ISO 13485 and Risk Management: How to Build a Proactive QMS
January 20, 2026


Separating quality management and risk management may look neat on paper, but it creates a serious gap in practice. The two systems depend on each other. In short: without risk management, quality management does not work. In medtech this matters more than anywhere else, because devices and SaMD touch life and health. High quality and low residual risk are not separate goals here, they describe the same outcome from two angles.

This article outlines how QMS and risk management reinforce each other, and how manufacturers can bring risk management requirements into an existing QMS so that risk stops living in a file and starts steering decisions.

1. Why risk management is part of the QMS

A QMS and risk management form the backbone of safe and effective medical devices. ISO 13485 provides the QMS framework, while ISO 14971 lays out the internationally accepted risk management process.

ISO 14971 frames risk management as a lifecycle activity: hazards are identified, risks are analysed and evaluated, controls are implemented, and then the whole system keeps monitoring whether those controls still work. This is exactly where ISO 13485 becomes practical. It turns “do risk management” into controlled processes: planning, responsibilities, records, traceability, and feedback loops. That is also why many regulatory expectations—EU MDR/IVDR as well as FDA requirements—are easier to meet when risk thinking sits inside the QMS rather than beside it.

One practical bridge between “risk-based” and daily execution is the device’s risk class. In the EU for example, risk class is typically derived from the intended use, invasiveness, duration of use, and the potential severity of harm. A consistent, written rationale for the classification matters, because that classification directly influences the depth of evidence expected: technical documentation, clinical evaluation, and the overall verification and validation workload.

When integration works, risk-based decisions become the default in product development, manufacturing, supplier management, and post-market surveillance. The QMS stops acting like a compliance shell and starts behaving like a learning system. Integration typically delivers four concrete advantages: safer and more effective devices; smoother compliance with strict regimes (MDR, FDA); higher efficiency through standardised workflows and traceability; and a quality culture that consistently prioritises patient safety.

Key standards and regulations

A QMS that embeds risk management is not a “nice to have”. Key jurisdictions effectively require it.

  • United States (FDA QMSR): The FDA’s Quality Management System Regulation emphasises risk-based decision making and risk-based thinking. From 2 February 2026, the QMSR applies in the US and incorporates requirements from ISO 13485:2016. In practical terms, this calls for a “proactive QMS”: a system that recognises risks systematically, translates them into controls, and then checks those controls through data streams such as complaints, trends, CAPA effectiveness, and similar signals.
  • Europe (EU MDR/IVDR): In Europe, risk management and QMS are basic conditions for access under MDR/IVDR. Annex I of both regulations frames risk management as a fundamental duty, and risk management also appears in Article 10 (among other places). Manufacturers must build a risk management system and monitor and manage risk continuously, iteratively, and across the lifecycle. For the QMS this means integrated mechanisms, change control, post-market surveillance, CAPA, supplier oversight, and risk-based controls in production.
  • Australia (TGA Essential Principles): In Australia, the TGA’s Essential Principles (Schedule 1 of the Therapeutic Goods (Medical Devices) Regulations 2002) set legislative expectations that link safety, performance, and evidence. Manufacturers must hold scientific and other evidence that a device meets the Essential Principles before supply in Australia. In practice that evidence is hard to build without structured risk management, because it must show how risks were identified, controlled, and kept under review.

2. How QMS and risk management interact

The relationship between ISO 13485 and ISO 14971 becomes clearer when viewed as “wiring”, not as two parallel standards.

  1. ISO 13485 expects risk management (in the sense of ISO 14971) to feed QMS processes so that risk is considered in design, production, and post-market activities.
  2. It expects a risk-based approach: decisions and controls scale with risk, visible in process planning (ISO 13485, Clause 7.1), supplier control, validation strategy, and more.
  3. Both standards assume lifecycle coverage, meaning risk management does not end after design transfer; it stays active from concept through disposal.

That integration shows up through a small set of core activities that a functioning QMS must support, in one form or another: identify hazards, analyse risk (severity and probability), implement controls (design measures, protective features, information for safety), evaluate residual risk, and monitor whether the overall risk picture changes over time. The list matters less than the loop. “Proactive” means the loop runs continuously, especially when new data arrives.

3. Where risk management must show up inside the QMS

Risk management should run as a principle through the entire QMS, not as a single isolated process. Still, several QMS areas carry particularly high “risk weight”. These are the places where integration should be visible and auditable.

  • Process control. Risk should determine how deep controls go. Higher risk usually justifies tighter acceptance criteria, more formal reviews, stronger monitoring, and more extensive validation.
  • Product realisation and planning. Risk management needs a firm place in planning: which RM activities happen when, what outputs are produced (plan, file, reports), and how these outputs feed design, purchasing, production, and PMS.
  • Design and development. Risk management outputs must become design inputs, safety and performance requirements, with risk controls expressed as requirements. Formal design and development plans help here, with phases, milestones, and responsibilities that make risk work visible rather than assumed. Design reviews should also carry an explicit risk focus: checking whether hazards were recognised early and whether controls adequately address them. Those controls then need evidence through verification and validation. If testing cannot show coverage of risk controls, traceability weakens and audits become painful. Usability engineering belongs in this loop as well, because use error and foreseeable misuse are hazards that need systematic controls, not afterthoughts.
  • Purchasing and supplier controls. Supplier oversight must follow criticality. That criticality drives qualification depth, monitoring intensity, incoming inspection strategy, audit expectations, and change notification obligations; for critical suppliers, this often includes clear quality agreements that lock in responsibilities and notification rules.
  • Production and process controls. “Special processes” where outcomes cannot be fully verified later rely on validation, and validation scope, frequency, and revalidation triggers are typically risk-driven. Work instructions also matter more than many systems admit: clear, understandable, risk-oriented instructions should make critical steps stand out. Traceability should match the risk profile and regulatory expectation as well; where required, this means traceability at lot or serial-number level, not only at batch summary level.
  • Change management. Every relevant change—design, software, process, supplier, specification—needs a structured risk impact analysis. The core questions stay pragmatic: does the change introduce new hazards, shift probabilities, create new failure modes, or affect clinical/performance evidence or labelling?
  • CAPA and nonconformities. Proactivity means risk-based CAPA prioritisation and risk-based effectiveness checks, including clear escalation thresholds. Importantly, the risk management file must update when CAPAs affect the risk picture. Otherwise CAPA closes locally, while risk documentation drifts.
  • Feedback, complaints, and PMS. ISO 13485 expects feedback and complaint data to flow back into risk management: trends, new hazards, and real-world effectiveness of controls. A proactive system defines signal detection—trend thresholds and “weak signal” rules—so reassessment starts early, not only when incidents accumulate.

4. Step-by-step: integrating risk management into an existing QMS

Many manufacturers already run a QMS and hold a risk file. The real work lies in making risk drive everyday decisions.

4.1 Start with a gap check: “Risk management exists — but does it steer?”

A practical start is an RM integration assessment as a focused workshop (often one to two days). The workshop should map where risk is merely documented versus where it genuinely influences decisions. It should also identify which QMS processes have mandatory triggers for risk review, and which do not.

The baseline references typically include ISO 13485:2016 (risk-based process control; product realisation/planning; design and development; purchasing; production; CAPA/feedback/complaints; internal audits; management review) and ISO 14971 (risk process plus post-production information/monitoring).

  • Which additional national requirements to consider depends on where the product will be placed on the market. Depending on the target countries, this may include US requirements (FDA 21 CFR 820 elements such as design controls, CAPA, complaints, purchasing, and production/process controls), EU MDR/IVDR (especially Annex I and Article 10), or Australia’s TGA Essential Principles (Schedule 1) and the related evidence expectations before supply.
  • Useful outputs are a gap matrix—process ↔ risk input ↔ risk output ↔ trigger ↔ evidence—and a prioritised set of “risk integration fixes” focused on patient safety and compliance exposure.

4.2 Governance: formalise risk decisions

Findings from the gap check only matter if governance turns them into practice. Risk decisions need clear ownership: who defines and changes acceptability criteria, who approves residual risk, and when escalation to management becomes mandatory. Many organisations achieve this without creating new bureaucracy by adding a fixed “risk” agenda item to existing forums such as design reviews, change control boards, or management review. Others create a small risk review board with defined decision rights.

A simple but powerful record here is a standardised Risk Impact Assessment form that becomes a normal QMS record, used consistently, not only during audits.

4.3 Wire risk triggers into core QMS processes

The goal is straightforward: every critical process has defined inputs from risk management and defined outputs back into risk management.

In design and development (ISO 13485: 7.3; FDA 820.30), risk controls should map to design inputs, and verification/validation should explicitly cover those controls through traceability. In purchasing (ISO 13485: 7.4; FDA 820.50), supplier criticality should drive qualification and oversight, including change notification for critical suppliers. In production and process controls (ISO 13485: 7.5), validation and monitoring should focus on risk drivers, with clear revalidation triggers such as process changes, drift, or out-of-spec trends. In change control, a risk impact assessment should become mandatory for relevant changes; when the risk profile shifts, the system should trigger additional V&V (verification/validation) and updates to the RM file and, where needed, labelling/IFU.

For CAPA, complaints, and feedback (ISO 13485: 8.2/8.5; FDA 820.198 and 820.100), triage and prioritisation should follow risk (severity, frequency, detectability, potential harm), and RM file updates should be a defined output.

4.4 Set up post-market as an early warning system

Proactivity lives or dies in post-market work. Hard rules beat gut feel: trend thresholds for complaint rates, recurring failure modes, service data, and nonconformities help detect signals early. Clear capture criteria also matter, so the system consistently records what must be recorded—complaints, incidents, reportable events, and relevant trends—before they get debated case by case.

“Weak signal” rules clarify when a signal triggers investigation/CAPA versus when it triggers a targeted risk review. ISO 14971 monitoring becomes practical when data sources, review frequency, and responsible roles are fixed, and when reassessment produces a consistent record (for example, a quarterly or event-driven risk reassessment report). For higher-class products, this should sit inside a structured post-market surveillance plan and, where appropriate, include planned collection of clinical or performance data rather than relying solely on passive feedback.

4.5 Run internal audits and management review with a risk lens

Internal audits (ISO 13485: 8.2.4) should follow risk-based planning: critical processes should face deeper and more frequent audits. A useful audit test is not “does a risk document exist?” but “does risk truly influence decisions?” Management review (ISO 13485: 5.6) then acts as risk steering: top risks, new hazards, trend signals, CAPA effectiveness, and supplier risks should lead to concrete decisions on resources, priorities, acceptability criteria, and process adjustments, with owners and deadlines.

4.6 Training and competence with a risk focus

Integration also depends on people, and ISO 13485 explicitly requires organisations to ensure competence through training. Risk-relevant roles, typically design and verification teams, production and inspection, customer support, complaint handling, and vigilance, need defined competence requirements (training, experience, product knowledge, and process understanding). Training should build risk perspective, and its effectiveness should be checked for critical activities (for example through observation, testing, or a four-eyes release).

5. Conclusion

ISO 13485 and ISO 14971 do not ask for two separate systems. They push toward one integrated way of working: risk management that actively drives QMS decisions across the lifecycle. A proactive QMS recognises risk early, turns it into controls, and then checks those controls through real data: complaints, trends, CAPA effectiveness, supplier performance, and production signals. For medtech manufacturers, that integration strengthens safety, improves compliance readiness, and keeps quality efforts focused where they matter most.

QMS Learning Series

Meeting the requirements of ISO 13485 is one thing, putting them into practice is another. That’s why this article is part of a broader series developed for New Zealand’s HealthTech sector, aimed at helping teams turn regulatory expectations into working systems.

Over 12 months, this series explores ISO 13485 in four parts: from first steps and system setup to risk management and audit readiness. Each quarter combines practical content with interactive workshops to support implementation in real-world settings.

The QMS Series is brought to you by the HealthTech Activator, in partnership with Elevate Medtech (formerly Johner Institute New Zealand).