V5 Ultimate
Compliance · The complete guide

ISO 14971Medical devices — Application of risk management

TL;DR

ISO 14971:2019 defines the globally accepted, lifecycle-wide process manufacturers use to identify hazards, estimate and evaluate risks, control risks, and monitor effectiveness for medical devices, including software, with EN ISO 14971:2019+A11:2021 guiding EU MDR alignment.

Reviewed · By V5 Ultimate compliance team· 2,036 words · ~10 min read
AI · Explain it for MY operation

How does ISO 14971 apply to your shop floor?

Pick your industry and scale — Ask V5 rewrites the definition in your context, gives a worked example, and shows what V5 does on day one.

Your scale

01What ISO 14971 covers and why it matters

ISO 14971:2019 is the international standard for risk management of medical devices. It defines a systematic process to identify hazards associated with a device, estimate and evaluate the resulting risks, implement risk controls, and monitor the effectiveness of those controls throughout the product lifecycle. It applies to hardware, software, accessories, and integrated systems intended for medical purposes.

The standard expects manufacturers to define risk acceptability criteria up front, perform risk control option analysis in priority order, verify implementation and effectiveness, and perform an overall residual-risk evaluation. It requires a Risk Management File (RMF) that consolidates plans, analyses, control rationales, verification evidence, and post-production information that may change decisions over time.

Regulators worldwide rely on ISO 14971 as the state of the art for device safety engineering. In the EU, EN ISO 14971:2019+A11:2021 provides alignment guidance to the General Safety and Performance Requirements (GSPRs) in Regulation (EU) 2017/745 (MDR). The 2019 edition is supported by ISO/TR 24971:2020, which offers clause-by-clause practical guidance, and it has been updated by Amendment 1:2024 to clarify certain concepts and references.

Manufacturers should understand that ISO 14971 is not merely a design-phase activity. It is a lifecycle discipline that continues into production and post-production monitoring, where real-world data can confirm assumptions or expose new hazards. The RMF must be kept current as evidence evolves to protect patients, users, and others who may be affected by device operation or failure.

For details on the maintenance changes, see iso-14971-2019-amd1-2024.

02Regulatory basis, harmonization, and EN ISO 14971:2019+A11:2021

ISO 14971 is the technical backbone for risk management obligations embedded in medical-device regulations. In the EU, Regulation (EU) 2017/745 (MDR) and Regulation (EU) 2017/746 (IVDR) require a structured, iterative process to identify and control risks as part of conformity assessment. MDR Article 10(2) and Annex I GSPRs 1 through 9 explicitly require risk reduction to be integrated with clinical benefit and post-market experience.

EN ISO 14971:2019+A11:2021 adds EU-specific annexes (ZA for MDR, ZB for IVDR) that map ISO 14971 clauses to MDR and IVDR legal requirements. The mapping helps manufacturers show how their RMF supports GSPR conformity, especially where risk control prioritization, benefit-risk justification, and information-for-safety are tested by Notified Bodies. Outside the EU, regulators including the U.S. FDA, Health Canada, the UK MHRA, Australia’s TGA, and Japan’s PMDA recognize ISO 14971 as state of the art and expect alignment in submissions and inspections.

Global quality doctrine reinforces this stance. ICH Q9 provides a foundational framework for quality risk management that complements device-specific expectations. The common thread is that risk decisions must be science-based, documented, and continuously improved as evidence accrues.

In practice, auditors and reviewers look for consistent policy, predefined acceptability criteria, complete traceability from hazards to controls and verification, and a visible feedback loop from post-market surveillance into design changes and labeling updates.

For the legal backbone and expectations on risk reduction and benefit-risk under EU law, see eu-mdr.

03Scope and applicability

ISO 14971 applies to all medical devices across classes I to III, including accessories and combination of devices used together as systems. It covers active and non-active devices and extends to software that is a medical device in its own right or that is embedded within a device.

For software, the standard must be applied in concert with the software lifecycle processes of IEC 62304. That linkage ensures that hazard identification and risk control cover software architecture, failure modes, cybersecurity-related risks that can lead to harm, and updates over time. For usability-related risks, manufacturers should integrate the human-factors engineering process of IEC 62366-1, since use errors and design-induced confusion can be significant sources of hazardous situations.

Risk management also spans interactions with power, energy, and environmental factors addressed in collateral standards such as IEC 60601 for basic safety and essential performance. The scope includes hazards to patients, users, service personnel, and bystanders, as well as indirect harms that may arise from delayed or incorrect diagnoses or therapies.

Beyond design and development, ISO 14971 expects control of risks emerging during manufacturing, packaging, transport, installation, servicing, and decommissioning. Production and post-production information closes the loop, requiring manufacturers to collect, review, and act on quality and safety signals so that the RMF reflects current knowledge of the device’s risk profile.

For usability engineering practices, see iec-62366-1.

04How the ISO 14971 process runs in practice

Risk management starts with policy and planning. The Risk Management Plan sets scope, responsibilities, interfaces, risk acceptability criteria, and verification strategy. Hazard identification follows, using systematic techniques that consider intended use, reasonably foreseeable misuse, known and foreseeable hazards, and sequences of events that can lead to hazardous situations and harms.

Risks are estimated by combining severity of harm and probability of occurrence of that harm. Risks are evaluated against predefined criteria to decide if control is needed. When required, risk control option analysis is performed in priority order to reduce risk to acceptable levels. Implementation of controls is verified, residual risk is estimated and evaluated, and benefit-risk analysis is performed if residual risk remains above criteria and cannot be further reduced.

Before release, the manufacturer performs an overall residual-risk evaluation, documents conclusions in the Risk Management Report, and ensures appropriate production and post-production monitoring is in place. Throughout, traceability must link each hazard to causes, controls, verification evidence, and residual-risk disposition.

PhaseKey activitiesTypical outputs
PlanningDefine policy, scope, responsibilities, criteria, methods, and verification approachRisk Management Plan, acceptability criteria, method references
AnalysisIdentify hazards and sequences of events, define harms, estimate risksHazard list, hazard analyses, initial risk estimates
EvaluationCompare to criteria, decide if control is requiredRisk evaluation decisions, control triggers
ControlOption analysis, implement controls in priority order, verify effectivenessControl specifications, verification evidence, updated residual risks
Overall evaluationAggregate view of residual risk and benefit-risk, disclosure in information for safetyRisk Management Report, IFU content decisions
Production and post-productionCollect and review field data, trend, feed changes back into design and labelingPMS inputs, CAPA, RMF updates, change records

Maintain strong linkage from the RMF to design outputs, verification reports, labeling content, and the regulatory dossier so that evidence of conformity is complete and navigable in your technical-file.

05Risk Management File (RMF) contents and traceability expectations

The RMF is the documentary center of ISO 14971 compliance. It does not need to be a single binder, but it must be a readily retrievable set of records that demonstrates process execution and decisions. Auditors and reviewers expect to see clear linkage from the Risk Management Plan through analyses, control specifications, verification evidence, and the final Risk Management Report.

Core contents typically include risk policy and acceptability criteria, the plan with responsibilities and interfaces, hazard identification outputs, risk estimates and evaluations, risk control option analysis and rationale, verification evidence for implemented controls, residual-risk evaluations, benefit-risk justifications where applicable, the overall residual-risk conclusion, and decisions on information for safety and training. Production and post-production procedures, trending rules, and periodic reviews must be referenced and show execution.

Traceability is critical. Each hazard should point to causes and sequences of events, selected controls, how each control was verified, and the updated risk estimate. The RMF should also connect to complaint handling, nonconformity management, corrective and preventive actions, and change control, since these are common entry points for risk updates.

Many organizations reflect risk status and ownership in a living quality-risk-register. Whether you maintain a central register or distribute records across design controls and production systems, ensure there is a single authoritative trail that aligns with your qms procedures and demonstrates that post-production information is routinely reviewed and acted upon.

06Key requirements: risk controls, acceptability, and benefit-risk

ISO 14971 requires that risk control option analysis follow a priority order: inherent safety by design, protective measures in the device or process, and information for safety, including training. Warnings and instructions are not substitutes for feasible design risk reductions. Each selected control must be implemented and verified for effectiveness, and any introduced risks (risk from risk control) must be analyzed and addressed.

Risk acceptability criteria must be predefined and consistently applied. The standard does not prescribe a specific numerical method, but it expects transparent, justified criteria aligned with clinical context. Manufacturers often use matrices or tiered criteria that weigh severity and probability, especially for harms that are serious but rare. Where residual risk remains above criteria and cannot be further reduced, a documented benefit-risk analysis is required.

Before release, the manufacturer performs an overall residual-risk evaluation that considers aggregate residual risks, risk interdependencies, and any necessary disclosures. If information for safety is part of the control strategy, ensure the Instructions for Use and training content accurately reflect residual risks and proper mitigations.

Under EU MDR, these determinations are also tested against GSPRs and clinical evaluation, so ensure alignment across technical documentation, vigilance rules, and the post-market follow-up plan. Consistency among design records, labeling, and clinical claims is a frequent focus of Notified Body review.

For labeling discipline and clarity, consult instruction-for-use-ifu; to visualize criteria and decisions, see risk-matrix.

07Relationships to ISO 13485, IEC 62366, IEC 62304, and EU MDR

ISO 14971 does not exist in isolation. ISO 13485 requires risk-based approaches across the Quality Management System and mandates integration points for design controls, purchasing controls, production, and servicing. Risk management tasks should appear as explicit inputs and outputs in design and development planning, design reviews, verification, validation, and transfer to production.

IEC 62366-1 requires usability engineering to identify and control use-related hazards and to validate that the user interface supports safe and effective use. The usability engineering file should cross-reference the RMF, since use errors and abnormal use scenarios often drive risk control requirements and labeling. Similarly, IEC 62304 weaves risk classification into software lifecycle tasks, and residual risks in software should be visible in the RMF with corresponding verification evidence.

In the EU, MDR Annex I GSPRs require that all known and foreseeable risks be reduced as far as possible and be outweighed by the device’s benefits. That legal test spans design, manufacturing, and clinical evaluation, which means the RMF must align with clinical data, the performance claims in labeling, and the post-market plan. Notified Bodies expect to navigate smoothly from a GSPR checklist to the RMF and supporting evidence.

Operationally, link the RMF to design change control, supplier controls, production nonconformance processes, and complaint handling. Regular management review should cover risk metrics, signals from the field, and the status of actions that affect risk so that leadership can verify ongoing suitability and effectiveness of the risk management process.

08Common pitfalls and misinterpretations

Despite its clarity, ISO 14971 is often misapplied in ways that weaken safety cases. A common issue is treating risk management as a static design deliverable instead of a continuously updated discipline. Another is failing to articulate and approve risk acceptability criteria at the outset, which leads to ad hoc decisions that are difficult to defend under audit.

Documentation gaps also erode confidence. If the chain from hazard to control to verification to residual risk is broken, reviewers cannot confirm that risks are controlled. Equally problematic is substituting warnings for feasible design risk reductions, which conflicts with the required priority order of controls. In software, not analyzing off-nominal states, concurrency, and update pathways leaves important risk contributors unaddressed.

Post-production omissions are another frequent finding. Complaint and vigilance data, trend analyses, CAPA, and supplier issues must feed back into the RMF, with visible reassessment of residual and overall risk. Finally, the overall residual-risk evaluation should be explicit, evidence-based, and aligned with labeling and clinical evaluation, not implied by a stack of individual analyses.

  • No predefined, approved risk acceptability criteria before analysis begins
  • Over-reliance on a single numerical scoring scheme that obscures clinical severity
  • Using information for safety where inherent safety by design is feasible
  • Weak verification of control effectiveness, especially for software mitigations
  • Poor traceability between usability findings and risk controls in the RMF
  • Failure to update the RMF with post-market signals and CAPA outcomes

09Implementation patterns and how V5 Ultimate supports you

Effective ISO 14971 implementation starts with a clear policy, roles, and interfaces to design controls, software lifecycle, usability engineering, and post-market processes. Establish risk acceptability criteria that reflect clinical context, agree on methods and evidence requirements, and define how management will review overall residual risk before release. Build traceability from day one so each hazard links to controls and verification evidence.

Integrate the RMF with change control and field feedback. Automate collection of production and post-production data, define trending rules, and route signals for risk reassessment. Keep the RMF navigable by aligning artifact naming and identifiers across engineering, clinical, labeling, and regulatory documentation. Conduct periodic, data-driven management reviews that test whether the process remains suitable and effective.

During audits and submissions, ensure that reviewers can move seamlessly from GSPR or equivalent checklists to the RMF and into underlying verification reports and labeling. Prepare concise rationales for benefit-risk decisions and document why information for safety is appropriate where used. Maintain training and competency records for individuals responsible for risk management activities.

Frequently asked questions

Q.What is the difference between ISO 14971 and ISO/TR 24971?+

ISO 14971 contains the normative requirements for medical-device risk management. ISO/TR 24971:2020 is a technical report that provides detailed guidance and examples to help manufacturers implement those requirements effectively.

Q.Does EN ISO 14971:2019+A11:2021 change the ISO 14971 requirements?+

No. A11 adds EU mapping annexes (ZA for MDR and ZB for IVDR) to show how ISO 14971 supports GSPRs. It does not alter the technical clauses or obligations of ISO 14971:2019.

Q.How does ISO 14971 relate to software development under IEC 62304?+

IEC 62304 governs the software lifecycle, while ISO 14971 governs risk management. Software hazards, classifications, and mitigations from IEC 62304 activities must be analyzed and verified within the ISO 14971 RMF, including updates over the device’s life.

Q.What must the Risk Management File include?+

It should include policy and acceptability criteria, the plan, hazard identification outputs, risk analyses and evaluations, risk control option analysis, verification evidence, residual-risk evaluations, the overall residual-risk conclusion, and production and post-production information.

Q.How should benefit-risk analysis be documented under EU MDR?+

When residual risks exceed predefined criteria and cannot be further reduced, justify that the clinical benefits outweigh those risks. Align the rationale with GSPRs, clinical evaluation, and labeling, and document it in the RMF and technical documentation.

Q.How often should the RMF be updated post-market?+

Update whenever production or post-production information affects risk assumptions or controls. At minimum, review periodically per your procedures and whenever signals from complaints, vigilance, or CAPA indicate a meaningful change.

Q.Can a risk matrix alone prove compliance?+

No. A matrix is a tool to visualize criteria and decisions. Compliance depends on a complete, traceable process with justified criteria, control rationales, verification evidence, and a documented overall residual-risk evaluation.

Primary sources

Further reading

Explore this topic

ISO 14971 sits inside this topic cluster in our glossary. Every neighbour is one click away.

See ISO 14971 working on a real shop floor

V5 Ultimate ships with the ISO 14971 controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.