Stephanie Ojeda

FDA Compliance

Risk Management in ISO 13485

The FDA’s new QMSR will harmonize with ISO 13485 for medical device quality management

Published: Tuesday, November 7, 2023 - 11:03

In December 2023, the U.S. Food and Drug Administration (FDA) expects to issue its long-awaited overhaul of its Quality System Regulation (QSR). The biggest change is that the new Quality Management System Regulation (QMSR) will harmonize with ISO 13485 for medical device quality management. With it comes an increased focus on risk management, with significant implications for device manufacturers.

Here we examine what ISO 13485 requires around risk management, common stumbling blocks, and how quality management system (QMS) tools can streamline compliance.

Risk in ISO 13485 vs. ISO 14971

ISO 13485 specifies requirements for implementing a QMS in medical device manufacturing. ISO 13485 makes reference to ISO 14971, which looks specifically at formal risk management processes and requirements for medical devices.

The main difference: ISO 13485 says an organization should apply risk-based thinking to its QMS, but it doesn’t dictate how to get there. Manufacturers can treat risk-based thinking as a general approach to identifying, addressing, and mitigating risk across their QMS processes.

Risk management under ISO 14971, on the other hand, is a more comprehensive, structured process. This includes specific methods for evaluating and mitigating risk in medical devices, including:
• Hazard identification
• Risk assessment
• Risk control measures

It’s worth noting that the current QSR (21 CFR Part 820) is already fairly similar to ISO 13485. The FDA already expects risk to be part of manufacturers’ processes, though it only receives passing mention in Part 820. That said, the biggest gap between the two relates to risk management, making it a crucial area of focus.

ISO 13485 requirements related to risk

Despite the fact that ISO 13485 doesn’t require the same formalized approach to risk management as ISO 14971, several clauses do require a risk-based approach.

Design and development planning: Your design and development procedures should specify how you’ll address risks so that products conform to quality, safety, and performance requirements.

Process validation: Validation of processes with a direct impact on quality should include looking at process risk and implementing controls to mitigate risk as needed.

Monitoring and measurement: Processes for monitoring and measurement should consider how those processes could fail to detect quality issues.

Corrective action and preventive action (CAPA): Organizations should consider using tools like risk matrices to identify and prioritize CAPAs based on risk. You should also look at steps like key performance indicator (KPI) tracking and plant floor checks to monitor CAPA effectiveness.

Postmarket surveillance activities: Risk should also inform postmarket surveillance activities, for instance by using a risk matrix in complaint management to prioritize action.

Using the QMS to meet ISO 13485 risk requirements

An automated QMS provides tools to help organizations incorporate a risk-based thinking approach into their operations.

Failure mode and effects analysis (FMEA) within your QMS risk management solution is one key example. FMEA documents potential failures, scoring each by severity, occurrence (likelihood), and detection to calculate a risk priority number (RPN).

Beyond just the design phase, FMEA can also be linked to other parts of the process. For instance, when changing a process, the QMS change control solution can help trigger an update to the related FMEA.

Risk management solutions in the QMS allow you to:

• Initiate a risk assessment from events and processes such as complaints, deviations, and nonconformances
• Use a risk matrix to calculate risk and determine whether it’s acceptable or unacceptable
• Get notifications when an FMEA update is needed
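To make the FMEA and risk-matrix mechanics above concrete, here is an added example (not code from the article or from any QMS product) that scores failure modes by severity, occurrence, and detection to compute an RPN, classifies a severity/occurrence pair with a small risk matrix, ranks entries for CAPA prioritization, and flags FMEA rows that a process change affects. The 1–10 scales, the acceptability thresholds, the sample failure modes, and all function names are constructed assumptions for illustration; a real matrix and its bands are tailored per product and documented in the manufacturer’s risk management plan.

```python
"""Added example: toy FMEA / risk-matrix helpers.

All scales, thresholds, and sample rows below are constructed assumptions,
not values from the article, ISO 13485, ISO 14971, or any QMS product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    process_step: str
    failure: str
    severity: int    # 1 (negligible) .. 10 (catastrophic)   -- assumed scale
    occurrence: int  # 1 (remote) .. 10 (almost certain)      -- assumed scale
    detection: int   # 1 (certain to detect) .. 10 (undetectable) -- assumed scale


def _check_scale(name: str, value: int) -> int:
    """Reject scores outside the assumed 1..10 scale instead of silently
    producing a misleading RPN."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer in 1..10, got {value!r}")
    return value


def rpn(fm: FailureMode) -> int:
    """Risk priority number: severity x occurrence x detection."""
    return (_check_scale("severity", fm.severity)
            * _check_scale("occurrence", fm.occurrence)
            * _check_scale("detection", fm.detection))


def risk_matrix_verdict(severity: int, occurrence: int) -> str:
    """Classify a severity/occurrence pair as acceptable, review, or
    unacceptable. The bands are constructed; note that a matrix is not a
    pure product: a high-severity row with a non-remote occurrence is
    unacceptable even when the product is modest."""
    s = _check_scale("severity", severity)
    o = _check_scale("occurrence", occurrence)
    score = s * o
    if score >= 40 or (s >= 9 and o >= 3):
        return "unacceptable"
    if score >= 10:
        return "review"      # risk reduction to be evaluated
    return "acceptable"


def prioritize(fms, rpn_threshold: int = 0):
    """Rows at or above the threshold, highest RPN first (CAPA ordering)."""
    hits = [fm for fm in fms if rpn(fm) >= rpn_threshold]
    return sorted(hits, key=rpn, reverse=True)


def fmea_rows_needing_update(fms, changed_steps):
    """Rows whose process step is touched by a change request; a change
    control workflow would raise an 'FMEA update needed' notification
    for each of these."""
    return [fm for fm in fms if fm.process_step in changed_steps]


# Constructed sample FMEA rows, including the labeling case the article raises.
SAMPLE_FMEA = [
    FailureMode("Labeling", "Wrong label applied to product",
                severity=9, occurrence=3, detection=6),
    FailureMode("Packaging", "Pouch seal incomplete",
                severity=7, occurrence=1, detection=3),
    FailureMode("Sterilization", "Cycle parameters out of range",
                severity=10, occurrence=1, detection=2),
]


if __name__ == "__main__":
    for fm in prioritize(SAMPLE_FMEA):
        verdict = risk_matrix_verdict(fm.severity, fm.occurrence)
        print(f"{rpn(fm):4d}  {verdict:12s} {fm.process_step}: {fm.failure}")
    for fm in fmea_rows_needing_update(SAMPLE_FMEA, {"Labeling"}):
        print(f"FMEA update needed: {fm.process_step} / {fm.failure}")
```

Running the script lists the three rows with RPNs 162, 21, and 20, shows the labeling row as unacceptable on the matrix despite a moderate product score, and prints one update notification when a change request names the labeling step. The scale check matters in practice: an RPN computed from a 0 or an out-of-range score looks plausible in a report but silently misorders the CAPA queue.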

Common risk management challenges under ISO 13485

Device manufacturers face several challenges when it comes to complying with risk requirements in ISO 13485.

First, organizations must ensure their processes account for the updates to risk management within the standard. This starts with updating your quality manual to reflect your overall approach to risks. If you have any specific standard operating procedures (SOPs) around managing risk or impact assessments, those should also be updated.

Another common problem is the underutilization of ISO 14971 when looking to adopt a risk-based approach. Even if you don’t adopt ISO 14971 completely, it does provide a reference when you need help incorporating risk-based thinking. ISO 13485 also points to places where ISO 14971 requirements must be met, making it critical to understand both standards.

Finally, companies should look at the entire product life cycle when considering risk mitigation activities. The problem here is that companies sometimes just look at obvious places in the process where things can go wrong.

Instead, consider the process from start to finish. For example, what could go wrong with labeling and packaging? What if, during production, a product is labeled incorrectly? These questions should be included in your FMEA as well.


It’s never too early to start preparing for change under the new QMSR. By harmonizing with ISO 13485, which refers directly to ISO 14971, the new regulation places increased emphasis on risk management.

To be prepared, manufacturers should leverage their QMS to incorporate risk tools at every stage of the product life cycle. This includes everything from product planning to postmarket surveillance, ensuring there are no gaps that will affect FDA compliance status.


About The Author


Stephanie Ojeda

Stephanie Ojeda is the director of product management for the life sciences industry at AssurX.


Article comment

Thank you, Stephanie, for a good overall review (and reminder!) of what's to come when the FDA's QSR is overhauled.

We await the official FDA announcement!