Many authorities and regulations refer to a risk-based approach (RBA) but do not define the term or provide examples.
This article provides an overview of how risk management and ISO 13485 interact and what a risk-based approach is, and it gives specific advice on how
- companies can comply with these regulatory requirements and
- laws and standards should formulate requirements to fulfill their claim of risk-based regulation.
1. Risk management and ISO 13485
a) Risk-Based Approach: What risks are involved
ISO 14971 defines the term “risk” as the combination of the probability of harm and the severity of that harm. The standard defines harm primarily as physical injury and adverse effects on health. However, it also includes harm to property or the environment.
In contrast, the risk-based approach considers not only the physical harm to patients, users, and third parties but also the harm or consequences resulting from regulatory non-compliance, e.g.:
- Withdrawal of certificate
- Deviations in the audit
- Delayed or prevented issuance of a new certificate
According to its recitals, the MDR aims for a risk-based classification of medical devices. Rule 11, however, classifies software based only on the severity of harm and does not consider the probability of that harm. This classification rule is not risk-based.
b) Risk-based approach: Adjusting the efforts to the risks
The risk-based approach involves companies adapting their efforts in the context of quality management (according to ISO 13485) to the risks. This serves the following objectives:
- Avoiding unnecessary efforts and quality paperwork
- Focusing resources on the “critical” aspects
- Increasing safety (e.g., of patients) and legal compliance

Examples of a risk-based approach are:
- Risk-based auditing
- Risk-based testing
- Risk-based maintenance
IEC 62304 defines the minimum level of software documentation for software safety classes. Since the safety classes are only partially determined on a risk-based basis, the documentation requirements are not consistently risk-based.
The risk-based approach can thus be defined as follows:
“A quality management approach that adjusts the efforts to minimize risks according to the size of those risks.”
Source: Johner Institute
2. Regulatory framework for a risk-based approach
a) Risk management and ISO 13485:2016
What the standard requires
The most extensive requirements for the risk-based approach are set out in ISO 13485:2016. This approach must be reflected in the quality management system:
- Control of internal processes (chapter 4)
- Control of outsourced processes and decisions on outsourcing (chapter 4)
- Validation of computerized systems (CSV) (chapter 4)
- Review of training effectiveness (chapter 6.2)
- Development of products (chapter 7.1–7.3)
- Evaluation and selection of suppliers (chapter 7.4)
- Control of suppliers, including verification of purchased products (chapter 7.4)
- Validation of processes and computer software (chapters 7.5 and 7.6)
- Prevention of undesired results by improving the QM system (chapter 8)
What is not required by the standard
In Chapter 4.1, ISO 13485:2016 does not require risk-based control of all processes but only of the appropriate processes. The standard mentions in the respective chapters which processes these are, at least. This corresponds to the list above, with the exception of development.
ISO 13485:2016 does not specify how and where the manufacturer must demonstrate how it implements the risk-based approach. In particular, there is no requirement to discuss this in every document. Corresponding demands by notified bodies lack a normative basis.
Johner Institute recommends presenting the risks and the risk-based approach in the quality management manual, for example. More on this later.
b) MDR
The MDR mentions the concept of a risk-based approach but does not formulate any specific requirements for manufacturers.
c) USA / FDA
Inspections
The FDA also bases inspection selection, intensity, and frequency on a risk-based approach. Companies are more likely to be inspected if
- their products can cause a great deal of harm, or
- they have a history of product-related problems or inspection issues.
With its risk-based approach, the FDA can achieve the highest possible effectiveness with limited resources.
Risk-based effort in the guidance documents
In many of its guidance documents, the FDA requires a risk-based approach. This should be applied (as in ISO 13485) to QM-relevant processes such as the validation of processes and products:
- Off-The-Shelf Software Use in Medical Devices: The effort to select and review OTS components should be “safety-based”. The FDA wants to adapt the efforts to the possible severity of harm, not to the risk.
- General Principles of Software Validation: Software validation and revalidation efforts should be dependent on the risk of the software (change).
- Applying Human Factors and Usability Engineering to Medical Devices: The decision on the validation efforts (usability tests) should also be risk-based.
- Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: “employ a risk-based approach to the design and development of medical devices with appropriate cybersecurity protections;”
d) Special case: ISO 9001 and risk management
Since its 2015 version, ISO 9001 has also used a risk-based approach. It states the following:
Measures for dealing with risks and opportunities must be proportionate to the potential impact on the conformity of products and services.
Source: ISO 9001:2015 Chapter 6.1
ISO 9001 has a partially different understanding of the term ‘risk’ than ISO 13485. It is also concerned with business risks.
3. Implementing the risk-based approach
a) Step 1: Identify risks per process
For example, list all relevant processes in your QM manual and identify the associated risks. This can be done in tabular form (see Table 1).
Consider both regulatory risks and risks in the sense of ISO 14971 (especially for physical integrity).
b) Step 2: Define measures
In another column, add the measures you intend to use to control risks. The possible types of measures according to ISO 9001:2015 include:
- avoiding risks
- accepting risks
- reducing risks by changing the severity or probability of harm
- eliminating risks (“inherent safety”), e.g., by eliminating the cause
This table could look like this as an example:
| Process (area) | Procedure and work instructions | Risks | Measures |
|---|---|---|---|
| Document control | SOP Control of documents; SOP Control of records | Regulatory risks: documents are not controlled. Risks according to ISO 14971: defective products due to incorrect test instructions. | Both SOPs require the use of a DMS; approval processes for new documents. |
| Human resources | SOP Training and continuing education; WI Monitoring success | Regulatory risks: training is not provided or documented, and there is no monitoring of success. Risks according to ISO 14971: defective products because employees have developed or produced them incorrectly. | SOP requires monitoring of success and regular review of implementation. |
| Product realization | SOP Development; SOP Purchasing; WI Incoming goods; SOP Production | Development: defective products. Purchasing: non-conforming products due to components that do not meet the specifications. | SOP Development: Design Review verifies compliance with the process. SOP requires suppliers to be qualified; WI requires incoming goods to be reviewed. |
c) Step 3: Define risk classes
In the third step, the manufacturers define risk classes, e.g.:
| Risk class | Regulatory risks | “Risks” according to ISO 14971 |
|---|---|---|
| A: low | Minor Non-Conformity | No significant physical harm |
| B: medium | Major Non-Conformity in audit | Product defect that could result in physical injury or impairment |
| C: high | Withdrawal or suspension of the certificate; legal proceedings | Product defect that could result in irreversible damage or death |
Note: Technically, the two right-hand columns do not describe risks, but rather the severity of harm when the probability is unclear. The latter should be understood as “reasonably foreseeable”.
d) Step 4: Adjusting the measures to the risk class
The scope of the measures (right column in Table 1) must now be adapted to the risk (risk class). This is the risk-based approach.
Example 1: Design Review
The effort required for design reviews can be adjusted according to the risk classes. The levers for this adjustment include:
- Frequency
- Intensity: duration, test aspects
- Involved parties

| Risk class | Frequency | Intensity | Involved parties |
|---|---|---|---|
| A: low | Upon approval of the system specification and in conjunction with the design transfer. | Checklist A | Development and Project Leads, QM Lead, Production Lead |
| B: medium | Similar to A. Additionally, upon approval of the system architecture and before system testing. | Checklists A + B | Similar to A |
| C: high | At the end of every sprint (4–6 weeks). | Checklists A, B and C | The same as A. Additionally, the “Product Owner” |
Example 2: Qualification of suppliers
ISO 13485:2016 requires the risk-based approach to be applied to the selection, evaluation, and monitoring of suppliers.
| Risk class | Certified QMS | QSV | Supplier audits | Self-disclosure |
|---|---|---|---|---|
| A: low | X | | | |
| B: medium | X | X | X | |
| C: high | X | X | X | X |
Example 3: Validation of computer software
When validating computer software, manufacturers have several dimensions at their disposal to adjust the effort to the risks:
- Functionality: The validation can focus on “critical” functions of the software. These functionalities are expressed by:
  - usage scenarios or use cases
  - software requirements
- Test procedures: Depending on the risk, different test procedures can be used:
  - “Happy path” versus error-based testing
  - Systematic derivation of test cases using black-box test procedures such as equivalence class-based testing, boundary value-based testing, testing with decision tables, etc.
- Test coverage: There are many ways to quantify test coverage, including:
  - Proportion of usage scenarios tested
  - Statement coverage
  - Branch coverage
  - Percentage of UI elements tested
- Test aspects according to ISO 25010:
  - Functionality
  - Portability
  - IT security
  - Usability engineering
  - Performance (time behavior, resource consumption)
  - Interoperability
  - Robustness
  - Maintainability
- Test levels:
  - Unit tests
  - Integration tests
  - Software system tests
  - Tests after installation and configuration in the target environment
  - Other validation, e.g., usability tests
Example 4: Incoming goods
When it comes to incoming goods, the levers for a risk-based approach include, for example,
- the percentage of inspected parts
- the AQL value
- the proportion of inspected properties of a part
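As an added example (not from the original article), the following code makes the first two levers measurable: it computes the probability that a single-sampling inspection plan accepts a lot containing a given number of defective parts, and compares constructed plans whose sample size and acceptance number are tightened with the risk class. The plans and lot figures are constructed for illustration and are not taken from ISO 2859 or any AQL table.

```python
from math import comb

def prob_accept(lot_size: int, defectives: int, sample_size: int, accept_number: int) -> float:
    """Probability that a single-sampling plan (n = sample_size, c = accept_number)
    accepts a lot that actually contains `defectives` non-conforming units.

    Uses the hypergeometric model (sampling without replacement): the lot is
    accepted when at most c defectives are found in the n inspected parts.
    """
    if sample_size > lot_size or defectives > lot_size:
        raise ValueError("sample and defectives must not exceed the lot size")
    total = comb(lot_size, sample_size)
    # k defectives in the sample; comb() returns 0 when a term is impossible
    accepted = sum(
        comb(defectives, k) * comb(lot_size - defectives, sample_size - k)
        for k in range(min(accept_number, defectives, sample_size) + 1)
    )
    return accepted / total

def sample_size_for_fraction(lot_size: int, inspected_fraction: float) -> int:
    """Translate 'percentage of inspected parts' into a sample size (at least 1)."""
    if not 0 < inspected_fraction <= 1:
        raise ValueError("inspected_fraction must be in (0, 1]")
    return max(1, round(lot_size * inspected_fraction))

# Constructed plans keyed by the risk classes used in the article:
# (inspected fraction of the lot, acceptance number c).  Higher class,
# larger sample and stricter acceptance.
PLANS = {
    "A: low": (0.04, 1),
    "B: medium": (0.16, 1),
    "C: high": (0.40, 0),
}

def consumer_risk(lot_size: int, defectives: int) -> dict:
    """Probability per risk class that a lot with `defectives` bad parts passes
    incoming inspection (the 'consumer's risk' of the plan)."""
    return {
        cls: prob_accept(lot_size, defectives, sample_size_for_fraction(lot_size, frac), c)
        for cls, (frac, c) in PLANS.items()
    }

if __name__ == "__main__":
    # Constructed lot: 200 parts, 10 % defective
    for cls, p in consumer_risk(200, 20).items():
        print(f"{cls:10s} P(accept defective lot) = {p:.4f}")
```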
Example 5: Software development
IEC 62304 already implements the risk-based approach in the form of safety classes. (The limitations of this approach are described above.) Depending on the class, manufacturers must carry out and document activities such as a detailed design.
Manufacturers are free to consider the respective software system’s risk, even more specifically in the development plan. Possible areas for adjustment include:
- Everything mentioned in example 1 (design review)
- Everything mentioned in example 3 (CSV)
- Modeling depth in the architecture
- Decision to automate tests, e.g., for the GUI
- Process model
- Requirements for the competence of the team (explicit requirement of ISO 13485:2016)
- Decision on the use of SOUP and the outsourcing of parts of the development
4. Typical mistakes in risk management
a) Severity-based instead of risk-based approach
Although legislators, authorities, notified bodies, and manufacturers claim to act in a risk-based manner, they usually do not. They make their decisions primarily based on the severity of possible harm. In doing so, they overlook that many less serious harms could be less justifiable than a single possible serious harm that has not yet occurred.
b) Missing frame of reference
A reference framework is needed to compare and evaluate these scenarios. This would have to answer questions such as:
- How do you quantify the “total risk”?
- How do you take into account the benefits of the products? (The aim is to optimize the risk-benefit ratio.)
- Which risks need to be considered? (For example, it would be necessary to clarify how to assess the risks arising from medical devices that are unavailable, or not available to everyone due to high costs.)
c) Egocentric point of view
Preliminary remark: The word “egocentric” is used in its original sense, meaning to place oneself at the center of one’s considerations.
Authorities, notified bodies, and manufacturers’ employees are (usually unconsciously) tempted by the risk-based approach to allow their own risks to influence their decisions.
If an authority or a notified body has approved a product that “publicly” endangers or even harms patients, it is likely to experience negative press coverage or come under pressure from a supervisory authority.
On the other hand, the probability is relatively low that the same organization will be held responsible for the illness or even death of patients resulting from its actions, i.e., because patients could not be adequately diagnosed or treated due to a lack of products. This is because the attribution of the consequences to the action is unclear.
This results in an asymmetry of risk.
5. Conclusion
The interplay between risk management and ISO 13485 and, thus, the risk-based approach allows the various organizations to adapt their quality management efforts to the risks. Examples are:
- Manufacturers, when creating templates such as SOPs and work instructions
- Notified bodies during audits and reviews
- Authorities, when enforcing conformity and defining measures
- Courts, when determining penalties
This allows organizations to focus their efforts on the relevant aspects, i.e., high risks. Everyone should take advantage of this opportunity.
Manufacturers would be well advised to adopt a risk-based approach not only for analytical quality assurance (e.g., audits, inspections, testing) but also for constructive quality assurance (e.g., development, maintenance) and all post-market activities.
The risk-based approach must never result in manufacturers failing to comply with normative or legal requirements, especially since this would create a regulatory risk.
Sometimes, a “risk-based approach” can be translated as “common sense.” Manufacturers and auditors should apply it, and the standards give us the opportunity to do so.
Change history
- 2024-12-20: Chapter 4 added, editorial changes
- 2019-02-26: First version published