ISO 14971 is the international standard for risk management of medical devices (including in vitro diagnostics and software as a medical device). It provides a systematic process to identify hazards, estimate and evaluate risks, implement risk controls, and monitor the effectiveness of those controls throughout the product’s lifecycle.
It is recognized or referenced by regulators worldwide (FDA, EU MDR, UK MHRA, TGA, Health Canada, etc.), and it is tightly linked to ISO 13485 (quality management systems for medical devices).
What Is Risk Management in a Medical Device Context?
Risk management is the process of:
- Identifying hazards and the hazardous situations they can lead to
- Estimating risk, which ISO 14971 defines as the combination of the severity of a harm and the probability that it occurs (commonly laid out as a severity × probability matrix, although the standard does not require the two to be multiplied; where probability cannot be estimated, as is often the case for software faults, the evaluation is driven by severity alone)
- Controlling risk
- Ensuring the benefits outweigh the residual risks
- Monitoring risk post-market
In medical devices, “risk” refers to harm: injury or damage to the health of patients, users or other people, or damage to property or the environment. It does not mean business or financial risk.
Examples of risks:
- Electrical shock from a faulty infusion pump
- Incorrect reading from diagnostic software
- Biocompatibility issues from an implant
- Software malfunction leading to incorrect therapy delivery
What ISO 14971 Covers
ISO 14971 gives manufacturers a framework for performing risk management, including:
1. Risk Management Plan
Before any assessment begins, you must define:
- Scope of the device
- Responsibilities
- Risk acceptability criteria
- Methods / tools
- Post-market activities
2. Hazard Identification
You must consider all types of hazards:
- Biological (toxicity, contamination)
- Mechanical (breakage, moving parts)
- Electrical
- Software (algorithm errors; cybersecurity weaknesses, insofar as their exploitation could lead to harm. ISO 14971 covers the safety consequences of a security weakness; threat-driven security risk management is usually run as a companion process, for example per AAMI TIR57 or IEC 81001-5-1, with its safety-relevant findings fed back into the risk management file)
- Usability / human factors
- Radiation, thermal, chemical
3. Risk Analysis
Determine:
- Sequence of events that could lead to harm
- Severity of harm
- Probability of occurrence of the harm (the probability that the hazardous situation arises, combined with the probability that it actually results in harm; not merely the probability of the underlying fault)
4. Risk Evaluation
Compare the risk levels to your predefined acceptability criteria.
5. Risk Control
If a risk is unacceptable, implement controls, considering the options in this order of priority:
- Inherently safe design and manufacture (highest priority)
- Protective measures in the device itself or in the manufacturing process (guards, alarms, redundancy)
- Information for safety and, where appropriate, training of users (lowest priority)
After controls are applied:
- Verify that each control is implemented and effective
- Estimate the residual risk
- Check whether the controls themselves introduce new hazards or raise other risks
- Verify that each residual risk is acceptable against the plan's criteria
- Conduct a benefit-risk analysis for any residual risk that is not, and accept it only if the medical benefit outweighs it
6. Evaluation of Overall Residual Risk
Even if individual risks are acceptable, the overall residual risk must also be acceptable.
7. Production and Post-Market Monitoring
Risk management is continuous:
- Complaint analysis
- Field reports
- Clinical follow-up
- CAPA (Corrective and Preventive Action)
- Trend analysis
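Steps 3 to 6 above (analysis, evaluation, control, residual risk and overall residual risk) as a small risk register evaluator. This is an added example written for this page, not code from ISO 14971 or from any manufacturer's tooling: the ordinal scales, the acceptability matrix, the rule for overall residual risk and the two register entries are constructed to illustrate the flow, and a real risk management plan would define its own.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Ordinal scales (1 = lowest). Constructed for this example; a real plan defines its own.
Severity = IntEnum("Severity", "NEGLIGIBLE MINOR SERIOUS CRITICAL CATASTROPHIC")
Probability = IntEnum("Probability", "IMPROBABLE REMOTE OCCASIONAL PROBABLE FREQUENT")
# Risk control options in the priority order ISO 14971 prescribes.
ControlOption = IntEnum("ControlOption", "INHERENT_SAFETY PROTECTIVE_MEASURE INFORMATION_FOR_SAFETY")

# Hypothetical acceptability criteria as a risk management plan would state them.
# Row = severity, column = probability. A = acceptable, R = reduce further (acceptable
# only with a documented benefit-risk analysis), U = unacceptable.
ACCEPTABILITY = (
    "AAAAR",  # NEGLIGIBLE
    "AAARR",  # MINOR
    "AARUU",  # SERIOUS
    "ARUUU",  # CRITICAL
    "RUUUU",  # CATASTROPHIC
)

def evaluate(severity, probability):
    """Risk evaluation: look the estimated risk up in the plan's criteria."""
    return ACCEPTABILITY[severity - 1][probability - 1]

@dataclass
class RiskControl:
    description: str
    option: ControlOption
    probability_reduction: int = 0  # scale levels removed from probability / severity
    severity_reduction: int = 0

@dataclass
class HazardousSituation:
    hazard: str
    sequence_of_events: str
    harm: str
    severity: Severity
    probability: Probability
    controls: list = field(default_factory=list)
    benefit_outweighs_risk: bool = False  # outcome of a benefit-risk analysis, if one was done

def residual_risk(h):
    """Re-estimate severity and probability after all controls, clamped to the scales."""
    sev = max(1, h.severity - sum(c.severity_reduction for c in h.controls))
    prob = max(1, h.probability - sum(c.probability_reduction for c in h.controls))
    return Severity(sev), Probability(prob)

def assess(h):
    """Steps 3 to 5 for one hazardous situation: estimate, evaluate, control, re-evaluate."""
    sev, prob = residual_risk(h)
    residual = evaluate(sev, prob)
    return {
        "hazard": h.hazard,
        "initial": evaluate(h.severity, h.probability),
        "residual": residual,
        "residual_probability": prob.name,
        # Reviewers ask for justification when only the lowest-priority option is used.
        "relies_only_on_information": bool(h.controls)
        and all(c.option == ControlOption.INFORMATION_FOR_SAFETY for c in h.controls),
        "needs_benefit_risk": residual == "R",
        "accepted": residual == "A" or (residual == "R" and h.benefit_outweighs_risk),
    }

def overall_residual_risk_acceptable(register, max_benefit_risk_items=1):
    """Step 6 as a hypothetical plan rule: every item accepted on its own, and at most
    max_benefit_risk_items resting on a benefit-risk justification."""
    results = [assess(h) for h in register]
    return all(r["accepted"] for r in results) and sum(
        r["needs_benefit_risk"] for r in results) <= max_benefit_risk_items

# Constructed register entries for the blood glucose meter example used later on this page.
GLUCOSE_METER_REGISTER = [
    HazardousSituation(
        "Software miscalculates glucose level",
        "calibration fault -> wrong value displayed -> user doses insulin on it",
        "hypo- or hyperglycaemia from an incorrect insulin dose",
        Severity.CRITICAL, Probability.OCCASIONAL,
        controls=[
            RiskControl("Algorithm validation against a reference method", ControlOption.INHERENT_SAFETY, 1),
            RiskControl("Redundant computation path with cross-check", ControlOption.PROTECTIVE_MEASURE, 1),
            RiskControl("Alert instead of a value for out-of-range sensor input", ControlOption.PROTECTIVE_MEASURE),
            RiskControl("Unambiguous display of value and units", ControlOption.INFORMATION_FOR_SAFETY),
        ],
    ),
    HazardousSituation(
        "Insufficient blood sample on the test strip",
        "strip under-filled -> falsely low reading -> unnecessary carbohydrate intake",
        "hyperglycaemia", Severity.SERIOUS, Probability.PROBABLE,
        controls=[RiskControl("Sample volume instructions in the IFU", ControlOption.INFORMATION_FOR_SAFETY, 1)],
        benefit_outweighs_risk=True,
    ),
]

if __name__ == "__main__":
    for entry in GLUCOSE_METER_REGISTER:
        print(assess(entry))
    print("overall residual risk acceptable:", overall_residual_risk_acceptable(GLUCOSE_METER_REGISTER))
```

Running it shows the first entry moving from unacceptable to acceptable once the design and protective controls cut the probability, and the second entry landing in the "reduce further" region where it is accepted only because a benefit-risk analysis has been recorded; drop that justification and the register fails the overall evaluation.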
Why ISO 14971 Matters
Regulatory
- EU MDR and IVDR: EN ISO 14971 is harmonized under both regulations, so conformity to it gives a presumption of conformity with the corresponding general safety and performance requirements, and notified bodies expect to see it applied.
- FDA recognizes ISO 14971 as a consensus standard and accepts declarations of conformity to it in premarket submissions.
- Expected for CE marking, UKCA marking, TGA inclusion and Health Canada licensing.
Operational
- Prevents harm to patients and users
- Reduces recalls, complaints, and liability
- Drives safer design through systematic thinking
Business
- Expected in practice for most international markets
- Integrates tightly with ISO 13485 QMS
- Supports faster regulatory submission and smoother audits
Example: Applying ISO 14971 to a Device
Device: Blood glucose meter
Hazard: Software miscalculates glucose level
- Severity: High (could cause incorrect insulin dosing)
- Probability: Medium
Risk Controls:
- Algorithm validation
- Redundant checks
- Alerts for out-of-range sensor values
- Clear UI to prevent user error
Residual Risk: Acceptable only if the controls reduce the probability enough to meet the plan's acceptability criteria and the required user information is provided.
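The two software-side controls listed above, redundant checks and out-of-range alerts, as an added example in Python. This is not code from the page or from any real meter: the sensor model, calibration constants, cross-check tolerance and error codes are invented for illustration. The point is the fail-safe shape of the reading path: every check that fails produces an alert, never a plausible-looking number, which is what turns the "software miscalculates" hazard from a silent wrong insulin dose into a retest.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical sensor and calibration model, constructed for this example: an
# electrochemical strip produces a current (nA) that is linear in glucose (mg/dL).
SENSOR_MIN_NA, SENSOR_MAX_NA = 50.0, 5000.0   # electrically valid signal range
REPORTABLE_MIN, REPORTABLE_MAX = 20.0, 600.0  # mg/dL the meter is allowed to display
CROSS_CHECK_TOLERANCE = 0.10                  # max relative disagreement between paths

# Primary calibration constants and an independent factory lookup table (nA -> mg/dL).
# Redundancy here is two implementations over separately stored data, so a corrupted
# or tampered constant in one path is caught by the other instead of being displayed.
PRIMARY_SLOPE, PRIMARY_OFFSET = 0.16, 10.0
LOOKUP_TABLE = ((50.0, 18.0), (500.0, 90.0), (1000.0, 170.0), (2000.0, 330.0), (5000.0, 810.0))

@dataclass(frozen=True)
class Reading:
    value_mg_dl: Optional[int]  # None when the meter must show an alert instead
    alert: Optional[str]

def primary_estimate(current_na, slope=PRIMARY_SLOPE, offset=PRIMARY_OFFSET):
    """Main path: linear calibration."""
    return slope * current_na + offset

def redundant_estimate(current_na, table=LOOKUP_TABLE):
    """Independent path: piecewise-linear interpolation over the factory table."""
    for (x0, y0), (x1, y1) in zip(table, table[1:]):
        if x0 <= current_na <= x1:
            return y0 + (current_na - x0) * (y1 - y0) / (x1 - x0)
    raise ValueError("signal outside calibration table")

def measure(current_na, slope=PRIMARY_SLOPE, offset=PRIMARY_OFFSET):
    """Fail-safe reading path: any failed check yields an alert, never a number."""
    # Control: alert for out-of-range sensor input (broken, wet or mis-inserted strip).
    if not (SENSOR_MIN_NA <= current_na <= SENSOR_MAX_NA):
        return Reading(None, "E1 sensor signal out of range: retest with a new strip")
    # Control: redundant check; both paths must agree before anything is shown.
    primary = primary_estimate(current_na, slope, offset)
    redundant = redundant_estimate(current_na)
    if abs(primary - redundant) > CROSS_CHECK_TOLERANCE * max(abs(primary), abs(redundant)):
        return Reading(None, "E2 internal cross-check failed: retest")
    # Control: never display a value outside the range the meter is validated for.
    if primary > REPORTABLE_MAX:
        return Reading(None, "HI")
    if primary < REPORTABLE_MIN:
        return Reading(None, "LO")
    return Reading(round(primary), None)

if __name__ == "__main__":
    print(measure(1000.0))              # normal reading
    print(measure(10.0))                # signal too weak: E1
    print(measure(4900.0))              # above the reportable range: HI
    print(measure(1000.0, slope=0.20))  # corrupted calibration constant, caught by the cross-check: E2
```

The slope=0.20 call simulates the hazard from the register entry above, a corrupted or tampered calibration constant; the primary path would happily report 210 mg/dL, but the redundant path disagrees by more than the tolerance and the meter asks for a retest instead of feeding a wrong number into a dosing decision.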
Relationship to Other Standards
- ISO 13485 – requires risk management throughout design and manufacturing
- IEC 62304 – software lifecycle; uses ISO 14971 for software risk management
- IEC 60601-1 – electrical safety; references ISO 14971
- IEC 62366 – usability engineering; addresses use-related risks
In One Sentence
ISO 14971 is the globally accepted framework that ensures medical devices are designed, produced, and monitored with risks controlled to protect patients and users throughout the entire device lifecycle.