What is a Risk Management File?

June 22, 2020

ISO 14971:2019 defines the Risk Management file as a “set of records and other documents that are produced by risk management”.

In practice, the risk management file must contain, or have reference to, the following documents:

  1. (4.2, Note 3) The policy for establishing criteria for risk acceptability.
  2. (4.4) The Risk Management Plan.
  3. (4.5) Traceability for each identified hazard to the risk analysis, the risk evaluation, the implementation and verification of the risk control measures and the results of the evaluation of the residual risks.
  4. (5.1) The Risk analysis.
  5. (5.2) Intended Use and Reasonably Foreseeable Misuse.
  6. (5.3) Qualitative and quantitative characteristics that could affect the safety of the medical device. Where appropriate, the manufacturer shall define limits of those characteristics.
  7. (5.4) Hazards, the reasonably foreseeable sequences or combinations of events that can result in a Hazardous Situation, and the resulting hazardous situation(s).
  8. (5.5) Risk Estimation.
  9. (5.5) The system used for qualitative or quantitative categorization of probability of occurrence of harm and severity of harm.
  10. (6) Risk Evaluation.
  11. (7.1) Risk Control Measures.
  12. (7.2) Verification of Implementation of the Risk Control Measures.
  13. (7.3) Evaluation of Residual Risk.
  14. (7.4) The results of the Benefit-Risk Analysis.
  15. (7.5) Risks arising from implemented risk control measures.
  16. (7.6) Review of completeness of risk controls.
  17. (8) Evaluation of Overall Residual Risk.
  18. (9) Risk Management Report, including Risk Management Review.
  19. (10.3) Results of the review of the post-production information.
  20. (10.4) Decision arising from the review of post-production information.

This seems a lot, but let’s look into the details of these items:

  • Items 1 and 5 are typically contained in separate documents in the DHF (Design History File). Just link them.
  • Items 4, 5, 7, 8, 10, 11, 13, 15 are generally contained in each single risk analysis document.
  • Items 6 and 9 can be built into the Risk Management Plan (item 2).
  • Item 3 provides the links for item 12 and can be built into the risk analysis documents. Alternatively, if each mitigation has a corresponding (traceable) requirement, the trace is taken care of by the requirement → verification traces.
  • Items 14, 16 and 17 can be merged (and generally are) into the Risk Management Review and Report (item 18).
  • Items 19 and 20 are part of the PMS process. A pointer to the PMS plan and procedures will be sufficient. The PMS process itself should then be able to trigger the risk analysis process, as required.
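To make the item-3 traceability chain concrete (hazard → estimation → control → verification → residual risk), here is an added example that is not from the original post or from SoftComply: a minimal risk register with a completeness checker. The probability and severity level names and the acceptability rule are assumptions standing in for the manufacturer's own categorization system (item 9) and acceptability policy (item 1).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed categorization system (item 9) and acceptability policy (item 1);
# ISO 14971 does not prescribe these, each manufacturer defines its own.
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4}
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4}
ACCEPTABLE_MAX = 4  # assumed: risk index = probability * severity, acceptable if <= 4

@dataclass
class Control:
    control_id: str
    requirement_id: Optional[str] = None  # mitigation traced to a requirement (the alternative in the text)
    verified_by: Optional[str] = None     # verification record, e.g. a test id (item 12)

@dataclass
class Hazard:
    hazard_id: str
    hazardous_situation: str                               # item 7
    probability: str                                       # item 8, initial estimate
    severity: str
    controls: List[Control] = field(default_factory=list)  # item 11
    residual_probability: Optional[str] = None             # item 13
    residual_severity: Optional[str] = None

def risk_index(probability: str, severity: str) -> int:
    """Item 10: evaluate a risk against the categorization system above."""
    return PROBABILITY[probability] * SEVERITY[severity]

def trace_gaps(h: Hazard) -> List[str]:
    """Return the traceability gaps for one hazard; an empty list means the chain is complete."""
    gaps: List[str] = []
    if risk_index(h.probability, h.severity) > ACCEPTABLE_MAX and not h.controls:
        gaps.append("unacceptable initial risk with no risk control measure (7.1)")
    for c in h.controls:
        # A control is traced either by its own verification record or through a requirement
        # whose requirement -> verification trace lives elsewhere in the DHF.
        if c.verified_by is None and c.requirement_id is None:
            gaps.append(f"{c.control_id}: no verification record and no requirement to trace through (7.2)")
    if h.controls:
        if h.residual_probability is None or h.residual_severity is None:
            gaps.append("controls present but residual risk not evaluated (7.3)")
        elif risk_index(h.residual_probability, h.residual_severity) > ACCEPTABLE_MAX:
            gaps.append("residual risk still unacceptable; benefit-risk analysis required (7.4)")
    return gaps

def register_gaps(register: List[Hazard]) -> Dict[str, List[str]]:
    """Map each hazard id to its gaps, as input for the Risk Management Report (item 18)."""
    return {h.hazard_id: trace_gaps(h) for h in register}
```

Running `register_gaps` over the register gives the per-hazard list of missing links that the Risk Management Review (item 18) has to resolve before overall residual risk (item 17) can be evaluated.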

Remember also that IEC 60601-1 is a good contributor to the Risk Management File. In most cases the requirements overlap with ISO 14971, but there are some additions:

  1. Definition of Essential Performance. You can read more about it here.
  2. Definition of Service Life.
  3. Identification of Applied Parts.
  4. (5.1) Multiple fault conditions.
  5. (8.4.4.1) Mechanical strength and resistance to heat.
  6. (9.2.2.6 and 9.8.4) Overtravel.
  7. (9.2.4) Emergency stops.
  8. (9.2.5) Emergency Release.
  9. (9.6.1) Acoustic Energy.
  10. (9.8.3) Strength of Patient or Operator support or suspension systems.
  11. (9.8.5) Mechanical Protection Devices.
  12. (10.1.2) X-radiation.
  13. (11.1.2) Temperature of Applied Parts.
  14. (11.2.2) ME equipment and ME systems used in conjunction with oxygen enriched environments.
  15. (11.5) ME equipment and ME systems intended for use in conjunction with flammable agents.
  16. (11.6) Overflow, spillage, leakage, ingress of water or particulate matter, cleaning, disinfection, sterilization and compatibility with substances used with the ME equipment. (multiple references)
  17. (14.4) Reference to the PEMS Validation plan in the Risk Management Plan.
  18. (14.11) All professional relationships between the members of the PEMS validation team and the members of the design team. (a very complicated way to state that V&V members and developers must be independent…)
  19. (15.4.1) Interchangeability of connectors.
  20. (15.4.2) Temperature and Overload control.
  21. (15.4.3) Batteries.
  22. (16.9.1) Connection terminals and connectors.

SoftComply Risk Manager and SoftComply Risk Manager Plus provide you with an ISO14971 compliant risk management template in Jira and support the establishment of full traceability between risks, requirements and tests. You can also generate the Risk Management Plan and Risk Management Report automatically from the SoftComply Risk Manager apps.
