Publication of Z Annexes and the Harmonisation of ISO 14971:2019

  • Post author:
This is our latest article on the Harmonisation of EN ISO 14971:2019. It has been a long two years since ISO 14971:2019 Medical Devices – Application of Risk Management was published but the European Amendment containing the Z Annexes has finally been published and we are now on the cusp of its harmonisation with European Medical Devices Regulations.

Read Time: 9 minutes
Written by: John Lafferty

Topics covered in this article

  1. The Z Annexes for EN ISO 14971:2019 and their Contents
  2. What is not covered by the new Z Annexes
  3. Implications for the Medical Device manufacturer
  4. ISO 14971:2019 Training Course Information

For terms used in this blog, see the end of the article.

1. The new Z Annexes and what they contain

A European-only amendment to ISO 14971:2019 designated EN ISO 14971:2019+Amd11:2021 was published on 31st December 2021. The European amendment contains two new Z Annexes – ZA and ZB, one for each of the European Medical Devices Regulations – MDR 2017/745 and IVDR 2017/746 respectively. EN ISO 14971:2019+Amd11:2021 is available for purchase from the normal standards publication websites. For compliance with the EU MDR and IVDR, EN ISO 14971:2019+Amd11:2021 is the version of the standard that you will be required to reference in all official documentation. There will be no Z Annexes against the three EU Medical Devices Directives as shortly these will no longer be in force). For Britain, the correct version of the standard to reference will be BS EN ISO 14971:2019+Amd11:2021. Note: BS EN ISO 14971:2019 has been withdrawn in favour of the new European amendment. For products regulated throughout the rest of the world the correct Risk Management Standard to reference will be ISO 14971:2019.

Harmonisation in Q1 2022

In the first quarter of 2022, it is planned that the European Union will publish EN ISO 14971:2019+Amd 11:2021 in the Official Journal of the European Union as a Harmonised Standard (see also Note 1 below). This is a major milestone in European Medical Device regulation and has been achieved through admirable persistence by members of the CEN committee and their EU counterparts to find an agreed form of wording for the Z Annexes. Compliance with a Harmonised Standard allows presumption of compliance with the relevant parts of European Legislation.

Contents of the Z Annexes

Firstly, there are no Content Deviations in the Z Annexes of EN ISO 14971:2019+Amd 11:2021 (there were seven Content Deviations in the Z Annexes of EN ISO 14971:2012, these stated ways in which ISO 14971:2007 differed from the three EU Medical Device Directives) – many will regard this as good news. The Z Annexes state that once the standard has been published in the OJEU, compliance with the standard will give a presumption of conformance with the applicable GSPRs of the MDR and IVDR, and that the scope is limited to Medical Devices regulated under those Regulations. However, the Z Annexes contain a number of explanatory notes that state that the reader must comply with certain requirements of the EU MDR and IVDR which override any content of the standard.

So, what are the clarifying statements of the Z Annexes?

The three most important clarifying statements are as follows;

a.     The terms in the Regulations will override the terms in the standard. This is significant in two respects; firstly, where there are some differing definitions e.g. Benefit in the Standard, but Clinical Benefit in the MDR and the IVDR (remember also, that the definition of Clinical Benefit differs between the MDR and the IVDR); secondly, where a term in not defined in the Regulations e.g. ‘State-of-the-Art’ but is defined in the standard, there is no impediment to using the definition in the standard (again, interestingly, the definition of State-of-the-Art contained in ISO 14971 makes no reference to safety or to compliance with standards; yet, in the vacuum left by the absence of a harmonised standard, the industry has been awash with talk of “State-of-the-Art Standards”).

b.     The risk management process must comply with the requirement in the Regulations that risks have to be reduced as far as possible (or similar wording in the GSPRs). Reducing risk as far as possible is optional in ISO 14971 because that form of words appears only in the European Regulations.

c.     The manufacturer’s policy for determining acceptable risk must be in compliance with the applicable GSPRs.

2. What is not covered by the new Z Annexes?

The Z Annexes contained in EN ISO 14971:2019+Amd 11:2021 each contain a table showing which GSPRs are covered and the extent to which the requirements of those GSPRs are covered by the standard. GSPRs 3,4,5 and 8 are listed in both Annexes with a statement that these GSPRs are covered with regards to process requirements but not in relation to device-specific execution of the [risk management] process. In addition, Annex ZA (relating to the MDR) states that GSPR 9 (relating to products without a medical purpose) is covered provided the criteria for acceptability contained in GSPR 9 have been met.

Annex ZA also states that usability-specific aspects of applicable GSPRs are not covered. IEC 62366 covers usability of Medical Devices and it is hoped that this standard will be harmonised in due course.

The Z Annexes do not list GSPRs 1, 2, 7, or 10 to 23 as being covered by the standard. GSPR 1 of the Regulations contains requirements on; safety and effectiveness, ensuring that the benefits outweigh the risks, the need for a high level of health protection, and taking into account the generally acknowledged state of the art. GSRP 2 explains that risk reduction as far as possible means without adversely affecting the benefit-risk ratio. GSPR 7 relates to risks associated with transport and storage. (In the opinion of the author, there is a great need for harmonised standards in the area of transportation and storage). GSPRs 10 to 23 contain specific safety requirements relating to design and manufacture of devices, and information to be supplied with the device. ISO 14791 was never intended to address these types of requirements.

Wording differences between ISO 14971 and the Regulations

There remain some notable differences in wording between ISO 14971 and the Regulations (some of which were mentioned in the Content Deviations contained in EN ISO 14971:2012) which are not mentioned in the Z Annexes of EN ISO 14971:2019+Amd 11:2021- for example, ISO 14971:2019 Section 7.1 states; ‘The manufacturer shall use one or more of the following risk control options in the priority order listed:

a.     inherently safe design and manufacture

b.     protective measures

c.     information for safety’

The wording ‘one or more’ could be interpreted as meaning that the manufacturer need not consider protective measures if the risk has been reduced to an ‘acceptable level’ by means of design alone. However, compliance with the EU MDR or IVDR require that all three options must be attempted (if they are applicable to the device in question) in order to reduce the risk as far as possible. This subtle difference is not made clear by the Z Annexes nor the standard itself. Only time will tell if this wording difference will give rise to any issues in the future but it is something of which manufacturers should be aware, and indeed it is not the only wording difference between the Standard and the Regulations.

3. Implications of the harmonisation of ISO 14971:2019 for the Medical Device manufacturer

On the whole, the harmonisation of ISO 14971:2019 (as EN ISO 14971:2019+Amd 11:2021) is great news for the Medical Device manufacturer. There will be just one standard for risk management worldwide, which was the goal of the ISO and CEN committees who worked on the creation of ISO 14971:2019. Manufacturers who supply into Europe will have to comply with requirements of the applicable Z Annexes. Compliance with EN ISO 14971:2019+Amd 11:2021 gives a presumption of compliance with (the relevant parts of) the European Medical Device regulations. Medical Device manufacturers will, of course, still have to comply with the GSPRs, and should read the wording of those GSPRs carefully and ensure that their risk management process and any risk management records for their devices comply with all applicable GSPRs. Manufacturers will have to purchase the new amendment EN ISO 14971:2019 Amd 11:2021 and reference this version of the standard in their documentation for European medical devices (including IVDRs). It is expected that the cost of the amendment will be much less than the cost of the standard itself.

4. EN ISO 14971:2019 training course information

Northridge Quality & Validation runs ongoing comprehensive training courses on EN ISO 14971:2019 via our training partner, SQT Training.
Course Title: Quality Risk Management and ISO 14971:2019

Method of Delivery: Zoom
Dates and Booking: Course details can be found on
Course Content: The course covers the principles and practices of Risk Management and the actions that Medical Device Manufacturers need to implement in order to comply with ISO 14971:2019, the Z Annexes and the Medical Devices Regulations.

Ongoing updates on Risk Management

In the months ahead, Northridge Quality & Validation and our training partners SQT Training Ltd. will bring you further updates on Risk Management and related matters.
You can follow the Northridge Quality & Validation LinkedIn page here.


Note 1: A harmonised standard is a European standard developed by a recognised European Standards Organisation: CEN, CENELEC, or ETSI. It is created following a request from the European Commission to one of these organisations. Manufacturers, other economic operators, or conformity assessment bodies can use harmonised standards to demonstrate that products, services, or processes comply with relevant EU legislation. The references of harmonised standards must be published in the Official Journal of the European Union. Source:

Note 2: A list of harmonised standards can be found at

Terms used in this blog:

CEN: Comité Européen de Normalisation (European Committee for Standardization)

GSPRs: General Safety and Performance Requirements of Annex I of the EU MDR 2017/745 and EU IVDR 2017/746

The Regulations: EU MDR 2017/745 and EU IVDR 2017/746

You can follow the Northridge Quality and Validation LinkedIn Company page for more updates.

Ongoing Updates:  If you wish to get our updates emailed directly to your inbox, sign up for our eNewsletter.

About the Author – John Lafferty

John Lafferty is the owner of the Northridge Quality & Validation which provides consultancy to the Medical Device industry.
Specialties His specialties include Software Validation, MDSAP, ISO 13485, ISO 14971 and MDR. John is the holder of a Degree in Manufacturing Technology, Certificate in Training & Continuing Education, Certificate in Quality Management.
Experience He has over 25 years’ experience in the medical device and pharmaceutical industry. He was a Senior Manager of a multinational Medical Devices plant where he managed the Quality, Regulatory, Environmental, and Health & Safety Management Systems. He has successfully completed numerous consultancy projects with medical device manufacturers in Ireland and throughout Europe.
SQT Training Tutor John is also a Life Sciences Tutor with SQT Training