---
title: ISO/TR 24971 Risk Management Guidance: Key Takeaways for Startups
description: ISO TR 24971 risk management guidance: what the technical report adds to EN ISO 14971:2019+A11:2021 and how startups should use it.
authors: Tibor Zechmeister, Felix Lenhard
category: Risk Management Under MDR
primary_keyword: ISO TR 24971 risk management guidance
canonical_url: https://zechmeister-solutions.com/en/blog/iso-tr-24971-risk-management-guidance
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# ISO/TR 24971 Risk Management Guidance: Key Takeaways for Startups

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **ISO/TR 24971 is the technical report that accompanies EN ISO 14971:2019+A11:2021. It is informational guidance, not a harmonised standard, and it cannot grant presumption of conformity on its own. What it does is explain how to apply the clauses of ISO 14971 in practice, offer example techniques, and walk through templates for risk management plans, risk management files, and risk management reports. For a medtech startup, ISO/TR 24971 is the most practical reading material in the entire risk management literature.**

## TL;DR
- ISO/TR 24971 is a technical report, abbreviated TR. Technical reports are informational ISO documents. They do not carry the weight of a standard, and they are not harmonised under the MDR.
- The report exists to help users apply EN ISO 14971:2019+A11:2021. Every clause of ISO 14971 has a corresponding section in ISO/TR 24971 with examples, suggested approaches, and worked illustrations.
- ISO/TR 24971 lists example techniques for hazard identification and risk analysis, including FMEA, FTA, HAZOP, preliminary hazard analysis, and event tree analysis.
- Notified body auditors treat ISO/TR 24971 as authoritative interpretation of ISO 14971, even though it does not grant presumption of conformity. A startup that ignores the technical report is throwing away the clearest available guidance on what "good" looks like.
- For a startup, the practical use is as a reference while writing the risk management plan, building the risk file, and drafting the risk management report. It is the manual, not the law.
- The edition in force changes over time. Always check which edition is current before citing it.

## Why this matters

The risk management literature for medical devices is dense. A founder new to the field typically encounters three documents in quick succession. First, MDR Annex I, which states in regulatory language that risks must be identified, controlled, and weighed against benefits. Second, EN ISO 14971:2019+A11:2021, which is the harmonised standard that describes the process. Third, a consultant or a notified body references ISO/TR 24971, and the founder wonders whether they need to read yet another document.

Tibor's answer is yes, and specifically because it is the document that will actually help. EN ISO 14971 is prescriptive. It tells the reader what must be done. ISO/TR 24971 is illustrative. It shows the reader how to do it. Felix has observed the same pattern across the medtech startups he has coached. Teams that read only the standard produce risk files that are technically compliant and practically weak. Teams that read the technical report alongside the standard produce risk files that survive audits because they reflect the thinking the auditor is trained to look for.

This post explains what ISO/TR 24971 actually contains, how it differs from EN ISO 14971, and how a startup should use it.

## What MDR actually says

The MDR does not name ISO/TR 24971. Regulation (EU) 2017/745 Annex I, Chapter I, General Safety and Performance Requirements 1 to 9, sets out the risk management requirements. Annex II requires the risk management file as part of the technical documentation. Those are the legal hooks.

The link to EN ISO 14971:2019+A11:2021 comes through harmonisation. EN ISO 14971:2019+A11:2021 is the harmonised standard listed in the Official Journal for risk management. When a manufacturer follows the harmonised standard, they benefit from presumption of conformity with the corresponding MDR General Safety and Performance Requirements, bounded by the scope of the Annex ZA of the standard. That presumption is narrower than it looks, and [the Annex Z trap is covered separately](/blog/iso-14971-annex-z-trap).

ISO/TR 24971 sits alongside the standard, not inside the harmonisation chain. A technical report is an informational ISO deliverable. It is approved by the relevant ISO committee, but it does not go through the full standard ratification process. Technical reports are not harmonised under the MDR. Citing ISO/TR 24971 does not grant presumption of conformity. Following the guidance in ISO/TR 24971 does not automatically mean the manufacturer has satisfied MDR Annex I.

What ISO/TR 24971 does provide is the committee's interpretation of how to apply ISO 14971. That matters because the notified body auditors who review the risk management file are trained against ISO 14971 and routinely use ISO/TR 24971 as the reference for what "acceptable" looks like in practice. An auditor will not cite ISO/TR 24971 as a requirement. An auditor will cite it as guidance when explaining why a particular approach is or is not sufficient.

The practical status: informational guidance, not regulatory law, but treated as authoritative interpretation by the people who audit the risk management file. A startup should read it the way a good software engineer reads a language specification and a best-practices guide side by side. The spec tells you what is legal. The guide tells you what is wise.

## A worked example

A Series A medtech startup building a connected wearable for cardiac rhythm monitoring is preparing for its first notified body Stage 1 audit. The regulatory affairs lead has a copy of EN ISO 14971:2019+A11:2021 and has produced a risk management plan, a risk management file, and a draft risk management report. The team believes the file is ready.

A pre-audit review by Tibor surfaces three issues, and in each case the issue traces back to guidance ISO/TR 24971 provides that the standard itself does not.

**Issue one: the risk management plan.** ISO 14971 requires a risk management plan. The startup's plan is four pages and names the responsible persons, the scope, and the acceptability criteria. ISO/TR 24971 shows a worked example of a risk management plan that includes, in addition, the specific techniques to be used at each phase, the criteria for completeness of hazard identification, and the review cadence during the product lifecycle. Those additions are not required by ISO 14971. They are shown in ISO/TR 24971 as elements of a mature plan. Tibor's prediction: without those additions, a notified body auditor will ask whether the plan is complete and will probably raise an observation. With them, the auditor will sign off.

**Issue two: the characteristics-related hazard identification.** ISO 14971 requires the manufacturer to list the characteristics of the device relevant to safety. The startup has done this in a short table. ISO/TR 24971 provides a worked list of questions the manufacturer should ask about each characteristic, covering intended users, intended use environments, intended duration of use, contact with other devices, energy delivered, materials in contact with the patient, and software and data handling. The startup's table covered five questions. ISO/TR 24971 illustrates around thirty. Rerunning the exercise with the full question set surfaces four hazards the team had missed, including a user-environment hazard about humidity and ingress protection in home use. The design changes as a result.

**Issue three: risk acceptability criteria.** ISO 14971 requires the manufacturer to define acceptability criteria. The startup's criteria are a 5x5 severity-probability matrix with red, amber and green zones. ISO/TR 24971 shows multiple approaches to acceptability, including approaches where benefit is explicitly part of the acceptability judgement rather than a separate step, and approaches where individual high-severity risks are treated differently from the aggregate residual risk. The startup's simple matrix is technically compliant with ISO 14971 but does not match the severity profile of their device: a catastrophic hazard with a low estimated probability can land in a green cell and never receive an individual justification. After reading the technical report, the team adopts a two-tier approach: the matrix for routine hazards, and an individual benefit-risk narrative for the three catastrophic top events.
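As an added illustration of the two-tier approach (example code written for this post, not an artefact from the startup's file and not taken from ISO 14971 or ISO/TR 24971): the plain matrix sits beside a policy that routes catastrophic hazards to an individual benefit-risk narrative whatever cell they land in. The 1 to 5 scales, the product-score zone thresholds, the severity level treated as catastrophic and the four sample hazards are all assumptions made for illustration.

```python
"""Added example: a plain 5x5 severity-probability matrix beside a two-tier
acceptability policy. Scales, thresholds and hazards are assumed for
illustration; they are not taken from ISO 14971 or ISO/TR 24971."""
from dataclasses import dataclass
from typing import Dict, List, Literal, Optional

Zone = Literal["green", "amber", "red"]

# Assumed ordinal scales (1 = lowest). Severity level 5 is treated as catastrophic.
SEVERITY = {1: "negligible", 2: "minor", 3: "serious", 4: "critical", 5: "catastrophic"}
PROBABILITY = {1: "improbable", 2: "remote", 3: "occasional", 4: "probable", 5: "frequent"}
CATASTROPHIC = 5


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    description: str
    severity: int
    probability: int
    # Free-text individual benefit-risk justification; under the two-tier
    # policy only catastrophic hazards need one.
    benefit_risk_narrative: Optional[str] = None


@dataclass(frozen=True)
class Verdict:
    hazard_id: str
    zone: Zone
    acceptable: bool
    reason: str


def matrix_zone(severity: int, probability: int) -> Zone:
    """Assumed template default: product-score thresholds on a 5x5 grid.
    S5 x P1 = 5 lands in green, which is the weakness the second tier fixes."""
    if severity not in SEVERITY or probability not in PROBABILITY:
        raise ValueError(f"severity/probability must be 1..5, got {severity}/{probability}")
    score = severity * probability
    if score <= 5:
        return "green"
    if score <= 12:
        return "amber"
    return "red"


def evaluate_simple(h: Hazard) -> Verdict:
    """Tier one only: the matrix cell decides acceptability."""
    zone = matrix_zone(h.severity, h.probability)
    return Verdict(h.hazard_id, zone, zone != "red",
                   f"matrix cell S{h.severity}/P{h.probability} is {zone}")


def evaluate_two_tier(h: Hazard) -> Verdict:
    """Catastrophic hazards bypass the matrix: they are accepted only on a
    recorded individual benefit-risk narrative, regardless of the cell."""
    zone = matrix_zone(h.severity, h.probability)
    if h.severity >= CATASTROPHIC:
        if not (h.benefit_risk_narrative and h.benefit_risk_narrative.strip()):
            return Verdict(h.hazard_id, zone, False,
                           "catastrophic severity: individual benefit-risk narrative required, none recorded")
        return Verdict(h.hazard_id, zone, True,
                       "catastrophic severity: accepted on individual benefit-risk narrative, not on matrix position")
    return evaluate_simple(h)


def overall_residual_risk(verdicts: List[Verdict]) -> Dict[str, object]:
    """Aggregate view of the file: zone counts plus the hazards still open."""
    zones = {"green": 0, "amber": 0, "red": 0}
    for v in verdicts:
        zones[v.zone] += 1
    open_ids = [v.hazard_id for v in verdicts if not v.acceptable]
    return {"accepted_all": not open_ids, "zones": zones, "needs_attention": open_ids}


# Constructed sample hazards for a hypothetical cardiac-monitoring wearable.
SAMPLE_HAZARDS = [
    Hazard("H-01", "skin irritation from strap material", severity=2, probability=3),
    Hazard("H-02", "arrhythmia alert missed after wireless dropout", severity=5, probability=1),
    Hazard("H-03", "arrhythmia alert missed after wireless dropout (narrative recorded)",
           severity=5, probability=1,
           benefit_risk_narrative="Continuous monitoring catches events a periodic ECG would miss; "
                                  "local buffering and a 60 s reconnect alarm bound the residual risk."),
    Hazard("H-04", "battery overheating during charging", severity=4, probability=4),
]

if __name__ == "__main__":
    for h in SAMPLE_HAZARDS:
        simple, tiered = evaluate_simple(h), evaluate_two_tier(h)
        print(f"{h.hazard_id}: matrix-only={simple.acceptable} two-tier={tiered.acceptable} ({tiered.reason})")
    print(overall_residual_risk([evaluate_two_tier(h) for h in SAMPLE_HAZARDS]))
```

Run as a script it prints one line per hazard. The instructive row is H-02: the matrix alone accepts it on a green cell, the two-tier policy refuses it until a narrative is recorded (H-03), and the aggregate summary lists it alongside the red-zone H-04 as still open.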

None of those three changes was legally required. All three made the difference between a file that passes an audit and a file that passes an audit cleanly. That is the value of ISO/TR 24971 for a startup.

## The Subtract to Ship playbook

Treat ISO/TR 24971 as the operating manual for EN ISO 14971, and subtract the rest of the risk management reading list. Most of what founders buy and download elsewhere is a paraphrase of the technical report. Go to the source.

**Step one.** Obtain a copy of the current edition of ISO/TR 24971, and confirm with your notified body which edition it expects to see referenced in the current audit cycle. Technical reports do get superseded.

**Step two.** Read it once end to end alongside your copy of EN ISO 14971:2019+A11:2021. Each clause of the standard has a corresponding subsection in the report. Read them in pairs, not separately.

**Step three.** Use the examples in the report as templates for your own artefacts. The risk management plan example, the characteristics-list questions, the hazard identification examples, and the acceptability criteria examples are all concrete enough to adapt directly. Adapting is faster than reinventing. Attribute the adaptation in your plan: "this risk management plan is adapted from the example in ISO/TR 24971 clause X."

**Step four.** When your team chooses a technique for hazard identification or risk analysis, cross-check it against the techniques listed in the technical report. FMEA, FTA, HAZOP, preliminary hazard analysis, and event tree analysis are all listed. If your choice is in the list, you have implicit backing from the technical report. If it is not, the burden is on you to justify the choice.

**Step five.** Keep the technical report within arm's reach during internal reviews of the risk management file, not just at authoring time. A team that re-reads the relevant clause before a review catches gaps before an auditor does.

**Step six.** Do not cite ISO/TR 24971 as if it were a harmonised standard. In your technical documentation, cite EN ISO 14971:2019+A11:2021 for presumption of conformity. Cite ISO/TR 24971 as the guidance you consulted. That distinction matters. A file that claims presumption of conformity through the technical report alone is incorrectly referenced and will draw a finding.

**Step seven.** Flag edition uncertainty. If your team is not 100 percent sure which edition of ISO/TR 24971 is current at the time of writing, flag it for verification rather than inventing a date. This post applies the same rule to itself: it cites ISO/TR 24971 without an edition year, and readers should verify the current edition before relying on it.

## Reality Check

1. Do you have a copy of the current edition of ISO/TR 24971, not an old edition from a previous project?
2. Has your team read the technical report alongside EN ISO 14971:2019+A11:2021, clause by clause, at least once?
3. Does your risk management plan contain the elements illustrated in ISO/TR 24971's worked example, or only the elements strictly required by ISO 14971?
4. When you list the safety-relevant characteristics of your device, are you working from the full question set in the technical report or from a shorter improvised list?
5. Are your risk acceptability criteria appropriate for the severity profile of your device, or are they a default matrix copied from a template?
6. Does your file cite EN ISO 14971:2019+A11:2021 for presumption of conformity and ISO/TR 24971 only as guidance, not as a harmonised standard?
7. When a newer edition of the technical report is issued, does your team have a process to check what changed and whether your file needs updating?

## Frequently Asked Questions

**Is ISO/TR 24971 a harmonised standard under the MDR?**
No. It is a technical report. Technical reports are informational ISO deliverables and are not harmonised under the MDR. EN ISO 14971:2019+A11:2021 is the harmonised standard for risk management.

**Does following ISO/TR 24971 grant presumption of conformity?**
No. Only the harmonised standard grants presumption of conformity, and only within the scope of its Annex ZA. ISO/TR 24971 is guidance that helps a manufacturer apply the harmonised standard correctly.

**Can a notified body raise a finding based on ISO/TR 24971?**
A notified body cannot cite the technical report as a legal requirement, but can and will reference it as guidance when explaining why a particular part of the risk management file falls short of what is expected under EN ISO 14971.

**Does ISO/TR 24971 recommend specific techniques?**
It lists and explains several, including FMEA, FTA, HAZOP, preliminary hazard analysis, and event tree analysis. It does not prescribe one over another. The manufacturer picks based on the device.

**How often is ISO/TR 24971 revised?**
Infrequently, but it does change, and a new edition of ISO 14971 is normally followed by a new edition of the report. A startup should verify the current edition at the start of any new project and again before major notified body audits.

**Should the startup cite ISO/TR 24971 in the technical documentation?**
Yes, as a guidance reference. Keep it separate from the harmonised standard citations. Citing it as if it were harmonised is a documentation error a notified body will flag.

## Related reading
- [The ISO 14971 Annex Z trap](/blog/iso-14971-annex-z-trap). Why the harmonised presumption of conformity for risk management is narrower than founders assume.
- [FTA, fault tree analysis for medical devices](/blog/fta-fault-tree-analysis-medical-devices). A technique listed in ISO/TR 24971 and explained for MedTech startups.
- [HAZOP for medical devices](/blog/hazop-medical-devices). Another technique in ISO/TR 24971's toolkit, applied to drug delivery and diagnostic fluidics.

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Annex I General Safety and Performance Requirements 1 to 9; Annex II technical documentation.
2. EN ISO 14971:2019+A11:2021. Medical devices. Application of risk management to medical devices. Harmonised standard.
3. ISO/TR 24971. Medical devices. Guidance on the application of ISO 14971. Technical report, informational, not harmonised.

---

*This post is part of the [Risk Management Under MDR](https://zechmeister-solutions.com/en/blog/category/risk-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
