What are the Risk Management Documentation Requirements of ISO 14971?

August 7, 2022


Managing risk is one of the most important areas in medical device manufacturing today. Not only does it protect users and patients, it’s also a major requirement of most regulatory bodies around the world.

But alongside the risk management process are the equally important procedures for documenting these activities. In the US, the FDA’s approach has long been, “If you didn’t document it, it didn’t happen.”

That’s why so many medical device manufacturers turn to the international standard ISO 14971 - Application of Risk Management to Medical Devices. While the documentation requirements alone are detailed, meeting the requirements of ISO 14971:2019 is not as cumbersome as it seems. In fact, when manufacturers follow it properly, the result is a safer product, and it can also lower total costs.

FREE TEMPLATE: Download your free PDF copy of our previously confidential Risk Management Plan by clicking here.

What are the ISO 14971 documentation requirements for managing medical device risk?

Though risk management documentation is mentioned throughout ISO 14971, our attention will focus on Sections 4.4 and 4.5 of the standard, which outline the requirements for the risk management plan and risk management file, respectively. 

In ISO 14971:2019, Section 4.4, the standard states that: 

Risk management activities shall be planned. For the particular medical device being considered, the manufacturer shall establish and document a risk management plan in accordance with the risk management process.

Pay special attention to the language used: the standard uses the term “shall” to denote that this is a requirement, not a suggestion. Risk management plans are crucial to effectively managing and mitigating risk. As such, the standard specifies what the plan must document in order to align with ISO 14971.

Your risk management plan must include:

  • Scope of the planned risk management activities throughout the entire product life cycle

  • Assignment of risk management responsibilities and management’s role

  • Requirements for review of risk management activities     

  • Criteria for risk acceptability, based on the manufacturer’s policy for determining acceptable risk, including criteria for accepting risks when the probability of occurrence of harm cannot be estimated

  • A method to evaluate the overall residual risk

  • Activities for verification of the implementation and effectiveness of risk control measures

  • Activities related to collection and review of relevant production and post-production information 

Now that we have an idea of what’s required in the risk management plan documentation, we can turn our attention to Section 4.5, which states that all risk management activities, including the risk management plan, must be documented and that all versions must be placed in a risk management file (RMF).

The RMF is a convenient way of recording your risk management activities and shall contain documents identifying the results of each activity, including planning and showing how risk management activities are performed.

Per ISO 14971, your risk management file must include documentation of: 

  • Risk analysis

  • Risk evaluation

  • Implementation and verification of the risk control measures

  • Results of the evaluation of the residual risks

Another important detail to keep in mind for both the risk management plan and the risk management file is that these must be produced for each device or device family.

What is the significance of traceability in ISO 14971?

With such a broad range of risk management activities and various forms of documentation needed, keeping these records connected is imperative for internal and external audits, as well as for any regulatory submissions. So, it makes sense that ISO 14971 specifically mentions the need for traceability. 

In Section 4.5, the standard states, “In addition to the requirements of other clauses of this document, the risk management file shall provide traceability for each identified hazard.” Traceability is explained more fully in Annex A.2.4.5, found in ISO 14971:2019:

This document uses this term to signify where the manufacturer can locate or find the locations of all the records and other documents applicable to risk management. This facilitates the risk management process and enables more efficient auditing to this document. Traceability is necessary to demonstrate that the risk management process has been applied to each identified hazard.

Traceability is also vital to ensure completeness. When a risk management activity is left incomplete, it may mean that an identified hazard and its potential risk to cause harm are not controlled. Incompleteness can occur anywhere throughout the risk management process, including:

  • Unidentified hazards

  • Risks not assessed

  • Unspecified risk control measures

  • Risk control measures not implemented

  • Risk control measures that prove ineffective 

Because it usually takes multiple tools to identify and evaluate all risks, a tool such as a risk traceability matrix can be hugely helpful for keeping those records connected.

You can also learn more about the traceability requirements in this free, on-demand session on Documenting Risk Management to Meet Requirements of ISO 14971:2019, from the Risk Management True Quality Summit Series by Greenlight Guru.

What does ISO 14971 require for maintaining a risk management file?

Another hugely important risk management requirement under ISO 14971 is that all risk management files be living documents. Of course, this means keeping the documentation up-to-date in both the production and post-production phases. Thus, you’ll need to establish a documented process for collecting and reviewing this information and for maintaining the risk management file accordingly.

ISO 14971 Information Collection Guidelines

Quoting directly from ISO 14971,

The manufacturer shall collect, where applicable

    • information generated during production and monitoring of the production process

    • information generated by the user

    • information generated by those accountable for the installation, use and maintenance of the medical device

    • information generated by the supply chain

    • publicly available information

    • information related to the generally acknowledged state of the art

One of the greatest takeaways from this excerpt is the need to connect risk management files to the post-production collection of customer complaints and feedback. This data can come from anywhere in the supply chain: during shipping, while the device is being installed or set up by providers, while it is used by actual patients, or even from published articles on the safety of the device type.

ISO 14971 Information Review Guidelines

Quoting directly from ISO 14971,

The manufacturer shall review the information collected for possible relevance to safety, especially whether:

    • Previously unrecognized hazards or hazardous situations are present

    • An estimated risk arising from a hazardous situation is no longer acceptable

    • The overall residual risk is no longer acceptable in relation to the benefits of the intended use or the generally acknowledged state of the art has changed.

These guidelines connect back to the importance of establishing criteria for acceptable levels of risk. They also remind us that this is in no way a one-and-done activity. ISO 14971 requires that the risk management file be kept up-to-date throughout the product lifecycle, until the last product in the field is removed from use and properly disposed of.

This is pertinent for devices that have reached the end of their lifecycle and are being removed from circulation, as well as for cases where all field models are being replaced by an updated or brand new device type.

In either case, the entire RMF may only be destroyed after the device is no longer available for use, and then only in accordance with document control requirements and applicable legal and regulatory requirements.


Documenting risk management according to ISO 14971 requires a purpose-built QMS solution

Risk management is much more than paperwork; it’s a product-level process that can protect developers, manufacturers, providers, and actual patients from potential harm or even death. 

So when you turn to your QMS solution, why not choose one that is purpose-built to keep you in compliance with ISO 14971:2019? Greenlight Guru offers the only integrated risk management software built specifically for MedTech companies and that aligns directly with ISO 14971:2019.

Total Product Lifecycle

If you’re ready to experience the Greenlight Guru difference, get a deep dive into our Risk Management Software, ask questions, and see your risk matrix come to life with a free demo today.


Etienne Nichols is a Medical Device Guru and Mechanical Engineer who loves learning and teaching how systems work together. He has both manufacturing and product development experience, even aiding in the development of combination drug-delivery devices, from startup to Fortune 500 companies and holds a Project...
