
Risk management for medical devices and the new BS EN ISO 14971
Author: Jos van Vroonhoven, Philips.
Updated in July 2022.
BSI White Paper Series
BSI Risk management for medical devices and the new BS EN ISO 14971 2

Contents

Introduction
History of risk management
Risk management by BS EN ISO 14971
Relation of BS EN ISO 14971 with other standards
Conclusion
References
Author
Peer Reviewers
Published white papers
About BSI Group

Disclaimer
Disclaimer: The views and opinions expressed in this white paper
are those of the authors. They do not necessarily reflect the official
policy or position of BSI Group. This white paper is not a peer-
reviewed work. Although it may be a sponsored publication, it is
issued solely for information of the authors’ views and opinions
only. BSI Group makes no representations as to accuracy, suitability
or validity of information. All information is provided on an ‘as is’
basis. BSI accepts no liability for any loss or damage caused, arising
directly or indirectly in connection with reliance on its contents
except to the extent that such liability may not be excluded in law.

Introduction

Risk management is an important aspect in the life cycle of medical devices. Patients are already in a vulnerable position, and during diagnosis and treatment, they should be protected from risks that could further impact their health. International standard BS EN ISO 14971 [1] was developed to provide a process to assist manufacturers in identifying the hazards associated with medical devices, assessing the corresponding risks, controlling these risks where needed, and monitoring the effectiveness of the risk control measures. The third edition of this standard was published in December 2019, followed in June 2020 by the updated companion report ISO/TR 24971 [2], which provides extensive guidance on the application of the standard. A transitional period of 3 years following publication is usual to allow all stakeholders to adapt to the requirements in the new edition.

The standard is adopted in the European Union as a new edition of BS EN ISO 14971, and the guidance report is adopted as CEN ISO/TR 24971. EN ISO 14971:2019 and its amendment A11:2021 are listed in the Official Journal of the European Union (OJEU) as a harmonized standard in support of the European Regulations 2017/745 [6] for medical devices (MDR) and 2017/746 [7] for in vitro diagnostic medical devices (IVDR). Since national standards bodies are obliged to adopt European Norms as national standards, BS EN ISO 14971:2019 is adopted in the United Kingdom as a new edition of BS EN ISO 14971 with identical technical content as BS EN ISO 14971:2019 and a national foreword. The guidance report is adopted in the United Kingdom as PD CEN ISO/TR 24971:2020. In this paper, we will refer to the international documents BS EN ISO 14971 and ISO/TR 24971 for brevity.

This paper starts with a brief overview of the development of risk management over the past centuries, from elementary risk awareness in the early days to the structured stepwise process of planning, assessment, control and monitoring that we have today. This includes a review of how regulations and standards for medical devices have developed over the recent decades. The risk management process as described in BS EN ISO 14971 [1] is discussed in detail and the main changes in the third edition are indicated and explained. The broader context of BS EN ISO 14971 and its use in conjunction with other international standards to demonstrate compliance with regulatory requirements is also discussed.

History of risk management

Risk perception in early days

Risk management has evolved over many centuries. It started with awareness and the recognition that sometimes things go wrong, and gradually progressed with the application of more structured approaches and finally developed into a field of science in its own right. Elaborate historical reviews of risk management can be found in [8, 9, 10]. In the times of ancient history, people recognized that they could have good luck on some days and bad luck on other days. They consulted priests and oracles to learn if the gods would favour their actions and which would be the right day to build a house or to embark on a long journey. The advice was often cryptic and ambiguous, but it provided confidence when their decisions were based on the advice given. This way of dealing with uncertainty should be seen more as an early and limited kind of ‘risk awareness’ than as an effective form of risk management. Failures and damages that occurred were accepted and regarded as part of their unavoidable fate, but there were no attempts to understand or even eliminate the underlying causes.

In later years, people would apply ‘trial and error’ methods and use experience from previous failures to improve their decisions and actions. The focus was on analysing and learning from previous mistakes and failures and on improving product designs to prevent new failures, but there was less focus on reducing the consequences of the failures. This can be seen as a simple but effective application of post-production feedback.

The industrial revolution of the 19th century opened a new era of mechanization. The invention of the steam engine enabled the development of locomotives and large machines for a wide variety of industrial applications. These machines made of iron introduced new risks that were not present before. The brittleness of cast iron and the power of pressurized steam frequently resulted in accidents with severe injuries and often with many people being injured or killed, which revealed the need to develop safety principles and to perform reliability engineering. This led to the development of safer designs and better materials (wrought iron, steel alloys) and to the implementation of protective measures with the machinery.

The development of statistical methods in the 17th century by Pascal [11] and later refinements by Laplace [12] provided a mathematical basis for probability theory. This theory enabled the analysis of the probability of occurrence of failures and deviations from the expected. Statistical methods came into use by banks and insurance companies to support decision making and to manage financial risks. Nevertheless, it was not until after World War II that more structured approaches to risk analysis and risk management came into use for product development. This was stimulated for a large part by the growth of the aviation and aerospace industries and the concerns on the safety of nuclear power plants. Structured approaches for risk analysis were developed, such as Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA) and Hazard and Operability Study (HAZOP). Safety engineering also became an important topic in the defence sector, where the first edition of the US military standard MIL-STD-882 on system safety [13] was published in 1977, and even more prominently in the aviation sector, where a United Nations specialized agency for civil aviation safety [14] was established already in 1944.

Risk management for medical devices

Performing risk management became an essential requirement for medical device manufacturers with the publication of the European Directives AIMDD [3], MDD [4] and IVDMDD [5]. The risk management requirements only covered risk analysis and were expressed in general, not very specific terms. Risks needed to be reduced as far as possible while taking account of the generally acknowledged state of the art and maintaining a high level of protection of health and safety. Similar requirements can be found in the regulations of other countries. European standard EN 1441 [15] provided a procedure for manufacturers to investigate the safety of medical devices by identifying hazards and estimating risks based on available information. The scope of this standard was restricted to risk analysis because it was intended for conformity assessment purposes, i.e. to support demonstrating conformity with the essential requirements related to risk analysis in the European medical device directives. Unfortunately, the directives provide little guidance on further steps in the risk management process and on the acceptability of residual risks.

ISO Technical Committee 210 (Quality management and corresponding general aspects for medical devices) and IEC Subcommittee 62A (Common aspects of electrical equipment used in medical practice) recognized the need to develop an international standard for risk management of medical devices and established their Joint Working Group 1. EN 1441 [15] was taken as a starting point and was converted with minimal editing to BS EN ISO 14971-1 [16] in 1998, which thus also covered risk analysis. BS EN ISO 14971-1 was intended to be the first part in a series of standards. It was decided later that, instead of publishing separate parts, it would be better to publish one document covering all elements of the risk management process. This effort led to the first edition of BS EN ISO 14971 [1] in 2000, in which the principles of risk management for medical devices were elaborated further and the entire risk management process was described. This standard provided a complete framework for risk management including monitoring risks in the post-production phase. The standard was amended with a rationale in 2003.

The second edition of ISO 14971 was published in 2007 and the third edition in 2019, followed by the revised companion document ISO/TR 24971 [2] in 2020, containing extensive guidance on the application of ISO 14971. The requirements in the third edition of BS EN ISO 14971 [1] are expressed more accurately and are elaborated with more detail compared to the second edition. The requirements are in line with the recognized essential principles of safety and performance of medical devices (see ISO 16142-1 [17]) and in vitro diagnostic medical devices (see ISO 16142-2 [18]). They are also aligned with the general safety and performance requirements of the European Regulations, MDR [6] and IVDR [7]. In view of the improved and more detailed risk management requirements in these regulations compared to the European Directives [3, 4, 5], it is more accurate to say that the general safety and performance requirements in [6, 7] have been aligned with the globally accepted risk management framework and principles that have evolved over the past decades. As a result of this alignment, there are no content deviations between the risk management requirements of the European MDR and IVDR and those in the third edition of BS EN ISO 14971.

Risk management by BS EN ISO 14971

General

The risk management process described in BS EN ISO 14971 [1] consists of several steps, as illustrated in Figure 1, which apply to the design, development, production and post-production stages of every medical device. The distinct process steps are numbered from 1 to 6 and discussed in detail in this paper. It is important to recognize that these steps need to be documented in procedures in the manufacturer’s organization. The procedures for risk management can be embedded in a quality management system, but this is not required by BS EN ISO 14971. The reason is that regulations in some countries do not oblige manufacturers of low-risk medical devices to implement a quality management system. However, if a manufacturer has implemented a quality management system, it is recommended to integrate the risk management procedures into that system. In this context, it is emphasized that the European MDR and IVDR [6, 7] require the manufacturer to implement a quality management system that addresses risk management.

Figure 1 – The six process steps in the risk management process of BS EN ISO 14971 [1].

1. Risk management plan
2. Risk assessment
3. Risk control
4. Evaluation of overall residual risk
5. Risk management review
6. Production and post-production activities

A selection of important definitions in BS EN ISO 14971 [1] is given in Table 1. These defined terms are frequently used in this paper. The definitions for benefit and reasonably foreseeable misuse are new in the third edition of the standard. It is further noted that the numbering of the clauses has changed in the third edition of BS EN ISO 14971, because a clause on normative references has been inserted following requirements by the ISO/IEC Directives.

Table 1 – Important definitions in BS EN ISO 14971 [1]

Term: Definition

Benefit: Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health
Note: Benefits can include positive impact on clinical outcome, the patient’s quality of life, outcomes related to diagnosis, positive impact from diagnostic devices on clinical outcomes, or positive impact on public health

Harm: Injury or damage to the health of people, or damage to property or the environment

Hazard: Potential source of harm

Hazardous situation: Circumstance in which people, property or the environment is/are exposed to one or more hazards

Intended use: Use for which a product, process or service is intended according to the specifications, instructions and information provided by the manufacturer
Note: The intended medical indication, patient population, part of the body or type of tissue interacted with, user profile, use environment and operating principle are typical elements of the intended use

Reasonably foreseeable misuse: Use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behaviour
Note: Readily predictable human behaviour includes the behaviour of all types of users, e.g. lay and professional users. Reasonably foreseeable misuse can be intentional or unintentional

Residual risk: Risk remaining after risk control measures have been implemented

Risk: Combination of the probability of occurrence of harm and the severity of that harm

Risk control: Process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels

Safety: Freedom from unacceptable risk



Top management responsibilities

The commitment of top management is indispensable for proper risk management. Large corporations can consist of separate entities (such as divisions or business units), where each entity can have its own risk management process and its own quality management system. In such cases, top management refers to those individuals who direct and control that entity.

Top management is responsible for the provision of adequate resources and the assignment of competent personnel. This means that personnel need to have appropriate training and also the tools and the time to perform the risk management tasks assigned to them. Top management is further responsible for the continued effectiveness of the risk management process and, therefore, needs to regularly review its suitability at planned intervals. Information from the post-production phase can be valuable input for this review.

Top management also needs to define the policy on how to establish the criteria for risk acceptability. These criteria need to be based on relevant international standards and the regulations of the countries or regions where the medical devices are intended to be marketed. Considerations of the generally acknowledged state of the art and known stakeholder concerns need to be taken into account as well. Local regulations can impose that risks must be reduced as far as possible or as low as reasonably practicable (i.e. technically feasible in practice). A well-known concept for exposure to ionizing radiation is that the resulting radiation dose to any person must be as low as reasonably achievable (the ALARA principle, see [19, 20]). Where applicable, these concepts need to be incorporated in the criteria for risk acceptability. This means that the criteria need to provide guidelines on how far the risks shall be reduced. The end points for risk reduction ‘as far as possible’ can be determined based on international standards that provide specific state-of-the-art technical solutions or on local regulations that have specific requirements or limits. These concepts and the end points for risk reduction should be described in the policy.

Figure 2 – Risk chart (risk matrix) combining probability of occurrence and severity of harm

Probability of occurrence (rows): Frequent, Probable, Occasional, Remote, Improbable
Severity of harm (columns): Minor, Major, Critical, Fatal
Legend: Insignificant or negligible risk; Investigate further risk reduction; Unacceptable risk

A risk chart or risk matrix shown in Figure 2 can be useful in supporting the estimation and evaluation of residual risk, especially those risks for which no requirements and no technical solutions exist in international standards or local regulations. In such cases, the criteria can require risk reduction as far as possible where the end point is based on the combination of the probability of occurrence of harm and the severity of possible harm, as indicated in a risk chart. However, it is emphasized that the criteria for risk acceptability need to take the applicable regulations and standards into account and need to be more comprehensive than only a risk chart, and that a risk chart by itself is not the criteria. It is further noted that the descriptors of the severity and probability levels in Figure 2 are just examples, and that more or fewer levels and different descriptors can be chosen (e.g. Negligible, Moderate, Significant, Serious, Catastrophic for the severity levels and Inconceivable, Unlikely, Rare, Possible, Often for the probability levels). ISO/TR 24971 [2] provides guidance on defining the policy and on establishing the criteria for risk acceptability.

The severity levels need to be described in relation to the possible harm (injury to people, or damage to property or the environment). These levels can distinguish between life-threatening injuries, serious injuries that are not life-threatening but need immediate medical attention, major injuries that can result in permanent damage or impairment, minor injuries that are transient or reversible, minor injuries needing limited medical care, pain and discomfort. Concerning damage to property or the environment, the severity levels can distinguish between leakage of radioactive substances, leakage of or contact with hazardous chemicals, contamination with blood or other bodily fluids (possible infection with blood-borne viruses or bacteria), loss of x-ray images (where retaking adds radiation dose), loss of other images, loss of data, unauthorized access to data, destruction of the medical device or repairable damage to the medical device. The probability range can be divided into discrete levels based on the probability of occurrence of harm per use, per procedure, per device, per hour of use or within a population. The choice can depend on the type of medical device.

Risk management plan (process step 1)

All risk management activities must be planned. The plan provides a roadmap for the risk management activities to be conducted during the life cycle of the medical device. The risk management plan has to include among others the criteria for risk acceptability for the medical device to be developed. These criteria are established based on the policy defined by top management. The inclusion of the criteria in the risk management plan is helpful in ensuring an objective evaluation of the residual risks later in the process. Moreover, having a plan ensures an organized approach to risk management and prevents essential activities from being forgotten. For this purpose, a review of the execution of the risk management plan is required to be performed at the end of the design and development process and before commercial distribution of the medical device. This review ensures that the risk management plan has been properly executed so far, and that the final medical device is safe. The risk management plan further includes activities for the verification of the implementation and effectiveness of the risk control measures and activities for the collection and review of information during the production and post-production phases.

A risk management file needs to be created and maintained. Important parts of the risk management file are the risk management plan and the risk management report, which is created after the review of the execution of the plan. The risk management file further contains (references to) all records and other documents that are produced during the risk management process. The risk management file needs to provide traceability for each identified hazard to the risk analysis, the risk evaluation and the implemented risk control measures, including the evaluation of the residual risks. Traceability is necessary to ensure completeness of the risk management process, i.e. that all hazards are appropriately addressed and that every risk is adequately controlled.

Risk assessment (process step 2)

Risk assessment is a key element of the risk management process, consisting of a risk analysis and a risk evaluation. The first step in the risk analysis is documenting the intended use of the medical device (see definition in Table 1). It is important that the manufacturer carefully thinks about the purpose of the planned medical device. A clear description of the intended use is helpful in determining the boundaries of the correct use or correct application of the medical device. Any use beyond those boundaries determines the ‘misuse’ of the medical device.

The intended use includes:
• the medical indication and application (disease type, tissue and part of the body)
• the intended patient population (children, adults, elderly or specific patient groups, which can include limitations in dexterity or cognition)
• the users and the use environment (lay users at home, professional users in a hospital or outside hospitals for emergency care)
• the operating principle (how the diagnosis or treatment is achieved)

Table 2 – Definitions related to use from IEC 62366-1 [21]

Term: Definition

Abnormal use: Conscious, intentional act or intentional omission of an act that is counter to or violates normal use and is also beyond any further reasonable means of user interface-related risk control by the manufacturer
Examples: Reckless use or sabotage or intentional disregard of information for safety are such acts
Note: An intended but erroneous action that is not abnormal use is considered a type of use error. Abnormal use does not relieve the manufacturer from considering non-user interface-related means of risk control

Correct use: Normal use without use error

Normal use: Operation, including routine inspection and adjustments by any user, and stand-by, according to the instructions for use or in accordance with generally accepted practice for those medical devices provided without instructions for use
Note: Normal use should not be confused with intended use. While both include the concept of use as intended by the manufacturer, intended use focuses on the medical purpose while normal use incorporates not only the medical purpose, but maintenance, transport, etc. as well

Use error: User action or lack of user action while using the medical device that leads to a different result than that intended by the manufacturer or expected by the user
Note: Use error includes the inability of the user to complete a task. Use errors can result from a mismatch between the characteristics of the user, user interface, task or use environment. Users might be aware or unaware that a use error has occurred. An unexpected physiological response of the patient is not by itself considered use error. A malfunction of a medical device that causes an unexpected result is not considered a use error

User: Person interacting with (i.e. operating or handling) the medical device

User interface: Means by which the user and the medical device interact
Note: User interface includes all the elements of the medical device with which the user interacts, including the physical aspects of the medical device as well as visual, auditory, tactile displays and is not limited to a software interface

Definitions related to use from the international standard for usability engineering IEC 62366-1 [21] are given in Table 2. The different kinds of use and misuse are illustrated in the diagram of Figure 3. Correct use of the medical device includes the documented intended use, i.e. the medical purpose for which the device is intended to be used and also other uses that are necessary but not directly for medical purposes, such as maintenance, calibration, transport, stand-by, etc.

Figure 3 – Different kinds of use and misuse of a medical device considered in usability engineering and risk management

Use/misuse of medical devices
Risk management, ISO 14971: reasonably foreseeable use/misuse; not reasonably foreseeable use/misuse
Usability engineering, IEC 62366-1:
• Normal use
  • Correct use: intended use; other use (maintenance, transport, stand-by, etc.)
  • Use error (part of reasonably foreseeable misuse)
• Abnormal use (part of reasonably foreseeable misuse)
• Part of abnormal use, but not reasonably foreseeable, therefore out of scope

Some forms of misuse can be foreseen based on readily predictable human behaviour and are called reasonably foreseeable misuse in BS EN ISO 14971 [1] (see Table 1). The manufacturer needs to document the reasonably foreseeable misuse and consider it in the risk management process as well. Such misuse can be a use error which is performed unintentionally. However, use error can also arise from an intentional action, for example when the user consciously presses a button which appears to be the wrong button. Since errors can normally occur, both use error and correct use are considered to be part of normal use. Risks related to use error can be analysed and evaluated using a usability engineering process, such as the one described in IEC 62366-1 [21]. Those risks can often be controlled effectively in the user interface (see definition in Table 2). It has to be recognized, however, that some risks related to use error cannot be reduced sufficiently in this way and may need further control by other measures outside the user interface. Therefore, the results of the usability engineering process have to be fed back into the risk management process of BS EN ISO 14971. Reasonably foreseeable misuse can also include instances of abnormal use, which are not regarded as use error and cannot be controlled in the user interface. Abnormal use is a term from usability engineering (see Table 2) and concerns, for example, the intentional use of the medical device for an application that is unspecified or unintended by the manufacturer. This is sometimes called ‘off-label use’. Other intentional acts like sabotage cannot be foreseen by any reasonable means and are also part of abnormal use. Those acts can be outside the scope of risk management and are usually not included in the reasonably foreseeable misuse. But this is not a fixed rule, because breaches of data and systems security by hackers can be regarded as acts of sabotage but can also be reasonably foreseen.

The second step in the risk analysis is identifying the characteristics of the medical device that can affect its safety. Such characteristics can be related to the performance or the operating principle of the medical device, its intended use or reasonably foreseeable misuse. This can concern among others the materials used in parts coming into contact with the patient, moving parts, the use of radiation for diagnosis or treatment, the accuracy of measurements, the need for calibration or maintenance, the security of data or the required skills of the user. These characteristics need to be considered in the risk management process. The characteristics can be qualitative or quantitative and it may be necessary to establish limits that should not be exceeded. An extensive list of questions that can assist the manufacturer in identifying the characteristics related to safety is contained in ISO/TR 24971 [2]. It is emphasized that those questions are examples and the list should not be used as a checklist.

The third step is identifying the hazards associated All hazardous situations and all kinds of harm need
with the medical device and identifying the reasonably foreseeable sequences or combinations of events that can lead to hazardous situations. It is important to consider the medical device not only in its normal condition, but also when a defect is present or in a fault condition that could occur. The intended use, the reasonably foreseeable misuse and the characteristics related to safety are important inputs in this step. It has to be emphasized that different sequences of events can lead from one hazard to different hazardous situations, and that one hazardous situation can lead to different kinds and severities of harm depending on the circumstances. These situations need to be considered as separate risks and should not be combined and assessed together.

The fourth and final step in the risk analysis is estimating the risk for each of the identified hazardous situations. The severity of any possible harm and the probability that this harm occurs need to be estimated. The probability of occurrence of harm (P) can be decomposed into the probability that a hazardous situation occurs (P1) and the probability that the hazardous situation leads to harm (P2). Such decomposition (P = P1 × P2) can be helpful but is not mandatory. Data and experience with previous or similar medical devices on the market can be useful in estimating the risks, either qualitatively or quantitatively. A risk chart as shown in Figure 2 can be useful in risk estimation.

to be considered, not only the worst-case scenarios with the highest severity of harm, because scenarios with less severe harm could have a higher probability of occurrence and could thus lead to a higher risk.

Risk evaluation is also part of risk assessment. It is the step where the estimated risks are evaluated using the criteria for risk acceptability as defined in the risk management plan. The criteria for risk acceptability are established based on the policy defined by top management and are documented in the risk management plan. The criteria can incorporate the concept that risks have to be reduced as far as possible (see earlier section on top management responsibilities). The conclusions of the evaluation are documented in the risk management file. If the risk is judged acceptable, the estimated risk becomes the residual risk. If the risk is not judged acceptable, it is mandatory to perform risk control.

Experience shows that there is confusion about estimating risk when a particular risk control measure is always part of the medical device design. In this case it is sufficient to estimate and evaluate the risk after implementation of the risk control measure. It is not useful and therefore discouraged to estimate the (theoretical) risk for a medical device without the particular risk control measure in place, because it has become an integral part of the medical device design.
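The estimation and evaluation steps described above, worked through as an added example that is not part of the white paper or of BS EN ISO 14971. The five-level severity scale, the acceptability limits, the "exceedance" ratio and every probability in the register are constructed assumptions; in practice the criteria come from the manufacturer's risk management plan.

```python
"""Risk estimation (P = P1 x P2) and risk evaluation, as an added example.

All scales, limits and probabilities below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class Severity(IntEnum):
    # Hypothetical five-level severity scale (assumption, not from the paper).
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


# Constructed criteria for risk acceptability, standing in for the ones a
# manufacturer would define in the risk management plan: the highest
# acceptable probability of occurrence of harm (per use) for each severity.
ACCEPTABLE_P = {
    Severity.NEGLIGIBLE: 1e-2,
    Severity.MINOR: 1e-3,
    Severity.SERIOUS: 1e-4,
    Severity.CRITICAL: 1e-5,
    Severity.CATASTROPHIC: 1e-6,
}


@dataclass(frozen=True)
class Risk:
    """One hazard -> hazardous situation -> harm chain, kept as its own risk."""
    hazard: str
    situation: str
    harm: str
    severity: Severity
    p1: float  # probability that the hazardous situation occurs
    p2: float  # probability that the hazardous situation leads to harm

    def __post_init__(self):
        for name in ("p1", "p2"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be a probability, got {value}")

    @property
    def p_harm(self) -> float:
        """P = P1 x P2, the probability of occurrence of harm."""
        return self.p1 * self.p2


def exceedance(risk, criteria=ACCEPTABLE_P):
    """Estimated P divided by the limit for that severity (>1: not acceptable).

    This ratio is a convenience of this example for ranking risks of
    different severity; it is not defined by the standard.
    """
    return risk.p_harm / criteria[risk.severity]


def is_acceptable(risk, criteria=ACCEPTABLE_P):
    """Risk evaluation: compare the estimated risk with the criteria."""
    return risk.p_harm <= criteria[risk.severity]


def needs_risk_control(register, criteria=ACCEPTABLE_P):
    """Risks for which risk control is mandatory, highest exceedance first."""
    failing = [r for r in register if not is_acceptable(r, criteria)]
    return sorted(failing, key=lambda r: exceedance(r, criteria), reverse=True)


def with_control(risk, p1_factor=1.0, p2_factor=1.0):
    """Residual risk after a control measure that scales P1 and/or P2."""
    return replace(risk, p1=risk.p1 * p1_factor, p2=risk.p2 * p2_factor)


# Constructed register: one hazard, two hazardous situations, three harms.
REGISTER = [
    Risk("mains voltage", "service cover removed, live part touched",
         "ventricular fibrillation", Severity.CATASTROPHIC, p1=1e-5, p2=1e-3),
    Risk("mains voltage", "service cover removed, live part touched",
         "skin burn", Severity.SERIOUS, p1=1e-5, p2=0.5),
    Risk("mains voltage", "worn mains cable insulation touched by user",
         "electric shock with fall injury", Severity.SERIOUS, p1=1e-3, p2=0.3),
]

if __name__ == "__main__":
    for r in REGISTER:
        verdict = "acceptable" if is_acceptable(r) else "risk control required"
        print(f"{r.harm:32s} S={r.severity.name:12s} P={r.p_harm:.1e} {verdict}")
    for r in needs_risk_control(REGISTER):
        # Hypothetical protective measure: reinforced cable, P1 reduced 100x.
        residual = with_control(r, p1_factor=0.01)
        print("residual:", residual.harm, f"{residual.p_harm:.1e}",
              is_acceptable(residual))
```

In this register the catastrophic scenario passes evaluation while the less severe cable scenario does not, which is why the worst case alone is not enough.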

Risk control (process step 3)

The manufacturer has several risk control options for eliminating or reducing risks to an acceptable level. Many international standards provide specific technical solutions to address particular risks. Those standards should be considered in selecting the most appropriate options.

• The first and preferred option is to eliminate the risk by making the design of the medical device and its manufacturing process inherently safe. This ensures that a hazardous situation cannot occur. This is often related to the operating principle of the medical device. Examples include designing medical devices for single use such that they cannot be reused, designing medical electrical equipment such that live parts and high-voltage parts cannot be touched, and designing surfaces without sharp edges.

• If this is not possible, the second option is to implement protective measures in the design of the medical device or in the manufacturing process. Such measures can reduce the probability of occurrence of a hazardous situation or harm and/or the severity of the harm. Examples of such measures include gloves and special clothing to protect against contamination, covers to protect against electrical shock, barriers to prevent collision or trapping between moving parts, lead aprons and screens to protect against radiation. Protective measures also include alarms to alert people of a hazardous situation needing immediate attention to avoid any harm from occurring.

• If protective measures do not sufficiently reduce the risk, the third option is to provide information for safety to the users of the medical device. The information for safety can be given in the form of warnings or contraindications, or as instructions on how to handle and use the medical device. This information can concern in particular actions that the user needs to take or to avoid to prevent the occurrence of a specific hazardous situation or harm. Some examples are warnings against reuse of single-use medical devices, warnings for high voltage, high temperature or radiation, instructions to use personal protective equipment, and instructions for calibration and maintenance of medical devices performing measurements. Training of users can be an important means of providing the information for safety.

The risk control measures selected have to be implemented, and the implementation verified. This can be done as part of design and development verification in a quality management system. The effectiveness of the risk control measures implemented also has to be verified, which can be done as part of design and development validation in a quality management system. The results of these verifications are documented in the risk management file.

After implementation of the risk control measures, the residual risk has to be estimated and evaluated again using the criteria for risk acceptability. If the risk is not judged acceptable, it is necessary to consider more risk control. These iterations are indicated in Figure 1 with the arrows back and forth between risk control and risk assessment. If, after careful analysis, it is concluded that further risk control is not practicable, the manufacturer may perform a benefit–risk analysis. Data and literature can be gathered and analysed to determine if the benefits of using the medical device outweigh the residual risk. If this is not the case, the manufacturer needs to go back in the process and consider modifying the medical device or restricting the intended use (for example, to exclude vulnerable patient groups). Otherwise, the risk remains unacceptable and the medical device development needs to be abandoned.

Completeness is an important aspect in risk management. Therefore, the manufacturer is required to check that all identified hazardous situations have been addressed and all risk control activities have been completed. In addition, it has to be checked that the selected and implemented risk control measures do not introduce new risks and do not affect other risks.

Evaluation of overall residual risk (process step 4)

When one arrives at this process step, all individual risks have been controlled and judged acceptable. In some cases, a benefit–risk analysis has been performed with the conclusion that the benefits outweigh a particular risk. Although each risk is acceptable, it is important to also consider the contributions of all risks together (i.e. the overall residual risk). The reason is that the combination of several small risks could pose an unexpected big risk. For example, there could be too many risks in the yellow area of Figure 2 that were each investigated and for which no further risk reduction is possible. Another example is a particular risk control measure that is designed to control two independent risks simultaneously, which could be deemed unacceptable.

The clause on the evaluation of the overall residual risk has undergone considerable change in the third edition of BS EN ISO 14971 [1]. The second edition provided for a two-step approach, where the overall residual risk was first evaluated against the acceptability criteria. Second, if the overall residual risk was not judged acceptable, the manufacturer could gather data and literature to determine if the benefits of using the medical device would outweigh the overall residual risk. In this approach it was unclear which criteria for risk acceptability should be used and if the benefits of the intended use should or could also be considered in the first evaluation. Further, it was not clear which individual risks should be included in the evaluation of the overall residual risk.

The two-step approach is replaced with one evaluation in the third edition of BS EN ISO 14971. It is required that the contributions of all individual residual risks are taken into account, and that the overall residual risk is evaluated in relation to the benefits of the intended use of the medical device. The manufacturer is required to document the evaluation method and the criteria for acceptability of the overall residual risk in the risk management plan. This ensures an objective evaluation. The method can include gathering data and literature for similar medical devices available on the market and judgement by a cross-functional team of experts with knowledge of and experience in application of the medical device.

ISO/TR 24971 [2] provides further guidance on possible approaches that can be used in the evaluation and on inputs and other considerations that can be taken into account. It is explained that the criteria for acceptability of the overall residual risk can be different from the criteria for acceptability of individual risks. In any case, these criteria have to be based on the manufacturer’s policy for acceptable risk. If the overall residual risk is not judged acceptable, the manufacturer needs to go back in the process and apply additional risk control measures. These iterations are indicated in Figure 1 with the arrows back and forth between risk control and evaluation of overall residual risk. The manufacturer can also consider modifying the medical device or restricting the intended use (for example, excluding vulnerable patient groups). Otherwise, the overall residual risk remains unacceptable and the medical device development needs to be abandoned.

The manufacturer is instructed to inform users of any significant residual risks and to disclose those risks by providing relevant information in the accompanying documentation. Since BS EN ISO 14971 [1] focuses on risks related to the design of the medical device and how the manufacturer can control them, it is important to disclose the residual risks inherent to the use of the medical device after all risk control measures have been implemented. The residual risks can relate to side-effects or after-effects of using the medical device in a particular procedure, for example, erythema that can occur after radiation therapy, patients experiencing blood in their urine after lithotripsy of kidney stones, and swelling or inflammation of the eye after ophthalmic surgery. The disclosed information enables the user to make informed decisions on whether to use this medical device in a particular situation or to choose a different medical device, taking account of the condition of the individual patient. The disclosure of residual risks needs to be distinguished from information for safety, which is a risk control measure. While the disclosure of residual risk is descriptive and provides the user with information on risks inherent to the use of the medical device, information for safety is instructive and provides the user with information on how to use the medical device and on actions to take or to avoid to prevent a particular hazardous situation or harm from occurring. ISO/TR 24971 [2] provides further guidance on information for safety and the disclosure of residual risk.

Risk management review (process step 5)

As emphasized before, completeness is an important aspect of risk management. Therefore, after the design and development of the medical device and before its commercial distribution, BS EN ISO 14971 requires the manufacturer to review that the risk management plan was properly executed and appropriately implemented. It also needs to be ensured and recorded that the overall residual risk is acceptable. Methods to collect and review production and post-production information need to be in place before the medical device is finally released and placed on the market. The results of this review are documented as the risk management report, which forms a crucial part of the risk management file. The risk management report is signed off by persons with the appropriate authority and serves as the high-level document providing evidence that the risk management plan has been satisfactorily executed and the objectives have been achieved. Information from the production and post-production phases could reveal the need to adapt and improve the medical device during its life cycle and thus also to update the risk management report.

Production and post-production activities (process step 6)

The clause on production and post-production information has undergone considerable modification in the third edition of BS EN ISO 14971 [1]. The principles of collecting and reviewing information have not changed, but the requirements and the activities are described more elaborately and more precisely. The clause is divided into four sections corresponding to the steps that the manufacturer needs to take.

• The first step is to establish a system to collect and review relevant production and post-production information. This system must include appropriate methods for the collection and processing of data, which can include statistical methods for trend analysis. The system can be integrated with the monitoring and feedback processes required by a quality management system. The necessary activities to set up the system for collecting and reviewing information have to be included in the risk management plan.

• The second step is to collect relevant information for the medical device under consideration. A non-exhaustive list of sources is given in the standard, including information from users, from the supply chain and on the generally acknowledged state of the art (such as new or revised standards, alternative medical devices or alternative therapies). Publicly available information about similar medical devices and similar other products on the market should be considered as well. Those other products are not necessarily medical devices, but they can have a similar (non-medical) application or similar operating principles. It is required that the manufacturer actively collects the information and does not wait passively until such information becomes known.

• The third step is to review if the information is relevant to the safety of the medical device. In particular, the manufacturer needs to determine whether a previously unidentified hazard or hazardous situation exists, an estimated risk is no longer acceptable, the benefits of the medical device no longer outweigh the overall residual risk, or the generally acknowledged state of the art has changed. For example, the benefit in practice could appear to be less than anticipated or new technologies could have become available with smaller associated risks. In such cases, it needs to be investigated whether the medical device under consideration still has a favourable benefit-risk balance.

• If any of the above situations occurs, the manufacturer needs to take action. This is the fourth step. The required actions are described in more detail in the third edition of the standard. The manufacturer has to review the risk management file for the medical device and determine if any new risk needs to be assessed or any previously estimated risk needs to be assessed again, and if it is necessary to implement additional risk control measures. Actions regarding medical devices already on the market can be required as well. The manufacturer also has to evaluate the impact on the risk management activities that were previously performed. This evaluation can provide valuable input for top management when they review the suitability of the risk management process.

Relation of BS EN ISO 14971 with other standards

Other standards for medical devices and processes

BS EN ISO 14971 [1] provides a generic process for risk management of all kinds of medical devices, applicable to the entire life cycle from design and development through production and post-production until decommissioning and disposal. The standard is primarily aimed at medical device manufacturers, but it can also be used by other parties involved in the life cycle of the medical device such as suppliers. It can also be applied to other products that are not necessarily considered as medical devices in all jurisdictions but that can be subject to medical-device regulations or similar regulations, such as the products without an intended medical purpose listed in Annex XVI of the EU MDR [6]. Due to its generic character, BS EN ISO 14971 needs to be applied in combination with other process standards and device-specific standards in order to ensure the safety of the medical device and to demonstrate compliance with all regulatory requirements.

As indicated above in Risk assessment (process step 2) where reasonably foreseeable misuse was discussed, it is important to investigate use errors in the medical device development. The kind and type of use errors are difficult to predict, as is the probability that they will actually occur. The usability engineering process described in IEC 62366-1 [21] can replace some steps in the risk management process, because this standard provides dedicated methods to identify hazardous situations related to use error and to evaluate the effectiveness of the risk control measures in the user interface of the medical device. Similarly, other process standards can be used in conjunction with BS EN ISO 14971. For example, BS EN ISO 10993-1 [22] provides the general principles of and a process for the evaluation of biological risks of materials expected to come in contact with the patient or the user of the medical device. BS EN ISO 14155 [23] applies to the clinical investigation of medical devices on humans and provides the principles for good clinical practice. This includes ethical considerations, responsibilities of the parties involved and requirements for planning, conduct, recording and reporting of clinical investigations. IEC 62304 [24] defines a common framework for the life-cycle processes of medical device software, which can be embedded software intended to be incorporated in a medical device or standalone software intended to be used as a medical device. This framework includes requirements for development and maintenance planning, documentation, classification and risk management.

Device-specific standards need to be applied together with BS EN ISO 14971. These standards can be regarded as representing the generally acknowledged state of the art, providing technical solutions to control specific risks that are typical for the given category of medical devices. Compliance with such standards can be used to deduce that the corresponding risks are reduced to acceptable levels, unless there is objective evidence to the contrary. Many device-specific ISO standards exist for a wide range of (mostly non-electrical) medical devices and their components. Also, there are many particular standards – IEC 60601-2-x and IEC/ISO 80601-2-x – for the basic safety and essential performance of medical electrical equipment. Each of these particular standards applies to a specific category of medical electrical equipment and has been developed as a dedicated version of the general safety standard IEC 60601-1 [25]. The manufacturer needs to consider which combination of process standards and device-specific standards is appropriate for the medical device or medical equipment that is being developed.

Other standards and guides for safety and risk management

As a risk management standard, the purpose of BS EN ISO 14971 [1] is to assist manufacturers in achieving safety (i.e. freedom from unacceptable risks) for the medical devices that they develop and place on the market. BS EN ISO 14971 is based on ISO/IEC Guides 51 and 63. ISO/IEC Guide 51 [26] is addressed to writers of international standards for all sectors and provides guidelines on how to include safety aspects. ISO/IEC Guide 63 [27] provides guidelines on how safety aspects should be included in standards specifically for the medical device sector. This guide was developed based on ISO/IEC Guide 51 and is addressed to writers of international standards for medical devices. This was considered necessary in view of the high importance of safety and the strict regulatory requirements in this sector. The two standards expressing the essential principles for safety and performance of medical devices [17] and in vitro diagnostic medical devices [18] are based on BS EN ISO 14971 and ISO/IEC Guides 51 and 63. Risk in all these documents is defined in terms of the probability of occurrence of harm and the severity of possible harm. In all safety standards directly or indirectly derived from ISO/IEC Guide 51, harm can be injury or damage to the health of people, but also damage to property or the environment (see Table 1). Thus, we can say that the concepts of risk in these documents are based on well-established safety principles.

The concepts and definition of risk in BS EN ISO 14971 are in strong contrast with those in ISO Guide 73 [28] (risk management vocabulary) and BS ISO 31000 [29] (risk management guidelines). Risk in [28, 29] is defined as the effect of uncertainties on (business) objectives. Since these effects can be positive or negative, the risk in the latter documents can be related to threats as well as opportunities. The guidelines in BS ISO 31000 are expressed in general, high-level language and are intended for business risk management and dealing with uncertainties. This makes BS ISO 31000 not suitable for applying safety principles and managing risks in product development. Nevertheless, one can recognize the typical process steps that are present in any risk management process [1, 10, 13, 26, 27]. However, the general guidelines of BS ISO 31000 need to be ‘translated’ carefully to each specific situation and each specific product being considered. For the application of risk management to medical devices, this translation has already been performed in ISO/IEC Guide 63 [27] and BS EN ISO 14971.

Conclusion

The science of risk management has developed and matured over the past centuries. This holds for all industry sectors including the medical device sector. It is now impossible to imagine that a medical device would be developed and placed on the market without thorough risk assessment or post-production monitoring. BS EN ISO 14971 [1] has established itself as the globally recognized standard for applying risk management to medical devices. It provides a complete and comprehensive process for manufacturers to identify hazards associated with the medical devices under development, to assess the risks involved, to control those risks and to monitor the effectiveness of the risk controls throughout the life cycle of the medical device. The companion report ISO/TR 24971 [2] provides guidance on the application of the standard.

The requirements in the third edition of BS EN ISO 14971 are aligned with the general safety and performance requirements of the European Regulations MDR [6] and IVDR [7] and are in accordance with the regulatory requirements for medical devices in most other jurisdictions. The requirements also support demonstrating compliance to the essential principles of safety and performance for medical devices and in vitro diagnostic medical devices [17, 18]. Therefore, BS EN ISO 14971 will continue to be the globally recognized risk management standard. Further, the third edition of BS EN ISO 14971 has been harmonized and listed in the Official Journal of the European Union as providing a presumption of conformity to the European MDR and IVDR without content deviations.

References

1. ISO 14971, Medical devices – Application of risk management to medical devices (Edition 1:2000, 2:2007, 3:2019)

2. ISO/TR 24971, Medical devices – Guidance on the application of ISO 14971 (Edition 1:2013, 2:2020)

3. Council Directive 90/385/EEC on the approximation of the laws of the Member States relating to active implantable medical devices (1990, last amended 2007)

4. Council Directive 93/42/EEC concerning medical devices (1993, last amended 2007)

5. Directive 98/79/EC of the European Parliament and of the Council on in vitro diagnostic medical devices (1998, last amended 2011)

6. Regulation (EU) 2017/745 of the European Parliament and of the Council on medical devices (2017)

7. Regulation (EU) 2017/746 of the European Parliament and of the Council on in vitro diagnostic medical devices (2017)

8. Covello, V.T. & Mumpower, J. (1985) Risk analysis and risk management: An historical perspective. Risk Analysis, 5, 103-120.

9. Zachmann, K. (2014) ‘Risk in historical perspective: Concepts, contexts, and conjectures’, in C. Klüppelberg, D. Straub and I.M. Welpe (eds.) Risk – A Multidisciplinary Introduction. Switzerland, Springer International Publishing.

10. Aven, T. (2016) Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253, 1-13.

11. Ore, O. (1960) Pascal and the invention of probability theory. The American Mathematical Monthly, 67, 409-419.

12. Laplace (1814) Théorie analytique des probabilités, 2nd ed. Paris, Courcier Imprimeur-Libraire.

13. Department of Defense, Military standard on system safety. MIL-STD-882 (Edition A:1977, B:1984, C:1993, D:2000, E:2012)

14. International Civil Aviation Organization. Available from: https://www.icao.int

15. EN 1441, Medical devices – Risk analysis (Edition 1:1997, withdrawn)

16. ISO 14971-1, Medical devices – Risk management – Part 1: Application of risk analysis (Edition 1:1998, withdrawn 2000)

17. BS ISO 16142-1:2016, Medical devices – Recognized essential principles of safety and performance of medical devices – Part 1: General essential principles and additional specific essential principles for all non-IVD medical devices and guidance on the selection of standards

18. BS ISO 16142-2:2017, Medical devices – Recognized essential principles of safety and performance of medical devices – Part 2: General essential principles and additional specific essential principles for all IVD medical devices and guidance on the selection of standards

19. International Atomic Energy Agency (IAEA), Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards, General Safety Requirements, Part 3 (2014)

20. Council Directive 2013/59/EURATOM laying down basic safety standards for protection against the dangers arising from exposure to ionising radiation (2013)

21. BS EN 62366-1:2015+A1:2020, Medical devices – Part 1: Application of usability engineering to medical devices

22. ISO 10993-1, Biological evaluation of medical devices – Part 1: Evaluation and testing within a risk management process (Edition 5:2018)

23. BS EN ISO 14155:2011, Clinical investigation of medical devices for human subjects – Good clinical practice

24. BS EN 62304:2006+A1:2015, Medical device software – Software life cycle processes

25. IEC 60601-1, Medical electrical equipment – Part 1: General requirements for basic safety and essential performance (Edition 3:2005, Amendment 1:2012)

26. ISO/IEC Guide 51, Safety aspects – Guidelines for their inclusion in standards (Edition 1:1990, 2:1999, 3:2014)

27. ISO/IEC Guide 63, Guide to the development and inclusion of safety aspects in International Standards for medical devices (Edition 1:1999, 2:2012, 3:2019)

28. ISO Guide 73, Risk management – Vocabulary (Edition 1:2009)

29. BS ISO 31000:2018, Risk management – Guidelines

Author

Jos van Vroonhoven, Senior Manager Standardization, Philips, The Netherlands
Jos has had a 30-year career with Philips in The
Netherlands, of which 15 years have been spent
in Research and Development and 15 years in
Healthcare. He became increasingly involved in
the application of x-ray safety standards when
working as a radiation protection specialist. He
participated in several IEC working groups to
develop IEC 60627 (anti-scatter grids), IEC 60601-
2-54 (x-ray diagnostic equipment), IEC/TR 60601-
4-1 (equipment with a degree of autonomy) and
the first amendment to IEC 60601-1. In his
current position, Jos focuses on international and
European standardization for medical electrical
equipment in IEC, ISO, CEN and CENELEC. He is
chair of the NEN national mirror committee for
IEC/TC 62 and its subcommittees and an expert
member of the national mirror committee for
ISO/TC 210. Since 2016 he is also the convener of
Joint Working Group 1 (JWG1) between ISO/TC
210 and IEC/SC 62A on the application of risk
management to medical devices, working on the
revision of ISO 14971 and ISO/TR 24971. JWG1
has also prepared ISO/IEC Guide 63 with
guidance for standards writers on the inclusion
of safety aspects in international standards for
medical devices.

Reviewers

Jane Edwards, Head of Communications, Global Product Management, BSI
Jane holds a BSc in Chemistry and an MBA from Durham University. She has over 13 years’ experience in the medical device industry, having previously worked for Coloplast in their ostomy and continence business. Jane’s experience includes working within the pharmaceutical, chemical and telecoms industries for Glaxo Wellcome, ICI and Ericsson, allowing her to bring depth of knowledge from across many industries and technologies. Her current role in BSI allows her to work with technical reviewers across all disciplines ensuring that all BSI communications are accurate and relevant. She is a member of the European Medical Writers Association.

Jeremy Tinkler, Director of Regulatory Consultancy and Quality Assurance, MedPass International SAS, Paris
Jeremy joined MedPass International, a Clinical Research Organisation and regulatory consultancy, in 2007 after 20 years at MHRA, where he was Principal Specialist in Biosciences and Implants. Since 1987, he has taken a leading role in the development of international standards in risk management, biological safety, clinical investigation and implants, and MEDDEV 2.7/1 on clinical evaluation. He has been involved in writing risk management standards since the 1990s and is Chairman of ISO Technical Committee 194 (biological and clinical evaluation), responsible for ISO 14155 and ISO 10993.

Paul Sim, Medical Devices Knowledge Manager, BSI Standards
Paul has worked in the healthcare industry for over 35 years, joining BSI in 2010 to lead the organization in Saudi Arabia where it had been designated as a Conformity Assessment Body. Later, he managed BSI’s Unannounced Audits programme. Since October 2015, he has been working with both the Notified Body and Standards organizations looking at how best to use the knowledge, competencies and expertise in both. Previously he held senior RA/QA leadership positions at Spacelabs Healthcare, Teleflex Medical, Smiths Medical and Ohmeda (formerly BOC Group healthcare business). Paul is a member of the Association of British Healthcare Industries (ABHI) Technical Policy Group and Convenor of the ABHI ISO TC 210 Mirror Group. He is Convenor of the BSI Committee that monitors all of the work undertaken by ISO TC 210, and Convenor of the BSI Subcommittee dealing with quality systems. As UK Delegation Leader to ISO TC 210, he is also actively involved in the work of national, European and international standards’ committees.

Eamonn Hoxey, Director, E V Hoxey Ltd
Eamonn is a technical author, trainer and consultant in a range of life science areas including regulatory compliance, quality management, sterility assurance and standards development. He worked for Johnson & Johnson for 17 years in positions of increasing responsibility for Quality and Regulatory Compliance for medical devices, pharmaceuticals and consumer products, including Vice President of Compliance, Vice President of Market Quality and leading quality implementation for the EU medical devices regulation for J&J’s Medical Devices companies. Prior to joining J&J, Eamonn spent 16 years with the UK Medical Devices Agency, including six years as Head of Device Technology and Safety. Eamonn is currently chair of ISO TC 198, Sterilization of Healthcare products, chair of CEN TC 204 ‘Sterilization of medical devices’ and past chair of ISO TC 210 ‘Quality management and related general aspects for medical devices’. He received the BSI Wolfe-Barry medal in 2016 for his contribution to standards development.

Published white papers

• The growing role of human factors and usability engineering for medical devices: What’s required in the new regulatory landscape? Bob North
• The differences and similarities between ISO 9001:2015 and ISO 13485:2016: Can we integrate these quality management standards? Mark Swanson
• Planning for implementation of the European Union Medical Devices Regulations – Are You Prepared? Eamonn Hoxey
• Cybersecurity of medical devices: Addressing patient safety and the security of patient health information, Richard Piggin
• The European Medical Devices Regulations: What are the requirements for vigilance reporting and post-market surveillance? Eamonn Hoxey
• General Safety and Performance Requirements (Annex 1) in the New Medical Device Regulation: Comparison with the Essential Requirements of the Medical Device Directive and Active Implantable Device Directive, Laurel Macomber and Alexandra Schroeder
• Do you know the requirements and your responsibilities for medical device vigilance reporting? A detailed review on the requirements of MDSAP participating countries in comparison with the European Medical Device Regulation 2017/745, Cait Gatt and Suzanne Halliday
• Technical Documentation and Medical Device Regulation: A Guide for Manufacturers to Ensure Technical Documentation Complies with EU Medical Device Regulation 2017/745, Dr Julianne Bobela, Dr Benjamin Frisch, Kim Rochat and Michael Maier
• Nanotechnology: What does the future look like for the medical devices industry? Professor Peter J Dobson, with Dr Matthew O’Donnell
• Developing and maintaining a quality management system for IVDs, Melissa Finocchio
• Recent advancements in AI – implications for medical device technology and certification, Anil Anthony Bharath
• The impact and potential for 3D printing and bioprinting in the medical devices industry, Kenny Dalgarno
• Sterilization – Regulatory requirements and supporting standards, Eamonn Hoxey
• Medical device clinical investigations – What’s new under the MDR? Maria Donawa
• The convergence of the pharmaceutical and medical devices industries: Navigating the innovations and regulations, Barbara Nasto and Jonathan Sutch
• Phthalates and endocrine disruptors – An overview of their safety requirements and evaluations and the standards that support them, Benjamin Seery
• European Union Medical Device Regulation and In Vitro Device Regulation: unique device identification: What is required, and how to manage it, Mary Gray
• Person responsible for regulatory compliance (PRRC) – MDR/IVDR Article 15: An overview of the requirements and practical considerations, Anne Jury and Maddalena Pinsi
• Guidance on MDCG 2019-9: Summary of Safety and Clinical Performance, Amie Smirthwaite
• Clinical evaluation under EU MDR, Amie Smirthwaite
• Medical device clinical investigations — What’s new under the MDR? An update, Maria Donawa
• Using Standards to Demonstrate conformity with Regulations, Eamonn Hoxey

Forthcoming white papers

• Requirements of EU-GDPR and PMCF studies, registries and surveys under the MDR (working title), Richard Holborow
• Performance Evaluation for IVD, Fiona Gould

About BSI Group

BSI (British Standards Institution) is the business
standards company that equips businesses with
the necessary solutions to turn standards of best
practice into habits of excellence. Formed in 1901,
BSI was the world’s first National Standards Body
and a founding member of the International
Organization for Standardization (ISO). Over a
century later it continues to facilitate business
improvement across the globe by helping its clients
drive performance, manage risk and grow
sustainably through the adoption of international
management systems standards, many of which
BSI originated. Renowned for its marks of
excellence including the consumer recognized BSI
Kitemark™, BSI’s influence spans multiple sectors
including aerospace, construction, energy,
engineering, finance, healthcare, IT and retail. With
over 70,000 clients in 150 countries, BSI is an
organization whose standards inspire excellence
across the globe.

BSI is keen to hear your views on this paper, or for
further information please contact us here:
[email protected]

This paper was published by BSI Standards Ltd

For more information please visit:
bsigroup.com/en-GB/our-services/medical-device-services/BSI-Medical-Devices-Whitepapers/

Read more about our services and products on our website bsigroup.com
