ISO 14971: Choosing the Right Risk Management Tool

Infographic showing how to avoid risk

Using FMEA alone is the lazy choice and no longer acceptable

ISO 14971, Medical devices - Application of risk management to medical devices, is frequently misapplied, and if your ISO 13485 QMS Manual claims to use ISO 14971 you had better use it properly. Some bastardised version of FMEA used on its own will no longer be accepted, as the publication of ISO 14971:2019 and its associated Technical Report (a guidance document), ISO 24971:2020, attests. External Auditors will want to see that both have been adequately applied in taking a product lifecycle approach.

Risk assessment tools and techniques offer unique insight into the practical application of Risk Management. The variety, complexity and wide range of applicability of these tools can be confusing, especially for those new to risk management.

Too often those responsible for overseeing the risk management of an organization limit themselves to using basic FMEA – Failure Modes and Effects Analysis – or even a slimmed-down version of an FMEA. This is a mistake. The expectation of External Auditors is for two or more risk management tools to be used.


Six common mistakes in using ISO 14971

  1. Use of FMEA alone: a single FMEA is used, usually a process FMEA. This is not acceptable, as the Standard requires risk management throughout the product lifecycle, from initial product concept to end-of-life disposal.
  2. pFMEA focused on component failure: this misses the point of Clause 7.1 of ISO 13485 entirely, where the concern is the threat to patient/user safety in regular use and in possible misuse of the product.
  3. No Risk Management File (RMF) is maintained: such a file is required in addition to the file requirements of Clauses 4.2.3 and 7.3.10 of ISO 13485.
  4. No periodic or adverse event-driven update of Risk Management Tools/Methods: risk management throughout the lifecycle of the product/device is required.
  5. No history in the RMF: the reasons why updates were made to risk management records must be documented or referenced in the RMF.
  6. No proactive effort to seek out Post-Market Surveillance data and to update Risk Management records accordingly (in addition to any other actions that may be required).


Applications of Risk Assessment Tools in the Product Lifecycle

It is not immediately obvious to a reader of ISO 14971 where in the lifecycle of a product each of the tools should be applied. The table below maps each tool against the lifecycle stage in which it is typically used.

[Table: Applications of Risk Assessment Tools in the Product Lifecycle]

Doesn't only apply to Medical Devices

While our focus is on the risk associated with Medical Device manufacture, you can no doubt find analogous opportunities to apply the tools in your own organization. Nor are they limited to manufacturing: they are just as applicable to all business activities, in both the public and private sectors.

The management of risk is fundamental to business improvement. So be sure to give these tools a try.

And training is essential if you are to successfully implement these Risk Management Tools

To fill this need we have developed two Courses.

For Internal Auditors:

ISO 14971 Risk Management for Medical Devices - Foundation Course

For Quality Managers and Consultants:

ISO 14971 Risk Management for Medical Devices - Advanced Course


Note: First published in Apr 2019; revised and updated in Aug 2021.



Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
