ISO 14971 Deviation #5-Risk Control for CE Marking Medical Devices

The author reviews ISO 14971 Deviation #5, which is specific to selecting risk control options and protective measures for CE Marking medical devices.

%name ISO 14971 Deviation #5 Risk Control for CE Marking Medical DevicesIf your company is CE Marking medical devices, you are required to satisfy the Essential Requirements for Safety and Performance as defined in the three European Directives (i.e., – the MDD,; the AIMD,; and the IVDD, Throughout these Essential Requirements, there is a requirement to reduce risks “as far aspossible” (AFAP) by implementing risk controls. At one time, the expectation was for companies to implement the state of the art with regard to risk controls, and “state of the art” was interpreted as the latest version of the harmonized ISO Standards. However, lawyers dominating the European Commission appear to disagree with the status quo.

Therefore, in 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised ( There is no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the EU Directives. These deviations are identified and explained in Annexes ZA, ZB, and ZC. This blog is the fifth installment of Medical Device Academy’s seven-part blog series on this topic. The goal of the series is to identify solutions for meeting the Essential Requirements by suggesting changes to the current best practices of implementing a risk management process for medical device design.

Discretion as to the Risk Control Options/Measuresiso14971 deviation 5 ISO 14971 Deviation #5 Risk Control for CE Marking Medical Devices

Essential Requirement 1 and 2 require that risk control options are implemented for all risks prior to determining acceptability of residual risks. Essential requirement 2 also requires manufacturers to implement all risk control options—unless the risk controls do not further reduce risk.

Clause 6.2 of the 14971 Standard suggests that you only need to use “one or more” of the risk control options, and Clause 6.4 indicates that further risk control measures are not needed if the risk is acceptable. There is a clear contradiction between the intent of the Standard and the Directives.

If risk acceptability has no impact upon whether you will implement risk controls, there is really no need for performing a preliminary risk evaluation. Therefore, I have three recommendations for changes to your current risk management process:

  1. Ignore Clause 5 of the 2007/2009 version of ISO 14971
  2. Eliminate the second step of risk assessment from your flow chart for risk management (see Figure 1 from the 14971 Standard)
  3. Define risk management policies upon clinical benefits, rather than absolute risks

Instead of performing a preliminary risk evaluation (Clause 6.5), risk/benefit analysis should be moved to Clause 7, where the evaluation of overall residual risk acceptability is required. By making this change, risk controls will be implemented, regardless of risk acceptability, and acceptability of risks will be dependent upon the risk/benefit analysis alone.

Impact of this Deviation

Implementing changes to your risk management process to address this deviation has great potential to impact the design of devices—not just the risk management documentation. Design teams will no longer be able to stop the design process with an initial design that has an “acceptable risk.” Instead, design teams will be forced to implement additional risk controls and protective measures for device designs that already have a low risk of harm for certain failure modes.

The requirement to implement additional risk controls will increase the cost of devices that may have been relatively safe without the risks controls. For example, if a device is not intended to be implanted, but it is a potential foreseeable misuse, then your company may have used the instructions for use to communicate the residual risk associated with misuse of the device. However, now your company will have to implement design controls (e.g., –selection of materials suitable for implantation) to eliminate the risks associated with misuse, and protective measures (e.g., – radio-opaque thread) to help retrieve product that was implanted in an “off-label” usage.

For anyone interested in risk management training, please contact Rob Packard directly by email:

Posted in: Risk Management

Leave a Comment (0) ↓

Leave a Comment

Time limit is exhausted. Please reload the CAPTCHA.


Get every new post on this blog delivered to your Inbox.

Join other followers:

Simple Share Buttons
Simple Share Buttons