
ISO/TR 24971 for Medical Devices: Practical Guidance for Applying ISO 14971

Comprehensive guide to ISO/TR 24971:2020, the companion technical report to ISO 14971:2019 — how to use its annexes for hazard identification, risk analysis methods, benefit-risk analysis, cybersecurity, IVDs, and practical implementation across your risk management process.

Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-04-24 · 11 min read

Why ISO 14971 Alone Is Not Enough

ISO 14971:2019 tells medical device manufacturers what they must do for risk management — identify hazards, estimate and evaluate risks, implement controls, and monitor residual risk. But it does not always explain how to do it in practice. The standard is intentionally concise, leaving manufacturers to interpret requirements like "reasonably foreseeable misuse," "benefit-risk analysis," and "completeness of risk control" on their own.

ISO/TR 24971:2020 fills this gap. Published in June 2020 as a companion technical report, it provides detailed, non-mandatory guidance on the development, implementation, and maintenance of a risk management system for medical devices according to ISO 14971:2019. As ISO describes it, the report "provides the practical interpretation and application guidance that manufacturers need to implement ISO 14971:2019 effectively and consistently."

This guide walks through what ISO/TR 24971:2020 contains, how to use it in practice, and which annexes matter most for your specific device type.

What ISO/TR 24971:2020 Is — and Is Not

It Is a Technical Report, Not a Standard

ISO/TR 24971:2020 is classified as a technical report, not an international standard. The "TR" designation means its content is informative, not normative. It does not add requirements beyond what ISO 14971:2019 already specifies. Instead, it provides context, examples, and practical methods for meeting those requirements.

This distinction matters for regulatory submissions: you cannot claim conformity to ISO/TR 24971 because it has no requirements. But notified bodies and FDA reviewers will expect your risk management approach to be consistent with its guidance, particularly for complex topics like benefit-risk analysis and cybersecurity.

Complete Rewrite From the 2013 Edition

The 2020 edition is essentially a complete rewrite of the 2013 version. As Greenlight Guru notes, "some elements that were previously written into ISO 14971 have since been shifted to annexes in TR 24971:2020 (such as in vitro diagnostic devices, risk management plans, risk concepts and techniques, and guidance on hazard identification)." The clauses and subclauses mirror the structure and numbering of ISO 14971:2019, making it easy to find guidance for each specific requirement.

The report was prepared jointly by ISO Technical Committee TC 210 (Quality management and corresponding general aspects for medical devices) and IEC Subcommittee SC 62A (Common aspects of electrical equipment used in medical practice).

Structure: How the Document Is Organized

ISO/TR 24971:2020 has two main parts:

  1. Clauses 3 through 10: Mirror the clause numbering of ISO 14971:2019, providing guidance for each corresponding requirement. If ISO 14971 Clause 5.3 requires identification of hazardous situations, ISO/TR 24971 Clause 5.3 explains practical approaches for doing so.

  2. Annexes A through H: Standalone guidance documents covering specific topics that apply across multiple clauses of ISO 14971.

The Annexes: What Each One Covers

Understanding the annexes is the most practical way to use ISO/TR 24971. Here is what each one addresses and when to reference it.

Annex A: Intended Use and Reasonably Foreseeable Misuse

Annex A provides a detailed framework for defining intended use and identifying reasonably foreseeable misuse — one of the most scrutinized aspects of risk management. It includes a checklist approach for evaluating safety characteristics, helping manufacturers systematically consider:

  • What the device claims to do (intended use)
  • How users might use the device outside its intended purpose (reasonably foreseeable misuse)
  • Whether abnormal uses should factor into risk analysis
  • How to distinguish between off-label use and foreseeable misuse

This annex is particularly important for devices with complex user interfaces, home-use devices, and combination products where misuse scenarios are not immediately obvious.

Annex B: Risk Analysis Techniques

Annex B is the most frequently referenced annex. It describes recognized risk analysis techniques and when to apply each one:

| Technique | Direction | Best for | Limitation |
| --- | --- | --- | --- |
| Preliminary Hazard Analysis (PHA) | Top-down | Early concept phase, limited design information | Not detailed enough for design-level analysis |
| FMEA (DFMEA, PFMEA, SFMEA) | Bottom-up | Component/process failure analysis, known architecture | Single-fault only; cannot model event combinations |
| Fault Tree Analysis (FTA) | Top-down | System-level failures, multi-event combinations | Requires detailed system knowledge |
| Hazard and Operability Study (HAZOP) | Guideword-based | Process deviations, complex systems | Resource-intensive; needs an experienced team |
| Use-Related Risk Analysis | Scenario-based | User interface hazards, normal-use risks | Requires human factors expertise |

ISO/TR 24971 states explicitly that these techniques are "complementary, and it can be necessary to use more than one of them in order to support a thorough and complete risk analysis." This is a critical point for audit readiness — relying exclusively on FMEA is not sufficient for most devices.
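To illustrate Annex B's point that a single-fault technique such as FMEA cannot model event combinations while FTA can, here is a small fault-tree evaluator (added example code, not from ISO/TR 24971 or this article). The tree, event names and probabilities are constructed for a hypothetical connected device with a security-related hazardous situation; the code derives the top-event probability and the minimal cut sets, of which only the single-event ones would surface in a single-fault view.

```python
from dataclasses import dataclass
from itertools import product
from math import prod

@dataclass
class Event:
    name: str
    p: float   # estimated probability of the basic event (constructed value)

@dataclass
class Gate:
    kind: str     # "AND" or "OR"
    inputs: list  # child Events or Gates

def probability(node) -> float:
    """Top-event probability by top-down evaluation, assuming independent basic events."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":   # all inputs must occur
        return prod(ps)
    if node.kind == "OR":    # at least one input occurs
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")

def minimal_cut_sets(node) -> list:
    """Smallest combinations of basic events that are sufficient for the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "AND":   # one cut set from each input, combined
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:                    # any single input's cut set suffices
        sets = [s for cs in child_sets for s in cs]
    minimal = {s for s in sets if not any(other < s for other in sets)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def single_fault_causes(node) -> list:
    """FMEA-style view: only the single faults, i.e. cut sets of size one."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)

# Constructed tree for a hypothetical connected device (not from the page): an
# "unauthorized configuration change" needs the service to be network-reachable
# AND authentication to fail (default credential OR unpatched flaw), or an
# unprotected maintenance port on its own.
TREE = Gate("OR", [
    Gate("AND", [Event("network_exposed", 0.2),
                 Gate("OR", [Event("default_credential", 0.05), Event("unpatched_auth_flaw", 0.01)])]),
    Event("open_maintenance_port", 0.002),
])
```

Running `single_fault_causes(TREE)` returns only the maintenance-port event, while `minimal_cut_sets(TREE)` also returns the two-event combinations that a single-fault analysis would not surface.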

Annex C: Guidance on Hazard Identification

Annex C provides structured methods for identifying hazards, including:

  • Checklist-based approaches using ISO 14971 Annex C hazard categories
  • Brainstorming techniques with cross-functional teams
  • Review of previous customer complaints and post-market data
  • Searching FDA MAUDE database for predicate device incidents
  • Analysis of reasonably foreseeable sequences and combinations of events

The annex emphasizes that hazard identification should cover the entire lifecycle — from manufacturing and packaging through use, maintenance, and disposal.

Annex D: Information for Safety and Information on Residual Risk

Annex D addresses a frequently misunderstood requirement: when and how to communicate residual risks to users. ISO 14971:2019 requires that residual risks be disclosed in accompanying documentation (such as the IFU) when appropriate. Annex D provides guidance on:

  • Determining which residual risks need communication
  • How to present risk information in labeling and IFU
  • Balancing information for safety against information overload
  • Methods for assessing whether users actually understand residual risk information

Annex E: Role of International Standards in Risk Management

Annex E explains how device-specific international standards (such as IEC 60601-1, ISO 10993, IEC 62366-1) interact with ISO 14971. It clarifies that:

  • Device-specific standards represent the generally acknowledged state of the art
  • Compliance with such standards provides risk control measures for specific hazards
  • But compliance with device-specific standards does not replace the full ISO 14971 risk management process
  • The risk management file should reference and justify the use of specific standards

Annex F: Guidance on Risks Related to Security

Annex F is entirely new in the 2020 edition and addresses cybersecurity risk management — a topic that was barely mentioned in previous versions. It covers:

  • Identifying security-related hazards (data breaches, ransomware, unauthorized access)
  • Applying ISO 14971 risk management to cybersecurity threats
  • Integration with IEC 62443 and other cybersecurity standards
  • Balancing safety risks from security vulnerabilities
  • Lifecycle considerations for connected devices and SaMD

This annex is critical for any device with network connectivity, wireless communication, or cloud-based data processing. As the EU Cyber Resilience Act and NIS2 Directive take effect, Annex F guidance will become increasingly important for EU market access.

Annex G: Components and Devices Designed Without Using ISO 14971

Annex G addresses a practical reality: many manufacturers use commercial off-the-shelf (COTS) components, subcontract assemblies, or integrate devices that were not designed using ISO 14971. This annex explains how to:

  • Evaluate risks from components and sub-assemblies that lack ISO 14971 documentation
  • Apply risk management to purchased parts and supplier-provided components
  • Document assumptions and justifications for using components without full risk files
  • Integrate supplier risk data into your own risk management file

Annex H: Guidance for In Vitro Diagnostic Medical Devices

Annex H, prepared jointly with ISO Technical Committee TC 212 (Clinical laboratory testing and in vitro diagnostic test systems), provides IVD-specific risk management guidance:

  • Risk considerations unique to IVDs (false positive/negative results, analytical performance)
  • How IVD risk management differs from therapeutic device risk management
  • Integration of clinical performance and analytical performance into risk estimation
  • Specific hazard categories relevant to IVDs

Practical Application: How to Use ISO/TR 24971 Day-to-Day

During Risk Management Planning

When writing your risk management plan per ISO 14971 Clause 4.2, use ISO/TR 24971 Clause 4 to:

  • Determine appropriate risk analysis methods based on device complexity
  • Define risk acceptability criteria that account for state of the art
  • Plan for production and post-production information collection
  • Establish the scope and timing of risk management reviews

During Hazard Identification

Reference Annexes A and C when conducting hazard identification:

  • Use the Annex A checklist to systematically evaluate intended use and foreseeable misuse
  • Apply Annex C methods (checklists, brainstorming, MAUDE review) to ensure comprehensive identification
  • Document which methods were used and why they are appropriate for the device

During Risk Analysis and Evaluation

Use Annex B to select and justify risk analysis methods:

  • Apply PHA early, FMEA for component-level analysis, FTA for system-level combinations
  • Document why specific techniques were chosen
  • If using only FMEA, prepare a justification for why other methods are not needed

During Benefit-Risk Analysis

ISO/TR 24971 Clause 7.4 provides the most detailed benefit-risk analysis guidance available in any international document. It covers:

  • Criteria for conducting benefit-risk analysis
  • How to define and evaluate "benefit" (a term defined in ISO 14971:2019 Clause 3.2 but not in EU MDR or FDA regulations)
  • Structured comparison methods
  • Practical examples of benefit-risk analyses for different device types

As MedSysCon notes, ISO/TR 24971 includes "extensive discussion, with examples, of 'benefit' and 'benefit-risk analysis'" that is not found in regulations or other standards.

During Post-Market Risk Management

ISO/TR 24971 Clause 10 provides expanded guidance on the significantly enhanced post-market requirements in ISO 14971:2019:

  • What information to collect from production and post-production sources
  • How to review collected information for relevance to safety
  • What actions to take when new hazards or changing risk profiles are identified
  • How to feed post-market findings back into the risk management process

Regulatory Alignment

EU MDR

EN ISO 14971:2019+A11:2021 is a harmonized standard under the MDR, providing presumption of conformity with GSPR 1-3. While ISO/TR 24971 itself is not harmonized, its guidance is referenced by notified bodies as the expected approach to implementing ISO 14971. The EU Commission's MDCG guidance documents on clinical evaluation and post-market surveillance align with ISO/TR 24971's approaches.

FDA

FDA recognizes AAMI/ANSI/ISO 14971:2019 as a consensus standard. The Agency's risk management presentations explicitly reference AAMI/ISO TR 24971:2020 as providing "guidance on the application of ISO 14971." With the QMSR (Quality Management System Regulation) effective 2026, which aligns US requirements with ISO 13485, the integration of ISO 14971 and ISO/TR 24971 into quality systems will become even more important.

Health Canada, TGA, and Other Regulators

Health Canada requires ISO 14971 compliance for medical device licenses. Australia's TGA aligns with ISO 14971 for risk management requirements. Both regulators expect risk management approaches consistent with ISO/TR 24971 guidance.

Key Differences From ISO/TR 24971:2013

| Aspect | 2013 edition | 2020 edition |
| --- | --- | --- |
| Structure | Separate from ISO 14971 numbering | Mirrors ISO 14971:2019 clause numbering |
| Cybersecurity | Not addressed | Annex F provides dedicated guidance |
| IVD guidance | Less detailed | Annex H expanded with TC 212 collaboration |
| Benefit-risk | Limited discussion | Clause 7.4 with extensive examples |
| Hazard identification | Partial guidance | Annexes A and C with systematic methods |
| Risk analysis methods | Basic descriptions | Annex B with detailed technique comparison |
| Intended use | Minimal coverage | Annex A with comprehensive framework |
| Overall | Guidance for ISO 14971:2007 | Guidance for ISO 14971:2019 with expanded annexes |

Who Should Use ISO/TR 24971

  • Quality and regulatory teams — For establishing risk management procedures and SOPs
  • R&D and design engineers — For selecting appropriate risk analysis methods during development
  • Clinical affairs teams — For understanding benefit-risk analysis frameworks
  • Software teams — For integrating cybersecurity risk management (Annex F) with ISO 14971
  • IVD manufacturers — For IVD-specific risk management approaches (Annex H)
  • Post-market surveillance teams — For implementing post-production risk monitoring

Key Takeaways

ISO/TR 24971:2020 is the practical companion to ISO 14971:2019. It does not add requirements but provides the methods, examples, and context that manufacturers need to implement risk management effectively. Its eight annexes cover the topics that cause the most confusion in practice: intended use and misuse, risk analysis technique selection, cybersecurity, IVD-specific considerations, benefit-risk analysis, and hazard identification. Using ISO/TR 24971 as a daily reference — not just a shelf document — is the most effective way to build a defensible risk management system that satisfies notified bodies, FDA, and other regulators worldwide.