Medical Device Consulting Regulatory Quality Complaince

The Big Three of Medical Device Design

These three standards form the backbone of standards based processes for medical device product development. They provide the procedural structures within which medical device design takes place. ISO 13485 provides the overall Quality Management System, ISO 14971 speaks to Risk management and ISO 62366 speaks to designing devices with the end user in mind. The latter two work as details within the scope of ISO 13485.

ISO 13485 does not specifically mention a "Design History File". It speaks however to the maintenance of records.  The summation of the requirements to maintain matches the requirements under 21 CFR 820 to establish and maintain a Design History File. Comments here in general apply to 21 CFR 820.

Other, much more technical standards, help to specify a design (e.g. ISO 10993 or ISO 60601). The actual design of the device will be heavily influenced by these technical standards.

Each of the three calls out record sets and each of them allows combining/co-mingling these sets with those required by the other two. Efficient product development systems make use of this.  ISO 14971 is explicit about the interaction between it and ISO 13485. "Where a documented product realization process exists, such as that described in Clause 7 of ISO 13485:2003[8], it shall incorporate the appropriate parts of the risk management process." ISO 14971 specifically requires the close integration of activities under it into the ISO 13485 Quality Management System.

Design History File

Design History File

The Design History file is not a specific named requirement of ISO 13485 though it is in 21 CFR 820. In ISO 13485, within the requirements for Product Realization, the records generated are required to be maintained. Section 7.1 specifically calls out the following with respect of risk management:

"The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained (see 4.2.4)."

It is logical to use the definition of a Design History File from 21 CFR 820.30.(j):

Design history file. Each manufacturer shall establish and maintain a DHF for each type of device. The DHF shall contain or reference the records necessary to demonstrate that the design was developed in accordance with the approved design plan and the requirements of this part.

Risk Management File

In the notes to Section 3.5, ISO 14971 explicitly permits the integration of the requirements of the Risk Mangement File into the Design History file. To see this section, click

Usability Management File

In the notes to Section 4.2, ISO 62366 explicitly permits the integration of the requirements of the Usability Engineering File into the Design History file. To see this section, click

A List of Documents

The design history file can be a folder crammed full of records at the end of a project. However, this is impossible to maintain.

The design history file can be a list of documents.  Each document listed is individually controlled. The list can identify which documents are specifically part of the Risk Management File and/or the Usability Engineering File.

Interlocking Requirements

Starting with Harms

Both ISO 14971 & ISO 62366 require, at the initiation of a design (and as a retrofit if you are responding to an audit finding that effectively says you did not do this properly to start with) that you identify the potential sources of harm. The lists of potential harms, provided for reference in the appendices to the standards, heavily overlap.  Do this once; for your product develop one list of harms that are all inclusive and record the engineering output in the one record.

Failure Modes

Both ISO 14971 & ISO 62366 require the investigation of the design for failure modes. ISO 14971 speaks to failures in design.  ISO 62366 speaks to User Slips , Lapses and Mistakes. The same failure modes effects and criticality analysis records can take these inputs. Both views inform the optimization of the design and the content of the Instructions for Use.


Both ISO 14971 & ISO 62366 require the assessment of residual risk. Both standards, as per their 2012 revision, the standards do not meet the full requirements of the Essential Requirements.