The expectation of Notified Bodies has for many years been that Manufacturers have a risk management system which conforms to EN ISO 14971. However, the current Medical Device Directive (MDD) does not explicitly require that. While the current MDD Annex I Chapter I (2) does require that the risks associated with an individual device be eliminated or reduced, that adequate protection measures are taken in relation to risks that cannot be eliminated, and that users are informed about any residual risks. The current MDD does not contain an explicit requirement to employ risk management, other than for software devices. There is no Article of the current MDD that requires manufacturers to have a risk management system for example.
In contrast with the MDD, the new EU Medical Device Regulation (MDR) contains an explicit obligation in the new Article 10 (2), that Manufacturers establish, document, implement and maintain a system for risk management. The detailed requirements of which are listed in the new Annex I Chapter I (3).
Under the new EU MDR, for each device, Manufacturers must have a documented risk management plan, identify and analyse the known and foreseeable hazards, estimate and evaluate the associated risks and eliminate or control those risks. Additionally, in the “production phase”, evaluate the impact of new information and if necessary amend control measures accordingly.
If all of the above reads like a paraphrasing of the requirements of EN ISO 14971, it clearly is. Even to the point of adopting terms like “production phase” rather than post market phase. But it’s not a verbatim copy and paste of EN ISO 14971, because that wouldn’t allow the use of other approaches or for the risk management solutions to be developed and improved over time. Nevertheless, the new Article 10 (2) obligation on Manufacturers to establish a risk management system, combined with the explicit requirements for each device contained in the new Annex I Chapter I (3), mean that the current state of the art in device risk management (EN ISO 14971) will become the new minimum standard for device risk management under the new EU MDR.