What is a Risk Mitigation Requirement and How to Write It?

22 May 2018
by Marion Lepmets

Medical device risk mitigation actions (risk controls) aim at reducing the probability of occurrence and/or the severity of the potential harm.

Risk mitigations are requirements in their own right. But unlike requirements derived from user needs or from other higher-level requirements, risk mitigations need special attention.

Of course, “Requirements shall be complete, unambiguous, able to be verified or validated, and not in conflict with each other.” (ref. ISO 13485:2016 7.3.3). Basically, all principles that apply to other requirements apply to risk mitigation actions as well.

But there are other best practices that you can employ to write effective, practical and compliant risk mitigation actions or risk controls.

1. Keep them high level.

Risk analysis requires the collaboration of different functions, typically development and quality. Developers, when asked how to control a specific risk, tend to provide very specific, detailed solutions. Quality engineers, for their part, tend to take these answers and report them verbatim in their analyses, from where they eventually find their way into the list of requirements. All of a sudden, developers are held accountable for solutions they had already discarded weeks earlier.

Unless a specific technical solution is key to the overall safety of the device, do not mix requirements with design. Leave the details to the developers.

2. Keep them relevant.

Most likely a risk is mitigated by a number of design features. But only a few of them carry the bulk of the mitigation or were added specifically to reduce the risk.

Don’t list every small detail that may incidentally help mitigate a risk; instead, identify the core controls and focus on them.

3. Make them verifiable.

Remember that verification can consist not only of tests, but also of inspection, demonstration or review, and in certain cases even of validation.

Define acceptance criteria early in the project, and state them in terms that can be checked objectively (what input, what expected outcome) rather than as a restatement of the control.

4. Use accepted solutions.

You do not need to reinvent the wheel every time. Actually, using known and proven controls can make your life easier and improve compliance. Typical solutions in this category are CRCs, encryption, compliance with international standards (e.g. IEC 60601) and more. Be precise about what each control actually achieves, though: a CRC detects accidental corruption of stored or transmitted data but not deliberate tampering, because anyone who can modify the data can recompute the CRC; and encryption protects confidentiality, not integrity, unless an authenticated mode or a keyed MAC is used. The risk control should name the hazard the mechanism really addresses.
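As an added illustration of points 3 and 4 (example code written for this page, not code from the original post or from SoftComply): a CRC-32 integrity check on stored calibration data, written so that the risk control has an explicit acceptance criterion and a verification routine that exercises it. The control identifier RC-07 and its wording, the record layout, the key and the sample calibration values are assumptions made for the example. The block also shows the caveat above: a record whose CRC has been recomputed over tampered data passes the CRC check, whereas a keyed HMAC (shown as the alternative where tampering is a hazard) rejects it.

```python
"""Worked example: a CRC-32 integrity check as a verifiable risk control.

Added illustration, not code from the original post or from SoftComply.
The control wording, record layout, key and sample data are assumptions.
"""
import hashlib
import hmac
import struct
import zlib

# Assumed risk control (hypothetical wording for this example):
#   RC-07: Calibration data read from non-volatile storage shall be rejected
#          if its CRC-32 does not match the stored value.
# Acceptance criterion: an unmodified record is accepted; every record in
# which exactly one byte has been corrupted is rejected.

MAGIC = b"CAL1"
HEADER = struct.Struct("<4sI")  # magic, CRC-32 of the payload (assumed layout)
TAG_LEN = hashlib.sha256().digest_size

# Constructed sample payload: eight calibration coefficients, 64 bytes.
SAMPLE_CALIBRATION = struct.pack("<8d", 1.0, 0.5, -0.25, 2.0, 0.0, 3.5, 1e-3, 7.0)


def seal(payload: bytes) -> bytes:
    """Prefix the payload with a header carrying its CRC-32 (the control itself)."""
    return HEADER.pack(MAGIC, zlib.crc32(payload)) + payload


def load(record: bytes):
    """Return the payload if the integrity check passes, otherwise None (fail-safe)."""
    if len(record) < HEADER.size:
        return None
    magic, stored_crc = HEADER.unpack_from(record)
    payload = record[HEADER.size:]
    if magic != MAGIC or zlib.crc32(payload) != stored_crc:
        return None
    return payload


def verify_single_byte_corruption(record: bytes) -> bool:
    """Verification for the acceptance criterion of RC-07.

    Corrupts each byte of the record in turn (header included) and checks
    that every corrupted copy is rejected. Returns True only if all are.
    """
    for i in range(len(record)):
        corrupted = bytearray(record)
        corrupted[i] ^= 0xFF
        if load(bytes(corrupted)) is not None:
            return False
    return True


def seal_authenticated(payload: bytes, key: bytes) -> bytes:
    """Alternative for the tampering hazard: HMAC-SHA256 tag instead of a CRC."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def load_authenticated(record: bytes, key: bytes):
    """Return the payload only if the HMAC tag verifies under the given key."""
    if len(record) < TAG_LEN:
        return None
    tag, payload = record[:TAG_LEN], record[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


if __name__ == "__main__":
    record = seal(SAMPLE_CALIBRATION)
    print("RC-07 accepts valid record:", load(record) == SAMPLE_CALIBRATION)
    print("RC-07 single-byte corruption detected:", verify_single_byte_corruption(record))
    # Limit of a CRC: tampered data with a recomputed CRC is accepted.
    tampered = bytes(len(SAMPLE_CALIBRATION))
    print("CRC accepts re-sealed tampered data:", load(seal(tampered)) == tampered)
    key = b"constructed-example-key"  # assumption: key provisioned out of band
    auth = seal_authenticated(SAMPLE_CALIBRATION, key)
    print("HMAC rejects tampered payload:", load_authenticated(auth[:TAG_LEN] + tampered, key) is None)
```

The verification routine is the piece that turns the control into something a tester can sign off: it enumerates the failure class named in the acceptance criterion rather than trying a handful of hand-picked inputs. The `load` function returns `None` for every failure (short record, wrong magic, CRC mismatch) so that callers cannot accidentally proceed with partial data.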

Once you have implemented a risk control measure, make sure that it has not accidentally introduced a new hazardous situation of its own (for example, a device that refuses to start because a corrupted but non-critical setting fails its integrity check), and feed any such finding back into the risk analysis.

Lastly, make sure that all your requirements, risks, mitigation actions and test cases are linked to each other, enabling full traceability.

SoftComply Risk Manager is an add-on for Jira that automates your medical device risk management with full traceability and compliant risk reporting.
