Notified Body View of Implementation of EN ISO 14971:2012

Home / News, Views & Updates / Notified Body View of Implementation of EN ISO 14971:2012

Notified Body View of Implementation of EN ISO 14971:2012

During the process of harmonisation of ISO 14971: 2007 as an EN standard, it became apparent that the standard did not comply with all the requirements of the Medical Devices Directives (MDDs), namely 90/385/EEC, 93/42/EEC and 98/79/EC. Seven discrepancies were identified; these discrepancies are described in EN ISO 14971: 2012 as “Content Deviations”. Our newsletters to date have dealt with these seven Content Deviations.

In this blog, we review the Notified Bodies Recommendations Group (NBRG) Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971: 2012. This gives an insight into Notified Body thinking on the implementation of EN 14971

The NBRG Consensus paper which has Interim NBMed status, gives some very useful clarification and allows practical leeway on implementation when compared to a strict reading of the EN 14971 Annexes. Most notable among these are the clarifications given on the treatment of negligible risks, the use of ALARP, when to apply Risk Benefit Analysis and clarifying that “information on how to use a device safely may be considered a risk control measure”

The purpose of the paper is to “bridge the gap” between the interpretation of Annexes ZA, ZB and ZC of EN 14971 and “the practice of putting safe medical devices on the market in the EU and other countries where the MDDs apply”.

The document first off considers two aspects of the Annexes Z:

  • Reduce the risk “as far as possible”
  • Economical considerations in risk management

1)  Reduce risk “as far as possible”: this has caused considerable confusion and this consensus paper “offers Notified Bodies and manufacturers an interpretation of “as far as possible” that is “clear, easy to understand and unambiguous.”   (In line with Clause 1.1 of the 2013 edition of the European Commission, Parliament and Council’s Joint Practical Guide of the European Parliament, the Council and the Commission for persons involved in the drafting of European Union legislation)” 

  • Economical considerations in risk management: Content Deviation 3 of EN 14971 effectively meant that the ALARP concept could not be used with regard to economic considerations. However this consensus paper states that this interpretation is not consistent with the “Medical Device Directives’ objective as stated in, for example, the following recital of Directive 93/42/EEC:”
Whereas the essential requirements and other requirements set out in the Annexes to this Directive, including any reference to ‘minimizing’ or ‘reducing’ risk must be interpreted and applied in such a way as to take account of technology and practice existing at the time of design and of technical and economical considerations compatible with a high level of protection of health and safety.


The paper goes on to make specific recommendations for industry for the interpretation of each Content Deviation.


Content Deviation 1: Treatment of negligible risks:


  • Identify known and foreseeable hazards
  • Estimate the risk for each hazardous situation identified
  • Risk control measures and the results of the risk evaluation must be recorded in the risk management file for all risks.

Content Deviation 2: Discretionary power of manufacturers as to acceptability of risks:


  • “The manufacturer shall consider whether death or serious deterioration of health is unlikely to occur in normal operation or due to device malfunctions or deterioration of characteristics or performance, or any inadequacy in the labelling or instructions for use. If unlikely to occur, the risk shall be considered acceptable.”
  • If the risk is not considered acceptable, the risk acceptability is “preferably based on harmonized standards specifying state of the art risk control measures for particular categories of medical devices. Basing the risk reduction end-point on harmonized standards ensures that the risk is reduced to an acceptable level.”
  • “When those publications are not available, the manufacturer must assess the best risk reduction means and shall include, in the description of the risk management process, what criteria were used to determine the acceptability of risks. The criteria for risk acceptability are then based, among others on historical data, best medical practice and state of the art.”
  • “Further risk control measures do not improve the safety.”
  • “If a reduction to an acceptable level cannot be achieved, a risk-benefit analysis must demonstrate that the residual risk is outweighed by the medical benefit as explained in Content Deviation 4.”
  • “Compliance may be demonstrated by reflecting such end-points in the criteria for risk acceptability as part of the risk management file. Where safety cannot be demonstrated as such, existing clinical data is used to demonstrate that the medical benefit outweighs the risk.”

Content Deviation 3: Risk reduction “as far as possible” versus “as low as reasonably practicable”: 

  • “With this deviation the European Commission raises the concern that economic considerations might surmount safety considerations. On the other hand the reduction of a risk “as far as possible” could be without limits and the resulting devices might no longer be affordable for a larger group of patients.”


  • The safety of the product must not be compromised for cost reasons. “For transparency the manufacturer must document the end-point criteria of risk reduction based on his risk policy.”
  • Compliance is demonstrated by documentation.

Content Deviation 4: Discretion as to whether a risk-benefit analysis needs to take place:

  • “At the end of the risk management process, the manufacturer shall perform a risk benefit analysis for individual risks that are not acceptable and for which further risk reduction is not possible. In any case the manufacturer shall perform an overall risk-benefit analysis considering all individual risks to provide a rationale for overall risk acceptance. “
  • “Compliance is checked by inspection of the individual and overall risk-benefit analyses.”

Content Deviation 5: Discretion as to the risk control options: 


“As stated above for Content Deviation 2, the manufacturer can justify ceasing further risk reduction where it is determined that the risk is acceptable”

“The manufacturer shall consider all risk control measures in Essential Requirement 2 that are appropriate to reduce the risk to an acceptable level. In so doing, the manufacturer shall document the control options in the priority order, as part of the risk management process.”

Content Deviation 6: Deviation as to the first risk control option 


“The manufacturer shall ensure that, whenever possible, the first risk control option includes both safe design and safe construction.

Not relevant for compliance verification.“

Content Deviation 7: Information of the users influencing the residual risk 

Content Deviation 7 states “..manufacturers shall not attribute additional risk reduction to the information given to the users…” However the NBRG Consensus Paper draws a distinction between information given to the user regarding safe use and disclosure of residual risk. The NBRG takes the view that Content Deviation 7 relates to the latter but not to the former. This effectively means that in the eyes of the Notified Body, information contained in Instructions for Use that details how certain risks can be avoid or reduced, can be considered as a risk control measure.

The NBRG Consenus paper states; “Any information for safety comprising instructions of what actions the user can take or avoid in order to prevent a hazardous situation from occurring may be considered a risk control measure. As required by Essential Requirement 13.1 of Directive 93/42/EEC (respectively ER B.8 of 98/79/EC) it may be considered as a risk control measure. The information includes the instructions for use, labels, etc. Since ‘safe use’ is related to risk control measures, the Medical Device Directives do not deviate in that regard from EN 14971. Any effects on risk reduction are to be documented by the manufacturer in the risk management file.

‘Disclosure of residual risk’ should be conducted in compliance with EN  14971 Clause 6.4, 6.5 and 7.  The manufacturer shall not claim a reduction to the probability of harm when disclosing residual risk.

Compliance is checked by inspection of the risk management file.”

Recommendations for the Notified Body audit process – 6 pointers.

The paper give six specific pointers. “The Notified Bodies will focus on objective evidence on how manufacturers addressed the gaps (gaps between the requirements of the Directives and the Risk Management Standard (documented in the EN ISO 14971: 2012 edition) which must be addressed, if applicable) and modified their Risk Management Process accordingly. More specifically they will evaluate”:

  1. “Are all design solutions in conformity with the safety principles given in the Essential Requirements and EN ISO 14971 (inherent safe design and construction > protection measures > information for safety)?”
  2. “Has the manufacturer demonstrated that all risks have been reduced to an acceptable level in the sense of this guidance paper?”
  3. “Has the manufacturer conducted a risk benefit analysis for all individual residual risks that are not acceptable according to the risk acceptability criteria?”
  4. “Has the manufacturer conducted an overall risk benefit analysis?”
  5. “Has the manufacturer demonstrated that information for safety is effective?”
  6. “Has the manufacturer included information on residual risks, if needed, in the accompanying documents?”

To access the Notified Bodies Recommendations Group (NBRG) Consensus Paper for the Interpretation and Application of Annexes Z in EN 14971 use the link below.

Submitted by SQT Life Sciences Tutor John Lafferty



Share this Article

Blog Sign up

Sign up to receive the latest industry and company news direct to your inbox.