Mar 21, 2023

How Medical Device Risk Management and ISO 14971:2019 Work

From a distance, risk management seems straightforward. You have a device, evaluate its potential risks, mitigate those risks, monitor them over time, and you’re done. Seems easy, right? Ah, if only life were so straightforward. The reality is that risk management is one of the more complex aspects of regulatory compliance simply because risk comes in so many flavors and perceptions of severity. Plus, the probability of harm actually occurring can be estimated quite differently.

The thing that makes risk management tricky is that we often don’t have enough real-world data to accurately quantify risks, especially for new devices. Fortunately, there is a systematic process you can establish to analyze, evaluate, control, and monitor risks. Before we get into that, let’s step back and talk about the regulations and standards that dictate how you should approach risk management.

For medical devices, risk and risk management are defined as:

Risk – the combination of probability of occurrence of harm and the severity of that harm.

Risk management – the systematic application of management policies, procedures, and practices to the tasks of analyzing, controlling, and monitoring risk.

Why is risk management needed?

Simply put, we all have a collective interest in ensuring that medical devices are safe and effective. For that reason, risk management is not optional – it is a regulatory requirement worldwide. US FDA mandates it in the Quality System Regulation (21 CFR Part 820). Europe requires it in the Medical Device Regulation (MDR 2017/745). All countries have some requirement for risk management referenced in their national regulations and / or ISO 13485:2016.

The role of ISO 14971

Fortunately, national governments have not created their own unique guidelines telling you how to perform risk management. Instead, they defer to ISO 14971, the global standard for medical device risk management. If you are just getting started implementing risk management for your company, purchase the standard and its guidance ISO/TR 24971:2020, which provides support for implementing risk management. Both are copyrighted documents, and you can purchase them from several online sources.

The intent of ISO 14971 is to define a standard process for identifying risks associated with medical devices at all stages in a device’s life cycle, from product design to procurement to production and postmarket use. In all cases, the goal is to analyze, evaluate, control, and monitor the risks associated with each life-cycle stage.

The most recent version – ISO 14971:2019 – was published by ISO and published as EN ISO 14971:2019 by CEN/CENELEC. These versions replaced ISO 14971:2007 and EN ISO 14971:2012, respectively, and while no tectonic shifts have occurred in the risk management process, there are important changes and updates to be aware of. Read our blog post to get up to speed on changes in ISO 14971:2019.

Evolution of ISO 14971 and the elevation of ISO/TR 24971:2020

Structure of ISO 14971:2019 and ISO/TR 24971:2020

The main body of the ISO 14971 standard is surprisingly scant with only 18 pages plus 3 annexes. However, the reason this version is shorter than its predecessors is that many annexes from the 2007 revision have been moved into guidance document ISO/TR 24971:2020, which has ballooned to nearly 100 pages with 8 annexes.

ISO 14971:2019 and ISO/TR 24971

Creating your risk management procedure

So, now that you have downloaded these two critical documents, where to begin? It’s important to think about risk management as a process that you must define and manage in your quality management system (QMS) just like any other QMS process. In fact, ISO 13485:2016 Clause 7.1 tells you that you must have “one or more [documented] processes for risk management.” The best place to start is a documented risk management procedure. But what should be included in that procedure?

First, ISO 14971 Clause 4.2 details two important responsibilities for your top management that you need to address in your procedure. Management must:

    • Ensure the right resources are available and responsible for conducting risk management activities, and
    • Define a risk policy that guides how the company sets up the risk acceptability criteria for each of its devices.

The company’s risk policy serves as a single reference point that teams working on risk management can use to set up risk acceptability criteria for a device. The policy includes information that ensures the acceptability criteria meet all the applicable national or regional regulations and relevant international standards, and considers topics like the generally acknowledged state of the art and the interests of stakeholders for the device. The risk policy is where you usually find statements like “reduce the risk as far as possible” or “reduce the risk as low as reasonably practicable.”

Make sure you also include information on how top management will review (usually happens in management review) the suitability of the risk management process.

Next, Clause 4.1 of ISO 14971:2019 states that you must have an ongoing process for doing the following things for each device or device family you manufacture:

    • Identifying hazards and hazardous situations associated with a medical device
    • Estimating and evaluating the associated risks
    • Controlling these risks
    • Monitoring the effectiveness of the risk control measures

These are the basic steps that you’ll follow throughout the life cycle of all the devices you make. A big thing to remember – risk management never stops for your device!

Basic steps in the medical device risk management process

You will go through these same basic steps for each device / device family you have.


1 – Create a risk management plan for your device

Just like any good process, we want to start our activities with a plan. If you have just one device or device family in your company, you may use your risk management procedure as your risk management plan. But if you manufacture multiple types of devices, your risk management plan needs to be specific to each device / device family. The information in your plan should include all the appropriate steps you defined in the risk management procedure.

The plan defines what detailed steps you’ll take for risk management for a particular device including all of the risk analysis, risk evaluation, risk control, and review and reporting. Document activities that will take place, assign responsibilities, establish your risk acceptability criteria; plan risk control verification activities, determine risk review requirements, and plan production / post-production activities.

  • Assemble your risk management team: Assemble a qualified team of people who know how your device is constructed, its manufacturing processes, how it is used in the field, etc.

2 – Perform risk activities

Based on the intended use and reasonably foreseeable misuse, identify hazards that could lead to hazardous situations and harm.

  • Use risk analysis tools to identify risks: Choose the tools you will use to measure risk (discussed more later) and then use them to identify risks posed by your processes, users, suppliers, maintenance tasks, shipping, production equipment, etc.
  • Control risks: The goal here is to reduce risks to an acceptable level, as defined in your risk policy, using design features, protective measures like alarms, and, of course, information such as warning labels.
  • Weigh the risks versus the benefits: This is fairly self-explanatory, but the end goal is to ensure that the clinical benefits of your device outweigh the residual risks. This needs to be reassessed throughout the life of the device.

3 – Review the risk management outcomes and create a report

This is where you take credit for all your work. Tie it all back to your original plan. Did you follow the plan? Did you document and justify any deviations? It is important that you write clear and simple conclusions, some as simple and obvious as: “The risk management process outcomes support that the implemented risk control measures reduce the residual risks of my device as compared to the clinical benefits.” This goes a long way toward giving credibility to your process. We’ll discuss the report contents later.

At this point, it’s a good idea to firm up your plans for monitoring risk throughout the device life cycle. One last detail to mention: All of the documentation that you create throughout these three basic steps becomes the content of the risk management file for your device.

Creating a medical device risk management plan and conducting a risk analysis

Your risk management plan outlines the process of how you will conduct risk management for a particular device, and it becomes part of your risk management file. Importantly, the process should be repeated throughout the life cycle of the device. The overall risk management process usually is documented in a general procedure containing common risk management activities for all devices. Then, one or more individual risk management plans “personalize” the content of the procedure to provide more exact details for managing the project for a particular device or device family.

Several activities should be part of your risk management plan, and we will talk more about them later. First, you need to define the scope of what you will be evaluating, including a detailed device description and its life cycle. This is also the time to clearly lay out your:

    • Risk acceptability criteria
    • Specific assessment, control, and verification activities
    • Production and post-production plans

This is where you can leverage the process outlined in your risk management procedure, referencing that procedure for elements of the process that aren’t changing in the specific plan. For example, the procedure outlines the organization’s risk policy and general acceptability criteria. These may not change for an individual device risk management plan, so simply summarize them in your plan. Your procedure, plan, and all other documentation need to be controlled as they become part of the risk management file, which is part of the technical documentation of the device.

Putting together your risk management team

About your team . . . they need to be well qualified. What does that mean? It means you need to make sure you select people who truly understand how your device works, how it’s made, and how it’s used. This is not simply a collection of friendly colleagues who play no real role in risk management. All team members need to be qualified to perform their risk management role, and you must provide objective evidence of their qualifications. After all, your team will be charged with determining what could happen, how likely it is to happen, how bad it will be if it does happen, and how you can reduce the likelihood that it will happen. Don’t take this lightly. Since you will need to provide evidence of competency, your plan should document the actual people on the team while the procedures may call out functional areas of responsibility (e.g., R&D, QA, RA). Additionally, there should be a representative on the team who has clinical / medical experience. This is important when determining severity of the harm and benefit of the product over the risk. It doesn’t have to be a doctor but should be someone with clinical experience.

Risk management flow chart (ISO 14971:2019)

Performing a risk analysis of your medical device

Now that you have a plan and a team, it’s time to conduct an initial risk analysis. This is the point at which you document intended use and characteristics related to device safety under normal and fault conditions. Then, based on these inputs, identify known and foreseeable hazards, and the sequence of events that might result in a hazard leading to a hazardous situation. Note that not all hazards will result in a hazardous situation.

Risk Analysis ISO 14971

The first step in the analysis is to start by asking questions. Annex A in ISO/TR 24971:2020 has a long list of questions to get you started on identifying characteristics for safety and even some preliminary hazards in the design concept phase. Think about the ways a user might inadvertently misuse the device, or how the device might fail. Are there other similar products on the market? What has gone wrong with them? FDA databases (MAUDE), published journal articles, online product reviews (consumer devices), and user interviews are good sources for such information. The extent to which you perform this analysis largely depends on the risk classification of your device.

After you have identified hazardous situations, you need to estimate the risks associated with the situation. This includes the probability that the hazardous situation will occur, probability that the situation will lead to harm, and the severity of that harm. Sometimes the probability of harm cannot be estimated because of the role of the user in recognizing the situation, so be sure to document the possible consequences in these cases. Put yourself in the shoes of the user or patient. What could go wrong during typical use situations? Could the device be misused in a way that would cause harm? What environmental factors need to be considered? Is the device used at home? In a noisy, chaotic area of a hospital or lab?

Here’s an example. Let’s suppose you make a blood glucose meter. Your product displays the most important readings in very large text. If you examine the screen while sitting in your office, you might assume that the probability of a misread by the user is quite low. But what happens when you take it outside into bright sunlight? Is the display screen highly reflective? Can you clearly read everything using sunglasses? How about in low light? Is the battery meter clearly visible and does it provide adequate warning of battery depletion? These are potentially hazardous situations, and your mission is to estimate the probability of those situations. Regulators expect you to anticipate these issues. Never blame the user.

Let’s go back to the battery indicator issue we just mentioned. In this case, the “hazard” might be a battery indicator that is too small on the LED screen and without any supplemental warning light to signal that the battery is very low. A “hazardous situation” that might result involves users who need to check their glucose level right away, only to find their glucose meter is out of power. If the users do not have a way to recharge the meter for 2 hours, they may simply guess how much insulin they need based on how they are feeling. The harm that could result is hypo- or hyperglycemia caused by improper dosing of insulin. This risk can be mitigated by making the battery meter larger and / or by adding a supplemental visual or audible indicator by which the battery warns users that recharging is needed.

Estimating the probability of harm

Risk is a combination of the severity of a harm and the probability that it will occur. ISO 14971 requires you to estimate the probability of harm. But how is that done? You can reference historical data or published FDA data and try to better understand typical use scenarios. A qualitative probability table similar to the one shown below will help you tackle this process of evaluating potential hazardous situations. You can also do something similar using a numerical system, rating the severity of the harm. Annex D provides some guidance on risk analysis concepts, including risk estimation, but you can create your own scale and descriptors as long as you define them in your risk management procedure. Keep in mind that harms can have levels of severity. An example of this would be burns.

Qualitative risk acceptability matrix

A risk matrix such as the one shown below helps the organization make objective decisions on actions to take if a risk shifts from one box to another, based on a change in probability or severity.



Ultimately, risk estimation should be viewed as a data-driven process. Gather as much quantitative information as possible from your complaint-handling files, published standards, technical data, clinical data, results of investigations, expert opinion, field data, medical device reports, and test data. You can document it using Excel, software tools, or a simple list.
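The matrix-based estimation described above can be kept as a small, reviewable data structure rather than a spreadsheet convention. The following is an added example, not code or scales from the original article or from ISO 14971 / ISO/TR 24971: the two five-level scales, the acceptability zones, the hazard id "HZ-007" and the sample record (built from the battery-indicator scenario discussed earlier) are all constructed assumptions standing in for an organization's own risk policy. It shows how a severity/probability pair maps to a zone, how a control changes the residual estimate without discarding the initial one, and how a shift between zones (the event the text says should drive an action decision) is detected.

```python
"""Qualitative risk estimation with a severity x probability matrix.

Constructed example: the scales and acceptability zones below are assumptions
standing in for an organization's own risk policy; they are not taken from
ISO 14971 or ISO/TR 24971.
"""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    """Severity of harm, least to most severe (assumed 5-level scale)."""
    NEGLIGIBLE = 1    # inconvenience or temporary discomfort
    MINOR = 2         # minor injury, no medical intervention needed
    SERIOUS = 3       # injury requiring medical intervention
    CRITICAL = 4      # permanent impairment or life-threatening injury
    CATASTROPHIC = 5  # death


class Probability(IntEnum):
    """Probability of the harm occurring (assumed 5-level qualitative scale)."""
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


# Acceptability zones of this constructed policy. "R" (reduce further) means
# the risk must be reduced again and the residual justified against benefit.
ACCEPTABLE, REDUCE, UNACCEPTABLE = "acceptable", "reduce further", "unacceptable"
ZONE = {"A": ACCEPTABLE, "R": REDUCE, "U": UNACCEPTABLE}

# Rows: severity. Columns: probability from IMPROBABLE (left) to FREQUENT (right).
MATRIX = {
    Severity.NEGLIGIBLE:   "AAAAR",
    Severity.MINOR:        "AAARR",
    Severity.SERIOUS:      "AARRU",
    Severity.CRITICAL:     "ARRUU",
    Severity.CATASTROPHIC: "RRUUU",
}


def classify(severity: Severity, probability: Probability) -> str:
    """Look up the acceptability zone for one severity/probability pair."""
    return ZONE[MATRIX[severity][probability - 1]]


@dataclass(frozen=True)
class RiskEstimate:
    """One line of the risk analysis: hazard -> hazardous situation -> harm."""
    hazard_id: str
    hazardous_situation: str
    harm: str
    severity: Severity
    probability: Probability

    @property
    def acceptability(self) -> str:
        return classify(self.severity, self.probability)


def apply_control(estimate: RiskEstimate, *, severity: Optional[Severity] = None,
                  probability: Optional[Probability] = None) -> RiskEstimate:
    """Return the residual estimate after a control. The original is kept
    unchanged so the file retains both the initial and the residual estimate."""
    return replace(estimate,
                   severity=severity or estimate.severity,
                   probability=probability or estimate.probability)


def zone_shift(before: RiskEstimate, after: RiskEstimate) -> Optional[str]:
    """Describe a move between matrix zones, or None if the zone is unchanged."""
    if before.acceptability == after.acceptability:
        return None
    return f"{before.hazard_id}: {before.acceptability} -> {after.acceptability}"


def open_items(estimates) -> list:
    """Hazard ids whose risk is not yet acceptable and so still need a further
    control or a documented benefit-risk justification."""
    return [e.hazard_id for e in estimates if e.acceptability != ACCEPTABLE]


# Constructed sample record based on the battery-indicator scenario.
BATTERY_INITIAL = RiskEstimate(
    hazard_id="HZ-007",  # hypothetical identifier
    hazardous_situation="Meter out of power when a reading is needed; user doses by feel",
    harm="Hypo- or hyperglycemia from improper insulin dosing",
    severity=Severity.SERIOUS,
    probability=Probability.OCCASIONAL,
)

# Larger indicator plus an audible low-battery alert lowers the probability of
# the hazardous situation; the severity of the harm itself is unchanged.
BATTERY_RESIDUAL = apply_control(BATTERY_INITIAL, probability=Probability.REMOTE)

if __name__ == "__main__":
    print(BATTERY_INITIAL.acceptability, "->", BATTERY_RESIDUAL.acceptability)
    print(zone_shift(BATTERY_INITIAL, BATTERY_RESIDUAL))
    print("still open:", open_items([BATTERY_INITIAL, BATTERY_RESIDUAL]))
```

Because the matrix is an explicit table, a change to the risk policy is a visible one-line diff that can be reviewed and version-controlled alongside the procedure, and every estimate in the file is re-classified consistently against it. Note that the control in the sample record only moves probability; a control that claims to lower severity should be treated with more suspicion, since severity is a property of the harm rather than of the device.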

Medical device risk control and risk management tools

A big portion of risk management is evaluating and reducing risk. However, sometimes the likelihood of harm resulting from a hazard is quite low, and mitigating that hazard may not provide any tangible reduction in risk – in fact, it may diminish your device’s benefits. Here’s a quick example. Let’s say you produce a blood glucose meter. To improve visibility, you consider making the display in color. However, doing so would introduce a new hazard: color screens require more power and this would decrease battery life. If the current monochromatic display is quite readable, you may actually increase overall risk by adding this new “feature.”

To avoid making the wrong decision, evaluate risks using a disciplined, planned process. In your risk management file, document the hazards you identify and the rationale behind the decision to control or not control those risks. Remember, you cannot trade safety for cost!

Once you have identified the risks, analyzed their severity, and assessed their likelihood of occurrence, it’s time to look at how those risks can be controlled. Clause 7 of ISO 14971 is all about risk control. You will confront the following questions:

    • Can we reduce the risk?
    • What is the best way to do it?
    • Did the risk control work?
    • Is the residual risk acceptable?

Your risk management file must include evidence that you have conducted a risk analysis and risk evaluation for each identified hazard, including foreseeable risks. This also includes implementation and verification of risk control measures, and an assessment of the acceptability of residual risk.

Commonly used risk management tools

Unless you have prior experience with risk management, it can be perplexing to figure out which risk evaluation tools are best suited to your situation. There are many options, each with pros and cons. The one(s) you use will depend on your product and company culture, among other things. It would take far too long to go into depth about the options available to you. The tables below show some common tools you can use to evaluate risk. A powerful combination of tools is the Failure Mode and Effects Analysis (FMEA) and fault tree analysis (FTA), which combine the bottom-up and top-down approaches, providing a robust and thorough risk analysis. See Annex B of ISO/TR 24971 for more information on the application of several techniques noted below.


Commonly Used Risk Evaluation Tools

Residual risk: avoiding analysis paralysis

The number of possible hazardous scenarios is limited only by imagination. Does that mean you must document all possible risks, including the likelihood that Godzilla will invade your city and crush your manufacturing plant? No.

Clauses 7.4 and 8 of ISO 14971:2019 emphasize the need to evaluate residual risk. Likewise, Annex I of the European Medical Device Regulation (2017/745) says that you should “reduce risks as far as possible” without adversely impacting the benefit-risk ratio.

Annex I of the EU MDR and ISO 14971:2019 3.15 also require you to minimize all known and foreseeable risks to an acceptable level when weighed against the medical device benefits. This includes intentional and unintentional misuse of your device.

To ensure that you do not go overboard in analyzing residual risks, establish a systematic process and focus on the risks that are within your control. For example, you shouldn’t fixate on the device risks posed by a new global pandemic. That’s completely out of your control. However, you should identify organizational risks posed by potential supply chain issues.

This process will reveal the strengths (or blind spots) of the team you have assembled. You need to assemble people who fully understand how your device is manufactured, distributed, and used. Someone without any knowledge of how your device is manufactured will not be able to foresee scenarios that could create hazardous situations.

How low should you go in evaluating risk?

An important part of the risk analysis process is to ensure that you do not introduce new hazards in your quest to eliminate or minimize hazards. FDA describes its expectations about risk-based decisions in the preamble of 21 CFR Part 820. FDA states that if any risk is judged to be unacceptable, it should be reduced to acceptable levels by the appropriate means, which may include a redesign or warnings. ISO 14971:2019 refers you to your own risk acceptability policy to determine risk control options. Your risk policy establishes criteria for the level of control and may employ one of the following two approaches.

ALARP — As Low As Reasonably Practicable

    • ALARP refers to controls that are considered viable or capable of being implemented and has two components
    • First, look at technical practicability in reducing risks, ensuring that the controls do not reduce the effectiveness of the device and are not overly complex or confusing for users
    • Then, consider the economic practicability, ensuring risk controls do not reduce the availability of the device to protect human health by making it too expensive for users
    • Note that “practicable” (versus practical) means something that can actually be put into practice

AFAP — As Far As Possible

    • AFAP is the policy of reducing risk as far as possible without adversely affecting the benefit-risk of the device
    • Takes into account the generally acknowledged “state of the art”
    • Required by EU MDR General Safety and Performance Requirements (GSPR) Annex I

If you sell in the US and Europe, we recommend you adopt AFAP as your risk control approach. While Section 4.1 (Note 1) of ISO 14971:2019 mentions the general concept of reducing risk to ALARP and Annex D of ISO/TR 24971:2020 mentions the “cost of further reduction” in the definition of practicability, it is never acceptable to trade device safety against cost. The rationale for your decision must be documented in your risk management file so don’t even think about mentioning cost in your justification.

Don’t forget to evaluate benefits!

ISO 14971:2019 does not change the risk management process, but it finally defines “benefits” – something ISO 14971:2007 and EN ISO 14971:2012 did not do. Benefit is now defined as: “Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health.”

US FDA also publishes an excellent guidance document discussing the benefit-risk evaluation process for medical devices. See the FDA guidance titled Factors to Consider When Making Benefit-Risk Determinations for Medical Device Investigational Device Exemptions. Ultimately, FDA recommends that you take the following factors into account:

    • Type of benefit – quality of life, relief from symptoms, reduced probability of death, etc.
    • Magnitude of benefit – anticipated change in condition or clinical management
    • Probability of benefit – can be based on prior investigations, demographics, health status, etc.
    • Duration of benefit – curative or repeated interventions required
    • Availability of alternatives – safety and effectiveness of other options

Notice that the definition of benefit and the factors above extend beyond the impact on the patient. Finally, just remember that the benefit-risk analysis is not a calculable ratio. There is no formula for determining the correct balance. Let common sense drive your analysis.

Risk management review, reporting, and postmarket planning

As part of the risk review process, you’ll need to assess your risk management activities against the risk management plan on three levels:

1 – Has the plan been implemented appropriately?

2 – Is the overall residual risk acceptable?

3 – Are production and post-production information collection methods implemented?

The summation of answers to these questions becomes your risk management report, which is part of your larger risk management file. Your risk management file includes or references all required documents, provides traceability for each hazard, and is what you will use to demonstrate compliance with standards and regulations.

Be judicious with the information contained in the risk management report. Consider two levels of documentation. The report summary provides an overview of activities, analysis of the raw data, and conclusions related to the benefit-risk analysis.

Separate documents (or set of documents) should be used to capture the details of the analysis:

    • Characterization of the product
    • Identification of hazards, hazardous situations, and harms
    • Risk acceptability (individual level, control measures)

This approach gives appropriate documentation for auditors demonstrating the risk management activities and conclusions as well as the detailed analysis.

Production and post-production activities

Once your device is for sale on the market, congratulations! Your risk management work is done! OK, just kidding – your work is never done! Risk management is an ongoing process for as long as the device is in service. Typically, you will find yourself dealing with two types of post-production issues as shown in the table below.

Post-production Risk Management

Your risk management process should document both pathways for analysis. As part of your ongoing efforts, you should be evaluating complaints, incidents, product failures, and design process changes for potential safety impact. You will also take into account any changes in installation, use, and servicing. Are previously unrecognized hazards present? Is the estimated risk no longer acceptable? Is the original assessment still valid? Possible incident-driven triggers include:

    • Design/materials changes
    • Manufacturing changes
    • Vendor changes
    • Individual complaints
    • Medical device record
    • Incidents
    • Malfunctions
    • Standards changes

You are required to analyze all incidents, near-incidents, and malfunctions to categorize their risk level. The triggers can also be review-driven and prompted by:

    • Management review information including complaints, audits, CAPA
    • Postmarket surveillance report
    • Clinical evaluation report
    • Ongoing supplier evaluation report
    • Predefined risk management plan review intervals

Whatever the trigger, your assessment must be documented and become part of your risk management file, and may result in a corrective and preventive action (CAPA) or having to file a vigilance report or other regulatory notification.

Production and post-production information collection

As we have mentioned, risk management is best managed as a process and a series of projects. That means it is ongoing, and the continuous collection of information is essential and required. This collection should include information about device performance, device patient populations, reasonably foreseeable misuse, and previously unknown hazards and risks. You can gather this data from users of the devices, installation / maintenance records, your supply chain, or public information relevant to your device. All of this collected information must be reviewed for potential application to the safety of the device. Here are some examples of specific things to consider during that review:

    • Has intended use of the device been modified?
    • Are the expected benefits of the device still valid?
    • Is there a new risk or a risk not considered before?
    • Has the benefit-risk ratio changed?
    • Have new misuses been identified?
    • Are the estimated severities of harm appropriate?
    • Have risk control measures performed as expected?
    • Have any changes taken place in the state of the art for the device?
    • Is there evidence that the overall residual risk is still acceptable?

After this initial review has been done, you may come to one of the following conclusions:

    • Overall residual risk remains acceptable with no new hazards or hazardous situations identified
    • Overall residual risk has changed and no longer is acceptable – action is required
    • A new hazard was identified and requires further action
    • State of the art related to the device has changed and must be evaluated for further action

Pulling it all together

Risk management plays a vital role in promoting the safety of medical devices. A well-designed program of risk management is an ongoing exercise in proactive problem solving that saves headaches in the long run. It also benefits patients or users and can result in higher user satisfaction and more insights into how you make your products better. Top-tier companies take the responsibility very seriously.

Want to learn more?

If you enjoyed this article and you’re ready to take the next step in strengthening your knowledge of risk management, check out our ISO 14971:2019 training class available as instructor-led virtual or classroom formats.
