Risk Management: MDR vs ISO 14971:2019 requirements

With the publication of ISO 14971 in 2019 and the related Technical Report (ISO/TR 24971:2020) there have been a lot of analyses of the requirements in that revision of the standard versus the previous versions of the ISO standard (ISO 14971:2007) and the European Harmonized version (EN ISO 14971:2012).

However, I have not seen many (if any) analyses of the differences between ISO 14971:2019 and the MDR. I’ll tackle that in this blog. Then in a follow-up, since ISO 14971:2019 has now been harmonized to MDR (as of May 2022), I’ll discuss the potential implications of that on our practical risk management activities.

Major differences

The following rows compare the MDR (left) with ISO 14971:2019 (ISO/TR 24971:2020) (right); the table has been laid out as labelled pairs.

MDR: MDR is the law. It tells us WHAT we have to do but not HOW we have to do it. Following the MDR is mandatory for medical devices in the EU.

ISO 14971:2019 (ISO/TR 24971:2020): ISO 14971 is a standard (and now a harmonized standard) and tells us HOW to do things. While following standards is strictly speaking voluntary, I would suggest it would be foolhardy not to follow the requirements of ISO 14971:2019 when selling medical devices in the EU, especially given the requirement from Annex VII (section 4.5.2) of the MDR: “The notified body shall, where relevant, take into consideration available CS, guidance and best practice documents and harmonised standards, even if the manufacturer does not claim to be in compliance.”

MDR: Requires risks to be reduced As Far As Possible (AFAP).

ISO 14971:2019 (ISO/TR 24971:2020): ISO 14971 is more lenient on this, with other options (including ALARP) being discussed (section 4.2 and ISO/TR 24971:2020 Annex C2). Of course, if selling medical devices in the EU, one must meet the MDR requirements and choose the AFAP option.

MDR: Seems to require ALL known and foreseeable risks to be reduced AFAP – i.e. we can’t ignore the “very small ones” (GSPR 4 coupled with GSPR 8 “all risks”).

ISO 14971:2019 (ISO/TR 24971:2020): ISO 14971 only requires us to take risk control for those risks which do not meet our predefined risk acceptability criteria (RAC) after initial risk evaluation (section 6) – i.e. we can sort of “ignore” the need for further action for the very low risks. (Aside: this is in line with general risk management approaches for medicines, where common, low-severity residual risks do not require specific additional action/risk control – e.g. mild headaches.) More on this in part 2 of this blog.

MDR: Requires we disclose ALL residual risks (GSPR 4 “Manufacturers shall inform users of any residual risks.”; GSPR 23.4g).

ISO 14971:2019 (ISO/TR 24971:2020): Only requires the significant residual risks to be disclosed (section 8). More on this in part 2 of this blog.

Additional differences

Again, each pair compares the MDR with ISO 14971:2019 (ISO/TR 24971:2020).

MDR: Is for medical devices.

ISO 14971:2019 (ISO/TR 24971:2020): Covers medical devices AND in-vitro diagnostics (IVDs).

MDR: Does not deal with cybersecurity risks in detail.

ISO 14971:2019 (ISO/TR 24971:2020): Cybersecurity risks are given a lot more focus than in either the MDR or the previous version(s) of the standard (ISO 14971:2007; EN ISO 14971:2012) – Annex F of ISO/TR 24971.

MDR: No explicit requirement for a risk management review or report.

ISO 14971:2019 (ISO/TR 24971:2020): Requirement for risk management review (and report) – section 9. More on this in part 2 of this blog.

MDR: Not explicitly required to have a methodology and criteria for Overall Benefit-Risk.

ISO 14971:2019 (ISO/TR 24971:2020): Requirement for methodology and criteria for Overall Benefit-Risk (section 4.4e; section 8). More on this in part 2 of this blog.

MDR: Less specific on required documentation.

ISO 14971:2019 (ISO/TR 24971:2020): More specifics regarding documentation (e.g. RMF, RMP, RMR) than the MDR – throughout, but including sections 4.4, 4.5 and 9.

MDR: Less specific on competence for the risk management team.

ISO 14971:2019 (ISO/TR 24971:2020): More specific on competence requirements for personnel conducting risk management (section 4.3).

Both: PMS requirements (and links with risk management) in GSPR 2 through 8 of the MDR do not appear as stringent as those in section 10 of ISO 14971:2019; however, those in Annex III, Articles 83-87 and Annex XIV of the MDR more or less align with those from section 10 of ISO 14971:2019.

Final points

“Use errors” (and the need for their consideration in hazard, sequence of events and hazardous situation development) are covered in both the MDR (e.g. GSPR 5) and ISO 14971:2019.

It is a bit subtle in ISO 14971, as it is included in “reasonably foreseeable misuse”, as described in ISO/TR 24971:2020 section 5.2:

“Reasonably foreseeable misuse is defined as use of the medical device in a way not intended by the manufacturer, but which can result from readily predictable human behaviour. This can relate to use error (slip, lapse or mistake), intentional acts of misuse, and intentional use of the medical device for other (medical) applications than intended by the manufacturer. Cases of reasonably foreseeable misuse can be identified during design and development by an analysis of simulated use, for example by applying a usability engineering process, or during the post-production phase by an analysis of actual use. Reasonably foreseeable misuse can be identified throughout the life cycle of a medical device, including iterations of design activities, during which the manufacturer’s ability to anticipate potential misuse progressively increases.”


As we can see from the above, there are a few important conceptual differences between the MDR requirements for risk management and those in ISO 14971:2019. However, with the recent harmonization of ISO 14971:2019, these differences may be “smoothed out”.

The next part in this blog will look at the implications of that harmonization (as of May 11, 2022), given that it gives the standard a “presumption of conformity to the requirements of the MDR” (per Article 8 and as described in Annex Z of the harmonized version of the standard), yet these differences remain, e.g.:

  • Do we need to disclose ALL residual risks or just the significant ones?
  • Do we still need to do individual benefit-risk analyses for all residual risks (as one of the deviations in EN ISO 14971:2012 required), or can we finally let that go and align with what EN ISO 14971:2019 says?
Keith Morel, PhD
Post date: July 22, 2022