Over the last several years, the increasing diversity and complexity of medical devices raised the need for the standardisation of a risk management process. That’s why ISO 14971 was first introduced back in 2000. Since then, the standard has been evolving and adapting to the changing medical device industry.

In this article, prepared in close collaboration with Krzysztof Minicki, our Director of Healthcare and Life Sciences, we’re explaining what the current version of ISO 14971 covers as well as how it’s related to the EU MDR, FDA and ISO 13485.

What is ISO 14971?

ISO 14971 is a risk management standard for medical devices. It defines the rules and describes procedures that the manufacturers of medical devices, including software, have to adhere to concerning risk management.

The aim of ISO 14971 is to help the manufacturers identify, estimate, evaluate, monitor and control risk associated with a medical device. It also helps minimise risk by giving guidance on how to check whether the control measures were implemented correctly.

What’s important, ISO 14971 specifies that the risk management process should be iterative and implemented at every stage of product manufacturing: from the very beginning to the end of a product lifecycle. Risk management should be managed not only during the manufacturing and implementation of medical devices but also after they are released to the end users.

The current version of the ISO 14971 standard came into force in December 2019. Since all standards are regularly reviewed by the International Organization for Standardization, after one of such reviews it was decided that the previous version of ISO 14971 was out-of-date. The definitions it included were no longer accurate and it lacked the guidelines on how to conduct activities related to risk management. There was also a need for adjusting the standard to the EU MDR and other similar regulations, for example, the FDA, as well as the newest version of ISO 13485.

What are the main changes in the new version of the ISO 14971 standard?

There are three main changes in the current ISO 14971:2019 version in comparison to the previous ISO 14971:2012 one:

Establishing risk acceptability criteria

There must be acceptability criteria established for individual residual risks and overall residual risk. Before we get into more details, let’s stop for a moment to explain what a residual risk of a medical device is.

Residual risk is a type of risk associated with the side-effects or after-effects of using a medical device for a specific procedure, for example, an overdose of Roentgen radiation. Residual risk is the amount of risk remaining after reducing the inherent risk by introducing risk controls.

The new version of ISO 14971 requires that all residual risks should be assessed against the acceptability criteria. Also, medical device software manufacturers are obliged to analyse and assess the overall residual risk as well as establish the methods and criteria for conducting such analysis.

Conducting a risk-benefit analysis

The newest version of the ISO 14971 standard requires that the analysis of the risk-benefit ratio for individual residual risks as well as for the overall residual risk be conducted. The risk-benefit analysis has to take into consideration also the Intended Use of a medical device.

Assessing the risk-benefit acceptability can be divided into three stages:

Assessing the risk-benefit acceptability should include both the individual residual risks and overall residual risk. What is more, when conducting risk analysis you should take into consideration that a user may use a device in a way that is inconsistent with its Intended Use. Putting an adequate disclaimer won’t be enough in such a case. A device must be protected against using it not in accordance with its Intended Use as well as it should have the highest possible usability, also with regard to ergonomics, environment, etc.

Creating a risk management process

ISO 14971:2019 requires medical device software manufacturers to establish metrics to conduct regular risk evaluation throughout the whole life-cycle of a product, from design, through development to post-production. ISO 14971:2019 specifies how the process should look like in detail. It’s up to manufacturers how frequently such evaluation should take place as long as the effectiveness and regularity are maintained.

It’s worth mentioning that when it comes to minimising risk, hardware solutions are superior to software ones. Using a hardware risk mitigation measure is always advisable if possible.

ISO 14971:2019 vs ISO 13485

Risk management processes and procedures specified by ISO 14971 must be an integral part of a risk management system compliant with ISO 13485. These two standards are related and mutually complementary. Additionally, the life cycle requirements for the development of medical software and software as a medical device is specified by the international standard IEC 62304.

ISO 14971:2019 vs EU MDR

ISO 14971 isn’t an officially MDR-harmonised standard for medical device risk yet because these two weren’t prepared and introduced in parallel. The difference between harmonised and non-harmonised standards is that the former are endorsed by government institutions and fulfil legal requirements. Does it mean that we should wait with the implementation of ISO 14971 into our risk management processes until it’s MDR-harmonised?

No such thing. The ISO 14971 addresses aspects that are also required by the EU MDR. These are specified in Annex I of the MDR, which describes general requirements for medical device safety.

However, there are also certain differences between ISO 14971 and EU MDR.

One of them lies in risk management and reduction requirements. According to ISO 14971, there are three acceptable approaches: ALARP (As Low As Reasonably Practicable), ALARA (As Low As Reasonably Achievable) or AFAP (As Far As Possible). On the contrary, EU MDR allows only the last one (Annex I, Chapter 2). What to do in such a case?

In matters where the requirements of ISO 14971 and EU MDR differ, the latter is always superior.

Also, MDR puts more emphasis on ensuring an adequate scope of risk management and protection measures. When some kind of risk cannot be eliminated or there’s a low risk-benefit ratio, as per MDR, you should implement other protection measures and solutions, such as alarms or trainings for employees. ISO 17971 has no requirements in this regard.

ISO 14971 vs FDA

The 2019 version of the ISO 14971 has been officially recognised by the FDA as a risk management standard for medical devices.

ISO/TR 24971: Guidelines on the application of ISO 14971

ISO/TR 24971 is a set of guidelines on how to practically approach ISO 14971 implementation. What’s important for manufacturers of software as a medical device, Annex F to ISO/TR 24971, contains information and best practices concerning cybersecurity key topics, such as: threat, vulnerability, integrity, data availability and accessibility, confidentiality, etc.

What’s the transition period for ISO 14971:2019?

The recent version of ISO 14971 should be adopted by all manufacturers of medical devices within three years following the publication, so in 2022 at the latest.

Need help with implementing ISO 14971:2019?

Beyond software developments services we also offer help with risk analysis and support in adjusting your processes and procedures to the current version of ISO 14971:2019. Also, we provide our customers with a ready-for-submission risk management file.

We mainly focus on risks associated with product design and development, but you can also count on our expertise in risk analysis for products that are already in use.

Use the contact form below to tell us about your needs and Krzysztof will get back to you as soon as possible.

About the author

Małgorzata Kruszyńska

Małgorzata Kruszynska

Business Researcher