Why Focus on Residual Risk Rather Than Initial Risk?

Shifting Focus from Initial Risk to Residual Risk — Why Should You Pay Attention?

When we hear the term “risk management,” our minds typically conjure up images of economic risks associated with stock investments or corporate management. However, today we focus on risk management in the context of medical device product development. The key concept to understand is “residual risk.” So, what exactly is residual risk?

Explanation for Beginners: “Residual Risk” Defined

“Residual risk” refers to the risk that remains after all risk management measures have been implemented during the medical device product development process. This stands in contrast to “initial risk,” which is the risk identified at the stage before any mitigation strategies are put in place. These concepts are clearly defined in the international standard ISO 14971, “Risk Management for Medical Devices,” and form the fundamental framework for evaluating medical device safety.

Within ISO 14971, the core of the risk management process encompasses a series of steps: hazard identification and risk assessment at the initial stage, implementation of risk management measures, and finally, residual risk evaluation. The importance of residual risk assessment is further emphasized in the EU Medical Device Regulation (MDR) 2017/745, In Vitro Diagnostic Regulation (IVDR) 2017/746, the FDA Quality Management System Regulation (QMSR), and the guidance issued by the PMDA (Pharmaceuticals and Medical Devices Agency) of Japan.

Why Focus on “Residual Risk”?

So, why should we focus on “residual risk”? The fundamental reason is that during the initial stage of risk assessment, it is difficult to accurately estimate the probability of occurrence or severity of hazards. During the early stages of development, design specifications, use scenarios, and the diverse behavioral patterns of users are not fully understood. Consequently, there is a tendency to evaluate initial risk based on theoretically worst-case scenarios. For this reason, conservative risk assessment methodologies—evaluating initial risk at its maximum value—were historically the standard approach.

However, this approach carries the risk of over-evaluating risk perception. For example, when considering hazards related to medical device use (such as malfunction due to user error), if every use scenario is evaluated under worst-case conditions, a disconnect emerges between the theoretical assessment and the actual clinical environment or practical use situations. This can result in investment in excessively complex and impractical risk management measures, while the truly critical issues that should be addressed are deferred.

This is where the concept of “residual risk” becomes crucial. By implementing feasible risk management measures—such as design optimization, inclusion of precautions in instructions for use, user training, and hardware/software controls—and then focusing on the risk that remains after these measures are implemented, a more realistic and accurate safety assessment becomes possible. This approach clarifies how medical devices are actually used in clinical settings and what harm risks genuinely exist.

An important distinction is that residual risk evaluation is not merely a recognition that “risk remains,” but rather a determination of whether that risk is “acceptable.” As required by EU MDR and FDA QMSR, medical device manufacturers must establish risk acceptability criteria in advance and demonstrate that the residual risk after implementation of management measures falls below these predetermined thresholds. This determination incorporates medical knowledge, clinical evidence, and experience with similar products.

Disclosure to Users and Practical Application

Residual risk information must be appropriately disclosed to users—including healthcare professionals, patients, and other stakeholders—in the device’s labeling, instructions for use, or other product documentation. This enables users to understand known residual risks and make informed decisions about safely and effectively using the medical device. Notably, EU MDR requirements mandate explicit communication of information regarding “known and foreseeable hazards,” and FDA QMSR applies similar principles. Japanese PMDA guidance also requires continuous disclosure of medical device safety information.

Furthermore, within medical device organizations, a shift in perspective from initial risk evaluation to residual risk evaluation leads to more strategic and efficient risk management activities organization-wide. Among development teams, quality assurance departments, clinical and safety departments, and post-market surveillance divisions, the truly critical risk factors requiring attention become clearly shared. This enables more effective allocation of limited resources.

Recent developments underscore this importance: increasingly complex medical devices utilizing artificial intelligence and machine learning, as well as devices requiring cybersecurity measures, are becoming more prevalent. In these domains, predicting risk at the initial stage becomes even more challenging. Managing residual risk continuously through risk management at the design stage, clinical validation, and ongoing post-market surveillance has become more essential than ever.

Conclusion

The ultimate objective of medical device risk management is to demonstrate that the “residual risk” remaining after implementation of risk management measures is below a predetermined acceptable level. Because initial risk assessment typically involves difficulty in estimating probability of occurrence and severity, and tends to rely on theoretical worst-case scenarios, focusing on residual risk after implementing feasible risk management measures is extremely important. This approach enables medical device safety assessment to be more realistic and accurate, facilitates appropriate and trustworthy information disclosure to users, and simultaneously renders enterprise risk management activities more strategic and efficient.

Residual risk management, grounded in the regulatory requirements of ISO 14971, EU MDR/IVDR, FDA QMSR, and PMDA guidance, represents a fundamental and essential process for medical device manufacturers to establish credibility in the marketplace.