---
title: Common MDR Risk Management Mistakes: ISO 14971 Gaps
description: Common risk management mistakes MDR startups make: Excel-only files, ISO 14971 Section 6 misread, one-person workshops, broken PMS loops. Fix each one.
authors: Tibor Zechmeister, Felix Lenhard
category: Risk Management Under MDR
primary_keyword: common risk management mistakes MDR
canonical_url: https://zechmeister-solutions.com/en/blog/common-risk-management-mistakes-iso-14971
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Common MDR Risk Management Mistakes: ISO 14971 Gaps

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Startup risk files fail audit for the same four or five reasons every time. The Excel-only file with no planning or report around it. The ISO 14971 Section 6 misread that lets "initially acceptable" risks skip further control. The one-person one-day workshop dressed up as multidisciplinary brainstorming. The post-market feedback loop that exists on paper and never touches the risk file. Each of these is a named finding in Tibor's audit notebook. Each one has a concrete fix.**


## TL;DR
- The Excel-only anti-pattern treats risk management as a spreadsheet. MDR Annex I §3 demands a full documented process: plan, analyse, evaluate, control, residual evaluation, report, feedback.
- ISO 14971 Section 6 says "no further control" if initial risk is acceptable. MDR does not accept that. MDR requires risk reduction "as far as possible" regardless of initial level. Annex ZA of EN ISO 14971:2019+A11:2021 flags this gap.
- One person, one day, one checklist is not a risk management process. Credible hazard identification needs a multidisciplinary team and multiple sessions.
- Post-market feedback has to flow into the risk file on a continuous cadence. Updating the file every two or three years means the probabilities and severities on record are wrong most of the time.
- Most first-time audit findings in risk management cluster around these four mistakes. Fixing them up front is cheaper than fixing them in response to a non-conformity.

## Why this matters

Risk management is the most frequently flagged area in Tibor's notified body audit experience. Not because the standard is unclear. EN ISO 14971:2019+A11:2021 is one of the most readable harmonised standards in the MDR ecosystem. The failures are structural. Teams treat the risk file as a compliance document to be produced once, near the end of development, by one person who happens to have the bandwidth. That is not what MDR Annex I §3 asks for.

Felix has coached founders through the rebuild that follows a non-conformity. It takes months. It delays launch. It costs investor trust. Every single one of those rebuilds could have been avoided by not making the same four or five mistakes that every first-time manufacturer makes. This post is the list.

## What MDR actually says

MDR Annex I §3 requires a risk management system that is established, implemented, documented and maintained across the whole lifecycle of the device. §3 lists the mandatory activities: plan, identify and analyse hazards, estimate and evaluate risks including reasonably foreseeable misuse, eliminate or control risks using the hierarchy in §4, evaluate residual risks and the overall benefit-risk, and review the process based on production and post-production information.

MDR Annex I §4 defines the control hierarchy: (a) eliminate or reduce risks as far as possible through safe design and manufacture, (b) take adequate protective measures including alarms where necessary, (c) provide information for safety and where appropriate training. The order is not optional.

MDR Articles 83 to 86 then require a post-market surveillance system that actively and systematically gathers data from the device in use, analyses it, and feeds it back into the technical documentation, the risk management, and the clinical evaluation.

EN ISO 14971:2019+A11:2021 is the harmonised standard. Annex ZA of the A11:2021 amendment maps the standard to the MDR GSPRs and explicitly flags the gap between the MDR's "as far as possible" and the "as low as reasonably practicable" (ALARP) concept that older ISO 14971 practice relied on. Reading Annex ZA is not optional for anyone implementing the standard under MDR.

## A worked example

Tibor opens a risk file on the first morning of a stage 2 audit. The file is an Excel spreadsheet. Twenty-eight rows. Five columns: hazard, cause, severity, probability, "acceptable yes or no". Every row has "acceptable: yes" in green.

**Finding 1: the Excel-only file.** There is no risk management plan defining scope, methods, acceptability criteria, and how post-market data flows in. There is no risk management report summarising the residual risk evaluation and overall benefit-risk conclusion. There is no link to a hazard analysis method (FMEA, HAZOP, fault tree, nothing). ISO 14971 is not just a table. It is plan, analyse, evaluate, control, evaluate residual, report. Four of those six are missing.

**Finding 2: the Section 6 misread.** Every row shows "acceptable yes", and no risk control is recorded anywhere in the file. The auditor asks why. The founder answers that Section 6 of ISO 14971 says no further control is needed if the initial risk is acceptable. The auditor opens EN ISO 14971:2019+A11:2021 Annex ZA and reads aloud: under the MDR, "as far as possible" applies regardless of initial acceptability. The finding becomes a major non-conformity.

**Finding 3: the one-person workshop.** The file was written by the lead engineer in a single day. No RA involvement. No clinical input. No marketing or sales perspective. The auditor asks where mechanical hazards during patient handover were considered. They were not. Where cross-contamination was considered. It was not. The finding is incomplete hazard coverage.

**Finding 4: the decoupled PMS loop.** The company has a PMS plan under MDR Article 83. The PMS data collection is real. The risk file has not been updated in eighteen months. The auditor asks when post-production information last triggered a risk file update. Never. Another finding.

Four findings in ninety minutes. All preventable. None unusual.

## The Subtract to Ship playbook

Felix walks founders through a fix for each of the four anti-patterns. Subtract ceremony. Keep the structure that makes the file defensible.

**Fix 1: turn the Excel into a process.** Write a risk management plan. Five to eight pages. Scope, method (ISO 14971 clauses referenced explicitly), acceptability criteria, roles, verification activities, and a named post-production feedback path. Write a risk management report at the end. Three to six pages. Summary of identified hazards, residual risks, benefit-risk conclusion, and list of residual risks disclosed in the IFU. Between plan and report, the spreadsheet or database can stay. It is now bracketed by the two documents that make it a process. Tibor's audit experience: the plan and report together close ninety percent of "Excel-only" findings.

**Fix 2: read Annex ZA and change the acceptability language.** Replace "acceptable yes or no" with "risk reduced as far as possible, residual risk disclosed". For every hazard, document the controls considered under the hierarchy in Annex I §4: inherent safety by design first, protective measures second, information for safety last. If a stronger control was available and not used, the file must explain why. "Cost" and "schedule" are not acceptable explanations under MDR. "Technical infeasibility" and "would introduce a greater risk" are. Tibor's Q3 from the follow-up interview is this fix verbatim.

**Fix 3: schedule a multidisciplinary workshop cadence.** At least one session with RA, development, clinical, quality, marketing and sales in the same room per major design phase. Minimum three sessions for a first product. Record the attendance. Record the hazard list before and after. The delta is the evidence that the session did work the one-person version cannot. For software-intensive devices, consider AI-assisted hazard brainstorming as a supplement. Tibor's Q5 and Q10 both land here.

**Fix 4: rebuild the PMS feedback loop.** MDR Articles 83 to 86 require that post-market surveillance data flow back into the technical documentation and the risk management. Schedule a monthly triage of PMS inputs. Categorise by hazard family. Any input that changes a probability or severity triggers a risk file update. Any input that surfaces a new hazard triggers a new row. Keep a version history of the risk file that the auditor can inspect, so every update is dated and traceable to the PMS input that caused it. Tibor's Q9: bad PMS loops update the file every two to three years. Good loops update continuously.

**Fix 5: stop treating "acceptable" as a stop sign.** The language in the risk file matters. Replace every "acceptable" with "as far as possible". Replace every "tolerable" with "residual risk disclosed and accepted in benefit-risk". The wording is not cosmetic. It is what the auditor reads first.

**Fix 6: disclose residual risks in the IFU.** Annex I §4 requires manufacturers to inform users of any residual risks, and the IFU content requirements in Annex I §23.4 repeat that residual risks belong in the instructions for use. Missing IFU disclosure of documented residual risks is a finding Tibor has raised more than once. Close the loop from risk file to labelling.
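
The rules in Fix 2, Fix 4 and Fix 6 are mechanical enough to run as code over a risk file. The Python below is an added example, not code from the post's authors or from any regulatory tool: a linter that enforces the Annex I §4 order (a weaker control may only be used after a documented decision on the stronger one), rejects justifications such as "cost" that the post says do not survive audit, and flags rows whose residual risk is not disclosed in the IFU; and a triage pass that applies a batch of PMS inputs, updates rows whose estimate changed, adds a row for a new hazard, and records every change in a version history for Check 8. The field names, the 1-5 severity and probability scale, the hazard IDs, the hazard families and all sample rows and PMS inputs are constructed assumptions, not data from the post.

```python
"""Risk-file linter and PMS triage encoding the rules in this post (Fix 2, 4 and 6).
Added example, not code from the post's authors or any regulatory tool; field names,
the 1-5 severity/probability scale, hazard IDs and all sample data are assumptions."""
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Optional

# Annex I §4 hierarchy, strongest control first: design, then protective, then information.
HIERARCHY = ("design", "protective", "information")
# The only justifications the post says survive audit for a stronger control not used.
VALID_JUSTIFICATIONS = {"technical infeasibility", "greater risk"}

@dataclass(frozen=True)
class Control:
    level: str                 # one of HIERARCHY
    implemented: bool
    justification: str = ""    # required when implemented is False

@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    family: str                # hazard family, used to categorise PMS inputs
    severity: int              # assumed 1-5 scale
    probability: int           # assumed 1-5 scale
    controls: tuple            # Control objects, one per hierarchy level considered
    disclosed_in_ifu: bool

@dataclass(frozen=True)
class PmsInput:
    received: date
    source: str                # complaint, vigilance, literature, ...
    family: str
    hazard_id: Optional[str]   # None when the input surfaces a new hazard
    severity: int              # re-estimated after reviewing the input
    probability: int

@dataclass
class RiskFile:
    hazards: dict              # hazard_id -> Hazard
    version: int = 1
    history: list = field(default_factory=list)   # (version, date, note) per change

def lint_hazard(h: Hazard) -> list:
    """Audit-style findings for one row; an empty list means the row passes."""
    f, levels = [], [c.level for c in h.controls]
    if not h.controls:
        f.append(f"{h.hazard_id}: 'acceptable' with no controls considered (Finding 2)")
    for stronger, weaker in zip(HIERARCHY, HIERARCHY[1:]):
        if weaker in levels and stronger not in levels:
            f.append(f"{h.hazard_id}: '{weaker}' control used without considering '{stronger}' first")
    for c in h.controls:
        if not c.implemented and c.justification.lower() not in VALID_JUSTIFICATIONS:
            f.append(f"{h.hazard_id}: '{c.level}' not implemented, justification '{c.justification}' is not accepted under MDR")
    if h.controls and not any(c.implemented for c in h.controls):
        f.append(f"{h.hazard_id}: no control implemented at any level")
    if not h.disclosed_in_ifu:
        f.append(f"{h.hazard_id}: residual risk not disclosed in the IFU (Fix 6)")
    return f

def triage(rf: RiskFile, inputs: list, today: date) -> list:
    """Fix 4: changed estimates update rows, new hazards add rows, every change is versioned."""
    changes = []
    for p in sorted(inputs, key=lambda x: x.received):
        if p.hazard_id in rf.hazards:
            h = rf.hazards[p.hazard_id]
            if (h.severity, h.probability) == (p.severity, p.probability):
                continue   # reviewed, estimate unchanged: no file update needed
            rf.hazards[p.hazard_id] = replace(h, severity=p.severity, probability=p.probability)
            note = f"{p.hazard_id}: S{h.severity}/P{h.probability} -> S{p.severity}/P{p.probability} ({p.source})"
        else:
            new_id = p.hazard_id or next(f"H-{n:03d}" for n in range(1, 10000) if f"H-{n:03d}" not in rf.hazards)
            rf.hazards[new_id] = Hazard(new_id, p.family, p.severity, p.probability, (), False)
            note = f"{new_id}: new {p.family} hazard from {p.source}"
        rf.version += 1
        rf.history.append((rf.version, today, note))
        changes.append(note)
    return changes

def days_since_pms_update(rf: RiskFile, today: date) -> Optional[int]:
    """Check 8: days since PMS data last changed the file, or None if it never has."""
    return (today - rf.history[-1][1]).days if rf.history else None

def run_example():
    """Constructed data: lint the file, apply one PMS batch on 2025-03-31, report Check 8 at 2025-06-29."""
    ok = (Control("design", True), Control("protective", True), Control("information", True))
    bad = (Control("design", False, "cost"), Control("information", True))   # cost rejected, protective skipped
    rf = RiskFile({"H-001": Hazard("H-001", "electrical", 4, 2, ok, True),
                   "H-002": Hazard("H-002", "mechanical", 3, 3, bad, True),
                   "H-003": Hazard("H-003", "biological", 2, 2, (), False)})   # Finding 2 and Fix 6
    findings = [m for h in rf.hazards.values() for m in lint_hazard(h)]
    batch = [PmsInput(date(2025, 3, 3), "complaint", "mechanical", "H-002", 3, 4),   # probability rose
             PmsInput(date(2025, 3, 9), "complaint", "electrical", "H-001", 4, 2),   # no change
             PmsInput(date(2025, 3, 20), "literature", "biological", None, 3, 1)]    # new hazard
    changes = triage(rf, batch, date(2025, 3, 31))
    return findings, changes, rf, days_since_pms_update(rf, date(2025, 6, 29))
```

On the constructed file, `run_example()` returns four findings (two against H-002 and two against H-003, none against H-001), two triage changes (H-002 re-estimated, H-004 added as a new biological hazard), a file at version 3 with two history entries, and 90 days since the last PMS-driven update. A new row added by triage starts with no controls and no IFU text, so the linter keeps flagging it until the team closes it; that is the intended behaviour, since the row exists precisely because the file is not yet complete.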

## Reality Check

1. Does the risk management plan exist as a standalone document with acceptability criteria and a PMS feedback path?
2. Does the risk management report exist as a standalone document with a benefit-risk conclusion?
3. Has Annex ZA of EN ISO 14971:2019+A11:2021 been read and applied, so the acceptability language uses "as far as possible" not "acceptable yes or no"?
4. For every hazard with controls not implemented, is the justification based on technical infeasibility or greater risk, not on cost or schedule?
5. Has the hazard identification been done by a multidisciplinary team in more than one session, with attendance recorded?
6. Does the PMS feedback loop actually update the risk file on a monthly or quarterly cadence, with a version history to prove it?
7. Are all documented residual risks disclosed in the IFU?
8. If an auditor asked "show me the last risk file update triggered by PMS data", is the answer in the last ninety days?

## Frequently Asked Questions

**Is a spreadsheet ever acceptable as a risk file?**
A spreadsheet can be the storage format for the hazard analysis rows. It cannot be the entire risk file. The plan, the report, the verification records and the feedback history have to exist around the spreadsheet. Tibor's rule: if the "risk file" is a single xlsx, it is not a file.

**What about "ALARP" from older UK practice?**
ALARP is "as low as reasonably practicable". It was acceptable under MDD-era ISO 14971 readings. Under MDR, Annex ZA makes clear that "as far as possible" is the applicable bar and that ISO 14971 Section 6 cannot be used as a stop sign. Founders copying ALARP language from older templates inherit a non-conformity.

**Does Fix 3 mean every hazard review needs six people in a room?**
No. It means at least one multidisciplinary session per major design phase with the relevant disciplines. Between sessions, individual contributors can maintain their own rows. The session is for the hazards nobody on their own would see.

**How often does the risk file need to be updated post-launch?**
Continuously, with documented review cadence. Tibor's audit benchmark: a file that has not been touched in the last six months post-launch, on a device with active PMS data, is a finding waiting to happen.

**Is there a shortcut through any of this?**
No. The process is the deliverable. Cutting any of plan, multidisciplinary analysis, controls hierarchy, residual evaluation, report, or PMS feedback produces a file the auditor can see through in minutes. Felix has watched founders try every corner cut. Every one of them costs more later than doing the process would have cost up front.

## Related reading
- [The MDR Risk Management Process: Using ISO 14971](/blog/mdr-risk-management-process-iso-14971): the full six-activity process explained
- [The ISO 14971 Annex Z Trap](/blog/iso-14971-annex-z-trap): why Annex ZA matters and what the common misreads are
- [PMS Feedback into Risk Management](/blog/pms-feedback-risk-management): how Articles 83-86 data flows into the risk file on a real cadence

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Annex I §3, Annex I §4, Articles 83-86.
2. EN ISO 14971:2019+A11:2021, Medical devices, Application of risk management to medical devices. Annex ZA mapping to MDR.
3. MDCG 2025-10 (December 2025), Guidance on post-market surveillance.

---

*This post is part of the [Risk Management Under MDR](https://zechmeister-solutions.com/en/blog/category/risk-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
