
ISO 14971 Risk File Structure Explained

A detailed guide to the ISO 14971 Risk File Author skill: what it includes, how to prompt it, the file structure it creates, references it uses, and the validation checks it runs.

  • intermediate
  • 12 min read
  • 2026-02-18
Author Ricardo Cabral · Founder

The ISO 14971 Risk File Author skill helps you build and maintain a risk management file for medical devices in line with ISO 14971:2019 and ISO/TR 24971. This guide explains what the skill covers, how to use it, what structure it produces, what references it relies on, and what checks it runs so you can use it effectively in Rakenne.

What the skill includes

The skill guides the full risk management lifecycle for a medical device:

  1. Risk management plan — Scope of risk management, acceptability criteria (e.g. severity × probability matrix or risk classes), and planned review activities.
  2. Hazard identification — Identifying hazards and hazardous situations and linking them to foreseeable events and sequences.
  3. Risk analysis — Estimating probability of occurrence and severity of harm (e.g. via FMEA, FTA, or other methods) and documenting risk estimates.
  4. Risk evaluation — Comparing estimated risk to your acceptability criteria and deciding which risks need risk control.
  5. Risk control — Defining and implementing risk control measures, verifying their effectiveness, and assessing residual risk.
  6. Residual risk and benefit–risk — For any residual risk that remains above your acceptability criteria, documenting a benefit–risk rationale (that benefits outweigh risks) in the risk management report.
  7. Production and post-market — Using production and post-market information as inputs and updating the risk file when needed.

The agent follows this workflow when you ask it to structure or update the risk file, define criteria, document controls, or write benefit–risk rationale. It does not impose a single file layout; it helps you elaborate content that fits your existing or desired structure.

What you can prompt

You can ask the agent to do any of the following (alone or in combination):

| Goal | Example prompts |
|---|---|
| Structure or update the risk file | “Structure our risk management file with acceptability criteria and benefit–risk rationale.” |
| Define criteria and matrix | “Define severity and probability scales and our risk acceptability matrix for this device.” |
| Document controls and residual risk | “Document risk control measures and residual risk for each hazard.” |
| Add benefit–risk rationale | “Write benefit–risk rationale for the risks we’ve marked as above acceptability.” |
| Validate coverage | “Check that every risk above threshold has risk control or benefit–risk justification.” |

Example conversation:

You: Our risk analysis has several risks we’ve marked as “high” or “unacceptable”. I need to make sure each has either risk control or a benefit–risk justification in the risk management report.

Agent: I’ll run check_risk_acceptance_criteria on your risk file to find any high/unacceptable risk mentions that don’t have clear risk control or benefit–risk rationale nearby. Then we can add the missing controls or rationale.

Agent: The tool found three places where “high” or “unacceptable” risk is mentioned. One has a risk control and residual risk note; the other two don’t yet reference control measures or benefit–risk. I’ve added a “Risk control” and “Benefit–risk (if residual above criteria)” column to your risk table and drafted benefit–risk rationale for the two remaining items.

Add your source materials (e.g. hazard list, existing FMEA, design docs) to the project workspace and activate the ISO 14971 Risk File Author skill; the agent will guide you step by step.

Created file structure

The skill does not create a fixed folder or file set by default. It helps you elaborate content that belongs in a risk management file. You (or the agent with your approval) typically end up with documents such as:

  • Risk management plan — Scope, acceptability criteria (e.g. severity × probability matrix), methods (FMEA/FTA), and review plan.
  • Hazard list / risk analysis — Hazards, hazardous situations, severity and probability estimates, risk level, and (after elaboration) risk control and residual risk.
  • Risk management report (RMR) — Summary of risk management activities and conclusions, including benefit–risk rationale for any residual risks above acceptability criteria.

A typical risk evaluation table the skill helps you build or complete looks like this:

| Hazard | Severity | Probability | Risk level | Risk control | Residual risk | Benefit–risk (if above criteria) |
|---|---|---|---|---|---|---|
| Electrical shock (user) | 4 | 2 | High | Double insulation; PE connection; user IFU | Low | N/A (residual acceptable) |
| Incorrect dose (software) | 4 | 3 | Unacceptable | Limits; confirmation step; alarm | Medium | Clinical benefit (therapy) outweighs residual risk; documented in RMR. |
| Latex allergy | 3 | 2 | Medium | Material change to non-latex | Low | N/A |

The exact files and names (e.g. risk-management-plan.md, risk-analysis.md, risk-management-report.md) depend on your project; the skill focuses on making the content complete and compliant, not on enforcing a single file tree.

What is used as reference

The skill uses an internal reference that summarizes ISO 14971:2019 structure and expectations:

  • Risk management process — Risk analysis, risk evaluation, risk control, residual risk acceptability, benefit–risk determination, and production/post-market feedback.
  • Risk acceptability criteria — Need to define and document criteria (e.g. severity × probability matrix, ALARP, risk classes); risks above threshold must have risk control and/or benefit–risk justification.
  • Risk management report — Must summarize activities and conclusions and include benefit–risk rationale for residual risks above acceptability criteria.

Standards referenced conceptually are ISO 14971:2019 (medical devices — application of risk management) and ISO/TR 24971 (guidance on application). The skill does not reproduce the standards; it guides structure and content so your file aligns with them. For exact clause wording or compliance arguments, use the official standards alongside the skill.

What checks are made

The skill ships with an extension tool: check_risk_acceptance_criteria. The agent can run it on your risk management file or risk analysis document (markdown or text). It does the following:

1. Detecting high or unacceptable risk

The tool scans the document for patterns that suggest a risk above acceptability, for example:

  • Phrases like: risk level/estimate/score: high/unacceptable; severity/probability: high/unacceptable/4/5/critical
  • Residual risk is above/exceeds threshold/acceptability
  • Numeric severity or probability (e.g. severity = 4 or 5)

The tool also locates the “risk” part of the document, meaning a section that mentions risk analysis, risk evaluation, residual risk, risk control, or 14971. If no explicit high/unacceptable mention is found in the rest of the file, it scans that section.

2. Checking for risk control or benefit–risk justification

The tool looks for evidence of risk control or benefit–risk rationale anywhere in the document, using patterns such as:

  • Risk control, control measure, mitigation, risk reduction
  • Benefit–risk, benefit outweigh, rationale, justification, acceptable because
  • Residual risk acceptable/evaluated, risk management report

3. Findings and report

  • WARNING — The document mentions high or unacceptable risk but does not clearly reference risk control measures or benefit–risk justification. Per ISO 14971, risks above acceptability criteria require risk control and/or documented benefit–risk rationale.
  • INFO — High/unacceptable risk and control or benefit–risk content are both present; the tool reminds you to verify that every such risk has explicit control or benefit–risk rationale in the risk management report.
  • INFO — A substantial risk section was found (e.g. >200 characters in the risk block); the tool suggests ensuring acceptability criteria are defined and that each risk above threshold has control or benefit–risk justification.

The tool output is a short report, for example:

======================================================================
ISO 14971 RISK ACCEPTANCE & BENEFIT–RISK CHECK
======================================================================
Document: risk-management/risk-analysis.md

--- FINDINGS ---
  [WARNING] Line 42: Document mentions high or unacceptable risk but does not clearly reference risk control measures or benefit–risk justification. Per ISO 14971, risks above acceptability criteria require risk control and/or documented benefit–risk rationale.

--- SUMMARY ---
  Errors: 0
  Warnings: 1
======================================================================

You (or the agent) run this on the risk file or risk analysis document after updates; address warnings before design freeze or submission.
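A document-wide pattern match like the one described above can be satisfied by a single mention (even a "Risk control" column header) while an individual row is still uncovered, which is why the INFO finding asks you to verify every risk. The sketch below is an added example, not the code of check_risk_acceptance_criteria: it contrasts a document-level check with a per-row check, and its regexes, column names, threshold set and sample table are assumptions constructed for illustration.

```python
import re

# Simplified stand-ins for the phrase patterns the guide lists (assumptions,
# not the regexes used by check_risk_acceptance_criteria).
HIGH_RISK = re.compile(r"\b(?:high|unacceptable)\b", re.I)
EVIDENCE = re.compile(
    r"risk control|control measure|mitigation|risk reduction|"
    r"benefit.risk|benefit outweigh|justification|acceptable because", re.I)
ABOVE_CRITERIA = {"high", "unacceptable"}  # assumed acceptability threshold

# Constructed sample: row 2 has no control, row 3 has residual risk above
# criteria without a benefit-risk rationale.
SAMPLE = """\
| Hazard | Risk level | Risk control | Residual risk | Benefit-risk |
|---|---|---|---|---|
| Electrical shock (user) | High | Double insulation; PE connection | Low | N/A |
| Incorrect dose (software) | Unacceptable | | Unacceptable | |
| Overheating (battery) | High | Thermal cutoff | High | |
| Latex allergy | Medium | Material change to non-latex | Low | N/A |
"""

def document_level(text):
    """Whole-document finding: None, 'INFO' or 'WARNING'."""
    if not HIGH_RISK.search(text):
        return None
    return "INFO" if EVIDENCE.search(text) else "WARNING"

def _blank(cell):
    return cell.strip().lower() in ("", "n/a")

def row_level_gaps(text):
    """Hazards whose own table row lacks the control or rationale it needs."""
    rows = [[c.strip() for c in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.lstrip().startswith("|")]
    header, body = rows[0], rows[2:]  # rows[1] is the |---| separator
    gaps = []
    for cells in body:
        row = dict(zip(header, cells))
        uncontrolled = (row["Risk level"].lower() in ABOVE_CRITERIA
                        and _blank(row["Risk control"])
                        and _blank(row["Benefit-risk"]))
        unjustified = (row["Residual risk"].lower() in ABOVE_CRITERIA
                       and _blank(row["Benefit-risk"]))
        if uncontrolled or unjustified:
            gaps.append(row["Hazard"])
    return gaps

if __name__ == "__main__":
    print("document-level:", document_level(SAMPLE))
    print("rows with gaps:", row_level_gaps(SAMPLE))
```

On the sample, the document-level check returns INFO because the column header alone matches, while the row-level check names the two hazards that still need a control or rationale.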

Summary

| Topic | Summary |
|---|---|
| What’s in the skill | Full ISO 14971 workflow: plan, hazard ID, risk analysis/evaluation, risk control, residual risk, benefit–risk rationale, production/post-market. |
| What you prompt | Structure/update risk file, define criteria, document controls and residual risk, write benefit–risk rationale, or validate that every above-threshold risk has control or justification. |
| Created structure | No fixed file tree; the skill helps you produce risk management plan, hazard/risk analysis (e.g. tables with control and benefit–risk columns), and risk management report content. |
| References | Internal reference based on ISO 14971:2019 and ISO/TR 24971 (process, acceptability criteria, RMR); use official standards for exact wording. |
| Checks | check_risk_acceptance_criteria scans for high/unacceptable risk and for risk control or benefit–risk justification; reports WARNING or INFO and a short summary. |

Use the ISO 14971 Risk File Author skill when you need to build or maintain a risk management file that aligns with ISO 14971 and want the agent to guide structure, content, and validation in one place.
