Deep Research

Medical Device Risk Management
per ISO 14971

A comprehensive analysis of the international standard for systematic risk management throughout the entire lifecycle of medical devices, including IVDs, SaMD, and active implantables.

ISO 14971:2019: Mandatory benefit-risk, post-market focus

Regulatory alignment: EU MDR/IVDR, FDA QMSR

Device-specific: IVD, SaMD, implantables

01

Executive Summary

ISO 14971:2019 establishes the international framework for systematic risk management throughout the medical device lifecycle, encompassing in vitro diagnostics (IVDs), software as a medical device (SaMD), active implantables, and combination products.

2019 revision emphasis

The 2019 revision places substantially enhanced emphasis on benefit-risk analysis, expands requirements for production and post-production activities, and achieves stronger alignment with major regulatory frameworks worldwide.
Update Area              | 2007        | 2019                         | Impact
Benefit-risk analysis    | Implicit    | Mandatory for residual risks | MDR/IVDR alignment
Overall residual risk    | Recommended | Mandatory in RMP             | Aggregate assessment
Post-market surveillance | General     | Clause 10 structured         | Lifecycle focus
02

Risk Management Plan (RMP)

The RMP is the foundational strategic document. ISO 14971:2019 Clause 4.4 mandates that manufacturers establish this plan at the outset, tailored to the device and organization.

Scope of Activities

Boundaries, device coverage, lifecycle phases, risk types.

Responsibilities

Allocation to qualified personnel and competencies.

Review Requirements

Scheduled reviews and triggering events.

Acceptability Criteria

Objective, predefined criteria before evaluation.

IVD plans must address pre-analytical, analytical, and post-analytical variables. For companion diagnostics, address risks related to patient selection and false positive/negative consequences.

SaMD plans must address software updates, algorithmic complexity, and cybersecurity, and must define acceptability criteria for software defects, data quality, interoperability, and AI/ML risks. Integration with IEC 62304 (software lifecycle) and IEC 81001-5-1 (security lifecycle) is required.

03

Risk Management File (RMF)

The RMF is the comprehensive repository of all records and documentation, providing objective evidence that risk management has been planned, executed, and verified per ISO 14971:2019.

Living document

The RMF is dynamic and must be updated in response to design changes, new hazard information, post-market surveillance findings, and corrective actions.
Content                  | Description
Intended Use             | Purpose, users, environment, patients
Risk Acceptance Criteria | Policy and product-specific criteria
Risk Analysis            | Hazards, causes, situations, harm, probability, severity
Risk Control             | Measures and evidence of implementation
Risk Management Report   | Benefit-risk and plan compliance
04

Risk Analysis

Risk analysis encompasses intended use, reasonably foreseeable misuse, safety-related characteristics, hazard identification, and risk estimation. Probability of harm can be qualitative, semi-quantitative, or quantitative.

Process flow

Risk Analysis Process Planning
Intended Use Characterization
Reasonably Foreseeable Misuse
Safety-Related Characteristics
Hazard Identification
Risk Estimation
Term                | Definition                      | Example
Hazard              | Potential source of harm        | Electrical energy in power supply
Hazardous Situation | Exposure to one or more hazards | User contacts live conductor during maintenance
Harm                | Physical injury or damage       | Electric shock, cardiac arrest
IVD Analysis

Analytical vs. Clinical Performance

SaMD Analysis

AI/ML-Specific Considerations

Active Implantables

Long-term Risk Assessment

Combination Products

Interface Risk Analysis

05

Risk Evaluation

Risk evaluation compares estimated risks against acceptability criteria in the RMP to determine whether risk control is required—the critical decision point between analysis and control.

ALARP vs. “As far as possible”

ISO 14971 does not explicitly mandate ALARP. MDR/IVDR require reducing risks “as far as possible” without qualification, which may imply a more stringent interpretation than traditional ALARP.
06

Risk Control

ISO 14971:2019 establishes a mandatory hierarchy for risk control options. Manufacturers must document that each level has been considered before the next.

Mandatory hierarchy (Clause 7.1)

The sequence is mandatory. Document consideration at each level before moving to the next.
1. Inherent Safety by Design

Modify design to eliminate hazards or reduce risks intrinsically.

  • Biocompatible materials
  • Reduced energy levels
  • Fail-safe architectures

2. Protective Measures

Add safety features to device or manufacturing process.

  • Physical guards
  • Safety interlocks
  • Alarms and automatic shutdown

3. Information for Safety

Warnings, precautions, contraindications, training.

  • Labeling
  • Instructions for use
  • User training

Risk control measures can themselves introduce new risks, which must be identified and evaluated: interlocks invite workarounds, alarms cause alarm fatigue, physical barriers can impede access or trap heat, and software safety mechanisms add complexity and new interactions.

07

Implementation and Verification

Implementation verification confirms that the planned risk control measures have been correctly incorporated into the device; effectiveness verification confirms that the implemented controls actually achieve the intended risk reduction.

Inspection & documentation

Design docs, production samples, manufacturing records

Testing & validation

Bench testing, aging, fault injection, software verification

Clinical evaluation

Safety outcomes and usability testing

08

Residual Risk Analysis

Clause 7.3 requires residual risks to be evaluated against RMP criteria. Each must be documented; individual risks are aggregated for overall residual risk evaluation using a method defined in the plan.

09

Risk-Benefit Analysis

Clause 7.4 addresses benefit-risk analysis when a residual risk is not acceptable and further risk control is not practicable. Regulatory frameworks often require benefit-risk analysis for all residual risks. The methodology characterizes the expected benefits, including their probability and duration, and takes the patient perspective and unmet medical need into account.

10

Overall Residual Risk Acceptability

Clause 8 requires evaluation of the overall residual risk using the method defined in the RMP. If the overall residual risk is acceptable, the device may proceed to market subject to post-market surveillance; if it is not, additional risk controls or design changes are required.

11

Risk Management Report

The report (Clause 9) must confirm plan implementation, justify overall residual risk acceptability, and identify methods for post-production information collection and review.

12

Comparison with Related Standards

ISO 14971 integrates with IEC 62366-1 (usability), FDA design controls and benefit-risk guidance, and MDR/IVDR GSPRs. EN ISO 14971:2019+A11:2021 Annexes ZA/ZB map requirements and gaps.

13

Device Type Applications

Risk management is adapted for IVDs, SaMD (IMDRF, AI/ML), active implantables, and combination products (interface risks).

IVD

Analytical & Clinical Performance

SaMD

AI/ML & Cybersecurity

Active Implantables

Long-term Risk

Combination Products

Interface Risk

14

Post-Market Surveillance

Clause 10 defines production and post-production activities: collection and review of production records, complaints, adverse events, field service data, and literature, with the RMF updated accordingly. These activities must be integrated with the CAPA process and management review. IVDR mandates a PSUR for Class C and D IVDs.

15

Implementation and Best Practices

Effective implementation integrates risk management from concept through post-market: preliminary hazard analysis, risk-based requirements, system hazard analysis, design FMEA, verification, validation, and ongoing surveillance. Cross-functional teams and tools (RMP templates, FMEA/FTA/HAZOP) support traceability.

16

References and Regulatory Sources

ISO 14971:2019 & ISO/TR 24971:2020

  • Application of risk management
  • Guidance on ISO 14971

IEC 62366-1, IEC 81001-5-1

  • Usability engineering
  • SaMD security lifecycle

EU MDR 2017/745, IVDR 2017/746

  • Medical devices
  • In vitro diagnostics

FDA Guidance

  • Benefit-risk, SaMD, cybersecurity
  • Human factors
