ISO 14971 Risk Analysis Notes


Risk analysis ISO 14971:2019

What is ISO 14971?

ISO 14971 is the international standard that specifies requirements for risk management
systems for medical devices. It explains best practices covering the entire life cycle of
medical devices.

What is the latest version of ISO 14971?

The latest version of ISO 14971 is designated ISO 14971:2019 because it was released in
2019. Prior to this publication there were two earlier versions, ISO 14971:2007 and ISO
14971:2000. The European version of the same standard is referred to as EN ISO 14971.

Does the US FDA recognize the new version of ISO 14971?

The US Food and Drug Administration (FDA) recognizes the new version of ISO 14971,
along with many other regulatory bodies throughout the world.

Does ISO 13485 require ISO 14971?

ISO 13485 mandates a risk analysis and management process for medical devices. ISO
13485 refers to ISO 14971 as guidance for medical device risk management. Learners
can also learn about ISO 13485 with Alison's free course on ISO 13485:2016 - Quality
Management Systems for Medical Devices.

What is the difference between ISO 31000 and ISO 14971?

ISO 31000 versus ISO 14971

ISO 31000 is a general risk management standard which can be applied to any
organization and to any business function.
ISO 14971 is specific to medical devices, and is focused on managing hazards of a medical
device or in-vitro medical devices.

ISO 31000 is applicable to cover the entire life of an organization; relevant to strategies,
decision making, any activity, product, service, asset, project etc.
ISO 14971 is applicable to all stages of a medical device's life-cycle.

ISO 31000 is related to business risk.
ISO 14971 is related to product risk, i.e. medical device.

ISO 31000 caters to all types of risk, such as risks having positive and negative
consequences.
ISO 14971 is focused on managing risks related to medical device hazards. It guides
the risk management process for managing those hazards associated with a medical device.
It also emphasizes risk versus benefit analysis.

If you want to learn about ISO 31000, take Alison's free online course on ISO
31000:2018 - Enterprise Risk Management Framework for Risk Leaders.

Introduction to ISO 14971

The complete name of ISO 14971 is ISO 14971:2019 Medical Devices-Application of Risk
Management to Medical Devices.
ISO Technical Committee ISO TC/210 took part in its standardization process. The current
edition of this standard is its third edition. ISO 14971:2000 and ISO 14971:2007 are the first
and second editions respectively. The standard provides medical device manufacturers with
a framework within which they can apply experience, insight, and judgment to manage risks
associated with the use of medical devices.

[Figure: ISO 14971 - Illustration]

Scope & Exceptions of ISO 14971:2019

Standard's Scope: The requirements of ISO 14971:2019 are applicable to the phases of the life
cycle of a medical device, such that the risks associated with medical devices, their
biocompatibility, data and systems security, electricity, moving parts, radiation, and usability
are addressed thoroughly.
Exclusions from the Standard's Scope: The requirements of ISO 14971:2019 exclude the following
from its scope:
• Decisions regarding the use of a medical device in the context of any specific clinical
procedure. This is because it is not a manufacturer's concern, rather it is the concern of
medical practitioners.
• Business risk management

The Reason to Update ISO 14971

Medical devices need to be managed regarding the risks they can pose. Therefore, proper
risk management needs to be carried out during the entire life cycle of a medical
device. The International Organization for Standardization has devised the standard ISO
14971 to help companies carry out the proper risk management process for their
products. Recently, a few changes were made to ISO 14971 and its Technical Report,
ISO TR 24971, and the updated versions of both were released as ISO 14971:2019 and
ISO/TR 24971:2020, respectively.

The updated version comes with revisions in the interpretation of the primary risk
management process. In addition, the updated version also contains a discussion of the
Risk Management System alongside the risk management process.

What were the Reasons to Update ISO 14971?

Difficulty in Navigation: The previous versions of ISO 14971 were hard to navigate. They
also contain inefficient information regarding the safety of medical devices.
Lack of Guidance in Risk Management: Earlier versions of ISO 14971 failed to guide the
medical device manufacturers regarding risk management, hence were unable to complete
the standard criteria.
Use of Outdated Definitions: The predecessors of ISO 14971 contained old definitions that
do not fulfill risk management requirements for the modern medical device industry.

Correspondence with Other Standards

Apart from the reasons listed above, one of the main reasons to update ISO 14971 was to
align it with the requirements of EU MDR, EU IVDR, and ISO 13485:2016.

To address the shortcomings present in the previous editions of ISO 14971, the International
Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
came together in 2016 to plan changes in the existing standard; the new standard was
released on December 18, 2019. These updates also put their emphasis on the post-market
FDA situation.

Both ISO and IEC also contributed to updating the technical report, i.e., ISO TR 24971. This
technical report provides medical manufacturers with helpful guidance information.

ISO 14971:2019 Versus ISO/TR 24971:2020

ISO 14971:2019: This standard is about the application of risk management to medical devices.
ISO/TR 24971:2020: This guidance is about the application of ISO 14971.

ISO 14971 explains terminology, principles and a process for risk management of
medical devices.
ISO/TR 24971:2020 offers assistance on the development, application and
maintenance of a risk management system for medical devices as per ISO
14971:2019.

ISO 14971 does not mandate the risk management to be an integral part of
QMS based on ISO 13485.
ISO/TR 24971:2020 offers guidance on risk management as an integrated part of the
Quality Management System based on ISO 13485.

ISO 14971 tells the organization what to do for the medical devices' risk management
process.
ISO/TR 24971:2020 explains how to implement the list of "To Dos" in ISO 14971:2019.

Overview of Changes

Overview of changes made in ISO 14971

The newly updated edition of ISO 14971:2019 contains the following changes:

• New terms and definitions
• Additional risk management guidance
• Other requirements regarding production and post-production
• A clause on normative references.

Overview of changes made in ISO TR 24971

The updated edition of ISO TR 24971 contains the following changes:

• Guidance on risk management for in-vitro diagnostic devices
• Risk management plans
• Risk concepts and techniques
• Guidance on hazard detection.

Before the 2019 update of ISO TR 24971, all of this information was present in ISO 14971. Also,
the technical committee (JWG1) and ISO Technical Management Board (TMB) have decided to
list all of the information annexes primarily in ISO TR 24971 instead of ISO 14971.

Major Revisions in ISO 14971:2019

The significant revisions made in ISO 14971:2019 as compared to its predecessors are
as follows:

Clause on Normative References: To comply with the requirements for standardization in Clause 15
of ISO/IEC Directives, Part 2:2018, a clause on normative references has been included in the
third edition. But there are no references here.

Defined Terms: Defined terms are updated and printed in italic so that readers can identify them
in the body of the document. In addition, many defined terms are derived from ISO/IEC Guide
63:2019.

Introduction of New Terms: The terms benefit, reasonably foreseeable misuse, and state-of-the-art
have been introduced and described in the third edition.

Benefit-Risk Analysis: The third edition of ISO 14971 focuses on the benefits that the use of
medical devices can offer. Also, the term Benefit-Risk Analysis has been aligned with the
terminology used in other regulations.

Usage of Process
The term Process, described in the third edition of ISO 14971, can be used to manage risks
associated with medical devices and those related to data and systems security.

Risk Management Plan

A risk management plan describes the method used to determine the overall residual risk
and its acceptability criteria. The process can include collecting and evaluating data and
other literature for the medical device and similar medical devices and other available
products in the market. As a result, acceptability criteria for the overall residual risk can differ
from the acceptability criteria of individual risks.

Requirement to Disclose Residual Risks

After evaluating overall residual risk and its acceptance, the requirements to disclose residual
risks have been shifted and merged into one condition.

Risk Management Report

The Risk Management Plan demands a review of the medical device before its commercial
distribution. The results of this review ought to be documented in the risk management report.

Production & Post-Production Requirement

The third edition contains restructured requirements regarding production and post-production
activities. In addition, detailed information is given regarding the collection of the information. The
clause also lists the actions taken after reviewing the collected data and determining its
relevance to safety.

Information Annexes
In the third edition of ISO 14971, more information and rationale for the requirements have been
given in Annex A. The information covering correspondence between the clauses of the second
edition with the third is provided in Annex B.

Major Updates in ISO 14971

Risk Management Plan


The revised version contains the Risk Management Plan. The standard also shows variations at
different steps while describing the risk management plan. A medical device manufacturer may
need to revise his process drawings accordingly with the standard in this regard.

Risk Analysis (Clause-5.4)

Clause 5.4 on Risk Analysis has been made more precise and specific. The revised passage
says:
“The manufacturer shall identify and document the known and foreseeable hazards
associated with the medical device based on the intended use, reasonably foreseeable
misuse and the characteristics related to safety in both normal and fault conditions.”
The approach to risk analysis is therefore no longer limited to fault condition analysis.
Rather, because of the paragraph above, there are other factors to consider
within the risk management process.

Benefit-Risk Analysis (Clause-7.4)

Clause 7.4 has been renamed Benefit-Risk Analysis. The standard requires a Benefit-Risk
Analysis only for those risks that are declared unacceptable.

Production & Post-Production Activities (Clause-10)

Clause 10 of ISO 14971:2019 has been renamed Production and post-production activities,
and this clause now aligns with clause 8 of ISO 13485, which is on Measurement Analysis and
Improvement. This clause comes with the following changes in the revised version of ISO 14971:

1. Instead of waiting for complaints, clause 10 now focuses on having an active process for
collecting information.

2. Regarding production and post-production information, clause 10 provides guidelines on:


• Establishing a system for collection of production and post-production information
• Reviewing information collected on production and post-production
• The correct action which needs to be taken
• How the correct action should be taken.

3. This clause now requires risk management in post-market surveillance.


Details of Changes Made in ISO TR 24971

The changes made in ISO TR 24971 in its 2019 version consist mainly of
the addition of new Annexes. These annexes are listed below:

Risk Concepts (Annex-D): This Annex refers to Risk Concepts Applied for Medical Devices. This
clause has been deleted from ISO 14971. Instead, it is now redistributed throughout ISO TR
24971 as a numbered clause.

Risk Management for Cyber-security (Annex-F): Annex F is the newly added Annex. It is four
pages long and addresses risk management regarding cyber and data security, along with the
cyber-security process in relation to ISO 14971.

Risk Management File (Annex-G): This annex is beneficial for companies that want to
update their risk management system to comply with the requirements of the edited version of
ISO 14971.

In-Vitro Diagnostic (IVD) Devices (Annex-H): This new annex does not only contain information
on IVD devices; instead, it contains information on all medical devices.

Addition of New Terms & Definitions in ISO 14971

The sub-clauses of clause 3 of ISO 14971:2019 contain new definitions for these
terms:

Benefit (Clause-3.2): The term Benefit is defined as, “Positive impact or desired outcome of
the use of a medical device in the health of an individual, or a positive impact on patient
management or public health.”

Harm (Clause-3.3): The term Harm is defined as “physical injury or damage to the health of
people, or damage to property or the environment.”

Reasonably Foreseeable Misuse (Clause-3.15): The term Reasonably Foreseeable Misuse is
defined as, “Use of a product or system in a way not intended by the manufacturer, but
which can result from readily predictable human behavior.”

State of the Art (Clause-3.28): The term State-of-the-Art is defined as, “Developed state of
technical capability at a given time as regards products, processes, and services, based
on the relevant consolidated findings of science, technology, and experience.”

Other Definitions in ISO 14971

Many defined terms in ISO 14971:2019 are derived from ISO/IEC Guide 63:2019.

Accompanying Documentation: Accompanying Documentation is defined in Clause 3.1
as 'materials accompanying a medical device and containing information for the user or those
accountable for the installation, use, maintenance, decommissioning and disposal of the medical
device, particularly regarding safe use.’
Some important notes are:
• The accompanying documentation can consist of the instructions for use, technical description,
installation manual, quick reference guide, etc.
• Accompanying documentation is not necessarily a written or printed document but could involve
auditory, visual, or tactile materials and multiple media types.

Intended Use or Purpose: Intended Use or Purpose is defined in Clause 3.6 as 'use for which a
product, process or service is intended according to the specifications, instructions and
information provided by the manufacturer.’

In Vitro Diagnostic Medical Device: IVD medical device is defined in Clause 3.7 as 'device,
whether used alone or in combination, intended by the manufacturer for the in-vitro examination
of specimens derived from the human body solely or principally to provide information for
diagnostic, monitoring or compatibility purposes and including reagents, calibrators, control
materials, specimen receptacles, software, and related instruments or apparatus or other
articles.'

Life Cycle: Life Cycle is defined in Clause 3.8 as 'series of all phases in the life of a medical
device, from the initial conception to final decommissioning and disposal.’

Manufacturer: Manufacturer is defined in Clause 3.9 as 'natural or legal person with responsibility
for the design and/or manufacture of a medical device with the intention of making the medical
device available for use, under his name, whether or not such a medical device is designed
and/or manufactured by that person himself or on his behalf by another person(s).’

Some important notes under this definition are:

• The natural or legal person has ultimate legal responsibility for ensuring compliance with all
applicable regulatory requirements for the medical device in the countries or jurisdictions where
it is intended to be made available or sold, unless this responsibility is specifically imposed on
another person by the Regulatory Authority (RA) within that jurisdiction.
• The manufacturer’s responsibilities include meeting both pre-market requirements and post-
market requirements, such as adverse event reporting and notification of corrective actions.
• “Design and/or manufacture” may include specification development, production, fabrication,
assembly, processing, packaging, repackaging, labelling, relabelling, sterilization, installation, or
remanufacturing of a medical device; or putting a collection of devices, and possibly other
products, together for a medical purpose.

Medical Device: Medical Device is defined in Clause 3.1 as 'instrument, apparatus, implement,
machine, appliance, implant, reagent for in vitro use, software, material or other similar or related
article, intended by the manufacturer to be used, alone or in combination, for human beings, for
one or more of the specific medical purposes of

• diagnosis, prevention, monitoring, treatment or alleviation of disease
• diagnosis, monitoring, treatment, alleviation of or compensation for an injury
• investigation, replacement, modification, or support of the anatomy or of a physiological
process
• supporting or sustaining life
• control of conception
• disinfection of medical devices
• providing information by means of in vitro examination of specimens derived from the human
body,

and which does not achieve its primary intended action by pharmacological,
immunological or metabolic means, in or on the human body, but which may be assisted in its
function by such means.'

Learn about medical devices, start this course online on Alison: ISO 13485:2016 - Quality
Management Systems for Medical Devices

Objective Evidence: Objective Evidence is defined in Clause 3.11 as 'data supporting the
existence or verity of something.’ Objective evidence can be acquired with observations,
measurements, tests or by other means.

Post-Production: Post-Production is defined in Clause 3.12 as 'part of the life cycle of the medical
device after the design has been completed and the medical device has been manufactured.’

Procedure: Procedure is defined in Clause 3.13 as 'specified way to carry out an activity or a
process.’

Process: Process is defined in Clause 3.14 as 'set of interrelated or interacting activities that use
inputs to deliver an intended result.’

Residual Risk: Residual Risk is defined in Clause 3.17 as 'risks remaining after risk control
measures have been implemented.’

Risk: Risk is defined in Clause 3.18 as 'combination of the probability of occurrence of harm and
the severity of that harm.’

Risk Analysis: Risk Analysis is defined in Clause 3.19 as 'systematic use of available information
to identify hazards and to estimate the risk.’

Risk Assessment: Risk Assessment is defined in Clause 3.2 as 'overall process comprising a
risk analysis and a risk evaluation.’

Risk Control: Risk Control is defined in Clause 3.21 as 'process in which decisions are made and
measures implemented by which risks are reduced to, or maintained within, specified levels.’

Risk Estimation: Risk Estimation is defined in Clause 3.22 as 'process used to assign values to the
probability of occurrence of harm and the severity of that harm.’

Risk Evaluation: Risk Evaluation is defined in Clause 3.23 as 'process of comparing the estimated
risk against given risk criteria to determine the acceptability of the risk.’

Risk Management: Risk Management is defined in Clause 3.24 as 'systematic application of
management policies, procedures and practices to the tasks of analyzing, evaluating, controlling
and monitoring risk.’

Risk Management File: Risk Management File is defined in Clause 3.25 as 'set of records and
other documents that are produced by risk management.’

Safety: Safety is defined in Clause 3.26 as 'freedom from unacceptable risk.’

Severity: Severity is defined in Clause 3.27 as 'measure of the possible consequences of a
hazard.’

Top Management: Top Management is defined in Clause 3.29 as 'person or group of people who
directs and controls a manufacturer at the highest level.’

Use Error: Use Error is defined in Clause 3.3 as 'user action or lack of user action while using the
medical device that leads to a different result than that intended by the manufacturer or expected
by the user.’

Verification: Verification is defined in Clause 3.31 as 'confirmation, through
the provision of objective evidence, that specified requirements have been fulfilled.’

Lesson Summary

The complete name of ISO 14971:2019 is ISO 14971:2019 Medical Devices-Application
of Risk Management to Medical Devices.

The requirements of ISO 14971:2019 are applicable to the phases of the life cycle of a
medical device, such that the risks associated with medical devices, their biocompatibility,
data and systems security, electricity, moving parts, radiation, and usability are
addressed thoroughly.

The requirements of ISO 14971:2019 exclude the following from its scope:
• Decisions regarding the use of a medical device in the context of any specific clinical
procedure;
• Business risk management.

The third edition of ISO 14971 focuses on the benefits of the use of medical devices.
Also, the term Benefit-Risk Analysis has been aligned with the terminology used in other
regulations.

Usage of Process
The term Process, described in the third edition of ISO 14971, can be used to manage
risks associated with medical devices and those related to data and systems security.

Risk Management Plan

A risk management plan describes the method to determine the overall residual risk and
its acceptability criteria.

Requirements to Disclose Residual Risks

After evaluating overall residual risk and its acceptance, the requirements to disclose
residual risks have been shifted and merged into one single requirement.

Risk Management Report

The Risk Management Plan demands a review of the medical device before its
commercial distribution. The results of this review ought to be documented in the risk
management report.

Production & Post-Production Requirements

The third edition contains restructured requirements regarding production and post-production
activities. In addition, detailed information is given regarding the collection of
the information. The clause also lists the actions to be taken after reviewing the collected
data and determining its relevance to safety.

Information Annexes
In the third edition of ISO 14971, more information and rationale for the requirements
have been given in Annex A. The data covering correspondence between the clauses of
the second edition with the third is provided in Annex B.

The Reason to Update ISO 14971

Medical devices need to be managed regarding the risks they can pose. Therefore,
proper risk management needs to be carried out during the entire life cycle of a
medical device. The International Organization for Standardization has devised the
standard ISO 14971 to help companies carry out the proper risk management
process for their products.

The previous versions of ISO 14971 were hard to navigate. They also contain inefficient
information regarding the safety of medical devices.

Earlier versions of ISO 14971 failed to guide the medical device manufacturers regarding
risk management, hence were unable to complete the standard criteria.

The predecessors of ISO 14971 contained old definitions that do not fulfill risk
management requirements for the modern medical device industry.

Correspondence with Other Standards

To address the shortcomings present in the previous editions of ISO 14971, the
International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC) came together in 2016 to plan changes in the existing standard; the
new standard was released on December 18, 2019. These updates also put their
emphasis on the post-market FDA situation.

Overview of Changes Made in ISO 14971

• New terms and definitions
• Additional risk management guidance
• Other requirements regarding production and post-production
• A clause on normative references.

Overview of Changes Made in ISO TR 24971

• Guidance on risk management for in-vitro diagnostic devices
• Risk management plans
• Risk concepts and techniques
• Guidance on hazard detection.

Details of Changes Made in ISO 14971

Clause 2 of ISO 14971:2019 is entirely new. It deals with Normative References, which is
the requirement of the ISO Technical Management Board. ISO 14971’s clause 2 states
that there are “no normative references.”

In the 2019 version of ISO 14971, clauses have been renumbered and incremented by 1
from this clause onwards.

Addition of New Terms & Definitions

Benefit (Clause-3.2)
Harm (Clause-3.3)
Reasonably Foreseeable Misuse (Clause-3.15)
State of the Art (Clause-3.28)

Risk Management Plan

The revised version contains the Risk Management Plan in Figure 1 of clause 4.1. The
standard also shows variations at different steps while describing the risk management
plan. A medical device manufacturer may need to revise his process drawings
accordingly with the standard in this regard.

Risk Analysis (Clause-5.4)

Clause 5.4 on Risk Analysis has been made more precise and specific. The revised
passage says: “The manufacturer shall identify and document the known and foreseeable
hazards associated with the medical device based on the intended use, reasonably
foreseeable misuse and the characteristics related to safety in both normal and fault
conditions.”

Because many tools are only fault condition analysis, this section now requires the use of
multiple risk analysis tools.

Benefit-Risk Analysis (Clause-7.4)

Clause 7.4 has been renamed Benefit-Risk Analysis. The standard requires a Benefit-Risk
Analysis only for those risks declared as unacceptable.

Production & Post-Production Activities (Clause-10)

Instead of waiting for complaints, clause 10 now focuses on having an active process for
collecting information, and it also requires risk management in post-market surveillance.

Details of Annexes Added in ISO 14971:2019

Rationale for Requirements (Annex-A)

Annex-A helps in clarifying the reasons for having requirements in ISO 14971:2019.

Risk Management Process (Annex-B)

Previously, this annex contained a flowchart that gave an overview of the risk
management process. In the revised version, Annex B includes Risk Management
Process for Medical Devices and a table of correspondence between the standard’s
versions of 2007 to 2020.

Examples of Hazards, Foreseeable Sequences, Events, and Hazardous Situations (Annex-C)

This Annex was previously part of Annex E of ISO TR 24971. Now, it has been moved to
ISO 14971:2019 and contains information on examples of Hazards, Foreseeable
Sequences, Events, and Hazardous Situations.

Details of Changes Made in ISO TR 24971

The changes made in ISO TR 24971 in its 2019 version consist mainly of new Annexes.
These annexes are listed below:

Risk Concepts (Annex-D)
This Annex refers to Risk Concepts Applied for Medical Devices. This clause has been
deleted from ISO 14971. Instead, it is now redistributed throughout ISO TR 24971 as a
numbered clause.

Risk Management for Cyber-security (Annex-F)

Annex F is the newly added Annex. It is four pages long and addresses risk management
regarding cyber and data security, along with the cyber-security process in relation to ISO
14971.

Risk Management File (Annex-G)

This annex is beneficial for companies that want to update their risk
management system to comply with the requirements of the edited version of ISO 14971.

In-Vitro Diagnostic (IVD) Devices (Annex-H)

This new annex does not only contain information on IVD devices; instead, it contains
information on all medical devices.

Module-2

[Figure: ISO 14971:2019 - Illustration]

The two most important aspects of ISO 14971 are the risk management process and benefit-risk
analysis.

Risk Management Process

Clause 4.1 of the revised standard includes the Risk Management steps within its process. The
steps need to be incorporated in a complete plan which incorporates risk analysis, risk
evaluation, risk control, evaluation of overall risk, risk management review, and production and
post-production activities.

Benefit-Risk Analysis
Clause 7.4 has been renamed as Benefit-Risk Analysis. According to ISO 14971:2019, the
Benefit-Risk Analysis will be required only for unacceptable risks. The manufacturers
should determine whether there are any regulatory requirements to consider when conducting a
Benefit-Risk Analysis.

Proactive Processes in Medical Device Risk Management Process

Need for Active Process: Instead of relying on complaints only, this standard stresses the need for
an active process to collect information. This standard will help in showing correspondence to the
post-market surveillance requirements set by the regulators. This standard provides guidelines
on establishing a system that will help gather information regarding production, post-production,
and other information relevant to this clause.

Advantages of Revision: It also helps in reviewing this collected information as well as the
execution of the corrective action afterward. The standard's text on post-market activities is three
times longer in the 2019 version than in its 2007 predecessor. This is because it
requires risk management to be included in post-market surveillance.

Risk Analysis - Clause 5

Risk analysis is conducted on each medical device, and foreseeable hazards are
recognized. Risk is estimated for each hazardous situation. Functionalities that can likely
influence the safety of the medical device are also noted. Risk analysis should also
include combinations of hazardous events that can generate a hazardous situation.
Likely foreseeable combinations of such events should also be assessed.
Updates in clause 5:
ISO 14971:2019 categorically incorporates two important changes:
- IT security threats to the medical device are also reflected in the scope of risk management,
so the risk analysis should consider them as well.
- The risk analysis will now incorporate likely foreseeable misuse of the medical device, such as
use of the device without reading the IFU, i.e. instructions for use.
Example:
When a heel stick is utilized to gather blood from infants for testing, the blood is warmed with a
chemical pack. The sudden rupturing of this chemical pack is a foreseeable effect of the
characteristics of the chemical pack, and the hazardous event is a combination of the heel stick
used for collecting the sample (likely a negligible hazard) and the chemical pad used to ease the
process of sampling. The risk management file is updated accordingly based on all analysis
results.

Risk Evaluation - Clause 6

What is risk evaluation?

Each hazardous situation is further evaluated, and then the organization’s risk acceptability
criteria are employed to verify whether risk mitigation techniques are needed for listed hazards or
not. The outcomes of risk evaluation are also reported in the risk management file.

Risk Evaluation calculation:

Risk evaluation is normally done by multiplying the severity of the hazard by the likelihood of
its occurrence.
Risk Evaluation = Likelihood x Severity of Hazard

 Risk Control - Clause 7


What is control?
Risk control is a risk mitigation process in which unacceptable risk is mitigated through
controls.

 What can go wrong?


At times, controls enforced to mitigate a risk introduce a different hazard. The effectiveness of a
control is measured by re-evaluating the residual risk, i.e., the risk remaining after the control is
implemented. A control is therefore ineffective unless the new risks it introduces are within the
acceptable range or are controlled within acceptable limits.

 Factors to select a control


A risk control is selected based on the following factors:
- Practicality (how useful the implemented control is)
- Simplicity (how easily it can be implemented)
- Economic feasibility (the cost of the control does not affect product profitability)

 What should be done when residual risk is unacceptable ?


If the residual risk is not acceptable, a risk-benefit analysis is performed. When an additional
control is impractical, the risk-benefit analysis should determine whether the medical benefits of
the device surpass its residual risk. An illustration of benefit-risk analysis is presented
on the next page.

 Benefit - Risk Analysis

 Risk Evaluation of Overall Residual Risk - Clause 8


What is risk Evaluation of Overall Residual Risk?

Residual risk evaluation is conducted after all controls are implemented. Any change in any control,
or in the process of medical device functionality, may require re-evaluation of the overall residual risk.

 Risk Management Review - Clause 9


 What is risk management review? As management reviews are conducted for the Quality
Management System, similarly, such reviews should be performed for the risk management
system as well. Before a medical device goes to the commercial market, a risk management
review needs to be done. Based on the review, a risk management report is finalized. The
report should incorporate the outcomes of the review and is incorporated into the overall
risk management file.
 Risk Benefits Analysis: A risk-benefit analysis is conducted when the residual risk is not
tolerable. When incorporating more controls is not reasonable, the risk-benefit
analysis should help the organization decide whether the medical benefits of the device outweigh
the residual risk.

 Production & Post-production Activities - Clause 10


 What is production & Post Production activities? A monitoring system is needed to identify the
performance of the medical device. The monitoring system should be instituted, developed, and
maintained. The outcomes need to be recorded in the risk management file.

 Example
- Updates that come from production incorporate any defects or failures in clinical trials.

- Updates from post-production activities incorporate any customer complaints or product failures
that may increase the risk (as the likelihood of occurrence increases).

 Production & Post-Production Activities


 Clause 10 has been renamed as “Production and post-production activities”. This clause
now corresponds to Clause 8 of ISO 13485 on Measurement Analysis and Improvement,
which deals with:
o Complaint handling

o Customer feedback

o Internal auditing

o Control of non-conforming products

o Data analysis

o Improvements

 Annexes in ISO 14971:2019


 The changes made in ISO 14971 do not encompass the clauses only. Significant changes have
also been made in the annexes of the standard.
o Rationale for Requirements (Annex-A)

This annex clarifies the rationale for requirements in this standard. It can assist those
manufacturers using this standard to learn about the reasons for the requirements given in this
standard.

o Risk management Process (Annex-B)

Previously, this annex had a flowchart that gave an overview of the risk management process.
However, Annex B in the revised standard contains the Risk Management Process for Medical
Devices and a table that shows the correspondence between 2007 and the 2019 version of the
standard.

o Examples of Hazards, Foreseeable Events, & Hazardous Situations (Annex-C)

This annex differs from the one present in the 2007 version of the standard as it gives guidance
information on Examples of Hazard, Foreseeable Events, and Hazardous Situations. This
guidance information was previously present in Annex E of ISO TR 24971. In contrast, Annex C
was used to identify Medical Device Characteristics, although now it has shifted to Annex A in
ISO TR 24971.

 ISO/TR 24971 - Medical Devices - Guidance on the Application of ISO 14971

 ISO TR 24971 guides professionals how to implement and manage the requirements of
ISO 14971:2019. We will show with examples how it is done.

Columns: ISO 14971:2019 | ISO TR 24971:2020 | Relation

Row 1 (Clause 4.3)
ISO 14971:2019: In Clause 4.3, ISO 14971 says "Persons performing risk management tasks shall
be competent on the basis of education, training, skills and experience appropriate to the
tasks assigned to them."
ISO TR 24971:2020: Under the same Clause 4.3, ISO TR 24971 provides Table 1 - Examples of
competent personnel and relevant knowledge and experience. It also advises that some part of
the risk management process can be outsourced and that records should be maintained as
evidence of competence. This is illustrated on the next page.
Relation: ISO 14971 only expresses the requirements or guidelines, whereas ISO TR 24971
provides a detailed analysis as tabulated in Table 1.

Row 2 (Clause 4.4)
ISO 14971:2019: In Clause 4.4, ISO 14971 states "Risk management activities shall be planned."
It further states "The plan shall include at least the following: a) the scope of the planned
risk management activities, identifying and describing medical device and life-cycle
phases ..."
ISO TR 24971:2020: ISO TR 24971 explains these elements of planning in separate sub-clauses.
For example, the given requirement of ISO 14971 is explained in Clause 4.4.2, i.e. Scope of the
Risk Management Plan. It says "Some of the elements of risk management plan can apply to
product realization process (design, development and production of the medical device). Other
elements can apply to the production and post-production phase (such as installation, use,
maintenance, decommissioning, and disposal of the medical device)."
Relation: This is just one example related to scope. In fact, ISO TR 24971 explains each
constituent of the plan listed in ISO 14971, such as assignment of responsibilities and
authorities in Clause 4.4.3, requirements for review of risk management activities in
Clause 4.4.4, etc.

 Competent Professionals Explanation with Knowledge and Experience

 Below is a tabulated illustration of the part of Table 1 in ISO TR 24971:2020. It explains
the relation of person or function with the knowledge and experience. Similarly there are
other roles and functions addressed in Table 1.

 Likelihood - Qualitative Explanation of Probability of Occurrence of Harm

 ISO 14971:2019 states in clause 5.5 i.e. Risk Estimation as "The system used for qualitative or
quantitative categorization of probability of occurrence of harm and severity of harm shall be
recorded in the risk management file." Whereas ISO TR 24971 provides an example of the
qualitative system for likelihood of harm in Table 3.

 Severity Levels - Qualitative Description


 Similarly ISO TR 24971 offers an example of qualitative description for severity levels.

 Below is an example of 3 x 3 matrix of risk rating system inspired by ISO TR 24971 examples. If
we calculate risk using the qualitative descriptions as presented here, this risk matrix will help in
making decisions of where to take immediate action and where to manage and monitor.

Levels              | Severity - Negligible   | Severity - Moderate     | Severity - Significant
Likelihood - High   | Moderate Risk - Manage  | High Risk - Take Action | High Risk - Take Action
Likelihood - Medium | Low Risk - Just Monitor | Moderate Risk - Manage  | High Risk - Take Action
Likelihood - Low    | Low Risk - Just Monitor | Low Risk - Just Monitor | Moderate Risk - Manage

 Risk Matrix Chart


 Below is an example of a risk matrix chart. It can also be used for plotting various risks for a
medical device. It helps in identifying those which need to be controlled immediately
and which ones seem to be controlled. R1, R2, R3, R4 are examples of various risks.

 Hazard Relationship with Situations Leading to Harm


 Below is an example of how an electrically powered medical device can give rise to a
complex sequence of events with different harmful impacts, each with a different level of probability.

Hazard Analysis:
Hazard: Electricity
Reality: An insulated wire carrying a line voltage of 220 volts is present beneath the cover of an
electrically powered medical device.
Events and Incidences:
a. Insulation material is deteriorated by cracks and is exposed (Pa = 0.01)
b. Insulation material wears off from the wire and is detached (Pb = 0.10)
c. User connects and turns on the device (Pc = 0.10)
d. User removes and discards cover (Pd = 0.10)

Hazardous Situation 1: User is exposed to line voltage, i.e. P1 = Pa * Pb * Pc * Pd = 1 x 10^-5

Probability of Harm:
Probability that user touches the wire and experiences:

- Discomfort (P2 = 0.10)
- Burn (P2 = 0.01)
- Death (P2 = 0.001)
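
The calculation above carried through in code, as an added example that is not part of the original notes: it multiplies the event chain into P1, multiplies by each P2 to get the probability of harm, and rates the result on the 3 x 3 matrix shown earlier. The likelihood cut-offs, the severity level assigned to each harm, and the cover-fastener control are constructed assumptions.

```python
from math import prod

# Event probabilities a-d, taken from the page's hazard analysis.
EVENTS = {"Pa": 0.01, "Pb": 0.10, "Pc": 0.10, "Pd": 0.10}

# P2 per harm is from the page; the severity level given to each harm is assumed.
HARMS = {
    "discomfort": (0.10, "Negligible"),
    "burn": (0.01, "Moderate"),
    "death": (0.001, "Significant"),
}

# The page's 3 x 3 matrix, indexed as MATRIX[likelihood][severity].
MONITOR, MANAGE, ACT = ("Low Risk - Just Monitor", "Moderate Risk - Manage",
                        "High Risk - Take Action")
SEVERITIES = ("Negligible", "Moderate", "Significant")
MATRIX = {
    "High": dict(zip(SEVERITIES, (MANAGE, ACT, ACT))),
    "Medium": dict(zip(SEVERITIES, (MONITOR, MANAGE, ACT))),
    "Low": dict(zip(SEVERITIES, (MONITOR, MONITOR, MANAGE))),
}

# Constructed cut-offs for turning a probability into a qualitative likelihood.
# A real risk management file records its own categorization system (clause 5.5).
HIGH_AT, MEDIUM_AT = 1e-4, 5e-7


def p_hazardous_situation(events):
    """P1: every event in the sequence must occur (treated as independent)."""
    for name, p in events.items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name}={p} is not a probability")
    return prod(events.values())


def likelihood_level(p_harm):
    if p_harm >= HIGH_AT:
        return "High"
    return "Medium" if p_harm >= MEDIUM_AT else "Low"


def assess(events, harms=HARMS):
    """Return {harm: (P1 * P2, likelihood, severity, matrix rating)}."""
    p1 = p_hazardous_situation(events)
    result = {}
    for harm, (p2, severity) in harms.items():
        p_harm = p1 * p2
        level = likelihood_level(p_harm)
        result[harm] = (p_harm, level, severity, MATRIX[level][severity])
    return result


def with_control(events, event, new_p):
    """Residual-risk view: same chain with one event probability reduced."""
    if new_p > events[event]:
        raise ValueError("a control must not raise the event probability")
    return {**events, event: new_p}


if __name__ == "__main__":
    before = assess(EVENTS)
    # Hypothetical control: tool-only cover fasteners cut Pd from 0.10 to 0.001.
    after = assess(with_control(EVENTS, "Pd", 0.001))
    for harm in HARMS:
        print(f"{harm:10} before {before[harm][0]:.0e} {before[harm][3]:24}"
              f" after {after[harm][0]:.0e} {after[harm][3]}")
```

With these assumptions the hypothetical control lowers every probability of harm by a factor of 100, yet death stays at Moderate Risk - Manage, because the Significant column of this matrix never rates below Moderate.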


 Dependence on ISO TR 24971 for Implementing ISO 14971


Explanation: In the next tab, an illustration is presented to show the relationship between a person's
experience and the need for ISO TR 24971 when implementing ISO 14971. The illustration shows
how the level of dependence varies with experience and knowledge. Obviously, highly experienced
people in medical device compliance won't need a guide like TR 24971 to implement ISO 14971. The red
curve shows dependency on ISO TR 24971 for implementing ISO 14971, whereas the yellow
curve shows the knowledge and experience of a professional.

 Time Oriented Analysis of Benefit Versus Risk

 Explanation: When a new state-of-the-art medical device technology is introduced and approved, it
has more benefits than hazards and is usually in the optimal range. As time progresses, newer
state-of-the-art medical devices enter the market, and the old design and technology become
obsolete, with certain issues that are referred to as hazards and other types of
risks. For a certain time the device remains acceptable in the market, until it becomes
obsolete because its benefits are no longer recognized and it has more hazards
than the new technology, which is safer.

 ISO TR 24971

The technical report of ISO 14971, i.e., ISO TR 24971, has also seen many significant updates
in its 2020 version, and its revised version covers the following topics:

 Risk management for In-vitro diagnostic devices


 Risk management plans
 Risk concepts and techniques
 Guidance on hazard identification

This information was previously present in the older version ISO 14971. Still, with the input from
the ISO Technical Management Board, the technical committee decided to list the information
annexes primarily in ISO TR 24971.

The new annexes which have been added to the technical report cover different topics on
guidance. However, it should be noted that this guidance information should not be confused with
the requirements of the standard. These annexes are a source of information that
manufacturers may need in order to comply with the standard and implement it.

Risk Concepts (Annex-D) : Annex D covers Risk Concepts Applied to Medical Devices. This
annex was omitted entirely from the ISO 14971 and was instead redistributed as a numbered
clause in ISO TR 24971.

In-Vitro Diagnostic (IVD) Devices (Annex-H): The ISO Technical Committee 212, responsible for
IVD standards, performed extensive revisions in this annex. The revised annex now includes
information not only on IVD devices but on all medical devices. It provides manufacturers with
valuable information on how they should deal with false positives and false negatives within the
risk management system.

 New Annexes in ISO TR 24971


 Two new annexes, i.e., Annex F and Annex G, have been added to the technical report, and they
cover Risk Management for Cyber-security and Risk Management File, respectively.
 Risk-Management for Cyber-Security (Annex-F): This four-page long annex covers risk
management for cyber and data security as well as other cyber-security processes related to ISO
14971.
 Risk Management File (Annex G) : The components and devices covered by this annex do not
comply with the requirements of ISO 14971. It discusses the appropriate process that can help in
the remediation of the risk management file. This annex may be helpful for the companies who
are planning to update their risk management systems to comply with the requirements of ISO
14971:2019.

 Clauses in ISO TR 24971


Benefit-Risk Analysis: Clause 7.4 in ISO TR 24971 now contains three more pages to cover
benefit and benefit-risk analysis. For example, it tells manufacturers about the benefit, which
does not help attain economic or business advantages.

Clause 7.4.2 gives an overview of clinical benefits, while clause 7.4.5 provides three examples of
the conclusions of the benefit-risk analysis.
Risk Management in Post-Market Surveillance: Compared to ISO TR 24971:2013, which contained
only one page on risk management in post-market surveillance, four additional pages are now
present in ISO TR 24971:2019 in Risk Management in Post-Market Surveillance.

 Risk Management Process Steps in ISO 14971:2019


 In industrial manufacturing processes, risk management is of great importance. It
helps manufacturers determine the risks associated with the products they manufacture;
without it, there is a chance of incidents affecting consumers.

The importance of this risk management process increases severalfold when it comes to
medical devices. Therefore the International Organization for Standardization (ISO) has
formulated the ISO 14971 standard in this regard. ISO 14971 provides a complete risk
management framework to address the risks associated with design, development, production,
and post-production activities for all medical devices.

Deficiencies in EU MDR & IVDR: The European directives and regulations such as EU MDD and
EU IVDR require manufacturers to implement a quality management system that addresses risk
management. However, these steps are not sufficient, as they do not address every
aspect of risk management. Therefore, there was a need for a more detailed and state-of-the-art
standard to address this risk management issue.

ISO 14971:2019 & ISO/TR 24971: The publication of the third edition of ISO 14971 along with its
technical report, i.e., ISO/TR 24971, provides detailed guidance on the risk management
concepts while showing its compliance to the essential safety and performance principles. These
standards thus can assist in risk management regarding the life-cycle of medical devices to a
greater extent.

 Steps for Risk Management Process in ISO 14971:2019


 Following are the steps which constitute the Risk Management Process in ISO 14971:2019:
 Risk Management Plan (Step-1)
 A risk management plan tells the manufacturers regarding the risk management activities which
they should conduct over the life cycle of a medical device. This plan contains criteria for:
o Risk acceptability that is based on regulations

o International standards

o State-of-the-art

o Stakeholder concerns

o Activities that will help in verifying the implementation and effectiveness of risk control measures

o The information which is collected during production and post-market activities.

The manufacturer will be liable to develop a risk management report after reviewing the plan’s
execution.

 Risk Assessment (Step-2)

 Risk Analysis:

Risk analysis comprises recognition and documentation of:
o The intended use of the medical device
o Reasonably Foreseeable Misuse errors (which also include abnormal use of the medical
device) along with its correct use.
These risks are considered and reduced by adding controls through the methods of Usability
Engineering.
In this risk analysis, those reasonably foreseeable events that can contribute to hazardous
situations, such as the medical devices' intended use, reasonably foreseeable misuse, and
safety-related characteristics, are added. In the final step of risk analysis, the severity of harm
and the probability of each hazardous situation are estimated.
Risk Evaluation: During this phase, risks are analyzed using criteria for risk acceptability which is
defined in the risk management plan. The risk becomes a residual risk if it becomes acceptable,
or otherwise, it becomes necessary to perform risk control activities. All of these evaluations, as
part of the risk management file, are listed down.

 Risk Control (Step-3)


 Reduction of risks at an acceptable level can be achieved by designing the devices with
inherent safety to prevent the occurrence of hazardous situations. If this is not
convenient, then a device should be designed to minimize the probability of occurrence
of any dangerous situation. In case these protective measures do not play their role in
risk reduction, safety information should be provided to the device’s users in the following
form:
 Instructions
 Warnings
 Contraindications
 User training

 Ensuring the Measures : It is important to ensure that these risk control measures do not pose
additional risks to the users.

 Implementing & Analyzing: The measures taken for reducing risks are implemented, verified for
their effectiveness, and documented. Residual risks are analyzed using risk acceptability criteria.
More risk control activities should be implemented if the risk is considered unacceptable.

 Benefit-Risk Analysis : In cases where risk controls are not feasible to implement, a Benefit-Risk
Analysis can help determine whether the benefits of using a medical device will exceed its
residual risk. The device can then either be modified or limited in its intended use.

Evaluation of Overall Residual Risk (Step-4) : An analysis of all the individual risks should be
made to ensure that these small risks do not combine themselves into a significant unexpected
risk. For this purpose, a method and criteria are documented in the risk management plan,
ensuring the acceptability of the overall residual risk.

The criteria for tolerating overall residual risk can vary from the requirements of acceptability of
basic risk. This variation is found from organization to organization in their procedure of
determining the acceptable risk. The users should be told about any residual risks inherent with a
device’s use even after all the risk control measures have been taken. Thus, this will allow the
users to choose to continue with the same device or find its alternative.

Risk Management Review

