What is the Best Way to Structure a Risk Management File?

May 14, 2023

The medical device risk management process relies heavily on the use of documentation. Whether the activity is conducted onsite or offsite, during design or after manufacturing, the procedures used to ensure devices are free of hazardous risk must be tracked by the medical device manufacturer.

Enter the need for a risk management file, which stores records of all you do to keep patients and other end-users safe. However, with extensive documentation, it’s not enough to simply collect this information; it’s equally important to structure your risk management file carefully and thoughtfully. This article will explain how you can do so at your medical device company.

What is a Risk Management File?

A risk management file (RMF) is the collection of documents, files, and records produced during the risk management process. This applies throughout all risk management activities and should include the following elements: 

  • risk management plan

  • risk analysis

  • risk evaluation

  • risk controls

  • evaluation of overall risk acceptability

  • risk management review

  • any production and post-production risks

At a high level, risk management files are used as an organizational tool. They’re also particularly important for internal and external audits. But beyond this basic functionality, risk management files are a valuable opportunity for insight as to the effectiveness of an organization’s risk management efforts.

When documents in the RMF are properly stored and connected, they create traceability from each identified risk to an organization's manufacturing processes.

Traceability is hugely impactful in medical device quality and safety; by effectively linking hazards to specific risk management activities like risk analysis, risk evaluations, and the implemented risk control measures, companies are able to evaluate the completeness of the process and the efficacy of the risk management procedures in place.

What are the medical device regulations for a risk management file?

Managing and mitigating risk in medical devices has become a focus of regulatory bodies across the globe, and can be seen across a wide variety of medical device regulations and standards. 

The requirements for a risk management file are most prominently outlined in ISO 14971:2019. The international standard defines a risk management file as “a set of records and other documents that are produced by risk management.” 

ISO 14971 also defines the RMF as a living document. In practice, this means risk management files must not only be compiled but also maintained by the medical device manufacturer. This means ensuring regular access and updates to all relevant documentation throughout the entire product lifecycle.

ISO 14971 goes on to specify the exact and extensive requirements for a risk management file’s contents. According to the text, risk management files must contain, or have reference to:

  • The policy for establishing criteria for risk acceptability

  • Risk management plan

  • Thorough risk analysis

  • The intended use and reasonably foreseeable misuse

  • Qualitative and quantitative characteristics that could affect the safety of the medical device

  • Hazards, the reasonably foreseeable sequences or combinations of events that can result in a hazardous situation, and the resulting hazardous situation

  • Risk estimations

  • System used for qualitative or quantitative categorization of probability of occurrence of harm and severity of harm

  • Risk evaluation

  • Risk control measures

  • Verification of implementation of the risk control measures

  • Evaluation of residual risk

  • Result of the benefit-risk analysis

  • Traceability for each identified hazard to the risk analysis, the risk evaluation, the implementation and verification of the risk control measures

  • Review of completeness of risk controls

  • Evaluation of overall residual risk

  • Results of the review of the post-production information

  • Decision arising from the review of post-production information

This risk management file structure may be long, but it should come as little surprise, as it reflects the new “risk based approach” from ISO 13485 for quality management systems.

As such, ISO 14971 is acknowledged by FDA in the 21 CFR Part 820 quality system regulation for medical devices, as well as by the EU Medical Device Regulation as part of its pathway to CE marking.

What are the best ways to structure a risk management file?

Risk management is more than a box to check; it’s a company-wide practice that involves the input of all departments throughout a product’s entire lifecycle. With so many different activities involved in risk management, structuring a risk management file should be done with great care.

First, you’ll want to decide the scope of the risk management file, specifically whether the RMF will be organized by an individual product or for a product family. This choice will differ based on your company’s product offerings, both in terms of the complexity of individual devices as well as the breadth of device types. 

For instance, a company offering parts for a CPAP ventilation device for sleep apnea may find that some or all of the products in the medical device product family feature the same categorizations for risk.

On the other hand, a large medical enterprise making a variety of general surgical tools may be better off structuring risk management files on an individual product-by-product basis. 

Another consideration for structuring your medical device’s risk management file is the ease with which regular updates can be made. As mentioned, medical device risk management is a total product lifecycle activity, and thus must continue through manufacturing, distribution, and all post-development phases.

This means that risk management files must be accessible by many different employees and stakeholders. For instance, if manufacturing activities are outsourced to a third-party vendor, they too will need to complete necessary RMF checklists and update risks to ensure that they are mitigated or at acceptable levels. 

In order to keep permissions open for the right individuals, documents should be stored in a single location. This is far preferable to structuring risk management files to be a pointer or reference doc, in which a tag is created to identify the individual location of each document without actually linking the documentation in a single, safe place.

Keep your risk management file up-to-date and fully traceable with Greenlight Guru’s Risk Solutions 

In the past, assessing risk for a medical device began with weeks or even months of pre-work—scouring regulatory and research databases to find potential hazards and harms for your device and assessing their probability and severity. From there, maintaining and updating the risk management file became a time-consuming and fraught exercise in ensuring traceability and access.

Greenlight Guru’s Risk Solutions changes all of that. Risk Intelligence uses AI and advanced statistical modeling to deliver tailored insights on device hazards, patient harms, and their respective probabilities based on real-world adverse event data. What took months of work now takes moments. 

Risk Management, the other side of the Risk Solutions coin, is an intuitive, purpose-built workflow that makes it easy to collaborate across teams, generate risk acceptability matrices, and maintain records for a paperless Risk Management File.

Together, Risk Intelligence and Risk Management will transform the way you build and maintain risk across your medical device lifecycle.


Niki Price is a Medical Device Guru who has spent her entire career working with different types of medical devices. She began her journey in production, which is where she discovered how important and fulfilling this line of work was to her! Spending time in both Quality and R&D, she enjoys the product development...
