Quick Summary
What belongs in a medical device risk management file under ISO 14971:2019. Risk management plan, risk analysis, evaluation, controls, and residual risk documentation.
ISO 14971:2019 Requirements for the Risk Management File
ISO 14971:2019 Clause 4.5 requires that for each medical device, the manufacturer establish and maintain a risk management file. The risk management file is the organized collection of all records and documents produced during the risk management process for a specific device. It is distinct from a standalone risk analysis spreadsheet: it encompasses the entire risk management lifecycle, from initial hazard identification through post-production surveillance.
The risk management file must contain or reference all of the outputs of the risk management process: the risk management plan, the results of risk analysis, the results of risk evaluation, the information on risk controls and their implementation, the residual risk evaluation results, and the results of the evaluation of the overall residual risk. Post-production activities (monitoring and feedback from the field) must also feed into the risk management file throughout the device lifecycle.
The risk management file concept in ISO 14971 is analogous to the Design History File in FDA design controls; it is the organized record of a regulatory process, not a single document. A well-structured risk management file has a clear index, organized sections for each required output, and version-controlled records that show the evolution of the risk analysis as design decisions were made.
For EU MDR, the risk management file is explicitly required in the technical documentation under Annex II, Section 5. Notified Body auditors will review the risk management file as part of technical documentation review. The file must demonstrate compliance with ISO 14971:2019: the 2007 version is no longer current and does not satisfy MDR technical documentation requirements.
Risk Management Plan: The Foundation Document
ISO 14971:2019 Clause 5 requires a risk management plan for each device. The risk management plan is the document that defines the scope, objectives, and methods of the risk management process for that specific device. It is approved before risk management activities begin and is updated as needed throughout the device lifecycle.
Required elements of the risk management plan:
Scope: The plan must define the scope of risk management: which lifecycle phases are addressed (design and development, production, post-production), what is considered part of the device for risk purposes, and what the device system boundaries are. For software-containing devices, the scope must clearly address whether software is within scope of the risk management plan.
Responsibility assignments: The plan must identify who is responsible for each aspect of risk management activity. This typically includes the risk manager (person responsible for leading the risk management process), subject matter experts (engineering, clinical, regulatory), and approvers (senior management or quality assurance).
Risk evaluation criteria: The plan must establish the criteria that will be used to evaluate risk, in the form of the risk acceptability matrix. This matrix defines the severity scale (what patient outcomes correspond to which severity levels), the probability scale (how probability of occurrence is estimated and categorized), and the risk acceptability criteria (which combinations of severity and probability are acceptable, require risk reduction, or are unacceptable).
Risk management activity plan: A summary of which risk management activities will be performed at each lifecycle phase, with timelines. Risk management must be planned as an integral part of design and development, not as a post-design documentation exercise.
Activities for collecting and reviewing post-production information: The plan must describe how information from field use will be collected, reviewed, and fed back into the risk management file.
Risk Analysis: Hazard Identification Through Risk Estimation
Risk analysis is the core technical activity of risk management. ISO 14971:2019 Clause 5 defines the four steps of risk analysis: intended use and identification of characteristics related to safety (Clause 5.2), identification of hazards and hazardous situations (Clause 5.3), and risk estimation for each identified hazardous situation (Clause 5.4).
Identifying characteristics related to safety (Clause 5.2): ISO 14971 Annex A provides a comprehensive set of questions to structure this activity, covering intended use, patient population, use environment, user characteristics, device operating principles, interfaces with other devices, maintenance requirements, and potential failure modes. The answers to these questions are the starting point for hazard identification.
Hazard identification (Clause 5.3): For each characteristic identified in Clause 5.2, analyze what could go wrong (the hazard or hazardous situation). A hazard is a potential source of harm. A hazardous situation is the circumstance in which people, property, or the environment are exposed to one or more hazards.
Risk estimation (Clause 5.4): For each identified hazardous situation, estimate the probability of occurrence and the severity of the harm. The risk management plan must define the estimation scales used, and the estimation must be documented for each hazardous situation. Where quantitative probability data is available (reliability data from similar devices, published failure rate data), quantitative estimates are preferred. Where only qualitative judgment is available, the basis for the judgment must be documented.
Risk analysis methods: FMEA (Failure Mode and Effects Analysis) is the most commonly used risk analysis method for medical devices. Fault Tree Analysis (FTA) is used when multiple failure modes must combine to produce a hazardous situation. Use Error Analysis (based on usability engineering) addresses hazards from incorrect use. The risk management file should document which methods were used and why they were selected.
Risk Controls and Residual Risk Documentation
After risk estimation, risks that exceed your acceptability criteria require risk control. ISO 14971:2019 Clause 6 defines risk control requirements, including the hierarchy of risk controls and verification requirements.
Risk control implementation records: For each implemented risk control, the risk management file must document: the specific control measure implemented, the risk control category (inherent safety by design, protective measures, or information for safety), the risk estimation after the control is implemented (residual risk), and the verification that the control measure was implemented and is effective.
Risk control verification: The risk management file must contain objective evidence that each risk control was implemented as described. This evidence links the risk management file to design outputs (drawings, specifications that incorporate the risk control), process validation records (confirming the risk control can be consistently manufactured), and verification testing records (confirming the risk control performs as intended).
New hazards introduced by risk controls: ISO 14971 requires analysis of whether risk controls themselves introduce new hazards. The file must document this analysis for each control measure. For example, an alarm that warns users of a dangerous condition could be so sensitive that it produces frequent false alarms, leading to alarm fatigue, a new hazard introduced by the control.
Residual risk evaluation and overall residual risk: After all risk controls are implemented, the residual risk for each hazardous situation must be evaluated against acceptability criteria. Additionally, the overall residual risk, considering all residual risks in combination, must be evaluated. ISO 14971:2019 requires that the overall residual risk be evaluated using data from clinical literature or post-market experience if available. This is a more demanding requirement than the 2007 version and requires connection between the risk management file and clinical evaluation.
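The acceptability matrix from the risk management plan and the residual-risk and new-hazard records described above can be checked mechanically. The following is an added example, not text or a template from the standard or this page: the 3x3 severity and probability scales, the acceptability criteria, the record layout and the alarm sample are all constructed assumptions, and `check_file` reports records that are inconsistent with the file requirements (a risk above the criteria with no control, a control with no residual estimate or no verification evidence, and a control that introduces a hazard the file never analyses).

```python
from dataclasses import dataclass, field
# Constructed 3x3 scales and acceptability criteria; a real plan defines its own.
SEVERITY = {"negligible": 1, "serious": 2, "catastrophic": 3}
PROBABILITY = {"improbable": 1, "occasional": 2, "frequent": 3}

def acceptability(severity, probability):
    """Apply the plan's acceptability criteria to one severity/probability pair."""
    score = SEVERITY[severity] * PROBABILITY[probability]
    if score <= 2:
        return "acceptable"
    return "reduce" if score <= 4 else "unacceptable"

@dataclass
class Control:
    measure: str
    category: str            # inherent safety, protective measure, or information for safety
    verified: bool = False   # objective evidence it was implemented and is effective
    new_hazards: tuple = ()  # ids of hazardous situations the control itself introduces
@dataclass
class HazardousSituation:
    hazard_id: str
    severity: str
    probability: str
    controls: list = field(default_factory=list)
    residual: tuple = ()     # (severity, probability) after controls; empty if not estimated

def check_file(situations):
    """Return findings over the records; an empty list means they are consistent."""
    known = {s.hazard_id for s in situations}
    findings = []
    for s in situations:
        if acceptability(s.severity, s.probability) == "acceptable":
            continue  # within criteria before controls: no risk control required
        if not s.controls:
            findings.append(f"{s.hazard_id}: risk above criteria but no control recorded")
            continue
        if not s.residual:
            findings.append(f"{s.hazard_id}: residual risk not estimated after controls")
        elif acceptability(*s.residual) != "acceptable":
            findings.append(f"{s.hazard_id}: residual risk still above criteria")
        for c in s.controls:
            if not c.verified:
                findings.append(f"{s.hazard_id}: control '{c.measure}' lacks verification evidence")
            for h in c.new_hazards:
                if h not in known:
                    findings.append(f"{s.hazard_id}: control '{c.measure}' introduces {h}, not analysed")
    return findings

# Constructed sample: the alarm from the text, whose false alarms add an alarm-fatigue hazard H2.
SAMPLE = [HazardousSituation("H1", "serious", "frequent", residual=("serious", "improbable"),
          controls=[Control("overpressure alarm", "protective measure", True, ("H2",))])]
```

Running `check_file(SAMPLE)` flags only the unanalysed H2; adding an H2 record with its own control and acceptable residual risk clears the file.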
Sources & References
- ISO 14971:2019, Medical devices: Application of risk management to medical devices
- ISO/TR 24971:2020, Guidance on the application of ISO 14971
- EU MDR 2017/745 Annex II Section 5, Risk Management