Why Your Risk File and CER Still Do Not Talk to Each Other
You submit your technical documentation to the Notified Body. The risk file is complete. The clinical evaluation report is comprehensive. Then the review comes back: “The link between identified risks and clinical evidence is unclear.” This is not a rare comment. It is one of the most persistent deficiencies I observe across submissions.
The disconnect between risk management and clinical evaluation is not a documentation problem. It is a process problem. And it reflects a deeper misunderstanding of what MDR actually requires.
Both documents exist. Both follow their respective standards. ISO 14971 governs your risk file. MDCG 2020-6 frames your clinical evaluation. Yet when a Notified Body reviewer opens both files, they see two parallel stories that never converge.
This is not because teams lack competence. It is because the integration point is never built into the workflow.
The Structural Separation
In most organizations, risk management and clinical evaluation are handled by different people. The engineer owns the risk file. The clinical specialist owns the CER. They work from different templates, reference different standards, and report to different managers.
This separation makes sense from a workload perspective. But it creates a structural problem.
Risk management identifies hazards, estimates probabilities, and proposes mitigations. Clinical evaluation assesses clinical data, establishes safety and performance, and supports intended use claims. Both processes conclude with their own reports.
Then someone submits both to the Notified Body and assumes the link is obvious.
Risk files list residual risks without explaining how clinical data addresses them. Clinical evaluation reports present evidence without mapping it back to identified hazards. The connection exists in the minds of the authors but not in the documents.
Reviewers do not read between the lines. If the link is not explicit, it does not exist.
What MDR Actually Requires
MDR Annex I states that devices must meet the general safety and performance requirements. Risk management and clinical evaluation are the two pillars that support this demonstration.
Risk management under ISO 14971 identifies what could go wrong. Clinical evaluation under MDR Article 61 and Annex XIV demonstrates what actually happens in clinical use.
MDCG 2020-6 makes this explicit. Section 9.2 requires that the clinical evaluation addresses the residual risks identified in the risk management file. It also requires that any adverse events or undesirable side effects are analyzed and related back to the risk file.
This is not optional language. It is a direct regulatory expectation.
Yet in practice, the CER section on safety often reads like a literature review summary. It lists adverse events from clinical studies. It may compare your device to similar devices. But it does not map those events to the hazards listed in your risk file.
The reverse problem is just as common. The risk file includes mitigations based on design, labeling, or clinical data. But it does not reference where in the CER that clinical data is presented or analyzed.
A risk file that lists “clinical data demonstrates low incidence” as a mitigation is incomplete unless the CER explicitly presents and analyzes that incidence data. A CER that reports adverse events without relating them to hazards is also incomplete.
Where the Disconnect Happens in Practice
The disconnect begins early. Risk analysis workshops happen during design. Clinical evaluation comes later, often when preparing for regulatory submission.
By the time the clinical team writes the CER, the risk file is already locked. The clinical team reads the risk file to understand device risks. But they do not revise their clinical evaluation structure to mirror the risk analysis structure.
So the CER follows the MEDDEV 2.7/1 or MDCG 2020-6 template. It has sections on intended use, device description, clinical background, clinical data analysis, and conclusions. Somewhere in the safety section, adverse events are listed. But they are organized by study, not by hazard.
Meanwhile, the risk file is organized by hazard. Each hazard has a risk estimation, a mitigation strategy, and a residual risk. Some mitigations reference clinical data. But the reference is generic: “Clinical studies show low adverse event rate.”
No table. No cross-reference. No explicit link.
The Missing Integration Layer
What is missing is an integration layer. A structure that forces both documents to reference each other explicitly.
This is not about creating redundant text. It is about creating cross-referenced tables and statements that close the loop.
For example:
In the risk file, each residual risk should include a reference to the CER section that addresses it clinically. If the risk is hemorrhage, the risk file should state: “Residual risk is acceptable based on clinical evidence presented in CER Section 6.3.2.”
In the CER, the safety analysis should include a table that maps each identified hazard to the clinical evidence that evaluates it. If hemorrhage is a hazard, the CER should explicitly state: “Hemorrhage risk is identified in Risk File Hazard ID 003. Clinical data from Study X shows an incidence of Y%, which is consistent with the risk estimation.”
This sounds simple. But it requires coordination that most teams do not have.
CER safety sections present clinical data without explicit reference to risk file hazard IDs. Risk files list residual risks without CER section numbers. Reviewers are left to construct the link themselves, which they will not do.
Why This Matters Beyond Documentation
This is not a cosmetic issue. It reflects whether your organization actually integrates risk and clinical thinking.
When risk and clinical evaluation are separate processes, decisions are made in isolation. Risk mitigations are proposed without checking if clinical data supports them. Clinical studies are designed without ensuring they address identified residual risks.
Then during PMCF, the same disconnect continues. PMCF plans are written to collect safety and performance data. But they do not explicitly target the residual risks that need ongoing monitoring.
So you collect clinical data. You update the CER. But the risk file does not get updated with new post-market evidence. The loop never closes.
Notified Bodies see this. They see risk files that list “ongoing PMCF” as a mitigation but no evidence that PMCF is actually feeding back into risk management. They see CERs that reference PMCF reports but no clear link to how that data informs residual risk acceptability.
The Consequence During Audits
During audits, reviewers will ask: “How do you ensure clinical evaluation addresses all residual risks?”
If the answer is, “Our clinical team reviews the risk file,” that is not enough. The reviewer wants to see the output of that review. They want to see traceability.
If you cannot show them a table, a cross-reference, or an explicit statement in both documents, you have a deficiency.
This deficiency does not mean your device is unsafe. It means you have not demonstrated compliance with the requirement to link risk management and clinical evaluation.
And that is enough to delay certification.
Integration is not proven by process descriptions. It is proven by cross-referenced documents that show explicit connections between identified hazards and clinical evidence.
What Practical Integration Looks Like
Practical integration starts with structure, not with effort.
Create a shared reference table. This table lives in both the risk file and the CER. It lists each significant residual risk, its hazard ID, its risk level, and the CER section where it is clinically addressed.
In the risk file, include a column that points to the CER. In the CER safety section, include a table that lists all hazards from the risk file and summarizes the clinical evidence for each.
This forces both teams to coordinate. The clinical team cannot complete the CER without knowing what residual risks exist. The risk team cannot close residual risks without confirming the CER covers them.
Second, review both documents together before submission. Not sequentially. Together.
Sit in a room with the risk manager and the clinical evaluator. Go through the residual risk list. For each one, ask: “Where in the CER is this addressed?” If the answer is unclear, revise the CER to make it explicit.
Then reverse the exercise. Go through the CER safety section. For each adverse event or safety finding, ask: “Which hazard in the risk file does this relate to?” If there is no corresponding hazard, either add it to the risk file or explain why it is not relevant.
This exercise takes a few hours. But it prevents weeks of back-and-forth with the Notified Body.
What About PMCF?
The same integration applies to PMCF. Your PMCF plan should explicitly state which residual risks it monitors. Your PMCF reports should update the risk file with new incidence data or emerging risks.
If your PMCF plan is generic—collecting safety and performance data without targeting specific residual risks—you have missed the integration requirement again.
PMCF is not a standalone activity. It is the clinical arm of ongoing risk management. That link must be explicit in the documentation.
Why This Will Not Fix Itself
This problem does not fix itself because it is not a knowledge problem. Most teams understand that risk and clinical evaluation should be linked. But understanding is not the same as execution.
The issue is workflow. Risk management happens in one software tool. Clinical evaluation happens in a different document system. There is no shared template that forces integration.
So the responsibility falls on individuals. Someone needs to remember to cross-reference. Someone needs to ensure consistency. And when that person is busy or changes roles, the link breaks.
The solution is to build integration into the template. Make it impossible to complete the CER without filling in the risk cross-reference table. Make it impossible to close a residual risk in the risk file without referencing a CER section.
This is process design, not documentation effort.
Organizations rely on individual diligence to maintain the link between risk and clinical evaluation. When that individual leaves or forgets, the link disappears. The deficiency reappears in the next submission.
What Comes Next
This is the first part of a series on risk management and clinical evaluation under MDR. The second part will focus on how to structure clinical safety sections so they map directly to risk analysis outputs.
For now, the takeaway is simple. Your risk file and CER do not talk to each other because you have not built the conversation into the structure.
Start by creating a shared cross-reference table. Use it in both documents. Review both documents together before submission.
This will not solve every regulatory challenge. But it will close one of the most common gaps that Notified Bodies find.
Peace,
Hatem
Clinical Evaluation Expert for Medical Devices
Frequently Asked Questions
What is a Clinical Evaluation Report (CER)?
A CER is a mandatory document under MDR 2017/745 that demonstrates the safety and performance of a medical device through systematic analysis of clinical data. It must be updated throughout the device lifecycle based on PMCF findings.
How often should the CER be updated?
The CER should be updated whenever significant new clinical data becomes available, after PMCF activities, when there are changes to the device or intended purpose, and at minimum during annual reviews as part of post-market surveillance.
What causes CER rejection by Notified Bodies?
Common reasons include inadequate equivalence demonstration, insufficient clinical data for claims, poorly structured SOTA analysis, missing gap analysis, and lack of clear benefit-risk determination. Structure and logical flow are as important as the data itself.
Which MDCG guidance documents are most relevant for clinical evaluation?
Key documents include MDCG 2020-5 (Equivalence), MDCG 2020-6 (Sufficient Clinical Evidence), MDCG 2020-13 (CEAR Template), MDCG 2020-7 (PMCF Plan), and MDCG 2020-8 (PMCF Evaluation Report).
– MDR 2017/745 Annex I, Article 61, Annex XIV
– MDCG 2020-6 Rev.1: Clinical Evaluation and PMCF
– ISO 14971:2019 Medical devices — Application of risk management to medical devices