Residual risk evaluation has two steps under EN ISO 14971:2019+A11:2021. Clause 7.4 evaluates each individual residual risk after controls. Clause 8 evaluates the overall residual risk of the device as a whole. MDR Annex I §1, §3, §4, and §8 provide the regulatory frame. The most damaging mistake is declaring residual risk acceptable on weak evidence, because post-market data that contradicts the file draws immediate notified body attention. The fix is to document acceptability against explicit, pre-declared criteria and to reopen the file the moment reality disagrees.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • Residual risk is the risk that remains after all selected risk controls have been implemented and verified.
  • EN ISO 14971:2019+A11:2021 clause 7.4 requires evaluation of each individual residual risk against the manufacturer's acceptability criteria.
  • Clause 8 of the same standard requires a separate evaluation of the overall residual risk of the device, taken as a whole.
  • MDR Annex I §4 requires that the benefit-risk ratio remains favourable after all risk management decisions.
  • Acceptability criteria must be pre-declared, not invented after the fact to justify a result.
  • When post-market data contradicts the pre-market residual risk position, the risk file must reopen. Delaying this reopening is one of the clearest red flags a notified body watches for.
  • Tibor has seen this exact scenario play out with a prolonged-skin-contact device where post-market irritation reports forced corrective actions and notified body engagement.

Why this matters

A startup Tibor advised had a wearable device intended for long-duration skin contact. The pre-market risk analysis listed skin irritation as a low-probability, low-severity hazard. The control was material selection and IFU guidance on usage duration. The residual risk was declared acceptable. The clinical evaluation supported a positive benefit-risk ratio. The device was CE marked and placed on the market.

Within the first year of commercial use, customer feedback started reporting skin irritation more frequently than the pre-market file had anticipated. A small number of cases involved prolonged erythema. The team treated the signals as isolated complaints for several months before recognising that the pattern was a direct contradiction of the residual risk position documented in the technical file. By the time the risk management file was formally reopened, the pattern was visible in PMS data, trend reporting obligations under MDR Article 88 were triggered, and the notified body was aware.

The corrective actions that followed were extensive: a revised biocompatibility analysis, an updated risk file, a labelling change, and a field safety notice. The notified body engaged directly with the team to review the pre-market residual risk rationale. The questions were pointed. What was the evidence base for the original acceptability decision? Why had PMS signals not fed back into the risk file earlier? What process change would prevent recurrence?

The story is not unique. It is the standard shape of a residual risk problem that escalates from a quiet pre-market decision into a loud post-market correction. The lesson is not that residual risks should never be accepted. The lesson is that acceptance has to be documented against robust evidence, and that the moment reality disagrees with the file, the file has to move.

What ISO 14971 and MDR actually say

EN ISO 14971:2019+A11:2021 clause 7.4 covers the evaluation of individual residual risks. After each control has been implemented and verified under clause 7.3, the manufacturer must evaluate whether the residual risk is acceptable against the risk acceptability criteria defined earlier in the risk management plan. If a residual risk is not acceptable, further controls must be considered, and the analysis loops until every individual residual risk is either acceptable or the manufacturer has documented a specific justification.

Clause 8 of the same standard is a separate and additional evaluation. It covers the overall residual risk of the device taken as a whole. Individual residual risks can each be acceptable in isolation while the combined effect across the device is not. Clause 8 forces the manufacturer to step back from the individual rows of the risk file and look at the total residual risk picture. The output is a written evaluation, approved by responsible management, stating whether the overall residual risk is acceptable in relation to the expected benefits of the device.

MDR Annex I §1 requires that devices be designed and manufactured in a way that, during normal conditions of use, they are suitable for their intended purpose, and that they do not compromise the clinical condition or the safety of patients and users. This is the top-level obligation that residual risk evaluation serves.

MDR Annex I §3 requires the risk management system to be continuous and iterative across the entire device lifecycle. Post-market data is an explicit input. A residual risk decision that stays frozen for three years while complaints accumulate is not aligned with §3.

MDR Annex I §4 requires that risk control measures do not adversely affect the benefit-risk ratio. The residual risk position after controls must still be part of a positive benefit-risk conclusion. This is where the individual risk file meets the clinical evaluation report in the technical documentation.

MDR Annex I §8 sets the risk control priority that feeds into residual risk. A residual risk that exists because an available first-tier control was rejected cannot be defended as acceptable on the basis that the third-tier control is in place.

Annex ZA of the EN version flags the interaction between the standard's risk-benefit language and the MDR's AFAP (as far as possible) principle. Residual risk cannot be justified purely on the basis that "the benefit outweighs the risk" when a further technically feasible control would have reduced the risk. The AFAP obligation runs before the benefit-risk comparison.

A worked example

Consider a device worn on the skin for eight hours per day. The pre-market risk analysis identifies skin irritation as a potential hazard. The acceptability criteria, declared in the risk management plan, state that low-severity transient irritation with an incidence below a defined threshold is acceptable. Higher incidence or more severe reactions are not.

Clause 7.4 evaluation, pre-market. The controls are material selection (first tier), textile liner design (second tier), and IFU guidance on hygiene and wear duration (third tier). Effectiveness of the material choice is evidenced by biocompatibility testing under EN ISO 10993-1:2025. The residual risk is evaluated against the declared threshold and judged acceptable. The record cites specific data.

Clause 8 evaluation, pre-market. The overall residual risk evaluation considers skin irritation together with all other residual risks, including mechanical, thermal, and usability risks. Management signs off that the combined picture is acceptable against expected clinical benefit.

Post-market signal. Within the first year, PMS data shows irritation reports running at roughly twice the declared threshold. Some reports are not transient. This is a direct contradiction of the pre-market clause 7.4 position.

Clause 10 iteration. The risk management file reopens. The clause 7.4 evaluation is revisited with the new data. The residual risk is no longer acceptable against the original criteria. New controls are considered. Options include a material change, a wear-duration limit enforced by the device or IFU, or a contraindication for specific skin types.

Clause 8 re-evaluation. The overall residual risk is re-evaluated after the new controls. Management signs off again or, if the picture is no longer acceptable, the device is modified further before remaining on the market.

PMS and vigilance obligations. Where the signal crosses trend reporting thresholds under MDR Article 88, or where serious incidents are identified, Article 87 reporting obligations apply. The notified body is informed through the normal channels.

The worked decision record has to show each of these steps. The dates matter. The gap between the first PMS signal and the reopening of the risk file is the metric the notified body will examine most closely. A short gap is a mature process. A long gap is a finding.

The Subtract to Ship playbook

The Subtract to Ship approach to residual risk evaluation is built around four commitments that protect the team from the slow-motion failure mode Tibor saw with the skin contact device.

Commitment 1. Declare acceptability criteria before the analysis. The risk management plan must state the criteria in writing before the risk analysis begins. Criteria written after the fact to justify a specific result are a red flag for auditors and for post-market reviewers. Pre-declared criteria, even imperfect ones, are defensible.

Commitment 2. Keep clause 7.4 and clause 8 records separate and explicit. Individual residual risk evaluations live in the risk file rows. The overall residual risk evaluation lives in a distinct document, approved and dated, that references the clause 7.4 rows and states the clause 8 conclusion. Do not conflate the two.

Commitment 3. Build a defined PMS-to-risk loop. Customer feedback and complaint data must feed into a scheduled review of residual risk positions. The review does not have to be weekly. It does have to be defined, executed, and recorded. Tibor has seen teams update risk files only every two or three years; that cadence is too slow for any device with meaningful user-contact or usage complexity.

Commitment 4. Reopen the file the moment reality disagrees. The test is not whether the PMS signal has crossed a statutory reporting threshold. The test is whether the signal contradicts a residual risk position in the file. If it does, the file reopens. Waiting until a vigilance report is unavoidable is the worst possible sequence.
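The worked example above and Commitment 4 describe the same decision rule: compare the PMS picture against the pre-declared criteria, reopen the file on contradiction rather than on a statutory threshold, and measure the gap from first signal to reopening. The following is an added Python example, not code from the article or its authors; the AcceptabilityCriteria and PmsReport names, the per-1000-device-year incidence unit and every figure in it are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not from the article, ISO 14971 or the MDR. Names and the
# per-1000-device-year unit are illustrative; every figure below is constructed.
SEVERITY_RANK = {"transient": 0, "prolonged": 1, "serious": 2}

@dataclass(frozen=True)
class AcceptabilityCriteria:
    """Declared in the risk management plan before the analysis starts."""
    hazard: str
    max_incidence: float   # reports per 1000 device-years (constructed unit)
    max_severity: str      # highest severity that is still acceptable

@dataclass(frozen=True)
class PmsReport:
    reported: date
    severity: str          # key of SEVERITY_RANK

def evaluate_position(criteria, reports, device_years):
    """Clause 7.4 style check against the declared criteria; returns (acceptable, incidence, worst)."""
    incidence = len(reports) / device_years * 1000
    worst = max((r.severity for r in reports), key=SEVERITY_RANK.get, default="transient")
    acceptable = (incidence <= criteria.max_incidence
                  and SEVERITY_RANK[worst] <= SEVERITY_RANK[criteria.max_severity])
    return acceptable, incidence, worst

def first_contradiction(criteria, reports, device_years):
    """Earliest date on which PMS data contradicted the file: a report more severe than
    allowed, or the one that pushes incidence past the threshold (device_years = whole period)."""
    allowed_count = criteria.max_incidence * device_years / 1000
    for n, r in enumerate(sorted(reports, key=lambda r: r.reported), start=1):
        if SEVERITY_RANK[r.severity] > SEVERITY_RANK[criteria.max_severity] or n > allowed_count:
            return r.reported
    return None

def reopen_gap_days(criteria, reports, device_years, reopened_on):
    """Days from first contradicting signal to formal reopening: the interval a notified body examines."""
    first = first_contradiction(criteria, reports, device_years)
    return None if first is None else (reopened_on - first).days

# Constructed PMS data for the skin-irritation hazard: 500 device-years, five reports.
SAMPLE_CRITERIA = AcceptabilityCriteria("skin irritation", max_incidence=5.0, max_severity="transient")
SAMPLE_REPORTS = [PmsReport(date(2024, 2, 10), "transient"), PmsReport(date(2024, 3, 5), "transient"),
                  PmsReport(date(2024, 4, 20), "transient"), PmsReport(date(2024, 6, 15), "prolonged"),
                  PmsReport(date(2024, 8, 1), "transient")]
SAMPLE_DEVICE_YEARS, SAMPLE_REOPENED_ON = 500, date(2024, 9, 30)

if __name__ == "__main__":
    print(evaluate_position(SAMPLE_CRITERIA, SAMPLE_REPORTS, SAMPLE_DEVICE_YEARS))  # (False, 10.0, 'prolonged')
    print(reopen_gap_days(SAMPLE_CRITERIA, SAMPLE_REPORTS, SAMPLE_DEVICE_YEARS, SAMPLE_REOPENED_ON))  # 163
```

The contradiction date is the third report (incidence crosses the threshold), well before the prolonged case in June; a file reopened only when the severe report or a vigilance threshold arrives shows the long gap the article warns about.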

Felix's coaching experience adds a practical framing. The residual risk evaluation is the closest thing the risk file has to an accountability document. Founders who treat it as a serious board-level topic, not a quality-department artefact, are the ones who react quickly when the market disagrees with the file. Founders who treat it as a box to tick are the ones who learn about their residual risk problems from a notified body email.

Reality Check

  1. Were your residual risk acceptability criteria declared in writing before the risk analysis started, or were they shaped by the results?
  2. Do you have a clause 8 overall residual risk evaluation document, approved and dated, distinct from your individual risk file rows?
  3. How frequently does your PMS data actually feed back into residual risk reviews? If the answer is "every two or three years," the cadence is out of line with MDR Annex I §3 expectations.
  4. Can you name the specific PMS signal that would trigger a reopening of the residual risk position for your top three hazards?
  5. If a notified body reviewer asked to see the timeline from first customer complaint to risk file reopening for a real event, could you produce it in hours, not weeks?
  6. Does your clause 8 evaluation reference the clinical evaluation and its benefit-risk position, or do the two documents live in separate silos?
  7. If a residual risk became unacceptable tomorrow, what is the defined decision path from that recognition to market action (labelling change, design change, field safety notice, vigilance report)?

Frequently Asked Questions

What is the difference between individual residual risk and overall residual risk? Individual residual risk is the remaining risk of a single hazard after its controls are in place. Overall residual risk is the combined picture across all hazards for the device as a whole. EN ISO 14971:2019+A11:2021 treats them in two separate clauses (7.4 and 8) because the combined picture can be unacceptable even when each individual risk passes.

Who signs off the overall residual risk evaluation? Responsible management, as specified in the risk management plan. The decision is not purely technical. It requires business-level authority because it includes a judgement on whether the device should go to market or remain there.

Can a residual risk be acceptable even if it exceeds the declared criteria? Only with a specific, documented justification that addresses why the criteria cannot be met, what additional controls have been considered and rejected, and how the benefit-risk position remains favourable. Auditors will challenge this pattern hard.

How does clause 8 connect to the clinical evaluation? The overall residual risk evaluation is a direct input to the benefit-risk analysis in the clinical evaluation report. A change in residual risk requires a corresponding review of the clinical evaluation conclusion. The two documents are not independent.

What if a post-market signal contradicts a residual risk position but does not meet vigilance thresholds? Reopen the risk file anyway. The vigilance reporting threshold is a regulatory floor, not a trigger for internal action. Clause 10 of the standard requires that new information be considered in the risk management process, regardless of whether it triggers external reporting.

Is it acceptable to update the risk file only during annual reviews? No. MDR Annex I §3 treats risk management as continuous and iterative. A fixed annual cadence that delays action on known signals is not aligned with the regulation. Scheduled reviews are fine; they supplement event-driven updates, they do not replace them.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Annex I §1, §3, §4, §8. Articles 87, 88.
  2. EN ISO 14971:2019+A11:2021, Medical devices, Application of risk management to medical devices. Clauses 7.3, 7.4, 8, 10.
  3. EN ISO 10993-1:2025, Biological evaluation of medical devices, Part 1.