ISO 14971:2019 defines risk management as a systematic process that begins before design inputs are finalised and continues until a device is decommissioned. The standard requires manufacturers to identify hazards, estimate the probability and severity of harm, evaluate whether each risk is acceptable, and implement controls, then verify that those controls work and that residual risks remain acceptable. Critically, ISO 14971 does not permit manufacturers to simply write down a risk estimate and move on. Every control measure must be implemented, verified, and tracked against the original hazard.
Risk management under ISO 14971 is a live process, not a document produced once at design release. Under ISO 13485, the FDA Quality Management System Regulation, and the EU MDR, the risk file must be maintained throughout the product lifecycle. That means every design change triggers a risk management review. Every post-market surveillance signal, complaint, or CAPA must feed back into the risk file so the benefit-risk analysis reflects the device as it actually performs in the field, not as it was theorised to perform on a bench.
Notified body auditors and FDA investigators consistently cite the same failures: risk files frozen at design release with no change history, control measures listed but never verified, and residual risk acceptability decisions made by personnel who lack documented competence for that judgment. A competent person, as ISO 14971 requires, must formally accept overall residual risk. That acceptance must be traceable, repeatable, and visible to auditors without reconstructing records from multiple unlinked systems.
Connecting the risk file to design controls, CAPAs, post-market surveillance, and vigilance reporting is where many QMS implementations break down. The risk management process is only as strong as the links between it and every other quality process that can introduce new hazard information. Organisations that treat risk management as a standalone activity discover those gaps during inspections, not before them.
The whitepaper below shows how qmsWrapper structures ISO 14971 risk files so they stay connected to CAPAs, design changes, and post-market data throughout the product lifecycle.




