CROSSWALK

QMSR / ISO 13485 §820.30(g)

Maps to

QMSR / ISO 13485: §820.30(g)

ISO 13485: §7.1

ISO 14971: entire standard

Requirement text

The organization shall document a risk management process throughout the product lifecycle. This includes hazard identification, risk estimation, risk evaluation, risk control, and evaluation of residual risk acceptability. FDA-Plus: Risk management must be integrated with design controls; risk analysis outputs must feed design inputs, and risk control measures must be verified and validated.

What changed

Risk management is the single most significant structural change in the QMSR. Under Part 820, risk was barely mentioned. Section 820.30(g) required 'design validation shall include risk analysis, where appropriate' as a brief clause within design controls. Risk analysis was treated as a design validation activity — something you do at the end of design to confirm safety — rather than as a lifecycle-integrated discipline. Many Part 820 companies interpreted this as 'do an FMEA during design validation and file it in the DHF,' with no ongoing risk management activities after product launch.

The QMSR fundamentally transforms this by incorporating ISO 14971:2019 as the risk management standard that must be applied. ISO 14971 is not a checklist — it is a comprehensive lifecycle risk management framework requiring: a documented risk management process (section 4), product-specific risk management plans with defined acceptability criteria (section 4.4), systematic hazard identification and risk estimation (section 5), risk evaluation against defined criteria (section 6), risk control with a mandated priority hierarchy and residual risk evaluation (section 7), overall residual risk evaluation considering interactions between individual risks (section 8), formal risk management review before product release (section 9), and ongoing post-production information collection and risk management file updates (section 10).

This is not an incremental change — it is a paradigm shift for companies that treated risk as a design validation sub-activity. Under the QMSR, risk management must be integrated throughout the product lifecycle, from concept through post-market surveillance. The risk management file is a living collection of documents (Risk Management Plan, Risk Table/FMEA, Risk Management Report) that must be maintained and updated as new information becomes available. Risk is no longer something you do once during development; it is a continuous organizational activity.

The integration requirements are equally important. ISO 14971 requires risk management to connect with design controls (risk analysis outputs feed design inputs; risk controls are verified through design verification/validation), production controls (process risk analysis, PFMEA), complaint handling (complaints are evaluated for risk implications), post-market surveillance (surveillance data triggers risk management file updates), and management review (risk management effectiveness is reviewed). For a company that previously had an FMEA buried in the design history file, building these cross-process linkages is substantial work.

The QMSR also incorporates the FDA's position on the 'as far as possible' (AFAP) principle from ISO 14971, which requires that risks be reduced as far as possible, not merely to an 'acceptable' level. This means companies must document why further risk reduction is not practicable even for risks that are already within the acceptable zone — a level of rigor that most Part 820-era risk analyses did not attempt.

Additionally, the QMSR requires that risk management be applied using recognized risk management techniques. While FDA has historically accepted FMEAs, the QMSR's incorporation of ISO 14971 means the risk management process must address all elements of the standard — not just failure modes analysis but also hazard identification from intended use and foreseeable misuse, risk estimation with defined probability and severity scales, risk evaluation against a defined acceptance matrix, and formal benefit-risk analysis where residual risks exceed acceptability. A standalone FMEA without the surrounding ISO 14971 framework (plan, report, post-market feedback loop) is no longer sufficient.

Atomic constraints

  • A risk management plan must be documented for each product.
  • Hazards must be systematically identified and analyzed.
  • Risk controls must be implemented and verified for effectiveness.
  • Residual risk must be evaluated and accepted by authorized personnel.
  • Risk management activities must be traceable throughout the product lifecycle.
  • Risk-benefit analysis must be performed when residual risk exceeds acceptable levels.

Common gaps

No Risk Management Plan

major

The organization performs risk analysis (typically an FMEA) but does not have a product-specific Risk Management Plan per ISO 14971 section 4.4. Without a plan, there are no defined risk acceptability criteria, no assigned responsibilities, no defined scope, and no method for evaluating overall residual risk. The FMEA exists in isolation without the framework that gives it meaning.

Risk Analysis Limited to Design Phase Only

major

Risk analysis was performed during product design and development but is not maintained through production, post-market surveillance, and device retirement. The risk file has not been updated since initial product launch, despite field complaints, design changes, and new regulatory information becoming available.

No Risk Management Report

major

The organization has an FMEA but no Risk Management Report per ISO 14971 sections 7-9. There is no documented evaluation of overall residual risk, no formal risk management review confirming all planned activities were completed, and no overall benefit-risk conclusion for the device.

Risk Acceptability Criteria Not Defined

major

The FMEA contains risk priority numbers (RPNs) or risk ratings but there are no defined, pre-established criteria for what constitutes acceptable vs. unacceptable risk. Acceptability decisions are made ad hoc based on engineering judgment without reference to a risk acceptance matrix approved before the analysis began.

Risk Control Hierarchy Not Applied

moderate

Risk controls are identified but not evaluated using the ISO 14971 priority hierarchy (inherent safety by design > protective measures > information for safety). Labeling and warnings are used as primary risk controls without documenting why design changes or protective measures are not feasible.
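The paragraphs above describe risk evaluation against a pre-established acceptance matrix, the ISO 14971 control priority hierarchy, AFAP justification and benefit-risk analysis, and the gaps list describes what an auditor flags when those pieces are missing. The script below is an added illustration, not part of this crosswalk and not any official ISO 14971 or FDA tool: it evaluates a constructed hazard table against a hypothetical acceptance matrix and reports the same kinds of findings as the gaps list. The severity and probability scales, the matrix contents, the three sample hazards and the file names are all constructed for the example; a real Risk Management Plan defines its own criteria. The file-name filter reuses the FILE_EXISTS pattern given in the evidence signals.

```python
import re
from dataclasses import dataclass, field

# Constructed ordinal scales (a real Risk Management Plan defines its own).
SEVERITY = {"negligible": 0, "minor": 1, "serious": 2, "critical": 3, "catastrophic": 4}
PROBABILITY = {"improbable": 0, "remote": 1, "occasional": 2, "probable": 3, "frequent": 4}

# Hypothetical acceptance matrix, approved before analysis starts (ISO 14971 section 4.4).
# ACCEPTANCE_MATRIX[probability][severity]: "A" acceptable, "R" reduce further
# (tolerable only with a documented AFAP rationale), "U" unacceptable.
ACCEPTANCE_MATRIX = [
    # negligible, minor, serious, critical, catastrophic
    ["A", "A", "A", "R", "R"],  # improbable
    ["A", "A", "R", "R", "U"],  # remote
    ["A", "R", "R", "U", "U"],  # occasional
    ["R", "R", "U", "U", "U"],  # probable
    ["R", "U", "U", "U", "U"],  # frequent
]

# ISO 14971 control priority: lower rank is the preferred option.
HIERARCHY = {"design": 0, "protective": 1, "information": 2}

# Pattern copied from the FILE_EXISTS evidence signal on this page (case-sensitive as given).
RISK_DOC_PATTERN = re.compile(r"(Risk.*Management|FMEA|Hazard.*Analysis|Risk.*Assessment)")


@dataclass
class Control:
    kind: str          # "design", "protective" or "information"
    description: str
    verified: bool     # effectiveness verified through design V&V


@dataclass
class HazardRecord:
    hazard_id: str
    hazard: str
    severity: str
    probability: str                # estimated before controls
    residual_probability: str       # estimated after controls (severity kept unchanged here)
    controls: list = field(default_factory=list)
    hierarchy_rationale: str = ""   # why design/protective options were not feasible
    afap_rationale: str = ""        # why further reduction is not practicable
    benefit_risk_analysis: bool = False
    accepted_by: str = ""           # authorized person who accepted the residual risk


def zone(severity: str, probability: str) -> str:
    """Look up the pre-defined acceptability zone for one severity/probability pair."""
    return ACCEPTANCE_MATRIX[PROBABILITY[probability]][SEVERITY[severity]]


def evaluate(rec: HazardRecord) -> dict:
    """Evaluate one hazard record and list findings in the style of the gaps above."""
    initial = zone(rec.severity, rec.probability)
    residual = zone(rec.severity, rec.residual_probability)
    findings = []
    if not rec.controls and initial != "A":
        findings.append("no risk control for a non-acceptable initial risk")
    for c in rec.controls:
        if not c.verified:
            findings.append(f"control not verified: {c.description}")
    best = min((HIERARCHY[c.kind] for c in rec.controls), default=None)
    if best == HIERARCHY["information"] and not rec.hierarchy_rationale:
        findings.append("labeling used as primary control without hierarchy rationale")
    if residual == "U" and not rec.benefit_risk_analysis:
        findings.append("residual risk unacceptable and no benefit-risk analysis")
    if residual != "U" and not rec.afap_rationale:
        findings.append("AFAP rationale missing (required even in the acceptable zone)")
    if not rec.accepted_by:
        findings.append("residual risk not accepted by authorized personnel")
    return {"id": rec.hazard_id, "initial": initial, "residual": residual, "findings": findings}


def evaluate_file(records) -> list:
    return [evaluate(r) for r in records]


def find_risk_documents(filenames) -> list:
    """Apply the page's FILE_EXISTS pattern to a list of document names."""
    return [f for f in filenames if RISK_DOC_PATTERN.search(f)]


# Constructed sample hazards; not taken from any real device's risk file.
SAMPLE_RECORDS = [
    HazardRecord("H-01", "Over-infusion after occlusion release", "critical", "occasional", "improbable",
                 controls=[Control("design", "Flow-rate limiter in pump firmware", True),
                           Control("information", "Occlusion warning in IFU", True)],
                 afap_rationale="Limiter already at actuator hardware limit", accepted_by="RM lead"),
    HazardRecord("H-02", "Allergic reaction to housing material", "serious", "remote", "remote",
                 controls=[Control("information", "Material disclosure on label", False)]),
    HazardRecord("H-03", "Battery thermal runaway", "catastrophic", "occasional", "remote",
                 controls=[Control("protective", "Thermal fuse in battery pack", True)],
                 hierarchy_rationale="Alternative cell chemistry not available at required capacity"),
]

# Constructed file names for the FILE_EXISTS signal.
SAMPLE_FILENAMES = ["DHF-0042 Risk Management Plan.docx", "FMEA_Rev_C.xlsx",
                    "Design Inputs.docx", "Hazard_Analysis_v2.pdf", "Complaint_Log.csv"]

if __name__ == "__main__":
    for result in evaluate_file(SAMPLE_RECORDS):
        print(result["id"], result["initial"], "->", result["residual"], result["findings"])
    print("risk documents found:", find_risk_documents(SAMPLE_FILENAMES))
```

H-01 moves from the unacceptable zone to the reduce-further zone with a design control first in the hierarchy and an AFAP rationale, so it yields no findings; H-02 reproduces the "hierarchy not applied", unverified-control and missing-acceptance gaps; H-03 stays unacceptable after controls and is flagged for the missing benefit-risk analysis. The matrix is deliberately a separate, approved data structure rather than a per-hazard judgement, which is the point of the "Risk Acceptability Criteria Not Defined" gap.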

Evidence signals

  • FILE_EXISTS

    (Risk.*Management|FMEA|Hazard.*Analysis|Risk.*Assessment)

  • CONTENT_MATCH

    Does this document identify hazards, estimate risk severity and probability, define risk controls, and evaluate residual risk acceptability?

Audit defense

The Risk Management File for [your product] ([your document ID]) follows ISO 14971 and integrates with our design controls per QMSR requirements. Every identified hazard has traceable risk controls verified through V&V activities, with residual risk formally accepted by our Risk Management authority.
