What is ISO 14971?

Put simply, ISO 14971 is the global standard for medical device risk management. It was introduced to outline a universal process for identifying potential risks in a medical device at every stage of production, evaluating how dangerous they could be, controlling and reducing these potential risks and then continually monitoring them to prevent harm.

Risk management is important in all sectors of the engineering industry, but plays a particularly important role in the production of medical devices because of the direct effect that a malfunction can have on health. By following the standardised methods outlined in ISO 14971, companies can be sure that their medical device is compliant with the legal regulations that are necessary to sell it globally.

ISO 14971 Explained

The ISO 14971 standard, titled ‘Medical devices — Application of risk management to medical devices’, was developed for the manufacturers of medical devices to harmonise the risk management strategies used throughout the product development cycle. The purpose of this harmonisation was to ensure that the same standards were being met in all products sold on the global market, so that risk is minimised for everyone who uses them.

The most recent update to the standard came in December 2019 with the publication of ISO 14971:2019. This document outlines all the processes that must be followed to manage the risks associated with medical devices effectively.

By following the guidance set out in ISO 14971, manufacturers will define a risk policy for their development process, complete risk assessments and analysis according to this policy, and put control measures in place according to the level of risk that has been identified. This process will be monitored to gauge how effectively the risks are being managed, and updated or changed as necessary.

What is risk management?

Risk management refers to the strategies and controls that are used to identify, analyse, control and manage risk. It ensures that potential risks are discovered before a medical device is put on the market, and it monitors the safety of the device even after it has been manufactured and distributed.

Risk management is also useful because it ensures that control measures are put in place to minimise potential damage if a medical device does become hazardous. It is the basis on which ISO 14971 is formed, and a key part of every stage of product development.

In risk management ‘risk’ is understood as having two different components. These are:

  • The probability that harm is going to occur
  • The severity of the harm identified, and its consequences

In the context of medical devices, a ‘risk’ usually means a software or component malfunction that inhibits the normal functioning of the device, produces incorrect data or stops the device working altogether.

ISO 14971 Risk Management

The full details of how to apply risk management to medical devices in a way that is compliant with ISO 14971 can be found in the official document, which all manufacturers should purchase and read. An overview of the process can be found below, separated into the following sections:

  • Create a risk policy
  • Analyse potential hazards
  • Evaluate the risk of these hazards
  • Implement controls to reduce risk
  • Monitor the effectiveness of risk controls
  • Create a risk management report

Risk Policy

A risk policy is a document that outlines an organisation’s approach to risk management, including the general risks that they face and the overall attitude towards managing and handling these risks. It may identify the individuals responsible for monitoring risk management procedures within the organisation, and state who has created and approved the policy.

A key part of a risk policy is setting out how the risk acceptability criteria are to be defined for every medical device that a company produces. This is usually done through a risk assessment matrix, which rates the different levels of risk according to how probable the harm is and how severe its consequences are.

Once a company has defined its risk policy, it can then create the plans for how risk is going to be managed at every stage of product development, from identifying potential risks to monitoring how well they are reduced. The policy should be documented in a format that all employees can access, and must be updated when necessary to reflect changing circumstances.

Analyse Hazards

Once a risk policy has been developed, the first stage in risk management is to analyse the hazardous situations that could occur if a device were to malfunction. Many tools and software packages can be used to identify potential hazards at every stage of the device’s development, in addition to thinking through and listing them yourself.

To identify the hazards systematically, the ISO 14971 standard suggests that you first consider the ways your medical device is intended to be used and then how misuse could reasonably occur. Then analyse all the components of the device and identify the hazard each one could present if the device malfunctioned.

Once each hazard has been identified, it should then be linked to a potentially hazardous situation. This can be done using a table, where a hazard is listed, then a sequence of events, then the hazardous situation that these events would lead to.

Evaluate Risk

Once all the potential hazards connected to a medical device have been identified, the next step of ISO 14971 risk management is to analyse and evaluate the level of risk that each hazardous situation carries. This is one of the most important steps outlined in the standard, as it can determine whether your product moves on to the next stage of development or has to undergo more work to make it safer.

For every hazardous situation, you will need to evaluate the level of risk that is present. This is where a company’s risk policy will be used to decide on risk estimates and levels of acceptability.

A risk estimate is produced by combining the severity of the potential harm with the probability that the hazardous situation will occur. Whilst the severity of a hazardous situation is relatively easy to judge on its own, data will often be needed to estimate the probability of it occurring. This can be gathered by looking at similar products, industry data and user feedback to get an accurate idea of how likely a malfunction is.

Once the level of risk presented by each hazardous situation has been evaluated, the final step of this stage is to decide which risks are acceptable and which ones need control measures. This is where the risk assessment matrix defined in your risk policy comes in: it specifies the levels of risk your company has decided do not need to be controlled.

In the majority of cases, unless a hazardous situation has a very low chance of occurring and is not particularly severe, it will require control measures to be put in place.

Implement Risk Controls

After completing the ISO 14971 risk analysis, you will be left with a list of hazards whose risk needs to be reduced or removed. Ideally the hazardous situation is eliminated altogether, but the goal is to reduce each risk enough that it becomes acceptable under your company’s risk acceptance policy.

Risk controls can be split into three different categories:

  • Safety by design
  • Protective measures during manufacturing and in the device
  • Safety information on device labels and packaging

Implementing safety by design can be one of the most time-consuming methods of risk control, but it is also the most effective. If components or features of your medical device are potentially hazardous, the best thing to do is evaluate their design and see if there are any ways you can reduce the risk through a redesign.

If some of the potential hazards are not connected to the device’s design, the best method of risk control is to include protective measures in the manufacturing process and the device itself that will reduce the potential damage done if a hazardous situation does occur.

Finally, hazardous situations that are severe but highly unlikely are often controlled by putting health and safety warnings on the packaging or labels of a medical device, telling the user which conditions to avoid or which warning signs to look out for. Bear in mind that not all users will read the safety information in full, so any vital instructions should be communicated in a way that cannot be missed.

Once all necessary risk control measures have been put in place, another product risk assessment must take place to ensure that the previously identified hazards have been reduced to an acceptable level of risk. You must also remember to consider whether any new risk control measures come with their own hazards, and decide how best to remove or reduce these.

The ISO 14971 document calls for a risk-benefit analysis after this residual risk assessment, to confirm that the benefits the medical device brings outweigh the residual risks it poses. Once this has been confirmed, all the actions that have been taken must be recorded so that there is clear evidence of risk control.
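As an added illustration, not part of the original article or of the standard itself, the following Python sketches the evaluate, control and re-evaluate loop described above: a hazard register in the hazard / sequence of events / hazardous situation form, a constructed acceptability matrix standing in for a company’s risk policy, controls that lower severity or probability, and a residual risk assessment that also covers any new hazard a control introduces. The rating scales, the matrix and the example hazards are constructed assumptions, not values from ISO 14971.

```python
from dataclasses import dataclass, field

# Constructed policy (not from the standard): severity and probability are each
# rated 1..3; only these (severity, probability) cells are accepted without controls.
ACCEPTABLE = {(1, 1), (1, 2), (2, 1)}

@dataclass
class HazardousSituation:
    hazard: str              # source of potential harm
    sequence_of_events: str  # what must happen for the hazard to cause harm
    situation: str           # the resulting hazardous situation
    severity: int            # 1 negligible .. 3 serious
    probability: int         # 1 improbable .. 3 frequent

    def acceptable(self) -> bool:
        return (self.severity, self.probability) in ACCEPTABLE

@dataclass
class RiskControl:
    """Lowers severity and/or probability; may introduce new hazards of its own."""
    severity_reduction: int = 0
    probability_reduction: int = 0
    introduces: list = field(default_factory=list)

def evaluate_register(register, controls):
    """Accept each situation, or apply its control and re-evaluate the residual risk.
    Hazards introduced by a control join the worklist and are assessed as well.
    Returns the residual register and the situations that remain unacceptable."""
    worklist, residual, still_open = list(register), [], []
    while worklist:
        hs = worklist.pop(0)
        if not hs.acceptable() and hs.situation in controls:
            c = controls[hs.situation]
            hs = HazardousSituation(  # residual risk; ratings never drop below 1
                hs.hazard, hs.sequence_of_events, hs.situation,
                max(1, hs.severity - c.severity_reduction),
                max(1, hs.probability - c.probability_reduction))
            worklist.extend(c.introduces)
        residual.append(hs)
        if not hs.acceptable():
            still_open.append(hs.situation)
    return residual, still_open

# Constructed hazard register for a hypothetical battery-powered device.
REGISTER = [  # hazard, sequence of events, hazardous situation, severity, probability
    HazardousSituation("loose battery contact", "vibration opens contact", "powers off mid-use", 3, 2),
    HazardousSituation("low display contrast", "screen read in sunlight", "reading misread", 1, 2),
    HazardousSituation("interrupted firmware update", "power lost while flashing", "fails to boot", 2, 2),
]
CONTROLS = {  # safety by design (which adds its own hazard), then safety information
    "powers off mid-use": RiskControl(1, 1, introduces=[HazardousSituation(
        "charged hold-up capacitor", "case opened before discharge", "shock when servicing", 2, 2)]),
    "shock when servicing": RiskControl(probability_reduction=1),
}
```

Running `evaluate_register(REGISTER, CONTROLS)` leaves "fails to boot" as the one open item, because no control was defined for it, while the capacitor hazard introduced by the redesign is picked up and brought to an acceptable level by the labelling control.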

Monitor Control Effectiveness

Many people assume that risk management ends when a product has been manufactured and released, but this is definitely not the case with medical devices. The effectiveness of the risk control measures needs to be continually monitored to ensure that the device remains safe to use over time, particularly if device software needs to be periodically updated.

Regular reports on the product in use should be gathered to confirm that there have been no malfunctions, and any issues or accidents need to be recorded straight away and addressed where necessary. This may lead to changes in your original risk acceptance matrix, as the probability of a hazardous situation occurring may prove different from its original estimate.

This procedure for monitoring the device after distribution should be outlined in the risk policy, which should also contain information on what to do if an issue is identified.

Create a Risk Management Report

The entire risk management process should have been documented as you went along, as the final stage is to produce a report detailing all the possible risks of using your medical device and the controls that have been put in place to make it safe. Not only will this give your device more credibility as a safe piece of medical equipment, but it also gives you a document that can be continually updated as the device is used.


ISO 14971 is one of the most important standards for medical devices out there at the moment, and knowledge of its specifications and procedures is essential for any engineer or software developer who wants to work in the medical industry. Whilst the risk management process outlined in the standard has many stages, it is a relatively simple document to follow and ensures that all necessary steps have been taken to minimise the chance of a device becoming hazardous.

If you’re looking for a recruitment partner who knows the industry inside out and can help you find people with the right skills and knowledge of these kinds of safety standards, why not get in touch and find out more about what we can do for you?

Chris Oddy

About the Author

Chris is an award-winning recruitment consultant who has specialised in the electronics and embedded systems sector since 2008. Chris is passionate about technology and customer service.
