
ISO 14971:2019: Understanding the Current Version of ISO 14971

The third edition of ISO 14971 was released in December 2019 and replaced ISO 14971:2007. Although the risk management process itself remains largely unchanged, ISO 14971:2019 contains important clarifications and updates to be aware of. The third edition is structured with 10 clauses and three annexes and is aligned with the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). In general, the standard reorganizes content, adds new definitions, gives more detail on evaluating residual risks, and sets out detailed requirements for production and post-production activities. Its focus on benefit-risk evaluation also aligns with the MDR and IVDR.

In reviewing the ISO 14971:2019 standard, pay particular attention to the highlighted sections below.

ISO/TR 24971:2020 Is an Essential Companion Guide

ISO/TR 24971:2020 is a rewrite of the previous version and is the companion guide, or technical report, for ISO 14971:2019. This document provides guidance on the development, implementation, and maintenance of a risk management system for medical devices according to ISO 14971:2019. The clauses and subclauses in the companion guide have the same structure and numbering as the clauses and subclauses of the ISO 14971:2019 standard, so it can be considered a guideline for the implementation of ISO 14971:2019. ISO/TR 24971:2020 does not add any requirements. It provides supplemental guidance and clarification to the informative annexes of ISO 14971:2019, with approaches that organizations can use to develop and maintain an ISO 14971:2019-based risk management system.

Important Definitions Have Been Included in ISO 14971:2019

Three important definitions have been introduced in ISO 14971:2019 and are noted below. Other minor changes were made to the following terms: accompanying documentation, harm, IVD, manufacturer, and use error.

  • Reasonably foreseeable misuse (3.15) – The new definition states that if misuse of a product can result from predictable human behavior, then you need to take this into account in your risk analysis. Reasonably foreseeable misuse can be unintentional or intentional. This analysis applies to lay users and professional users.
  • Benefit (see 3.2) – This term was not defined in ISO 14971:2007 or EN ISO 14971:2012, but it is addressed for the first time in the third edition as: Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health. The definition of benefit extends beyond the impact to the patient to include public health.
  • State of the art (3.28) – This term appears 12 times in the EU MDR and 20 times in the IVDR but is not defined in either regulation. ISO 14971:2019 aligns the term with the definition found in ISO/IEC Guide 63:2019. That guide defines state of the art as: Developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience. In that context, ISO 14971:2019 could be considered the state of the art when it comes to risk management for medical devices.

More Requirements for Production and Post-Production Activities

Most of the added requirements relate to production and post-production activities, and the corresponding clauses were restructured. This section now dovetails more closely with the ISO 13485:2016 section 8 requirements for feedback, analysis of data and CAPA. Explicit requirements were added concerning collection and review of information about the device, plus requirements for using that information in the risk management process.

More Attention is Focused on Articulating the Benefits of Your Device

ISO 14971:2019 is a risk management standard, but it is not just about risk reduction. Increasingly, regulators want to know about the benefits that the medical device offers. ISO 14971:2019 defines benefits in a way ISO 14971:2007 and EN ISO 14971:2012 did not. ISO/TR 24971 provides guidance on determining benefits and includes examples. You may also want to read this informative blog post on evaluating medical device benefits from an FDA perspective.

Risk Management Should Be Applied to Cybersecurity

Risk comes in all forms. As medical devices are increasingly connected to the internet and other networks, new security risks need to be evaluated and documented. For most manufacturers, this issue is nothing new, but Annex F of ISO/TR 24971:2020 acknowledges and reinforces the need for medical device companies to address the very real risks posed to users or patients, in addition to misuse of the device.

The Method for Evaluating Overall Residual Risk Has Changed

ISO 14971:2019 refocuses attention on the benefit-risk analysis of medical devices, which is in alignment with the changes made in EU MDR (2017/745) and IVDR (2017/746). Section 4.4 (risk management plan) of ISO 14971:2019 emphasizes the necessity of conducting an assessment of overall residual risk and of defining the criteria for determining the device's acceptability. The method can include gathering and reviewing data and literature for the medical device and other similar products on the market. The criteria for the acceptability of the overall residual risk can be different from the criteria for acceptability of individual risks. The requirements to disclose residual risks have been merged into one requirement, which applies after the overall residual risk has been evaluated and judged acceptable.

Next Steps to Prepare for Transition

Companies that have followed ISO 14971:2007 and EN ISO 14971:2012 should not find ISO 14971:2019 to be an onerous upgrade. However, it is vital to take the time to assess any gaps you may have and address them accordingly. If you already have a working knowledge of the ISO 14971:2007 and EN ISO 14971:2012 revisions and would like to get a deep understanding of the changes, consider our medical device risk management training class. Our team of consultants is also available to assist with specific risk management issues that affect your company.
