
Ensuring the safety of medical devices, an essential tool: risk management according to ISO 14971:2019



Medical Devices (MD) and In Vitro Diagnostic Medical Devices (IVDMD) shall be designed and manufactured to ensure their performance and safety under normal conditions of use. 

This involves compliance with the General Safety and Performance Requirements (GSPRs) listed in Annex I of Regulations (EU) 2017/745 (“MDR”) and 2017/746 (“IVDR”). Chapter I of Annex I sets out the general requirements, and its first eight requirements focus on product risk management. Risk management is therefore at the core of both the MDR and the IVDR.

Implementing EN ISO 14971:2019 and its amendment A11:2021, the harmonised version cited in the Official Journal of the EU, gives a presumption of conformity for MD, IVDMD, MD software and accessories with the GSPRs that the standard covers, throughout the product lifecycle.

This article explores how ISO 14971:2019 and its amendment A11:2021 support compliance with the GSPRs throughout the product lifecycle, focusing on a well-defined risk management process.

Product Risk Management Process

To ensure the performance of the MD/IVDMD and the safety of patients and users, risk management shall be carried out throughout the device's lifecycle, from initial design to final decommissioning and disposal. This requires commitment from the manufacturer and its top management, including providing adequate resources and assigning competent personnel to risk management.

In this way, the manufacturer can ensure the risk management process through seven steps, which correspond to clauses 4 to 10 of the standard:

  • Risk management planning, including the criteria for risk acceptability
  • Risk analysis: intended use, identification of hazards and hazardous situations, and risk estimation
  • Risk evaluation against the acceptability criteria of the plan
  • Risk control: selection, implementation and verification of risk control measures
  • Evaluation of the overall residual risk and of the benefit-risk balance
  • Risk management review and risk management report
  • Production and post-production activities: collection and review of information, and update of the risk management file

The risk management process shall be documented through a procedure and appropriate forms, the outputs of which make up the risk management file. This file includes the risk management plan, the risk analysis (usually in the form of a risk matrix) and the risk management report, and it constitutes an essential part of the product's technical documentation, as set out in Section 5 of Annex II of both Regulations.

It is important to note that other processes, such as usability engineering (according to IEC 62366-1) or process risk analysis (pFMEA), are not part of the product risk management file. However, their outputs (use errors identified during usability evaluation, process failure modes that can affect the product) are inputs for identifying new product risks and must be fed back into the product risk analysis.

Additionally, several complementary standards set specific risk management requirements for particular types of devices or aspects of them, such as IEC 60601-1 for medical electrical equipment, IEC 62304 for medical device software, or ISO 10993-1 for the biological evaluation of medical devices. These standards interact with ISO 14971 in a complex way and shall be appropriately integrated into a single product risk management process rather than run as separate, disconnected analyses.

Our Convictions

ISO 14971:2019 and the strengthened regulatory requirements of the MDR and IVDR have exposed recurring non-conformities in manufacturers' risk management, such as:

  • Estimation and evaluation of benefits
  • Individual and overall benefit/risk analysis
  • Evaluation of overall risk
  • Identification and control of combined risks
  • Communication of residual risks

Efor has developed a qualitative and quantitative methodology that incorporates these new requirements and closes these recurring gaps. Furthermore, our Technical Direction has significant experience and expertise with this approach, which has been reviewed several times by different Notified Bodies without any non-conformities being raised.

Our Approach / Our Support

Efor can assist you in complying with ISO 14971:2019 as well as Chapter I of Annex I of MDR and IVDR by providing regulatory and methodological support. 

Efor has established a procedure describing the development, implementation and maintenance of the risk management system for MD, IVDMD, MD software and accessories.

Available support options are:

  • Assessment of the manufacturer’s current methodology and documentation.
  • Risk management training over 1 or 2 days, virtual or in-person.
  • Preparation of the risk management process documentation in accordance with regulatory and normative requirements: procedures, forms applicable as-is, and risk management files.
  • Operational support by one or more consultants supported by a Technical Manager from Efor’s Technical Direction.

In conclusion, risk management for medical devices is a crucial element of regulatory compliance and patient safety. Efor offers a comprehensive approach to help you meet these challenges and to ensure the quality and safety of your medical products.