EBOOK

ISO 14971 Risk

Management for
Medical Devices:
The Definitive
Guide
Medical Device Guru, Greenlight
Guru
Etienne Nichols
ISO 14971 Risk Management for Medical Devices: The Definitive Guide Page 1

ISO 14971 Risk Management for M

The Definitive Guide

Table of Contents

2 What is Risk? 14 Risk Management Plan

2 The Importance of Risk and
15 Risk Management File
Medical Devices
16 Risk Assessment = Risk Analysis + Risk
3 Introduction to the Definitive Guide Evaluation
to ISO 14971 Risk Management 16 Risk Analysis
for Medical Devices
3 What You Will Gain From This Guide to 23 Risk Controls
ISO 14971
26 Overall Residual Risk Acceptability
5 Regulations & Standards for ISO 14971 Risk
Management 26 Risk Management Review
6 ISO 14971—The Current State 27 Production & Post-Production
8 Design Controls & Risk Management Information
29 Summary
10 Risk Management Process Overview
11 Risk Management Definitions You 29 A New Era of Risk Management for
Need To Understand MedTech

13 Role of Management in
Risk Management

www.greenlight.gu
ISO 14971 Risk Management for Medical Devices: The Definitive Page

What is Risk?
Take a moment and think about this:
What is RISK?

How does RISK impact you every day?

The #1 definition in the dictionary defines RISK as possibility of loss or

injury. There are things that each of us do every day that involves RISK.

The food you eat, the habits you have, your daily routine—all full of risks in some
way, shape, or form.

One of the riskiest things I do just about every single day is drive my car. But I
don’t usually think about this being a risk at all. I take it for granted.

Could I get in an accident? Could I get injured or possibly die? Of course. Yet I
estimate that the likelihood of these things happening to me are low enough that
I’m willing get behind the wheel without question.

Maybe it’s because I know that my car has anti-lock brakes, seat belts, and
airbags. Maybe it’s because I know that the car I drive has been through rigorous
safety testing.

Risk per ISO 14971 is defined as the combination of the probability of occurrence
of harm and the severity of that harm.

The intent behind Risk Management is to identify, evaluate, analyze, assess, and
mitigate potential product issues.

Risk Management is a total product life cycle process.

The Importance of Risk and Medical Devices

The medical device industry is built on trust, between those who design,
develop, and manufacture devices, and those who depend on those devices to
work safely and effectively.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Imagine this from the perspective of a patient going in for any medical
procedure. The patient probably thinks very little about the risks of the medical
devices about to be used.

Generally, the patient trusts the expertise of the clinicians. The patient seldom
wonders if the products used by the clinicians are safe and have been thoroughly
and rigorously tested.

The patient, often unknowingly, accepts the risks of the medical device you and I
design, develop, and manufacture. And this is exactly why Risk Management is so
important to the medical device industry. You have to know that the medical
devices you are involved with bringing to patients and end-users are safe.

Introduction to the Definitive Guide

to ISO 14971 Risk Management for
Medical Devices
Make no mistake—the products that MedTech professionals design, develop, and
bring to market have improved the quality of life for thousands and thousands of
people. Here at Greenlight Guru, we are fortunate to have the opportunity to work
with many others who have the same purpose and mission.

If you think about it, the ideal of improving the quality of life is the very premise of
product risk management.

What You Will Gain From This

Guide to ISO 14971
The topic of Risk Management is one that can be daunting, and at times
confusing. Thankfully, ISO 14971 exists and is helpful in providing guidance and
direction.

www.greenlight.gu
ISO 14971 Risk Management for Medical Devices: The Definitive Page

ISO 14971 provides a thorough explanation of relevant terms and definitions. And
the standard defines a risk management process.

I’ve written this guide to align with the latest version of ISO 14971 and to provide
you additional tips and insights for medical device risk management.

For me, it is very interesting to observe and listen to feedback and comments about
the topic from the perspectives of the experts, the regulators, the consultants, and
medical device companies.

Many times, it seems as though each of these perspectives has a very different
view of the world regarding medical device Risk Management. At times, it seems
as though no one agrees.

The practice of Risk Management in the medical device industry is also

intriguing to me. By and large, what I have observed is that Risk Management is
too often something we do because we have to—a checkbox activity.

It seems that we seldom use Risk Management as a tool to help us design,

develop, and manufacture safer medical devices.

But we should.

The purpose of this guide is three-fold:

1. To leave you with an understanding of what is expected from medical
device regulators regarding Risk Management.

2. To help you use Risk Management as a tool to design safer medical devices
by providing a few helpful tips and pointers to guide you.

3. To share with you all the steps that you need to define and address within
your Risk Management procedures.

Please note that the focus of this guide is strictly medical device product risk
management. I will not explore other “risk management” topics such as business
or project.
ISO 14971 Risk Management for Medical Devices: The Definitive Page 5

Regulations & Standards for ISO 14971 Risk

Management
Realize that nearly every medical device regulatory agency has placed the topic of
Risk Management front and center.

In fact, regulatory agencies, including FDA, are now using risk-based processes
throughout their own internal processes when reviewing device submissions and
conducting inspections and audits.

Know this: U.S. FDA, Health Canada, EU Competent Authority, Australia TGA,
and Japan MHLW all require you to have a Risk Management process defined
and Risk Management documentation for your products.

And all these regulatory agencies endorse ISO 14971 Medical devices—
Application of Risk Management to Medical Devices.

In addition to ISO 14971, there are several other key medical device industry
standards requiring risk management. The partial list includes:
• IEC 60601
• IEC 62366
• ISO 10993
• ISO 13485

Yes, all these standards make reference to risk management (and ISO 14971).

Did you notice ISO 13485 is on that list?

This is significant because the ISO 13485 standard is specific to quality

management systems.

The expectation is that you manage risk throughout the entire product lifecycle and
throughout your entire QMS.

www.greenlight.guru
ISO 14971 Risk Management for Medical Devices: The Definitive Page 6

ISO 14971—The Current State

I could share with you a history lesson on the genesis and evolution of medical
device risk management.

While there may be some merit in going through this history, I suspect you are
probably more interested in the present state of Risk Management, as well as
where things are headed.

The current “state of the art” regarding risk management is described in the
standard ISO 14971 Medical devices—Application of Risk Management to Medical
Devices.

A Brief Overview of the Standard and Accompanying Guidance

The current version of ISO 14971 was released in December 2019. This version
replaced the previous two versions of the standard that were utilized by many of
you across the world:

ISO 14971:2007 and EN ISO 14971:2012

As you likely know, the EN version was applicable if you were selling medical
devices in Europe. While there is still an EN version of ISO 14971:2019, it is now
identical to the regular version of ISO 14971:2019. When selling in Europe though, it is
important to know that additional risk requirements apply, which are outlined in the
EU MDR.

Here is the abstract describing the standard:

This document specifies terminology, principles and a process for risk
management of medical devices, including software as a medical device
and in vitro diagnostic medical devices. The process described in this
document intends to assist manufacturers of medical devices to identify the
hazards associated with the medical device, to estimate and evaluate the
associated risks, to control these risks, and to monitor the effectiveness of
the controls.

The requirements of this document are applicable to all phases of the life
cycle of a medical device. The process described in this document applies to
risks associated with a medical device, such as risks related to
biocompatibility, data and systems security, electricity, moving parts,
radiation, and usability.
ISO 14971 Risk Management for Medical Devices: The Definitive Page 7

The process described in this document can also be applied to products that
are not necessarily medical devices in some jurisdictions and can also be
used by others involved in the medical device life cycle.

This document does not apply to:

— decisions on the use of a medical device in the context of any
particular clinical procedure; or

— business risk management.

This document requires manufacturers to establish objective criteria for risk

acceptability but does not specify acceptable risk levels.

Risk management can be an integral part of a quality management system.

However, this document does not require the manufacturer to have a quality
management system in place.

ISO 14971 is a very good standard. While not prescriptive per se, the standard
does a very good job of explaining the requirements, expectations, and stages of
a risk management process.

Additionally, the standard provides several informative annexes which provide

more in-depth explanations and examples.

While this guide provides an overview, walk-through, and practical application of

ISO 14971, I highly recommend that you do make the ~$200 decision to actually
purchase the standard (no, I don’t get a commission). It is worth it.

The medical device regulatory world has adopted this standard. And I see no
reason to abandon this notion.

You should also be aware of ISO/TR 24971—Guidance on the application of ISO

14971. 24971 (no, it’s not a typo) is a guidance document specifically for ISO
14971. If you are seeking additional insights and guidance on application of ISO
14971, the ISO/TR 24971 guidance is helpful.

www.greenlight.guru
ISO 14971 Risk Management for Medical Devices: The Definitive Page 8

Design Controls & Risk Management

Design Controls are intended to demonstrate that a medical device has been:
1. Designed to address the needs of users and patients.

2. Designed to meet inputs and requirements.

3. Proven to meet applicable standards.

4. Meets performance criteria.

Your Design Controls will prove that your medical device is safe for use.

Does this sound like Risk Management?

The intent behind Risk Management is to identify, evaluate, analyze, assess, and
mitigate potential product issues.

There is a very strong correlation and relationship between Design Controls and
Risk Management.

With Design Controls, you also identify, evaluate, analyze, assess, and mitigate
potential product issues.

Design Controls and Risk Management address design, development,

and manufacturing of medical devices from slightly different perspectives.

Good Design Controls Reduce Product Risks

If you are thorough with defining and documenting User Needs, Design Inputs,
Design Outputs, Design Verification, Design Validation, and Design Reviews, then
you will be on the right track towards ensuring your medical device is safe.

Prior to clinical use, you have to know without a doubt that the product is safe
and/or determine that the medical benefits outweigh the risks (which should be
documented in a benefit-risk analysis).

Embrace this in your own medical device product development efforts.

ISO 14971 Risk Management for Medical Devices: The Definitive Page 9

Realize Design Controls and Risk Management are related.

Realize that your overall goal in medical device product development and
manufacturing is to prove and demonstrate that your product meets clinical needs,
design inputs and requirements, and is safe and effective.

Risk Management Is Still Needed Even With Good Design Controls

Having solid Design Controls in place is NOT a substitute for Risk Management.
Both are needed.

Realize that Risk Management is just as important (maybe more so) than Design Controls.

Realize that Risk Management is a way to evaluate your product from a different
perspective.

Realize that good Risk Management involves a series of tools, when used
properly, will drastically improve the quality, safety, and effectiveness of your
medical device.

Risk Management & Design Controls Must Be Linked

The best practices of medical device product development have a good flow
between Design Controls and Risk Management.

For example, as you identify hazards and hazardous situations, these should
“feed” into the Design Controls process in defining User Needs and Design Inputs.

When you evaluate risks, you will need to establish Risk Controls to mitigate and
reduce risks. Design Outputs, Design Verifications, and Design Validations become
these risk controls.

In fact, using Risk Management as a real tool will help you with Design Verification
and Design Validation planning. Let me explain.

Risk Controls are used to help identify ways to reduce the risks. Your Risk
Controls should align with and include Design Verification and Design Validation
activities.

Are you starting to see how closely related Risk Management and Design
Controls should be?
ISO 14971 Risk Management for Medical Devices: The Definitive Page

www.greenlight.guru
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Risk Management Process Overview

Let’s start to dive into the details of Risk Management.

As I go through this guide on medical device risk management, I will often

reference the ISO 14971 standard (the reasons for this are described earlier in this
guide).

Medical device Risk Management requires top management involvement. It

requires that a company establish a Risk Management Policy.

The process itself includes:

• Risk Management Planning
• Risk Analysis
• Risk Evaluation
• Risk Controls
• Overall Residual Risk Acceptability
• Risk Management Review
• Production & Post-Production Information

The infographic below aligns directly with the ISO 14971 standard on a one to one
basis and is a high-level overview of the Risk Management process.
RISK CONTROL
ISO 14971 Risk Management for Medical Devices: The Definitive Page

If you are developing medical devices in this day and age, you absolutely must
have an established Risk Management process defined, documented, and
implemented.

As you go through this guide, I will share with you all the steps that you need to
define and address within your Risk Management procedures.

Risk Management needs to involve more than just engineers and product
developers.

You need to include end-users, marketing, sales, business development, quality,

regulatory, and manufacturing on your product Risk Management team.

THIS IS VERY IMPORTANT: Risk Management is an enterprise-wide process.

Why?

All of these functional areas provide different perspectives and experiences for the
medical devices you are designing, developing, and manufacturing.

It is important to ensure your Risk Management efforts are holistic.

Risk Management Definitions You Need

To Understand
There are several key terms pertaining to Risk Management defined in ISO 14971
that you definitely need to understand.

RISk mANAgemenT—systematic application of management policies, procedures,

and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk

RISk—combination of the probability of occurrence of harm and the severity

of that harm

HAZARD—potential source of harm

HAZARDOuS SITuATION—circumstance in which people, property, or the

environment are exposed to one or more hazard(s)

www.greenlight.gu
ISO 14971 Risk Management for Medical Devices: The Definitive Page

HARM—physical injury or damage to the health of people, or damage to property or

the environment

SEVERITY—measure of the possible consequences of a hazard

RISk ANALYSIS—systematic use of available information to identify hazards and to

estimate the risk

RISk eSTIMATION—process used to assign values to the probability of occurrence of

harm and the severity of that harm

RISk eVALuATION—process of comparing the estimated risk against given risk

criteria to determine the acceptability of the risk

RISk ASSESSMENT—overall process comprising a risk analysis and a risk evaluation

RISk CONTROL—process in which decisions are made and measures implemented

by which risks are reduced to, or maintained within, specified levels

RESIDuAL RISk—risk remaining after risk control measures have been taken

Realize that in practice, many people use the terminology incorrectly and/or
interchangeably.

For example, someone might use “risk analysis” to refer to “risk management”.

When this happens, I recommend asking the person to explain what they mean.
I’ve witnessed (and probably participated in) several disagreements where the
terminology created confusion. Getting a grasp on the list of terms above is critical
to understanding medical device risk management.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Role of Management in
Risk Management
Oftentimes, it is assumed that the topic of Risk Management is only the
responsibility of the medical device product developers and engineers designing
new products.

While it is true that product developers and engineers do play a pivotal role,
medical device Risk Management is a much more comprehensive process that
should span all functional areas of a medical device.

This means that, in addition to product developers and engineers, other

functional areas including business development, marketing, manufacturing,
sales, and end- users should be an integral part of your Risk Management
process.

The cornerstone of a medical device company’s risk management process must

be executive management.
1. Executive management is the ultimate authority within the company.
This resource, whether he / she realizes it or not, has the responsibility
for determining whether the product risks are acceptable or not.

2. Executive management has the responsibility for making sure there are
adequate and appropriate resources for conducting risk management
activities.

3. Executive management has the responsibility of ensuring the company’s

risk management processes are adequate and effective.

4. Executive management must review the company’s risk management

processes for effectiveness. This means that the company’s risk management
processes are described, documented and controlled as part of quality system
procedures.

5. Executive management also has the responsibility for defining the company’s
risk management policy. This involves determining the risk acceptability
criteria. The criteria should be based on solid, objective evidence, such as
industry standards.

www.greenlight.gu
ISO 14971 Risk Management for Medical Devices: The Definitive Page
Generally, a Risk Management Policy is a top-level document included within the
company’s quality management system.

www.greenlight.gu
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Risk Management Plan

A Risk Management Plan is a product-level document.

The Risk Management Plan should identify the risk management activities you
anticipate and plan throughout the product’s life cycle.

The Risk Management Plan is dynamic and should be revisited and updated
often. This is not a “one and done” activity.

A Risk Management Plan must include the following criteria:

• Scope of the Risk Management activities. Define the product included. It is possible
to have multiple products described within a single Risk Management Plan.
• Describe the intended use of the product(s).
• Identify all Risk Management activities planned throughout the product
life cycle.
• Define roles and responsibilities. Identify the Risk Management team that will
be reviewing and approving risk documentation.
• Criteria for the product’s risk acceptability. (Note, that oftentimes this is
likely to be defined within your Risk Management Procedure.)
• Specify methods to verify Risk Control measures are implemented and
reduce risks to the pre-established acceptable levels.
• Define how post-production information will be captured and fed into
Risk Management activities for the product.

The Risk Management Plan evolves and should be kept current—even after product
development is completed.

free download: to get this previously confidential risk management plan template in accordance with the req
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Risk Management File

A Risk Management File (RMF) is the place where you keep your risk
management activities, documentation, and records.

A Risk Management File contains evidence of:

• Risk Management Plan
• Risk Analysis
• Risk Evaluation
• Risk Controls
• Evaluation of Overall Risk Acceptability
• Risk Management Review
• Production and Post-Production Risks

A Risk Management File can be structured and organized by an individual product

or for a product family.

It is possible for the RMF to be a reference / pointer document and identify

location of the contents, although I do not recommend this approach.

Why?

This approach is full of opportunities for document and record-keeping errors.

A best practice is to keep the contents of the product Risk Management File
together in a single location for ease of access and use.

This is very difficult to manage and maintain using a paper-based approach. And
you can search far and wide for a software solution that is compliant with ISO
14971.

But I’ll save you a bit of time and effort and point you to the only software solution
that aligns with ISO 14971: Greenlight Guru (That’s part of the reason we built it).

Our purpose-built workflows enable you to align and maintain compliance with
ISO 14971:2019 and the risk-based requirements of ISO 13485:2016. Learn more
about Greenlight Guru’s Risk Management Software →
ISO 14971 Risk Management for Medical Devices: The Definitive Page
www.greenlight.guru
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Risk Assessment = Risk Analysis +

Risk Evaluation
ISO 14971 discusses Risk Analysis and Risk Evaluation as separate sets of tasks
that together comprise Risk Assessment.

As a practical matter, I will generally conduct Risk Analysis and Risk Evaluation at
the same time.

To do so, it is important for you to understand the tasks involved with each.

Risk Analysis
The starting point for identifying specific risks related to medical device products is
Risk Analysis.

There are lots of ways you can conduct Risk Analysis.

Many techniques are used throughout the industry, including preliminary hazards
analysis, FMEA, and fault tree analysis.

Know that each of these techniques has pros and cons.

You should also know that if you are using FMEA only for your Risk Management
efforts, you are NOT meeting the intent of ISO 14971.

FMEA is a reliability tool that assumes single-fault failures as part of analysis. Risk
Management is broader than just failures; risks exist when medical devices are
used without failure modes.

In my opinion, as you go through Risk Analysis, Risk Evaluation, and Risk

Controls, there is a good flow and progression.

You should define an approach that helps you document and capture all of these
Risk Management steps (which I explain in the Ideal Risk Management Workflow
section of this guide).
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Risk Analysis Process

The Risk Analysis Process is typically described in your company’s Risk
Management procedure.

The Risk Analysis must identify the medical device, as well as who was involved,
risk analysis scope, and date(s).

Intended Use
When you start your Risk Analysis, you should work from a documented intended
use statement.

Yes, this should be the same intended use that you capture as part of Design
Controls when defining User Needs and Design Inputs.

Knowing the intended use is important for Risk Management. This statement
helps define the scope and will be instrumental as you identify hazards, harms,
etc.

Once you have defined the intended use, chances are you will be able to also
identify cases of foreseeable misuse too.

You should define these and include intentional and unintentional misuse cases.
Yes, you should consider off-label uses of the device.

There will be hazards from your product being used correctly and as intended.

There will also be hazards from foreseeable misuse.

The safety characteristics included in your medical device should be identified.

Things like special guards or redundant features are good examples.

One excellent way to ensure safety characteristics are established and

documented is to define these as specific Design Inputs in your Design History
File.

Identification of Hazards
Hazards are potential sources of harm.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

www.greenlight.guru
ISO 14971 Risk Management for Medical Devices: The Definitive Page

For your product, you need to identify all the possible hazards. ISO 14971 Annex C
contains a great list of examples of hazards.

Here are a few examples:

• Electromagnetic Energy

ϐ Line Voltage

ϐ Leakage Current

ϐ Electric Fields

• Thermal Energy
• Mechanical Energy

ϐ Gravity

ϐ Vibration

• Biological

ϐ Bacteria

ϐ Viruses

• Chemical

To identify hazards, understanding the intended use is important and necessary

(as well as foreseeable misuse).

A good technique for identifying hazards is to go through all the steps required for
your product to be used. At each step, identify if there are any potential sources of
harm.

Keep in mind that “harm” is generally focused on the patient. But it should also
consider end-users, damage to property, and the environment (I discuss harm
further on in this guide).

You may be wondering how you can possibly identify hazards when you do not
know exactly what your medical device is going to be.

I understand this might be challenging early on during product development. And I

encourage you to attempt to identify hazards as early in the medical device product
development process as possible.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Why?

When you identify hazards early, you have an opportunity to make sure that
your product’s User Needs and Design Inputs are defined in a way to address
any potential concerns. Doing so ensures that your Design Controls and Risk
Management activities are in sync.

And there is only one software platform designed specifically to integrate Design
Controls and Risk Management. Yep, you guessed it: Greenlight Guru.

Hazardous Situations
If a hazard is a potential source of harm, a hazardous situation is a circumstance
where people, property, and/or the environment is exposed to one or more
hazard.

For a hazardous situation to occur, there has to be a foreseeable sequence of

events that lead to this.

Once again, understanding the intended use and the steps involved in using your
medical device should help guide you through this process.

The foreseeable sequence of events that someone will go through in using your
product, which can result in a hazardous situation, should also be identified.

Hazard Foreseeable Sequence of Events Hazardous Situation

Electromagnetic 1. Electrostatically charged Failure to deliver

Energy (ESD) patient touches infusion
pump
2. ESD causes pump and
pump alarms to fail
3. Insulin not delivered to patient
insulin unknown to
patient with elevated
blood glucose level

As you can see from the provided example, in order for the Hazardous Situation
to occur, there are a series of things that must happen first (Foreseeable
Sequence of Events).
ISO 14971 Risk Management for Medical Devices: The Definitive Page
www.greenlight.guru
ISO 14971 Risk Management for Medical Devices: The Definitive Page

important tip: Hazards and Hazardous Situations exist for every single medical device. This is 100% true e

Estimation of Risks for each Hazardous Situation

Once a Hazardous Situation is identified, you need to identify all the
possible harms.

Each Hazardous Situation is likely to have multiple possible harms. Capture each.

Once harms are identified, you need to estimate the risk of each harm.

Risk per ISO 14971 is defined as the combination of the probability of

occurrence of harm and the severity of that harm.

I should also remind you of the definition of harm. Harm is physical injury or
damage to the health of people, or damage to property or the environment.

So risk estimation requires you to identify two things: severity and probability of
occurrence.

note: Probability of occurrence is sometimes referred to as “probability”, “occurrence”, and/or “likelihood”.

A common technique that is used is defining descriptions for various levels for
both severity and probability of occurrence.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Here is an example of a severity and occurrence table.

Severity Description

Critical Loss of limb; life-threatening injury

Major Severe, long-term injury; potential disability

Serious Short-term injury or impairment requiring additional

medical intervention to correct (e.g reoperation)

Minor Slight customer inconvenience; little to no effect on

product performance, non-vital fault

Negligible No or negligible risk to patient

The severity levels and descriptions should align with your medical

devices. Here is an example of a probability of occurrence table.

Occurrence Level Description

Frequent 1 in 100

Probable 1 in 1,000

Occasional 1 in 10,000

Remote 1 in 100,000

Improbable 1 in 1,000,000

Oftentimes, probability of occurrence might include quantitative terms (such as the

example above). Sometimes this can be difficult to estimate because your product
is new and/or there is little data available.

Note that there is no medical device industry standard for severity and probability
of occurrence.

www.greenlight.guru
ISO 14971 Risk Management for Medical Devices: The Definitive Page

When estimating severity and occurrence for Harms of each Hazardous

Situations, you should leverage objective evidence to support your estimates.
Objective evidence can include things such as:
• Similar products
• Regulatory data (such as adverse events reported to FDA)
• Scientific white papers
• Industry standards
• End-user expertise
• Supporting test data

For each Hazardous Situation, you need to estimate the Severity and estimate the
Occurrence in order to ultimately estimate Risk.

A common technique for this is to establish a Risk Acceptability Matrix or Risk

Evaluation Matrix (which I will expand on further under Risk Evaluation).

The table below shows the occurrence and severity levels. As you can see, risk
levels have been defined as either “low”, “medium”, or “high”.
Frequent LOW MEDIUM HIGH HIGH HIGH
Probable LOW MEDIUM MEDIUM HIGH HIGH
Occasional LOW LOW MEDIUM MEDIUM HIGH
Remote LOW LOW LOW MEDIUM HIGH
Improbable LOW LOW LOW LOW MEDIUM
Negligible Minor Serious Critical Catastrophic

Risk Evaluation
Once Risks for each Harm has been estimated, you now need to evaluate these
risks to determine if risk reduction is required.

In the section above, I provided a sample of a Risk Acceptability Matrix. In this

example, I identified three risk levels or “zones”: low, medium, and high.

Your risk acceptability does not necessarily need to have three zones.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

A common practice for Risk Evaluation is to identify which risk zones are
acceptable and which require risk reduction. This is something that you need to
define in your Risk Management Procedure and Risk Management Plan.

For those selling in the US, the typical practice is to correlate the low zone with an
acceptable risk and the high zone with unacceptable risk. The medium zone often
fits into what is referred to “as low as reasonably practicable.” Items in the high risk
levels require risk reduction and those in the medium level are generally
considered for risk reduction, as well.

For those selling devices into the EU market, it is important to know that the EU
MDR states that you must “reduce risks as far as possible” meaning you need to
consider risk reductions for all risks, regardless of the risk level.

Risk Controls
Now that you have conducted a Risk Analysis and Risk Evaluation, you are now
ready to identify Risk Controls.

Risk Reduction
During Risk Evaluation, you identified items that require risk reduction. Risk
Controls are about reducing identified risks to acceptable levels.

Risk Control Option Analysis

Risk Controls are measures that you take with your medical device to reduce the
risk. While it is possible to reduce the severity of an identified harm, generally speaking,
a Risk Control will have the most significant impact on the probability of occurrence of
a harm.

Risk Controls can include a wide array of options.

All too often, when Risk Controls are identified, they are more likely to involve
adding additional information to a label or instructions for use.
ISO 14971 Risk Management for Medical Devices: The Definitive Page
www.greenlight.guru
ISO 14971 Risk Management for Medical Devices: The Definitive Page

But please remember this. You should consider Risk Control options according to
the following priority:
• Inherent safety by design
• Protective measures in the actual medical device and/or manufacturing process
• Information for safety, such as labeling and instructions for use

Risk Controls should be focused on the specific design features first and labeling
as a last resort.

And yes, it is possible to include multiple Risk Controls to reduce risk. This is
actually a best practice.

I’ve shared a few times throughout this guide on the connection between Design
Controls and Risk Management. Risk Controls is an area with very strong ties to
Design Controls.

In fact, another best practice is to identify specific Design Outputs, Design

Verifications, and/or Design Validations as your Risk Control measure.

With Greenlight Guru’s Risk Solutions, you can finally demonstrate a risk-based
approach to design with linkability and full traceability to related design controls
and components. It also aligns with industry regulations with built-in industry lists
generated from IMDRF for documenting device Hazards and Harms.

Implementing Risk Controls

Once Risk Controls are identified, the next step is to implement them.

And if you follow my tip above about using Design Outputs, Design Verifications,
and Design Validations as Risk Control measures, then implementation is a bit
easier since these items are required as part of your Design Controls process.

Once Risk Controls are implemented, then you need to verify that this has
happened and determine the effectiveness of the measures taken. Record of this
shall be documented.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Residual Risk Evaluation

Now that Risk Controls have been implemented and verified for effectiveness, it is
now time to re-evaluate the risks.

You are going to use the same criteria you established for severity, occurrence,
risk levels, and risk acceptability as discussed before.

The objective is to evaluate the residual risks to determine if the risk level has been
reduced to acceptable levels (or if following EU MDR, is reduced as far as
possible).

In the event the residual risks are still unacceptable, revisit Risk Controls to
identify other means to reduce.

Benefit-Risk Analysis
The concept of a benefit-risk analysis is this: the medical benefits of the medical
device outweigh the residual risk.

After you identify Risk Controls and evaluate residual risks, it is still possible that
you will have some risks that are still in the unacceptable level. In these cases, it
might make sense to conduct and document a benefit-risk analysis (BRA).

The BRA must be documented and provided objective evidence and rationale for
why the medical benefits outweigh the unacceptable risks. If you are able to do so,
the BRA is a special provision for moving forward with unacceptable risks. An
important thing to remember is financial reasoning should never be included in a
BRA.

Please note that the benefit-risk analysis topic can be a slippery slope. You should
definitely take every possible measure to reduce the risk first via Risk Controls.

As an important side note, some individuals that are following the EU MDR say that
a BRA is required for all risks. The rationale is the regulations state that all risks
shall be reduced as far as possible. This is something to consider when you are
drafting your risk management plan.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

www.greenlight.guru
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Risks from Risk Controls

There is another twist to consider after you have implemented Risk Controls. And
the twist is, “did your Risk Controls introduce any new hazards or hazardous
situations?”

If so, then you need to add the hazards and hazardous situations and go through
the risk management process steps identified throughout this guide.

Overall Residual Risk Acceptability

So far, you have evaluated the individual risks identified for your medical device.

The next step is to now evaluate the overall residual risk acceptability of the
medical device on its whole entirety.

To do so, you are going to use the same severity, occurrence, risk level, and risk
acceptability criteria you use throughout the process.

If you determine that the overall residual risk of the entire product is not acceptable,
this is another case where you can conduct a benefit-risk analysis. The overall
BRA should be included with your Risk Management Report.

If you determine that the overall residual risk of the entire product is acceptable,
document this decision and support your rationale. I recommend including this in
your Risk Management Report.

Risk Management Review

Before going to market with your medical device, the results of all steps in your
risk management process shall be reviewed to ensure completeness.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

You need to establish a Risk Management Report which will summarize all your
risk management activities and include any benefit-risk analyses and explanation
of overall risk acceptability.

The Risk Management Report should also discuss your plans for evaluating risks
in production and post-production.

I recommend that you have executive management in your company approve the
Risk Management Report.

Production & Post-Production

Information
Risk Management is a total product lifecycle process.

Unfortunately, risk management efforts have a tendency to trail off and be forgotten
once a product is launched.

Please don’t let this happen to you!

Your product Risk Management File needs to be a living document.

Very few companies have figured out how to ensure RMF is living after product
development.

However, Greenlight Guru’s software allows you to keep your RMF documents
readily available to update with production and post-production information.
What’s more—with our Risk Management solution, the intuitive software features
in-line editing, auto-calculated risk probabilities, up-to-date IMDRF codes, and
more.
Click here to learn more about Greenlight Guru’s Risk Solutions.

You need to consider and document production related risk management

activities and events.

www.greenlight.gu
ISO 14971 Risk Management for Medical Devices: The Definitive Page

You need to ensure that post-production processes that you have in place to
support your QMS are feeding into your Risk Management process.

Complaints need to tie into Risk Management. Did the complaint identify a new
hazard or hazardous situation not captured? Does the occurrence of harm align
with what you estimated?

Customer feedback needs to tie into Risk Management. Did you learn something
about your product that impacts the Risk Management?

Non-conformances need to tie into Risk Management.

CAPAs need to tie into Risk Management.

The point is this: Once you begin manufacturing and launch your medical device
into the market, you are going to learn a great deal about the product.

You need to make sure that your Risk Management documentation is current and
as best as possible, an accurate reflection of the actual risks your product poses.

One poor practice I have observed is adding a “risk” section to CAPA,

complaint, non-conformance, and other post-production documents and forms.

I do not recommend taking this angle. Yes, these forms should identify whether or
not risk management is impacted and require an explanation if not.

If risk is impacted by one of these post-production events, do yourself a HUGE

favor and make an update to the actual Risk Management File that you worked so
hard on during product development.
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Summary
Realize that your Risk Management process must include:
• Risk Management Planning
• Risk Analysis
• Risk Evaluation
• Risk Controls
• Overall Residual Risk Acceptability
• Risk Management Review
• Production & Post-Production Information

Risk Management can be a difficult process. Use ISO 14971 and this guide to help
make it easier.

You have to tie Design Controls with Risk Management.

Risk Management needs to be living throughout the entire product

lifecycle. And for all these reasons, we developed Greenlight Guru’s Risk

Solutions.

A New Era of Risk Management

for MedTech
Our cutting-edge Risk Solutions pairs AI-generated insights with intuitive,
purpose- built risk management workflows for streamlined compliance and
reduced risk throughout the entire device lifecycle.

Greenlight Guru Risk Solutions help MedTech companies improve the risk
management process, driving more efficiency and confidence, and getting
safer devices to market faster.

www.greenlight.gu
ISO 14971 Risk Management for Medical Devices: The Definitive Page

Risk Solutions is made up of two key components:

• Risk Management provides visually intuitive, collaborative workflows for
creating risk matrices and documenting risk and is the only solution in the
industry that aligns with ISO 14971:2019 while providing complete
traceability throughout the entire device life cycle.
• Risk Intelligence leverages advanced statistical models that help you identify
the most relevant device hazards and patient harms with probabilities based
on the occurrence of real-world adverse event data. Use AI-generated insights
to transform the way you work.

Ready to step into the future and get more effective, efficient, and confident in managing risk for you
ISO 14971 Risk Management for Medical Devices: The Definitive Guide Page

ISO 14971 Risk

Management for
Medical Devices:
The Definitive
Guide

Schedule Your Personalized Demo

of Greenlight Guru
www.greenlight.guru
www.greenlight.guru