Documented intended use specifying patient population, user profiles, use environment, and clinical indication as traceable input to hazard identification.
“Reasonably foreseeable misuse” is now a defined term — explicit documentation of off-label and misuse scenarios is required, not optional.
Hazard-to-use traceability — every hazard in the Risk Table must trace back to a specific intended use or misuse scenario in the source document.
Maps to
ISO 14971: §5.2 Intended use and reasonably foreseeable misuse
ISO 13485: §7.3.3 Design and development inputs
Pre-QMSR Part 820 (legacy QSR): §820.30(c) Design input.
Requirement text
The manufacturer shall document the intended use of the medical device and shall also document reasonably foreseeable misuse. The intended use documentation should take into account the intended medical indication, patient population, part of the body or type of tissue interacted with, user profile, use environment, and operating principle.
Why this clause exists
A hazard analysis that begins without a documented user profile and use environment is building on an unstable foundation — what counts as a foreseeable harm depends entirely on who is using the device and where. Manufacturers who skip or thin out the intended-use documentation tend to produce hazard analyses anchored only to engineering failure modes, missing the larger category of harms that arise from correct use by the wrong person, in the wrong environment, or for a slightly different purpose than intended. ISO 14971:2019 clause 5.2 formalizes this requirement because regulators observed repeatedly that post-market safety issues disproportionately trace to user-interface mismatches and off-label use patterns that were foreseeable at design time but never documented. The explicit addition of "reasonably foreseeable misuse" as a defined term in the 2019 edition signals that documenting anticipated misuse is not an admission of fault — it is a prerequisite for designing against the actual risk landscape the device will encounter in the field.
What changed
ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.
The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. ISO/TR 24971:2020 (informative companion) adds Annex G (cybersecurity risk management) and Annex H (legacy device risk file remediation).
Common gaps (what we see in audits)
- Reasonably foreseeable misuse insufficiently documented — The 2019 edition formally defines 'reasonably foreseeable misuse' and requires it to be documented. FDA precedent (e.g., surgical mesh cases) shows that manufacturers must document and design against foreseeable misuse based on clinical trends, even when that use is explicitly 'off-label' in the instructions for use.