ISO 14971:2019 Revisions – Part 2: Management Responsibility, Risk Analysis, and Risk Management File

This column continues the author’s analysis of the revisions introduced in ISO 14971:2019, the third edition of the international standard for medical device risk management, which was first published in November 2019.

Management Responsibility

A note regarding “Management review of risk management process suitability” has been added to the standard. Top management is required to ensure the continuing effectiveness of the risk management process by reviewing the suitability of the risk management process at planned intervals and documenting all decisions and actions taken.

This management review requirement is important to ensure that organizations continuously improve their risk management process and respond to feedback from the market and changes in the regulatory environment. For example, if new hazards are discovered during use of the medical device, or if information about failures in competing products is made public, the organization must reassess the overall suitability of the risk management process. This ensures that the risk management approach remains effective as circumstances and knowledge evolve.

It should be noted that ISO 14971 does not require the establishment of a comprehensive Quality Management System (QMS). However, if a manufacturer has implemented a QMS based on standards such as ISO 13485, conducting the review of risk management process suitability as part of the QMS management review is acceptable practice. This integrated approach enables more efficient and coordinated operation of the entire QMS.

Risk Analysis

The revisions to the risk analysis section are structurally significant. In the second edition, there was a single requirement: “4.2 Characterization of the intended use, including the characteristics of the intended user.” In the third edition, this has been subdivided into two distinct requirements: “5.2 Intended use and reasonably foreseeable misuse” and “5.3 Identification of hazards related to the medical device.”

The most significant change is the explicit addition of “reasonably foreseeable misuse” to the risk analysis process. This requirement extends beyond merely considering the designed intended use of the device; it requires manufacturers to evaluate how users might actually use the device—including ways that, while not intended, are reasonably predictable. This is a meaningful expansion of the analytical scope.

For example, in analyzing the risks of a medical injection device, manufacturers must consider not only the intended administration method but also scenarios such as healthcare workers setting incorrect doses when in a hurry, or patients misunderstanding specific operational steps during self-administration. These represent reasonably foreseeable misuses that must be included in the hazard analysis. By explicitly requiring consideration of foreseeable misuse, the standard ensures that manufacturers conduct more comprehensive risk assessments and implement more robust risk management practices across a wider range of realistic use scenarios.

Risk Control

The description of risk control measures has been substantially expanded. In the third edition, the following items are explicitly stated as risk control measures:

  a) Inherent safety by design and manufacturing
  b) Protective measures in the medical device itself or in the manufacturing process
  c) Safety-related information and, where appropriate, user training

A particularly important addition is the explicit mention of “manufacturing” and “training” as integral components of risk control. Historically, in traditional risk management approaches, risk control measures were often concentrated on the design phase, while manufacturing processes were typically handled as quality management concerns. However, the third edition recognizes manufacturing processes themselves as significant risk control measures.

For instance, in sterile medical devices, the sterilization process itself is a critical risk control measure against the hazard of microbial contamination. The explicit inclusion of training reflects the recognition that user instruction for healthcare professionals and patient education are also important risk reduction measures. This emphasis demonstrates that medical device risk management extends beyond the design phase and encompasses the entire device lifecycle, from development through manufacturing, distribution, and use.

Risk Management File

The requirements for the Risk Management File (RMF) have been clarified and detailed. The third edition explicitly specifies traceability requirements for the RMF. The RMF must maintain clear traceability for each hazard across the following activities:

  • Risk analysis
  • Risk evaluation
  • Implementation and verification of risk control measures
  • Results of residual risk evaluation

The strengthening of traceability requirements has significant implications for regulatory inspections and audits. When each hazard can be clearly traced through the entire risk management process—how it was identified, evaluated, and controlled—the appropriateness of the risk management process can be demonstrated to regulatory authorities. For example, if an infection risk hazard is identified, the RMF must document and link the risk evaluation results, the selected risk control measures (such as the sterilization process and usage instructions), and the assessment of residual risk in a coherent, traceable manner.

With these enhanced traceability requirements, the RMF has evolved beyond simply being a record of risk analysis; it has become a critical document that demonstrates the entire decision-making process underlying the safety of a medical device. This documentation approach provides regulatory authorities with confidence in the manufacturer’s systematic approach to ensuring device safety throughout the device lifecycle.

(To be continued)
