# Rakenne vs ChatGPT for an ISO 14971 Risk Management File

> A reproducible, fictional ISO 14971 risk-file comparison: where a guided workflow and deterministic checks add structure to ordinary prompting.

Author: map[bio:Founder and editorial owner; quarterly review linkedin:https://www.linkedin.com/in/ricardocabral/ name:Ricardo Cabral]
Published: 2026-07-10
Tags: iso-14971, medical-devices, comparison, risk-management, validation
URL: https://rakenne.app/learn/best-practices/rakenne-vs-chatgpt-iso14971-risk-management-file/index.md


An ordinary chat prompt can help a team turn known risk information into a draft. It does not, by itself, make a risk-management plan complete, prove a risk control works, or decide whether residual risk is acceptable. This comparison shows where a checked-in workflow adds explicit structure and a deterministic check—without presenting the result as a regulatory decision.

We use the same fixed, fictional [LumaFlow scenario](https://github.com/ricardocabral/rakenne/blob/main/docs/mkt/comparison-scenarios/iso14971-risk-management-file-fictional-brief.md) for both approaches. The examples are synthetic and focus on one setup-selection hazard in a first draft. They are not a customer record, a clinical evaluation, a regulatory submission, or a benchmark of all ChatGPT configurations.

## The same drafting brief

LumaFlow is a fictional battery-powered infusion pump for trained clinicians in supervised outpatient settings. Its hypothetical manufacturer needs a first-pass risk-management-plan excerpt and one risk-analysis row for an incorrect-rate-selection hazard.

The brief supplies intended use, foreseeable misuse, a P1/P2/severity assessment, a fictional unacceptable-risk threshold, candidate controls, and a planned usability-test record. It requires the drafter to show the control hierarchy, verification need, residual-risk status, and any questions for a qualified reviewer.

| Comparison baseline | What is deliberately held constant |
| --- | --- |
| Plain-chat drafting | The fictional brief is given to a generic chat session as one prompt, without a pre-built risk-file workflow or deterministic checker. |
| Rakenne workflow | The same brief is used with the checked-in [ISO 14971 Risk File Author](/skills/iso14971-risk-file-author/) skill. Its workflow covers plan, hazard identification, risk analysis, risk control, residual-risk evaluation, report, and post-market feedback. |

This is a workflow comparison, not a claim that a model in plain chat cannot draft a useful table. A knowledgeable team can add equivalent review steps manually; the distinction is whether the process and checks are available as part of the drafting workflow.

## What the workflow adds

| Concern | Plain-chat baseline in this comparison | Rakenne's checked-in skill workflow |
| --- | --- | --- |
| Plan context | The author must ask for and retain intended use, foreseeable misuse, and acceptance rules. | Begins with a risk management plan that records intended use, misuse, acceptance criteria, and planned reviews. |
| Risk analysis | The author must request a consistent severity/probability method and inspect each row. | Calls for severity plus P1 and P2, then a comparison with the defined acceptability criteria. |
| Control order | The author must remember to evaluate design before lower-priority measures. | Specifies design → protective measures → information for safety as the control priority. |
| Verification and residual risk | The author must ensure a draft does not imply unverified effectiveness. | Calls for implementation/effectiveness verification before residual-risk evaluation, and a separate overall residual-risk conclusion. |
| Validation | Any guardrail is manual unless the author introduces another tool. | Provides `check_risk_acceptance_criteria`, which identifies high/unacceptable risks lacking control or benefit-risk content and checks for key file elements. |

The Rakenne entries above are verifiable in the checked-in [skill instructions](https://github.com/ricardocabral/rakenne/blob/main/packages/backend/assets/skill-library/iso14971-risk-file-author/SKILL.md) and extension source. They describe the workflow and its checker, not a promise of regulatory compliance or approval.

## The output difference is a reviewable risk record

Both approaches can format a risk table. The useful question is whether the draft makes the initial risk, control priority, verification requirement, and unresolved decision visible to a reviewer.

**Synthetic prompt-only illustration** — this intentionally incomplete excerpt is not an executed ChatGPT transcript:

{{% output-excerpt %}}

```md
## Risk analysis

Hazard: Incorrect rate selected during setup
Severity: 4; P1: 3; P2: 2
Risk level: Unacceptable
```

{{% /output-excerpt %}}

The excerpt tells a reviewer that the starting risk is serious, but it does not capture risk-control options, whether a control is verified, the residual-risk decision, or an overall conclusion.

**Synthetic structured illustration** — the same fictional facts arranged in the target shape of the Rakenne workflow:

{{% output-excerpt %}}

```md
## Risk analysis — incorrect rate selected during setup

**Risk estimate:** Severity 4; P1 3; P2 2. Initial risk: unacceptable under
the plan's acceptability criteria.

**Control options considered in priority order:**
1. Inherent safety by design: constrain rate entry to the prescribed range.
2. Protective measure: require an independent confirmation screen before start.
3. Information for safety: state the setup verification step in the IFU.

**Verification required:** Usability-test record demonstrating the constrained
entry and confirmation flow were implemented and evaluated.

**Residual-risk decision:** Pending the verification record and human review.
```

{{% /output-excerpt %}}

The structured illustration is not a completed risk-management file. In particular, it does not assert the controls are effective or that residual risk is acceptable; it makes the missing verification and reviewer decision explicit.

## A finding that an ordinary prompt does not enforce

The fictional fixture includes the intentionally incomplete unacceptable-risk excerpt above. When the checked-in `check_risk_acceptance_criteria` tool evaluates that text, it finds an unacceptable risk but no risk-control measure or benefit-risk justification. It emits an ERROR explaining that the uncontrolled risk is a regulatory non-conformity, then reports missing plan elements.

This does not mean ChatGPT cannot identify the omission if a user asks it to. It establishes a narrower, reproducible fact: the plain-chat baseline has no built-in Rakenne validator applying this rule. The team must inspect the draft manually or provide an equivalent control.

## Where human review remains essential

Rakenne does not make a medical-device risk decision, certify conformity, replace regulatory affairs expertise, or replace the manufacturer's quality-system responsibilities. A qualified reviewer should still:

- confirm intended use, foreseeable misuse, hazard sequences, and all risk estimates;
- decide the risk acceptability criteria and evaluate risk-control feasibility;
- review verification evidence before concluding that a control is implemented and effective;
- make and approve residual-risk and benefit-risk determinations; and
- maintain the risk-management file and post-market feedback process.

Plain chat can be a practical drafting aid when that review discipline and the governing risk-file structure already exist. The Rakenne workflow is most useful when a team wants the plan, hierarchy, verification prompts, and repeatable checker close to the drafting work.

## Continue the ISO 14971 workflow

Use the [ISO 14971 risk management file template](/templates/iso-14971-risk-management-file-template/) for a template-first route, read the [ISO 14971 risk file structure guide](/learn/tutorials/iso14971-risk-file-structure-explained/) for the full workflow, or inspect the [ISO 14971 Risk File Author](/skills/iso14971-risk-file-author/) skill and its validation scope.

<a id="comparison-cta" href="/a/?skill=iso14971-risk-file-author" class="btn btn-primary" rel="nofollow">Try the ISO 14971 risk-file workflow</a>

For the cybersecurity counterpart, see [Rakenne vs ChatGPT for SOC 2 control narratives](/learn/best-practices/rakenne-vs-chatgpt-soc2-control-narratives/).

## Methodology, limitations, and review

- **Method:** Both columns use the same checked-in fictional scenario. Product statements are limited to the current skill instructions, references, and extension code. Output excerpts are synthetic illustrations labelled as such; no performance, accuracy, time, or cost benchmark is claimed.
- **Limitations:** Results vary with the prompt, model, supplied source material, and reviewer. The generic-chat baseline is one deliberately untooled workflow, not a review of ChatGPT as a product or of all integrations.
- **Last reviewed:** 2026-07-10. **Editorial owner:** Ricardo Cabral. Review this page quarterly and after a material skill or validation change.
- **Measurement:** With analytics consent, the primary CTA records the `try_skill_cta_clicked` event from the #295 taxonomy with this page path, `iso14971-risk-file-author`, and `comparison_primary` placement. Review organic/referral entrances, CTA starts, first-document completions, signups, and assisted conversions after 30 days.

<script>
  (function () {
    var cta = document.getElementById('comparison-cta');
    if (!cta) return;

    cta.addEventListener('click', function () {
      var attribution = {
        skill_slug: 'iso14971-risk-file-author',
        domain: 'medical-devices',
        content_type: 'comparison',
        locale: 'en',
        landing_page_path: window.location.pathname,
        cta_placement: 'comparison_primary'
      };

      if (typeof window.rakenneTrackEvent === 'function' && window.rakenneTrackEvent('try_skill_cta_clicked', attribution)) {
        try {
          sessionStorage.setItem('rakenne:analytics:attribution', JSON.stringify(attribution));
        } catch (_err) {
          // Attribution must never interrupt navigation to the app.
        }
      }
    });
  })();
</script>


---

Back to [Best Practices](https://rakenne.app/learn/best-practices/index.md)

