The five-step risk management skeleton — hazard identification, risk estimation, risk control, residual risk evaluation, and lifecycle integration — persists from 2007.
AFAP replaces ALARP; benefit-risk analysis is now an explicit required step; the guidance companion moved to ISO/TR 24971:2020.
Risk management file completeness at design freeze — Plan, Risk Table, and Report must all exist and be current, not created retroactively.
Maps to
ISO 14971: §4.1 Risk management process
ISO 13485: §7.1 Planning of product realization
Pre-QMSR Part 820 (legacy QSR): §820.30(g) Design validation
Requirement text
The manufacturer shall establish, implement, document and maintain an ongoing process for risk management throughout the medical device lifecycle. This process must encompass risk analysis, risk evaluation, risk control, and production and post-production activities.
Why this clause exists
Risk management conducted as a one-time pre-launch exercise tends to miss field-emergent harms that only surface after the device reaches widespread use. Historically, manufacturers have completed formal risk documentation at the design-transfer gate and then allowed the risk file to become static — failing to update it as post-market complaints, design changes, and software anomalies accumulated. Regulators codified the lifecycle-integration requirement in ISO 14971 clause 4.1 because devices evolve after launch: software is updated, indications expand, user populations shift, and clinical evidence accumulates. Without an ongoing, documented process, no organizational mechanism exists to detect when a previously acceptable risk has become unacceptable in light of new information or a changed state of the art.
What changed
ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.
The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. ISO/TR 24971:2020 (informative companion) adds Annex G (cybersecurity risk management) and Annex H (legacy device risk file remediation).
Common gaps (what we see in audits)
- Risk management treated as a post-design checkbox exercise — One of the most common failures is creating a risk management file only after device design is essentially complete. Risk management must inform design decisions from the beginning. If risk assessment is done retrospectively, there is no opportunity to implement effective design controls and the risk management record becomes unconvincing to auditors.
- FMEA used as the sole risk analysis tool — Manufacturers limit themselves to basic FMEA as their only risk management tool. External auditors expect at least two complementary tools (e.g., FMEA combined with Preliminary Hazard Analysis, fault tree analysis, or hazard analysis). FMEA alone misses 'normal condition' hazards — a sharp needle is a hazard even when it functions perfectly.
- Risk management file not updated after field actions — BSI identifies 'unupdated risk management records throughout product lifecycle' as the #1 audit nonconformity. Risk management files are created during design but not updated as post-market data, design changes, field safety corrective actions, and CAPA findings accumulate — leaving the file in an inaccurate pre-recall state.