ISO 14971:2019 — Risk Management for Medical Devices — Plain-English Guide

The single most important risk management standard in medtech. Published by ISO, recognised by every major regulatory authority, and required for CE marking under EU MDR.

What is ISO 14971?

ISO 14971:2019 is the international standard for applying risk management to medical devices. It defines a systematic process for identifying hazards, estimating and evaluating associated risks, implementing controls, and monitoring effectiveness — from initial concept through to post-market surveillance and eventual device decommissioning.

The standard applies to all medical device manufacturers regardless of device class, type, or technology — including in vitro diagnostics (IVDs) and software as a medical device (SaMD). It is recognised by FDA, EU MDR/IVDR, Health Canada, TGA, PMDA, and virtually every other regulatory authority. In the EU, compliance with the harmonised version (EN ISO 14971:2019/A11:2021) provides a legal presumption of conformity with relevant General Safety and Performance Requirements.

Critically, ISO 14971 is a process standard, not a product standard. It does not define what level of risk is acceptable for any specific device. Instead, it tells you how to identify, analyse, evaluate, and control risks systematically — and requires you to define your own acceptability criteria. The standard is also tool-agnostic: FMEA, fault tree analysis, HAZOP, and other methods are all acceptable, provided they are applied systematically and the results are documented in a risk management file.

What Changed in the 2019 Edition

The third edition addressed gaps in benefit-risk analysis, post-production monitoring, and EU MDR alignment. Here are the key changes from ISO 14971:2007.

Benefit-Risk Analysis Formalised

The most significant addition. The 2007 edition mentioned benefit-risk in passing (Clause 6.5), but the 2019 edition gives it a structured, explicit process in Clauses 7.4 and 8. When residual risk exceeds your acceptability criteria and further risk reduction is not practicable, you must now formally assess whether the medical benefits of the device outweigh the residual risk.

This change was driven directly by EU MDR, which requires manufacturers to demonstrate that overall residual risk is acceptable when weighed against clinical benefits (Annex I, Chapter I, Section 1). For teams updating from 2007, this means creating or formalising benefit-risk documentation — especially for devices with known residual risks that were previously accepted without formal justification.

Alignment with EU MDR/IVDR

The 2019 revision was substantially shaped by the need to harmonise with the EU Medical Devices Regulation (2017/745) and In Vitro Diagnostic Regulation (2017/746). Key alignment points include the explicit definition of "state of the art" (MDR requires devices to reflect current knowledge), the use of "intended purpose" alongside "intended use" to match EU regulatory vocabulary, and the expanded post-production requirements that map to MDR Articles 83 and 86.

The European harmonised version, EN ISO 14971:2019/A11:2021, adds Z-annexes that formally map standard clauses to specific MDR and IVDR requirements. Compliance with the harmonised standard provides a legal presumption of conformity with covered General Safety and Performance Requirements (GSPRs).

Informative Annexes Moved to ISO/TR 24971

The 2007 edition contained extensive informative Annexes C through J with practical guidance: hazard examples, risk estimation techniques, the ALARP (As Low As Reasonably Practicable) concept, guidance for IVDs, and more. The 2019 edition stripped all of these out, keeping the normative standard lean.

The removed content was revised, expanded, and republished as ISO/TR 24971:2020 — a companion technical report. This separation means the normative requirements and the practical guidance can be updated independently. If your team relied on those annexes for day-to-day work, you now need ISO/TR 24971 as a separate document.

Expanded Post-Production Requirements

The 2007 Clause 9 was brief on post-production monitoring. The 2019 Clause 10 is substantially expanded with explicit sub-clauses for information collection (10.2), information review (10.3), and required actions (10.4). You must now have a documented system for gathering field data — complaints, public information about similar devices, new standards, changes in state of the art — and a defined process for reviewing that data and feeding it back into risk management.

This aligns with the EU MDR's emphasis on post-market surveillance as a continuous obligation, not a reactive afterthought. Notified body auditors specifically look for evidence that production and post-production data is actively driving risk management updates.

Strengthened Overall Residual Risk Evaluation

The 2007 edition addressed overall residual risk evaluation somewhat vaguely in Clause 6.7. The 2019 edition gives it a dedicated Clause 8 with explicit requirements. After all individual risk controls are implemented, you must evaluate whether the aggregate of all residual risks is acceptable — a holistic, device-level assessment, not just a sum of individual hazard decisions.

If overall residual risk is not acceptable, you must perform a benefit-risk analysis at the device level. This reflects EU MDR Annex I, Section 1, which requires devices to be designed and manufactured so that overall residual risk is acceptable in relation to evaluated benefits. This is one of the most common audit findings for companies transitioning from 2007 to 2019.

Updated Terminology and Definitions

Three new definitions were added: "benefit" (positive impact on health), "benefit-risk analysis" (systematic assessment weighing benefits against risks), and "state of the art" (current level of technical capability). Existing definitions for "reasonably foreseeable misuse" and "residual risk" were tightened. The total number of defined terms increased from approximately 22 to 26.

For teams updating their risk management files, this means reviewing and updating all documents to use the 2019 definitions consistently. "State of the art" is particularly important — it creates an explicit expectation that risk management decisions reflect current medical and technical knowledge, not what was known when the device was first designed.

Top Management Responsibility Clarified

The 2019 edition explicitly states that top management SHALL ensure provision of adequate resources for risk management (Clause 4.1) and SHALL assign qualified personnel with relevant knowledge and experience. This aligns with ISO 13485:2016 management responsibility requirements and closes a gap where risk management was sometimes delegated without adequate oversight or resourcing.

Clause-by-Clause Overview

What each section of the standard requires, in practical terms. Use this alongside the official document.

Clause 1

Scope

Defines what ISO 14971 covers: all phases of the medical device lifecycle, including in vitro diagnostics (IVDs). The standard applies to risks related to biocompatibility, data security, electricity, moving parts, radiation, and usability. It does not cover clinical decision-making or business risk.

Clause 2

Normative References

In the 2019 edition, this clause was simplified. There are no indispensable normative references — the standard is self-contained. ISO 31000 (Risk management — Principles and guidelines) is referenced for general context only.

Clause 3

Terms and Definitions

Defines approximately 26 key terms. Notable additions in 2019 include "benefit" (positive impact on health), "benefit-risk analysis" (weighing benefits against risks in context of state of the art), and "state of the art" (current level of technical capability based on consolidated findings of science and experience).

Clause 4

General Requirements for the Risk Management System

The foundation clause. Requires the manufacturer to establish, document, and maintain an ongoing risk management process. Top management must ensure adequate resources, assign qualified personnel, and define a documented policy for acceptable risk — including criteria for situations where probability cannot be estimated. This clause also defines the risk management plan (scope, responsibilities, acceptability criteria, verification activities) and the risk management file (the collection of records providing traceability from each hazard through analysis, evaluation, control, and verification).

4.1 Risk management process
4.2 Risk management plan
4.3 Risk management file
4.4 Risk management activities

Clause 5

Risk Analysis

Where the technical work begins. You must document the intended use (and reasonably foreseeable misuse), identify safety-related device characteristics, systematically identify hazards and hazardous situations in both normal and fault conditions, and estimate each risk by evaluating severity and probability of harm. Risk estimation can be qualitative or quantitative — the standard does not prescribe a specific method. All results go into the risk management file.

5.1 Risk analysis process
5.2 Intended use and reasonably foreseeable misuse
5.3 Identification of characteristics related to safety
5.4 Identification of hazards and hazardous situations
5.5 Risk estimation

Clause 6

Risk Evaluation

For each identified hazardous situation, compare the estimated risk against the acceptability criteria defined in your risk management plan. The output is a decision: is risk reduction required? If the risk is already acceptable, move to Clause 8 (overall residual risk evaluation). If risk reduction is needed, proceed to Clause 7 (risk control). Record all results.

Clause 7

Risk Control

The action clause. When risk reduction is required, identify and apply controls in a strict priority order: (1) inherent safety by design — eliminate the hazard or reduce risk through design, (2) protective measures in the device or manufacturing process — alarms, barriers, fail-safes, (3) information for safety — labeling, instructions, training. After implementing controls, evaluate residual risk. If it still exceeds criteria, perform a benefit-risk analysis: do the medical benefits of the device outweigh the residual risk? Check whether controls introduced new hazards, and confirm completeness.

7.1 Risk control option analysis
7.2 Implementation of risk control measures
7.3 Residual risk evaluation
7.4 Benefit-risk analysis
7.5 Risks arising from risk control measures
7.6 Completeness of risk control

Clause 8

Evaluation of Overall Residual Risk

After all individual risk controls are in place, step back and evaluate the device as a whole. Individual risks may each be acceptable, but combined they may not be. If overall residual risk exceeds criteria, gather data and literature to determine whether the medical benefits outweigh the aggregate risk. This holistic evaluation is a critical audit point — notified bodies specifically look for it.

Clause 9

Risk Management Review

Before commercial distribution, review execution of the entire risk management plan. Verify that the plan has been fully implemented, overall residual risk is acceptable, and appropriate methods are in place for collecting production and post-production information. This is the final gate before market release. Record the review in the risk management file.

Clause 10

Production and Post-Production Activities

Risk management does not end at market release. You must establish a documented system for collecting and reviewing information from production, post-market surveillance, complaints, public information about similar devices, and changes in standards or state of the art. If new hazards are discovered or existing risks change, feed that information back into the risk management process. This clause aligns directly with EU MDR Article 83 (post-market surveillance) and Article 86 (periodic safety update reports).

10.1 General
10.2 Information collection
10.3 Information review
10.4 Actions

The Risk Management Process

ISO 14971 defines a continuous, iterative process — not a one-time exercise. Here is the flow from planning through post-production.

  1. Risk Management Planning (Clause 4.2)

     Define the scope, assign responsibilities, set risk acceptability criteria, specify verification activities, and plan how production and post-production information will be collected. The risk management plan is the blueprint for everything that follows.

  2. Risk Analysis (Clause 5)

     Document intended use and foreseeable misuse. Identify safety-related device characteristics. Systematically identify hazards and hazardous situations. Estimate each risk (severity × probability). This is where most teams use FMEA.

  3. Risk Evaluation (Clause 6)

     Compare each estimated risk against your acceptability criteria. Decide whether risk reduction is required. Acceptable risks move forward to overall residual risk evaluation; unacceptable risks move to risk control.

  4. Risk Control (Clause 7)

     Select and implement controls in priority order: inherent safety by design → protective measures → information for safety. Verify implementation. Evaluate residual risk. Perform benefit-risk analysis if needed. Check for new hazards introduced by controls.

  5. Overall Residual Risk Evaluation (Clause 8)

     Step back and evaluate the device as a whole. Individual risks may each be acceptable, but combined they may not be. Perform device-level benefit-risk analysis if aggregate risk exceeds criteria.

  6. Risk Management Review (Clause 9)

     Before market release, review the entire risk management plan execution. Confirm completeness, overall acceptability, and readiness for post-production monitoring. This is the final gate.

  7. Production and Post-Production (Clause 10)

     Collect field data (complaints, surveillance reports, standards changes). Review for safety relevance. When triggers are met — new hazards discovered, risks change, state of the art evolves — feed back into the risk management process. The cycle continues throughout the product lifecycle.
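Steps 2 to 5 of the flow can be read as a small decision procedure applied to every hazard and then to the register as a whole. The Python below is an added illustration, not code from this page, from Mitigon, or from any real device's risk management file. It walks a constructed register through Clauses 5 to 8: a 5×5 severity/probability matrix whose acceptability regions are assumed to come from the risk management plan (Clause 4.2), controls recorded in the Clause 7.1 priority order, residual risk taken after the last control (7.3), a benefit-risk record where the residual stays in the ALARP region (7.4), hazards introduced by controls (7.5), and a constructed device-level rule for Clause 8. The scales, the regions, the three infusion-pump hazards and the aggregate rule are all assumptions for the example; the standard leaves every one of them to the manufacturer.

```python
"""Constructed walk through the ISO 14971 per-hazard flow (Clauses 5 to 8). Scales,
acceptability regions, hazards and the aggregate rule are assumptions from a made-up
risk management plan, not values from the standard or from any real device."""
from dataclasses import dataclass, field
from enum import IntEnum

class Severity(IntEnum):      # constructed 5-point scale (Clause 5.5)
    NEGLIGIBLE, MINOR, SERIOUS, CRITICAL, CATASTROPHIC = 1, 2, 3, 4, 5

class Probability(IntEnum):   # constructed 5-point scale (Clause 5.5)
    IMPROBABLE, REMOTE, OCCASIONAL, PROBABLE, FREQUENT = 1, 2, 3, 4, 5

# Clause 7.1: risk control options in mandatory priority order.
CONTROL_PRIORITY = ("inherent_safety", "protective_measure", "information_for_safety")

def region(severity: Severity, probability: Probability) -> str:
    """Acceptability criteria from the constructed plan (Clause 4.2): three matrix regions."""
    score = int(severity) * int(probability)
    if score <= 4:
        return "acceptable"
    if score <= 12:
        return "alarp"        # reduce as far as practicable, then justify what remains
    return "unacceptable"

@dataclass
class Control:
    kind: str                          # one of CONTROL_PRIORITY
    description: str
    severity_after: Severity           # estimate once the control is in place
    probability_after: Probability
    introduces_hazard: str = ""        # Clause 7.5: new hazard caused by the control

@dataclass
class Hazard:
    id: str
    hazardous_situation: str
    harm: str
    severity: Severity                 # initial estimate (Clause 5.5)
    probability: Probability
    controls: list = field(default_factory=list)
    benefit_risk_justification: str = ""   # reference to a Clause 7.4 record, if any

    def residual(self):
        """Clause 7.3: residual risk is the estimate after the last applied control."""
        if not self.controls:
            return self.severity, self.probability
        return self.controls[-1].severity_after, self.controls[-1].probability_after

    def controls_in_priority_order(self) -> bool:
        """Clause 7.1: labelling recorded ahead of a protective measure is a finding."""
        ranks = [CONTROL_PRIORITY.index(c.kind) for c in self.controls]
        return ranks == sorted(ranks)

    def disposition(self) -> str:
        """Clauses 6, 7.3 and 7.4 applied to this one hazard."""
        if region(self.severity, self.probability) == "acceptable":
            return "acceptable"                  # Clause 6: no reduction required
        if region(*self.residual()) == "acceptable":
            return "acceptable_after_control"    # Clause 7.3
        if self.benefit_risk_justification:
            return "accepted_on_benefit_risk"    # Clause 7.4
        return "open"                            # more control or justification needed

def new_hazards_from_controls(hazards) -> list:
    """Clause 7.5: (source id, description) of control-induced hazards not yet in the register."""
    known = {h.hazardous_situation for h in hazards}
    return [(h.id, c.introduces_hazard) for h in hazards for c in h.controls
            if c.introduces_hazard and c.introduces_hazard not in known]

def overall_residual_risk(hazards, max_alarp_hazards: int = 2) -> dict:
    """Clause 8, constructed rule: not acceptable while any hazard is open or more
    hazards than the plan allows remain in the ALARP region."""
    open_ids = [h.id for h in hazards if h.disposition() == "open"]
    alarp_ids = [h.id for h in hazards if region(*h.residual()) == "alarp"]
    if open_ids:
        return {"acceptable": False, "reason": f"open hazards: {open_ids}"}
    if len(alarp_ids) > max_alarp_hazards:
        return {"acceptable": False, "reason": f"{len(alarp_ids)} ALARP hazards: "
                "device-level benefit-risk analysis required"}
    return {"acceptable": True, "reason": "all hazards dispositioned within plan criteria"}

# Constructed register for a fictitious infusion pump.
REGISTER = [
    Hazard("H-001", "free flow when administration set is removed", "overdose",
           Severity.CRITICAL, Probability.OCCASIONAL, controls=[
               Control("inherent_safety", "anti-free-flow valve in the set",
                       Severity.CRITICAL, Probability.IMPROBABLE)]),
    Hazard("H-002", "occlusion alarm not heard in a noisy ward", "delayed therapy",
           Severity.SERIOUS, Probability.PROBABLE, controls=[
               Control("protective_measure", "visual alarm, escalating volume",
                       Severity.SERIOUS, Probability.REMOTE),
               Control("information_for_safety", "IFU: keep pump in line of sight",
                       Severity.SERIOUS, Probability.REMOTE)],
           benefit_risk_justification="BR-002 (constructed reference)"),
    Hazard("H-003", "battery cell overheats during charging", "burn or fire",
           Severity.CATASTROPHIC, Probability.REMOTE, controls=[
               Control("protective_measure", "thermal fuse in battery pack",
                       Severity.CATASTROPHIC, Probability.IMPROBABLE,
                       introduces_hazard="fuse opens mid-infusion; therapy interrupted")]),
]
```

Calling `h.disposition()` on each entry gives H-001 as acceptable after its design control, H-002 as accepted on a benefit-risk record, and H-003 as open; `overall_residual_risk(REGISTER)` therefore fails, and `new_hazards_from_controls(REGISTER)` reports the therapy-interruption hazard that the thermal fuse introduced and that still needs its own row. Two points the example makes concrete: a hazard whose residual risk stays outside the acceptable region remains open until either a further control or a benefit-risk record exists, and the Clause 8 judgement is a separate computation over the whole register, so the device can fail it even after every individual hazard has been dispositioned.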

The Risk Management File

Everything produced by this process goes into the risk management file (Clause 4.3). It is not necessarily a single document — it can be a binder, an electronic folder, a database, or any collection of records. What matters is traceability: for each identified hazard, you must be able to trace through analysis, evaluation, control implementation, verification, and residual risk assessment. The file is maintained throughout the entire product lifecycle and is reviewed by regulators and notified bodies during audits and submissions.

Risk Management Tools Referenced by ISO 14971

The standard is tool-agnostic, but ISO/TR 24971 provides guidance on methods. FMEA is by far the most common in medical devices.

Failure Mode and Effects Analysis

FMEA / FMECA

Bottom-up analysis of how each component or process step can fail and the effect on the system. The most widely used risk analysis tool in the medical device industry — surveys consistently show 80–90% of manufacturers use FMEA as their primary method. FMECA extends FMEA with criticality scoring.

Best for: Design FMEA, process FMEA, use FMEA — systematic failure mode identification across the device lifecycle

Fault Tree Analysis

FTA

Top-down deductive method. Start from an undesired event (e.g., patient harm) and work backward to identify root causes using Boolean logic gates (AND/OR). Particularly useful for analysing how combinations of events lead to a hazardous situation.

Best for: Critical safety systems, root cause analysis, design verification of redundant safety features
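The Boolean-gate evaluation and the "combinations of events" point above are easiest to see in code. The Python below is an added example, not from this page, from Mitigon or from ISO/TR 24971: it builds a small constructed fault tree for the top event "patient receives overdose" on a fictitious infusion pump, evaluates the top-event probability under an independence assumption, and derives the minimal cut sets. The gate structure and the basic-event probabilities are assumptions for illustration. The cut-set listing is what a reviewer of redundant safety features checks: any cut set of size one is a single basic event that defeats every control on its path.

```python
"""Constructed fault tree for the top event "patient receives overdose" on a
fictitious infusion pump. Gate structure and basic-event probabilities are
assumptions for illustration, not data from any real device or the standard."""
from dataclasses import dataclass
from itertools import product

@dataclass
class Event:
    name: str
    probability: float   # per-use probability of an independent basic event (constructed)

@dataclass
class Gate:
    name: str
    kind: str            # "AND" or "OR"
    inputs: list         # Event or Gate children

def probability(node) -> float:
    """Top-event probability, assuming independent basic events:
    AND multiplies the inputs; OR is 1 minus the product of (1 - input)."""
    if isinstance(node, Event):
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")

def cut_sets(node) -> list:
    """Minimal cut sets: the smallest combinations of basic events that are enough
    to cause the top event. OR collects its inputs' cut sets; AND combines one cut
    set from each input; supersets are then dropped so the list is minimal."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = [s for group in child_sets for s in group]
    else:
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    minimal = {s for s in sets if not any(other < s for other in sets)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def single_points_of_failure(node) -> list:
    """Cut sets of size one: a single basic event that defeats every safety feature,
    which is what a review of redundant safety design is looking for."""
    return [next(iter(s)) for s in cut_sets(node) if len(s) == 1]

# Constructed tree: two protected paths (each needs a demand AND a failed control)
# and one unprotected hardware fault.
TOP = Gate("patient receives overdose", "OR", [
    Gate("uncontrolled free flow", "AND", [
        Event("set removed with clamp open", 1e-3),
        Event("anti-free-flow valve fails", 1e-3)]),
    Gate("wrong rate delivered", "AND", [
        Event("operator enters rate 10x too high", 1e-3),
        Event("dose limit check fails", 1e-4)]),
    Event("motor runs away on hardware fault", 1e-6),
])

if __name__ == "__main__":
    print(f"P(top) = {probability(TOP):.3g}")
    for s in cut_sets(TOP):
        print(sorted(s))
    print("single points of failure:", single_points_of_failure(TOP))
```

With the constructed numbers the two AND branches contribute about 1e-6 and 1e-7 and the unguarded motor fault 1e-6, so the top event sits near 2.1e-6 per use and the motor fault appears as the only single-point cut set. Wrapping that event in an AND gate with an independent watchdog failure removes it from the single-point list, which is the kind of design change a fault tree is used to verify.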

Preliminary Hazard Analysis

PHA

High-level, early-stage hazard identification performed before detailed design is finalised. Uses prior experience and knowledge to broadly identify potential hazards. Often the starting point in the risk management process.

Best for: Concept/feasibility stage, new device programmes, initial project scoping

Hazard and Operability Study

HAZOP

Systematic brainstorming technique using guide words ("no," "more," "less," "reverse") applied to process parameters to discover deviations from design intent. Originally from chemical/process industries, applicable to medical devices with fluid-handling or process-driven functions.

Best for: Process design review, facility commissioning, fluid-handling device evaluation

Mitigon implements the ISO 14971 risk analysis and evaluation workflow — hazard identification, severity/probability scoring, risk matrix, and risk control traceability.

ISO 14971 and EU MDR/IVDR

If you're doing CE marking under the Medical Devices Regulation, ISO 14971 is not optional.

ISO 14971:2019 is harmonised under both EU MDR (Regulation 2017/745) and IVDR (Regulation 2017/746), listed in the Official Journal of the European Union. The European harmonised version, EN ISO 14971:2019/A11:2021, includes Z-annexes that formally map standard clauses to specific MDR and IVDR requirements. Compliance provides a legal presumption of conformity with covered General Safety and Performance Requirements (GSPRs).

Key MDR alignment points: GSPR 1 requires that devices be designed so that overall residual risk is acceptable when weighed against benefits — this maps directly to ISO 14971 Clauses 7.4 and 8. GSPR 2 requires risk control in a specific priority order (inherent safety → protective measures → information for safety) — this maps to Clause 7.1. MDR Article 83 requires post-market surveillance systems — Clause 10 provides the framework. MDR Annex II requires risk management documentation as part of the technical file — the ISO 14971 risk management file satisfies this.

Notified body auditors specifically look for: a documented risk management plan with defined acceptability criteria, complete hazard-to-control traceability, evidence of benefit-risk analysis (especially where residual risks remain above initial thresholds), an overall residual risk evaluation as a standalone assessment, and evidence that post-market data feeds back into risk management. Benefit-risk documentation and overall residual risk evaluation are among the most common audit findings for companies transitioning from 2007 to 2019.

ISO 14971 vs ICH Q9

Both are risk management frameworks, but they serve different industries with different regulatory expectations.

Comparison of ISO 14971:2019 and ICH Q9(R1) risk management frameworks

Type of document
  ISO 14971:2019: International Standard (normative) — uses "SHALL" (mandatory)
  ICH Q9(R1): ICH Guideline (informative) — uses "SHOULD" (recommended)

Industry
  ISO 14971:2019: Medical devices (all classes, IVDs, SaMD)
  ICH Q9(R1): Pharmaceuticals (drug substances, products, biologics)

Primary focus
  ISO 14971:2019: Patient and user safety during device use
  ICH Q9(R1): Product quality, patient safety, and supply availability

Benefit-risk analysis
  ISO 14971:2019: Explicit, structured process (Clauses 7.4 and 8)
  ICH Q9(R1): Considered but less formalised; R1 added formality spectrum guidance

Risk management file
  ISO 14971:2019: Formal, mandatory — with defined contents and full traceability
  ICH Q9(R1): No mandatory equivalent; documentation formality varies with risk level

Risk tools
  ISO 14971:2019: Tool-agnostic; FMEA, FTA, HAZOP, PHA described in companion TR 24971
  ICH Q9(R1): Annex I lists FMEA, FTA, HAZOP, PHA, risk ranking, and filtering

Formality
  ISO 14971:2019: High — specific documentation requirements at each step
  ICH Q9(R1): Spectrum — effort and formality commensurate with risk level

Post-market requirements
  ISO 14971:2019: Explicit Clause 10 with mandatory collection, review, and action
  ICH Q9(R1): Considered but less prescriptive

Regulatory basis
  ISO 14971:2019: Harmonised under EU MDR/IVDR; recognised by FDA (21 CFR 820)
  ICH Q9(R1): Adopted by FDA, EMA, PMDA as guidance; referenced in ICH Q8, Q10

Combination products
  ISO 14971:2019: Applies to the device constituent part
  ICH Q9(R1): Applies to the drug constituent part; both may apply simultaneously

For combination products (drug-device), both frameworks may apply simultaneously. See our ICH Q9(R1) guide for the pharmaceutical perspective.

ISO/TR 24971:2020 — The Companion Guidance

ISO/TR 24971:2020 is the technical report that contains the practical guidance material removed from ISO 14971 when the 2019 edition was published. If ISO 14971 tells you what you shall do, ISO/TR 24971 shows you how to do it — with worked examples, templates, and detailed techniques.

The report covers: risk management plan examples, hazard identification techniques with device-specific examples, risk estimation guidance (including how to handle situations where probability is unknown), risk evaluation matrix examples, benefit-risk analysis methods, overall residual risk assessment approaches, software risk management guidance (linking to IEC 62304), biological hazard management (linking to ISO 10993), IVD-specific guidance, and cybersecurity/data security considerations.

If your team is implementing ISO 14971 for the first time or transitioning from the 2007 edition, ISO/TR 24971 is essential reading. Notified body auditors are familiar with its content and expect practices consistent with it. Because the TR is published separately from the standard, ISO can update practical guidance without changing normative requirements — keeping the standard stable while the guidance evolves.

Related Standards and Frameworks

ISO 14971 integrates with a broader ecosystem of medical device standards.

ISO/TR 24971:2020 — Guidance on ISO 14971 Application

The companion technical report that contains practical guidance, worked examples, hazard identification techniques, benefit-risk analysis methods, software risk management guidance, and all the informative annexes removed from the 2019 edition. Read it alongside ISO 14971.

ISO 13485:2016 — Quality Management Systems

The medical device quality management system standard. ISO 14971 risk management integrates directly into the ISO 13485 quality system — particularly design controls, purchasing, production, and CAPA processes. Most regulatory frameworks require both.

IEC 62304 — Medical Device Software Lifecycle

Defines software development lifecycle processes for medical device software. Risk management activities from ISO 14971 feed into IEC 62304 software classification, architecture, and testing requirements. Essential for SaMD and embedded software.

IEC 62366-1 — Usability Engineering

Defines usability engineering processes for medical devices. Use-related hazards identified through ISO 14971 drive usability requirements and testing. Clause 5.4 hazard identification should consider use errors and the information in IEC 62366-1.

ICH Q9(R1) — Quality Risk Management (Pharma)

The pharmaceutical equivalent of risk management guidance. Different scope (drugs vs devices), different formality (guideline vs standard), but shared tools and principles. For combination products, both frameworks may apply.
