Anne Matousek
Senior Consultant QM & RA, Regulatory Affairs Expert




Risk management standard for medical devices not yet harmonised



So that stricter requirements do not catch you off guard and you are not faced with unexpected hurdles, the seleon experts have done some research for you: the third edition of the risk management standard for medical devices, ISO 14971:2019, has been available since December 2019. What has changed? What do you need to do?

Although the European Commission updated the list of harmonised standards for the Medical Devices Directive MDD (93/42/EEC) in March of this year, there is still no list of harmonised standards for the Medical Device Regulation MDR (EU 2017/745), and therefore no harmonised risk management standard. This is a challenge for the development of medical devices under the MDR and for establishing the presumption of conformity.

According to a recent decision of the European Commission, the list of harmonised standards of the Medical Devices Directive MDD may NOT be used to demonstrate conformity with the General Safety and Performance Requirements (GSPR, Annex I) of the MDR. To show that the GSPR are met, manufacturers of medical devices therefore have to do additional work: for each requirement they must check individually to what extent it is covered by existing standards, whether for risk management, quality management or other relevant requirements, and document any gaps.

Nevertheless, harmonisation of the risk management standard for medical devices, ISO 14971:2019, is very much to be expected. By way of comparison, the FDA has already listed the standard under "Recognized Consensus Standards", which means it can be applied in the USA.


Guide published: ISO/TR 24971

Approximately six months after the publication of the risk management standard for medical devices ISO 14971:2019, the related guidance document ISO/TR 24971:2020-06 was published in June 2020.

The guide reads as an extended commentary: it elaborates the requirements of ISO 14971 and helps manufacturers of medical devices implement them. The first 30 or so pages comment on ISO 14971:2019 clause by clause. These are followed by eight annexes totalling around 55 pages:

  • Annex A: Identification of hazards and characteristics related to safety
  • Annex B: Techniques that support risk analysis
  • Annex C: Relation between the policy, criteria for risk acceptability, risk control and risk evaluation
  • Annex D: Information for safety and information on residual risk
  • Annex E: Role of international standards in risk management
  • Annex F: Guidance on risks related to security
  • Annex G: Components and devices designed without using ISO 14971
  • Annex H: Guidance for in vitro diagnostic medical devices


Annex on cyber and data security

Following the explicit inclusion of software as a medical device in the third edition of ISO 14971, Annex F of ISO/TR 24971 deals for the first time with data security and cybersecurity.

The Annex introduces six important terms:

  1. Security: the degree to which the system is protected against hostile acts. No system is completely invulnerable; the aim, as everywhere in ISO 14971, is to keep the residual risk acceptable.
  2. Threat: a potential cause of an unwanted incident that could breach security and result in harm.
  3. Vulnerability: a flaw or weakness in the design, implementation or operation of a system that could be exploited to compromise it.
  4. Confidentiality: only authorised persons have access to the data.
  5. Integrity: the data are accurate and complete and have not been altered without authorisation.
  6. Availability: data and system functions are accessible when authorised users need them.

In addition, the Annex explains how security fits into the familiar chain of hazard, sequence of events, hazardous situation and harm: a vulnerability exploited by a threat is simply another sequence of events that can lead to a hazardous situation, and it is assessed and controlled with the same risk management process as any other hazard. Those who have not yet dealt with cybersecurity will get a first idea of the topic here. (TIP: please also have a look at our newsletter on the topic of cybersecurity.)


Risk management requirements for medical devices: the MDR versus ISO 14971

The principle that higher-ranking law prevails (the regulation beats the standard) matters for international medical device manufacturers, and also for everyone who skips the foreword and introduction and starts reading a standard at clause 3. Applying ISO 14971:2019 and its guide ISO/TR 24971:2020 to the letter can come as a nasty surprise, because ISO 14971:2019 is more permissive than the risk management requirements of the MDR. This was already the case with the second edition, ISO 14971:2007 (EN ISO 14971:2012). What is still "allowed" under ISO 14971 can be impermissible under the MDR. For the harmonised EN ISO 14971:2012, this meant that the requirements of the MDD overrode some of the principles of ISO 14971; the content deviations were listed in the European Z annexes of that edition, which is exactly the part a reader who starts at clause 3 never sees.

The rule remains: higher-ranking law prevails, or in other words, the MDR beats ISO 14971.


ALARP/ALARA and the risk management standard for medical devices MDR

For example, although the principles ALARA (as low as reasonably achievable) and ALARP (as low as reasonably practicable) are mentioned in ISO/TR 24971, they clearly contradict the requirements of the EU Medical Device Regulation MDR, Annex I (Chapter I, point 2):

"The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio."

The difference is practical, not academic: under ALARP a manufacturer may decline a risk control measure because its cost is disproportionate to the risk reduction, whereas "as far as possible" under the MDR permits no such economic weighing. The only limit is the benefit-risk ratio, so a risk control that does not worsen that ratio has to be implemented.

Even though ISO 14971:2019 has not yet been harmonised, ISO/TR 24971 is certainly worth a look!

Have you noticed that pressure is coming not only from the MDR, but that risk management itself is giving you a turbulent time? Are you in the middle of a development process and wondering which standards actually apply to you and how to establish the presumption of conformity? We will be happy to support you in these turbulent times and provide competent assistance in minimising your risks. Please contact us.


Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only.

Every product is unique – the mandatory tasks and measures for entering the market need to be specified individually. seleon advises you on your individual questions without any obligation.

