QMSR & ISO 13485: On 2 February 2026 the FDA's Quality Management System Regulation (QMSR) Final Rule comes into force. The amendments incorporate by reference, and so align the regulation more closely with, the international standard ISO 13485:2016, Medical devices - Quality management systems - Requirements for regulatory purposes.
From Dr John FitzGerald:
Misinformation about risk management under the FDA's QMSR, which adopts ISO 13485 and comes into force in February 2026, is already too easy to find. Follow the advice of these self-appointed experts and you will likely end up confused, and may implement a risk management regime for your company that is overly burdensome yet still fails to meet the standard's requirements. Here are the facts, based on our experience of working with this edition of the standard since its publication in 2016.
ISO 13485:2016 contains two distinct and different requirements regarding risk management.
The difference between the two is often missed, especially by component manufacturers, and so is the central issue of patient safety. Let's consider what each requires.
Risk-based thinking: sub-clause 4.1.2 is focused on threats to quality management system processes. It states:
The organization shall:
ISO 13485 gives no guidance on precisely what this requires. The requirement is, however, analogous to ISO 9001's risk-based thinking, and ISO 9001:2015 does explain that, in Annex A.4, a guidance section which states:
The concept of risk-based thinking has been implicit in previous editions of this International Standard, e.g., through requirements for planning, review, and improvement.
This International Standard specifies requirements for the organization to understand its context and determine risks as a basis for planning.
This represents the application of risk-based thinking to the planning and implementation of quality management system processes and will assist in determining the extent of documented information.
Although ISO 9001:2015 Clause 6.1 specifies that the organization shall plan actions to address risks, formal risk management methods or a documented risk management process are not required.
The situation in ISO 13485:2016 is identical: Clause 4.1.2 b) requires the organization to "apply a risk-based approach to the control of the appropriate processes needed for the quality management system", and says nothing about formal methods.
The remainder of the ISO 9001 Annex A.4 guidance reads across directly, with Clause 4.1.2 b) in place of ISO 9001's Clause 6.1:
Organizations can decide whether to develop a more extensive risk management methodology than is required by this International Standard, e.g., by applying other guidance or standards.
Not all processes in a quality management system carry the same level of risk to the organization's ability to meet its objectives, and the effects of uncertainty differ across organizations.
Under the requirements of Clause 4.1.2 b), the organization is responsible for applying risk-based thinking and for the actions it takes to address risk, including whether to retain documented information as evidence of its risk determinations.
The requirement, then, is to apply risk-based thinking when planning and implementing all QMS processes, so that the processes most vulnerable from a product or service quality perspective are controlled more tightly.
Most manufacturing organizations choose to retain documented evidence of compliance (for both ISO 9001 and ISO 13485) and to introduce a formal risk management process, focused on threats to QMS processes, using documented risk management tools, which usually include a variant of FMEA (failure mode and effects analysis).
That deals with the requirement in sub-clause 4.1.2. The requirement in Clause 7.1 is different, and neither risk-based thinking nor even formal risk management applied to the planning and implementation of QMS processes will address it adequately.
ISO 13485:2016 Clause 7.1, Planning of product realization, includes this sentence:
The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained (see 4.2.5).
The wording is very vague for such an important issue. At the end of Clause 7.1 a note refers the reader to ISO 14971 for guidance.
The introduction to ISO 14971:2019, Medical devices - Application of risk management to medical devices, is more helpful and tells us:
As one of the stakeholders, the manufacturer reduces risks and makes judgments relating to the safety of a medical device, including the acceptability of residual risks. The manufacturer takes into account the generally acknowledged state of the art in order to determine the suitability of a medical device to be placed on the market for its intended use.
This (international standard) specifies a process through which the manufacturer of a medical device can identify hazards associated with the device, estimate and evaluate the risks associated with these hazards, control these risks, and monitor the effectiveness of the controls throughout the medical device's life cycle.
So, Clause 7.1 concerns 'the safety of a medical device, including the acceptability of residual risks', and is not confined to the manufacturing processes themselves.
Risk management here means applying risk management tools (ISO 14971 provides many examples) with a focus on threats to patient and end-user safety. The activities and their records are closely related to the content of the Medical Device File (see Clause 4.2.3).
In summary, ISO 13485 requires risk-based thinking regarding QMS processes (sub-clause 4.1.2) and risk management regarding patient and end-user safety in the use of medical devices (Clause 7.1).
Ensure that your management system distinguishes between the two and treats (and documents) their requirements separately. Otherwise, you may well be raised a major nonconformity at your next certification audit.
NOTE: The requirements discussed here are covered in depth in our ISO 13485 Lead Implementer and other courses.
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which we believe are commercially compromised), it is based on independent third-party assessment. It is also a 'university grade' standard, used globally by schools, colleges and universities to demonstrate their competence.
We offer Certified Courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Data Protection, and Risk Management.