
ISO 14971

The international standard for medical device risk management — understanding ISO 14971:2019 requirements, risk analysis methodology, and implementing a compliant risk management system.


What is ISO 14971?

ISO 14971:2019 is the international standard specifying a process for manufacturers to identify hazards associated with medical devices, estimate and evaluate associated risks, control those risks, and monitor the effectiveness of those controls.

It is arguably the most foundational standard in the medical device regulatory ecosystem: FDA recognizes it as a consensus standard, its European version (EN ISO 14971:2019) is the harmonized route to the EU MDR's risk management requirements, and it is incorporated by reference into nearly every other device standard (IEC 62304 for software life cycle processes, IEC 62366-1 for usability engineering, IEC 82304-1 for health software, and more).

Risk management per ISO 14971 is not a documentation exercise — it is a systematic, lifecycle-spanning process that informs design decisions from the earliest concept stage through post-market surveillance.

The Risk Management Process

Clause 4 — General Requirements: Establishes the risk management process, management responsibilities, personnel competence, the Risk Management Plan (4.4), and the Risk Management File (4.5). The plan must exist before risk analysis begins and must define the scope, responsibilities, review requirements, the criteria for risk acceptability, the method for evaluating overall residual risk, and the production and post-production information-collection activities.

Clause 5 — Risk Analysis: Documents the intended use and reasonably foreseeable misuse (5.2), identifies the characteristics related to safety (5.3), identifies hazards and hazardous situations, including the sequences or combinations of events that lead from a hazard to a hazardous situation (5.4), and estimates the risk of each hazardous situation, normally as the severity of the harm combined with the probability of its occurrence (5.5).

Clause 6 — Risk Evaluation: Compares each estimated risk with the acceptability criteria defined in the Risk Management Plan. Risks that are not acceptable proceed to risk control; for risks that are acceptable, no further control is required, although the plan may still call for it.

Clause 7 — Risk Control: Selects and implements measures to reduce each unacceptable risk. The options must be applied in the priority order the standard sets: inherently safe design and manufacture, then protective measures in the device itself or in the manufacturing process, then information for safety (and, where appropriate, user training). Each measure is verified for implementation and effectiveness (7.2), the residual risk is re-evaluated (7.3), a residual risk that is still not acceptable can be accepted only through a documented benefit-risk analysis (7.4), and the manufacturer must check whether the control measures themselves introduce new hazards or hazardous situations (7.5).

Clause 8 — Evaluation of Overall Residual Risk: Once all risk control measures are implemented and verified, the overall residual risk is evaluated using the method and criteria defined in the plan. If it is judged not acceptable, it can be accepted only if a benefit-risk analysis shows that the medical benefit outweighs it. Significant residual risks must be disclosed to users in the accompanying documentation.

Clause 9 — Risk Management Review: Before commercial distribution, confirms that the plan was properly executed, that the overall residual risk is acceptable, and that the methods for collecting production and post-production information are in place. The results are recorded in the Risk Management Report.

Clause 10 — Production and Post-Production Activities: Requires actively collecting and reviewing information from production, users, the supply chain, and publicly available sources (including relevant standards and the scientific literature). When that information reveals a previously unrecognized hazard or a changed risk estimate, the manufacturer must update the Risk Management File, re-evaluate the affected risks, and assess the effect on previously implemented controls.

Risk Acceptance Criteria

One of the most manufacturer-specific (and therefore most scrutinized) elements of ISO 14971 compliance is the risk acceptance criteria defined in the Risk Management Plan.

ISO 14971:2019 prescribes no risk matrix and no thresholds; the manufacturer must define and justify them. The 'ALARP' (As Low As Reasonably Practicable) triangle that the 2007 edition showed in its informative Annex D was moved out of the standard into ISO/TR 24971, and the 2019 edition instead makes benefit-risk analysis an explicit step: a residual risk that fails the plan's criteria can be accepted only if a documented analysis shows that the medical benefit outweighs it (7.4 for an individual risk, Clause 8 for the overall residual risk).

FDA reviewers and Notified Bodies scrutinize risk acceptance criteria carefully. Criteria that are too lenient or insufficiently justified raise significant regulatory concerns.
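As a concrete illustration of the Clause 5 to Clause 10 workflow described above and of the plan-defined acceptance criteria discussed in this section, here is an added Python example written for this page; it is not code from ISO 14971, ISO/TR 24971, or Software Quality Guru. The five-point severity and probability scales, the acceptability matrix, the hypothetical infusion-pump hazards, and every control listed are constructed assumptions, since the standard prescribes none of them. What the code does take from the standard is the decision logic: evaluate each risk against the plan's criteria (Clause 6), give credit only to verified controls and apply them in the 7.1 priority order, re-evaluate the residual risk (7.3), fall back to a documented benefit-risk justification (7.4), gate release on there being no open items (Clause 9), and let a worse post-production estimate (Clause 10) reopen an item.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    NEGLIGIBLE, MINOR, SERIOUS, CRITICAL, CATASTROPHIC = 1, 2, 3, 4, 5


class Probability(IntEnum):
    IMPROBABLE, REMOTE, OCCASIONAL, PROBABLE, FREQUENT = 1, 2, 3, 4, 5


# Acceptance criteria of a hypothetical Risk Management Plan (constructed for this example;
# ISO 14971 prescribes no matrix). Row = severity, column = probability, "A" acceptable, "U" not.
ACCEPTABILITY = (
    "AAAAA",  # NEGLIGIBLE
    "AAAAU",  # MINOR
    "AAUUU",  # SERIOUS
    "AUUUU",  # CRITICAL
    "UUUUU",  # CATASTROPHIC
)

# Risk control options in the priority order of ISO 14971:2019, 7.1 (a), (b), (c).
CONTROL_PRIORITY = {"inherent_safety": 0, "protective_measure": 1, "information_for_safety": 2}


def is_acceptable(severity: Severity, probability: Probability) -> bool:
    return ACCEPTABILITY[severity - 1][probability - 1] == "A"


@dataclass
class RiskControl:
    kind: str                                   # key of CONTROL_PRIORITY
    description: str
    severity_after: Optional[Severity] = None   # None = no change in that dimension
    probability_after: Optional[Probability] = None
    verified: bool = False                      # 7.2: implementation and effectiveness verified


@dataclass
class RiskItem:
    hazard: str
    hazardous_situation: str
    harm: str
    severity: Severity                          # 5.5 estimate before risk control
    probability: Probability
    controls: list = field(default_factory=list)
    benefit_risk_justification: Optional[str] = None   # 7.4, documented by the manufacturer
    field_probability: Optional[Probability] = None    # Clause 10: observed post-production rate

    def residual(self) -> tuple:
        """7.3: only verified controls earn credit, applied in 7.1 priority order; a worse
        post-production estimate overrides the pre-market one."""
        sev, prob = self.severity, self.probability
        for c in sorted(self.controls, key=lambda c: CONTROL_PRIORITY[c.kind]):
            if not c.verified:
                continue
            if c.severity_after is not None:
                sev = min(sev, c.severity_after)
            if c.probability_after is not None:
                prob = min(prob, c.probability_after)
        if self.field_probability is not None:
            prob = max(prob, self.field_probability)
        return sev, prob

    def status(self) -> str:
        """Clause 6 evaluation, then 7.3 residual evaluation, then 7.4 benefit-risk analysis."""
        if is_acceptable(self.severity, self.probability):
            return "acceptable"                  # 6: no risk control required
        if is_acceptable(*self.residual()):
            return "acceptable_after_control"    # 7.3
        if self.benefit_risk_justification:
            return "justified_by_benefit_risk"   # 7.4
        return "unacceptable"                    # more control or a design change is needed


def review(register: list) -> dict:
    """Clause 9 gate: nothing may remain unacceptable and every claimed control must be verified."""
    open_items = [r.hazard for r in register if r.status() == "unacceptable"]
    unverified = [r.hazard for r in register for c in r.controls if not c.verified]
    return {"release_ok": not open_items and not unverified, "open": open_items, "unverified": unverified}


def build_register() -> list:
    """Constructed sample register for a hypothetical infusion pump (not real product data)."""
    dose = RiskItem("dose calculation defect", "pump delivers more than prescribed", "over-infusion",
                    Severity.CRITICAL, Probability.OCCASIONAL)
    dose.controls += [  # deliberately listed out of order; residual() sorts them by priority
        RiskControl("information_for_safety", "IFU: confirm programmed rate", verified=True),
        RiskControl("protective_measure", "independent flow-rate watchdog",
                    probability_after=Probability.IMPROBABLE, verified=True),
        RiskControl("inherent_safety", "hard dose ceiling in firmware",
                    probability_after=Probability.REMOTE, verified=True),
    ]
    port = RiskItem("unauthenticated service port", "remote change of pump settings", "over-infusion",
                    Severity.CRITICAL, Probability.PROBABLE)
    port.controls.append(RiskControl("information_for_safety", "manual: use an isolated network",
                                     probability_after=Probability.OCCASIONAL, verified=True))
    return [dose, port]
```

Calling build_register() and then status() on each item shows the dose-calculation item reaching acceptable_after_control only through its inherent-safety and protective controls, while the service-port item stays unacceptable because an information-for-safety measure alone does not move it into the acceptable region of the assumed matrix; review() therefore reports release_ok False with that item open. Setting field_probability on the dose item to Probability.OCCASIONAL (complaint data showing the dose ceiling is bypassed more often than estimated) flips it back to unacceptable, which is the Clause 10 trigger for updating the file and re-evaluating.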

ISO 14971:2019 Key Changes

ISO 14971:2019 replaced the 2007 edition (and, in Europe, EN ISO 14971:2012 with its Annex Z content deviations). Its key changes: the ALARP guidance that the 2007 edition carried in its informative Annex D was moved into ISO/TR 24971, benefit-risk analysis became an explicit step for both individual and overall residual risk, the process was restructured into Clauses 4 to 10 with numbered subclauses, definitions were added or revised (notably 'benefit', 'reasonably foreseeable misuse', and 'state of the art'), and the requirements were written with the EU MDR and other current regulations in mind.

The 2019 edition also strengthened the post-production requirements (Clause 10), explicitly requiring manufacturers to actively collect information from production, users, the supply chain, and publicly available sources (including relevant standards and the scientific literature), to review it for relevance to safety, and to act when it reveals a new hazard or a changed risk estimate.

The companion document ISO/TR 24971:2020 (a Technical Report, so guidance rather than requirements) explains how to apply ISO 14971, with worked examples of risk analysis techniques, sample risk matrices and acceptability criteria, and guidance on software and security-related risks.

How Software Quality Guru Helps

  • Risk Management Plan development aligned to ISO 14971:2019
  • Hazard identification workshops (FMEA, SFMEA, HAZOP for medical devices)
  • Risk Analysis spreadsheet development and population
  • Risk acceptance criteria establishment and regulatory alignment review
  • Risk Management File compilation and submission support
  • Risk Management Report (RMR) drafting for 510(k) and technical files
  • Post-market surveillance integration for continuous risk monitoring

Ready to Move Forward?

Our team of medical device regulatory experts is ready to help you navigate compliance with confidence.