Maps to
QMSR / ISO 13485: §820.30(g)
ISO 13485: §5.6
ISO 14971: §8
Requirement text
Before releasing the device, the manufacturer shall evaluate the overall residual risk considering interactions between individual risks and control measures. A risk management review shall confirm all planned activities have been implemented, the risk management file is complete, and the overall residual risk is acceptable.
What changed
ISO 14971:2019 was a major revision. It reorganized the standard from 9 to 10 clauses and moved most of the guidance material into a separate technical report, ISO/TR 24971:2020, so that the normative requirements are shorter, clearer and easier to audit against.
The most visible change was the removal of ALARP (As Low As Reasonably Practicable). The 2007 edition allowed economic considerations to weigh against implementing a risk control; the 2019 edition drops the concept, which aligns it with the EU MDR expectation that risks be reduced as far as possible (AFAP) without cost serving as a primary justification. Benefit-risk analysis is now explicit: three definitions were added (benefit, reasonably foreseeable misuse, state of the art), and where the overall residual risk exceeds the acceptability criteria the manufacturer must show that the medical benefit outweighs that risk rather than simply asserting that the risk is acceptable. Criteria for risk acceptability must be defined and documented in the risk management plan before risk analysis starts.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (general requirements for establishing a system, information collection, information review, and actions), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) now requires an aggregate assessment of all residual risks together, including cumulative effects where several individually low risks combine into a higher one. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. Cybersecurity guidance did not go into the standard itself: it sits in ISO/TR 24971:2020, which added Annex F on risks related to security and Annex G on components and devices designed without ISO 14971 (legacy devices whose risk management file needs remediation).
Atomic constraints
- The overall residual risk must be evaluated as a combination of individual residual risks, not merely their sum.
- Risk interactions and the combined effects of mitigation measures must be considered.
- Overall residual risk must be evaluated against the acceptability criteria in the Risk Management Plan.
- A formal risk management review must be performed and documented before product release.
- The review must confirm that all risk management plan activities were executed and all risk controls implemented and verified.
- The review conclusion must be documented in the Risk Management Report.
Common gaps
No aggregate overall residual risk assessment performed
Severity: major
The 2019 edition requires evaluation of the combined residual risk from all identified hazards, considering all implemented control measures. Many manufacturers evaluate residual risks individually but never assess whether the totality of residual risks is acceptable. The evaluation must compare the aggregate risk against the acceptability criteria in the risk management plan and, where those criteria are exceeded, be supported by a benefit-risk analysis.
Evidence signals
- FILE_EXISTS: Risk.*Management.*Report|RM.*Report|Clinical.*Safety.*Case.*Report
- CONTENT_MATCH: Does this document contain a formal evaluation of overall residual risk considering combined effects, a risk management review confirming completeness of all planned activities, and a final acceptability conclusion signed before product release?
Audit defense
The Risk Management Report for [your product] (Doc ID: [your document ID]) includes an overall residual risk evaluation considering control measure interactions, and a formal management review confirming all plan activities were executed. This is required prior to commercial release and serves as the definitive pre-market risk management record.