Jon Speer

FDA Compliance

What a Risk-Based QMS Means

And how it relates to four critical concerns

Published: Monday, November 27, 2017 - 13:02

What exactly is a risk-based quality management system (QMS)? This is a timely topic to get into. In 2016, ISO 13485, “Medical devices—Quality management systems,” was updated, and one of the key concepts it presents is the idea of a risk-based QMS.

Historically, regulations have almost exclusively looked at risk in terms of either the design and direct product-related elements, or the manufacturing process. Design-focused risk was all about what might happen to the patient, whereas manufacturing-focused risk was about the effect of risk elements on our ability to deliver the product. With design risk, you assume the product was manufactured correctly; with manufacturing risk, you assume it was designed correctly.

The new regulations describe the process behind risk management rather than these more traditional product-focused approaches.

Here are some key areas that medical-device developers need to focus on to apply a risk-based QMS.

Supplier management

You identify all vendors and resources (e.g., parts, pieces, services, packaging) that you need to buy to manufacture your device. You capture these vendors on an approved supplier list that you can share with your team.

Risk has been infused in this process for a long time. Usually you’ll put each supplier in a bucket or category, with the two major categories being “critical” and “noncritical.”

The level of criticality depends on the type of items you have qualified and approved for the supplier, and the risk to patients. You look at factors such as whether they’re supplying materials for implants or other vital aspects that can directly affect patient health. There should always be a connection between the supplier and the particular product being bought; suppliers are approved only for particular materials. Criticality can be expressed as either product-critical or business-critical.

With a risk-based QMS, companies need to examine their suppliers and determine what “critical” and “noncritical” mean. The wrong materials can have huge ramifications from both a patient and manufacturing standpoint. This is risk-based supplier management.

A key part of a risk-based approach is that you should monitor and evaluate suppliers with some frequency. If there are any issues with the things you are buying from the supplier, you should take action to mitigate your risk. This might mean issuing a formal corrective action to a current supplier, or even finding a new supplier. The overall idea is that you apply a process to assess risk within your supplier management process.

Here is a relevant excerpt from ISO 13485 for any outsourced processes:
“When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with [Clause] 7.4. The controls shall include written quality agreements.”

Nonconformance

Nonconformance is closely associated with manufacturing. You’ll need to determine the disposition of the error by asking yourself the following questions:
• What do I do with this?
• Can I use it as it is?
• Do I need to rework it?
• Do I scrap it altogether?

The decision about what to do is part of the risk-based approach to nonconformance. The expectation for being risk-based is that you must factor in the risk of each decision on the manufacturing process and/or the patient.

Historically, companies didn’t go to this level. They had a checkbox on a form—“Was risk impacted by this?”—with a yes/no response. There was no connection made between the process and the risk documentation; it operated as a siloed function. With the new requirements, this is no longer the case. A holistic approach to risk management helps to avoid silos and improve transparency across the whole operation.

You can find the revised information under clauses 8.3 and 8.3.4 of ISO 13485:2016. They don’t mention the word risk, but they do use the term “adverse effect,” which can be understood to mean risk. The bottom line is that the standard tells you to take risk into account whenever you have to perform rework due to nonconformance.


Complaints or general feedback

Similar to the solution for nonconformances, companies often use a simple checkbox for complaints or feedback. They really should be shifting to a product-centric interpretation of risk. What does a complaint mean for the product or product family? Have you defined probability and severity? Was the issue already documented in your risk management file? Was the risk defined correctly, or does it need updating?

The real risk when you launch your product may well be higher than you first thought, so it’s important to keep assessing based on the feedback that you receive and any other incidents.

Have a risk management file for the product so that you can go back to a knowledge base for the product when complaints happen. As we have discussed in previous articles, risk management is an activity spanning the full product life cycle, not just something you do during design and production.

Within ISO 13485:2016, check out clauses 8.2, 8.2.1, and 8.2.2 for their advice on feedback and complaint handling. You need to have documented procedures for the feedback process, and include provisions to gather data from the production and post-production phases.

The feedback that you gather becomes a potential input into risk management. You need to analyze it from a risk perspective, and evaluate it with a view to the safety of the patient and the performance of the device as intended. Your feedback might give you cause to make changes to either the design or something in your processes, but again, you need to analyze the risk of these changes.

Corrective and preventive action

People often assess risk within the context of corrective and preventive action (CAPA). This is another example of risk handled in the same siloed way that we see in each of the above areas, rather than holistically across the product.

CAPA is for systemic issues. If the problem is product- or manufacturing-related, it’s virtually guaranteed that risk is negatively impacted. You need to go back and update the risk management file, and doing so should be an action point as part of the CAPA.

An example of integrating risk management with CAPA is that your CAPA records could include extended data to show the likelihood and effect of such an event. This can help with sorting and filtering CAPA records to create some kind of priority view.

Final thoughts

A risk-based QMS means applying a process to assess risk within supplier management, nonconformances, complaints, and CAPA.

A QMS is our architecture for demonstrating all the things we do to comply with regulations. Those actions tend to be good business practices, too. If you think of risk as a hierarchy, we’re looking for those underlying QMS processes to be as risk-averse as possible.

The ISO 13485:2016 standard puts more emphasis on risk management before product realization. This means organizations need to show how they are making risk-based, rather than rule-based, decisions to comply with the regulations. Doing so can bring the benefit of better allocation of resources across your business.

Organizations still using a manual or paper-based approach to manage design controls or quality processes can benefit tremendously from employing a modern eQMS software platform exclusively for medical device companies.

First published on the Greenlight Guru blog.


About The Author

Jon Speer

Jon Speer is the founder and vice president of quality assurance and regulatory affairs at Greenlight Guru, a software company that produces the only medical device quality management software solution. Device makers in more than 50 countries use Greenlight Guru to get safer products to market faster. Speer has served more than 20 years in the medical device industry and helped dozens of devices get to market. As a thought leader and speaker, he regularly contributes to numerous industry publications. He is also the host of the Global Medical Device Podcast.



Risk Based QMS is an illusion

When I first read the 2015 version of ISO's various MSS's, I said to myself, what happened to the basics of understanding business management, the customer, and interested parties? This new management system attempts to open the doorway for auditors to step into the board room and start asking questions of the executives and their various planning methodologies. The failure mode is related to the inability of most Quality or Environmental or Safety professionals or auditors to even remotely understand a profit and loss statement or a balance sheet. Most quality or environmental or safety professionals barely understand the financial equation, much less the more finite manipulation of financial activities related to GAAP or financial regulation. I can't wait for the first registrar auditor who attempts to write a nonconformance to the board of directors of an organization. That day will be the beginning of the end of ISO and its various MSS's.

What ISO attempted to obtain with its 2015 revision was to force itself into the slot of decision making at the executive level of the business. They will find that to be a territory in which they shall never be welcomed. The strategic motivation for a business shall never be shared with some registrar's auditors who are inept at sound interpretation of said strategy. This approach by ISO, from their unapproved Guide 83 and the prognostications of Agenda 21, reminds me how little these ISO technical committees understand of business overall. QMS was initially a form of supplier control; over time it morphed into a dictated system of business management, written by sources who have little understanding of Strategic, Tactical, and Operational management means. Their lumping of Customers into the basket of interested parties is sufficient evidence that they are actually clueless as to how business actually works. Common sense indicates the fact that without customers, there exist no interested parties.

Risk is not a repeatable activity; it is one fraught with conjecture and supposition. Most quality professionals openly reject the idea of risk for that reason alone. How many risk items related to a PFMEA or FMEA are based upon the consensus of those performing the assessment?

I have discovered after decades of auditing ISO management systems that their purpose is not aligned with the purpose of any given organization. The Technical Committees instead are interested in dictating to the registered organizations what ISO determines they shall and shall not do, including this most recent aspect of forcing the Quality Management System into consideration and control of social media related to the organization (historically a Legal and Marketing position). This is just one example of how ISO technical committees lost focus of their purpose in the construction of this current 2015 revision of its various MSS's.

The entirety of any QMS can be summed up in comments made by Mr. Deming ... and some simple common sense. Focus upon meeting the needs and expectations of Customers and Interested Parties, by reducing variation based upon the severity of its impact on an organization's ability to meet said expectations. Within that simple statement any organization can achieve Quality and meet the Environmental or Safety or Security or Financial regulations, as well as the expectations of its investors, employees and suppliers.

Tactical subsets of an organization (Quality, Environmental, Safety, Security, Financial, etc.) should focus upon delivering to the customer a product or service which meets their expectation, while meeting the expectation of Interested Parties, usually regulatory in nature. These tactical professionals are not trained to deal with matters of ideological subversion and applied dialectics which have become pervasive via social media and propaganda news outlets.

Marketing/Sales, Executives and Legal counsel are more suited to addressing social media and other such antithetical war fronts which could affect the public opinion of an organization.

This inclusion of forcing tactical level managers to respond to ideological subversion and applied dialectics is where the current revision of ISO MSS's has placed a burden upon middle management which is impossible for them to achieve. Assuming that ISO has kicked its way into the board room is not a reasonable expectation, as no registrar is prepared via its audit program to determine if any such actions taken by executive management are either valid or effective. Therefore the current glut of auditors who work for registrars will need to be retrained to a level of business understanding not conducive to their historical experience. If we are to take this current ISO revision to heart, gone are the days of a Quality professional becoming a registrar auditor; only those with Board level experience would ever be capable of auditing, and with most of those being six figure and stock option entities, I doubt very many registrars can afford them.

This is why I have great disregard for the current version of ISO's Management System Standards. They're basically, according to their own requirements (19011 etc.), unreasonable and unattainable. Through the political pillar of philosophical doctrine, these prognosticators who are members of the Technical Committees have attempted to wield their sword down upon the Corporations of the world. They shall find the backlash impossible for them to adequately respond to.

Rethinking Risk Management Integration

Thanks Jon, 

I was rather ignorant of the "risk" paradigm adopted by ISO 9001 until very recently, which measures "risk" by uncertainty of an outcome, good or bad. Seems more like "measurement uncertainty" than the world we live in.

As we all know, the Medical Device Regulators we have to meet, and the ISO 13485 standard we now apply, are focused on patient risk, first and foremost. Yes, user risks matter too. That is it. I suppose you could link in damage to the environment as a health risk too.

One of the things I have noted is that the normal approach to identifying, estimating, and mitigating risks, which get captured early in that "risk management file," often isn't fluid when applied outside the "Design and Development" process. By that I mean, risk management activities used in the design and development process often don't sync well with other processes, like purchasing, complaint handling and control of nonconforming product.

I like the article. Your suggestions also point to extending the risk management file out to utilize more features and other documents/forms in other ISO 13485 QMS processes. As this is a brand new standard with so many little changes, it's nice to see other articles out there trying to help picture what the future QMS might look like. We need more of this. Thanks!


Hi Jon,

Thanks for the article. We are in the midst of trying to determine how this requirement affects our QMS. We already have risk incorporated into supplier management, nonconformances, complaints, and CAPA. You started your article with a reference to "ability to deliver the product," but I didn't see that addressed within the article. Also, the standard defines risk as "safety or performance requirements of the medical device or meeting applicable regulatory requirements." Do you have any suggestions related to the other risk items?