ISO 14971 and Clinical Evaluation: Where the Linkage Breaks Down
I have seen countless clinical evaluation reports that reference ISO 14971 without actually connecting risk analysis to clinical evidence. The risk management file exists. The clinical evaluation report exists. But the conversation between them never happens. This gap creates a fundamental deficiency that Notified Bodies spot immediately.
This is part 3 of the series on Risk Management & Clinical Evaluation.
Under MDR Article 61(1), manufacturers must establish, document, implement, and maintain a system for risk management. ISO 14971 provides the recognized framework for this requirement. At the same time, Annex XIV of the MDR requires clinical evaluation to address the safety and performance of the device throughout its lifecycle.
The problem is not that manufacturers ignore either requirement. The problem is that these two activities run on parallel tracks that rarely intersect in a meaningful way.
The Regulatory Expectation
MDCG 2020-6 on sufficient clinical evidence explicitly states that clinical data must inform risk management and that residual risks must be addressed through clinical evaluation. ISO 14971 requires manufacturers to evaluate risks based on available information, including clinical data.
The expectation is clear: risk analysis should drive clinical questions, and clinical evidence should validate or challenge risk estimates.
But when you open most clinical evaluation reports, you find a section called “Risk-Benefit Analysis” that summarizes conclusions from the risk management file without demonstrating how clinical data actually shaped those conclusions.
The CER references the risk management file but does not show how clinical data confirmed, modified, or challenged individual risk estimates. The linkage is administrative, not analytical.
Where the Disconnect Happens
The breakdown occurs at multiple points in the process. Most of them are structural.
1. Timing and Sequence
Risk management typically starts early in the design phase. Clinical evaluation often happens later, when the technical file is being compiled for submission. By the time clinical data is analyzed, the risk management file is treated as closed.
This sequence creates a one-way relationship. Risks inform what needs to be evaluated clinically, but clinical findings rarely loop back to update risk estimates or refine hazard scenarios.
The result is a static risk file that does not reflect what was actually learned from clinical evidence.
2. Different Teams, Different Languages
Risk management is often led by quality or engineering teams. Clinical evaluation is handled by regulatory affairs or clinical specialists. These groups use different frameworks and speak different languages.
The risk manager thinks in terms of hazards, failure modes, and severity scores. The clinical evaluator thinks in terms of endpoints, event rates, and literature quality.
When the CER needs to address residual risks, it imports conclusions from the risk file without translating them into clinical terms. When the risk file needs clinical data, it references the CER without extracting specific evidence on failure modes or use errors.
The linkage requires translation. Clinical data must be mapped to specific hazards. Risk estimates must be validated against clinical event rates. This does not happen automatically.
3. The Literature Search Mismatch
Clinical evaluation relies on systematic literature searches designed to capture data on safety and performance. Risk management relies on hazard analysis, FMEA, and use-related testing.
The literature search for clinical evaluation rarely includes terms that would capture failure mode data, usability issues, or near-miss events. As a result, the clinical evidence base does not align with the hazards identified in the risk file.
For example, the risk file may identify a hazard related to incorrect catheter placement. But the literature search strategy focuses on procedural outcomes, not placement errors. The clinical evaluation then concludes that the device is safe without addressing the specific hazard that was flagged.
What Reviewers Look For
When a Notified Body reviews the CER and the risk management file together, they are checking for coherence.
They want to see that every residual risk with medium or high severity is explicitly addressed in the clinical evaluation. Not just mentioned, but supported with data that shows the risk is acceptable in the context of the claimed benefits.
They want to see that if clinical data revealed unexpected adverse events, those events were fed back into the risk management process and evaluated as potential hazards.
They want to see that the risk-benefit conclusion in the CER is based on a comparison of quantified clinical risks and measurable clinical benefits, not on a summary statement.
What they find instead is a CER that says “the device is safe and effective” and a risk file that says “all residual risks are acceptable.” Both statements may be true, but the connection between them is not demonstrated.
The risk-benefit section of the CER does not provide traceability to specific risks in the risk management file. Reviewers cannot verify that clinical evidence actually addressed the identified hazards.
The Practical Consequence
This disconnect creates multiple points of failure during regulatory review.
The Notified Body may accept the risk file but request additional clinical data to justify residual risks. The manufacturer then realizes that the literature search was not designed to capture that data.
Or the CER may identify an adverse event that was not considered in the risk file. The Notified Body asks how this event was classified and mitigated. The manufacturer cannot answer without reopening the risk analysis.
Or the post-market data reveals a pattern of use errors. The PMCF plan did not include monitoring for those errors because they were not flagged as high-priority risks. The risk file needs to be updated. The CER needs to be revised. The PMCF plan needs to be amended.
Each of these scenarios delays submission, increases cost, and signals to the Notified Body that the quality management system is not functioning as intended.
How to Build the Linkage
The solution is not complex, but it requires deliberate planning and cross-functional coordination.
1. Align the Literature Search with Risk Analysis
Before finalizing the literature search strategy, review the risk management file. Identify the top residual risks and ensure that the search terms will capture data relevant to those hazards.
If the risk file identifies use-related hazards, include terms related to user errors, training, and human factors. If the risk file identifies material degradation, include terms related to biocompatibility and long-term exposure.
The goal is to make the clinical evidence base responsive to the questions raised by risk analysis.
2. Create a Traceability Matrix
Document which clinical data addresses which hazard. This can be a simple table that lists each residual risk and references the section of the CER where that risk is evaluated using clinical evidence.
This matrix should be part of the CER. It allows reviewers to verify that every significant risk was addressed and that the conclusions are data-driven.
3. Update Risk Estimates Based on Clinical Data
When the clinical evaluation is complete, review the risk management file to see if any estimates need to be revised. If the literature shows a higher-than-expected event rate for a particular complication, update the probability score and reassess acceptability.
If post-market data reveals new hazards, add them to the risk file and address them in the next CER update.
The risk file should be a living document that evolves as clinical knowledge accumulates.
The linkage is bidirectional. Risk analysis should inform clinical evaluation. Clinical evaluation should inform risk management. Both documents must reference each other with specificity and traceability.
4. Involve Clinical Evaluators in Risk Reviews
When the risk management team conducts a design review or a risk assessment update, include the clinical evaluator. This ensures that risk conclusions are consistent with the available clinical evidence and that new risks are captured in the clinical evaluation plan.
This does not mean the clinical evaluator must attend every FMEA session. It means that at key decision points, someone who understands the clinical data should be in the room.
The PMCF Dimension
Post-market clinical follow-up is where this linkage becomes most critical. MDCG 2020-6 requires that PMCF activities address residual risks and uncertainties identified during the pre-market clinical evaluation.
If your PMCF plan does not explicitly list the risks it is monitoring, the Notified Body will ask why. If your PMCF reports do not update risk estimates based on real-world data, the link is broken again.
The PMCF plan should reference the risk management file and specify which hazards require ongoing surveillance. The PMCF report should feed back into the risk file and trigger updates when thresholds are exceeded or new patterns emerge.
This is not optional. Annex XIV Section 1.1 requires that clinical evaluation be continuously updated with data from PMCF. ISO 14971 requires that risk management be updated throughout the product lifecycle.
Why This Matters Now
Under the Medical Device Regulation, the scrutiny on clinical evaluation and risk management has intensified. Notified Bodies are required to verify that manufacturers have sufficient clinical evidence to support safety and performance claims, including the acceptability of residual risks.
The days of referencing ISO 14971 in the CER without showing the actual connection are over. Reviewers expect to see data-driven justifications for every residual risk, traceable to specific sections of the clinical evaluation.
Manufacturers who treat risk management and clinical evaluation as separate compliance exercises will face repeated deficiencies and delays. Those who integrate the two processes will move through review faster and with fewer revisions.
The technical work is not harder. The organizational discipline is.
The linkage between ISO 14971 and clinical evaluation is not about documentation. It is about how decisions are made. If clinical evidence does not inform risk conclusions, and if risk analysis does not shape clinical evaluation, both processes lose credibility.
Final Thoughts
The gap between ISO 14971 and clinical evaluation is not a regulatory mystery. It is a process gap that most manufacturers inherit from legacy systems designed before MDR.
Closing that gap requires deliberate coordination, clear traceability, and a willingness to update both documents based on what the other reveals.
It also requires recognizing that the risk-benefit conclusion in the CER is not a summary statement. It is the output of a rigorous comparison between quantified clinical risks and measurable clinical benefits, anchored in the hazards identified in the risk management file.
When that connection is made explicit, the regulatory file becomes coherent. When it is missing, reviewers stop and ask questions that delay everything.
Next in this series, we will look at how PMCF planning must reflect both clinical evaluation gaps and unresolved risks, and why most PMCF plans fail to do either.
Peace,
Hatem
Clinical Evaluation Expert for Medical Devices
Follow me for more insights and practical advice.
Frequently Asked Questions
What is a Clinical Evaluation Report (CER)?
A CER is a mandatory document under MDR 2017/745 that demonstrates the safety and performance of a medical device through systematic analysis of clinical data. It must be updated throughout the device lifecycle based on PMCF findings.
How often should the CER be updated?
The CER should be updated whenever significant new clinical data becomes available, after PMCF activities, when there are changes to the device or intended purpose, and at minimum during annual reviews as part of post-market surveillance.
What causes CER rejection by Notified Bodies?
Common reasons include inadequate equivalence demonstration, insufficient clinical data for claims, poorly structured SOTA analysis, missing gap analysis, and lack of clear benefit-risk determination. Structure and logical flow are as important as the data itself.
Which MDCG guidance documents are most relevant for clinical evaluation?
Key documents include MDCG 2020-5 (Equivalence), MDCG 2020-6 (Sufficient Clinical Evidence), MDCG 2020-13 (CEAR Template), MDCG 2020-7 (PMCF Plan), and MDCG 2020-8 (PMCF Evaluation Report).
– MDR 2017/745 Article 61 and Annex XIV
– ISO 14971:2019 Medical devices — Application of risk management to medical devices
– MDCG 2020-6 Regulation (EU) 2017/745: Sufficient clinical evidence for legacy devices





