ISO 14971: Application of Risk Management to Medical Devices

    Posted by Mark Anderson on October 25, 2022 at 7:00 am

    ISO 14971:2007 specifies a process for a manufacturer to identify the hazards associated with medical devices, including In Vitro Diagnostic (IVD) medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls. The requirements of ISO 14971:2007 are applicable to all stages of the life-cycle of a medical device.

    The ISO Technical Committee responsible for the maintenance of this standard is ISO TC 210 working with IEC/SC62A through Joint Working Group one (JWG1). This standard is the culmination of the work starting in ISO/IEC Guide 51, and ISO/IEC Guide 63. The latest significant revision was published in 2007 with a minor update published in 2009. In 2013, a technical report ISO/TR 24971 was published by ISO TC 210 to provide expert guidance on the application of this standard.

    This standard establishes the requirements for risk management to determine the safety of a medical device by the manufacturer during the product life cycle. Such activity is required by higher level regulation and other quality management system standards such as ISO 13485. Specifically, ISO 14971 is a nine-part standard which first establishes a framework for risk analysis, evaluation, control, and management, and also specifies a procedure for review and monitoring during production and post-production.


    Medical device companies must have established risk management processes that comply with ISO 14971, and it doesn’t matter if you are developing medical devices in the U.S., EU, Canada, and so on. Every international regulatory agency you’ve ever heard of accepts ISO 14971.

    Section 2 of ISO 14971 provides a thorough list of key terms and definitions relating to risk management.

    RISK – combination of the probability of occurrence of harm and the severity of that harm

    HAZARD – potential source of harm

    HAZARDOUS SITUATION – circumstance in which people, property, or the environment are exposed to one or more hazard(s)

    HARM – physical injury or damage to the health of people, or damage to property or the environment

    SEVERITY – measure of the possible consequences of a hazard

    RISK ANALYSIS – systematic use of available information to identify hazards and to estimate the risk

    RISK ESTIMATION – process used to assign values to the probability of occurrence of harm and the severity of that harm

    RISK EVALUATION – process of comparing the estimated risk against given risk criteria to determine the acceptability of the risk

    RISK ASSESSMENT – overall process comprising a risk analysis and a risk evaluation

    RISK CONTROL – process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels

    RESIDUAL RISK – risk remaining after risk control measures have been taken.

    Optimize ISO 14971 Risk Management System

    ISO 14971 defines the international requirements of risk management systems for medical devices, defining best practices throughout the entire life cycle of a device. To ensure your company gets a safe, effective product to market on time and within budget, you need a successful implementation of your risk management system. Risk management is a key component in demonstrating regulatory compliance for medical devices. The requirements for medical devices, including the Medical Device Directive (93/42/EEC), the Active Implantable Medical Device Directive (90/385/EEC) and the In-Vitro Diagnostics Directive (98/79/EC), detail the requirement for risk management. In addition, the Medical Device Directives require manufacturers to implement a Quality Management System (QMS), for which the harmonized standard is EN ISO 13485:2012. This QMS Standard also details requirements for demonstration of risk management. EN ISO 14971:2012 is the harmonized standard for risk management; meeting the requirements of the Standard can help you to demonstrate compliance to the requirements.

    ISO 14971 Update

    ISO 14971 for medical device risk management is in the final stages of an important update slated for publication this year. While ISO has specifically said the intent of the revision isn’t to rework the risk management process, subtle changes in the latest version could impact medical device manufacturers in a variety of ways.

    The changes include a significant reorganization of content, new terms, and more detailed requirements around evaluating residual risks and collecting production and post-production information. It also refocuses the standard on benefit-risk evaluation, which is in line with changing regulatory requirements such as the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR).

    Another key change is ISO 14971’s language around how to handle residual risks remaining after implementation of controls.

    The standard requires manufacturers to:

    • Describe the method for evaluating overall residual risk
    • Define criteria for acceptability of individual risks and overall residual risk
    • Perform a benefit-risk analysis on individual residual risks not meeting the criteria, as well as on the overall residual risk
    • Implement processes to continuously update risk management documentation, including with production and post-production data

    Sections of ISO 14971

    Although risk management can be complex, the main body of the ISO 14971 standard consists of 9 clauses:

    • Scope
    • Terms and conditions
    • General requirements for risk management
    • Risk analysis
    • Risk evaluation
    • Risk control
    • Evaluation of overall risk acceptability
    • Risk management report
    • Production and post-production information

    And these are the key annexes supporting those clauses:

    • Annex A – Rationale for requirements
    • Annex B – Overview of risk management process for medical devices
    • Annex C – Questions that can be used to identify medical device characteristics that could impact safety
    • Annex D – Risk concepts applied to medical devices
    • Annex E – Examples of hazards, foreseeable sequences of events, and hazardous situations
    • Annex F – Risk management plan
    • Annex G – Information on risk management techniques
    • Annex H – Guidance on risk management for in-vitro diagnostic medical devices
    • Annex I – Guidance on risk analysis process for biological hazards
    • Annex J – Information for safety and information about residual risk

    Basic steps in the medical device risk management process

    What does ISO 14971 require?

    ISO 14971 helps your company establish, document, and maintain a systematic process to manage the risks associated with the use of a medical device. This includes ongoing monitoring of field experience, thereby embracing the concepts of continuous improvement and state-of-the-art device performance. To maximize the effectiveness of your risk management system, ISO 14971 can and should be an integral part of your quality management system (QMS) as required by ISO 13485.

    Specific requirements of ISO 14971 include:

    • Provision of adequate resources
    • Assignment of qualified personnel
    • Establishment of a policy for risk acceptability criteria
    • Management reviews of the Risk Management System

