Risk Management ISO Standards – ISO 14971: 2019 and ISO TR 24971: 2019


The definitive risk management standard for medical devices – ISO 14971: 2019 – Medical Devices – Application of Risk Management – and the accompanying guidance on its application – ISO TR 24971: 2019 – were revised in December 2019. These revisions give device manufacturers more clarity on critical aspects of hazard identification, risk concepts and techniques, the importance of the risk management plan, and end-to-end traceability, so that risk is effectively managed across all stages of the product life-cycle.

While the foundation and structure of the risk management process have remained unchanged from previous versions, the 2019 revision contains specific information on aspects such as:

  • Quality management system integration.
  • Extension into the post-production activities.
  • Applicability to Software as a Medical Device (SaMD) and in vitro diagnostic (IVD) devices and data security.
  • Criteria for acceptability of overall residual risks.
  • Benefit-risk analysis.

Clause 5.4 of ISO 14971: 2019 has been rewritten to stress the requirement to consider risks during normal operation, rather than relying on tools that only address fault conditions, such as Failure Modes & Effects Analysis (FMEA). Under ISO 14971, risk has only two components – probability (occurrence) and severity (consequence) – with no consideration of detectability as used in FMEA. The reasoning is that detectability only influences the probability of an event occurring, and can be accounted for by suitable adjustment of the occurrence scale. Since ISO 14971 provides a framework for risk management of medical devices aimed at reducing the risk of harm to users, detectability serves no useful purpose as a risk control measure unless the end-user can detect the specific risk and react effectively in real time. In process FMEAs, for instance, detection (of failures that may pose hazards, rather than harms) has historically been used as a significant measure for reducing the probability of the harm actually occurring, on the assumption that the detected condition can be acted upon effectively, such as during production processes.

It is worth mentioning that ISO 14971 defines risk as the combination of the probability of occurrence of harm and the severity of that harm, whereas FMEA is about the probability of occurrence of a failure and severity of the consequences of the failure. As the common terms probability and severity represent very different entities with low correlation in these scenarios, care is required when applying these terms to FMEA and to risk management.

Management of risk occurs in three steps:

  1. Hazard identification.
  2. Risk assessment (i.e. analysis and evaluation).
  3. Risk control.

Starting the risk management process with the preliminary identification of hazards associated with the particular design and characteristics of the device, and then estimating the risk of the hazardous situations that result from a sequence of events, yields the risks before any risk control measures are applied.

In the next step, the identified hazardous situations are considered for applying appropriate risk control measures one at a time and estimating risks for potential harm to users. Accordingly, two probabilities come into play: 1) the probability of the hazard resulting in a hazardous situation, and 2) the probability of the hazardous situation resulting in harm. The probability of occurrence of harm is the product of these two probabilities. Incidentally, use of the terms ‘pre-mitigation’ and ‘post-mitigation’ risks to characterize these two phases is considered inappropriate, as mitigation applies to acceptance of residual risks, rather than reduction of risk accomplished through risk control measures.

Two risk analysis tools particularly useful in the identification of hazards, hazardous situations, risk control measures and harm are the Preliminary Hazard Analysis and Fault Tree Analysis. Use of these top-down analysis tools should lay the foundation for risk analysis and serve as precursors for subsequent assessment of risks under fault conditions and failure modes. A combination of the analyses using the top-down and bottom-up (e.g. FMEA) tools would provide manufacturers a robust assessment of risks; on its own FMEA is not risk management as represented by ISO 14971.

To accommodate the addition of new or revised standards under the ‘generally acknowledged state of the art’ and align with ISO 13485: 2016 requirements, Clause 10 of both the ISO 14971: 2019 Standard and the Guidance have been substantially revised, to include monitoring of production and post-production information. The requirements for information collection, review and determination of information relevant to safety, both for the particular device and for the risk management process, largely align with post-market surveillance activities, including post-market clinical follow-up (PMCF) sought by regulatory bodies.

ISO TR 24971: 2019 provides guidance on benefit-risk analysis, by helping in estimation of anticipated benefits, based on positive impact on clinical outcomes and related factors, and then providing criteria for comparing benefit and risk, to determine if the overall residual risk is outweighed by the benefits.

Due to the complexity of medical devices, the variety of approaches to the life-cycle, and the iterative nature of risk management, end-to-end traceability is fundamental to ensuring that all steps of the risk management process have been applied and that identified hazards have the appropriate risk controls in place. This level of traceability, linking individual hazards to the corresponding requirement and testing, can pose a challenge for device manufacturers; while any of several techniques may be adopted, one example of how risk management activities can be summarized in a traceable manner is available in Annex C of GHTF/SG2/N15R8 – Implementation of risk management principles and activities within a Quality Management System.
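The following is an added illustration, not part of the original post or of the standard itself: it models the hazard → hazardous situation → harm chain from the risk estimation discussion above, with P(harm) = P1 × P2 and risk controls applied one at a time, and a check for the hazard-to-requirement-to-test traceability described in this paragraph. The severity scale, the P1/P2 scaling factors on a control, and the SaMD hazard data are constructed assumptions; ISO 14971 leaves the actual scales and criteria to the manufacturer's risk management plan.

```python
from dataclasses import dataclass, field

# Constructed qualitative severity scale; ISO 14971 leaves the actual scale to the manufacturer.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}

@dataclass
class RiskControl:
    control_id: str
    requirement_id: str      # design requirement implementing the control
    verification_id: str     # test record showing the control is effective
    p1_factor: float = 1.0   # assumed scaling of P1: hazard -> hazardous situation
    p2_factor: float = 1.0   # assumed scaling of P2: hazardous situation -> harm

@dataclass
class HazardousSituation:
    hazard_id: str
    harm: str
    severity: str
    p1: float                # P(hazard leads to hazardous situation), before controls
    p2: float                # P(hazardous situation leads to harm), before controls
    controls: list = field(default_factory=list)

    def probability_of_harm(self, with_controls=True):
        p1, p2 = self.p1, self.p2
        if with_controls:
            for c in self.controls:       # controls are applied one at a time
                p1, p2 = p1 * c.p1_factor, p2 * c.p2_factor
        return p1 * p2                    # P(harm) = P1 * P2 as in ISO 14971

    def risk(self, with_controls=True):
        return self.probability_of_harm(with_controls) * SEVERITY[self.severity]

def traceability_gaps(situations):
    """Hazards with no control, or controls not linked to both a requirement and a test."""
    gaps = []
    for hs in situations:
        if not hs.controls:
            gaps.append((hs.hazard_id, "no risk control"))
        for c in hs.controls:
            if not (c.requirement_id and c.verification_id):
                gaps.append((hs.hazard_id, f"{c.control_id} lacks requirement/verification link"))
    return gaps

# Constructed SaMD example: an unauthenticated service interface (hazard) could let a
# remote party change alarm thresholds (hazardous situation), delaying treatment (harm).
HS_01 = HazardousSituation("HZ-01", "delayed treatment", "serious", p1=0.2, p2=0.5,
                           controls=[RiskControl("RC-01", "REQ-117", "TST-204", p1_factor=0.1)])
# Constructed hazard deliberately left without a control, to exercise the traceability check.
HS_02 = HazardousSituation("HZ-02", "minor skin irritation", "minor", p1=0.3, p2=0.1)
```

Comparing `HS_01.risk(with_controls=False)` with `HS_01.risk()` gives the risk before and after the control, which is the comparison the overall residual risk evaluation is based on.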


Homi Dalal is a Regulatory Affairs professional with 20 years of experience with reputed multinational organizations, engaged in global medical device regulatory submissions, product life-cycle compliance and post-market activities. Homi is well-versed in medical devices regulations for global markets – United States FDA, European Union CE Mark, Australian TGA, New Zealand MedSafe, and IMDRF/ GHTF recommendations.

As a consultant for Brandwood CKC, Homi provides clients with assistance in achieving regulatory approval for their products in various jurisdictions worldwide. Homi has particular expertise in Risk Management across product life-cycle – ISO 14971, AS/ NZS 31000 as well as in depth knowledge of risk assessment methodologies and tools.
