
Effective Implementation of EN ISO 14971 Medical Device Risk Management Standard

Risk management is an important lifecycle product development requirement for all medical device organizations when developing, manufacturing, and commercially distributing medical products. To appropriately address issues of potential risk within the European Economic Area (EEA), manufacturers must utilize the harmonized standard, EN ISO 14971:2012, to meet regulatory requirements. However, EU device manufacturers often struggle to effectively implement this particular requirement given how the standard was harmonized by the European competent authorities.

In 2012, the European (EN) version of the Medical Device Risk Management Standard (ISO 14971) was revised, but without changes to the normative text of Clauses 1 through 9. Rather, seven (7) so-called content deviations between ISO 14971 and the regulatory requirements of the three (3) European medical device directives were identified and documented in the informative Annexes ZA, ZB and ZC of EN ISO 14971:2012.

These inconsistencies have caused confusion about which processes to use when addressing risk. To help EU device manufacturers understand how to undertake risk management activities effectively, the two most significant content deviations from ISO 14971 are discussed below.

Content Deviation 2: Discretionary Power of Manufacturers as to the Acceptability of Risks: The Risk Evaluation Process

The second deviation from ISO 14971 is specific to the risk evaluation process. ISO 14971 indicates in informative Annex D.4 that the acceptability of risk is not specified by the Standard and must be determined by the manufacturer. Clause 3.2 of ISO 14971 states that “Top management shall define and document the policy for determining criteria for risk acceptability.”

This risk management policy is intended to set a threshold for risk acceptability. In Clause 5 of the Standard (risk evaluation), the manufacturer is instructed to evaluate whether each risk is acceptable using the risk acceptability criteria derived from that policy.

This requirement, to establish a risk acceptance policy, contradicts the Medical Device Directive (MDD) Annex I requirements as amended. Essential Requirements ER1 and ER2 mandate that all identified risks be reduced as far as possible (AFAP), and that all risks be included in a risk/benefit analysis, not only the risks beyond a pre-defined acceptance threshold.

Many medical device manufacturers choose arbitrary thresholds for acceptability of risk instead of using benchmarking tools or a preliminary risk/benefit analysis. It is quite common for device makers to establish a policy that all risks must fall below a quantitative threshold; e.g. where the range of possible risk scores runs from 1 to 1,000, all risks of 1 in 100 or lower may be deemed acceptable.

For EU manufacturers of novel devices, it is strongly recommended that all foreseeable risks be benchmarked against the known risks of existing similar devices. If the novel device presents equal or lower risks than existing devices, the risks of the novel device can be considered acceptable.

What is Acceptable?

In order to comply with the risk management portion of EN ISO 14971:2012, risk controls must be implemented for all risks, regardless of acceptability.

Manufacturers will also need to perform a conclusive risk/benefit analysis, which should consider not only all identified residual risks (including usability risks), but also the clinically relevant patient benefits and the relative benefits of available alternative treatment options.

The acceptability of risk cannot be based solely on technological design features and physical performance test results. Since June 2016, the Clinical Evaluation Report (CER) must be based on clinical evidence for the device under evaluation and its intended medical purpose, including known and foreseeable side effects and potential complications.

Content Deviation 4: Discretion as to whether a Risk/Benefit Analysis should Take Place

The current ISO 14971 Risk Management Standard lacks clarity on the interdependence and consistency of risk acceptability criteria and the scientific clinical data confirming a beneficial risk/benefit profile. There is widespread confusion as to whether an individual and/or overall risk/benefit evaluation is a mandatory part of the EN ISO 14971 risk management process:

  • Clause 6.5 states: “If the residual risk is not judged acceptable using the criteria established in the risk management plan and further risk control is not practicable, the manufacturer may gather and review data and literature to determine if the medical benefits of the intended use outweigh the residual risk.”
  • Clause 7 states: “If the overall residual risk is not judged acceptable using the criteria established in the risk management plan, the manufacturer may gather and review data and literature to determine if the medical benefits of the intended use outweigh the overall residual risk.”

However, the informative Annex D of ISO 14971 states in section D.6.1: “A risk/benefit analysis is not required by this International Standard for every risk.”

Clauses 6.5 and 7 imply that a risk/benefit analysis need not take place if the residual risk, or the overall residual risk, is judged acceptable using the criteria established in the risk management plan.

Contrary to the above statements, content deviation 4 in EN ISO 14971:2012 states the following:

  • “According to Section 1 of Annex I to Directive 93/42/EEC, an overall risk/benefit analysis must take place in any case, regardless of the application of criteria established in the management plan of the manufacturer.”
  • “Accordingly, the manufacturer must undertake the risk/benefit analysis for the individual risk and the overall risk/benefit analysis (weighing all risks combined against the benefit) in all cases.”

The last paragraph may suggest that the risk/benefit analysis is necessarily part of the risk management report, but in actuality this is not the case. While the harmonized EN ISO 14971 Risk Management Standard diligently puts the purpose of the risk management requirements into perspective against the referenced regulatory requirements, the intrinsic risk/benefit evaluation requirement of the MDD as amended (consolidated text M5), set forth in Annex I ER 6 and ER 6a, points to Annex X (clinical evaluation):

  • Section 6 of Annex I to Directive 93/42/EEC requires undesirable side effects to “constitute an acceptable risk when weighed against the performance intended.”
  • Section 6a of Annex I to Directive 93/42/EEC requires that “demonstration of conformity with the Essential Requirements must include a clinical evaluation in accordance with Annex X.”

Both Essential Requirements, 6 and 6a, directly connect the acceptability of risk, when evaluated against probable patient benefits, with the requirement for a clinical evaluation as set forth in Annex X. The MEDDEV guidance 2.7/1 rev. 4, entitled “Clinical evaluation: a guide for manufacturers and notified bodies under directives 93/42/EEC and 90/385/EEC”, is intrinsically connected with Annex X of the MDD as amended (M5).

This guidance document states in Section 2 (Scope): “This guide is not legally binding. Only the text of the Directives is authentic in law.”

The same section continues:

“Nevertheless, due to the participation of interested parties and of experts from national Competent Authorities, it is anticipated that this guide will be followed within the Member States, thereby supporting uniform application of relevant provisions of EU Directives and common practices.”

In current regulatory compliance practice, EU Notified Bodies accept only clinical evaluations that follow the above-referenced (non-legally binding) MEDDEV guideline on the clinical evaluation process, with the following consequences:

  • The clinical evaluation process is considered part of the medical device design and development lifecycle, starting with the device concept.
  • The risk management outcome is considered an input to the clinical evaluation process.
  • The clinical evaluation report is an outcome of the design validation phase, with matured design characteristics including human factors and clinical usability for the intended medical use(s) and purpose(s).
  • The clinical evaluation format and content should (i.e. must) follow the medical device lifecycle requirements outlined in MEDDEV guidance document 2.7/1 revision 4.

Impact of Risk Management Content Deviations

The evaluation of residual risk and the acceptability of risk should be derived from the clinical risk/benefit analysis, and must involve medical and clinical experts in the assessment and final determination.

The harmonized EN risk management version includes the mandatory collection and evaluation of post-production market information. If post-production information reveals previously unrecognized hazards, hazardous situations, or different risk estimates (e.g. occurrence rates that are no longer considered acceptable), the legal manufacturer must re-examine the risk management file, the device’s residual risk acceptance and the risk/benefit assessment.

Finally, the clinical evaluation process should determine the need for, and the extent of, Post-Market Clinical Follow-Up (PMCF) studies. The PMCF determination is part of the initial Clinical Evaluation Report (CER) and is intended to collect post-market clinical data to verify that the risk/benefit conclusion remains acceptable over the lifetime of the device under real-world intended use conditions (MEDDEV guidance 2.12/2 rev. 2, “Post Market Clinical Follow-Up Studies”).


It is essential that medical device manufacturers accurately understand the significant content deviations between the EN ISO 14971 Risk Management Standard and the current Essential Requirements of the EU device directives, in order to adapt the associated risk management and clinical evaluation processes effectively:

  • The risk management policy must clearly specify how the acceptability of risk is to be determined in light of the intended clinical purpose(s), probable patient benefits and foreseeable clinical complications.
  • Risk Management and Clinical Evaluation are mandatory and interdependent medical device lifecycle processes for all devices independent of risk classification.
  • Both processes must be implemented and maintained to meet product specific regulatory requirements as set forth in the EU directives and guidance documents.
  • Risk Management and Clinical Evaluation processes mandate implementation of significant pre- and post-market organizational and reporting requirements.
  • The need and justification for PMCF studies should be carefully planned and implemented to verify that the risk/benefit profile remains consistent with the conclusions of the clinical evaluation report for the anticipated use life (e.g. confirming long-term medical patient benefits).

Additionally, the incoming EU Medical Device Regulation, Regulation (EU) 2017/745 (MDR), provides clear statements regarding risk management, clinical performance and clinical evaluation requirements in the context of the new MDR regulatory framework that must be considered. The following is a non-exhaustive excerpt from the recitals of the MDR:

(33) The risk management system should be carefully aligned with and reflected in the clinical evaluation for the device, including the clinical risks to be addressed as part of clinical investigations, clinical evaluation and post-market clinical follow-up. The risk management and clinical evaluation processes should be inter-dependent and should be regularly updated.

(49) The summary of safety and clinical performance for a device should include in particular the place of the device in the context of diagnostic or therapeutic options taking into account the clinical evaluation of that device when compared to the diagnostic or therapeutic alternatives and the specific conditions under which that device and its alternatives can be considered.

How can NAMSA Help?

Navigating the international regulatory landscape can be overwhelming for any medical device manufacturer. That’s why having the right partner, at the right time, can be invaluable in achieving reimbursement requirements and market success.

NAMSA is the industry leader in driving successful regulatory outcomes through effective interactions with the EU Commission and Notified Bodies. In fact, our internal teams of medical device development experts communicate with EU entities nearly every day. Our teams are the most experienced in the industry at accelerating regulatory submissions and approvals for device manufacturers. This expertise has been proven to save medical device organizations up to $17M in costs and 23 months in development timelines.

If you are interested in speaking with us about EU-related activities or other global regulatory strategies, please contact us at communications@namsa.com or 1-419-666-9455.



Stephan Buttron

Stephan Buttron currently serves as NAMSA’s Senior Product Development Strategist. Mr. Buttron has over 20 years’ experience in achieving EU, U.S. FDA and other international regulatory medical device approvals and registrations. He has provided global consulting services on regulatory strategy development to medical device manufacturers regarding least burdensome pathways for 510(k)/PMA and MDD CE mark applications. He has successfully managed FDA pre-submission meetings for Investigational Device Exemption (IDE) pathways with multiple FDA specialty branches. Stephan is considered a key industry thought leader on risk management, and has provided multiple training sessions to medical device manufacturers on the structured risk management process per EN ISO 14971 and EU MDD 93/42/EEC as amended by Directive 2007/47/EC. Mr. Buttron has also provided countless educational opportunities to international organizations regarding medical device design and development issues related to ISO 13485 and EU MDD (2007/47/EC) compliance.