ISO 14971 Explained.


Before diving into ISO 14971 Medical devices – Application of risk management to medical devices, we must first understand what risk management means here. Unlike business risk management, ISO 14971 risk management is a process of identifying, analysing, controlling and preventing failures that can have dangerous consequences in the use of medical devices.

Organisations must conduct risk management for medical devices as associated risks related to a failure in medical devices can result in dire consequences not only to the patients who went for a medical procedure but also to the organisations themselves.

Suppose your medical device company plans to sell medical devices in the United States or Europe. In that case, your organisation needs to have a risk management system in place to meet the regulatory requirements of the Quality System Regulation (QSR) and the Medical Device Regulation (MDR), respectively. ISO 14971 is an international standard recognised by regulatory agencies, which medical device companies use to establish their risk management activities throughout the product life cycle.

What Is ISO 14971?

The ISO 14971 document specifies terminology and principles and provides a risk management framework for medical devices, including in vitro diagnostic medical devices, which helps organisations identify hazards, perform risk estimation and analysis, and apply control measures to reduce risk.

The risk management process in ISO 14971 is intended to cover the entire product life cycle, from initial conception to final decommissioning and disposal. Your organisation may apply ISO 14971 while implementing its quality management system, such as ISO 13485.

According to ISO 14971, the standard does not apply to:

  • decision making on the use of a medical device for any particular clinical procedure
  • business risk management

ISO 14971 document requires manufacturers to establish objective criteria for risk acceptability; however, acceptable risk levels are not specified. This risk management system’s requirements are integral to ISO 13485 – Quality Management Systems.

ISO 14971 risk management for medical devices is a comprehensive process whereby your risk management team must consider every part of the medical device life cycle for risk evaluation, not only the device itself. External and internal processes such as suppliers, procurement, sales, business development, quality system procedures and consumers should be an integral part of risk management in the medical device industry.


What are the components of ISO 14971?

The ISO 14971 risk management process includes eight components which should be documented in a risk management file:

  • Risk management plan
  • Risk Analysis
  • Risk Evaluation
  • Risk Control
  • Evaluation Of Overall Residual Risks
  • Risk Management Review
  • Production and Post Production Information

Your company may establish each component of the ISO 14971 risk management system by providing adequate and appropriate resources as evidence of the company’s commitment to risk controls.


Risk Management Plan

Your organisation shall plan foreseeable medical device risk management activities throughout the device's life cycle. The plan shall identify risks, define roles and responsibilities, and set the product's risk acceptability, including methods to verify the implementation of risk control measures and ways to review post-production information. The risk management plan may change during the medical device life cycle and should be updated accordingly to remain compliant.

Risk Analysis

Your organisation must identify your medical device's inherent safety characteristics during risk analysis. After that, your organisation will need to define the hazardous situations and foreseeable sequences of events. The last step is to estimate the risk based on the severity and probability of occurrence of the harm, both before and after implementing safety characteristics.

Risk Evaluation

After identifying the hazardous situation, your organisation shall evaluate the risks related to the medical device using the risk acceptability matrix to understand if these risks are within the acceptable risk levels or if there is a need to reduce risk.


Risk Control

Your organisation shall determine appropriate risk control measures to mitigate the identified risks associated with your medical device to acceptable risk levels. Your organisation shall verify the risk controls after implementation, and you will need to evaluate the residual risk to judge their effectiveness and to decide whether further risk controls are needed. Risk control options shall be considered in the following order of priority:

  • Inherent safety by design
  • Protective measures in the medical device and/or production process
  • Information for safety such as warnings and instructions for use

Evaluation of overall Residual Risks

After implementing risk controls, your organisation shall conduct a risk evaluation on your medical device’s overall residual risk acceptability.

If the overall residual risk is acceptable, your organisation shall document the necessary information in the risk management report and include it in the risk management file. If the overall residual risk is not acceptable after conducting the benefit-risk analysis for all residual risks related to the medical device, your organisation might need to implement additional measures to manage risk or modify the medical device's intended use.
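The risk analysis, risk evaluation, risk control and residual risk steps above form one loop: estimate severity and probability, compare against the acceptability criteria, apply controls in the standard's priority order, then re-estimate. The following Python risk register is an added illustration written for this page; it is not code or a table from ISO 14971 or from the article's author. Because the standard requires manufacturers to define their own acceptability criteria and does not specify them, the 5x5 scoring scheme, the acceptance threshold, the hazard names and the sample controls are all constructed assumptions for the example. It also shows two practical checks: a control that has not been verified is not credited in the residual estimate, and a hazard mitigated only by information for safety is flagged because that is the lowest-priority option.

```python
"""Risk register walk-through for analysis -> evaluation -> control -> residual risk.

Added illustration, not from ISO 14971. The scoring matrix, the threshold and
the sample hazards are CONSTRUCTED; a real manufacturer defines its own
acceptability criteria in the risk management plan.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


class Probability(IntEnum):
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


class ControlType(IntEnum):
    """Risk control options in the priority order ISO 14971 gives them."""
    INHERENT_SAFETY_BY_DESIGN = 1
    PROTECTIVE_MEASURE = 2
    INFORMATION_FOR_SAFETY = 3


@dataclass
class Control:
    description: str
    kind: ControlType
    verified: bool = False                          # implementation verified?
    severity_after: Optional[Severity] = None       # None = no change
    probability_after: Optional[Probability] = None


@dataclass
class Hazard:
    hazard: str
    hazardous_situation: str
    harm: str
    severity: Severity
    probability: Probability
    controls: list = field(default_factory=list)


ACCEPTABLE_MAX_SCORE = 6   # constructed threshold on severity * probability


def risk_level(severity: Severity, probability: Probability) -> str:
    """Constructed acceptability matrix: score = severity * probability."""
    score = int(severity) * int(probability)
    return "acceptable" if score <= ACCEPTABLE_MAX_SCORE else "not acceptable"


def residual_risk(hazard: Hazard):
    """Credit only verified controls, in priority order; return (sev, prob, kinds credited)."""
    sev, prob = hazard.severity, hazard.probability
    credited = []
    for ctrl in sorted(hazard.controls, key=lambda c: c.kind):
        if not ctrl.verified:
            continue   # an unverified control must not reduce the estimate
        if ctrl.severity_after is not None:
            sev = min(sev, ctrl.severity_after)
        if ctrl.probability_after is not None:
            prob = min(prob, ctrl.probability_after)
        credited.append(ctrl.kind)
    return sev, prob, credited


def evaluate(hazard: Hazard) -> dict:
    """One risk-register row: initial estimate, residual estimate and findings."""
    initial = risk_level(hazard.severity, hazard.probability)
    sev, prob, credited = residual_risk(hazard)
    residual = risk_level(sev, prob)
    findings = []
    if residual != "acceptable":
        findings.append("residual risk not acceptable: add controls or run benefit-risk analysis")
    if credited and all(k == ControlType.INFORMATION_FOR_SAFETY for k in credited):
        findings.append("only information for safety credited: lowest-priority option")
    if any(not c.verified for c in hazard.controls):
        findings.append("unverified controls present and not credited")
    return {"hazard": hazard.hazard, "initial": initial, "residual": residual,
            "residual_score": int(sev) * int(prob), "findings": findings}


# Constructed sample hazards for an imaginary infusion pump.
OVER_INFUSION = Hazard(
    hazard="dose calculation software error",
    hazardous_situation="pump runs faster than the prescribed rate",
    harm="over-infusion of medication",
    severity=Severity.CRITICAL, probability=Probability.OCCASIONAL,   # score 12
    controls=[
        Control("user manual warns to double-check the rate", ControlType.INFORMATION_FOR_SAFETY, verified=True),
        Control("independent hardware flow cut-off", ControlType.PROTECTIVE_MEASURE, verified=True,
                probability_after=Probability.IMPROBABLE),
        Control("firmware rejects rates above the drug library limit", ControlType.INHERENT_SAFETY_BY_DESIGN,
                verified=True, probability_after=Probability.REMOTE),
    ],
)

UNAUTHORISED_CHANGE = Hazard(
    hazard="data systems security: unauthenticated settings interface",
    hazardous_situation="dose settings changed by an unauthorised person",
    harm="incorrect medication delivery",
    severity=Severity.CRITICAL, probability=Probability.PROBABLE,     # score 16
    controls=[
        Control("role-based authentication on settings interface", ControlType.INHERENT_SAFETY_BY_DESIGN,
                verified=False, probability_after=Probability.IMPROBABLE),   # designed, not yet verified
        Control("manual instructs changing the default password", ControlType.INFORMATION_FOR_SAFETY,
                verified=True, probability_after=Probability.OCCASIONAL),
    ],
)

if __name__ == "__main__":
    for h in (OVER_INFUSION, UNAUTHORISED_CHANGE):
        print(evaluate(h))
```

Running it shows the first hazard falling from a score of 12 to 4 (acceptable) once the design and protective controls are credited, while the second stays at 12 because its design control is not yet verified and only the labelling is credited, which is exactly the case the text says must go to a benefit-risk analysis or further controls rather than be closed.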


Risk Management Review

Before commercialising your medical device, your organisation shall ensure all the steps in the risk management plan are completed, the overall residual risk is acceptable, and risk management systems are implemented to account for risks from the production and post-production phases. These results will be noted under the risk management report and included in the risk management file.

Production and Post Production Information

Your organisation must establish a system to collect and document production-related risk events. Your organisation also needs to ensure that post-production processes are included in the quality management system and feed into the risk management process.


What is the purpose of ISO 14971?

The purpose of ISO 14971 is to identify hazards and implement risk-based processes throughout the life cycle of the medical device product. It guides the application of risk management systems as part of the regulatory requirements recognised by the medical device regulatory agency.

Compliance is vital so that consumers undergoing a particular clinical procedure are confident that the medical devices or in vitro diagnostic medical devices are safe and verified, stabilising the company’s reputation.

Is ISO 14971 required?

In the medical device industry, compliance with ISO 14971 risk management is not mandatory, and no certificates are issued for it. More specifically, ISO 13485 requires a documented risk management process with reference to ISO 14971.

Since ISO 14971 risk management is an integral part of ISO 13485, ISO 13485 refers to ISO 14971 for detailed guidance on implementing risk management. Medical device regulators will only audit the ISO 13485 quality management system. Still, compliance with ISO 14971 is essential for good manufacturing practice, and it shows that your organisation is committed to providing safe, quality medical devices.


What is the current ISO 14971 standard?

ISO 14971:2019 – Medical devices – Application of risk management to medical devices is the current revision of this international standard, published in 2019.

The scope of ISO 14971 applies to medical devices, including software as a medical device and in vitro diagnostic medical devices. The latest version of the ISO 14971 document requires manufacturers to consider the security risks of software systems.

What is a hazard in ISO 14971?

In ISO 14971, a hazard is defined as a potential source of harm. Your organisation needs to identify all the possible hazards of your product, which requires you to understand the medical device's intended use. Annex C.2 of ISO 14971 provides examples of hazards, which can be classified as follows:

  • Energy hazards – leakage current, high-pressure fluid injection, ionising radiation and cryogenic effects etc.
  • Biological and chemical hazards – bacteria, viruses, corrosive, flammable, toxic etc.
  • Performance-related hazards – data systems security, diagnostic information and functionality etc.

What is the difference between ISO 14971 and EN ISO 14971?

The ISO 14971 document is an international standard intended to be applicable worldwide. EN ISO 14971, however, is a regional adoption designed for the European Union. Therefore, if you plan to commercialise your medical device in the European Union, you must adhere to EN ISO 14971 and the additional risk management requirements imposed by the EU Medical Device Regulation.

In conclusion, the risk management process for the medical device life cycle is comprehensive. It requires your organisation’s effort in defining risk acceptability, identifying hazards, performing risk analysis and implementing risk mitigation measures.

Your organisation shall document all risk management processes in a risk management file. A quality management system will allow easier tracking and implementation of the ISO 14971 risk management process. Feel free to contact us if you require our consultancy services to help kickstart your risk management system.
