This is just my opinion, but this all depends a lot on what your risk management process says and how your design control process works.
Your risk file should be considered "live" throughout the process lifecycle to the same extent that the rest of your documentation is. Generally you'd complete everything iteratively as your risk process should follow along with the rest of the design and process development. Your risk documents should correlate to each other in some way so you may not be able to finalize certain documents until other documents are complete.
Usually the hazard analysis is one of the first things that gets completed as this should feed everything else. The HA would collect hazards associated with the therapy/device type and identify the harm and severity. The hazard analysis is important because the severity assigned to a pre-RCM harm should be consistent across all your risk documents (eg, if your
pFMEA identifies the severity as 3 and your
dFMEA as 2 for the same hazardous situation, something is wrong). You should also ensure that your PHA reflects any new hazards that emerge throughout the risk process. For example, if you add a blade to your design for some reason, make sure you have captured any risks related to blades.
If you choose to use analysis tools that exist at a "point in time" as part of your initial risk analysis (eg, if you use a fishbone diagram or input/output diagram or something like that), then I don't think you need to maintain those. However, you should be cautious that your risk process is clear about how and when those tools should be used.
