Your Risk File and CER Are Not Talking. Here’s the Problem.
I see it in every third audit. The Risk Management File lists residual risks. The Clinical Evaluation Report discusses safety. But nowhere do they connect. When a reviewer asks where the clinical data addresses residual risk X, the team scrambles to find an answer that was never written down.
This disconnect is not cosmetic. It creates real regulatory exposure.
Under MDR Article 61 and Annex I, clinical evaluation and risk management are not separate processes. They are integrated, iterative, and mutually dependent. Yet in most technical files, they exist as parallel documents that barely reference each other.
The consequence is not just a deficiency notice. It is the inability to demonstrate that your benefit-risk determination is actually supported by clinical evidence.
Why Integration Matters Under MDR
The MDR introduced a higher bar for clinical evidence. But it also clarified something that was always implied: risk control measures must be validated clinically, not just verified technically.
Article 61(1) states that clinical evaluation must demonstrate safety and performance. Annex I Section 1 requires that residual risks are acceptable when weighed against benefits. These two obligations converge in one place: the clinical evaluation must explicitly address whether the residual risks identified in the Risk Management File are acceptable based on the clinical data.
Most teams treat this as a summary statement in the CER conclusion. That is insufficient.
The clinical evaluation is not complete until every residual risk in the Risk Management File has been traced to specific clinical evidence that addresses its acceptability.
If your Risk Management File identifies thermal injury as a residual risk, your CER must present data on thermal events in clinical use. If you list infection as a residual risk, your clinical evaluation must provide evidence on infection rates and their clinical consequences.
The connection must be explicit, documented, and reviewable.
Where the Disconnect Happens
In most organizations, risk management and clinical evaluation are managed by different people. The risk manager updates the Risk Management File. The clinical affairs specialist writes the CER. They coordinate at milestones, but they do not work from a shared framework.
The result is predictable. The Risk Management File evolves through design controls, hazard analysis, and verification testing. The CER evolves through literature review, clinical data analysis, and SOTA assessment. They reference the same device, but they do not reference each other.
When a Notified Body reviewer opens both documents, the gap becomes visible immediately.
The CER discusses safety in general terms, but does not map clinical evidence to the specific residual risks documented in the Risk Management File. The reviewer cannot trace how clinical data supports the acceptability of each identified risk.
This is not a documentation issue. It is a process issue.
What Integration Actually Looks Like
Integration does not mean copying tables from one document to another. It means creating a documented reasoning path that connects specific risks to specific clinical evidence and specific benefit-risk conclusions.
Start with the residual risks in the Risk Management File. For each one, the clinical evaluation must answer:
– What is the clinical evidence on the frequency of this risk?
– What is the clinical evidence on the severity when it occurs?
– What is the clinical evidence on risk mitigation effectiveness?
– What is the clinical benefit that justifies accepting this residual risk?
These questions must be answered with references to specific studies, datasets, or clinical experience. Not in general terms. Not with assumptions.
If the risk is rare but serious, the CER must present evidence of rarity. If the risk is common but minor, the CER must present evidence of minor consequences. If a risk control measure reduces the risk, the CER must show clinical data supporting that reduction.
Every residual risk becomes a line item in the clinical evaluation.
The Benefit-Risk Table Is Not Enough
Many CERs include a benefit-risk table that lists risks and benefits side by side. This is required, but it is not sufficient.
The table shows what is being weighed. It does not show the evidence behind the weighing. A reviewer needs to see how you reached the conclusion that the benefit outweighs the risk for each specific hazard.
That reasoning must be embedded in the body of the CER, tied to the data, and traceable back to the Risk Management File.
The benefit-risk determination is not a single conclusion. It is a collection of specific determinations, one for each residual risk, each supported by specific clinical evidence.
How Risk Management Feeds Clinical Evaluation
The Risk Management File should not be finalized before the clinical evaluation begins. It should be updated as clinical evidence emerges.
When clinical data reveals a higher-than-expected adverse event rate, that information must flow back into the risk analysis. When PMCF data shows effective risk mitigation, that must be reflected in the residual risk estimates.
This is the iterative relationship described in ISO 14971 and reinforced by MDR. Risk management informs clinical evaluation. Clinical evaluation informs risk management. Both evolve together throughout the device lifecycle.
In practice, this means:
– Clinical evaluation findings must trigger risk management reviews
– Risk management updates must be reflected in the CER
– PMCF data must feed both documents simultaneously
– Benefit-risk conclusions must be revisited when either document changes
If your CER is written once and left static while the Risk Management File is updated through design changes, you have broken the integration.
What Reviewers Look For
When a Notified Body reviews your technical file, they open the Risk Management File and the CER side by side. They look for coherence.
They check whether the risks discussed in the CER match the residual risks in the risk file. They check whether the severity and probability estimates are consistent. They check whether the clinical evidence cited in the CER actually addresses the risks identified in the risk analysis.
If they find mismatches, they issue deficiencies. If they find gaps, they question whether the benefit-risk determination is valid.
The Risk Management File lists specific residual risks with probability and severity estimates, but the CER does not present data supporting those estimates. The reviewer cannot verify that the risk levels are based on clinical evidence.
This is not about formatting. It is about demonstrability.
You must be able to show, with documented evidence, that every residual risk has been evaluated clinically and that the benefit-risk conclusion is supported by data.
Building the Integration Into Your Process
Integration starts with process design, not documentation.
Create a shared framework where risk management and clinical evaluation are planned together. Define decision points where both activities are reviewed jointly. Establish clear responsibilities for maintaining coherence between the documents.
In practical terms:
– Include the clinical affairs specialist in risk review meetings
– Include the risk manager in clinical evaluation planning
– Map each residual risk to a clinical evaluation question during CER planning
– Review coherence before every submission
– Update both documents together during post-market surveillance
The goal is not to merge the documents. It is to ensure they reflect a single, coherent reasoning process.
PMCF as the Connective Tissue
PMCF is where integration becomes most visible. The PMCF plan must address gaps in clinical evidence related to residual risks. The PMCF report must provide data that validates or updates the risk analysis.
If your PMCF activities are designed without reference to the Risk Management File, you are missing the point. PMCF is not just about performance confirmation. It is about ongoing benefit-risk assessment.
Every PMCF data point should feed both the clinical evaluation and the risk analysis. Every risk-related finding should trigger both documents to be updated.
This is the lifecycle approach MDR requires.
What Happens When Integration Is Missing
The consequences are not theoretical. I see them in real audits.
Submissions are delayed because reviewers cannot trace clinical evidence to residual risks. Deficiencies are issued because the benefit-risk determination lacks documented support. Teams spend months rewriting sections to create connections that should have existed from the start.
In the worst cases, the entire benefit-risk conclusion is questioned because the clinical evaluation did not address the actual residual risks of the device.
This is avoidable. But it requires treating integration as a process requirement, not a documentation task.
Integration is not about cross-referencing documents. It is about ensuring that risk management and clinical evaluation reflect a single, evidence-based reasoning process that a reviewer can follow from start to finish.
When integration is present, reviewers can see how you reached your conclusions. They can verify that clinical evidence supports the benefit-risk determination. They can confirm that residual risks are acceptable based on documented data.
When integration is missing, none of that is possible.
If you are preparing a CER or updating a Risk Management File, pause and ask: can a reviewer trace every residual risk to specific clinical evidence? If not, the integration is incomplete.
And that is where the next deficiency will come from.
Peace,
Hatem
Clinical Evaluation Expert for Medical Devices
Frequently Asked Questions
What is a Clinical Evaluation Report (CER)?
A CER is a mandatory document under MDR 2017/745 that demonstrates the safety and performance of a medical device through systematic analysis of clinical data. It must be updated throughout the device lifecycle based on PMCF findings.
How often should the CER be updated?
The CER should be updated whenever significant new clinical data becomes available, after PMCF activities, when there are changes to the device or intended purpose, and at minimum during annual reviews as part of post-market surveillance.
What causes CER rejection by Notified Bodies?
Common reasons include inadequate equivalence demonstration, insufficient clinical data for claims, poorly structured SOTA analysis, missing gap analysis, and lack of clear benefit-risk determination. Structure and logical flow are as important as the data itself.
Which MDCG guidance documents are most relevant for clinical evaluation?
Key documents include MDCG 2020-5 (Equivalence), MDCG 2020-6 (Sufficient Clinical Evidence), MDCG 2020-13 (CEAR Template), MDCG 2020-7 (PMCF Plan), and MDCG 2020-8 (PMCF Evaluation Report).
– MDR 2017/745 Article 61, Annex I
– ISO 14971:2019 Application of risk management to medical devices
– MDCG 2020-6 Regulation (EU) 2017/745: Sufficient clinical evidence for legacy devices





