The quality environment has evolved to require the use of a risk-based approach throughout the quality management system. ISO 13485:2016, Medical devices – Quality management systems – Requirements for regulatory purposes, published March 1, 2016, characterizes risk as including two components:

  • the safety or performance requirements of the medical device
  • meeting applicable regulatory requirements

The 2016 version of ISO 13485 has an increased focus on risk compared to the prior 2003 edition of the standard. Risk management is now required throughout the quality management system (QMS) rather than being specific to product development, and a risk-based approach is needed for control of QMS processes. In fact, the word "risk" appears 40 times within the body of ISO 13485:2016, whereas the 2003 version mentions risk on only four occasions, all within Section 7, Product Realization. Table 1 identifies the sections of ISO 13485:2016 that now cite requirements for risk.

There is also a clear focus on meeting regulatory requirements in the 2016 standard, to assist users in consistent application. "Regulatory requirements" is a broad term that includes requirements in any law applicable to the user of the standard, where that user could be a regulatory body, manufacturer, supplier, or medical device service provider.

Challenge or Advantage?

The implementation challenge, which may also be seen as a benefit, is that there is no single method for pragmatic application of the risk-based approach. No standard will state what "acceptable" means to a specific business, or what reducing risk "as far as possible" (AFAP) should mean for a given product. Therefore, the opportunity exists to generate customized solutions proportionate to the complexity of the processes and products.

The concepts of risk management and a risk-based QMS are heightened for medical devices "because of the variety of stakeholders including medical practitioners, the organizations providing health care, governments, industry, patients and members of the public." Risk is defined as the combination of the probability of occurrence of harm and the severity of that harm, whereas risk management is the systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling and monitoring risk.

Four Qualities of a Comprehensive and Effective Risk-Based QMS


Stand back and think strategically before moving forward with implementation of the new requirements for a risk-based QMS. Consider the balance and interactions across business risk, product risk, process risk and regulatory risk. In the end, the goal is to do no harm to the health of people, to property or to the environment, while maintaining a nimble QMS that meets all regulatory requirements.

It is also important to take into account the markets in which sales are anticipated over the coming years, so that requirements are not overlooked and audit nonconformities do not arise.


If the system is not easy to follow and applied in a realistic manner, the results may be of little value. It is human nature to resist change and imposed rules, particularly when the benefits of the changes are not readily apparent. The response to implementation of the regulations often depends on the values of management; keeping the QMS user in mind when developing the system will therefore create an environment of compliance rather than defiance. If the system becomes complex and burdensome, the result may be a pile of paperwork that neither meets the intent of the regulations nor improves company performance, and that may not be effective in reducing physical injury, damage to the health of people, or damage to property or the environment.


QMS processes, with their associated inputs and outputs, are interrelated, with management leading the culture of compliance. Management commitment and follow-through drive the benefit to each company.


To maximize user compliance with the system and keep the process simple, the same risk scheme can be applied across multiple QMS subsystems. For example, a scale such as low, medium and high, with each level clearly defined, can be used for supplier management, corrective and preventive actions (CAPA), nonconforming materials and complaints. All subsystems must be linked to operate efficiently.

Key Benefits of a Risk-Based QMS

  • Resource utilization is improved by focusing efforts on the aspects of the QMS with the highest risk
  • Application of risk techniques allows problems to be solved before they impact the product
  • Process efficiency improves when attention is placed on higher-risk issues and requirements are dialed down for lower-risk items
  • Regulatory compliance is improved