deGRANDSON Global Blog

Medical Devices: Residual Risk and Risk Tolerance

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 07 Apr 2026 09:22:24 GMT

QMSR & ISO 13485: On 02-Feb-26, the FDA Final Rule comes into force. The amendments incorporate by reference (and so align more closely with) the international standard ISO 13485:2016, Medical Devices - Quality Management Systems - Requirements for regulatory purposes.

Managing residual risk and understanding risk tolerance are crucial aspects of ISO 13485 compliance.

ISO 13485:2016 is an international standard that outlines the requirements for a quality management system (QMS) in the medical device industry. Clause 7.1 requires risk management in relation to operations and, in a note (not, therefore, a requirement), refers to ISO 14971. How, then, should you approach questions of residual risk and risk tolerance?

Why ISO 14001 Matters to SMEs

johnf@degrandson.co.uk (Dr John FitzGerald) — Wed, 25 Mar 2026 12:50:40 GMT

Even the smallest organization has a lot to gain from a certified Environmental Management System (EMS)

New businesses often ponder the benefits of ISO 14001 Certification and, being busy with start-up priorities, postpone certification until it is asked for in a tender document or by a prospective customer.

At that point, it is, of course, too late. Optimistically, getting certified takes at least five months, and the opportunity is lost.

It would be best if you were proactive about your business's impact on the environment (and the law requires it). The list of benefits here can help persuade you and your colleagues to get started sooner rather than later on the path to becoming ISO14001 Certified.

ISO 27001 in Manufacturing & Service Industries - the FAQs

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 10 Mar 2026 10:15:00 GMT

Have you considered this possibility?

If you wait until this message greets you at work, a Notebook PC is stolen from a company vehicle, or staff members are working on their own PCs from home, it will be too late. It's not a question of whether your business will be targeted. You're already a target but have been lucky to date.

ISO Certification vs ISO Accreditation: what's the difference?

johnf@degrandson.co.uk (Dr John FitzGerald) — Fri, 06 Mar 2026 12:48:35 GMT

You've got the Certificate, but are you certified to the ISO Standard or accredited?

It may seem unimportant in the scheme of things, but people, like potential customers, will judge you based on your correct use of technical and allied terms.

Measuring Effectiveness with ISO 27004

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 26 Feb 2026 15:52:31 GMT

On this topic, ISO 27001 provides no guidance and is of little help.

In deciding what to monitor and measure regarding your Information Security Management System (ISMS), ISO 27001 specifies no mandatory requirements (as emphasized in our ISO 27001 training courses).

Thankfully, ISO 27004 provides guidelines and principles for measuring and reporting the effectiveness of an organization's ISMS. The standard helps organizations to evaluate information security management processes, identify weaknesses, and take corrective actions.

This article will explore ISO 27004 and the importance of measuring information security effectiveness.

Most SaMD to be reclassified as MDR Class 1

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 19 Feb 2026 10:45:00 GMT

The proposed EU MDR changes for Software as a Medical Device (SaMD) will be revolutionary.

And will be a relief for SMEs, University spin-offs, and Start-Ups, for whom a 6-figure buy-in for Notified Body services has been an insurmountable barrier. Currently, Europe-based developers of SaMD and those in other locations are avoiding the EU market and initially launching their products in the USA and the UK, where market-entry costs are much lower. The result is that European citizens who would benefit from these products are deprived of access to them.

deGRANDSON: your best choice

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 17 Feb 2026 10:44:59 GMT

Master ISO Standards - Advance Your Career

Earn internationally recognized ISO auditor certification through flexible, self-paced online courses. Trusted by professionals in over 90 countries.

ISO 9001 Analysis and Evaluation - DOs & DON'Ts

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 05 Feb 2026 09:09:39 GMT

Practical advice on implementing ISO 9001:2015 Clause 9.1.3

This article examines a subclause in ISO 9001:2015, Performance Evaluation, namely 9.1.3, Analysis & Evaluation.

Peter Drucker, the management guru (allegedly) said: 'If you can't measure it, you can't manage it'. And this certainly applies to Management. The reality is that many Quality Managers, or equivalent, ignore the requirements of clause 9.1.3. To put time and effort into a management system and not know whether it benefits your organization can only be described as a stupid error.

ISO 9001 Certification should be much more than a logo on your website. Performance evaluation is where you start.

NOTE: While the exact wording may vary across Standards, the advice provided here also applies to ISO 14001, ISO 27001, ISO 45001, and other Standards with the same HLS structure as ISO 9001.

ISO 13485 Risk Evaluation in Medical Devices explained

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 20 Jan 2026 12:00:00 GMT

Two distinct and different requirements in ISO 13485:2016 for the management of risk.

From Dr John FitzGerald:

Misinformation about risk management is already too easy to find regarding the adoption of ISO 13485 in the FDA's QMSR regulations, which will come into force in February 2026. If you follow the advice of these self-appointed experts, you will likely become confused and perhaps implement a risk management regime for your company that is overly burdensome yet does not meet the standard's requirements. Here are the facts based on our experience working with this edition of the standard since its 2016 publication.

As the subheading says, ISO 13485:2016 has two distinct and different requirements regarding risk management.

One relates to the management of the processes that make up the ISO 13485 Quality Management system, and
The other relates to patient /end-user safety, that is, safety in manufacturing.

The difference between the two is often missed, especially by component manufacturers, as is the issue of patient safety. Let's consider what's required.

Environmental Aspects - the ISO 14001 requirements

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 13 Jan 2026 13:04:16 GMT

Systematically identifying relevant ISO 14001 environmental aspects in implementing an EMS.

This is fundamental to the effectiveness of an Environmental Management System (EMS) and to ensuring that your organization meets ISO 14001 certification requirements.