MDR Annex I General Safety and Performance Requirements 1 to 9 is where risk management obligations live in the regulation text. EN ISO 14971:2019+A11:2021 is one accepted path to meeting those obligations, not a replacement for them. Founders who start with the standard instead of the regulation miss the reason the clauses exist. Walking GSPR 1 to 9 in order is the single clearest way to see what the MDR actually demands.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • The MDR contains the legal obligation. ISO 14971 is one way to discharge it. They are not interchangeable.
  • GSPR 1 establishes the safety and performance duty. GSPR 2 and 3 establish the risk management system and process. GSPR 4 establishes the control hierarchy. GSPR 5 addresses use error. GSPR 6 addresses lifetime. GSPR 7 addresses packaging. GSPR 8 and 9 establish the benefit-risk determination.
  • A risk file built from the standard alone can pass as a standard-compliant document and still miss GSPR obligations.
  • Every clause in a well-built risk file should trace back to a specific GSPR, not to a clause in ISO 14971.
  • Standards change. Regulations change more slowly. Anchoring your regulatory logic to the GSPR text gives a longer useful life than anchoring it to a standard revision.

Why this matters (Hook)

A founder asks: "If EN ISO 14971 is the harmonised standard for risk management, why do we need to read MDR Annex I at all? The standard already tells us what to do."

Tibor's answer, delivered often enough to be a habit: the standard tells you how. The regulation tells you why. When those two answers drift apart, the regulation wins. Founders who start with the standard and never open the regulation eventually produce risk files that read fluently but fail in places the standard does not cover. The failure mode is predictable. The fix is to reverse the order: read the GSPR first, then use the standard as the implementation manual for requirements that already exist in your head.

This post walks Annex I Chapter I, GSPR 1 to 9, in the order they appear in the regulation. It names what each requirement demands, where the standard helps, and where the standard alone cannot substitute for the MDR text.

What MDR actually says (Surface)

MDR Annex I is titled "General Safety and Performance Requirements". It is divided into three chapters. Chapter I contains the general requirements. Chapter II contains requirements regarding design and manufacture. Chapter III contains requirements regarding the information supplied with the device. Risk management obligations live primarily in Chapter I, GSPR 1 through 9, and bleed into Chapters II and III through the consequences of those first nine clauses.

GSPR 1. Safety and performance. Devices shall achieve intended performance and be safe during normal use, with risks acceptable when weighed against benefits and compatible with a high level of protection. "Acceptable" does not mean tolerable to the manufacturer. It means acceptable against benefits, at a high protection bar. That is the bar the notified body enforces.

GSPR 2. Risk management system. Manufacturers shall establish, implement, document and maintain a risk management system as a continuous iterative process throughout the device lifecycle. Three verbs: establish, implement, maintain. A plan that is written but not executed fails "implement". A plan executed once and filed fails "maintain". Notified bodies check each verb independently.

GSPR 3. Risk management process. A six-part cycle written into the regulation: plan, identify hazards, estimate and evaluate risks (for intended use and reasonably foreseeable misuse), control risks per GSPR 4, evaluate production and post-market information, and amend controls where necessary. Missing any of the six is a GSPR 3 finding.

GSPR 4. Control hierarchy. Safe design first. Protective measures (including alarms) second. Information for safety third. The order is binding. "As far as possible" is the acceptability criterion, stricter than "as low as reasonably practicable". Economic considerations are not a legitimate stopping reason. Feasibility considerations are.

GSPR 5. Use error and foreseeable misuse. Use error is a design problem first, not a training problem. This is the bridge between risk management (ISO 14971) and usability engineering (IEC 62366-1). The two cannot live in silos.

GSPR 6. Lifetime. Performance and safety must not degrade during the stated lifetime under normal use and proper maintenance. "Lifetime" means the real lifetime, not the marketing lifetime. Five years of stress, wear, calibration drift, battery degradation, software updates and maintenance cycles must be covered.

GSPR 7. Packaging, transport, storage. Characteristics and performance must not be adversely affected by transport and storage per the manufacturer's instructions.

GSPR 8. Minimisation of risks. All known and foreseeable risks and side-effects shall be minimised and acceptable against evaluated benefits during normal conditions of use.

GSPR 9. Benefit-risk ratio. The ratio must be acceptable per intended purpose. For a multi-indication device, the weighing runs once per indication.

Read together, GSPR 1 through 9 describe a complete risk management architecture in the regulation text itself, independent of any standard.

A worked example (Test)

A founder has a hazard entry in their risk file: "Residual electrical current greater than allowed limit in fault condition". The ISO 14971 template lets them fill in severity, probability, risk control (a fuse), verification (an electrical safety test), and residual risk. The template does not force them to reference the GSPR.

Now walk the same hazard through GSPR 1 to 9:

  • GSPR 1: is the device still suitable for its intended purpose with this fuse in place? Yes, performance unaffected.
  • GSPR 2: is this hazard entry part of a continuously maintained risk management system, or a one-off? It needs to be part of a maintained file with a defined review cadence.
  • GSPR 3: was this hazard identified through a structured process including reasonably foreseeable misuse? The entry must trace back to the hazard identification workshop.
  • GSPR 4: does the control (fuse) sit at the right level of the hierarchy? Is there a design alternative that removes the fault condition entirely? If there is, the GSPR 4 order says it must be considered first, and the file must record why the fuse was chosen instead. If there is not, document that too.
  • GSPR 5: could a user action cause this fault condition? If yes, the control must also consider use error, not just inherent failure.
  • GSPR 6: does the fuse still work at end of life? Five years of thermal cycling? Corrosion? That is a verification the ISO-only template does not necessarily prompt.
  • GSPR 7: is the fuse rating still valid after worst-case storage conditions?
  • GSPR 8 and 9: is the residual risk of a delayed fuse response acceptable against the benefit of the device for this intended purpose?

The ISO 14971 entry would pass a standard-only review with three or four lines. The GSPR walk surfaces seven to eight distinct considerations, at least two of which (GSPR 6 lifetime, GSPR 5 use error) would typically not be in a standard-only template and any of which could become a notified body finding.

The point of the exercise is not to add paperwork. The point is that the regulation contains obligations the standard does not always prompt. Running the GSPR walk as a mental checklist, per hazard, is the cheapest way Tibor knows to prevent preventable findings.

The Subtract to Ship playbook (Ship)

Four rules for anchoring a risk file to MDR Annex I instead of to ISO 14971 alone.

Rule 1: cite GSPR, not standard clauses, in your risk file. When a risk control is implemented, reference "GSPR 4, inherent safety by design" in the control log, not "ISO 14971 clause 7". The regulation is the legal anchor. If the standard is revised, the anchor stays. If the anchor is a standard clause number, a standard revision can orphan the traceability.

Rule 2: walk the nine GSPRs as a checklist once per significant hazard. Felix's field observation from forty-four startups: the teams that adopt a "nine GSPR walk" per major hazard produce risk files that survive notified body audit with markedly fewer findings. The walk takes roughly five to ten minutes per hazard and is almost always shorter than the time it takes to fix a finding after the fact.

Rule 3: read MDR Annex I Chapter I once a quarter as a team. This is a subtract-to-ship move. Instead of adding tooling, add a recurring meeting whose only purpose is to re-read GSPR 1 through 9 out loud. Tibor's experience: each re-read surfaces at least one previously under-addressed GSPR. The text does not change, but the team's understanding does, especially as the product matures and edge cases emerge.

Rule 4: treat the standard as commentary, not as scripture. EN ISO 14971:2019+A11:2021 is an excellent implementation guide. It is not the law. When the standard and the regulation drift apart, follow the regulation. The companion post "Essential Requirements vs GSPR" explains the legal weight Annex I carries.

Reality Check

  1. Can every member of your risk management team name GSPR 1 through 9 without looking them up?
  2. Does your risk file cite MDR Annex I GSPR numbers directly in the control log, or does it only cite ISO 14971 clauses?
  3. For each major hazard, have you walked the nine GSPRs as a checklist and documented any gaps surfaced?
  4. Does your risk management plan reference GSPR 2 and 3 by name as its legal basis?
  5. Is "as far as possible" (the MDR phrase) reproduced verbatim in your acceptability criterion, or have you silently imported "as low as reasonably practicable" from another tradition?
  6. Does your benefit-risk analysis reference GSPR 8 and 9 explicitly, and does it run per intended purpose?
  7. Do you review Annex I Chapter I as a team at least once a quarter?

Frequently Asked Questions

Why can a standard not replace the regulation? Because legal obligation flows from the regulation. The Official Journal publishes the list of harmonised standards that grant presumption of conformity, but presumption is rebuttable. If a notified body finds that a standard was applied incorrectly, or that a specific GSPR was not covered, the presumption falls and the manufacturer must demonstrate conformity directly against the regulation. A standard can be revised, superseded or removed from the harmonised list. The regulation is amended only through EU legislative procedure and is the stable anchor.

Do we cite Annex I in our risk management plan? Yes. A well-written risk management plan identifies GSPR 2 and 3 as its legal basis, names the other relevant GSPRs (4, 5, 6, 8, 9), and references EN ISO 14971:2019+A11:2021 as the harmonised implementation path. The plan should read as a document grounded in regulation, using the standard as a tool, not the other way around.

What counts as "reasonably foreseeable misuse"? GSPR 3 requires consideration of reasonably foreseeable misuse, which is broader than intended use. It includes uses the manufacturer has not instructed but could anticipate given normal human behaviour, user characteristics, and environment. A device used outdoors when the IFU specifies indoors is foreseeable if outdoor use is common in the target population. The test is what a reasonable manufacturer could anticipate, not what the IFU says.

Is GSPR numbering the same as "Essential Requirements" under the old Directives? No. The old MDD used "Essential Requirements" (ERs). The MDR replaced ERs with General Safety and Performance Requirements (GSPR). The numbering and scope also changed, not just the name. Legacy documentation that still refers to ERs is a common transition artefact. It is not automatically wrong, but it signals that the file has not been fully updated to MDR.

How often should we re-read Annex I? Tibor's recommendation to startup teams is quarterly at minimum, and always before a major design change, before a notified body audit, and when a PMS signal requires a risk file update. Re-reading is cheap. Not re-reading is expensive.

Does the December 2025 Commission proposal change Annex I? At the time of writing (April 2026), the December 2025 European Commission proposal is an outline document. It signals direction, especially toward partial relief for lower-risk devices. It does not change Annex I in force today. Manufacturers continue to comply with the current text. Regulatory monitoring processes should track the proposal's progress.

Sources

  1. Regulation (EU) 2017/745 on medical devices (MDR), consolidated text. Annex I, Chapter I, General Safety and Performance Requirements 1 to 9.
  2. EN ISO 14971:2019+A11:2021, Medical devices, Application of risk management to medical devices, Annexes ZA, ZB and ZC.
  3. Tibor Zechmeister, notified body lead auditor experience across more than fifty MDR certifications, Class I to Class IIb.