ISO 14971 and ISO 13485
corrective actions repeat, and where auditors find the most painful non-conformities.
ISO 14971 and ISO 13485 form the twin pillars of medical-device safety and quality assurance. One governs risk management; the other regulates the quality management system (QMS) that must control it. Together they define not just what manufacturers should do, but how to prove they’ve done it safely.
When the two aren’t aligned, the result is predictable: incomplete technical documentation, certification delays, and regulatory findings that can derail market access.
Need an Introduction to ISO 14971?
This article explains how ISO 14971 and ISO 13485 work together to support medical device compliance. If you're looking for a complete overview of ISO 14971, including risk management planning, hazard identification, risk analysis, risk controls, residual risk evaluation and post-market monitoring, read our Complete Guide to ISO 14971.
Ensure your risk and quality systems work seamlessly together — speak to Patient Guard’s compliance experts →.
The Relationship Between ISO 14971 and ISO 13485
ISO 13485:2016 establishes the global framework for establishing and maintaining a medical-device quality management system. It covers everything from design and manufacturing to post-market feedback.
ISO 14971:2019, on the other hand, defines the formal risk-management process for identifying, evaluating, and controlling hazards throughout a device’s lifecycle.
Where ISO 13485 tells manufacturers to manage risk, ISO 14971 explains how to do so. ISO 13485’s risk-based approach to QMS depends entirely on the methods and documentation defined in ISO 14971.
In Team-NB’s 2024 survey, 75 % of MDR submissions reached Notified Bodies with less than 50 % of technical documentation complete at first review (36 % had < 25 %, 39 % had 25–50 %). Missing or weak risk documentation — often disconnected from the QMS — is one of the main reasons submissions stall.
BSI also lists Clause 7.1 Risk Management among the top ISO 13485 non-conformities, typically due to risk files not being updated or post-market data never feeding back into risk evaluation.
What ISO 14971 Risk Management Requires
ISO 14971 is both procedural and analytical. It requires manufacturers to create and maintain a documented process covering:
- Risk management plan: defines scope, responsibilities, and review frequency.
- Hazard identification – systematic listing of potential device harms.
- Risk analysis – estimation of probability × severity.
- Risk evaluation and control – deciding acceptability and applying mitigations.
- Verification of control effectiveness – ensuring mitigations actually work.
- Post-market surveillance (PMS) – feeding field data back into risk analysis.
A risk file is never finished. It evolves with design changes, CAPA findings, complaints, and regulatory updates. The best systems integrate risk with design controls, CAPA tracking, and production data, not as a document to file, but as an active decision-support tool.
Quick definition: ISO 14971 = risk process. ISO 13485 = system that governs it.
How ISO 13485 Embeds Risk Management into the QMS
ISO 13485 doesn’t treat risk as a standalone activity. It embeds it in nearly every clause:
- Clause 4.1.2: requires a risk-based approach to process validation and change control.
- Clause 7: links design and development directly to risk identification and control.
- Clause 8: expects CAPA, internal audits, and post-market data to be risk-driven.
Risk influences supplier selection, production validation, complaint handling, and even management reviews. A strong QMS ensures risk files are referenced, reviewed, and continually updated.
That’s the link between ISO 14971 and ISO 13485: risk data becomes the backbone of quality evidence, demonstrating to regulators that every process decision has a safety justification.
See also: Patient Guard’s ISO 13485 Internal Audit and CAPA Services
Certification insight: For new MDR certificates, 44% took 13–18 months and 31% took 6–12 months from application to issuance. Companies with traceable integration between ISO 14971 and ISO 13485 avoid most of these extended review cycles (Team-NB 2024).
Integrating Risk Management into the Quality-Management System
Step 1: Align Risk Procedures and QMS Documentation
Reference the risk-management procedure directly in your QMS manual. Map cross-links between clauses, for example, design controls → risk file, supplier evaluation → risk assessment. This ensures auditors can follow risk logic across documents.
Step 2: Create a Shared Risk Register
Replace siloed spreadsheets with a single risk log used across engineering, production, and quality. Include fields for hazard ID, mitigation status, residual-risk rating, and owner. One version of the truth prevents conflicting data during audits.
Step 3: Feed Risk Outputs into CAPA and Audits
Each CAPA should ask: Was this risk foreseen? If not, why? CAPA effectiveness checks should re-evaluate risk severity and likelihood.
Likewise, internal audit schedules should prioritise high-risk processes and suppliers.
Step 4: Leverage Technology for Traceability
Modern digital QMS tools can link risk controls directly to SOPs, training records, and design-history files. Automation reduces transcription errors and strengthens traceability, both of which are key expectations for compliance with medical-device standards.
According to Team-NB 2024, members reported 19,634 valid ISO 13485 certificates across their EU client base — a clear sign that quality management and risk management are no longer optional but foundational to EU market access.
Integrate risk and quality once, audit-proof forever. Partner with Patient Guard today →
Common Gaps Between ISO 14971 and ISO 13485 (and How to Fix Them)
Typical Gap | Why It Happens | How to Fix It |
Risk file created once, never updated | Treated as a design deliverable, not a living process | Tie risk reviews to the management-review cycle and post-market data |
No link between risk controls and production | Risk managed only by design teams | Include process engineers in risk-review boards |
CAPA system not connected to risk register | Separate ownership of CAPA vs risk | Add risk ID field in CAPA forms |
Design reviews miss risk evidence | Poor traceability | Add risk summary to every design-review template |
Supplier risk ignored | Purchasing focuses on cost, not safety | Introduce supplier-risk rating in qualification forms |
How Regulators Expect You to Demonstrate Compliance
Notified Bodies and regulators don’t just check that you have both standards; they check how they interact. Expect auditors to look for:
- A traceability matrix linking risk controls to QMS procedures and technical-file sections.
- Documented evidence that risk evaluation influences design, production, and CAPA.
- Management-review records showing risk-based decision-making.
- Supplier and process-risk assessments as part of purchasing controls.
An auditor’s checklist will include:
- Risk-management plan and updates?
- CAPA linked to risk files?
- Supplier-risk evaluation recorded?
- Risk-acceptability criteria defined and justified?
See also: Patient Guard blog article – ISO 13485 Audit Readiness for Medical Device Manufacturers.
Building a Harmonised Risk-Quality Framework
A harmonised system fuses risk thinking into every quality activity. Benefits include:
- Proactive hazard identification and fewer late-stage CAPAs.
Shorter audit preparation times. - Stronger data for management decisions and vigilance reporting.
Patient Guard’s integrated QMS and Risk Management framework helps manufacturers close gaps between ISO 14971 and ISO 13485, from procedure alignment to risk-culture training.
Post-market challenge: A 2024 MedTech Europe survey found that ~70% of manufacturers take up to 4 months to update post-market surveillance (PMS) reports and feed findings back into risk files, proof that closing the PMS → risk feedback loop remains a central industry pain point.
Contact Patient Guard to integrate your risk and quality systems for seamless compliance →
Wrapping Up
ISO 14971 and ISO 13485 aren’t parallel paths, but two halves of the same compliance framework. ISO 14971 defines how to manage risk; ISO 13485 ensures that management is systematic, documented, and auditable.
When properly integrated, they create a self-correcting system in which every design decision, CAPA, and supplier review is traceable to risk. That’s what regulators want to see, and what keeps products, patients, and businesses safe.
Speak to Patient Guard’s regulatory team to align your risk and quality systems with global standards and prepare for your next audit with confidence. Get in touch →
Frequently Asked Questions Relating to ISO 14971 and ISO 13485
ISO 14971 provides the process for risk identification, analysis, and control. ISO 13485 requires that these risk activities be integrated into the QMS, ensuring they are reviewed, approved, and continually maintained.
ISO 14971 addresses product risk, the hazards associated with the device. ISO 13485 covers process risk, the management of those hazards, and their verification within the quality system.
Refer to the risk procedure in your QMS manual, maintain a unified risk register, and link risk outputs to CAPAs, audits, and management reviews.
Key artefacts include the risk-management plan, risk report, design-review records, CAPA logs, supplier evaluations, and the management-review report, all cross-referenced through a traceability matrix.
Yes. ISO 13485 is the recognised QMS framework for MDR; ISO 14971 is the harmonised standard for risk management under MDR Annexe I (3). Using both demonstrates conformity and regulatory maturity.
Absolutely. Patient Guard provides gap analyses, risk-integration audits, and harmonised QMS-risk frameworks tailored to your device class and market strategy.
David Small BSc (Hons), MSc, MTOPRA
Reviewed by
David Small, BSc (Hons), MSc, MTOPRA
Founder & CEO |
20+ years in medical device regulatory affairs, MDR/IVDR compliance and quality systems.
Patient Guards Recent Posts

EU Authorised Representative Services for Medical Device & IVD Manufacturers
Selling medical devices or IVDs in Europe? If your company is based outside the EU, appointing an EU Authorised Representative (EC Rep) is a legal requirement under EU MDR 2017/745 and IVDR 2017/746. Patient Guard provides expert EU Authorised Representative services, EUDAMED support, regulatory guidance, and ongoing compliance management to help manufacturers access and maintain the European market with confidence.

Predetermined Change Control Plans (PCCPs): The Future of Agile Compliance for Medical Device Software
Learn how PCCPs help medical device software manufacturers manage updates, support AI systems, and enable agile compliance under evolving MDR and UKCA frameworks.

The AI Act Omnibus Explained: What the 2026 EU Rules Mean for Medical Device and IVD Manufacturers
Discover how the EU AI Act Omnibus affects AI medical devices and IVD manufacturers. Learn about the No Duplication principle, transparency rules, key 2026 and 2028 deadlines, and how MDR and IVDR compliance are converging with AI regulation.
Patient Guards Related Services
Patient Guards Regulatory Tools
Need Training?
Do you need training on Quality Management Systems or EU MDR/ EU IVDR? then check out our training courses.