There are many ongoing discussions about the economic effects of the lockdown that many countries have been subject to with regards to the Corona virus.

In this article, I have applied a medical device risk management perspective on the Covid-19 situation to explore and discuss how the risks of Covid-19 would be addressed when applying ISO 14971 risk management to the situation, and comparing that with what the governments have been doing for the past years.

A medical device risk analysis on the Covid-19 situation

Medical device risk analysis should always start with potential sources of harm.

In the current situation, it is clear that Corona virus is the hazard. There are many reasonably foreseeable sequences or combinations of events that could lead to hazardous situations with regards to the Coronavirus.

Meaning: A human is exposed to the virus.

So far, the risk analysis work is relatively straightforward. What about the harm?

Some people experience symptoms so weak that they are not even aware of the virus if they are not tested. Others are entirely asymptomatic.

On the other hand, sadly, some even die.

How would this be addressed using ISO 14971 risk management?


The occurrence of harm and severity of Covid-19

During the onset of the pandemic, it was hard to say what the probability of harm would be. To some degree, it is still not that easy, as the virus mutates over time, resulting in higher or lower severities.

According to medical device risk management, when the probability of occurrence of harm cannot be estimated, the risk will be evaluated based on its severity. And since one of the harms would be death, which is the highest severity, the magnitude of risk is great even though we do not know the probability of occurrence of death.

And what about the fact that many infected people only get mild symptoms and do not die? We cannot estimate the probability of occurrence of harm for this either, which means that from an ISO 14971 perspective, the risk of death as an outcome trumps risks with higher probability and lower harm.

Had we known the actual probability of occurrence of harm, the risk might have been considered acceptable, because most jurisdiction risks that are equivalent to the risk of everyday life are by definition acceptable.

So, if we knew that Covid-19 had a probability of occurrence of death equivalent to, for example, seasonal flu, governments might have reacted differently. But, in absence of reliable data on the probability of occurrence of harm, medical device risk management would rate Covid-19 based on severity, meaning that we take a lot more precautions with this virus than we would, had it been the seasonal flu.

At the time of writing this post, the probabilities are a lot more well-known than in the initial period. And it is known that a significant part of those infected will not experience any symptoms. While some will have flu-like symptoms, others will require hospital care, intensive care, or, and in the worst-case scenario, some people will die.

The whole reasoning above is based on the fact that the estimation of probability of occurrence of harm cannot be done. In medical device risk management, risk is only comprised of two factors, the probability of occurrence of harm and the severity of harm. However, some would argue that it should also include uncertainty as one of the factors. Thus, if you are unsure of the probability, the risk is higher – which is a conclusion that makes sense.

This brings us to a question: should you only work with the worst-case harm? Which is, in this case, death.

The answer is no. Various harms will have different severities and also different probabilities. And it is not always the harm with the highest severity that has the highest magnitude of risk. It could be that a very frequent risk with low severity is worse. If you want to dig into that area more, please consider taking the risk management for medical devices and ISO 14971:2019 course (blended version).

Risk control options for the Corona virus

The most effective risk control option is inherent safety by design, which would be to completely remove the hazard. In medical terms, this would mean eradicating the virus.

The world would get there if the infectious degree reached less than 1.0 in the world, meaning that the virus would gradually become more uncommon and eventually disappear. At the time of writing this article, this is not likely to happen.

Getting vaccinated could be seen as a protective measure, and for some diseases, a successful vaccination programme could be seen as a long-term inherent safety by design risk control measure, because eventually, the vaccination programme could eradicate the virus.


Protective measures to reduce Covid-19 risks

When inherent safety by design is not an option, protective measures are the second most effective way of mitigating risks. By definition, protective measures would reduce the probability of occurrence of harm or reduce the severity. Or it would be a combination of the two.

Today, we have two main groups of risk controls that are protective measures. Technically, reducing the probability of occurrence of harm would be done by using various types of personal protective equipment, such as breathing masks, eye protection, and face masks. They will reduce the probability of being exposed to the virus or exposing others to the virus. But more or less all PPE are dependent on information for safety, which is the next risk control option.

Reducing the severity would include applying the treatment regimens that have been found to be effective. This may change the level of harm from death to full recovery or recovery with permanent injury. Had there been medicine available that was proven to be effective, this would also count as a protective measure, but you could argue that when the medicine is needed, the harm has already occurred. And that is true.


Information for safety and training of users – informing the public

Applying information for safety and training of users, is the option that is used when inherent safety by design and protective measures have not successfully eliminated risks. Keep in mind that most use of personal protective equipment would be relying on information for safety to be applied. And in the medical device industry, it is a well-established fact, that trusting people to do things right, is the least effective option.

Man wearing face mask incorrectly

And having seen on a larger scale how face masks are used (or not used), I am no longer surprised to see that people using another well-known medical device as contraceptive still get pregnant.

Because if they use condoms the way they use face masks, pregnancy or STDs are definitely part of the likely outcomes! Do people misuse condoms?

Sure, after reading this article, I am surprised to see that people are even putting the face mask on the right body part.

ISO 14971 Risk control options for Covid-19


Inherent safety by designEradication of the virus
Protective measuresPersonal protective equipment, treatment regimens
Information for safetySocial distancing


When the government tells people to practice social distancing, it is a type of information for safety. And to no surprise, there are many instances where people have violated the instructions provided. Of course, this is also true for any information provided for the use of medical devices.

Social distancing on train platform

Governments all over the world have decided on various types of risk control measures ranging from being arrested for saying the virus exists to complete lockdowns. Somewhere in the middle, intensive care has been ramped up to mitigate the consequences of Covid-19 infections. In some countries face masks are mandatory; in other countries they are not.

An interesting side note is that sometimes using protective measures that are visible to others may lead to higher risk behaviour as is shown in a study from 2013 in which it was shown that on average, drivers drive closer to bicyclists when passing them if the rider wore a helmet.


Reduce risk as far as possible…

As a result of the lockdown, critique has been raised regarding the financial consequences on the economy. This is very interesting if you look at the situation based on the medical device directives and regulations in the EU.

The consensus among legislators is that the cost should never be an argument for not trying to reduce risks. According to Annex Z of the EN ISO 14971:2012, which was authored on the initiative of the European Commission, one should always reduce risks as far as possible without economic considerations.

Practically speaking, this is not how it works. If this was true, medical care professionals would only use single-use sterile products, since there is otherwise a risk for cross-infection even though the device is just used non-invasively.

But as you know, not all medical devices are sterile and disposable. It is therefore practically impossible to fulfil the intent of the medical device directive and the medical device regulation without taking state-of-the-art into account.

This means that the governments that have decided on a total lockdown, regardless of the financial consequences, are in fact well-aligned with the philosophy and principles of risk management as it is described in the medical device directive and medical device regulation.


… without adversely affecting the benefit-risk ratio

Under the Medical Device Directive, risks had to be reduced as far as possible. However, in the new Medical Device Regulation, there is one new condition. According to the MDR, risks shall be reduced as far as possible without adversely affecting the benefit-risk ratio.

You could argue that the complete lockdown reduces the risks and that the benefit of saving the additional lives is lower than the financial cost to society. From a regulatory point of view, the benefit-risk ratio would not be affected by the number of companies that go bankrupt or the unemployment rate.

The benefit-risk ratio would instead stop the risk reduction if, for example, the healthcare personnel had so much personal protective equipment on them that they could not effectively treat the patient.

Yet another argument could be put forward with reference to the benefit-risk ratio. If tax revenues are reduced so much from lockdown, bankruptcies, and unemployment that healthcare can no longer be afforded, then one could argue that the lockdown has reduced risk so far that the benefit-risk ratio is negatively affected.

So, from the perspective of the medical device directive, a total lockdown is justified, whereas according to the Medical Device Regulation, you could argue that the risk has been reduced too far with a total lockdown or not – depending on what happens in the future.


Verify the effectiveness of risk control measures

With medical device risk management, you are required to verify the effectiveness of your risk control measures. For Covid-19, this is easier said than done.

We basically have to resort to trending over time, which is not that different from post-market surveillance. We also need to verify the implementation of the risk controls, which in theory should fail in quite a few situations where healthcare workers do not have access to the personal protective equipment that they should and that is part of the risk control measures.

If the situation had been regarding a medical device, the shortage of personal protective equipment would effectively have stopped the release of the medical device because not all risk control measures have been implemented.

Unfortunately, it is not possible to tell the virus that it will not be released.


All in all, applying ISO 14971 and medical device risk management to the current Covid-19 situation would result in similar strategies to what we are seeing in the world today.

Would you like to learn more about Risk Management?

Get instant access to our online Risk Management for Medical Devices and ISO 14971:2019 course right here. In 6 hours, you can learn more about how to develop new medical devices and maintain them in organisations where design control requirements apply. This course is taken by quality assurance, project management, design engineering or those involved in R&D and product development teams.

Peter Sebelius instructor

Peter Sebelius

Peter Sebelius is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.

He has vast ‘hands on’ experience, having developed, amongst other things, a mechanical chest compression device and an ex vivo perfusion machine for lungs. He has received numerous awards including the Great Design Award and the title “This year’s specialist” by Veckans affärer.