Patrick Blumentritt
Head of Consulting North,
Quality Management & Regulatory Affairs




ISO 13485 and the Risk-Based Approach for Medical Devices

A risk-based approach is often used in connection with quality management processes of medical devices. Every company should act on it, but such an approach is not always defined in the established regulations. This blog entry will help!



ISO 13485 is an established standard and widely known among medical device manufacturers. It places requirements on a quality management system for all stages of the medical device life cycle. Its last revision, in 2016, introduced an approach that is still relatively new: the risk-based approach as part of quality management. There are different ways to address this concept; this article focuses on the risk-based approach to business process control according to ISO 13485.


General information on the ISO 13485:2016

This standard defines the requirements for a quality management system covering the development, manufacturing, storage and distribution, installation, maintenance, final decommissioning and disposal of medical devices.

The main aims of ISO 13485 are:

  • Determine requirements for the quality management of medical device manufacturers and involved suppliers
  • Demonstrate the company’s ability to provide medical devices, and related services, that meet the requirements
  • Fulfil corresponding legal requirements by complying with the standard
  • Harmonise the quality management systems according to legal requirements from various countries applicable to medical devices
  • Define specific requirements for medical devices

In terms of documentation and records, ISO 13485:2016 demands not only a quality manual but also numerous documented procedures, types of records and further documentation. This means a greater scope and additional effort for medical device manufacturers, especially in comparison to other standards.

Section 4.1.2 b (“The organization shall [...] b) apply a risk based approach to the control of the appropriate processes needed for the quality management system.”), which is the relevant clause for the risk-based approach, was only added with the 2016 version of ISO 13485. The standard thus places extensive requirements on the risk-based approach, which is intended to ensure safety in the processes and serves as a regulatory framework.


Chapter 4.1.2 b

Chapter 4 describes the quality management system and specifies the risk-based approach. Essentially, the company should adapt its quality management effort to the risks. This pursues specific aims, such as avoiding unnecessary effort and quality bureaucracy: product safety and legal conformity should increase, and resources should be used more deliberately. If the risk is high, more effort must go into controlling the process; if the risk is low, extensive effort can be dispensed with. The approach covers (medical) device-related as well as economic risks.

But one should not overgeneralise! In chapter 4, the standard does not require risk-based control of all the company’s processes, only of the appropriate ones. The subsequent chapters specify exactly which processes the standard affects.


The risk-based approach is required at a minimum for the following essential areas:

  • Control of QM processes (ch. 4.1.2)
  • Control of outsourced processes (ch. 4.1.5)
  • Activities for validation of software in the QMS (ch. 4.1.6), of software for production and service provision (ch. 7.5.6) as well as of software for monitoring and measuring of requirements (ch. 7.6)
  • Effectiveness evaluation of training or other measures (ch. 6.2)
  • Criteria for supplier evaluation and management (ch. 7.4.1)


What is the benefit?

In certain markets, implementing a QM system according to ISO 13485 and becoming certified is a precondition for marketing medical devices. This applies, among others, to the EU, Canada and Japan. For the European market this means that the MDR mentions the concept of a risk-based approach but gives no further specification. Consequently, manufacturers must apply the approach as described in the standard.

However, the risk-based approach is not only relevant in Europe; the FDA also applies it in several areas. In part, it serves as a basis for how often and to what extent some manufacturers are audited.

Unlike other approaches, the risk-based approach looks at risks that result from non-compliance with regulatory requirements, i.e. from nonconformities. Here, regulatory requirements mean legal regulations (e.g. the MDR, country-specific law, FDA regulations, etc.).

Therefore, the risk-based approach cannot be equated with risk management in general. Implementing the risk-based approach means identifying uncertainties within the company’s processes and applying controls to the relevant processes in order to minimise potential negative impacts and maximise positive ones. In this way, it helps the company to act preventively, to prioritise existing resources correctly and, in the long term, to ensure (medical) products that conform to requirements as well as an effective quality management system, which also reduces company risks.


How to implement the risk-based approach?

First of all, it is important to determine which processes are relevant; then the risks need to be identified for each of these processes. Within ISO 13485, regulatory risks in particular must be taken into account. For a simpler overview, this can be presented in the form of a table. After this initial analysis, the measures intended to counter, or at least minimise, the risks are determined. The risks are often divided into classes, and a corresponding measure is then determined for each class.

Put more simply, the risk-based approach can be implemented in three major steps:

  1. Define, analyse and evaluate risks
  2. Define, implement, quantify (and regularly evaluate) measures
  3. Improve the quality management system (and consequently the product, too)

For example, the following criteria can be used to evaluate risk potential, each serving as a defining example:

  • Influence on regulatory requirements
  • Indirect influence on product safety/performance
  • Direct influence on product safety/performance


According to section 4.1.2 b, it is not necessary to demonstrate with a specific document that the risk-based approach has been implemented in the business processes. A third party can recognise that the company acts upon the approach only through its implementation: the procedures in the QMS themselves, and the decisions the company has taken about prioritisation, planning and control measures, provide that evidence.


Not completely new, but still important

Ultimately, the risk-based approach gives manufacturers an opportunity to adjust their quality management processes, and the effort spent on them, to the existing risks. Even if not every detail of this concept is a complete novelty, its combination with ISO 13485 is new. Therefore, it is mandatory for every medical device manufacturer to implement the risk-based approach.

So that you take no risks in doing so, we, seleon gmbh, will give you our full support.



Please note that all data and listings make no claim to completeness, are provided without guarantee and serve for information purposes only.

Every product is unique – the mandatory tasks and measures for entering the market need to be specified individually. seleon advises you on your individual questions without any obligation.

