July 26, 2023

In December 2023, the U.S. Food and Drug Administration (FDA) expects to issue its long-awaited overhaul of its Quality System Regulation (QSR).  

The biggest change is that the new Quality Management System Regulation (QMSR) will harmonize with ISO 13485 for medical device quality management. With it comes an increased focus on risk management, with significant implications for device manufacturers. 

Here we examine what ISO 13485 requires around risk management, common stumbling blocks and how QMS tools can streamline compliance. 


Risk in ISO 13485 vs. ISO 14971 

ISO 13485 specifies requirements for implementing a quality management system (QMS) in medical device manufacturing. ISO 13485 makes reference to ISO 14971, which looks specifically at formal risk management processes and requirements for medical devices.

The main difference: while ISO 13485 says an organization should apply risk-based thinking to its QMS, it doesn't dictate how to get there. Manufacturers can treat risk-based thinking as a general approach to identifying, addressing and mitigating risk across their QMS processes.

Risk management under ISO 14971, on the other hand, is a more comprehensive, structured process. This includes specific methods for evaluating and mitigating risk in medical devices, including: 

  • Hazard identification 
  • Risk assessment 
  • Risk control measures

It’s worth noting that the current QSR (21 CFR Part 820) is already fairly similar to ISO 13485. FDA already expects risk to be part of manufacturers’ processes, though it only receives passing mention in Part 820. That said, the biggest gap between the two relates to risk management, making it a crucial area of focus.

ISO 13485 Requirements Related to Risk 

Although ISO 13485 doesn't require the same formalized approach to risk management as ISO 14971, several clauses do require a risk-based approach, including:

  • Design and development planning: Your design and development procedures should specify how you’ll address risks so that products conform to quality, safety and performance requirements. 
  • Process validation: Validation of processes with a direct impact on quality should include looking at process risk and implementing controls to mitigate risk as needed. 
  • Monitoring and measurement: Processes for monitoring and measurement should consider how those processes could fail to detect quality issues.  
  • Corrective and preventive action (CAPA): Organizations should consider using tools like risk matrices to identify and prioritize CAPAs based on risk. You should also look at steps like KPI tracking and plant floor checks to monitor CAPA effectiveness. 
  • Post-market surveillance activities: Risk should also inform post-market surveillance activities, for instance by using a risk matrix in complaint management to prioritize action.

Using the QMS to Meet ISO 13485 Risk Requirements 

An automated QMS provides tools that help organizations build risk-based thinking into their operations.

Failure mode and effects analysis (FMEA) within your QMS risk management solution is one key example. FMEA documents potential failures, scoring each by severity, occurrence (likelihood) and detection to calculate a risk priority number (RPN).  

Beyond just the design phase, the FMEA can also be linked to other parts of the process. For instance, when changing a process, the QMS change control solution can help trigger an update to the related FMEA. 

Risk management solutions in the QMS allow you to: 

  • Initiate a risk assessment from events and processes such as complaints, deviations and nonconformances 
  • Use a risk matrix to calculate risk and determine whether it’s acceptable or unacceptable 
  • Get notifications when an FMEA update is needed 
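To make the FMEA scoring and risk-matrix steps described above concrete, here is an added worked example in Python. It is not AssurX code and not part of the original article: the 1-10 scales, the three-region severity-by-occurrence matrix, the acceptability thresholds and the sample failure modes (drawn from the labeling and packaging questions raised later in the article) are all constructed for illustration, since each manufacturer defines its own scales and criteria in its risk management plan. The example computes each failure mode's RPN, ranks the FMEA for CAPA prioritization, classifies each entry against the matrix, and shows how a process change can flag the FMEA rows that need review.

```python
"""Illustrative FMEA / risk-matrix example (constructed; not AssurX code).

Scales, matrix regions and sample data are assumptions for this example.
A real FMEA uses the scales and acceptability criteria defined in the
manufacturer's own risk management plan.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

SCALE_MIN, SCALE_MAX = 1, 10  # assumed 1..10 scoring scale for S, O and D


@dataclass(frozen=True)
class FailureMode:
    process_step: str
    failure: str
    severity: int    # 1 = negligible harm .. 10 = catastrophic harm
    occurrence: int  # 1 = remote .. 10 = frequent (likelihood of occurring)
    detection: int   # 1 = almost certain to be detected .. 10 = undetectable

    def __post_init__(self) -> None:
        # Reject out-of-scale scores so a typo cannot silently distort the RPN.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} outside {SCALE_MIN}..{SCALE_MAX}")

    def rpn(self) -> int:
        """Risk priority number: severity x occurrence x detection."""
        return self.severity * self.occurrence * self.detection


def _band(score: int) -> str:
    """Collapse a 1..10 score into the low/medium/high band used by the matrix."""
    if score <= 3:
        return "low"
    if score <= 7:
        return "medium"
    return "high"


# Constructed severity-by-occurrence risk matrix. Each cell names the region
# the organization has pre-agreed on: acceptable, tolerable (reduce as far as
# practicable) or unacceptable (risk control required before release).
RISK_MATRIX = {
    ("low", "low"): "acceptable",      ("low", "medium"): "acceptable",
    ("low", "high"): "tolerable",      ("medium", "low"): "acceptable",
    ("medium", "medium"): "tolerable", ("medium", "high"): "unacceptable",
    ("high", "low"): "tolerable",      ("high", "medium"): "unacceptable",
    ("high", "high"): "unacceptable",
}


def risk_region(severity: int, occurrence: int) -> str:
    """Look up the matrix region for a severity/occurrence pair."""
    return RISK_MATRIX[(_band(severity), _band(occurrence))]


def prioritize(fmea: Iterable[FailureMode]) -> List[FailureMode]:
    """Rank failure modes by RPN, highest first (ties broken by severity)."""
    return sorted(fmea, key=lambda fm: (fm.rpn(), fm.severity), reverse=True)


def needs_review(fmea: Iterable[FailureMode], changed_steps: Set[str]) -> List[FailureMode]:
    """Return FMEA rows tied to process steps touched by a change request.

    Models the change-control link described in the article: a process change
    should trigger a review of the FMEA entries for that step.
    """
    return [fm for fm in fmea if fm.process_step in changed_steps]


# Constructed sample FMEA for a device assembly line.
SAMPLE_FMEA = [
    FailureMode("Labeling", "Wrong label applied to device", 9, 4, 4),
    FailureMode("Packaging", "Incomplete seal on sterile barrier", 8, 2, 5),
    FailureMode("Incoming inspection", "Out-of-spec component accepted", 6, 4, 3),
    FailureMode("Final test", "Test fixture out of calibration", 7, 2, 2),
]

if __name__ == "__main__":
    for fm in prioritize(SAMPLE_FMEA):
        region = risk_region(fm.severity, fm.occurrence)
        print(f"RPN {fm.rpn():4d}  {region:12s}  {fm.process_step}: {fm.failure}")
    # A change request against the packaging step flags one row for FMEA review.
    for fm in needs_review(SAMPLE_FMEA, {"Packaging"}):
        print("Review FMEA row after change:", fm.failure)
```

Note that the RPN ranking and the matrix region answer different questions: the RPN orders the backlog (which CAPA to work first), while the matrix region states whether the organization has agreed the risk is acceptable at all. In the sample data the labeling failure is both the top RPN and the only unacceptable region, but a low-RPN item can still land in an unacceptable cell when severity is high, which is why both views are kept.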

Common Risk Management Challenges Under ISO 13485 

Device manufacturers face several challenges when it comes to complying with risk requirements in ISO 13485.  

First, organizations must ensure their processes account for the updates to risk management within the standard. This starts with updating your quality manual to reflect your overall approach to risks. If you have any specific standard operating procedures (SOPs) around managing risk or impact assessments, those should also be updated. 

Another common problem is the underutilization of ISO 14971 when looking to adopt a risk-based approach. Even if you don’t adopt ISO 14971 completely, it does provide a reference when you need help incorporating risk-based thinking. ISO 13485 also points to places where ISO 14971 requirements must be met, making it critical to understand both standards.  

Finally, companies should look at the entire product lifecycle when considering risk mitigation activities. The problem here is that companies sometimes look only at the obvious places in the process where things can go wrong.

Instead, they need to consider the process from start to finish. For example, what could go wrong with labeling and packaging? What if, during production, a product is labeled incorrectly? These questions should be included in your FMEA as well. 


It's never too early to start preparing for change under the new QMSR. By harmonizing with ISO 13485, which references ISO 14971 directly, the new regulation places increased emphasis on risk management.

To be prepared, manufacturers should use their QMS to incorporate risk tools at every stage of the product lifecycle, from product planning to post-market surveillance, so that no gaps remain that would affect their FDA compliance status.




About the Author

Stephanie Ojeda is Director of Product Management for the Life Sciences industry at AssurX. Stephanie brings more than 15 years of leading quality assurance functions in a variety of industries, including pharmaceutical, biotech, medical device, food & beverage, and manufacturing.