Basics of Medical Device Risk Management and ISO 14971:2019

May 1, 2020

From a distance, risk management seems straightforward. You have a device, evaluate its potential risks, mitigate those risks, monitor them over time, and you’re done. Seems easy, right? Ah, if only life were so straightforward. The reality is that risk management is one of the more complex aspects of regulatory compliance, simply because risk comes in so many flavors and perceptions of severity. Plus, the probability of harm actually occurring can be estimated quite differently.


This is a four-part series on risk management. Download all four parts as a single PDF.

The thing that makes risk management tricky is that we often don’t have enough real-world data to accurately quantify risks, especially for new devices. Fortunately, there is a systematic process you can establish to analyze, evaluate, control, and monitor risks. Before we get into that, let’s step back and talk about the regulations and standards that dictate how you should approach risk management.

For medical devices, risk and risk management are defined as:

Risk – the combination of probability of occurrence of harm and the severity of that harm.

Risk management – the systematic application of management policies, procedures, and practices to the tasks of analyzing, controlling, and monitoring risk.

Why is risk management needed?

Simply put, we have a collective interest in ensuring that medical devices are safe and effective. For that reason, risk management is not optional – it is a regulatory requirement worldwide. The US FDA mandates it in the Quality System Regulation (21 CFR Part 820). Europe requires it in the Medical Device Regulation (MDR 2017/745). Likewise, Japan, Canada, Australia, Brazil, and all other major markets require the application of risk management, which is either referenced in their national regulations or ISO 13485:2016.

The role of ISO 14971

Fortunately, national governments have not created their own unique guidelines telling you how to perform risk management. Instead, they defer to ISO 14971, the global standard for medical device risk management. If you are just getting started implementing risk management for your company, purchase the ISO 14971:2019 standard and its guidance ISO/TR 24971:2020, which provides support for implementing risk management. Both are copyrighted documents and you can purchase them online from and other sources.

The intent of ISO 14971 is to define a standard process for identifying risks associated with medical devices at all stages in a device’s life cycle, from product design to procurement to production and postmarket use. In all cases, the goal is to analyze, evaluate, control, and monitor the risks associated with each life-cycle stage.

The most recent version – ISO 14971:2019 – was published by ISO and as EN ISO 14971:2019 by CEN/CENELEC. This version replaces ISO 14971:2007 and EN ISO 14971:2012 and while no tectonic shifts have occurred in the risk management process, there are important changes and updates to be aware of. Read our blog post to get up-to-speed on changes in ISO 14971:2019.

Evolution of ISO 14971 and the elevation of ISO/TR 24971:2020

Structure of ISO 14971:2019 and ISO/TR 24971:2020

The main body of the ISO 14971 standard is surprisingly scant with only 18 pages plus 3 annexes. However, the reason this version is shorter than its predecessors is that many annexes from the 2007 revision have been moved into guidance document ISO/TR 24971:2020 which has ballooned to nearly 100 pages with 8 annexes.

ISO 14971:2019 and ISO/TR 24971

Creating your risk management procedure

So, now that you have downloaded these two critical documents, where to begin? It’s important to think about risk management as a process that you must define and manage in your quality management system just like any other QMS process. In fact, ISO 13485:2016 clause 7.1 tells you that you must have “one or more [documented] processes for risk management”. The best place to start is a documented risk management procedure. But what should be included in that procedure?

First, ISO 14971 clause 4.2 details two important responsibilities for your top management that you need to talk about in your procedure. Management must:

  • Ensure adequate resources are available and that competent personnel are assigned to conduct risk management activities, and
  • Define a risk policy that guides how the company sets up the risk acceptability criteria for each of its devices.

The company’s risk policy serves as a single reference point that teams working on risk management can use to make sure they set up appropriate risk acceptability criteria for a device. The policy includes information that ensures the acceptability criteria meet all of the applicable national or regional regulations and relevant International Standards, and it considers topics like the generally acknowledged state of the art and the interests of stakeholders for the device. The risk policy is where you usually find statements like “reduce the risk as far as possible” or “reduce the risk as low as reasonably practicable”.

Make sure you also include information on how top management will review the suitability of the risk management process (this usually happens in Management Review).

Next, Clause 4.1 of ISO 14971:2019 states that you must have an ongoing process for doing these things for each device or device family you manufacture:

  • Identifying hazards and hazardous situations associated with a medical device
  • Estimating and evaluating the associated risks
  • Controlling these risks
  • Monitoring the effectiveness of the risk control measures.

These are the basic steps that you’ll follow throughout the lifecycle of all the devices you make. A big thing to remember – risk management never stops for your device!

Basic steps in the medical device risk management process

You will go through these same basic steps for each device/device family you have.


1 – Create a risk management plan for your device

Just like any good process, we want to start our activities with a plan. If you have just one device or device family in your company, you may use your risk management procedure as your risk management plan. But, if you manufacture multiple types of devices, your risk management plan needs to be specific to each device/device family. The information in your plan should include all of the appropriate steps you defined in the risk management procedure.

The plan defines what detailed steps we’ll take for risk management for a particular device, including all of the risk analysis, risk evaluation, risk control, and review and reporting. Document the activities that will take place, assign responsibilities, establish your risk acceptability criteria, plan risk control verification activities, determine risk review requirements, and plan production/post-production activities.

  • Assemble your risk management team: Assemble a qualified team of people who know how your device is constructed, its manufacturing processes, how it is used in the field, etc.

2 – Perform risk activities

Based on the intended use and reasonably foreseeable misuse, identify hazards that could lead to hazardous situations and harm.

  • Use risk analysis tools to identify risks: Choose the tools you will use to analyze risk (discussed more later) and then use them to identify risks posed by your processes, users, suppliers, maintenance tasks, shipping, production equipment, etc.
  • Control risks: The goal here is to reduce risks to an acceptable level, as defined in your risk policy, using design features, protective measures like alarms, and, of course, information such as warning labels.
  • Weigh the risks versus the benefits: This is fairly self-explanatory, but the end goal is to ensure that the clinical benefits of your device outweigh residual risks. This needs to be reassessed throughout the life of the device.

3 – Review the risk management outcomes and create a report

This is where you take credit for all your work. Tie it all back to your original plan. Did you follow the plan? Did you document and justify any deviations? It is important that you write clear and simple conclusions, some as simple and obvious as: “The risk management process outcomes support that the implemented risk control measures reduce the residual risks of the device to an acceptable level when weighed against its clinical benefits.” This goes a long way toward giving credibility to your process. We’ll discuss the report contents later.

At this point, it’s a good idea to firm up your plans for monitoring risk throughout the device life-cycle. One last detail to mention: all of the documentation that you create throughout these three basic steps becomes the content of the risk management file for your device.
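To make the three steps above concrete, here is a small risk register in Python that estimates a risk as a probability/severity pair, evaluates it against an acceptability matrix standing in for the risk policy, credits only verified risk controls toward the residual risk, and produces the two conclusions the report needs. This is an added example, not code from the article or from ISO 14971; the three-level scales, the policy matrix and the sample hazard are constructed for illustration.

```python
# Added example, not from the article or ISO 14971: scales, policy and sample are constructed.
from dataclasses import dataclass, field

SEVERITY = ["negligible", "moderate", "critical"]    # assumed 3-level scale
PROBABILITY = ["remote", "occasional", "frequent"]   # assumed 3-level scale
# Risk policy (assumed): acceptability per probability row / severity column. "ALARP" =
# acceptable only if reduced as low as reasonably practicable and benefit-risk supports it.
POLICY = {
    "remote":     ["acceptable", "acceptable", "ALARP"],
    "occasional": ["acceptable", "ALARP", "unacceptable"],
    "frequent":   ["ALARP", "unacceptable", "unacceptable"],
}

@dataclass
class Control:
    kind: str             # "design", "protective" or "information" (the page's three options)
    new_probability: str  # probability claimed once the control is in place
    verified: bool        # has the planned verification activity been completed?

@dataclass
class Risk:
    hazard: str
    hazardous_situation: str
    harm: str
    probability: str
    severity: str
    controls: list = field(default_factory=list)

    def residual_probability(self):
        """Credit only verified controls; an unverified one does not lower the risk."""
        p = self.probability
        for c in self.controls:
            if c.verified and PROBABILITY.index(c.new_probability) < PROBABILITY.index(p):
                p = c.new_probability
        return p

def evaluate(risk, residual=True):
    """Look up the initial or residual risk in the policy matrix."""
    p = risk.residual_probability() if residual else risk.probability
    return POLICY[p][SEVERITY.index(risk.severity)]

def report(risks):
    """Step 3: the two conclusions the risk management report has to state."""
    verdicts = {r.hazard: evaluate(r) for r in risks}
    return {"no_unacceptable_residual_risk": "unacceptable" not in verdicts.values(),
            "needs_benefit_risk_justification": [h for h, v in verdicts.items() if v == "ALARP"]}

# Constructed sample: the verified design control is credited, the unverified label is not.
SAMPLE = Risk("electrical energy", "patient contacts exposed lead", "burn", "occasional",
              "critical", [Control("design", "remote", True), Control("information", "remote", False)])
```

Running `evaluate(SAMPLE, residual=False)` shows the initial risk as unacceptable, while `evaluate(SAMPLE)` lands in the ALARP band because only the verified design control is credited, which is exactly the case the report must justify against clinical benefit.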

Want to learn more?

If you enjoyed this article, be sure to read the second post in this series focusing on risk management planning. If you’re ready to take the next step, check out our risk management training class available as instructor-led virtual or classroom formats.
