Application of Risk Management - ISO 14971

This section was developed step by step so that it can also be used as teaching material and as a template for other projects developed through UBORA.
A complete risk analysis has been performed for the Palpreast device.

Risk analysis


Risk analysis is defined, according to ISO 14971, as the “Systematic use of available information to identify hazards and to estimate the risk”, where

  • hazard: potential source of harm to patient or user;
  • hazardous situation: circumstance in which people, property, or the environment are exposed to one or more hazard(s);
  • harm: physical injury or damage to health of person, or damage to property or environments.


  • Define the intended use and identify the safety-related characteristics of the device, i.e. characteristics that could impact the safety of the device (questions in ISO 14971 Annex C). Examples are:
    • Is the medical device intended to be in contact with the patient or other persons?
    • Is the medical device intended to be cleaned and disinfected by the user?
    • Are measurements taken?
    • Does the medical device contain software?
    • Is the medical device interpretative?
    • Does the medical device use an alarm system?
  • Identify hazards and hazardous situations, i.e. a list of foreseeable hazards (potential sources of harm):
    • energy hazards;
    • biological and chemical hazards;
    • operational hazards;
    • information hazards.

As an example, Tables 1 and 2 describe the hazards and the hazardous situations related to the use of Palpreast, respectively.

Table 1 - Palpreast hazards identification

Table 2 - Palpreast Hazardous situation

  • Estimate risk(s) for each hazardous situation. Risk estimation has two components:
    • Probability of the hazardous situation occurring;
    • Consequences of the harm – Severity.

According to Annex D of ISO 14971:2017, a semi-qualitative analysis was performed, using a 5x5 risk matrix where the levels of severity and probability are described in Table 3 and Table 4, respectively.
Finally, Table 5 describes the estimated risks for each hazardous situation related to Palpreast use and Table 6 shows a more comprehensive risk matrix.

Table 3 - Five qualitative severity levels

Table 4 - Semi-qualitative probability levels

Table 5 - Estimated risk for Palpreast

Table 6 - Semi-quantitative 5x5 risk matrix for Palpreast

Risk evaluation

According to ISO 14971, the “Evaluation of Risk” is defined as the “Process of comparing estimated risk against given risk criteria to determine acceptability of the risk”. For each identified hazardous situation, the manufacturer decides whether risk reduction is required, on the basis of the acceptability criteria defined in its risk management plan.

Table 7 shows the risk evaluation and risk acceptability for Palpreast.

Table 7 - Semi-qualitative 5x5 risk evaluation matrix. Green cells indicate acceptable risk; red cells indicate unacceptable risk

Risk control

According to ISO 14971, “Risk control” is defined as the “Process in which decisions are made and measures implemented by which risks are reduced to, or maintained at, specified levels”.

The risk control measures related to Palpreast use are described in Table 8.

Table 8 - Risk control measures for Palpreast use

After risk control, all risks must be considered acceptable.