ISO, the International Organization for Standardization, issued a new standard dedicated to the application of risk management to medical devices.

Brief Overview of ISO standards 


ISO is an organization composed of several national standards bodies. The development of a particular standard is usually handled by the appropriate technical committee, which includes representatives of each national body interested in the subject matter. At the same time, ISO committees work together with various international organizations. Each document should be approved in accordance with the procedure established by the ISO Directives.

The standard specifies such elements as:

  • Definitions and terminology used
  • Main principles
  • Requirements on building the proper processes of risk management. 

The document does not regulate the risk associated with the use of medical devices during clinical procedures or any commercial/business risk. The standard also does not provide any information regarding the acceptable level of risk, since that level should be defined separately in each particular case.

For the purpose of the described standard, the most important terms are defined so that they carry the same meaning in all documents and can be applied properly. In particular, the main definitions provided in the new standard are the following:

  • Benefit: any positive impact caused by a medical device when used for the intended purpose in accordance with the recommendations and instructions defined by the manufacturer;
  • Harm: any damage caused by a medical device. It is important to mention that, for the purpose of the standard, “harm” refers to any harm caused by a device and is not limited to direct harm to the health of a patient; it could also include harm caused to other objects, such as property or the environment;
  • Hazardous situations: situations in which someone or something is exposed to the risk of incurring harm;
  • Reasonably foreseeable misuse: a specific way in which the patient or another person could use the device. Although such use contradicts the manner prescribed by the manufacturer, it could be foreseen in advance, so the manufacturer has to assess the risks associated with such use too. Such misuse could be intentional or unintentional, and could be committed by both general users and healthcare professionals;
  • Residual risk: a specific kind of risk that always remains beyond the control of any party involved and could not be excluded due to its nature, so the manufacturer has to warn about it.

The New Standard in Detail


This particular standard is intended to provide medical device manufacturers with the requirements for risk management, including all its aspects. It could also be used as guidance for establishing a risk management system in the production facility. At the same time, the rules and principles expressed could also be applied at other steps of a medical device lifecycle by any of the parties involved in the design, manufacturing, distribution, and utilization of medical devices. The standard is focused on processes related to managing risks associated with the health of patients or other persons using the device.

The standard issued by ISO constitutes the third edition of ISO 14971. The updated version, ISO 14971:2019, includes numerous substantial changes and amendments, such as: 

  • All definitions used in the documents were revised, several new definitions were added, and all definitions included in the document are highlighted with a special font (italic) to make them easier to identify;
  • The concept of benefit(s) has been extended and developed, including the benefit-risk analysis;
  • All aspects related to the concept of risk have also been developed and improved;
  • It was stated that the risk management report should be provided prior to making the device available on the market, to confirm the results of the appropriate review;
  • The provisions regulating production and non-production activities were revised and updated. In particular, the new version of the standard provides detailed requirements for the safety information that should be collected and compiled in a structured manner at all steps of the lifecycle of a medical device.


Risk-Based Approach


One of the most important concepts described in the document is “benefit-risk”, which provides that any benefit from the use of the device should be evaluated only in connection with the associated risk. It is stated that the balance may vary depending on the parties involved and their particular circumstances.

According to the document, the concept of risk consists of two core elements:

  • The probability of the harm taking place,
  • The nature of the harm that could probably be caused (in other words, the particular consequences).

The use of any medical device is always associated with a certain level of risk, and there is no way to eliminate it entirely, but it is important to mitigate it to the lowest level possible. The manufacturer plays one of the most important roles in this process. First of all, the manufacturer has to determine whether the device is suitable for the intended purpose before making it available on the market. In particular, the standard provides the manufacturer with the exact approach for identifying the potential risk and its nature, assessing it, and finding the most suitable way to reduce it. The manufacturer has to control the risk during the whole life cycle of a medical device and apply all measures necessary to maintain the risk associated with the use of the device at the lowest possible level.

The direct utilization of a medical device in the course of certain clinical procedures is also associated with internal, or residual, risks. In this case, a benefit-risk analysis approach should be used to identify how the risk associated with the use of the device corresponds to the expected benefit. At the same time, it is important to mention that the process of making such decisions falls outside the scope of the new standard. It is also stated that, in some cases, additional standards should be applied to assess the risk properly due to the specific features of the medical device.

How Can RegDesk Help?


RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.