Industrial standards that regulate the medical device industry are vital in ensuring the safety of medical device users. One such standard is ISO 14971, which deals specifically with risk management for medical devices. An organization that understands the basics of the risk management process is more likely to be successful in marketing its products globally.
What is ISO 14971:2019?
The complete name of ISO 14971 is ISO 14971:2019 (Medical devices: Application of risk management to medical devices). The current version of this standard in use was published in 2019. This standard deals with the risk management of medical devices.
In its basics, the new edition of this standard is the same as its predecessor. However, it contains some changes, such as the movement of guidance materials to ISO TR 24971.
Risk Management Process According to ISO 14971:2019

Risk Analysis & Identification of Hazard (Clause-4)
Clause 1 of ISO 14971:2019 states the following:
- Performing risk analysis, which is completed for each medical device.
- Documentation of hazards associated with the medical device.
- Risk evaluation for each hazardous situation.
- Identification of features that can potentially affect the medical devices.
- Combination of hazardous events that can lead to a severe hazard situation, and
- Analysis of those possible events.

Risk Evaluation (Clause-5)
Clause 5 of ISO 14971 states requirements regarding risk evaluation of the medical device. This clause requires the following:
- Evaluation of all hazardous possibilities and a decision on mitigation of risk.
- Use of the organization’s risk acceptability criteria to reach a conclusion.

Risk Control (Clause-6)
In this step, several measures are taken to reduce the risk that was identified in Risk Evaluation. Different types of controls are used to minimize the risk. To determine the integrity of a control, the residual risk is re-evaluated. A control can become ineffective if it leads to a new hazard instead of reducing the risk.
An organization can select any of the following risk control measures within its criterion of risk management:
- Practicality: How suitable is the control action?
- Simplicity: How easily can it be applied?
- Control cost: How financially viable is the control, such that it does not compromise profitability?
Residual Risk Evaluation (Clause-7)
This step is performed after assigning and implementing all controls. The records of evaluation are documented in a file. If any modification is made to the controls or the manufacturing setup, a re-evaluation of residual risks may be needed. If the residual risk is not acceptable, a risk-benefit analysis is performed. If adding more controls is unreasonable, guidance should be taken from the risk-benefit analysis. The illustration below shows the results of a benefit-risk analysis performed on a device that emits radiation:

Note: The draft of the upcoming 3rd edition of ISO 14971 has put its emphasis on proving that benefits prevail over risks.
Risk Management Report (Clause-8)
The risk management report comprises the outcome of the review that is conducted for the device. It is prepared after the conclusion of the review. This review must be done before the medical device becomes available on the market.
Production and Post-production Report (Clause-9)
The risk management file should also contain:
- The results of performance monitoring of the device.
- Any complaints or deficiencies reported during the clinical trial of the device, and
- Post-production reports containing complaints, product returns, and product failures related to a specific hazard.
Duties of the Top Management as per Clause 9 of ISO 14971:2019
The top management of a medical device manufacturing organization must devise a risk management process by:
- Establishing a policy
- Establishing criteria for risk acceptance, and
- Participating in the risk review process.
Maintenance of Traceability File as per Clause 9 of ISO 14971:2019
The organization must maintain a file to ensure traceability for risk management.

Note: The drafted edition of the 3rd version of ISO 14971 has put its emphasis on input for risk management in the post-market phase and, therefore, the upcoming version shall focus more on post-market updates.
Want to Incorporate an FDA-compliant Risk Management System for your Organization?
Incorporating an FDA-compliant risk management system helps a medical device manufacturing organization to thrive faster than its counterparts. TSQ Asia & Middle East has been offering its services to the medical device manufacturing industry all across the world. With our professional consultation, you can develop and incorporate an ISO 14971:2019-compliant risk management system for your organization.
To get more information about TSQ Asia & Middle East’s Risk Management System, visit our website https://tsqasia.com/ or call us at +39 351 516 9734.