ISO 14971:2019

ISO 14971:2019 Risk Management — The Foundation Your Device Cannot Be Certified Without

Risk management is not a document you produce once and file away. It is a living system that runs through your entire technical file, clinical evaluation, and PMS process. MEGACERT builds risk management systems that actually protect your patients — and your certification.

What Changed with ISO 14971:2019

The 2019 revision of ISO 14971 brought significant changes that many manufacturers underestimate:

  • ALARP is out — The standard now requires that risks be reduced As Far As Possible (AFAP), not merely As Low As Reasonably Practicable
  • Benefit-risk analysis is central — Residual risk acceptability must be explicitly justified through clinical benefit, not just probability × severity matrices
  • Risk management extends to IFU — Information for safety (labeling, IFU) is now a risk control measure that must be formally documented as such
  • Integration with clinical evaluation — Risk management files must actively reference and be informed by clinical data from the CER and PMS

Our Risk Management Deliverables

01. Risk Management Plan (RMP)

Scope definition, responsibilities, risk acceptability criteria, risk evaluation criteria, and risk management activities aligned to your device's intended use and lifecycle phases.

02. Hazard Identification & Risk Estimation

Systematic hazard identification covering intended use, foreseeable misuse, and interactions with other devices/environments. Risk estimation using severity scales and probability classes aligned to clinical evidence.

03. Risk Control Implementation & Verification

Three-tier risk control hierarchy per ISO 14971 Clause 6: inherently safe design → protective measures → information for safety. Verification that each control measure is effective.

04. FMEA (Failure Mode and Effects Analysis)

Design FMEA (dFMEA) and/or Process FMEA (pFMEA) linking failure modes to hazardous situations, risk estimates, and control measures. Fully traceable and cross-referenced to your technical file.

05. Residual Risk Evaluation & Benefit-Risk Analysis

Evaluation of individual and overall residual risks. Benefit-risk analysis narrative demonstrating that the clinical benefits outweigh the residual risks — using clinical data from your CER.

06. Risk Management Report (RMR)

Confirmatory review that the risk management plan has been executed, residual risks are acceptable, and appropriate PMS methods are in place to detect new risks in the field.

Standards We Work With

Our risk management work integrates and cross-references the following standards and guidelines as applicable to your device:

  • ISO 14971:2019 — Medical devices: Application of risk management
  • IEC 62366-1:2015+AMD1:2020 — Usability engineering
  • IEC 60601-1:2005+AMD2:2020 — General requirements for electrical safety
  • ISO 10993-1:2018 — Biological evaluation
  • MDCG 2020-6 — Guidance on sufficient clinical evidence for legacy devices
  • MDR Annex I — General Safety and Performance Requirements

Frequently Asked Questions

No — risk management is one critical pillar, but GSPR compliance also requires performance testing, biocompatibility data, usability evaluation, and clinical evidence. MEGACERT helps you build an integrated compliance strategy, not isolated documents.

Ready to build a risk management system that protects your patients and passes Notified Body scrutiny? Contact MEGACERT for a free risk file review.
