What is a Risk Management File?

June 22, 2020

ISO 14971:2019 defines the Risk Management File as a “set of records and other documents that are produced by risk management”.

In practice, the Risk Management File must contain, or reference, the following documents (ISO 14971:2019 clause numbers in parentheses):

  1. (4.2, Note 3) The policy for establishing criteria for risk acceptability.
  2. (4.4) The Risk Management Plan.
  3. (4.5) Traceability for each identified hazard to the risk analysis, the risk evaluation, the implementation and verification of the risk control measures and the results of the evaluation of the residual risks.
  4. (5.1) The Risk analysis.
  5. (5.2) Intended Use and Reasonably Foreseeable Misuse.
  6. (5.3) Qualitative and quantitative characteristics that could affect the safety of the medical device. Where appropriate, the manufacturer shall define limits of those characteristics.
  7. (5.4) Hazards, the reasonably foreseeable sequences or combinations of events that can result in a Hazardous Situation, and the resulting hazardous situation(s).
  8. (5.5) Risk Estimation.
  9. (5.5) The system used for qualitative or quantitative categorization of probability of occurrence of harm and severity of harm.
  10. (6) Risk Evaluation.
  11. (7.1) Risk Control Measures.
  12. (7.2) Verification of Implementation of the Risk Control Measures.
  13. (7.3) Evaluation of Residual Risk.
  14. (7.4) The results of the Benefit-Risk Analysis.
  15. (7.5) Risks arising from implemented risk control measures.
  16. (7.6) Review of completeness of risk controls.
  17. (8) Evaluation of Overall Residual Risk.
  18. (9) Risk Management Report, including Risk Management Review.
  19. (10.3) Results of the review of the post-production information.
  20. (10.4) Decision arising from the review of post-production information.

This seems like a lot, but let’s look at the details of these items:

  • Items 1 and 5 are typically contained in separate documents in the DHF. Just link to them.
  • Items 4, 5, 7, 8, 10, 11, 13 and 15 are generally contained in each individual risk analysis document.
  • Items 6 and 9 can be built into the Risk Management Plan (item 2).
  • Item 3 provides the links for item 12 and can be built into the risk analysis documents. Alternatively, if each mitigation has a corresponding (traceable) requirement, the trace is taken care of by the existing requirement → verification traces.
  • Items 14, 16 and 17 can be merged (and generally are) into the Risk Management Review and Report (item 18).
  • Items 19 and 20 are part of the PMS process. A pointer to the PMS plan and procedures is sufficient. The PMS process itself must then be able to trigger the risk analysis process when required.
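As an added illustration of the traceability chain behind item 3 (and of the requirement → verification shortcut in the bullet above), the following Python script walks a constructed Risk Management File and reports every break in the chain hazard → risk control → requirement → verification, and every residual risk that falls outside the acceptability policy. It is example code written for this article, not code from the standard or from the SoftComply apps; the acceptability matrix, the hazard, control, requirement and test identifiers (HZ-1, RC-1, REQ-1, TC-1) and the verification result are all invented sample data.

```python
"""Traceability completeness check over a constructed risk management file.

Added example, not from ISO 14971 or any product. All identifiers and the
acceptability matrix below are invented sample data (assumptions)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed acceptability policy (item 1): probability x severity -> acceptable?
# The cell values are assumptions; a real manufacturer defines its own matrix.
PROBABILITY = {"low": 0, "medium": 1, "high": 2}
SEVERITY = {"minor": 0, "serious": 1, "critical": 2}
ACCEPTABLE = [
    # minor, serious, critical
    [True,  True,  False],  # low
    [True,  False, False],  # medium
    [False, False, False],  # high
]


def risk_acceptable(probability: str, severity: str) -> bool:
    """Item 10 (risk evaluation): look the estimated risk up in the policy."""
    return ACCEPTABLE[PROBABILITY[probability]][SEVERITY[severity]]


@dataclass
class Hazard:
    id: str
    hazardous_situation: str                       # item 7
    initial: tuple                                 # (probability, severity), item 8
    residual: tuple                                # after controls, item 13
    controls: list = field(default_factory=list)   # risk control IDs, item 11


@dataclass
class RiskControl:
    id: str
    requirement: Optional[str]   # requirement implementing it; None = gap


def trace_gaps(hazards, controls, requirement_ids, verifications):
    """Item 3: walk hazard -> control -> requirement -> verification and
    return every break in the chain as a (hazard_id, problem) tuple."""
    problems = []
    control_index = {c.id: c for c in controls}
    results_by_req = {}
    for v in verifications:
        results_by_req.setdefault(v["req"], []).append(v["passed"])
    for h in hazards:
        if not risk_acceptable(*h.initial) and not h.controls:
            problems.append((h.id, "unacceptable initial risk has no risk control"))
        for cid in h.controls:
            c = control_index.get(cid)
            if c is None:
                problems.append((h.id, f"references unknown control {cid}"))
                continue
            if c.requirement not in requirement_ids:
                problems.append((h.id, f"{cid} has no traceable requirement"))
                continue
            results = results_by_req.get(c.requirement, [])
            if not results:
                problems.append((h.id, f"{c.requirement} has no verification (item 12)"))
            elif not all(results):
                problems.append((h.id, f"{c.requirement} verification failed"))
        if not risk_acceptable(*h.residual):
            problems.append((h.id, "residual risk unacceptable; benefit-risk analysis needed (item 14)"))
    return problems


def example_gaps():
    """Constructed sample file: HZ-1 is fully traced, HZ-2 and HZ-3 have gaps."""
    hazards = [
        Hazard("HZ-1", "patient exposed to excess energy", ("high", "serious"),
               ("low", "serious"), ["RC-1"]),
        Hazard("HZ-2", "alarm not heard by operator", ("medium", "critical"),
               ("low", "critical"), ["RC-2"]),
        Hazard("HZ-3", "wrong connector mated", ("medium", "serious"),
               ("medium", "serious")),
    ]
    controls = [RiskControl("RC-1", "REQ-1"), RiskControl("RC-2", None)]
    requirement_ids = {"REQ-1"}
    verifications = [{"req": "REQ-1", "test": "TC-1", "passed": True}]
    return trace_gaps(hazards, controls, requirement_ids, verifications)


if __name__ == "__main__":
    for hazard_id, problem in example_gaps():
        print(hazard_id, problem)
```

Run as a script, it lists the four gaps in the sample data (HZ-2 has a control with no requirement and a residual risk outside the policy; HZ-3 has no control at all). In a real project the same walk would be fed from the risk register and the requirement and test records rather than from inline literals, and an empty result is the evidence behind items 12 and 16.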

Remember also that IEC 60601-1 is a significant contributor to the Risk Management File. In most cases its requirements overlap with ISO 14971, but there are some additions (IEC 60601-1 clause numbers in parentheses):

  1. Definition of Essential Performance.
  2. Definition of Service Life.
  3. Identification of Applied Parts.
  4. (5.1) Multiple fault conditions.
  5. (8.4.4.1) Mechanical strength and resistance to heat.
  6. (9.2.2.6 and 9.8.4) Overtravel.
  7. (9.2.4) Emergency stops.
  8. (9.2.5) Emergency Release.
  9. (9.6.1) Acoustic Energy.
  10. (9.8.3) Strength of Patient or Operator support or suspension systems.
  11. (9.8.5) Mechanical Protection Devices.
  12. (10.1.2) X-radiation.
  13. (11.1.2) Temperature of Applied Parts.
  14. (11.2.2) ME equipment and ME systems used in conjunction with oxygen enriched environments.
  15. (11.5) ME equipment and ME systems intended for use in conjunction with flammable agents.
  16. (11.6) Overflow, spillage, leakage, ingress of water or particulate matter, cleaning, disinfection, sterilization and compatibility with substances used with the ME equipment. (multiple references)
  17. (14.4) Reference to the PEMS Validation plan in the Risk Management Plan.
  18. (14.11) All professional relationships between the members of the PEMS validation team and the members of the design team (a very complicated way of stating that V&V members and developers must be independent).
  19. (15.4.1) Interchangeability of connectors.
  20. (15.4.2) Temperature and Overload control.
  21. (15.4.3) Batteries.
  22. (16.9.1) Connection terminals and connectors.

SoftComply Risk Manager and SoftComply Risk Manager Plus provide you with an ISO14971 compliant risk management template in Jira and support the establishment of full traceability between risks, requirements and tests. You can also generate the Risk Management Plan and Risk Management Report automatically from the SoftComply Risk Manager apps.
