Risk management is one of the most important regulatory requirements that manufacturers of medical devices must fulfill.

ISO 14971 is the standard for the “application of risk management to medical devices.” It describes a risk management process designed to ensure that the risks associated with medical devices are known, controlled, and acceptable in relation to the benefits.

Fig. 1: Risk management process according to ISO 14971


On this page, you will find articles…

  1. on the activities in the risk management process prescribed by ISO 14971,
  2. on the standard itself,
  3. on the interaction between risk management and IT security,
  4. on the application of the standard in specific contexts, e.g., standalone software and
  5. where you can get support with risk management.

1. Articles on activities in the risk management process

a) Risk management plan

The first step in risk management for a specific device is to prepare a risk management plan. This plan specifies

  • which roles or persons (with which competences) carry out
  • which activities
  • with which methods
  • at what time.

This risk management plan must be included in the standard operating procedure for risk management.

b) Hazard analysis

Manufacturers must first determine the intended purpose of the device.

Then, they must identify the hazards and hazardous situations as part of a hazard or risk analysis. There are several methods for this:

The process FMEA (pFMEA) is recommended for identifying risks arising from faulty processes.

c) Risk evaluation

The next step is for manufacturers to assess the risks. To do this, they must determine:

  • The severity of possible harm according to ISO 14971. For some harms, the ICF helps to classify the harm.
  • The probability of these harms occurring

Many manufacturers work with a Risk Priority Number (RPN). However, this concept does not comply with ISO 14971.

d) Risk acceptance

At this point, the manufacturers’ task is to determine their risk acceptance criteria. This is usually done in the form of a risk acceptance matrix.

The FDA’s Benefit-Risk Guidance also helps with this.

You should be familiar with these figures when assessing the residual risk. The Kaplan-Meier curve also helps in risk management.
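As an added example (not code from the Johner Institute page), the following Python script shows how a risk acceptance matrix of the kind described above is used: each risk is placed in a cell by its severity and probability class, the cell gives the verdict, and a control measure that lowers the probability class is re-evaluated for the residual risk. It also computes an RPN-style product for the same risks to show why equal products can land in different matrix cells. The five severity classes, the five probability classes, the matrix contents and the sample risks are all constructed for illustration; a manufacturer defines its own classes and criteria in the risk management plan.

```python
from dataclasses import dataclass, replace

# Constructed ordinal classes, ordered from low to high.
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]

# Constructed acceptance matrix: rows follow PROBABILITY, columns follow SEVERITY.
# "A" = acceptable, "R" = risk reduction required before acceptance, "U" = unacceptable.
MATRIX = [
    # negligible  minor  serious  critical  catastrophic
    ["A",         "A",   "A",     "R",      "R"],   # improbable
    ["A",         "A",   "R",     "R",      "U"],   # remote
    ["A",         "R",   "R",     "U",      "U"],   # occasional
    ["R",         "R",   "U",     "U",      "U"],   # probable
    ["R",         "U",   "U",     "U",      "U"],   # frequent
]


@dataclass(frozen=True)
class Risk:
    hazard: str
    severity: str
    probability: str


def evaluate(risk: Risk) -> str:
    """Look up the acceptance verdict for one risk in the matrix."""
    return MATRIX[PROBABILITY.index(risk.probability)][SEVERITY.index(risk.severity)]


def rpn(risk: Risk) -> int:
    """RPN-style product of the 1-based ranks. Included only to show that equal
    products can fall in different matrix cells, which is why an RPN is not an
    ISO 14971 risk evaluation."""
    return (SEVERITY.index(risk.severity) + 1) * (PROBABILITY.index(risk.probability) + 1)


def apply_probability_reduction(risk: Risk, classes: int) -> Risk:
    """Residual risk after a control measure that lowers the probability class by
    `classes` steps (a measure lowering severity would be modelled the same way)."""
    idx = max(0, PROBABILITY.index(risk.probability) - classes)
    return replace(risk, probability=PROBABILITY[idx])


def needs_action(risks) -> list:
    """Hazards whose verdict is not 'A', i.e. the ones the risk control step must address."""
    return [r.hazard for r in risks if evaluate(r) != "A"]


if __name__ == "__main__":
    # Constructed sample risks for a hypothetical device.
    risks = [
        Risk("alarm not raised on sensor failure", "critical", "improbable"),
        Risk("display value hard to read in glare", "minor", "remote"),
        Risk("wrong configuration profile selected", "catastrophic", "frequent"),
    ]
    for r in risks:
        print(f"{r.hazard}: RPN={rpn(r)} verdict={evaluate(r)}")
    print("needs action:", needs_action(risks))
    residual = apply_probability_reduction(risks[2], 4)
    print("residual after control measure:", residual.probability, evaluate(residual))
```

The first two sample risks both have an RPN of 4, yet the matrix accepts one and requires risk reduction for the other; that is the distinction the text draws between an RPN and an evaluation against defined acceptance criteria.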

e) Risk control and risk management report

Laws such as the MDR and IVDR oblige manufacturers to minimize or control risks. This means that they must reduce the risks as far as possible and in accordance with their acceptance criteria.

The article on information as risk control measures and the safety assurance cases, which the FDA even requires for some devices, are beneficial in discussions with auditors and authorities.

Manufacturers must document the output of all previous activities in a risk management report. In this assessment, manufacturers should ensure they are avoiding the 7 most common risk management errors.

All these records and documents then form the risk management file.

f) Post-production phase

This is not the end of risk management. Instead, the post-market phase, or post-production phase, as ISO 14971 calls it, follows. Part of this is post-market surveillance and monitoring of the devices on the market.

2. Articles on the standard

There is a 2022 version of DIN EN ISO 14971. However, the last significant change was made in 2019. These changes were introduced with the third edition of ISO 14971. This makes EN ISO 14971:2012 with Annex ZA obsolete.

You can learn more about the meaning of prefixes such as DIN, EN, and ISO in the article on harmonized standards.

The article on ISO 24971 describes how manufacturers should apply the (new version of the) standard.

Another critical question is whether ISO 14971 is applicable at all. In this context, the terms foreseeable misuse and abnormal use are essential.

In other areas of law, ISO 31000 is used, which can at least serve as a source of inspiration for medical device manufacturers.

3. Articles on the interaction of risk management and IT security

For medical devices that contain software or are software, IT security significantly impacts the risks. The following publications are helpful here:

  • Articles on IT security in general and on IT security in the healthcare sector and regulatory requirements
  • Cybersecurity in medical devices: FDA guidance documents
  • AAMI TIR 57: IT security and risk management
  • UL 2900: Why you should know the IT security standard but never buy it
  • Medical Cloud: Cloud computing in the healthcare sector
  • ISO/IEC 15408: Evaluating the IT security of (medical) devices

4. Articles on specific contexts

a) Articles for software manufacturers

For medical devices that contain software or are standalone software, we recommend these articles:

  • Software risk management for medical software
  • Probability of software errors

b) Articles for other organizations

Risk management for medical device manufacturers differs in some aspects from risk management for other organizations:

5. The Johner Institute provides help

Benefit from the support of the Johner Institute:

  • Do you still have questions about risk management? You can get answers in our free micro-consulting.
  • In the Risk Management and 14971 seminar, you will learn about the regulatory requirements and how to implement them.
  • The Medical Device University provides step-by-step instructions on creating a lean and ISO 14971-compliant risk management file with video training. In addition, a complete set of templates for a risk management file takes a lot of work off your hands.
  • You can also benefit from the support of the risk management team. It will help you to write and check your files and prepare them for audits and reviews.

Contact us right away to discuss the next steps. In this way, you can achieve safe devices quickly, without unnecessary effort, and promptly obtain approval.

Software maintenance: How to avoid typical audit pitfalls

Software maintenance is the phase in which software is further developed, e.g., with the objective of According to the FDA, 79% of all bugs occur during software maintenance. Accordingly, some regulations address this topic. Regulatory requirements for software maintenance Requirements of the Medical Device Regulation MDR (2017/745) The Medical Device Regulation requires medical device manufacturers…


PMS trend analysis – a complex issue where you cannot fail

Trend analysis is a legal obligation of all medical device manufacturers, especially in “Post-Market Surveillance.” Manufacturers must not fail in the selection and application of suitable statistical methods for trend analysis. This is because the focus of authorities and notified bodies is increasingly shifting to monitoring post-market activities. This article provides a quick introduction to this…


DIN EN IEC 80001-1:2023

IEC 80001-1 has the long title “Application of risk management for IT-networks containing medical devices – Part 1: Tasks, responsibilities and activities”. This article reveals what the standard requires and why manufacturers should also consider it. 1. About DIN EN IEC 80001-1 a) Objectives of DIN EN IEC 80001-1 The standard aims to help minimize…


Risk mitigation through information?

Whether risk mitigation through information is permitted regularly leads to discussions. The answer to this question is important because it determines the conformity and non-conformity of medical devices. This article provides the answer and thus resolves a “historical misunderstanding.” 1. Regulatory framework All manufacturers are obliged to minimize the risks posed by their medical devices.…


Probability of software defects

The probability of software defects is difficult to estimate. It’s so difficult that the “old” DIN EN IEC 62304:2006 wrote: “However, there is no agreement on how to determine the probability of the occurrence of software failures using traditional statistical methods.” The standard concluded that “the probability of such a malfunction must be assumed to…