ISO 14971 And The Relevance Of Risk Management To Medical Devices

Risk – or more precisely, risk management – is an important aspect of any marketable product. For medical devices, where patient and user safety is paramount, it’s especially important to manage and mitigate potential risks. That’s because a malfunctioning or faulty device could result in harm or even death. 

Although compliance with standards is, in principle, not mandatory for the EU market, meeting the requirements of the EU harmonized standard ISO 14971, 'Application of risk management to medical devices', is considered essential. Authorities or Notified Bodies will check how you, as a manufacturer of medical devices, have implemented the standard, and whether you are managing risks and are able to ensure the safety of your products. As a result, ISO 14971 forms the basis for regulatory compliance and safety evaluations.

What is ISO 14971?

ISO 14971 sets out the requirements for the application of risk management to medical devices throughout their full lifecycle, from design and development through the manufacturing phase to use and disposal. It also covers post-market risk management. 

It provides guidance to medical device manufacturers on how to identify the hazards associated with a medical device; how to estimate and evaluate the associated risks; how to control these risks; and how to monitor the effectiveness of the controls.

How ISO 14971 benefits medical device companies

For medical devices destined for the EU market, compliance with the MDR is essential. As a harmonized standard, ISO 14971 matches many of the MDR requirements and is therefore hugely useful for medical device companies. It sets out what’s needed for risk management in a phased approach and ensures conformity with the MDR.

Products that come under the higher risk classes (Class IIb and Class III) will come under closer scrutiny from a Notified Body. Not only does it check that the correct paperwork is in place, it also needs to see evidence of risk management being implemented.

ISO 14971 – and the accompanying ISO 24971 – give medical device companies a systematic approach for setting up a risk management process. That includes establishing clear policies, identifying potential hazards, evaluating the risks, and putting in place risk control measures. It also supports the continuous review and monitoring of risks once the product is on the market.  

The standard provides guidance on different aspects of risk management such as the severity of potential harm, the probability of occurrence, and the usability of the device. It also encourages the use of design controls, protective measures, and risk reduction techniques.

Importantly for medical devices for the EU market – or any jurisdiction where the MDR sets the benchmark for compliance – ISO 14971 helps companies document their risk management process and produce a risk management report. 

How to get risk management right

A risk management file is a core component of the technical dossier needed for the MDR. It serves as a reference for the Notified Bodies and other stakeholders to evaluate the safety and effectiveness of a medical device. 

The file contains a risk management plan that describes all the activities that will take place. It names the person responsible as well as the team of people around the product who will give their input on the different risks, including a medical expert, a technical expert, and a manufacturing expert. In our experience, having a risk management facilitator to oversee everything can be very helpful in keeping the team on track and focussed.

Another important step is to perform a risk analysis of both normal use and any foreseeable misuse or faulty use. This is based on current knowledge, state-of-the-art research, and previous experience with other products. It’s then a case of calculating the likelihood of a risk occurring, and the impact.

Guidance on ISO 14971, such as the explanations and examples from ISO 24971, provides a valuable starting point for identifying potential hazards based on different categories – such as biocompatibility, and electrical and mechanical properties.

Your risk management file must list all the residual risks. Importantly, it’s down to you as a medical device company to determine which risks are deemed acceptable by weighing up the clinical benefit against the residual risk. This could be the case, for example, for a high-risk product that has the potential to save lives.

Getting this balance right is no easy feat. That’s why it’s beneficial to bring in an external expert to perform guided work sessions around risk. Often, designers and developers are very good at knowing the benefits, but it can be challenging to speak openly about the risks of the product without feeling uncomfortable. 

When it comes to risk management for medical devices, having an open culture is invaluable, alongside having an external consultant to help you document risks in the right way. That’s where Peercode Regulatory Consultancy can help.