Global Regulatory Pulse

ISO 13485:2016 and Risk Management

In European Market, Regulatory by Stephan Buttron

The term “risk” is referenced over 15 times in the revised Quality Management System (QMS) standard ISO 13485:2016. This is considerably more than in the previous revision, where it is mentioned only twice. The current MDD (M5) as amended references the term risk more than 50 times.

Risk Management is an intrinsic concept within Medical Device regulations. While ISO 13485:2003 mainly applied risk management for activities related to product realization with a primary focus on the design and development of medical devices, the revised ISO 13485 QMS expands risk management to include processes such as purchasing and training.

The new ISO 13485:2016 QMS section 4.2.1 states, “The organization shall apply a risk-based approach to the control of the appropriate processes needed for the quality management system.” In other words, anything that affects the quality system needs to be viewed from that risk perspective. This is not new, but what are appropriate processes?

The revised ISO QMS standard requires medical device companies to make risk-based decisions related to purchasing and product realization activities and other aspects of the quality management system, such as training.

The term risk, as used in the standard, “pertains to safety and/or performance requirements of the medical device in the context of meeting applicable regulatory requirements at minimum.” A Failure Mode and Effects Analysis (FMEA) is a standard technique used to assess and evaluate potential risks in the design and development phase, and it continues to be applied during production process controls. This and related risk assessment techniques can also be applied to other aspects of the quality management system (QMS).

Below, several processes of ISO 13485:2016 are highlighted, and it is explained how risk management can be implemented pragmatically for each. Please refer to the following definitions to establish the right mindset for risk and risk management.

Definition of risk: “combination of the probability of occurrence of harm and the severity of that harm” [SOURCE: EN ISO 14971:2012, 2.16]

Definition of risk management: “systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling and monitoring risk” [SOURCE: EN ISO 14971:2012, 2.22]

Clause 4 – Quality Management System

4.1 General Requirement

Expectation to apply a “risk-based approach” to the organization’s entire set of QMS processes:

  • Application of risk management methods and techniques to all QMS processes including outsourced processes.

When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements.

When processes are outsourced, the new QMS standard requires that the controls put in place for suppliers be considered from a risk perspective. It starts with the selection of the supplier. Suppose the purchased item is a critical component of the device: what is the risk if the supplier does not have a Quality Management System, including aspects such as a complaint handling process?

In addition, when the supplier is selected, what happens if the supplier does not meet the specifications of the purchased components?

How will that affect the final device?

The standard requires that organizations consider such risks and have risk controls in place to mitigate the potential hazards.

Clause 6 – Resource Management

6.2 Human Resources

User Training/Usability and Human Factors Design

The methodology used to check the effectiveness of training is proportionate to the risk associated with the work for which the training or other action is being provided.

The risks that arise if the training is not fully understood should be considered. Consideration should specifically be given to the consequences if employees interpret the essence of a certain training incorrectly and to the subsequent impact on a product’s quality.

Design & Development Inputs

New requirements for risk management outputs:

  • to clarify product usability and safety requirements.
  • to ensure that design input requirements can be verified or validated.

Clause 7 – Product Realization

7.4 Purchasing

7.4.1 Purchasing Process

The organization shall document procedures to ensure that purchased product conforms to specified purchasing information.

The organization shall establish criteria for the evaluation and selection of suppliers. The criteria shall be proportionate to the risk associated with the medical device. Non-fulfilment of purchasing requirements shall be addressed with the supplier proportionate to the risk associated with the purchased product and compliance with applicable regulatory requirements.

The extent of verification activities shall be based on the supplier evaluation results and proportionate to the risks associated with the purchased product. When formulating a risk-based approach to evaluating new or existing suppliers, it is important to first identify the critical control points for the purchased component.

These are the points in the process where a failure could result in significant harm to patients and to the business. An FMEA can also be used to identify areas of significant risk at suppliers that demand special attention, and to ensure that the risk stays as low as possible.

7.4.2 Supplier Performance Monitoring

The new standard requires considering risk whenever suppliers underperform. In addition, the legal manufacturer needs to respond proportionally to the risk.

The record of supplier evaluation must include supplier monitoring and re-evaluation activities.

Clause 8 – Measurement, Analysis and Improvement

8.2 Monitoring and Measurement

8.2.1 Feedback

The organization shall document procedures for the feedback process. This feedback process shall include provisions to gather data from production as well as post-production activities.

The information gathered in the feedback process shall serve as potential input into risk management for monitoring and maintaining the product requirements as well as the product realization or improvement processes.

With feedback obtained from users, patients and other stakeholders, an organization could consider changing the design of a medical device or certain processes, e.g. production, shipping, etc.

Feedback must be analyzed and evaluated to be an input to risk management in view of the safety of the patient and performance of the device as intended.

8.3 Control of Non-conforming Product

8.3.4 Rework

The organization shall perform rework in accordance with documented procedures that takes into account the potential adverse effect of the rework on the product.

The heading of this sub-clause is new in the standard; however, the clause itself remains the same.

The word “risk” is not mentioned in this clause, but “adverse effect” can be understood as a risk. This is certainly something to focus on: if rework of the device can occur before or after delivery, the risks that the rework introduces into the device should be considered.

Also, if the device has been delivered and is returned due to a non-conformity, the potential risks should be considered before it is returned to the field.


From the above explanation of several clauses of the revised ISO 13485:2016 standard, it becomes evident that the new standard puts more emphasis on risk management beyond product realization.

Compared to the previous standard, there are more activities, and also different kinds of activities, to which risk management applies. Software selected to support the product realization processes should be included in the risk management process. Another focus is on training.

Could training affect the safety or performance of the device, and what are the risks and hazards if the training is misunderstood or wrongly interpreted?

What will be the impact on the device when selecting a new supplier or when the device is reworked?

With a pragmatic approach, each organization should be able to update its quality management system appropriately to build risk-based, rather than rule-based, decisions into its operations.

The result will not only be compliance with the risk management requirements of the new ISO standard, but also a better allocation of the organization’s resources toward the activities that would benefit most.


Stephan Buttron currently serves as NAMSA’s Senior Product Development Strategist. Mr. Buttron has over 20 years’ experience in achieving EU, U.S. FDA and other international regulatory medical device approvals and registrations. He has provided global consulting services on regulatory strategy development to medical device manufacturers regarding least burdensome pathways for 510(k)/PMA and MMD-CE mark applications. He has successfully managed FDA pre-submission meetings for Investigational Device Exemption (IDE) pathways with multiple FDA specialty branches. Stephan is considered a key industry thought leader on risk management, and has provided multiple training sessions to medical device manufacturers on the structured risk management process per EN ISO 14971 & EU MDD 93/42 as amended by directive 2007/47. Mr. Buttron has also provided countless educational opportunities to international organizations regarding medical device design and development issues related to ISO 13485 & EU MDD 2007/47 compliance.