What are the most common ISO 14971 audit findings?
A medical device manufacturer began receiving complaints that one of its disposable devices occasionally cracked during clinical use. Initially, the events appeared isolated, and customer service handled each complaint individually. Replacement products were shipped, the cases were closed, and no formal corrective and preventive action (CAPA) was opened.
Six months later, a trend emerged. The cracking issue was occurring more frequently under specific environmental conditions during transport and storage. During an audit, the notified body reviewed the company’s risk management file and discovered that the identified hazard was present in the original design risk analysis. However, its severity and probability had never been updated based on real-world complaint data.
The issue was no longer just a complaint-handling concern. It had become evident that the organization’s risk management system was not functioning as a living process.
Most ISO 14971 audit findings are not due to missing documentation. Rather, they result from weak execution of the risk management process. Organizations often have risk files in place, but the content does not demonstrate that risks are being effectively identified, evaluated, and controlled.
Many organizations complete the required risk documentation, but the process often breaks down when auditors look for evidence that the controls actually work in practice. In some cases, teams cannot clearly explain why residual risks were considered acceptable, especially when new complaints or field data have emerged.
Why do risk files fail during regulatory or notified body review?
Risk files often fail because they are treated as static documents rather than dynamic systems.
An effective risk management process should:
- Incorporate post-market surveillance (PMS) data
- Reflect real-world product performance
- Be updated when new risks are identified
For example, recurring complaints about device performance should trigger a reassessment of risk, even if initial controls were considered adequate. If the risk file remains unchanged despite new evidence, this suggests that the system is not functioning properly.
How should risk management link to complaints and CAPA?
This is a critical area where many systems break down.
A system for actively collecting and reviewing information should include monitoring and feedback, such as complaints and adverse event reports. In addition, the system should actively solicit user feedback and collect other relevant information. The manufacturer should consider the extent of these activities and determine which activities are appropriate for the particular medical device.
For example, limited monitoring might be sufficient for medical devices with a long history of use and well-understood risks. For medical devices involving novel treatments, such as new intended uses, or innovative technologies, especially those with less-understood risks, more elaborate monitoring may be warranted, including post-market clinical follow-up (PMCF) studies.
Complaints should not be handled in isolation, because an organization that closes each case on its own may miss the patterns that point to a broader system issue.
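The two points above, that recurring complaints should trigger a reassessment of risk and that complaints handled one at a time hide patterns, can be made concrete with a small trending check over complaint data. The following is an added illustration, not code from the article or from SGS: it assumes a complaint log already coded by failure mode and reported condition, a risk-file extract with the probability estimated at design time per 1000 units and the date that estimate was last reviewed, and a units-in-field denominator. All records and the two-times ratio threshold are constructed for the example. The check flags any failure mode whose observed complaint rate has outrun its design estimate since the last review, any failure mode that has no hazard in the risk file at all, and reports the condition that dominates the flagged complaints so the reassessment has somewhere to start.

```python
from collections import Counter
from datetime import date

# Constructed complaint records (hypothetical sample data, not from the article).
# Each record is one field complaint already coded by failure mode and by the
# condition reported around the event.
COMPLAINTS = [
    {"id": "C-001", "date": date(2024, 1, 10), "failure_mode": "housing crack", "condition": "cold transport"},
    {"id": "C-002", "date": date(2024, 2, 3),  "failure_mode": "housing crack", "condition": "cold transport"},
    {"id": "C-003", "date": date(2024, 2, 20), "failure_mode": "label smudge",  "condition": "normal"},
    {"id": "C-004", "date": date(2024, 3, 15), "failure_mode": "housing crack", "condition": "cold transport"},
    {"id": "C-005", "date": date(2024, 4, 2),  "failure_mode": "housing crack", "condition": "normal"},
    {"id": "C-006", "date": date(2024, 5, 11), "failure_mode": "housing crack", "condition": "cold transport"},
    {"id": "C-007", "date": date(2024, 6, 1),  "failure_mode": "seal leak",     "condition": "normal"},
]

# Constructed risk-file extract (hypothetical): for each hazard, the probability
# estimated during design per 1000 units and when that estimate was last reviewed.
RISK_FILE = {
    "housing crack": {"hazard_id": "HZ-07", "est_per_1000": 0.05, "severity": 3, "last_reviewed": date(2023, 6, 1)},
    "label smudge":  {"hazard_id": "HZ-12", "est_per_1000": 0.20, "severity": 1, "last_reviewed": date(2023, 6, 1)},
}

UNITS_IN_FIELD = 20000  # constructed denominator: units shipped in the period


def observed_rate_per_1000(complaints, failure_mode, units):
    """Observed complaint rate for one failure mode, per 1000 units in the field."""
    n = sum(1 for c in complaints if c["failure_mode"] == failure_mode)
    return 1000.0 * n / units


def condition_breakdown(complaints, failure_mode):
    """How the complaints for one failure mode split across reported conditions."""
    return Counter(c["condition"] for c in complaints if c["failure_mode"] == failure_mode)


def flag_for_reassessment(complaints, risk_file, units, ratio_threshold=2.0):
    """Return the failure modes whose risk-file entry needs a fresh look.

    A mode is flagged when (a) the risk file has no hazard for it, or (b) the
    observed rate exceeds ratio_threshold times the design estimate and at
    least one complaint postdates the last review of that estimate.
    """
    findings = []
    for mode in sorted({c["failure_mode"] for c in complaints}):
        observed = observed_rate_per_1000(complaints, mode, units)
        newest = max(c["date"] for c in complaints if c["failure_mode"] == mode)
        entry = risk_file.get(mode)
        if entry is None:
            findings.append({
                "failure_mode": mode,
                "reason": "no hazard in risk file",
                "observed_per_1000": observed,
            })
            continue
        if observed > ratio_threshold * entry["est_per_1000"] and newest > entry["last_reviewed"]:
            dominant, _count = condition_breakdown(complaints, mode).most_common(1)[0]
            findings.append({
                "failure_mode": mode,
                "hazard_id": entry["hazard_id"],
                "reason": "observed rate exceeds design estimate since last review",
                "observed_per_1000": observed,
                "est_per_1000": entry["est_per_1000"],
                "severity": entry["severity"],
                "dominant_condition": dominant,
            })
    return findings


if __name__ == "__main__":
    for f in flag_for_reassessment(COMPLAINTS, RISK_FILE, UNITS_IN_FIELD):
        print(f)
```

Run as-is, the check flags the housing crack (observed 0.25 per 1000 against a design estimate of 0.05, dominated by cold transport) and the seal leak, which has no hazard entry, while the label smudge stays within its estimate. The point is the linkage, not the arithmetic: each flagged row is the input to a CAPA and to an update of the severity and probability in the risk file, which is the step the audited organization in the opening example never took.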
ISO 14971 expects risk management to function as a continuous, evidence-driven process that supports patient safety throughout the product lifecycle and evolves as new information becomes available.
The cracking device example illustrates a common weakness seen during audits. Risk management systems often fail because organizations do not consistently connect real-world evidence, complaints, CAPAs, and ongoing risk evaluation into a continuously active process.
To go deeper, SGS offers ISO 14971 training focused on hazard identification, the risk management process, control implementation, monitoring effectiveness, and linkage to technical documentation.