Maps to
QMSR / ISO 13485: §820.30(g)
ISO 13485: §7.1
ISO 14971: §4.1
Requirement text
The manufacturer shall establish, document, implement, and maintain a process for risk management throughout the medical device lifecycle. This process must encompass risk analysis, risk evaluation, risk control, and evaluation of overall residual risk.
What changed
ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.
The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. New Annex G on cybersecurity risk management and Annex H on legacy device risk file remediation were added.
Atomic constraints
- •A documented risk management process must exist and be maintained.
- •The process must be integrated across the full device lifecycle, not just the design phase.
- •Risk management activities must be planned, not ad hoc.
- •The process must define criteria for risk acceptability.
- •Risk management records must be maintained as part of a risk management file.
Common gaps
Risk management treated as post-design checkbox exercise
majorOne of the most common failures is creating a risk management file only after device design is essentially complete. Risk management must inform design decisions from the beginning. If risk assessment is done retrospectively, there is no opportunity to implement effective design controls and the risk management record becomes unconvincing to auditors.
FMEA used as sole risk analysis tool
majorManufacturers limit themselves to basic FMEA as their only risk management tool. External auditors expect at minimum two or more complementary tools (e.g., FMEA combined with Preliminary Hazard Analysis, fault tree analysis, or hazard analysis). FMEA alone misses 'normal condition' hazards — a sharp needle is a hazard even when it functions perfectly.
Risk management file not updated after field actions
majorBSI identifies 'unupdated risk management records throughout product lifecycle' as the #1 audit nonconformity. Risk management files are created during design but not updated as post-market data, design changes, field safety corrective actions, and CAPA findings accumulate — leaving the file in an inaccurate pre-recall state.
Evidence signals
- •
FILE_EXISTS
Risk.*Management.*Plan|Risk.*Plan|RM.*Plan
- •
CONTENT_MATCH
Does this document define a systematic risk management process with defined criteria for risk acceptability that applies throughout the product lifecycle?
Audit defense
Our Risk Management Plan (Doc ID: [your document ID]) defines the lifecycle-integrated risk management process for [your product]. It references the Risk Table and Risk Management Report as the complete risk management file, fulfilling ISO 14971:2019 section 4 requirements.