ISO 14971 Risk Control and Residual Risk Explained
Risk analysis identifies problems.
Risk control is where you prove you can manage them.
What is Risk Control in ISO 14971?
Risk control is the stage where identified risks are reduced to acceptable levels.
ISO 14971 requires manufacturers to:
- Identify appropriate risk control measures
- Implement those measures
- Verify their effectiveness
- Evaluate residual risk
This is a structured and documented process. :contentReference[oaicite:0]{index=0}
The Risk Control Hierarchy (Critical Concept)
ISO 14971 defines a strict priority order for risk control:
- Inherent safety by design
- Protective measures
- Information for safety (warnings, IFU)
This hierarchy must be followed.
Design out risk first—warnings are the last resort. :contentReference[oaicite:1]{index=1}
Examples of Risk Control
Example 1: Electrical Hazard
- Design: Insulation and grounding
- Protection: Circuit breaker
- Information: Warning label
Example 2: Use Error
- Design: Simplified user interface
- Protection: Software alerts
- Information: Instructions for use
What is Residual Risk?
Residual risk is the risk that remains after all control measures are applied. :contentReference[oaicite:2]{index=2}
It is unavoidable—risk can be reduced, but not eliminated.
Residual Risk Evaluation
After implementing controls, manufacturers must:
- Evaluate residual risk against acceptance criteria
- Determine if additional controls are required
- Document justification for acceptance
This must be recorded in the risk management file.
Risk/Benefit Analysis (When Risk Cannot Be Reduced Further)
If risk cannot be reduced to acceptable levels:
- Perform a risk/benefit analysis
- Determine if medical benefit outweighs risk
- Document justification
This is a critical regulatory decision point. :contentReference[oaicite:3]{index=3}
Risks Introduced by Risk Controls
Risk controls can introduce new risks.
- New hazards may arise
- Existing risks may change
These must be identified and managed as part of the process. :contentReference[oaicite:4]{index=4}
What Auditors Look for in Risk Control
Auditors assess:
- Whether controls follow the hierarchy
- If controls are effective
- If residual risk is justified
- If risk/benefit decisions are documented
They will challenge weak justifications.
Common Risk Control Mistakes
- Relying on warnings instead of design changes
- Not verifying effectiveness of controls
- Accepting risk without justification
- Not updating risk after changes
Residual Risk: Weak vs Strong Justification
| Weak Justification | Strong Justification |
|---|---|
| “Risk acceptable” | “Risk acceptable based on defined criteria and benefit analysis” |
| No supporting data | Supported by evidence and rationale |
| No linkage to controls | Clear traceability to implemented controls |
How Risk Control Links to CAPA and Post-Market Data
Risk control is not static.
- CAPA may introduce new controls
- Complaints may reveal ineffective controls
- Post-market data may change risk acceptability
ISO 14971 requires ongoing monitoring and updating of risk controls. :contentReference[oaicite:5]{index=5}
How to Strengthen Risk Control and Residual Risk Decisions
- Prioritise design-based controls
- Define clear risk acceptance criteria
- Require evidence for residual risk acceptance
- Integrate CAPA and post-market data
- Regularly review risk files
FAQ: Risk Control and Residual Risk
What is risk control in ISO 14971?
The process of reducing risk to acceptable levels using structured measures.
What is residual risk?
The remaining risk after controls are applied.
Can residual risk be zero?
No. Risk can be reduced but not eliminated.
What is the biggest mistake?
Accepting risk without proper justification or relying only on warnings.
Final Takeaway
Risk control is where decisions are tested.
If you cannot justify your residual risk, your system will not withstand an audit.
