12 years is a long time, a period in which medical technology has been revolutionized. Time, then, to publish the third edition of the standard for risk management for medical devices, ISO 14971. It will be published in December 2019 and harmonized in May 2022.

Here’s an overview of the key requirements:

ISO 14971:2019 for risk management has

A new chapter structure: Chapter 2, Normative references, is new. Some subchapters are structured differently than before.

New terms: the terms benefit, reasonably foreseeable misuse and state of the art are new.

A revised scope, which now also explicitly mentions software.

Fewer annexes: some annexes (C, D, F – H and J) have been moved to ISO/TR 24971 and Annex I has been deleted.

After this short overview, the changes of ISO 14971:2019 compared to EN ISO 14971:2013 or EN ISO 14971:2012 are presented in more detail below. 


There have been some changes in the scope: the new edition not only describes a process, but also specifies the terminology and principles of risk management. The process is no longer merely specified, as before, but is intended to support manufacturers in their risk management activities. The scope now also covers software as a medical device, and not only medical devices and in vitro diagnostic medical devices as before.

Another new aspect is that the standard now requires that hazardous situations be identified (chap. 4.1 a)) and that the process applies not only to all life cycle phases, but also to the risks of the medical device. The standard still does not specify acceptable risk levels, but the manufacturer must establish objective criteria for risk acceptability.

Normative references

This chapter is new and empty.

Terms and definitions

The third version of ISO 14971 introduces three new terms: benefit, reasonably foreseeable misuse, and state of the art.

Benefit describes a positive influence or desirable outcome that not only affects the health of the patient, but can also be applied to, for example, patient management or public health.

Reasonably foreseeable misuse of a medical device was moved from a note in the second edition of ISO 14971 to a defined term. This misuse refers to the unintended use of a medical device, that is, outside its intended purpose and related to reasonably foreseeable actions.

The state of the art is defined as what one would expect: a certain technical stage, related to processes, products and services that is based on the knowledge gained from science, technology and experience. Of interest is Note 1, which clarifies that it does not necessarily mean the most technically advanced solution, but that the term can be understood as “generally accepted state of the art”.

Some existing terms have been changed, for example accompanying documentation. Accompanying documentation has been expanded to include instructions for decommissioning and disposal of the medical device, and to indicate that auditory, visual or tactile materials and various types of media can also serve as accompanying documentation.

General requirements for a risk management system

In the first subsection, Risk Management Process, of ISO 14971:2019, a new way of thinking becomes apparent. The manufacturer must not only define and document a process, but also implement it. New formulations also appear more often: away from an “it shall…” to a “the manufacturer shall…”. It seems that the Commission wants to make the manufacturer more responsible and reduce the scope for interpretation.

New in the risk management process are the requirements that a) the RM process must also be realized, that b) in addition to the hazards, the hazardous situations must also be identified and c) the RM personnel must have “education, training, skills and experience” and no longer just knowledge and experience.

Risk analysis

The chapter structure has been changed slightly: Intended Use is no longer listed together with the safety-related characteristics, but with the new reasonably foreseeable misuse.

Intended use has more requirements reminiscent of usability: medical indication, patient population, body part or tissue treated, user profile, environment of use, and principle of function/operation.

For the first time, the safety-relevant characteristics have now been given their own chapter and no longer have to remain only in the appendix. The list of questions has been moved to ISO/TR 24971.

Risk assessment

For the following information, it is important to note that ISO 14971:2019 is not yet harmonized. There may still be changes in this regard.

An acceptable risk does not have to be mitigated. This was already the case in the second edition of ISO 14971. But: Annex ZA of the second edition of DIN EN ISO 14971:2013-04 clarifies that “[…] all risks, regardless of their magnitude, shall be mitigated as far as possible […]”. The new ISO 14971 is still international, so there is no corresponding, European Annex ZA yet, but under application of the MDR, the following applies: “All known and foreseeable risks and undesirable side effects shall be reduced as far as possible […]” (MDR Annex I, Chapter I, point 8).

So it will probably be business as usual in the eventually harmonized EN ISO 14971.

Risk control

The risk control measures have been extended and thus adapted to the MDR. The measure “integrated safety” has been extended to “integrated safety and manufacturing”. The measure “information on safety” has been expanded to “information on safety and, if applicable, training for users”.

The previous risk/benefit analysis is called benefit-risk analysis in the new edition to emphasize the focus on benefits. Benefit, following the new definition, is no longer limited to medical benefits.

If the benefit-risk analysis shows that the overall residual risk (or a single residual risk) outweighs the benefits, the manufacturer is allowed to change the medical device or its intended use. Here, what was previously standard practice has now been explicitly sanctioned by the standard.

Evaluation of the overall residual risk

In the new ISO 14971, the method for assessing the overall residual risk and the acceptance criteria for the overall residual risk must be specified in the risk management plan. These may differ from the method and acceptance specifications for the individual risks.

In addition, the manufacturer must no longer merely decide which information is important for the accompanying documentation, but must now also inform the users.

Review of risk management

Reviewing risk management for medical devices is a familiar task in a new guise. In the third edition of ISO 14971, the chapter is called “Risk management review” rather than “Risk management report.” As before, the documentation is still filed as a risk management report. What is new in terms of content is that it is no longer the risk management process that is reviewed, but the risk management plan. The plan is generally adapted more specifically to a particular product or project than the higher-level process.

Activities in production and downstream phases

In this chapter, the basic structure has changed. The focus is no longer on the information generated in these phases, but on the activities that collect and evaluate this information and then initiate appropriate actions.

The manufacturer is to collect information from the following “places”: in production; from the user; from service and installation personnel; from the supply chain; publicly available information; and information relating to the generally accepted state of the art. Also new is the requirement to collect information on similar medical and non-medical devices.

The information collected is to be evaluated in the next step with regard to its relevance to safety: Has a new hazard or hazardous situation arisen? Are the estimated risks still appropriate? Is the overall residual risk still acceptable? Has the state of the art changed?

If information is safety-relevant, the measures are divided into two areas: the medical device and the risk management process. If the medical device is affected, in addition to a review of the risk file and unacceptable risks, measures should also be reviewed to determine whether action needs to be taken for devices on the market. If risk management is affected, the impact of existing risk management activities should be evaluated.


Annexes C, D, F – H and J have been moved to ISO/TR 24971, Annex I has been deleted. Annex B (2019) corresponds to Annex B (2012) and Annex C (2019) corresponds to Annex E (2012).

Annex B presents an overview of the equivalents of the second and third editions of ISO 14971 and an overview of risk management.

Annex C is largely identical to Annex E of the second edition. In addition to the new name “Fundamental risk concepts,” there is a new illustration of the relationships between hazard, hazardous situation and harm, and new hazards have been added.


The new ISO 14971:2019 does not reinvent risk management and risk analysis. The most important new requirements are

Defining the method and acceptance criteria for overall residual risk in the risk management plan

The activities in production and downstream phases (modified).

These changes will require adjustments to the risk management process.


Don’t miss out on keeping up to date with further developments via the seleon Regulatory Affairs Blog. Your seleon experts are always up to date.

By the way, seleon’s regulatory affairs experts are also available to you personally for advice and support. Your advantage is that they can provide the best and most realistic assistance with their practical know-how from the development and production of medical devices.

Try it out and get in touch.

Basic knowledge of risk management:

Good risk management brings some benefits to companies, such as reducing quality costs and ensuring product success. So familiarize yourself with the key points:

Important terms in risk management

In order to describe various risks that occur, uniform terms are defined in the ISO 14971 standard, the use of which is common in applied risk management.

Harm: physical injury or damage to the health of people or damage to goods or the environment.

Hazard: potential source of harm.

Severity: the degree of potential impact of a hazard.

Hazardous situation: “Circumstances in which people, property or the environment are exposed to one or more hazards.” (ISO 14971)

In the risk assessment, it must be evaluated what can trigger a hazard and what sequence of events it sets off that then leads to a hazardous situation. Harm can only occur when a person is exposed to a hazardous situation; the hazardous situation alone does not cause harm. This results in possible harms that must be evaluated according to their severity (e.g., death/irreversible/reversible) and their probabilities of occurrence. The latter apply both to the occurrence of the hazardous situation and to the occurrence of the harm. The severity levels and occurrence probabilities are determined individually by each manufacturer depending on the medical device. The risk is thus the combination of the probability of occurrence of a harm and the severity of that harm.

What does product-related risk management mean?

The ISO 14971 standard specifies the application of risk management (RM for short) to medical devices. Thus, the manufacturer is responsible for ensuring the safety of the medical device, taking into account the recognized state of the art. In doing so, an assessment and evaluation of the risks must be carried out over the entire product life cycle, as well as their control with suitable measures and the monitoring of the effectiveness of the measures for risk avoidance or reduction. Foreseeable misuse of the product must also be considered. In most cases, the risk cannot be completely eliminated. Then a so-called residual risk remains, which is also evaluated. Reasons must be given as to why the residual risk is acceptable and whether the benefits of the product outweigh the risks.

Risk management is carried out in several steps:

Risk analysis using various methods

Risk assessment: acceptance evaluation of the individual risks

Risk control: measures for risk minimization

Evaluation of the overall risk: acceptance of the overall risk – or not

Downstream phases: continuous risk assessment and updating based on information from production and post-production phases

Of course, proper establishment of the risk management process requires suitable and competent personnel within the company and a risk management plan.

The risk management plan

… contains the following parts:

Scope of responsibilities and the individual phases

Responsibilities and authorities

Requirements for the review of activities

Criteria for the acceptance of risks

Procedures for assessing overall residual risk and criteria for accepting overall residual risk (new in ISO 14971:2019)

Verification activities

Post-market surveillance activities

Above all, the criteria for risk acceptance are essential for any risk management plan. A matrix must be used to show exactly what combination of probability of harm and severity of harm is acceptable, and what is not.

Methods for risk analysis

There are several ways to perform a risk analysis. Among the most common are:

Preliminary Hazard Analysis (PHA)

FMEA (Failure Mode and Effects Analysis)

FTA (Fault Tree Analysis)



Preliminary hazard analysis is a technique used in the early stages of a project to identify hazards and hazardous situations. User scenarios can be helpful in uncovering potential hazardous situations in the product’s application. It is important to determine the individual components of the product and its interfaces, in order to also determine whether special or additional accessories are required.

The FMEA (Failure Mode and Effects Analysis) method comes in two forms. Process FMEA addresses production failures, while design FMEA takes a closer look at construction failures. This analysis method looks at defects that could potentially occur in the product and evaluates them according to their degree of impact on the patient, user, or third party, the probability of occurrence, and if applicable, detection. This method helps prevent defects and is intended to improve the technical reliability of the medical device.

Among other things, the FTA is used to identify the causes of an already known failure condition and to analyze the failure modes. In doing so, the FTA works “top-down”, i.e., it starts with an event and searches systematically and in detail for its cause.

In the case of sabotage, the FTA analyzes what can happen if the system is intentionally put out of operation and in what way this can harm the patient. An example would be a cable plugged into a socket that was not intended for this purpose.
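To make the “top-down” working of a fault tree concrete, here is an added example that is not code from the seleon post: a small evaluator that starts from a known failure condition (the top event), decomposes it through AND/OR gates into basic events, computes the top-event probability from the basic-event probabilities (assuming they are independent), and lists the minimal cut sets, i.e. the smallest combinations of basic events that are sufficient to cause the top event. The tree, the event names and all probabilities are constructed for illustration and are not values from ISO 14971.

```python
"""Added example, not from the seleon post: a small fault-tree evaluator.

A fault tree works top-down: the top event is the known failure condition,
and AND/OR gates decompose it into basic events. Given independent basic
events with known probabilities, the tree yields the probability of the top
event and its minimal cut sets. Event names and probabilities below are
constructed for illustration (assumed values, not from ISO 14971).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import product
from typing import List, Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float  # probability per use, constructed value


@dataclass
class Gate:
    kind: str                       # "AND" or "OR"
    name: str
    inputs: List["Node"] = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def event_probability(node: Node) -> float:
    """Probability of the event at `node`, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.probability
    probs = [event_probability(child) for child in node.inputs]
    if node.kind == "AND":
        # All inputs must occur together: multiply.
        p = 1.0
        for q in probs:
            p *= q
        return p
    if node.kind == "OR":
        # At least one input occurs: 1 - P(none of them occurs).
        p_none = 1.0
        for q in probs:
            p_none *= 1.0 - q
        return 1.0 - p_none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest sets of basic events whose joint occurrence causes the event at `node`."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        # Any single child's cut set is enough.
        candidates = [s for sets in child_sets for s in sets]
    elif node.kind == "AND":
        # One cut set from every child must occur together.
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # Keep only minimal sets: drop duplicates and anything that is a superset.
    minimal: List[frozenset] = []
    for s in candidates:
        if s not in minimal and not any(other < s for other in candidates):
            minimal.append(s)
    return minimal


def build_example_tree() -> Gate:
    """Constructed tree: why might an infusion line deliver no flow?"""
    line_blocked = Gate("OR", "infusion line blocked", [
        BasicEvent("kink_in_line", 0.01),
        BasicEvent("clamp_left_closed", 0.005),
    ])
    pump_stopped = Gate("AND", "pump has no power", [
        BasicEvent("mains_failure", 0.02),
        BasicEvent("battery_depleted", 0.1),
    ])
    return Gate("OR", "no infusion flow delivered", [line_blocked, pump_stopped])


def analyse(tree: Gate) -> dict:
    """Top-event probability plus its minimal cut sets, as one would file them."""
    return {
        "top_event": tree.name,
        "probability": event_probability(tree),
        "minimal_cut_sets": [sorted(s) for s in minimal_cut_sets(tree)],
    }


if __name__ == "__main__":
    result = analyse(build_example_tree())
    print(f"P({result['top_event']}) = {result['probability']:.5f}")
    for cut in result["minimal_cut_sets"]:
        print("  cut set:", " AND ".join(cut))
```

The cut sets are the part a reviewer usually cares about more than the number: a single-event cut set such as “kink in line” points to a cause that needs its own risk control measure, whereas the two-event cut set (mains failure together with a depleted battery) shows where an existing redundancy already sits.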

The Ishikawa or fishbone diagram is also known as a cause-and-effect diagram. It represents all possible causes that lead to or significantly influence a result. All causes of problems that may occur should be identified in this diagram and their dependencies shown.

Risk assessment

For each identified hazardous situation or process failure, a decision must be made as to whether risk mitigation is required; the general approach is that risk control measures should be applied for each hazard or process failure. This is done by applying the criteria established in the risk management plan. For example, if a defect in a medical device can cause the patient’s blood pressure to drop, the resulting hazardous situation is insufficient blood flow, which in turn can result in (medical) shock. The cause may be a kink in the pressure line of the device. The assessment of this risk is “unacceptable”, and thus a risk control measure is mandatory. The general rule is that risks, regardless of their acceptability, are mitigated as much as possible. For the assessment of risks and further mitigation measures, it is important to distinguish between the principles of the international ISO 14971:2019 and the European harmonized EN ISO 14971:2012.
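The chain described in the basic-knowledge section above (hazard, sequence of events, hazardous situation, harm; risk as the combination of probability and severity), the acceptance matrix required by the risk management plan, and the pressure-line example just given can be put together in one small worked example. The following code is added here and is not code from the seleon post: it estimates the probability of harm as the product of the probability that the hazardous situation occurs and the probability that exposure then leads to harm, maps it to a qualitative band, looks the result up in an acceptance matrix, and re-evaluates after a control measure. The probability bands, severity levels, the matrix and every number are constructed assumptions; ISO 14971 leaves these choices to the manufacturer.

```python
"""Added example, not from the seleon post: estimating a risk along the chain
hazard -> sequence of events -> hazardous situation -> harm and checking it
against the acceptance matrix a risk management plan would define.

The probability bands, severity levels, matrix and all numbers are constructed
assumptions for illustration; ISO 14971 leaves these choices to the manufacturer.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Tuple

# Qualitative probability bands with their lower bounds (per use), constructed.
PROBABILITY_BANDS = [
    ("frequent", 1e-2),
    ("probable", 1e-3),
    ("occasional", 1e-4),
    ("remote", 1e-5),
    ("improbable", 0.0),
]

# Constructed acceptance matrix: for each severity level, the probability
# bands that the (hypothetical) risk management plan declares unacceptable.
ACCEPTANCE_MATRIX = {
    "negligible":   set(),
    "minor":        {"frequent"},
    "serious":      {"frequent", "probable"},
    "critical":     {"frequent", "probable", "occasional"},
    "catastrophic": {"frequent", "probable", "occasional", "remote"},
}


@dataclass(frozen=True)
class Risk:
    hazard: str
    sequence_of_events: str
    hazardous_situation: str
    harm: str
    severity: str
    p_situation: float             # probability that the hazardous situation occurs
    p_harm_given_situation: float  # probability that exposure then leads to harm

    @property
    def probability_of_harm(self) -> float:
        # Harm requires the situation to occur AND the exposure to end in harm.
        return self.p_situation * self.p_harm_given_situation


def probability_band(p: float) -> str:
    """Map a numeric probability to the plan's qualitative band."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    for band, lower_bound in PROBABILITY_BANDS:
        if p >= lower_bound:
            return band
    raise AssertionError("unreachable: the improbable band has lower bound 0")


def evaluate(risk: Risk) -> str:
    """Look the risk up in the acceptance matrix of the plan."""
    if risk.severity not in ACCEPTANCE_MATRIX:
        raise ValueError(f"unknown severity level: {risk.severity!r}")
    band = probability_band(risk.probability_of_harm)
    return "unacceptable" if band in ACCEPTANCE_MATRIX[risk.severity] else "acceptable"


# Constructed worked case, following the post's pressure-line example.
PRESSURE_LINE_KINK = Risk(
    hazard="kink in the pressure line",
    sequence_of_events="line kinks, device output drops unnoticed",
    hazardous_situation="insufficient blood flow",
    harm="medical shock",
    severity="critical",
    p_situation=1e-2,
    p_harm_given_situation=0.5,
)


def example_evaluation() -> Tuple[str, str]:
    """Evaluate the case before and after two (constructed) control measures."""
    before = evaluate(PRESSURE_LINE_KINK)
    # Design measure: kink-resistant tubing lowers the probability of the
    # hazardous situation. Information/alarm: an occlusion alarm lets the user
    # intervene, lowering the probability that exposure ends in harm.
    controlled = replace(PRESSURE_LINE_KINK, p_situation=1e-3, p_harm_given_situation=0.02)
    after = evaluate(controlled)
    return before, after


if __name__ == "__main__":
    before, after = example_evaluation()
    print(f"{PRESSURE_LINE_KINK.harm}: {before} -> {after}")
```

Two design points follow the text: severity is fixed by the harm and does not change with the control measure, so a measure can only move a risk within its severity row, and the matrix is data rather than code, so the same evaluation runs against whichever criteria the plan for a given device specifies.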

Risk governance

In risk control, the mitigation measures are defined, implemented, verified (Have they been implemented correctly?) and validated (Are they working as intended?). The residual risk must then be reassessed and a benefit-risk analysis prepared. After all these steps, the completeness of the risk control must be documented; this is the only way to evaluate the overall risk.

Downstream phases

The manufacturer must collect and review information about the medical device from the manufacturing itself and from post-manufacturing phases. This means that even when the product is on the market, information about its safety/risks must be collected and verified. Furthermore, it must also be verified whether previously unrecognized hazards or hazardous situations exist, whether new findings lead to an adjustment of the risk acceptance criteria, or whether the risks resulting from the hazardous situation are no longer acceptable.

Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only.