Risk Management for Medical Devices: ISO 14971

The use of medical devices is always associated with risks for patients and users. These risks must be reduced as far as possible and must be acceptable when weighed against the benefits of the device. Manufacturers of medical devices must therefore carry out risk management. For medical devices this risk management process is described in the ISO 14971 standard.

What is the legal basis?

If manufacturers want to market a medical device in Europe, they must comply with the Medical Devices Regulation (EU) 2017/745 (MDR) or the In Vitro Diagnostics Regulation (EU) 2017/746 (IVDR). Both regulations entered into force on 25 May 2017. At present, the “old” EU directives still apply. However, the transitional period ends on 26 May 2021 for medical devices and on 26 May 2022 for IVD devices, so manufacturers should prepare for the new regulations now.

The EU regulations require medical device manufacturers to establish, implement, document and maintain a risk management system. Manufacturers must keep risk management up to date throughout the entire life cycle of a product.

The ISO 14971 standard is the central standard for risk management of medical devices. It explains in detail how the process must be structured and maintained. Manufacturers are therefore well advised to understand and apply ISO 14971. If medical device manufacturers follow an ISO 14971 compliant risk management process, it is generally assumed that the corresponding requirements of the EU regulations are fulfilled.

Why is a benefit/risk profile important?

If medical devices are used, desired and adverse effects occur. The desired effects are part of the intended use of medical devices. The adverse effects are “side effects”.

Unexpected events can also occur, which can lead to adverse effects. In the risk assessment, the manufacturer must systematically analyze these effects and assign severity levels.

In addition to the severity, the probability of occurrence is key. ISO 14971 treats this as the probability that harm occurs, which combines the probability that a hazardous situation arises with the probability that this hazardous situation actually leads to harm.

The risk posed by a medical device is the combination of severity and probability of adverse effects.

The manufacturer must relate the risks to the expected benefit. A product is sufficiently safe only if the benefits outweigh the risks. On this basis the manufacturer defines its risk acceptance criteria.

At this point, the relationship between risk management and clinical evaluation becomes clear. Here, too, the (clinical) benefit/risk profile is at the center of consideration. The MDR and the IVDR therefore expressly call for both processes to be linked appropriately.

The definition of a sufficient benefit/risk profile by the manufacturer is very important for the later marketing of the product. For a company it is ultimately a matter of risks with regard to reputation, liability and financial loss.

Manufacturers are therefore well advised not to leave this decision to individual persons. It is important to include different technical points of view and top management at this point.

Manufacturers should also be aware that benefit/risk profiles may change. Risks that were acceptable in the past may no longer be acceptable today.

The following points can help to define a sufficient benefit/risk profile:

  • consideration of product-relevant safety standards,
  • comparison with existing products,
  • analysis of data from clinical evaluations, and
  • consideration of the state of the art.

What does the ISO 14971 standard describe?

ISO 14971 describes a systematic approach to risk management for medical devices. It is generally accepted as the horizontal (basic) standard for risk management in medical device development. Many other standards relevant to medical devices refer to ISO 14971 and require the application of the risk management process described therein.

ISO 14971 also defines the term “safety” as “freedom from unacceptable risk”. Thus, if there is a sufficient benefit/risk profile, a product can be considered safe.

ISO 14971 requires a risk management process for the entire product life cycle. This includes planning and execution of all relevant tasks, activities, procedures and responsibilities, both during product development and after the product has been placed on the market.

Risk management is not a static process. New findings, problems or changing risk acceptance may require corrections even after years of marketing a product.

ISO 14971 requires four elements as part of the risk management process:

  • risk analysis,
  • risk evaluation (together with risk analysis this forms the risk assessment),
  • risk control, and
  • production and post-production information.

In addition, the manufacturer must prepare a risk management plan and maintain a risk management file. The risk management plan defines, among other things, the risk acceptance criteria. ISO 14971 also explicitly specifies requirements for “top management” and for the competence of personnel.

How do you analyze and evaluate risks?

First of all, the manufacturer must identify hazards, i.e. those related to the intended use and to reasonably foreseeable misuse of the product. For example, hazards arise from physical, chemical, biological and functional properties of the product. However, hazards can also be based on the mere existence of a device or a function.

Hazards caused by medical software usually stem from its functional characteristics. For example, performance, availability or data integrity may be affected. In addition, use errors, misreading of displayed values and unforeseen external events play a role.

The manufacturer then estimates the resulting risks. This can be done qualitatively or quantitatively. The manufacturer can use the following sources of information, for example:

  • standards
  • scientific and technical data
  • market data for similar medical devices
  • reports on incidents involving similar medical devices
  • usability tests
  • investigation data, in particular clinical data
  • expert opinions
  • quality data from external sources.

The manufacturer compares the results with the risk acceptance criteria and decides whether to implement risk reduction measures.

How does risk control work?

In order to reduce risks, the manufacturer must define risk control measures. ISO 14971 names three options:

  • inherently safe design and manufacture,
  • protective measures in the medical device itself or in the manufacturing process, and
  • information for safety.

The manufacturer must consider the options in the order given and implement them where necessary. Design changes can still be implemented relatively easily at the beginning of product development; this changes considerably later on.

Protective measures, in contrast, usually do not change the basic design of a product and can be implemented more easily, and often more realistically, at a later stage.

Information for safety is of course the easiest to implement; the best example is information in the instructions for use. However, how much risk reduction such information actually achieves is controversial in standardization circles, and there is a corresponding discussion in the expert committees.

Manufacturers should also bear in mind that risk control measures can themselves lead to further risks. If, for example, a grille is installed as a protective measure, this could injure a user when the grille is folded down.

The manufacturer must also demonstrate that the risk control measures have actually been implemented and that their effectiveness has been verified. Only then is the residual risk assessed. As part of a final benefit/risk analysis, the manufacturer must provide a professional justification for any residual risk if the product is nevertheless to be marketed. If this is not possible, a product with the corresponding intended purpose cannot be placed on the market.

What happens in the production and marketing phase?

ISO 14971 requires the manufacturer to systematically collect and review information about its own medical device and about similar medical devices. This must be done proactively throughout the entire product life cycle.

The information sources listed above for risk estimation (market data, incident reports on similar devices, clinical data and quality data from external sources) also apply here.

The manufacturer must continuously assess the relevance of this information for risk management and take action as appropriate. Changes to the relevant standards can also have consequences for risk management and must be taken into account.


Risk management is one of the most fundamental steps in the approval of a medical device. Many other processes relate to it. The safety of a medical device is defined by risk management. The basis for this is the ISO 14971 standard.

In summary, manufacturers must implement the following steps:

  • Define risk acceptance criteria
  • Identify the hazards of a product
  • Estimate risks as a combination of severity and probability
  • Decide whether the risks are acceptable
  • Consider and implement risk control measures
  • Identify new risks introduced by those measures and decide whether they are acceptable
  • Determine the residual risk and decide whether it is justifiable
  • Continue risk management through post-market surveillance
  • Document risk management continuously (risk management file and report).
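As an added example that is not part of the original article or of ISO 14971 itself, the following Python sketch walks the steps above for a hypothetical dose-calculation app: it estimates the probability of harm as P1 (hazardous situation occurs) times P2 (hazardous situation leads to harm), maps severity and probability onto an acceptance matrix, credits only verified risk control measures in the prescribed priority order, and feeds hazards introduced by a control measure back into the same loop. The severity and probability scales, the probability thresholds, the acceptance matrix and the sample hazards are all assumptions; a real risk management plan defines its own.

```python
"""Added example: minimal ISO 14971-style hazard register (assumed scales and data)."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


class Probability(IntEnum):
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


# Risk control options in the priority order ISO 14971 prescribes.
CONTROL_PRIORITY = ("inherent_safety", "protective_measure", "information_for_safety")

# Assumed acceptance criteria from a hypothetical risk management plan.
# Rows: probability level; columns: severity NEGLIGIBLE..CATASTROPHIC.
# A = acceptable, T = tolerable only with benefit/risk justification, U = unacceptable.
ACCEPTANCE = {
    Probability.IMPROBABLE: "AAATT",
    Probability.REMOTE:     "AATTU",
    Probability.OCCASIONAL: "ATTUU",
    Probability.PROBABLE:   "TTUUU",
    Probability.FREQUENT:   "TUUUU",
}
LEVEL_NAME = {"A": "acceptable", "T": "tolerable", "U": "unacceptable"}


def probability_level(p_harm: float) -> Probability:
    """Assumed thresholds: probability of harm per use -> qualitative level."""
    for level, floor in ((Probability.FREQUENT, 1e-1), (Probability.PROBABLE, 1e-2),
                         (Probability.OCCASIONAL, 1e-3), (Probability.REMOTE, 1e-4)):
        if p_harm >= floor:
            return level
    return Probability.IMPROBABLE


def risk_level(severity: Severity, p_harm: float) -> str:
    """Combine severity and probability of harm via the acceptance matrix."""
    return LEVEL_NAME[ACCEPTANCE[probability_level(p_harm)][severity - 1]]


@dataclass
class Control:
    kind: str                       # one of CONTROL_PRIORITY
    description: str
    p1: float | None = None         # new P1 after the control, if it changes
    p2: float | None = None         # new P2 after the control, if it changes
    verified: bool = False          # only verified controls count towards residual risk
    introduces: list[Hazard] = field(default_factory=list)  # control-induced hazards


@dataclass
class Hazard:
    hazard: str
    harm: str
    severity: Severity
    p1: float                       # P(hazardous situation occurs) per use
    p2: float                       # P(hazardous situation leads to harm)
    controls: list[Control] = field(default_factory=list)

    def residual(self) -> tuple[float, list[str]]:
        """Credit verified controls and return (residual p_harm, warnings)."""
        p1, p2, warnings = self.p1, self.p2, []
        ranks = [CONTROL_PRIORITY.index(c.kind) for c in self.controls]
        if ranks != sorted(ranks):
            warnings.append("controls not considered in priority order")
        for c in self.controls:
            if not c.verified:
                warnings.append(f"unverified control not credited: {c.description}")
                continue
            p1 = c.p1 if c.p1 is not None else p1
            p2 = c.p2 if c.p2 is not None else p2
        return p1 * p2, warnings


def evaluate(register: list[Hazard]) -> list[dict]:
    """Evaluate every hazard, including hazards introduced by control measures."""
    report, queue = [], list(register)
    while queue:
        h = queue.pop(0)
        p_res, warnings = h.residual()
        report.append({"hazard": h.hazard,
                       "initial": risk_level(h.severity, h.p1 * h.p2),
                       "residual": risk_level(h.severity, p_res),
                       "warnings": warnings})
        for c in h.controls:        # control-induced hazards enter the same loop
            queue.extend(c.introduces)
    return report


# Constructed sample register for a hypothetical dose-calculation app (not real data).
SAMPLE_REGISTER = [
    Hazard("Unit mismatch in dose calculation", "Overdose", Severity.CRITICAL, 1e-3, 0.5, controls=[
        Control("inherent_safety", "Quantities carry units; mixed-unit arithmetic is rejected",
                p1=1e-5, verified=True),
        Control("protective_measure", "Independent plausibility check blocks out-of-range doses",
                p2=0.05, verified=True),
        Control("information_for_safety", "IFU tells the clinician to confirm the displayed unit",
                verified=True)]),
    Hazard("Backend unavailable", "Delayed treatment", Severity.MINOR, 1e-2, 0.3, controls=[
        Control("protective_measure", "Local cache keeps last results readable", p2=0.02, verified=True,
                introduces=[Hazard("Stale cached result shown as current",
                                   "Wrong dose from outdated data", Severity.SERIOUS, 2e-3, 0.1)])]),
    Hazard("Concurrent edit overwrites patient record", "Wrong patient weight used",
           Severity.SERIOUS, 6e-3, 0.2, controls=[
        Control("inherent_safety", "Optimistic locking with version check", p1=1e-6)]),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(row)
```

Running the sample shows the points the article makes: the dose hazard stays "tolerable" even after three verified controls, so it needs an explicit benefit/risk justification; the caching protective measure makes the availability risk acceptable but introduces a new "stale data" hazard that is itself only tolerable; and the unverified locking change is not credited, so that risk remains where it was until verification is documented.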

And: risk management is a matter for top management. For a company, product risks ultimately mean risks with regard to reputation, liability and financial loss.