ISO 14971 Risk Management for Medical Devices

ISO 14971 is the standard that governs how medical device risk is managed, from the first hazard analysis to the last field report. The part teams underestimate is the end of that arc: the obligation to keep watching the device once it is on the market, and to fold what the field tells you back into the risk file.

What ISO 14971 is

ISO 14971 is the international standard for applying risk management to medical devices, including software and in vitro diagnostics. It does not prescribe which risks are acceptable. It prescribes a disciplined process for finding hazards, estimating and evaluating the risks they create, controlling those risks, and then verifying that the controls actually worked. That process runs the length of the device lifecycle rather than ending at launch.

The standard is effectively mandatory in practice. It is the recognized basis for demonstrating risk management to major regulators, and it is tightly coupled to the quality management system described in ISO 13485. In the European Union the harmonized version, EN ISO 14971, is the reference used to support conformity with the Medical Device Regulation.

The vocabulary the standard runs on

Most arguments about a risk analysis come from people using the same words to mean different things. ISO 14971 defines a small set of terms precisely, and the whole method depends on keeping them straight:

  • Hazard. A potential source of harm. A sharp edge, a software fault, and a depleting battery are all hazards.
  • Hazardous situation. The circumstance in which a person, property, or the environment is exposed to a hazard. The battery is a hazard; a patient relying on the device when the battery is near depletion is the hazardous situation.
  • Harm. The actual injury or damage that results. Loss of therapy, a burn, or a delayed diagnosis are harms.
  • Risk. The combination of the probability of harm and its severity. A hazard with severe consequences but a vanishingly small probability can carry less risk than a frequent, moderate one.

The risk analysis is the work of tracing the sequences of events that turn a hazard into a hazardous situation, and a hazardous situation into harm, then estimating probability and severity along that chain. Getting the vocabulary right is what makes the estimates comparable across reviewers.

The risk management process

The core loop is consistent across the lifecycle:

  • Risk analysis. Identify the intended use and reasonably foreseeable misuse, enumerate hazards, and work out the sequences of events that could turn a hazard into harm.
  • Risk evaluation. Estimate each risk from the probability of harm and its severity, then judge it against your acceptability criteria.
  • Risk control. Reduce unacceptable risks through design, protective measures, or information for safety, and verify the controls do not introduce new risks.
  • Residual risk and benefit-risk. Judge what remains, individually and overall, against the clinical benefit of the device.

The acceptability criteria deserve a note of their own. ISO 14971 requires you to define how you will decide a risk is acceptable before you start evaluating, not after you see the numbers. Those criteria live in the risk management plan, which keeps the evaluation honest and gives an auditor a fixed yardstick to check your conclusions against.

The risk management plan and the risk management file

Two artifacts hold the process together. The risk management plan is written up front and defines the scope of the activity for a given device, who is responsible for each part, the risk acceptability criteria, how verification of risk controls will be done, and how production and post-production information will be collected and reviewed. It is the contract you hold yourself to.

The risk management file is the body of records that proves the plan was carried out. It is not a single document so much as a traceable index into everything that demonstrates risk management actually happened. A complete file lets a reviewer follow a single thread end to end:

  • the identified hazards and hazardous situations,
  • the risk evaluation and the acceptability decision for each,
  • the risk controls applied and the verification evidence that they work and did not introduce new risks,
  • the residual risk for each item and the overall residual risk, judged against benefit, and
  • the production and post-production review records over time.

Traceability is the quality auditors look for first. If a hazard cannot be traced to a control, and the control to its verification, the file has a gap regardless of how thorough any single document looks.
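The traceability thread described above can be checked mechanically. The following is an added example, not text or tooling from ISO 14971 or any vendor: the record layout, the ordinal probability and severity scales, the acceptability criterion and the sample entries are all constructed for illustration, standing in for whatever the risk management plan actually fixes.

```python
"""Traceability and acceptability check over a risk management file (constructed example)."""
from dataclasses import dataclass, field
# Acceptability criteria fixed up front in the (hypothetical) risk management plan:
# ordinal probability and severity scales, plus the region of the matrix the plan
# declares acceptable without further risk reduction.
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]

def acceptable(probability: str, severity: str) -> bool:
    """Constructed plan criterion: acceptable when the index sum is at most 3."""
    return PROBABILITY.index(probability) + SEVERITY.index(severity) <= 3

@dataclass
class Hazard:
    hazard_id: str
    hazardous_situation: str
    harm: str
    residual_probability: str
    residual_severity: str
    controls: list = field(default_factory=list)           # risk control ids
    verified_controls: list = field(default_factory=list)  # ids with verification evidence

def audit_file(hazards):
    """Return the gaps an auditor would raise, keyed by hazard id; empty means clean."""
    gaps = {}
    for h in hazards:
        problems = []
        if not h.controls:
            problems.append("no risk control traced")
        unverified = [c for c in h.controls if c not in h.verified_controls]
        if unverified:
            problems.append("controls without verification: " + ", ".join(unverified))
        if not acceptable(h.residual_probability, h.residual_severity):
            problems.append("residual risk exceeds plan criteria; benefit-risk determination needed")
        if problems:
            gaps[h.hazard_id] = problems
    return gaps

# Constructed sample file: three hazards, two with gaps.
SAMPLE = [
    Hazard("HZ-01", "patient relies on device with battery near depletion",
           "loss of therapy", "remote", "serious", ["RC-01", "RC-02"], ["RC-01", "RC-02"]),
    Hazard("HZ-02", "software fault halts dose calculation", "delayed therapy",
           "occasional", "critical", ["RC-03"], []),
    Hazard("HZ-03", "sharp housing edge exposed during cleaning", "laceration",
           "occasional", "minor"),
]

if __name__ == "__main__":
    for hazard_id, problems in audit_file(SAMPLE).items():
        print(hazard_id, "->", "; ".join(problems))
```

Only HZ-01 traces end to end and sits inside the plan's acceptable region; HZ-02 has an unverified control and a residual risk the plan does not accept, and HZ-03 has no control at all.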

What the 2019 revision changed

ISO 14971:2019 did not rewrite the process, but it raised expectations at the two ends that teams tend to treat as paperwork. Benefit-risk analysis became more explicit, and the production and post-production requirements were strengthened. The message is that risk management is a living activity: the risk file is supposed to change as real-world evidence arrives, not sit frozen after the submission is filed.

The practical shifts worth knowing:

  • Benefit-risk is named, not implied. The standard now calls for an explicit determination that benefit outweighs residual risk, both for individual risks and overall.
  • Production and post-production work was strengthened. The requirements gathered in Clause 10 of the 2019 edition make active collection and review of field information an obligation, not an optional extra.
  • Tighter QMS integration. Risk management is framed as part of the quality management system rather than a parallel exercise, which is what couples it so closely to ISO 13485.
  • Guidance moved to ISO/TR 24971. The standard was slimmed to requirements, and most of the how-to, including methods for estimating the probability of harm and worked examples, now lives in the companion technical report.

For teams selling into the EU, the harmonized EN ISO 14971 carries Annex Z content that maps the standard to the Medical Device Regulation, which is worth checking when the risk file has to support a CE submission.

Benefit-risk analysis

Benefit-risk analysis is where the discipline of risk management meets the clinical reality that almost no useful device is risk-free. The standard asks two related questions. First, for any individual residual risk that cannot reasonably be reduced further, does the benefit of the device outweigh it? Second, taking all residual risks together, is the overall residual risk outweighed by the overall clinical benefit?

The reason this matters for post-production work is that both judgments rest on assumptions about how often harms actually occur and how severe they turn out to be. Those assumptions are made with the best evidence available at the time of design. Field data is what tests them. A benefit-risk conclusion that looked sound at launch can be undermined by a failure mode that turns out to be more frequent or more serious than estimated, which is exactly the kind of finding a surveillance program is meant to surface.

Production and post-production information

The production and post-production activities clause (Clause 10 in the 2019 edition) requires manufacturers to actively collect information about the device once it is in real-world use, and to review it for two things: whether previously unrecognized hazards or hazardous situations are present, and whether any risk is no longer acceptable. Customer complaints, CAPAs, field corrective actions, literature, and public adverse event databases are all named inputs.

The standard is explicit that you cannot rely only on reactive channels like your own complaints. You need an active system that also looks outward at the experience of comparable devices on the market. That outward look is exactly where the public adverse event record earns its place.

Using FDA MAUDE as a risk input

The FDA MAUDE database is the largest public source of medical device adverse event reports, which makes it the natural outward-facing input for the post-production review. Used well, it does three jobs for a risk file:

  • Surfaces failure modes you have not seen yet, including ones reported against competitor devices in your category.
  • Pressure-tests your estimates. A hazard you rated as remote may look less remote once you read how often it appears across the product code.
  • Creates a defensible record. An auditor wants to see that you looked, what you searched, and what you concluded. A documented MAUDE review with a date, search terms, date range, and report references demonstrates the surveillance the standard asks for.

The catch is that raw MAUDE counts are noisy and have no denominator, so reading them as a rate is a trap. Separating a genuine pattern from reporting bias is the hard part, which is the subject of our guide to safety signal detection.

Documenting a MAUDE review for an auditor

The work only counts if it is recorded. The difference between a review that satisfies an auditor and one that does not is rarely the depth of the analysis. It is whether the search itself is reproducible. A defensible post-production review record captures, at minimum:

  1. The date and reviewer. When the review was run and who performed it.
  2. The search scope. The FDA product code or codes, the brand or model names searched, and any manufacturer filter.
  3. The date range. The window of reports covered, so the next review can pick up where this one left off.
  4. What was found. Counts by event type or failure mode, and the specific report keys for anything notable.
  5. The disposition. The conclusion for each finding: no change, a revised probability or severity estimate, a new hazard added to the analysis, or a referral into CAPA.
  6. The file reference. Where in the risk management file the finding was recorded, closing the traceability loop.

Written this way, a review from eighteen months ago can be rerun by someone who has never seen it and produce the same scope. That reproducibility is what turns a search into evidence.

Field data from similar devices

One of the more useful and underused allowances in the standard is that data from similar devices can inform your probability estimates. ISO 14971 and the companion technical report ISO/TR 24971 acknowledge that when your own device has thin history, the field experience of comparable products is legitimate evidence for how likely a hazardous situation really is.

In MAUDE, the practical unit for this is the FDA product code. Searching at the product-code level rather than by a single brand name widens the lens to the whole device family, which is what a risk analyst usually wants when scoping new or emerging risks. The free MAUDE lookup lets you search that way directly.

Keeping the risk management file current

The failure mode here is rarely the initial analysis. It is the year-two drift, when the device is selling, the field is generating reports, and the risk file has not been touched since clearance. A surveillance cadence that reviews your device and its peers on a fixed schedule, and routes anything new back into the file before the next management review, is what turns ISO 14971 from a launch document into the lifecycle process it is meant to be.

A workable cadence does not have to be elaborate:

  1. Weekly. An automated scan of new adverse events for your product codes, flagging anything statistically unusual rather than reading every report.
  2. Monthly. A short triage of the flags, deciding which warrant a documented review and which are noise.
  3. Quarterly. A formal post-production review recorded in the risk management file, with the scope and dispositions captured as above.
  4. Annually. A management review that confirms the benefit-risk conclusion still holds in light of the year’s findings.

For the broader picture of how that monitoring fits together, see our guide to post-market surveillance, or compare a continuous approach with the usual one-off search in Claripulse vs. manual MAUDE search.

Frequently asked questions

What is ISO 14971?

ISO 14971 is the international standard for applying risk management to medical devices. It defines a process to identify hazards, estimate and evaluate the associated risks, control those risks, and monitor the effectiveness of the controls across the entire device lifecycle, from design through post-production.

What changed in ISO 14971:2019?

The 2019 revision strengthened the production and post-production requirements, gave benefit-risk analysis a more explicit role, and tightened integration with the quality management system. In practice it raised the bar for actively collecting and reviewing real-world information after a device is on the market, and feeding it back into the risk management file. Most of the how-to guidance moved into the companion technical report ISO/TR 24971.

What goes in a risk management file?

The risk management file is the body of records that demonstrates risk management was actually performed. It typically includes the risk management plan, the risk analysis with identified hazards and hazardous situations, the risk evaluation and acceptability decisions, the risk controls and their verification, the residual risk and overall benefit-risk conclusions, and the production and post-production review records. The standard emphasizes traceability: each hazard should trace through to its controls and the evidence that they work.

What is benefit-risk analysis under ISO 14971?

Benefit-risk analysis is the judgment that the overall residual risk of a device is outweighed by its clinical benefit. ISO 14971:2019 made this more explicit, both for individual residual risks that cannot be reduced further and for the overall residual risk of the device. Post-production data can shift that balance, which is why new field information has to be reviewed against the original conclusion.

What is the difference between a hazard, a hazardous situation, and harm?

In ISO 14971 a hazard is a potential source of harm, a hazardous situation is the circumstance in which people, property, or the environment are exposed to that hazard, and harm is the actual injury or damage that results. The risk analysis works out the sequences of events that connect a hazard to a hazardous situation and then to harm, and estimates the probability and severity along that chain.

How do you use the FDA MAUDE database for ISO 14971 risk management?

MAUDE is a post-production information source under the standard. Teams review adverse event reports for their own device and for similar devices in the same product code to identify failure modes, confirm or revise probability and severity estimates, and document new or previously unrecognized hazards in the risk management file with traceable references.

Can you use adverse event data from similar devices in a risk analysis?

Yes. ISO 14971 and its companion technical report ISO/TR 24971 recognize that field data from similar devices can inform probability estimation, which is useful when your own device has limited history. The informative annex on the probability of harm discusses how that probability can be reasoned about from available data.

What is ISO/TR 24971?

ISO/TR 24971 is the technical report that provides guidance on applying ISO 14971. When the 2019 revision slimmed the standard down to requirements, much of the practical how-to, including worked examples and methods for estimating the probability of harm, was placed in ISO/TR 24971. It is not itself a requirement, but it is the natural reference for implementing the standard.

Is ISO 14971 required by the FDA?

ISO 14971 is not a statute, but it is the recognized standard for medical device risk management worldwide and is effectively expected by major regulators. The FDA's Quality Management System Regulation aligns U.S. requirements with ISO 13485, which embeds risk-based thinking throughout the quality system. In the EU, EN ISO 14971 is the harmonized version used to support conformity with the Medical Device Regulation.


This guide analyzes publicly available FDA MAUDE data. It does NOT provide medical advice. MAUDE data is de-identified. Do not attempt re-identification.