What’s New in ISO 14971:2019 and ISO/TR 24971:2020

Author: Silas Minnick, Senior Quality Engineering Consultant

What’s in your ISO 14971 risk management plan?

In December 2019, the latest revision to ISO 14971 was released. This standard specifies the terminology, principles, and processes related to the application of risk management for medical devices.

While medical device standards are essential to understanding the requirements for devices, it is their accompanying guidance on the development, implementation, and maintenance of those requirements throughout the product life cycle that provides you with the tools to carry them out. The risk management guidance for medical devices, ISO/TR 24971:2020, was just released this past June.

One item of note from the updated standard is that the manufacturer is still empowered to determine the method of measurement and the criteria for when any risk mitigation is necessary.

I believe these updates are intended to provide clarification of terms, emphasis on software, and expanded understanding that will aid manufacturers in developing acceptable risk management plans that will hold them accountable for safe medical devices throughout the product life cycle.

Read on to gain insight into three new definitions specified in ISO 14971:2019, as well as my thoughts on the future of medical device risk management.

Three new definitions added to ISO 14971:2019

I should point out that the terms ‘benefit’, ‘reasonably foreseeable misuse’ and ‘state of the art’ had been used numerous times in older versions of ISO 14971 without being defined. The 2019 version adds definitions for them, with notes to clarify their meaning. They are supplied below as written in the standard, together with the relevant notes to each entry:

1.) Benefit – positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health.

Note: Benefits can include positive impact on clinical outcome, the patient’s quality of life, outcomes related to diagnosis, positive impact from diagnostic devices on clinical outcomes, or positive impact on public health.

2.) Reasonably foreseeable misuse – use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behaviour.

Notes:

  • Readily predictable human behaviour includes the behaviour of all types of users, e.g. lay and professional users.
  • Reasonably foreseeable misuse can be intentional or unintentional.

3.) State of the art – developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience.

Note: The state of the art embodies what is currently and generally accepted as good practice in technology and medicine. The state of the art does not necessarily imply the most technologically advanced solution. The state of the art described here is sometimes referred to as the “generally acknowledged state of the art”.

Risk Management Considerations for Devices Sold in Europe

If selling devices in Europe, a manufacturer must take into consideration BS EN ISO 14971:2012 from the British Standards Institution (BSI), which was approved by the European Committee for Standardization (CEN) on May 16, 2012. The foreword of this document states that its content is identical to ISO 14971:2007; however, three annexes at the beginning identify several shortcomings in ISO 14971:2007 when compared to the Medical Device Directive (MDD) 93/42/EEC.

Common to all of these BS EN ISO 14971:2012 annexes is the requirement that all risks be reduced “as far as possible”, rather than leaving the manufacturer free to decide the threshold for risk acceptability.

With the release of ISO 14971:2019, I expect that a new BSI version, approved by CEN, will be published at some point in the future so that any specific needs of the EU Medical Device Regulation (MDR) 2017/745 can be addressed.

Medical Device Cybersecurity and the Future of Risk Management

Another update worth noting is the migration of the annexes. Six annexes from ISO 14971:2007 were moved to the guidance on the application of ISO 14971, and two were added, resulting in a total of eight annexes now in ISO/TR 24971:2020.

[Table listing the eight annexes of ISO/TR 24971:2020 not reproduced here; in the original, @ marks those moved from ISO 14971:2007]
In my opinion, shifting and expanding the annexes from the standard to the guidance will allow for more frequent revisions. This change highlights the revision’s emphasis on addressing the evolving needs of medical device software.

Flexibility to update the guidance will enable our industry to more aggressively focus on medical device cybersecurity and patient privacy issues as the technology changes far faster than the standard, which is reviewed every five years.

As our industry expands to include more medical devices with a software component, we must ensure that the application of standards that ensure safety can keep pace with the speed of technology – the most recent updates to the standards and their guidance are a step in the right direction.

Medical Device Risk Management Know-How

Clear, concise instructions and quality tools for planning, verification and validation are critical components of any medical device risk management plan.

Contact QA Consulting today to discuss your medical device risk management strategy.