5 Most Common Mistakes Made When Implementing ISO 14971

June 2, 2019


ISO 14971 is a descriptive regulatory standard that provides guidance on how to apply risk management to medical devices. It has been adopted by regulatory agencies as a globally recognized standard to which medical device companies must adhere when managing risk throughout the entire product lifecycle.

The main intent of risk management is to serve as a foolproof method to identify, evaluate, monitor and mitigate potential issues throughout the entire product lifecycle. Provided that companies follow these guidelines, the end result will be the production of safer medical devices. For these reasons, medical device companies must pay close attention and adhere to the guidelines found in ISO 14971.

The standard is written quite clearly, using language that makes it easier to understand than the majority of other requirements documents. Despite this, many medical device companies still struggle to properly implement ISO 14971 in their quality system processes.

Keep reading to learn about the five most common mistakes device makers make when implementing ISO 14971:

1. Treating risk management as a “checkbox” item

Treating risk management as a checkbox activity is something I speak about quite frequently. Why? Because it keeps happening!

Companies will all too often create a high-level checklist of to-do tasks that must be checked off because the regulatory standard says they should, or because they will be audited for not doing so. By approaching risk in this way, they are missing out on a unique opportunity to learn from risk management activities.

Going through the motions doesn’t lend itself well to uncovering things that aren’t already on the surface. This type of approach makes it impossible to be proactive and is an impediment to the company. Without being able to dive deeper into company processes to see how risk is functioning, any issues that eventually do arise will have to be dealt with by using a reactionary approach.


2. Refusing to adopt a risk-based mindset

I see companies make this costly mistake all too often -- they do not integrate risk management early in the design and development process. It’s imperative for risk to be integrated into your system early on so that you’re creating risk-based requirements that will drive the entire design of your device. When companies miss this critical window of time, systemic issues can easily manifest.

I don’t advocate documenting your risk activities just for the sake of it, but certain items should be formally documented. These formally documented items (risk management activities, documentation, and records) will live in your risk management file (RMF). They include evidence of:

  • Risk Management Plan
  • Risk Controls
  • Risk Analysis
  • Risk Evaluation
  • Evaluation of Overall Risk Acceptability
  • Risk Management Report
  • Production and Post-Production Risks

The risk management file is foundational to your device and is passed on to whoever is doing the manufacturing, including third-party manufacturers. It would be a mistake not to treat this artifact as a “living file,” or to delay putting it together until late in the design process.

Imagine that point in development where you go through design transfer to the production of your device. There will be events that occur, whether they be complaints, customer feedback or nonconformances. All of these scenarios require you to revisit the risk management file and your risk assessment for the product. If you haven’t done a good job of documenting from the outset, it’s going to be difficult to assess whatever is uncovered in your risk assessment.

3. Using FMEA as a primary method to approach risk

Failure modes and effects analysis (FMEA) is an effective tool for assessing fault failures, root cause analyses, and failure modes. It is not designed to eliminate systemic issues. ISO 14971 subscribes to a much more holistic approach, offering device makers ways in which deep-seated systemic issues can be uncovered and resolved.

FDA defines risk as “the probability of occurrence combined with the severity of harm caused.” A device can be used exactly as labeled and intended, yet some level of risk will remain present. Risk still exists even if a device isn’t in a failure mode. This is a divergence from FMEA, because FMEA specifically focuses on failures. There isn’t one fixed way in which risk leads to harm: sometimes it is a single fault, issue or event, and other times it is a chain of events.

A big concern of mine is that many companies still use FMEA as their primary and only method for assessing and managing risk. FMEA is not a panacea. All situations that can lead to harm must be considered and recorded, not just device issues associated with failure modes.

4. Over-documenting risk-based activities

You’ve heard me say before: if it’s not documented, it didn’t happen. While it’s true that companies are most commonly scrutinized for under-documenting their processes and activities, there is such a thing as over-documentation. Too many times companies will create a cumbersome web of sub-FMEAs, which in turn essentially multiplies their risk requirements at each stage of the design and development process.

There are reasons why you will need to create multiple risk assessments, but if risk management is done properly, all documented risk-based activities should flow naturally through product development. When you over-document existing risk assessments and end up with many different assessments at different levels, it creates operational challenges in trying to satisfy them all.

The goal of a risk assessment is to identify the “big ticket” items first. You need to focus more time and energy on mitigating those bigger risks as much as possible, rather than dividing your attention across superfluous tasks. When in doubt, ensure your primary focus is on addressing the items that will add value to the safety and efficacy of your product.

A lot of companies believe that throwing paper at a task will be enough to make it go away. Wrong. In doing this, you’re just covering up the issue to eventually resurface later. My advice is to stay high level. Start from the top down. When you identify a high-risk issue, that’s the opportunity to go a bit deeper and maybe go bottom-up with root cause analysis for that issue.

5. Risk management not continuing throughout the entire product lifecycle

ISO 13485:2016 introduced the idea of a risk-based QMS in its numerous references to ISO 14971. Those references are often interpreted as a mindset and methodology companies can adopt in order to use risk-based decision making and criteria for their processes and procedures.

The challenge that companies experience happens when their risk-based approach is discontinued at some point during the lifecycle of the product. Usually, once the device is ready to be sent to the manufacturer, the risk management file (if one exists) tends to become very static. If the file is static, companies will have a hard time effectively managing the post-market surveillance stage of the product lifecycle.

Companies that do not have a risk management plan in place for the post-market stage of their device will be hit hard when complaints and nonconformances arise. This goes back to the importance of having an updated, living risk management file that travels with the device across all stages of its lifecycle. When this file exists, you can reference it in the event of a complaint or nonconformance to determine the root cause or if the issue was adequately captured in the first place.


Final thoughts

Assuming you have a risk management file, how do you ensure it doesn't grow static and is always kept up to date? This can be challenging, depending on the type of quality system you use. Paper-based files are prone to many errors and missing documents, while all-purpose spreadsheets can become overly burdensome and get overlooked when stored in tabs and compressed folders.

Tools like FMEA take a lot of training to understand and properly implement, as well. The difficulty of the aforementioned risk management alternatives is only amplified once you hand off control of your device to a third-party manufacturer.

Medical device companies using Greenlight Guru’s medical device QMS software are able to implement and manage every process using its risk management workflows that are purpose-built into the software.

No more worrying about whether your risk management file is outdated or missing because every feature set has been designed to seamlessly work together, providing full visibility and quality control. If you recorded any activity or file in the cloud-based platform, the advanced document management workflow allows you to produce any report in minutes with the click of a button. 



Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.
