The development of medical technology has always relied heavily on adequate risk management processes to ensure patient safety. Following the release of the third version of ISO 14971, we’re revisiting the fundamentals of medical device risk management, and analyzing what has changed in this international standard with the 2019 version of ISO 14971!

It goes without saying that the reliability and safety of medical technology can directly impact patient health. Therefore, medical device developers have always focused heavily on aspects of their products that could potentially cause harm in operation. First released in 2000, the international standard ISO 14971 was designed to standardize the application of risk management to medical device development.

ISO 14971 defines the generic risk management framework that applies to all medical devices. The standard covers the design, development, production, and post-production phases. Its third edition, replacing the 2007 version, was released in December 2019. Before analyzing what has changed in this latest release of the standard, let’s go through the basic risk management procedure it outlines!

Watch our 2019 Experts Talk webinar series on MedTech development:

Part 1: Balancing Innovation, Risks, and Compliance in Medical Device Development

Part 2: Integrated MedTech Delivery from Requirements through Design to Quality Documentation 

Risk Management Process as per ISO 14971

As a piece of general, globally applied regulation on medical device risk management (including software as a medical device and in vitro diagnostic medical devices), ISO 14971:2019 defines the following steps of the risk management process:

  1. Risk management plan
  2. Risk assessment
  3. Risk control
  4. Evaluation of overall residual risk
  5. Risk management review
  6. Production and post-production activities

Step 1: Risk Management Plan

Any medical device’s risk management process starts with planning the activities to be carried out. This document serves as a roadmap for risk activities. It also includes the criteria for risk acceptability (derived from the risk management policy, whose creation is management’s responsibility), which are used to evaluate (residual) risks later on in the process.

This risk management plan should be reviewed at the final stages of design & development before the product is commercially distributed. The findings of this review will serve as the input for a risk management report – this report, along with the plan itself, goes into the risk management file. It is imperative that this risk management file is maintained throughout the entire risk management lifecycle with any and all other risk data (records and documents) created during the process.

Related webinar:

Setting up Medical Device Software Development Projects in Compliance with IEC 62304 and ISO 14971 (in collaboration with adesso AG)

Besides providing a single source of truth on risk activities, this risk management file also provides the traceability that ISO 14971 requires developers to ensure. Each identified hazard has to be followed through the stages of risk analysis, evaluation, and the risk control measures implemented to mitigate it.

Step 2: Risk Assessment

The two key parts of this step are risk analysis and risk evaluation. During the analysis phase, you’ll clearly document the medical device’s intended use, and identify any characteristics of the device that may affect its safety in use.

It’s important to note that safety needs to be considered not only for the intended use of the product but also for reasonably foreseeable misuse! As we’ll see later, that’s a key term introduced in ISO 14971:2019, referring to various types of abnormal use (misuse) patterns that stem from “predictable human behavior” and that may lead to hazardous situations. Similarly, defects and faults will have to be taken into account.

These hazardous situations will then need to be analyzed and assigned a severity and a probability value. It makes a lot of sense to visualize these in a risk matrix or risk chart.

Next up, you’ll need to evaluate risks using the probability of occurrence and severity of the harm if the hazardous situation occurs. For each risk, the results of this evaluation will need to be documented in the risk management file. This is where the risk matrix comes in handy, as it provides quick insights into risk acceptability. Acceptable risks (as defined by the risk management plan) will contribute to the overall residual risk level of your product. On risks that are not acceptable, you will need to perform risk control activities.

Step 3: Risk Control

The purpose of this step is to reduce risks to an acceptable level. This may be done either by eliminating the risk through adjusting the design of the product, or by implementing protective measures that reduce the probability of occurrence of harm. If those don’t sufficiently mitigate the risk, it is necessary to provide safety information in the user instructions and, in certain cases, training.

During risk control, it is imperative that you consider any new risks that your risk control measures may introduce! Your risk reduction efforts could also negatively affect other risks, so impact analysis is of vital importance. You will also need to check the completeness of your risk control activities to make sure all identified hazardous situations are covered.

Related reading:

Medical Device Development: Common Mistakes in Risk Management

The implementation of risk control measures will need to be documented and verified for effectiveness. For any risks that cannot be feasibly controlled, you may need to conduct a benefit-risk analysis to see whether the device’s design will have to be modified, or its intended use explicitly limited. Risk acceptability criteria will have to be applied to any residual risks.
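As an added illustration of steps 2 and 3 (not part of the original post, and not tooling from the standard or from any vendor), the following Python script models a small risk management file: a 5x5 risk matrix with an acceptability cut-off, hazard records with their risk control measures, and a review pass that reports the findings this section describes. Everything in it is an assumption for the example: the severity and probability level names, the `ACCEPT_MAX` criterion, the `Hazard`/`Control` record layout, and the sample hazards for an imaginary infusion pump (including one network-borne hazard, handled like any other record). A real risk management plan defines its own scales, criteria and wording.

```python
"""Added illustration of an ISO 14971-style risk matrix with traceability checks.

Everything here is constructed for the example: the level names, the
acceptability cut-off, the hazard records and the control identifiers are
assumptions standing in for what a real risk management plan would define.
"""
from dataclasses import dataclass, field
from typing import Optional

# Ordinal scales (assumed). A real plan defines its own levels and wording.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}

# Acceptability criterion taken from the (hypothetical) risk management plan:
# a cell of the 5x5 matrix is acceptable when severity * probability <= ACCEPT_MAX.
ACCEPT_MAX = 6


def risk_score(severity: str, probability: str) -> int:
    """Position of a hazardous situation in the risk matrix, as a single number."""
    return SEVERITY[severity] * PROBABILITY[probability]


def is_acceptable(severity: str, probability: str) -> bool:
    """Apply the plan's acceptability criterion to one matrix cell."""
    return risk_score(severity, probability) <= ACCEPT_MAX


@dataclass
class Control:
    control_id: str
    kind: str                      # "design", "protective" or "information"
    verified: bool = False         # effectiveness verified (step 3)
    introduces: list = field(default_factory=list)  # hazard ids this control creates


@dataclass
class Hazard:
    hazard_id: str
    situation: str
    severity: str
    probability: str
    controls: list = field(default_factory=list)
    residual_severity: Optional[str] = None     # set once controls are implemented
    residual_probability: Optional[str] = None


def review_risk_file(hazards: list) -> dict:
    """Walk the risk management file the way a risk management review would.

    Returns, per hazard id, the findings that would block sign-off:
      needs_control      initial risk not acceptable and no control assigned
      unverified         a control exists but its effectiveness is not verified
      missing_hazard:X   a control introduces hazard X that is not in the file
      information_only   only information for safety is used; justify why
                         design/protective measures were not feasible
      benefit_risk       residual risk still not acceptable: benefit-risk analysis
    """
    known = {h.hazard_id for h in hazards}
    findings: dict = {}
    for h in hazards:
        notes = []
        if is_acceptable(h.severity, h.probability):
            # Acceptable as-is; it still contributes to overall residual risk (step 4).
            findings[h.hazard_id] = notes
            continue
        if not h.controls:
            notes.append("needs_control")
        for c in h.controls:
            if not c.verified:
                notes.append("unverified")
            for new_id in c.introduces:
                if new_id not in known:
                    notes.append(f"missing_hazard:{new_id}")
        if h.controls and all(c.kind == "information" for c in h.controls):
            notes.append("information_only")
        if h.controls and h.residual_severity and h.residual_probability:
            if not is_acceptable(h.residual_severity, h.residual_probability):
                notes.append("benefit_risk")
        findings[h.hazard_id] = notes
    return findings


# Constructed sample records for an imaginary infusion pump (not from any real device).
SAMPLE_HAZARDS = [
    Hazard("H1", "Over-infusion from mis-entered dose", "critical", "occasional",
           controls=[Control("C1", "design", verified=True, introduces=["H3"])],
           residual_severity="critical", residual_probability="improbable"),
    Hazard("H2", "Alarm not heard in noisy ward", "serious", "probable",
           controls=[Control("C2", "information", verified=False)],
           residual_severity="serious", residual_probability="occasional"),
    Hazard("H3", "Dose limit lockout delays urgent therapy", "minor", "remote"),
    Hazard("H4", "Unauthenticated network command changes rate", "critical", "remote",
           controls=[Control("C3", "design", verified=True, introduces=["H5"])],
           residual_severity="critical", residual_probability="improbable"),
]

if __name__ == "__main__":
    for hid, notes in review_risk_file(SAMPLE_HAZARDS).items():
        print(hid, notes or "ok")
```

Running it shows H1 passing (its design control is verified and the hazard it introduces, H3, is itself recorded and acceptable), H2 flagged three times (unverified, information-only control, residual still above the cut-off), and H4 flagged because its control claims to introduce H5, which the file does not contain. The last case is the completeness check this section asks for: every new hazard a control creates must enter the file and go through the same analysis.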

Step 4: Evaluation of Overall Residual Risk

The fact that residual risks are considered acceptable independently doesn’t mean that the totality of them is also acceptable! Once you have a definite list of what these small residual risks are, it’s time to combine their contributions to have a clear picture of your overall residual risk level. The aim of this exercise is to rule out that these smaller risks together create an unexpected bigger risk.

This again is a topic that has undergone significant change in the 2019 edition of ISO 14971. In this edition, overall residual risk evaluation is a one-step process that takes into account all individual risks, and the overall risk level is evaluated against the medical device’s intended use. Naturally, the entire evaluation process (including the method and the criteria for acceptability, as well as the overall residual risk) will need to be documented thoroughly.

Step 5: Risk Management Review

In the next step, you’ll go right back to your risk management plan, and conduct a detailed review to make sure the plan was adequately executed. As per the standard, information on residual risk and its acceptability will have to be provided in the documentation accompanying the medical device product.

The output of this step is a risk management report. This report documents that the risk management plan was executed, and verifies that its objectives were achieved (including production and post-production activities, see next step). The risk management report shall be signed off by persons in the organization with the appropriate authority.

Step 6: Production and Post-production Activities

In the last step, you will first define and document the system (methods) you’re relying on to collect and review production and post-production information. This, too, will form part of your risk management report. Statistical methods, monitoring and feedback systems as required by the Quality Management System, publicly available literature, etc. may all be relevant sources of information for your medical device.

You will need to review all the information that’s deemed relevant to the safety of your medical device for correctness and take action if necessary. Specifically, you will need to review the risk management file to determine whether new risks need to be taken into account, or whether the reassessment of previously identified risks is warranted. Also determine if executing a new benefit-risk analysis is necessary.

Related reading:

Medical Device Risk Management in Compliance with ISO 14971

What is new in ISO 14971:2019?

This new version of the standard introduces the following three key terms:

Reasonably foreseeable misuse: Any misuse of the device that results from “predictable human behavior”. It includes unintentional and intentional misuse scenarios by both lay users and professional users.

Benefit: As we have seen in the above description of the risk management process laid out by the 2019 edition of ISO 14971, this version places more emphasis on articulating the benefits of the medical device being developed. It is defined as any positive outcome that the medical device’s use will have on an individual’s health, patient management, or public health. The accompanying ISO/TR 24971 Technical Report provides guidance and examples for defining these benefits.

State of the art: Does this term look familiar? Yep, it pops up in EU MDR too, but the MDR doesn’t provide a clear definition. ISO 14971’s 2019 edition borrows the definition found in ISO/IEC Guide 63:2019: “Developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience.”

Another significant change (found in Annex F of ISO/TR 24971:2020) is the introduction of cybersecurity concerns into medical device development! Specifically, the guidance requires that developers apply the risk management approach to IoMT-connected products, and to cybersecurity risks that are fully independent of the misuse of the device.

This latest edition of ISO 14971 also brings a change in the method applied for evaluating overall residual risk. Both the methods used to gather and review data and the criteria for acceptability are affected, and they differ from those used for individual risks. The new standard also updates the requirement for the clear disclosure of residual risk.

Most changes in this standard affect production and post-production activities, and the collection and review of information about these topics. ISO 14971:2019 is better aligned with the QMS standard ISO 13485:2016 in its requirements. The standard requires developers to use all this post-market information as a basis for taking action around the risk management of their devices.