By Rick Schrenker

In a previous article I wrote for 24×7, titled “This is My Confession” (Read it online at, I expressed my long-held opinion that clinical engineering (CE)/HTM departments should have access to medical device manufacturers’ risk management files (RMFs). I won’t revisit why I believe that and will leave you to determine whether you want to do it. 

But, before that, I’d expect you would want to know something about RMFs, which in turn would require knowing something about International Organization for Standardization (ISO) 14971: Medical devices—Application of risk management to medical devices, which describes RMFs.

(Before going further, I need to disclose that I’m working from a copy of 14971-2007, which I referred to while drafting a quality manual for a medical device data systems some years ago. The latest revision of 14971 was released just last year. From what I’ve read, the elements discussed below have not changed significantly.)

Section 3.5 of 14971-2007 describes the RMF as follows: “For the particular medical device being considered, the manufacturer shall establish and maintain a risk management file [which] shall provide traceability for each identified hazard to the risk analysis, the risk evaluation, the implementation and verification of the risk control measures, and the assessment of the acceptability of any residual risks.

From there, the standard lays out sections 4.1 to 4.4 on the risk analysis process, section 5 on risk evaluation, sections 6.2 to 6.7 on risk control, section 7 on evaluation of overall residual risk accountability, section 8 on the risk management report, and section 9 on production and post-production information. Every one of these sections ends with the same sentence: “Compliance is checked by inspection of the risk management file.” 

Perhaps back in the days when CE/HTM departments didn’t have to be as concerned about interactions between medical devices—that is, before devices were so interconnected—CE/HTM departments didn’t need to know what was in those files. But those of us who helped develop the first version of ISO: 80001 struggled with trying to determine what a “responsible organization” would need from the RMFs of the potentially numerous medical device manufacturers that could provide devices for a networked system. 

Aside 1: I left the committee before the Technical Report was adopted and do not know how it resolved the issues.

Aside 2: My readings about 14971-2019 indicate that the revision acknowledges that device interactions can create hazards that need to be considered in risk management.

Analyzing the Annexes 

In addition to the normative standard are a number of annexes. My understanding is some of the annexes from the 2007 and 2013 revisions have been moved into a Technical Report, 24971, which offers guidance on the implementation of 14971. There are bound to be differences between all of these, but some basic concepts cited from the beginning will not change substantively, if at all. 

Here are some examples from Annex A—Rationale for Requirements: “Completeness is very important in risk management.”

  • “Analysis should consider that medical devices can also be used in situations other than those intended by the manufacturer.” 
  • “Where the probability of occurrence of harm cannot be calculated, hazards still have to be addressed.” 
  • “Frequently, good quantitative data are not readily available. The suggestion that estimation of risk only be done in a quantitative way has therefore been avoided.” 
  • “Decisions have to be made about the acceptability of risk.”

Further, Annex C focused on questions that could be used to identify medical device characteristics that could impact on safety, for example: 

  • “How will information for safe use be provided?”
  • “Can the user interface design contribute to an error?”
  • “Is the medical device controlled by a menu?”

Moreover, Annex D addressed the application of risk concepts to medical devices, for example:

  • “Hazardous situations resulting from systemic faults”
  • “Risks whose probability cannot be estimated”
  • “Risk evaluation and risk acceptability”
  • “Overall residual risk evaluation”

There were additional annexes that addressed hazard analysis and risk management techniques (for example, failure mode and effects analysis, or FMEA) and hazard analysis for in vitro devices and biological hazards. And that was in back in 2007. Bottom line: Do you care what’s in any of the risk management files for your devices? Why or why not?

Rick Schrenker is a systems engineering manager for Massachusetts General Hospital. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].