--- title: How to Link Risk Management to Clinical Evaluation Under MDR description: How risk management outputs feed clinical evaluation inputs under MDR Article 61 and EN ISO 14971, with the benefit-risk loop auditors expect. authors: Tibor Zechmeister, Felix Lenhard category: Risk Management Under MDR primary_keyword: link risk management clinical evaluation MDR canonical_url: https://zechmeister-solutions.com/en/blog/link-risk-management-clinical-evaluation source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # How to Link Risk Management to Clinical Evaluation Under MDR *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **Under MDR Article 61, clinical evaluation must confirm conformity with the relevant general safety and performance requirements and characterise and evaluate residual risks, side-effects and the benefit-risk ratio. That language forces a direct link: residual risks coming out of the EN ISO 14971:2019+A11:2021 risk management process become questions the Clinical Evaluation Report must answer with clinical data, and the benefit side of the benefit-risk equation comes from that same clinical evidence. Annex XIV Part A operationalises the bridge by requiring the Clinical Evaluation Plan to identify the general safety and performance requirements that need clinical data, set acceptance criteria for benefit-risk, and specify the methods used. A risk management file that lists residual risks with no corresponding clinical data plan, or a Clinical Evaluation Report that claims benefit without quantifying it against documented risks, fails both sides of Article 61.** **By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.** --- ## TL;DR - MDR Article 61(1) requires clinical evaluation to verify conformity with relevant general safety and performance requirements, to characterise and evaluate undesirable side-effects, and to assess the acceptability of the benefit-risk ratio referred to in Annex I Sections 1 and 8. - Residual risks documented in the risk management file are inputs to the Clinical Evaluation Plan under Annex XIV Part A. Each residual risk above a screening threshold should be traceable to a clinical question and a data source. - The benefit side of the benefit-risk determination is sourced from clinical data. EN ISO 14971:2019+A11:2021 does not generate benefit evidence. The Clinical Evaluation Report does. - The link is bidirectional. New clinical data can change the probability or severity of known risks and can reveal new ones, which must trigger a risk file update. - Auditors look for three specific artefacts: a cross-reference table between residual risks and CER sections, a benefit-risk determination signed against the current CER version, and a change log showing clinical findings being fed back into the risk file. - Startups save months by planning the linkage before writing either document, rather than reconciling them after the fact. --- ## Why this matters Tibor has audited risk management files that read like they were written in one room and clinical evaluation reports that read like they were written in a different building, by people who never spoke. The two documents cite different hazards, use different acceptability thresholds, and reach different conclusions about the same device. When that happens, the notified body does not have a benefit-risk determination it can defend. It has two competing narratives. MDR Article 61 does not allow two narratives. The regulation treats clinical evaluation as the process that confirms conformity with safety and performance, characterises residual risks against clinical reality, and sets the benefit side of the benefit-risk ratio that Annex I Section 8 requires the manufacturer to accept. The risk management process under EN ISO 14971:2019+A11:2021 sets the risk side. Neither document is complete without the other. Felix sees the same break pattern on the startup side. A founding team writes a risk register in week three, then a CRO writes a clinical evaluation plan in month nine, and nobody connects the two until a notified body reviewer asks why the CER does not address the three highest residual risks. That is a process design problem, fixable before either document exists. ## What MDR actually says Article 61(1) of Regulation (EU) 2017/745 states that confirmation of conformity with relevant general safety and performance requirements set out in Annex I under the normal conditions of the intended use of the device, and the evaluation of undesirable side-effects and of the acceptability of the benefit-risk ratio referred to in Sections 1 and 8 of Annex I, shall be based on clinical data providing sufficient clinical evidence, including where applicable relevant data as referred to in Annex III. Three things are locked in by that sentence. First, clinical evaluation confirms conformity with the relevant general safety and performance requirements, not the other way around. Second, undesirable side-effects and residual risks are a required output of clinical evaluation, not a separate track. Third, the benefit-risk ratio referenced in Annex I Sections 1 and 8 is acceptable only if clinical data supports that conclusion. Annex I Section 1 requires devices to achieve the performance intended by their manufacturer and to be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose. Section 8 requires that all known and foreseeable risks, and any undesirable side-effects, shall be minimised and be acceptable when weighed against the evaluated benefits to the patient and user of the device in its intended use, achieving the highest level of safety and protection of health. The phrase "when weighed against the evaluated benefits" is the load-bearing one. Benefits have to be evaluated. That evaluation is the job of the clinical evaluation. Annex XIV Part A then tells the manufacturer how to plan for that. A Clinical Evaluation Plan shall include an identification of the general safety and performance requirements that require support from relevant clinical data, a specification of the intended purpose, a clear specification of the intended target groups, a clear specification of the intended clinical benefits with relevant and specified outcome parameters, the methods to examine qualitative and quantitative aspects of clinical safety with clear reference to the determination of residual risks and side-effects, and parameters to be used to determine, based on the state of the art in medicine, the acceptability of the benefit-risk ratio. EN ISO 14971:2019+A11:2021 supplies the risk side. Clause 7 requires residual risks to be evaluated. Clause 8 requires an evaluation of overall residual risk. Annex I of the standard tracks the relationship between risk management and other lifecycle activities including clinical evaluation, expecting information to flow in both directions. That loop is what Article 61 presumes is running. ## A worked example Consider a Class IIa handheld diagnostic device intended to identify a specific biomarker in point-of-care settings. The risk management file, written against EN ISO 14971:2019+A11:2021, identifies twelve residual risks after risk control. The three highest concern false-negative results in low-biomarker-concentration samples, operator error in sample preparation under time pressure, and cross-contamination from reused cartridge trays. A well-linked Clinical Evaluation Plan picks up all three. It identifies the relevant general safety and performance requirements in Annex I that each risk maps to. For the false-negative risk, it specifies a clinical question: what is the sensitivity of the device at or below the clinically relevant detection threshold, in the intended target population, under the normal conditions of use. It specifies the data source: a prospective clinical performance study combined with published sensitivity data for the same biomarker family. It specifies an acceptance criterion tied to the state of the art in medicine, not to an arbitrary internal number. The benefit side of the benefit-risk ratio is the faster turnaround and earlier clinical decision that the point-of-care format enables. That benefit is not self-evident. The Clinical Evaluation Plan has to specify the intended clinical benefits with relevant and specified outcome parameters, per Annex XIV Part A. In this worked example, those parameters are time from sample to actionable result, proportion of patients whose management decision is made in the same visit, and a usability-anchored rate of correct interpretation by the intended user group. When the Clinical Evaluation Report is written, each of those twelve residual risks has an entry referencing the clinical data that characterised it, the residual probability and severity after that characterisation, and any change required in the risk file. The benefit-risk determination signed at the end of the CER cites specific benefit numbers and specific risk numbers. The risk management report references back to the same CER version. An auditor can trace any residual risk from the risk file to a CER section and back again in under a minute. Tibor has seen the opposite pattern more often. The risk file lists the twelve risks. The CER discusses a sensitivity study. Neither document names the other. The benefit-risk determination is one paragraph at the end of the CER and quantifies nothing. That submission collects a major non-conformity for inadequate integration between Article 61 and Annex I Section 8. ## The Subtract to Ship playbook Felix has watched startups try to bolt this linkage on at the end, after both documents are written. It never works on the first try and it is always the most expensive way to do it. The Subtract to Ship approach is to plan the linkage before writing either document. Step one is to write a residual risk to clinical evidence map as soon as a stable residual risk list exists. For each residual risk above a screening threshold, name the general safety and performance requirement it relates to, the clinical question that would characterise it, the candidate data source, and the acceptance criterion. The map is a single table. It lives in the risk management file and is referenced from the Clinical Evaluation Plan. Step two is to write the Clinical Evaluation Plan against that map. Annex XIV Part A requires the plan to identify the general safety and performance requirements that require clinical data. The map already did that. The plan specifies the methods, the sources, the parameters for benefit-risk acceptability, and the link to the PMS and post-market clinical follow-up plans. It references the risk management plan by version, not by a vague phrase. Step three is to run the risk management process and the clinical evaluation process on a shared review cadence. When new clinical data arrives, it is reviewed for impact on the risk file before the CER section that uses it is finalised. When a risk control change happens, the CER section covering the affected risk is reviewed for impact before the risk file update is signed. This is the integration that MDCG 2020-5 assumes when it discusses equivalence and MDCG 2023-7 assumes when it discusses clinical investigation exemptions. Step four is to make the benefit-risk determination one document that both processes feed. Article 61 and Annex I Section 8 require a single acceptability decision. Do not write one benefit-risk paragraph in the risk management report and a different one in the CER. Write one benefit-risk determination, reference it from both, and update it as one document on a defined schedule. The notified body will check that the versions align. Step five is to close the loop with PMS. Article 83 requires PMS data to update the benefit-risk determination, the design and manufacturing information, and the clinical evaluation. That update is impossible if the risk file and the CER were never linked in the first place. Building the linkage up front is also what makes post-market integration possible later. ## Reality Check - Does the current risk management file have a residual risk to clinical evidence map, or is the linkage implicit? - Can an auditor trace any residual risk above the screening threshold to a section of the Clinical Evaluation Report and back again in under two minutes? - Does the Clinical Evaluation Plan identify the general safety and performance requirements that require clinical data, or does it default to a generic list? - Are the intended clinical benefits specified with measurable outcome parameters, as Annex XIV Part A requires, or are they described in marketing language? - Does the benefit-risk determination exist as one document that both the risk management report and the Clinical Evaluation Report reference, or as two paragraphs that might not agree? - When the last piece of new clinical data arrived, was the risk file reviewed for impact before the CER section was finalised? - Is the linkage fresh enough to survive a PMS-driven update without a full rewrite? ## Frequently Asked Questions **Does MDR Article 61 require a formal cross-reference table between the risk management file and the Clinical Evaluation Report?** Article 61 does not prescribe the table format. It requires that clinical evaluation confirm conformity with relevant general safety and performance requirements and characterise residual risks and the benefit-risk ratio. In practice, notified bodies expect the linkage to be traceable. A cross-reference table is the simplest way to make it so, and Tibor has yet to see a well-run file that does not include one. **Can residual risks be characterised purely through non-clinical testing rather than clinical data?** Annex XIV Part A requires the Clinical Evaluation Plan to identify which general safety and performance requirements need clinical data. Some hazards are adequately addressed by bench testing alone. Others, particularly those affecting clinical outcomes, require clinical evidence. The decision is documented in the plan and justified against the state of the art. **What happens when clinical data contradicts the initial residual risk assessment?** The risk management file is updated. EN ISO 14971:2019+A11:2021 requires the risk management process to be responsive to new information, including information from clinical evaluation. If a residual risk was underestimated, risk controls are revisited. If it was overestimated, the file reflects the improved understanding. Either way, the benefit-risk determination is reviewed. **Is the benefit-risk determination part of the Clinical Evaluation Report or the risk management report?** It is referenced from both, but it exists as one decision. MDR Annex I Section 8 requires a single acceptability conclusion. Writing two versions invites contradictions. The practical solution is to maintain the benefit-risk determination as a standalone document, signed against the CER version and the risk management report version that support it. **How does this linkage affect post-market clinical follow-up planning?** PMCF, under Annex XIV Part B, is designed to generate new clinical data that updates the benefit-risk determination. If the initial linkage between risk management and clinical evaluation is weak, PMCF cannot close the gaps it is supposed to close. Good up-front integration makes PMCF planning straightforward because the outstanding questions are already listed. **Do MDCG 2020-5 and MDCG 2023-7 change the linkage requirement?** They clarify how clinical evaluation and clinical investigation obligations interact, particularly for equivalence claims and for the Article 61(4) to 61(6) exemptions. They do not relax the Article 61(1) core requirement. The linkage to residual risks and benefit-risk acceptability applies regardless of the evidence route chosen. ## Related reading - [MDR Article 61 Clinical Evaluation Requirements](/blog/mdr-article-61-clinical-evaluation-requirements). The regulatory anchor this post depends on. - [MDR Annex XIV Part A Clinical Evaluation](/blog/mdr-annex-xiv-part-a-clinical-evaluation). How the plan and report structure the linkage. - [Clinical Evaluation Report CER Under MDR](/blog/clinical-evaluation-report-cer-mdr). Where the benefit side of the benefit-risk ratio is evidenced. - [Benefit-Risk Analysis Under MDR](/blog/benefit-risk-analysis-mdr). The acceptability decision both documents feed. - [How PMS Feeds Back into Risk Management](/blog/pms-feedback-risk-management). Closing the loop after market entry. ## Sources 1. Regulation (EU) 2017/745 on medical devices, consolidated text. Article 61, Annex I Sections 1 and 8, Annex XIV Part A. 2. EN ISO 14971:2019+A11:2021, Medical devices – Application of risk management to medical devices. Clauses 7 and 8, Annex I. 3. MDCG 2020-5, Clinical Evaluation – Equivalence. April 2020. 4. MDCG 2023-7, Guidance on exemptions from the requirement to perform clinical investigations pursuant to Article 61(4) to (6) MDR. December 2023. --- *This post is part of the [Risk Management Under MDR](https://zechmeister-solutions.com/en/blog/category/risk-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*