ISO 14971 – Medical Device Risk Management

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated October 2025 • Risk Management • Quality, Regulatory, Design & Development, Post‑Market

ISO 14971 defines how medical‑device organizations plan, execute, and maintain risk management across the full product life cycle. It’s not “an FMEA” and it’s not a one‑time deliverable; it’s a closed‑loop system that ties design inputs, verification/validation, production controls, and post‑market signals into a single, living Risk Management File (RMF). In practice, ISO 14971 is the safety backbone inside an ISO 13485 QMS and is expected by FDA under the modernized QMSR and legacy 21 CFR 820 design‑control concepts. When run properly, it drives safer designs, cleaner files, and faster, defensible decisions when things go sideways.

“If your ‘risk management’ is a binder finished the week before submission, it isn’t ISO 14971—it’s a liability.”

TL;DR: Establish a risk policy and acceptance criteria, write a product‑specific Risk Management Plan, identify hazards, estimate/evaluate risks, implement and verify risk controls (design/protection/info‑for‑safety), judge residual and overall residual risk, and keep the RMF current with production & post‑production data. Integrate with V&V, HFE, FMEA/PFMEA, CAPA, and Change Control. Treat the RMF like a product—you build it, release it, and maintain it with evidence.

1) What ISO 14971 Covers—and What It Does Not

Covers: the process for managing device risks, namely defining a risk policy and acceptance criteria; planning; hazard identification; risk estimation and evaluation; selecting and implementing risk controls; evaluating residual and overall residual risk; and continuous updates from production and post‑market data. The output is a maintained RMF tied to design controls (DHF) and operations.

Does not cover: ISO 14971 doesn’t prescribe one tool (e.g., FMEA) or dictate specific probability/severity scales. It doesn’t replace your QMS, SOPs, or labeling governance. It complements them—especially V&V, HFE, CAPA, and Document Control.

2) Regulatory & System Anchors

ISO 14971 is referenced by ISO 13485 and aligned with FDA’s QMSR. EU MDR/IVDR expect the same risk‑management outcomes: risks reduced through design and manufacturing “as far as possible” and a documented, evidence‑backed benefit‑risk. Practically, that means your RMF must trace into requirements, verification, clinical/usability evidence, labeling, and post‑market activities—no gaps.

3) The ISO 14971 Risk‑Management Flow (What You Actually Do)

  • Policy & acceptance criteria: define severity/probability scales and what “acceptable” means for your portfolio (device class, intended use, patient population). See QRM & Risk Register.
  • Plan: product‑specific plan covering scope, responsibilities, methods, data sources, and review points. Tie to controlled documents.
  • Hazard identification: systematic methods (PHA, DFMEA, HAZOP, misuse analysis, HFE) plus field evidence.
  • Risk estimation & evaluation: severity × probability, pre‑control and post‑control; justify your data and assumptions.
  • Risk control: inherent safety by design → protective measures → information for safety/IFU, in that order. Link to V&V and IFU/labeling control.
  • Residual & overall residual risk: evaluate per‑hazard residuals and then the overall residual risk—document the rationale.
  • Production & post‑production (P&PP): keep the RMF updated from deviations/NC, RMA/returns, service, CAPA, OOT/OOS, PMS, and trending.

4) Risk Policy & Acceptability—Make the Rules Before the Game

Define scales that engineers and clinicians can actually use. Pre‑define what requires escalation (e.g., any catastrophic harm with credible occurrence) and what needs management sign‑off. Bake those thresholds into your risk register and SOPs so decisions are consistent and auditable.
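The flow in section 3 and the policy rules in section 4 can be expressed as a small, executable risk register. The following Python is an added illustration written for this glossary entry; it is not code from SG Systems Global or from the V5 platform, and the 1–5 severity/probability scales, the acceptance threshold on severity × probability, the escalation rule (catastrophic harm with credible occurrence), and the sample hazards are all constructed assumptions, since ISO 14971 prescribes no particular scale. It shows three things the prose states: residual risk is credited only when every control has verification evidence, a hazard controlled by information‑for‑safety alone is flagged because labels are the last layer of the hierarchy, and the overall residual verdict plus two of the section 10 metrics are computed from the same records.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    """Constructed 1..5 severity scale (assumption; ISO 14971 does not prescribe one)."""
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


class Probability(IntEnum):
    """Constructed 1..5 probability scale (assumption)."""
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


class ControlType(IntEnum):
    """Risk-control hierarchy: inherent design first, information for safety last."""
    INHERENT_DESIGN = 1
    PROTECTIVE_MEASURE = 2
    INFORMATION_FOR_SAFETY = 3


@dataclass
class RiskControl:
    description: str
    kind: ControlType
    verified: bool = False  # True only once objective V&V evidence is filed in the DHF


@dataclass
class Hazard:
    hazard_id: str
    description: str
    pre_severity: Severity
    pre_probability: Probability
    post_severity: Severity
    post_probability: Probability
    controls: list = field(default_factory=list)


ACCEPTABLE_INDEX = 6  # constructed policy threshold on severity x probability (assumption)


def evaluate(severity, probability):
    """Apply the constructed acceptance policy to a single (severity, probability) estimate."""
    # Escalation rule from the policy: catastrophic harm with credible occurrence.
    if severity == Severity.CATASTROPHIC and probability >= Probability.REMOTE:
        return "escalate"
    if severity * probability <= ACCEPTABLE_INDEX:
        return "acceptable"
    return "unacceptable"


def residual_estimate(hazard):
    """Credit the post-control estimate only when every control has verification evidence."""
    if hazard.controls and all(c.verified for c in hazard.controls):
        return hazard.post_severity, hazard.post_probability
    return hazard.pre_severity, hazard.pre_probability


def evaluate_residual(hazard):
    return evaluate(*residual_estimate(hazard))


def relies_on_label_only(hazard):
    """Information for safety is the last layer; a hazard with no design or protective control is flagged."""
    return bool(hazard.controls) and all(c.kind == ControlType.INFORMATION_FOR_SAFETY for c in hazard.controls)


def overall_residual(register):
    """Overall residual risk is acceptable only if every per-hazard residual is acceptable."""
    verdicts = {h.hazard_id: evaluate_residual(h) for h in register}
    return all(v == "acceptable" for v in verdicts.values()), verdicts


def metrics(register):
    """Two of the section 10 metrics computed from the same register."""
    critical = [h for h in register if h.pre_severity >= Severity.CRITICAL]
    covered = [h for h in critical if h.controls and all(c.verified for c in h.controls)]
    label_only = [h for h in register if relies_on_label_only(h)]
    return {
        "critical_hazard_test_coverage_pct": round(100 * len(covered) / len(critical), 1) if critical else 100.0,
        "label_dependent_controls_pct": round(100 * len(label_only) / len(register), 1) if register else 0.0,
    }


# Constructed sample register (illustrative only, not a real device file).
REGISTER = [
    Hazard("H-001", "Infusion over-delivery", Severity.CATASTROPHIC, Probability.OCCASIONAL,
           Severity.CATASTROPHIC, Probability.IMPROBABLE,
           [RiskControl("Flow-rate limit in motor firmware", ControlType.INHERENT_DESIGN, verified=True),
            RiskControl("Independent flow-sensor interlock", ControlType.PROTECTIVE_MEASURE, verified=True)]),
    Hazard("H-002", "Electrical burn from chassis", Severity.CRITICAL, Probability.OCCASIONAL,
           Severity.CRITICAL, Probability.IMPROBABLE,
           [RiskControl("Double insulation", ControlType.INHERENT_DESIGN, verified=False)]),  # no evidence yet
    Hazard("H-003", "Misreading of dose units", Severity.CRITICAL, Probability.OCCASIONAL,
           Severity.CRITICAL, Probability.REMOTE,
           [RiskControl("IFU warning on units", ControlType.INFORMATION_FOR_SAFETY, verified=True)]),
]

if __name__ == "__main__":
    print(overall_residual(REGISTER))
    print(metrics(REGISTER))
```

Running it on the sample register shows H-001 acceptable after two verified controls, H-002 still unacceptable because its design control has no verification evidence yet (so the pre‑control estimate stands), and H-003 unacceptable and label‑only; the overall residual verdict is therefore not acceptable, critical‑hazard test coverage is 66.7%, and 33.3% of risks rely on labeling alone.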

5) Hazard Identification—Use Multiple Lenses

Combine user scenarios and misuse (HFE), design analyses (DFMEA), process risks (PFMEA, PCP), and field history. Tie hazards to requirements (URS) so controls trace cleanly into tests and labels.

6) Risk Controls—Design First, Labels Last

ISO 14971 expects inherent safety by design before you lean on guards and warnings. When you must use information‑for‑safety, control it tightly through labeling control, V&V, and—where applicable—device identification like UDI. Prove controls work; don’t just state them.

7) Verification & Validation—Evidence or It Didn’t Happen

Every risk control gets objective evidence: tests, analyses, inspections, validated methods, and usability studies (HFE). Link those to design outputs and store the proof in the DHF. If a control relies on manufacturing, confirm capability and ongoing control (VMP, Process Validation).

8) Production & Post‑Production—Close the Loop

Your RMF must evolve with reality. Feed it with NCs, RMAs, trending (OOT/OOS), investigations (RCA), and CAPA. When a change is needed, gate it through MOC/Change Control and refresh the risk evaluations accordingly.

9) The Risk Management File (RMF)

Treat the RMF as a controlled, auditable body of evidence—not scattered spreadsheets. It should be under Document Control, use effective dates, and carry complete audit trails with ALCOA(+) integrity. Link it to DHF and, for manufacturing‑dependent controls, to the DHR.

10) Metrics That Prove Control

  • Risk‑closure lead time: median days from hazard entry to verified control in place.
  • Critical‑hazard test coverage: % of high‑severity hazards with direct V&V evidence in the DHF.
  • Reopened risks: % of risks reopened from P&PP signals—lower is better (good design & monitoring).
  • RMF refresh latency: time from NC/CAPA close to RMF update.
  • Label‑dependent controls: % of risks relying on IFU/label alone (trend down via design solutions).

11) Common Pitfalls & How to Avoid Them

  • “FMEA‑only” mindset. Use multiple methods and explicitly connect hazards to requirements, tests, and labels.
  • Back‑filled files. Build RMF content as you go; late reconstruction is obvious and brittle under audit.
  • Unverifiable controls. Every control must have planned verification in V&V.
  • Policy drift. If acceptance criteria vary by team or product, fix your risk policy and retrain.
  • Label‑as‑design. Over‑reliance on warnings signals weak engineering. Push controls up the hierarchy.
  • RMF not connected to change. Gate design/process changes through MOC with mandatory risk‑impact assessment.

12) What Belongs in the RMF

Risk policy and acceptance criteria; product‑level plan; hazard analyses and traceability; pre‑ and post‑control risk evaluations; selected controls with rationale and verification evidence; benefit‑risk judgments; overall residual‑risk evaluation; P&PP data sources and trending rules; links to DHF/DHR; and records of reviews/approvals with e‑signatures and audit trails.

13) How This Fits with V5 by SG Systems Global

Risk Register & Governance. The V5 platform provides a structured risk register with effective‑dated policies, scales, and acceptance matrices tied to roles and approvals under Document Control.

Traceability to DHF & V&V. V5 links hazards → requirements → tests → results, ensuring every control has planned verification and that evidence lives with the DHF.

Operations Feedback. Nonconformances, CAPA, returns, and trending flow back into the RMF with audit trails and ALCOA(+) compliance.

Change Gating. Risk‑impact checks are enforced during MOC/Change Control so no design/process update ships without an RMF update.

Bottom line: V5 turns ISO 14971 from a paperwork burden into an evidence machine—traceable, current, and ready for regulators.

14) FAQ

Q1. Is ISO 14971 mandatory?
It’s the de facto global expectation. ISO 13485‑certified systems rely on it; FDA’s QMSR and EU MDR expect equivalent outcomes. If you sell devices, you need an ISO 14971‑compliant process.

Q2. How does ISO 14971 relate to ISO 13485?
ISO 13485 tells you to apply a risk‑based QMS; ISO 14971 gives the product risk process. They’re complementary and should be integrated in your design controls and operations.

Q3. Do I need an FMEA?
Usually yes—but FMEA alone is not sufficient. Use multiple methods (DFMEA, PFMEA, misuse analysis, HFE) and tie them into a single RMF.

Q4. What is “overall residual risk”?
After evaluating residual risk for individual hazards, you judge whether the product’s overall residual risk is acceptable given its benefits. That decision needs documented criteria and sign‑off.

Q5. How often must the RMF be updated?
Continuously. Production and post‑market data trigger reassessment; changes go through MOC/Change Control, and you record the new evaluations and evidence.

Q6. Where does labeling fit?
“Information for safety” (IFU, warnings, UDI) is the last layer of control. Prefer inherent design changes and protective measures first, then lock label content through labeling control and verify usability.


Related Reading
• QMS & Regulations: ISO 13485 | QMSR | 21 CFR 820
• Risk Tools & Analysis: QRM & Risk Register | FMEA | PFMEA | HAZOP
• Design & Evidence: V&V | HFE | DHF | Document Control
• Operations & Feedback: Deviations/NC | CAPA | Returns (RMA) | OOT | OOS
• Labeling & Info for Safety: IFU | Labeling Control | UDI
