Managing risk for ISO 14971

ISO 14971 is a standard which sets out the risk management requirements for medical device businesses.

In this article, we've asked Dave Beard, Service Implementation Manager for Qualsys' life science customers, to share how Qualsys's software helps medical device companies meet the ISO 14971 risk management requirements.

ISO 14971 Risk Management Process Flow

What follows is an overview of how our software can help your organisation meet the ISO 14971 requirements. This is by no means an exhaustive list of all the requirements or all the ways you can use our software to manage risk.


EQMS Modules

ISO 14971 Requirements Example of how Qualsys's software helps

Part 3 of ISO 14971 is about establishing your risk management framework. 



Risk management process

An ongoing process for risk management must be defined, documented and maintained. 

Document Manager by Qualsys enables you to define, document and maintain your established risk management process. The direction provided in this document can then be applied to Risk Manager, where you can configure requirements to analyse, evaluate, control, and manage production and post-production information about your medical device.

Management responsibilities

Top management provides evidence of its commitment to risk management by ensuring the provision of adequate resources and the assignment of the correspondingly qualified personnel.

All of Qualsys's software modules are free for end users. This makes the management system accessible and part of the fabric of all the organisation's policies. For example, leadership may not need to be able to configure fields, but they will want a picture of how the business is performing. 

All of the modules require roles and responsibilities to be assigned, so management know what they need to do and when. 

Qualification of personnel

Personnel must have the appropriate knowledge and experience of the medical device and its use, the technologies involved and about risk management techniques.

Training Records Manager by Qualsys provides a central system to plan, test, manage and evidence employee competency.

Risk management plan

A documented risk management plan which includes planned risk management activities, assignment of responsibilities and authorities, requirements for the review, criteria for risk acceptability, and activities related to the collection and review of production and post-production information.

Documented risk management plans can be maintained in Document Manager and Risk Manager.

Document Manager by Qualsys enables you to document policies, communicate, demonstrate commitment and provide a Single Source of Truth linking to all decisions and actions taken. 

Risk management file

Establish and maintain a risk management file for each medical device. Provide traceability to the following elements for each identified hazard: 

- Risk analysis 

- Risk evaluation 

- Implementation and verification of the risk control measures 

- Assessment of the acceptability of any residual risks


Files related to the risk management of each medical device are stored in a single, incorruptible system.

Activity is visible to authorised users, and there is access to audit trails and workflows to ensure all risks have been appropriately measured and activities are recorded.


Part 4 requires you to use your risk management file to document the intended use of your medical device, identify characteristics that could affect safety, carry out a risk analysis and estimate the risk for each hazardous situation.



Risk analysis process

The conduct and results of the risk analysis are recorded in the risk management file.

Risk Manager records the person carrying out the risk analysis, scope, date, and enables a description and identification of the medical device to be associated with the risks.

Document Manager provides a secure, accessible repository for all documents in the risk management file. Advanced search features and a Document Navigator structure make it easy to retrieve only the most recent file.


Intended use and identification of characteristics related to the safety of the medical device

Intended use and reasonably foreseeable misuse must be described, together with the qualitative and quantitative characteristics that could affect the safety of the medical device, and their limits.


Risk suggestions may be raised by employees / suppliers to help build a full picture of potential misuse or safety issues. 



Identification of hazards

Documentation about foreseeable hazards associated with medical devices in both normal and fault conditions.

Audit Manager provides a flexible and intuitive system to explore potential internal and supplier risks, then systematically raise audit reports such as the identification of product hazards.

Estimation of risks for each hazardous situation 

Reasonably foreseeable sequences or combinations of events that can result in a hazardous situation are considered and the resulting hazardous situation is recorded.

Risk Manager enables you to apply a quantitative assessment of the hazards associated with your medical device. 


Part 5 requires you to evaluate the risk for each identified hazardous situation. 

Risk evaluation

For each identified hazardous situation, the manufacturer must decide, using the criteria defined in the risk management plan, whether risk reduction is required.

Risk Manager enables your organisation to evaluate each individual hazard, or any other type of risk, in risk categories.

Part 6 requires you to develop risk control measures when risk must be reduced.

Risk reduction

Risk control activities must be performed if necessary. 

Control activities can be recorded in Risk Manager.

Risk control option analysis

Risk control measures identified and documented are appropriate for reducing risks to an acceptable level. 

Risk control options, such as inherent safety and design, protective measures in the medical device or information for safety, may be assigned using Risk Manager.

Implementation of risk control measures

Risk control measures must be verified and recorded. 

Workflows throughout all the modules enable the organisation to ensure risk controls have been implemented, approved and reviewed. 

Residual risk evaluation

Residual risks evaluated using the criteria in the risk management plan are recorded.

Using Risk Manager, evaluate and document whether residual risk has been judged acceptable or not, and the activities resulting in this evaluation.

Part 7 requires you to evaluate the acceptability of the overall residual risk.

Evaluation of overall residual risk acceptance

Decide and record if the overall residual risk posed by the medical device is acceptable using the criteria defined in the risk management plan. 

Using Risk Manager, evidence, by reviewing the data and literature, how the medical benefits outweigh the residual risk, or describe which information must be included in the accompanying documents in order to disclose the overall residual risk.


Part 8 requires you to carry out a risk management review and prepare a risk management report.


Risk management report

Review of risk management process carried out prior to release of medical device.


The Dashboard enables the organisation to ensure the risk management plan has been implemented, overall residual risk is acceptable, and appropriate methods are in place to obtain relevant production and post-production information.

Part 9 requires you to establish a system that you can use to monitor your medical device/s in the production and post-production phases.  

Production and post-production information

There must be a system to collect and review information about the medical device in the production and 

CAPA Manager enables information to be collected and reviewed about the medical device in the production and post-production phases. 


Download our datasheet to find out more about how medical device companies use our software for a robust quality and risk management system. 
