Quality Risk Management, Powered by People

February 6, 2026
Teamwork
Afifa Trad

Nadia Ragnvald Caspersen
Senior consultant, Medical Device QA/RA – GBA Key2Compliance

Building better systems through respect, teamwork, and ongoing improvement

Quality management isn’t just about systems and standards—it’s about people. Every device we help bring to market is ultimately used by someone who trusts it with their wellbeing. 

As QA/RA professionals, our responsibility goes far beyond compliance; it’s about safeguarding lives, supporting clinicians, and earning the trust of patients and their families. 

Risk Management in Quality Management Systems

In the realm of Quality Management Systems (QMS), effective risk management encompasses the identification, assessment, and control of risks associated with both products and processes throughout their entire lifecycle. The focus includes not only patient safety but also the quality and reliability of the product itself. A poorly executed risk management system may fail to identify potential dangers, leading to device malfunctions, patient harm, or substantial financial repercussions. 

Recognising and evaluating all potential risks is a complicated endeavour that necessitates a collaborative approach, going beyond the Quality Assurance (QA) department alone, and requires a comprehensive understanding of the product and its intended use. 

Collaborative Approach

Effective risk management is a team effort that thrives on empathy and understanding. By listening to the experiences of clinicians, engineers, and even patients, we gain insights that technical data alone cannot provide. This collaborative spirit ensures that our risk assessments reflect real-world scenarios and genuine human needs—not just theoretical hazards. 

One major challenge in risk management is anticipating all possible risks that could emerge during the product lifecycle. This requires a grasp of the product’s clinical applications, the patient demographic, the environment in which the device will operate, and any associated hazards. Organisations must adopt a systematic method and assemble a team with a varied skill set—spanning clinical, engineering, regulatory, and quality domains—to perform thorough risk assessments. 

Risk management is an evolving process that should be regularly updated in response to changes in technology, market conditions, and trends. It is crucial for management to recognise their pivotal role in this field, as they possess the authority to allocate the necessary time and resources for this essential task. 

Risk-Based Methodology

Given the various roles within the organisation, it is vital to establish the appropriate processes, their intended applications, the sequence of their execution, and their interactions with other processes. The level of oversight for these processes must be rooted in an understanding of risk. Organisations should identify the risks that could impair the effective and compliant functioning of their QMS. 

When recognising risks, the organisation should prioritise the prevention or mitigation of undesirable outcomes through risk reduction and preventive measures. This approach represents a commitment to a risk-based strategy, which should be applied across all processes integral to the QMS. 

Throughout the ISO 13485 standard, the concept of risk pertains specifically to the safety and efficacy of medical devices in addition to fulfilling regulatory obligations, rather than financial risks or business performance concerns. This is explicitly mentioned in clause 7.1, with clause 4.1.2(b) emphasising that a risk-based approach must also be integrated into relevant processes within your QMS. These processes must be identified and managed through your risk-based controls. 

The emphasis lies in incorporating a risk-based strategy within processes where failures could lead to unsafe products or those that do not function as intended, while also ensuring compliance with regulatory standards. ISO 13485:2016 does not mandate formal risk management for identifying risks within QMS processes themselves; however, it does call for the execution of a risk-based approach within those processes. The organisation has the flexibility to choose the methods that best suit its needs, as long as they are justified and adequately described. 

Strategic Considerations

Selecting the right risk management tools isn’t just a technical decision—it’s about understanding the unique challenges faced by those who use, maintain, and rely on our products. By considering the perspectives of everyone involved, we tailor our approach to fit not only the device, but also the people and environments it serves. 

At a strategic level, various tools, such as SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis, PESTEL (Political, Economic, Socio-Cultural, Technological, Environmental, Legal Factors), and Porter’s Five Forces analysis, can be utilised. 

A straightforward approach might involve posing “what if” scenarios, while brainstorming techniques can also serve as effective methods for illustrating a risk-based approach. Some techniques are more suitable for detailed analysis, such as Failure Mode and Effects Analysis (FMEA), Failure Mode, Effects and Criticality Analysis (FMECA), Hazard Analysis and Critical Control Points (HACCP), along with root cause and decision analysis tools, including Fault Tree Analysis (FTA) and 5 Whys. 

It is important to select the methods or tools you will implement and to establish, execute, and maintain the necessary documentation for their usage. It quickly becomes apparent that “one size fits all” does not apply here; the best method often depends on the specific situation. Educating the entire organisation on every available risk management tool is impractical; thus, it is advisable to focus on a select few tools and implement them effectively within your organisation. 

Execution

When we improve our processes, our goal is always to create safer, more reliable outcomes for real people. Each enhancement to our QMS is a step towards better patient experiences, smoother clinical workflows, and greater peace of mind for everyone who interacts with our products. 

In addressing risks, organisations should adopt a risk-based strategy for the establishment, implementation, maintenance, and improvement of the QMS and its associated processes in order to: 

  • Determine how risks are managed during product design and development to ensure the safety and functionality of the medical device, elevate process performance, and prevent negative outcomes. 
  • Enhance the effectiveness of the QMS. 
  • Maintain and manage a system that inherently addresses risk and achieves objectives. 

For instance, an organisation may choose to assess its QMS to enhance or confirm compliance. Initially, a SWOT analysis could be applied to each QMS process to pinpoint areas needing improvement. Discovering a need for enhancement in a QMS process could then lead to further assessment using a detailed method like HACCP. This in-depth analysis can provide the essential information necessary to create a robust project plan aimed at addressing identified weaknesses. 

ISO 13485 Reference Points

ISO 13485 outlines specific sections that highlight risk considerations essential for the relevant processes within the QMS, such as: 

  • The method for assessing personnel training effectiveness (6.2). 
  • The criteria for selecting and monitoring suppliers (7.4.1). 
  • The extent of verification required for purchased products (7.4.3). 
  • The level of validation needed, encompassing software validation (4.1.6, 7.5.6, 7.6). 

Additional Considerations for Risk Management

Once the risks impacting the QMS have been identified, organisations should plan actions to mitigate them. These planned actions need to be integrated into QMS processes, with their effectiveness evaluated over time. Actions may involve establishing relevant controls for existing QMS processes. The depth of detail required for a given process depends on the complexity and variability of its activities:

  • Simple processes may need only basic guidance. 
  • Complex processes necessitate detailed explanations so that team members can understand their roles and the interconnections among various tasks. 

Numerous actions can be taken by organisations to address risks, many of which are covered within ISO 13485 requirements, such as: 

  • Clearly defining responsibilities and roles. 
  • Implementing inspection or other monitoring and measurement techniques for processes and products. 
  • Validating processes. 
  • Ensuring proper calibration of measuring and monitoring devices. 
  • Overseeing product and process design and development. 
  • Carrying out corrective actions and extending these measures to relevant areas of the organisation, considering cross-departmental implications. 
  • Documenting established methods and work instructions. 
  • Identifying training needs and ensuring the implementation of suitable training while assigning qualified personnel. 

While ISO 13485 does not necessitate formal risk management for identifying risks at the QMS level, clause 7.1 mandates documentation of a process or series of processes focused on risk management during product realisation. This encompasses managing risks related to the safety and efficacy of medical devices, starting from design and development through to post-production activities. For insights into product risk management specific to medical devices, organisations can refer to ISO 14971:2019. 

The Global Harmonisation Task Force (GHTF) has also issued guidance on implementing risk management principles and activities within a QMS, which offers valuable information regarding risk management in product realisation. Although published in 2005, its principles remain relevant today. Special attention should be given to section 4, which addresses management responsibility, as this provides foundational insights for implementing a risk-based approach throughout the QMS. 

ISO 13485 cites ISO 14971 as the reference methodology for satisfying its risk management obligations during product realisation, with further guidance on applying ISO 14971 available in ISO/TR 24971:2020. 

For inspiration, organisations may also explore ISO 31000:2018 and IEC 31010:2019, which, while focused on risk in an enterprise context, still offer useful insights, including a catalogue of risk assessment techniques. 

Conclusion

Quality assurance is a discipline rooted in expertise, but it flourishes through empathy. By putting people at the heart of our risk management strategies, we ensure that our work makes a meaningful difference—protecting not just devices, but the lives and stories behind them. 

Let’s continue to champion a culture of care, collaboration, and continuous improvement. 
