Risk Management Under the QMSR Framework
Risk management has always been a fundamental expectation for medical device manufacturers, but the transition to the Quality Management System Regulation (QMSR) elevates its importance and demands a more systematic, integrated approach. Under the QMSR, risk management is not a standalone activity — it is a thread that must run through every element of the quality management system, from design and development through production, post-market surveillance, and continuous improvement.
The QMSR, by incorporating ISO 13485:2016 by reference, brings with it explicit requirements for risk management throughout the product lifecycle. ISO 13485 references risk management in multiple clauses, including design and development (7.3), purchasing (7.4), production and service provision (7.5), and monitoring and measurement (8.2). When combined with the FDA-specific additions in the QMSR, manufacturers face a comprehensive framework that demands genuine integration of risk-based thinking into daily operations.
The Role of ISO 14971
While the QMSR does not directly incorporate ISO 14971 by reference, ISO 14971 remains the foundational document for medical device risk management. ISO 14971:2019, Application of Risk Management to Medical Devices, provides the framework that most manufacturers use to satisfy the risk management requirements of both ISO 13485 and the QMSR. Understanding and properly applying ISO 14971 is essential for QMSR compliance.
ISO 14971 establishes a process for identifying hazards associated with medical devices, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of risk controls throughout the product lifecycle. The standard applies to all stages of the device lifecycle and covers risks related to biocompatibility, data security, electricity, moving parts, radiation, usability, and any other hazards specific to the device.
The 2019 revision of ISO 14971 introduced important changes, including greater emphasis on the benefit-risk analysis, clearer requirements for information from production and post-production activities, and alignment with other standards in the ISO 13485 ecosystem. Manufacturers should ensure their risk management processes reflect the current version of the standard.
Integrating Risk Management Across the Quality System
True QMSR compliance requires risk management to be integrated across all quality system processes, not siloed in a single department or document. Here is how risk management should connect with key quality system elements.
In design and development, risk management must inform design inputs, guide design decisions, and be verified and validated alongside device functionality. The design risk management file should be a living document that evolves with the design, not a static deliverable created at the end of the process. Design reviews should include evaluation of risk management activities and findings, and design changes should trigger reassessment of associated risks.
In supplier management, risk-based thinking should guide supplier selection, evaluation, and monitoring. Higher-risk suppliers — those providing critical components or processes — should be subject to more rigorous evaluation and oversight. The QMSR expects that organizations have a clear rationale for their supplier management approach, and risk is a key factor in that rationale.
In production and process control, risk management should inform the identification of special processes, the establishment of process monitoring and control parameters, and the frequency and depth of in-process inspections. Processes that have a higher risk impact on device safety or performance should receive correspondingly greater attention.
In CAPA and complaint handling, risk assessment should guide the prioritization and urgency of corrective and preventive actions. Not all nonconformances carry the same risk, and the CAPA system should reflect this through risk-based prioritization of investigations and actions.
The Risk Management File
Central to an effective risk management system is the risk management file. This file serves as the repository for all risk management activities and documentation associated with a device or device family. Under ISO 14971 and by extension the QMSR, the risk management file should include the risk management plan, hazard identification results, risk analysis worksheets, risk evaluation results, risk control measures and their verification, assessment of overall residual risk, risk management review results, and production and post-production monitoring data relevant to risk.
The risk management file must be maintained throughout the device lifecycle. It is not a document that is completed during design and then filed away. As new information becomes available from production, complaint handling, post-market surveillance, and regulatory intelligence, the risk management file should be reviewed and updated as appropriate.
FDA Expectations Beyond ISO 14971
While ISO 14971 provides the framework, the FDA has additional expectations regarding risk management that manufacturers must address. The FDA expects risk management activities to be documented in sufficient detail to demonstrate that the process is thorough and objective. Generic or templated risk analyses that do not reflect device-specific considerations will not satisfy FDA expectations.
The FDA also places particular emphasis on the connection between risk management and post-market surveillance. Under the QMSR, manufacturers must demonstrate that information from complaint handling, MDR reporting, and other post-market feedback mechanisms is systematically fed back into the risk management process. This creates a continuous improvement loop that enhances device safety over time.
Another area of FDA focus is the benefit-risk determination. For higher-risk devices, the FDA expects a documented analysis demonstrating that the benefits of the device outweigh the residual risks. This analysis should be based on clinical evidence, literature data, and post-market experience, not simply engineering judgment.
Common Risk Management Gaps
Several common gaps appear in medical device risk management systems during audits. Static risk management files that have not been updated since initial design completion are among the most frequent findings. Risk management is a lifecycle activity, and files that do not reflect current knowledge and experience indicate a process that is not being maintained.
Incomplete hazard identification is another common issue. Organizations sometimes focus narrowly on device-specific hazards while overlooking hazards related to use environment, user population, interfacing devices, or information security. A thorough hazard identification process should consider all reasonably foreseeable hazards, guided by standards such as ISO 14971 Annex C.
Inadequate risk control verification is also frequently identified. When risk controls are implemented, they must be verified for effectiveness. This verification must be documented and must demonstrate that the control actually reduces the risk to an acceptable level. Simply documenting that a control was implemented, without evidence of its effectiveness, is insufficient.
Weak post-market risk monitoring represents another gap area. Organizations may have robust pre-market risk management processes but lack systematic approaches for monitoring risk in the post-market phase. The QMSR expects that post-market data — including complaints, adverse events, and literature — is systematically reviewed for risk implications.
Strengthening Your Risk Management System
To ensure your risk management system meets QMSR expectations, consider conducting a comprehensive review of your risk management process against both ISO 14971:2019 and the QMSR requirements. Evaluate the completeness of your risk management files, the integration of risk management across quality system processes, the effectiveness of your post-market risk monitoring, and the training and competence of personnel involved in risk management activities.
An independent audit focused specifically on risk management can provide valuable insights into the strength of your system and identify areas for improvement before they become inspection findings. Experienced auditors bring perspective from across the industry and can benchmark your practices against current expectations and best practices.
Partner with Qualyx Group
At Qualyx Group, we specialize in independent, audit-only services for regulated industries. Our experienced auditors bring deep domain expertise, bilingual capabilities, and an unwavering commitment to objectivity. Whether you need a gap analysis, a supplier audit, or preparation for an upcoming regulatory inspection, we are here to help.
Contact Qualyx Group today to discuss how our independent audit services can strengthen your quality system and support your compliance goals.
