ISO 14971 Risk Assessment: What You Actually Need to Do
Developing a medical device and need to set up risk management? ISO 14971 is detailed, but the core process is straightforward. Here's what it actually requires.
The Process
1. Identify Hazards
List every potential source of harm. Not just device failures — include use errors, environmental factors, and manufacturing variability.
Good sources: intended use, foreseeable misuse, similar device complaints (MAUDE database, field safety notices), and brainstorming with your cross-functional team.
Don't aim for completeness on day one. Your hazard list is a living document. Update it as you learn more. AttoPhase ships with a pre-populated hazard list derived from the standard, so you start from a solid foundation rather than a blank page.
2. Trace the Hazard-to-Harm Chain
This is the step many teams skip or conflate with hazard identification. ISO 14971 requires you to trace the full chain:
Hazard → Foreseeable sequence of events → Hazardous situation → Harm
For each hazard, ask: what sequence of events could lead to someone being exposed to this hazard? That exposure is the hazardous situation. And what harm could result?
Example:
- Hazard: Excessive surface temperature
- Sequence of events: Cooling fan fails during extended use
- Hazardous situation: Patient skin in prolonged contact with overheated surface
- Harm: Skin burn
This decomposition matters. Different sequences of events can lead to the same hazard causing different hazardous situations, each with its own probability and severity. If you jump straight from hazard to harm, you miss this nuance — and your risk controls will suffer for it.
Spreadsheets can capture this in columns, but as your risk file grows, tracing risk controls through to requirements and verification becomes increasingly fragile.
In AttoPhase, the default risk form fields match this chain exactly — hazard, sequence of events, hazardous situation, harm — so your risk entries are structured correctly from the start.
3. Estimate Risk
For each hazardous situation, determine:
- Severity — How bad is the harm if it occurs?
- Probability of occurrence — How likely is the full chain: the sequence of events occurring, leading to the hazardous situation, leading to harm?
ISO 14971 does not prescribe exact scales — qualitative or quantitative approaches are both valid. Common qualitative levels include:
- Severity: negligible, minor, serious, critical, catastrophic
- Probability: improbable, remote, occasional, probable, frequent
Quantitative estimates are preferable when sufficient field data is available, but qualitative levels are widely used in practice.
AttoPhase ships with default severity and probability scales based on widely adopted industry scales. You can use them as-is or adjust them to fit your device's risk profile through the risk configuration settings.
4. Define Acceptability Criteria
Define your risk acceptability criteria before you evaluate individual risks. This prevents bias.
If you're targeting the EU market, note that the MDR and the harmonized amendment ISO 14971:2019+A11:2021 require risks to be reduced as far as possible (AFAP) — not merely "as low as reasonably practicable" (ALARP). The difference is significant: ALARP allowed economic considerations to factor into risk decisions. AFAP does not. You must reduce every risk as far as the state of the art permits, unless further reduction would adversely affect the benefit-risk ratio.
Under FDA regulations, the framework is benefit-risk — different language, but the expectation of thorough risk reduction still applies.
In practice, your acceptability matrix still defines zones — but under AFAP, even risks in the "acceptable" zone must be reviewed for further reduction opportunities. Document why each residual risk cannot be reduced further. Some risks can only be justified by clinical benefit — if your device has a residual risk that cannot be further reduced, document the benefit-risk analysis explicitly.
AttoPhase's risk matrix gives you a visual overview of where each risk sits, making it easy to identify which ones need attention.
5. Control Risks
Apply risk controls in this order of priority:
- Inherently safe design — Eliminate the hazard entirely. Best option, not always possible.
- Protective measures — Alarms, barriers, automatic shutoffs in the device itself.
- Information for safety — Labels, instructions, training. Least reliable because it depends on human behavior.
After implementing controls, re-estimate the residual risk. Verify the control works. Check that it doesn't introduce new hazards.
In AttoPhase, risk controls are linked to requirements and traced through to verification tests, so you can demonstrate that each control is implemented and verified.
6. Evaluate Overall Residual Risk
After all individual risks are controlled, step back and assess the combined effect of all residual risks together — not just each one in isolation. Is the overall residual risk acceptable given the device's clinical benefit?
AttoPhase's traceability tables give you a complete view across all risks, controls, and their verification status — making this assessment auditable rather than anecdotal.
7. Monitor Post-Production Information
Risk management doesn't end at product release. ISO 14971 clause 10 requires you to systematically collect and review production and post-production information — complaints, adverse events, field safety data — and feed it back into your risk assessment. Your risk file must be updated when you learn something new — not just at design freeze.
This is where spreadsheet-based approaches tend to break down — tracking changes across linked sheets and maintaining version history becomes increasingly error-prone.
If new information changes a risk estimate or reveals a previously unidentified hazard, update your risk file accordingly. AttoPhase maintains full version history on every risk entry, so you can trace what changed, when, and why.
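Steps 2 through 7 as one added Python model (example code written for this article, not AttoPhase's implementation and nothing taken from the standard itself): each entry carries the full hazard-to-harm chain, risk is scored against a constructed acceptability matrix, each control re-estimates residual risk and appends a history record, and the overall assessment flags entries that still need a documented justification. The index positions of the scales, the matrix thresholds, the `relies_only_on_information` check and the `TV-PLACEHOLDER` test id are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Levels quoted in the article; ISO 14971 prescribes neither these nor a matrix, so the index positions and thresholds below are this example's assumptions.
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]
CONTROL_PRIORITY = ["inherently safe design", "protective measure", "information for safety"]
ZONES = ["acceptable", "review for further reduction", "unacceptable"]

def risk_zone(severity, probability):
    """Step 4: constructed matrix, score = severity index + probability index (0..8)."""
    score = SEVERITY.index(severity) + PROBABILITY.index(probability)
    return ZONES[2] if score >= 6 else ZONES[1] if score >= 3 else ZONES[0]

@dataclass
class RiskEntry:
    hazard: str                  # step 2: every link of the chain is a required field
    sequence_of_events: str
    hazardous_situation: str
    harm: str
    severity: str                # step 3: current estimate (initial, then residual)
    probability: str
    controls: list = field(default_factory=list)   # (kind, description)
    history: list = field(default_factory=list)    # step 7: (revision, what changed, why)

    def zone(self):
        return risk_zone(self.severity, self.probability)

    def apply_control(self, kind, description, severity=None, probability=None, why=""):
        # Step 5: record the control, re-estimate residual risk, keep the change history.
        if kind not in CONTROL_PRIORITY:
            raise ValueError(f"unknown control type: {kind}")
        before = (self.severity, self.probability)
        self.severity, self.probability = severity or self.severity, probability or self.probability
        self.controls.append((kind, description))
        self.history.append((len(self.history) + 1, f"{kind}: {before} -> {(self.severity, self.probability)}", why))

    def relies_only_on_information(self):
        # Least reliable control class used alone: the risk file needs an explicit justification.
        return bool(self.controls) and all(k == CONTROL_PRIORITY[2] for k, _ in self.controls)

def overall_residual_risk(entries):
    # Step 6: worst zone across all entries, plus hazards still needing a documented justification.
    worst = max(entries, key=lambda e: ZONES.index(e.zone())).zone()
    flagged = [e.hazard for e in entries if e.zone() != ZONES[0] or e.relies_only_on_information()]
    return worst, flagged

# Constructed sample: the article's overheated-surface chain, then one protective measure.
burn = RiskEntry("excessive surface temperature", "cooling fan fails during extended use",
                 "patient skin in prolonged contact with overheated surface", "skin burn", "serious", "occasional")
burn.apply_control("protective measure", "thermal cutoff removes heater power", probability="improbable",
                   why="verified in test TV-PLACEHOLDER")
```

Each history tuple records revision number, the before/after estimate and the reason, which is the record an auditor asks for when post-production data changes an estimate.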
AttoPhase gives you an ISO 14971-compliant structure out of the box, with full customization when you need it. Request access to see it in action.