# How Risk Management is integrated in the revised ISO 13485:2016

The word “risk” appears over 15 times in the revised ISO 13485:2016, considerably more than in the previous version, where it appears twice. In ISO 13485:2003, risk management applied to activities related to product realization, including the design and development of medical devices. The revised standard extends risk management to more processes, e.g. purchasing and training, which means that quality management systems need to be updated.

Clause 4.2.1 of the new ISO 13485:2016 states: *The organization shall apply a risk-based approach to the control of the appropriate processes needed for the quality management system.* Anything that affects the quality system needs to be viewed from that risk perspective. This is nothing new, but what are the appropriate processes? In general, the revised standard requires companies to make risk-based decisions related to purchasing and product realization activities and to other aspects of the quality management system, such as training.

The term risk, as used in the standard, pertains to the safety or performance requirements of the medical device, or to meeting applicable regulatory requirements. Failure Mode and Effects Analysis (FMEA) is typically used to assess design or production controls, but it can also be applied to other aspects of the quality system. Below, several clauses of ISO 13485:2016 are highlighted (the italic phrasings are quoted literally from the standard) and it is explained how risk management can be implemented pragmatically. Clauses on risk management that were already addressed in the previous version of the standard are not dealt with, as they have been known for many years. But first, to set the right mind-set, the revised standard defines risk and risk management as follows:

Clause 3 Terms and definitions

Definition: risk

"combination of the probability of occurrence of harm and the severity of that harm" - [SOURCE: ISO 14971:2007, 2.16]

Definition: risk management

"systematic application of management policies, procedures, and practices to the tasks of analysing, evaluating, controlling and monitoring risk" - [SOURCE: ISO 14971:2007, 2.22]

Clause 4 Quality management system

4.1 General requirements

*When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements.*

When processes are outsourced, the standard requires that the controls to be put in place for suppliers are considered from a risk perspective. This starts with the selection of the supplier. If the purchased item is a critical component of the device, what is the risk if the supplier does not have a quality management system, including aspects such as a complaint handling process? And once the supplier is selected, what happens if the supplier does not meet the specifications of the purchased components? How will that affect the final device? The standard requires organizations to consider such risks and to have risk controls in place to mitigate the possible hazards.

*The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.*

In some cases where software is used, the approach is straightforward. If electronic batch records are used, the risks of the software should be considered, which is normal routine; a risk-based approach is likewise appropriate when implementing an ERP system. But what if equipment data is sent to a server and used in an Excel spreadsheet to determine the process capability of the equipment: should that be validated? Software validation can be very complex, and organizations often do not know exactly what, or how, to validate. A risk-based approach to determine the criticality of the software is therefore strongly recommended; it provides the justification that every possible hazard of the software has been anticipated.

Clause 6 Resource management

6.2 Human resources

*The methodology used to check the effectiveness of a training is proportionate to the risk associated with the work for which the training or other action is being provided.*

The risks that arise if a training is not fully understood should be considered. Specifically, consider what the consequences could be if employees interpret the essence of a certain training incorrectly, and what the subsequent impact could be on product quality.

The word ‘proportionate’ is clarified by the following comparison. On-the-job training in the final inspection of a medical device should be properly checked for effectiveness, as the risk of an improperly performed inspection is fairly obvious. If, however, an employee wishes to improve his or her English grammar, checking the effectiveness of the English course that was followed is of less importance. Yet if all procedures are to be written in English and the employees are not native English speakers, the risk can be considered higher: an ineffective training could have consequences for the safety of the device and the hazards involved. Therefore, the organization should have risk controls in place to avoid mistakes and should also have preventive procedures for training.

Clause 7 Product realization

7.4 Purchasing

7.4.1 Purchasing process

*The organization shall document procedures to ensure that purchased product conforms to specified purchasing information. The organization shall establish criteria for the evaluation and selection of suppliers. The criteria shall be proportionate to the risk associated with the medical device. And non-fulfillment of purchasing requirements shall be addressed with the supplier proportionate to the risk associated with the purchased product and compliance with applicable regulatory requirements.*

*The extent of verification activities shall be based on the supplier evaluation results and proportionate to the risks associated with the purchased product.* When formulating a risk-based approach to evaluate new or existing suppliers, it is important to first identify the critical control points for the purchased component. These are the points in the process where a failure could result in significant harm to patients and to the business. FMEA can also be used to identify the areas of significant risk at suppliers that demand special attention, and to ensure that the risk stays as low as possible.
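As an added illustration (not part of the original post, nor anything prescribed by the standard), the following Python sketch shows how such an FMEA ranking can be carried out for a purchased component: each failure mode is scored, the risk score (probability combined with severity, as in the clause 3 definition) is mapped to a supplier-control tier, and the failure modes that qualify as critical control points are listed worst first. The rating scales, the thresholds, the control tiers and the sample failure modes are all constructed assumptions.

```python
"""FMEA-style ranking of failure modes for a purchased component, so that
supplier controls and incoming verification can be made proportionate to risk.
Added illustration: the rating scales, thresholds, failure modes and control
tiers below are constructed assumptions, not values from ISO 13485:2016."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    component: str
    failure: str
    effect: str
    severity: int    # 1 = negligible .. 5 = serious injury (constructed scale)
    occurrence: int  # 1 = remote .. 5 = frequent (constructed scale)
    detection: int   # 1 = certainly detected .. 5 = not detectable (constructed scale)


def risk(fm: FailureMode) -> int:
    """Risk in the sense of the standard's definition: probability of
    occurrence of harm combined (here: multiplied) with its severity."""
    return fm.severity * fm.occurrence


def rpn(fm: FailureMode) -> int:
    """Classic FMEA risk priority number: the risk score weighted by how
    unlikely the failure is to be caught before it reaches the patient."""
    return risk(fm) * fm.detection


def control_tier(fm: FailureMode) -> str:
    """Map the risk score to a supplier-control tier (constructed thresholds)."""
    r = risk(fm)
    if r >= 15:
        return "critical: quality agreement, supplier audit, 100% incoming inspection"
    if r >= 8:
        return "major: quality agreement, certificate of conformity, sampling inspection"
    return "minor: certificate of conformity, periodic performance review"


def critical_control_points(modes, threshold: int = 15):
    """Failure modes whose risk score reaches the threshold, worst RPN first.
    These are the points that demand special attention at the supplier."""
    return sorted((m for m in modes if risk(m) >= threshold), key=rpn, reverse=True)


# Constructed sample FMEA for a fictitious infusion-pump accessory kit.
SAMPLE_MODES = [
    FailureMode("catheter tubing", "durometer out of spec", "tubing kinks in use", 4, 2, 4),
    FailureMode("sterile pouch", "seal adhesive below spec", "loss of sterile barrier", 5, 3, 4),
    FailureMode("carton label", "colour slightly off", "cosmetic only", 1, 3, 1),
    FailureMode("battery cell", "capacity below spec", "device shuts down during use", 5, 3, 2),
]


def fmea_report(modes) -> str:
    """Human-readable table: one line per failure mode, ranked by RPN."""
    lines = [f"{'component':16} {'risk':>4} {'RPN':>4}  control tier"]
    for m in sorted(modes, key=rpn, reverse=True):
        lines.append(f"{m.component:16} {risk(m):>4} {rpn(m):>4}  {control_tier(m)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(fmea_report(SAMPLE_MODES))
    print("\nCritical control points:",
          [m.component for m in critical_control_points(SAMPLE_MODES)])
```

The point of separating `risk` from `rpn` is that the standard's definition of risk does not include detectability; detection is an FMEA refinement that helps decide where incoming inspection adds the most value, whereas the control tier is driven by risk to the patient alone.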

Clause 8 Measurement, analysis and improvement

8.2 Monitoring and measurement

8.2.1 Feedback

*The organization shall document procedures for the feedback process. This feedback process shall include provisions to gather data from production as well as post-production activities. The information gathered in the feedback process shall serve as potential input into risk management for monitoring and maintaining the product requirements as well as the product realization or improvement processes.*

With feedback obtained from users, patients and other stakeholders, an organization could consider changing the design of a medical device or certain processes, e.g. production or shipping. Take the case of a device that should be stored and distributed at 15 - 25 °C, assumed to be “room temperature”: what would be the harm to the safety and performance of the device when it is shipped by plane under “normal” conditions? Is the impact negligible when it is shipped at a higher or lower temperature? The question is therefore whether the actual situation is aligned with the required temperature range and, if not, whether this would result in negative feedback from the user. Feedback needs to be evaluated and can be an input to risk management, bearing in mind the safety of the patient and the performance of the device.

8.3 Control of non-conforming product

8.3.4 Rework

*The organization shall perform rework in accordance with documented procedures that take into account the potential adverse effect of the rework on the product.*

The heading of this sub-clause is new in the standard; the clause itself, however, remains the same. The word “risk” is not mentioned in this clause, but “adverse effect” can be understood as a risk. This is certainly something to focus on: if rework of the device can occur before or after delivery, it should be considered which risks are introduced into the device. For example, if the device is packaged and an irregularity in the seal is found during inspection, can the device be re-packaged? How many times is re-packaging allowed? What is the effect of re-packaging on the device? Is the extra heat treatment safe for the device, and will the device still function according to the requirements? Are the features of the whole batch of devices, including the reworked devices, completely equal, and what is the hazard of having differences in these features within one batch?

Also, if a device has been delivered and is returned due to a non-conformity (e.g. equipment for analysis purposes), the potential risks should be considered before it is returned to the field.

From the above explanation of several clauses of the revised ISO 13485:2016 standard, it is clear that the new standard puts more emphasis on risk management: there are more, but also different sorts of, activities in comparison to the previous standard. Software selected to support the product realization processes should be challenged with risk management. Focus should also be kept on training: could this training affect the safety or performance of the device, and what are the risks and hazards if the training is misunderstood or wrongly interpreted? And further, what will be the impact on the device when a new supplier is selected or when the device is reworked? With a pragmatic approach and the examples given above, each organization should be able to update its quality management system appropriately. The result will not only be compliance with the risk management requirements of the new standard but also a better allocation of the organization’s resources, i.e. the activities that would benefit most will be appropriately addressed.

For consideration:

Although the standard says nothing about risk management in relation to management reviews, these meetings are a huge opportunity for achieving improvements. When conducting management review meetings, it should be specifically addressed how risk management is incorporated into the areas under review. As mentioned before, all quality management system processes can be approached risk-based.

Blog by: Claar van Berge Henegouwen
