EN ISO 14971:2012 Impact Assessment

Link to Sam Lazzara’s EN ISO 14971:2012 Flow Chart 

Still trying to figure out what to do about EN ISO 14971:2012?
The ASQ Biomedical Division just published an article I wrote called Risky Business – Demystifying EN ISO 14971:2012. To view the article, go here.

EN ISO 14971:2012 became a European harmonized standard on August 30, 2012. The normative content is still in accordance with ISO 14971:2007. However, the relationship between ISO 14971 and the European Directives has changed, as described in Annexes ZA, ZB and ZC.

Compliance with the normative clauses in ISO 14971 does not ensure conformity with the Essential Requirements (ERs) of the Directives. The Z Annexes list “content deviations” between ISO 14971 and the ERs.


EN ISO 14971:2012 is a harmonised European standard currently supporting the following directives:

  • Medical Device Directive (MDD, 93/42/EEC as amended)
  • Active Implantable Medical Device Directive (AIMDD, 90/385/EEC as amended)
  • In Vitro Diagnostic Medical Devices Directive (98/79/EC as amended)

Compliance with harmonised European standards provides a “presumption of conformity” with the corresponding requirements of the associated Directive(s). Manufacturers can use harmonised standards to meet the ERs or other provisions of the Directives. However, the use of these standards remains voluntary. Although it is very uncommon, Manufacturers are free to choose other technical solutions to demonstrate compliance with the mandatory legal requirements.

EN ISO 14971:2012 was published in July 2012 and superseded the 2009 version as a European harmonised standard in August 2012. The entry in the Official Journal reads as follows:

EN ISO 14971:2012 Medical devices – Application of risk management to medical devices
(ISO 14971:2007, Corrected version 2007-10-01)

Manufacturer Recommendations

Manufacturers demonstrate their conformity with the Essential Requirements (ERs) by preparing an ER Checklist that cross-references each ER to compliance information. If a Manufacturer’s quality system procedures, ER Checklist and Risk Management Report have already been found to be acceptable by a Notified Body, one would think there should be no impact from the content deviations. However, armed with the updated annex information in EN ISO 14971:2012, the Notified Bodies have new tools to assess the conformity of Manufacturers’ risk management process with the directives.

Manufacturers should take the following steps immediately:

  • Update risk management procedures as needed to address the deviations described in the applicable Z Annex.
  • Update existing Risk Management Reports to comply with the deviations.
  • Consider if design changes are needed to comply with the deviations. For example, since labeling can no longer be claimed to reduce risk, design provisions may be required to reduce the risk to acceptable levels.
  • Update references to EN ISO 14971 that may appear in quality system documents including technical files.

Assessment of ISO 14971:2007 Content Deviations versus Medical Device Directive Essential Requirements (in Sam’s words)

Each item below gives three things: the Content Deviation per EN ISO 14971:2012, the Question To Determine Impact on Risk Management (RM) Process (with the EN compliant answer), and a Practice Not Compliant with European Interpretations.

1. Treatment of Negligible Risks
  • Content deviation: ISO 14971 allows negligible risks to be ignored. The Directives require all risks to be reduced as far as possible and to be subject to risk-benefit analysis.
  • Question: Does RM process allow some risks to be considered negligible and therefore not reduced by risk control measures? {EN Compliant Answer = NO}
  • Non-compliant practice: Three risk zones: Broadly Acceptable (BACC), Tolerable and Intolerable. No risk reduction required for BACC risks.

2. Risk Acceptability Assessment
  • Content deviation: ISO 14971 allows risks that meet the manufacturer’s definition of “acceptable” to be excluded from overall risk-benefit analysis. The Directives require all risks to be reduced as far as possible and to be subject to risk-benefit analysis.
  • Question: Does RM process exclude any “acceptable” individual risks from the overall residual risk evaluation or from risk-benefit analysis? {EN Compliant Answer = NO}
  • Non-compliant practice: Only “Intolerable” risks must be justified by risk-benefit analysis.

3. Risk Reduction Economic Considerations
  • Content deviation: ISO 14971 allows risks to be reduced “as low as reasonably practicable” (ALARP). The Directives require all risks to be reduced as far as possible (AFAP) without economic considerations.
  • Question: Does RM process allow risk controls to be limited for economic reasons? {EN Compliant Answer = NO}
  • Non-compliant practice: The cost of implementing risk control measures is a factor in determining how to reduce risks.

4. Risk-Benefit Analysis Not Optional
  • Content deviation: ISO 14971 only requires risk-benefit analysis for risks that do not meet the manufacturer’s definition of “acceptable”. The Directives always require risk-benefit analysis, regardless of risk levels. The analysis must consider all individual risks and their impact on overall residual risk acceptability, weighing all risks combined against patient benefit.
  • Question: Does RM process require an overall risk-benefit analysis for the device? {EN Compliant Answer = YES}
  • Non-compliant practice: Only “Intolerable” risks must be justified by risk-benefit analysis.

5. Risk Control Options
  • Content deviation: ISO 14971 describes three risk control options to be exercised at the manufacturer’s discretion – (1) inherent safety by design, (2) protective measures, and (3) information for safety – and implies that further controls are not required if the risk is reduced to acceptable levels. The Directives require risks to be reduced until further control measures do not result in risk reduction.
  • Question: Does RM process require consideration of all possible risk control options, without stopping as soon as risks are reduced to an acceptable level? {EN Compliant Answer = YES}
  • Non-compliant practice: Design measures and labeling warnings are implemented without considering protective measures in the device or the manufacturing process.

6. First Risk Control Option
  • Content deviation: ISO 14971 describes the first risk control measure as “inherent safety by design” without further detail. The Directives provide additional detail by mentioning that device design and construction must conform to safety principles, taking account of the generally acknowledged state of the art and that risks must be eliminated or reduced as far as possible through inherently safe design and construction.
  • Question: Does RM process require risk elimination or reduction as far as possible through inherently safe design and construction, and the application of safety principles and state of the art? {EN Compliant Answer = YES}
  • Non-compliant practice: Designing device without awareness of all relevant standards.

7. Labeling Information Cannot Influence Residual Risk
  • Content deviation: ISO 14971 describes three risk control options: (1) inherent safety by design, (2) protective measures, and (3) information for safety. The Directives view the third option as providing information on residual risk rather than reducing risk.
  • Question: Does RM process allow risks to be reduced through the provision of information for safety? {EN Compliant Answer = NO}
  • Non-compliant practice: Taking credit for warnings in the device Instructions For Use as risk reduction measures without verifying their effectiveness.


Published by Sam Lazzara

Sam Lazzara is a Biomedical Engineer (MS Case Western, BS Brown University) and Certified Biomedical Auditor with 30+ years medical device experience. Sam’s systems and documents have delighted dozens of regulatory auditors from the United States FDA, the California Department of Health, and a flock of European Notified Bodies. He has guided quality system implementation for over 20 firms, leading to third-party certification and government approvals. A medical device start-up specialist, Sam provides state-of-the-art solutions tailored to the needs of each client. He mentors clients on all aspects of quality assurance and regulatory affairs. Sam gets particularly excited about design control, risk management, and post-market surveillance.
