ISO Standard 14971:2019

ISO 14971 — Risk Management.

Application of risk management to medical devices. The globally harmonized framework for systematic hazard identification, risk estimation, risk control, and lifecycle risk monitoring.


ISO 14971 — Risk Management for Medical Devices

ISO 14971:2019 is the internationally recognized standard specifying requirements for manufacturers to establish, document, implement, and maintain an ongoing risk management process throughout the entire lifecycle of a medical device. It provides a systematic framework for identifying hazards, estimating and evaluating associated risks, controlling those risks, and monitoring the effectiveness of risk controls.

Compliance with ISO 14971 is a prerequisite for CE marking under EU MDR 2017/745, referenced in FDA guidance for premarket submissions, required by HSA Singapore, and mandated under the TGA conformity assessment framework. It is the global lingua franca of medical device risk management.

Risk Management Lifecycle

ISO 14971 requires risk management to be an ongoing lifecycle activity — not a one-time design exercise. The process spans from concept through decommissioning and integrates with design controls, production, and post-market surveillance.

Concept & Design

Hazard identification, initial risk analysis, risk control selection, design verification

Development & Verification

Risk control implementation, verification testing, residual risk evaluation

Production

Process FMEAs, production risk controls, IQ/OQ/PQ validation activities

Post-Market

PMS data review, complaint trending, vigilance reporting, risk file updates

Relationship to ISO 13485 and Regulatory Submissions

ISO 13485:2016: Section 7.1 of ISO 13485 requires risk management activities throughout product realization. ISO 14971 is the implementation standard satisfying this requirement. The risk management file is a mandatory QMS record.
EU MDR 2017/745: Annex I General Safety and Performance Requirements mandate risk management per ISO 14971. Risk-benefit analysis is required for all risks and the Technical Documentation must include the complete risk management summary.
FDA 510(k) / De Novo / PMA: FDA guidance references ISO 14971 as the recognized standard for risk management. Risk analyses are required in premarket submissions. Software risk analysis (IEC 62304) must align with the ISO 14971 risk framework.
HSA Singapore: HSA requires technical files to include risk management documentation aligned with ISO 14971. Audit findings frequently cite inadequate hazard identification and missing risk control verification.

Key Terminology (ISO 14971:2019)

Hazard

Potential source of harm (e.g., electrical energy, sharp edge, toxic substance, software bug).

Hazardous Situation

Circumstance in which people, property, or the environment are exposed to one or more hazards.

Harm

Physical injury or damage to the health of people, or damage to property or the environment.

Severity

Measure of the possible consequences of a hazard. Rated on a defined scale (Negligible → Catastrophic).

Probability of Harm

P(harm) = P(hazardous situation) × P(harm | hazardous situation). Both factors must be considered.

Risk

Combination of the probability of occurrence of harm and the severity of that harm. Risk = Severity × Probability.

Residual Risk

Risk remaining after risk control measures have been taken. Must meet acceptability criteria.

ALARP

As Low As Reasonably Practicable. Risks in the middle zone must be reduced unless cost is grossly disproportionate to benefit.

Risk Management File

Set of records and documents produced by risk management activities. Must be maintained throughout the device lifecycle.
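The estimation rules defined above (the two-factor probability of harm, Risk = Severity × Probability, the ALARP zone and residual risk after a control) carried through as an added Python example; this is not code from the page or from the standard, and the ordinal scales, probability bands, acceptability thresholds and the sample hazard's probabilities are assumptions a manufacturer would replace with those in its own risk management plan.

```python
from dataclasses import dataclass

# Assumed ordinal scales (1 = lowest); a manufacturer defines its own in the
# risk management plan. Probability bands are upper bounds of P(harm) over the
# device lifetime. All values here are illustrative, not from the standard.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROB_BANDS = [(1e-6, 1), (1e-5, 2), (1e-4, 3), (1e-3, 4), (1.0, 5)]
ACCEPTABLE_MAX, ALARP_MAX = 4, 12  # assumed acceptability thresholds on the score


@dataclass
class RiskEstimate:
    p_harm: float          # combined probability of harm
    probability_rank: int  # band the probability falls into
    severity_rank: int
    score: int             # Risk = Severity x Probability (ordinal ranks)
    zone: str              # "acceptable", "ALARP" or "unacceptable"


def probability_of_harm(p_hazardous_situation: float, p_harm_given_situation: float) -> float:
    """P(harm) = P(hazardous situation) x P(harm | hazardous situation)."""
    for p in (p_hazardous_situation, p_harm_given_situation):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return p_hazardous_situation * p_harm_given_situation


def probability_rank(p_harm: float) -> int:
    """Map P(harm) onto the semi-quantitative probability scale (always hits a band)."""
    return next(rank for upper, rank in PROB_BANDS if p_harm <= upper)


def estimate_risk(severity: str, p_hazardous_situation: float, p_harm_given_situation: float) -> RiskEstimate:
    p_harm = probability_of_harm(p_hazardous_situation, p_harm_given_situation)
    pr, sr = probability_rank(p_harm), SEVERITY[severity]
    score = sr * pr
    zone = "acceptable" if score <= ACCEPTABLE_MAX else "ALARP" if score <= ALARP_MAX else "unacceptable"
    return RiskEstimate(p_harm, pr, sr, score, zone)


def residual_risk_after_control(severity, p_hazardous_situation, p_harm_given_situation,
                                situation_reduction=1.0, harm_reduction=1.0) -> RiskEstimate:
    """Re-estimate after a risk control: a control may reduce P(hazardous situation)
    (e.g. a design change) and/or P(harm | hazardous situation) (e.g. a safer
    failure mode). Severity is left unchanged by this simplified model."""
    return estimate_risk(severity, p_hazardous_situation * situation_reduction,
                         p_harm_given_situation * harm_reduction)


if __name__ == "__main__":
    # Constructed hazard: a software bug (a hazard the page lists) that could cause
    # a dose over-delivery. The probabilities are assumed for illustration only.
    before = estimate_risk("critical", 1e-2, 0.05)
    after = residual_risk_after_control("critical", 1e-2, 0.05, situation_reduction=0.01)
    print(before.zone, "->", after.zone)  # unacceptable -> ALARP
```

The residual estimate landing in the ALARP zone means the risk file still needs a documented risk-benefit justification or further control, not a closed item.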