
QMSR / ISO 13485 §820.70

Maps to

QMSR / ISO 13485: §820.70

ISO 13485: §8.2.1

ISO 14971: §10

Requirement text

The manufacturer shall establish a system to collect and review information generated during production and post-production phases, including complaint and incident data, to determine whether that information has implications for the risk management file. When new hazards are identified or risk estimates change, the risk management file must be updated.

What changed

ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.

The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.

Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. New Annex G on cybersecurity risk management and Annex H on legacy device risk file remediation were added.

Atomic constraints

  • A documented process for collecting and reviewing post-production information must exist.
  • Post-market data must be systematically reviewed for new or changed risk signals.
  • When post-market information reveals a new hazard or changes a risk estimate, the risk management file must be updated.
  • The review must cover complaint data, incident reports, and relevant published literature on similar devices.
  • Review frequency must be defined and documented in the surveillance plan.

Common gaps

Passive complaint monitoring instead of active data collection

major

The 2019 revision explicitly requires manufacturers to 'actively collect and review' post-production information rather than passively waiting for complaints. The four-step framework (Establish, Collect, Review, Act) requires proactive monitoring of clinical literature, similar devices, and state-of-the-art developments — not just a complaint inbox.

Post-market data not feeding back into risk management

major

BSI and TÜV SÜD consistently list 'lack of connection between PMS and risk management' as a top 3 major non-conformity. Organizations collect post-market data (complaints, adverse events, literature reviews) but have no systematic process that feeds this information back into the Risk Management File and triggers re-assessment when new hazards or risk factors are identified.

Evidence signals

  • FILE_EXISTS

    Post.*Market.*Surveillance|PMS.*Plan|Post.*Deployment.*Surveillance|Surveillance.*Plan

  • CONTENT_MATCH

    Does this document describe a process for collecting and reviewing post-market complaint and incident data with a defined mechanism to update the risk management file when new hazards or changed risk estimates are identified?

Audit defense

Our Post-Market Surveillance process (Doc ID: [your document ID]) defines the data collection and review cadence for [your product]. The process explicitly requires risk management file updates when surveillance data reveals new hazards or materially changed risk estimates, ensuring the risk file remains current throughout the product lifecycle.
