
Risk Management in ISO 13485 (ISO 14971)

ISO 13485 risk management isn’t a single clause you can tick off — it is woven through the entire standard, from design and purchasing to production and post-market activity. In practice, ISO 13485 risk management is delivered through ISO 14971, the dedicated standard for applying risk management to medical devices. This guide explains how the two fit together and why auditors scrutinise it so closely.


ISO 13485 risk management, woven throughout

ISO 13485 doesn’t confine risk to a single clause — it expects a risk-based approach across product realization: design and development, purchasing, production, and servicing. For medical devices, risk isn’t a formality; it’s central to keeping patients safe.

What is ISO 14971?

ISO 14971 is the international standard for the application of risk management to medical devices (the current edition is ISO 14971:2019, with ISO/TR 24971 as its companion guidance). Where ISO 13485 says you must manage risk, ISO 14971 tells you how, providing a complete framework for identifying hazards, estimating and evaluating risks, controlling them, and monitoring the effectiveness of those controls across the device's life. The two standards are designed to be used together.

The ISO 14971 risk management process

  1. Risk management plan — define scope, responsibilities, and risk acceptability criteria.
  2. Risk analysis — identify hazards and estimate the associated risks.
  3. Risk evaluation — decide whether each risk is acceptable.
  4. Risk control — reduce unacceptable risks using the options in ISO 14971's order of priority (inherently safe design first, then protective measures, then information for safety), verify each control was implemented and is effective, then evaluate the residual risk.
  5. Overall residual risk evaluation — judge whether the total residual risk is acceptable.
  6. Production & post-production monitoring — gather real-world data and feed it back into the assessment.

All of this is captured in a risk management file — the traceable record of your risk decisions for the device.
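As an added example (not code from the page or from any toolkit), here is a minimal model of a risk management file that walks the six steps above: acceptability criteria from the plan, a severity × probability estimate, evaluation, controls traced to verification records, residual-risk evaluation, and a post-production update. The 3×3 matrix, the index thresholds, the record identifiers and the sample entries are all hypothetical; ISO 14971 leaves the acceptability criteria to the manufacturer's own risk management plan. The `audit` function flags the kind of gap auditors look for: a control with no link to verification, or a residual risk that is still unacceptable.

```python
"""Added example: a minimal ISO 14971-style risk management file model.

Hypothetical: the 3x3 matrix, thresholds and sample entries below are
illustrative only; real criteria come from the manufacturer's own plan.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple


class Severity(IntEnum):
    NEGLIGIBLE = 1
    SERIOUS = 2
    CRITICAL = 3


class Probability(IntEnum):
    IMPROBABLE = 1
    OCCASIONAL = 2
    FREQUENT = 3


# Step 1: acceptability criteria as they would be set in the (hypothetical) plan.
ACCEPTABLE_MAX = 2   # index <= 2: acceptable without further control
ALARP_MAX = 4        # index 3..4: reduce as far as practicable, then justify
                     # index > 4: unacceptable, risk control required


def risk_index(severity: Severity, probability: Probability) -> int:
    """Step 2: risk estimate as severity x probability of occurrence of harm."""
    return int(severity) * int(probability)


def evaluate(severity: Severity, probability: Probability) -> str:
    """Step 3: compare the estimate against the plan's acceptability criteria."""
    idx = risk_index(severity, probability)
    if idx <= ACCEPTABLE_MAX:
        return "acceptable"
    if idx <= ALARP_MAX:
        return "alarp"
    return "unacceptable"


@dataclass
class Control:
    """Step 4: one risk control; 'kind' follows the standard's priority order."""
    control_id: str
    kind: str                                   # design | protective | information
    description: str
    verified_by: Optional[str] = None           # id of the verification record
    residual_severity: Optional[Severity] = None
    residual_probability: Optional[Probability] = None


@dataclass
class Risk:
    risk_id: str
    hazard: str
    harm: str
    severity: Severity
    probability: Probability
    controls: List[Control] = field(default_factory=list)
    post_market_refs: List[str] = field(default_factory=list)  # complaints, CAPAs
    field_probability: Optional[Probability] = None          # from step 6 data

    def residual(self) -> Tuple[Severity, Probability]:
        """Residual estimate after the last control, overridden by field data."""
        sev, prob = self.severity, self.probability
        for c in self.controls:
            sev = c.residual_severity or sev
            prob = c.residual_probability or prob
        return sev, self.field_probability or prob

    def residual_evaluation(self) -> str:
        """Step 5 (per risk): evaluate the residual risk against the criteria."""
        return evaluate(*self.residual())


def audit(risks: List[Risk]) -> List[str]:
    """Findings an auditor would raise: untraced controls, unreduced risks."""
    findings = []
    for r in risks:
        initial = evaluate(r.severity, r.probability)
        if initial != "acceptable" and not r.controls:
            findings.append(f"{r.risk_id}: {initial} risk with no control")
        for c in r.controls:
            if c.verified_by is None:
                findings.append(f"{r.risk_id}/{c.control_id}: control not traced to verification")
        if r.residual_evaluation() == "unacceptable":
            findings.append(f"{r.risk_id}: residual risk still unacceptable")
    return findings


def post_market_update(risk: Risk, observed: Probability, ref: str) -> str:
    """Step 6: feed a field observation back in and re-evaluate residual risk."""
    risk.post_market_refs.append(ref)
    _, current = risk.residual()
    if observed > current:            # field data contradicts the estimate
        risk.field_probability = observed
    return risk.residual_evaluation()


def sample_file() -> List[Risk]:
    """Constructed sample entries (hypothetical device and identifiers)."""
    r1 = Risk("R-001", "overflow in dose calculation", "overdose",
              Severity.CRITICAL, Probability.OCCASIONAL)          # index 6
    r1.controls.append(Control("C-001", "design", "range-check dose before pumping",
                               verified_by="VER-017",
                               residual_probability=Probability.IMPROBABLE))  # 3
    r2 = Risk("R-002", "no low-battery warning", "therapy interruption",
              Severity.SERIOUS, Probability.FREQUENT)             # index 6
    r2.controls.append(Control("C-002", "information", "low-battery note in IFU",
                               residual_probability=Probability.OCCASIONAL))  # 4
    return [r1, r2]
```

Running `audit(sample_file())` flags only `C-002`, which has no verification record; the later `post_market_update` call shows how a single field report can push an "alarp" residual risk back to "unacceptable" and so reopen the analysis.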

Risk management, ready to run.

The ISO 13485 Toolkit includes risk management procedures and templates aligned to ISO 14971 — risk management plan, analysis, control, and file — auditor-written and ready to tailor to your device.


Why auditors focus on it

Risk management and design controls draw more audit scrutiny than almost anything else in a medical-device QMS — because that’s where patient safety is won or lost. A weak or disconnected risk file (one that doesn’t trace to your design outputs, verification, and post-market data) is a common source of findings.

It never really ends

Risk management is a lifecycle activity, not a launch gate. Post-market data — complaints, adverse events, field performance — must flow back into your risk assessment, potentially triggering updates or corrective action. This ties directly to the feedback and CAPA processes in your ISO 13485 documentation.

How ISO 13485 risk management works with ISO 14971

ISO 13485 requires a risk-based approach but points to ISO 14971 for the method. That process runs across the device life cycle: identify hazards, estimate and evaluate the associated risks, implement and verify risk controls, and evaluate residual risk, then monitor real-world data and feed it back into the analysis. Auditors focus on it because inadequate risk management is commonly behind device recalls and adverse events. Your risk management file becomes the central evidence, linking each hazard to its controls and each control to its verification. Strong ISO 13485 risk management is what ties your whole quality system to patient safety.

Frequently asked questions

Is ISO 14971 mandatory for ISO 13485?

ISO 13485 requires risk management but does not mandate one specific method; ISO 13485:2016 only refers to ISO 14971 in a note as the source of further information. In practice, ISO 14971 is the universally accepted framework, it is recognised by regulators, and an auditor will expect to see it or a documented equivalent.

What is the risk management file?

The complete, traceable record of risk management activities and decisions for a given device — a core piece of evidence at audit.


Bottom line: treat ISO 13485 risk management as continuous, not a one-time file. Feed production and post-market data back into your ISO 14971 analysis, and both your compliance and your devices get safer over time.
