EN ISO 14971:2019+A11:2021 is the harmonised standard for medical device risk management under the MDR. When applied correctly, and read together with its Annexes ZA, ZB and ZC, it gives the manufacturer presumption of conformity with MDR Annex I GSPR 1 to 9. The Annex Z tables are the bridge between the standard and the regulation. Applying ISO 14971 without the Annex Z lens is the most common way startups produce a risk file that looks professional and still fails audit.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • The MDR does not mandate a specific risk management standard. It requires a risk management system that meets Annex I GSPR 1 to 9.
  • EN ISO 14971:2019+A11:2021 is the harmonised standard listed for that purpose. Using it correctly gives presumption of conformity under MDR Article 8.
  • Presumption of conformity is a legal bridge. It does not remove the underlying GSPR obligation.
  • The "+A11:2021" suffix is not cosmetic. A11 adds the Annex Z content that maps clauses to MDR requirements.
  • Annex ZA maps clauses to the MDR, ZB to the IVDR, ZC to earlier directives. For MDR devices, ZA is the one that matters.
  • Applying ISO 14971 without reading Annex ZA leaves gaps that notified bodies flag as nonconformities.
  • "As far as possible" in the MDR is not the same as "as low as reasonably practicable" in older risk management traditions. The MDR is stricter.

Why this matters (Hook)

A founder calls the regulatory lead and asks: "We bought ISO 14971, we built the risk file the way the standard describes, we have hazard tables and risk control measures. We are MDR-compliant on risk management, correct?" The honest answer is: probably not, unless the team applied EN ISO 14971:2019+A11:2021 with the Annex Z mappings in front of them the whole time.

Tibor has seen this conversation play out many times across surveillance audits. The risk file looks professional. The tables are complete. The language matches the standard. And the MDR-specific obligations, the ones that live in Annex Z and not in the body of the ISO standard, are missing. That is the difference between a standard-compliant risk file and an MDR-compliant risk file. The notified body enforces the MDR, not the standard.

This post explains the mechanism. It covers what presumption of conformity actually means, why EN ISO 14971:2019+A11:2021 is the right version to cite, what the Annex Z tables do, and where the standard alone falls short of the regulation.

What MDR actually says (Surface)

Start with MDR Article 8. Article 8 establishes the rule for harmonised standards: devices in conformity with the relevant harmonised standards, or parts thereof, whose references are published in the Official Journal of the European Union, shall be presumed to be in conformity with the requirements of the Regulation covered by those standards.

Three things matter. First, presumption applies only to the parts of the regulation the standard actually covers. A harmonised risk management standard does not grant presumption for clinical evaluation. Second, the standard must be the version referenced in the Official Journal. Older versions do not grant presumption. Third, presumption is rebuttable, not an exemption. If a manufacturer applies the standard incorrectly, the presumption falls and the GSPR obligation remains.

MDR Annex I is where the General Safety and Performance Requirements live. GSPR 1 to 9 together are the legal surface risk management has to cover: GSPR 1 (safety and performance), GSPR 2 (lifecycle risk management system), GSPR 3 (six-part cycle: plan, identify, evaluate, control, feedback, amend), GSPR 4 (binding hierarchy of controls), GSPR 5 (use error), GSPR 6 (lifetime), GSPR 7 (packaging/transport), GSPR 8 (minimisation of known and foreseeable risks), GSPR 9 (benefit-risk ratio per intended purpose).

EN ISO 14971:2019+A11:2021 is the harmonised standard published in the Official Journal for that purpose. The "+A11:2021" amendment is the critical piece for anyone working under the MDR. A11 is the European common amendment that inserts Annexes ZA (MDR), ZB (IVDR) and ZC (active implantable devices directive) into the standard. The body of ISO 14971 itself is internationally written and does not address MDR clauses directly. The Annex Z tables do the mapping.

Annex ZA is a clause-by-clause table. Down the left: every clause of ISO 14971. Across the top: every MDR GSPR the clause is relevant to. In the cells: notes, including where the standard covers the requirement in full, where it covers it in part, and where the standard does not cover the requirement at all. The notes flag gaps. Those gaps are the gotchas.

The two most-cited gaps in Annex ZA, and the ones Tibor sees fail most often in startup risk files, are:

  1. "As far as possible" vs "as low as reasonably practicable". ISO 14971 historically uses language around reducing risk to a reasonably practicable level, balancing cost, benefit and feasibility. The MDR uses "as far as possible" in GSPR 4. Annex ZA flags this difference explicitly: the MDR is stricter. Economic considerations are not a legitimate stopping criterion. Feasibility is still relevant, but cost is not. A risk file that stops reducing a risk because "further reduction would be economically disproportionate" fails the MDR test even if it passes the ISO test.

  2. Initially acceptable risks. Section 6 of ISO 14971 states that if a risk is initially judged acceptable, no further risk control is required. Annex ZA flags that this provision, taken alone, is not sufficient under MDR. The MDR ratchet under GSPR 4 requires that the hierarchy of controls be considered regardless of whether the initial risk estimate is acceptable. The question "can we design this hazard out entirely?" must be asked even when the hazard is already judged tolerable. Founders who copy the ISO 14971 decision tree literally, without the Annex ZA overlay, silently miss this.

A third frequently-flagged gap concerns benefit-risk analysis. MDR GSPR 8 and 9 require the ratio to be acceptable for each intended purpose. For a device with multiple indications, the analysis must be performed per indication. A single aggregate statement can fail at audit.

A worked example (Test)

A startup building a Class IIa wound-monitoring patch applies EN ISO 14971:2019+A11:2021 for the first time. The team uses a commercial template that has been sold as "MDR-ready". The template renders the hazard tables, the risk evaluation matrix, and the control implementation log cleanly.

The risk file goes to the notified body. Pre-audit document review flags three findings:

Finding 1: economic acceptability criterion. The risk management plan contains the sentence: "Risks are reduced to a level where further control would impose disproportionate cost relative to the risk reduction benefit." Annex ZA flags exactly this language. The MDR "as far as possible" criterion excludes cost as a stopping reason. Corrective action: rewrite the plan to remove the cost language and replace it with a feasibility-only criterion.

Finding 2: initially acceptable risks. Eleven hazards in the file are marked "initial risk acceptable, no further action required." The template, following ISO 14971 Section 6 literally, did not prompt the team to consider the GSPR 4 hierarchy for these entries. The auditor asks: for each of these eleven hazards, was inherent safety by design considered, and if so, why was it not implemented? The team has no record. Corrective action: reopen the eleven entries, run the hierarchy exercise, document the outcome for each.

Finding 3: benefit-risk per intended purpose. The device has two distinct intended purposes in the Instructions for Use: monitoring acute post-surgical wounds and monitoring chronic diabetic foot ulcers. The risk file contains one benefit-risk analysis covering both. MDR GSPR 8 and 9 require the analysis per intended purpose. Corrective action: split the analysis, run the benefit side separately for the two patient populations.

None of these findings would have been flagged by a purely ISO 14971-focused review. All three are standard notified body findings under the MDR because Annex ZA flags them and auditors are trained to look. The fix is structural, not cosmetic. Tibor's experience: these three corrections together typically take a small team two to four weeks.

The Subtract to Ship playbook (Ship)

Felix has watched startups burn months on avoidable ISO 14971 rework. The subtract-to-ship pattern for this specific problem has four moves.

Move 1: buy the amended version, not the base version. EN ISO 14971:2019+A11:2021 is the version to purchase from the national standards body. The "+A11:2021" is the part that contains the Annex Z tables. Buying ISO 14971:2019 without the A11 amendment is the first mistake. The Annex Z content is what you are paying for. Verify the reference in the Official Journal before citing it in your documentation. The harmonised standards list does change.

Move 2: print the Annex ZA table and pin it to the wall. The ZA table is a two-page reference that should be visible to every person touching the risk file. When a team member opens a hazard entry, they should be able to see, in their peripheral vision, which clauses of the standard map to which MDR GSPR, and where the gaps are flagged. Felix's rule: if your risk management workflow requires someone to remember that economic stopping criteria are disallowed, your workflow will fail when that person is tired.

Move 3: rewrite your risk management plan template to reflect the MDR gaps. A generic ISO 14971 plan template does not say "economic considerations are not a stopping criterion". An MDR-compliant plan template does. A generic template does not require explicit hierarchy consideration for initially acceptable risks. An MDR-compliant template does. Subtract the generic template and replace it with one that forces the MDR-stricter path in the document structure itself.

Move 4: run an Annex ZA gap review before every notified body submission. Walk the risk file row by row against the ZA mappings. The review is not glamorous. It is the single highest-leverage activity in a pre-audit month. Tibor has seen startups cut their audit findings roughly in half with this one exercise.
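A script form of the Move 4 row-by-row gap review, encoding the three Annex ZA findings from the worked example above so they surface automatically before a submission. This is an added example, not the authors' or any notified body's tool; the risk-file layout (plan_criterion, hazards with a hierarchy_record, benefit_risk coverage lists) and the cost-language word list are assumptions made for the illustration.

```python
import re

# Constructed sample risk file (not a real submission): plan wording, hazard entries
# and benefit-risk coverage for the two-indication wound-monitoring patch above.
RISK_FILE = {
    "plan_criterion": "Risks are reduced to a level where further control would "
                      "impose disproportionate cost relative to the risk reduction benefit.",
    "intended_purposes": ["acute post-surgical wounds", "chronic diabetic foot ulcers"],
    "benefit_risk": [{"id": "BR-01", "covers": ["acute post-surgical wounds",
                                               "chronic diabetic foot ulcers"]}],
    "hazards": [
        {"id": "H-01", "initial_risk": "acceptable", "hierarchy_record": None},
        {"id": "H-02", "initial_risk": "acceptable",
         "hierarchy_record": "Inherent safety by design considered; adhesive-free design not feasible."},
        {"id": "H-03", "initial_risk": "unacceptable", "hierarchy_record": "Design change implemented."},
    ],
}

# Assumed word list: wording that signals an economic stopping criterion (disallowed under GSPR 4).
COST_LANGUAGE = re.compile(r"\b(cost|economic\w*|commercial\w*|disproportionate)\b", re.I)

def check_acceptability_criterion(plan_text):
    """Finding 1: the plan must not stop risk reduction on cost grounds."""
    hits = sorted({m.lower() for m in COST_LANGUAGE.findall(plan_text)})
    return [("ZA-COST", f"plan criterion uses economic language: {', '.join(hits)}")] if hits else []

def check_initially_acceptable(hazards):
    """Finding 2: every 'initially acceptable' hazard needs a documented GSPR 4 hierarchy record."""
    return [("ZA-HIERARCHY", f"{h['id']}: initially acceptable but no hierarchy consideration recorded")
            for h in hazards if h["initial_risk"] == "acceptable" and not h.get("hierarchy_record")]

def check_benefit_risk_per_purpose(purposes, analyses):
    """Finding 3: one benefit-risk analysis per intended purpose; none aggregated, none missing."""
    findings = [("ZA-BR-AGGREGATE", f"{a['id']} covers {len(a['covers'])} intended purposes")
                for a in analyses if len(a["covers"]) > 1]
    covered = {p for a in analyses for p in a["covers"]}
    findings += [("ZA-BR-MISSING", f"no benefit-risk analysis for '{p}'") for p in purposes if p not in covered]
    return findings

def annex_za_gap_review(risk_file):
    """Run the three checks over a risk file and return (code, message) findings in review order."""
    return (check_acceptability_criterion(risk_file["plan_criterion"])
            + check_initially_acceptable(risk_file["hazards"])
            + check_benefit_risk_per_purpose(risk_file["intended_purposes"], risk_file["benefit_risk"]))

if __name__ == "__main__":
    for code, message in annex_za_gap_review(RISK_FILE):
        print(f"{code}: {message}")
```

Run against the sample file it reports exactly the three findings from the worked example; a file with a feasibility-only criterion, a hierarchy record on every initially acceptable hazard, and one benefit-risk analysis per intended purpose reports none.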

A risk file citing a superseded version of the standard is a finding waiting to happen. How to use harmonised standards covers the operational mechanics.

Reality Check

Seven diagnostic questions. Each "no" is a specific, actionable gap.

  1. Does your risk management plan cite EN ISO 14971:2019+A11:2021 by full title, including the A11 amendment?
  2. Have you read Annex ZA in full, at least once, as a team?
  3. Is your acceptability criterion phrased as "as far as possible" or similar MDR-compliant language, with no cost or economic component?
  4. For every hazard marked "initially acceptable", have you documented consideration of the GSPR 4 hierarchy?
  5. If your device has more than one intended purpose, does the risk file contain a separate benefit-risk analysis per intended purpose?
  6. Do you have a process for tracking when the harmonised standards list in the Official Journal changes, so that a superseded version does not end up cited in your submission?
  7. Can every member of your risk management team explain, in one sentence, what Annex ZA does and why it matters?

Frequently Asked Questions

What exactly does "presumption of conformity" mean? It means a legal bridge. If a manufacturer applies a harmonised standard correctly, the notified body assumes the relevant MDR requirements are met without the manufacturer having to re-prove them from first principles. The presumption is rebuttable: if evidence shows the standard was applied incorrectly, the presumption falls and the manufacturer must demonstrate conformity with the MDR requirement another way.

Is ISO 14971:2019 the same thing as EN ISO 14971:2019+A11:2021? No. ISO 14971:2019 is the international standard, written for a global audience. EN ISO 14971:2019 is the European adoption. The "+A11:2021" is a European common amendment that adds Annexes ZA, ZB and ZC, mapping the clauses of the standard to the MDR, IVDR and earlier directives. For MDR conformity, the A11 amendment is what gives the standard its MDR-specific content. Citing only ISO 14971:2019 is insufficient for MDR purposes.

Can we apply ISO 14971 without the Annex Z tables and still be compliant? In theory, yes, if the manufacturer can demonstrate by other means that the MDR GSPR are fully met. In practice, notified bodies expect to see Annex ZA applied, and applying the standard without its European annex is the single most common root cause Tibor sees for risk management findings.

Does the standard replace the MDR? No. The MDR is always the binding requirement. The standard is one accepted way to meet it. If the standard and the MDR ever conflict, the MDR wins. This is explicitly stated in the foreword to the European version: where there is a conflict between the standard and the regulation, the regulation prevails.

How often is the harmonised standards list updated? The European Commission publishes updates to the harmonised standards list in the Official Journal periodically, sometimes multiple times a year. Manufacturers are expected to monitor these updates. When a new version of a standard is harmonised, there is typically a transition period during which both the old and new versions provide presumption of conformity, after which only the new version does.

What happens if we apply an unharmonised risk management standard? The manufacturer loses presumption of conformity and has to demonstrate, by direct argument against the MDR Annex I GSPR text, that the chosen approach meets the regulation. It is possible but expensive in both effort and audit risk. Startups rarely benefit from this path.

Sources

  1. Regulation (EU) 2017/745 on medical devices (MDR), consolidated text. Article 8, Annex I General Safety and Performance Requirements 1 to 9.
  2. EN ISO 14971:2019+A11:2021, Medical devices, Application of risk management to medical devices, including Annexes ZA, ZB and ZC.
  3. Official Journal of the European Union, harmonised standards list under Regulation (EU) 2017/745, most recent publication.