All terms
    Quality & RiskQuality SystemRMF

    Risk Management File

    Set of records and outputs from the ISO 14971 risk management process.

    Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026

    Definition

    The Risk Management File is the set of records and other documents that are produced by the risk management process for a medical device, providing traceability for each identified hazard from analysis through control and post-production information.
    What the regulation says
    The FDA expects a Risk Management File (RMF) to demonstrate an ongoing risk management process throughout a device's lifecycle, as outlined in 21 CFR 820.30, Design Controls. The EU MDR, in Annex I, Section 3, requires a comprehensive and up-to-date RMF that documents the application of a risk management system. ISO 14971:2019, specifically clause 3.4, mandates the establishment and maintenance of a Risk Management File to provide evidence of the risk management process.

    What this means in practice

    The RMF is not a single document but a set of records assembled from the risk management process: risk management plan, risk analysis (hazards, hazardous situations, sequences of events), risk evaluation, risk control measures with verification of effectiveness, residual risk evaluation, overall residual risk analysis, risk management review, and production and post-production information. ISO 14971:2019 requires the RMF to be maintained for the lifetime of the device. Auditors expect direct traceability from each identified hazard to a control, verification of that control, and residual risk acceptance, with post-market data (complaints, CAPAs, field data) feeding back into the file.

    Examples

    • A Class III implantable device team maintains an eQMS-managed RMF where each hazard traces to a design output, verification test, and residual risk decision, with a monthly PMS review updating the file.
    • A SaMD manufacturer maintains a unified RMF combining ISO 14971 safety hazards and AAMI SW96 security threats, with bidirectional links to cybersecurity findings.
    Common pitfalls
    • Treating the RMF as a premarket-only artifact. ISO 14971:2019 explicitly requires post-production updates; auditors check for a living, dated history.
    • Missing traceability from hazard to control to verification. This is the single most common Notified Body observation on RMFs.
    • Failing to document risk control option analysis. Clause 7.1 requires considering inherently safe design first, then protective measures, then information for safety.
    • Not performing the overall residual risk evaluation. Clause 8 requires it as a separate, explicit step beyond individual residual risks.

    Frequently asked questions

    At minimum: risk management plan, risk analysis, risk evaluation, risk control implementation and verification, residual risk evaluation, overall residual risk analysis, risk management review, and production/post-production information procedures and records. ISO 14971:2019 clause 4.5 lists the required components.

    Cross-references

    Used by

    Shared paths + category

    Latest in MedTech

    Primary references

    3 sources
    Link health: 3 verified· last checked 2026-06-20
    ISO·2FDA·1
    1. 1
      ISO 14971:2019
      Verified
      ISOiso.org
    2. 2
      ISO/TR 24971:2020 Guidance
      Verified
      ISOiso.org
    3. 3
      FDA - Quality Systems
      Verified
      FDAfda.gov

    Inline markers like [1] jump to the matching reference above.