Getting Started with Medical Device Risk: An Intro to ISO 14971

TL;DR
If you're building a medical device, ISO 14971 is a necessity: it is your blueprint for safety. It’s a formal process for figuring out what could possibly go wrong (hazards and harms), so you can manage those risks before they ever reach a patient. The goal isn’t zero risk, which is impossible in the medical device world. The goal is proving that the device's benefits outweigh its residual risks to patients and users. Your first real job is to list out all the potential harms your device could cause, which sets the stage for everything that follows.
This blog post is an introduction to the foundational concepts of medical device risk management. First steps include determining your Hazards, Hazardous Situations, and Harms, which go into your Harms Table. It's the prequel to our next post on how to estimate risks and perform risk assessments.
Contents
- Introduction: Why Risk Management is Your Safety Net
- The Core Concepts: Hazards, Harms, and Banana Peels
- Your First Step: Building the Chain of Risk
- Pro Tips for a Solid Foundation
- Conclusion
Introduction: Why Risk Management is Your Safety Net
Let’s imagine that you have built a MedTech device. Whether your device is composed of AI-driven diagnostics, 3D-printed implants, or surgical assistants, before it ever touches a patient, you have to prove it won’t cause more harm than good (we call this the benefit-risk ratio). That’s where risk management and the risk management standard ISO 14971 come in.
This standard isn’t about eliminating every risk (spoiler: that’s impossible), but about managing them thoughtfully and accounting for risk throughout the entire process of creating and then marketing your device. Risk management requires you to spot problems before they happen, reduce their impact, and monitor how well your solutions (called risk controls) work.
I’ll refer to risk management and ISO 14971 interchangeably in this blog post, but so you know, this standard is recognized by most regulatory bodies as the de facto standard for risk. However, each region has its own flavor of how it looks at risk and how risk should be accounted for. For example, the EU MDR requires that you reduce your risks as far as possible, acceptable or not, whereas ISO 14971 doesn’t require it and just recommends you do that.
The Core Concepts: Hazards, Harms, and Banana Peels
First, to understand how the risk management process works, we need to speak the same language. Risk management has a few key terms that you absolutely have to get right.
- Harm: This is the actual injury. A skin burn, a cut, an infection, a misdiagnosis that leads to delayed treatment. It’s the bad thing that actually happens to the person.
- Hazard: This is the potential source of that harm. Think of it as the thing with the built-in potential to do damage. Examples: electrical energy, a sharp edge on your device, a software bug, a toxic material.
- Hazardous Situation: This is essentially how the Hazard becomes the Harm. The user touches the sharp edge. The software bug causes the pump to deliver the wrong dose. How does one lead to the other?
Think of it this way: A banana peel on the floor is the hazard. A person slipping on it is the hazardous situation. The resulting broken arm is the harm. Your job is to think through every reasonably possible “broken arm” your device could cause.
NOTE: The definitions listed above aren’t the official definitions from ISO 14971 as those definitions don’t give you the best understanding of what each means (in my humble opinion).
Your First Step: Building the Chain of Risk
So, how do you actually start documenting risk in a way an auditor will respect? You don’t just make a simple list of bad outcomes. You build a clear, traceable story for every potential risk. Regulators want to see that you’ve connected the dots from the source of the danger all the way to the patient.
Think of it as a three-link chain that forms the backbone of your risk analysis file:
Hazard → Hazardous Situation → Harm
This is the core logic of ISO 14971. You have to prove you’ve thought through not just what could go wrong, but how it would happen. You start by identifying the potential source of harm (Hazard), describing the scenario where a person is exposed to it (Hazardous Situation), and finally, stating the injury that results (Harm).
It is often best practice to also include a 4th step, called “sequence of events,” that goes between Hazard and Hazardous Situation and describes how you arrived at that Hazardous Situation.
This is what it looks like when you start filling out your risk management file. Let’s take an example of a "smart" thermometer:
See the difference? We’ve moved from a simple list to a structured analysis. Documenting risk this way is non-negotiable. It proves you’ve performed a thorough investigation and provides the specific context you'll need later to design effective safety features (or risk controls). This will be important when we estimate risk probability, severity and acceptability later on.
Pro Tips for a Solid Foundation
- Be comprehensive: Don't self-censor. If a harm is plausible, get it on the list. That way, if the risk pops up later, you won’t have to update this doc down the road.
- Think beyond the patient: Could your device harm the doctor, nurse, or technician operating it? Those harms count, too.
- Don’t confuse harms and hazards: "Software failure" is not a harm. It's a hazard or a cause. The harm is what happens to the patient because the software failed (e.g., "over-infusion of medication").
- Look at other devices: Check the FDA’s MAUDE database for similar devices to see what kinds of harms have been reported in the real world. Don't reinvent the wheel.
Conclusion
Building a Harms Table is the ideal first step on your way to a successful risk management file. You now have a comprehensive inventory of the potential negative outcomes you need to control. You've mapped out the territory of what could go wrong.
But a list of harms doesn't tell you everything, including what to worry about most. A risk of a minor skin rash is obviously different from a risk of a fatal electrical shock. To prioritize, you need to figure out how bad each harm is (severity) and how likely it is to happen (probability). That brings us to risk estimation.
In our next post, we’ll dive into the Risk Equation (Severity x Probability) and the crucial "Bare Bones" rule for getting your risk assessment started on the right foot.