ISO 14971 Risk Management: Design Integration, Not Documentation Theater
Risk management built into design controls produces audit-defensible files at half the rework cost. A practical guide with Korea MFDS / KGMP specifics.

The Two Risk Management Modes
In the medical device organizations we work with, the ISO 14971 risk management process tends to operate in one of two modes.
Mode 1 — design-integrated. Risk analysis begins with the user-needs draft. Hazards inform design inputs. Risk controls become design requirements. The Risk Management File grows as the design grows. By design freeze, the file is complete because the design is the file.
Mode 2 — documentation theater. Engineering builds the device. Just before submission, a regulatory analyst writes a Risk Management File that justifies the existing design. The file is internally consistent but disconnected from how the device was actually developed. Auditors smell it.
The cost difference between the two modes is substantial. Mode 1 produces audit-defensible files with limited rework. Mode 2 generates findings every audit cycle and requires periodic rebuilds — typically 6-8 weeks of senior RA time per cycle, plus the residual risk of an inspector pulling the thread.
This post is about how to operate in Mode 1, with specific Korea MFDS / KGMP considerations layered in.
ISO 14971 Core Structure (Recap)
The standard organizes risk management as a continuous lifecycle activity, not a one-time analysis. Six core activities:
- Risk analysis — identify hazards and hazardous situations
- Risk evaluation — assess severity × probability for each hazardous situation
- Risk control — design and verify measures that reduce risk
- Residual risk evaluation — assess remaining risk after controls
- Overall residual risk acceptability — total picture vs benefit
- Production and post-production information — feedback loop from manufacturing and field
The 2019 revision (and 2024 amendment) sharpened the emphasis on intended use phrasing, reasonably foreseeable misuse, and risk-control verification. Auditors increasingly expect explicit traceability between each of these activities.
Where Design Integration Happens
Five integration points that distinguish Mode 1 from Mode 2.
Point 1 — User Needs Drive Hazard Identification
Hazards do not emerge from a brainstorm; they emerge from the user needs document. For each user need (e.g., "the device shall enable rapid biopsy in confined surgical fields"), the design team asks: what could go wrong, for whom, when?
In Mode 1, this question is answered before design inputs are baselined. In Mode 2, hazards are reverse-engineered from the design later, which systematically under-identifies user-error and use-environment hazards.
Point 2 — Hazardous Situations Map to Use Scenarios
A hazard alone is abstract. A hazardous situation — "operator triggers biopsy collection while patient anatomy is misaligned" — anchors the risk to a specific use scenario. In Mode 1, hazardous situations come from use scenarios already documented in the human factors / usability work (see our Testing Management & Usability Engineering guide for the Korean specifics).
Point 3 — Risk Controls Become Design Inputs
This is the highest-leverage point. When a risk control is identified ("interlock prevents trigger while alignment sensor disengaged"), it must enter the design input register, with its own verification protocol. In Mode 1, the linkage is structural — the same PLM/eQMS object family. In Mode 2, controls live in a Risk Management File that the design team never opens.
Point 4 — Verification Evidence Closes the Loop
For each risk control listed in the Risk Management File, ISO 14971 §7 expects evidence that the control is implemented and effective. That evidence is V&V data — the same V&V data the design team produces for design verification. In Mode 1, the link is automatic. In Mode 2, the file says "see V&V report XYZ" and the V&V report doesn't reference the hazard it addresses; auditors flag this gap.
Point 5 — Post-Production Feedback Is Wired In
Production and post-market data (complaints, vigilance, manufacturing non-conformances, field service) must update the risk file. In Mode 1, the PMS procedure explicitly identifies which signals trigger Risk Management File review. In Mode 2, the file is updated periodically (annually) and treats post-market data as a documentation exercise rather than a live input.
The Risk Management File: Practical Structure
A working Risk Management File contains:
| Section | What it captures |
|---|---|
| Risk management plan | Methodology, acceptability criteria, responsible roles, planned reviews |
| Hazard analysis | Hazards, hazardous situations, harms — populated from user needs and use scenarios |
| Risk estimation | Severity, probability, risk score per hazardous situation (initial and residual) |
| Risk control table | Each control + design input it satisfies + verification evidence + post-control risk |
| Risk-benefit analysis | For situations where residual risk remains above the lower acceptability threshold |
| Production / post-production information | Procedure references, signal review cadence, file update triggers |
| Risk management report | Periodic summary signed by the risk management responsible person |
The Risk Traceability Matrix — often a separate Excel artifact in Mode 2 — should be a live query from the underlying PLM/eQMS in Mode 1, not a maintained spreadsheet.
Korea MFDS / KGMP Specifics
The Korean MFDS and KGMP frameworks accept ISO 14971 in the same way as FDA and EU MDR, but several local emphases matter.
Korean Risk Management File expectation. During KGMP audits and MFDS submission review, the Korean reviewer expects a Korean-language Risk Management Report (the summary, not the full file). A bilingual approach — full file in English, summary in Korean — is the workable pattern.
Traceability emphasis. Korean KGMP auditors specifically probe the hazard → design input → verification evidence linkage. A clean traceability matrix that resolves to actual document references (not "see file XYZ") survives inspection. A loose matrix with section-level references does not.
Use environment for Korean clinical settings. Korean hospital clinical environments — particularly tertiary academic centers — operate at higher throughput and often with different staff role distributions than US/EU equivalents. Hazardous situations involving clinical workflow should be reviewed for Korean applicability. We routinely add 2-3 hazardous situations specific to Korean use environment during MFDS submission preparation.
Cybersecurity risk integration. Per the 2026 MFDS cybersecurity guidance (covered in our Korea Cybersecurity 2026 Update), cybersecurity threats now integrate explicitly into the ISO 14971 risk file for connected devices. The threat model is a Risk Management File annex, not a separate document.
Risk Traceability Matrix — Working Example
A simplified row from a real engagement (sanitized):
| Hazard ID | Hazardous situation | Initial severity × prob | Control | Design input | Verification | Residual |
|---|---|---|---|---|---|---|
| HZ-014 | Misaligned biopsy trigger during retraction | 4 × 3 = 12 (high) | Mechanical interlock + alignment sensor | DI-072, DI-073 | V&V-018 (pass), V&V-019 (pass) | 2 × 2 = 4 (acceptable) |
Every column is a live link to the underlying object in PLM. An auditor clicking through any single cell reaches the supporting evidence. This is what "design integration" looks like operationally.
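The click-through audit this row is meant to survive, as an added example (not code from the original post or from any PLM/eQMS product): it checks that every design input and verification reference resolves to an object, that each V&V record cites the hazard it addresses, and that residual risk is within the threshold. The registers, the HZ-015 row, the V&V-020 record and the threshold of 6 are constructed assumptions.

```python
import re

# Assumed threshold: the page rates a score of 12 as high and 4 as acceptable.
ACCEPTABLE_MAX = 6
OBJECT_ID = re.compile(r"^(DI|V&V)-\d{3}$")

# Constructed registers standing in for PLM/eQMS objects.
DESIGN_INPUTS = {"DI-072": "Mechanical interlock", "DI-073": "Alignment sensor"}
VV_RECORDS = {
    "V&V-018": {"result": "pass", "hazards": {"HZ-014"}},
    "V&V-019": {"result": "pass", "hazards": {"HZ-014"}},
    "V&V-020": {"result": "pass", "hazards": set()},  # never cites its hazard
}

# HZ-014 is the page's row; HZ-015 is a constructed row with Mode 2 defects.
MATRIX = [
    {"hazard": "HZ-014", "design_inputs": ["DI-072", "DI-073"],
     "verification": ["V&V-018", "V&V-019"], "residual": (2, 2), "risk_benefit": None},
    {"hazard": "HZ-015", "design_inputs": ["see file XYZ"],
     "verification": ["V&V-020"], "residual": (3, 3), "risk_benefit": None},
]

def audit_row(row):
    """Return the traceability findings for one matrix row."""
    hz, findings = row["hazard"], []
    for ref in row["design_inputs"]:
        if not OBJECT_ID.match(ref):
            findings.append(f"{hz}: design input '{ref}' is free text, not an object ID")
        elif ref not in DESIGN_INPUTS:
            findings.append(f"{hz}: design input {ref} does not resolve")
    for ref in row["verification"]:
        rec = VV_RECORDS.get(ref)
        if rec is None:
            findings.append(f"{hz}: verification {ref} does not resolve")
        elif rec["result"] != "pass":
            findings.append(f"{hz}: verification {ref} result is {rec['result']}")
        elif hz not in rec["hazards"]:
            findings.append(f"{hz}: {ref} does not reference the hazard it addresses")
    if not (row["design_inputs"] and row["verification"]):
        findings.append(f"{hz}: control lacks a design input or verification")
    sev, prob = row["residual"]
    if sev * prob > ACCEPTABLE_MAX and not row["risk_benefit"]:
        findings.append(f"{hz}: residual {sev * prob} needs a risk-benefit analysis")
    return findings

def audit_matrix(matrix=MATRIX):
    """Map each hazard ID to its findings; an empty list means a clean trace."""
    return {row["hazard"]: audit_row(row) for row in matrix}

print(audit_matrix())
```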
Six Practical Recommendations
- Begin risk analysis at user needs, not at design baseline. The hazards you find in the first two weeks shape inputs that would otherwise require rework.
- Treat each risk control as a design input with its own verification protocol. Do not let controls live in a sidecar file.
- Use the same PLM/eQMS for design objects and risk objects. Cross-system links break under change pressure.
- Wire post-market signals to file update triggers via the PMS procedure. Annual review is too coarse.
- For Korea, prepare a Korean Risk Management Report summary. A bilingual file is workable; a Korean-only summary is required for KGMP audit and MFDS review.
- Audit your own Risk Traceability Matrix by clicking through random cells. If you cannot reach the supporting evidence in two clicks, the matrix is not integrated.
Where Leanabl Plugs In
For organizations operating in Mode 2 and wanting to migrate to Mode 1, the Discovery & Design solution rebuilds the risk file alongside the existing design controls, with bilingual Korean summary work integrated. For Korean-specific design lock and change control that depends on a current Risk Management File, the Korea Design Lock solution carries the operational work post-clearance.

