ISO 14971

ISO 14971 is the international standard that defines the requirements and processes for applying risk management to medical devices.

ISO 14971, published by the International Organization for Standardization (ISO), is the definitive standard for applying risk management within the medical device industry. It is explicitly recognized by regulatory bodies such as the FDA and is integrated into other medical device quality standards.

It provides a framework for manufacturers to manage risks throughout the entire product lifecycle, from initial design to post-production monitoring. The standard requires manufacturers to establish, document, and maintain procedures for risk management.

Frequently Asked Questions (FAQs) Associated with ISO 14971

The questions below cover ISO 14971’s critical role in design control, its cyclical nature, and its specific documentation requirements.

1. What are the key goals and philosophy of ISO 14971?

The fundamental philosophy of ISO 14971 is that an ounce of prevention is worth a pound of cure. The goal is not only to comply with the standard but also to improve outcomes throughout the product lifecycle.

  • Proactive Mitigation: Identifying and mitigating issues early in the process is beneficial and helps prevent costly design changes, production delays, and potential recalls later on.
  • Safety and Effectiveness: ISO 14971 forms the backbone for applying risk management in medical device sub-processes, such as clinical trials.
  • Risk-Benefit Rationale: The process ensures that the device benefits continue to outweigh the risks throughout the product lifecycle.

2. What is the scope and applicability of the standard?

ISO 14971 applies specifically to the medical device industry.

  • Inclusivity: The standard is intended to apply to all medical devices, including Software as a Medical Device (SaMD) and in vitro diagnostic devices (IVD).
  • Process Risk: It is also used to demonstrate mitigation of process risk (e.g., through Process Failure Mode and Effects Analysis, or pFMEA) in manufacturing processes that affect product quality.

3. How does ISO 14971 integrate with other QMS standards like ISO 13485?

ISO 14971 requires full integration of the risk process into the product life cycle. This integration is explicitly cross-referenced in the medical device QMS standard, ISO 13485.

  • Design Inputs: ISO 13485 (Section 7.3.3) specifies that outputs of risk management must be one of the design and development inputs. This requirement forces manufacturers to conduct risk management processes during the design phases.
  • QMS Integration: ISO 13485:2016 requires risk to be considered throughout the entire QMS.

4. What are the key phases of the risk management process defined by ISO 14971?

The ISO 14971 process is cyclical and structured, consisting of several parts:

  1. Risk Management Plan: Established at the beginning of the design process, defining who, what, where, and when for risk activities, and establishing risk acceptability criteria.
  2. Risk Analysis (Part 3): Identifying possible hazards (e.g., bacterial contamination) and hazardous situations (the trigger event). This must be done by a cross-functional team.
  3. Risk Estimation (Part 3): Assigning a numerical or qualitative value to the risk, considering the probability of occurrence and the severity of the harm.
  4. Risk Evaluation (Part 4): Comparing the estimated risk against predefined risk acceptability criteria established in the plan.
  5. Risk Control (Part 5): Taking steps to reduce unacceptable risks to acceptable levels. The preferred order of controls places the onus first on "inherently safe design and manufacture", followed by protective features, and finally, information for safety (labeling/training), which is the least effective.
  6. Evaluating the Residual Risk (Part 6): Reviewing the risk that still remains after controls are implemented and verified. Any significant residual risks must be identified and disclosed (e.g., in the Instructions for Use or Investigator’s Brochure).

5. What are the major documentation requirements under ISO 14971?

The standard requires comprehensive documentation to demonstrate control over risks:

  • Risk Management Plan (RMP): A living document detailing the planned risk activities and acceptability criteria across the product lifecycle.
  • Risk Management File (RMF): Contains all records related to risk management, including analysis, estimation, risk controls, verification of controls, and residual risk evaluations.
  • Traceability: The RMF must contain traceability for each hazard to its associated risk analysis, evaluation, controls, and residual risk evaluation.

6. What did the ISO 14971:2019 revision emphasize?

The current edition, ISO 14971:2019, added increased requirements for the post-market risk management process.

  • Post-Market Surveillance: Manufacturers must establish a system to collect and analyze data about products once launched to market.
  • Ongoing Review: The RMP must include a plan for collecting and reviewing post-production information. This involves regularly sifting through data (e.g., production nonconformance data, customer feedback, scientific literature, regulatory reporting) to identify new hazards or determine if the current risk estimate needs to be revised.
  • Escalation: The review process must include escalation triggers for immediate evaluation if concerning post-production data is received.

7. How does ISO 14971 define core risk terms?

ISO 14971 provides specific definitions for related concepts to minimize confusion:

  • Risk Analysis: Identifying possible hazards that could cause harm to people, property, or the environment.
  • Risk Estimation: The process used to assign a numerical value to the identified hazards, considering probability of occurrence and severity of the harm.
  • Risk: The actual representation of the risk estimation, often referenced as a risk index.
  • Risk Assessment: A comprehensive document containing both the risk analysis and the risk evaluation.
  • Risk Management: The overall umbrella term that refers to all sub-processes and components of the risk process.

8. What tools or methods are associated with risk analysis under this standard?

While performing risk analysis requires creative thinking, various tools and inputs are recommended:

  • Team: Analysis should be performed by a cross-functional team.
  • Sources: ISO 14971 contains a good starter list of hazards in Annex C. Other sources include publicly available information about similar devices (e.g., public complaint reporting data), and pre-market testing data.
  • Methods: Analytical methods used in risk management include Failure Mode and Effects Analysis (FMEA), and Hazard Analysis and Critical Control Points (HACCP) summaries. The use of tools like Fault Tree Analysis (from ICH Q9) may also be helpful for the actual work of risk analysis.
