Free Risk Management Plan Template
You cannot evaluate risk acceptability without criteria. ISO 14971 requires those criteria to be defined before analysis begins.
A free ISO 14971:2019 Risk Management Plan template for medical device development. Ten-section Word document covering scope, roles and responsibilities, 5×5 risk matrix with Acceptable / ALARP / Unacceptable thresholds, risk control verification, lifecycle review milestones, post-production monitoring, and a full traceability chain from hazard to test report. No account, no gate.
What a risk management plan requires you to do
A Risk Management Plan is not a risk register. It is the governing document that defines how risk management will be conducted before any risk analysis begins. ISO 14971 Clause 4.4 specifies what it must contain. Without an approved plan, risk analysis results have no defined acceptance criteria to compare against — and retroactively adjusting criteria to fit scoring already done is a major audit finding.
Acceptability criteria must come first
Severity and probability scales, the 5×5 matrix, and ALARP / Unacceptable thresholds must be defined and approved before any risks are scored. Every row in the hazard log and every RPN in the FMEA is evaluated against these criteria. Changing them after scoring invalidates the analysis.
"Acceptable" is not unconditional
ISO 14971:2019 Clause 7.1 requires further risk reduction to be considered for every risk, including those already in the acceptable zone. The plan documents how that obligation is discharged — you must demonstrate that further reduction is not practicable, not simply accept the score.
Post-production is in scope
Clause 10 (significantly expanded in 2019) requires collecting and acting on field data throughout the device lifetime. The plan must define what information sources are monitored, at what frequency, and what triggers a risk analysis update. Post-market surveillance connects directly to the risk management file.
Section reference
Complete sections in order during design planning. §4 (risk acceptability criteria) must be approved before any risk analysis activity begins.
| Section | What it covers | When to complete |
|---|---|---|
| §1 Introduction | Document purpose, device identification, classification, applicable standards and regulations, and a referenced documents table linking all artifacts in the Risk Management File (hazard log, FMEA, V&V Plan, Risk Management Report, RTM, and others). | At plan creation. |
| §2 Scope | Device description and scope boundaries (accessories, software components, packaging, lifecycle phases covered). Intended use statement and foreseeable misuse scenarios per Clause 5.2 — these feed hazard identification in the hazard log. | During design planning. Update if device description or intended use changes. |
| §3 Responsibilities | Role and responsibility table (Risk Management Lead, Risk Management Authority, Clinical Expert, Design Engineer, QA/Reg) and competence requirements per Clause 4.3. The Risk Management Authority has the right to halt product release if overall residual risk is unsatisfactory. | At plan creation. Update if team changes. |
| §4 Risk Acceptability Criteria | 5-level severity scale, 5-level probability scale, 5×5 risk evaluation matrix, Acceptable / ALARP / Unacceptable thresholds with required actions per zone, overall residual risk evaluation method and acceptability criteria (Clause 4.4(e)), and criteria for accepting risks when the probability of harm cannot be estimated (required by Clause 4.4(d)). | Before any risk analysis begins; must be approved first. Do not revise to fit existing scoring. |
| §5 Risk Control & Verification | 3-tier risk control hierarchy (inherent safety by design → protective measures → information for safety), verification activity table (method, acceptance criteria, responsible party), and evaluation of new hazards introduced by risk controls per Clause 7.5. | After risk controls are identified in the hazard log and FMEA. |
| §6 Review Activities | Six lifecycle review milestones (Design Input, Design Output, Design Verification, Design Validation, Risk Management Review pre-release, Post-Production). Participants and scope for each. Pre-release checklist per Clause 9 confirming plan execution, overall residual risk acceptability, and Risk Management Report approval. | At plan creation. Update if milestone structure changes. |
| §7 Post-Production | Seven information sources with review frequencies (complaints, field safety corrective actions, adverse event reports, literature, CAPA, service records, similar device field data) and criteria that trigger a risk analysis update per Clause 10 of the 2019 revision. | At plan creation. Maintained actively throughout the product lifetime. |
| §8 Traceability | Full traceability chain: Hazard → Hazardous Situation → Risk Control → REQ-xxx → VER-xxx → TR-xxx (test report). Risk control measures assigned REQ-xxx identifiers and traced downstream in the RTM to verification activities and test report IDs providing objective evidence. | Maintained continuously throughout development. |
| §9 Risk Analysis Techniques | Selection of risk analysis methods (FMEA, FTA, HAZOP, PHA, use-related risk analysis per IEC 62366-1) with lifecycle stage mapping, required inputs, and output documentation locations. | At plan creation. |
| §10 Activity Schedule | Milestone plan or Gantt chart reference mapping risk management activities to design phase gates. Identifies which activities must complete before design transfer. | At plan creation. Keep updated through design phases. |
Risk acceptability criteria — what §4 defines
The risk acceptability section is the most consequential part of the plan. Everything in the hazard log and FMEA is scored against these criteria. ISO 14971:2019 also requires the method for evaluating overall residual risk, and the criteria for its acceptability, to be defined here (Clause 4.4(e)): the cumulative effect of all residual risks is weighed against the clinical benefit of the device.

| Zone | Meaning and required action |
|---|---|
| Acceptable | Risk is within the acceptability criteria. ISO 14971:2019 Clause 7.1 still requires further risk reduction to be considered; "acceptable" is not unconditional. The manufacturer must document that further reduction is not practicable before accepting the residual risk. |
| ALARP | Risk shall be reduced as low as reasonably practicable. Acceptance requires documented justification that further reduction is impracticable and that the benefit-risk ratio is favorable. The hazard log Notes column is where this justification is recorded. |
| Unacceptable | Risk shall be reduced. If the risk cannot be reduced below this threshold, a documented benefit-risk analysis per Clause 7.4 is required before the device can be released. Risk control measures must be implemented before that analysis can justify acceptance. |
When probability cannot be estimated
For novel technologies, rare failure modes, or limited clinical history, the probability of harm cannot be reliably quantified. Clause 4.4(d) requires the plan to define how risk acceptability is determined in these cases. The template specifies that severity alone governs: Severity 4 or 5 is treated as Unacceptable unless the risk is reduced by design or supported by a benefit-risk analysis per Clause 7.4.
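The following is an added example, not part of the template or this page, showing how the §4 criteria can be applied mechanically to hazard log rows once they are frozen: zone lookup on a 5×5 matrix, the severity-only rule when probability is unknown, the documented-justification requirement for ALARP rows, the benefit-risk reference requirement for Unacceptable rows, and a refusal to accept rows scored under a criteria version other than the approved one. The zone boundaries, the criteria version identifier, and the rule that severity 1–3 with unknown probability lands in ALARP are assumptions for illustration; the template's actual thresholds are not reproduced on this page.

```python
"""Evaluate hazard-log rows against the plan's approved risk acceptability criteria.

Added illustration only: the zone map, version identifier and sample rows are
assumptions, not the template's actual criteria.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Version of the criteria approved in §4 before scoring began (assumed identifier).
# Rows scored under any other version are flagged: criteria must not be revised
# to fit existing scores.
APPROVED_CRITERIA = "RMP-4-revB"

ACCEPTABLE, ALARP, UNACCEPTABLE = "Acceptable", "ALARP", "Unacceptable"

# Assumed 5x5 zone map, indexed ZONES[severity - 1][probability - 1].
ZONES = [
    # P1          P2          P3            P4            P5
    [ACCEPTABLE, ACCEPTABLE, ACCEPTABLE,   ALARP,        ALARP],         # S1
    [ACCEPTABLE, ACCEPTABLE, ALARP,        ALARP,        ALARP],         # S2
    [ACCEPTABLE, ALARP,      ALARP,        ALARP,        UNACCEPTABLE],  # S3
    [ALARP,      ALARP,      ALARP,        UNACCEPTABLE, UNACCEPTABLE],  # S4
    [ALARP,      ALARP,      UNACCEPTABLE, UNACCEPTABLE, UNACCEPTABLE],  # S5
]


@dataclass
class HazardRow:
    hazard_id: str
    severity: int                      # 1..5
    probability: Optional[int]         # 1..5, or None when it cannot be estimated
    criteria_version: str              # criteria version the row was scored against
    further_reduction_considered: bool = False
    alarp_justification: str = ""      # hazard log Notes column
    benefit_risk_ref: str = ""         # reference to a Clause 7.4 benefit-risk analysis


@dataclass
class Finding:
    hazard_id: str
    zone: str
    issues: List[str] = field(default_factory=list)


def zone(severity: int, probability: Optional[int]) -> str:
    """Map a (severity, probability) pair to a zone under the approved criteria."""
    if not 1 <= severity <= 5:
        raise ValueError(f"severity out of range: {severity}")
    if probability is None:
        # Probability cannot be estimated (Clause 4.4(d)): severity alone governs.
        # Severity 4 or 5 is Unacceptable; 1-3 is assumed to land in ALARP so a
        # documented justification is still required.
        return UNACCEPTABLE if severity >= 4 else ALARP
    if not 1 <= probability <= 5:
        raise ValueError(f"probability out of range: {probability}")
    return ZONES[severity - 1][probability - 1]


def evaluate(row: HazardRow) -> Finding:
    """Score one row and list everything that blocks acceptance of its residual risk."""
    finding = Finding(row.hazard_id, zone(row.severity, row.probability))
    if row.criteria_version != APPROVED_CRITERIA:
        finding.issues.append(
            f"scored under {row.criteria_version!r}, not approved criteria {APPROVED_CRITERIA!r}")
    if not row.further_reduction_considered:
        finding.issues.append("further risk reduction not recorded as considered")
    if finding.zone == ALARP and not row.alarp_justification.strip():
        finding.issues.append("ALARP zone without impracticability justification in Notes")
    if finding.zone == UNACCEPTABLE and not row.benefit_risk_ref.strip():
        finding.issues.append("Unacceptable zone without benefit-risk analysis reference")
    return finding


def evaluate_log(rows: List[HazardRow]) -> Tuple[List[Finding], dict, bool]:
    """Return per-row findings, a tally per zone, and whether release is blocked."""
    findings = [evaluate(r) for r in rows]
    tally = {ACCEPTABLE: 0, ALARP: 0, UNACCEPTABLE: 0}
    for f in findings:
        tally[f.zone] += 1
    blocked = any(f.issues for f in findings)
    return findings, tally, blocked


# Constructed sample rows (not from any real device).
SAMPLE_LOG = [
    HazardRow("HAZ-001", 2, 2, APPROVED_CRITERIA, further_reduction_considered=True),
    HazardRow("HAZ-002", 4, 2, APPROVED_CRITERIA, further_reduction_considered=True,
              alarp_justification="Interlock added; further reduction needs a new actuator."),
    HazardRow("HAZ-003", 5, None, APPROVED_CRITERIA, further_reduction_considered=True),
    HazardRow("HAZ-004", 3, 3, "RMP-4-revA", further_reduction_considered=True,
              alarp_justification="Alarm added."),
]

if __name__ == "__main__":
    findings, tally, blocked = evaluate_log(SAMPLE_LOG)
    for f in findings:
        print(f.hazard_id, f.zone, "; ".join(f.issues) or "ok")
    print(tally, "release blocked" if blocked else "release not blocked")
```

HAZ-003 illustrates the severity-only rule: with no probability estimate and severity 5 it is zoned Unacceptable and, lacking a benefit-risk reference, blocks release. HAZ-004 is zoned correctly but was scored under a superseded criteria version, which is the retroactive-adjustment audit finding the plan exists to prevent.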
Standards coverage
A Risk Management Plan is required by ISO 14971 and referenced by every other regulated-product standard. The specific integration points and depth of evidence differ by standard.
| Standard | Relevant clause | What the plan addresses |
|---|---|---|
| ISO 14971:2019 | Clause 4.4 (plan requirements), Clause 9 (review), Clause 10 (post-production) | The primary standard. The plan addresses every item in Clause 4.4: scope of the planned activities (4.4(a)), responsibilities and authorities (4.4(b)), review requirements (4.4(c)), risk acceptability criteria including criteria for accepting risks when probability cannot be estimated (4.4(d)), the overall residual risk evaluation method and acceptability criteria (4.4(e)), risk control verification activities (4.4(f)), and the production and post-production information collection and review method (4.4(g)). Personnel competence is a separate requirement under Clause 4.3 and is covered in §3. Clause 10 post-production obligations are significantly expanded over the 2007 edition. |
| ISO 13485:2016 | §7.1 risk management in product realization, §7.3.2 design and development planning | ISO 13485 requires risk management to be integrated throughout design controls. The Risk Management Plan is typically referenced in the Design and Development Plan (§7.3.2). Risk management file completeness is a required element of the design and development file (§7.3.10), and auditors verify the plan was established before analysis activities began. |
| IEC 62304:2006+A1 | §7 Software risk management | Software risk management operates as a subset of the overall risk management process governed by this plan. Software safety class assignment, hazard identification for software failure modes, and risk control verification for software controls all execute within the framework defined here. The plan scope section should explicitly state whether software components are in scope. |
| EU MDR 2017/745 | Article 10(2) (risk management system), Annex I §3 General Safety and Performance Requirements | EU MDR requires manufacturers to establish, document, implement and maintain a risk management system as described in Annex I §3; conformity with the harmonized EN ISO 14971:2019 gives a presumption of conformity with those requirements. The Risk Management Plan demonstrates that the system is established and followed. The clinical benefit-risk analysis required under Annex I §1 must align with the benefit-risk framework and acceptability criteria defined in §4 of this plan. |
| FDA QMSR (21 CFR Part 820, effective February 2, 2026) | ISO 13485:2016 §7.3 design and development, incorporated by reference | The QMSR incorporates ISO 13485:2016 by reference and retires the standalone §820.30 design-control text, so design controls are those of ISO 13485 §7.3. Risk management documentation, including the Risk Management Plan, belongs in the design and development file (§7.3.10). The plan's review milestones map to design and development reviews under §7.3.5, and the post-production section supports the feedback and complaint-handling requirements of §8.2.1 and §8.2.2. |
Using this alongside other templates
The Risk Management Plan defines the framework that the hazard log and FMEA operate within. The §4 acceptability criteria are the thresholds against which every risk score in every other template is evaluated.
| Template | How it connects to this plan |
|---|---|
| Hazard Log | Executes under this plan. Every hazard log row is scored using the severity and probability scales defined in §4. ALARP justifications and verification status records become part of the Risk Management File listed in §1. |
| FMEA | Provides bottom-up failure mode analysis that feeds the hazard log. FMEA-identified hazards get rows in the hazard register. Their risk controls are verified using the activity table structure in §5 of this plan. |
| V&V Plan | Risk control verification activities (ISO 14971:2019 Clause 7.2) planned in the V&V Plan execute under the verification framework defined in §5 of this plan. VER-xxx activities linked to HAZ-xxx and FMEA-xxx IDs close the loop. |
| RTM | Risk control measures that become design requirements are assigned REQ-xxx IDs in the RTM. The traceability chain in §8 of this plan (Hazard → Control → REQ-xxx → VER-xxx → TR-xxx) is maintained in the RTM. |
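The §8 chain is only evidence if every link exists and the last link is a passing test report. The following is an added example, not part of the template or this page, that audits the chain across the three artifacts described above: the hazard log's risk controls with their REQ-xxx IDs, the RTM mapping REQ-xxx to VER-xxx, and the verification records mapping VER-xxx to a TR-xxx result. The RC-xxx identifier scheme for control measures, the in-memory data layout and the sample IDs are assumptions; the template itself holds these as Word tables.

```python
"""Audit the §8 traceability chain: Hazard -> Risk Control -> REQ -> VER -> TR.

Added illustration only: the RC-xxx control id scheme, the data layout and
the sample ids are assumptions, not the template's actual artifacts.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskControl:
    hazard_id: str              # HAZ-xxx row in the hazard log
    control_id: str             # RC-xxx (assumed id scheme for control measures)
    req_ids: Tuple[str, ...]    # REQ-xxx ids the control is implemented as


# RTM: REQ-xxx -> VER-xxx activities that verify it.
Rtm = Dict[str, Tuple[str, ...]]
# Verification records: VER-xxx -> (TR-xxx test report id, result).
Verifications = Dict[str, Tuple[str, str]]


def trace_control(control: RiskControl, rtm: Rtm, ver: Verifications) -> List[str]:
    """Return the gaps that break the chain for one risk control (empty = complete)."""
    gaps: List[str] = []
    if not control.req_ids:
        gaps.append(f"{control.control_id}: no REQ assigned")
    for req in control.req_ids:
        if req not in rtm:
            gaps.append(f"{req}: missing from RTM")
            continue
        if not rtm[req]:
            gaps.append(f"{req}: no VER activity in RTM")
        for v in rtm[req]:
            if v not in ver:
                gaps.append(f"{v}: no verification record")
                continue
            tr, result = ver[v]
            if not tr:
                gaps.append(f"{v}: no test report (TR) recorded")
            elif result != "Pass":
                # Objective evidence exists but does not show the control is effective.
                gaps.append(f"{v}: {tr} result is {result}")
    return gaps


def audit_chain(controls: List[RiskControl], rtm: Rtm, ver: Verifications) -> Dict[str, List[str]]:
    """Gaps per control id; a control with an empty list is fully traced."""
    return {c.control_id: trace_control(c, rtm, ver) for c in controls}


def release_ready(controls: List[RiskControl], rtm: Rtm, ver: Verifications) -> bool:
    """True only when every risk control traces to a passing test report."""
    return not any(audit_chain(controls, rtm, ver).values())


# Constructed sample artifacts (not from any real device).
SAMPLE_CONTROLS = [
    RiskControl("HAZ-001", "RC-001", ("REQ-010",)),             # complete chain
    RiskControl("HAZ-002", "RC-002", ("REQ-011", "REQ-012")),   # one VER failed
    RiskControl("HAZ-003", "RC-003", ()),                       # never became a requirement
    RiskControl("HAZ-004", "RC-004", ("REQ-013",)),             # REQ not in the RTM
]
SAMPLE_RTM: Rtm = {
    "REQ-010": ("VER-010",),
    "REQ-011": ("VER-011",),
    "REQ-012": ("VER-012",),
}
SAMPLE_VER: Verifications = {
    "VER-010": ("TR-010", "Pass"),
    "VER-011": ("TR-011", "Pass"),
    "VER-012": ("TR-012", "Fail"),
}

if __name__ == "__main__":
    for control_id, gaps in audit_chain(SAMPLE_CONTROLS, SAMPLE_RTM, SAMPLE_VER).items():
        print(control_id, "complete" if not gaps else "; ".join(gaps))
    print("release ready:", release_ready(SAMPLE_CONTROLS, SAMPLE_RTM, SAMPLE_VER))
```

Run this against exports of the three artifacts before the pre-release Risk Management Review in §6; each reported gap is a row that cannot be presented as objective evidence of an implemented and effective risk control.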
Download the Risk Management Plan template
Free ISO 14971:2019 Risk Management Plan template for medical device development. Word document (.docx), ready to fill in.