ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions.
ISO 31000 was published as a standard on the 13th of November 2009, and provides a standard on the implementation of risk management. A revised and harmonized ISO/IEC Guide 73 was published at the same time. The purpose of ISO 31000:2009 is to be applicable and adaptable for “any public, private or community enterprise, association, group or individual.” Accordingly, the general scope of ISO 31000 – as a family of risk management standards – is not developed with a particular industry group, management system or subject matter field in mind, but rather to provide best practice structure and guidance to all operations concerned with risk management.
Currently, the ISO 31000 family is expected to include:
ISO 31000:2009 – Principles and Guidelines on Implementation
ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
ISO Guide 73:2009 – Risk Management – Vocabulary
Risk Management – Principles and Guidelines ANSI/ASSE/ISO 31000 (Z690.2-2011) (identical national adoption of ISO 31000:2009)
Scope: This standard provides principles and generic guidelines on risk management. This standard can be used by any public, private or community enterprise, association, group or individual and is not specific to any industry or sector.
This standard can be applied throughout the life of an organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. In addition, this standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.
It is intended that this standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors and does not replace those standards. This standard is not intended for the purpose of certification.
ISO 14971 is an ISO standard for the application of risk management to medical devices. The latest significant revision was published in 2007 with a minor update published in 2009. In 2013, a technical report, ISO/TR 24971, was published by ISO TC 210 to provide expert guidance on the application of this standard.
This standard establishes the requirements for risk management to determine the safety of a medical device by the manufacturer during the product life cycle. Such activity is required by higher level regulation and other quality management system standards such as ISO 13485. Specifically, ISO 14971 is a nine-part standard which first establishes a framework for risk analysis, evaluation, control, and management, and also specifies a procedure for review and monitoring during production and post-production.
In 2012, a European harmonized version of this standard was adopted by CEN as EN ISO 14971:2012. This version is harmonized with respect to the three European Directives associated with medical devices: the Medical Devices Directive 93/42/EEC, the In-vitro Diagnostic Medical Device Directive 98/79/EC, and the Active Implantable Medical Device Directive 90/385/EEC, through the three ‘Zed’ Annexes (ZA, ZB & ZC). This was done to address the presumed compliance with the three Directives that is obtained through notified body certification audits and regulatory submissions that claim compliance to this standard.
EN ISO 14971:2012 applies only to manufacturers with devices intended for the European market; for the rest of the world, ISO 14971:2007 remains the standard recommended for medical device risk management purposes.