ISO 14971 Risk Management in Under 5 Minutes

Posted by Sierra Labs on May 14, 2019 9:51:50 AM

Defining medical device risk while taking a sneak peek into ISO 14971:2019.



Why Do We Need Risk Management?

Imagine a loved one you know needs to use a new medical device; you would probably want to know if that medical device is safe for them or not. You would hope that the manufacturing and production of this medical device is regulated and up to code, avoiding any and all possibilities of malfunction. That is why industry standards such as ISO 14971 are vital!

Risk management of a medical device is a critically sensitive process, considering these risks can be life-threatening to a patient. It is crucial for medical device manufacturers and suppliers to understand the different risk categorizations, and to make sure that patient safety is not compromised in any part of the supply chain. Therefore, organizations need a robust risk management system.


What is ISO 14971?

ISO 14971:2007 (Medical devices – Application of risk management to medical devices) is the current international standard for the risk management of medical devices. The new edition of ISO 14971 is in process and is available as a draft international standard. If it is published later in 2019, it will be available as ISO 14971:2019.

The crux of the standard will remain the same; however, there are supplementary changes to follow. The guidance materials have been moved to ISO TR 24971. ISO 13485:2016 (Quality Management System Standard for medical devices) also references the framework of ISO 14971 to manage risks associated with medical devices.


Risk Management Framework


Below we will dive deeper into each section of this Risk Management Framework. Any parts of the current framework that may change in the transition to the third edition of ISO 14971 will be highlighted in blue. For a full side-by-side list of all of the changes to ISO 14971, download the ISO 14971 Revisions Index below. Let’s get started!

ISO 14971 Revisions Index


1. Analysis of Risk - Identification of hazard

Factors to Factor
  • Hazard category
  • Foreseeable sequence of events
  • Hazardous situation
  • Types of harm

Analysis of Risk – Completed for each medical device, and associated hazards are listed. Risk is evaluated for every hazardous situation. Features that can likely affect the safety of the medical device are also identified. Risk analysis should also consider the compound impact of hazardous events that can result in a more severe hazardous situation. Such possible combinations of events should also be analyzed as far as is reasonable.

The draft third edition of ISO 14971 categorically incorporates two important changes:

  • IT security threats in the medical device will also be considered in the scope of risk management.
  • Risk management will now analyze reasonably foreseeable misuse of the medical device, for example, use of the device without reading the instructions for use.


2. Evaluation of Risk

Factors to Factor
  • Severity of hazard
  • Likelihood of occurrence
  • Risk level determination

Evaluation of Risk – All hazardous possibilities are evaluated, and the decision to mitigate a risk is taken here. The organization’s risk acceptability criteria are used to reach a conclusion.

Risk evaluation typically incorporates the likelihood of occurrence and the severity of the hazard. However, organizations can define their own evaluation scale as per industry needs.




3. Risk Control

Factors to Factor
  • Corrective and preventive actions
  • Control measures
  • Re-evaluation

Control of Risk – A risk reduction process in which an unacceptable risk (identified in Risk Evaluation) is minimized. Different types of controls can be applied to minimize the risk of a medical device hazard. The integrity of the control is assessed by re-evaluation of residual risk (the risk present after the application of the control).

At times, controls assigned to reduce a risk lead to a new hazard, in which case these controls are deemed ineffective. When the new risks are within the acceptable range of the organization’s criterion for risk management, a risk control is selected from the presented options based on these factors:

  • Practicality - how suitable the application of control is.
  • Simplicity - how effortlessly it can be applied.
  • Financial viability - the control cost does not compromise profitability.


4. Evaluation of Residual Risk

Factors to Factor
  • Benefits
  • Immediate recipients
  • Means to be used

Evaluation of Residual risk – Performed when all controls are assigned and implemented. The records of evaluation of residual risk are maintained in the file. Any modification in controls or manufacturing setup may need re-evaluation of residual risks.

The draft of the upcoming third edition (ISO 14971:2019) claims to place more emphasis on proving that the benefits outweigh the risks.

A risk-benefit analysis is performed when the residual risk is not acceptable. If adding more controls is not reasonable, then the risk-benefit analysis should guide whether the medical advantages of the device prevail over the residual risk.



5. Report of Risk Management

Factors to Factor
  • Pre-market risk review
  • Summary reports

Report of Risk management – Just as management reviews are conducted for the Quality Management System, risk management reviews should be conducted for the risk management system. A review should be performed before a medical device appears in the commercial market. The outcome of this review is a risk management report. The report should be prepared after the review is concluded.


6. Reports from Production & Post Production

Factors to Factor
  • Post-market surveillance
  • Performance evaluation
  • Trend analysis
  • Continuous improvement

Updates from production, post-production & post-market – The risk management approach should also incorporate a system for monitoring the performance of the medical device. The performance reports should be incorporated in the risk management file.

Updates coming from production could incorporate deficiencies or failures during clinical trials. Post-production reports incorporate complaints, product returns, or product failures for a specific hazard. Such reports increase the risk associated with the medical device hazard (since the likelihood of occurrence has increased).

The draft third edition (ISO 14971:2019) emphasizes inputs for risk management in the post-market phase. Therefore, post-market updates will be given more importance in the upcoming edition.

Top management must exhibit commitment to a robust risk management process by establishing a policy, defining risk acceptance criteria, and taking part in the risk review processes. The organization is required to maintain a risk management file (to ensure traceability) containing the results of risk analysis and evaluation, controls, evaluation of residual risk, review reports, changes, etc.


Risk Management in a Quality Management System (QMS)

Now that you have learned all about risk management and ISO 14971, let’s talk about ways to actually incorporate it into your organization!

The optimal way to reduce risk, maintain quality, and speed innovation is to use an FDA-compliant medical device quality management application. Sierra Quality Management System (QMS) allows you to easily integrate risk management into your production process.

Sierra QMS is designed for organizations that are looking to market medical devices in a global regulated environment. It is built for engineering teams to operate with their preferred tool-sets while automating compliance with medical device QMS principles for global markets.




Topics: FDA, Medical Device, risk, Compliance, ISO, ISO 14971
