Key Takeaways
- Medtech companies must adopt continuous, data-driven risk assessment models integrating cybersecurity, sustainability, and regulatory intelligence.
- Variability in regulatory interpretation by notified bodies and competent authorities is a major risk issue in EU medtech.
- Real-world data is crucial for assessing product risk beyond design validation and clinical trials.
Risk management has always been one of the cornerstones of the EU’s medtech regulations, equally critical in the context of the medical device directives and the EU’s Medical Device and IVD Regulations.
But technological progress has been relentless and new devices tend to operate on entirely different technology to 10 or 20 years ago.
This raises the question as to how manufacturers should be keeping up to date by introducing changes into their risk management systems.
Just ahead of the Amsterdam Risk Management International Conference on Medical Device Safety, Medtech Insight invited eight of the speakers to give their views on the future direction of risk management for medical devices in the context of the EU’s Medical Device and IVD Regulation.
Significant Adaptation Needed By All Stakeholders
To put the subject in context, Giacomo Erani, Product Service Division at the Medical Health Service Department of TÜV SÜD notified body, explained how the pre-market risk management of a medical device relies on estimates linked to data from literature, scientific studies etc. of similar or equivalent devices.
Then, post-market, risk management evolves through continuous updates based on data on the device in question.
The aim, he noted, is to ensure that the benefits outweigh the risks of the device in comparison to its state of the art, and on an ongoing basis.
It is important to understand, Erani added, that risk management, among other processes, must progress alongside the increasingly stringent and complex EU regulatory system and that this demands significant adaptation from all stakeholders.
This can best be achieved, he told Medtech Insight, through a deeper understanding of regulatory requirements, the strategic use of emerging technologies such as artificial intelligence, and closer collaboration among all stakeholders.
Do EU Risk Rules Need Changing?
Forthcoming Risk Management Conference
For more details about the forthcoming International Conference on Medical Device Safety Risk Management, which takes place in Amsterdam from 24-25 April, see the conference website, International Conference on Medical Device Safety Risk Management. The conference is preceded by an optional day of tutorials and workshops.
On the topic of whether changes need to be made in any of the EU regulations to better help mitigate the evolving risks inherent in medical devices, Karandeep Badwal, founder and director of the quality and regulatory affairs consultancy QRA Medical, argued that the EU needs “smarter, more harmonized” regulation but “not necessarily more regulation.”
He voiced some of the challenges in the way of companies carrying out straightforward risk management in the EU.
Variability in how different notified bodies and competent authorities interpret the regulations’ requirements is among the biggest risk issues in EU medtech right now, which Badwal attributes, in part, to the different languages used across the EU’s testing and certification bodies.
That inconsistency creates uncertainty, which can delay products or result in over-engineered risk controls that do not match the actual clinical context, he argued, advocating clearer guidance, especially on risk-benefit evaluation and post-market surveillance.
Also, the interfaces between the MDR and adjacent legislation such as the EU AI Act need streamlining, he said. “Right now,” Badwal added, developers spend “too much energy navigating the grey zones instead of focusing on meaningful risk mitigation.”
Biggest Factors Influencing Risk Management Changes
Michelle Lott, meanwhile, principal and founder, leanRAQA, concurred with Erani and Badwal that risk management in EU medtech is evolving due to stricter regulatory requirements.
She highlighted several major influences on its evolution, including cybersecurity threats, AI integration, supply chain vulnerabilities, sustainability concerns and global harmonization efforts.
Lott also noted that the EU MDR and IVDR impose stricter requirements for clinical evidence, post-market surveillance and lifecycle risk management, making proactive risk assessment essential.
Geopolitical disruptions have further exposed supply chain risks, necessitating improved traceability and diversification, she observed. Consequently, medtech companies “must adopt continuous, data-driven risk assessment models that integrate cybersecurity, sustainability, and regulatory intelligence,” she said.
This dynamic landscape demands adaptive risk strategies, enhanced collaboration across supply chains, and robust post-market monitoring to ensure compliance and patient safety. And companies that proactively address these evolving risks will gain a competitive edge in the European medtech market, she argued.
Impact On Risk Management Of EU/US Differences
When asked about the potential impact of US deregulation in areas such as devices and AI, Lott explained that, despite efforts toward industry harmonization, additional US deregulation would widen the divergence between the two systems. Medical device companies are anxiously observing the MDR, viewing it as a significant barrier to market entry.
The MDR’s heightened expectations for risk management throughout a product’s lifecycle, along with increased demands for clinical data and post-market surveillance, have made the US a more attractive option for initial market entry. Companies entering the EU market must develop additional design requirements, conduct rigorous risk analysis, and meet stringent MDR standards.
Both post-market surveillance and clinical evaluation reports are crucial for risk management. Companies will require substantially more data when entering the EU market compared to the US, potentially resulting in two different levels of compliance programs.
Post-Market Risk Management
Turning to post-market risk management, Naveen Agarwal, principal and founder at the US healthcare consultancy Creative Analytics Solutions, said that because medical devices go through many changes during their lifecycle, post-market risk management for medical devices proves to be more challenging than that for pharmaceuticals, and lasts through a device’s lifetime.
The process involves gathering information that may be relevant for safety, including, for example: complaints from doctors and patients and quality issues in production or supply chain.
Changes in the state of the art must also be reviewed to assess if risk level has changed or if new risks are realized. And any design changes that occur, Agarwal said, must be rigorously tested before releasing into the market. Indeed, a new regulatory submission is generally required, Agarwal told Medtech Insight.
Post-Market Risk Management: Some Practical Tips
Still on the topic of post-market risk management, Tina Krenc, principal consultant at KTA Compliance Consulting in the US, explained that post-market data collection is essential for evaluating the device’s performance and safety in real-world conditions.
This data may accumulate quickly for early analysis or more slowly, requiring a longer period to gather useful insights. Regardless of the pace, post-market data helps reassess the device’s risk profile in users’ hands, she said.
A comprehensive post-market data plan should proactively gather data from reliable sources and reactively capture feedback through customer complaints, Krenc added. After analysis, the device’s overall benefit-risk profile needs to be reevaluated. Based on the findings, the device may remain acceptable or undergo modifications to reduce risks or enhance benefits.
Post-market monitoring and risk management need to continue at a planned frequency throughout the device’s lifecycle until the product is retired, Krenc added.
In summary, she said, risk management is an ongoing process throughout a medical device’s lifecycle, starting during the design and development phases. Early risk management is typically based on scientific or engineering theories rather than real-world data. Once the device is developed, validated and launched, real-world data becomes available. This data is crucial for assessing the product’s risk when used by a wider population beyond those involved in design validation or clinical trials.
Ensuring Risk Management Policy Is Up To Date In The US
In response to the question of how manufacturers should now ensure that their risk management process is up to date, Krenc noted three areas that have been recently cited in FDA warning letters.
The first involves determining criteria for risk acceptability, which should be based on regulations and product standards. However, many organizations lack a clear rationale for what is deemed acceptable, she advised. Additionally, different medical devices may have varying acceptability levels based on their intended use.
The second area is assessing potential harm for all morbidities and mortalities among the intended user population.
“It is insufficient to only consider the worst-case scenario, as there may be less severe harms occurring more frequently that are unacceptable at that level,” Krenc noted. Real-world data should therefore be utilized to accurately reflect actual harms and their frequency.
The third area emphasizes that risk management should not merely be a modified Failure Modes and Effects Analysis (FMEA). FMEA only addresses device failures, not normal operating conditions. The analysis should, therefore, she explained, encompass both normal and fault conditions, as required by regulations and the key international risk management standard, ISO 14971.
Top Management Involvement Critical
On the topic of ISO 14971, Jos van Vroonhoven, senior manager of standardization at Royal Philips, explained that ISO 14971 was recently reconfirmed for another five years, until 2030.
A broad range of stakeholders contributed to the latest work, he said, with representation from many countries across the world, including US experts. He expects the US to continue its commitment.
Van Vroonhoven explained that an important starting point of ISO 14971 is top management commitment. This is not a new requirement, but it is sometimes insufficiently addressed, he said.
Top management needs to establish the company policy for risk management and ensure that adequate resources are available to perform proper risk management. Without its commitment, any risk management process will ultimately fail, so good company policy is essential.
Risk Management In The AI Era
Turning now to the greatest risks for medtech manufacturers in their AI-enabled devices and how manufacturers should be adapting to manage these risks, Pat Baird, senior regulatory specialist at Philips, said that the two biggest risks relate to challenges the developers might not have experience of.
There are many stories of “unwanted bias” in the training and test data – usually due to a difference in patient populations that the developer had not considered as important, he said. One example is cancer-detecting software where the training and test data did not include people of color. Tissue density varies by race, he explained, but the developers were not aware of this fact, and focused on other areas of data quality, not realizing how they had created a biased application.
The other concern is that giant sets of data are a very attractive target for cybersecurity attacks. There are many new vulnerabilities with machine learning (ML) systems, and people need to be aware of those new considerations, Baird warned.
Specific Risks Among AI Medtech Users
Yu Zhao, president and principal advisor at Bridging Consulting in the US, also commented on what he considers the greatest risks for medtech manufacturers with respect to AI-enabled devices, and how manufacturers should adapt to manage these risks.
One major risk for medtech manufacturers is the possibility that end-users are not fully aware of an AI-enabled device’s capabilities and limitations, particularly when different AI models from multiple manufacturers are integrated into a single clinical workflow, he said.
Each model may have its own unique functionalities, performance range and risk profile, leading to confusion or misuse if users lack adequate knowledge.
To mitigate this, manufacturers must ensure transparency around intended use, clearly communicate a model’s strengths and boundaries, and regularly remind users of these critical details, Zhao advised.
Performance Drift And Other Shifts
Another key concern is the phenomenon of model performance drift, where an AI’s effectiveness degrades over time due to real-world changes, he said.
Factors such as the introduction of new data input devices, shifts in patient demographics, and evolving clinical practices can all skew an AI model’s results, Zhao said.
The self-learning, self-adjusting potential of adaptive ML algorithms can help mitigate these issues, allowing the device to quickly recognize and correct for performance deviations. But this needs to be planned for.
For a locked ML algorithm or an adaptive algorithm alike, robust post-market surveillance — supported by active performance monitoring, back-end data analytics, and user feedback — remains essential, Zhao noted, for ensuring that any potential performance drift will be detected and addressed in a timely manner.
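The active performance monitoring Zhao describes needs a concrete statistic that can be computed on a post-market window of inputs and compared against the distribution the model was validated on. The following is an added example, not code from the article or from any of the companies quoted: it computes the Population Stability Index (PSI) for one input feature between a validation-time baseline and a recent window, using decile bins derived from the baseline, and maps the score to the commonly used 0.1 / 0.25 review thresholds. The feature values, sample sizes, bin count and thresholds are all constructed for the demonstration; a real device would compute this per feature (or per output score) at the surveillance frequency set in its post-market plan.

```python
import math
import random
from typing import List, Sequence, Tuple

# Population Stability Index (PSI) drift monitor for one continuous input feature.
# Bins are fixed from the baseline (validation-time) data so that every later
# window is compared against the same reference partition.


def quantile_edges(baseline: Sequence[float], n_bins: int = 10) -> List[float]:
    """Return n_bins-1 interior bin edges at the baseline quantiles."""
    ordered = sorted(baseline)
    return [ordered[int(i * len(ordered) / n_bins)] for i in range(1, n_bins)]


def bin_fractions(values: Sequence[float], edges: Sequence[float]) -> List[float]:
    """Fraction of values falling in each bin; empty bins get a tiny floor
    so the logarithm below stays finite."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        b = 0
        while b < len(edges) and v >= edges[b]:
            b += 1
        counts[b] += 1
    floor = 1e-6
    return [max(c / len(values), floor) for c in counts]


def psi(baseline: Sequence[float], current: Sequence[float], n_bins: int = 10) -> float:
    """PSI = sum over bins of (q - p) * ln(q / p), p = baseline share, q = current share.
    0 means identical binned distributions; the score grows as the window departs
    from the baseline."""
    edges = quantile_edges(baseline, n_bins)
    p = bin_fractions(baseline, edges)
    q = bin_fractions(current, edges)
    return sum((qi - pi) * math.log(qi / pi) for pi, qi in zip(p, q))


def drift_status(score: float) -> str:
    """Conventional PSI interpretation bands (assumed thresholds, adjust per device)."""
    if score < 0.1:
        return "stable"
    if score < 0.25:
        return "investigate"
    return "drift"


def make_demo_data() -> Tuple[List[float], List[float], List[float]]:
    """Constructed sample data: a baseline feature distribution, a post-market
    window drawn from the same distribution, and a window shifted as if a new
    input device or patient population had changed the feature's typical range."""
    rng = random.Random(20240425)
    baseline = [rng.gauss(0.0, 1.0) for _ in range(2000)]
    same = [rng.gauss(0.0, 1.0) for _ in range(500)]
    shifted = [rng.gauss(1.5, 1.0) for _ in range(500)]
    return baseline, same, shifted


if __name__ == "__main__":
    base, unchanged, moved = make_demo_data()
    for label, window in (("same-population window", unchanged), ("shifted window", moved)):
        score = psi(base, window)
        print(f"{label}: PSI={score:.3f} -> {drift_status(score)}")
```

The score alone does not say why the feature moved; the point of the check is to trigger the investigation Zhao calls for (new acquisition hardware, demographic shift, changed clinical practice) before output quality degrades unnoticed.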
Cybersecurity Is A Major Concern
Zhao agreed with Baird that cybersecurity risks remain a major concern for all networked medical devices, but noted that AI/ML-enabled devices can face unique and more complex vulnerabilities. There must be strong risk management in this area, he stressed.
Moreover, because AI/ML devices continuously process new data from multiple sources, the range of potential vulnerabilities widens considerably, expanding their “attack surface” compared to traditional, less data-intensive devices, he warned.
Worryingly, each pathway for data collection, integration and transmission represents a potential entry point for malicious actors. By tampering with incoming data, Zhao cautioned, attackers can influence or even corrupt a device’s AI-driven decision, thereby posing direct risks to patient safety.
ML models also require ongoing retraining to maintain accuracy and adapt to real-world changes.
This creates an opportunity for bad actors to insert corrupted or “poisoned” data, Zhao forewarned. Such data may skew the model’s outputs, leading to compromised decision support and patient care.
Defence Measures
As part of their risk management, to counter these threats, manufacturers may encrypt both stored and transmitted data, establish strict version control for AI model updates, and continuously monitor for data inputs or performance issues that may indicate tampering, he said.
Manufacturers must also adopt secure data pipelines, enforce rigorous checks on all training datasets, and continuously monitor model integrity across every version update.
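One concrete way to put "strict version control for AI model updates" and "rigorous checks on all training datasets" into practice is to pin every artifact of a model release (training data, weights, configuration) to its cryptographic hash in a manifest, authenticate the manifest with a key the build pipeline holds, and refuse to load or retrain unless every artifact still matches. The following is an added example, not code from the article or from Philips, Bridging Consulting or any other party quoted: it builds such a manifest with SHA-256 digests and an HMAC over the canonical manifest body, then verifies a release and reports what differs. The artifact contents, version label and key are constructed for the demonstration; in a real pipeline the key would live in an HSM or key management service and the manifest would be signed rather than MACed if third parties must verify it.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Release-integrity check for an ML model: a manifest of SHA-256 digests over
# every artifact, authenticated with HMAC-SHA256 so that neither an artifact nor
# the manifest itself can be altered without the pipeline's key.

# Constructed demo key; a real deployment would load it from an HSM or KMS.
DEMO_KEY = b"demo-release-signing-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so the MAC is computed over the same bytes on both sides.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: str, artifacts: Dict[str, bytes], key: bytes) -> dict:
    """Digest every artifact and authenticate {version, artifacts} with HMAC."""
    entries = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    body = {"version": version, "artifacts": entries}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_release(manifest: dict, artifacts: Dict[str, bytes], key: bytes) -> List[str]:
    """Return a list of problems; an empty list means the release is intact.
    The MAC is checked first: if the manifest itself was edited, the per-artifact
    digests inside it cannot be trusted and are not reported."""
    body = {"version": manifest["version"], "artifacts": manifest["artifacts"]}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return ["manifest MAC mismatch"]
    problems = []
    for name, digest in manifest["artifacts"].items():
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
        elif sha256_hex(artifacts[name]) != digest:
            problems.append(f"hash mismatch: {name}")
    for name in artifacts:
        if name not in manifest["artifacts"]:
            problems.append(f"unlisted artifact: {name}")
    return problems


def demo_artifacts() -> Dict[str, bytes]:
    """Constructed stand-ins for a release's files."""
    return {
        "train.csv": b"patient_id,feature_a,feature_b,label\n1,0.31,2.7,0\n2,0.88,1.1,1\n",
        "model.bin": b"\x00\x01weights-placeholder\x02\x03",
        "config.json": b'{"threshold": 0.5, "input_schema": "v3"}',
    }


if __name__ == "__main__":
    arts = demo_artifacts()
    manifest = build_manifest("1.2.0", arts, DEMO_KEY)
    print("clean release:", verify_release(manifest, arts, DEMO_KEY))

    # Training data swapped for a poisoned copy after the manifest was issued.
    poisoned = dict(arts)
    poisoned["train.csv"] = arts["train.csv"] + b"3,9.99,9.99,0\n"
    print("poisoned dataset:", verify_release(manifest, poisoned, DEMO_KEY))

    # Attacker also rewrites the manifest digest to hide the swap, but lacks the key.
    forged = dict(manifest)
    forged["artifacts"] = dict(manifest["artifacts"])
    forged["artifacts"]["train.csv"] = sha256_hex(poisoned["train.csv"])
    print("forged manifest:", verify_release(forged, poisoned, DEMO_KEY))
```

Running the verification both before a retraining job consumes a dataset and before a device loads a model version gives the "monitor model integrity across every version update" control a concrete gate, and the problem list is the record to attach to the post-market file when something does not match.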
Although many cybersecurity vulnerabilities are still largely theoretical, the potential for “multi-patient harms” — where a single attack could affect hundreds or even thousands of users — means that even small gaps in security can carry significant consequences, Zhao warned.
We must take every potential vulnerability seriously, he concluded, especially as AI/ML-enabled devices continue to collect and process large volumes of sensitive data.
Risk Management For Combination Products Involving AI
Commenting on the specific risk challenges that exist for drug/device combination products, and especially those where AI is used, Badwal said that combination products already come with complexity, blending two regulatory worlds with different expectations around evidence, risk management and lifecycle control.
Add AI and you’ve got a third dimension of risk: dynamic behavior, he said.
Traditional risk frameworks assume a device behaves consistently over time.
AI can learn or adapt, so risks may evolve post-market.
That raises big questions about transparency, explainability and ensuring ongoing safety, Badwal noted.
Regulators are attempting to catch up, but the challenge is building a system that supports innovation and enforces accountability without defaulting to blanket prohibitions or unrealistic expectations.