CROSSWALK

QMSR / ISO 13485 §820.30(g)

Maps to

QMSR / ISO 13485: §820.30(g)

ISO 13485: §7.1

ISO 14971: §4.4

Requirement text

The manufacturer shall document a product-specific risk management plan. The plan must define the scope of risk management, planned activities and their sequence, responsibilities, acceptance criteria (severity and probability scales, risk matrix), and the method for evaluating overall residual risk.

What changed

ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.

The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.

Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. New Annex G on cybersecurity risk management and Annex H on legacy device risk file remediation were added.

Atomic constraints

  • A product-specific risk management plan must be documented before risk analysis begins.
  • The plan must define the scope: which device, which lifecycle phases are covered.
  • Responsibility for risk management activities must be assigned to named roles.
  • Risk acceptability criteria must be defined: severity categories, probability categories, and the risk acceptance matrix.
  • The method for evaluating overall residual risk must be specified in the plan.
  • Risk acceptability criteria must be established and documented in the plan before risk analysis begins, not defined retroactively once the analysis is complete (ISO 14971:2019 clause 4.4).
  • The plan must define the method for evaluating overall residual risk, including an approach for evaluating whether the combined effect of all individual residual risks remains acceptable.
  • The plan must specify a method for evaluating whether the benefits of the device outweigh the overall residual risk, establishing the benefit-risk framework used in the Risk Management Report.
  • The plan must address activities for collecting and reviewing information generated during production and post-production phases per ISO 14971:2019 clause 4.4(f).
  • The risk management file must contain or reference: the risk management plan, records of hazard identification, risk analyses, risk evaluations, risk control measures and their verification, overall residual risk evaluation, and the risk management report.

Common gaps

Risk acceptability criteria defined retroactively

major

ISO 14971:2019 explicitly requires that risk acceptability criteria be established and documented in the risk management plan before risk analysis begins. Many manufacturers define criteria retroactively after seeing their risk analysis results, undermining the objectivity of the evaluation. Auditors reject plans that define criteria after the fact.

No methodology for overall residual risk evaluation

major

The 2019 edition requires the risk management plan to establish the methodology for evaluating overall residual risk and the criteria for its acceptance. Many plans address individual risk evaluation but lack a defined approach for aggregate residual risk assessment. Plans that state 'if all individual risks are acceptable, the overall risk is acceptable' are rejected.

Evidence signals

  • FILE_EXISTS

    Risk.*Management.*Plan|Risk.*Policy|Clinical.*Risk.*Plan|CRMP

  • CONTENT_MATCH

    Does this document define risk acceptance criteria including a severity scale, probability scale, and risk acceptability matrix, with named responsibilities for risk management activities and a defined scope?
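The atomic constraints above ask for fixed severity and probability scales, an acceptance matrix set before analysis, and an overall residual risk method that is more than "every row is acceptable, so the whole is acceptable"; the evidence signal above gives a filename pattern for locating the plan. The following is an added illustration, not tooling from the page or from any standard: the scale values, thresholds, aggregate rule (a cap on the number of tolerable risks and on the summed score), document ID and hazard register are all constructed assumptions, while the filename regex is the page's own FILE_EXISTS pattern (applied case-insensitively, which is an assumption).

```python
# Added illustration (not the page's own tooling): a risk-acceptance matrix whose
# criteria are fixed in a frozen plan object before analysis, an aggregate
# overall-residual-risk check, and the page's FILE_EXISTS evidence-signal regex.
import re
from dataclasses import dataclass, FrozenInstanceError
from typing import Dict, List, Tuple

# Ordinal scales (constructed example; a real plan documents its own categories).
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}

# Filename pattern taken verbatim from the page's FILE_EXISTS evidence signal.
PLAN_FILENAME_PATTERN = r"Risk.*Management.*Plan|Risk.*Policy|Clinical.*Risk.*Plan|CRMP"


@dataclass(frozen=True)
class RiskManagementPlan:
    """Acceptance criteria recorded up front. frozen=True makes any later
    'tuning' of the thresholds fail loudly instead of silently (hypothetical values)."""
    doc_id: str
    acceptable_max: int = 4        # severity * probability <= 4 -> acceptable
    tolerable_max: int = 9         # 5..9 -> tolerable (needs justification)
    # Aggregate rule: an assumption for this example, not prescribed by ISO 14971.
    max_tolerable_count: int = 3   # too many 'tolerable' risks is itself a finding
    aggregate_score_cap: int = 20  # cap on the sum of all residual risk scores

    def classify(self, severity: str, probability: str) -> Tuple[int, str]:
        """Map one hazard to (score, band) using the matrix defined in the plan."""
        score = SEVERITY[severity] * PROBABILITY[probability]
        if score <= self.acceptable_max:
            return score, "acceptable"
        if score <= self.tolerable_max:
            return score, "tolerable"
        return score, "unacceptable"


@dataclass
class ResidualRisk:
    hazard_id: str
    severity: str
    probability: str


def criteria_are_locked(plan: RiskManagementPlan) -> bool:
    """True if the plan refuses retroactive changes to its acceptance criteria."""
    try:
        plan.acceptable_max = 99  # type: ignore[misc]
    except FrozenInstanceError:
        return True
    return False


def evaluate_individual(plan: RiskManagementPlan,
                        risks: List[ResidualRisk]) -> Dict[str, Tuple[int, str]]:
    """Per-hazard evaluation against the plan's fixed criteria."""
    return {r.hazard_id: plan.classify(r.severity, r.probability) for r in risks}


def evaluate_overall(plan: RiskManagementPlan, risks: List[ResidualRisk]) -> dict:
    """Overall residual risk evaluation. Deliberately does NOT reduce to
    'every individual risk is acceptable, therefore the whole is acceptable'."""
    individual = evaluate_individual(plan, risks)
    bands = [band for _, band in individual.values()]
    aggregate = sum(score for score, _ in individual.values())
    tolerable_count = bands.count("tolerable")
    all_individually_ok = "unacceptable" not in bands
    overall_ok = (all_individually_ok
                  and tolerable_count <= plan.max_tolerable_count
                  and aggregate <= plan.aggregate_score_cap)
    return {
        "plan": plan.doc_id,
        "individual": individual,
        "all_individually_acceptable": all_individually_ok,
        "tolerable_count": tolerable_count,
        "aggregate_score": aggregate,
        "overall_acceptable": overall_ok,
    }


def looks_like_plan_document(filename: str) -> bool:
    """FILE_EXISTS evidence signal from the page; case-insensitive match is an assumption."""
    return re.search(PLAN_FILENAME_PATTERN, filename, re.IGNORECASE) is not None


# Constructed sample risk register: no single hazard is unacceptable,
# yet the aggregate exceeds the plan's cap, so overall evaluation fails.
SAMPLE_RESIDUAL_RISKS: List[ResidualRisk] = [
    ResidualRisk("H-01", "serious", "remote"),       # 6, tolerable
    ResidualRisk("H-02", "minor", "occasional"),     # 6, tolerable
    ResidualRisk("H-03", "serious", "occasional"),   # 9, tolerable
    ResidualRisk("H-04", "critical", "improbable"),  # 4, acceptable
    ResidualRisk("H-05", "minor", "remote"),         # 4, acceptable
]

if __name__ == "__main__":
    plan = RiskManagementPlan(doc_id="RMP-EXAMPLE-001")
    report = evaluate_overall(plan, SAMPLE_RESIDUAL_RISKS)
    for hid, (score, band) in report["individual"].items():
        print(f"{hid}: score={score:2d} band={band}")
    print(f"aggregate={report['aggregate_score']} overall_acceptable={report['overall_acceptable']}")
    print("criteria locked:", criteria_are_locked(plan))
```

The point of the frozen plan object is the same as the audit requirement: the thresholds exist, with an owner and a document ID, before the first hazard is scored, and the code path that would relax them after the fact raises rather than quietly succeeding. The aggregate rule is only one of several defensible methods; what matters for the clause is that the plan names one and the report applies it.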

Audit defense

The Risk Management Plan for [your product] (Doc ID: [your document ID]) defines our risk policy, acceptance matrix, and assigns responsibility to our Risk Manager. It establishes the criteria applied consistently across all risk analysis activities for this device.
