In the highly regulated world of medical devices, ensuring patient safety and product effectiveness is paramount. Risk management plays a critical role in achieving this, and ISO 14971:2019 provides the globally recognized framework for identifying, evaluating, and controlling risks throughout a medical device’s lifecycle. This standard guides manufacturers through a systematic process to minimize harm, balancing innovation with safety. Navigating ISO 14971:2019 requires a deep understanding of both its structured approach and its integration into quality management systems, making it essential for compliance, market access, and, ultimately, protecting patient health.
Some of the key definitions
- Risk management: systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk.
- Risk: combination of the Probability of Occurrence of harm and the Severity of that harm.
- Hazard: potential source of harm.
- Harm: injury or damage to the health of people, or damage to property or the environment.
- Hazardous situation: circumstance in which people, property or the environment is/are exposed to one or more hazards.
Management responsibilities
Top Management shall provide evidence of its commitment to the Risk Management process by ensuring:
- The provision of adequate resources; and
- The assignment of competent personnel for Risk Management.
Top Management shall:
- Define and document a policy for establishing criteria for Risk acceptability.
- Review the suitability of the Risk Management process at planned intervals to ensure its continuing effectiveness and shall document any decisions and actions taken (part of the QMS review for example).
Competence of personnel
- Persons performing Risk Management tasks shall be competent on the basis of education, training, skills and experience appropriate to the tasks assigned to them.
- This includes knowledge and experience with the particular medical device (or similar medical devices) and its use, the technologies involved or the Risk Management techniques employed.
Risk Management process
The manufacturer shall establish, implement, document and maintain an ongoing process for:
- Identifying hazards and hazardous situations associated with a medical device.
- Estimating and evaluating the associated risks.
- Controlling these risks.
- Monitoring the effectiveness of the risk control measures.
The Risk Management process shall be understood as a continuous, iterative process throughout the entire lifecycle of the medical device, requiring regular systematic updating.
Risk Management Plan: Risk Management activities shall be planned.
Risk Assessment: Risk Analysis + Risk Evaluation
- Risk Analysis:
  - Hazards identification:
    - Intended use and reasonably foreseeable misuse.
    - Identification of characteristics related to safety.
    - Identification of hazards and hazardous situations.
  - Risk estimation: process used to assign values to the Probability of Occurrence of harm and Severity of harm.
- Risk Evaluation: evaluate the estimated risks and determine if the risk is acceptable or not, using the criteria for risk acceptability defined in the Risk Management Plan.
Risk Control:
- Risk control option analysis: determine risk control measures that are appropriate for reducing the risks to an acceptable level. Risk control options:
  - Inherently safe design and manufacture.
  - Protective measures in the medical device itself or in the manufacturing process.
  - Information for safety and, where appropriate, training to users.
- Implementation of risk control measures: selected risk control measures shall be implemented and verified.
- Residual risk evaluation: if a residual risk is not judged acceptable using the criteria for risk acceptability defined in the Risk Management Plan, further risk control measures shall be considered.
- Benefit-risk analysis: if some risks remain at an unacceptable level after Risk controls, data and literature may be gathered and reviewed to provide objective evidence and to determine if the benefits of the intended use outweigh this residual risk.
- Risks arising from risk control measures: the effects of the risk control measures shall be reviewed with regard to whether:
  - New hazards or hazardous situations are introduced.
  - The estimated risks for previously identified hazardous situations are affected by the introduction of the risk control measures.
- Completeness of risk control.
Evaluation of Overall Residual Risk:
After all risk control measures have been implemented and verified, the overall residual risk posed by the medical device shall be evaluated:
- If the overall residual risk is judged acceptable, users shall be informed of significant residual risks, and the necessary information shall be included in the accompanying documentation.
- If the overall residual risk is not judged acceptable in relation to the benefits of the intended use, implementing additional risk control measures or modifying the medical device or its intended use may be considered.
Risk Management Review: prior to release for commercial distribution of the medical device, the execution of the Risk Management Plan shall be reviewed, ensuring at least that:
- The Risk Management Plan has been appropriately implemented
- The overall residual risk is acceptable
- Appropriate methods are in place to collect and review information in the production and post-production phases
Production and post-production activities: a system to actively collect and review information relevant to the medical device in the production and post-production phases shall be established, documented and maintained.
- Information collection
- Information review
- Actions
Risk Management File
Set of records and other documents that are produced during the whole Risk Management process.