ISO 14971 Risk Management for Medical Devices: A Complete Process Guide
ISO 14971 is the internationally recognized standard that defines how medical device manufacturers identify, analyze, evaluate, and control the risks associated with their devices. Regulators worldwide, including the FDA, Health Canada, and PMDA, recognize it as the reference for device risk management, and in the EU the harmonized EN ISO 14971 is the accepted route to meeting the MDR's risk management requirements, so in practice it is not optional for device companies. The standard applies to all stages of a device's lifecycle, from concept through design, manufacturing, installation, use, and post-market surveillance.
Risk management under ISO 14971 is a systematic, iterative process designed to ensure that devices are as safe as possible while remaining beneficial to patients. A well-executed risk management program demonstrates to regulators that the manufacturer has thoughtfully considered potential hazards, implemented proportionate controls, and maintained evidence of these activities throughout the device's lifecycle.
What Is ISO 14971 and Why Does It Matter?
ISO 14971 provides a framework for managing risks in medical device development and manufacturing. The standard requires manufacturers to establish a systematic approach to identifying what could go wrong, how likely those failures are, how severe their consequences would be, and what controls can reduce risk to acceptable levels. This proactive approach to risk is more effective than reactive problem-solving after a device has been released.
The FDA's design control regulation (21 CFR 820.30) requires risk analysis as part of design validation, and the FDA recognizes ISO 14971 as a consensus standard, so it expects manufacturers to follow ISO 14971 principles even for U.S.-only submissions. During inspections, investigators review the risk management file to verify that the manufacturer has identified the hazards associated with the device and implemented appropriate control measures. A weak or incomplete risk management file is a common finding in FDA warning letters.
The Seven-Step ISO 14971 Risk Management Process
ISO 14971 defines a structured seven-step process for risk management. These steps are intended to be iterative and cyclical—as new information emerges, as the design evolves, and as the device is used in the real world, the risk assessment must be revisited and updated.
Step 1 — Risk Management Planning
Every risk management program begins with a formal risk management plan. This document outlines the scope of the risk assessment (which device aspects and lifecycle stages will be covered), identifies the team responsible for risk management, defines the process and tools that will be used, establishes timelines, and specifies roles and responsibilities. The plan must also define the risk criteria that will be used to determine whether a risk is acceptable—these criteria are based on the device's intended use, patient population, and benefit-risk balance.
Step 2 — Risk Analysis
In risk analysis, the team systematically identifies all foreseeable hazards associated with the device and documents the chain of events that could lead from a hazard to patient harm. This involves asking: What could go wrong? How could it happen? What would be the consequences? Tools commonly used include Failure Mode and Effects Analysis (FMEA), Hazard and Operability analysis (HAZOP), and fault tree analysis. The goal is to be comprehensive and systematic, not to rely on intuition or past experience alone.
Step 3 — Risk Evaluation
Once hazards and their sequences of events have been documented, each risk is estimated and then compared against the acceptability criteria from the risk management plan. Risk estimation, which ISO 14971 treats as the last part of risk analysis, assigns a severity (how harmful would the consequence be?) and a probability (how likely is it to occur?) to each identified risk; risk evaluation is the comparison of that estimate against the criteria. The two dimensions are usually combined in a risk matrix whose cells classify risks as, for example, low, medium, high, or unacceptable. Any risk that exceeds the acceptability criteria must be addressed with risk control measures.
Step 4 — Risk Control
Risk control is where the manufacturer implements measures to reduce unacceptable risks to acceptable levels. The standard recognizes three kinds of control and requires them to be considered in this priority order: inherently safe design and manufacture (eliminating the hazard or reducing the risk by design, e.g., adding redundancy or protective features, or tightening manufacturing specifications), protective measures in the device or its manufacturing process (safeguards, interlocks, alarms), and information for safety (instructions for use, labeling warnings, training). Effective risk control often combines several of these. Each implemented measure must be verified to work as intended, and the team must check whether the measure itself introduces any new hazard.
Step 5 — Evaluation of Overall Residual Risk
After implementing risk controls, the manufacturer must re-evaluate the remaining risk (called residual risk) to confirm that it meets the acceptability criteria. Additionally, the overall risk of the device—considering all identified hazards and their residual risks collectively—must be acceptable. This requires asking: Even with all our controls in place, is this device safe enough? Is the benefit to patients proportionate to the remaining risks?
Step 6 — Risk Management Review
Before the device is released for commercial distribution, the execution of the risk management plan must be reviewed by the persons the plan assigns that authority to. The review verifies that the plan was followed, that risk estimates and acceptability decisions are justified, that control measures were implemented and verified, and that the overall residual risk is acceptable. The standard does not itself require the reviewers to be independent of the people who prepared the file, but having at least one qualified reviewer who did not prepare it is common practice and strengthens the record. The review must be documented, and any findings or open questions resolved before release.
Step 7 — Production and Post-Production Activities
Risk management does not end when the device is released. The manufacturer must continue to monitor the device's performance in the real world, gather post-market data on adverse events and complaints, and update the risk assessment if new hazards or failure modes are discovered. Post-market surveillance, complaint handling, trend analysis, and periodic risk management reviews are all part of this final step. If new risks are identified, the process must cycle back to risk control and evaluation.
Key ISO 14971 Concepts Every Team Must Understand
Hazard, Foreseeable Sequence of Events, Harm, and Risk
ISO 14971 defines a hazard as a potential source of harm. A hazard by itself is not a risk: risk arises only when a foreseeable sequence of events puts a person in a hazardous situation (exposure to the hazard) that can lead to harm, and the risk is expressed as the combination of the probability of that harm and its severity. For example, a sharp edge on a device is a hazard, but the risk depends on whether a patient or user could actually be cut by it during intended use or reasonably foreseeable misuse. The distinction matters because the analysis must trace each hazard through its sequence of events. Not every hazard therefore needs a control measure, but every identified hazard should be recorded with the reasoning, so a reviewer can see it was considered rather than missed.
Risk Acceptability and the ALARP Principle
Risk acceptability does not mean zero risk; no useful device has none. It means the remaining risk is judged acceptable against the criteria in the plan, in the light of the device's benefit, after reasonable efforts to reduce it further. The ALARP principle (As Low As Reasonably Practicable) expresses one version of this: reduce risk as far as practicable, without demanding controls whose cost or burden is grossly disproportionate to the reduction achieved. Two caveats apply. ISO 14971:2019 removed ALARP from its normative text and keeps it only as informative guidance, and the EU MDR requires risks to be reduced "as far as possible" without weighing economic considerations, so a manufacturer selling into the EU cannot justify leaving a risk uncontrolled on cost grounds alone.
Benefit-Risk Analysis
The overall acceptability of a device depends on weighing its benefits against its risks. A high-risk device may be acceptable if it provides substantial benefit to patients with no alternative treatment. Conversely, a device with even moderate risk may be unacceptable if safer alternatives exist. The risk management plan must define the intended benefits and the patient population that will benefit, so that the benefit-risk balance can be properly evaluated.
The Risk Management File: What It Must Contain
ISO 14971 requires that the manufacturer establish and maintain a risk management file containing all records of the risk management process. This file must include the risk management plan, the results of risk analysis, risk evaluation justifications, documentation of risk control measures and their effectiveness, evidence of residual risk evaluation, and documentation of the risk management review. The file must demonstrate that all steps have been completed and that decisions made were justified.
Risk management plan defining scope, risk criteria, team roles, and timeline
Risk analysis documentation (FMEA, HAZOP, or other systematic identification of hazards)
Risk evaluation with severity and probability assignments for each identified risk
Risk control plan with specific measures implemented and their design rationale
Residual risk evaluation confirming that controls reduced risk to acceptable levels
Evidence of design verification that risk controls function as intended
Independent review records with sign-off by qualified personnel
Post-market surveillance and trend analysis results
Updates to risk assessment reflecting field experience or design changes
How ISO 14971 Connects to IEC 62304, ISO 13485, and EU MDR
ISO 14971 risk management is not an isolated requirement; it integrates with other standards and regulations. IEC 62304, the medical device software lifecycle standard, requires a risk management process conforming to ISO 14971 and derives its software safety classification from the risk the software can contribute to. ISO 13485 requires risk management to be applied throughout product realization. The EU MDR requires a risk management system covering the whole lifecycle (Annex I) together with post-market surveillance that feeds back into it; EN ISO 14971 is the harmonized standard manufacturers use to show conformity with those requirements.
In practice, this means that risk management feeds design control, design verification and validation, and software development. The risk management file becomes a central document referenced throughout the design history file and supporting documentation. For manufacturers selling in several markets, ISO 14971 provides one risk management framework that the FDA, PMDA, EU notified bodies, and other regulators all accept, though each jurisdiction keeps its own submission and post-market requirements on top of it.
Common ISO 14971 Pitfalls to Avoid
One of the most common failures is creating a risk management file only after the device design is essentially complete. Risk management must inform design decisions from the beginning. If risk assessment is done as a check-box exercise after design, there is no opportunity to implement effective design controls and the risk management record becomes unconvincing.
Another frequent mistake is lowering the severity or probability of a risk because the team trusts the controls it has planned. Estimate the risk first, as it would be without the control, then credit the control and record the residual risk, so that the file shows what the control actually achieves. For example, when evaluating an electrical shock hazard, the severity should not be reduced because the device has insulation: the severity of an electrical shock is a property of the harm and stays high, while the insulation is a control that lowers the probability that the hazard leads to harm. If the control is later found to be ineffective, a file built this way still shows the true severity.
Performing risk assessment after design is complete, limiting opportunity for effective risk control
Confusing risk evaluation with control effectiveness; risks must be evaluated first, then controls designed
Underestimating the scope of hazards because the team is overconfident in controls or user compliance
Failing to update the risk assessment when design changes occur or when post-market data reveals new hazards
Delegating risk management to a single person rather than engaging the multidisciplinary team needed for comprehensive hazard identification
💡 Best practice: Embed risk management into your design process from the earliest stages. Use cross-functional teams to identify hazards that different perspectives might reveal. Document assumptions and rationale clearly so that future reviews and post-market updates can build on your work.
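As an added worked example (not code from this page or from any vendor platform), the following Python models Steps 3 to 5 of the process above for a constructed risk register and encodes the severity pitfall just described: controls can lower the probability or eliminate the hazard, but never the severity of the harm. The severity and probability scales, the acceptability matrix, the reduction each control is credited with, and the four sample hazards are all assumptions made for the example; a real risk management plan defines its own criteria.

```python
"""Illustrative ISO 14971-style risk register (added example, not the page's
own code). Estimates each risk on a severity x probability matrix, credits
the risk controls, re-evaluates the residual risk, then judges the device
overall. All scales, criteria and sample hazards are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


class Probability(IntEnum):
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


# Assumed acceptability criteria, as the risk management plan would define them.
# Rows: probability (IMPROBABLE..FREQUENT); columns: severity (NEGLIGIBLE..CATASTROPHIC).
# ACC = acceptable; ALARP = acceptable only with a documented justification that
# further reduction is not practicable; UNACC = must go back to risk control.
ACCEPTABILITY = (
    ("ACC",   "ACC",   "ACC",   "ALARP", "ALARP"),  # IMPROBABLE
    ("ACC",   "ACC",   "ALARP", "ALARP", "UNACC"),  # REMOTE
    ("ACC",   "ALARP", "ALARP", "UNACC", "UNACC"),  # OCCASIONAL
    ("ALARP", "ALARP", "UNACC", "UNACC", "UNACC"),  # PROBABLE
    ("ALARP", "UNACC", "UNACC", "UNACC", "UNACC"),  # FREQUENT
)


def evaluate(severity: Severity, probability: Probability) -> str:
    """Risk evaluation: compare one estimated risk against the plan's criteria."""
    return ACCEPTABILITY[probability - 1][severity - 1]


@dataclass(frozen=True)
class Control:
    description: str
    kind: str                       # "inherent", "protective" or "information"
    probability_reduction: int = 0  # assumed steps down the Probability scale


@dataclass
class Risk:
    hazard: str
    sequence_of_events: str
    harm: str
    severity: Severity          # severity of the harm itself; controls never lower it
    probability: Probability    # estimated before any control is credited
    controls: list[Control] = field(default_factory=list)

    def residual_probability(self) -> Probability | None:
        """Credit the controls. Inherent safe design removes the hazard, so the risk
        disappears (None). Protective measures and information for safety only move
        the probability down the scale; severity stays what the harm would be."""
        if any(c.kind == "inherent" for c in self.controls):
            return None
        p = int(self.probability)
        for c in self.controls:
            p = max(int(Probability.IMPROBABLE), p - c.probability_reduction)
        return Probability(p)

    def initial_evaluation(self) -> str:
        return evaluate(self.severity, self.probability)

    def residual_evaluation(self) -> str:
        p = self.residual_probability()
        return "ELIMINATED" if p is None else evaluate(self.severity, p)


def overall_residual_risk(register: list[Risk]) -> dict:
    """Step 5: the device passes only when no residual risk is UNACC; ALARP entries
    are listed so the review (Step 6) can confirm each has a written justification."""
    unacc = [r.hazard for r in register if r.residual_evaluation() == "UNACC"]
    alarp = [r.hazard for r in register if r.residual_evaluation() == "ALARP"]
    return {"acceptable": not unacc, "back_to_risk_control": unacc,
            "needs_alarp_justification": alarp}


def sample_register() -> list[Risk]:
    """Constructed sample hazards for an imaginary mains-powered infusion pump."""
    return [
        Risk("mains voltage on accessible conductive part",
             "insulation fault -> user touches enclosure", "electric shock",
             Severity.CRITICAL, Probability.OCCASIONAL,
             [Control("double insulation of enclosure", "protective", 2),
              Control("IFU warning: do not use with damaged cord", "information", 1)]),
        Risk("sharp edge on housing seam", "nurse grips housing -> laceration",
             "minor cut", Severity.MINOR, Probability.PROBABLE,
             [Control("radiused housing edges (design change)", "inherent")]),
        Risk("battery depletion during transport", "no mains -> pump stops",
             "interrupted therapy", Severity.SERIOUS, Probability.OCCASIONAL,
             [Control("low-battery alarm with 30 min reserve", "protective", 2)]),
        Risk("flow-rate entry error", "rate typed 10x -> bolus delivered",
             "overdose", Severity.CATASTROPHIC, Probability.REMOTE,
             [Control("IFU warning: verify rate before start", "information")]),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for r in reg:
        print(f"{r.hazard:45} {r.initial_evaluation():6} -> {r.residual_evaluation()}")
    print(overall_residual_risk(reg))
```

Run as a script, the register reports the shock hazard moving from unacceptable to ALARP (the review then has to record why no further practicable reduction exists), the sharp edge eliminated by the design change, the battery hazard reduced to acceptable, and the overdose hazard still unacceptable because an IFU warning was credited with no probability reduction, which sends it back to Step 4. Two design choices carry the point of the text: `severity` is set once from the harm and no method ever changes it, and "inherent" is the only control kind that can remove a risk entirely, mirroring the priority the standard gives to safe design. The matrix cells and the reduction credited to each control are the plan's decisions, not the standard's, and every such number needs a rationale in the risk management file.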