Safe & Effective: A Guide to ISO 14971 Risk Management
This guide demystifies the ISO 14971 standard, providing a clear roadmap for how companies can proactively identify, evaluate, and control risk throughout the entire product lifecycle.
We have covered the blueprint for your company (ISO 13485) and the recipe for your software (IEC 62304). Now we turn to the standard that acts as the conscience for your entire operation: ISO 14971, the Application of Risk Management to Medical Devices.
Risk management is not just a box to check or a document to file. It is the single most critical, continuous process that demonstrates your commitment to patient safety. It is a systematic way of asking, "What could go wrong?" and then proactively doing everything in your power to control and minimize those possibilities.
For regulators, a well-executed risk management process is the clearest indicator of a mature and responsible medical device manufacturer. This guide will break down the essential concepts of ISO 14971 into a practical, step-by-step framework.
---
The Core Principle: What is Risk?
In the context of medical devices, "risk" has a specific definition. It's the combination of two critical factors:
Risk = Probability of Occurrence of Harm x Severity of that Harm
Let’s break this down:
- A Hazard is a potential source of harm. For SaMD, a hazard could be a software bug, a cybersecurity breach, a server outage, or even a confusing user interface.
- A Hazardous Situation is a circumstance in which people, property, or the environment are exposed to one or more hazards. For example, a clinician viewing an incorrect patient image due to a software bug.
- Harm is the physical injury or damage to the health of people that can result.
- Severity is the measure of the possible consequences of that harm.
- Probability is the likelihood that the harm will occur.
Your job is not to create a "risk-free" device—that’s impossible. Your job is to use a systematic process to understand the risks, reduce them as far as possible, and make an informed, evidence-based decision that the medical benefits of your device outweigh any remaining risks.
---
The ISO 14971 Risk Management Lifecycle
Risk management is not a one-time activity that you complete and file away. It is a continuous loop that begins before you design your product and continues long after it is on the market.
[Image of a continuous loop diagram for ISO 14971 process]
1. Risk Management Planning
Like everything in the regulated space, you start with a plan. Your Risk Management Plan is the rulebook for how your company will conduct all risk-related activities. Crucially, this plan must define your risk acceptability criteria. You must decide, *before* you begin your analysis, what levels of risk are acceptable for your device. This is typically done using a risk matrix that maps severity and probability.
2. Risk Analysis
This is the investigative phase where you identify and characterize all the potential risks associated with your device.
- Identify Intended Use and Characteristics: What is your device supposed to do? Who will use it? What technology does it rely on?
- Identify Hazards: Brainstorm all known and foreseeable hazards. For SaMD, think creatively:
  - Software Flaws: Incorrect calculations, algorithm failures, data corruption.
  - Cybersecurity: Unauthorized access, data breaches, malware.
  - Usability: Confusing UI that leads to user error.
  - System Failures: Server downtime, loss of connectivity, interoperability issues with other systems.
- Estimate the Risk: For each hazardous situation you identify, you must estimate the associated risk by determining the severity of potential harm and the probability of its occurrence.
3. Risk Evaluation
For each risk you’ve estimated, you compare it against the risk acceptability criteria defined in your plan.
- If the risk falls into your "Acceptable" region, you document the rationale and move on.
- If the risk is "Unacceptable," you must take action to reduce it.
4. Risk Control
This is the mitigation phase. Your goal is to reduce unacceptable risks to an acceptable level. ISO 14971 gives you a clear hierarchy for how to do this, in order of preference:
- Inherent Safety by Design: This is the most effective control. Can you design the hazard out of your software entirely? For example, if you are worried about users entering an invalid dose, can you design the input field to only accept numbers within a safe range?
- Protective Measures: If you can’t eliminate the hazard, you can add protective measures within the software or system. This could be an alarm, a warning message, or a confirmation screen for critical actions.
- Information for Safety: This is your last resort and the weakest form of control. This includes adding warnings to your user manual or providing specific training. While often necessary, you cannot rely on instructions alone to mitigate a serious risk.
After implementing a control, you must verify that the control works as intended. Then, you assess the residual risk—the risk that remains after the control has been applied.
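The planning, estimation, evaluation and control steps above can be exercised as a small model of a risk management file entry. This is an added example, not code from the guide or from ISO 14971: the 4x4 severity/probability scales, the acceptability matrix, the `Risk`/`Control` records and the dose-entry record are all constructed, and the rule that information-for-safety alone does not make a serious risk acceptable is one interpretation of the guide's "last resort" caveat.

```python
from dataclasses import dataclass, field
from enum import IntEnum
Severity = IntEnum("Severity", "NEGLIGIBLE MINOR SERIOUS CRITICAL")      # values 1..4
Probability = IntEnum("Probability", "IMPROBABLE REMOTE OCCASIONAL FREQUENT")  # values 1..4
# Acceptability criteria from the hypothetical Risk Management Plan, fixed before analysis:
# row = severity 1..4, column = probability 1..4; "A" acceptable, "U" unacceptable.
RISK_MATRIX = ["AAAA", "AAAU", "AAUU", "AUUU"]
# ISO 14971 risk control hierarchy, most preferred first.
HIERARCHY = ("inherent_safety_by_design", "protective_measure", "information_for_safety")

def is_acceptable(severity, probability):
    return RISK_MATRIX[severity - 1][probability - 1] == "A"

@dataclass
class Control:
    kind: str                       # one of HIERARCHY
    description: str
    severity_after: Severity        # risk re-estimated with this control in place
    probability_after: Probability
    verified: bool = False          # True only once verification shows the control works

@dataclass
class Risk:
    hazardous_situation: str
    severity: Severity
    probability: Probability
    controls: list = field(default_factory=list)
    def residual(self):
        # Residual risk: the estimate after the last verified control; unverified ones don't count.
        sev, prob = self.severity, self.probability
        for c in self.controls:
            if c.verified:
                sev, prob = c.severity_after, c.probability_after
        return sev, prob

def evaluate(risk):
    # Risk evaluation: compare initial and residual risk against the plan's criteria.
    sev, prob = risk.residual()
    kinds = {c.kind for c in risk.controls if c.verified}
    # Information for safety alone is not accepted as the control for a serious or worse risk.
    weak_only = bool(kinds) and kinds <= {HIERARCHY[2]} and risk.severity >= Severity.SERIOUS
    return {"initial_acceptable": is_acceptable(risk.severity, risk.probability),
            "residual": (sev.name, prob.name),
            "residual_acceptable": is_acceptable(sev, prob) and not weak_only}

def dose_entry_example(verified=True):
    # Constructed record based on the article's dose example (hypothetical risk file entry).
    risk = Risk("Clinician enters a dose outside the safe range", Severity.CRITICAL, Probability.OCCASIONAL)
    risk.controls.append(Control(HIERARCHY[0], "Input field only accepts doses within the safe range",
                                 Severity.CRITICAL, Probability.IMPROBABLE, verified))
    return evaluate(risk)
```

Calling `dose_entry_example(verified=False)` shows why verification matters: until the design control is verified, the residual risk is still the initial, unacceptable estimate.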
5. Evaluation of Overall Residual Risk
Once you have analyzed and controlled all individual risks, you must step back and look at the big picture. You must evaluate the total risk profile of the device and weigh it against the intended medical benefit. This benefit-risk analysis is a critical part of your regulatory submission. You must be able to make a compelling, evidence-based argument that the benefits your device provides to patients outweigh the sum of all its remaining risks.
6. Risk Management Review and Report
Before you release your product, your team must conduct a final, formal review of the entire risk management process. The output is the Risk Management Report, which summarizes all your activities and provides the final conclusion that the overall residual risk is acceptable. This report is a key document that demonstrates the safety of your device to regulators.
7. Production and Post-Production Activities
Risk management is never finished. After your SaMD is on the market, your plan must include a system to actively collect and review information from the real world. This includes:
- Customer complaints and feedback.
- Publicly available information and scientific literature.
- Data on the general state of the art (e.g., new cybersecurity threats).
This information must be fed back into your risk management file. If new hazards are discovered or if the probability or severity of a known hazard changes, you must re-evaluate the risk and take appropriate action. This closes the loop and makes risk management a true lifecycle activity.
---
The Foundation of Responsible Innovation
ISO 14971 is deeply intertwined with your QMS (ISO 13485) and your SDLC (IEC 62304). Your risk management activities will define some of your software requirements. Your risk control measures must be implemented and tested according to your development process. And the entire process must be documented and controlled by your quality system.
Adopting a robust risk management process is