7 Deviations within EN ISO 14971:2012: Risk Evaluation Process

This 7-part blog series continues with the author reviewing deviation #2 of the EN ISO 14971:2012 Standard, which is specific to the risk evaluation process.
In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually.

Discretionary Power of Manufacturers as to the Acceptability of Risks: The Risk Evaluation Process

The second deviation is specific to the risk evaluation process. The ISO 14971 Standard indicates in Annex D4 that the acceptability of risk is not specified by the Standard and must be determined by the manufacturer. Clause 3.2 of the 14971 Standard states that “Top management shall: define and document the policy for determining criteria for risk acceptability.” This risk management policy is intended to indicate a threshold for risk acceptability. In Clause 5 of the 14971 Standard, the manufacturer is instructed to evaluate whether risks are acceptable using the risk management criteria defined in the risk management policy.

Essential requirements 1 and 2 require that risks be reduced as far as possible, and that all risks shall be included in a risk/benefit analysis—not just the risks above a certain threshold. Therefore, the requirement to establish a risk policy for the acceptability of risk directly contradicts the MDD.

Since the 2nd edition of the 14971 Standard was first issued (i.e., 2007), clients have been asking me how to establish acceptability criteria. For new devices, I recommend benchmarking the risks of the new device against existing devices. In other words, if the new device presents equal or lower risks than existing devices, then the risks of the new device are acceptable. For existing devices, I recommend performing a risk/benefit analysis, evaluating adverse events observed with the device against the benefits of using the device. Unfortunately, most companies choose arbitrary thresholds for acceptability of risk. Instead of relying upon benchmarking or risk/benefit analysis, companies will establish a policy that all risks must be below a quantitative value. For example, if the range of possible risk scores is from 1 to 1,000, all risks of 100 or less may be acceptable.

What is Acceptable?

In order to comply with the EN ISO 14971:2012 version of the risk management standard, you will need to implement risk controls for all risks, regardless of acceptability. However, you will also need to perform a risk/benefit analysis. The risk/benefit analysis should consider not only the benefits to patients and the risks of using the device, but the analysis should also consider relative benefits of using other devices.

The clinical evaluation report and the risk management report for the device should be based upon clinical evidence of the device for the intended use—including adverse events. For new devices that are evaluated based upon literature review of equivalent devices, Notified Bodies expect a Post-Market Clinical Follow-up (PMCF) study to be conducted in order to verify that the actual risk/benefit of the device is consistent with the conclusions of the clinical evaluation. In order to perform this analysis, a clinical expert is necessary to properly evaluate the risk/benefit ratio of the device, and to create a protocol for a PMCF study.

MEDDEV 2.12/2 rev 2, Post Market Clinical Follow-up Studies, indicates that the PMCF study protocol should indicate the study endpoints and the statistical considerations. In order to do this, your company will need to establish quantitative criteria for acceptability of the identified risks. Therefore, the existing 14971 Standard needs to be modified to clarify that risk acceptability criteria should be based upon clinical data, and evaluation of risks should be conducted at a later point in the risk management process (e.g., as part of the overall risk/benefit analysis).

Impact of this Deviation

As your company becomes aware of the second deviation between the 14971 Standard and the Essential Requirements of the device directives, your risk management team will need to change the risk management process to clarify when risk acceptability should be evaluated, and the risk management policy should specify how acceptability should be determined.

The risk management process at your company will need to specify that implementation of risk controls is required for all risks—regardless of acceptability. You should also consider eliminating the evaluation of risk prior to implementation of risk controls. Instead, your company should base acceptability of risk solely upon the clinical risk/benefit analysis, and should involve the manufacturer’s medical officer in making this determination.

Finally, your risk management process should specify the need for PMCF studies in order to verify that actual clinical data supports the conclusion that the risk/benefit ratio is acceptable over the lifetime of the device.

  1. Doug Fernie July 21, 2015

    I wonder if the author has actually ever done risk management since what he advocates is likely to put a stop to any product introduction. It is a practical impossibility to consider all risks since, by definition, there is an infinity of them. Some common sense would be useful here.

    • Rob Packard November 6, 2015

      In 2007 when ISO 14971 was being taught by BSI to the company I worked at, the emphasis was to identify as many hazards and risks as possible but then to categorize the risks and neglect those that are negligible. This is no longer allowed by the EU Commission. If you read my recent postings on risk management you will find that I recommend only identifying those hazards that are likely to cause harm. I recommend starting with the TPLC database where you can find a list of actual device malfunctions for a similar device. I have designed dozens of devices and worked on 100+ risk management files. Some are excellent, but many are missing obvious hazards that they have already implemented risk controls for. You need to develop a systematic and rational process for identifying the hazards. It will also be required to document this list in future CE Technical Files.

  2. Michael Cejnar June 10, 2017

    Hi Rob
    I know you didn’t write the EN ISO, but you say “only identifying those hazards that are likely to cause harm”?

    So instead of documenting all hazards, and documenting your decision which need reduction, you and the Annex Z’s advocate deciding in our head which don’t need reducing and never listing them?
    You don’t think that’s reducing safety?

    • Rob Packard August 17, 2017

      When the 2007 standard was first issued, I trained people to identify as many hazards as possible. However, in order to comply with current EU requirements that approach is not feasible. I’m not arguing the process is better or worse; however, if you are distributing in Europe you have no choice.


