Find every ISO 14971 risk gap before your auditor does.
What Gordios checks, and why it matters.
Book a demoISO 14971 in practice: what the standard actually requires.
The standard doesn't just require a risk analysis. It requires a system — iterative, documented, traceable — that runs across the entire device lifecycle.
A process, not a document
ISO 14971 is often treated as a project deliverable. It is in fact a continuous process: every device change, every incident, every field feedback should feed it. The analysis written during design is only a starting point.
End-to-end traceability
Every identified risk must be linked to its control measure, itself tied to a verification proof. Without this complete chain, the risk analysis exists on paper — but won't survive an audit.
The risk management report
Often written under pressure as a closing document, it must demonstrate that the overall residual risk is acceptable. Reduced to a formality, it becomes the first blind spot an experienced auditor will point out.
Links with the rest of the file
Labelling, IFU, verification tests — each of these documents must be traceable back to the risk analysis. A device that evolves without the analysis keeping pace creates silent inconsistencies — hard to detect, costly in audit.
What Gordios examines, point by point.
Every check is located in your documents. Every gap is explained — not a global score, but a traceable, actionable result.
| Domain checked | What Gordios verifies | Coverage |
|---|---|---|
| Risk analysis | Hazard identification, risk estimation and evaluation, consistency with device characteristics | Audited |
| Control measures | Presence, hierarchy (design / protection / information), traceability to verification proofs | Audited |
| Residual risks | Post-mitigation evaluation, disclosure in labelling and IFU, consistency with user information | Audited |
| Risk management report | Presence, completeness, conclusion on overall residual risk acceptability | Audited |
| Lifecycle and revisions | Traceability of updates after device modification or field feedback | Audited |
| Cross-document consistency | Links between the risk analysis and other technical file deliverables (tests, labelling, IFU) | Audited |
The chain every auditor follows.
A risk only holds up when it can be traced end to end. Gordios checks that the chain is unbroken.
ISO 14971 analysis points
of audit-prep time saved
to your first report
They trust us
A true digital auditor that pinpointed the gaps in my technical file in just a few minutes.
Thomas BalverdeRegulatory Affairs ManagerConnecting with Gordios early in the project saved me valuable time.
Sarah Souheil GebaiCEO, TrembLessHow Gordios audits your QMS.
Three steps, on your real documents. No configuration, no prior training needed.
You import your documents
Risk analysis, Quality Manual, test reports, labelling, IFU — you upload what you have. Gordios adapts to your documentation structure.
Gordios audits against the 14971 grid
The tool verifies every point of the standard against your documents: presence, consistency, traceability. Automatically, with no manual intervention.
You receive a traceable report
Every result is located in your documents. Every gap is explained. You know what holds up and what needs attention — with the exact source to back it up.
The most frequent gaps Gordios detects.
Not poorly-made files — but files built without the auditor's perspective.
The analysis and the device no longer match
The device has evolved. The risk analysis still reflects an earlier version. The inconsistencies are seen only during audit time.
Control measures without proof
The measure is documented in the analysis. The proof that it was verified is not attached. The link is missing.
Residual risks not in the IFU
The analysis identifies residual risks to disclose to the user. The IFU, however, doesn't mention them — or not in a traceable way.
The report written at the last minute
Completed right before submission, the risk management report doesn't reflect the real process. The auditor sees it. The manufacturer, rarely.
Incidents not propagated
A field feedback or post-market incident should trigger a revision of the analysis. That trigger is often missing.
The measure hierarchy ignored
ISO 14971 enforces a hierarchy: design first, then protection, then information. In practice, teams jump straight to information — without documenting why.
ISO 14971 audit — common questions.
Want to learn more?
Schedule a meeting with one of our specialists to best address your needs!
Book a demo