Systematic hazard analysis — hazard, hazardous situation, harm chain — with p1/p2 probability and severity estimates referenced to the Risk Management Plan acceptance matrix.
Normal-condition hazards must be included; “reasonably foreseeable misuse” is now a defined term requiring explicit hazard identification beyond fault conditions.
Pre-control estimation — risk scores must reflect uncontrolled hazardous situations; estimates done after controls are applied are routinely rejected.
Maps to
ISO 14971: §5.4 Identification of hazards and hazardous situations
ISO 13485: §7.1 Planning of product realization
Pre-QMSR Part 820 (legacy QSR): §820.30(g) Design validation
Requirement text
The manufacturer shall identify and document known and foreseeable hazards associated with the medical device based on the intended use, reasonably foreseeable misuse and the characteristics related to safety in both normal and fault conditions, then estimate, for each hazardous situation, the probability of occurrence of harm and the severity of that harm.
Why this clause exists
The conceptual distinction between a hazard, a hazardous situation, and a harm is not pedantic — it is the mechanism by which risk estimation becomes defensible rather than arbitrary. A manufacturer who conflates "needle" (hazard) with "needlestick injury" (harm) skips the intermediate step of the hazardous situation, and therefore cannot separately estimate the probability that the hazard leads to exposure versus the probability that exposure leads to injury. ISO 14971 clause 5.4 requires the full three-element chain because each link has a different probability that can be influenced by different control measures. The additional requirement to analyze normal-condition hazards reflects lessons drawn from incidents where devices performed as designed yet still caused harm — an inherently sharp edge or an electromagnetic emission that exists in normal operation presents a real hazard regardless of whether a fault has occurred. Without systematic analysis spanning both normal and fault conditions, hazard identification is structurally incomplete.
What changed
ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.
The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from "risks are acceptable" to "benefits outweigh residual risks." Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. ISO/TR 24971:2020 (informative companion) adds Annex G (cybersecurity risk management) and Annex H (legacy device risk file remediation).
Common gaps (what we see in audits)
- Hazard identification scope incomplete — Hazard identification must systematically cover design, materials, manufacturing, user interaction, environmental factors, intended use, AND reasonably foreseeable misuse. Teams often focus on technical failure modes and miss hazards arising from foreseeable human behavior, use environments, and normal-condition hazards where the device functions as designed but is inherently hazardous.
- Risk estimation done after controls, not before — Teams estimate risk in the context of their complete system with controls in place, rather than evaluating inherent risk first. Risk evaluation must be based on what could happen without controls — control effectiveness is evaluated separately during risk control verification.
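The three-element chain, the p1/p2 split and the two audit gaps above, as an added worked example in Python (not text from the page or from any standard). The acceptance matrix, probability bands, thresholds and sample entries are constructed assumptions standing in for what a real Risk Management Plan would define.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed acceptance matrix standing in for the one a Risk Management Plan
# would define; bands, thresholds and verdicts are illustrative only.
# Verdicts: "A" acceptable, "R" further reduction / benefit-risk review, "U" unacceptable.
PROB_BANDS = [("frequent", 1e-2), ("probable", 1e-3), ("occasional", 1e-4),
              ("remote", 1e-5), ("improbable", 0.0)]
SEVERITIES = ["negligible", "minor", "serious", "critical", "catastrophic"]
ACCEPTANCE = {
    "frequent":   ["R", "U", "U", "U", "U"],
    "probable":   ["A", "R", "U", "U", "U"],
    "occasional": ["A", "A", "R", "U", "U"],
    "remote":     ["A", "A", "A", "R", "U"],
    "improbable": ["A", "A", "A", "A", "R"],
}

@dataclass
class HazardEntry:
    hazard: str                 # source of harm, e.g. the needle itself
    hazardous_situation: str    # exposure: how people or property meet the hazard
    harm: str                   # resulting injury or damage
    condition: str              # "normal" or "fault"
    p1: float                   # P(hazardous situation occurs)
    p2: float                   # P(harm | hazardous situation)
    severity: str
    estimated_with_controls: bool = False  # True = estimate taken after controls

def estimate(e: HazardEntry) -> Tuple[float, str, str]:
    """Combine the two links of the chain and place the result on the matrix."""
    p_harm = e.p1 * e.p2
    band = next(name for name, floor in PROB_BANDS if p_harm >= floor)
    return p_harm, band, ACCEPTANCE[band][SEVERITIES.index(e.severity)]

def audit(e: HazardEntry) -> List[str]:
    """Flag the clause 5.4 gaps described above; an empty list means clean."""
    findings = []
    if not e.hazardous_situation:
        findings.append("hazard conflated with harm: no hazardous situation, p1/p2 not separable")
    if e.condition not in ("normal", "fault"):
        findings.append("condition must be stated as normal or fault")
    if e.estimated_with_controls:
        findings.append("estimate taken with controls in place; re-estimate the uncontrolled situation")
    return findings

# Constructed sample entries: a complete chain, and the conflated post-control estimate
NEEDLE = HazardEntry("exposed needle", "hand in needle path during disposal",
                     "needlestick injury", "normal", 1e-3, 0.5, "serious")
CONFLATED = HazardEntry("needlestick injury", "", "needlestick injury", "normal",
                        1e-5, 1.0, "serious", estimated_with_controls=True)
```

Running `estimate` and `audit` on both entries shows the point of the clause: the conflated, post-control entry lands in an acceptable cell while failing the audit, whereas the full chain places the uncontrolled situation where the matrix demands further reduction.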