ISO 14971Medical devices — Application of risk management

ISO 14971:2019 is the international standard that defines the risk-management process a medical-device manufacturer must apply across the entire product lifecycle. It is not a checklist of risks to mitigate. It is a process specification: how to identify hazards, how to estimate the risks they generate, how to evaluate whether those risks are acceptable, how to control them, how to verify the controls work, how to capture residual risk, how to weigh benefit against residual risk, and how to keep doing all of this after the product is on the market.

It is the standard that everyone reads as 'risk management for devices'. EU MDR and IVDR require a risk-management system per the state of the art — and the state of the art is unambiguously ISO 14971. The FDA recognises ISO 14971 as a consensus standard and accepts compliance with it as the demonstration of risk-management process required by 21 CFR 820 / QMSR. ISO 13485 §7.1 ties product realisation planning to risk management; every other clause that mentions risk inherits the 14971 framework.

Risk management is not a department in a device manufacturer. It is the throughline that connects design controls, verification & validation, usability engineering, software lifecycle, manufacturing, complaint handling, post-market surveillance, vigilance reporting and CAPA. Every other QMS process either feeds the risk file (post-production signals, complaints, audits) or executes against it (design verification proves the risk controls work, manufacturing controls implement them, post-market surveillance monitors residual risk in the real world).

What inspectors and Notified Bodies look for is not the Risk Management File on its own. They look for the linkage: each identified hazard linked to risk controls, each risk control linked to the verification or validation evidence that proves it works, each residual risk linked to the benefit-risk justification that says it is acceptable, each post-production complaint linked to a re-evaluation of the risk file. Breaks in the chain are findings. EU MDR Annex I §3 makes this explicit by requiring 'continuous iterative process throughout the entire lifecycle' — the word 'continuous' is the inspection cue.

The 2019 revision of ISO 14971 (replacing the 2007 version, which had a 2012 EN amendment) tightened the language around benefit-risk, removed the ALARP language that had created EU/US divergence, and bound the risk-management process more tightly to the production and post-production phases. Anyone still operating under EN ISO 14971:2012 is technically out of date — EU MDR/IVDR expect EN ISO 14971:2019+A11:2021.

ISO 14971 is referenced — explicitly or implicitly — by every device-regulatory regime worldwide. The wording differs; the requirement is structurally identical.

The Risk Management File (RMF) is the central artefact ISO 14971 requires. It is not a single document — it is the structured collection of records that, together, demonstrate the risk-management process was applied. ISO 14971 §4.5 names the required contents:

• Risk management plan — scope, lifecycle phases covered, allocation of responsibilities, criteria for risk acceptability, verification activities, post-production information review activities.
• Hazard analysis — list of foreseeable hazards across normal use, foreseeable misuse and fault conditions.
• Risk estimation and evaluation — for each hazard, the foreseeable sequence of events, the hazardous situation, the harm, the severity, the probability, the resulting risk, the evaluation against acceptability criteria.
• Risk control measures — the controls chosen (by priority: inherent safe design → protective measures → information for safety), the verification of implementation, the verification of effectiveness.
• Residual risk evaluation — evaluation of each residual risk and of the overall residual risk against acceptability criteria.
• Benefit-risk analysis — for residual risks not reduced as low as possible, the demonstration that benefits outweigh residual risks.
• Risk management report — produced before release, signed by responsible party, confirming the risk-management plan was executed and overall residual risk is acceptable.
• Production and post-production information — the records of monitoring, complaints, field-safety events, and how each fed back into the risk file.

The RMF is a living artefact. Every change to the device, the manufacturing process, the indications for use, the user population, or the post-production data — and every complaint, field-safety notice, vigilance report or audit finding that touches a risk control — must trigger a documented review of the RMF. A 'frozen' RMF that has not been updated since first release is one of the easiest Notified Body findings.

ISO 14971 §5–§10 lay out the lifecycle. The shorthand is eight phases, run iteratively. Phases 7 and 8 are where most organisations leak — the early-design work is well-resourced, the post-production loop is not.

1. Risk-management planning (§4) — scope, criteria for acceptability, responsibilities. Approved before substantive risk analysis begins.
2. Risk analysis (§5) — intended use, foreseeable misuse, characteristics that could affect safety, hazard identification, estimation of risks for each hazardous situation. ISO TR 24971 Annex C is the canonical hazard checklist.
3. Risk evaluation (§6) — compare each estimated risk against the pre-defined acceptability criteria. Decide which require control.
4. Risk control (§7) — choose and implement control measures, following the priority: (1) inherent safe design, (2) protective measures in the device or manufacturing, (3) information for safety (labelling, IFU, training). Verify implementation and effectiveness of each control.
5. Evaluation of overall residual risk (§8) — after all controls, evaluate overall residual risk and apply benefit-risk where any residual risk is not acceptable in isolation.
6. Risk-management review (§9) — before release: review RMF, confirm plan executed, confirm overall residual risk acceptable, confirm production + post-production monitoring is in place. Output is the signed Risk Management Report.
7. Production information (§10) — collect data from manufacturing (deviations, NCRs, in-process trends) and feed back into the risk file when it changes the picture.
8. Post-production information (§10) — collect data from the field (complaints, field-safety events, vigilance, literature, PMS/PSUR/PMPF) and review against the RMF. Update controls if new hazards emerge or if existing risk estimates were wrong.

ISO 14971 prescribes a process but does not mandate a specific analytical technique. ISO/TR 24971 Annex B lists the common ones; the right choice depends on the device and the question.

ISO 14971 §4.4 requires the manufacturer to define the criteria for risk acceptability — and the criteria must be defined in the risk-management plan before risks are evaluated against them. Defining acceptability after the analysis is reverse-engineered to a pass and an obvious audit finding.

Most organisations use a risk matrix that combines severity (e.g. negligible / minor / serious / critical / catastrophic) with probability (e.g. improbable / remote / occasional / probable / frequent), with each cell coloured for acceptability (broadly acceptable / requires further control / not acceptable). The 2019 revision removed the ALARP ('as low as reasonably practicable') language that had been EU-specific, so the matrix must be defined locally with a written rationale — citing analogous devices, clinical evidence, regulatory precedent and state-of-the-art for similar products.

Probability estimation is the hardest part. For mature devices, post-market data anchors it. For novel devices, manufacturers use combinations of: failure rates from component datasheets, accelerated-life test data, literature on analogous devices, simulated-use studies, and explicit conservative assumptions. The rationale for each probability estimate must be recorded; 'probability = remote because we believe so' is not acceptable. Where probability cannot be reasonably estimated, ISO 14971 §5.5 allows manufacturers to evaluate based on severity alone with documented justification.

ISO 14971 §7.1 mandates a strict priority order for risk controls. Choosing a lower-priority control without demonstrating the higher-priority option was considered and rejected is a finding. The hierarchy:

1. Inherently safe design and manufacture — eliminate the hazard at source. (Replace a sharp edge with a rounded one. Use a connector geometry that physically prevents mis-connection. Choose a biocompatible material that removes the cytotoxicity hazard.)
2. Protective measures in the device or in the manufacturing process — keep the hazard but contain or mitigate it. (Add a pressure-relief valve. Add a software guard that prevents simultaneous activation. Add a sterilisation step.)
3. Information for safety — accept the hazard exists and inform the user. (IFU warning. Training requirement. Symbol on the device.)

Information for safety is the weakest control because it depends on the user reading and acting on it. ISO 14971 specifically warns against over-reliance on labelling. The Notified Body question is always 'what inherent-safe design or protective measure did you consider before choosing information for safety, and why was it not adopted?'.

ISO 14971 §10 — production and post-production information — is the clause organisations most often under-resource and Notified Bodies most often cite. The requirement: actively collect and review information from production (manufacturing deviations, NCRs, in-process trend signals, batch failures, supplier quality data) and from post-production (complaints, field-safety notices, vigilance reports, FSCAs, literature, PMCF/PMPF data, customer support contacts, regulatory inspection observations, PSURs, market reviews). Each piece of information must be evaluated against the existing RMF to determine whether: a new hazard has emerged, probability estimates were wrong, severity estimates were wrong, or risk controls are not as effective as assumed.

The output of this review is documented and, if the picture has changed, updates to the RMF, the risk-management plan, the labelling, the design, the manufacturing controls, the training materials, or a combination — sometimes triggering a recall or field-safety corrective action. The review cadence must be defined in the risk-management plan; common cadences are continuous for complaint streams, monthly for production data, quarterly for aggregated post-production review, annually for full RMF re-baseline.

MDR and IVDR PMS, PMCF/PMPF and PSUR obligations were specifically designed to enforce this loop. A PMS plan that does not feed back into the risk-management process is a Notified Body finding. A complaint trend that has not triggered an RMF review is a finding. A field-safety corrective action that was not preceded by an RMF update is a finding.

ISO 14971 does not stand alone. It is the spine that design controls, usability engineering and software lifecycle hang off.

• Design controls (21 CFR 820.30 / ISO 13485 §7.3): design inputs include risk-control requirements derived from the RMF. Design verification proves the controls work. Design validation confirms the device meets user needs given residual risk. Design changes trigger RMF review.
• Usability engineering (IEC 62366-1): use-related hazards identified in usability work feed into the RMF. Summative evaluation evidence verifies use-error risk controls. Use specifications and IFU are themselves risk controls.
• Software lifecycle (IEC 62304): software safety class (A/B/C) is derived from the RMF — what harm could software failure cause? Class drives the rigour of lifecycle activities. Software hazards identified through 62304 feed back to the RMF.
• Biological evaluation (ISO 10993): biocompatibility risk is a 14971 input. Material changes trigger 10993 re-evaluation, which triggers RMF update.
• Production: pFMEA outputs feed manufacturing controls (SPC, in-process checks, supplier quality). Manufacturing deviations and NCRs feed back to the RMF.
• CAPA: risk-management activities are a CAPA data source per 21 CFR 820.100(a)(1). CAPAs that change risk controls must update the RMF and re-verify effectiveness.
• PMS / Vigilance: post-production information per §10. PMS plan and RMF are explicitly cross-referenced in MDR.

• 'Risk Management File is an FMEA spreadsheet with no risk-management plan, no benefit-risk analysis and no post-production review' — the most common 14971 finding.
• 'Risk acceptability criteria were not defined in the risk-management plan prior to risk evaluation' — easy date-arithmetic finding.
• 'Risk control priority order not followed — information for safety chosen without documented consideration of inherent safe design or protective measures'.
• 'Verification of risk controls demonstrated implementation but not effectiveness' — common when verification stops at 'control was added' rather than 'control reduces risk'.
• 'Residual risk evaluation not performed for the overall device — only for individual hazards' — §8 specifically requires overall residual-risk evaluation.
• 'Benefit-risk analysis not documented for residual risks above broadly-acceptable threshold' — required by §8 and reinforced by MDR Annex I §1.
• 'Production and post-production information not reviewed against the Risk Management File' — §10 loop broken.
• 'Complaint trend triggered no RMF update' — the post-production failure mode regulators look for first.
• 'Field-safety corrective action issued without prior RMF update' — implies the FSCA was a surprise to the risk-management process.
• 'RMF dated before 2019 revision; still operating under 14971:2007' — out-of-date standard, particularly for EU MDR.
• 'Software safety class not derived from RMF' — IEC 62304 §4.3 specifically requires this; mis-classification is a frequent Notified Body finding.
• 'No documented review of foreseeable misuse' — focus only on intended use is incomplete per §5.1.

• RMF review cycle time vs plan — how long from a post-production signal to a documented RMF review? Target ≤30 days for complaints, ≤90 days for trend data.
• % of complaints triggering RMF re-evaluation — should not be zero; if it is, the trigger logic is broken.
• % of design changes with documented RMF impact assessment — target 100%.
• RMF re-baseline date — how recent is the last full RMF review? Target ≤12 months.
• Residual-risk acceptability rate — % of identified risks closed as broadly acceptable vs requiring benefit-risk justification. A sudden change indicates a methodology shift worth understanding.
• Risk-control verification effectiveness pass rate — % of risk controls whose effectiveness verification passed first time. Failures should feed CAPA.
• Repeat-hazard rate — % of post-production events that match a previously-identified hazard. High repeat rate is healthy (the analysis was comprehensive); zero repeats is suspicious (the analysis was shallow).
• Notified Body / FDA findings on risk management subsystem — target zero per audit.

Risk management in V5 is structured around the Risk Management File as a first-class object, with the linkage to design controls, manufacturing controls, complaints and CAPA enforced by the data model rather than maintained in spreadsheets. The capabilities, end to end:

• RMF is a structured record: risk-management plan, hazard analysis, risk-evaluation matrix, risk-control entries with priority tags, residual-risk evaluation, benefit-risk justifications, risk-management report — every section a controlled record under document-control with version, audit trail, two-person e-signature on approval.
• Hazard → control → verification linkage is enforced. A risk control cannot be marked verified without attached verification evidence; a residual risk cannot be marked acceptable without a benefit-risk note when above the broadly-acceptable threshold.
• Production information loop: pFMEA outputs are linked to manufacturing-control records; deviations, NCRs and SPC out-of-control signals against any control flagged 'safety-relevant' auto-create RMF-review tasks.
• Post-production loop: complaints, field-safety events and vigilance records are tagged against hazards in the RMF. When a complaint matches an existing hazard, the RMF entry surfaces 'post-production data available' for the next review.
• Design-change impact assessment: any design-control change request requires explicit RMF-impact assessment (no impact / control change / new hazard / residual-risk change) before approval, with the impact carried into the change-control record.
• Software safety class derived from RMF: the IEC 62304 software classification is computed from the highest-severity software-attributable hazard in the RMF — change the hazard, the class updates and the lifecycle rigour expectations update with it.
• Usability hazards: use-related hazards captured in the usability engineering file (IEC 62366-1) are pushed into the RMF as a distinct hazard class, so the use-error and physical-fault hazards are never mixed.
• RMF re-baseline reminder: the system tracks last full RMF review date against the SOP-defined cadence and flags overdue baselines on the QA dashboard and the management-review pack.
• All of the above operates under Part 11 / Annex 11 controls — audit trail on every RMF edit, two-person e-signature on approvals, locked-after-approval state on the risk-management report.