MDR Annex I requires risks to be reduced "as far as possible" regardless of the initial level. EN ISO 14971:2019 alone follows ALARP, which lets a manufacturer stop once a risk is judged acceptable. The gap is closed by EN ISO 14971:2019+A11:2021 Annex Z, which is the bridge notified bodies expect. Startups who copy the raw standard into their QMS silently inherit the wrong stopping rule and fail audits.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • MDR Annex I §2 and §4 require risk reduction "as far as possible" without negatively affecting the benefit-risk ratio.
  • EN ISO 14971:2019 clause 7 alone stops at acceptable residual risk. That is ALARP, not MDR.
  • EN ISO 14971:2019+A11:2021 Annex Z is the official bridge that reconciles the standard with MDR General Safety and Performance Requirements.
  • A "risk is low, no further action needed" statement in a risk file is one of the most reliable red flags notified bodies look for.
  • Acceptability criteria must be written before the analysis, not fitted afterwards to match whatever the team found.
  • Copy-pasting the clause numbers of ISO 14971 into a procedure is not the same as implementing MDR-compliant risk evaluation.

Why this matters

Tibor still remembers an early-career encounter with an optical medical device company, already past startup stage, that handed over four PowerPoint slides when asked about risk management. The slides said, in effect, "do an Excel sheet with a risk analysis, tolerable or not tolerable, done." The worst part was not that this had slipped past their previous auditors. The worst part was that the entire company genuinely believed this was the correct approach.

That belief is the core problem this post addresses. Risk evaluation under MDR is not an Excel sheet with two columns. It is a structured judgment supported by acceptability criteria, applied using a specific reduction philosophy that differs from the one most engineers assume when they read ISO 14971 for the first time.

Felix sees the downstream version of this pattern in founder coaching. A startup copies an ISO 14971 procedure from a consultant template, plugs in device-specific hazards, marks a few as "acceptable", and moves on. Eighteen months later the notified body audit opens the risk file and starts asking why no further risk control was applied to hazards that had been reduced as far as reasonably possible but not as far as possible. The answer, in every case, is that the manufacturer was reading the wrong stopping rule into the process.

What MDR actually says

MDR Annex I is the source of truth for risk evaluation. The relevant paragraphs are in Chapter I, General Requirements.

MDR Annex I §1 establishes that devices must achieve the performance intended by their manufacturer and be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose. They must be safe and effective and not compromise the clinical condition or the safety of patients.

MDR Annex I §2 requires manufacturers to establish, implement, document and maintain a risk management system. It specifies that risk management must be a continuous iterative process throughout the entire lifecycle of a device.

MDR Annex I §3 sets out the obligations of that risk management system. Manufacturers must:

  1. Establish and document a risk management plan for each device.
  2. Identify and analyse known and foreseeable hazards associated with each device.
  3. Estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse.
  4. Eliminate or control the risks referred to above.
  5. Evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability.
  6. Based on the evaluation of the impact of the information referred to in the previous point, if necessary amend control measures.

MDR Annex I §4 is the clause that creates the gap with ISO 14971. It requires manufacturers, in eliminating or reducing risks related to use, to:

(a) eliminate or reduce risks as far as possible through safe design and manufacture; (b) where appropriate, take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated; and (c) provide information for safety (warnings, precautions, contra-indications) and, where appropriate, training to users.

The phrase "as far as possible" is doing the heavy lifting. It is not "as far as reasonably practicable" and it is not "until acceptable". It is an absolute reduction obligation constrained only by MDR Annex I §8, which says that all measures to eliminate or reduce risks shall conform to the generally acknowledged state of the art and that reduction of risks must be balanced against benefits so that the benefit-risk ratio remains favourable.

MDR Annex I §5 and §9 then handle the risks that survive reduction. Residual risks must be communicated to the user. The benefit-risk determination must be documented. The risk management process must cover the full lifecycle including post-market data.

Where ISO 14971 diverges

EN ISO 14971:2019 clause 7 describes risk evaluation. In the standard's logic, a risk is compared against the manufacturer's acceptability criteria. If it is acceptable, further risk control is not required. If it is unacceptable, risk control is required. This is an ALARP pattern and it is internally consistent with the standard.

MDR does not accept that stopping rule. MDR requires reduction as far as possible even for risks that would be judged acceptable under the manufacturer's criteria.

EN ISO 14971:2019+A11:2021 Annex Z is the bridge. Annex Z is not new material. It is a normative mapping between the clauses of ISO 14971 and the requirements of the MDR. The A11:2021 amendment makes Annex Z part of the harmonised European version of the standard. Notified bodies read Annex Z as the interpretation that closes the ALARP-vs-AFAP gap and expect manufacturers to apply the standard with that interpretation in place.

The Annex Z interpretation, at a practical level, says this: clause 7 of ISO 14971 must be applied in a way that does not conflict with MDR Annex I §4. Where the two appear to conflict, MDR wins. Risk reduction continues as long as further reduction is technologically feasible and does not degrade the benefit-risk ratio.

A worked example

A handheld diagnostic device has a residual risk of thermal discomfort on prolonged skin contact. Severity is low (minor skin warming, no injury). Probability under normal use is medium. The manufacturer's acceptability matrix puts this cell in the "acceptable" bucket.

Under a pure ISO 14971 reading, the manufacturer documents the acceptability decision and moves on. Under MDR Annex I §4, the question is different: is there any further reduction possible that does not make the device unusable or shift the benefit-risk ratio negatively?

The manufacturer looks again. A lower-power operating mode is possible for the second half of any session longer than 20 minutes. It costs two weeks of firmware work. It does not affect diagnostic accuracy. It reduces the thermal risk further.

Under MDR, that reduction is required even though the unreduced risk was already acceptable. The acceptability verdict is not a stopping signal. It is an input to the benefit-risk balancing that happens after all feasible reductions have been applied.

Tibor has seen the mirror image of this example go wrong. A device with prolonged skin contact. The manufacturer checked materials, declared the residual risk acceptable, and shipped. Post-market feedback surfaced skin irritations. The case triggered a change procedure and a notified body engagement at the next surveillance audit. The lesson was not that the original acceptability judgment had been wrong on its face. The lesson was that declaring acceptability on weak evidence draws notified body attention the moment reality contradicts it.

The Subtract to Ship playbook

Felix's coaching translation of the above into a startup-sized process runs five steps.

Step 1. Adopt EN ISO 14971:2019+A11:2021 explicitly. Not EN ISO 14971:2019 on its own. Not ISO 14971:2019 without the A11 amendment. The harmonised European version is the only one that carries the Annex Z bridge. Reference this exact edition in the risk management procedure.

Step 2. Write a reduction philosophy clause into the procedure. One paragraph that states, in plain language, that risk reduction continues as far as possible per MDR Annex I §4 even when residual risk would be acceptable under the matrix, subject to the benefit-risk balance in MDR Annex I §8. This paragraph is the stopping rule the audit team will check against.

Step 3. Apply the control hierarchy. MDR Annex I §4(a)(b)(c) is a hierarchy. Inherent safety by design first. Protective measures second. Information for safety last. Tibor sees startups skip to information for safety because it is the cheapest control, and that is one of the classic auditor findings. If inherent design or protective measures were available and not applied, "warning in the IFU" is not sufficient.

Step 4. Document the decision to stop reducing. For each risk, the file must show what further reduction was considered and why it was not applied. The acceptable answers are: further reduction is not technologically feasible in the current state of the art; further reduction would degrade the benefit-risk ratio; further reduction would violate another MDR requirement. A fourth answer. "the risk was already acceptable". Is the wrong answer under Annex Z.

Step 5. Loop post-market data back. MDR Annex I §3 requires the risk management process to respond to post-market surveillance input. This is the link to PMS feedback into risk management. Probabilities and severities are not frozen at launch. If a risk was judged low at launch and post-market data shows it was not, the risk evaluation reopens. Tibor has seen the bad version of this: PMS data collected diligently but the risk management file updated only every two or three years. The reduction obligation does not take those years off.

This playbook is the Subtract to Ship interpretation of MDR-compliant risk evaluation: do the small number of things that matter, document them clearly, and stop mistaking template compliance for regulatory compliance.

Reality Check

  1. Does your risk management procedure cite EN ISO 14971:2019+A11:2021, including the A11 amendment, by exact reference?
  2. Does your procedure state, in writing, that risk reduction continues as far as possible under MDR Annex I §4 even when residual risk is acceptable under your matrix?
  3. For each residual risk classified as acceptable, can you point to the documented consideration of further reduction options?
  4. Is the control hierarchy (inherent design, protective measures, information for safety) visible in your risk control records, or are most of your controls labels and warnings?
  5. Does your post-market surveillance process have a defined cadence for updating risk estimates, or does the risk file only get touched during audit preparation?
  6. If a notified body lead auditor opened your risk file on the thermal, mechanical, and biocompatibility risks specifically, would they see reduction reasoning or only acceptability verdicts?
  7. Does your team understand why a "risk is low, no further action needed" note is a red flag under MDR even if it is compliant with the bare text of ISO 14971 clause 7?

Frequently Asked Questions

Isn't ISO 14971 harmonised under MDR, and therefore sufficient on its own? The standard harmonised under MDR is EN ISO 14971:2019+A11:2021, which includes Annex Z. Annex Z is the interpretation that makes the standard consistent with MDR Annex I. Applying ISO 14971 without Annex Z is applying a different standard.

What if our matrix already puts a risk in the "unacceptable" bucket if any further reduction is technologically possible? That matrix design effectively bakes the MDR reduction philosophy into the acceptability criteria. It is a legitimate approach and it is one way to stay aligned with Annex Z. The weakness is that it can drive teams to stop doing creative hazard discovery once the matrix says "acceptable". The point of MDR Annex I §4 is that reduction work continues past that line.

Who signs off on the "no further reduction is feasible" judgment? MDR does not specify a role. In Tibor's experience, the credible pattern is a multidisciplinary review: risk management, development, top management, clinical, regulatory affairs, and where relevant marketing and sales. One person with one checklist is not a credible sign-off, regardless of seniority.

Can we use qualitative risk evaluation or does MDR require quantitative? MDR does not mandate quantitative probability numbers. Qualitative evaluation is acceptable when quantitative data is not available, provided the reasoning is documented and the limitations are acknowledged. What is not acceptable is hiding weak evidence behind precise-looking numbers.

What is the single most common finding notified bodies raise against startup risk files? In Tibor's audit work, the most common finding is that the file documents risk acceptability verdicts without documenting the reduction options that were considered and ruled out. The second most common finding is that information-for-safety controls are applied where inherent design or protective measures were available.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Annex I, Chapter I §1 to §9.
  2. EN ISO 14971:2019+A11:2021, Medical devices – Application of risk management to medical devices, including Annex Z mapping to Regulation (EU) 2017/745.
  3. EN ISO 14971:2019+A11:2021, clauses 5, 6, 7 and 10 on risk management planning, risk analysis, risk evaluation and risk management review.