Third edition of ISO 14971 - What has changed?

The third edition of ISO 14971 is now available as a draft (FDIS).

This new version of ISO 14971 will probably be published as ISO 14971:2019. It will represent an evolutionary development of ISO 14971:2007, rather than a break with the concepts used previously.

Nevertheless, manufacturers should familiarize themselves with the new and the amended requirements this standard defines.

1. Third edition of ISO 14971

The third edition of ISO 14971 follows its predecessor ISO 14971:2007 (“second edition”). This second edition is also the basis for EN ISO 14971:2012, the standard harmonized for the EU medical device directives.

It is still unclear whether the EU Commission will harmonize the new version for the Medical Devices Regulation (MDR), which could lead to the publication of EN ISO 14971:2020.

At the same time, ISO has also revised ISO 24971, which is also available as a draft. This “explanatory standard” is becoming more important because it now contains some of the non-normative annexes of the old ISO 14971.

2. Overview of changes

a) New chapter structure

The first thing that stands out is the new chapter structure. ISO 14971:2019 now follows the usual structure, which starts with the chapters:

  1. Scope
  2. Normative references
  3. Terms and definitions

The new chapter with the normative references changes the numbering: ISO 14971:2019 now has ten chapters.


Fig. 1: New chapter structure of the third edition of ISO 14971 (ISO 14971:2019).

The chapter structure reveals another difference: The requirements for the downstream phase are more comprehensive and divided into four sections (10.1 to 10.4).

b) More importance placed on the risk-benefit ratio?

ISO 14971:2019 claims to place even greater emphasis on demonstrating that the benefits outweigh the risks. It adds the missing definition of the term “benefit”.

Definition: Benefit

“Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health”

Source: ISO 14971, 3rd edition

Examples of these benefits are:

  • Faster recovery, more complete recovery
  • Curing with fewer side effects
  • More accurate diagnosis
  • Better public healthcare

This makes it clear that the benefit refers to a medical benefit and not, for example, a higher economic benefit for the operator.

The standard does not really establish any new requirements. It continues to state that it is the management's job to define the risk policy. This must be based on the state of the art. The third edition of ISO 14971:2019 at least adds a definition of the term “state of the art”.

Definition: State of the Art

“Developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience”

Source: ISO 14971, 3rd edition

This state of the art cannot be compared with the state of the science. Instead, it is more in line with generally accepted technical and medical “good practices”.

One new feature of the third edition of ISO 14971 is that the manufacturers can define acceptance criteria for the evaluation of individual risks that are different to those used for the evaluation of the overall residual risk. The acceptance criteria for the individual risks can be used to decide on the need for risk control measures. The acceptance criteria for the overall risk can be used to decide whether the product can be marketed.

c) IT security in scope

The third edition of ISO 14971 explicitly includes risks resulting from inadequate “data and system security”. However, it does not define any specific requirements.

In German-speaking countries in particular, there is a risk that manufacturers will not be able to distinguish precisely between safety and security because both terms are translated as “Sicherheit” in German.

While weighing medical benefits against “safety risks” makes sense, weighing medical benefits against “security risks” can lead to confusion. An increase in security can even have negative effects on safety.

d) Reasonably foreseeable misuse must be taken into account

ISO 14971:2019 adds the explicit requirement to analyze reasonably foreseeable misuse. It defines this “reasonably foreseeable misuse” as follows:

Definition: Reasonably foreseeable misuse

“Use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behavior”

Source: ISO 14971, 3rd edition

Such misuse can be intentional or unintentional. An example would be using a medical device without first reading the instructions for use carefully.

e) Safety-related characteristics must be identified

It is just the chapter that is new; the requirements regarding safety-related characteristics are not. The manufacturers must record these characteristics, which are essential for the safety of the device, qualitatively and quantitatively - preferably with limits. All IEC 60601-1 experts will immediately think of the essential performance characteristics. And rightly so!

The Johner Institute recommends looking into the system requirements in particular, in order to determine if there might be a risk if these requirements are not met or not met to the specified extent.

f) Production and post-production requirements

The most obvious change relates to risk management in production and the post-production phase, i.e., the post-market phase. The requirements are very similar to those of the MDR:

Both the MDR and the third edition of ISO 14971 require proactive collection and evaluation of data from post-development phases. The MDR talks about a process, ISO 14971 about a system.

Fig. 2: ISO 14971:2019 requires the active collection and analysis of data and, if necessary, corresponding action.

Like the MDR, the standard also defines the sources of information that always have to be taken into consideration, such as public information, information on the state of the art, and information generated during the installation, use and maintenance of the device.

The information must be used to determine whether:

  • New hazards not previously considered have to be taken into account
  • The risks (probabilities and severity of damage) have been correctly assessed
  • The risks are still acceptable, e.g., because the state of the art has changed

The manufacturer must then act based on the results of this evaluation. Specifically, the third edition of ISO 14971 lists actions relating to the medical device (e.g., implementation of new risk-minimizing actions) and actions that relate to risk management (e.g., risk management process).


3. Conclusion

The third edition of ISO 14971 makes the already good second edition even better. Many of the changes are editorial in nature; they provide more clarity and make the standard more rigorous.

Particularly noteworthy are the more precise requirements for the post-production phase. Nevertheless, the scope of the changes remains so limited that “Version 2.1” would perhaps have been more appropriate. The following are particularly regrettable:

  1. A lot of helpful annexes have been moved to ISO 24971. This does make ISO 14971 more streamlined, but forces manufacturers to buy a second standard.
  2. Some explanations have disappeared completely. The old ISO 14971 had made it clear that risk is not calculated by simply multiplying the severity and probability of damage. How can such a central and justified statement be taken out given that 95% of manufacturers do exactly that?
  3. It can be assumed that the EU considers the requirements of the MDR regarding risk management to be only partially covered by the third edition. This means there is once again the threat of additional requirements and normative interpretations in the Z-annexes.
  4. The interaction of risk management and the clinical evaluation is not described at all in the third edition of ISO 14971, and only described in very basic terms in the revised ISO 24971.
  5. It is understandable that the standards committee would want to align the standard with the usual chapter structure. This editorial change will mean that most manufacturers will have to review their specification documents (SOPs, work instructions, templates, etc.) to check that the references to the chapter structure are still correct. That is a lot of work that does not benefit patient safety.

In spite of these downsides, manufacturers should be able to easily live with this third edition of ISO 14971. Sometimes less is more.


Prof. Dr. Christian Johner

