Understanding the Medical Device Risk Management Standard ISO 14971:2019

Understanding the revised risk management Standard ISO 14971:2019 for medical devices

This new edition aligns with the new EU MDR and EU IVDR performance requirements and provides a risk management framework for the medical devices industry from start to finish.  

ISO 14971:2019 offers guidance and a detailed look at the application of risk management, and is expected to become the state of the art within the industry. This edition also comes with a new and up to date companion report ICO/TR 24971 for further clarification.  

While most of the Standard's concepts are not entirely new, it does include updated risk management processes, with extended information related to risk analysis. It also supplies definitions of terms used within the Standard to avoid misunderstandings and misinterpretations that could lead to mistakes and negative consequences. Definitions that were not included in the previous Standard include: 'Benefit', 'Reasonably foreseeable misuse', and 'State of the art'.  

To ensure maximum clarity, ISO 14971:2019 breaks down risk management into six steps, to assist and guide the medical device industry through detailed risk management concepts while conforming with essential safety and performance principles.

1. Risk Management Plan

This first step acts as an overview of all risk management activities that will take place over a medical device's life cycle. It takes into account various criteria based on international standards, regulations, state of the art, and stakeholder concerns. This step includes checks and verifications steps to measure effectiveness of the risk management system implemented. It also details all information that needs to be collected during and post-production.

2. Risk Assessment

This section has been changed and expanded upon the most in the new edition, and is broken down into two sub-sections. 

Risk Analysis - This first step details how the medical device's intended use is documented, which helps determine how the device will be appropriately used. Along with the device's intended use, the device's correct use is also documented in detail. Also included in this documentation step is reasonable foreseeable misuse errors, device characteristics or hazardous situations that can affect safety. 

Risk Evaluation - This step ensures that all risks are assessed using appropriate criteria for risk acceptability. Documented risks are then categorised. If the risk is deemed acceptable, it is classified as a residual risk, if it is not, then other risk control activities are carried out.

3. Risk Control

This phase has not changed significantly in the new edition. It ensures that risk is minimized and effectively reduced to an acceptable level. A subsection has been added to the beginning of this phase that addresses risk reduction. This can be achieved in multiple ways including but not limited to: designing the device to be inherently safe, implementing protective measures in the device's design, providing safety information on instructions, warnings and contradictions, and user training.

4. Evaluation of Overall Residual Risk

This step is included to ensure all risks are managed in context with other potential risks to ensure that several small risks do not create a large and unanticipated risk. Criteria and acceptability for residual risk is documented here as well. Information on disclosing residual risks that still exist in a device to users is also detailed.

5. Risk Management Review 

This phase acts as a comprehensive review of the risk management plan. It guarantees that the plan and residual risks were properly executed and documented.  The review produced then feeds into the risk management report.

6. Production and Post-production Activities

This last section of the new standard is divided into three sections: Information collection, information review, and actions. These three sections provide direction on risk management and steps for information distribution and collection post-production of a medical device.  


If followed, new ISO 14971:2019 Standard will assist all medical device manufacturers in maintaining low levels of risk and ensuring both the organisation and the devices produced remain compliant. As it has been many years since the previous edition of ISO 14971 has been published, it is crucial (for both the industry as well as the device's user) that the new and current Standard is used pre-, during, and post-production.