ISO 14971:2019 & TR 24971 Explained - Medical Device Risk Management
Summary
In this Greenlight Guru True Quality Virtual Summit session, risk management expert Edwin Bills — a member of the ISO working group that revised the standard — walks through exactly what changed in the 2019 edition of ISO 14971 and the 2020 edition of ISO/TR 24971, and why it matters for medical device manufacturers.
Bills explains the origin of the revision (a 2015 systematic review whose ballot, tabulated in 2016, produced about 60 consolidated categories of comments), the decision to keep the binding requirements in ISO 14971 while moving most guidance into the more easily updated technical report, and the renumbering that followed the insertion of a new "Normative references" clause. He maps how the old annexes were redistributed between the two documents, covers the new and updated definitions (benefit, reasonably foreseeable misuse, state of the art, and the removal of "physical" from harm), and details the formalized risk management system introduced in Clause 4.
He also clarifies the practical engineering points teams most often get wrong: why FMEA alone does not satisfy the standard, where each analysis tool fits in the design control flow, the expanded production and post-production requirements, and the European harmonization status under MDR and IVDR. The session closes with final thoughts on detectability, hazard analysis terminology, and traceability.
Key takeaways
- The requirements live in ISO 14971; the guidance lives in ISO/TR 24971. The working group deliberately split them so the guidance can be updated on a faster (roughly three-year) cycle without reopening the standard.
- Clause numbers shifted. A mandatory "Normative references" clause was inserted as Clause 2, pushing every later clause up by one (Terms and definitions is now Clause 3, and so on).
- Risk management is now framed as a system of five elements: the process, management responsibilities, competence of personnel, the risk management plan, and the risk management file — all required to work together.
- FMEA by itself does not meet the standard. It only addresses single-fault conditions and is a design-output tool. The standard requires identifying known and foreseeable hazards in both normal and fault conditions, which means using multiple analysis tools (PHA, fault tree, usability engineering, and others).
- Production and post-production saw the most expansion. Clause 10 now requires an active process for gathering field information — you can't simply wait for complaints — aligning with FDA and EU post-market surveillance expectations.
- New and clarified definitions were added for benefit, reasonably foreseeable misuse, and state of the art, and the word "physical" was removed from the definition of harm to capture non-physical harms.
- Use product and process safety standards to your advantage. Annex E of TR 24971 explains how leaning on recognized standards can reduce the amount of risk analysis work required.
- Harmonization status matters for Europe. As of the session, the existing harmonized versions were harmonized only to the Directives, not to MDR/IVDR; manufacturers must work with their notified body to determine compliance until CEN/CENELEC publish updated versions.
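As an added illustration of two of the takeaways above (the traceability tied together by the risk management file, and the requirement to cover both normal and fault conditions rather than relying on an FMEA alone), the following Python was written for this page; it is not code from the session, from the standard, or from Greenlight Guru. It checks a toy risk management file for the links a Clause 4.5 traceability table needs: source document and line item, risk estimate, control tied to a design input, verification of implementation and effectiveness, and residual risk. The record layout, the 1 to 5 severity and probability scales, the acceptability threshold, the document identifiers and the sample hazards are all assumptions made for the example; a real acceptability table is set per product in the risk management plan.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Example acceptability threshold: risk index = severity x probability, each on a
# 1..5 scale. The scales and this value are assumptions for the example; a real
# threshold is set per product in the risk management plan.
ACCEPTABLE_INDEX = 6


@dataclass
class Control:
    control_id: str
    requirement_ref: Optional[str]  # design input that carries the control (assumed ID scheme)
    implemented: bool               # implementation verified
    effective: bool                 # effectiveness verified


@dataclass
class Hazard:
    hazard_id: str
    source: str                     # originating document and line item
    condition: str                  # "normal" or "fault"
    hazardous_situation: str
    harm: str
    severity: int
    probability: int
    controls: List[Control] = field(default_factory=list)
    residual_severity: Optional[int] = None      # estimate after controls, if any
    residual_probability: Optional[int] = None
    benefit_risk_justification: Optional[str] = None

    def initial_index(self) -> int:
        return self.severity * self.probability

    def residual_index(self) -> int:
        # With no post-control estimate recorded, the residual risk is the initial risk.
        if self.residual_severity is None or self.residual_probability is None:
            return self.initial_index()
        return self.residual_severity * self.residual_probability


def check_file(hazards: List[Hazard]) -> List[str]:
    """Return traceability findings; an empty list means every hazard traces from its
    source through assessment, control, verification and residual risk."""
    findings: List[str] = []
    seen = {h.condition for h in hazards}
    for cond in ("normal", "fault"):
        if cond not in seen:
            findings.append(f"FILE: no hazards analysed under {cond} conditions "
                            "(Clause 5.4 requires normal and fault conditions)")
    for h in hazards:
        if h.condition not in ("normal", "fault"):
            findings.append(f"{h.hazard_id}: unknown condition {h.condition!r}")
        if not h.source.strip():
            findings.append(f"{h.hazard_id}: no source document or line item (Clause 4.5)")
        if h.initial_index() > ACCEPTABLE_INDEX and not h.controls:
            findings.append(f"{h.hazard_id}: initial risk {h.initial_index()} above threshold "
                            "and no risk control recorded")
        for c in h.controls:
            if not c.requirement_ref:
                findings.append(f"{h.hazard_id}/{c.control_id}: control not tied to a design input")
            if not c.implemented:
                findings.append(f"{h.hazard_id}/{c.control_id}: implementation of control not verified")
            if not c.effective:
                findings.append(f"{h.hazard_id}/{c.control_id}: effectiveness of control not verified")
        if h.residual_index() > ACCEPTABLE_INDEX and not h.benefit_risk_justification:
            findings.append(f"{h.hazard_id}: residual risk {h.residual_index()} above threshold "
                            "with no benefit-risk justification (Clause 7.4)")
    return findings


def sample_file() -> List[Hazard]:
    """Constructed sample: one fault-condition hazard from an FMEA and one
    normal-condition hazard from a usability engineering formative study."""
    return [
        Hazard("H-01", "FMEA-PUMP-001 line 12", "fault",
               "Occlusion sensor fails open and pump keeps infusing", "Overinfusion",
               severity=5, probability=3,
               controls=[Control("RC-01", "SRS-042", implemented=True, effective=True)],
               residual_severity=5, residual_probability=1),
        Hazard("H-02", "UE-FORMATIVE-02 line 4", "normal",
               "User enters a dose in mg where the device expects mL", "Overinfusion",
               severity=5, probability=3,
               controls=[Control("RC-02", "SRS-057", implemented=True, effective=False)],
               residual_severity=5, residual_probability=1),
    ]


def fmea_only_file() -> List[Hazard]:
    """Constructed sample containing only the FMEA-derived (fault-condition) hazard."""
    return [sample_file()[0]]


if __name__ == "__main__":
    for name, hazards in (("complete file", sample_file()), ("FMEA only", fmea_only_file())):
        print(name)
        for line in check_file(hazards) or ["no findings"]:
            print("  ", line)
```

Run stand-alone, the complete sample reports only that the effectiveness of RC-02 has not been verified, while the FMEA-only file is flagged at file level because no normal-condition hazard was ever analysed, which is the gap usability engineering or a preliminary hazard analysis would fill. The check is deliberately a pure function over records so it can run in CI against an exported risk file before a design review.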
Chapters
- 0:00 — Welcome and housekeeping
- 3:50 — Speaker introduction: Edwin Bills
- 5:50 — Session agenda
- 7:54 — Why the standard was revised
- 13:00 — The final approach: separating the standard and the technical report
- 15:05 — The new structure of ISO 14971:2019
- 17:52 — How the guidance in TR 24971 was reorganized
- 28:30 — The scale of the changes (page counts)
- 30:01 — Changes to the scope
- 31:25 — New and updated definitions
- 34:22 — The risk management system (Clause 4)
- 37:42 — Risk analysis and the design control flow (Clause 5)
- 41:13 — Benefit-risk, overall residual risk, and production/post-production (Clauses 7, 8, 10)
- 44:44 — Release status and European harmonization
- 46:25 — The Vienna Agreement, MDR, and IVDR
- 48:30 — Final thoughts: detectability, hazard analysis, and FMEA limits
- 51:11 — Q&A and closing
Full transcript
Welcome and housekeeping (0:00)
Tom Rish: Hello everyone, and welcome to the Greenlight Guru True Quality Virtual Summit — the three-day event designed to provide actionable takeaways you can implement at your own company to innovate faster, stay ahead of regulatory changes, and use quality as a strategic asset to grow your business. Today's session is titled "An Inside Look at the Changes to the New ISO 14971:2019 Version from a Member of the Standards Working Group." My name is Tom Rish, I'm a medical device guru here at Greenlight Guru, and I'll be your moderator for today's event.
We have a special session today. Our speaker, Edwin Bills, is looking forward to sharing his expertise on medical device quality, regulatory, and especially risk management, and his insights into the new version of ISO 14971. A few quick housekeeping items first: this session will run about 45 minutes and will include a Q&A at the end, so please submit your questions throughout the presentation using the box on the right-hand side and we'll get to as many as time permits. The session is being recorded.
A few words on why Greenlight Guru puts on this free summit: improving the quality of life is our mission, and anything we can do to help device makers bring safer, life-changing devices to market faster and with less risk aligns with that mission — whether through free events and training, partnering with world-class consultants like Edwin Bills, or our purpose-built medical device QMS software. If you'd like to learn how device companies are moving away from paper-based, general-purpose systems to a purpose-built medical device quality management system, head to greenlight.guru to schedule a personalized demo.
Speaker introduction: Edwin Bills (3:50)
Tom Rish: Let me introduce your presenter. Edwin Bills has held quality and regulatory affairs positions at major medical device companies, including a period as corporate director of risk management, with over 36 years of experience in the field. He currently consults and provides training in medical device quality, regulatory, and risk management. With Stan Mastrangelo, he co-authored Life Cycle Risk Management for Healthcare Products: From Research Through Disposal, published by PDA. He has served as adjunct faculty in Virginia Tech's graduate online degree program in health products risk management. ASQ has awarded him Fellow status, along with Certified Quality Engineer, Certified Quality Auditor, and Certified Manager of Quality and Organizational Excellence, and he is Regulatory Affairs Certified by RAPS.
Edwin served on the international standards work that revised the third edition of ISO 14971 as a member of the technical committee, also serves on the U.S. national committee for ISO 13485, and on the AAMI technical committee developing combination products risk management guidance. Without further ado, I'll hand it over to Edwin.
Edwin Bills: Thanks, Tom — I appreciate the kind words, and I'm looking forward to the presentation. This material is up to date as of last week; a number of things I'll discuss occurred over the last few weeks.
Session agenda (5:50)
Edwin Bills: Here's the agenda. We'll go through the reasons for the changes, how the documents were reorganized — we're talking about ISO 14971:2007 and ISO/TR 24971:2013, and what they look like after the 2019 and 2020 revisions. We'll talk about specific changes, the release information, the latest status of both documents, and then some final thoughts.
Why the standard was revised (7:54)
Edwin Bills: In 2015, ISO and IEC ran a systematic review of ISO 14971 and its companion guidance document, TR 24971. The vote was tabulated in 2016 and resulted in actions we needed to take. These are joint documents developed by the two organizations and approved by all the national bodies that are members.
When TR 24971 was first released in 2013 as a technical report on implementing ISO 14971, a lot of people didn't know it existed or understand its purpose — that came out in the review. There were about 60 consolidated categories of comments, organized much the way the FDA consolidated comments for the Quality System Regulation back in 1994. That information went to ISO TC 210, Joint Working Group 1, which is responsible for the risk management standard. We met in Tampa in June 2016 to develop a work plan, then met three times a year face-to-face and countless times by web meeting.
The parent committees charged us with: maintaining the key concepts and core approach to risk management — following the trail ISO 14971 established in 2000 and revised in 2007, and keeping enterprise/business risk management (ISO 31000) as a separate process; clarifying the normative requirements, especially around production and post-production information and around clinical benefit and benefit-risk analysis; and updating the guidance and annexes. Remember: in ISO 14971, numbered clauses are requirements, and anything with an alphabetic designation (the annexes) is guidance, not a requirement. We were also asked to update TR 24971 or, optionally, merge it with the standard.
The final approach: separating the standard and the technical report (13:00)
Edwin Bills: In consultation with ISO's technical management board, we decided the informative annexes would live primarily in TR 24971, because a technical report is easier and faster to update — about three years versus five — and requires less consultation. Most comments since the first edition had been about guidance, not requirements, so separating the documents let us address requests for more information more quickly.
The technical management board also required us to insert a clause — "Normative references" as Clause 2 — even though there are none, so the standard literally states that there are no normative references. As a result, every clause numbered from 2 onward was incremented by one: Terms and definitions became Clause 3, and so on.
The new structure of ISO 14971:2019 (15:05)
Edwin Bills: Looking at the structure: in 2007 you had Clause 1 (Scope), Clause 2 (Terms and definitions), down through Clause 9 (Production and post-production information). With the new Clause 2 inserted, Terms and definitions became Clause 3. Clause 4 became "General requirements for risk management system" — note the word system; we're now establishing requirements for a risk management system. Clauses 5, 6, and 7 stayed the same. In Clause 8 the word "acceptability" was struck from the evaluation of overall residual risk. Clause 9 changed from "risk management report" to "review." And the old Clause 9 became Clause 10, with "information" removed and the focus changed to activities — production and post-production activities.
That middle structure is ISO 14971:2019. TR 24971:2020 mirrors the same clause numbers and titles, but everything in TR 24971 is guidance. So if you want more on, say, evaluation of overall residual risk, you read Clause 8 in TR 24971.
How the guidance in TR 24971 was reorganized (17:52)
Edwin Bills: Because content moved out of ISO 14971:2007, the guidance picture spans three documents. In ISO 14971:2019, Annex A is the revised rationale for requirements, and Annex B is a revised version of the old Annex B, with much more detail comparing 2007 to 2019 clause by clause.
Annexes C and D from the 2007 standard now live in TR 24971:2020. The old Annex C — the questions teams use to identify hazards and safety characteristics — is updated and appears in TR 24971 (these are examples, not mandatory requirement sets). The old Annex D risk concepts were distributed throughout the numbered clauses of TR 24971. Content on hazards, foreseeable sequences of events, and hazardous situations now appears both in the fundamental risk concepts annex and in clauses 5.4 and 5.5 of TR 24971. The risk management plan, which had its own annex, is now covered in Clause 4.4 of the technical report.
The old Annex G on risk management techniques — FMEA, fault tree, HAZOP and the rest — is now Annex B of TR 24971, retitled "Techniques that support risk analysis," because that's where those techniques apply. Annex H on IVDs remains Annex H, just in the technical report. The old Annex I on biological hazards was removed entirely and deferred to ISO 10993-1, which covers that topic far better than we could. Information for safety and residual risk was clarified to finally separate those two concepts — a longstanding source of confusion from the 2012 European version.
The scale of the changes (28:30)
Edwin Bills: The 2007 edition had 15 pages of requirements; now it's just under 17 — roughly a page and a half more, almost all around Clause 10, which tells you how much production and post-production changed. On guidance: 2007 had 70 pages of informative annexes and the 2013 TR had 16, for 86 pages total. Now ISO 14971 has about 35 pages of annexes and TR 24971 has roughly 100, for 135 pages — about 49 new pages of guidance to help you implement the standard.
Changes to the scope (30:01)
Edwin Bills: The scope now notes the standard can be applied to products that aren't necessarily medical devices in some jurisdictions, and to others involved in the medical device lifecycle — some of that stems from changes with the MDR. The document does not apply to decisions on how a device is used in a particular clinical procedure; clinicians decide that. We recognize off-label use exists, and where it's known and foreseeable, you must address those risks. The standard also does not apply to business risk management, which belongs in ISO 31000, managed separately from product safety risk.
New and updated definitions (31:25)
Edwin Bills: There are new definitions. Benefit — "a positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health" — isn't defined in the MDR or FDA documents, so this helps with benefit-risk analysis. Reasonably foreseeable misuse — "use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behavior" — must be addressed in risk analysis. State of the art — "the developed stage of technical capability at a given time regarding products, processes, and services, based on relevant consolidated findings of science, technology, and experience" — is not bleeding-edge; it's what's commonly used, and it's often what standards define. BSI has stated that ISO 14971:2019 is the state-of-the-art standard for risk management, and CEN withdrew EN ISO 14971:2012. Finally, the word "physical" was removed from the definition of harm, because harm can be more than physical — an improper diagnosis from an underperforming IVD could cause emotional injury, and the change also applies to cybersecurity.
The risk management system (Clause 4) (34:22)
Edwin Bills: Clause 4 introduces the risk management system, which consists of five elements: the process, management responsibilities, competence of personnel, the risk management plan, and the risk management file. Those must work together as a system. Figure 1 in Clause 4.1 was updated to include the risk management plan, and titles were aligned with the new standard — if you use that diagram in your procedures, update it.
Clause 4.5 continues to require that traceability for each hazard be documented in the risk management file. Traceability first appeared in the GHTF risk management guidance. The traceability table is not an FMEA; it's a method of tying together all the documents in your risk management system — identifying the document and line item for each hazard, then moving across to the risk assessment (analysis and evaluation) and the risk control (the control, where the requirement appears, how you verified implementation and effectiveness, the post-control risk, and any benefit-risk comments).
Risk analysis and the design control flow (Clause 5) (37:42)
Edwin Bills: Risk analysis (Clause 5.4) now reads: the manufacturer shall identify and document known and foreseeable hazards associated with the medical device, based on intended use, reasonably foreseeable misuse, and characteristics related to safety, in both normal and fault conditions. That requires multiple analysis tools — FMEA only covers single-fault conditions, so it doesn't meet the standard by itself. You can also use hazards identified in standards (Annex E).
In the design control flow, design inputs come from intended use, clinical trials, fault tree analysis on harms and hazards, safety-related characteristics, preliminary hazard analysis, and usability engineering (formative human factors). Note that FMEA is not a design input — it's typically done from the design, so it's a design output, along with software and biocompatibility risk analysis (biocompatibility after materials selection).
Benefit-risk, overall residual risk, and production/post-production (Clauses 7, 8, 10) (41:13)
Edwin Bills: Clause 7.4 is where you find benefit-risk analysis, with three pages of guidance in the technical report; note it does not include economic or business advantages — it's about clinical benefits. Clause 8, evaluation of overall residual risk, requires evaluating all residual risk after controls are implemented and verified, and requires disclosing significant residual risk in the accompanying information — you decide what's significant.
Clause 9 was retitled to risk management review: who does the review, when, answering the three questions, then issuing a report. Clause 10, production and post-production activities, aligns with Clause 8 of ISO 13485 and with FDA and EU post-market surveillance, developed from the GHTF CAPA guidance. It requires an active process for gathering information — you can't just wait for complaints; you have to understand how your product performs in the field. This grew from half a page of requirements in 2007 to a page and a half, with four pages of guidance in TR 24971. Two new informative annexes were also added: one on cybersecurity-related risk (written by the software committees) and one on components and devices designed without using ISO 14971, useful for remediation.
Release status and European harmonization (44:44)
Edwin Bills: In December, ISO 14971:2019 was released in both the ISO and EN versions — they're identical — and CEN withdrew the 2012 edition. BSI calls the 2019 version state of the art, though each notified body has handled the 2012 transition its own way. Note that the 2012 edition only applies to the Directives, not to the MDR or IVDR. TR 24971:2020 may be released in mid-summer due to communication delays; a draft is available from the AAMI store, and it will be virtually identical to the final.
The Vienna Agreement, MDR, and IVDR (46:25)
Edwin Bills: Under the Vienna Agreement, standards intended for Europe are voted on in parallel by CEN, CENELEC, ISO, and IEC and released together. EN ISO 14971:2019 was initially approved but had no Z annexes, because the European Commission hadn't issued a standardization request yet. On May 15, they issued one for the MDR and IVDR that includes both ISO 13485 and ISO 14971. Until CEN and CENELEC update those standards and the results are published in the Official Journal, the present harmonized standards are harmonized only for the Directives — not for MDR and IVDR. So it's up to you, working with your notified body, to determine MDR/IVDR compliance. Once the standardization request is complete, CEN will issue an amendment, likely published as a 2020 edition with Z annexes, with no content deviations — only tables comparing the standard with the regulation.
Final thoughts: detectability, hazard analysis, and FMEA limits (48:30)
Edwin Bills: A few final points. Detectability does not appear in ISO 14971 — it's a process term, not a risk analysis term — though you can modify your manufacturing process with inspection and test points that may reduce the probability of occurrence of harm. Hazard analysis is not an activity in ISO 14971; we analyze risk, not the hazard, though the name persists in external tools like PHA and in software. Risk traceability is a requirement. FMEA is a useful tool with limitations — it only addresses single-fault conditions, not normal-condition hazards (typically handled with usability engineering), and it's a design-output tool, whereas ISO 13485 (Clause 7.3.3) requires risk management outputs to be design inputs, so you can't wait until design output to create them. Use product and process safety standards to reduce work, have clinicians help build your harm-severity table, and expect most of your effort in production and post-production.
Q&A and closing (51:11)
Edwin Bills: Tom, I'm ready for questions.
Tom Rish: There was so much information that we kept going — many questions were answered on the slides, including when the guidance will be released and the transition period. We'll provide a list of these questions, and the rest of the audience will get handouts of the slides and a recording by email, with recordings also on our website. Edwin, that was very helpful and informative — we appreciate it. We'll answer remaining questions offline.
Edwin Bills: Offline can be at my email address on the last slide. Thanks, Tom — I appreciate it, and I hope everyone has a great day.