
Integrating ISO 14971 with ISO 13485: Risk Management Guide


Jared Clark

March 07, 2026

Risk management is one of the most misunderstood topics I encounter when working with medical device manufacturers. After serving 200+ clients and maintaining a 100% first-time audit pass rate over 8+ years, I can tell you that the single most common gap I find is this: companies treat ISO 14971 and ISO 13485 as two separate compliance exercises. They're not. They're a paired system — and understanding how they integrate is the difference between a functional quality management system and a paper tiger that fails under audit scrutiny.

This guide is the definitive resource on how ISO 14971:2019 and ISO 13485:2016 work together. I'll cover the structural relationship between the standards, the specific clauses that interact, how to build your risk management process to satisfy both, and the most common mistakes that lead to nonconformities.


Why ISO 14971 and ISO 13485 Cannot Stand Alone

ISO 13485:2016 is the quality management system (QMS) standard for medical devices. It tells you that you must have a risk management process — but it does not tell you how to conduct risk management. That's by design.

ISO 14971:2019 is the dedicated risk management standard for medical devices. It provides the framework, vocabulary, and process requirements for identifying hazards, estimating and evaluating risks, controlling risks, and monitoring residual risks throughout the product lifecycle.

The relationship is codependent: ISO 13485 references ISO 14971 explicitly as the expected method for satisfying its risk-based requirements. ISO 14971, in turn, requires the risk management activities to be embedded within a documented, controlled system — which ISO 13485 provides.

According to the International Medical Device Regulators Forum (IMDRF), risk management is cited as a contributing factor in over 40% of medical device recalls globally. A disconnected approach to these two standards is a leading structural cause of that failure rate.


Understanding the Standards: A Structural Overview

ISO 13485:2016 — The QMS Framework

ISO 13485:2016 establishes requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Risk management is not confined to a single clause — it permeates the entire standard.

Key risk-touching clauses in ISO 13485:2016 include:

  • Clause 4.1.2(b): Requires risk-based approaches to be applied in the realization processes
  • Clause 6.2: Human resources — competency must consider risk implications
  • Clause 7.1: Planning of product realization — must include risk management activities
  • Clause 7.3: Design and development — risk activities are embedded in each phase
  • Clause 7.4: Purchasing — risk-based supplier evaluation and monitoring
  • Clause 8.2.1: Feedback — post-market data feeds back into risk management
  • Clause 8.5.1: Continual improvement — uses risk data as an input

ISO 14971:2019 — The Risk Management Process

ISO 14971:2019 defines the process for risk management as applied to medical devices. The 2019 revision brought significant changes from the 2007 version, including the elimination of the concept of "ALARP" (As Low As Reasonably Practicable) as a standalone decision framework and a stronger emphasis on overall residual risk evaluation.

The ISO 14971 process consists of five major phases:

  1. Risk Management Planning — Define scope, responsibilities, criteria for risk acceptability
  2. Risk Analysis — Identify intended use, hazards, hazardous situations, and estimate risk
  3. Risk Evaluation — Decide if each identified risk requires reduction
  4. Risk Control — Implement and verify measures; evaluate residual risk
  5. Post-Production Information — Monitor, review, and update the risk management file

Clause-by-Clause Integration Map

The following table maps the key interaction points between ISO 13485:2016 and ISO 14971:2019. This is the reference architecture I use with every Certify Consulting client.

ISO 13485:2016   Requirement summary                   ISO 14971:2019   Risk management activity required
4.1.2(b)         Risk-based approach to processes      4.1              Risk management planning at QMS level
7.1              Product realization planning          4.2              Risk management plan per device
7.3.2            Design and development inputs         5.2              Intended use, hazard identification
7.3.3            Design and development outputs        6.2–6.3          Risk control measures
7.3.4            Design review                         4.5              Review of risk management activities
7.3.6            Design verification                   6.4              Verification of risk control implementation
7.3.7            Design validation                     6.5              Residual risk evaluation post-control
7.3.9            Design and development changes        10               Re-assessment of risks after change
7.4.1            Purchasing process                    4.2 / 6.2        Supplier risk in risk management plan
8.2.1            Feedback                              9.1              Post-production information system
8.2.6            Reporting to regulatory authorities   9.2              Threshold events triggering risk review
8.5.1            Continual improvement                 9.4              Risk management file updates

Building an Integrated Risk Management Process: Step-by-Step

Step 1: Establish Your Risk Management Policy at the QMS Level

Your ISO 13485 QMS must define how risk management is conducted across all applicable processes — not just for individual devices. This includes:

  • A documented risk management policy (often embedded in the Quality Manual or a standalone SOP)
  • Assignment of risk management responsibilities (ISO 14971 clause 4.1 requires top management accountability)
  • Criteria for risk acceptability that are approved at the appropriate organizational level

Citation hook: ISO 14971:2019 clause 4.1 requires that top management ensure that risk management responsibilities are assigned to individuals with appropriate competence, authority, and resources — a requirement that must be reflected in the ISO 13485-compliant organizational structure.

Step 2: Create a Device-Specific Risk Management Plan

ISO 14971:2019 clause 4.2 requires a risk management plan for each medical device. This document is not optional and must be version-controlled under your ISO 13485 document control system (clause 4.2.3).

Your risk management plan must include:

  • Scope of the plan — device, intended use, markets
  • Risk acceptability criteria (probability × severity thresholds)
  • Risk management activities and their integration into design phases
  • Methods to evaluate overall residual risk
  • Post-production activities and review triggers

Step 3: Integrate Risk Analysis into Design Inputs (ISO 13485 Clause 7.3.2)

One of the most common nonconformities I see is design input documentation that lists requirements without any traceability to risk analysis. ISO 14971:2019 clause 5.2 requires you to document the intended use and reasonably foreseeable misuse before hazard identification — and these become the foundation for design inputs under ISO 13485 clause 7.3.2.

Tools commonly used at this stage include:

  • Preliminary Hazard Analysis (PHA)
  • Failure Mode and Effects Analysis (FMEA) — design and/or process
  • Fault Tree Analysis (FTA) for complex systems
  • Use-Related Risk Analysis (per IEC 62366-1 for usability)

Step 4: Drive Risk Controls into Design Outputs

ISO 14971:2019 clause 6.2 establishes a priority hierarchy for risk controls:

  1. Inherently safe design — eliminate or reduce hazard through design
  2. Protective measures — alarms, safeguards in the device or manufacturing process
  3. Information for safety — warnings, labeling, instructions for use

This hierarchy must be documented and justified. Under ISO 13485:2016 clause 7.3.3, design outputs must include criteria for safety, and those criteria trace directly to your risk controls. The risk management file bridges these two requirements.

Step 5: Verify Risk Controls During Design Verification (ISO 13485 Clause 7.3.6)

ISO 14971:2019 clause 6.4 requires that you verify each risk control measure was implemented and is effective before confirming residual risk levels. This verification must be documented in the risk management file.

In an integrated system, design verification test protocols reference specific risk controls. Each verification activity has a corresponding entry in the risk management file demonstrating that the control was confirmed effective. This traceability is what auditors look for — and what most systems lack.

Step 6: Evaluate Overall Residual Risk Before Market Release

This is where ISO 14971:2019 made its most significant change from the 2007 version. Clause 7 now requires an explicit evaluation of the overall residual risk — not just individual residual risks — before declaring the device safe for market.

This evaluation must consider whether the overall residual risk is acceptable given the benefits of the device. If the overall residual risk is not acceptable, the device cannot be released — regardless of whether each individual risk has been reduced to ALAP (As Low As Achievable).

This overall residual risk evaluation must be documented in the risk management report, which in turn feeds into the ISO 13485 design transfer and release process.
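As an added example (not from the article or from either standard), the following Python script runs the checks described in Steps 2 to 6 over a constructed risk management file: acceptability criteria fixed before any risk is estimated, every risk control traced to a design verification record, the clause 6.2 hierarchy justified when only information for safety is used, and a plan-defined rule for when overall residual risk needs a risk-benefit analysis. The 5x5 probability-severity scoring, the threshold values and the sample records are assumptions made for this example.

```python
"""Traceability and acceptability checks over a constructed risk management file.

Added example, not code from the article or from either standard. The sample
records, the 5x5 probability-severity scoring and the overall-residual-risk
rule are constructed for illustration; a real plan defines its own criteria.
"""
from dataclasses import dataclass, field

# Acceptability criteria fixed in the risk management plan BEFORE any risk is
# estimated (Step 2). Index = probability * severity, both scored 1..5.
ACCEPTABLE_INDEX = 6   # an individual risk index above this needs a control
OVERALL_LIMIT = 1      # constructed rule: more than this many residual risks
                       # in the tolerable band (index 4..6) triggers a
                       # documented risk-benefit analysis (Step 6)

# Clause 6.2 control hierarchy, most preferred first.
HIERARCHY = {"inherent_safety": 1, "protective_measure": 2, "information_for_safety": 3}

@dataclass
class Control:
    control_id: str
    kind: str                                             # key of HIERARCHY
    verification_ids: list = field(default_factory=list)  # design verification protocol IDs

@dataclass
class Risk:
    risk_id: str
    hazard: str
    p_initial: int
    severity: int
    p_residual: int
    controls: list = field(default_factory=list)
    hierarchy_justification: str = ""   # why lower-priority controls were chosen

def audit_rmf(risks):
    """Return (findings, needs_risk_benefit); an empty findings list passes."""
    findings, tolerable = [], 0
    for r in risks:
        initial, residual = r.p_initial * r.severity, r.p_residual * r.severity
        if initial > ACCEPTABLE_INDEX and not r.controls:
            findings.append(f"{r.risk_id}: index {initial} unacceptable, no risk control recorded")
        for c in r.controls:   # Step 5: each control must trace to verification
            if not c.verification_ids:
                findings.append(f"{r.risk_id}/{c.control_id}: not traced to design verification (clause 6.4)")
        if r.controls and min(HIERARCHY[c.kind] for c in r.controls) == 3 and not r.hierarchy_justification:
            findings.append(f"{r.risk_id}: information for safety only, hierarchy choice not justified")
        if residual > ACCEPTABLE_INDEX:
            findings.append(f"{r.risk_id}: residual index {residual} still exceeds acceptability criteria")
        elif residual >= 4:
            tolerable += 1
    return findings, tolerable > OVERALL_LIMIT

# Constructed sample RMF entries; hazards and IDs are illustrative only.
SAMPLE_RMF = [
    Risk("R-01", "Over-infusion from keypad entry error", 4, 5, 1,
         [Control("RC-01", "inherent_safety", ["DV-101"])]),
    Risk("R-02", "Occlusion undetected", 3, 4, 2,
         [Control("RC-02", "protective_measure", [])]),              # no verification link
    Risk("R-03", "Misread units on label", 3, 3, 2,
         [Control("RC-03", "information_for_safety", ["DV-103"])]),  # hierarchy not justified
]

if __name__ == "__main__":
    findings, needs_rb = audit_rmf(SAMPLE_RMF)
    print("\n".join(findings) or "no findings")
    print("risk-benefit analysis required:", needs_rb)
```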

Step 7: Build a Living Post-Market Risk Feedback Loop

ISO 14971:2019 clause 9 establishes requirements for a post-production information system. This directly maps to ISO 13485:2016 clauses 8.2.1 (feedback), 8.2.2 (complaints), and 8.2.6 (regulatory reporting).

Citation hook: Under the integrated requirements of ISO 14971:2019 clause 9 and ISO 13485:2016 clause 8.2.1, post-market surveillance data — including complaints, adverse events, and literature reviews — must be evaluated as inputs to the risk management file, with documented evidence that risk estimates remain valid or are updated accordingly.

Your post-market surveillance (PMS) procedure must explicitly state how surveillance data triggers risk management file review. This is not a one-time activity at product launch — it is a continuous lifecycle obligation.


The Risk Management File: Your Integration Artifact

The risk management file (RMF) is the central document that proves your integrated compliance. ISO 14971:2019 clause 4.4 requires that the RMF be maintained for the entire lifecycle of the device and be structured to allow traceability of each risk management activity.

A complete, audit-ready risk management file contains:

  1. Risk Management Plan (current version)
  2. Intended use and characteristics document
  3. Hazard identification records (FMEA, PHA, or equivalent)
  4. Risk estimation and evaluation records
  5. Risk control selection and justification
  6. Risk control verification records (linked to design verification)
  7. Residual risk evaluation records (individual and overall)
  8. Risk-benefit analysis (if overall residual risk required justification)
  9. Risk Management Report (summary with declaration of acceptability)
  10. Post-market surveillance inputs and updates

Under your ISO 13485 QMS, the RMF is a controlled record. It must be subject to document control (clause 4.2.3) and records control (clause 4.2.4). Version changes to the risk management file must go through your change control process.


Common Nonconformities: What Auditors Find

Based on my audit experience across 200+ clients, these are the most frequently cited nonconformities at the intersection of ISO 14971 and ISO 13485:

  1. Risk management activities not linked to design phases — The FMEA exists as a standalone document with no traceability to design inputs, outputs, or verification records.

  2. Risk acceptability criteria not defined before risk analysis — Criteria are defined retroactively after risks are estimated, which invalidates the process.

  3. No overall residual risk evaluation — Individual risks are documented but the aggregate evaluation required by ISO 14971:2019 clause 7 is absent.

  4. Post-market surveillance not feeding back into the risk management file — The RMF is treated as a closed document after product launch.

  5. Software risk not addressed per IEC 62304 — For software-containing devices, ISO 14971 must be read in conjunction with IEC 62304, and many organizations miss this integration layer.

  6. Supplier risk not documented in the risk management file — Component and supplier risks identified in purchasing evaluations (ISO 13485 clause 7.4.1) are not reflected in device-level risk analysis.


Regulatory Implications: FDA, EU MDR, and Global Markets

Integrating ISO 14971 with ISO 13485 is not just a standards compliance exercise — it has direct regulatory implications across major markets.

United States (FDA): The FDA recognizes ISO 14971:2019 as a consensus standard under the 21 CFR 820 Quality System Regulation framework and the updated Quality Management System Regulation (QMSR) effective February 2026, which aligns more closely with ISO 13485:2016. Risk management documentation is a standard expectation during 510(k) and PMA submissions.

European Union (EU MDR 2017/745): EU MDR Article 10(2) explicitly requires that manufacturers establish, implement, and maintain a risk management system in accordance with ISO 14971. Annex I (General Safety and Performance Requirements) requires documented risk management as a prerequisite for CE marking. Notified Bodies routinely audit the integration of the risk management file with the QMS.

Canada (Health Canada MDRSC): ISO 13485:2016 is the recognized QMS standard, and ISO 14971 is the expected risk management methodology for device licensing submissions.

Citation hook: As of the EU MDR 2017/745 Annex I, General Safety and Performance Requirements, manufacturers must demonstrate that risks associated with their device have been reduced as far as possible without adversely affecting the benefit-risk ratio — a determination that can only be made through a fully documented ISO 14971-compliant risk management process integrated with the ISO 13485 QMS.


Integration Checklist: Are Your Systems Actually Connected?

Use this checklist to assess the integration maturity of your current system:

  • [ ] Risk management policy is documented and references ISO 14971:2019 as the governing standard
  • [ ] Every device has a device-specific risk management plan under document control
  • [ ] Design inputs procedure requires traceability to risk analysis outputs
  • [ ] Design outputs procedure requires documentation of risk control measures
  • [ ] Design verification protocols reference specific risk controls by ID
  • [ ] Design transfer checklist includes confirmation of completed risk management report
  • [ ] Post-market surveillance procedure specifies risk management file review triggers
  • [ ] CAPA procedure includes risk re-assessment when corrective actions address safety issues
  • [ ] Supplier qualification procedure documents component-level risks in the device risk management file
  • [ ] Management review inputs include risk management file status and post-market risk data

If you check fewer than 7 of these, your integration has gaps that will likely surface as nonconformities in your next audit.


Frequently Asked Questions

Does ISO 13485:2016 require compliance with ISO 14971?

ISO 13485:2016 does not explicitly mandate ISO 14971 by name in its normative text — it references a risk-based approach throughout without prescribing the specific standard. However, ISO 14971 is the recognized industry standard for medical device risk management and is expected by virtually all regulatory bodies and certification bodies when assessing conformance to ISO 13485. In practice, using any methodology other than ISO 14971 requires significant justification.

What changed in ISO 14971:2019 compared to the 2007 version?

The 2019 revision made four key changes: (1) it removed the requirement to reduce risk "as low as reasonably practicable (ALARP)" as the decision criterion, replacing it with a risk acceptability determination based on the manufacturer's defined criteria; (2) it strengthened the requirement to evaluate overall residual risk as a distinct, documented step; (3) it clarified that risk-benefit analysis is an input to acceptability of overall residual risk, not a general license to accept high individual risks; and (4) it improved alignment with ISO/TR 24971:2020, which provides guidance on applying the standard.

How do I handle software risk under both ISO 14971 and ISO 13485?

For devices containing software, ISO 14971:2019 must be applied in conjunction with IEC 62304:2006+AMD1:2015 (software lifecycle processes for medical device software). Your risk management plan should explicitly identify software as a component subject to both standards. Software FMEAs, software hazard analysis, and cybersecurity risk assessments (increasingly referenced under IEC 81001-5-1) should all be documented in the risk management file and controlled under your ISO 13485 QMS.

How often does the risk management file need to be updated?

The risk management file must be reviewed and updated whenever: (a) a design change is made to the device; (b) post-market surveillance data reveals a new hazard, changed frequency of a known hazard, or inadequacy of an existing risk control; (c) regulatory requirements change in markets where the device is sold; or (d) the periodic safety update review (required by EU MDR) identifies new information. There is no fixed calendar interval — the trigger is information, not time.

What is the risk management report and when is it required?

The risk management report is a required output under ISO 14971:2019 clause 8. It summarizes the results of the entire risk management process, confirms that the risk management plan was implemented, documents the conclusion that overall residual risk is acceptable, and provides the basis for the declaration that the device is safe for its intended use. It is required before market release and must be updated whenever the risk management file is substantially revised.


Working with a Qualified Expert

Integrating ISO 14971 with ISO 13485 is not a documentation project — it's a systems design challenge. The standards interact at every stage of the product lifecycle, and getting the architecture right the first time saves enormous rework cost during certification audits and regulatory submissions.

At Certify Consulting, I've built and audited integrated risk management systems for 200+ medical device companies, from startup Class I device manufacturers to established Class III companies pursuing EU MDR transition. Every client has passed their first-time audit. That record is built on getting the ISO 14971 / ISO 13485 integration right before the auditor walks in the door.

If you're building a new QMS, preparing for a recertification audit, or transitioning to EU MDR, the risk management architecture is the place to start.



Last updated: 2026-03-06


Jared Clark

Certification Consultant

Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.