Risk Management in Medical Devices: How to Build an ISO 14971-Compliant Process in 2026

Medical device risk management is the thread that connects every element of your ISO 13485 QMS — and the first place an auditor looks. This guide covers all five stages of the ISO 14971:2019 process, required documentation at each step, how to set defensible acceptability criteria, and the most common findings in notified body and FDA audits.

[Feature image: an ISO 14971-compliant medical device risk management process showing the risk management plan, analysis, evaluation, control, and post-production review.]

A step-by-step implementation guide for medical device manufacturers building or strengthening a risk management framework under ISO 14971:2019 and ISO 13485:2016

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


Your Risk Management File Is the First Thing an Auditor Opens

Not your QMS manual. Not your SOPs. Your risk management file.

That is where a notified body auditor or FDA inspector starts — because risk management in medical devices is the thread that connects every other element of your quality system. If your risk file is thin, incomplete, or disconnected from your design and production controls, the rest of your documentation will not save you.

Most medical device companies understand that ISO 14971:2019 requires a risk management process. Fewer understand what that process actually looks like when it is fully implemented — the outputs required, the decisions that must be documented, and the points where ISO 13485:2016 Clause 7.1 and ISO 14971 intersect in ways that catch teams off guard during audits.

This article walks through the complete risk management process for medical devices: what ISO 14971 requires at each stage, how those requirements connect to your QMS, and where most teams fall short.

I have spent 25 years in heavy industrial manufacturing running quality systems under ISO 9001, managing nonconformances, and building risk-based approaches to process control. When I transitioned into the ISO 13485 space, the discipline was familiar — but the regulatory stakes were different. In manufacturing, a process failure costs you time and scrap. In medical devices, the same gap in your risk file can cost you a 483 observation, a warning letter, or a market withdrawal. The rigor required is not optional, and it is not theoretical. Every output described in this article is something auditors actively look for.

Before you read further: If you have not yet assessed where your current risk management process stands against ISO 14971:2019 requirements, start there. A structured gap assessment takes less time than an audit finding.

📥 Download the ISO 13485 Gap Assessment Checklist — Free checklist for medical device manufacturers assessing their QMS against ISO 13485 requirements, including risk management obligations under Clause 7.1.


In This Guide

  • What ISO 14971:2019 actually requires — the full process, not just the outputs
  • How ISO 13485 Clause 7.1 connects to your risk management file
  • The five stages of the ISO 14971 process with required documentation at each step
  • How to set acceptable risk criteria — the decision most teams get wrong
  • Post-production surveillance and why it feeds back into your risk file
  • The most common audit findings in risk management reviews
  • Training options for teams building or rebuilding a compliant process


👉 Start Here: Top Resources for Medical Device Risk Management

If you are building or rebuilding your risk management process, these are the resources that will move you fastest:

  • ISO 14971:2019 — ANSI Webstore — The current edition of the standard. Required reading for anyone responsible for a device risk management file. Use code CC2026 for 5% off at checkout.
  • ISO 13485 Training — BSI Group — BSI offers ISO 13485 implementation and auditor training that covers risk management integration in depth.
  • ISO 13485 Training — ISOQAR — ISOQAR provides training and certification services for ISO 13485, with risk-based thinking woven throughout their courses.

What ISO 14971:2019 Requires

[Infographic: ISO 14971 risk management lifecycle showing the seven stages of risk management in medical devices and the required outputs from planning through post-production surveillance.]
Caption: A visual overview of the ISO 14971 risk management lifecycle and the documentation outputs auditors expect to see.

ISO 14971:2019 is the international standard for the application of risk management to medical devices. It applies throughout the full device lifecycle — from concept through post-market surveillance.

The standard does not prescribe a specific risk analysis method. It does not tell you to use FMEA, FTA, or a risk matrix of a particular format. What it requires is a documented, systematic process that produces specific outputs at each stage.

The core framework in ISO 14971:2019 includes:

Stage: What ISO 14971 requires

  • Risk management plan: Define scope, responsibilities, criteria for risk acceptability, and review activities
  • Risk analysis: Identify intended use, reasonably foreseeable misuse, and associated hazards and hazardous situations
  • Risk evaluation: Compare estimated risk against criteria — determine if risk reduction is required
  • Risk control: Select and implement controls; verify effectiveness; assess residual risk and any new risks introduced
  • Benefit-risk analysis: Where residual risk remains, evaluate whether the overall benefit outweighs remaining risk
  • Risk management report: Summarize the process and confirm residual risks are acceptable
  • Post-production information: Collect and review field data; feed findings back into risk management

Every output — the plan, the analysis, the controls, the report — must be captured in a risk management file.


How ISO 13485 Clause 7.1 Connects

ISO 13485:2016 Clause 7.1 requires that your organization document risk management requirements throughout product realization. This is not a standalone obligation — it is a QMS-level requirement that ties your risk file to your design controls, supplier management, production processes, and CAPA system.

The key connection points:

Design and development (Clause 7.3): Risk management inputs and outputs must be included in design planning. Design reviews, verification, and validation activities must all reference and be consistent with the risk management file.

Purchasing and supplier controls (Clause 7.4): Supplier-introduced risks must be identified and addressed. If a supplier failure creates a patient hazard, that scenario belongs in your risk analysis.

Production and service provision (Clause 7.5): Special processes — sterilization, labeling, software-dependent controls — require risk-based validation. Your risk file should identify where these controls are critical and what happens if they fail.

CAPA (Clause 8.5): Post-market findings, complaints, and nonconformances are data sources for your risk management process. A complaint that reveals a hazardous situation not previously identified in your risk analysis must trigger a risk file update.

Most common finding: Auditors frequently cite a disconnect between the CAPA system and the risk management file — complaints and CAPAs are processed and closed without evaluating whether the risk file needs to be updated.

If you are evaluating your current QMS against these connection points, the gap assessment checklist above covers all of them.


The Five-Stage Risk Management Process

Stage 1: Risk Management Plan

Your risk management plan is not a form — it is a governing document for the entire risk process for a specific device. It must define:

  • The scope of activities (which device, which lifecycle phases)
  • Roles and responsibilities for risk management activities
  • Requirements for review of risk management activities
  • Criteria for risk acceptability — what level of residual risk is acceptable and on what basis

The last item is where most teams take shortcuts. Acceptability criteria cannot simply reference “ALARP” or “as low as reasonably practicable” without defining what that means for your device and patient population. Auditors will push on this.

Stage 2: Risk Analysis

Risk analysis begins with a thorough description of the device — its intended use, intended users, and reasonably foreseeable misuse. From there, you identify:

  • Hazards (potential sources of harm)
  • Hazardous situations (circumstances in which people could be exposed to a hazard)
  • Harm sequences (how the hazardous situation leads to harm)

ISO 14971 Annex C provides a non-exhaustive list of hazard categories: energy hazards, biological hazards, environmental hazards, hazards related to incorrect output, and others. Use it as a prompt, not as a complete list.

Common analysis methods include FMEA (Failure Mode and Effects Analysis), FTA (Fault Tree Analysis), and HAZOP. Most device teams use FMEA as the primary tool. None of these methods is required by the standard — but whatever method you use must be documented and consistently applied.

Stage 3: Risk Evaluation

Once you have estimated the probability and severity of each harm, you evaluate whether each risk requires reduction. This evaluation is made against the acceptability criteria defined in your risk management plan.

If a risk exceeds your acceptable threshold, risk reduction is required. If it falls below the threshold, you still need to document the evaluation decision — not just assume silence means acceptable.

📥 If you are not confident your current risk file covers these evaluation decisions consistently, download the ISO 13485 Gap Assessment Checklist and work through Section 7 — it maps directly to these requirements.

Stage 4: Risk Control

[Infographic: ISO 14971 risk control hierarchy and residual risk evaluation process for medical device risk management.]
Caption: ISO 14971 requires organizations to prioritize design controls first, verify effectiveness, and document residual risk decisions before closing risk.

ISO 14971 requires you to follow a three-level hierarchy when selecting controls:

  1. Inherent safety by design — eliminate or reduce the hazard through design choices
  2. Protective measures — add guards, alarms, or protective barriers in the device or manufacturing process
  3. Information for safety — labeling, instructions for use, training requirements

You must implement controls in this order of preference. You cannot jump to warnings and labeling as your primary control if a design solution is practicable.

After implementing each control:

  • Verify the control was implemented as intended
  • Verify the control is effective at reducing risk
  • Assess whether the control introduces any new hazards
  • Re-evaluate residual risk after all controls are applied

Stage 5: Residual Risk and Benefit-Risk Analysis

After controls are in place, residual risk will remain for most devices. If residual risk exceeds your acceptability criteria even after all practicable controls have been applied, you must perform a benefit-risk analysis: does the clinical benefit of the device outweigh the remaining risk?

This analysis must be documented. “We believe the benefit outweighs the risk” is not documentation. The analysis must reference clinical evidence, intended use, and the nature and magnitude of remaining harm.


Setting Acceptable Risk Criteria

This is the decision most risk management teams get wrong, and it is the one auditors examine most carefully.

Your risk acceptability criteria must be:

  • Defined before you begin risk analysis — not after you have already seen your risk estimates
  • Based on relevant policy, standards, and guidance applicable to your device category
  • Specific enough to make clear decisions — a matrix with defined severity and probability ranges, not a narrative statement

What auditors see → What they want to see

  • “We aim to reduce risk ALARP” → A defined matrix with probability/severity scales and explicit acceptable/unacceptable zones
  • Criteria defined after the analysis was completed → Criteria established in the risk management plan before analysis began
  • One set of criteria applied across all device types → Criteria appropriate to the specific device and patient population
  • No documented basis for the criteria chosen → Reference to applicable guidance documents (IMDRF, EU MDR, FDA guidance)

Reference points that support defensible criteria include FDA guidance on risk management for device software, IMDRF guidance documents, and the introductory notes in ISO 14971:2019 itself.


Risk Control Options and Residual Risk

One of the most common gaps in risk files is incomplete residual risk documentation. Teams identify hazards, apply controls, and then fail to document the post-control risk estimate.

Every control must have:

  • A documented implementation record (the control was actually applied)
  • A verification record (the control works as intended)
  • A post-control risk re-estimate (residual probability × severity)
  • An evaluation of residual risk against acceptability criteria

If your controls introduce new hazards — which software controls, sterilization processes, and combination products frequently do — those new hazards must be analyzed through the full process. There is no shortcut.

If you are preparing for your first ISO 13485 certification audit, verify that every risk control in your file has all four of these elements documented before your Stage 1 audit. Incomplete residual risk documentation is one of the most common major nonconformances found in initial certification audits.
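The two sections above (a defined acceptability matrix fixed in the plan, and the four records every control needs) are easy to state and easy to lose track of across a register with hundreds of lines. The following is an added example, not code from the article or from any ISO document, showing how a small script can apply a defined probability/severity matrix and flag the audit findings listed in this guide: missing implementation, verification or new-hazard records, no post-control residual estimate, residual risk above threshold without a benefit-risk analysis, and labeling used as the primary control when a design solution was practicable. The five-point scales, the matrix zones, the control type names and the sample register entries are all constructed assumptions for illustration; a real plan defines its own scales and zones.

```python
"""Constructed example: checking a risk register against a defined acceptability
matrix and the ISO 14971 control hierarchy. All scales, zones and records are
assumptions for illustration, not values from any standard or real device file."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Probability(IntEnum):          # constructed 5-point probability scale
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


class Severity(IntEnum):             # constructed 5-point severity scale
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


# Constructed 5x5 acceptability matrix, fixed in the risk management plan BEFORE
# analysis. Rows: probability (IMPROBABLE..FREQUENT); columns: severity
# (NEGLIGIBLE..CATASTROPHIC). "A" = acceptable, "U" = unacceptable (reduction required).
_MATRIX = (
    "AAAAU",  # improbable
    "AAAUU",  # remote
    "AAUUU",  # occasional
    "AUUUU",  # probable
    "UUUUU",  # frequent
)

# ISO 14971 order of preference for risk control options (lower rank = preferred)
CONTROL_HIERARCHY = {"design": 1, "protective": 2, "information": 3}


def zone(probability: Probability, severity: Severity) -> str:
    """Look up the acceptability zone for an estimated (probability, severity)."""
    return _MATRIX[probability - 1][severity - 1]


@dataclass
class Control:
    description: str
    kind: str                           # one of CONTROL_HIERARCHY's keys
    implemented: bool = False           # implementation record exists
    verified: bool = False              # verification record exists
    new_hazards_assessed: bool = False  # new-hazard assessment recorded


@dataclass
class RiskItem:
    ident: str
    hazard: str
    hazardous_situation: str
    harm: str
    initial: tuple                      # (Probability, Severity) before controls
    controls: list = field(default_factory=list)
    residual: Optional[tuple] = None    # (Probability, Severity) after controls
    benefit_risk_documented: bool = False
    design_solution_practicable: bool = False


def audit_item(item: RiskItem) -> list:
    """Return the audit findings for one register line (empty list = clean)."""
    findings = []
    if zone(*item.initial) == "U" and not item.controls:
        findings.append("initial risk unacceptable but no risk control recorded")
    for c in item.controls:             # each control needs all three records
        if c.kind not in CONTROL_HIERARCHY:
            findings.append(f"control '{c.description}': unknown control type '{c.kind}'")
        if not c.implemented:
            findings.append(f"control '{c.description}': no implementation record")
        if not c.verified:
            findings.append(f"control '{c.description}': no verification record")
        if not c.new_hazards_assessed:
            findings.append(f"control '{c.description}': new-hazard assessment missing")
    if item.controls:
        primary = min(item.controls, key=lambda c: CONTROL_HIERARCHY.get(c.kind, 99))
        if primary.kind == "information" and item.design_solution_practicable:
            findings.append("labeling/IFU used as primary control while a design solution was practicable")
        if item.residual is None:       # the post-control re-estimate is mandatory
            findings.append("no post-control residual risk re-estimate documented")
        elif zone(*item.residual) == "U" and not item.benefit_risk_documented:
            findings.append("residual risk above acceptability threshold with no benefit-risk analysis")
    return findings


def audit_register(register: list) -> dict:
    """Audit every item and return {ident: [findings]}."""
    return {item.ident: audit_item(item) for item in register}


# Constructed sample register (illustrative records, not from any real device file)
SAMPLE_REGISTER = [
    RiskItem("R-001", "excessive electrical energy", "patient contact point carries fault current",
             "electrical burn", (Probability.OCCASIONAL, Severity.CRITICAL),
             controls=[Control("double insulation on applied part", "design", True, True, True)],
             residual=(Probability.IMPROBABLE, Severity.CRITICAL)),
    RiskItem("R-002", "sharp edge on housing", "user handles device during setup",
             "laceration", (Probability.PROBABLE, Severity.MINOR),
             controls=[Control("radius all housing edges", "design", True, True, True)]),
    RiskItem("R-003", "incorrect dose output", "user enters dose in wrong units",
             "overdose", (Probability.OCCASIONAL, Severity.CATASTROPHIC),
             controls=[Control("warning in IFU about units", "information", True, True, True)],
             residual=(Probability.REMOTE, Severity.CATASTROPHIC),
             design_solution_practicable=True),
]

if __name__ == "__main__":
    for ident, findings in audit_register(SAMPLE_REGISTER).items():
        print(ident, "OK" if not findings else "; ".join(findings))
```

Running it reports R-001 as clean, R-002 with a missing residual re-estimate (the control was applied and verified, but the register never records the post-control risk), and R-003 with two findings: labeling chosen as the primary control although a design solution was practicable, and a residual risk still in the unacceptable zone with no benefit-risk analysis on file. The point of the matrix lookup is that every acceptability decision is traceable to zones written down in the plan, which is exactly what an auditor asks for when a team says "ALARP".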

BSI Group offers ISO 13485 implementation training that specifically addresses risk file documentation structure, including residual risk evaluation requirements. ISOQAR provides similar training with a certification pathway.


The Risk Management File

The risk management file is not a single document. It is a collection of records that demonstrates the complete risk management process was followed for a specific device. What it must contain:

  • Risk management plan
  • Risk analysis outputs (hazard list, probability/severity estimates)
  • Risk evaluation records (acceptability decisions)
  • Risk control records (implementation, verification, new hazard assessment)
  • Residual risk evaluation
  • Benefit-risk analysis (where required)
  • Risk management report
  • Post-production information review records

The risk management report is the capstone document. It confirms that the risk management plan was followed, all residual risks are acceptable, and appropriate methods were used to obtain relevant production and post-production information.

Your risk management file must be maintained and updated throughout the product lifecycle. It is not a one-time certification exercise.

[Infographic: ISO 14971 risk management file showing required records and how the file integrates with ISO 13485 quality management requirements.]
Caption: The risk management file is the central evidence package that demonstrates ISO 14971 compliance across the medical device lifecycle.

Post-Production Information and Surveillance

ISO 14971 Clause 9 requires a systematic process to collect and review post-production information. This includes:

  • Customer complaints and feedback
  • Field service and repair reports
  • Medical device reports (MDRs) and vigilance reports
  • Published literature and adverse event databases
  • Post-market clinical data

This information must be evaluated to determine whether it:

  • Indicates previously unidentified hazards
  • Changes the estimated probability or severity of a known harm
  • Invalidates earlier risk control decisions

If it does, your risk file must be updated. Your CAPA process must have a defined trigger for escalating post-market findings to the risk management team.

Most common finding: Post-market surveillance is treated as a regulatory reporting obligation rather than a risk management input. Complaints are processed through CAPA, but the risk file is never reviewed against complaint trends. This is a major nonconformance under both ISO 13485 Clause 8.2.1 and ISO 14971 Clause 9.


Common Audit Findings in Risk Management Reviews

These are the findings that appear most frequently in ISO 13485 and EU MDR notified body audits:

⚠️ Incomplete risk analysis scope — Reasonably foreseeable misuse not identified or analyzed. Risk analysis covers intended use only.

⚠️ Acceptability criteria defined after the analysis — Criteria were back-filled to match the estimates, rather than established as the decision framework before analysis began.

⚠️ Missing residual risk evaluation — Controls were implemented and verified, but no post-control risk estimate was documented.

⚠️ Disconnected CAPA and risk file — Complaints and CAPAs processed and closed without triggering a risk file review.

⚠️ Labeling used as the primary control — Instructions for use are cited as the risk control when a design solution was practicable.

⚠️ Risk file not maintained post-launch — The risk file was complete at certification but has not been updated since. Design changes, new complaint data, and field findings are not reflected.

⚠️ No benefit-risk analysis where residual risk is above acceptability threshold — Teams acknowledge residual risk exceeds their criteria but do not formally document the benefit-risk justification.


Training for Your Risk Management Team

Risk management competence is a requirement, not a preference. Your team members responsible for risk management activities must be trained — and that training must be documented.

Both BSI Group and ISOQAR offer ISO 13485 training that covers risk management integration. BSI also offers a dedicated Risk Management — Requirements (ISO 14971) e-learning course for teams who need focused training on the standard itself.

If you are already certified under ISO 13485 and preparing for a surveillance audit:

If your risk team has not been formally trained on ISO 14971:2019 since the 2019 edition was published, now is the time to close that gap. The 2019 edition introduced changes to state-of-the-art requirements and manufacturer benefit-risk responsibilities that differ from the 2007 edition.

If you are building your QMS from scratch and need structured implementation support across all 8 clauses:

If you are evaluating implementation support options, review what documentation a compliant ISO 13485 QMS requires before investing in training. It will help you scope what your team actually needs to build.


FAQ

What is the difference between ISO 14971 and ISO 13485 for risk management?

ISO 13485:2016 Clause 7.1 requires that risk management be applied throughout product realization. ISO 14971:2019 is the standard that defines how to do it — the process, the required outputs, and the documentation. ISO 13485 tells you that you must manage risk. ISO 14971 tells you how. Most medical device manufacturers must comply with both.

Is ISO 14971 mandatory?

ISO 14971 is not directly mandated by law in most markets, but it is referenced as a harmonized standard under the EU MDR 2017/745 and EU IVDR 2017/746. For FDA-regulated devices in the US, compliance with ISO 14971 supports conformance with 21 CFR Part 820 design controls requirements. As a practical matter, no notified body or FDA inspection team will accept a risk management process that does not align with ISO 14971.

What is a risk management file?

A risk management file is the complete collection of records that documents the risk management process for a specific device. It includes the risk management plan, risk analysis outputs, evaluation records, control records, residual risk documentation, benefit-risk analysis (where required), the risk management report, and post-production surveillance records. The file must be maintained and updated throughout the device lifecycle.

How often should a risk management file be updated?

Your risk management file must be updated whenever there is a change to the device, its intended use, or new information that could affect risk estimates — including complaints, adverse events, published literature, or design changes. Many organizations establish a formal periodic review (annually or at defined product lifecycle milestones) as part of their post-market surveillance process.

What risk analysis methods does ISO 14971 require?

ISO 14971 does not mandate a specific method. FMEA, FTA, HAZOP, and preliminary hazard analysis are all acceptable approaches. What the standard requires is that the method be documented, systematic, and capable of identifying hazards and estimating risk. Most medical device manufacturers use FMEA as their primary method.

What is the difference between a hazard, a hazardous situation, and harm in ISO 14971?

A hazard is a potential source of harm — for example, excessive electrical energy in a device. A hazardous situation is a circumstance in which people, property, or the environment could be exposed to the hazard — for example, a patient contact point that can carry excessive current under a specific failure condition. Harm is the physical injury or damage to health that results. ISO 14971 requires that you trace the full sequence from hazard to harm for each risk identified.

How does ISO 14971 relate to CAPA in ISO 13485?

Your CAPA process should have a defined trigger for escalating complaints, adverse events, and nonconformances to the risk management team for evaluation. If a post-market finding reveals a previously unidentified hazard or changes the estimated probability of an existing risk, your risk file must be updated. Closing a CAPA without evaluating its implications for the risk file is one of the most common major findings in ISO 13485 surveillance audits.

What changed in ISO 14971:2019 compared to the 2007 edition?

ISO 14971:2019 introduced several substantive changes: clarified the concept of state-of-the-art and how manufacturers must use it; expanded and clarified the benefit-risk analysis process; updated the overall residual risk evaluation process; and revised the structure of the standard to align with ISO management system high-level structure conventions. Teams trained only on the 2007 edition may have gaps in their current process.


📥 Free Resources

These tools are available at no cost to support your ISO 13485 and risk management implementation:

  • ISO 13485 Gap Assessment Checklist — Free checklist for medical device manufacturers assessing their QMS against ISO 13485 requirements, including risk management obligations under Clause 7.1
  • ISO 9001 Roadmap — Step-by-step implementation guide for manufacturers building or improving a quality management system
  • Manufacturing Compliance Checklist — Practical compliance reference covering key ISO, OSHA, and quality requirements for production environments
  • Supplier Quality Checklist — Evaluation tool for assessing supplier quality controls and flow-down compliance before audits or new contracts
  • AS9100 Rev D Gap Assessment Checklist — 74-item clause-by-clause checklist for aerospace suppliers assessing their QMS before certification

Not Sure What to Do Next?

🔹 Still building your understanding of ISO 13485 requirements? Start with the ISO 13485 Implementation Roadmap — it walks through all 8 clauses and how they connect before you invest in building documentation.

🔹 Ready to implement and need training for your risk management team? Both BSI Group and ISOQAR offer ISO 13485 training with risk management integration. BSI also has a dedicated ISO 14971 e-learning course.

🔹 Need to purchase ISO 14971:2019 for your quality team? Get it from the ANSI Webstore — use code CC2026 for 5% off through December 31, 2026.


Risk management is not a documentation exercise you complete before certification and revisit every few years. It is the living framework that keeps your device safe, your quality system defensible, and your audits clean. Build it right from the start — and maintain it like the regulatory asset it is.

The Standards Navigator covers ISO 13485, ISO 14971, FDA requirements, and medical device quality management in depth. Use the resources above to move from gap to compliant.


Stay Current on Medical Device Compliance

Most teams that struggle with ISO 13485 audits are not missing knowledge — they are missing a system for keeping their risk files, documentation, and compliance processes current as requirements evolve.

Organizations that pass surveillance audits consistently have one thing in common: their quality teams are not surprised by what auditors look for. They have a process for staying ahead of requirement changes, notified body expectations, and post-market obligations.

The Standards Navigator covers ISO 13485, ISO 14971, FDA QMSR, and medical device compliance requirements in plain language for quality professionals and regulatory teams.

👉 Get updates on the medical device compliance cluster — new articles, requirement changes, and implementation guidance delivered directly to your inbox.

👉 Be first to access new free resources, including the ISO 13485 Documentation Starter Kit when it launches.

Subscribe below to stay ahead.


The Standards Navigator — Industrial Compliance. Clearly Explained.


Author: Eric Franco

I’m the creator of The Standards Navigator, a resource built to simplify ISO, OSHA, ANSI, and other industry-specific standards for businesses of all sizes. With a background in operations, quality practices, and compliance-driven environments, I focus on translating complex standards into clear, practical guidance. Through detailed guides, comparisons, implementation strategies, and audit-focused content, I help organizations confidently move toward certification and stronger operational performance.
