verified_user
Standardful
Homechevron_rightStandardschevron_rightISO 14971:2019
ActiveInternational Standardupdate Standard Updated: Dec 2019fact_check Fact checked: Jun 28, 2026

ISO 14971:2019

Medical devices — Application of risk management to medical devices

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO 14971:2019 is an active standard published by International Organization for Standardization (ISO). It is commonly used across Medical Devices, Healthcare, Technology and applies in Global.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO 14971:2019.

health_and_safety

Full Lifecycle Coverage

Applies risk management across the entire medical device lifecycle — from initial concept and design through production, post-market surveillance, and decommissioning.

assessment

Benefit-Risk Analysis

The 2019 edition places greater emphasis on the overall benefit-risk ratio, requiring manufacturers to weigh clinical benefits against residual risks systematically.

sync

Continuous Process

Risk management is not a one-time activity but an ongoing process that integrates post-production information and state-of-the-art knowledge into risk evaluations.

list_alt Risk Management Process Steps

  • Risk management planning and scope definition
  • Hazard identification and hazardous situation analysis
  • Risk estimation and risk evaluation against acceptability criteria
  • Risk control option analysis and implementation
  • Evaluation of overall residual risk
  • Risk management review and reporting
  • Production and post-production information collection
  • Integration with ISO 13485 quality management system

Who Needs to Comply?

groups

All medical device manufacturers, including software-as-a-medical-device (SaMD) and in vitro diagnostic (IVD) device makers. Required by the EU MDR, FDA, and most global regulatory frameworks.

Key Requirements

1

Risk Management Plan

Establish a documented risk management plan defining scope, responsibilities, risk acceptability criteria, verification activities, and review requirements for the entire product lifecycle.

2

Hazard Identification & Risk Analysis

Systematically identify known and foreseeable hazards in both normal and fault conditions. Estimate risks by analyzing severity of harm and probability of occurrence for each hazardous situation.

3

Risk Control Measures

Implement risk controls following the priority hierarchy: inherent safety by design, protective measures in the device or manufacturing process, and information for safety (labeling, instructions).

4

Overall Residual Risk Evaluation

Evaluate the overall residual risk from all identified hazards after all risk control measures are applied, and determine whether the medical benefits outweigh the remaining risks.

5

Post-Production Monitoring

Collect and review production and post-production information including complaint data, incident reports, and published literature to identify previously unrecognized hazards or risks.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define medical-device risk management scope

Identify the products, services, sites, systems, teams, jurisdictions, and stakeholders covered by ISO 14971:2019. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for hazard identification, foreseeable misuse, risk estimation, risk evaluation, risk control, residual-risk acceptability, benefit-risk analysis, production information, and post-production monitoring.

2
Phase 2schedule Duration: 4-10 weeks

Assess gaps and prioritize risks

Compare current practices with the expected medical-device risk management approach. Review risk management plans, hazard analyses, control verification, residual-risk evaluation, risk management reports, production feedback, and post-market surveillance links, then prioritize gaps by legal exposure, safety impact, customer commitments, operational dependency, and audit or market-access readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and records

Deploy the required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain risk management files, hazard analyses, FMEA or equivalent analyses, verification records, benefit-risk decisions, usability links, complaint data, and post-market reviews as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, audit, and improve

Run internal reviews, management reporting, audits, corrective actions, and change assessments. Refresh the program when products, services, suppliers, technology, regulations, incidents, or stakeholder expectations change.

Compliance Checklist

0 / 12

checklist Scope and governance

checklist Controls and evidence

checklist Monitoring and improvement

Penalties & Enforcement

warning

No direct penalties for non-compliance with the standard itself. However, failure to demonstrate adequate risk management can result in rejection of regulatory submissions, product recalls, and market access denial under the EU MDR, FDA 21 CFR 820, and other regulations.

Frequently Asked Questions

Who needs ISO 14971:2019?

expand_more

ISO 14971:2019 is most relevant to medical-device and IVD manufacturers managing product risks across the lifecycle. The exact scope depends on products, services, jurisdictions, customer commitments, and whether the organization needs certification, conformity evidence, regulatory readiness, or internal governance.

Is ISO 14971:2019 certifiable?

expand_more

ISO 14971 is usually audited through medical-device QMS and regulatory reviews rather than as a standalone certification.

What should the implementation focus on first?

expand_more

Start by defining scope and obligations, then build a current-state gap assessment. The most important early work is to confirm ownership, affected assets or processes, risk criteria, customer or legal drivers, and the evidence the organization must be able to produce.

What evidence is useful for ISO 14971:2019?

expand_more

Useful evidence includes risk management files, hazard analyses, FMEA or equivalent analyses, verification records, benefit-risk decisions, usability links, complaint data, and post-market reviews. The evidence should be version-controlled, attributable to owners, and linked to risks, obligations, controls, decisions, and corrective actions.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever products, services, suppliers, operating environments, incidents, customer commitments, or regulations change. High-risk domains should use more frequent monitoring and management reporting.

Official Documentation

View All

Implementation Timeline

description
1998
ISO 14971-1:1998 published as the first risk management standard for medical devices
publish
2000
First edition of ISO 14971 published, consolidating the full risk management process
edit_document
2007
Second edition published with refined documentation requirements and regulatory alignment
public
2012
EN ISO 14971:2012 introduced for European harmonization with Medical Device Directives
check_circle
Dec 2019
Third edition (ISO 14971:2019) published with enhanced benefit-risk analysis and post-market requirements

Related Categories