Guidelines that aid medical device manufacturers in the regulatory approval process are welcomed resources for engineers. The third edition of the IEC 60601-1 integrates risk management into the previously accepted safety standards for medical electrical equipment. This article clarifies what is covered by this standard.

By Steve A. McRoberts
  • Risk management standards
  • What’s new
  • What’s changed
  • Risk management solution
One should not underestimate the importance of the standard ISO 14971:2000 for manufacturers of medical equipment. The standard has been around for only six years, but its impact is being felt and its influence is growing. The basic requirements of risk management had been implemented in the national regulations of the United States, European Union, and Canada for many years before the publication of the standard. For example, the medical devices directive 93/42/EEC states the need for a risk-benefit analysis in essential requirement number 1 “ . . . provided that any risks which may be associated with their use constitute acceptable risks when weighed against the benefits of the patient and are compatible with a high level of protection of health and safety.” The need to control risks is stated in essential requirement number 2 “ . . . in selecting the most appropriate solutions, the manufacturer must apply the following principles in the order indicated:
  • Eliminate or reduce risks as far as possible (inherent safe design)
  • Where appropriate take adequate protective measures
  • Inform users of residual risks
The remaining steps of risk management are intertwined in the other essential requirements. ISO 14971 has been a harmonized standard for the medical directives for many years and has been used by many manufacturers to satisfy the risk management requirements of the directives.

US regulations also incorporate risk management. The preamble to the final rule of the Quality System Regulations states that “Manufacturers shall identify possible hazards associated with the design in both normal and fault conditions . . . If any risk is judged unacceptable, it should be reduced to acceptable levels . . .” Thus, it is clear that the FDA also expects manufacturers to apply risk management.

The problem many manufacturers faced before the publication of ISO 14971 was satisfying the requirements of the regulations in a meaningful and systematic way. ISO 14971 established clear definitions for the many terms that had been included in these regulations and also a simple but effective methodology for applying risk management.

Furthermore, the latest edition of ISO 13485:2003, which has become the de facto standard for medical device quality management systems, contains a requirement for a risk management process to be developed. Developers of medical software will already be extremely familiar with the requirements of risk management, which is used extensively in the development of such medical software.

Many manufacturers have found it difficult to know whether they truly conform to the requirements of the ISO 14971 standard. Although notified bodies or quality system registrars may have evaluated them to ISO 13485, the risk management requirements of ISO 13485 do not necessarily match up with ISO 14971. Risk management contained in ISO 14971 is much more extensive than the risk management requirements of ISO 13485.

Risk Management Registration
UL is launching a new Risk Management Registration program for manufacturers to enable them to meet the risk management requirements of the third edition of IEC 60601-1. Manufacturers will be able to have their systems assessed to the requirements of ISO 14971 by independent and objective risk management auditors from UL. This registration will enable manufacturers to demonstrate that they meet the requirements of the third edition of IEC 60601-1 and to take advantage of the many benefits of fully implementing an ISO 14971 risk management system. This new service can be combined with UL’s medical device Quality Management System assessments (to ISO 13485:2003) and regulatory assessments such as those for CE marking, and for Canadian licensure (CMDCAS).
Moreover, those who have fully implemented an ISO 14971 compliant risk management system have found many business and economic benefits. Use of the standard enables shorter development lifecycles by requiring a clear and full identification of a product’s intended use before any design actually begins, hence preventing rework or clarification delays. Maintaining product safety and effectiveness is greatly strengthened when all post-production information is assessed for impact on device safety. Above all, it requires the manufacturer to verify and monitor the key risk control features of the device. By analyzing and tracking information on the continued effectiveness of risk control measures, manufacturers can make changes to further strengthen and improve their design processes.

In December 2005, the long-awaited third edition of IEC 60601-1 was published by the International Electrotechnical Commission (IEC). Previously, the second edition of IEC 60601-1, as well as its five collateral (horizontal) standards and nearly 50 particular standards for specific types of medical equipment, were the principal standards for the safety of medical electrical equipment. Regulatory bodies and test laboratories around the world universally accepted these standards. The third edition of the standard integrates risk management throughout all of the clauses and sections of the standards. In addition, the third edition requires manufacturers to have a risk management process that conforms to ISO 14971 in place.

Furthermore, the scope of the new standard is expanded to include not only basic safety but also essential performance. Essential performance is defined by the manufacturer using its risk management process. Hence, it will be impossible to comply with the requirements of IEC 60601-1 and gain valued certification without having a fully documented risk management system in place.

In conclusion, the traditional world of testing and certification of medical equipment will be forever coupled with risk management, ISO 14971, and on-site audit of the effective implementation of a manufacturer’s risk management system. Does this make conformance with the standard more stringent? While there are new basic risks and requirements such as insulation coordination in the third edition of IEC 60601-1, risk management makes the application of the standard more flexible. One of the most obvious ways is the requirement to use risk management to determine whether a lesser degree of insulation (creepage, clearance distances, and dielectric strength) is acceptable for parts that can only be contacted by the operator than for those parts that can be brought into contact with the patient. The second edition of IEC 60601-1 made little distinction in that regard.

This is not the only place where risk management is mentioned in the new standard. In fact, it is mentioned over 100 times throughout the new standard. Every clause and every requirement is subject to a risk management process. Is this different from what we did before? Test laboratories and manufacturers could always determine the applicability of a particular clause using the alternative construction clause 3.4, but the third edition of IEC 60601-1 requires manufacturers to have a clear methodology and basis for challenging the applicability of a particular clause. This methodology is the use of a risk management process conforming to ISO 14971.
For additional information on the technologies and products discussed in this article, see Medical Design Technology online at or Underwriters Laboratories Inc. at

Steve A. McRoberts is the global principal engineer for medical regulatory programs at Underwriters Laboratories Inc. (UL), 333 Pfingsten Rd., Northbrook, IL 60062. His responsibilities include the program development and technical expertise for UL’s medical regulatory programs including FDA 510(k) and inspection programs, CMDCAS (Canada) and European MDD, and IVDD Notified Bodies. Steve has been a participant in the IEC working groups for the development of risk management aspects of IEC 60601, third edition. He can be reached at +44-1259-215161 or