The ISO 14971 risk control priority hierarchy — inherent design first, protective measures second, information for safety third — applies unchanged to all user interface risk controls.
AMD1:2020 explicitly adds training alongside information for safety at priority level (c); the ISO 14971 cross-reference updated from 2007 §6.2 to 2019 §7.1.
Documented rationale showing higher-priority controls were considered before information for safety was selected — missing rationale for each hazard is a standard notified body finding.
Maps to
IEC 62366: §4.1.2 RISK CONTROL as it relates to USER INTERFACE design
ISO 13485: §7.3.2 Design and development planning
ISO 14971: §7.1 Risk control option analysis
Requirement text
To reduce use-related risk, the manufacturer shall use one or more of the following options, in the order of priority required by ISO 14971:2019 clause 7.1: (a) inherently safe design and manufacture; (b) protective measures in the medical device itself or in the manufacturing process; and (c) information for safety and, where appropriate, training to users. Risk control measures applied to the user interface must be applied in this priority sequence — design-based controls are required before information-for-safety controls are accepted as adequate.
Why this clause exists
Clause 4.1.2 exists because the single most common regulatory failure in user interface risk management is accepting information for safety — a label, a warning, or user training — as the primary risk control for a hazardous use scenario that could have been eliminated or mitigated at the design level. FDA MAUDE data and MDR incident databases document recurring class-level use errors in infusion pump interfaces, glucose meters, and radiation therapy systems where the manufacturer's risk control was a warning in the instructions for use rather than a design change that would have made the unsafe interaction physically impossible or cognitively less likely. IEC 62366-1 clause 4.1.2 codifies the ISO 14971 risk control priority hierarchy as an explicit obligation within the usability engineering context because usability reviewers and notified bodies observed that this hierarchy was routinely inverted in device human factors files: teams would identify a hazard-related use scenario, document that the risk was 'mitigated by training' or 'addressed in the IFU', and close the risk control without any analysis of whether inherent design changes or protective measures were practicable. The clause forces a documented analysis at each priority level before descending to information-for-safety controls.
What changed
IEC 62366-1:2015+AMD1:2020 CSV clause 4.1.2 carries the risk control priority hierarchy from ISO 14971 directly into the usability engineering standard. The Amendment 1 (2020) update revised the ISO 14971 cross-reference from the 2007 edition (clause 6.2) to the 2019 edition (clause 7.1), and added training explicitly alongside information for safety as a permissible option at priority level (c). In the 2015 edition, training was implied but not listed; AMD1:2020 names training explicitly as a recognized control at the third priority level. The substantive obligation — strict priority ordering with design controls before information-for-safety controls — is unchanged from 2015.
Common gaps (what we see in audits)
- Information for safety selected without documenting rejection of higher-priority controls — Manufacturers frequently select warning labels or user training as risk controls for use-related hazards without any documented analysis of whether inherent design changes or protective measures were practicable. Notified bodies and FDA reviewers consistently cite this as a deficiency because the risk control priority hierarchy requires documented rationale at each level.
- Training accepted as a primary risk control for hazards that could be designed out — Device-specific training is listed in AMD1:2020 as a permissible control at priority level (c), but it is not acceptable as the sole control where a design change would eliminate or substantially reduce the use-error probability. Teams sometimes treat AMD1:2020’s explicit naming of training as a new permission to rely on it more heavily, when in fact the priority hierarchy still requires it to be the last resort.