ISO 13485:2016 – A Risk Management System Idea

by Rand Winters, ASR ISO 13485 Auditor
November 2017

The risk requirements in ISO 13485:2016 differ from those in ISO 9001:2015. ISO 13485:2016 places specific risk requirements in the following clauses:

4.1.5 - outsourced processes: control proportionate to the risk involved and to the external party's ability to meet requirements.

7.1 - product realization: documented risk management processes, with records maintained, throughout product realization.

7.3.3 - design and development inputs: the outputs of risk management are a required input.

7.3.9 - design and development changes: evaluate the effect of each change on the outputs of risk management.

7.4.1 - purchasing: supplier controls proportionate to the risk associated with the medical device.

7.6 - monitoring and measuring equipment: software used for monitoring and measurement is validated with an approach proportionate to the risk of its use and to its effect on the ability to meet specifications.

8.2.1 - feedback: customer feedback is a required input to risk management.

ISO 13485:2016 is the first edition of the standard to require a risk-based approach across the quality management system as a whole, not just within product realization, and it applies to medical device manufacturers and to their component suppliers.

ISO 9001:2015 states that risk must be addressed, but it does not specify a formal risk management system. The automotive, aerospace, and environmental standards built on the ISO 9001:2015 structure take the same position.

ISO 13485:2016 defines risk management as the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk, and it defines risk as the combination of the probability of occurrence of harm and the severity of that harm (the same definitions used in ISO 14971). This is close to the FMEA (Failure Mode and Effects Analysis) approach to reducing risk, with one difference: FMEA also scores detectability, which the ISO 13485:2016 definition of risk does not include. A medical device firm may still choose to score detectability as part of its approach to risk, and it is often useful for deciding which controls to work on first.

Applying the FMEA criteria as an example, each risk event is scored from one to ten (1 to 10) for both occurrence and severity. The organization decides the score for a specific event; ISO 13485:2016 states no rule for combining the scores (common FMEA practice multiplies them, and multiplies in a detectability score when one is used). The basic objective is to arrive at a number above which an investigation, and potentially an action plan, is required to reduce the occurrence of harm and the severity of harm to people.

This FMEA methodology could be applied to the risk management sections of ISO 13485:2016 listed above: outsourced processes, design and development inputs and design changes, purchasing, software validation, and feedback.
Ranking the scored events by a risk priority number (RPN) against an action threshold is the next step; it sets in motion the investigation and response for the risk reduction project(s).
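As an added illustration (not part of the original article), the scoring and ranking described above in Python. The clause numbers are from ISO 13485:2016; the hazards, scores, and the action threshold of 100 are constructed sample data standing in for what a firm would record in its own procedure. The score of occurrence times severity follows the standard's definition of risk; the detectability factor is the optional FMEA addition discussed above.

```python
"""FMEA-style scoring for the risk management clauses of ISO 13485:2016.

Added example. Clause numbers are from the standard; hazards, scores and
the action threshold are constructed sample values, not the article's data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCALE = range(1, 11)  # FMEA convention: 1 (best) .. 10 (worst)


@dataclass(frozen=True)
class RiskItem:
    clause: str                       # ISO 13485:2016 clause the event is tied to
    hazard: str                       # what could go wrong
    severity: int                     # severity of harm, 1..10
    occurrence: int                   # probability of occurrence of harm, 1..10
    detection: Optional[int] = None   # optional; not part of the ISO 13485 definition of risk

    def __post_init__(self) -> None:
        # Reject scores outside the 1..10 scale so a typo cannot hide a hazard.
        for name in ("severity", "occurrence"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be 1..10, got {getattr(self, name)}")
        if self.detection is not None and self.detection not in SCALE:
            raise ValueError(f"detection must be 1..10 or None, got {self.detection}")

    def risk_score(self) -> int:
        """Occurrence x severity: the two factors in the ISO 13485:2016 definition of risk."""
        return self.severity * self.occurrence

    def rpn(self) -> int:
        """FMEA risk priority number. With no detection score the item ranks on
        risk_score alone (detection treated as 1, i.e. certain detection)."""
        return self.risk_score() * (self.detection or 1)


def prioritize(items: List[RiskItem], action_threshold: int) -> List[Tuple[RiskItem, bool]]:
    """Rank items highest RPN first (ties broken by severity) and flag those
    at or above the threshold as needing an investigation / action plan."""
    ranked = sorted(items, key=lambda r: (r.rpn(), r.severity), reverse=True)
    return [(r, r.rpn() >= action_threshold) for r in ranked]


# Constructed sample risk register covering the clauses named in the article.
SAMPLE_REGISTER = [
    RiskItem("4.1.5", "outsourced sterilization lot released without verification", 9, 3, 4),
    RiskItem("7.3.3", "design input omits a use-environment hazard", 8, 2, 6),
    RiskItem("7.4.1", "supplier changes component material unannounced", 7, 4, 5),
    RiskItem("7.6", "measurement software update alters calibration", 6, 2, 8),
    RiskItem("8.2.1", "complaint trend not fed back into the risk file", 5, 5, 3),
]
ACTION_THRESHOLD = 100  # assumed value; the standard sets none


def action_clauses(items: List[RiskItem] = SAMPLE_REGISTER,
                   threshold: int = ACTION_THRESHOLD) -> List[str]:
    """Clauses whose events need an action plan, for the management review record."""
    return [r.clause for r, flagged in prioritize(items, threshold) if flagged]


if __name__ == "__main__":
    for item, flagged in prioritize(SAMPLE_REGISTER, ACTION_THRESHOLD):
        mark = "ACTION" if flagged else "monitor"
        print(f"{item.clause:6} S={item.severity} O={item.occurrence} "
              f"D={item.detection} RPN={item.rpn():4} {mark}  {item.hazard}")
```

The ranking function returns the ordered list and the flags rather than printing them, so the same output can be written into the risk file and into the management review minutes the standard asks for.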

How many projects to undertake is the organization's decision. Keep in mind that the standard requires documented procedures and records to be maintained, and that results are presented to top management in the regularly scheduled management review meeting and recorded in the minutes. Key issues or problems might be discussed in special meetings, with the results of those meetings also kept as records.

This brief discussion of FMEA describes one approach medical device manufacturers and suppliers could consider for establishing a risk management system and, more importantly, for reducing risk.
