Patient Guard

ISO 14971 and the Risk Management of Medical Devices


Medical Device Risk Management

ISO 14971 and the risk management of medical devices play an integral part in demonstrating product safety throughout the life cycle of a medical device. In fact, the focus of all global medical device regulations relates to risk and how it is mitigated, in order to demonstrate that the clinical benefit of using the medical device outweighs the risks associated with using it.


What is ISO 14971?

ISO 14971 is an international standard, a set of ‘state of the art’ and best practice principles adopted by medical device manufacturers. The standard sets out how risks should be identified, assessed for severity and likelihood of occurrence, and controlled; how each risk should be re-assessed once control measures are in place; and how the residual risks introduced by those control measures should be evaluated.

It provides a framework to follow to assess risk at each stage of the product life cycle:

  • Design
  • Manufacturing
  • Packaging
  • Transport
  • Storage
  • Use
  • Obsolescence/disposal

The standard is a harmonised/consensus standard. This means that it should be used to demonstrate medical device compliance for the aspects of risk management in accordance with medical device regulations. This includes EU MDR 2017/745, EU IVDR 2017/746, UK MDR 2002 and FDA CFR 21.

ISO 14971 Risk Management Plan

The first aspect to consider when implementing ISO 14971 is planning. A risk management plan should be developed to demonstrate how risk management will take place. This should be a set of instructions detailing in what form risk management activities will be conducted, the type of risk management principles that will be applied (FMEA for example). It should set out the criteria for what constitutes an acceptable risk compared to an unacceptable risk, and what the actions are based on the risk acceptability criteria.

The risk management plan should include the stages at which risk management should take place, and who should be involved in risk management activities. It should also include when and how risk management should take place in relation to post-market surveillance and vigilance activities, for example following an adverse incident relating to the use of the medical device that was not foreseen when the risks of the device were originally assessed.

The aim of the plan is to ensure that medical device manufacturers reduce risks to as low as possible. Risk management is an ongoing process, and its documentation is continually kept up to date within the risk management file.

Each medical device type should have its own risk management documentation; this is usually kept with the technical documentation in the medical device file.


ISO 14971 Risk Identification

Manufacturers of medical devices are responsible for identifying all the known and foreseeable risks associated with the use of the medical device, both within its intended use and under reasonably foreseeable misuse. The risks should be assessed in both normal and fault conditions. Here is an example taken from Annex C of the ISO 14971 standard of how this information should be presented.

Risk Identification

A table taken from Annex C of ISO 14971. The table shows the identification of hazards, hazardous situations and harm from risks associated with medical devices.

ISO 14971 Risk Analysis

Once risks have been identified they should be assessed based on their severity and likelihood of occurrence. They should also be assessed for acceptability based on the level of risk identified. One way this can be done is through FMEA.

Severity is given a number from 1 to 5, with 1 being the lowest and 5 the highest, and likelihood of occurrence is scored the same way. It's important to remember that the severity of an identified risk will always remain the same, even after control measures have been put in place; only the likelihood can be moved to a lower number once the risk has been mitigated and controlled.

Here is an example of how risk acceptability works. The numbers in the green section are generally considered to be acceptable risks that have been reduced to as low as possible. Numbers in the orange section are medium-level risks and need to be assessed to see if they can be reduced further; if they cannot, they need to be assessed to see whether the risk is considered acceptable when weighed against the benefit of using the device. Numbers in the red zone are not acceptable risks and need to be reduced further. If these risks cannot be reduced further by control measures, the manufacturer needs to consider redesigning the device, changing its manufacturing, changing its intended use, and so on, to ensure the risk is removed or brought down to an acceptable level.

Let’s go back to our example of the identified risks, and let's assume the risk management group have reviewed all the potential risks in terms of their severity and considered the likelihood of them occurring:

They would then see that the three risks identified, once risk scores have been applied, are not in the green zone, and therefore are not acceptable and need to have control measures put in place to reduce the risk to as low as possible.

Risk Scoring Chart

ISO 14971 Risk scoring table

Identified Hazards with Risk Scoring

ISO 14971 Table showing risk analysis of a medical device with FMEA risk scores included.

ISO 14971 Risk Evaluation

Once risk control and mitigation factors have been put in place, the manufacturer should assemble the risk management team to evaluate the risk control measures to ensure that the risk has been reduced to as low as possible. They should also evaluate any residual risks that remain after the control measures have been put in place by performing the risk analysis of the control measure against the original risk identified. If the control measures do not mitigate the risk to an acceptable level, then they should take action such as redesign, changes in manufacturing and so on, and then assess the risk again.

In some cases, the implementation of a control measure may introduce new risks. In this case these new risks should be documented, and the process described above followed.
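The scoring and re-evaluation loop described in the Risk Analysis and Risk Evaluation sections above (severity fixed, likelihood lowered by controls, controls able to introduce new risks that enter the same process) is small enough to model as a risk register. The following Python is an added example written for this article, not code from Patient Guard or from ISO 14971. The green/orange/red cut-offs on the severity × likelihood product are assumptions chosen for the example, since the article's scoring chart is an image, and the three hazards and their scores are constructed sample data, not the Annex C table.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Assumed acceptability cut-offs on the severity x likelihood product (1..25).
# The article's scoring chart is an image, so these bands are illustrative choices
# for this example, not values taken from ISO 14971.
GREEN_MAX = 4    # 1..4   acceptable, reduced as low as possible
ORANGE_MAX = 12  # 5..12  reduce further if possible, otherwise justify against benefit
                 # 13..25 not acceptable, must be reduced


@dataclass
class Risk:
    hazard: str
    hazardous_situation: str
    harm: str
    severity: int    # 1 (lowest) .. 5 (highest); does not change once assessed
    likelihood: int  # 1 (lowest) .. 5 (highest); reduced by control measures
    controls: List[str] = field(default_factory=list)
    score_history: List[int] = field(default_factory=list)  # score before each control

    def __post_init__(self) -> None:
        for value in (self.severity, self.likelihood):
            if not 1 <= value <= 5:
                raise ValueError("severity and likelihood must be integers from 1 to 5")

    @property
    def score(self) -> int:
        return self.severity * self.likelihood

    @property
    def zone(self) -> str:
        if self.score <= GREEN_MAX:
            return "green"
        if self.score <= ORANGE_MAX:
            return "orange"
        return "red"


def apply_control(register: List[Risk], risk: Risk, control: str,
                  new_likelihood: int, introduced: Iterable[Risk] = ()) -> str:
    """Record a control measure on `risk`, re-score it, and log any new risks the
    control introduces into the same register. Severity is deliberately untouched:
    a control can only keep or lower the likelihood. Returns the zone after the control."""
    if not 1 <= new_likelihood <= risk.likelihood:
        raise ValueError("a control measure may only keep or lower the likelihood")
    risk.score_history.append(risk.score)
    risk.controls.append(control)
    risk.likelihood = new_likelihood
    register.extend(introduced)  # new risks go through the same identify/analyse/control loop
    return risk.zone


def evaluate(register: List[Risk]) -> Dict[str, List[str]]:
    """Group hazards by zone: red = must be reduced, orange = reduce further or justify
    against clinical benefit, green = acceptable."""
    result: Dict[str, List[str]] = {"red": [], "orange": [], "green": []}
    for risk in register:
        result[risk.zone].append(risk.hazard)
    return result


def run_example() -> Dict[str, List[str]]:
    """Constructed sample register for a hypothetical powered device (not the Annex C table)."""
    register = [
        Risk("Electrical energy", "Leakage current reaches patient", "Electric shock", 5, 4),
        Risk("Sharp edge on housing", "User handles device during cleaning", "Laceration", 3, 3),
        Risk("Loss of output", "Pump stops silently during therapy", "Under-dosing", 4, 4),
    ]
    shock, edge, pump = register
    # Initial analysis: none of the three is in the green zone, so all need controls.
    assert evaluate(register)["green"] == []

    apply_control(register, shock, "Reinforced insulation on patient-connected parts", 1)
    apply_control(register, edge, "Radius all external edges", 1)
    # An alarm lowers the likelihood of an unnoticed pump stop but introduces its own
    # risk, which is logged and assessed like any other.
    alarm_fatigue = Risk("Nuisance alarms", "User silences or ignores alarms", "Delayed response", 2, 3)
    apply_control(register, pump, "Audible and visual stop alarm", 2, introduced=[alarm_fatigue])
    apply_control(register, alarm_fatigue, "Alarm prioritisation and escalation logic", 1)
    return evaluate(register)


if __name__ == "__main__":
    for zone, hazards in run_example().items():
        print(f"{zone:6s}: {hazards}")
```

Running it leaves the electrical hazard in the orange zone even at likelihood 1, because its severity of 5 cannot be reduced by a control; that is exactly the case the article describes where the manufacturer must either redesign or justify the residual risk against clinical benefit in the risk-benefit assessment.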

Looking at our example above, here we describe what the risk evaluation may look like:


Evaluation of Risks once Risk Control measures have been implemented

ISO 14971 table showing a control measure and then the process of performing risk analysis against the control measure and the original risk identified.

ISO 14971 Risk-Benefit Assessment

Once the device is in its final finished form, ready for release, the Risk Management Team should evaluate the overall risk documentation that has been generated and decide whether the residual risks are acceptable. They should also confirm that all residual risk information, wherever a risk is still possible, is documented both on the medical device labelling, in the form of symbols following ISO 15223-1, and in the instructions for use, providing the end user with important information on how to use the device safely.

In this review all the risks and residual risks should be assessed against the clinical intended use of the device. The team should confirm that the overall risks associated with using the device as intended are outweighed by the benefits of using the device for its intended purpose.

Continual review

Risk Management doesn’t end when a medical device has been launched and is on the market. The risk management team should regularly check the post market surveillance data being generated from within the Quality Management System from manufacturing records, customer feedback, customer complaints, adverse incidents and review of data being generated about other similar devices placed on the market such as from competitor devices.

New unforeseen risks should be logged and assessed on an ongoing basis and control measures put in place including re-design or manufacturing changes if needed. The manufacturer should also take into account the risks associated with withdrawal or discontinuation of the medical device.

Patient Guard

We hope you found this article useful. It's always important to include someone with medical device regulatory experience on your medical device risk management team, to help navigate any regulatory requirements or changes which may impact you and your medical devices. If you would like to discuss this with us, then please contact us for a discussion on how Patient Guard can assist you in this area.
