CROSSWALK

ISO 14971 §10

WHAT CARRIES OVER

Post-market surveillance loop feeding complaint and incident data back into the risk management file — new hazards or changed risk estimates trigger file updates.

WHAT’S NEW

Active collection is now explicit — proactive monitoring of literature, state of the art, and similar devices required, not just reactive complaint handling.

AUDIT FOCUS

PMS-to-risk-file linkage — auditors ask for evidence that surveillance reviews triggered risk file updates; a passive complaint inbox with no update decisions fails.

Maps to

ISO 14971: §10 Production and post-production activities

ISO 13485: §8.2.1 Feedback

Pre-QMSR Part 820 (legacy QSR): §820.198 Complaint files.

Requirement text

The manufacturer shall establish, document and maintain a system to actively collect and review information relevant to the medical device in the production and post-production phases, including complaint and incident data, to determine whether that information has implications for the risk management file. The manufacturer shall review the information collected for possible relevance to safety, especially whether: previously unrecognised hazards or hazardous situations are present; an estimated risk arising from a hazardous situation is no longer acceptable; the overall residual risk is no longer acceptable in relation to the benefits of the intended use; or the generally acknowledged state of the art has changed. When any of these conditions apply, the risk management file must be updated.

Why this clause exists

The risk landscape of a deployed medical device is not static: clinical use patterns evolve, new research emerges, similar devices generate adverse event reports that are relevant to shared hazard mechanisms, and software components receive updates that change the hazard profile. A manufacturer whose risk file accurately reflected reality at design transfer but has not been touched since is functionally operating without risk management after the first product generation. ISO 14971 clause 10 exists because passive complaint handling — waiting for a user to submit a formal complaint — has proven repeatedly insufficient to detect safety signals early enough to prevent serious harm at scale. The 2019 edition restructured this requirement into a four-element framework (Establish, Collect, Review, Act) precisely because notified bodies found that organizations had complaint systems but no documented decision process for evaluating whether complaint data required risk file updates — the data was collected and then terminated in a CAPA log with no bridge back to the risk management file.

What changed

ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.

The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.

Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. ISO/TR 24971:2020 (informative companion) adds Annex G (cybersecurity risk management) and Annex H (legacy device risk file remediation).

Common gaps (what we see in audits)

  • Passive complaint monitoring instead of active data collection: The 2019 revision explicitly requires manufacturers to 'actively collect and review' post-production information rather than passively waiting for complaints. The four-step framework (Establish, Collect, Review, Act) requires proactive monitoring of clinical literature, similar devices, and state-of-the-art developments, not just a complaint inbox.
  • Post-market data not feeding back into risk management: BSI and TÜV SÜD consistently list 'lack of connection between PMS and risk management' as a top 3 major non-conformity. Organizations collect post-market data (complaints, adverse events, literature reviews) but do not have a systematic process to feed this information back into the Risk Management File, triggering re-assessment when new hazards or risk factors are identified.
