The AI Traceability Journal – October 2025 | Risk Justification Under Scrutiny — Moving Beyond Assumption to Evidence
- Team Hoodin
- Oct 8
- 5 min read
Theme: ISO 14971:2019 · MDR Annex I · IVDR Annex I · PRRC Liability & Clinical Evaluation
The regulatory landscape has decisively shifted from accepting well-intentioned assumptions to demanding rigorous, evidence-based justification. For every residual risk carried forward in a device's lifecycle, a simple statement that "benefits outweigh the risks" is no longer sufficient. Whether finalising a clinical evaluation report (CER), managing post-market surveillance (PMS), or reviewing labeling, the clarity, traceability, and defensibility of your risk-benefit justifications are under unprecedented scrutiny.
This edition provides a structured framework to build an audit-ready justification system that aligns technical, clinical, and regulatory evidence into a coherent and defensible chain of reasoning.

Why Risk Justification is a Critical Focus in 2025
The elevated expectations are driven by concrete regulatory requirements and enforcement trends:
Explicit Regulatory Mandates: Both MDR and IVDR Annex I, Chapter I, Section 1, state that devices must achieve a "benefit-risk ratio that is acceptable when weighed against the intended purpose..." and that "any residual risks... require minimisation." This places the burden of proof squarely on the manufacturer to demonstrate acceptability [1].
ISO 14971 is an Applied Standard, Not a Theoretical Exercise: Clauses 6 through 8 of the standard outline a continuous process of risk assessment, control, and evaluation of residual risk. A weak or unsupported justification represents a failure in the implementation of this process, not a minor documentation oversight.
Increased PRRC and Corporate Liability: The Person Responsible for Regulatory Compliance must be able to defend every risk-benefit decision. This is impossible without an auditable trail that links the justification to specific device context, clinical data, and post-market evidence [2].
Common Justification Gaps Still Prevalent in Audits
| Gap | Typical Weak Practice | Regulatory & Audit Consequence |
| --- | --- | --- |
| Vague Rationale | "Risk is acceptable given the clinical benefit." | Auditor challenge: "On what specific, quantitative or qualitative data is this conclusion based?" |
| Disconnected Clinical Evidence | A risk acceptance decision is made in the risk management file (RMF) without a clear, traceable link to the supporting conclusions in the CER or PMS reports. | Inability to demonstrate that the risk-benefit conclusion is rooted in a comprehensive analysis of clinical data, as required by MDR Article 61 and MDCG 2020-1. |
| Static Risk Files | Risks accepted during initial development are never re-justified with new post-market data, literature, or incident trends. | The Risk Management File becomes a historical document, not a living record, violating the principle of continuous risk management per ISO 14971:2019, clause 10. |
| Unrecorded Decisions | The rationale for a decision is kept in email threads, meeting minutes, or individual memory. | No auditable trail exists for the PRRC or the auditor to review, creating a direct compliance vulnerability. |
A Three-Tier Evidential Justification Model
To replace subjective opinion with objective defensibility, implement a stratified justification framework for each residual risk:
Technical & Design Justification: Link the risk to the specific device design, hardware/software controls, and inherent safety features. This is the "how we built it safe" argument.
Example: "The risk of over-infusion is mitigated by the embedded independent safety controller with redundant clock cycles, as verified in V&V test report VVR-2024-018."
Clinical & Usability Justification: Provide the evidence from clinical evaluation, usability engineering files, literature, or PMS trends that demonstrates the residual risk is acceptable in the context of the intended patient population and clinical condition.
Example: "The accepted residual risk of vessel dissection is justified by clinical data from the PMCF study (CEP-2023-101) showing a rate of <0.5%, which is consistent with rates reported in the scientific literature (cite sources) and is outweighed by the benefit of successful vessel occlusion."
Regulatory & State-of-the-Art Justification: Anchor the decision in recognised standards, common specifications, or guidance documents to demonstrate alignment with current regulatory expectations and the general state of the art.
Example: "The cybersecurity risk assessment and acceptance criteria are aligned with the principles of the FDA Cybersecurity Guidance and the state-of-the-art framework outlined in IEC 81001-5-1" [3].
Execution Checklist for a Robust Justification System
For every risk assessment (new or residual):
Document the technical mitigation and the rationale for its sufficiency.
Cite the specific clinical evidence (e.g., CER section, PMS report number) that justifies acceptance.
Reference the applicable regulatory basis (standard, guidance, CS).
Log reviewer name, date, and document version.
Create explicit traceability links in your eQMS: Risk ID → Clinical Evaluation Report → PMS Report → Change Control Record.
Reassess legacy risks using the latest post-market data and document the review.
Log justifications even for "no action" decisions to demonstrate continuous monitoring.
Prepare a Risk Justification Dashboard for Management Review, summarising the status of all high-priority residual risks and the evidence supporting them.
Conduct an internal audit focused specifically on the adequacy and traceability of risk-benefit justifications across a sample of the RMF.
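As an added illustration (not the journal's or Hoodin's code), the checklist and the gap table above can be turned into an automated pre-audit check: a small Python lint that models the three-tier entry, the eQMS chain Risk ID → CER → PMS → Change Control Record, and flags each of the four gap patterns. Field names, the link-type keys (CER, PMS, CCR), the vague-phrase list and all record identifiers other than those quoted on the page are assumptions.

```python
"""Pre-audit lint for residual-risk justification entries (added illustration;
field names, link-type keys and all record identifiers are assumptions)."""
from dataclasses import dataclass, field
from datetime import date

# Phrases that signal an opinion-only rationale (gap: "Vague Rationale").
VAGUE_PHRASES = ("benefits outweigh the risks", "acceptable given the clinical benefit")
# eQMS link types that must all be present: Risk ID -> CER -> PMS -> Change Control.
CHAIN = ("CER", "PMS", "CCR")

@dataclass
class Justification:
    risk_id: str
    technical: str = ""    # tier 1: design controls, V&V report references
    clinical: str = ""     # tier 2: CER / PMCF / usability evidence
    regulatory: str = ""   # tier 3: standard, guidance or common specification
    links: dict = field(default_factory=dict)  # link type -> document id
    reviewer: str = ""
    reviewed: str = ""     # ISO date of the last documented review
    version: str = ""

def audit(j: Justification, latest_pms_report: str) -> list:
    """Return the gap codes found for one entry; an empty list is audit-ready."""
    gaps = []
    for tier, text in (("technical", j.technical), ("clinical", j.clinical),
                       ("regulatory", j.regulatory)):
        if not text.strip() or any(p in text.lower() for p in VAGUE_PHRASES):
            gaps.append(f"vague-rationale:{tier}")
    if not all(j.links.get(k) for k in ("CER", "PMS")):
        gaps.append("disconnected-clinical-evidence")
    if not all(j.links.get(k) for k in CHAIN):
        gaps.append("broken-traceability-chain")
    if not (j.reviewer and j.reviewed and j.version):
        gaps.append("unrecorded-decision")
    elif date.fromisoformat(j.reviewed) < date.fromisoformat(latest_pms_report):
        gaps.append("static-risk-file")  # not re-justified against newest PMS data
    return gaps

def audit_file(entries, latest_pms_report: str) -> dict:
    """Audit an RMF sample; returns {risk_id: [gap codes]}."""
    return {e.risk_id: audit(e, latest_pms_report) for e in entries}

# Constructed sample entries; every identifier below is a placeholder.
GOOD = Justification("R-017",
    technical="Over-infusion mitigated by independent safety controller (VVR-2024-018).",
    clinical="PMCF study CEP-2023-101: event rate <0.5%, consistent with literature.",
    regulatory="Acceptance criteria per ISO 14971:2019 clause 7; IEC 81001-5-1.",
    links={"CER": "CER-2024-02 s.7.3", "PMS": "PSUR-2025-01", "CCR": "CCR-0442"},
    reviewer="J. Doe", reviewed="2025-06-12", version="3.1")
WEAK = Justification("R-018", clinical="Risk is acceptable given the clinical benefit.",
                     links={"CER": "CER-2024-02"}, reviewer="J. Doe")
```

Run `audit_file([GOOD, WEAK], "<date of newest PSUR/PMS report>")` against an RMF export to get a per-risk gap list for the management-review dashboard; a non-empty list for a legacy risk is exactly the "Static Risk Files" finding the internal audit should surface.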
Leveraging AI to Standardise Justification Entries
AI can help overcome the initial documentation burden by providing a structured and consistent starting point for your rationale.
AI Prompt:
"Act as a senior regulatory affairs specialist for a [e.g., Class IIb active implantable device] in the [e.g., EU] market. Generate a formal risk justification entry for a residual risk with a probability of 'remote' (1/10,000) and a severity of 'serious injury'. The justification must include:
A technical rationale referencing specific device mitigations (e.g., material biocompatibility, software alarm).
A clinical rationale citing simulated or actual clinical data and linking it to patient benefit.
A regulatory rationale referencing at least one relevant standard (e.g., ISO 10993-1, IEC 60601-1).
Format the entry with a reviewer name and timestamp."
Always validate and tailor the AI-generated output with your specific device data and verified evidence.
Conclusion
In the current regulatory environment, generic risk statements are a significant liability. Compliance and patient safety now demand a traceable, multi-layered justification that weaves together design controls, clinical evidence, and regulatory alignment into a single, defensible narrative. By implementing this structured framework, you transform your risk management file from a static compliance document into a dynamic, evidence-based record that protects patients, justifies your decisions, and satisfies auditor scrutiny.
References & Further Reading
[1] European Commission: Regulation (EU) 2017/745 (MDR) - Annex I, General Safety and Performance Requirements
Why it's relevant: This is the definitive source for the general safety and performance requirements, explicitly mandating a positive benefit-risk ratio and the minimization of residual risk.
[2] European Commission: "Questions and Answers on the Person Responsible for Regulatory Compliance (PRRC)"
Link: https://health.ec.europa.eu/document/download/463b4f08-44a2-4018-9957-488bf386fc3a_en
Why it's relevant: Reinforces the legal obligation of the PRRC to ensure regulatory compliance, which is impossible without a fully justified and traceable risk management process.
[3] FDA Guidance: "Cybersecurity in Medical Devices: Quality System Considerations and Content of Submissions" (Final Guidance, Sept 2023)
Why it's relevant: Serves as a concrete example of a "Regulatory & State-of-the-Art Justification." It provides a modern framework for risk assessment and justification that auditors expect to see reflected in relevant risk files.
The November issue of The AI Traceability Journal will cover the topic "The Compliance Matrix Isn't Optional – Building Your Applicable Requirements System Before the Next Audit". Want to learn more? Take the free online course: How to build an AI-supported, justified and traceable applicable list of regulations and standards.