CROSSWALK

ISO 14971 §8

WHAT CARRIES OVER

Pre-release risk management review confirming all plan activities executed and all controls verified — Risk Management Report approval as mandatory release gate.

WHAT’S NEW

Aggregate evaluation of combined residual risks is required — synergistic effects across individually acceptable risks must be assessed, not just summed.

AUDIT FOCUS

Aggregate residual risk analysis in the Risk Management Report — absence of a combined-effects section is the most common new finding under the 2019 edition.

Maps to

ISO 14971: §8 Evaluation of overall residual risk

ISO 13485: §5.6 Management review

Pre-QMSR Part 820 (legacy QSR): §820.30(g) Design validation

Requirement text

Before releasing the device, the manufacturer shall evaluate the overall residual risk posed by the medical device, taking into account the contributions of all residual risks, in relation to the benefits of the intended use, using the method and the criteria for acceptability of the overall residual risk defined in the risk management plan. When the overall residual risk is judged acceptable, the manufacturer shall inform users of significant residual risks through the accompanying documentation. A risk management review shall confirm all planned activities have been implemented, the overall residual risk is acceptable, and appropriate measures are in place to collect and review information in the production and post-production phases.

Why this clause exists

Individual residual risks can each be within the acceptable zone yet interact in ways that create a new, higher-order hazardous situation — multiple independent alarm conditions, each with tolerable probability, can combine under a single clinical scenario into a pattern that overwhelms a clinician's response capacity. ISO 14971 clause 8 exists precisely because risk management methods such as FMEA evaluate hazards row by row and have no built-in mechanism for detecting combinatorial effects across rows. The aggregate evaluation requirement was substantially strengthened in the 2019 edition after notified bodies repeatedly found that manufacturers' Risk Management Reports contained per-hazard analyses without any statement about the totality of residual risk — a gap that leaves the question every regulator cares about most (is this device safe enough to release?) technically unanswered in the risk file. The mandatory pre-release risk management review functions as the organizational checkpoint that prevents a device from entering distribution before the complete risk picture has been examined by a responsible person with authority to halt release.

What changed

ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.

The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.

Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. ISO/TR 24971:2020 (informative companion) adds Annex G (cybersecurity risk management) and Annex H (legacy device risk file remediation).

Common gaps (what we see in audits)

  • No aggregate overall residual risk assessment performed: The 2019 edition requires evaluation of the combined residual risk from all identified hazards, considering all implemented control measures. Many manufacturers evaluate residual risks individually but never assess whether the totality of residual risks is acceptable. The evaluation must compare aggregate risk against established criteria with benefit-risk analysis.
