ISO 14971 and Risk Management

ISO 14971 is the standard for the "Application of Risk Management to Medical Devices". It describes a risk management process that ensures the risks of a medical device are known and controlled, and that they are acceptable when weighed against its benefits. The process comprises the following steps:

The risk management process according to ISO 14971.
  1. Define the risk policy (risk acceptance criteria). This is often done in the form of a risk acceptance matrix.
  2. Perform the hazard analysis: identify the hazards of the medical device, derived from its intended use.
  3. Perform the risk analysis: estimate the probabilities and severities of harm and thus the risks, and decide on the acceptability of those risks.
  4. Define and implement risk mitigation measures if the risks are not acceptable.
  5. Analyze any new risks resulting from these measures.
  6. Decide on the acceptability of the remaining risks.
  7. Post-market surveillance: monitor the product in the market, continuously analyze its risks, and update the risk acceptance criteria according to the state of the art.

There are software-specific considerations in risk management that must be taken into account.

Additional Information

Read more about how to integrate risk management into the product development process.

The Harmonized Standard ISO 14971

The standard for the application of risk management to medical devices.

The standard DIN EN ISO 14971 requires that

  • a risk policy is defined for the medical device
  • a risk analysis is performed (methods such as FMEA, FTA and PHA can be applied here)
  • the risks are assessed against the risk policy
  • the risks are minimized as far as possible
  • the effectiveness of the risk mitigation measures is verified.

ISO 14971 is published as a harmonized standard by the national standardization bodies, as DIN 14971 (Germany) and OE 14971 (Austria).

Additional Information

Here you will find information on the changes introduced by ISO 14971:2012 (Annex ZA).

ISO 14971:2012 The New Standard for Risk Management

Example for a risk acceptance matrix

Virtually overnight, from 31.08.2012 to 01.09.2012, ISO 14971:2012 was published as the harmonized standard for risk management for medical devices, without any transition period. This article introduces the resulting changes.

Harm and Severity

The criteria for severity and probability classes must be defined precisely.

ISO 14971, the standard for risk management for medical devices, defines the term severity as a "measure of the potential impact of a hazard".

The risk acceptance matrix helps manufacturers assess risks based on the probability and severity of harm.

Hazard and Hazardous Situation

Even though ISO 14971 defines the terms hazard and hazardous situation, medical device manufacturers still often find it difficult to tell the two apart. This article helps to understand the two terms clearly.

Risk Acceptance

The risk acceptance matrix expresses the manufacturer's risk policy. Benefits must be determined quantitatively.

Every medical device comes with risks. Manufacturers must determine which risks they deem acceptable and which unacceptable. This is usually expressed in the form of a risk acceptance matrix.

Risk Mitigation and Risk Control

The Medical Device Directive / Regulation requires this sequence of measures for risk control.

If a manufacturer identifies (unacceptable) risks during the risk analysis, they must minimize them. The Medical Device Regulation requires that manufacturers proceed in the following order: inherent safety, risk control, information about residual risks.

Risk Analysis

Risk analysis is the search for hazards and the assessment of the probabilities and severities of the resulting harms. Its aim is to identify risks. Medical device manufacturers usually proceed in three steps: first, search for hazards; second, estimate the probabilities and severities of harm; third, decide on the acceptability of those risks.

Software Specifics

Example of hazards (Source: ISO 14971:2012, Table E.1)

Medical device manufacturers understand software risk management either as the risk management they must perform for standalone software, or as the part of risk management that embedded software entails.