EU Commission: Publishes Links to Each Notified Body’s List of Public Fees
10 August 2024
Switzerland to Recognize Extended IVDR Transition Period under EU Regulation 2024/1860
15 August 2024Page Last Reviewed: 21 January 2026
- Harm vs Hazard vs Hazardous Situation
- Risk
- Risk Analysis vs Hazard Analysis
- Risk Estimation vs Risk Evaluation vs Risk Rating
- Risk Assessment vs Risk Evaluation
- Read Next
- Risk Control vs Risk Mitigation (and Residual Risk)
- Benefit/Risk Analysis
- Risk Management
- Risk Management File vs Report (and Records)
- FMEA as a Risk Record
- ISO 14971 vs EU MDR/IVDR
Risk management is a critical part of the Total Product Life Cycle framework. Despite its criticality, manufacturers continue to experience difficulty in understanding several risk management concepts and terminology.
Terms related to risk management are defined in ISO 14971, the international standard on risk management for medical devices. Below we provide an overview of these concepts and terms. Plus, examples of their application in risk management, as well as the application of ISO 14971 within the overall EU device regulatory framework.
Harm vs Hazard vs Hazardous Situation
ISO 14971 defines ‘harm’ as:
“injury or damage to the health of people, or damage to property or the environment”
Harm may be permanent (e.g. death) or may be transitory (e.g. temporary inconvenience). It is a key term. It forms the basis of risk management, which aims to identify all hazards.
ISO 14971 defines ‘hazard’ as:
“potential source of harm”
ISO 14971 defines a ‘hazardous situation’ as:
“Circumstance in which people, property or the environment is/are exposed to one or more hazards”
Examples of Harms vs Hazards vs Hazardous Situations
As shown in the below table, potential harm that results from a hazard, is dependent upon the hazardous situation. There may potentially be multiple different hazardous situations leading to the same harm, based upon the nature of the hazard and other considerations, e.g., intended use of the device, the environment in which it is used, etc.
| Harm (the injury or damage that could occur) | Hazard (the potential source of the harm) | Hazardous Situation (the circumstances in which exposure to harm occurs) |
|---|---|---|
| Thermal burn | Device surface temperature | Device with a burn-inducing surface temperature comes into contact with patient skin |
| Electrical shock | Device power source | User comes into direct contact with exposed live electrical wiring in a mains connected device |
| Allergic reaction | Device chemical composition | Patient comes into direct contact with a device which contains a chemical to which the patient has an allergy |
Once identified, the risk associated with each harm is:
- estimated, i.e., severity and probability of occurrence of harm,
- risk controls are implemented so that associated risk is reduced as far as possible, and
- ensure that the benefits of the device outweigh the risks remaining after the implementation of risk controls, i.e. benefit-risk analysis.
During production/post-production, occurrences of harm are monitored (e.g., vigilance and post-market surveillance) to:
- ensure continual accuracy and completeness of the identified harms and their estimated risks,
- ongoing effectiveness of risk controls, and
- maintenance of the benefit-risk analysis of the device.
Risk
ISO 14971 defines ‘risk’ as the:
“combination or the probability of harm and the severity of that harm”
Within this context, ISO 14971 also defines ‘severity’ as the:
“measure of the possible consequence of a hazard”
ISO 14971 reiterates the above, stating:
“It is generally accepted that the concept of risk has two key components: 1) the probability of occurrence of harm; and 2) the consequences of that harm, that is, how severe it might be.”
Severity and Probability
Severity of harm can usually be readily identified. However, often more than one type of severity is possible. For example, in the case of the harm of thermal burn described above, burns can be categorized as being:
- first-degree (superficial),
- second-degree (partial thickness) or
- third-degree (full thickness) burns with more severe and extensive burns requiring more specialized treatment and increasing the probability of secondary effects (e.g. psychological effects).
The probability of harm can sometimes be readily estimated based upon publicly available data, e.g. probability of intestinal perforation during a colonoscopy based upon published incidence rates. However, quite often the probability of harm occurring is dependent on multiple events / hazardous situations occurring.
For example, in the hazardous situation described above for electrical shock, three independent events must occur for this hazardous situation to arise:
- Event # 1: The device needs to be connected to mains electricity
- Event # 2: Device electrical wiring needs to be exposed
- Event # 3: The user needs to contact the exposed live electrical wiring
The probability of each of these individual events, can be used to estimate the probability of an electrical shock occurring.
Where more than one type of severity of harm is possible, risk should be estimated based upon the probability of occurrence of each level of severity. For example, if first-degree, second-degree, and third-degree burns are possible, then each should have its own probabilities of occurrence. This would be based upon the possible combinations of hazards and hazardous situations that could occur.
Risk Analysis vs Hazard Analysis
ISO 14971 defines ‘risk analysis’ as the:
“systematic use of available information to identify hazards and to estimate the risk”
Similar to the erroneously interchanging of the terms hazard and risk, the term ‘hazard analysis’ is often erroneously used by manufacturers when describing risk analysis.
While the term ‘hazard analysis’ is not defined under ISO 14971, it is understood to be the identification of hazards, which is one component of risk analysis. Hazard analysis does not include any risk estimation.
For example:
- Hazard analysis involves the generation of a list of hazards and hazardous situations, considering device characteristics (e.g. chemical, physical, biological, performance, use-related hazards)
- Risk analysis involves hazard analysis, as well as the estimation of risk (i.e. probability of occurrence and severity of harm) for those identified hazards/hazardous situations
Root Cause Analysis
ISO 14971 does not establish a definition for ‘Root Cause Analysis’. However, the term is commonly used in hazard and/or risk analysis.
Root Cause Analysis collectively describes a wide range of techniques, tools, and approaches used to identify hazards, and the hazardous situations that could cause harm.
Tracing its origins to the broader field of Total Quality Management, such Root Cause Analysis methodologies / techniques / approaches can include:
- Events and causal factor analysis. This is commonly used where a single-event harm has occurred, i.e., not used where a cascade or chain of hazardous situations result in the identified harm.
- Change analysis, where a system’s safety and/or performance has changed significantly. E.g., a shift in the analytical or clinical performance of an IVD beyond established limits.
- Barrier analysis, where there is a focus on risk controls in place to either 1) prevent or 2) detect hazards which may have failed. E.g. analysis of potential causes of a lockout mechanism failure.
- Risk tree analysis, such as use of tree diagrams to identify 1) what could occur and 2) the contributory factors to hazardous situations and harm. E.g., Ishikawa/fishbone diagrams.
- Kepner-Tregoe Problem Solving and Decision Making. These provide four distinct phases for resolving problems: 1) Situation analysis, 2) Problem analysis, 3) Solution analysis, and 4) Potential problem analysis.
Risk Estimation vs Risk Evaluation vs Risk Rating
ISO 14971 defines ‘risk estimation’ as the:
“Process used to assign values to the probability of occurrence of harm and the severity of that harm”
ISO 14971 defines ‘risk evaluation’ as the:
“Process of comparing the estimated risk against given risk criteria to determine the acceptability of the risk”
Risk Estimation
Values assigned to the probability of occurrence of harm and its severity may be qualitative, semi-quantitative, or quantitative in nature.
Typically, either qualitative or semi-quantitative is applied in the healthcare industry. Between the two, there is a preference for semi-qualitative as this allows for:
- The utilization of post-market surveillance data to verify whether risk estimates assigned during design & development were accurate (and subsequently the overall benefit-risk analysis was accurate), and
- whether any changes are necessary based upon post-market data.
Assigning values to the severity of harm is generally straightforward, due to comparisons that can be made based on the impact. For example, death vs. permanent injury vs. temporary injury vs. inconvenience.
Where manufacturers most often struggle, is in assigning values for the probability of occurrence. They frequently perform risk estimations first by utilizing a qualitative system, then shift to a semi-quantitative or quantitative system once they have gathered relevant statistical data, e.g., from clinical investigations or productions/post-production data sources, such as post-market surveillance.
Caution should be taken when establishing levels for probabilities of occurrence. Particularly when utilizing semi-quantitative or quantitative values, as these should ideally:
- be related to timeframes (to facilitate trend analysis and reporting under the MDR/IVDR), and
- clearly indicate how the values relate to device utilization, as this facilitates consistency during design & development and post-market surveillance, e.g., % of patients on which the device is used, % of devices used, % of device utilizations, etc.
Examples: Values for probability of occurrence of harm and its severity
| Harm Severity Level | Harm Description |
|---|---|
| Fatal | Results in death |
| Critical | Results in permanent impairment or irreversible injury / psychological trauma |
| Major | Results in injury or impairment requiring inpatient medical or surgical intervention or long-term psychological support services |
| Minor | Results in temporary injury or impairment not requiring inpatient medical or surgical intervention or requires short-term psychological support services |
| Negligible | Inconvenience or temporary discomfort |
| Harm Probability of Occurrence Level | Probability of Occurrence Description (Range) |
|---|---|
| Frequent | ≥ 50% |
| Probable | <50% and ≥ 5% |
| Occasional | <5% and ≥ 1% |
| Remote | <1% and ≥ 0.001% |
| Improbable | < 0.001% |
Risk Rating
The result of risk estimation is a ‘risk rating’. While this term is not defined in ISO 14971 or the MDR/IVDR, it is a common industry term.
A risk rating is assigned to each combination of hazard/hazardous situation/harm. It is typically identified in the risk analysis record by a hazard identification number (e.g. H001, H002, etc.) or other identification system.
Below is an example of stratified risk ratings using the severity and probability of occurrence level described in the tables above:
Risk Criteria
Under ISO 14971, ‘risk criteria’ (also referred to as ‘risk acceptability criteria’) must be established for evaluating both individual and overall risks. What does this mean, however?
Evaluating Individual Risk
The risk rating assigned to each of the above identified hazards would be assessed against pre-determined individual risk acceptability criteria. For example:
- No individual risk can be in any of the red fields in the below table. This individual risk is unacceptable.
- Any individual risk in any of the below yellow fields must be assessed for further risk reduction measures, i.e., risk controls. Where no further risk reduction is possible, an individual benefit/risk analysis must be undertaken. If the end result determines that it does not adversely impact the benefit/risk profile of the device, then the risk is considered to have been reduced as far as possible and is broadly acceptable.
- Any individual risk in any of the below green fields are considered to be acceptable. The risk is considered to have been reduced as far as possible and an individual benefit-risk analysis is not required.
Evaluating Overall Risk
The totality of risk ratings assigned to identified hazards is assessed against overall risk acceptability criteria, such as:
- No individual risks can be in Zone 1 (red cells) in the above table. The presence of any individual risks in Zone one constitutes unacceptable risk.
- Where more than 25% of all identified hazard identification numbers are in Zone 2 (yellow cells) or Zone 3 (green cells), an overall benefit/risk analysis must be undertaken. The results must confirm they do not adversely impact the benefit/risk profile of the device, after which overall risk is considered to have been reduced as far as possible and is broadly acceptable.
- Where less than 25% of all identified hazard identification numbers are in Zone 2 or Zone 3, the overall risk is considered to have been reduced as far as possible. An overall benefit/risk analysis is still required; however, the benefits are understood to outweigh the overall risks of the device.
Risk Evaluation
The process outlined above, of comparing estimated risk against risk acceptability criteria, comprises ‘risk evaluation’.
Please note that the above examples for risk estimation and risk evaluation are provided for illustrative purposes only. ISO 14971 does not mandate the approach/tools to be adopted by manufacturers.
Risk Assessment vs Risk Evaluation
ISO 14971 defines ‘risk assessment‘ as the:
“overall process comprising risk analysis and a risk evaluation”
Taking into consideration the risk management process already covered above: Risk Analysis + Risk Evaluation. = Risk Assessment
Read Next
Overview of Shelf Life, Expiration Dates, Device Lifetime/Useful Life, Service Life, and Life Cycle for medical devices and IVDs in Europe.
Risk Control vs Risk Mitigation (and Residual Risk)
Risk Control
ISO 14971 defines ‘risk control’ as the:
“process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels”
The “specified levels” mentioned above, are the risk levels determined by the manufacturers’ risk acceptability criteria (for both individual and overall risk).
There is a priority to the types of risk controls that should be applied:
- Inherent safe design and manufacture, e.g., an IVD reagent manufacturer uses an antibiotic to reduce the risk of microbial contamination instead of sodium azide (the latter having risks of explosion and/or fire if disposed of incorrectly)
- Protective measures in the device itself, or in the manufacturing process, e.g., an IVD reagent manufacturer formulates its device so that the sodium azide concentration is below levels considered to be hazardous, as the presence of antibiotics adversely impacts device performance
- Information for safety and, where appropriate, training to users, e.g., an IVD reagent manufacturer 1) adds warnings to the Instructions regarding the presence of sodium azide and the potential consequences of improper disposal, and 2) also provides a safety data sheet detailing chemical hazards for the device
Risk Mitigation
Manufacturers may believe that ‘risk control‘ is synonymous with ‘risk mitigation‘; however, such an approach would be misaligned with common industry practices, particularly in software engineering.
The ISO 14971 definition for ‘risk control’ covers the reduction, or maintenance, of risk within specified levels. It does not distinguish whether any reduction in risk is due to 1) a reduction in probability of occurrence, or 2) the severity if it occurs.
There is a distinction in software engineering, however:
- ‘risk control’ is understood to comprise specific actions to reduce a risk event’s probability of occurrence, while
- ‘risk mitigation’ comprises a set of actions to reduce the consequences and impact of the risk event, i.e., its severity.
Therefore, caution should be exerted in using the terms ‘risk control’ and ‘risk mitigation’, as ‘risk mitigation’ is not defined under ISO 14971.
Residual Risk
ISO 14971 defines ‘residual risk’ as:
“Risk remaining after risk control measures have been implemented”
Under ISO 14971, once the manufacturer has identified and implemented the necessary risk controls, it must:
- Re-perform risk estimation and risk evaluation to determine the acceptability of the residual risks. In particular, the results of re-evaluation are compared with the pre-risk control risk evaluation, to identify whether there has been a reduction in the risk level.
- In most cases, it is not possible to reduce the severity of harm unless the risk control adopted involves complete removal (or substitution) of the original hazard. For example, device reformulation, e.g. removal/substitution of a hazardous chemical with a non-hazardous chemical. Therefore, manufacturers typically revise the probability of occurrence in order to lower residual risk levels.
- NOTE: This type of detail is typically scrutinized by Notified Bodies and regulators.
- Determine whether the risk control(s) introduce new hazards or hazardous situations, e.g., the introduction of sodium azide as an antimicrobial agent in an IVD reagent introduces the possibility of explosion or fire if improperly disposed.
- Determine whether estimated risks for previously identified hazardous situations are affected by the risk controls.
Benefit/Risk Analysis
ISO 14971 defines ‘benefit’ as:
“Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health”
The description of specific device benefits is an area of greater scrutiny under ISO 14971:2019, as historically it has been poorly documented by manufacturers. Compounding this is that direct comparison of risks and benefits is challenging. It requires consideration of factors such as:
- Disease/condition characterization of the intended patients
- Data uncertainty
- Clinical/performance data, such as from peer-reviewed scientific literature identified during clinical/performance evaluation, can help to address this concern
- Vigilance data available on similar or equivalent devices, that is already available on the market
- Comparison of the benefits and risks of the device with the generally acknowledged state of the art, i.e., similar devices and alternatives
Device benefits may be related to safety and/or performance outcomes. For example:
- Safety: Reduced frequency of complications / side effects compared to similar devices.
- Performance: Reduced surgery time compared to similar devices.
- Performance: Superior clinical / diagnostic sensitivity and specificity compared to similar devices.
Benefit/risk analysis is performed (both individually and overall) when assessing the residual risks. The outcome of the benefit/risk analysis depends on the residual risk levels and the established risk acceptability criteria. The outcome of the benefit/risk analysis must result in a positive benefit/risk ratio, i.e., benefits realized from use of the device outweigh the residual risks.
Risk Management
ISO 14971 defines ‘risk management’ as the:
“Systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk”
In addition to the risk management activities already described above, risk management also includes the monitoring of risk. This is typically performed through utilization of other QMS processes that are interlinked with the risk management process, including:
- Management review
- Audits
- Vigilance, including vigilance reporting and field safety corrective actions (FSCAs)
- Post-market surveillance and post-market clinical/performance follow-up
- Control of non-conformances and corrective actions/preventative actions (CAPA)
- Clinical / Performance evaluation
The records generated through the risk management process are then included, and/or cross-referenced, in the manufacturer’s risk management file for the device family.
Risk Management File vs Report (and Records)
ISO 14971 defines the ‘risk management file’ as the:
“Set of records and other documents that are produced by risk management”
This “set of records” begins with creation of the risk management plan, whose minimum content requirements are established in ISO 14971. It continues to the records generated through the entire risk management process.
The ‘risk management report’ (also referred to as ‘risk management summary report’) typically incorporates all elements that need to be recorded, that are not captured by the risk management plan and risk assessment records. These include:
- Benefit/risk analyses (both individual and overall, if individual benefit-risk analysis is not captured in risk assessment records)
- Verification of completeness of risk controls
- Risk management review, including verification of:
- Appropriate implementation of the risk management plan
- Acceptability of overall residual risk
- Establishment of appropriate methods for the collection and review of information in the production and post-production phases
FMEA as a Risk Record
When it comes to Risk Assessment and Risk Control records, the most commonly encountered records are Failure Mode & Effects Analyses (FMEAs). Their use is widespread in multiple industries and the methodology is well known/established. However, in the medical device industry, care needs to be taken when utilizing FMEAs.
ISO 14971 requires that manufacturers identify, and document, known and foreseeable hazards associated with the characteristics related to safety in both normal and fault conditions. As FMEAs inherently have a focus on “failure modes” (i.e. fault conditions), they need to ensure that hazards and hazardous situations in normal conditions are also identified.
ISO 14971 vs EU MDR/IVDR
One of the factors considered when revising ISO 14971:2007 to ISO 14971:2019, was the evolving global regulatory landscape, including the EU MDR/IVDR.
The European harmonized version of the standard was amended in 2021 (EN ISO 14971:2019/A11:2021) to include Annexes ZA/ZB. These annexes clarify the relationship between the standard and the MDR/IVDR requirements, including identifying gaps between the two. For example:
- ISO 14971:2019 does not define what constitutes risks being ‘reduced as far as possible.’ However, manufacturers seeking CE marking must ensure their risk management approach complies with GSPR 2 of the MDR/IVDR, which requires risks to be reduced as far as possible without adversely affecting the benefit-risk ratio.
- The criteria for establishing risk acceptability must align with the General Safety and Performance Requirements (GSPRs) of the MDR/IVDR, particularly GSPRs 1, 2, 4, 5(a), 8, and 9, as applicable to the device.
Additional elements of risk management under ISO 14971 and their relationship to MDR/IVDR, include:
Trend Reporting Requirements
Trend reporting is established within the scope of MDR/IVDR’s post-market surveillance requirements. They require establishing methods and protocols to manage the incidents subject to trend reporting. For example, to 1) identify any statistically significant increase in the frequency or severity of incidents, and 2) the observation period.
Therefore, risk estimation levels (for both severity and probability of occurrence) should be established so that they may be used to determine statistically significant increases.
Overall Residual Risk Acceptability Criteria Combined with the Benefit-Risk Analysis
They should be designed so that they can be used as suitable indicators and as threshold values, for continuous reassessment of the benefit-risk analysis and of the risk management, as required under MDR/IVDR post-market plan requirements.
Clinical/Performance Evaluation Reports
Clinical/Performance Evaluation Reports should be closely aligned with the risk management file. Particularly in regard to the benefits and risks identified in clinical evidence included in these reports, and the overall benefit-risk analysis.
Typically, when demonstrating conformity with MDR/IVDR GSPR 1 (Requirement for Safety), these reports include:
- a cross-reference table to the risk management file, with indication of the clinical risks identified (along with the respective clinical data source),
- their corresponding hazard identification number in the risk analysis,
- description of the risk controls implemented, and
- indication that risks have been reduced as far as possible.
