EN ISO 14971 or not EN ISO 14971?

The European community recognised EN ISO 14971:2012 in July 2012. EN ISO 14971:2012 supersedes
EN ISO 14971:2009 which was based on ISO 14971:2007 ‘Medical devices - Application of risk management
to medical devices’.

In general, the EC committee felt that the application of ISO14971:2007 did not meet the Essential Requirements
described in the European Medical Device Directive 93/42/EEC. Therefore the EC group reviewed ISO14971 to
identify those areas in the standard that are not compliant with the MDD and formally document these deviations.

EN ISO 14971:2012 applies only to manufacturers with devices intended for the European market; for the rest of
the world, ISO 14971:2007 remains the standard recommended for risk management purposes.

Standard outline

This standard, published* in 2012, is somewhat unusual in its layout: it includes three annexes located at the beginning
of the document and then includes a copy of the 2007 corrected version of ISO 14971. So, in essence, the new content is
all contained in the three annexes entitled ZA, ZB and ZC. These annexes apply to Medical Devices (MDD), Active
Implantable Medical Devices (AIMD) and In Vitro Diagnostic Medical Devices (IVDD) respectively. Annex ZA details
seven deviations between the ISO standard and the essential requirements of the MDD.

How has it been received?

The deviations described in these annexes have not been embraced by the community. In fact, they triggered debates
on many forums, and several safety engineers have expressed consternation and disagreement. For instance, see the
following interesting discussion on LinkedIn.

Among the many contentious discussions, one appears to take place between the ISO group and the EC. For
instance, the SoftwareCPR web site reports that “The debate over ISO 14971 continues between industry and the European
Commission. The joint ISO & IEC working group responsible for ISO 14971 met and determined that ISO 14971 still
represents the state of the art for medical device risk management and that no changes were needed despite the
position of the EC that ISO 14971 does not meet the essential requirements of the directives. Several notified bodies
and COCIR/Eucomed have produced guidance for how manufacturers can use ISO 14971 in claiming conformance
to the essential requirements.”

Some thoughts

Several statements in EN14971 are strong and powerful, and may surprise more than one safety engineer.
For instance, it says “that all risks, regardless of their dimension, need to be reduced as much as possible”.
Apparently this statement is derived from Annex I Section I and II of the EU Council Directive 93/42/EEC. In my
opinion this is a leap of faith.

One could wonder about the role of risk assessment in this new context. Typically risk assessment is performed
to focus attention during the design & development phase on the most severe hazards or the most critical ones.
Risk assessment also helps determine how much risk mitigation for a particular hazard is required. In the EN14971
context, one would reduce all risks as much as possible and therefore risk assessment would only be used to
confirm that the residual risks are acceptable. This approach could mean spending substantial effort on risk
reduction for risks that may be acceptable from the onset.

Conclusion

Given the many debates and differing interpretations of EN14971, we recommend that you consult your notified
body to determine their position on this new standard. Some notified bodies have already published their position
on EN14971. Additionally, if your organization is already compliant with ISO 14971, we recommend that you
review the EU MDD and determine whether additional changes to your risk management process are required to
be compliant with the EU MDD. Let us not forget that the intent of EN14971 is to highlight areas where compliance
with ISO14971 may not always mean compliance with the Essential Requirements of the EU MDD. At the end of
the day, the goal of a medical device manufacturer is compliance with the EU MDD rather than EN14971 and we
should not lose track of this goal.

*The European Committee for Standardization (CEN) does not re-sell standards. As a result, EN ISO 14971 can
be obtained from one of the national standards bodies. You could get the UK version, the Danish version, etc.
All these versions should be identical except for the first few introductory pages.