--- title: Hazard Identification: Systematic Methods for Finding What Can Go Wrong description: Systematic hazard identification methods for medical devices under EN ISO 14971 and MDR Annex I, from multidisciplinary brainstorming to AI-assisted discovery. authors: Tibor Zechmeister, Felix Lenhard category: Risk Management Under MDR primary_keyword: hazard identification medical device MDR canonical_url: https://zechmeister-solutions.com/en/blog/hazard-identification-methods source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # Hazard Identification: Systematic Methods for Finding What Can Go Wrong *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **Hazard identification under EN ISO 14971:2019+A11:2021 clause 5.4 requires the manufacturer to consider all reasonably foreseeable hazards and hazardous situations, across normal and fault conditions, across the full device lifecycle. Sitting alone with a spreadsheet and typing from memory does not meet that bar. Systematic methods do.** **By Tibor Zechmeister and Felix Lenhard.** ## TL;DR - EN ISO 14971:2019+A11:2021 clause 5.4 requires systematic identification of hazards and hazardous situations for normal and fault conditions across the device lifecycle. - The fake version of hazard identification is one person, one day, one checklist. Every notified body auditor recognises it instantly. - The credible version uses multidisciplinary brainstorming with risk, top management, development, marketing, sales, and RA in the same room. - Typical hazard categories that get missed: mechanical (drops, crush, pinch), hygienic (cross-contamination), biocompatibility (prolonged skin contact), electrical, and software use-error. - AI-assisted hazard discovery is emerging state of the art for creative hazard surfacing, not as a replacement for human expert review. - In Tibor's experience, the first real ISO 14971 session always surfaces hazards the development team had never considered. ## Why this matters Early in his career, Tibor reviewed the risk management approach of an optical medical device company that was already past the startup stage. The entire approach was four PowerPoint slides: "do an Excel sheet with a risk analysis, tolerable or not tolerable, done." Tibor's assessment at the time, still accurate today: that represents maybe five percent of what EN ISO 14971 actually requires. The worst part of the story was not that the approach had slipped past auditors before. The worst part was that the entire company believed this was the correct approach. The same pattern shows up in startups Tibor audits twenty years later. A single quality manager, one afternoon, a list of thirty hazards copied from a previous project. No system, no method, no multidisciplinary input. The notified body desk reviewer opens the file, reads the hazard list, and immediately asks: how do you know this is complete. There is no answer, because completeness was never a design goal of the exercise. Hazard identification is the foundation of the entire risk file. Everything downstream, estimation, evaluation, control, residual risk, benefit-risk, all of it rests on what appears in clause 5.4. Missing a hazard at this step means the hazard is not estimated, not evaluated, not controlled, and not disclosed. A missed hazard is not just a paperwork gap. It is a device safety gap. ## What MDR actually says MDR Annex I GSPR 2 requires manufacturers to establish, implement, document, and maintain a risk management system. That system must be systematic. The word "systematic" appears repeatedly in Annex I and in EN ISO 14971, and it is not decorative. It excludes ad-hoc methods. MDR Annex I GSPR 3 requires the elimination or reduction of risks as far as possible through safe design and manufacture. A risk cannot be eliminated if it has not been identified. Identification precedes control. MDR Annex I GSPR 4 requires the manufacturer to take protective measures for risks that cannot be eliminated. Same logic: no identification, no protective measure. EN ISO 14971:2019+A11:2021 clause 5.4 is the operative clause for hazard identification. The standard requires the manufacturer to: - Identify hazards associated with the medical device in both normal and fault conditions. - Consider reasonably foreseeable sequences or combinations of events that can result in a hazardous situation. - Record the identified hazards and hazardous situations. Clause 5.5 requires estimation of the risk for each identified hazardous situation, but 5.5 depends entirely on the quality of 5.4. Skipping effort at 5.4 means the numbers in 5.5 describe a subset of reality. Annex C of EN ISO 14971 lists example hazard categories to prompt thinking: energy hazards, biological and chemical hazards, information hazards, operational hazards. These are prompts, not a checklist to tick. A notified body auditor who sees a hazard file that exactly matches Annex C with nothing added recognises it as a copy-paste. ## A worked example A startup is developing a handheld diagnostic device intended for use in primary-care clinics and by patients at home. The development team is five people. Two software, two hardware, one clinical lead. The quality lead is a fractional consultant on twenty percent time. The fractional QA sits down to draft the hazard list. The list has twenty-two entries, almost all software-related, because the QA's background is software. The list is sent to the notified body as part of a pre-submission pack. Tibor reviews the pre-submission pack and the hazard list. In an hour of reading, working from Annex C of EN ISO 14971 and the intended use statement, Tibor surfaces the following hazards that are missing. **Mechanical hazards.** The device is handheld. Users will drop it. The drop test in EN 60601-1 clause 15.3.4 is one answer but the hazard must exist in the risk file first. Crush hazard if the device is placed on a chair and sat on. Pinch hazard at the battery compartment hinge. **Hygiene and biocompatibility hazards.** The device is handed between patients in a clinic. Cross-contamination through the handle surface. The device contacts intact skin for short periods, so EN ISO 10993-1:2025 biological evaluation applies. If the outer housing is a new polymer formulation, biocompatibility is not automatic. **Electrical hazards.** The device is mains-powered for charging. Dielectric strength, leakage currents, touch current under single fault conditions. EN 60601-1 applies but the hazards it controls must appear on the risk file first. **Use error hazards.** The device has a small screen. Users aged 70 and above may mis-read the screen. Users with tremor may mis-press buttons. The user manual is only in English at first release, creating a hazard for non-English-reading users in the EU market. **Environmental hazards.** Use in direct sunlight may obscure the screen. Use in a humid bathroom (home use) may cause condensation on the internal PCB. The revised hazard list goes from twenty-two to fifty-one entries. Not because the original twenty-two were wrong. Because the method was wrong. One person cannot see everything. Method compensates for that limit. ## The Subtract to Ship playbook Tibor's method, distilled from fifteen years and fifty-plus certifications, has four practical steps. **Step one. Multidisciplinary brainstorming.** Risk, top management, development, marketing, sales, RA. Every discipline in the same room for a structured session. Different disciplines see different hazards. Marketing knows the user demographics development did not consider. Sales knows the misuse patterns the clinical lead did not foresee. Top management knows the commercial pressure that creates shortcuts the risk manager never hears about. All of it belongs in clause 5.4. **Step two. Prompt lists, not copy-paste.** Use Annex C of EN ISO 14971 as a prompt. Use Annex H of the same standard for risk management in in vitro devices. Use the hazard libraries of adjacent devices already on the market. Read the FDA recall database for similar products. Read the vigilance reports in Eudamed once the system is live. None of these are checklists to tick. All of them are thought prompts to force the team past its own blind spots. **Step three. Lifecycle walkthrough.** The device lifecycle is transport, storage, installation, training, normal use, cleaning and disinfection, maintenance, software updates, reuse, disposal, and end of life. Walk through every phase. In each phase, ask: what user, what environment, what failure mode. This surfaces hazards that the normal-use focus hides. **Step four. AI-assisted hazard discovery.** This is emerging state of the art. Large language models can be primed with the intended purpose, the use specification, and a device description, and asked to generate candidate hazards across Annex C categories. The output is not authoritative. It is a creative brainstorm input to the human-led review. Tibor uses it as a fourth team member in brainstorming sessions, on the condition that every AI-generated hazard gets a human reviewer signing the column that says "real hazard, yes or no". Used this way, AI catches creative hazards that human teams consistently miss. Used as a replacement for human judgment, it produces confident nonsense. Subtract what does not belong. A hazard that is not plausible for this device, this user, this environment, drops off the list with a one-line justification. Do not inflate the list to look thorough. Inflate the method. ## Reality Check 1. Did your last hazard identification session include at least four distinct functional disciplines in the same room? 2. Can you name three hazards on your list that came from someone other than the quality lead? 3. Did you walk through every phase of the device lifecycle, not only normal use? 4. Does your hazard file cite EN ISO 14971 clause 5.4 as the operative clause, and show how clause 5.4 was applied? 5. If a notified body auditor asks "how did you ensure completeness of hazard identification", do you have a documented method rather than an assertion? 6. Have you reviewed at least one adjacent device's published vigilance data or FDA recall history for candidate hazards? 7. If you used AI to generate candidate hazards, did a human expert sign every entry as accepted or rejected? ## Frequently Asked Questions **How long should hazard identification take?** For a simple Class I device, a full first-pass session is typically a day of preparation, a half-day multidisciplinary workshop, and two or three days of consolidation. For a Class IIa or Class IIb device, the preparation is longer and the workshop is typically split into two sessions. Half an afternoon is not hazard identification, it is gesturing at it. **Do we need to identify every conceivable hazard?** No. EN ISO 14971 requires reasonably foreseeable hazards. Implausible hazards can be excluded with a short justification. But "reasonably foreseeable" is a higher bar than most startups apply at first draft. **What is the difference between a hazard and a hazardous situation?** A hazard is a potential source of harm. A hazardous situation is the circumstance in which people, property, or the environment are exposed to one or more hazards. Clause 5.4 asks for both, and the distinction matters for clause 5.5 risk estimation. **Can we reuse a hazard list from a previous project?** You can reuse the process and the template. You cannot reuse the conclusions. Every device has its own intended purpose, environment, and user population, and the hazard list follows from those inputs. Reusing conclusions without redoing the method is a notified body finding. **Is AI-assisted hazard discovery acceptable to notified bodies?** As of 2026, notified bodies will accept AI-assisted brainstorming as an input, on the condition that a qualified human expert reviews every AI-generated entry and the method is documented in the risk management plan. Using AI as the sole method is not acceptable. **What hazard categories do startups miss most often?** In Tibor's experience: hygiene and cross-contamination, biocompatibility of prolonged-contact materials, mechanical drop and crush, and foreseeable misuse tied to specific user populations (elderly, paediatric, non-native language readers). ## Related reading - [Intended use and reasonably foreseeable misuse in risk analysis](/blog/intended-use-foreseeable-misuse-risk-analysis) on the inputs that feed clause 5.4 hazard identification. - [The ISO 14971 Annex Z trap](/blog/iso-14971-annex-z-trap) on the MDR-specific deviations that override the as-low-as-reasonably-practicable logic of base ISO 14971. - [Risk management for AI medical devices](/blog/risk-management-ai-medical-devices) on hazard identification methods specific to learning systems. - [MDR Annex I General Safety and Performance Requirements](/blog/mdr-annex-i-gspr) on how GSPR 2 and 3 bind the hazard identification step into the certification path. ## Sources 1. Regulation (EU) 2017/745 on medical devices, consolidated text. Annex I GSPR 2, 3, and 4. 2. EN ISO 14971:2019+A11:2021, Medical devices, Application of risk management to medical devices, clauses 5.4 and 5.5, Annex C and Annex H. 3. EN ISO 10993-1:2025, Biological evaluation of medical devices, Part 1, Evaluation and testing within a risk management process. 4. EN 60601-1:2006+A1+A12+A2+A13:2024, Medical electrical equipment, Part 1, General requirements for basic safety and essential performance, clauses 8 and 15. --- *This post is part of the [Risk Management Under MDR](https://zechmeister-solutions.com/en/blog/category/risk-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*