The hierarchy matters because not all risk controls are equally effective. A design change that eliminates a hazard is fundamentally more reliable than a warning label that depends on the user reading and following instructions.
The Three-Tier Hierarchy
ISO 14971 clause 7.1 defines three categories of risk control, to be applied in strict priority order:
1. Inherent Safety by Design (InherentSafetyDesign)
The most effective approach: change the design so the hazard cannot occur, or its severity is inherently limited.
Examples for the Smart Infusion Pump:
- Using a peristaltic pump mechanism that physically cannot deliver fluid in reverse
- Selecting biocompatible materials that eliminate chemical exposure hazards
- Designing the enclosure so pinch points are physically impossible
Why it is most effective: No user action required. No component can fail and defeat the control. The hazard is addressed at the source.
2. Protective Measures (ProtectiveMeasure)
When inherent safety is not achievable, add physical barriers or automatic safeguards between the hazard and the user/patient.
Examples:
- Automatic tubing clamp that activates when the pump door opens
- Air-in-line detector that stops infusion when bubbles are detected
- Overcurrent protection circuitry on the power supply
- Alarmed occlusion sensor that alerts the operator and pauses delivery
Why it is second priority: These depend on a component functioning correctly. If the sensor fails or the clamp mechanism jams, the protection is lost.
3. Information for Safety (InformationForSafety)
When neither design changes nor protective measures can adequately reduce risk, provide information that enables the user to avoid harm.
Examples:
- Warning labels on the device about maximum pressure limits
- Instructions for Use specifying the correct tubing set
- Training requirements for operators on alarm response procedures
- On-screen warnings when battery is critically low
Why it is least effective: These depend entirely on the user reading, understanding, remembering, and correctly applying the information. Human factors research consistently shows that warning-based controls have the highest failure rate.
Implementation in the Solution
Risk Control Work Item
Each risk control measure is a work item of type riskControl with a riskControlType multi-valued enumeration field:
| Enum Value | Display Name | Sort Order |
|---|---|---|
| InherentSafetyDesign | Inherent Safety by Design | 1 |
| ProtectiveMeasure | Protective Measure | 2 |
| InformationForSafety | Information for Safety | 3 |
The riskControlType field supports multiple values. A single risk control can be classified under more than one tier — for example, a redesigned enclosure (inherent safety) that also includes warning markings (information for safety). However, ISO 14971 expects that higher-priority controls are applied first, and lower-priority controls supplement rather than replace them.
Risk Control Linkage
Risk controls connect to the rest of the data model through three link roles:
| Link | Direction | Meaning |
|---|---|---|
| mitigates | Risk Control → Risk Record | This control reduces risk for this HARA entry |
| mitigates | Risk Control → Failure Mode | This control addresses this DFMEA failure mode |
| implements | System/Design Requirement → Risk Control | This requirement implements the control measure |
The implements link is critical for audit traceability. It answers: “Where in the design is this risk control realized?” If a risk control has no implementing requirement, there is a traceability gap.
The Risk Control Plan
All 26 risk controls in the project are consolidated in the Risk Control Plan document (Risks/RiskControlPlan). This document uses a dedicated risksheet configuration that displays:
- The risk control description and type classification
- All risk records and failure modes that the control mitigates
- The implementing requirements that realize the control in the design
- The control’s workflow status (draft through approved)
The Risk Control Plan serves as the single source of truth for all risk controls and is a required deliverable under ISO 14971.
How Risk Controls Affect Risk Levels
Applying risk controls should reduce the post-mitigation probability scores on each risk record:
| Control Type | Typical P1 Impact | Typical P2 Impact |
|---|---|---|
| Inherent Safety by Design | Strong reduction (hazard eliminated) | May reduce (severity limited by design) |
| Protective Measure | Moderate reduction (exposure prevented) | Moderate reduction (harm prevented) |
| Information for Safety | Weak reduction (user avoids hazard) | Weak reduction (user mitigates harm) |
After assigning risk controls and updating post-mitigation P1 and P2 values, the risk matrix recalculates the composite probability and determines the new risk level. If the post-mitigation risk remains in the Investigation zone, benefit-risk analysis is required.
Auditor Expectations
ISO 14971 auditors look for evidence that:
- The hierarchy was followed — Design controls were considered before protective measures, which were considered before information controls
- Each control is traceable — Every risk control links to the risk records it mitigates and the requirements that implement it
- Residual risk is documented — After all controls are applied, post-mitigation risk levels are recorded and justified
- The Risk Control Plan is current — All controls are in the plan with their status and classification
The riskControlType field provides the primary evidence for item 1. The mitigates and implements links provide evidence for item 2.
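The two pieces of evidence named above (hierarchy followed, every control traceable) can be checked mechanically over an export of the risk control work items. The script below is an added example, not part of this page or the project's own tooling: it models each riskControl work item as a small Python object carrying its multi-valued riskControlType, its mitigates targets and the requirements that implement it, then flags the traceability gap described under Risk Control Linkage (a control with no implementing requirement, or one that mitigates nothing) and lists risk records whose only controls sit in the Information for Safety tier, which an auditor would expect to see justified. The work item ids (RC-1, RR-2, FM-7, SYS-10 and so on) are constructed sample values, not identifiers from the project.

```python
"""Added example: audit checks over riskControl work items and their
mitigates / implements links. Items are modelled as plain dataclasses;
all ids in SAMPLE_CONTROLS are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Sort order of the riskControlType enumeration (1 = highest priority tier).
TIER_ORDER: Dict[str, int] = {
    "InherentSafetyDesign": 1,
    "ProtectiveMeasure": 2,
    "InformationForSafety": 3,
}


@dataclass
class RiskControl:
    id: str
    types: Set[str]                                        # riskControlType (multi-valued)
    mitigates: Set[str] = field(default_factory=set)       # risk record / failure mode ids
    implemented_by: Set[str] = field(default_factory=set)  # requirements with an implements link


def validate_types(controls: List[RiskControl]) -> Dict[str, Set[str]]:
    """Controls whose riskControlType is empty or outside the three tiers.
    An unknown value would silently break the hierarchy evidence."""
    bad: Dict[str, Set[str]] = {}
    for c in controls:
        unknown = c.types - set(TIER_ORDER)
        if unknown or not c.types:
            bad[c.id] = unknown
    return bad


def find_traceability_gaps(controls: List[RiskControl]) -> Dict[str, List[str]]:
    """A control with no implements link cannot answer 'where in the design is
    this realized?'; a control that mitigates nothing is an orphan."""
    gaps: Dict[str, List[str]] = {}
    for c in controls:
        problems = []
        if not c.implemented_by:
            problems.append("no implementing requirement")
        if not c.mitigates:
            problems.append("mitigates no risk record or failure mode")
        if problems:
            gaps[c.id] = problems
    return gaps


def best_tier_per_risk(controls: List[RiskControl]) -> Dict[str, int]:
    """For each mitigated risk record or failure mode, the highest-priority
    tier (lowest sort order) among the controls applied to it."""
    best: Dict[str, int] = {}
    for c in controls:
        ranks = [TIER_ORDER[t] for t in c.types if t in TIER_ORDER]
        if not ranks:
            continue  # unclassified control contributes no tier evidence
        rank = min(ranks)
        for target in c.mitigates:
            best[target] = min(best.get(target, rank), rank)
    return best


def information_only_risks(controls: List[RiskControl]) -> List[str]:
    """Risk records relying solely on Information for Safety: the hierarchy
    evidence must show design and protective measures were considered first."""
    weakest = TIER_ORDER["InformationForSafety"]
    return sorted(t for t, r in best_tier_per_risk(controls).items() if r == weakest)


# Constructed sample export: ids are illustrative, not from any real project.
SAMPLE_CONTROLS = [
    RiskControl("RC-1", {"InherentSafetyDesign"}, {"RR-1"}, {"SYS-10"}),
    RiskControl("RC-2", {"ProtectiveMeasure"}, {"RR-2", "FM-7"}, {"SYS-11"}),
    RiskControl("RC-3", {"InformationForSafety"}, {"RR-2", "RR-3"}, set()),  # no implements link
    RiskControl("RC-4", {"InherentSafetyDesign", "InformationForSafety"}, {"RR-4"}, {"SYS-12"}),
    RiskControl("RC-5", {"ProtectiveMeasure"}, set(), {"SYS-13"}),  # orphan control
]

if __name__ == "__main__":
    print("invalid types:", validate_types(SAMPLE_CONTROLS))
    print("traceability gaps:", find_traceability_gaps(SAMPLE_CONTROLS))
    print("best tier per risk:", best_tier_per_risk(SAMPLE_CONTROLS))
    print("information-only risks:", information_only_risks(SAMPLE_CONTROLS))
```

Run against the sample, the gap report names RC-3 (no implementing requirement) and RC-5 (mitigates nothing), and RR-3 is the one risk record covered only by an information control. RC-4 carries two tier values, so its best tier is 1; this is why the check takes the minimum sort order per control rather than treating a multi-valued field as a single classification.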
Related Pages