deGRANDSON Global Blog

FDA QMSR and ISO 14971: What to do about Risk Management

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 30 Apr 2026 13:00:03 GMT

Don't believe everything you read about ISO 14971!

The FDA's 'Medical Devices; Quality System Regulation Amendments' website explicitly states: All sections of ISO 13485 apply to device manufacturers. While there is much mention of 'incorporating by reference' and many misguided interpretations of that phrase, don't let anyone mislead you. To reiterate, the FDA's website explicitly states that all sections of ISO 13485 apply to device manufacturers.

What then of ISO 14971, Medical devices - Application of risk management to medical devices, which is mentioned in a note to Clause 7.1 of ISO 13485? The note states: 'Further information can be found in ISO 14971.' To use an old-fashioned expression, that's as clear as mud! Does it apply or does it not?

Let's unpick this confusing situation.

Correction, Corrective Action and Preventive Action explained

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 28 Apr 2026 12:54:00 GMT

Badly written Corrective Action Clauses in ISO Management System Standards add to the confusion.

Correction, Corrective Action, and Preventive Action (CCAPA) are essential management systems components that help organizations identify, address, and prevent issues to ensure ongoing compliance and improvement. And all three expressions are defined and explained in this Post.

ISO 45001 Risk Assessment & Risk Treatment Tools

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 16 Apr 2026 10:44:56 GMT

You'll need OH&S Risk Management Methods & Tools

Unlike ISO 9001, the Occupational Health and Safety Management System (OHSMS) Standard requires the application of OH&S Risk Management Methods in Clause 6.1. So, risk-based thinking alone does not meet requirements. Formal and documented Risk Assessment followed by Risk Treatment is required for compliance.

ISO Auditor Competence: who decides?

johnf@degrandson.co.uk (Dr John FitzGerald) — Wed, 15 Apr 2026 12:54:04 GMT

Your ISO Auditor Certificate doesn't make you competent

Being on a professional ISO auditor register isn't enough either

Competence is defined as the ‘ability to apply knowledge and skills to achieve intended results.’ And so it is with ISO Auditor Competence. Your Lead Auditor Certificate alone does not ensure competence. Nor, when competent, do you suddenly become incompetent three years after receiving your certificate.

Confused? Don't be. For Lead Auditors and their Audit Team Members, the requirements for competency have been defined in ISO standards.

ISO Certification vs ISO Accreditation: what's the difference?

johnf@degrandson.co.uk (Dr John FitzGerald) — Fri, 06 Mar 2026 12:48:35 GMT

You've got the Certificate, but are you certified to the ISO Standard or accredited?

It may seem unimportant in the scheme of things, but people, like potential customers, will judge you based on your correct use of technical and allied terms.

Measuring Effectiveness with ISO 27004

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 26 Feb 2026 15:52:31 GMT

On this topic, ISO 27001 provides no guidance and is of little help.

In deciding what to monitor and measure regarding your Information Security Management System (ISMS), ISO 27001 specifies no mandatory requirements (as emphasized in our ISO 27001 training courses).

Thankfully, ISO 27004 provides guidelines and principles for measuring and reporting the effectiveness of an organization's ISMS. The standard helps organizations to evaluate information security management processes, identify weaknesses, and take corrective actions.

This article will explore ISO 27004 and the importance of measuring information security effectiveness.

Most SaMD to be reclassified as MDR Class 1

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 19 Feb 2026 10:45:00 GMT

The proposed EU MDR changes for Software as a Medical Device (SaMD) will be revolutionary.

And will be a relief for SMEs, University spin-offs, and Start-Ups, for whom a 6-figure buy-in for Notified Body services has been an insurmountable barrier. Currently, Europe-based developers of SaMD and those in other locations are avoiding the EU market and initially launching their products in the USA and the UK, where market-entry costs are much lower. The result is that European citizens who would benefit from these products are deprived of access to them.

deGRANDSON: your best choice

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 17 Feb 2026 10:44:59 GMT

Master ISO Standards - Advance Your Career

Earn internationally recognized ISO auditor certification through flexible, self-paced online courses. Trusted by professionals in over 90 countries.

ISO 9001 Analysis and Evaluation - DOs & DON'Ts

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 05 Feb 2026 09:09:39 GMT

Practical advice on implementing ISO 9001:2015 Clause 9.1.3

This article examines a subclause in ISO 9001:2015, Performance Evaluation, namely 9.1.3, Analysis & Evaluation.

Peter Drucker, the management guru (allegedly) said: 'If you can't measure it, you can't manage it'. And this certainly applies to Management. The reality is that many Quality Managers, or equivalent, ignore the requirements of clause 9.1.3. To put time and effort into a management system and not know whether it benefits your organization can only be described as a stupid error.

ISO 9001 Certification should be much more than a logo on your website. Performance evaluation is where you start.

NOTE: While the exact wording may vary across Standards, the advice provided here also applies to ISO 14001, ISO 27001, ISO 45001, and other Standards with the same HLS structure as ISO 9001.

ISO 13485 Risk Evaluation in Medical Devices explained

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 20 Jan 2026 12:00:00 GMT

QMSR & ISO 13485: On 02-Feb-26, the FDA Final Rule comes into force. The amendments incorporate by reference (and so align more closely with) the international standard ISO 13485:2016, Medical Devices - Quality Management Systems - Requirements for regulatory purposes.

Two distinct and different requirements in ISO 13485:2016 for the management of risk.

From Dr John FitzGerald:

Misinformation about risk management is already too easy to find regarding the adoption of ISO 13485 in the FDA's QMSR regulations, which will come into force in February 2026. If you follow the advice of these self-appointed experts, you will likely become confused and perhaps implement a risk management regime for your company that is overly burdensome yet does not meet the standard's requirements. Here are the facts based on our experience working with this edition of the standard since its 2016 publication.

As the subheading says, ISO 13485:2016 has two distinct and different requirements regarding risk management.

One relates to the management of the processes that make up the ISO 13485 Quality Management system, and
The other relates to patient /end-user safety, that is, safety in manufacturing.

The difference between the two is often missed, especially by component manufacturers, as is the issue of patient safety. Let's consider what's required.