list specific concerns or risks and provide for the collection of any additional post-production information required to monitor the risk of the device. The risk management report is reviewed, at a minimum, before each Management Review.

7.0 References

This section is intended to act similarly to a table of contents for all plans, policies, and procedures referenced in the Risk Management Plan. The references can be organized in the order they are mentioned, or using an alternative approach such as alphabetical or numeric order.

Sample References

1. Project Plan
2. Document Control
3. Management Review
4. Risk Management
5. Design Control
6. Feedback

8.0 Review and Update of Risk Management Plan

Regular reviews of the Risk Management Plan are essential to ensure the document remains a valuable tool for compliance and active risk management. This section should address the importance of regular updates to the content, and define how often a formal review of the document should occur. Formal review sessions may coincide with management review.

Sample Review and Update Language

This plan may be revised during the course of the project, but at a minimum, it shall be reviewed at each design review. After Phase IV, the Risk Management Report will become the living document that records the ongoing life of the device, changes, and updates to the risk profile.

Improve Medical Device Quality Today

ISO 13485:2016 introduced several changes and improvements from the 2003 version of the standard. The new role of risk management in the latest version is likely the biggest change. Medical device manufacturers are guided to adopt a global mindset for risk management. Instead of building risk mitigation only into the product realization process, organizations are guided to use risk-based thinking throughout the entire quality management system.

Creating your first ISO 13485 Risk Management Plan can be overwhelming, but there's no need to create a custom template. Keeping it simple is generally the most effective approach to building a document which is valuable and easy to maintain. The best plans for managing risk in a medical device organization within the ISO 13485:2016 framework address the eight primary sections and include clear references and links to related documents.

Your organization can achieve remarkable quality benefits by setting your sights higher than just achieving compliance. Aim for continual improvement and maximum quality, and you'll nail compliance along the way. To learn how the most effective organizations have achieved a quality-driven culture, download the free eBook: 7 Things You Can Do Now to Improve Product Quality in Medical Device Product Development.