CROSSWALK

QMSR / ISO 13485 §820.30(g)

Maps to

QMSR / ISO 13485: §820.30(g)

ISO 13485: §7.1

ISO 14971: §5.4

Requirement text

The manufacturer shall identify hazards and hazardous situations associated with the device under its intended use and foreseeable misuse conditions, then estimate the probability of harm occurrence and the severity of that harm for each hazardous situation.

What changed

ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.

The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.

Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. New Annex G on cybersecurity risk management and Annex H on legacy device risk file remediation were added.

Atomic constraints

  • All hazards must be identified using a systematic method, not informal review.
  • Each hazard must be traced to one or more hazardous situations.
  • Each hazardous situation must be associated with a potential harm.
  • Risk estimation must consider both probability of harm occurrence and severity of harm.
  • Intermediate probabilities (p1: probability hazard leads to hazardous situation; p2: probability hazardous situation leads to harm) shall be estimated separately when applicable.
  • Risk estimates must reference the probability and severity scales defined in the Risk Management Plan.

Common gaps

Hazard identification scope incomplete

major

Hazard identification must systematically cover design, materials, manufacturing, user interaction, environmental factors, intended use, AND reasonably foreseeable misuse. Teams often focus on technical failure modes and miss hazards arising from foreseeable human behavior, use environments, and normal-condition hazards where the device functions as designed but is inherently hazardous.

Risk estimation done after controls, not before

major

Teams estimate risk in the context of their complete system with controls in place, rather than evaluating inherent risk first. Risk evaluation must be based on what could happen without controls — control effectiveness is evaluated separately during risk control verification.

Evidence signals

  • FILE_EXISTS

    Risk.*Table|FMEA|Hazard.*Log|Hazard.*Analysis|Risk.*Assessment

  • CONTENT_MATCH

    Does this document contain a structured analysis of hazards, hazardous situations, and harms with explicit probability and severity estimates for each risk, using a defined scoring system?

Audit defense

The Risk Table for [your product] (Doc ID: [your document ID]) documents all identified hazards with probability (p1, p2) and severity estimates that reference our Risk Management Plan acceptance matrix. Each hazardous situation is traceable to a specific harm with a calibrated risk score.
