ISO 14971 defines a framework for risk management applicable to all stages of a medical device's life, from initial concept to decommissioning. The standard requires manufacturers to establish a risk management policy, define intended use and foreseeable misuse, and systematically identify hazards and hazardous situations. Each risk is then estimated by combining the severity of harm with the probability of occurrence, creating a quantifiable risk profile that must be evaluated against predefined risk acceptability criteria.
Glossary
ISO 14971

What is ISO 14971?
ISO 14971 is the international standard specifying a systematic process for medical device manufacturers to identify hazards, estimate and evaluate associated risks, control those risks, and monitor the effectiveness of the controls throughout the product lifecycle.
For Software as a Medical Device (SaMD), ISO 14971 is harmonized with IEC 62304, which mandates that software development processes integrate risk management outputs directly into the software development lifecycle. The standard demands that risk control measures be implemented and verified for effectiveness, with any residual risk subjected to a benefit-risk analysis. This process is documented in a living Risk Management File, which is a critical component of the Design History File (DHF) reviewed during FDA submissions like the 510(k) or De Novo Classification Request.
Core Components of ISO 14971
ISO 14971 provides a systematic process for identifying hazards, estimating and evaluating risks, and implementing control measures throughout a medical device's lifecycle. These core components form the backbone of regulatory submissions for Software as a Medical Device (SaMD).
Risk Management Plan
The foundational document defining the scope, responsibilities, and criteria for risk acceptability for a specific medical device. It establishes the risk management team, the review schedule, and the methods for verification of risk control measures. The plan must align with the Quality Management System (QMS) and be maintained as a living document throughout the product lifecycle.
Hazard Identification
A systematic process to identify known and foreseeable hazards associated with the device in both normal and fault conditions. This includes:
- Energy hazards (electrical, thermal, radiation)
- Biological hazards (contamination, toxicity)
- Information hazards (misleading outputs, data loss)
- Use-related hazards (usability errors, misinterpretation) For SaMD, particular focus is placed on algorithmic bias and false positive/negative results.
Risk Estimation & Evaluation
Each identified hazardous situation is assessed for severity of harm and probability of occurrence. The combination produces a risk level that is compared against the risk acceptability criteria defined in the plan. Risks are categorized as:
- Acceptable: No further action required
- As Low As Reasonably Practicable (ALARP): Risk reduced to the point where further reduction is disproportionate to the benefit gained
- Unacceptable: Mandatory risk control measures required
Risk Control Measures
The implementation of measures to reduce unacceptable risks to acceptable levels, following a strict hierarchy of controls:
- Inherent safety by design: Eliminate the hazard entirely (e.g., removing a feature that causes confusion)
- Protective measures: Add barriers or safeguards (e.g., confidence thresholds, human-in-the-loop verification)
- Information for safety: Provide warnings, training, or labeling (e.g., on-screen disclaimers, user manuals) Each control must be verified for effectiveness and cannot introduce new hazards.
Residual Risk Evaluation
After implementing risk control measures, the remaining risk is re-evaluated against the acceptability criteria. If residual risk remains unacceptable, additional controls must be applied. When all controls are exhausted and risk is still present, a risk-benefit analysis is conducted to determine if the medical benefits outweigh the residual risks. This analysis is critical for devices addressing life-threatening conditions where some risk is unavoidable.
Production & Post-Production Monitoring
Risk management does not end at product launch. ISO 14971 requires continuous post-market surveillance to collect and review real-world data, including:
- Medical Device Reporting (MDR) events
- Corrective and Preventive Actions (CAPA)
- User feedback and complaint analysis
- Cybersecurity vulnerability disclosures New hazards identified post-market must trigger a full re-evaluation cycle and potential updates to the Risk Management File.
Frequently Asked Questions
Clarifying the application of ISO 14971 to Software as a Medical Device (SaMD) and AI-enabled diagnostic systems, addressing the most common regulatory and engineering queries.
ISO 14971 is the international standard specifying a systematic process for risk management of medical devices throughout their entire lifecycle. For Software as a Medical Device (SaMD), it applies directly because software failures can lead to hazardous situations—such as a missed diagnosis or a false positive—resulting in patient harm. The standard requires manufacturers to establish a Risk Management File, identify known and foreseeable hazards associated with the software, estimate and evaluate the associated risks, implement control measures, and continuously monitor the residual risk in the post-market phase. Unlike hardware, software does not degrade mechanically; its hazards stem from algorithmic bias, incorrect outputs, or cybersecurity vulnerabilities, making the probability estimation of harm a unique challenge under ISO 14971.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
ISO 14971 is the central framework for medical device risk management, but it operates within a broader ecosystem of regulatory, quality, and software lifecycle standards. These related concepts are essential for a complete risk management posture.
Quality Management System (QMS)
A formalized system, typically structured around ISO 13485, that documents processes, procedures, and responsibilities for achieving quality objectives. ISO 14971 requires that risk management activities be integrated into the QMS, not performed in isolation. The QMS provides the controlled framework for executing, documenting, and maintaining the risk management file throughout the product lifecycle.
Verification and Validation (V&V)
The combined processes of confirming design outputs meet design inputs (verification) and that the final device meets user needs (validation). ISO 14971 requires that risk control measures be verified for their effectiveness. V&V activities generate objective evidence that implemented risk controls actually reduce risk to acceptable levels, closing the loop on the risk management process.
Human Factors Engineering (HFE)
The application of knowledge about human capabilities and limitations to device design. ISO 14971 explicitly requires the identification of reasonably foreseeable misuse and use errors as part of hazard identification. HFE processes, guided by IEC 62366, systematically identify and mitigate use-related hazards that could lead to patient or user harm.
Post-Market Surveillance (PMS)
The proactive, systematic process of collecting and analyzing real-world data after market release. ISO 14971 mandates that risk management is a continuous lifecycle process, not a one-time premarket activity. PMS feeds production and post-production information back into the risk management file, triggering re-evaluation of risks and the effectiveness of controls based on actual clinical use.
Cybersecurity Risk Assessment
The systematic process of identifying threats and vulnerabilities in device software. While ISO 14971 addresses safety risks, cybersecurity risks can cascade into safety hazards (e.g., a hacked infusion pump delivering a fatal dose). Modern risk management integrates security risk assessment, often guided by AAMI TIR57, directly into the ISO 14971 framework to address patient harm from malicious actors.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us