We've supported dozens of medical device manufacturers through the SFDA Technical File Assessment process. Based on our direct experience, here are the ten most common risk file deficiencies that cause delays, additional information requests, or outright rejections.
1. Missing or Vague Risk Acceptability Criteria
The problem: Many submissions include a risk matrix but fail to clearly define what constitutes "acceptable," "ALARP" (As Low As Reasonably Practicable), or "unacceptable" risk. Without these definitions, SFDA reviewers cannot evaluate whether your risk decisions are justified.
The fix: Define explicit severity and probability scales (with examples relevant to your device) and a color-coded risk matrix in Section 2 of your Risk Management Plan. Reference ISO 14971:2019 Clause 4.4 for guidance.
2. No Verification Evidence for Risk Controls
The problem: Manufacturers list risk control measures (e.g., "software alarm added," "guard installed") without providing any evidence that the control actually works as intended.
The fix: For every risk control measure, link to specific V&V test results, design verification reports, or clinical evidence. Use a traceability matrix to connect hazards → controls → verification evidence.
3. Incomplete Hazard Identification
The problem: Many risk files focus only on normal use scenarios and ignore reasonably foreseeable misuse, maintenance procedures, disposal, and interactions with other devices.
The fix: Use Annex C of ISO 14971:2019 as a systematic hazard identification prompt. Walk through every lifecycle phase: transport, storage, installation, normal use, abnormal use, maintenance, and decommissioning.
4. No Benefit-Risk Analysis for Residual Risks
The problem: When individual residual risks exceed the acceptability threshold, ISO 14971 requires a benefit-risk analysis to justify keeping the device on the market. This step is frequently skipped, especially for lower-risk classifications.
The fix: Include a formal Benefit-Risk Analysis section in your Risk Management Report that weighs clinical benefits against each unacceptable residual risk, with references to clinical data.
5. Risk File Not Updated to ISO 14971:2019
The problem: Submissions reference the 2007 or 2012 edition of ISO 14971. SFDA (and most other regulatory bodies) now expects conformance to the 2019 edition, which introduced significant changes to benefit-risk analysis and production/post-production requirements.
The fix: Update your RMP and risk analysis methodology to reference ISO 14971:2019 and incorporate the post-production requirements of Clause 10.
6. Disconnected Post-Market Surveillance
The problem: The risk file exists as a standalone document with no mechanism to incorporate new information from complaints, adverse events, or field performance data.
The fix: Add a section to your RMP describing the feedback loop from post-market surveillance to risk analysis updates. Show evidence (e.g., meeting minutes, updated hazard log entries) that this loop is actually active.
7. DFMEA/PFMEA Not Linked to Risk Controls
The problem: Manufacturers submit a DFMEA or PFMEA as their "risk analysis" but don't connect the failure modes to specific risk controls and their verification.
The fix: Ensure your FMEA has columns for Risk Control Measures, Post-Control Risk Priority, and Verification Evidence Reference. The FMEA should feed directly into your risk management summary.
8. Missing Labeling and IFU Risk Analysis
The problem: Risks related to labeling, instructions for use, and user interface are not addressed. This is particularly important for devices marketed in Saudi Arabia where Arabic labeling requirements apply.
The fix: Include a specific section addressing risks arising from inadequate or incorrect labeling, language barriers, and user interface design. Cross-reference with IEC 62366 (usability engineering) where applicable.
9. No Consideration of Similar Devices
The problem: ISO 14971 Clause 4.3 requires manufacturers to consider reasonably foreseeable hazards based on available data, including data from similar devices. Many files show no evidence of this analysis.
The fix: Include a literature search summary referencing MAUDE database entries, MHRA adverse event reports, or published recalls for similar devices. Document how these findings influenced your hazard identification.
10. Risk Management Report Missing Overall Evaluation
The problem: The Risk Management Report fails to include a formal conclusion on the overall residual risk acceptability. Reviewers need a clear, approved statement.
The fix: Include an explicit overall residual risk evaluation statement, signed by authorized personnel, confirming that the overall residual risk is acceptable per your defined criteria.
How to Avoid These Issues
The common thread across all ten issues is traceability and completeness. Your risk file isn't just a document — it's a system of interconnected evidence that demonstrates you've systematically identified, evaluated, and controlled risks throughout the device lifecycle.
If you're preparing for an SFDA submission and want to ensure your risk management file is deficiency-free, Regulatory Assist can conduct a pre-submission review or build your RMF from the ground up.