ISO 14971 Walkthrough

Dr. Oliver Eidel
Updated April 17, 2024

When developing software as a Medical Device, you need to do Risk Management. What’s that?

In simple terms, you need to think about what could go wrong with your software and how that would harm patients. As an auditor put it, “you do risk management in your head all the time anyway, you just need to write it down!”. Sounds easy. It almost is!

If you haven’t gotten your hands on a PDF copy of the ISO 14971, head over to my article on accessing standards for less than 30€. You won’t get around reading the standard so you might as well start now.

Alright, let’s get down to business and see what needs to be done.

ISO 14971 Requirements

Compared to the IEC 62304 (see my walkthrough), the ISO 14971 is substantially shorter. That means that understanding the work involved typically only takes two years. Kidding. Maybe an afternoon or a few days. Unless your consultant over-engineers it. That could force your company to do risk analysis for 6 months – I’ve seen this happen!

Let’s stop the ranting and look at the work. As always, it’s all about setting up processes and creating documents.

Risk Management Process

You need to have a process for risk management. This process describes how you systematically identify, evaluate and control the risks of your product over its whole life cycle, not just once before launch: risk analysis, risk evaluation, risk control, evaluation of the overall residual risk, and the production and post-production activities described further below.

How is this implemented? Typically, you’ll write a document which is a SOP (Standard Operating Procedure) for your risk management and train your team to actually adhere to it.

As part of this risk management process, you’ll create a risk management plan, risk analysis & risk table and risk management report.

Risk Management Plan

The risk management plan is a document in which you describe how you plan to do risk management for a certain product. It typically includes roles and methods: which product and life cycle phases the plan covers, who is responsible for what, which methods you use for risk analysis, the criteria for risk acceptability (usually a probability-times-severity matrix, see below), how you verify that your risk controls actually work, and how you collect and review production and post-production information. The acceptability criteria are the important part: the risk analysis and the risk management report are judged against them, so they must be written down before you start analyzing.

Risk Analysis & Risk Table

The actual risk analysis is by far the largest chunk of work. In simple terms, you need to list all things which could go wrong with your software and what would subsequently happen to patients. In ISO 14971 terms, each row of your risk table follows the chain hazard (e.g. a software defect) → hazardous situation (how a patient gets exposed to it) → harm, and each row gets an estimate of probability and severity which you compare against the acceptability criteria from your plan. For every risk that comes out as not acceptable, you define risk controls, estimate the residual risk again, and verify that the controls actually work. Obviously, you can go into infinite detail here so it’s important to strike a balance between “detailed enough” and “getting it done”.

Read: FMEA, Part 1: Risk Acceptance Matrix (ISO 14971 Risk Analysis)

Risk Management Report

Once you’re done with risk analysis, e.g. before shipping the initial version of your software as a medical device, you summarize everything in a document called risk management report. This hardly contains any new information: it confirms that the risk management plan was carried out, that methods for collecting production and post-production information are in place, and, the one important thing, it states whether the overall residual risk is acceptable when judged against the criteria in your plan. An open (unverified) risk control or a residual risk that is still unacceptable means you cannot sign this off.
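To make the risk table and the report’s conclusion concrete, here is an added example (written for this walkthrough, not code from the article or from any regulatory template). It is Python; the level names, the acceptance matrix, the three sample rows and the finding texts are constructed assumptions, standing in for the criteria your own risk management plan would define. It shows the hazard → hazardous situation → harm chain per row, the lookup in the acceptance matrix, and the checks behind the “overall residual risk acceptable?” statement, including the two things an auditor will look for: a residual risk that is still unacceptable, and a risk control that is claimed but not verified.

```python
"""ISO 14971-style risk table with an acceptance matrix.

Added example for this walkthrough, not code from the article. The level
names, the matrix and the three sample rows are constructed; the real
criteria come from your risk management plan.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Semi-quantitative scales. Assumed for the example; your plan defines the real ones.
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}

# Risk acceptance matrix, indexed [probability-1][severity-1].
# "A" = acceptable, "U" = unacceptable. Constructed for the example.
ACCEPTANCE_MATRIX = (
    "AAAAA",  # improbable
    "AAAAU",  # remote
    "AAAUU",  # occasional
    "AAUUU",  # probable
    "AUUUU",  # frequent
)


def verdict(probability: str, severity: str) -> str:
    """Look up a (probability, severity) pair in the acceptance matrix."""
    return ACCEPTANCE_MATRIX[PROBABILITY[probability] - 1][SEVERITY[severity] - 1]


@dataclass
class Risk:
    """One row of the risk table: hazard -> hazardous situation -> harm."""
    risk_id: str
    hazard: str                       # e.g. a software defect
    hazardous_situation: str          # how a patient gets exposed to it
    harm: str
    p_initial: str
    s_initial: str
    controls: List[str] = field(default_factory=list)
    p_residual: Optional[str] = None  # None: unchanged by the controls
    s_residual: Optional[str] = None
    controls_verified: bool = False   # evidence that the controls work as intended

    def residual_levels(self) -> Tuple[str, str]:
        return (self.p_residual or self.p_initial, self.s_residual or self.s_initial)


def evaluate(risk: Risk) -> Dict[str, object]:
    """Evaluate one row; returns both verdicts plus the findings a reviewer would raise."""
    initial = verdict(risk.p_initial, risk.s_initial)
    p_res, s_res = risk.residual_levels()
    residual = verdict(p_res, s_res)
    findings: List[str] = []
    reduced = (PROBABILITY[p_res] < PROBABILITY[risk.p_initial]
               or SEVERITY[s_res] < SEVERITY[risk.s_initial])
    if reduced and not risk.controls:
        findings.append(f"{risk.risk_id}: residual risk lower than initial but no risk control listed")
    if risk.controls and not risk.controls_verified:
        findings.append(f"{risk.risk_id}: risk control(s) not verified")
    if residual == "U":
        findings.append(f"{risk.risk_id}: residual risk still unacceptable")
    return {"initial": initial, "residual": residual, "findings": findings}


def overall_residual_risk(risks: List[Risk]) -> Tuple[bool, List[str]]:
    """The conclusion the risk management report has to state: (acceptable?, open findings)."""
    findings = [f for r in risks for f in evaluate(r)["findings"]]
    return (not findings, findings)


# Constructed sample rows for a fictional clinical-decision app (not real product data).
SAMPLE_RISKS = [
    Risk("R-001", "dose calculation mixes mg and mcg",
         "clinician accepts the displayed dose without recalculating", "overdose",
         "probable", "critical",
         controls=["units stored as an enum, not free text",
                   "independent recomputation and plausibility range check before display"],
         p_residual="remote", controls_verified=True),
    Risk("R-002", "app crashes during data entry and loses unsaved input",
         "clinician re-enters values from memory", "wrong treatment decision",
         "occasional", "minor"),
    Risk("R-003", "cached lab value not invalidated after a new result arrives",
         "clinician decides on an outdated value", "delayed treatment",
         "probable", "serious",
         controls=["cache entries expire after 60 s", "timestamp of the value shown next to it"],
         p_residual="occasional"),  # controls defined but not yet verified
]

if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        result = evaluate(risk)
        print(f"{risk.risk_id}: initial={result['initial']} residual={result['residual']} "
              f"findings={result['findings']}")
    acceptable, open_findings = overall_residual_risk(SAMPLE_RISKS)
    print("overall residual risk acceptable:", acceptable, open_findings)
```

Run as-is, R-001 goes from unacceptable to acceptable through verified controls, R-002 is acceptable without controls, and R-003 blocks the report because its controls have not been verified yet; the overall conclusion is therefore “not acceptable” until that verification is documented. The point of keeping the matrix and scales as data rather than prose is that the same criteria from the plan are applied to every row, and the report’s conclusion is derived from the table instead of asserted.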

Post-Production Activities

There are various post-production activities involved in risk management. You probably could have guessed this – risk management doesn’t magically end when you ship your medical device for the first time.

Instead, you need to continuously collect and review production and post-production information (complaints, incidents, field data, new information about similar devices or the state of the art) and check whether it reveals new risks which may harm patients or changes your estimate of existing ones. And of course, as soon as you start changing your software, new risks could be introduced and your risk table and report need to be updated.

On a different note: Do you still have lots of questions about the EU MDR and would you like to talk to a human? No worries! We offer our Regulatory Strategy Workshop to companies like yours, in which we sit down with you for two hours, answer all your questions and come up with a plan with which you’ll bring your product to market. For only 400€!

Or, if you don’t like talking to humans, check out our Wizard instead. It’s a self-guided video course which helps you create your documentation all by yourself. No prior knowledge required.

Or, if you’re looking for the most awesome (in our opinion) eQMS software to automate your compliance, look no further. We’ve built Formwork, and it even has a free version!

And finally, if all of this doesn’t sound helpful and your situation seems hopeless, check out our consulting 🙂
