Risk management is the connective tissue that runs through every aspect of medical device development, manufacturing, and post-market surveillance. A comprehensive guide to ISO 14971 hazard analysis, risk control, FMEA methodology, and integration with ISO 13485 design controls.
By Jared Clark, JD, MBA, PMP, CMQ-OE, RAC — Updated March 2026
ISO 14971:2019 defines the internationally recognized process for applying risk management to medical devices. It is not a guideline, a recommendation, or a best practice — it is the mandatory framework referenced by every major medical device regulatory system in the world, including ISO 13485, the FDA's QMSR, the EU Medical Device Regulation (MDR), and Health Canada's CMDR. A compliant risk management process is a non-negotiable prerequisite for bringing any medical device to market, regardless of the device's classification, complexity, or intended use.
The fundamental premise of ISO 14971 is straightforward: all medical devices carry inherent risks, and the manufacturer's obligation is to identify those risks systematically, reduce them to acceptable levels using a defined hierarchy of risk controls, and demonstrate through documented evidence that the overall residual risk is acceptable in relation to the device's clinical benefits. This process is not a one-time exercise performed during product development — it is a lifecycle activity that begins at concept and continues through post-market surveillance, feeding new safety information back into the risk management file as long as the device remains on the market.
Risk management under ISO 14971 is deeply intertwined with ISO 13485 design controls. The risk management process generates safety requirements that become design inputs, risk control measures that become design outputs, and residual risk evaluations that inform design validation. Organizations that treat risk management as a parallel or afterthought activity — rather than as an integrated element of the design process — invariably produce risk management files that auditors recognize as retrospective compliance exercises rather than genuine engineering analysis.
The ISO 14971 Framework
ISO 14971 defines a structured, iterative process that flows from hazard identification through risk control to post-production monitoring. Each stage produces documented evidence that becomes part of the risk management file.
1. Risk analysis: Identify intended use and foreseeable misuse, identify hazards and hazardous situations, and estimate risk for each hazardous situation using severity and probability.
2. Risk evaluation: Compare estimated risks against acceptability criteria defined in the risk management plan. Determine which risks require reduction and which are already acceptable.
3. Risk control: Implement risk controls following the hierarchy: inherently safe design first, then protective measures, then information for safety. Verify effectiveness and check for new risks.
4. Residual risk evaluation: Evaluate overall residual risk acceptability. Perform risk-benefit analysis when individual residual risks remain in the ALARP region. Document the overall risk evaluation.
Risk analysis is the foundation of the entire risk management process. It begins with a thorough understanding of the device's intended use, reasonably foreseeable misuse, and the characteristics that could affect safety. ISO 14971 Annex C provides a comprehensive list of hazard categories to consider: energy hazards (electrical, thermal, mechanical, radiation), biological hazards (biocompatibility, infection, bioburden), environmental hazards (electromagnetic interference, temperature extremes), hazards from incorrect output or function, and hazards arising from use error. The objective is completeness — every hazard that could reasonably occur must be identified and documented.
For each identified hazard, the risk analyst must determine the hazardous situations in which the hazard could result in harm, and estimate the severity of that potential harm and the probability of its occurrence. The probability estimation considers the probability of the hazardous situation occurring and the probability that the hazardous situation leads to harm. These estimates should be based on available data: clinical literature, complaint history from similar devices, published standards, expert judgment, and worst-case engineering analysis. The risk estimation is documented in the risk analysis worksheet, which forms the core of the risk management file.
ISO 14971 does not prescribe specific hazard identification techniques — it requires that the techniques used be appropriate for the device and documented in the risk management plan. In practice, the medical device industry relies on three primary analytical techniques, often used in combination to ensure comprehensive hazard coverage.
FMEA is the most widely used risk analysis technique in medical device development. It is a systematic, bottom-up methodology that examines each component, subsystem, or process step to identify potential failure modes, their causes, their effects on the overall device or process, and the existing controls for detecting or preventing those failures. Each failure mode is assigned a Risk Priority Number (RPN) based on the product of severity, occurrence probability, and detectability ratings. While the RPN is useful for prioritization, ISO 14971 requires that risk acceptability decisions be based on the severity-probability risk matrix, not solely on the RPN. FMEA can be applied to both Design FMEA (dFMEA) for the device design and Process FMEA (pFMEA) for manufacturing processes.
Fault Tree Analysis is a top-down, deductive technique that starts with a specific undesirable event (the “top event”) and systematically identifies all possible combinations of component failures, software errors, human errors, and environmental conditions that could cause that event. FTA uses Boolean logic gates (AND, OR) to model causal relationships, producing a visual tree structure that reveals single points of failure and common-cause failures. FTA is particularly valuable for safety-critical failure analysis where understanding the complete causal chain is essential — for example, analyzing how a patient could receive an incorrect drug dose from an infusion pump, or how an implantable device could deliver an unintended electrical stimulus.
HAZOP is a structured brainstorming technique that uses guide words (no, more, less, reverse, other than) applied to process parameters to identify deviations from intended operation. While originally developed for the chemical process industry, HAZOP is increasingly applied to medical device processes and systems, particularly for devices involving fluid flow, gas delivery, or complex multi-step procedures. HAZOP is most effective when conducted by a cross-functional team that includes design engineers, manufacturing engineers, quality engineers, clinical specialists, and human factors experts.
- FMEA: Component → failure mode → system effect. Comprehensive and systematic.
- FTA: Undesirable event → causal chains → root causes. Reveals single points of failure.
- HAZOP: Parameter deviation → consequences → safeguards. Best for process hazards.
After estimating the severity and probability of each identified risk, the manufacturer must evaluate whether each risk is acceptable, unacceptable, or falls within the ALARP (As Low As Reasonably Practicable) region. These acceptability criteria must be defined in the risk management plan before the risk analysis begins — they should not be established retroactively to fit the results. The criteria are typically represented in a risk acceptability matrix that plots severity against probability, with regions designated as broadly acceptable, ALARP, or intolerable.
Risks that fall in the intolerable region must be reduced regardless of cost or technical difficulty. Risks in the ALARP region must be reduced as far as reasonably practicable, considering the state of the art, available risk controls, and the clinical benefit of the device. Risks in the broadly acceptable region do not require further reduction, though manufacturers should still consider whether practicable reductions are available. When individual residual risks remain in the ALARP region after all practicable risk controls have been implemented, a risk-benefit analysis must demonstrate that the medical benefit of the device outweighs the residual risk.
| Probability ↓ / Severity → | Negligible (S1) | Minor (S2) | Serious (S3) | Critical (S4) | Catastrophic (S5) |
|---|---|---|---|---|---|
| Frequent (P5) | ALARP | Intolerable | Intolerable | Intolerable | Intolerable |
| Probable (P4) | Acceptable | ALARP | Intolerable | Intolerable | Intolerable |
| Occasional (P3) | Acceptable | Acceptable | ALARP | Intolerable | Intolerable |
| Remote (P2) | Acceptable | Acceptable | Acceptable | ALARP | Intolerable |
| Improbable (P1) | Acceptable | Acceptable | Acceptable | Acceptable | ALARP |
Acceptability criteria must be defined in the risk management plan before risk analysis begins. This matrix is illustrative — actual criteria should reflect the device's risk profile and state of the art.
ISO 14971 mandates a priority-ordered hierarchy for risk control measures. Manufacturers must first attempt to eliminate or reduce risks through inherently safe design. If inherently safe design alone cannot adequately reduce the risk, protective measures must be added (guards, alarms, interlocks, safety mechanisms). If residual risk still exists after protective measures, information for safety must be provided through labeling, warnings, training materials, and Instructions for Use. This hierarchy is not advisory — auditors expect documented evidence that higher-tier controls were considered and either implemented or rejected with documented justification before relying on lower-tier controls.
1. Inherently safe design: Eliminate hazards through design choices. Examples: use non-toxic biocompatible materials, design out sharp edges, eliminate single points of failure, select intrinsically safe electrical components, design connectors that prevent wrong connections. This is the most effective and reliable form of risk control because it removes the hazard entirely rather than mitigating it.
2. Protective measures: Add safety mechanisms when hazards cannot be designed out. Examples: physical guards, alarm systems, automatic shutoffs, pressure relief valves, software interlocks, dual-channel safety circuits, fault detection algorithms. Protective measures add complexity to the design, which itself may introduce new hazards that must be analyzed.
3. Information for safety: Provide warnings, training, and labeling when residual risks remain. Examples: warning labels, contraindication statements, training requirements, maintenance schedules, IFU procedures for safe use. Information for safety is the least reliable control because it depends on the user reading, understanding, and following the instructions. It should never be the primary risk control for serious hazards.
After implementing risk control measures, two critical verification steps are required. First, risk control verification — confirming that the control measure has been properly implemented and is effective at reducing the risk as intended. Second, new hazard analysis — evaluating whether the risk control measure itself introduces any new hazards or increases existing risks. Both steps must be documented in the risk management file. A common audit finding is risk control measures that have been documented but never verified through testing or inspection.
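The following is an added example, not code from the article or from Certify Consulting. It transcribes the illustrative severity/probability matrix above, computes an FMEA RPN alongside it, and re-evaluates residual risk only once a control is marked as verified, so that RPN ordering, matrix-based acceptability, and the unverified-control audit finding can be compared on constructed data. The 1-to-5 detectability scale and the hypothetical infusion pump hazards are assumptions made for the example.

```python
from dataclasses import dataclass

# Transcription of the article's illustrative matrix: MATRIX[P][S - 1].
MATRIX = {
    5: ["ALARP", "Intolerable", "Intolerable", "Intolerable", "Intolerable"],
    4: ["Acceptable", "ALARP", "Intolerable", "Intolerable", "Intolerable"],
    3: ["Acceptable", "Acceptable", "ALARP", "Intolerable", "Intolerable"],
    2: ["Acceptable", "Acceptable", "Acceptable", "ALARP", "Intolerable"],
    1: ["Acceptable", "Acceptable", "Acceptable", "Acceptable", "ALARP"],
}


def acceptability(severity: int, probability: int) -> str:
    return MATRIX[probability][severity - 1]


@dataclass
class Risk:
    hazard: str
    severity: int                   # S1..S5 as in the matrix
    probability: int                # P1..P5 as in the matrix
    detectability: int              # constructed 1..5 scale, 5 = hardest to detect
    control: str = ""               # risk control measure, if any
    control_tier: str = ""          # "design", "protective" or "information"
    control_verified: bool = False  # True only with test/inspection evidence
    residual: tuple = ()            # (severity, probability) after the control

    def rpn(self) -> int:
        # FMEA Risk Priority Number: useful for ordering work, not for acceptability
        return self.severity * self.probability * self.detectability

    def residual_acceptability(self) -> str:
        # A control that was never verified does not change the risk estimate
        if self.control and self.control_verified and self.residual:
            return acceptability(*self.residual)
        return acceptability(self.severity, self.probability)

    def findings(self) -> list:
        # Checks mirroring the audit expectations described in the article
        out = []
        if self.control and not self.control_verified:
            out.append("control not verified")
        if self.control_tier == "information" and self.severity >= 3:
            out.append("information for safety is primary control for a serious hazard")
        region = self.residual_acceptability()
        if region != "Acceptable":
            out.append(f"residual risk {region}: reduce further or justify by risk-benefit")
        return out


def sample_register() -> list:
    # Constructed hazards for a hypothetical infusion pump (not from the article)
    return [
        Risk("line occlusion not detected", 3, 4, 1, "pressure sensor with alarm", "protective", True, (3, 2)),
        Risk("dose entry misread", 5, 1, 5, "warning in IFU", "information"),
    ]
```

Sorting the register by RPN puts the dose-entry hazard first, yet the matrix marks the occlusion hazard Intolerable before its control is applied, which is why acceptability decisions are taken from the matrix rather than the RPN.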
The risk management file is the complete collection of records and other documents produced by the risk management process. It is not a single document — it is a structured compilation that contains or references every artifact generated during risk analysis, evaluation, control, and monitoring activities. The risk management file is one of the first documents requested during both ISO 13485 certification audits and FDA inspections, and its completeness, traceability, and currency are primary indicators of an organization's risk management maturity.
Integrated by Design
Risk management is not a parallel activity to design controls — it is embedded at every stage. The risk management file and the Design History File must be developed together with bidirectional traceability.
Hazard identification and preliminary risk analysis generate safety requirements that become mandatory design inputs. Every identified hazard must be traceable to a design input that addresses it. Incomplete risk analysis at this stage cascades into missing design requirements.
Risk control measures are incorporated as design outputs: device specifications, manufacturing procedures, labeling warnings, and software safety mechanisms. Each risk control must be traceable to the hazard it addresses and to the verification activity that confirms its effectiveness.
Design validation evaluates residual risk under actual or simulated use conditions, confirming that the overall risk-benefit profile is acceptable. Validation findings may reveal new hazards or unexpected use patterns that require risk management file updates and potential design changes.
ISO 14971 explicitly requires that risk management extend beyond product launch into production and post-production activities. Manufacturers must establish and maintain a process for collecting and reviewing information about the device during production and in the post-production phase, including complaint data, adverse event reports (MDRs), field safety corrective actions, scientific literature, and post-market surveillance study results. This information must be systematically evaluated against the existing risk management file to determine whether new hazards have been identified, whether estimated risks have changed, or whether the overall risk acceptability determination needs to be revisited.
The FDA's Quality Management System Regulation (QMSR) reinforces this lifecycle approach by incorporating ISO 13485 by reference, which in turn requires risk-based thinking throughout the quality management system. Under QMSR, risk management is not a standalone compliance exercise — it is embedded in every quality system process, from management review and CAPA to supplier management and production controls. The QMSR also maintains FDA-specific requirements for post-market surveillance, including Medical Device Reporting (21 CFR 803) and corrections and removals (21 CFR 806), which serve as critical inputs to the ongoing risk management process.
- Complaint data: Customer complaints and product quality reports may reveal hazards not identified during pre-market risk analysis or confirm actual occurrence rates for estimated risks.
- Adverse event reports (MDRs): Reportable adverse events and malfunctions provide direct evidence of hazards materializing in clinical use and may trigger immediate risk management file updates.
- CAPA investigations: Corrective and preventive actions driven by quality data may identify systemic issues that affect risk estimations or reveal the need for additional risk controls.
- Scientific literature and standards updates: New published evidence, updated consensus standards, or revised FDA guidance may change the state of the art and affect risk acceptability determinations.
- Field safety corrective actions: Recalls, field corrections, and safety notices from similar devices in the market provide valuable risk intelligence that should be evaluated against your own risk management file.
A medical device manufacturer developing a Class II therapeutic device engaged our team to build their risk management process from the ground up. We facilitated the cross-functional hazard identification workshop, developed the complete dFMEA and pFMEA, established risk acceptability criteria, and compiled the risk management file with full traceability to the Design History File. The risk management file supported both the company's ISO 13485 certification audit (zero major findings) and their FDA 510(k) submission, which received clearance without Additional Information requests.
Risk management consulting is a core specialty within Certify Consulting.
Jared Clark is an ISO 14971 risk management consultant and medical device quality expert with deep expertise in FMEA, fault tree analysis, risk-benefit analysis, and ISO 13485 design control integration. His Regulatory Affairs Certification (RAC) from RAPS represents the gold standard credential for medical device regulatory professionals, qualifying him to bridge both risk management science and regulatory strategy. With 200+ medical device clients and a 100% first-time audit pass rate, Jared has helped companies build risk management systems that withstand the most rigorous certification audits and FDA inspections.