What is a Risk Mitigation Requirement and How to Write It?

May 22, 2018

Medical device risk mitigation actions aim at reducing the occurrence and/or the severity of the potential harm.

Risk mitigations are equivalent to requirements. But unlike requirements coming from user needs or other higher level requirements, risk mitigations need special attention.

Of course “Requirements shall be complete, unambiguous, able to be verified or validated, and not in conflict with each other.” (ref. ISO 13485:2016 7.3.3) Basically all principles that apply to other requirements apply also to risk mitigation actions.

But there are other best practices that you can employ to write effective, practical and compliant risk mitigation actions or risk controls.

1. Keep them high level.

Risk analysis requires the collaboration of different functions, typically developers and quality. Developers, when asked how to control a specific risk, tend to provide very specific, detailed solutions. On their side, QAs tend to grab these answers and report them verbatim in their analyses, which eventually find their way into the list of requirements. And all of a sudden developers will be held accountable for solutions they had already discarded weeks earlier.

Unless a specific technical solution is key to the overall safety of the device, do not mix requirements with design. Leave the details to the developers.

2. Keep them relevant.

Most likely a risk is mitigated by a number of design features. But only a few of them carry the bulk of the mitigation or are added specifically to reduce risk.

Don’t list any small detail that may, incidentally, help mitigate a risk, instead identify the core controls and focus on them.

3. Make them verifiable.

Remember that verification can consist of not only tests, but also inspection, demonstration, review or in certain cases even validation.

Define acceptance criteria early in the project.

4. Use accepted solution.

You do not need to reinvent the wheel every time. Actually, using known and proven controls can make your life easier and improve compliance. Typical solutions in this category are CRCs, encryption, compliance to international standards (e.g. IEC 60601) and more.

Once you have implemented the risk control measure you should make sure that you have not accidentally introduced any new potentially hazardous situation.

Lastly, you should make sure that all you requirements and risks, mitigation actions and test cases are linked to each other enabling a full traceability.

SoftComply Risk Manager is an add-on for Jira that automates your medical device risk management with full traceability and compliant risk reporting.

For regular updates about medical device regulations, events and SoftComply products, please subscribe to SoftComply Newsletter.

Table of Contents

Ready to get started?

Contact us to book a demo and learn how SoftComply can cover all your needs

Information Security Jira
Picture of Marion Lepmets

Marion Lepmets

CEO
February 20, 2025

Like with any compliance journey, you should first establish why you need to be compliant with a certain regulation. ISO 27001 certification is widely used to build trust and credibility with customers and stakeholders. Similarly, in the Atlassian ecosystem, the requirement of obtaining ISO 27001 certificate applies to Marketplace Partners...

eat your own dog food
Picture of Monika Isak

Monika Isak

Head of Growth
February 20, 2025

Atlassian’s updated Marketplace Partner Program underscores the need for robust security management. With increasing customer expectations around data protection, security, and compliance transparency, Gold and Platinum Marketplace Partners are required to demonstrate adherence to compliance framework like SOC 2 or globally recognised standards such as ISO 27001. This shift is...

RMP Automation
Picture of Marion Lepmets

Marion Lepmets

CEO
February 19, 2025

Risk Manager Plus on Jira Cloud is the most advanced risk management app supporting a wide range of risk management frameworks. You can easily customize the built-in Risk Models or build your own Risk Model from scratch, e.g. 2- or 3-dimensional Risk Matrix or Risk Score based ones. You can...