Inferensys

Glossary

ISO 14971

ISO 14971 is an international standard specifying a systematic process for medical device manufacturers to identify hazards, estimate and evaluate associated risks, control those risks, and monitor the effectiveness of controls throughout the product lifecycle.
Risk analyst performing AI risk assessment on laptop, risk matrices visible, casual office risk session.
RISK MANAGEMENT STANDARD

What is ISO 14971?

ISO 14971 is the international standard specifying a systematic process for medical device manufacturers to identify hazards, estimate and evaluate associated risks, control those risks, and monitor the effectiveness of the controls throughout the product lifecycle.

ISO 14971 defines a framework for risk management applicable to all stages of a medical device's life, from initial concept to decommissioning. The standard requires manufacturers to establish a risk management policy, define intended use and foreseeable misuse, and systematically identify hazards and hazardous situations. Each risk is then estimated by combining the severity of harm with the probability of occurrence, creating a quantifiable risk profile that must be evaluated against predefined risk acceptability criteria.

For Software as a Medical Device (SaMD), ISO 14971 is harmonized with IEC 62304, which mandates that software development processes integrate risk management outputs directly into the software development lifecycle. The standard demands that risk control measures be implemented and verified for effectiveness, with any residual risk subjected to a benefit-risk analysis. This process is documented in a living Risk Management File, which is a critical component of the Design History File (DHF) reviewed during FDA submissions like the 510(k) or De Novo Classification Request.

RISK MANAGEMENT FRAMEWORK

Core Components of ISO 14971

ISO 14971 provides a systematic process for identifying hazards, estimating and evaluating risks, and implementing control measures throughout a medical device's lifecycle. These core components form the backbone of regulatory submissions for Software as a Medical Device (SaMD).

01

Risk Management Plan

The foundational document defining the scope, responsibilities, and criteria for risk acceptability for a specific medical device. It establishes the risk management team, the review schedule, and the methods for verification of risk control measures. The plan must align with the Quality Management System (QMS) and be maintained as a living document throughout the product lifecycle.

02

Hazard Identification

A systematic process to identify known and foreseeable hazards associated with the device in both normal and fault conditions. This includes:

  • Energy hazards (electrical, thermal, radiation)
  • Biological hazards (contamination, toxicity)
  • Information hazards (misleading outputs, data loss)
  • Use-related hazards (usability errors, misinterpretation) For SaMD, particular focus is placed on algorithmic bias and false positive/negative results.
03

Risk Estimation & Evaluation

Each identified hazardous situation is assessed for severity of harm and probability of occurrence. The combination produces a risk level that is compared against the risk acceptability criteria defined in the plan. Risks are categorized as:

  • Acceptable: No further action required
  • As Low As Reasonably Practicable (ALARP): Risk reduced to the point where further reduction is disproportionate to the benefit gained
  • Unacceptable: Mandatory risk control measures required
04

Risk Control Measures

The implementation of measures to reduce unacceptable risks to acceptable levels, following a strict hierarchy of controls:

  1. Inherent safety by design: Eliminate the hazard entirely (e.g., removing a feature that causes confusion)
  2. Protective measures: Add barriers or safeguards (e.g., confidence thresholds, human-in-the-loop verification)
  3. Information for safety: Provide warnings, training, or labeling (e.g., on-screen disclaimers, user manuals) Each control must be verified for effectiveness and cannot introduce new hazards.
05

Residual Risk Evaluation

After implementing risk control measures, the remaining risk is re-evaluated against the acceptability criteria. If residual risk remains unacceptable, additional controls must be applied. When all controls are exhausted and risk is still present, a risk-benefit analysis is conducted to determine if the medical benefits outweigh the residual risks. This analysis is critical for devices addressing life-threatening conditions where some risk is unavoidable.

06

Production & Post-Production Monitoring

Risk management does not end at product launch. ISO 14971 requires continuous post-market surveillance to collect and review real-world data, including:

  • Medical Device Reporting (MDR) events
  • Corrective and Preventive Actions (CAPA)
  • User feedback and complaint analysis
  • Cybersecurity vulnerability disclosures New hazards identified post-market must trigger a full re-evaluation cycle and potential updates to the Risk Management File.
RISK MANAGEMENT FOR MEDICAL DEVICE SOFTWARE

Frequently Asked Questions

Clarifying the application of ISO 14971 to Software as a Medical Device (SaMD) and AI-enabled diagnostic systems, addressing the most common regulatory and engineering queries.

ISO 14971 is the international standard specifying a systematic process for risk management of medical devices throughout their entire lifecycle. For Software as a Medical Device (SaMD), it applies directly because software failures can lead to hazardous situations—such as a missed diagnosis or a false positive—resulting in patient harm. The standard requires manufacturers to establish a Risk Management File, identify known and foreseeable hazards associated with the software, estimate and evaluate the associated risks, implement control measures, and continuously monitor the residual risk in the post-market phase. Unlike hardware, software does not degrade mechanically; its hazards stem from algorithmic bias, incorrect outputs, or cybersecurity vulnerabilities, making the probability estimation of harm a unique challenge under ISO 14971.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.