ISO 14971 Risk Management: 12 FAQs answered


    We've gathered in this post all the commonly asked questions about the ISO 14971 Standard together with expert answers. Read on below to see the answers.



    What is ISO 14971?

    ISO 14971 (or to give it its full title ISO 14971:2019 - Medical Devices - Application of risk management to medical devices) is a Standard that was developed specifically for manufacturers of medical devices on the basis of established principles of risk management that have evolved over many years.

    The Standard can also be used as guidance in developing and maintaining a risk management process for products that are not medical devices (permitted in some jurisdictions), and by suppliers and other parties involved in the medical device life cycle.

    The study of this Risk Management Standard is a vital addition to an ISO 13485 Course for those implementing and/or maintaining a medical device quality management system (QMS).

    For more information visit ISO 14971:2019 on the ISO website.


    What is the purpose of ISO 14971?

    The purpose of the Standard is to specify the processes for managing risks associated with medical devices. Risks can be related to injury, not only to the patient but also to the user and other persons. Risks can also be related to damage to property (for example, objects, data, other equipment) or the environment.

    Risk management is a complex subject because each stakeholder can place a different value on the acceptability of risks in relation to the anticipated benefits. The concepts of risk management are particularly important in relation to medical devices because of the variety of stakeholders including medical practitioners, the organizations providing health care, governments, industry, patients, and members of the public.


    What are the benefits of using ISO 14971?

    It is generally accepted that the concept of risk has two key components …

    • the probability of occurrence of harm; and
    • the consequences of that harm, that is, how severe it might be.

    All stakeholders need to understand that the use of a medical device involves an inherent degree of risk, even after the risks have been reduced to an acceptable level. It is well known that in the context of a clinical procedure some residual risks remain. The acceptability of a risk to a stakeholder is influenced by the key components listed above and by the stakeholder's perception of the risk and the benefit.

    Each stakeholder's perception can vary depending upon their cultural background, the socio-economic and educational background of the society concerned, and the actual and perceived state of health of the patient.

    The way risk is perceived also considers other factors, for example, whether exposure to the hazard or hazardous situation seems to be involuntary, avoidable, from a man-made source, due to negligence, arising from a poorly understood cause, or directed at a vulnerable group within society.

    As one of the stakeholders, the manufacturer reduces risks and makes judgments relating to the safety of a medical device, including the acceptability of residual risks. The manufacturer considers the generally acknowledged state of the art to determine the suitability of a medical device to be placed on the market for its intended use.

    The Standard specifies a process through which the manufacturer of a medical device can identify hazards associated with the medical device, estimate, and evaluate the risks associated with these hazards, control these risks, and monitor the effectiveness of the controls throughout the life cycle of the medical device.

    The decision to use a medical device in the context of a particular clinical procedure requires the residual risks to be balanced against the anticipated benefits of the procedure. The Standard and its companion guidance document, ISO/TR 24971, direct the manufacturer in making such decisions.
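    As an added illustration (not code from this post, the Standard, or any product), the following Python models one line of a risk management file and walks it through the process described above: estimate the probability of harm as P1 (the hazardous situation occurs) times P2 (the situation leads to harm), evaluate the combination of probability and severity against an acceptability rule, apply a risk control, and re-evaluate the residual risk. The severity and probability scales, the probability bands, the acceptability rule, the P1/P2 split and the infusion-pump hazard are constructed assumptions for the example; a manufacturer defines its own criteria in its risk management plan.

```python
"""ISO 14971-style hazard record: estimate, evaluate, control, re-evaluate.

Added illustration, not code from the page or from the Standard. The probability
bands, the acceptability rule and the sample infusion-pump hazard are constructed
for the example; a manufacturer defines its own criteria in its risk management plan.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


class Probability(IntEnum):
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


# Constructed bands: probability of harm per use -> qualitative level.
PROBABILITY_BANDS = [
    (1e-2, Probability.FREQUENT),
    (1e-3, Probability.PROBABLE),
    (1e-4, Probability.OCCASIONAL),
    (1e-5, Probability.REMOTE),
]


def probability_level(p_harm: float) -> Probability:
    """Map a numeric probability of harm onto the qualitative scale."""
    for threshold, level in PROBABILITY_BANDS:
        if p_harm >= threshold:
            return level
    return Probability.IMPROBABLE


def acceptability(severity: Severity, probability: Probability) -> str:
    """Constructed acceptability rule standing in for a risk matrix.

    Returns 'unacceptable', 'reduce further' or 'acceptable'.
    """
    if severity == Severity.CATASTROPHIC and probability > Probability.IMPROBABLE:
        return "unacceptable"  # catastrophic harm is tolerated only when improbable
    index = int(severity) * int(probability)
    if index >= 12:
        return "unacceptable"
    if index >= 6:
        return "reduce further"  # needs further control or benefit-risk justification
    return "acceptable"


@dataclass
class RiskControl:
    measure: str
    p1_factor: float = 1.0   # multiplies P1 (0.01 = hundredfold reduction)
    p2_factor: float = 1.0   # multiplies P2
    verified: bool = False   # implementation and effectiveness verified (ISO 14971:2019, 7.2)


@dataclass
class HazardRecord:
    """One line of a risk management file: hazard -> hazardous situation -> harm."""
    hazard: str
    hazardous_situation: str
    harm: str
    p1: float          # probability that the hazardous situation occurs (per use)
    p2: float          # probability that the hazardous situation leads to the harm
    severity: Severity
    controls: list = field(default_factory=list)

    def probability_of_harm(self, with_controls: bool = True) -> float:
        p1, p2 = self.p1, self.p2
        if with_controls:
            for c in self.controls:
                if c.verified:   # an unverified control earns no credit
                    p1 *= c.p1_factor
                    p2 *= c.p2_factor
        return p1 * p2

    def evaluate(self, with_controls: bool = True) -> tuple:
        level = probability_level(self.probability_of_harm(with_controls))
        return level, acceptability(self.severity, level)


def build_example_record() -> HazardRecord:
    """Constructed sample hazard for an infusion pump (not a real device record)."""
    return HazardRecord(
        hazard="software fault in dose-rate calculation",
        hazardous_situation="pump delivers a higher rate than programmed",
        harm="drug toxicity",
        p1=1e-3, p2=0.5, severity=Severity.CRITICAL,
    )


if __name__ == "__main__":
    rec = build_example_record()
    print("initial:", rec.evaluate())                   # OCCASIONAL, unacceptable
    ctrl = RiskControl("independent hardware dose-rate limit", p1_factor=0.01)
    rec.controls.append(ctrl)
    print("control not yet verified:", rec.evaluate())  # still unacceptable
    ctrl.verified = True
    print("residual:", rec.evaluate())                  # IMPROBABLE, acceptable
```

    The point the walk-through makes is that a risk control measure only lowers the estimated risk once its implementation and effectiveness have been verified, and that the residual risk is evaluated against the same criteria as the initial risk; the numbers themselves are placeholders.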

    Is the use of ISO 14971 mandatory?

    Yes and No. ISO 13485:2016 Clause 7.1 requires the organization to document one or more processes for risk management in product realization, and a Note adds: 'Further information can be found in ISO 14971'. A Note is informative, so ISO 14971 itself is not mandatory.

    However, almost without exception, manufacturers choose to use ISO 14971 in their medical device quality management systems and so, for practical purposes, you are advised to consider the Standard to be mandatory.

    If you do not use it, you will be challenged by external auditors to demonstrate how you achieved the same level of risk management control by other methods as you would have through the application of ISO 14971.

    Is ISO 14971 intended for Medical Device Manufacturers only?


    No. The Standard may be applied by outsourced medical device manufacturers and by component manufacturers. In addition, there may be cases, such as the distribution of medical devices, where the Standard will be useful. Indeed, there is no reason why the risk management methods of ISO 14971 cannot be applied usefully by many industrial and commercial organizations.


    Do applicable regulatory requirements mentioned in ISO 13485 include ISO 14971 and other ISO Standards?

    In the EU, harmonised standards (the ones published as EN ISO) are formally voluntary: applying them gives a presumption of conformity with the corresponding requirements of the MDR, but a manufacturer may demonstrate conformity by other means. If these Standards are not applied where they could be, auditors will ask for evidence of the alternative methods used to achieve the same end result. Both ISO 14971 and ISO 15223-1:2016 (the medical device labelling symbols Standard) need special mention.

    ISO 14971 is a standard for the application of risk management methods for the safe use of medical devices throughout their life cycle. ISO 13485 Clause 7.1, Planning of product realization, requires a documented risk management process and states in a Note that: 'Further information can be found in ISO 14971'. This means that the use of ISO 14971 itself is not mandatory. However, almost without exception, every medical device manufacturer uses ISO 14971 to address product safety.

    ISO 15223-1, while not mentioned in ISO 13485, is the harmonised standard for the symbols used on labelling; MDR Annex I requires such symbols to conform to harmonised standards or common specifications, so in practice this Standard must be used.

    Where does ISO/TR 24971 apply?

    ISO/TR 24971 (or to give it its full title ISO/TR 24971:2020 - Guidance on the application of ISO 14971) provides guidance to assist manufacturers in the development, implementation, and maintenance of a risk management process for medical devices that aims to meet the requirements of ISO 14971.

    It addresses the application of ISO 14971 to a wide variety of medical devices. These medical devices include active, non-active, implantable, and non-implantable medical devices, software as medical devices, and in vitro diagnostic medical devices.

    The clauses and subclauses in this document have the same structure and numbering as the clauses and subclauses of ISO 14971, to facilitate its use in applying the requirements of the standard.

    The informative Annexes contain additional guidance on specific aspects of risk management and are arguably the most useful part of ISO/TR 24971. The guidance consists of the clauses of ISO/TR 24971:2013 and some of the informative annexes of ISO 14971:2007, which are merged, restructured, technically revised, and supplemented with additional guidance.

    The most frequently read sections of ISO/TR 24971 are …

    • Annex A: Identification of hazards and characteristics related to safety, and
    • Annex B: Techniques that support risk analysis (PHA, ETA, FTA, FMEA, etc.).


    Can we get certified to ISO 14971?

    No. Neither ISO 14971 nor ISO/TR 24971 is a management system Standard that an organization can be certified against; conformity with ISO 14971 is instead assessed as part of an ISO 13485 certification audit or a regulatory conformity assessment. The ISO develops International Standards, such as ISO 9001 and ISO 14001, but is not involved in their certification.

    ISO does not issue certificates. ISO 13485 certification is performed by external certification bodies, so a company or organization cannot be certified by the ISO organization itself.


    Learn about our ISO 14971 Risk Management - Advanced Course


    What's new in the 2019 version of ISO 14971?

    The main changes compared to the previous edition, including the changes to the companion guidance ISO/TR 24971, are ...

    • The clauses of ISO/TR 24971:2013 and some informative annexes of ISO 14971:2007 are merged, restructured, technically revised, and supplemented with additional guidance in ISO/TR 24971:2020.

    • To facilitate the use of ISO/TR 24971, it employs the same structure and numbering of clauses and subclauses as ISO 14971:2019. The informative annexes contain additional guidance on specific aspects of risk management.

    • While the previous edition of ISO 14971 was a complete document addressing risk management for medical devices, the current version is not.

      ISO 14971 now covers the required risk management process, while the tools needed to implement risk management (PHA - Preliminary Hazard Analysis, ETA - Event Tree Analysis, FTA - Fault Tree Analysis, various types of FMEA, HACCP, etc.) are covered in ISO/TR 24971. You will need to purchase both documents to have 'a complete picture'.

    Why isn't a Failure Modes and Effects Analysis (FMEA) enough?

    Until now, using Failure Modes and Effects Analysis (FMEA) on its own has been common practice. But FMEA alone will no longer be accepted by external auditors.

    FMEA is a bottom-up technique that starts from component or process failures, so by itself it does not identify hazards that arise without any failure, such as use errors or hazards inherent in normal operation. The 2019 edition makes clear that risk management is required throughout the medical device's life cycle, from initial product concept through to end-of-life disposal. While some FMEAs may cover part of that life cycle, other tools such as PHA (Preliminary Hazard Analysis), HACCP (for manufacturing processes), use-related FMEA, etc., will be required as well.

    What does the life cycle approach mean in practice?

    As mentioned above, the life cycle approach goes from the initial design concept to end-of-life disposal. 

    A Risk Management File is required to retain the risk management history for a device or device type.  This includes not only the use of a variety of risk management tools but also the revision and updating of the tools and associated records based on production and post-production data, post-market surveillance data, field notices, root causes of recalls, etc.


    Learn about our ISO 14971 Risk Management - Foundation Course


    Do Internal Auditors need training in ISO 14971?

    If your Internal Auditors are to be able to audit the risk management methods used and their effectiveness, training in ISO 14971 is essential. Hence, we developed the ISO 14971 Risk Management for Medical Devices - Foundation Course (8 hours approx.).




    Got a Question we haven't answered?

    We'd love to hear it and, if possible, answer it for you.  Just use our Support Ticket System.  You'll find a Knowledge Base there that might have an immediate answer for you. Otherwise, fill in a Ticket.

    For more visit deGRANDSON Support Ticket.



    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems