Medical Device Risk Management: ISO 13485 and ISO 14971 Compliance


ISO 14971:2019 defines the international requirements of risk management systems for medical devices. How does it dovetail with ISO 13485 to identify potential hazards and mitigate risk to patients throughout the product lifecycle?

Why does ISO 14971 matter to medical device developers?

Before ISO 14971, there was no universally accepted method for risk management in the medical device industry. ISO 14971 introduced a standardised process that could be consistently applied across the industry and the world, ensuring that doctors and patients could have confidence in the shared safety standards of all the devices they procure.

It also formalised a shared risk management vocabulary to help medical device developers understand and implement consistent risk control measures in their design and manufacturing processes. A short glossary of key terms in medical device risk management appears at the end of this article.

What’s inside ISO 14971:2019?

ISO 14971 provides a structured methodology for managing risk throughout the lifecycle of medical devices, from design and development through to production and post-production.

The standard (and its accompanying guidance, ISO/TR 24971:2019) outlines the critical steps for identifying potential hazards, estimating and evaluating the associated risks, implementing effective control measures, and continuously monitoring their effectiveness.

How does ISO 14971:2019 differ from previous iterations?

Compared to previous iterations, the latest version, ISO 14971:2019, introduced new requirements such as:

  • Risk/benefit analysis
  • Evaluating residual risks
  • Collecting production and post-production information

The increasing importance of Medical Device Risk Management

The complexity of medical devices is rapidly increasing, driven by advances in technology, the rise of Software as a Medical Device (SaMD), and the integration of artificial intelligence (AI). These developments have introduced new potential hazards, such as software bugs, algorithmic errors, data security vulnerabilities, and unintended consequences of AI decisions.

Given these evolving risks, it is crucial to systematically assess and manage risks from the early stages of development through the entire product lifecycle.

It’s also worth noting that while AI can introduce risk, it also offers opportunities for better risk identification and assessment: AI can assist in modelling scenarios of foreseeable misuse and in suggesting risk mitigations more exhaustively.

The six-step process of ISO 14971

ISO 14971 provides a formal six-step process for identifying, assessing, controlling, and continually reviewing risk, helping you create a dynamic risk management strategy that can address emerging hazards throughout the product’s lifecycle.

1. Risk Management Plan

The first step in the ISO 14971 risk management process is to develop a comprehensive risk management plan. This plan acts as a blueprint for the entire risk management process and includes several key components:

  • Risk Acceptability Criteria: These are the predefined criteria that determine what level of risk is acceptable for the medical device. These criteria are often based on regulatory requirements, industry standards, and company policies.
  • Scope of the Risk Management Process: Defining the boundaries and scope of the risk management activities, including which products or processes are covered.
  • Roles and Responsibilities: Clearly assigning roles and responsibilities for risk management activities. This ensures that every aspect of the process is overseen by qualified personnel.
  • Resources and Tools: Identifying the necessary resources, tools, and methodologies to be used in the risk management process.
  • Milestones and Deliverables: Setting specific milestones and deliverables to track progress and ensure timely completion of risk management activities.

2. Risk Assessment

Risk assessment is a critical step in the risk management process and involves the following sub-steps:

  • Hazard Identification: Identifying all potential hazards associated with the medical device. Hazards can be related to the device itself, its use environment, or how it is used by patients or healthcare professionals.
  • Risk Estimation: For each identified hazard, estimating the risk by determining the probability of occurrence and the severity of the potential harm. This can be done qualitatively or quantitatively.
  • Risk Evaluation: Comparing the estimated risks against the risk acceptability criteria established in the risk management plan.

3. Risk Control

Once the risks have been assessed, the next step is to implement risk control measures to mitigate any unacceptable risks. This step involves:

  • Risk Control Options Analysis: Identifying and evaluating various risk control options to determine the most effective measures for reducing risks to acceptable levels.
  • Implementation of Risk Controls: Applying the selected risk control measures, which could include design modifications, protective measures, or providing additional information and training to users.
  • Verification of Risk Controls: Verifying that the implemented risk control measures are effective in reducing the risks as intended. This may involve testing, inspection, or other verification activities.

4. Evaluation of Residual Risk

After risk control measures have been implemented, it is essential to evaluate any residual risks:

  • Residual Risk Analysis: Assessing the risks that remain after the application of risk control measures. This involves determining whether these residual risks are acceptable according to the risk acceptability criteria.
  • Risk-Benefit Analysis: In cases where residual risks are still significant, performing a risk-benefit analysis to determine if the benefits of the medical device outweigh the remaining risks.
  • Documentation: Documenting the evaluation process and decisions made regarding residual risks, ensuring traceability and accountability.

Evaluating residual risk is important because it helps an organisation understand and document the nature of the risks still posed by a device and whether they are acceptable. Under the EU MDR (Medical Device Regulation), manufacturers must demonstrate that the benefits of the device outweigh any residual risks. This analysis must be documented and form part of the technical documentation.

5. Risk Management Review

Regular review of the risk management process is crucial to ensure its ongoing effectiveness and your compliance with regulation:

  • Periodic Reviews: Conducting regular reviews of the risk management activities and outcomes to ensure they remain effective and relevant.
  • Management Review: Engaging top management in the review process to ensure their commitment and support for the risk management activities.
  • Continuous Improvement: Identifying opportunities for improvement in the risk management process and implementing necessary changes to enhance its effectiveness.

6. Production and Post-Production Activities

Risk management does not end with the design and development of the medical device; it continues throughout the product’s lifecycle:

  • Production Monitoring: Continuously monitoring production processes to identify and address any new risks that may arise during manufacturing.
  • Post-Production Surveillance: Implementing post-production surveillance activities to gather data on the device’s performance in the real world. This includes monitoring adverse events, customer feedback, and other relevant information.
  • Post-Market Vigilance: Actively managing risks identified during post-production and post-market phases. This may involve updating risk assessments, implementing additional risk control measures, and ensuring regulatory compliance.
  • Feedback Loop: Establishing a feedback loop to ensure that information from production and post-production activities is fed back into the risk management process. This helps in continuously improving the safety and performance of the medical device.
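The following is an added worked example, not code from the article or from Cognidox, showing steps 2 to 4 of the process above as a small risk register: each hazard is estimated from a probability and a severity, evaluated against acceptability criteria taken from the risk management plan, credited only with risk controls that have been verified (step 3), and then given a residual-risk disposition (step 4). The five-level scales, the index thresholds that define the acceptable, ALARP and unacceptable regions, and the three sample hazards (including a data security hazard and an algorithmic-error hazard of the kind the article mentions for SaMD and AI) are all assumptions constructed for the illustration.

```python
"""Toy ISO 14971-style risk register for steps 2 to 4: estimate, evaluate against
acceptability criteria, credit verified risk controls, evaluate residual risk.
Added illustration, not code from the article or Cognidox; the scales, index
thresholds and sample hazards are assumptions a real risk management plan defines."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple

# Assumed 5-level qualitative scales; members are numbered 1..5 in this order.
Probability = IntEnum("Probability", "IMPROBABLE REMOTE OCCASIONAL PROBABLE FREQUENT")
Severity = IntEnum("Severity", "NEGLIGIBLE MINOR SERIOUS CRITICAL CATASTROPHIC")

def risk_region(p: Probability, s: Severity) -> str:
    """Assumed acceptability criteria: risk index = p * s, bucketed into three regions."""
    index = int(p) * int(s)
    if index <= 4:
        return "acceptable"
    if index <= 12:
        return "ALARP"  # as low as reasonably practicable: needs risk/benefit analysis
    return "unacceptable"

@dataclass
class RiskControl:
    description: str
    kind: str  # "design", "protective" or "information": ISO 14971's priority order
    new_probability: Optional[Probability] = None
    new_severity: Optional[Severity] = None
    verified: bool = False  # step 3: only a verified control reduces residual risk

@dataclass
class RiskItem:
    hazard: str
    hazardous_situation: str
    harm: str
    probability: Probability
    severity: Severity
    controls: List[RiskControl] = field(default_factory=list)

    def initial_region(self) -> str:
        return risk_region(self.probability, self.severity)

    def residual(self) -> Tuple[Probability, Severity]:
        """Residual probability and severity, crediting verified controls only."""
        p, s = self.probability, self.severity
        for c in self.controls:
            if not c.verified:
                continue  # an unverified control earns no credit yet
            if c.new_probability is not None:
                p = min(p, c.new_probability)
            if c.new_severity is not None:
                s = min(s, c.new_severity)
        return p, s

    def residual_region(self) -> str:
        return risk_region(*self.residual())

DISPOSITION = {  # what step 4 requires for each residual region
    "acceptable": "accept and record in the risk management file",
    "ALARP": "risk/benefit analysis required",
    "unacceptable": "further risk control required",
}

def evaluate_register(register: List[RiskItem]) -> List[dict]:
    """One traceable row per hazard: initial and residual region, step-4 disposition,
    and any controls still awaiting verification."""
    return [{
        "hazard": item.hazard,
        "harm": item.harm,
        "initial": item.initial_region(),
        "residual": item.residual_region(),
        "disposition": DISPOSITION[item.residual_region()],
        "unverified_controls": [c.description for c in item.controls if not c.verified],
    } for item in register]

# Constructed sample register for a hypothetical networked SaMD product.
SAMPLE_REGISTER = [
    RiskItem("Defect in dose-calculation routine",
             "Clinician administers the displayed dose without an independent check",
             "Overdose", Probability.PROBABLE, Severity.CRITICAL,
             [RiskControl("Range checks on inputs and outputs plus unit tests", "design",
                          new_probability=Probability.REMOTE, verified=True),
              RiskControl("Labelling requires independent dose verification", "information")]),
    RiskItem("Network service accepts unauthenticated connections",
             "Device attached to a shared hospital network",
             "Disclosure of patient data", Probability.OCCASIONAL, Severity.SERIOUS,
             [RiskControl("Mutually authenticated TLS on every connection", "design",
                          new_probability=Probability.IMPROBABLE, verified=True)]),
    RiskItem("Triage algorithm misclassifies an urgent case",
             "Clinician defers to the algorithm's output",
             "Delayed treatment", Probability.PROBABLE, Severity.CATASTROPHIC,
             [RiskControl("Show confidence score and require clinician sign-off", "information",
                          new_probability=Probability.OCCASIONAL, verified=True)]),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(f"{row['hazard']:55} {row['initial']:12} -> {row['residual']:12} {row['disposition']}")
```

Running the file prints one line per hazard. The design point worth noticing is in `residual()`: a control that has not yet passed verification is listed in the row but does not lower the risk, so the dose-calculation hazard stays in the ALARP region and is routed to a risk/benefit analysis rather than being accepted on the strength of a labelling change that nobody has verified, and the triage hazard remains unacceptable because an information-only control did not move it far enough.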

What is the difference between ISO 13485 and 14971?

Both ISO 14971 and ISO 13485 are integral to ensuring the safety, quality, and effectiveness of medical devices. While ISO 14971 focuses on risk management, ISO 13485 encompasses the broader quality management system (QMS) and creates the mechanisms for controlling risk across the organisation. Integrating the two standards ensures that risk becomes a central focus of medical device development and lifecycle management.

Does ISO 13485 require risk management?

ISO 13485 explicitly requires the implementation of risk management processes as an integral part of the QMS. Clause 7.1 of ISO 13485 states that the organisation must establish a risk management process that meets the requirements of ISO 14971. This ensures that risk management is a foundational element of the QMS, driving the consistent application of risk management practices across all stages of the product lifecycle.

ISO 13485 and ISO 14971: Risk management in medical device development

Documented Procedures

ISO 13485 mandates that organisations document their risk management activities. This includes having documented procedures for risk management throughout the product lifecycle, as defined in ISO 14971. Documentation must cover risk analysis, risk evaluation, risk control, and the results of these activities. This ensures transparency, traceability, and accountability in the risk management process.

Integration with Design and Development

Clause 7.3 of ISO 13485 focuses on design and development. It requires that risk management activities be carried out during these phases and that the outputs of these activities be documented as part of the design and development records. This aligns with the steps in ISO 14971, which necessitate identifying and mitigating risks during product development. By integrating risk management into the design and development phases, organisations can proactively address potential issues before they become critical problems.

Post-Production Information

ISO 13485 emphasises the importance of post-production feedback and its role in the risk management process. Clause 8.2.1 requires organisations to collect and analyse data from post-production activities and feed this information back into the risk management process. This is consistent with ISO 14971, which requires continuous monitoring of risks and the effectiveness of control measures even after the product is released to the market. Post-production feedback is crucial for identifying new risks and ensuring that existing control measures remain effective over time.

Risk Management File

ISO 13485 requires the maintenance of a risk management file as per ISO 14971. This file must include all records and documents generated through the risk management process, ensuring traceability from hazard identification to risk control measures and their verification. The risk management file serves as comprehensive documentation of the risk management activities, providing evidence of compliance with both ISO 13485 and ISO 14971.

How eQMS Software can animate your risk management strategy

Implementing the risk management requirements of ISO 14971 manually can be a time-consuming and error-prone process.

Without the digital tools to integrate and automate your risk management strategy through an ISO 13485 compliant quality management system, you can end up with a siloed approach that might tick a few compliance boxes but does nothing to materially control your risk.

The right eQMS system will help you digitally integrate risk management with every part of your development, production, and post-production process in line with the standards and regulation.

Centralised Documentation Management

The right QMS software provides a centralised platform for managing all risk-related documentation, ensuring that all necessary records, such as risk assessments, plans and matrices, are easily accessible and consistently updated.

Automation of Risk Management Activities

Automated workflows should link each element of your risk management process together, notifying and reminding stakeholders to review risk management activities regularly, and triggering fresh risk assessments when plans, processes and designs change.

The system should also automate the collection and analysis of post-production information after the product has launched, feeding this data back into the risk management process to ensure continuous improvement.

Enhancing Traceability and Accountability

One of the key requirements of ISO 14971 and ISO 13485 is the documentation and traceability of risk management activities. eQMS software ensures traceability by helping you gather and curate necessary information about decision making, maintaining a clear audit trail for all risk management activities.

Facilitating Real-Time Collaboration

The right eQMS software facilitates real-time collaboration among team members - breaking down the information silos that can emerge within organisations, ensuring all stakeholders are aligned and that risk management activities are conducted efficiently and effectively at the right time.

The right platform should make risk management a collaborative, visible and trackable process across your organisation.

Improving Decision-Making with Data Analytics

Advanced eQMS software often includes data analytics capabilities that provide insights into the effectiveness of risk management activities. By analysing data collected from various sources, the software can identify trends and potential areas for improvement. These insights enable organisations to make data-driven decisions, enhancing the overall quality and safety of their medical devices.


The integration of ISO 14971 and ISO 13485, supported by robust document control and eQMS software, provides a comprehensive approach to managing the quality and safety of medical devices. By digitising and automating risk management processes, organisations can improve efficiency, ensure compliance, and enhance patient safety. This holistic approach not only meets regulatory requirements but also supports the continuous improvement of medical device quality and safety throughout the product lifecycle.

A short glossary of risk management terms in ISO 14971

Benefit: Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health.

Foreseeable Misuse: The use of a product, process, or service in a way not intended by the manufacturer.

Harm: Physical injury or damage to the health of people or damage to property or the environment, compromising safety.

Hazard: A potential source of harm that could affect the safety of the medical device.

Hazardous Situation: A set of circumstances in which people, property, or the environment are exposed to one or more hazards, posing a threat to safety.

Intended Use: The use for which a product, process, or service is intended according to the specifications, instructions, and information provided by the manufacturer.

Probability of Occurrence: The likelihood that a specific hazard will occur, which is crucial in assessing the safety of the device.

Risk: The combination of the probability of occurrence of harm and the severity of that harm, impacting the safety of the medical device.

Risk Analysis: The process of identifying hazards and estimating the associated risks.

Risk Control: Measures taken to reduce risks to acceptable levels.

Risk Evaluation: The process of comparing estimated risks against given risk criteria to determine the acceptability of the risk.

Risk Management: A systematic process for identifying, evaluating, controlling, and monitoring risks associated with medical devices.

Risk Management File: A compilation of all documents and records produced during the risk management process.

Risk Management Plan: A documented plan outlining the strategy and actions for risk management throughout the lifecycle of a medical device.

Safety: Freedom from unacceptable risk.

Severity: The measure of the potential impact of a hazard on the health of individuals or on property, directly influencing safety.


Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.
