Medical Device Risk Assessment: ISO 14971 Steps, Checklist & Examples
A medical device risk assessment built on ISO 14971 gives you a rigorous, repeatable way to identify hazards, estimate and evaluate risks, implement Risk Control Measures, and monitor performance across the entire life cycle. Done well, it strengthens patient safety, design quality, and market access.
This guide walks you through each ISO 14971 step with practical checklists and concise examples. You’ll see how to plan, analyze, evaluate, control, and monitor risk—and how to capture everything in a Risk Management File you can rely on.
Risk Management Planning
Purpose and scope
Your plan defines the device scope, intended medical purpose, patient populations, environments of use, and life-cycle stages you will cover—from concept to post-production. Clarify interfaces with design controls, verification/validation, usability, cybersecurity, and clinical activities.
Roles, responsibilities, and resources
Assign a risk owner, independent reviewers, and decision-makers for escalation. Specify competencies, training, and how you’ll ensure independence of review for critical decisions, especially acceptance of overall Residual Risk.
Methods and Risk Acceptability Criteria
Choose your Hazard Identification methods (e.g., preliminary hazard analysis, FMEA, fault tree), your risk model (severity and probability categories), and your Risk Acceptability Criteria. Define when Benefit-Risk Analysis is required, how you will verify risk controls, and how you will determine overall residual risk acceptability at release.
Planned deliverables and traceability
List all deliverables: risk management plan, hazard log, risk evaluations, control specifications, verification evidence, residual risk rationale, and the final risk management report. Plan end-to-end traceability from hazards to controls to verification and Residual Risk.
Planning checklist
- Define intended use and reasonably foreseeable misuse.
- Approve Risk Acceptability Criteria and a clear risk matrix before analysis starts.
- Select Hazard Identification techniques and data sources you will use.
- Specify verification methods for each Risk Control Measure.
- Describe escalation paths for unacceptable or borderline risks.
- Set review gates and evidence expected at each gate.
Example (planning snippet)
For a home-use infusion pump, you set S1–S4 severity and P1–P5 probability bands, define “unacceptable” as any S4 risk, and require Benefit-Risk Analysis for S3/P3 or worse. You pre-plan verification via flow accuracy testing, alarm response timing, and human factors validation for key tasks.
Risk Analysis
Hazard Identification
Identify hazards across categories: mechanical, electrical, thermal, chemical/biological, radiation, software, data/cybersecurity, usability (use error), environmental, and disposal. For each hazard, describe the sequence of events that can lead to a hazardous situation and the potential harm.
Intended use, misuse, and user tasks
Document primary clinical use, operating environments, and user profiles. Map critical user tasks and foreseeable misuse (e.g., off-label environments, skipped steps, or incompatible accessories) that meaningfully change exposure to harm.
Estimating severity and probability
Estimate harm severity (clinical outcome) and the probability of that harm. Use relevant evidence: prior device data, simulations, bench/animal testing, usability studies, field data from predicate devices, and published literature. Capture assumptions and confidence levels so reviewers can judge uncertainty.
Risk analysis checklist
- Cover all life-cycle states: transport, storage, installation, normal use, maintenance, servicing, reprocessing, and end-of-life.
- Consider combined hazards and sequences (e.g., power loss + alarm failure).
- Include interface risks from accessories, consumables, and IT networks.
- Address data integrity and cybersecurity as potential harm pathways.
- Record the evidence supporting each severity/probability estimate.
Examples
- Infusion pump occlusion undetected leads to under-infusion and hyperglycemia (S2, P3 pre-control).
- Electrosurgical generator insulation failure causes thermal injury (S3, P2 pre-control).
- Software race condition results in incorrect dose display and overdose (S4, P2 pre-control).
Risk Evaluation
Compare to criteria and prioritize
Compare each risk to your Risk Acceptability Criteria using your defined matrix or thresholds. Flag unacceptable items for immediate action, and mark borderline items for Risk Control Measures and, if needed, Benefit-Risk Analysis.
Decision rationale
Record the decision for each risk: accept as-is (rare), control required, or benefit-risk needed. Explain the rationale, including references to the clinical context, available alternatives, and uncertainty. This justification becomes part of your audit-ready record.
Risk evaluation checklist
- Apply the same matrix consistently; avoid ad hoc exceptions.
- Escalate high-severity, low-probability risks for design-focused controls.
- Consolidate duplicates that share the same hazardous situation and harm.
- Document reviewers, dates, and conclusions for each evaluation.
Example
The overdose risk (S4, P2) is “unacceptable.” It requires design changes plus protective measures; labeling alone is not sufficient.
Risk Control
Hierarchy of Risk Control Measures
- Inherent safety by design: remove energy sources, reduce flow/pressure limits, use safer materials, add physical keying to prevent misconnections.
- Protective measures in the device or process: guards, interlocks, leakage/temperature sensing, dual-channel monitoring, alarms with automatic safe-state fallback.
- Information for safety: clear IFU, warnings, training, and user interface design that prevents use error through affordances and constraints.
Selecting and justifying controls
Choose controls that address root causes and fit the hierarchy. For each control, specify design inputs, acceptance criteria, and verification methods. Re-estimate risk after controls and check for new or increased risks introduced by the controls themselves.
Verification and validation
Verify that each control is implemented as specified (design verification) and that the device achieves safe, effective performance in realistic scenarios (validation). Time-critical controls—like alarm detection and shutdown—require objective timing evidence.
Risk control checklist
- Prefer design changes over warnings; justify any reliance on labeling.
- Define measurable acceptance criteria for each control.
- Verify both normal and fault conditions; test worst-case scenarios.
- Assess new hazards introduced by each control and update the analysis.
- Trace each control to verification evidence and to reduced Residual Risk.
Examples (controls for high-risk hazards)
- Overdose via misprogramming: hard dose limits, independent cross-checks, stepwise confirmations, lockouts, and human factors validation of programming tasks.
- Thermal injury: active temperature monitoring, return electrode contact quality checks, automatic power reduction and shutdown, and insulation upgrades.
- Software freeze: watchdog timers, memory bounds checks, defensive coding, and safe-state behavior on fault detection.
Residual Risk Evaluation and Benefit-Risk Analysis
Evaluate Residual Risk
After implementing controls, re-estimate severity and probability to determine Residual Risk for each hazardous situation. Decide whether each residual is acceptable against your criteria. Then evaluate overall residual risk by considering the combined effect of all remaining risks.
When and how to perform Benefit-Risk Analysis
If a residual remains unacceptable or borderline, assess clinical benefits versus remaining harms. Consider the medical condition’s seriousness, effectiveness of the device, alternative therapies, patient preferences, and uncertainty. Document why benefits outweigh risks and what further controls or risk communication you will add.
Communicating residual risk
Ensure that residual risks are clearly communicated through IFU, training, user interface cues, and labeling. Explain safe operating limits, alarm meanings, and maintenance requirements so users can manage residual exposure.
Residual risk checklist
- Use objective post-control evidence, not assumptions, for probability updates.
- Evaluate aggregated risk across all hazards and operating modes.
- Perform Benefit-Risk Analysis where criteria are not met and record the rationale.
- Obtain independent review and formal acceptance of overall Residual Risk.
Example
For the overdose hazard, added hard limits and dual-channel checks reduce probability from P2 to P1. With S4/P1 still borderline, you perform Benefit-Risk Analysis showing significant reductions in readmissions and improved glycemic control; you add enhanced training and a clear alarm lexicon to communicate residual risk.
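To make the evaluation and re-evaluation steps above concrete, here is an added example (not code from the article) that encodes an S1–S4 / P1–P5 matrix, evaluates the article's three pre-control estimates, and re-estimates the overdose hazard after controls. The acceptability criteria are assumptions chosen so the article's worked values come out as stated (S4 at P2 or worse is unacceptable; S4/P1 and S3 at P3 or worse require Benefit-Risk Analysis); the hazard names are constructed.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional

class Decision(Enum):
    ACCEPTABLE = "acceptable"
    BENEFIT_RISK = "borderline: Benefit-Risk Analysis required"
    UNACCEPTABLE = "unacceptable: Risk Control Measures required"

@dataclass(frozen=True)
class Risk:
    hazard: str
    severity: int     # S1 (negligible) .. S4 (catastrophic)
    probability: int  # P1 (remote) .. P5 (frequent)

def evaluate(risk: Risk) -> Decision:
    """Assumed Risk Acceptability Criteria (constructed for this example, not
    prescribed by ISO 14971): S4 at P2 or worse is unacceptable; S4/P1 and
    S3 at P3 or worse are borderline and need Benefit-Risk Analysis."""
    if not (1 <= risk.severity <= 4 and 1 <= risk.probability <= 5):
        raise ValueError(f"{risk.hazard}: S{risk.severity}/P{risk.probability} is outside the matrix")
    if risk.severity == 4 and risk.probability >= 2:
        return Decision.UNACCEPTABLE
    if risk.severity == 4 or (risk.severity == 3 and risk.probability >= 3):
        return Decision.BENEFIT_RISK
    return Decision.ACCEPTABLE

def re_estimate(risk: Risk, probability: int, severity: Optional[int] = None) -> Risk:
    """Post-control re-estimate. An estimate that got worse is rejected: the
    control introduced a new or increased risk and needs its own hazard entry."""
    new = replace(risk, probability=probability,
                  severity=risk.severity if severity is None else severity)
    if new.severity > risk.severity or new.probability > risk.probability:
        raise ValueError(f"{risk.hazard}: control increased the estimate, log a new hazard")
    return new

def risk_register(risks: list) -> dict:
    return {r.hazard: evaluate(r) for r in risks}

PRE_CONTROL = [  # constructed pre-control estimates for the article's three examples
    Risk("occlusion undetected -> under-infusion", 2, 3),
    Risk("insulation failure -> thermal injury", 3, 2),
    Risk("race condition -> wrong dose display -> overdose", 4, 2),
]

if __name__ == "__main__":
    for hazard, decision in risk_register(PRE_CONTROL).items():
        print(f"{hazard}: {decision.value}")
    # Hard dose limits plus dual-channel checks: P2 -> P1, severity unchanged.
    print("overdose post-control:", evaluate(re_estimate(PRE_CONTROL[2], probability=1)).value)
```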
Production and Post-Production Risk Activities
Post-Market Surveillance
Establish Post-Market Surveillance (PMS) to capture real-world data: complaints, service logs, adverse event databases, literature, supplier notifications, and cybersecurity advisories. Define metrics, trending rules, and triggers for investigation.
Manufacturing and supply chain feedback
Use incoming inspection, process controls, and nonconformance data to spot emerging risks. Feed supplier changes, component obsolescence, and process deviations back into risk analysis and CAPA.
Change management and vigilance
Evaluate design, software, labeling, or manufacturing changes for risk impact before implementation. When needed, initiate field actions and update the Risk Management File and user communications.
Post-production checklist
- Define data sources, review intervals, and statistical trend methods.
- Set thresholds for escalation to CAPA and field action.
- Continuously update risk analyses with new failure modes and usage patterns.
- Periodically reassess Benefit-Risk Analysis with fresh clinical and field data.
Example
PMS trending reveals a rise in battery swelling after 18 months of use. You open a CAPA, add incoming screening on supplier lots, adjust charging firmware to reduce stress, and update the RMF with new hazards and mitigations.
Risk Assessment Documentation
Risk Management File essentials
- Approved risk management plan and Risk Acceptability Criteria.
- Hazard Identification records, risk estimates, and evaluation decisions.
- Specified Risk Control Measures, design inputs, and verification evidence.
- Residual Risk evaluations, Benefit-Risk Analysis, and communication measures.
- Overall residual risk acceptability statement and release decision.
- Production and post-production procedures, PMS results, CAPA links, and change history.
- Traceability matrix linking hazards → controls → verification → Residual Risk.
Traceability and reviews
Maintain a living traceability matrix to keep design controls, verification reports, and PMS insights aligned. Schedule periodic management reviews to confirm the Risk Management File remains current and effective.
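As an added example (not the article's own tooling), the following script runs the consistency check a reviewer would apply to the traceability matrix described above: every hazard must have at least one Risk Control Measure, each control must have a verification record that passed, reliance on information for safety alone is flagged for justification, and every hazard must have an evaluated Residual Risk. The hazard, control and verification ids are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Hazard:
    id: str
    description: str
    residual: str  # "acceptable", "benefit-risk accepted" or "open"

@dataclass
class Control:
    id: str
    hazard_id: str
    kind: str          # "design", "protective" or "information"
    verification: str  # verification record id, "" if none planned
    passed: bool = False

def traceability_gaps(hazards, controls):
    """Map hazard id -> gaps in the chain hazard -> control -> verification -> Residual Risk."""
    by_hazard, gaps = {}, {}
    for c in controls:
        by_hazard.setdefault(c.hazard_id, []).append(c)
    for h in hazards:
        found = []
        ctrls = by_hazard.get(h.id, [])
        if not ctrls:
            found.append("no Risk Control Measure")
        elif all(c.kind == "information" for c in ctrls):
            found.append("relies on information for safety only; justify against the hierarchy")
        for c in ctrls:
            if not c.verification:
                found.append(f"control {c.id} has no verification method")
            elif not c.passed:
                found.append(f"control {c.id}: verification {c.verification} not passed")
        if h.residual == "open":
            found.append("Residual Risk not evaluated")
        if found:
            gaps[h.id] = found
    return gaps

HAZARDS = [  # constructed Risk Management File entries; ids and states are made up
    Hazard("HZ-01", "misprogramming leads to overdose", "benefit-risk accepted"),
    Hazard("HZ-02", "insulation failure leads to thermal injury", "open"),
    Hazard("HZ-03", "undetected occlusion leads to under-infusion", "acceptable"),
]
CONTROLS = [
    Control("CTL-01", "HZ-01", "design", "VER-01", passed=True),      # hard dose limits
    Control("CTL-02", "HZ-01", "protective", "VER-02", passed=True),  # dual-channel check
    Control("CTL-03", "HZ-02", "protective", "VER-03"),               # temperature monitoring, test pending
    Control("CTL-04", "HZ-03", "information", ""),                    # IFU warning only
]
```

Running `traceability_gaps(HAZARDS, CONTROLS)` reports nothing for HZ-01 and lists the open verification and missing residual evaluation for HZ-02, and the labeling-only control without a verification method for HZ-03.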
Conclusion
By planning upfront, executing disciplined analysis, applying effective controls, and continuously learning from the field, you create a defensible Medical Device Risk Assessment that protects patients and accelerates compliance. Use your Risk Management File as a single source of truth that ties decisions to evidence at every step.
FAQs
What are the key steps of ISO 14971 risk management?
Plan the process and criteria; analyze risks by identifying hazards and estimating severity/probability; evaluate against Risk Acceptability Criteria; implement and verify Risk Control Measures; reassess Residual Risk and, if needed, conduct Benefit-Risk Analysis; then maintain production and Post-Market Surveillance with continuous file updates.
How do you evaluate residual risk in medical devices?
After implementing controls, you re-estimate the probability (and sometimes severity) of each harm using objective evidence from tests, analyses, and validations. Compare each residual to your criteria, assess the overall residual risk across the device, and document acceptance or perform Benefit-Risk Analysis if criteria are not met.
What controls are recommended for high-risk hazards?
Prioritize inherent safety by design (e.g., dose/energy limits, safer materials), then protective measures (interlocks, guards, monitoring with automatic safe states), and finally information for safety (clear IFU, warnings, training, intuitive UI). Verify controls under worst-case and fault conditions.
How is risk managed during post-production?
You run a proactive Post-Market Surveillance program that monitors complaints, service data, literature, and supplier changes; trend the data; escalate via CAPA; update analyses and controls; communicate residual risk to users; and periodically re-evaluate overall Benefit-Risk as real-world evidence accumulates.