Elements of Medical Device Risk Management ISO 14971

If you’re designing, marketing, or selling a medical device, you’re surely familiar with the fact that risk management is an ever increasingly important regulatory requirement and topic.  The international ISO standard for risk management is 14971:2019; with few exceptions, regulating bodies worldwide recognize ISO 14971 as the requirement for a risk management process that will ensure compliance with its national regulations. Here we explore the basic concepts of ISO 14971 and the requirements of compliance.

ISO 14971 is the standard for the execution of risk management across the entire product lifecycle. Risk management begins with the concept of the device in question and continues through the use of the device and finally its retirement from the market. The risk management lifecycle can be described in the following phases:

  • Planning
  • Risk Assessment
  • Risk Control
  • Post-Launch Surveillance

In the regulated world of medical devices, the recognition and management of risk is required by nearly every public health agency in the world. The EU MDR and US FDA regulations explicitly mandate the practice of risk management and the use of risk ratings to determine how the company responds to design, use error, manufacturing issues, and post-launch events involving medical devices.

  • Risk documentation is not merely a one-and-done activity; rather, these are living documents, to be updated whenever the company learns something new about the risk associated with their products.
  • Various quality system standards and regulations, such as ISO 13485 and the EU MDR, require that any quality decisions about a company’s products (whether for clinical decisions, CAPA tasks, or other activities) utilize “risk-based decision making”. Comparing the product’s events with the data in the risk files is a solid method of demonstrating “risk-based decisions” about the product.

Another aspect of the standards and regulations involves the periodic review of product risk files against recent performance in the market, to determine if any product changes might be needed to lower the residual risk. The analysis of post-market events will follow the same process as used for new risk analysis. The international standard for Risk Management processes, ISO 14971, defines risk management as the “systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling and monitoring risk.” Risk management is much more than determining the rate of failure or the severity of harm; it describes how a compliant company identifies, analyzes, and tracks the risk of its products from initial concept through development and launch, the life of the product on market, and the eventual removal from use.

If the company has assessed its risk through a tool such as Hazard Analysis or Fault-Tree Analysis, congratulations; the first step in managing risk is to actually determine how the use of the product could lead to harm. The challenge then becomes how to use that information to lessen patients’ and users’ exposure to that risk; this could involve additional design changes to prevent product failures that lead to harm, prioritization of investigations involving product issues, determination of sampling plans in manufacturing to ensure product quality, and in (hopefully) rare cases, making the decision whether to recall a product from the market. Using the company’s knowledge of the product risk in making such determinations is the heart of the regulatory requirements for “risk-based decisions”; in doing so, the company is on the right path to compliance and a successful product life cycle.

Let’s take a look at the main elements of the ISO 14971 standard, and what it means to follow or be in compliance with that standard:


Risk Management Process

A defined process for analyzing and estimating the risk of your products in regard to patient and environmental safety is the heart of the risk management standard. Such a process is the first requirement of the ISO 14971 standard.

Management Responsibilities

Risk Management is not an isolated activity, limited to some poor engineer stuck in a basement cubicle churning out risk assessments. The company is expected to incorporate full management support, approval, and review of the risk management process in its quality system, and top management shall be accountable for all decisions regarding the acceptability of risk for your products.

In practice, of course, such work gets delegated through the risk management process and SOPs, but in the end, top management (or “Management with Executive Responsibility” in the EU realm) has the ultimate responsibility for how the company determines, from a risk perspective, whether the product is safe to launch.

It is not uncommon for the risk management process to be included as an agenda item in every Management Review meeting as a way of demonstrating active, ongoing approval of the way the company determines the acceptability of risk.

Competence of Personnel

Risk Management should be practiced and executed by individuals with enough product and process knowledge to thoroughly analyze the risk to patient safety using the product in question.

This is not an activity for the brand-new college graduate (without extensive cross-functional support) or a “punishment” assignment for your, shall we say, less-than-high-performing associates.

  • In order for the risk to be properly analyzed, there must be representation on the risk management team by knowledgeable engineering, quality, regulatory, and medical functions to identify all the product performance, failure effects, and clinical practice around your product that could affect patient safety. Sales and marketing team members can also be very helpful to gain insights into product failure modes observed in the market and with providing input into product user error risk analyses.  

Depending on the scope and complexity of the product, this can be a daunting task for those individuals for whom risk assessment is but one part of their day-to-day responsibilities. You may wish to designate a risk management subject matter expert group in your organization that can facilitate and coordinate the various activities around risk management. This approach also helps drive consistency in the way risk assessments are presented and better conformity to your risk management process.

  • For maximum efficiency, it is highly recommended that a single individual should facilitate the risk file creation for each project team. An individual well-versed in the risk management process, with excellent communication skills and cross-functional manufacturing experience, will keep your risk analyses organized and moving toward successful completion by keeping the team focused and able to resolve conflicting information in the process. When creating a risk management file, it is very common for there to be a lot of conflicting inputs from all the various stakeholders, for example, differences of opinions on the rate of a failure mode or the severity of patient harm arising from a specific hazardous situation. This is where having an individual with strong communication and leadership skills, along with being well versed in risk management, will maximize the efficiency and quality of the creation of a risk management file.

Risk Management Plan

The risk management activities throughout the life cycle of your product must be detailed in a Risk Management Plan before the activities commence.

The Risk Management Plan informs the risk management team and its auditors/notified bodies/regulatory authorities about the following:

  • Scope of the activities
  • Who is responsible for executing risk management for that product
  • How the risk management outputs will be reviewed
  • Criteria for risk acceptability. You can’t wait until the risk analyses are completed before you determine whether the product is acceptable; the acceptance criteria should be known before the analysis takes place.
  • Method and criteria for overall product residual risk; this includes benefit-risk analysis and comparison of your product’s risk against similar on-market products
  • Activities for verification of the implementation and effectiveness of risk controls
  • Activities for collection of production and post-production information that can impact the product risk. That is how will the company monitor manufacturing issues as well as customer feedback about products from a risk-based perspective?

Note that, for many organizations, much of the above information is spelled out in various SOPs or work instructions, and the Risk Management Plan can many times be a “boilerplate” listing of those relevant documents as they apply to your product. Indeed, some companies successfully utilize a single Risk Management Plan for ALL their products.

  • That said, it’s important to realize how one product might differ from another, and that acceptable risk criteria for, say, a one-time-use disposable device might be very different from that of a multi-use, custom-installed electromechanical diagnostic machine. If your company markets many different types of medical devices, be cautious whether they are all expected to conform to the same acceptability criteria if that’s not reasonable for the products. This is also true for combination products that have similar device constituents but different drug constituents. 

Boilerplate or not, the RM Plan template needs to be flexible enough to accommodate a future product that may or may not have unique characteristics or regulatory requirements compared to most products in your company’s portfolio, and which requires its own risk acceptability considerations.

Risk Management File 

Simply put, the Risk Management File (RMF) is the collection of documents that contains the results of the risk management activities outlined in the RM Plan.

This need not be a physical file; as long as the documentation can be accessed when needed and remains in control with proper traceability, the various elements of the Risk Management File may be stored anywhere and, in any format, as your organization sees fit. One efficient way to keep all the risk management documents organized and easily accessible is through a risk management file index document which can also be integrated into your design history file index document.


Risk Analysis Process 

How are hazards and harms related to the product determined? What methodologies will be used? How will you be certain that all the relevant requirements and stakeholder needs are addressed? This should be spelled out in your procedures long before you begin your actual analyses.

Intended Use and Reasonably Foreseeable Misuse 

The standard explicitly requires that the designer considers all the ways that a user can misuse the product, either by accident or deliberately.

“Reasonably foreseeable” doesn’t mean everything possible under the sun, just those issues that have or are expected to arise during the product lifecycle.

Safety Characteristics 

Each medical device has various qualitative and quantitative characteristics that could affect the safety of the medical device. The standard requires the identification of these characteristics.

  • The companion document ISO/TR 24971 offers a list of questions that can aid in identifying these characteristics, and indeed many companies simply answer those questions to comply with the standard’s requirements.
  • However, any method used to derive the characteristics is acceptable per the standard.
    • Focusing on materials, nature of the device (implantable vs. skin application, etc.), and the intended population will go a long way toward identifying the safety characteristics
    • For electro-mechanical devices, safety characteristics may be equivalent, or complimentary, to essential performance as defined by IEC 60601, especially if the characteristics are traced to the resulting risk analysis.

Hazards and Hazardous Situations 

A Hazard is a potential source of harm. Whether as a general category or a specific effect of failure or environmental concern, without a hazard there can be no harm. Identifying hazards is the key to any risk management process.

A Hazardous Situation is a circumstance in which a person or the environment is exposed to the hazard.

  • This is not a failure mode, nor the effect of a failure mode. Rather, this is what the person (or the environment) experiences when the hazard, through a specified sequence of events, manifests itself fully to the user.
  • Writing a hazardous situation as “exposure to” the circumstance helps to determine whether the event in question is a hazardous situation or something else in the risk analysis.

Risk Estimation 

Defined as the process used to assign values to the probability of occurrence of harm and the severity of the harm.

In Risk Estimation, ratings are assigned to the various risk line items and thus complete the risk analysis. The methodology and definitions of what the ratings mean are to be defined in the Risk Management Plan (usually a reference to your existing procedures which say the same thing).


After completing the risk analysis, so what? At this point, determine whether the risk is acceptable or not. This is the risk evaluation.

  • The process for determining the acceptability of risk is, as with many other facets of risk management, defined in the Risk Management Plan and may reference a related SOP.


Option Analysis 

There are 3 types of risk controls, or how the design is executed to minimize the risk to the user:

  • Inherent safe design – don’t allow the product to create the hazard. For example, round off any sharp edges where the user handles the device to prevent cuts.
  • Protective measures – contain the portion of the device that could create a hazard, so that if it manifests itself, it won’t create a hazardous situation for the user. A good example is a safety syringe where the needle retracts into the device after use.
  • Information for safety – the use of labeling, alarms, or other caution/warning indicators that tell the user to be careful when using the device. Training on the proper use of the device also falls into this category of control

The standard expects that control measures are addressed in the order as listed above. Designing a problem out of the device is more effective than a protective measure, which itself is far more effective than informing the user of the potential risk.

Implementation of Risk Control Measures 

The presence of the risk control measure, regardless of type, needs to be verified

  • An approved requirement or product specification is a good way to show that the product does, indeed, contain the controlling feature.

The effectiveness of controls needs to be verified as well; after all, there’s no sense in having the control if it doesn’t actually help mitigate the risk.

  • Effectiveness verification is often performed by testing, but in certain cases, the same test can achieve verification of both the implementation and the effectiveness of the control, depending on how the product requirements are written.

Residual Risk Evaluation 

This is the same process as Risk Evaluation above but performed after the risk controls have been implemented.

Benefit Risk Analysis

For each hazardous situation where the risk is analyzed, if the residual risk is not judged acceptable, the manufacturer can compile evidence to show that this risk is outweighed by the benefits of the device.

  • If this cannot be demonstrated, then the risk remains unacceptable for that hazardous situation.

Risks Arising from Control Measures 

Any given control could cause a hazard or other risk by its existence. An example would be a pump alarm that stops the unit to prevent overdose; the overdose harm is avoided, but a delay in critical therapy is now in place.

Any such identified risk is analyzed the same way as all the other risks. It can be helpful to notate whether a given risk is derived from controls, as an aide to demonstrating conformity to this part of the standard.

Completeness of Risk Control 

A fancy term for reviewing all the risk controls and determining that risk controls have been considered, implemented, and demonstrated to be effective for all hazardous situations.


Once the residual risk of the product is known, whether that risk is actually acceptable for the product is determined by performing a Benefit Risk Analysis. The benefits of using the product are compared against the residual risk, and if the benefits outweigh the risks, the risk is considered acceptable.

This analysis is generally performed by a medical expert schooled in the benefits of the product and with knowledge of the target patient population.


Once the risk assessments are finished, the outputs are reviewed to confirm that all the activities spelled out in the Risk Management Plan have been successfully completed.



A system for monitoring post-launch issues should be in place for the product before it’s launched on the market.

  • Normally this is already part of a company’s procedures, but if not then such a system must be created to accommodate this product.
  • Not all collection schemes are alike; data collected for a digital application may be very different from that collected by the users of disposable plastic tubing-based devices.

Information Collection

Any issues that arise during the testing and use of the product should be collected, as best as possible, by the manufacturer for analysis of any potential problems

  • User complaints are the most common type of feedback information, but issues generated from any source are in scope for this collection

Information Review

Once the post-launch information is collected, the manufacturer should review the information to determine if:

  • Any previously unknown risks are occurring
  • The risk of the product is no longer acceptable
  • The risk now outweighs the benefit of using the device
  • The generally acknowledged state of the art for the product has demonstrably changed


Depending on the Information Review, some of the actions the manufacturer may have to take are as follows:

  • Reassess the product risk
  • Re-evaluate the design and/or manufacturing process to bring the risk back into an acceptable realm

ISO 14971 defines risk as the “combination of the probability of occurrence of harm and the severity of that harm.” While this seems to be a straightforward concept, in practice many companies struggle to consistently state their product risks in the proper fashion. In subsequent posts, we will explore the components of a successful risk assessment to get you started on your risk management journey.  Stay tuned and join our newsletter to get the latest updates!