Peter Linders, chair of ISO/TC 210, stated at the time of the release of ISO 14971:2019, that it was the manufacturer’s responsibility to reduce the risks associated with medical devices. How can a systematic approach help manufacturers reduce risk during production?

The consequences of failure in medical devices can be catastrophic, not only for the patient but also potentially for the operator and other people. In addition, there might be damage to property and the environment. Adopting a systematic approach to risk management can significantly reduce the potential for these negative events.

ISO 14971

Originally released in 1998, ISO 14971 – Medical devices — Application of risk management to medical devices – provides a framework to identify potential hazards and estimate the associated risks. It enables the implementation of risk control measures and creates a mechanism for monitoring their effectiveness.

In December 2019, the International Organization for Standardization (ISO) published the latest version – ISO 14971:2019. This was developed by a joint working group incorporating ISO/TC 210 – Quality management and corresponding general aspects for medical devices – and IEC/TC 62 – Electrical equipment in medical practice – from the International Electrotechnical Commission (IEC).

ISO 14971:2019 updates the 2007 iteration in several ways. It adopts a new chapter structure, clarifies the standard’s technical requirements, updates normative references, and introduces a focus on the benefit-risk ratio. The new version is also wider in its frame of reference, placing a stronger focus on information gained during production and from downstream phases.

The focus on the benefit-risk ratio has required a new medicine-related definition of ‘benefit’. It is defined as, a positive impact or desired outcome on the health of an individual, or a positive impact on patient management or public health (Clause 3).

This is one of many new or redefined terms in ISO 14971. Others include:

  •  ‘Reasonably foreseeable misuse’ – use of a product or system in a way not intended by the manufacturer but which can result from readily predictable human behavior
  •  ‘State of the art’ – developed stage of technical capability at a given time as regards to products, processes, and services – based on the relevant consolidated findings of science, technology, and experience


There are also updated definitions for: ‘accompanying documentation’, ‘harm’, ‘use error’, ‘manufacturer’, and ‘In Vitro diagnostic medical device’.

To achieve its goals, ISO 14971 has a new six stage process:

  1. Risk analysis
  2. Risk evaluation
  3. Risk control
  4. Evaluation of overall residual risk
  5. Risk management review
  6. Production and post-production


Risk Analysis

Manufacturers need to clearly understand the parameters relating to their product. For example, they must consider:

  • Design, function, and reasonably foreseeable misuse of the medical device
  • Who holds responsibility at each part of the process?
  • What is the scope of the analysis?

Risk analysis should also identify the safety characteristics of the product. The focus on downstream phases means risk analysis should also consider the loss or degradation of the medical device’s clinical performance, as a result of unacceptable use, as well as reasonable foreseeable events, or sequences of events, that can result in hazardous situations.

Risk Estimation

The manufacturer should then estimate, both qualitatively and quantitatively, the probability of occurrence for each potential hazard and hazardous situation. This is achieved by looking at published standards, scientific and technical investigations, field data from similar devices, usability tests, clinical evidence, expert opinion, and the results from investigations and simulations. If no probability of occurrence can be estimated, then possible consequences should be listed.

Risk Control

Once the risks have been identified and the severity estimated, the next stage is the implementation of control to mitigate the risks. This should begin at the design stage, go through production, before looking at use and reasonably foreseeable misuse. Control measures should be instigated for each risk. For example, for the post-production phase, this might include safety instructions or training. The aim is to address each hazard and hazardous situation.

If it is determined that risk reduction is not practicable, then a benefit-risk analysis must be performed on the residual risk. It is imperative that benefits outweigh risk. If this is not the case, then the risk is considered unacceptable and modifications must be enacted.

Control measure may also introduce new risks, and these should also be considered, alongside whether the control is effective at reducing risk. Upon completion of the risk control stage, the manufacturer must confirm that all risks from all hazardous situations have been considered and all risk control activities have been completed.

Evaluation of Overall Residual Risk

The manufacturer should now use benefit-risk analysis to determine whether the residual risk is acceptable, based upon the acceptability criteria defined in the risk management plan. If the overall residual risk is considered acceptable, the manufacturer must inform users of the significant residual risks and supply relevant safety information. If the overall residual risk is judged unacceptable, the manufacturer must either implement additional control measures, modify the medical device, or modify its intended use.

Risk Management Review

The manufacturer is then required to review whether:

  • The risk management plan has been implemented appropriately
  •  The overall residual risk is acceptable
  • Methods are in place to collect and review information from the production and post-production phases


Production and Post-Production

Manufacturers must establish a system to collect relevant data during productions and post-production. This must be reviewed for whether:

  • Previously unrecognized hazards or hazardous situations have been identified
  • Estimated risk arising from a hazardous situation is still acceptable
  • Overall residual risk is still acceptable
  • ‘State of the art’ has changed

ISO 14971:2019 provides a framework against which manufacturers can introduce continuous improvements in their risk management. A core tenet of ISO standards is the importance of management involvement, with responsibilities being assigned at an early stage of the process.

SGS Solutions

SGS offers a range of solutions to help manufacturers design and manufacture safe and compliant medical devices for markets all over the world. Based on ISO 14971, our training provides manufacturers with a systematic approach to risk management in the medical device sector.

Learn more about ISO 14971 – Medical Devices Risk Management Training.



Your name

Your e-mail

Name receiver

E-mail address receiver

Your message




Sign up