What is a Risk Management File?

22 Jun 2020
by Marion Lepmets

ISO 14971:2019 defines the Risk Management file as a “set of records and other documents that are produced by risk management”.

In practice, the risk management file must contain, or have reference to, the following documents:

  1. (4.2, Note 3) The policy for establishing criteria for risk acceptability.
  2. (4.4) The Risk Management Plan.
  3. (4.5) Traceability for each identified hazard to the risk analysis, the risk evaluation, the implementation and verification of the risk control measures and the results of the evaluation of the residual risks.
  4. (5.1) The Risk analysis.
  5. (5.2) Intended Use and Reasonably Foreseeable Misuse.
  6. (5.3) Qualitative and quantitative characteristics that could affect the safety of the medical device. Where appropriate, the manufacturer shall define limits of those characteristics.
  7. (5.4) Hazards, the reasonably foreseeable sequences or combinations of events that can result in a Hazardous Situation, and the resulting hazardous situation(s).
  8. (5.5) Risk Estimation.
  9. (5.5) The system used for qualitative or quantitative categorization of probability of occurrence of harm and severity of harm.
  10. (6) Risk Evaluation.
  11. (7.1) Risk Control Measures.
  12. (7.2) Verification of Implementation of the Risk Control Measures.
  13. (7.3) Evaluation of Residual Risk.
  14. (7.4) The results of the Benefit-Risk Analysis.
  15. (7.5) Risks arising from implemented risk control measures.
  16. (7.6) Review of completeness of risk controls.
  17. (8) Evaluation of Overall Residual Risk.
  18. (9) Risk Management Report, including Risk Management Review.
  19. (10.3) Results of the review of the post-production information.
  20. (10.4) Decision arising from the review of post-production information.

This seems like a lot, but let’s look into the details of these items:

  • Items 1 and 5 are typically contained in separate documents in the DHF. Just link them.
  • Items 4, 5, 7, 8, 10, 11, 13, 15 are generally contained in each single risk analysis document.
  • Items 6 and 9 can be built into the Risk Management Plan (item 2).
  • Item 3 provides links for item 12 and can be built into the risk analysis documents. Alternatively, if each mitigation has a corresponding (traceable) requirement, the trace is taken care of by the requirement → verification traces.
  • Items 14, 16, 17 can be merged (and generally are) in the Risk Management Review and Report (item 18).
  • Items 19 and 20 are part of the PMS process. A pointer to the PMS plan and procedures will be sufficient. The PMS process itself should then be able to trigger the risk analysis process, as required.

Remember also that IEC 60601-1 is a good contributor to the Risk Management File. In most cases the requirements overlap with ISO 14971, but there are some additions:

  1. Definition of Essential Performance.
  2. Definition of Service Life.
  3. Identification of Applied Parts.
  4. (5.1) Multiple fault conditions.
  5. ( Mechanical strength and resistance to heat.
  6. ( and 9.8.4) Overtravel.
  7. (9.2.4) Emergency stops.
  8. (9.2.5) Emergency Release.
  9. (9.6.1) Acoustic Energy.
  10. (9.8.3) Strength of Patient or Operator support or suspension systems.
  11. (9.8.5) Mechanical Protection Devices.
  12. (10.1.2) X-radiation.
  13. (11.1.2) Temperature of Applied Parts.
  14. (11.2.2) ME equipment and ME systems used in conjunction with oxygen enriched environments.
  15. (11.5) ME equipment and ME systems intended for use in conjunction with flammable agents.
  16. (11.6) Overflow, spillage, leakage, ingress of water or particulate matter, cleaning, disinfection, sterilization and compatibility with substances used with the ME equipment. (multiple references)
  17. (14.4) Reference to the PEMS Validation plan in the Risk Management Plan.
  18. (14.11) All professional relationships between the members of the PEMS validation team and the members of the design team. (a very complicated way to state that V&V members and developers must be independent…)
  19. (15.4.1) Interchangeability of connectors.
  20. (15.4.2) Temperature and Overload control.
  21. (15.4.3) Batteries.
  22. (16.9.1) Connection terminals and connectors.

SoftComply Risk Manager and SoftComply Risk Manager Plus provide you with an ISO 14971-compliant risk management template in Jira and support the establishment of full traceability between risks, requirements and tests. You can also generate the Risk Management Plan and Risk Management Report automatically from the SoftComply Risk Manager apps.

SoftComply apps are available on Atlassian Marketplace – you can try them all out for free!