CROSSWALK

QMSR / ISO 13485 §820.30(g)

Maps to

QMSR / ISO 13485: §820.30(g)

ISO 13485: §7.3.3

ISO 14971: §7.1

Requirement text

The manufacturer shall identify and evaluate risk control options, selecting the most appropriate based on the required hierarchy: inherent safety by design takes priority, followed by protective measures in the device or manufacturing process, then information for safety (labeling, warnings).

What changed

ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.

The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.

Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. New Annex G on cybersecurity risk management and Annex H on legacy device risk file remediation were added.

Atomic constraints

  • Risk control options must be evaluated in the prescribed priority order (design → protective measure → information for safety).
  • When a lower-priority control type is used, the rationale for not using higher-priority options must be documented.
  • Risk controls that themselves introduce new hazards must be analyzed.
  • Selected risk control measures must be documented in the risk management file.
  • The implementation of each risk control measure must be verified.

Common gaps

Risk control hierarchy not followed — jumping to labeling

major

ISO 14971 specifies a priority order: (1) inherent safety by design, (2) protective measures in the device or manufacturing process, (3) information for safety and training. The most frequent audit citation is jumping straight to warnings and labeling without documenting why higher-priority controls were not feasible.

Control effectiveness verification conflated with implementation verification

major

ISO 14971 requires both verification that risk control measures are implemented AND verification that they are effective at reducing risk. Many manufacturers verify implementation ('the control exists in the design') but do not separately verify effectiveness ('the control actually reduces the risk as intended'). Records must be maintained for both.
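As an added example (not part of this crosswalk or any tool it describes), the following Python script turns the atomic constraints above and the two common gaps into an automated check over a risk-control table. The record fields, the control-type labels and the sample records are assumptions constructed for illustration; the filename pattern is the FILE_EXISTS evidence signal from this page.

```python
import re
from dataclasses import dataclass

# Priority order from the clause: design first, then protective measures, then information for safety.
HIERARCHY = ("inherent_design", "protective_measure", "information_for_safety")

# FILE_EXISTS evidence signal quoted on this page.
FILE_PATTERN = re.compile(r"Risk.*Table|FMEA|Risk.*Control.*Measure", re.IGNORECASE)

@dataclass
class RiskControl:                      # hypothetical record layout for one risk-control row
    control_id: str
    control_type: str                   # one of HIERARCHY
    higher_priority_rationale: str = ""  # why design/protective options were not used
    new_hazards_analyzed: bool = False   # control checked for hazards it introduces itself
    implementation_verified: bool = False
    effectiveness_verified: bool = False  # separate from implementation verification

def check_control(rc: RiskControl) -> list[str]:
    """Return findings for one record; an empty list means all constraints are met."""
    if rc.control_type not in HIERARCHY:
        return [f"{rc.control_id}: unknown control type '{rc.control_type}'"]
    findings = []
    # A lower-priority control needs a documented reason for skipping higher-priority options.
    if HIERARCHY.index(rc.control_type) > 0 and not rc.higher_priority_rationale.strip():
        findings.append(f"{rc.control_id}: no rationale for not using higher-priority options")
    if not rc.new_hazards_analyzed:
        findings.append(f"{rc.control_id}: not analyzed for newly introduced hazards")
    if not rc.implementation_verified:
        findings.append(f"{rc.control_id}: implementation not verified")
    if not rc.effectiveness_verified:  # the common gap: implementation proof is not effectiveness proof
        findings.append(f"{rc.control_id}: effectiveness not verified")
    return findings

def evidence_file_present(filenames) -> bool:
    """True if any filename matches the FILE_EXISTS evidence signal."""
    return any(FILE_PATTERN.search(name) for name in filenames)

def review(controls, filenames) -> dict:
    findings = [f for rc in controls for f in check_control(rc)]
    return {"evidence_file": evidence_file_present(filenames), "findings": findings}

# Constructed sample data: RC-02 jumps to labeling without rationale and lacks effectiveness proof.
SAMPLE_CONTROLS = [
    RiskControl("RC-01", "inherent_design", new_hazards_analyzed=True,
                implementation_verified=True, effectiveness_verified=True),
    RiskControl("RC-02", "information_for_safety", new_hazards_analyzed=True,
                implementation_verified=True, effectiveness_verified=False),
]
SAMPLE_FILES = ["DHF/Risk_Control_Measures_rev3.docx", "DHF/Design_Inputs.docx"]

if __name__ == "__main__":
    print(review(SAMPLE_CONTROLS, SAMPLE_FILES))
```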

Evidence signals

  • FILE_EXISTS

    Risk.*Table|FMEA|Risk.*Control.*Measure

  • CONTENT_MATCH

    Does this document identify risk control measures categorized by type (inherent design, protective, information for safety), with analysis of whether any controls introduce new risks or hazards?

Audit defense

Risk control measures in the Risk Table for [your product] (Doc ID: [your document ID]) are categorized by type per the ISO 14971 priority hierarchy. Where information-for-safety controls were chosen, the table documents why higher-priority design controls were not feasible.
