Risk Analysis
Risk analysis is the systematic process of identifying hazards and estimating risks for a medical device as part of a manufacturer’s risk management process. Under ISO 14971:2019, risk analysis feeds into risk evaluation, risk control, and overall residual risk decisions. In the EU, continuous risk management is mandated by MDR 2017/745 Annex I (GSPR); in the U.S., FDA’s QMSR (21 CFR 820) aligns with ISO 13485 and expects ISO 14971-conformant practices. Risk analysis begins early in design and continues through production and post-market surveillance.
Scope & terminology (precise usage)
- Risk analysis: identify hazards, foreseeable sequences of events, hazardous situations, and estimate risk(s) (severity × probability).
- Risk evaluation: compare estimated risk to acceptance criteria to determine need for control.
- Risk control: select/implement measures, verify effectiveness, and assess residual risk/benefit-risk.
- Risk management file (RMF): living compilation of plans, analyses, evaluations, controls, and post-market results (ISO 14971 §4.5).
How to perform risk analysis (ISO 14971 aligned)
- Plan the process (scope, methods, criteria, roles; linkage to design controls and PMS).
- Identify hazards (biological, chemical, electrical, mechanical, radiation, usability/use error, software, cybersecurity, data/privacy where applicable).
- Define foreseeable misuse & use scenarios (user, environment, lifecycle; integrate IEC 62366-1 usability engineering).
- Estimate risk for each hazardous situation (pre-control) using defined scales; document assumptions and uncertainty.
- Evaluate against acceptance criteria; apply risk controls in priority: inherent safety by design → protective measures → information for safety/IFU.
- Verify risk control implementation and validate that residual risk is acceptable in intended use (consider cumulative overall residual risk).
- Document traceability: hazard → hazardous situation → sequence of events → harms → controls → verification/validation → residual risk → benefit-risk.
Evidence typically referenced
- Biocompatibility: ISO 10993-1 strategy and testing.
- Electrical/EMC: IEC 60601-1 / 60601-1-2 (active devices).
- Software lifecycle & cybersecurity: IEC 62304, secure development/patching, vulnerability management.
- Usability/human factors: IEC 62366-1 summative validation.
- Sterilization/packaging/shelf-life: ISO 11135/11137/17665; ISO 11607.
Lifecycle integration
- Design controls: map risks to inputs/outputs, V&V, labeling, and claims.
- Production & suppliers: special processes, acceptance activities, and change control reflect risk.
- Post-market: PMS/PMCF, complaints, vigilance trend analysis; update RMF and benefit-risk as new data emerge.
Risk Analysis — FAQs
Is risk analysis mandatory?
Yes. EU MDR Annex I requires continuous risk management; U.S. QMSR expects ISO 14971-conformant processes as part of the QMS. Most markets follow ISO 14971.
What’s the difference between risk analysis and risk assessment?
Per ISO 14971, risk analysis identifies/estimates risks; risk evaluation compares them to criteria. Together they are often called “risk assessment,” which sits within the broader risk management process.
How do usability and cybersecurity fit?
Use-related hazards are analyzed via IEC 62366-1. For software/connected devices, include IEC 62304 and cybersecurity threat modeling; treat vulnerabilities as hazards with controls and monitoring.
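The following is an added example, not code from the original page or from any standard: a small Python risk register that walks through the procedure listed under "How to perform risk analysis" (estimate severity × probability per hazardous situation, evaluate against acceptance criteria, credit only verified controls, flag situations that rely solely on information for safety, emit the hazard → situation → events → harm → controls → residual-risk trace, and draw the overall residual-risk conclusion) and, as this FAQ states, carries a cybersecurity vulnerability through that same flow as an ordinary hazard. The 1..5 ranks, the acceptance thresholds, the device and every register entry are constructed for illustration; ISO 14971 leaves scales and criteria to the manufacturer's risk management plan.

```python
# Added example, not code from the original page: an ISO 14971-style risk
# register. Ranks, thresholds and register entries are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum

class ControlType(IntEnum):
    """Risk control priority: lower value = higher priority (apply first)."""
    INHERENT_SAFETY = 1          # safe by design
    PROTECTIVE_MEASURE = 2       # guards, alarms, interlocks
    INFORMATION_FOR_SAFETY = 3   # IFU, labeling, training

@dataclass
class RiskControl:
    description: str
    kind: ControlType
    probability_to: int | None = None  # probability rank once effective
    severity_to: int | None = None     # severity rank once effective
    verified: bool = False             # only verified controls are credited

@dataclass
class HazardousSituation:
    hazard: str
    sequence_of_events: list[str]
    situation: str
    harm: str
    severity: int      # 1 negligible .. 5 catastrophic (constructed scale)
    probability: int   # 1 improbable .. 5 frequent (constructed scale)
    controls: list[RiskControl] = field(default_factory=list)

ACCEPTABLE_MAX = 4     # product <= 4: acceptable
UNACCEPTABLE_MIN = 10  # product >= 10: must be reduced; 5..9: ALARP

def risk_score(severity: int, probability: int) -> int:
    """Estimate risk as severity x probability on the defined ranks."""
    if not (1 <= severity <= 5 and 1 <= probability <= 5):
        raise ValueError("ranks must be on the 1..5 scale")
    return severity * probability

def evaluate(score: int) -> str:
    """Compare an estimate with the acceptance criteria."""
    if score <= ACCEPTABLE_MAX:
        return "acceptable"
    return "unacceptable" if score >= UNACCEPTABLE_MIN else "ALARP"

def residual_ranks(hs: HazardousSituation) -> tuple[int, int]:
    """Pre-control ranks lowered only by controls whose effect is verified."""
    sev, prob = hs.severity, hs.probability
    for c in hs.controls:
        if c.verified and c.severity_to is not None:
            sev = min(sev, c.severity_to)
        if c.verified and c.probability_to is not None:
            prob = min(prob, c.probability_to)
    return sev, prob

def labeling_only(hs: HazardousSituation) -> bool:
    """Flag a situation whose only control is the lowest-priority option."""
    return bool(hs.controls) and all(
        c.kind is ControlType.INFORMATION_FOR_SAFETY for c in hs.controls)

def trace(hs: HazardousSituation) -> dict:
    """Traceability record: hazard -> situation -> events -> harm -> controls -> residual."""
    pre = risk_score(hs.severity, hs.probability)
    sev, prob = residual_ranks(hs)
    post = risk_score(sev, prob)
    return {"hazard": hs.hazard, "situation": hs.situation,
            "events": list(hs.sequence_of_events), "harm": hs.harm,
            "pre": evaluate(pre), "labeling_only": labeling_only(hs),
            "controls": [(c.kind.name, c.description, c.verified) for c in hs.controls],
            "residual": (sev, prob, post, evaluate(post))}

def overall_residual_risk(register: list[HazardousSituation]) -> tuple[bool, list[str]]:
    """True when no entry stays unacceptable; also lists the ALARP hazards
    that the benefit-risk rationale must address explicitly."""
    verdicts = {hs.hazard: trace(hs)["residual"][3] for hs in register}
    alarp = [h for h, v in verdicts.items() if v == "ALARP"]
    return "unacceptable" not in verdicts.values(), alarp

# Constructed register for a hypothetical network-connected infusion device.
REGISTER = [
    HazardousSituation(
        "Electrical: enclosure leakage current",
        ["insulation degrades", "patient touches enclosure"],
        "patient in contact with energised enclosure", "electric shock", 5, 3,
        [RiskControl("Double insulation per IEC 60601-1",
                     ControlType.INHERENT_SAFETY, probability_to=1, verified=True)]),
    HazardousSituation(
        "Cybersecurity: unauthenticated therapy-setting command",
        ["device reachable on hospital network", "unauthorised command accepted"],
        "pump delivering an unintended rate", "over-infusion", 5, 2,
        [RiskControl("Firmware clamps rate to the prescribed safe range",
                     ControlType.INHERENT_SAFETY, severity_to=3, verified=True),
         RiskControl("Mutual authentication on the command interface",
                     ControlType.INHERENT_SAFETY, probability_to=1),  # not yet verified
         RiskControl("IFU: deploy only on a segmented clinical network",
                     ControlType.INFORMATION_FOR_SAFETY)]),
    HazardousSituation(
        "Usability: ambiguous dose-unit display",
        ["user misreads units", "enters a tenfold dose"],
        "wrong dose programmed", "overdose", 4, 3,
        [RiskControl("Unit confirmation step, passed IEC 62366-1 summative test",
                     ControlType.PROTECTIVE_MEASURE, probability_to=1, verified=True)]),
]
```

Running `trace()` over `REGISTER` shows the points the procedure makes: every entry starts out unacceptable; the unverified authentication control earns no credit, so the cybersecurity entry stays in the ALARP band until verification closes; and `overall_residual_risk()` returns the two ALARP hazards that the benefit-risk conclusion in the risk management file must argue explicitly rather than a bare "acceptable".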
Do I need clinical data for risk analysis?
Not always. Start with pre-clinical evidence; when non-clinical data are insufficient to judge residual risk/benefit, clinical data (clinical evaluation/investigation) may be needed per MDR Annex XIV or U.S. PMA expectations.
How is “overall residual risk” documented?
Provide a reasoned, evidence-based conclusion that the device’s overall residual risk is acceptable given benefits, supported by verification/validation, labeling, and post-market plans.