Maps to
QMSR / ISO 13485: §820.30(g)
ISO 13485: §7.1
ISO 14971: §7.3
Requirement text
After implementing risk control measures, the manufacturer shall estimate and evaluate the residual risk for each hazardous situation. Where residual risk exceeds acceptability criteria, a benefit-risk analysis shall be performed to determine whether the clinical benefits of the device outweigh the remaining risk.
What changed
ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.
The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. New Annex G on cybersecurity risk management and Annex H on legacy device risk file remediation were added.
Atomic constraints
- Residual risk must be estimated and recorded for each hazardous situation after all controls are applied.
- Residual risk evaluation must use the same acceptance criteria as initial risk evaluation.
- When residual risk remains unacceptable, a benefit-risk analysis must be performed and documented.
- Benefit-risk analysis must reference clinical evidence, not only engineering judgment.
- Users must be informed of residual risks through labeling, instructions for use, or in-application warnings.
Common gaps
Synergistic effects of combined residual risks not evaluated
major: The overall residual risk evaluation must consider synergistic effects where multiple individually 'low' residual risks combine to create a new, higher-risk situation. For example, multiple concurrent alarms each with acceptable individual risk may together create dangerous user confusion. Manufacturers evaluate residual risks in isolation without considering aggregate effects.
Benefit-risk conclusion not explicitly documented
major: The 2019 edition shifts the required conclusion from 'risks are acceptable' to 'benefits outweigh residual risks.' Many manufacturers' risk management reports do not include an explicit benefit-risk conclusion with documented rationale, particularly when overall residual risk exceeds pre-defined thresholds.
Evidence signals
- FILE_EXISTS: Risk.*Management.*Report|Risk.*Report|Benefit.*Risk|Clinical.*Safety.*Case
- CONTENT_MATCH: Does this document evaluate residual risk levels after risk control measures have been applied, and does it include a benefit-risk analysis that weighs device clinical benefits against remaining unacceptable risks?
Audit defense
The Risk Management Report for [your product] (Doc ID: [your document ID]) documents post-control residual risk levels for every hazardous situation. Where residual risks required benefit-risk justification, the report references clinical evaluation data demonstrating that benefits outweigh the residual risk.