Introduction
corrective actions repeat, and where auditors find the most painful non-conformities.
ISO 14971 and ISO 13485 form the twin pillars of medical-device safety and quality assurance. One governs risk management; the other regulates the quality management system (QMS) that must control it. Together they define not just what manufacturers should do, but how to prove they’ve done it safely.
When the two aren’t aligned, the result is predictable: incomplete technical documentation, certification delays, and regulatory findings that can derail market access.
Ensure your risk and quality systems work seamlessly together — speak to Patient Guard’s compliance experts →.
The Relationship Between ISO 14971 and ISO 13485
ISO 13485:2016 establishes the global framework for establishing and maintaining a medical-device quality management system. It covers everything from design and manufacturing to post-market feedback.
ISO 14971:2019, on the other hand, defines the formal risk-management process for identifying, evaluating, and controlling hazards throughout a device’s lifecycle.
Where ISO 13485 tells manufacturers to manage risk, ISO 14971 explains how to do so. ISO 13485’s risk-based approach to QMS depends entirely on the methods and documentation defined in ISO 14971.
In Team-NB’s 2024 survey, 75 % of MDR submissions reached Notified Bodies with less than 50 % of technical documentation complete at first review (36 % had < 25 %, 39 % had 25–50 %). Missing or weak risk documentation — often disconnected from the QMS — is one of the main reasons submissions stall.
BSI also lists Clause 7.1 Risk Management among the top ISO 13485 non-conformities, typically due to risk files not being updated or post-market data never feeding back into risk evaluation.
What ISO 14971 Risk Management Requires
ISO 14971 is both procedural and analytical. It requires manufacturers to create and maintain a documented process covering:
- Risk management plan – defines scope, responsibilities, and review frequency.
- Hazard identification – systematic listing of potential device harms.
- Risk analysis – estimation of probability × severity.
- Risk evaluation and control – deciding acceptability and applying mitigations.
- Verification of control effectiveness – ensuring mitigations actually work.
- Post-market surveillance (PMS) – feeding field data back into risk analysis.
A risk file is never finished. It evolves with design changes, CAPA findings, complaints, and regulatory updates. The best systems integrate risk with design controls, CAPA tracking, and production data, not as a document to file, but as an active decision-support tool.
Quick definition: ISO 14971 = risk process. ISO 13485 = system that governs it.
How ISO 13485 Embeds Risk Management into the QMS
ISO 13485 doesn’t treat risk as a standalone activity. It embeds it in nearly every clause:
- Clause 4.1.2: requires a risk-based approach to process validation and change control.
- Clause 7: links design and development directly to risk identification and control.
- Clause 8: expects CAPA, internal audits, and post-market data to be risk-driven.
Risk influences supplier selection, production validation, complaint handling, and even management reviews. A strong QMS ensures risk files are referenced, reviewed, and continually updated.
That’s the link between ISO 14971 and ISO 13485: risk data becomes the backbone of quality evidence, demonstrating to regulators that every process decision has a safety justification.
See also: Patient Guard’s ISO 13485 Internal Audit and CAPA Services
Certification insight: For new MDR certificates, 44% took 13–18 months and 31% took 6–12 months from application to issuance. Companies with traceable integration between ISO 14971 and ISO 13485 avoid most of these extended review cycles (Team-NB 2024).
Integrating Risk Management into the Quality-Management System
Step 1: Align Risk Procedures and QMS Documentation
Reference the risk-management procedure directly in your QMS manual. Map cross-links between clauses, for example, design controls → risk file, supplier evaluation → risk assessment. This ensures auditors can follow risk logic across documents.
Step 2: Create a Shared Risk Register
Replace siloed spreadsheets with a single risk log used across engineering, production, and quality. Include fields for hazard ID, mitigation status, residual-risk rating, and owner. One version of the truth prevents conflicting data during audits.
Step 3: Feed Risk Outputs into CAPA and Audits
Each CAPA should ask: Was this risk foreseen? If not, why? CAPA effectiveness checks should re-evaluate risk severity and likelihood.
Likewise, internal audit schedules should prioritise high-risk processes and suppliers.
Step 4: Leverage Technology for Traceability
Modern digital QMS tools can link risk controls directly to SOPs, training records, and design-history files. Automation reduces transcription errors and strengthens traceability, both of which are key expectations for compliance with medical-device standards.
According to Team-NB 2024, members reported 19,634 valid ISO 13485 certificates across their EU client base — a clear sign that quality management and risk management are no longer optional but foundational to EU market access.
Integrate risk and quality once, audit-proof forever. Partner with Patient Guard today →
Common Gaps Between ISO 14971 and ISO 13485 (and How to Fix Them)
| Typical Gap | Why It Happens | How to Fix It |
| --- | --- | --- |
| Risk file created once, never updated | Treated as a design deliverable, not a living process | Tie risk reviews to the management-review cycle and post-market data |
| No link between risk controls and production | Risk managed only by design teams | Include process engineers in risk-review boards |
| CAPA system not connected to risk register | Separate ownership of CAPA vs risk | Add risk ID field in CAPA forms |
| Design reviews miss risk evidence | Poor traceability | Add risk summary to every design-review template |
| Supplier risk ignored | Purchasing focuses on cost, not safety | Introduce supplier-risk rating in qualification forms |
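The shared risk register of Step 2, the CAPA-to-risk link of Step 3 and the first three rows of the gap table can be checked mechanically. The following is an added example, not code from the article or from Patient Guard: it models a register with the fields named above (hazard ID, mitigation status, residual-risk rating, owner), estimates risk as probability × severity, and flags the gaps an auditor would raise. The 1–5 scales, the acceptability threshold of 6, the 365-day review cycle and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Assumed acceptability criterion and review cycle (constructed for this example).
ACCEPTABLE_MAX_SCORE = 6    # probability x severity above this is not acceptable as-is
REVIEW_INTERVAL_DAYS = 365  # review tied to the annual management-review cycle

@dataclass
class Risk:
    hazard_id: str
    probability: int        # 1 (remote) .. 5 (frequent)
    severity: int           # 1 (negligible) .. 5 (catastrophic)
    owner: str
    mitigation_status: str  # "open" or "closed"
    control_verified: bool  # verification of control effectiveness recorded?
    last_reviewed: date

@dataclass
class Capa:
    capa_id: str
    risk_id: Optional[str]  # hazard_id the CAPA traces to; None if unlinked

def risk_score(risk):
    """ISO 14971 style estimate: probability x severity."""
    return risk.probability * risk.severity

def find_gaps(risks, capas, today):
    """Return (record id, finding) pairs mirroring the common-gap table."""
    findings, known = [], {r.hazard_id for r in risks}
    for r in risks:
        if (today - r.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((r.hazard_id, "risk not reviewed within cycle"))
        if r.mitigation_status == "closed" and not r.control_verified:
            findings.append((r.hazard_id, "control closed without verification"))
        if risk_score(r) > ACCEPTABLE_MAX_SCORE and not r.control_verified:
            findings.append((r.hazard_id, "unacceptable score, control unverified"))
    for c in capas:
        if c.risk_id is None:
            findings.append((c.capa_id, "CAPA not linked to risk register"))
        elif c.risk_id not in known:
            findings.append((c.capa_id, "CAPA references unknown risk id"))
    return findings

# Constructed sample records, not real device data.
SAMPLE_RISKS = [Risk("HZ-001", 2, 2, "design", "closed", True, date(2025, 3, 1)),
                Risk("HZ-002", 4, 3, "production", "closed", False, date(2023, 1, 10))]
SAMPLE_CAPAS = [Capa("CAPA-10", "HZ-001"), Capa("CAPA-11", None), Capa("CAPA-12", "HZ-999")]

def sample_findings():
    return find_gaps(SAMPLE_RISKS, SAMPLE_CAPAS, date(2025, 6, 1))
```

Run against the constructed records, HZ-001 passes cleanly while HZ-002 and the two unlinked CAPAs each produce a finding, which is the kind of evidence an auditor expects the traceability matrix to make visible.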
How Regulators Expect You to Demonstrate Compliance
Notified Bodies and regulators don’t just check that you have both standards; they check how they interact. Expect auditors to look for:
- A traceability matrix linking risk controls to QMS procedures and technical-file sections.
- Documented evidence that risk evaluation influences design, production, and CAPA.
- Management-review records showing risk-based decision-making.
- Supplier and process-risk assessments as part of purchasing controls.
An auditor’s checklist will include:
- Risk-management plan and updates?
- CAPA linked to risk files?
- Supplier-risk evaluation recorded?
- Risk-acceptability criteria defined and justified?
See also: Patient Guard blog article – ISO 13485 Audit Readiness for Medical Device Manufacturers.
Building a Harmonised Risk-Quality Framework
A harmonised system fuses risk thinking into every quality activity. Benefits include:
- Proactive hazard identification and fewer late-stage CAPAs.
- Shorter audit preparation times.
- Stronger data for management decisions and vigilance reporting.
Patient Guard’s integrated QMS and Risk Management framework helps manufacturers close gaps between ISO 14971 and ISO 13485, from procedure alignment to risk-culture training.
Post-market challenge: A 2024 MedTech Europe survey found that ~70% of manufacturers take up to 4 months to update post-market surveillance (PMS) reports and feed findings back into risk files, proof that closing the PMS → risk feedback loop remains a central industry pain point.
Contact Patient Guard to integrate your risk and quality systems for seamless compliance →
Wrapping Up
ISO 14971 and ISO 13485 aren’t parallel paths, but two halves of the same compliance framework. ISO 14971 defines how to manage risk; ISO 13485 ensures that management is systematic, documented, and auditable.
When properly integrated, they create a self-correcting system in which every design decision, CAPA, and supplier review is traceable to risk. That’s what regulators want to see, and what keeps products, patients, and businesses safe.
Speak to Patient Guard’s regulatory team to align your risk and quality systems with global standards and prepare for your next audit with confidence. Get in touch →
Frequently Asked Questions
ISO 14971 provides the process for risk identification, analysis, and control. ISO 13485 requires that these risk activities be integrated into the QMS, ensuring they are reviewed, approved, and continually maintained.
ISO 14971 addresses product risk, the hazards associated with the device. ISO 13485 covers process risk, the management of those hazards, and their verification within the quality system.
Refer to the risk procedure in your QMS manual, maintain a unified risk register, and link risk outputs to CAPAs, audits, and management reviews.
Key artefacts include the risk-management plan, risk report, design-review records, CAPA logs, supplier evaluations, and the management-review report, all cross-referenced through a traceability matrix.
Yes. ISO 13485 is the recognised QMS framework for MDR; ISO 14971 is the harmonised standard for risk management under MDR Annex I (3). Using both demonstrates conformity and regulatory maturity.
Absolutely. Patient Guard provides gap analyses, risk-integration audits, and harmonised QMS-risk frameworks tailored to your device class and market strategy.
Sources
- Team-NB Survey 2024 – MDR Certification Readiness
- BSI Notified Body Non-Conformity Analysis 2024
- MedTech Europe Regulatory Survey 2024
- ISO 14971:2019 – Application of Risk Management to Medical Devices
- ISO 13485:2016 – Quality Management Systems for Medical Devices