CROSSWALK

ISO 14971 §10

Maps to

ISO 14971: §10 Production and post-production activities

ISO 13485: §8.2.1 Feedback

Pre-QMSR Part 820 (legacy QSR): §820.30(g) Design validation; §820.198 Complaint files

Requirement text

The manufacturer shall establish, document and maintain a system to actively collect and review information relevant to the medical device in the production and post-production phases, including complaint and incident data, to determine whether that information has implications for the risk management file. The manufacturer shall review the information collected for possible relevance to safety, especially whether: previously unrecognised hazards or hazardous situations are present; an estimated risk arising from a hazardous situation is no longer acceptable; the overall residual risk is no longer acceptable in relation to the benefits of the intended use; or the generally acknowledged state of the art has changed. When any of these conditions apply, the risk management file must be updated.

What changed

ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.

The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.

Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. ISO/TR 24971:2020 (informative companion) adds Annex G (cybersecurity risk management) and Annex H (legacy device risk file remediation).

Atomic constraints

  • A documented process for collecting and reviewing post-production information must exist.
  • Post-market data must be systematically reviewed for new or changed risk signals.
  • When post-market information reveals a new hazard or changes a risk estimate, the risk management file must be updated.
  • The review must cover complaint data, incident reports, and relevant published literature on similar devices.
  • Review frequency must be defined and documented in the surveillance plan.

Common gaps

Passive complaint monitoring instead of active data collection

major

The 2019 revision explicitly requires manufacturers to 'actively collect and review' post-production information rather than passively waiting for complaints. The four-step framework (Establish, Collect, Review, Act) requires proactive monitoring of clinical literature, similar devices, and state-of-the-art developments — not just a complaint inbox.

Post-market data not feeding back into risk management

major

BSI and TÜV SÜD consistently list 'lack of connection between PMS and risk management' as a top 3 major non-conformity. Organizations collect post-market data (complaints, adverse events, literature reviews) but have no systematic process that feeds this information back into the Risk Management File and triggers re-assessment when new hazards or risk factors are identified.

Evidence signals

  • FILE_EXISTS

    Post.*Market.*Surveillance|PMS.*Plan|Post.*Deployment.*Surveillance|Surveillance.*Plan

  • CONTENT_MATCH

    Does this document describe a process for collecting and reviewing post-market complaint and incident data with a defined mechanism to update the risk management file when new hazards or changed risk estimates are identified?

Audit defense

Our Post-Market Surveillance process (Doc ID: [your document ID]) defines the data collection and review cadence for [your product]. The process explicitly requires risk management file updates when surveillance data reveals new hazards or materially changed risk estimates, ensuring the risk file remains current throughout the product lifecycle.
