Maps to
ISO 14971: §8 Evaluation of overall residual risk
ISO 13485: §5.6 Management review
Pre-QMSR Part 820 (legacy QSR): §820.30(g) Design validation.
Requirement text
Before releasing the device, the manufacturer shall evaluate the overall residual risk posed by the medical device, taking into account the contributions of all residual risks, in relation to the benefits of the intended use, using the method and the criteria for acceptability of the overall residual risk defined in the risk management plan. When the overall residual risk is judged acceptable, the manufacturer shall inform users of significant residual risks through the accompanying documentation. A risk management review shall confirm all planned activities have been implemented, the overall residual risk is acceptable, and appropriate measures are in place to collect and review information in the production and post-production phases.
What changed
ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.
The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. ISO/TR 24971:2020 (informative companion) adds Annex G (cybersecurity risk management) and Annex H (legacy device risk file remediation).
Atomic constraints
- The overall residual risk must be evaluated as a combination of individual residual risks, not just summed.
- Risk interactions and combined effects of mitigation measures must be considered.
- Overall residual risk must be evaluated against the acceptability criteria in the Risk Management Plan.
- A formal risk management review must be performed and documented before product release.
- The review must confirm all risk management plan activities were executed and all risk controls implemented and verified.
- The review conclusion must be documented in the Risk Management Report.
Common gaps
No aggregate overall residual risk assessment performed
Severity: major
The 2019 edition requires evaluation of the combined residual risk from all identified hazards, considering all implemented control measures. Many manufacturers evaluate residual risks individually but never assess whether the totality of residual risks is acceptable. The evaluation must compare aggregate risk against established criteria with benefit-risk analysis.
Evidence signals
- FILE_EXISTS: Risk.*Management.*Report|RM.*Report|Clinical.*Safety.*Case.*Report
- CONTENT_MATCH: Does this document contain a formal evaluation of overall residual risk considering combined effects, a risk management review confirming completeness of all planned activities, and a final acceptability conclusion signed before product release?
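As an added example (not part of this page and not the code of any compliance tool), the Python below evaluates the FILE_EXISTS signal above against constructed file names. It shows that the regex is case-sensitive as written, and that once it is applied case-insensitively the short RM.*Report alternative also matches unrelated report names, so a hit is a prompt for review rather than a conclusion. The content_signal keyword check is an assumed stand-in for the CONTENT_MATCH reviewer question, not an implementation of it.

```python
import re

# Regex copied verbatim from the page's FILE_EXISTS evidence signal.
FILE_EXISTS_PATTERN = r"Risk.*Management.*Report|RM.*Report|Clinical.*Safety.*Case.*Report"

# Constructed sample file names for illustration (not from any real design history file).
SAMPLE_FILES = [
    "DHF/Risk Management Report v3.docx",
    "DHF/RMReport_final.pdf",
    "DHF/clinical_safety_case_report.pdf",   # only found when matching ignores case
    "DHF/Risk Management Plan.docx",          # plan, not report: should not match
    "DHF/Design Validation Report.pdf",       # unrelated report: should not match
    "DHF/Performance Test Report.pdf",        # "perfoRMance ... Report" false positive when ignoring case
]


def match_file_exists(names, pattern=FILE_EXISTS_PATTERN, ignore_case=True):
    """Return the file names that satisfy the FILE_EXISTS signal.

    ignore_case=False applies the page's regex exactly as written (case-sensitive);
    ignore_case=True is the more forgiving mode a document scanner would normally use,
    at the cost of looser matches from the RM.*Report alternative.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return [n for n in names if rx.search(n)]


# Constructed excerpt standing in for a Risk Management Report conclusion section.
SAMPLE_REPORT_TEXT = """
Section 8 Overall residual risk: the overall residual risk, considering the combined
effect of all implemented risk controls, is judged acceptable against the criteria
in the Risk Management Plan. The risk management review confirmed that all planned
activities were completed. Approved and signed by the risk management lead.
"""


def content_signal(text):
    """Keyword heuristic (an assumption for this example, not the page's CONTENT_MATCH
    question itself) flagging whether the three elements the reviewer question asks
    about appear in the text. A human still reads the document; this only triages."""
    t = text.lower()
    return {
        "overall_residual_risk_evaluated": "overall residual risk" in t,
        "risk_management_review_present": "risk management review" in t,
        "acceptability_conclusion_signed": "acceptable" in t and ("signed" in t or "approved" in t),
    }


if __name__ == "__main__":
    print("case-sensitive :", match_file_exists(SAMPLE_FILES, ignore_case=False))
    print("case-insensitive:", match_file_exists(SAMPLE_FILES, ignore_case=True))
    print("content signal  :", content_signal(SAMPLE_REPORT_TEXT))
```

The case-insensitive run is the one worth noting: it picks up the lower-case clinical safety case report that the literal regex misses, but also flags the performance test report, so the signal should feed a reviewer's checklist rather than close a gap on its own.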
Audit defense
The Risk Management Report for [your product] (Doc ID: [your document ID]) includes an overall residual risk evaluation considering control measure interactions, and a formal management review confirming all plan activities were executed. This is required prior to commercial release and serves as the definitive pre-market risk management record.