EN ISO 14971:2009

SLOVENSKI STANDARD
01-november-2009
1DGRPHãþD
SIST EN ISO 14971:2007
0HGLFLQVNLSULSRPRþNL8SRUDEDREYODGRYDQMDWYHJDQMDSULPHGLFLQVNLK
SULSRPRþNLK,62SRSUDYOMHQDYHU]LMD
Medical devices - Application of risk management to medical devices (ISO 14971:2007,
Corrected version 2007-10-01)
Medizinprodukte - Anwendung des Risikomanagements auf Medizinprodukte (ISO
14971:2007)
Dispositifs médicaux - Application de la gestion des risques aux dispositifs médicaux
(ISO 14971:2007, Version corrigé 2007-10-01)
Ta slovenski standard je istoveten z: EN ISO 14971:2009
ICS:
11.040.01 Medicinska oprema na Medical equipment in general
splošno
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN ISO 14971
NORME EUROPÉENNE
EUROPÄISCHE NORM
July 2009
ICS 11.040.01 Supersedes EN ISO 14971:2007
English version
Medical devices - Application of risk management to medical
devices (ISO 14971:2007, Corrected version 2007-10-01)
Dispositifs médicaux - Application de la gestion des risques Medizinprodukte - Anwendung des Risikomanagements auf
aux dispositifs médicaux (ISO 14971:2007, Version Medizinprodukte (ISO 14971:2007, korrigierte Fassung
corrigée de 2007-10-01) 2007-10-01)
This European Standard was approved by CEN on 13 June 2009.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving
this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning
such national standards may be obtained on application to the CEN Management Centre or to any CEN or CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN or CENELEC member into its own language and notified to the CEN Management Centre has the same
status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees, respectively, of Austria,
Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and
United Kingdom.
CEN Management Centre: CENELEC Central Secretariat:
Avenue Marnix 17, B-1000 Brussels Avenue Marnix 17, B-1000 Brussels
© 2009 CEN/CENELEC All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 14971:2009 E
worldwide for CEN national Members and for CENELEC
Members.
Contents Page
Foreword .3
Annex ZA (informative) Relationship between this European Standard and the Essential
Requirements of EU Directive 93/42/EEC on Medical Devices .4
Annex ZB (informative) Relationship between this European Standard and the Essential
Requirements of EU Directive 90/385/EEC on Active Implantable Medical Devices .5
Annex ZC (informative) Relationship between this European Standard and the Essential
Requirements of EU Directive 98/79/EC on In Vitro Diagnostic Devices .6

Foreword
The text of ISO 14971:2007, Corrected version 2007-10-01 has been prepared by Technical Committee
ISO/TC 210 “Quality management and corresponding general aspects for medical devices” of the International
Organization for Standardization (ISO) and has been taken over as EN ISO 14971:2009 by Technical
Committee CEN/CLC TC 3 “Quality management and corresponding general aspects for medical devices” the
secretariat of which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an identical
text or by endorsement, at the latest by January 2010, and conflicting national standards shall be withdrawn at
the latest by March 2010.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO 14971:2007.
This document has been prepared under a mandate given to CEN by the European Commission and the
European Free Trade Association, and supports essential requirements of EU Directives 93/42/EEC on
Medical Devices, 90/385/EEC on Active Implantable Medical Devices and 98/79/EC on In Vitro Diagnostic
Devices.
For relationship with EU Directives, see informative Annexes ZA, ZB and ZC, which are an integral part of this
document.
The present standard can also be used to support some parts of the conformity assessment procedures
described in annexes of the European medical devices directives (90/385/EEC, 93/42/EEC and (98/79/EC):
− an adequate description of: results of the risk analysis,
− an undertaking by the manufacturer to institute and keep up to date a systematic procedure to review
experience gained from devices in the post-production phase and to implement appropriate means to
apply any necessary corrective action
NOTE: Other requirements may be applicable to this aspect

In establishing the policy for determining risk acceptability criteria, this standard allows manufacturers to
choose from a range of options within those permitted by regulations (see clause 3.2). European medical
devices directives require that, in selecting the most appropriate solutions for the design and construction of
the devices, these solutions must conform to safety principles, taking account of the generally acknowledged
state of the art, and the manufacturer must apply the following principles in the following order:
• eliminate or reduce risks as far as possible (inherently safe design and construction),
• where appropriate take adequate protection measures including alarms if necessary, in relation to
risks that cannot be eliminated,
• inform users of the residual risks due to any shortcomings of the protection measures adopted.

In this context, ‘eliminating’ or ‘reducing’ risk must be interpreted and applied in such a way as to take account
of technology and practice existing at the time of design and of technical and economical considerations
compatible with a high level of protection of health and safety; (see also Annex D.8).
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Cyprus, Czech
Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,
Sweden, Switzerland and the United Kingdom.
Endorsement notice
The text of ISO 14971:2007, Corrected version 2007-10-01 has been approved by CEN as a EN ISO
14971:2009 without any modification.
Annex ZA
(informative)
Relationship between this European Standard and the Essential Requirements of
EU Directive 93/42/EEC on Medical Devices
This European Standard has been prepared under a mandate given to CEN by the European Commission
and the European Free Trade Association to provide a means of conforming to Essential Requirements of the
New Approach Directive 93/42/EEC on medical devices.

Once this standard is cited in the Official Journal of the European Communities under that Directive and has
been implemented as a national standard in at least one Member State, compliance with the clauses of this
standard confers, within the limits of the scope of this standard, a presumption of conformity with the
corresponding Essential Requirements of that Directive and associated EFTA regulations.

This standard provides a process for managing risks associated with medical devices. Because this standard
describes an ongoing process applicable in part or in all to the Essential Requirements of Directive 93/42/EEC
on medical devices, it is not meaningful to link individual clauses of the standard to specific corresponding
Essential Requirements.
Compliance with all the requirement clauses in this standard will ensure that general aspects of medical
devices related to patient risk and safety have been addressed. For particular medical devices or for particular
safety aspects, additional specific requirements may need to be complied with in order to meet the essential
requirements. With respect to users of medical devices and third persons, additional specific requirements
from other EU Directives may need to be complied with in order to meet Essential Requirement 1. Relevant
harmonized standards may also be used for these purposes.

The risk management processes described in this standard could establish the need for collection of clinical or
other experimental data for risk-benefit evaluation purposes. It does not describe how this has to be carried
out. Relevant harmonized standards may be used for this purpose.

WARNING — Other requirements and other EU Directives may be applicable to a product falling within the
scope of this standard.
Annex ZB
(informative)
Relationship between this European Standard and the Essential Requirements of
EU Directive 90/385/EEC on Active Implantable Medical Devices
This European Standard has been prepared under a mandate given to CEN by the European Commission
and the European Free Trade Association to provide a means of conforming to Essential Requirements of the
New Approach Directive 90/385/EEC on active implantable medical devices.

Once this standard is cited in the Official Journal of the European Communities under that Directive and has
been implemented as a national standard in at least one Member State, compliance with the clauses of this
standard confers, within the limits of the scope of this standard, a presumption of conformity with the
corresponding Essential Requirements of that Directive and associated EFTA regulations.

This standard provides a process for managing risks associated with medical devices. Because this standard
describes an ongoing process applicable in part or in all to the Essential Requirements of Directive
90/385/EEC on active implantable medical devices, it is not meaningful to link individual clauses of the
standard to specific corresponding Essential Requirements.

Compliance with all the requirement clauses in this standard will ensure that general aspects of medical
devices related to patient risk and safety have been addressed. For particular medical devices or for particular
safety aspects, additional specific requirements may need to be complied with in order to meet the essential
requirements. With respect to users of medical devices and third persons, additional specific requirements
from other EU Directives may need to be complied with in order to meet Essential Requirement 1. Relevant
harmonized standards may also be used for these purposes.

The risk management processes described in this standard could establish the need for collection of clinical or
other experimental data for risk-benefit evaluation purposes. It does not describe how this has to be carried
out. Relevant harmonized standards may be used for this purpose.

WARNING — Other requirements and other EU Directives may be applicable to a product falling within the
scope of this standard.
Annex ZC
(informative)
Relationship between this European Standard and the Essential Requirements of
EU Directive 98/79/EC on In Vitro Diagnostic Devices
This European Standard has been prepared under a mandate given to CEN by the European Commission
and the European Free Trade Association to provide a means of conforming to Essential Requirements of the
New Approach Directive 98/79/EC on in vitro diagnostic devices.

Once this standard is cited in the Official Journal of the European Communities under that Directive and has
been implemented as a national standard in at least one Member State, compliance with the clauses of this
standard confers, within the limits of the scope of this standard, a presumption of conformity with the
corresponding Essential Requirements of that Directive and associated EFTA regulations.

This standard provides a process for managing risks associated with medical devices. Because this standard
describes an ongoing process applicable in part or in all to the Essential Requirements of Directive 98/79/EC
on in vitro diagnostic devices, it is not meaningful to link individual clauses of the standard to specific
corresponding Essential Requirements.

Compliance with all the requirement clauses in this standard will ensure that general aspects of medical
devices related to patient risk and safety have been addressed. For particular medical devices or for particular
safety aspects, additional specific requirements may need to be complied with in order to meet the essential
requirements. With respect to users of medical devices and third persons, additional specific requirements
from other EU Directives may need to be complied with in order to meet Essential Requirement 1. Relevant
harmonized standards may also be used for these purposes.

The risk management processes described in this standard could establish the need for collection of clinical or
other experimental data for risk-benefit evaluation purposes. It does not describe how this has to be carried
out. Relevant harmonized standards may be used for this purpose.

WARNING — Other requirements and other EU Directives may be applicable to a product falling within the
scope of this standard.
INTERNATIONAL ISO
STANDARD 14971
Second edition
2007-03-01
Corrected version
2007-10-01
Medical devices — Application of risk
management to medical devices
Dispositifs médicaux — Application de la gestion des risques aux
dispositifs médicaux
Reference number
ISO 14971:2007(E)
©
ISO 2007
ISO 14971:2007(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO 2007
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2007 – All rights reserved

ISO 14971:2007(E)
Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Terms and definitions. 1
3 General requirements for risk management . 5
3.1 Risk management process . 5
3.2 Management responsibilities . 7
3.3 Qualification of personnel . 7
3.4 Risk management plan. 7
3.5 Risk management file. 8
4 Risk analysis . 8
4.1 Risk analysis process . 8
4.2 Intended use and identification of characteristics related to the safety of the medical
device. 9
4.3 Identification of hazards . 9
4.4 Estimation of the risk(s) for each hazardous situation. 9
5 Risk evaluation. 10
6 Risk control . 11
6.1 Risk reduction . 11
6.2 Risk control option analysis. 11
6.3 Implementation of risk control measure(s). 11
6.4 Residual risk evaluation. 12
6.5 Risk/benefit analysis . 12
6.6 Risks arising from risk control measures.12
6.7 Completeness of risk control . 12
7 Evaluation of overall residual risk acceptability . 13
8 Risk management report. 13
9 Production and post-production information. 13
Annex A (informative) Rationale for requirements . 15
Annex B (informative) Overview of the risk management process for medical devices . 23
Annex C (informative) Questions that can be used to identify medical device characteristics that
could impact on safety. 25
Annex D (informative) Risk concepts applied to medical devices. 32
Annex E (informative) Examples of hazards, foreseeable sequences of events and hazardous
situations . 49
Annex F (informative) Risk management plan . 54
Annex G (informative) Information on risk management techniques. 56
Annex H (informative) Guidance on risk management for in vitro diagnostic medical devices. 60
Annex I (informative) Guidance on risk analysis process for biological hazards. 76
Annex J (informative) Information for safety and information about residual risk . 78
Bibliography . 80

ISO 14971:2007(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
International Standard ISO 14971 was prepared by ISO/TC 210, Quality management and corresponding
general aspects for medical devices, and Subcommittee IEC/SC 62A, Common aspects of electrical
equipment used in medical practice. Annex H, “Guidance on risk management for in vitro diagnostic medical
devices”, was prepared by ISO/TC 212, Clinical laboratory testing and in vitro diagnostic test systems.
This second edition cancels and replaces the first edition (ISO 14971:2000) as well as the amendment
ISO 14971:2000/Amd.1:2003.
For purposes of future IEC maintenance, Subcommittee 62A has decided that the contents of this publication will
1)
remain unchanged until the maintenance result date indicated on the IEC web site under http://webstore.iec.ch
in the data related to the specific publication. At this date, the publication will be
⎯ reconfirmed,
⎯ withdrawn,
⎯ replaced by a revised edition or
⎯ amended.
This corrected version of ISO 14971:2007 incorporates the following correction:
⎯ a corrected version of Figure 1 on page 6.

1) IEC National Committees are requested to note that for this publication the maintenance result date is 2014.
iv © ISO 2007 – All rights reserved

ISO 14971:2007(E)
Introduction
The requirements contained in this International Standard provide manufacturers with a framework within
which experience, insight and judgment are applied systematically to manage the risks associated with the
use of medical devices.
This International Standard was developed specifically for medical device/system manufacturers using
established principles of risk management. For other manufacturers, e.g., in other healthcare industries, this
International Standard could be used as informative guidance in developing and maintaining a risk
management system and process.
This International Standard deals with processes for managing risks, primarily to the patient, but also to the
operator, other persons, other equipment and the environment.
As a general concept, activities in which an individual, organization or government is involved can expose
those or other stakeholders to hazards which can cause loss of or damage to something they value. Risk
management is a complex subject because each stakeholder places a different value on the probability of
harm occurring and its severity.
It is accepted that the concept of risk has two components:
a) the probability of occurrence of harm;
b) the consequences of that harm, that is, how severe it might be.
The concepts of risk management are particularly important in relation to medical devices because of the
variety of stakeholders including medical practitioners, the organizations providing health care, governments,
industry, patients and members of the public.
All stakeholders need to understand that the use of a medical device entails some degree of risk. The
acceptability of a risk to a stakeholder is influenced by the components listed above and by the stakeholder’s
perception of the risk. Each stakeholder’s perception of the risk can vary greatly depending upon their cultural
background, the socio-economic and educational background of the society concerned, the actual and
perceived state of health of the patient, and many other factors. The way a risk is perceived also takes into
account, for example, whether exposure to the hazard seems to be involuntary, avoidable, from a man-made
source, due to negligence, arising from a poorly understood cause, or directed at a vulnerable group within
society. The decision to use a medical device in the context of a particular clinical procedure requires the
residual risks to be balanced against the anticipated benefits of the procedure. Such judgments should take
into account the intended use, performance and risks associated with the medical device, as well as the risks
and benefits associated with the clinical procedure or the circumstances of use. Some of these judgments can
be made only by a qualified medical practitioner with knowledge of the state of health of an individual patient
or the patient’s own opinion.
As one of the stakeholders, the manufacturer makes judgments relating to safety of a medical device,
including the acceptability of risks, taking into account the generally accepted state of the art, in order to
determine the suitability of a medical device to be placed on the market for its intended use. This International
Standard specifies a process through which the manufacturer of a medical device can identify hazards
associated with a medical device, estimate and evaluate the risks associated with these hazards, control
these risks, and monitor the effectiveness of that control.
For any particular medical device, other International Standards could require the application of specific
methods for managing risk.
INTERNATIONAL STANDARD ISO 14971:2007(E)

Medical devices — Application of risk management to medical
devices
1 Scope
This International Standard specifies a process for a manufacturer to identify the hazards associated with
medical devices, including in vitro diagnostic (IVD) medical devices, to estimate and evaluate the associated
risks, to control these risks, and to monitor the effectiveness of the controls.
The requirements of this International Standard are applicable to all stages of the life-cycle of a medical
device.
This International Standard does not apply to clinical decision making.
This International Standard does not specify acceptable risk levels.
This International Standard does not require that the manufacturer have a quality management system in
place. However, risk management can be an integral part of a quality management system.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply:
2.1
accompanying document
document accompanying a medical device and containing information for those accountable for the
installation, use and maintenance of the medical device, the operator or the user, particularly regarding safety
NOTE Adapted from IEC 60601-1:2005, definition 3.4.
2.2
harm
physical injury or damage to the health of people, or damage to property or the environment
[ISO/IEC Guide 51:1999, definition 3.3]
2.3
hazard
potential source of harm
[ISO/IEC Guide 51:1999, definition 3.5]
2.4
hazardous situation
circumstance in which people, property, or the environment are exposed to one or more hazard(s)
[ISO/IEC Guide 51:1999, definition 3.6]
NOTE See Annex E for an explanation of the relationship between “hazard” and “hazardous situation”.
ISO 14971:2007(E)
2.5
intended use
intended purpose
use for which a product, process or service is intended according to the specifications, instructions and
information provided by the manufacturer
2.6
in vitro diagnostic medical device
IVD medical device
medical device intended by the manufacturer for the examination of specimens derived from the human body
to provide information for diagnostic, monitoring or compatibility purposes
EXAMPLES Reagents, calibrators, specimen collection and storage devices, control materials and related instruments,
apparatus or articles.
NOTE 1 Can be used alone or in combination with accessories or other medical devices.
NOTE 2 Adapted from ISO 18113-1:—, definition 3.29.
2.7
life-cycle
all phases in the life of a medical device, from the initial conception to final decommissioning and disposal
2.8
manufacturer
natural or legal person with responsibility for the design, manufacture, packaging, or labelling of a medical
device, assembling a system, or adapting a medical device before it is placed on the market or put into service,
regardless of whether these operations are carried out by that person or on that person's behalf by a third
party
NOTE 1 Attention is drawn to the fact that the provisions of national or regional regulations can apply to the definition of
manufacturer.
NOTE 2 For a definition of labelling, see ISO 13485:2003, definition 3.6.
2.9
medical device
any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software,
material or other similar or related article, intended by the manufacturer to be used, alone or in combination,
for human beings for one or more of the specific purpose(s) of
⎯ diagnosis, prevention, monitoring, treatment or alleviation of disease,
⎯ diagnosis, monitoring, treatment, alleviation of or compensation for an injury,
⎯ investigation, replacement, modification, or support of the anatomy or of a physiological process,
⎯ supporting or sustaining life,
⎯ control of conception,
⎯ disinfection of medical devices,
⎯ providing information for medical purposes by means of in vitro examination of specimens derived from
the human body,
and which does not achieve its primary intended action in or on the human body by pharmacological,
immunological or metabolic means, but which may be assisted in its function by such means
NOTE 1 This definition has been developed by the Global Harmonization Task Force (GHTF). See bibliographic
reference [38].
[ISO 13485:2003, definition 3.7]
2 © ISO 2007 – All rights reserved

ISO 14971:2007(E)
NOTE 2 Products, which could be considered to be medical devices in some jurisdictions but for which there is not yet
a harmonized approach, are:
⎯ aids for disabled/handicapped people,
⎯ devices for the treatment/diagnosis of diseases and injuries in animals,
⎯ accessories for medical devices (see Note 3),
⎯ disinfection substances,
⎯ devices incorporating animal and human tissues which can meet the requirements of the above definition but are
subject to different controls.
NOTE 3 Accessories intended specifically by manufacturers to be used together with a “parent” medical device to
enable that medical device to achieve its intended purpose, should be subject to this International Standard.
2.10
objective evidence
data supporting the existence or verity of something
NOTE Objective evidence can be obtained through observation, measurement, testing or other means.
[ISO 9000:2005, definition 3.8.1]
2.11
post-production
part of the life-cycle of the product after the design has been completed and the medical device has been
manufactured
EXAMPLES transportation, storage, installation, product use, maintenance, repair, product changes,
decommissioning and disposal.
2.12
procedure
specified way to carry out an activity or a process
[ISO 9000:2005, definition 3.4.5]
2.13
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005, definition 3.4.1]
2.14
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005, definition 3.7.6]
2.15
residual risk
risk remaining after risk control measures have been taken
NOTE 1 Adapted from ISO/IEC Guide 51:1999, definition 3.9.
NOTE 2 ISO/IEC Guide 51:1999, definition 3.9 uses the term “protective measures” rather than “risk control
measures.” However, in the context of this International Standard, “protective measures” are only one option for controlling
risk as described in 6.2.
ISO 14971:2007(E)
2.16
risk
combination of the probability of occurrence of harm and the severity of that harm
[ISO/IEC Guide 51:1999, definition 3.2]
2.17
risk analysis
systematic use of available information to identify hazards and to estimate the risk
[ISO/IEC Guide 51:1999, definition 3.10]
NOTE Risk analysis includes examination of different sequences of events that can produce hazardous situations
and harm. See Annex E.
2.18
risk assessment
overall process comprising a risk analysis and a risk evaluation
[ISO/IEC Guide 51:1999, definition 3.12]
2.19
risk control
process in which decisions are made and measures implemented by which risks are reduced to, or
maintained within, specified levels
2.20
risk estimation
process used to assign values to the probability of occurrence of harm and the severity of that harm
2.21
risk evaluation
process of comparing the estimated risk against given risk criteria to determine the acceptability of the risk
2.22
risk management
systematic application of management policies, procedures and practices to the tasks of analysing, evaluating,
controlling and monitoring risk
2.23
risk management file
set of records and other documents that are produced by risk management
2.24
safety
freedom from unacceptable risk
[ISO/IEC Guide 51:1999, definition 3.1]
2.25
severity
measure of the possible consequences of a hazard
2.26
top management
person or group of people who direct(s) and control(s) a manufacturer at the highest level
NOTE Adapted from ISO 9000:2005, definition 3.2.7.
4 © ISO 2007 – All rights reserved

ISO 14971:2007(E)
2.27
use error
act or omission of an act that results in a different medical device response than intended by the manufacturer
or expected by the user
NOTE 1 Use error includes slips, lapses and mistakes.
NOTE 2 See also IEC 62366:—, Annexes B and D.1.3.
NOTE 3 An unexpected physiological response of the patient is not by itself considered use error.
2)
[IEC 62366:— , definition 2.12]
2.28
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled
NOTE 1 The term “verified” is used to designate the corresponding status.
NOTE 2 Confirmation can comprise activities such as:
⎯ performing alternative calculations;
⎯ comparing a new design specification with a similar proven design specification;
⎯ undertaking tests and demonstrations;
⎯ reviewing documents prior to issue.
[ISO 9000:2005, definition 3.8.4]
3 General requirements for risk management
3.1 Risk management process
The manufacturer shall establish, document and maintain throughout the life-cycle an ongoing process for
identifying hazards associated with a medical device, estimating and evaluating the associated risks,
controlling these risks, and monitoring the effectiveness of the controls. This process shall include the
following elements:
⎯ risk analysis;
⎯ risk evaluation;
⎯ risk control;
⎯ production and post-production information.
Where a documented product realization process exists, such as that described in Clause 7 of
[8]
ISO 13485:2003 , it shall incorporate the appropriate parts of the risk management process.
NOTE 1 A documented quality management system process can be used to deal with safety in a systematic manner,
in particular to enable the early identification of hazards and hazardous situations in complex medical devices and
systems.
2) To be published.
ISO 14971:2007(E)
NOTE 2 A schematic representation of the risk management process is shown in Figure 1. Depending on the specific
life-cycle phase, individual elements of risk management can have varying emphasis. Also, risk management activities can
be performed iteratively or in multiple steps as appropriate to the medical device. Annex B contains a more detailed
overview of the steps in the risk management process.
Compliance is checked by inspection of appropriate documents.

Figure 1 — A schematic representation of the risk management process
6 © ISO 2007 – All rights reserved

ISO 14971:2007(E)
3.2 Management responsibilities
Top management shall provide evidence of its commitment to the risk management process by:
⎯ ensuring the provision of adequate resources
and
⎯ ensuring the assignment of qualified personnel (see 3.3) for risk management.
Top management shall:
⎯ define and document the policy for determining criteria for risk acceptability; this policy shall ensure that
criteria are based upon applicable national or regional regulations and relevant International Standards,
and take into account available information such as the generally accepted state of the art and known
stakeholder concerns;
⎯ review the suitability of the risk management process at planned intervals to ensure continuing
effectiveness of the risk management process and document any decisions and actions taken; if the
manufacturer has a quality management system in place, this review may be part of the quality
management system review.
NOTE The documents can be incorporated within the documents produced by the manufacturer’s quality
management system and these documents can be referenced in the risk management file.
Compliance is checked by inspection of the appropriate documents.
3.3 Qualification of personnel
Persons performing risk management tasks shall have the knowledge and experience appropriate to the tasks
assigned to them. These shall include, where appropriate, knowledge and experience of the particular medical
device (or similar medical devices) and its use, the technologies involved or risk management techniques.
Appropriate qualification records shall be maintained.
NOTE Risk management tasks can be performed by representatives of several functions, each contributing their
specialist knowledge.
Compliance is checked by inspection of the appropriate records.
3.4 Risk management plan
Risk management activities shall be planned. Therefore, for the particular medical device being considered,
the manufacturer shall establish and document a risk management plan in accordance with the risk
management process. The risk management plan shall be part of the risk management file.
This plan shall include at least the following:
a) the scope of the planned risk management activities, identifying and describing the medical device and
the life-cycle phases for which each element of the plan is applicable;
b) assignment of responsibilities and authorities;
c) requirements for review of risk management activities;
d) criteria for risk acceptability, based on the manufacturer’s policy for determining acceptable risk, including
criteria for accepting risks when the probability of occurrence of harm cannot be estimated;
e) verification activities;
ISO 14971:2007(E)
f) activities related to collection and review of relevant production and post-production information.
NOTE 1 Refer to Annex F for guidance on developing a risk management plan.
NOTE 2 Not all parts of the plan need to be created at the same time. The plan or parts of it can be developed over
time.
NOTE 3 The criteria for risk acceptability are essential for the ultimate effectiveness of the risk management process.
For each risk management plan the manufacturer should choose appropriate risk acceptability criteria.
Options could include, among others:
⎯ indicating in a matrix, such as Figures D.4 and D.5, which combinations of probability of harm and severity of harm
are acceptable or unacceptable;
⎯ further subdividing the matrix (e.g., negligible, acceptable with risk minimization) and requiring that risks first be made
as low as reasonably practicable before determining that they are acceptable (see D.8).
Whichever option is chosen, it should be determined according to the manufacturer’s policy for determining criteria for risk
acceptability and thus be based upon applicable national or regional regulations and relevant International Standards, and
take into account available information such as the generally accepted state of the art and known stakeholder concerns
(see 3.2). Refer to D.4 for guidance on establishing such criteria.
If the plan changes during the life-cycle of the medical device, a record of the changes shall be maintained in
the risk management file.
Compliance is checked by inspection of the risk management file.
3.5 Risk management file
For the particular medical device being considered, the manufacturer shall establish and maintain a r
...