Bryan Brosseau, RAC, Vice President, Quality and Regulatory Affairs, Secure BioMed Evaluations, 11.21.17
Among numerous major changes contained within the revised ISO 13485:2016 standard, a risk-based approach is perhaps the most notable alteration affecting all areas of the quality system. The 2003 version of the standard addressed risk management in relation to product realization—strictly speaking, risk management was explicitly required by the standard only for design and development activities conducted by the organization. Risk was such a minimal part of the standard, in fact, that a formal definition was not provided. Consequently, regulatory and quality professionals were forced to rely primarily on the referenced ISO 14971 standard for any details regarding risk management.
Increased Focus on Risk
ISO 13485:2016 defines risk consistently with ISO 14971. However, the standard further defines risk management as the “systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk,” thereby expanding the practice of risk management to a much broader purpose than product realization alone. The standard further specifies that a risk-based approach must be employed for the “appropriate processes needed for the quality management system.” Diving further into specifics, the standard overtly requires a risk-based approach to outsourced processes, verification of training effectiveness, supplier criteria, and verification of purchased product. In addition, manufacturers must employ a risk-based approach to computer software used in the quality management system, for production or service, and for measuring and monitoring. The standard also requires that one or more risk management processes be employed during design and development, and otherwise expands on the risk requirement for product realization. The general mandate, though, should be given greater consideration than only the specific areas detailed by the standard.
This increased focus on risk is also evident in areas of the standard where the term “risk” is not specifically used. For example, more detailed requirements are provided for circumstances in which non-conforming material is detected after delivery. This slightly more instructional section is intended to trigger a field action for non-conforming product detected by the manufacturer after it is delivered to a customer or end user. Similar changes peppered throughout the standard lead to lower risks for end users and patients as well as reduced risks within the quality management system, particularly regarding compliance to regulatory requirements.
Implementation of Risk-Based QMS
For guidance in implementing a global risk management approach to the quality management system (QMS), look no further than the existing risk processes currently used by medical device organizations. Extrapolating the risk process from design and development to the entire quality system may initially seem like a monumental undertaking, but the tools currently used for product realization risk processes are also well suited for assessing and mitigating risk in quality management systems. While the Failure Modes and Effects Analysis (FMEA) may not be used as the sole means of identifying, evaluating, and mitigating device risk, it is an excellent primary tool for managing risk in quality management systems. Analyzing the risks associated with quality processes allows companies to preemptively mitigate them and employ a comprehensive preventive action process. This approach not only ensures compliance with the risk-based ISO 13485:2016 standard, it also eliminates sources of quality system non-conformities. When creating a QMS FMEA, areas that the standard singles out for greater risk focus (e.g. purchasing and software) may be given greater attention. For example, a general QMS FMEA and a specific QMS FMEA for suppliers might be developed, or those areas could be addressed in greater detail in a single FMEA. Outsourced manufacturing processes should specifically be addressed in the Process Failure Modes and Effects Analysis or other risk strategy for processes, but risks associated with the general quality system controls should be assessed in the QMS FMEA.
The elaborate detail typically used in FMEAs need not be employed for the QMS FMEA. Rather, each process and sub-process should be identified, along with all associated risks. This approach employs the brainstorming process of the FMEA with less of the rigid structure used in design FMEAs. Therefore, marathon risk management meetings would not likely be necessary as they often are for product FMEAs. A representative example for a limited scope is provided in the chart below.

The prior example is just one of many ways to approach this task in an effective and compliant manner. Listing ISO clauses in the first column and procedures in the second column clearly identifies to the ISO assessor the method used to comply with a risk-based approach to the quality system. This activity may also be combined with a gap assessment against the ISO 13485:2016 standard. Mapping in this way demonstrates line-by-line compliance with the new standard and implementation of the risk-based system. Also, take credit for risk-based additions to the 2016 standard in this activity. For example, the new requirement in 7.4.2 to include notification of changes in purchased product is a risk mitigation measure. As such, organizations should specifically identify this as a method of managing risk in their supplier management programs.

This activity can also help medtech companies meet the new requirement of identifying the sequence and interaction of QMS processes. Arranging the table in the sequence of operations demonstrates the sequence of events for QMS processes. In choosing this method, companies must ensure they also show how the outputs of one process become the inputs to the next process. This exercise allows them to readily see the inputs and outputs of each process, a required activity for truly assessing the risk of each process.
Implementation Suggestions
- In addition to the changes related to risk, ISO 13485:2016 also includes increased focus on management responsibility. Be sure to foster executive management’s participation in this activity. The assignment of appropriate resources is critical to implementing increased regulatory requirements and new processes. Presenting management with a plan for transition and QMS risk management, providing periodic updates on the status, and reporting the completion to management are advisable at a minimum.
- While applying risk-based strategies at a high level, follow these requirements down through “lower level” procedures as well (procedures, work instructions, forms, etc.) to ensure the principles established in the higher-level documents are being acted upon. Demonstrate this top-down approach in a quality manual documentation diagram.
- Thorough application of the ISO monitoring and measurement principles to quality management systems is a robust risk mitigation activity. Ensure quality metrics undergo a thorough evaluation for improvement and continued effectiveness. For example, in addition to trending complaint data for product safety, review complaint process metrics (e.g. complaint investigation time) to improve QMS performance. Establish goals in procedures or quality objectives and trend against these goals. If such parameters and trending are already in place, consider expanding the performance criteria of QMS subsystems.
- Establish a training matrix or other tool to readily identify the risk-based approach to training verification. In the simplified example below, the operations technician assembling a device and the quality inspector reviewing that assembly carry the greatest risk to the product; therefore, a documented assessment of the employees performing these tasks would best demonstrate competency. A sales representative must understand the proper channels and requirements for reporting complaints but otherwise does not need to know the requirements for the actual investigation; therefore, a written competency assessment is adequate. Due to their roles in the process, the operations technician and quality inspector need to be familiar with each other’s roles; however, independent verification of training on one another’s responsibilities is not required.
- Internal audit planning must account for the status and importance (risk) of the process being audited, as well as the results of previous audits of that process. The depth and frequency of the audit (e.g. quarterly, semi-annual, annual) must therefore take these factors into account. Furthermore, internal audits conducted after implementation of the risk-based changes discussed in this column should evaluate all of those changes for effectiveness.
Bryan Brosseau’s experience has been forged in over 15 years in the medical device and biologics industries. With numerous domestic and international regulatory approvals for medical devices and biologics, his thorough understanding of the regulatory maze means a clear roadmap for regulatory success. Bryan’s creative solutions have been effective in resolving FDA 483s and warning letters, addressing compliance and operations challenges, creating compliant and convincing technical marketing material, and getting medical devices and biologics to market quickly. Bryan received his bachelor’s degree in Biology from the University of Georgia and maintains a Regulatory Affairs Certification from the Regulatory Affairs Professionals Society. Prior to joining SBME in 2015, Bryan served in various operations, quality, and regulatory roles at several medical device and biologics companies.