Sorting It Out

Making sense of the many guidance documents and standards related to medical device risk management

by Scott A. Laman

Medical device risk management is an interesting and rewarding profession because we perform critical analyses throughout a product’s life cycle to protect patients and users from harm. Risk management also can be a challenging subject as a technical field and as a topic that elicits many opinions and emotions regarding specific implementation details.

In 2012, the European standard EN ISO 14971, Medical devices—Application of risk management to medical devices,1 was revised and has become the standard for organizations throughout much of the world. However, ISO 14971, Medical devices—Application of risk management to medical devices2 (the non-EN version), was last revised in 2007 and remains the standard for organizations in the United States.

Within the last few years, several U.S. guidance documents and technical information reports (TIRs) have been issued that solely recognize ISO 14971:2007, which further muddies the waters with respect to how a global organization can best demonstrate compliance with both the EN and non-EN versions of ISO 14971 within the confines of a single quality system.

Compounding that duality challenge is the people side of medical device work. Unlike some technical subjects, decisions regarding the application of risk management are often not black and white—there are many ways to demonstrate compliance.

In addition, risk management is intuitive because we apply the concepts in most areas of our lives. For example, we routinely and subconsciously estimate the severity of some form of harm and the probability of some type of cause, whether the subject is medical, financial, relational or driving a car.

Therefore, we are all experts in the general application of risk management, which can make it difficult to obtain consensus in a medical device business across all geographies and divisions.

ISO 14971 basics

The basic deliverables of ISO 14971 are clear: a risk management plan, a risk analysis or analyses of various types that meet the detailed requirements, a risk management report, and a system to collect and review production and post-production information, all of which are to be documented in the risk management file. None of that changed with EN ISO 14971:2012. However, the 2012 revision goes above and beyond in several areas.

The purpose of EN ISO 14971:2012 was to establish consistency with Council Directive 93/42/EEC,3 commonly known as the Medical Device Directive (MDD). Annex ZA describes the changes in the form of what are called content deviations. Briefly, the new or clarified requirements of EN ISO 14971:2012 are:

  • Each individual residual risk and the overall residual risk must be reduced "as far as possible" (AFAP)—even risks initially judged negligible.
  • A risk-benefit analysis must be conducted for each individual risk, as well as for the overall risk (weighing all risks combined against the benefit).
  • If "as low as reasonably practicable" (ALARP) terminology is used in the risk management file, economic considerations must not be used to justify risk acceptability.
  • All risk control options (inherently safe design, protective measures and information for safety) must be applied, in that order of priority; the process must not stop because the first or second option has already reduced the risk to an acceptable level.
  • No risk reduction may be attributed to information given to the users.

To address the changes, organizations have implemented any or all of the following fixes, although there are many different approaches with respect to specific details that may demonstrate compliance:

  • Eliminate ALARP terminology. Document the reduction of all risks AFAP in individual risk analyses and the risk management report.
  • Document risk-benefit analyses for each individual risk (that is, line item) in the risk analysis. Document the overall risk-benefit analysis in the risk management report.
  • State in the governing internal standard operating procedure and in the risk management report that all the control options have been applied and no risk reduction credit was given for residual risk disclosure, such as warnings and precautions.

Ultimately, in a global organization, it is desirable to create and maintain risk management files to comply with EN ISO 14971:2012 because the requirements generally include those of ISO 14971:2007.

Differences of opinion

Revisiting the people side of the job, all of these implementation details provide opportunities for differences of opinion to develop. For example, a risk-benefit analysis on an individual risk may be:

  • A general, repeated statement on each line of a risk analysis.
  • A comprehensive statement specific to each particular risk.
  • A reference to where the risk-benefit statement can be found, such as in a clinical evaluation or risk management report.

To work through the inevitable differences of opinion regarding exactly how to implement the details of any standard, two questions must be asked:

  1. "Do we want to standardize?"
  2. "Is there consensus regarding best practice to standardize on?"

Next steps for each combination of answers were previously laid out in a 2 x 2 matrix called a consensus chart.4

While ISO 14971 is the foundation for medical device risk management, several related guidance documents, reports and standards build on the concepts. In the United States, current hot subjects include the application of ISO 14971 to usability and human factors, cybersecurity and risk-benefit determination.

In December 2016, the U.S. Food and Drug Administration (FDA) issued the guidance document "Factors to Consider Regarding Benefit-Risk in Medical Device Product Availability, Compliance and Enforcement Decisions." If there was any doubt that the FDA does not recognize the EN version, appendix A settles it by stating, with no EN prefix, that "ISO 14971 is an FDA-recognized standard ..."5

While this guidance was written for post-market nonconforming or noncompliant product issues, its principles can be applied proactively when developing an EN ISO 14971 risk management file. It is straightforward to systematically document risks in a hazard analysis performed early in product design, but the benefits can be less clear at that time.

As a potential mind-jogging tool, the FDA guidance describes the following factors that may be considered to characterize device benefits: impact on patient health and clinical management, magnitude of benefits, likelihood of patients experiencing the benefits, duration of effect, patient perspective, benefits for healthcare givers and medical necessity. These are the types of benefits that must be considered and balanced against each individual risk and all risks taken as a whole.

If an organization proactively and comprehensively documents device benefits as well as risks in the risk management file, post-market decisions that affect product availability can be more objective and fact based, and less judgment based.

Cybersecurity threats

In a fast-changing world of increasing computing capability and connectivity, cybersecurity is another hot topic. The FDA issued the guidance document "Postmarket Management of Cybersecurity in Medical Devices" in December 2016.6 The guidance applies to devices that contain software (including firmware) or programmable logic, and to software that is itself a medical device. Networked devices are particularly exposed.

In this guidance, cybersecurity risk is linked to overall risk to health, with the foundation for cybersecurity risk management coming from the quality system regulation, 21 CFR 820. A more direct parallel between cybersecurity and ISO 14971 can be found in Association for the Advancement of Medical Instrumentation (AAMI) TIR57:2016—Principles for medical device security—Risk management.7 Consistent with U.S. philosophy, its introduction states "This document does not address content deviations included in Annex ZA of EN ISO 14971:2012."8

Specifically, the AFAP requirement is not included in the evaluation of security risks. TIR57 recommends that a security risk management process be developed that is separate from, not integrated with, the safety risk process.9 Cybersecurity also has its own terminology, including the identification of threats, vulnerabilities and assets, and its own view of likelihood: whether a vulnerability is exploited depends on an adversary's intent and the ease of exploitation rather than on a failure rate, which is why the FDA postmarket guidance assesses the exploitability of a vulnerability together with the severity of the resulting patient harm instead of estimating a probability of occurrence. Cybersecurity risks that affect patient and user safety, however, also should be documented in the safety risk management file, and in a global organization the full requirements of EN ISO 14971 should be addressed for those risks.

Device use risk also continues to receive much focus. The FDA guidance "Applying Human Factors and Usability Engineering to Medical Devices" was issued in February 2016.10 Although use error has long been one of the trilogy of design, process and use risks identified in a top-level hazard analysis, the guidance gives more detail on identifying and analyzing critical tasks and on applying usability failure mode and effects analysis and fault tree analysis. Its particularly detailed section on human factors validation testing is helpful.

The usability engineering process is shown in parallel to ISO 14971 in International Electrotechnical Commission (IEC) 62366-1:2015, Medical devices—Part 1: Application of usability engineering to medical devices,11 a standard that all risk management professionals should understand and apply. Those of us who work with medical electrical equipment also should be familiar with IEC 60601-1-6:2010, the usability collateral standard to the general requirements for basic safety and essential performance.12

In summary, the proliferation of related guidance documents and standards, the need to demonstrate compliance with both ISO 14971 and EN ISO 14971, and the countless ways in which the details can be implemented all make medical device risk management a challenging career. It is also a fantastic opportunity to do good for many people.


  1. European Committee for Standardization (CEN), EN ISO 14971:2012—Medical devices—Application of risk management to medical devices, 2012.
  2. International Organization for Standardization (ISO), ISO 14971:2007—Medical devices—Application of risk management to medical devices, 2007.
  3. Council of the European Communities, Council Directive 93/42/EEC concerning medical devices (Medical Device Directive), June 14, 1993.
  4. Scott A. Laman, "Building a Consensus," Quality Progress, October 2009, p. 72.
  5. U.S. Food and Drug Administration (FDA), "Factors to Consider Regarding Benefit-Risk in Medical Device Product Availability, Compliance and Enforcement Decisions," guidance document, Dec. 22, 2016.
  6. FDA, "Postmarket Management of Cybersecurity in Medical Devices," guidance document, Dec. 28, 2016.
  7. Association for the Advancement of Medical Instrumentation (AAMI), AAMI TIR57:2016—Principles for medical device security—Risk management, 2016.
  8. CEN, EN ISO 14971:2012, Annex ZA, 2012.
  9. AAMI, AAMI TIR57:2016, see reference 7.
  10. FDA, "Applying Human Factors and Usability Engineering to Medical Devices," guidance document, Feb. 3, 2016.
  11. International Electrotechnical Commission (IEC), IEC 62366-1:2015—Medical devices—Part 1: Application of usability engineering to medical devices, 2015.
  12. IEC, IEC 60601-1-6:2010—Medical electrical equipment—Part 1-6: General requirements for basic safety and essential performance—Collateral standard: Usability, 2010.

Scott A. Laman is senior manager of quality engineering and risk management for Teleflex Inc. in Reading, PA. He earned a master's degree in chemical engineering from Syracuse University in New York. Laman is an ASQ fellow and a certified manager of quality/organizational excellence, quality engineer, reliability engineer, Six Sigma Black Belt, quality auditor, supplier quality professional and biomedical auditor. He is a past chair of the ASQ Professional Ethics and Qualifications Committee.

Do you have a suggestion on a topic or industry that Field Notes should focus on? Let us know your thoughts by sending us a note at editor@asq.org.
