Three-tier control hierarchy — inherent design, protective measures, information for safety — with documented rationale required when a lower-priority tier is selected.
Controls that introduce new hazards must be explicitly analyzed; both implementation verification and effectiveness verification are required separately.
Labeling-as-primary-control without hierarchy rationale — jumping to information-for-safety without documenting why design controls were not feasible is the most cited audit gap.
Maps to
QMSR / ISO 13485: §820.30(g) Design validation.
ISO 13485: §7.3.3 Design and development inputs
ISO 14971: §7.1 Risk control option analysis
Requirement text
The manufacturer shall identify and evaluate risk control options, selecting the most appropriate based on the required hierarchy: inherent safety by design takes priority, followed by protective measures in the device or manufacturing process, then information for safety and, where appropriate, training to users.
Why this clause exists
Warning labels are cheap and fast to produce; design changes are expensive and time-consuming. Without a prescribed priority order, cost and schedule pressure reliably push manufacturers toward information-for-safety controls even when design changes would be technically feasible. The three-tier hierarchy in ISO 14971 clause 7.1 exists to counteract this structural incentive: it requires manufacturers to at minimum evaluate and document why a higher-priority control was not chosen before defaulting to labeling. The underlying principle is that risk transferred to the user through warnings remains a residual risk the user must actively manage in every use, while risk eliminated through inherent design is removed permanently for all users regardless of training or attention. Regulators codified the hierarchy because post-market safety analyses consistently show that inadequate design controls, compensated by warning text, are a leading precursor to serious adverse events — the warning that must be read, understood, and acted upon correctly every time is the weakest possible control.
What changed
ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.
The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. ISO/TR 24971:2020 (informative companion) adds Annex G (cybersecurity risk management) and Annex H (legacy device risk file remediation).
Common gaps (what we see in audits)
- Risk control hierarchy not followed — jumping to labeling — ISO 14971 specifies a priority order: (1) inherent safety by design, (2) protective measures in the device or manufacturing process, (3) information for safety and training. The most frequent audit citation is jumping straight to warnings and labeling without documenting why higher-priority controls were not feasible.
- Control effectiveness verification conflated with implementation verification — ISO 14971 requires both verification that risk control measures are implemented AND verification that they are effective at reducing risk. Many manufacturers verify implementation ('the control exists in the design') but do not separately verify effectiveness ('the control actually reduces the risk as intended'). Records must be maintained for both.