
ISO 14971 and the Basics of Medical Device Risk Management Explained

This is the first installment of a 3-part blog series on risk management. If you already know the basics, skip to the second post on risk management planning. We’ve combined all three posts into one easy-to-read PDF, plus added some extras. Download it here.

From a distance, risk management seems straightforward: you have a device, you evaluate its potential risks, mitigate them, monitor them over time, and you are done. If only life were so simple. In reality, risk management is one of the more complex aspects of regulatory compliance, because risk comes in many flavors and both the severity and the probability of a harm can be interpreted quite differently from one reviewer to the next.

The thing that makes risk management tricky is that we often don’t have enough real-world data to accurately quantify risks, especially for new devices. Fortunately, there is a systematic process you can establish to estimate, evaluate, control, and monitor risks. Before we get into that, let’s step back and talk about the regulations and standards that dictate how you should approach risk management.


Risk Management Cycle


Medical device risk and risk management defined

  • Risk is the combination of probability of occurrence of harm and the severity of that harm.
  • Risk management is the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk.


Why is risk management needed?

Simply put, we have a collective interest in ensuring that medical devices are safe and effective. Risk management is not optional; it is a regulatory requirement worldwide. The US FDA mandates it in the Quality System Regulation (21 CFR Part 820). Europe requires it in the new Medical Device Regulation (MDR 2017/745). Japan, Canada, Australia, Brazil, and every other major market likewise require risk management, either directly in their national regulations or through their adoption of ISO 13485:2016, which itself calls for it.


The role of the ISO 14971 standard

Fortunately, national governments have NOT each created their own guidelines telling you how to perform risk management. Instead, they all defer to ISO 14971, the global standard for medical device risk management. The intent of the standard is to identify the hazards associated with a medical device at every stage of its life cycle, from product design through procurement and production to postmarket use, and at every stage to estimate, evaluate, control, and monitor the associated risks. There are two versions of this standard in use today:

  • ISO 14971:2007 The US FDA and most other markets recognize this version of the standard as the way to meet national risk management requirements.
  • EN ISO 14971:2012 This version is required to meet CE Marking requirements for medical devices sold in Europe. Its normative text is identical to ISO 14971:2007; it differs only in the European foreword and the Z annexes, which describe where ISO 14971:2007 deviates from the requirements of the European device directives.

If you are just getting started implementing risk management for your company, purchase EN ISO 14971:2012 together with its guidance document, ISO/TR 24971:2013. The technical report is brief but provides excellent guidance on specific areas of ISO 14971. Both are copyrighted documents that you can purchase online from ISO.


ISO 14971 Timeline

ISO 14971 was first introduced in 1998 and has expanded in scope with each subsequent release. A further revision is underway and expected to be complete sometime in 2019. Its focus is not on changing the risk management process itself but on improving the guidance on implementing the life-cycle risk management process.


Sections of ISO 14971

Although risk management can be complex, the main body of the ISO 14971 standard is a scant 14 pages and consists of 9 clauses:

  1. Scope
  2. Terms and definitions
  3. General requirements for risk management
  4. Risk analysis
  5. Risk evaluation
  6. Risk control
  7. Evaluation of overall residual risk acceptability
  8. Risk management report
  9. Production and post-production information

And these are the key annexes supporting those clauses:

  • Annex A Rationale for requirements
  • Annex B Overview of risk management process for medical devices
  • Annex C Questions that can be used to identify medical device characteristics that could impact safety
  • Annex D Risk concepts applied to medical devices
  • Annex E Examples of hazards, foreseeable sequences of events, and hazardous situations
  • Annex F Risk management plan
  • Annex G Information on risk management techniques
  • Annex H Guidance on risk management for in-vitro diagnostic medical devices
  • Annex I Guidance on risk analysis process for biological hazards
  • Annex J Information for safety and information about residual risk


Basic steps in the medical device risk management process

So where to begin? It helps to think about risk management as a process that starts with a plan. While the end deliverable is a report, your work in controlling risk is never done. We will talk in detail about each of these areas later, but here are the steps.


Risk Management Steps - ISO 14971:2019


  • Create a risk management plan: Document activities that will take place, assign responsibilities, determine risk review requirements, establish risk acceptability levels, plan verification activities, and plan production/post-production activities.
  • Assemble your risk management team: Assemble a qualified team of people who know how your device is constructed, its manufacturing processes, how it is used in the field, etc.
  • Use risk analysis tools to identify risks: Choose the tools you will use to identify and estimate risk (discussed more later) and then apply them to the risks posed by your processes, users, suppliers, maintenance tasks, shipping, production equipment, etc.
  • Weigh the risks versus the benefits: This is fairly self-explanatory, but the end goal is to ensure that the medical benefits of your device outweigh residual risks.
  • Eliminate or mitigate risks: The goal here is to reduce each risk to an acceptable level and to verify that every control you rely on actually works. We'll talk more about risk reduction later and address how it varies between the 2007 and 2012 versions of ISO 14971.
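To make the estimate, evaluate, control, re-evaluate loop concrete, here is a small Python risk register written for this post. It is an added illustration, not code from the post, from ISO 14971, or from any real device file: the severity and probability scales, the acceptability matrix, the register entries and the `credit_information_for_safety` switch are all constructed for the example. The switch reflects this example's reading of the EN ISO 14971:2012 Z annexes, under which labelling and training are not credited with reducing risk for CE marking; the three control types follow the priority order of ISO 14971:2007 clause 6.2.

```python
# Toy ISO 14971-style risk register: estimate, evaluate, control, re-evaluate.
# Added for this post. Scales, matrix and register entries are constructed for
# the example; none of them come from ISO 14971 or from a real device file.
from dataclasses import dataclass, field
from enum import Enum

# Qualitative scales. ISO 14971 leaves their definition to the manufacturer's
# risk management plan; these five-step scales are hypothetical.
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]

# Acceptability matrix: rows follow SEVERITY, columns follow PROBABILITY.
# A = acceptable, R = reduce further and justify (the ALARP region of the
# 2007 edition), U = unacceptable. Cell assignments are hypothetical plan decisions.
MATRIX = [
    "AAAAR",  # negligible
    "AAARR",  # minor
    "AARRU",  # serious
    "ARRUU",  # critical
    "RRUUU",  # catastrophic
]

class Acceptability(Enum):
    ACCEPTABLE = "A"
    REDUCE_FURTHER = "R"
    UNACCEPTABLE = "U"

class ControlType(Enum):
    """Risk control options in the priority order of ISO 14971:2007 clause 6.2."""
    INHERENT_SAFETY_BY_DESIGN = 1
    PROTECTIVE_MEASURE = 2
    INFORMATION_FOR_SAFETY = 3

def evaluate(severity: str, probability: str) -> Acceptability:
    """Look a (severity, probability) estimate up in the plan's matrix."""
    return Acceptability(MATRIX[SEVERITY.index(severity)][PROBABILITY.index(probability)])

@dataclass
class RiskControl:
    description: str
    kind: ControlType
    probability_steps: int = 0  # scale steps by which the control lowers probability
    severity_steps: int = 0     # scale steps by which it lowers severity (rare)
    verified: bool = False      # effectiveness verified (clause 6.3); unverified = no credit

@dataclass
class HazardousSituation:
    hazard: str
    harm: str
    severity: str
    probability: str
    controls: list = field(default_factory=list)

    def initial_risk(self) -> Acceptability:
        return evaluate(self.severity, self.probability)

    def residual_estimate(self, credit_information_for_safety: bool = True):
        """Apply verified controls and return the residual (severity, probability).
        With credit_information_for_safety=False, labelling and training get no
        risk-reduction credit (this example's reading of the EN ISO 14971:2012
        Z annexes, not a quotation of them)."""
        s, p = SEVERITY.index(self.severity), PROBABILITY.index(self.probability)
        for c in self.controls:
            if not c.verified:
                continue
            if c.kind is ControlType.INFORMATION_FOR_SAFETY and not credit_information_for_safety:
                continue
            s = max(0, s - c.severity_steps)
            p = max(0, p - c.probability_steps)
        return SEVERITY[s], PROBABILITY[p]

    def residual_risk(self, credit_information_for_safety: bool = True) -> Acceptability:
        return evaluate(*self.residual_estimate(credit_information_for_safety))

def review(register, credit_information_for_safety: bool = True) -> dict:
    """Summarize residual risks and open items the way a risk management report would."""
    out = {"acceptable": [], "reduce_further": [], "unacceptable": [], "unverified_controls": []}
    for hs in register:
        out[hs.residual_risk(credit_information_for_safety).name.lower()].append(hs.hazard)
        out["unverified_controls"] += [(hs.hazard, c.description) for c in hs.controls if not c.verified]
    return out

# Constructed register entries (hypothetical device, hypothetical estimates).
REGISTER = [
    HazardousSituation(
        hazard="dose calculation error in pump firmware", harm="overdose",
        severity="critical", probability="probable",
        controls=[
            RiskControl("hard limit on deliverable dose in firmware",
                        ControlType.INHERENT_SAFETY_BY_DESIGN, probability_steps=2, verified=True),
            RiskControl("independent flow monitor with alarm",
                        ControlType.PROTECTIVE_MEASURE, probability_steps=1, verified=False),
            RiskControl("IFU instructs clinician to confirm dose on screen",
                        ControlType.INFORMATION_FOR_SAFETY, probability_steps=1, verified=True),
        ]),
    HazardousSituation(hazard="sharp enclosure edge", harm="minor laceration",
                       severity="minor", probability="occasional"),
    HazardousSituation(
        hazard="battery thermal runaway", harm="burn",
        severity="catastrophic", probability="remote",
        controls=[RiskControl("cell temperature cut-off", ControlType.PROTECTIVE_MEASURE,
                              probability_steps=1, verified=True)]),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("credit information for safety:", mode, review(REGISTER, mode))
```

Run it and the pump hazard comes out acceptable under the 2007 reading and "reduce further" under the 2012 reading, because the only verified control that takes it the last step is labelling; the unverified flow monitor earns no credit in either mode, which is why the verification activities in the plan matter.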


Want to learn more?

If you enjoyed this article, be sure to read the second post in this series focusing on risk management planning. If you’re ready to take the next step, check out our intensive risk management training class.
