Risk Management (ISO 14971)

Overview

Risk management is a core requirement for Device Licence applications. All applicants must demonstrate that risks associated with their device have been systematically identified, evaluated, and controlled. Health Canada expects risk management to be conducted in accordance with ISO 14971:2019 — Medical devices — Application of risk management to medical devices.

ISO 14971 risk management process

The ISO 14971 process involves:

1. Risk management plan

A documented plan establishing:

  • Scope of the risk management activities
  • Responsibilities and authorities
  • Risk acceptability criteria
  • Verification activities

2. Hazard identification

Systematic identification of all foreseeable hazards associated with the device, considering:

  • Intended use and reasonably foreseeable misuse
  • Device characteristics that could affect safety
  • Energy outputs, substances used, and patient/user contact

3. Risk estimation

For each hazard, estimate:

  • Probability of occurrence of harm
  • Severity of harm

4. Risk evaluation

Determine whether each risk is acceptable using the risk acceptability criteria from the risk management plan. Risks above the acceptability threshold must be mitigated.

5. Risk control

Implement risk controls in order of priority:

  1. Inherent safety by design (preferred)
  2. Protective measures (guards, alarms)
  3. Information for safety (warnings, labelling)

6. Residual risk evaluation

After risk controls have been implemented, evaluate:

  • Individual residual risks (still acceptable?)
  • Overall residual risk (is the overall benefit-risk profile favourable?)

7. Risk management report

A summary report documenting:

  • Conclusion that the risk management process has been implemented
  • Overall residual risk acceptability
  • Methods used to collect production and post-production information

What to include in the Device Licence application

For Class III and IV devices, the full Risk Management File should be available for Health Canada inspection, and the application should include:

  • The Risk Management Report (summary)
  • Identification of all hazards and their controls
  • Benefit-risk analysis

For Class II devices, a risk management summary is typically sufficient.

Post-market risk management

The risk management process does not end at market authorisation. Post-market information (complaints, incidents, vigilance data) must feed back into the risk management process. This is particularly important when preparing for licence amendments or periodic reviews.

Legislative source: Medical Devices Regulations, SOR/98-282, Schedule 1; ISO 14971:2019