ISO 14971 - The Standards Navigator

Buy ISO 14971:2019 — Official PDF & Print Sources (2026 Guide)

Where to buy the official ISO 14971:2019 standard, what formats are available, how much it costs, and why purchasing from an authorized source is non-negotiable for medical device risk management — including why the superseded 2007 edition still circulating online creates real certification and regulatory risk.

Where to buy the official ISO 14971:2019 standard, what formats are available, how much it costs, and why purchasing from an authorized source is non-negotiable for medical device risk management.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

📥 Free ISO 13485 & ISO 14971 Implementation Checklist — Confirm you have every required risk management document before your first certification audit. → [Download Free Checklist]

ISO 14971 Is No Longer Optional for Medical Device Manufacturers

ISO 14971:2019 was already the international standard for medical device risk management. Since February 2, 2026, it carries additional weight: the FDA’s Quality Management System Regulation (QMSR) incorporated ISO 13485:2016 by reference — and ISO 13485 explicitly requires risk management per ISO 14971. That means ISO 14971 is now embedded in U.S. regulatory expectations for every manufacturer subject to 21 CFR Part 820.

FDA investigators operating under Compliance Program 7382.850 are expected to use the risk management file as their inspection roadmap — following risk documentation into design controls, CAPA, supplier qualification, and post-market surveillance. If your risk management program is not built on ISO 14971, that gap will surface under QMSR inspection.

This guide covers exactly where to buy the official ISO 14971:2019 standard, what formats are available, how much it costs, and what to watch out for when purchasing.

⚠️ The QMSR compliance date has passed (February 2, 2026). Organizations that have not yet integrated ISO 14971 across their quality system are operating with a gap that FDA inspectors are actively evaluating.

In This Guide

What ISO 14971:2019 is and what changed from the 2007 edition
Which edition you need — 2019 vs 2007
Where to buy the official standard from authorized sources
Available formats — PDF, print, multi-user, and bundles
How much ISO 14971:2019 costs
Who needs to purchase the standard
What ISO 14971 does NOT include
Common purchasing mistakes to avoid
Related standards you will also need

👉 Start Here (Top Resources)

👉 Purchase the official ISO 14971:2019 standard — the current edition for all medical device risk management programs → ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026. ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits.

👉 Purchase the required companion — ISO 13485:2016 → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off. ISO 14971 cannot be implemented in isolation — it is a required companion to ISO 13485 and must be purchased and controlled as an external document within your QMS.

👉 Save up to 50% buying both standards together → ISO Standards Packages — ANSI Webstore — the most cost-effective option for organizations purchasing ISO 14971 alongside ISO 13485 and related standards.

👉 Get ISO 13485 training covering risk management requirements → BSI Group ISO 13485 Training — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.

👉 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification — ISOQAR is a UKAS-accredited certification body, one of the most recognized in the industry for ISO 13485 certification.

What Is ISO 14971:2019?

Feature image for an ISO 14971 guide showing medical device risk management concepts, lifecycle risk controls, and the relationship between ISO 14971, ISO 13485, and FDA QMSR requirements. — ISO 14971 is the required risk management framework for medical devices, embedding risk analysis and control throughout the product lifecycle and supporting ISO 13485 and FDA QMSR compliance.

ISO 14971:2019 — Medical Devices: Application of Risk Management to Medical Devices — is the international standard defining the process for identifying hazards associated with medical devices, estimating and evaluating associated risks, controlling those risks, and monitoring the effectiveness of those controls throughout the device lifecycle.

The standard is published by the International Organization for Standardization and is recognized globally as the baseline risk management framework for medical device manufacturers. It applies to all device classes — from Class I low-risk devices through Class III implantables — and to every organization involved in the device lifecycle: manufacturers, component suppliers, contract manufacturers, and service providers.

ISO 14971 does one thing with precision: it defines a formal, documented, lifecycle-integrated process for managing risk in medical device development and manufacturing. Nothing else in the ISO 13485 framework tells you how to manage risk — that is ISO 14971’s job.

Key updates in the 2019 edition include clarified terminology aligned with ISO/IEC Guide 63, updated requirements for risk management plan documentation, strengthened requirements for production and post-production information, and enhanced guidance on benefit-risk analysis. The 2019 edition also removed references to ALARP (As Low As Reasonably Practicable) — replacing it with a more precise framework for determining risk acceptability. For the complete breakdown of what the standard requires, see What Is ISO 14971? — Complete Guide.

ISO 14971:2019 vs ISO 14971:2007 — Which Do You Need?

Situation	Edition to Purchase
New risk management program — first implementation	ISO 14971:2019
Currently using ISO 14971:2007 — planning update	ISO 14971:2019
Pursuing ISO 13485 certification	ISO 14971:2019
Subject to FDA QMSR (21 CFR Part 820)	ISO 14971:2019
EU MDR technical documentation	ISO 14971:2019
Researching risk management before committing	ISO 14971:2019

The answer in every case is ISO 14971:2019. The 2007 edition has been superseded. ISO 13485:2016 references ISO 14971 — and certification bodies audit against the current edition. The QMSR regulatory expectation is built on ISO 13485:2016, which requires current-edition conformance.

If your organization is still operating a risk management program built on ISO 14971:2007, purchasing the 2019 edition and conducting a gap assessment is your first step. The changes are substantive enough that a documented gap assessment is expected before your next certification audit.

→ ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

Where to Buy ISO 14971:2019 — Official Sources Only

ISO standards are copyrighted intellectual property. They are not available as free downloads and must be purchased from authorized distributors. Every “free ISO 14971 PDF” circulating online is an unauthorized copy — typically an outdated 2007 edition, an incomplete document, or an altered version. Using an unauthorized copy for risk management program development introduces certification risk and potential regulatory exposure simultaneously.

Certification bodies audit against the precise wording of the current official standard. A risk management file built from an outdated or incomplete copy will generate nonconformances — costing far more in audit findings and corrective action cycles than the official document.

Provider	What You Get	Price Range	Best For	Link
ANSI Webstore	Official current edition, immediate PDF delivery, audit-accepted	$150–$200	U.S.-based organizations — official distributor, CC2026 coupon available	Buy Here
ISO.org Store	Official current edition directly from publisher	$158–$198	International buyers outside the U.S.	iso.org/store
ANSI Bundle Package	ISO 14971 + ISO 13485 + related standards	$300–$500	Organizations purchasing multiple medical device standards — significant savings	Bundle Here

Where to buy ISO standards comparison showing ANSI Webstore, ISO Store, and other resellers with pros and risks — Compare ANSI, ISO, and other sources to safely buy ISO standards for certification and compliance

ANSI Webstore is the recommended source for U.S.-based organizations. ANSI is the official U.S. distributor of ISO standards — purchasing through ANSI guarantees the current edition, complete document, licensed PDF with immediate delivery, and a recognized distributor credential accepted by all certification bodies and regulatory authorities.

→ Use coupon code CC2026 for 5% off ISO and IEC standards at the ANSI Webstore through December 31, 2026

At this point, most organizations purchasing ISO 14971 for the first time should: → Purchase the bundle including ISO 13485:2016 and ISO 14971:2019 together from ANSI Standard Packages — the savings over individual purchases typically cover the cost of training materials, and you need both documents on hand before implementation begins.

ISO 14971 Formats Available

Format	Price Range	Best For	Notes
Single-user PDF	$150–$200	Individual quality managers and risk managers	Immediate delivery, searchable — cannot be shared simultaneously
Printed copy	$170–$220	Risk management teams, controlled document environments	Useful for annotating during implementation — slightly higher cost
Multi-user license	Contact ANSI	Organizations with multiple simultaneous users	Required if multiple team members need access at the same time
Bundle with ISO 13485	$300–$500	Any organization implementing ISO 13485	Best value — you need both; bundle saves 30–50% vs individual

Single-user PDF is the most common choice for quality managers implementing risk management programs. It is immediately accessible after purchase, searchable by clause number, and sufficient for a single implementer building the risk management framework.

Important licensing rule: A single-user PDF license cannot legally be shared across your organization. If your risk management team, design engineers, and regulatory affairs personnel all need simultaneous access, a multi-user license is required. Sharing a single-user PDF via email or shared drive violates the license terms — a detail that is often overlooked during implementation and can create legal exposure.

If you are implementing both ISO 14971 and ISO 13485, purchase them as a bundle. You will need both on hand from day one of your gap assessment — and the bundle consistently saves more than the coupon alone.

→ ISO Standards Packages — Save up to 50%

How Much Does ISO 14971:2019 Cost?

Item	Typical Price	Notes
Single-user PDF	$150–$200	Standard purchase from ANSI Webstore
Printed copy	$170–$220	Physical copy for reference
Multi-user license	Varies	Contact ANSI for pricing
Bundle: ISO 14971 + ISO 13485	$300–$500	Saves 30–50% vs individual purchase
Bundle: ISO 14971 + ISO 13485 + ISO 13485 collection	$350–$600	Full medical device standards set

Use coupon CC2026 for 5% off at ANSI through December 31, 2026 → Apply at ANSI

In the context of total ISO 13485 certification costs — which range from $15,000 to $100,000+ for most organizations — the ISO 14971 standard purchase is the lowest-cost line item in your entire budget. It is also the one with the highest leverage on audit outcomes. A risk management file built from the correct current edition is foundational. Everything else in your QMS depends on it.

For the complete ISO 13485 certification cost breakdown, see How Much Does ISO 13485 Cost?

Who Needs to Purchase ISO 14971?

ISO 14971:2019 must be purchased by anyone responsible for building, implementing, auditing, or maintaining a medical device risk management program. Specifically:

Risk managers and quality managers building a risk management program from scratch or updating from ISO 14971:2007 — the standard is the only authoritative source for what the process requires. Implementing from a summary or training slide deck rather than the official document is one of the most common reasons risk management files fail certification audits.

Design engineers and product development teams at organizations with design responsibility — risk management under ISO 14971 begins at design input and runs through every design stage. Engineers performing hazard analysis, risk estimation, and risk control selection need the standard directly.

Internal auditors conducting ISO 13485 internal audits — you cannot audit risk management effectiveness against a standard you have not read. Clause 7.1, 7.3, and the full risk management integration requirements across ISO 13485 require familiarity with ISO 14971 clause requirements.

Regulatory affairs professionals preparing FDA QMSR compliance documentation or EU MDR technical files — both regulatory frameworks expect ISO 14971 conformance, and regulatory submissions are evaluated against the standard’s exact requirements.

Organizations currently certified to ISO 14971:2007 planning their 2019 edition gap assessment — purchasing the 2019 edition is step one. The gap assessment cannot be conducted without it.

If you are at this stage:

If you are a quality manager building your first ISO 14971-based risk management program → purchase ISO 14971:2019 and ISO 13485:2016 together from ANSI Standard Packages, then enroll your team in BSI Group ISO 13485 Training before documentation development begins.

If you are currently ISO 14971:2007 compliant and planning your 2019 transition → purchase the 2019 edition, conduct a documented gap assessment focused on the ALARP removal, updated risk acceptability criteria, and post-production information requirements, and update your risk management plan before your next surveillance audit.

If you are a component supplier entering the medical device supply chain → your OEM customer will require ISO 14971-aligned risk management as part of supplier qualification. Purchase the standard before your first supplier audit.

What ISO 14971 Does NOT Include

Understanding what you are not buying is as important as understanding what you are.

ISO 14971 does not provide device-specific risk acceptability criteria. The standard defines the process for determining risk acceptability — it does not tell you what the acceptable residual risk level is for your specific device. That determination is your organization’s responsibility, informed by applicable regulations, clinical data, and the state of the art.

ISO 14971 does not replace clinical evaluation. Risk management and clinical evaluation are complementary but distinct requirements under ISO 13485 and EU MDR. ISO 14971 covers the risk management process — clinical evaluation has its own standards and guidance documents.

ISO 14971 does not provide implementation templates. The standard defines requirements — your organization must build the risk management plan, hazard identification tools, risk estimation worksheets, and risk control documentation. For ready-to-use ISO 13485 QMS documentation including risk management templates, see 9001Simplified Documentation Kits. 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS from scratch.

ISO 14971 does not satisfy IEC 62304. Organizations developing medical device software need IEC 62304 — software lifecycle processes for medical devices — in addition to ISO 14971. The two standards work together but address different scopes.

Common Purchasing Mistakes to Avoid

Buying ISO 14971:2007 instead of ISO 14971:2019. The 2007 edition is superseded. Third-party sellers frequently carry outdated editions without clear disclosure. Always verify the edition year before completing a purchase. If a price seems unusually low, check the edition.

Downloading unauthorized copies. Every “free ISO 14971 PDF” found through a search engine is an unauthorized copy — typically the 2007 edition, an incomplete document, or an altered version. Using it for risk management program development introduces certification risk. The standard costs $150–$200. A major nonconformance at Stage 2 costs multiples of that in re-audit fees and timeline delays.

Purchasing without checking the edition date. Even on legitimate platforms, searching “ISO 14971” can surface the 2007 edition alongside the 2019 edition. Always confirm “ISO 14971:2019” before adding to cart.

Treating ISO 14971 as a design-only requirement. The most common QMSR and ISO 13485 gap is a risk management program that lives only in design files. Under QMSR, risk-based thinking extends across supplier qualification, production processes, CAPA, complaint handling, and post-market surveillance. Purchasing the standard is step one — reading Clauses 3, 8, and 9 in their entirety is what reveals the full scope of implementation required.

Sharing a single-user PDF with your team. A single-user license covers one user. Sharing via email or shared drive violates the license terms. If multiple team members need simultaneous access, purchase a multi-user license.

Purchasing ISO 14971 without ISO 13485. ISO 14971 does not stand alone in a medical device QMS context. It is a required companion to ISO 13485 — and you need both documents to implement either correctly. Purchase them together.

At this point, most organizations who have identified they need ISO 14971 should: → Purchase the ISO Standards Bundle including ISO 14971:2019 and ISO 13485:2016 together — this is the lowest-cost, most operationally complete starting point for any medical device risk management implementation.

Why Organizations Delay This — And What It Costs Them

The most common reason manufacturers delay purchasing ISO 14971 and building a compliant risk management program is the belief that it can be addressed “during the certification project.”

Here is what consistently happens instead:

Organizations that arrive at Stage 1 of their ISO 13485 certification audit without a documented, ISO 14971-based risk management program receive a major nonconformance — delaying Stage 2 by 3–6 months and adding $5,000–$15,000 in re-audit fees and consultant costs. The risk management file is one of the first things a certification body auditor reviews.

Under QMSR, the stakes are higher. FDA investigators under CP 7382.850 use the risk management file as their inspection roadmap. An absent or inadequate risk management program does not just generate a finding — it gives the inspector a thread to pull through design controls, CAPA, and supplier qualification simultaneously.

The organizations that move first — purchasing the standard, conducting the gap assessment, and building ISO 14971 integration across the QMS before the certification audit — consistently report shorter audit cycles, fewer findings, and lower total certification costs. The ones that treat risk management as a later step discover that it is actually the foundation everything else is audited against.

📥 Free ISO 13485 & ISO 14971 Implementation Checklist — Identify your top 5 risk management gaps before your certification audit. → [Download Free Checklist]

ISO 14971 does not operate in isolation. Organizations building a medical device QMS will need these companion standards:

Standard	Purpose	Relationship to ISO 14971	Where to Buy
ISO 13485:2016	Medical device QMS requirements	Requires ISO 14971 throughout — cannot be implemented without it	ANSI Webstore
ISO/TR 24971:2020	Guidance on ISO 14971 application	Non-mandatory companion — practical guidance on applying ISO 14971 requirements	ANSI Webstore
IEC 62304	Software lifecycle for medical devices	Complements ISO 14971 for software risk management	ANSI Webstore
ISO 9001:2015	General QMS foundation	Useful reference for organizations building ISO 13485 on an existing ISO 9001 foundation	ANSI Webstore

Organizations implementing ISO 13485 for the first time should prioritize: ISO 14971:2019 + ISO 13485:2016. These two documents together define what your QMS must do and how risk must be managed within it.

→ Save up to 50% on ISO Standards Packages — ANSI Webstore

Frequently Asked Questions

What is ISO 14971:2019?

ISO 14971:2019 is the current edition of the international standard for risk management for medical devices. It defines the process for identifying hazards associated with medical devices, estimating and evaluating risks, implementing risk controls, and monitoring effectiveness throughout the device lifecycle. It is a required companion standard to ISO 13485:2016.

Is ISO 14971 required for ISO 13485 certification?

Yes — ISO 13485 explicitly requires risk management per ISO 14971 throughout the QMS. Certification bodies audit risk management processes against ISO 14971 requirements. Under the FDA’s QMSR, ISO 14971 conformance is embedded in U.S. regulatory expectations for all manufacturers subject to 21 CFR Part 820.

What is the difference between ISO 14971:2019 and ISO 14971:2007?

The 2019 edition clarified terminology, updated the risk acceptability framework by removing ALARP references, strengthened post-production information requirements, and enhanced benefit-risk analysis guidance. Any organization currently using the 2007 edition should conduct a gap assessment and transition to the 2019 edition before their next certification audit.

Where is the best place to buy ISO 14971:2019?

The ANSI Webstore is the recommended source for U.S. organizations — it is the authorized U.S. distributor for ISO standards and guarantees the current edition. Use coupon CC2026 for 5% off through December 31, 2026. → ISO 14971:2019 — ANSI Webstore

Can I share my ISO 14971 PDF with my design team?

No — a single-user PDF license cannot be shared simultaneously. If multiple team members need access at the same time, purchase a multi-user license or individual copies. Physically sharing a printed copy sequentially is permitted.

Do I need both ISO 14971 and ISO 13485?

Yes. ISO 14971 and ISO 13485 are required companions — neither can be fully implemented without the other. ISO 13485 defines your QMS framework; ISO 14971 defines how risk must be managed within it. Purchase them together for the best value. → ISO Standards Packages — Save up to 50%

Does ISO 14971 apply to software?

ISO 14971 applies to risk management for medical devices including software as a medical device (SaMD). For the software development lifecycle specifically, IEC 62304 is the companion standard. Risk management under ISO 14971 and software lifecycle management under IEC 62304 are intended to be implemented together.

What is ISO/TR 24971?

ISO/TR 24971:2020 is a technical report providing guidance on the application of ISO 14971. It is not a requirement — it is a non-mandatory companion document offering practical interpretation and application examples. Organizations new to ISO 14971 often find it valuable alongside the standard itself.

How much does ISO 14971:2019 cost?

A single-user PDF typically costs $150–$200 from the ANSI Webstore. Use coupon CC2026 for 5% off through December 31, 2026. Bundles including ISO 14971 with ISO 13485 offer savings of 30–50% compared to individual purchases.

📥 Free Resources

👉 Free ISO 13485 & ISO 14971 Implementation Checklist — Verify every required risk management document is in place before your certification audit 👉 Manufacturing Compliance Checklist — Assess your current compliance status across quality, environmental, and safety requirements 👉 Supplier Quality Checklist — Supplier qualification requirements applicable to medical device supply chains

Not Sure What to Do Next?

◆ You need the official ISO 14971:2019 standard → ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

◆ You need the required companion standard ISO 13485:2016 → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

◆ You want to save buying both standards together → Save up to 50% on ISO Standards Packages — ANSI Webstore

◆ You need ISO 13485 training covering risk management requirements → BSI Group ISO 13485 Training

◆ You are ready to pursue ISO 13485 certification → ISOQAR ISO 13485 Certification

◆ You want to understand what ISO 14971 requires → What Is ISO 14971? — Complete Guide

◆ You want to understand the full FDA QMSR transition → FDA QSR vs ISO 13485: The Complete QMSR Transition Guide

◆ You want to understand how ISO 9001 and ISO 13485 differ → ISO 9001 vs ISO 13485 — Key Differences

◆ You want to understand what ISO 13485 requires → What Is ISO 13485? — Complete Guide

◆ You want to understand certification costs → How Much Does ISO 13485 Cost? → ISO Certification Cost Calculator

◆ You want to choose the right certification body → Best ISO Certification Bodies — Ranked & Reviewed

Still figuring out where to start?

If you are not ready to purchase yet — that is normal. ISO 14971 implementation decisions typically take 2–4 weeks from first research to commitment as organizations assess their current risk management program against what certification auditors expect.

The best next step for most organizations at this stage: → Download the free ISO 13485 & ISO 14971 Implementation Checklist — it takes 20 minutes and tells you exactly where your gaps are before you spend anything.

📥 [Download Free Checklist]

The Standard That Makes Everything Else Auditable

ISO 14971 is not a box to check. It is the document that makes every other part of your medical device QMS auditable — design controls, CAPA, supplier qualification, complaint handling, and post-market surveillance all connect back to the risk management file when a certification auditor or FDA investigator starts pulling threads.

Organizations that purchase the official standard, read it completely, and build their risk management program against its actual requirements consistently report fewer findings, shorter audit cycles, and lower total certification costs. The ones that work from summaries, training slides, or outdated editions discover those shortcuts at the worst possible moment.

The standard costs $150–$200. A failed Stage 2 audit costs multiples of that. Buy the official edition.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

ISO 14971 vs ISO 13485: What’s the Difference and How Do They Work Together? (2026 Guide)

ISO 13485 requires risk management throughout the quality management system. ISO 14971 defines exactly how that risk management must be conducted. This guide covers the precise differences between the two standards, where they integrate clause by clause, and what the FDA’s QMSR means for both.

Last Updated: May 2026

ISO 13485 requires risk management. ISO 14971 defines how to do it. Understanding the precise relationship between these two standards — and what it means under the FDA’s QMSR — is the difference between a QMS that holds up under inspection and one that doesn’t.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

📋 Free Download: ISO 13485 Gap Assessment Checklist Identify your compliance gaps before your first audit — 64 items across 7 sections including ISO 14971 risk management integration and all four FDA QMSR bridge requirements. Download Free Checklist

ISO 13485 Tells You to Manage Risk. ISO 14971 Tells You How.

That single sentence is the most important thing to understand about the relationship between these two standards — and it’s the part most manufacturers either misread or oversimplify.

ISO 13485:2016 is a quality management system standard. It requires risk-based thinking throughout the QMS — in design and development planning, production controls, supplier controls, complaint handling, and post-market surveillance. It references ISO 14971 in a note to Clause 7.1. But it does not specify how risk management must be conducted. It tells you risk management is required. ISO 14971 tells you how to do it.

ISO 14971:2019 is a risk management standard. It provides the structured framework — hazard identification, risk estimation, risk evaluation, risk control, overall residual risk evaluation, risk management review, and post-production monitoring — that gives ISO 13485’s risk management requirements their practical content.

Together they form the twin pillars of medical device quality and safety assurance. Neither is complete without the other for a manufacturer operating in any major regulated market. And under the FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, the relationship between the two standards now carries federal regulatory weight.

In This Guide

What ISO 13485 covers and what it requires on risk
What ISO 14971 covers and what it adds
The key differences between the two standards
The precise points where ISO 13485 references ISO 14971
The important nuance about whether ISO 14971 is truly mandatory
How the FDA QMSR changes the practical answer to that question
How to implement both standards together
Which standard to buy first and why
Frequently asked questions

✅ Start Here (Top Resources)

📋 Buy ISO 13485:2016 (official standard) → ANSI Webstore — ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits. Use coupon CC2026 for 5% off.

📋 Buy ISO 14971:2019 (required companion) → ANSI Webstore — Purchase both standards together for maximum savings. Use coupon CC2026 for 5% off.

📋 Save buying both standards → ISO Standards Bundles — Up to 50% Off — Purchasing ISO 13485 and ISO 14971 as a bundle through the ANSI Webstore saves significantly compared to individual purchases.

📋 Get ISO 13485 trained before implementation → BSI Group ISO 13485 Training — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.

📋 Get ISO 13485 certified → ISOQAR ISO 13485 Certification — ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.

What Is ISO 13485?

Medical device quality management infographic showing ISO 13485 certification concept with medical equipment and headline “What Is ISO 13485? Complete Guide (2026)”. — ISO 13485 defines the quality management system requirements for medical device manufacturers, focusing on regulatory compliance, risk management, and consistent product quality.

ISO 13485:2016 is the international standard for quality management systems specific to the medical device industry. It specifies requirements for a QMS that enables an organization to consistently design, develop, produce, and deliver safe and effective medical devices and related services.

ISO 13485 is used as the baseline QMS framework by regulatory authorities and certification bodies in most major medical device markets — including Health Canada, the EU MDR, MDSAP, and since February 2, 2026, the FDA’s QMSR under 21 CFR Part 820.

ISO 13485 covers the full scope of quality management system requirements:

Context of the organization and QMS scope
Management responsibility, quality policy, and management review
Resource management — personnel, infrastructure, and work environment
Product realization — design and development, purchasing, production, and service provision
Measurement, analysis, and improvement — internal audits, complaint handling, CAPA, and corrective action

What ISO 13485 requires on risk: ISO 13485 requires risk-based thinking throughout the quality management system. Risk management must be planned as part of product realization (Clause 7.1), integrated into design and development (Clause 7.3), applied to supplier controls (Clause 7.4), and fed by post-market surveillance feedback (Clause 8.2). The standard references ISO 14971 explicitly in its Clause 7.1 note and implicitly throughout its design and development requirements.

What ISO 13485 does not do is specify the methodology for risk management. It does not define how to identify hazards, estimate risks, evaluate acceptability, or control residual risk. That is what ISO 14971 does.

For a complete overview of ISO 13485 requirements, see What Is ISO 13485? Complete Guide.

What Is ISO 14971?

ISO 14971:2019 is the international standard for the application of risk management to medical devices. It provides the structured methodology — terminology, principles, and process — for identifying hazards, estimating and evaluating risks, implementing risk controls, and monitoring risk throughout the entire device lifecycle.

ISO 14971 covers:

Risk management planning — scope, lifecycle phases, risk acceptability criteria
Hazard identification — under both normal use and fault conditions
Risk estimation — probability of harm and severity of harm
Risk evaluation — comparison against acceptability criteria
Risk control — priority order: design, protective measures, information for safety
Evaluation of overall residual risk — including benefit-risk analysis where required
Risk management review — pre-release review with identified reviewers
Production and post-production information — systematic feedback into the risk management file

What ISO 14971 adds beyond ISO 13485: While ISO 13485 says risk management is required throughout the QMS, ISO 14971 specifies exactly how that risk management must be structured, documented, and maintained. The Risk Management File (RMF) — the central documentation output of the ISO 14971 process — is the evidence base that demonstrates a manufacturer has systematically identified hazards, evaluated risks, implemented controls, and monitored effectiveness.

For a complete overview of ISO 14971 requirements, see What Is ISO 14971? Risk Management for Medical Devices Explained.

ISO 14971 vs ISO 13485 — Key Differences

Element	ISO 13485:2016	ISO 14971:2019
Standard type	Quality management system standard	Risk management standard
Purpose	Define QMS requirements for medical device manufacturers	Define the risk management process for medical devices
Scope	Entire quality management system	Risk management specifically
Risk coverage	Requires risk-based thinking throughout QMS	Specifies how risk management must be conducted
Key output	Certified, compliant QMS	Risk Management File (RMF)
Certification	Certifiable — third-party certification available	Not certifiable on its own
Published by	ISO Technical Committee 210 (ISO/TC 210)	ISO Technical Committee 210 (ISO/TC 210)
Current edition	ISO 13485:2016	ISO 14971:2019
Applies to	Manufacturers, suppliers, contract manufacturers	All organizations involved in device lifecycle
Risk methodology	Not specified	Six-step structured process
Hazard analysis	Referenced but not detailed	Defined in detail
Risk Management File	Not specified	Required
Benefit-risk analysis	Not addressed	Required when overall residual risk is unacceptable
Post-production monitoring	Addressed through complaint handling and feedback	Explicitly required as ongoing RMF input
QMSR status	Incorporated by reference into 21 CFR Part 820	Expected framework; referenced through ISO 13485

Best for:

ISO 13485: Any organization that designs, manufactures, or supplies medical devices and needs a certified quality management system
ISO 14971: The same organizations — it provides the risk management methodology that ISO 13485’s requirements assume is in place

Where ISO 13485 References ISO 14971

Infographic mapping ISO 13485 clauses to corresponding ISO 14971 risk management requirements, showing how quality management processes trigger risk management activities across the medical device lifecycle. — ISO 13485 establishes quality system requirements, while ISO 14971 provides the risk management framework that connects planning, design, purchasing, feedback, and improvement activities throughout the medical device lifecycle.

ISO 13485 references ISO 14971 at specific points throughout its clause structure. Understanding exactly where these references occur is critical for building a compliant integrated system.

Clause 7.1 — Planning of Product Realization

Clause 7.1 requires that risk management activities be planned as part of product realization. The note to this clause states: “Further information can be found in ISO 14971.” This is the most direct reference to ISO 14971 in the standard.

Clause 7.3 — Design and Development

The design and development requirements of ISO 13485 are where ISO 14971 integration is most intensive. Design inputs must include risk management outputs. Design verification and validation activities must address risks. The Design and Development File (DDF) must reference risk management records.

Clause 7.4 — Purchasing

ISO 13485 Clause 7.4 requires that purchasing controls be proportionate to the risk the external provider poses to the finished device. The extent of supplier qualification, incoming inspection, and monitoring is determined by risk — which requires a risk framework to apply.

Clause 8.2 — Monitoring and Measurement

Post-market surveillance and complaint handling data collected under Clause 8.2 must feed back into the risk management process. ISO 14971 Clause 11 (Production and Post-Production Information) specifies how this information must be systematically reviewed and how it triggers updates to the Risk Management File.

Clause 8.5 — Improvement

CAPA activities under Clause 8.5 must consider risk. Significant quality failures identified through corrective action must evaluate whether the risk management file needs to be updated — connecting the two standards at the improvement level of the QMS.

At this point, most organizations beginning ISO 13485 implementation should:

📋 Purchase both ISO 13485:2016 and ISO 14971:2019 together as a bundle — the clause-by-clause integration means implementing one without the other creates immediate documentation gaps that auditors will identify.

→ ISO Standards Bundle — ANSI Webstore — Save up to 50% purchasing both standards together

Is ISO 14971 Actually Mandatory Under ISO 13485?

This is one of the most debated questions in the medical device quality community, and the honest answer is more nuanced than most articles present.

The technical answer: ISO 14971 is not formally mandated by ISO 13485. The reference in Clause 7.1 is a note — informative guidance, not a normative requirement. A manufacturer could theoretically implement a risk management process using a different methodology and still demonstrate conformance to ISO 13485’s risk-based requirements.

The practical answer: In the real world, ISO 14971 is effectively mandatory for any organization pursuing ISO 13485 certification or operating in regulated markets. Here’s why:

Certification bodies expect it. When a UKAS-accredited certification body audits your ISO 13485 QMS, the auditors evaluating your risk management program will be assessing it against the ISO 14971 framework — because that is the internationally recognized methodology for medical device risk management. A risk management program that doesn’t follow ISO 14971’s structure will face significant findings regardless of the technical argument about normative versus informative references.

Regulatory bodies reference it. The EU MDR, Health Canada, TGA, and MDSAP all reference ISO 14971 as the expected risk management framework. Operating without it creates regulatory exposure in every major market.

FDA QMSR changes the equation significantly — which brings us to the most important development of 2026.

The QMSR Changes the Practical Answer

The FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, incorporated ISO 13485:2016 by reference into 21 CFR Part 820. Since ISO 13485 explicitly references ISO 14971, that reference now carries federal regulatory weight.

Under the FDA’s new inspection program — Compliance Program 7382.850 — FDA investigators are expected to start inspections by reviewing the risk management file and following risk documentation into other quality system areas. The risk management file is the inspection roadmap. If your risk management program is not structured against ISO 14971, your risk management file will not hold up under that inspection approach.

Additionally, the QMSR extended risk management expectations beyond design controls — where the old QSR concentrated them — to the entire quality system. This is precisely what ISO 14971 requires: risk management planning, hazard identification, risk control, and post-production monitoring integrated across the device lifecycle, not just in the design phase.

The bottom line under QMSR: Whether or not ISO 14971 is technically mandatory in the normative sense of ISO 13485, it is the framework FDA investigators will use to evaluate your risk management program. Operating without it under the current inspection regime is an inspection liability.

⚠️ QMSR effective February 2, 2026: If your risk management program is not built on the ISO 14971 framework, this is your highest-priority gap for QMSR compliance.

For the complete QMSR transition guide, see FDA QSR vs ISO 13485 — The Complete QMSR Transition Guide.

How the Two Standards Work Together in Practice

The integration of ISO 13485 and ISO 14971 is not a separate parallel process — it is woven into how the QMS functions. Here is how the two standards interact at each stage of the device lifecycle:

Concept and Planning Stage

ISO 13485 Clause 7.1 requires risk management to be planned as part of product realization. ISO 14971 provides the Risk Management Plan — the document that defines scope, lifecycle phases, risk acceptability criteria, and the methods that will be used throughout the device’s life.

Design and Development

ISO 13485 Clause 7.3 requires design inputs to include risk management outputs and design outputs to be reviewed against inputs. ISO 14971 provides hazard identification and risk analysis — the outputs of which flow directly into design input requirements, design verification criteria, and design validation protocols.

Purchasing and Supplier Controls

ISO 13485 Clause 7.4 requires supplier controls proportionate to supplier risk. ISO 14971’s risk framework defines what “risk” means in this context — the severity and probability of harm that could result from supplier failures. Risk level drives supplier classification, incoming inspection intensity, and qualification requirements.

Production

ISO 13485 Clause 7.5 requires controlled production conditions and validation of special processes. Risk management under ISO 14971 determines which processes require validation (those where outputs cannot be fully verified) and what monitoring is required during production.

Post-Market Surveillance and CAPA

ISO 13485 Clause 8.2 requires systematic collection of post-market information. ISO 14971 Clause 11 requires that production and post-production information be systematically reviewed and fed back into the risk management file. When complaint data or CAPA findings reveal new hazards or indicate that risk estimates were incorrect, the Risk Management File must be updated.

This is where the most common gap exists in practice: organizations that treat risk management as a design-phase deliverable and do not maintain the connection between post-market data and the risk management file. Under QMSR, this gap is visible to FDA investigators within the first day of an inspection.

📋 Free Download: ISO 13485 Gap Assessment Checklist Section 6 covers ISO 14971 risk management integration specifically — risk management plan requirements, RMF structure and completeness, post-production feedback, and QMSR inspection implications. Download Free Checklist

The Risk Management File — Where They Intersect Most Clearly

Infographic comparing ISO 9001 risk-based thinking with ISO 13485 and ISO 14971 medical device risk management requirements using an integrated Venn diagram layout. — Both standards require risk management — but the depth and formality differ significantly. ISO 9001 uses general risk-based thinking, while ISO 13485 requires formal medical device risk management aligned with ISO 14971 throughout the product lifecycle.

The Risk Management File (RMF) is the single most important integration point between ISO 13485 and ISO 14971. It is the documentation output of the ISO 14971 process, and it is the record that connects risk management to every other element of the ISO 13485 QMS.

The RMF is not a single document. It is an organized collection of records that includes:

Risk Management Plan — scope, lifecycle phases, acceptability criteria, methodology
Risk analysis records — hazard identification, risk estimation
Risk evaluation records — comparison against acceptability criteria
Risk control records — selected measures, implementation records, verification
Overall residual risk evaluation — benefit-risk analysis where required
Risk Management Review — pre-release review with identified reviewers
Post-production information records — systematic review of real-world performance data

Under ISO 13485, the DDF (Design and Development File) must contain or reference risk management records. Under the QMSR and CP 7382.850, the RMF is where FDA investigators begin their inspection — tracing risk documentation into design controls, CAPA, complaint handling, and post-market surveillance.

A Risk Management File that was completed at device release and has not been updated since is one of the most common and most significant findings under the current inspection approach. The RMF is a living document. It must be updated throughout the device’s commercial life as post-production information is gathered and evaluated.

If your organization is already ISO 13485 certified and is assessing QMSR readiness, the current state of your Risk Management File is the single most important thing to evaluate first.

At this point, most organizations preparing for QMSR inspection should:

📋 Conduct a formal review of whether your Risk Management File has been updated since device release — and whether post-market complaint and CAPA data is systematically feeding into it. This is the highest-frequency inspection gap under CP 7382.850.

From the Shop Floor

After 25 years in heavy industrial manufacturing and quality systems, the most consistent pattern I see when organizations implement both ISO 13485 and ISO 14971 is this: they implement risk management well during design and development, and then they stop.

The Risk Management File is completed before device release. The risk management review is signed off. The certification audit passes. And then for the next three years, every complaint, every CAPA, every production nonconformance is handled in its own system — with no connection back to the risk management file that is supposed to be the living record of everything known about how the device can cause harm.

Three years later, an FDA investigator arrives under CP 7382.850 with the risk management file as their starting point. They trace a complaint about device malfunction into the CAPA system. They find a corrective action that was opened and closed. They look for the connection back to the risk management file — the evaluation of whether this complaint revealed a new hazard or indicated that an existing risk estimate was incorrect. The connection doesn’t exist.

That is not an ISO 13485 finding. It is not an ISO 14971 finding. It is a QMSR finding, because under the QMSR that connection is an expected element of a functioning integrated quality and risk management system.

The organizations that handle this well are the ones that treat the RMF update as a standing agenda item in management review — not a corrective action triggered by an audit finding. Post-market data goes into the RMF review process because the system requires it, not because an investigator asked for it.

That is what the integration of ISO 13485 and ISO 14971 is supposed to produce. It is also what separates manufacturers who pass inspections from those who merely survive them.

Which Standard Do You Buy First?

Both ISO 13485 and ISO 14971 are required for any serious medical device quality management implementation. The practical question is which to acquire and read first.

Buy ISO 13485 first if your organization is beginning the certification journey. ISO 13485 defines the overall QMS framework — understanding its requirements first gives you the context for understanding where and why ISO 14971 integrates.

Buy ISO 14971 immediately after — or together as a bundle. You cannot build a compliant risk management program from summaries or paraphrases. Both standards must be purchased, controlled as external documents within your QMS (as required under QMSR), and read by the people building your system.

For a complete overview of available medical device standards, see the Standards Library — Medical Devices Section.

The bundle option saves significantly. The ANSI Webstore offers the ISO 13485 and ISO/TR 14969 Quality Management Systems Medical Devices Package which includes both documents together at a meaningful discount versus individual purchases.

📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off

📋 ISO Standards Bundle — Save up to 50%

Frequently Asked Questions

What is the main difference between ISO 14971 and ISO 13485?

ISO 13485 is a quality management system standard that defines what a medical device manufacturer’s QMS must cover — including the requirement that risk management be applied throughout the system. ISO 14971 is a risk management standard that defines how risk management must be conducted — the six-step process, the required documentation, and the Risk Management File structure. ISO 13485 requires risk management. ISO 14971 specifies how to do it.

Is ISO 14971 required if you have ISO 13485?

ISO 14971 is not formally mandated by ISO 13485’s normative requirements — the reference in Clause 7.1 is a note, not a normative requirement. However, certification bodies evaluate risk management programs against the ISO 14971 framework, and under the FDA’s QMSR (effective February 2, 2026), risk management expectations now carry federal regulatory weight. For practical purposes, ISO 14971 is effectively required for any organization pursuing ISO 13485 certification or operating in regulated markets.

Can you be certified to ISO 14971?

No. ISO 14971 is not a certifiable standard — there is no third-party certification to ISO 14971 itself. ISO 13485 is the certifiable standard. However, ISO 13485 certification implicitly requires that risk management is conducted in a way consistent with ISO 14971, since that is the framework certification bodies evaluate against.

Which came first — ISO 13485 or ISO 14971?

Both standards have long histories. ISO 14971 was first published in 2000, with major revisions in 2007 and 2019. ISO 13485 was first published in 1996, revised in 2003, and again in 2016. The 2016 edition of ISO 13485 was developed with the intent of aligning more closely with the 2012 draft of ISO 14971, ensuring stronger integration between the two standards.

Does ISO 14971 apply to software as a medical device?

Yes. ISO 14971:2019 explicitly applies to Software as a Medical Device (SaMD). The companion document ISO/TR 24971 provides specific guidance on applying ISO 14971 to software, including cybersecurity risk considerations.

How does the QMSR affect the relationship between ISO 13485 and ISO 14971?

The QMSR (effective February 2, 2026) incorporated ISO 13485 by reference into 21 CFR Part 820. Since ISO 13485 references ISO 14971, that reference now carries federal regulatory weight. FDA investigators under the new Compliance Program 7382.850 start inspections with the risk management file — which is the primary output of the ISO 14971 process. The QMSR also extended risk management expectations across the entire QMS rather than concentrating them in design controls as the old QSR did.

What is the Risk Management File and which standard requires it?

The Risk Management File (RMF) is the organized collection of records that documents all risk management activities for a specific medical device — risk management plan, hazard analysis records, risk evaluation records, risk control records, overall residual risk evaluation, risk management review, and post-production information records. It is required by ISO 14971, not ISO 13485 directly. However, under ISO 13485, the Design and Development File must contain or reference risk management records — and under the QMSR, the RMF is what FDA investigators use as their inspection roadmap.

Do I need ISO/TR 24971 as well?

ISO/TR 24971:2020 is the technical report companion to ISO 14971:2019. It provides practical guidance on implementing ISO 14971’s requirements — methods for hazard identification, risk estimation, benefit-risk analysis, and software risk management. Unlike ISO 14971, it is guidance rather than a standard with requirements. For organizations building or rebuilding their risk management program, ISO/TR 24971 is a valuable implementation companion. It is not required, but it is practically useful.

How does ISO 14971 differ from ISO 31000?

ISO 14971 is specific to medical device risk management and defines risk in terms of patient harm — the combination of probability and severity of harm to people. ISO 31000 is a broader enterprise risk management standard with a wider definition of risk that includes any effect on objectives. The two are not interchangeable in the medical device context. ISO 14971 is the expected framework for medical device risk management. ISO 31000 is not.

✅ Free Resources

📋 ISO 13485 Gap Assessment Checklist — 64 items across 7 sections including ISO 14971 risk management integration requirements and all four FDA QMSR bridge requirements. Identify your gaps before your first audit.

📋 Manufacturing Compliance Checklist — ISO 9001, 14001, 45001 & OSHA — 50 items with gap scoring across all compliance systems.

📋 Supplier Quality Checklist — ISO 9001 Clause 8.4 — all supplier controls auditors evaluate, 45 items with scoring.

📋 ISO 9001 Implementation Roadmap — The exact 5-phase process from gap assessment to Stage 2 audit clearance.

Not Sure What to Do Next?

✅ You need the official ISO 13485:2016 standard 📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You need the official ISO 14971:2019 standard 📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You want to save buying both standards together 📋 ISO Standards Bundle — ANSI Webstore — Save up to 50%

✅ You want to identify your ISO 13485 and QMSR compliance gaps before spending anything 📋 Download the Free ISO 13485 Gap Assessment Checklist

✅ You need ISO 13485 training before implementation 📋 ISO 13485 Training — BSI Group

✅ You are ready to pursue ISO 13485 certification 📋 ISOQAR ISO 13485 Certification

✅ You want to understand what ISO 13485 requires 📋 What Is ISO 13485? Complete Guide

✅ You want to understand what ISO 14971 requires 📋 What Is ISO 14971? Risk Management for Medical Devices

✅ You want to understand the FDA QMSR and its impact 📋 FDA QSR vs ISO 13485 — The Complete QMSR Transition Guide

✅ You want to compare ISO 9001 and ISO 13485 📋 ISO 9001 vs ISO 13485 — Key Differences

✅ You want to understand ISO 13485 purchase options and cost 📋 Buy ISO 13485 — Complete Guide 📋 How Much Does ISO 13485 Cost?

✅ You want to browse all available medical device standards 📋 Standards Library — Medical Devices & Regulated Manufacturing 📋 Popular Standards — Most Frequently Purchased

Still Figuring Out Where to Start?

If you’re not ready to purchase or certify yet — that’s normal. ISO 13485 and ISO 14971 implementation decisions typically take three to six months from first research to commitment.

The best next step for most organizations at this stage:

📋 Download the free ISO 13485 Gap Assessment Checklist — it covers all 64 clause requirements including the ISO 14971 integration section and the four QMSR bridge requirements. It takes 30 minutes and tells you exactly where your gaps are before you spend anything.

Download Free Checklist — No Cost

ISO 13485 and ISO 14971 Are Not Optional to Each Other

ISO 13485 tells you risk management is required across your quality management system. ISO 14971 tells you how to conduct it. One without the other produces either a QMS with undefined risk methodology or a risk management program without a quality system framework to integrate it.

Under the FDA’s QMSR, effective February 2, 2026, that integration is no longer just a best practice — it is what federal regulatory inspection expects. FDA investigators start with the risk management file. They follow it into design controls, CAPA, complaint handling, and post-market surveillance. A quality management system that treats risk management as a design-phase deliverable rather than a lifecycle discipline will not hold up under that inspection approach.

The organizations that get this right are the ones that treat the Risk Management File as a living operational document — not a certification artifact. They update it because post-market data flows into it systematically. They connect CAPA to it because the system requires the connection. They identify new hazards from real-world performance data because that is what ISO 14971 Clause 11 requires and what QMSR now enforces.

That is what implementing both standards properly actually produces.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

✅ Get updates on new standards, implementation strategies, and compliance insights ✅ Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

What Is ISO 14971? Risk Management for Medical Devices Explained (2026 Guide)

ISO 14971 is not optional supplementary guidance for ISO 13485 — it is the required risk management framework woven throughout the medical device lifecycle. This guide covers what ISO 14971:2019 requires clause by clause, how its six-step process works across the device lifecycle, what changed in the 2019 edition, and why the FDA’s QMSR makes a well-maintained Risk Management File more critical than ever.

ISO 14971 is not optional supplementary guidance for ISO 13485 — it is the required risk management framework woven throughout the medical device lifecycle. Here’s what it requires, how it works, and why the FDA’s QMSR makes understanding it more important than ever.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.

From the Shop Floor

Risk management in manufacturing is not a new concept. Every process engineer who has ever run a failure modes and effects analysis on a production line understands the core logic: identify what can go wrong, estimate how likely it is and how bad it would be, put controls in place, and verify those controls work.

What ISO 14971 adds to that foundation is structure, lifecycle scope, and documentation discipline.

After 25 years in heavy industrial manufacturing — including quality systems, process control, and operational risk — the single most consistent gap I see in medical device risk management is the treatment of the Risk Management File as a design-phase deliverable rather than a living operational document. Teams build an impressive RMF during product development, get through their certification audit, and then let the file sit static while the real world generates new information about how the device actually performs.

That approach worked well enough under the old QSR. It does not work under the QMSR.

FDA investigators under CP 7382.850 are not looking at your RMF to confirm it was done — they are using it as a roadmap to evaluate whether your entire quality system is functioning as an integrated risk management framework. A risk management file that hasn’t been updated since device release is not a minor documentation gap. It is evidence that your risk management process is not integrated with complaint handling, CAPA, and post-market surveillance the way the QMSR requires.

The organizations I have seen handle this well treat the RMF update as a standing agenda item in management review — not a corrective action triggered by an audit finding. If post-market data is generating complaints, those complaints are being evaluated in the context of the risk management file every quarter. That is the operating model QMSR expects.

ISO 14971 Is the Standard Your QMS Is Already Required to Implement

If you are pursuing ISO 13485 certification, operating under the FDA’s QMSR, or manufacturing medical devices for any major regulated market, ISO 14971 is not a standard you get to choose whether to implement.

ISO 13485:2016 explicitly requires risk management per ISO 14971 throughout the medical device lifecycle — in design controls, production processes, supplier controls, complaint handling, and post-market surveillance. Under the FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, that requirement now carries federal regulatory weight. FDA investigators under Compliance Program 7382.850 are expected to use the risk management file as their inspection roadmap.

Yet despite being one of the most referenced standards in medical device regulation, ISO 14971 remains one of the least understood. Most manufacturers know it exists. Far fewer understand what it actually requires, how its six-step process works across the device lifecycle, or why the 2019 edition introduced changes that many organizations still haven’t fully implemented.

This guide covers all of it — what ISO 14971 is, what it requires clause by clause, how it integrates with ISO 13485 and the QMSR, and what your risk management program needs to look like in practice.

In This Guide

What ISO 14971 is and why it exists
Who needs ISO 14971
The six-step ISO 14971 risk management process
Key clause-by-clause breakdown
What changed in the 2019 edition
The Risk Management File — what it contains and how it’s structured
ISO 14971 and ISO 13485 — how they integrate
ISO 14971 under the FDA QMSR
ISO/TR 24971 — the companion guidance document
How to buy the official standard
Frequently asked questions

✅ Start Here (Top Resources)

📋 Purchase the official ISO 14971:2019 standard → ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

📋 Purchase the official ISO 13485:2016 standard — required companion → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

📋 Save up to 50% buying both standards as a bundle → ISO Standards Packages — ANSI Webstore

📋 Get ISO 13485 training that covers ISO 14971 integration → BSI Group ISO 13485 Training

📋 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification

What Is ISO 14971?

ISO 14971 is the international standard for the application of risk management to medical devices. The current version — ISO 14971:2019 — is the third edition, published in December 2019. It specifies the terminology, principles, and a structured process for identifying hazards associated with medical devices, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of controls throughout the entire device lifecycle.

The standard applies to:

Physical medical devices of all classifications
Software as a Medical Device (SaMD)
In vitro diagnostic (IVD) medical devices
Combination products where the device constituent part requires risk management

Before ISO 14971, there was no universally accepted methodology for risk management in the medical device industry. Different manufacturers used different approaches, different terminology, and different standards for what constituted acceptable risk. ISO 14971 introduced a standardized process that could be consistently applied across the industry globally — giving regulators, certification bodies, and trading partners a shared framework for evaluating whether a manufacturer’s risk management is adequate.

Risk, as defined by ISO 14971, is the combination of two components:

The probability that harm will occur
The severity of that harm

This definition is important because it shapes the entire risk management process. A high-severity potential harm that is extremely unlikely to occur produces a different risk level than a moderate-severity harm that occurs frequently. ISO 14971 requires manufacturers to evaluate both dimensions systematically — not rely on intuition or experience alone.

Who Needs ISO 14971?

ISO 14971 is effectively required for any organization involved in the medical device supply chain. Specifically:

Organizations that must implement ISO 14971:

Medical device manufacturers — it is explicitly required by ISO 13485 and referenced throughout FDA QMSR, EU MDR, Health Canada, TGA (Australia), and most other major regulatory frameworks
Design-responsible organizations developing medical devices or device software
Contract manufacturers producing devices under a design owner’s technical file

Organizations that should implement ISO 14971:

Component suppliers whose products are incorporated into medical devices — risk management requirements are increasingly flowed down through quality agreements
Software developers producing SaMD or software incorporated into medical devices
Sterilization service providers — sterilization process risk must be managed within the device’s overall risk management framework

A critical distinction: ISO 14971 is not legally mandated in the same way a regulation is — regulators like the FDA do not list it as a statutory requirement. However, regulators worldwide recognize ISO 14971 as the state of the art for medical device risk management. Non-conformance with ISO 14971 — or the absence of a risk management program built on its framework — creates significant regulatory exposure. For practical purposes, ISO 14971 is mandatory for any organization intending to demonstrate that their device is safe and effective.

The ISO 14971 Risk Management Process — Six Steps

Infographic illustrating the six-step ISO 14971 medical device risk management process: Risk Analysis, Risk Evaluation, Risk Control, Overall Residual Risk, Risk Management Review, and Post-Production Information. — The six-step ISO 14971 risk management process creates a structured lifecycle approach for identifying hazards, controlling risks, evaluating residual risk, and continuously improving medical device safety.

ISO 14971 defines a six-step risk management process that applies across the entire device lifecycle — from initial concept through design, production, and post-market activities.

Step 1 — Risk Analysis

Risk analysis is the systematic use of available information to identify hazards and estimate the risks associated with a medical device. It consists of two activities:

Hazard identification: Identifying all reasonably foreseeable hazards associated with the device under both normal use conditions and fault conditions. The 2019 edition specifically requires both normal and fault conditions to be considered — a change from the 2007 edition which emphasized fault conditions primarily.

Sources of hazards include:

Device energy sources (electrical, thermal, mechanical, radiation)
Device materials and their biological interactions
Use environment and user characteristics
Reasonably foreseeable misuse
Software failures and cybersecurity vulnerabilities
Interactions with other devices

Risk estimation: For each hazardous situation identified, estimating the risk by determining the probability of occurrence of harm and the severity of that harm. ISO 14971 does not specify acceptable risk levels — manufacturers must establish their own objective criteria based on regulatory requirements, industry standards, and clinical context.

Step 2 — Risk Evaluation

Risk evaluation is the process of comparing estimated risks against the manufacturer’s defined risk acceptability criteria to determine whether risk reduction is required. If the estimated risk exceeds acceptable levels, the process moves to risk control. If the risk is within acceptable limits, it is documented as acceptable residual risk and monitored.

Step 3 — Risk Control

Risk control is the process of implementing and verifying measures to reduce risks that exceed acceptable levels. ISO 14971 requires risk control measures to be implemented in a defined priority order:

Inherent safety by design — eliminate or reduce hazards through design decisions (preferred)
Protective measures — guards, alarms, interlocks in the device or manufacturing process
Information for safety — warnings, instructions for use, training requirements (last resort)

After implementing risk control measures, the residual risk — the risk remaining after controls — must be estimated and evaluated again. The process is iterative: if residual risk is still unacceptable, additional risk control measures must be implemented.

Risk control measures must also be evaluated for introduced risks — a control measure that eliminates one hazard may introduce a new one.

Step 4 — Evaluation of Overall Residual Risk

After all individual risks have been addressed, the overall residual risk of the device must be evaluated — not just each individual risk in isolation. If the overall residual risk is not acceptable using the manufacturer’s risk acceptability criteria, a benefit-risk analysis must be performed.

Benefit-risk analysis (introduced as a formal requirement in the 2019 edition) evaluates whether the clinical benefits of the device outweigh the overall residual risk in the context of the device’s intended use. If the benefits outweigh the risks, and appropriate information is provided to users, the device may be released. If the benefits do not outweigh the risks, the device cannot be released — additional risk control measures are required.

Step 5 — Risk Management Review

Before a device is released for distribution, a formal risk management review must be completed. The 2019 edition changed the title of this clause from “Risk Management Report” to “Risk Management Review” — a deliberate signal that this is an active review activity, not simply a summary document.

The review must confirm:

The risk management plan has been fully implemented
The overall residual risk is acceptable
Appropriate methods are in place to collect and review production and post-production information

Reviewers must be identified in the risk management plan in advance — they cannot be appointed after the fact.

Step 6 — Production and Post-Production Information

Risk management does not end when the device is released. ISO 14971 requires a systematic process for collecting and reviewing information from production and post-market activities throughout the device’s commercial life. This includes:

Complaint data and adverse event reports
Post-market surveillance information
Production nonconformances and CAPA trends
New scientific and technical information relevant to device safety

When this information indicates that the risk management process needs to be updated — that a new hazard has been identified, or that an existing risk estimate was incorrect — the risk management file must be revised and risk control measures re-evaluated.

ISO 14971 Clause-by-Clause Breakdown

Clause	Title	Key Content
1	Scope	Applicability to all medical devices, SaMD, IVDs, combination products
2	Normative references	ISO 9000:2015 for defined terms
3	Terms and definitions	31 defined terms including risk, hazard, harm, hazardous situation, benefit
4	General requirements	Risk management system requirements, management responsibilities, competence requirements
5	Risk management planning	Risk management plan requirements — device scope, lifecycle phases, risk acceptability criteria
6	Risk analysis	Intended use, hazard identification, risk estimation
7	Risk evaluation	Comparison to acceptability criteria, benefit-risk analysis (Clause 7.4)
8	Risk control	Control option analysis, measure implementation, residual risk evaluation, introduced risks
9	Evaluation of overall residual risk	Overall residual risk acceptability, benefit-risk if needed
10	Risk management review	Pre-release review requirements, reviewer identification
11	Production and post-production activities	Information collection, new hazard identification, risk file updates

What Changed in ISO 14971:2019

The 2019 edition is the third edition of ISO 14971, replacing the 2007 version. Several changes have practical implementation implications:

Benefit-risk analysis is now a formal requirement. The 2019 edition formally introduced benefit-risk analysis as a defined process step (Clause 7.4) when overall residual risk is not acceptable under the manufacturer’s criteria alone. The 2007 edition referenced this concept but did not treat it as a structured requirement. The FDA’s influence here is direct — the FDA revised its language to place “benefit” before “risk” for novel device submissions, and the ISO 14971 committee adopted this framing in the 2019 revision.

Both normal and fault conditions must be analyzed. Clause 5.4 of the 2019 edition explicitly requires identification of anticipated hazards under both normal use and fault conditions. The 2007 edition emphasized fault conditions — the 2019 edition closes that gap. This has direct implications for FMEA and hazard analysis documentation.

Post-production requirements are more prescriptive. The requirements for production and post-production information collection (Clause 11) are more detailed in the 2019 edition, with stronger emphasis on systematic feedback of real-world performance data into the risk management file.

Risk Management Review replaces Risk Management Report. The title change in Clause 9 (from “report” to “review”) reflects a substantive intent: the activity must be an active review with identified reviewers, not a passive summary document compiled at device release.

EN ISO 14971:2019 + A11:2021 for EU MDR. The European version of the standard includes Amendment A11:2021, which maps ISO 14971 requirements to the General Safety and Performance Requirements (GSPR) of the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). Organizations selling into the EU need the A11 annex — organizations selling only in the U.S. do not, but the normative requirements are identical in both versions.

The Risk Management File

The Risk Management File (RMF) is the central documentation output of the ISO 14971 process. It is the organized collection of records that demonstrates a manufacturer has systematically identified hazards, evaluated risks, implemented controls, and monitored the effectiveness of those controls throughout the device lifecycle.

The RMF is not a single document. It is a defined collection of records that includes:

Risk Management Plan (RMP): Defines the scope of risk management activities, the lifecycle phases covered, the risk acceptability criteria, the risk estimation methodology, and the verification activities planned
Risk Analysis records: Hazard identification outputs, risk estimation records, FMEA or other analysis tool outputs
Risk Evaluation records: Comparison of estimated risks against acceptability criteria
Risk Control records: Selected control measures, implementation records, verification that controls achieved their intended risk reduction, evaluation of introduced risks
Overall Residual Risk evaluation: Documentation of the overall residual risk assessment and benefit-risk analysis if required
Risk Management Review: Pre-release review record with identified reviewers
Post-Production information records: Systematic records of production and post-market information reviewed against the risk management file

A common audit finding is a Risk Management File that functions as a static document compiled at device release — rather than a living record updated throughout the device’s commercial life as post-production information is gathered. Under the QMSR, FDA investigators start inspections with the risk management file. A static RMF that hasn’t been updated since initial device release is a significant inspection vulnerability.

Feature image promoting an ISO 13485 Gap Assessment Checklist for medical device manufacturers, contract manufacturers, and component suppliers preparing for certification and FDA QMSR compliance. — ISO 13485 Gap Assessment Checklist designed to help medical device manufacturers identify compliance gaps, prioritize actions, and prepare for certification and FDA QMSR requirements.

📋 How does your risk management program measure up? Section 6 of the free ISO 13485 Gap Assessment Checklist covers ISO 14971 integration specifically — risk management plan requirements, RMF structure, post-production feedback, and the QMSR inspection implications. Download Free Checklist

ISO 14971 and ISO 13485 — How They Integrate

ISO 14971 and ISO 13485 are companion standards — not alternatives. ISO 13485 is the quality management system framework. ISO 14971 is the risk management framework that ISO 13485 requires to be implemented throughout that QMS.

ISO 13485 references ISO 14971 in multiple clauses:

Clause 7.1 — Planning of product realization: Risk management activities must be planned as part of product realization
Clause 7.3 — Design and development: Risk management must be integrated throughout design and development activities
Clause 7.4 — Purchasing: Supplier controls must reflect risk — suppliers of higher-risk components require more rigorous qualification
Clause 8.2.1 — Feedback: Post-market feedback must be evaluated in the context of risk management
Clause 8.5 — Improvement: CAPA and continual improvement activities must consider risk management outputs

ISO 14971 is not optional supplementary guidance for ISO 13485. Organizations implementing ISO 13485 must purchase and implement ISO 14971. It is an external document that must be controlled under ISO 13485 Clause 4.2.4 — registered, version-controlled, and accessible to relevant personnel.

For a complete comparison of how ISO 13485 and risk management requirements interact, see ISO 9001 vs ISO 13485 — Key Differences.

📋 Buy ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

ISO 14971 Under the FDA QMSR

The FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, incorporated ISO 13485:2016 by reference into 21 CFR Part 820 — and with it, ISO 13485’s explicit requirement for risk management per ISO 14971.

Under QMSR, several specific changes elevate the practical importance of ISO 14971:

Risk management now extends across the entire QMS. Under the old QSR, risk management was concentrated primarily in design controls. Under QMSR, risk-based thinking is required throughout the entire quality system — supplier controls, production processes, CAPA, complaint handling, and post-market surveillance. ISO 14971 is the expected framework for implementing this expanded risk management scope.

FDA investigators start inspections with the risk management file. Under Compliance Program 7382.850 — the new inspection program that replaced QSIT on February 2, 2026 — FDA investigators are expected to begin inspections by reviewing the risk management file and following risk documentation into other quality system areas. A well-maintained, current risk management file is inspection preparation. An incomplete or static risk management file is an inspection liability.

Post-market surveillance feeds the risk management file. The QMSR’s requirements for production and post-production information — complaint handling, MDR, field corrections — are expected to feed systematically into the risk management file. Organizations that maintain complaint handling and risk management as separate, unconnected systems have a QMSR gap.

For the complete QMSR transition guide, see FDA QSR vs ISO 13485: The Complete QMSR Transition Guide.

ISO/TR 24971 — The Companion Guidance Document

ISO/TR 24971:2020 is the technical report published as a companion to ISO 14971:2019. Unlike ISO 14971, which is a normative standard (its requirements are mandatory for certification purposes), ISO/TR 24971 is guidance — it does not add requirements but provides practical methodology for implementing ISO 14971’s requirements.

ISO/TR 24971:2020 covers:

Guidance on risk management planning
Practical methods for hazard identification and risk estimation
Guidance on benefit-risk analysis
Application of risk management to software
Application of risk management to usability and human factors
Guidance on production and post-production information processes

For organizations building or rebuilding their risk management program, ISO/TR 24971 is the practical implementation companion to ISO 14971’s requirements. Many experienced quality and regulatory professionals recommend reading both together.

📋 ISO/TR 24971:2020 — ANSI Webstore — use coupon CC2026 for 5% off

How to Buy ISO 14971

ISO 14971 is a copyrighted document and must be purchased from an authorized source. It cannot be legally downloaded for free.

ANSI Webstore — Recommended U.S. Source

The ANSI Webstore is the authorized U.S. distributor for ISO standards. ISO 14971:2019 is available in PDF format with immediate download after purchase.

📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

Bundle with ISO 13485 — Save Up to 50%

Organizations implementing ISO 13485 need both standards. Purchasing as a bundle through the ANSI Webstore saves significantly compared to individual purchases.

📋 ISO Standards Bundles — Save up to 50%

For the complete guide to purchasing ISO 13485, see Buy ISO 13485 — Complete Purchasing Guide.

Frequently Asked Questions

What is ISO 14971 used for?

ISO 14971 is the international standard for applying risk management to medical devices. It provides the structured process — hazard identification, risk estimation, risk evaluation, risk control, overall residual risk evaluation, and post-production monitoring — that manufacturers must use to demonstrate that their devices are safe for their intended use.

Is ISO 14971 required for ISO 13485 certification?

Yes. ISO 13485 explicitly requires risk management per ISO 14971 throughout the medical device quality management system. Organizations cannot achieve ISO 13485 certification without demonstrating that their risk management program is built on the ISO 14971 framework. ISO 14971 must be controlled as an external document within the ISO 13485 QMS.

Is ISO 14971 required by the FDA?

ISO 14971 is not listed as a statutory FDA requirement. However, the FDA recognizes ISO 14971 as the state of the art for medical device risk management. Under the QMSR, effective February 2, 2026, ISO 13485 is incorporated by reference into 21 CFR Part 820 — and ISO 13485 explicitly requires ISO 14971. FDA investigators under CP 7382.850 use the risk management file as their inspection starting point. For practical purposes, ISO 14971 is effectively mandatory for any FDA-regulated medical device manufacturer.

What is the difference between ISO 14971:2007 and ISO 14971:2019?

The 2019 edition introduced several substantive changes: benefit-risk analysis is now a formal requirement when overall residual risk is not acceptable; both normal use and fault conditions must be analyzed during hazard identification; post-production requirements are more prescriptive; and the Risk Management Report was renamed Risk Management Review to signal an active review activity rather than a passive document.

What is the Risk Management File?

The Risk Management File (RMF) is the organized collection of records that demonstrates a manufacturer has systematically implemented the ISO 14971 risk management process. It includes the Risk Management Plan, hazard analysis records, risk evaluation records, risk control records, overall residual risk evaluation, risk management review, and post-production information records. The RMF is a living document — it must be updated throughout the device’s commercial life as post-production information is gathered.

What is ISO/TR 24971?

ISO/TR 24971:2020 is the technical report companion to ISO 14971:2019. It provides practical guidance on implementing ISO 14971’s requirements — methods for hazard identification, risk estimation, benefit-risk analysis, software risk management, and post-production information processes. It does not add normative requirements but is an essential practical companion for organizations building or rebuilding their risk management programs.

What is the difference between ISO 14971 and ISO 31000?

ISO 14971 is specific to medical device risk management and defines risk purely in terms of harm to people — the combination of probability of harm and severity of that harm. ISO 31000 is a broader enterprise risk management standard with a wider definition of risk that includes any effect on objectives, including positive risks (opportunities). The two standards serve different purposes and are not interchangeable in the medical device context.

Does ISO 14971 apply to software as a medical device?

Yes. ISO 14971:2019 explicitly applies to Software as a Medical Device (SaMD). ISO/TR 24971 provides specific guidance on applying ISO 14971 to software. The companion standard IEC 62304 — Medical Device Software Lifecycle Processes — also references ISO 14971 risk management requirements throughout its software development lifecycle requirements.

📥 Free Resources

👉 ISO 9001 Roadmap — Step-by-Step Implementation Guide
👉 Manufacturing Compliance Checklist — verify all compliance areas before your certification audit
👉 Supplier Quality Checklist — material supplier and tooling supplier qualification requirements

Not Sure What to Do Next?

✅ You need the official ISO 14971:2019 standard 📋 ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

✅ You also need ISO 13485:2016 — the required companion QMS standard 📋 ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You need the ISO/TR 24971 implementation guidance companion 📋 ISO/TR 24971:2020 — ANSI Webstore — use coupon CC2026 for 5% off

✅ You want to save buying multiple standards together 📋 ISO Standards Bundles — Save up to 50% — ANSI Webstore

✅ You need ISO 13485 training that covers ISO 14971 integration 📋 BSI Group ISO 13485 Training

✅ You are ready to pursue ISO 13485 certification 📋 ISOQAR ISO 13485 Certification

✅ You want to understand what ISO 13485 requires 📋 What Is ISO 13485? — Complete Guide

✅ You want to understand the FDA QMSR and how ISO 14971 fits 📋 FDA QSR vs ISO 13485 — The Complete QMSR Transition Guide

✅ You want to compare ISO 9001 and ISO 13485 📋 ISO 9001 vs ISO 13485 — Key Differences

✅ You want to understand ISO 13485 purchase options and cost 📋 Buy ISO 13485 — Complete Purchasing Guide 📋 How Much Does ISO 13485 Cost?

Risk Management Is Not a Deliverable. It’s an Operating Model.

ISO 14971 is not a checkbox on a certification audit list. It is the framework that determines whether the medical devices your organization produces — or supplies components for — are demonstrably safe for their intended use.

Under the FDA’s QMSR, effective February 2, 2026, that framework now carries federal regulatory weight. Risk management under QMSR extends across the entire quality system, and FDA investigators under CP 7382.850 are using the risk management file as their inspection roadmap.

The organizations that navigate this environment successfully are the ones that treat risk management as an operating discipline — not a documentation exercise. The Risk Management File is updated because post-market data is being systematically reviewed, not because an audit is scheduled. CAPA is connected to the risk management file because the quality system is integrated, not because an investigator asked to see the connection.

That is what ISO 14971, properly implemented, actually produces.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.

✅ Get updates on new standards, implementation strategies, and compliance insights ✅ Be first to access new guides, tools, and checklists

Subscribe below to stay ahead.

ISO 14971 Is No Longer Optional for Medical Device Manufacturers

In This Guide

Table of Contents

👉 Start Here (Top Resources)

What Is ISO 14971:2019?

ISO 14971:2019 vs ISO 14971:2007 — Which Do You Need?

Where to Buy ISO 14971:2019 — Official Sources Only

ISO 14971 Formats Available

How Much Does ISO 14971:2019 Cost?

Who Needs to Purchase ISO 14971?

If you are at this stage:

What ISO 14971 Does NOT Include

Common Purchasing Mistakes to Avoid

Why Organizations Delay This — And What It Costs Them

Related Standards You Will Also Need

Frequently Asked Questions

What is ISO 14971:2019?

Is ISO 14971 required for ISO 13485 certification?

What is the difference between ISO 14971:2019 and ISO 14971:2007?

Where is the best place to buy ISO 14971:2019?

Can I share my ISO 14971 PDF with my design team?

Do I need both ISO 14971 and ISO 13485?

Does ISO 14971 apply to software?

What is ISO/TR 24971?

How much does ISO 14971:2019 cost?

📥 Free Resources

Not Sure What to Do Next?

Still figuring out where to start?

The Standard That Makes Everything Else Auditable

Subscribe

ISO 13485 Tells You to Manage Risk. ISO 14971 Tells You How.

In This Guide

Table of Contents

✅ Start Here (Top Resources)

What Is ISO 13485?

What Is ISO 14971?

ISO 14971 vs ISO 13485 — Key Differences

Where ISO 13485 References ISO 14971

Clause 7.1 — Planning of Product Realization

Clause 7.3 — Design and Development

Clause 7.4 — Purchasing

Clause 8.2 — Monitoring and Measurement

Clause 8.5 — Improvement

Is ISO 14971 Actually Mandatory Under ISO 13485?

The QMSR Changes the Practical Answer

How the Two Standards Work Together in Practice

Concept and Planning Stage

Design and Development

Purchasing and Supplier Controls

Production

Post-Market Surveillance and CAPA

The Risk Management File — Where They Intersect Most Clearly

From the Shop Floor

Which Standard Do You Buy First?

Frequently Asked Questions

What is the main difference between ISO 14971 and ISO 13485?

Is ISO 14971 required if you have ISO 13485?

Can you be certified to ISO 14971?

Which came first — ISO 13485 or ISO 14971?

Does ISO 14971 apply to software as a medical device?

How does the QMSR affect the relationship between ISO 13485 and ISO 14971?

What is the Risk Management File and which standard requires it?

Do I need ISO/TR 24971 as well?

How does ISO 14971 differ from ISO 31000?

✅ Free Resources

Not Sure What to Do Next?

Still Figuring Out Where to Start?

ISO 13485 and ISO 14971 Are Not Optional to Each Other

Subscribe

From the Shop Floor

ISO 14971 Is the Standard Your QMS Is Already Required to Implement

In This Guide

Table of Contents

✅ Start Here (Top Resources)

What Is ISO 14971?

Who Needs ISO 14971?

The ISO 14971 Risk Management Process — Six Steps

Step 1 — Risk Analysis

Step 2 — Risk Evaluation

Step 3 — Risk Control