Jon Speer

FDA Compliance

What a Risk-Based QMS Means

And how it relates to four critical concerns

Published: Monday, November 27, 2017 - 12:02

What exactly is a risk-based quality management system (QMS)? This is a timely topic to get into. In 2016, ISO 13485, “Medical devices—Quality management systems—Requirements for regulatory purposes,” was revised, and one of the key concepts the revision introduces is the idea of a risk-based QMS.

Historically, regulations have looked at risk almost exclusively in one of two places: the design and other direct product-related elements, or the manufacturing process. Design-focused risk is about what might happen to the patient; manufacturing-focused risk is about how risk elements affect your ability to deliver the product. With design risk, you assume the product was manufactured correctly; with manufacturing risk, you assume it was designed correctly.

The 2016 revision goes further. It asks you to apply risk to the QMS processes themselves (a risk-based approach to process control), rather than only to these traditional product-focused views.

Here are some key areas that medical-device developers need to focus on to apply a risk-based QMS.

Supplier management

You identify all vendors and resources (e.g., parts, pieces, services, packaging) that you need to buy to manufacture your device. You capture these vendors on an approved supplier list that you can share with your team.

Risk has been infused in this process for a long time. Usually you’ll put each supplier in a bucket or category, with the two major categories being “critical” and “noncritical.”

The level of criticality depends on the items the supplier is qualified and approved to provide, and on the risk those items pose to patients. You look at factors such as whether the supplier provides materials for implants or other vital components that can directly affect patient health. There should always be a connection between the supplier and the particular item being bought; suppliers are approved only for particular materials, not in general. Criticality can be judged on either axis: product-critical (potential patient harm) or business-critical (your ability to deliver).

With a risk-based QMS, companies need to examine their suppliers and determine what “critical” and “noncritical” mean. The wrong materials can have huge ramifications from both a patient and manufacturing standpoint. This is risk-based supplier management.

A key part of a risk-based approach is monitoring and evaluating suppliers at a defined frequency. If there are issues with what you buy from a supplier, you take action to mitigate your risk. This might mean issuing a formal corrective action request to the current supplier, or even qualifying a new one. The overall idea is that you apply a process to assess risk within your supplier management process.

Here is the relevant excerpt from ISO 13485:2016, clause 4.1.5, on outsourced processes:
“When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with [Clause] 7.4. The controls shall include written quality agreements.”

Nonconformance

Nonconformance is closely associated with manufacturing. When nonconforming product is found, you need to decide its disposition by asking yourself the following questions:
• What do I do with this?
• Can I use it as it is?
• Do I need to rework it?
• Do I scrap it altogether?

The decision about what to do is part of the risk-based approach to nonconformance. The expectation for being risk-based is that you must factor in the risk of each decision on the manufacturing process and/or the patient.

Historically, companies didn’t go to this level. They had a checkbox on a form—“Was risk impacted by this?”—with a yes/no response. There was no connection made between the process and the risk documentation; it operated as a siloed function. With the new requirements, this is no longer the case. A holistic approach to risk management helps to avoid silos and improve transparency across the whole operation.

You can find the revised requirements in clause 8.3 (control of nonconforming product) of ISO 13485:2016, and specifically in 8.3.4 (rework). They don’t use the word risk, but they do require you to account for any “adverse effect” of rework on the product, which amounts to the same thing. The bottom line is that the standard tells you to take risk into account whenever you rework nonconforming product.


Complaints or general feedback

As with nonconformances, companies often use a simple checkbox for complaints or feedback. They should instead be shifting to a product-centric interpretation of risk. What does a complaint mean for the product or product family? Have you defined probability and severity? Was the issue already documented in your risk management file? Was the risk estimated correctly, or does it need updating?

The real risk when you launch your product may well be higher than you first thought, so it’s important to keep assessing based on the feedback that you receive and any other incidents.

Have a risk management file for the product so that you can go back to a knowledge base for the product when complaints happen. As we have discussed in previous articles, risk management is an activity spanning the full product life cycle, not just something you do during design and production.

Within ISO 13485:2016, check out clauses 8.2, 8.2.1, and 8.2.2 for their advice on feedback and complaint handling. You need to have documented procedures for the feedback process, and include provisions to gather data from the production and post-production phases.

The feedback you gather becomes a potential input to risk management. You need to analyze it from a risk perspective, evaluating it against the safety of the patient and the performance of the device as intended. Feedback might give you cause to change the design or one of your processes, but again, you need to analyze the risk of those changes.

Corrective and preventive action (CAPA)

People often assess risk within the context of corrective and preventive action (CAPA). This is another example of risk handled in the same siloed way we see in each of the areas above, rather than holistically across the product.

CAPA is for systemic issues. If the problem is product or manufacturing-related, it’s virtually guaranteed that risk is negatively impacted. You need to go back and update the risk management file, and doing so should be an action point as part of the CAPA.

An example of integrating risk management with CAPA is that your CAPA records could include extended data to show the likelihood and effect of such an event. This can help with sorting and filtering CAPA records to create some kind of priority view.

Final thoughts

A risk-based QMS means applying a process to assess risk to supplier management, nonconformances, complaints, and CAPA.

A QMS is the architecture for demonstrating everything you do to comply with the regulations, and those actions tend to be good business practice, too. Think of risk as flowing up a hierarchy: each underlying QMS process (supplier control, nonconformance, complaints, CAPA) should reduce risk as far as practicable, so that less of it reaches the product and the patient.

ISO 13485:2016 extends the emphasis on risk management beyond product realization to the QMS processes themselves. This means organizations need to show how they are making risk-based, rather than purely rule-based, decisions to comply with the regulations. Doing so can bring the benefit of better allocation of resources across your business.

Organizations still using a manual or paper-based approach to manage design controls or quality processes can benefit tremendously from employing a modern eQMS software platform exclusively for medical device companies.

First published on the greenlight guru blog.


About The Author


Jon Speer

Jon Speer is the founder and VP of QA/RA at greenlight.guru, a software company that produces the only modern quality management software solution exclusively for medical device companies. Device makers in more than 250 cities in 26 countries use greenlight.guru to get safer products to market faster with less risk while ensuring compliance.

Jon is a medical device industry veteran with more than 18 years’ experience, having helped dozens of devices get to market over his career in a variety of roles, including product development, project management, quality, and regulatory. He is also a thought leader, speaker, and regular contributor to leading industry publications such as MedCity News, MD+DI, Quality Digest, and more.


Rethinking Risk Management Integration

Thanks Jon, 

I was rather ignorant of the "risk" paradigm adopted by ISO 9001 until very recently, which measures "risk" by uncertainty of an outcome, good or bad. Seems more like "measurement uncertainty" than the world we live in.

As we all know, the medical device regulators we have to meet, and the ISO 13485 standard we now apply, are focused on patient risk, first and foremost. Yes, user risks matter too. That is it. I suppose you could link in damage to the environment as a health risk too.

One of the things I have noted is that the normal approach to identifying, estimating, and mitigating risks, which gets captured early in that "risk management file," often isn't fluid when applied outside the "Design and Development" process. By that I mean, risk management activities used in the design and development process often don't sync well with other processes, like purchasing, complaint handling, and control of nonconforming product.

I like the article. Your suggestions also point to extending the risk management file out to utilize more features and other documents/forms in other ISO 13485 QMS processes. As this is a brand new standard with so many little changes, it's nice to see other articles out there trying to help picture what the future QMS might look like. We need more of this. Thanks!


Hi Jon,

Thanks for the article. We are in the midst of trying to determine how this requirement affects our QMS. We already have risk incorporated into supplier management, nonconformances, complaints, and CAPA. You started your article with a reference to "ability to deliver the product," but I didn't see that addressed within the article. Also, the standard defines risk as "safety or performance requirements of the medical device or meeting applicable regulatory requirements." Do you have any suggestions related to the other risk items?