Managing risk is one of the most important areas in medical device manufacturing today. Not only does it protect users and patients, it’s also a major requirement of most regulatory bodies around the world.
But alongside the risk management process are the equally important procedures for documenting these activities. In the US, the FDA’s approach has long been, “If you didn’t document it, it didn’t happen.”
That’s why so many medical device manufacturers turn to the international standard ISO 14971 - Application of Risk Management to Medical Devices. While there are in-depth requirements for the documentation alone, meeting the requirements of ISO 14971:2019 is not as cumbersome as it seems. In fact, when medical device manufacturers follow it properly, the result is a safer product, and it can result in lower total costs.
Though risk management documentation is mentioned throughout ISO 14971, our attention will focus on Sections 4.4 and 4.5 of the standard, which outline the requirements for the risk management plan and risk management file, respectively.
In ISO 14971:2019, Section 4.4, the standard states that:
“Risk management activities shall be planned. For the particular medical device being considered, the manufacturer shall establish and document a risk management plan in accordance with the risk management process.”
Pay special attention to the language used; the standard uses the term “shall” to denote that this is a requirement, not a suggestion. Risk management plans are crucial to effectively managing and mitigating risk. As such, alignment with ISO 14971 calls for specific documentation.
Your risk management plan must include:
Scope of the planned risk management activities throughout the entire product life cycle
Assignment of risk management responsibilities and management’s role
Requirements for review of risk management activities
Criteria for risk acceptability, based on the manufacturer’s policy for determining acceptable risk, including criteria for accepting risks when the probability of occurrence of harm cannot be estimated
A method to evaluate the overall residual risk
Activities for verification of the implementation and effectiveness of risk control measures
Activities related to collection and review of relevant production and post-production information
Now that we have an idea of what’s required in the risk management plan documentation, we can turn our attention to Section 4.5, which states that all risk management activities, including the risk management plan, are required to be documented and all versions placed in a risk management file (RMF).
The RMF is a convenient way of recording your risk management activities. It shall contain documents identifying the results of each activity, including planning, and showing how risk management activities are performed.
Per ISO 14971, your risk management file must include documentation of:
Risk analysis
Risk evaluation
Implementation and verification of the risk control measures
Results of the evaluation of the residual risks
Another important detail to keep in mind for both the risk management plan and the risk management file is that these must be produced for each device or device family.
With such a broad range of risk management activities and various forms of documentation needed, keeping these records connected is imperative for internal and external audits, as well as for any regulatory submissions. So, it makes sense that ISO 14971 specifically mentions the need for traceability.
In Section 4.5, the standard states, “In addition to the requirements of other clauses of this document, the risk management file shall provide traceability for each identified hazard.” Traceability is explained more fully in Annex A.2.4.5, found in ISO 14971:2019:
“This document uses this term to signify where the manufacturer can locate or find the locations of all the records and other documents applicable to risk management. This facilitates the risk management process and enables more efficient auditing to this document. Traceability is necessary to demonstrate that the risk management process has been applied to each identified hazard.”
Traceability is also vital to ensure completeness. When a risk management activity is left incomplete, it may mean that an identified hazard and its potential risk to cause harm are not controlled. Incompleteness can occur anywhere throughout the risk management process, including:
Unidentified hazards
Risks not assessed
Unspecified risk control measures
Risk control measures not implemented
Risk control measures that prove ineffective
Because it usually takes multiple tools to identify and evaluate all risks, a tool such as a risk traceability matrix can be hugely helpful.
You can also learn more about the traceability requirements in this free, on-demand session on Documenting Risk Management to Meet Requirements of ISO 14971:2019, from the Risk Management True Quality Summit Series by Greenlight Guru.
Another hugely important risk management requirement under ISO 14971 is that all risk management files be living documents. This means keeping the documentation up-to-date in both the production and post-production phases. Thus, you’ll need to establish a process for documenting and maintaining a risk management system for collecting and reviewing this information.
Quoting directly from ISO 14971:
The manufacturer shall collect, where applicable
information generated during production and monitoring of the production process
information generated by the user
information generated by those accountable for the installation, use and maintenance of the medical device
information generated by the supply chain
publicly available information
information related to the generally acknowledged state of the art
One of the greatest takeaways from this excerpt is the need to connect risk management files to post-production collection of customer complaints and feedback. This data can come from anywhere in the supply chain, whether it’s during shipping activities, while being installed or set up by providers, used by actual patients, or even in published articles surrounding the safety of the device type.
Quoting directly from ISO 14971:
The manufacturer shall review the information collected for possible relevance to safety, especially whether:
Previously unrecognized hazards or hazardous situations are present
An estimated risk arising from a hazardous situation is no longer acceptable
The overall residual risk is no longer acceptable in relation to the benefits of the intended use
The generally acknowledged state of the art has changed
These guidelines connect back to the importance of establishing criteria for acceptable levels of risk. They also remind us that this is in no way a one-and-done activity. ISO 14971 requires that the risk management file shall be kept up-to-date throughout the product lifecycle, until the last product in the field is removed from use and properly disposed of.
This is pertinent both for devices that may have reached the end of their lifecycle and are being removed from circulation, and for field models that are being replaced by an updated or brand-new device type.
In either case, the entire RMF may be destroyed only after the device is no longer available for use, and only in accordance with Document Control requirements and legal and regulatory requirements.
Risk management is much more than paperwork; it’s a product-level process that can protect developers, manufacturers, providers, and actual patients from potential harm or even death.
So when you turn to your QMS solution, why not choose one that is purpose-built to keep you in compliance with ISO 14971:2019? Greenlight Guru offers the only integrated risk management software built specifically for MedTech companies and that aligns directly with ISO 14971:2019.
Etienne Nichols is the Head of Industry Insights & Education at Greenlight Guru. As a Mechanical Engineer and Medical Device Guru, he specializes in simplifying complex ideas, teaching system integration, and connecting industry leaders. While hosting the Global Medical Device Podcast, Etienne has led over 200...