21 CFR Part 820 Risk Management: Requirements and How to Implement Them
TLDR
On February 2, 2026, FDA's Quality Management System Regulation (QMSR) replaced the legacy Quality System Regulation (QSR) under 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference and fundamentally expands risk management requirements beyond design controls to every part of a manufacturer's quality system. If your risk management program still looks like it did under the old QSR, it is no longer compliant. This article explains exactly what QMSR demands, how ISO 14971:2019 fits in, what a complete risk management file looks like, and the most common gaps FDA investigators find in 2026.
What QMSR Now Requires for Risk Management
The QMSR, which took effect on February 2, 2026, represents the most significant overhaul of U.S. medical device quality regulations in decades. The rule amends 21 CFR Part 820 by incorporating ISO 13485:2016 by reference, replacing the prescriptive QSR subsystem requirements with the internationally recognized framework used by regulators in the EU, Canada, Japan, Brazil, and Australia. (FDA)
Under QMSR, risk management is no longer a design-phase activity. ISO 13485:2016 requires manufacturers to apply a risk-based approach across the entire quality management system, as described in Subclause 4.1.2. That means risk thinking must inform decisions in purchasing, production, complaint handling, supplier qualification, corrective and preventive actions, and every other process within the QMS.
FDA's official definition of risk, drawn directly from ISO 13485, is: the combination of the probability of occurrence of harm and the severity of that harm. This definition governs how manufacturers must frame, document, and evaluate all risk-related decisions throughout the product lifecycle.
The QMSR also requires manufacturers to document their risk-based decisions as part of QMS documentation, maintained per ISO 13485 Subclause 4.2.5. Undocumented risk decisions are, in the eyes of an FDA investigator, decisions that were never made.
ISO 13485:2016 Incorporation by Reference: What It Means for Risk
Before the QMSR, 21 CFR Part 820 contained its own written requirements for each QMS element. The new Part 820 is dramatically shorter. Most requirements now appear as references to specific clauses of ISO 13485:2016, the full text of which manufacturers must have and follow.
For risk management, the relevant ISO 13485 clauses are:
- Clause 4.1.2 requires a risk-based approach to control of QMS processes.
- Clause 7.1 requires risk management to be addressed during product realization planning.
- Clause 7.3 connects risk management to design and development.
- Clause 7.4 applies risk thinking to purchasing processes, meaning supplier risk must be evaluated and documented.
- Clause 8.2.1 requires feedback from post-market surveillance to serve as input into risk management.
- Clause 8.4 requires data analysis to demonstrate the suitability and effectiveness of the QMS.
- Clause 8.5.1 requires the manufacturer to identify and implement changes necessary for continued safety and performance.
This framework demands a living, connected risk management system, not a one-time design phase exercise. Post-market data must flow back into your risk files. Supplier risk must be evaluated and re-evaluated. Process risk must inform how you control and monitor production.
QMSR Risk Management vs. the Old QSR: Key Differences
Under the old QSR, risk analysis was primarily located in 21 CFR 820.30(g), tied to design controls. Risk analysis was largely a design-phase deliverable. The scope of risk management was narrower, inspection was more procedural, and the QSIT inspection technique focused on defined subsystems independently.
QMSR changes this in three important ways.
First, risk management now spans the entire QMS. FDA's January 2026 Town Hall on QMSR risk and design topics made clear that even Class I devices exempt from design controls must maintain records of risk management activities for production processes, purchasing, and labeling. (FDA Town Hall, January 14, 2026)
Second, FDA's inspection approach changed on the same day the QMSR took effect. The agency replaced the QSIT technique with Compliance Program 7382.850, a risk-driven, lifecycle-focused inspection model. Investigators now evaluate end-to-end risk controls holistically, not as isolated subsystems.
Third, management review records are now inspectable. Under the old QSR, they were explicitly exempt. Under QMSR, FDA investigators can request and review them. Any candid language, incomplete documentation, or unresolved action items in those records becomes inspection evidence.
The shift in expectation is significant: where the old QSR asked "do you have a procedure?", QMSR asks "can you demonstrate that risk-based decisions were made consistently across your entire QMS?"
ISO 14971:2019 and QMSR: The Practical Alignment
FDA made clear at the January 2026 Town Hall that ISO 14971 is not a mandatory requirement under QMSR. There is no QMSR clause that explicitly mandates conformity to ISO 14971. Manufacturers may use any validated risk management process appropriate for their device and QMS.
However, the practical reality is this: ISO 14971:2019 is the gold standard framework for medical device risk management, and without a process of equivalent rigor, demonstrating that your risk management is effective, systematic, and defensible is extremely difficult. FDA investigators will probe the logic of your risk decisions. If you cannot point to a structured framework, the burden of proof rests entirely on you.
ISO 14971:2019, the third edition of the standard, was confirmed current in 2025 and represents the most comprehensive version to date. It applies to all types of risks throughout the device lifecycle, from conception through decommissioning, and specifically covers software as a medical device (SaMD) and in vitro diagnostic devices.
For manufacturers seeking QMSR compliance while maintaining global market access, ISO 14971:2019 combined with ISO 13485:2016 provides a dual-compliance architecture that satisfies FDA, MDR, Health Canada, and most other major regulatory frameworks simultaneously.
The ISO 14971:2019 Risk Management Process
The ISO 14971:2019 process consists of five core activities that form a closed loop across the product lifecycle.
Risk Analysis
Risk analysis starts with the intended use and reasonably foreseeable misuse of the device. The manufacturer identifies all hazards associated with the device, determines the hazardous situations that could arise from each hazard, and estimates the risk for each hazardous situation. A Hazard Analysis is typically the primary output, with supporting tools like Failure Mode and Effects Analysis (FMEA) providing structured documentation of potential failure modes, their causes, effects, current controls, and risk levels.
Risk Evaluation
Once risks are estimated, the manufacturer evaluates each against pre-defined risk acceptability criteria. These criteria must be established in the risk management plan before analysis begins. ISO 14971 does not specify acceptable risk levels, since acceptability depends on device type, intended patient population, and clinical benefit context. What the standard requires is objective, documented criteria and a consistent methodology for applying them.
Risk Control
When a risk is judged unacceptable, the manufacturer must implement controls using a strict priority hierarchy:
- Inherently safe design (eliminate or reduce the hazard at source)
- Protective measures in the device or manufacturing process
- Information for safety (labels, warnings, instructions for use)
Risk controls must be verified for effectiveness. New hazards introduced by the controls themselves must be identified and evaluated. This is an area where many manufacturers fall short: they implement a control but fail to assess whether the control created a new or modified risk.
Residual Risk Evaluation
After controls are implemented, the residual risk for each hazard must be evaluated against the acceptability criteria. If the residual risk remains unacceptable and further risk reduction is not practicable, the manufacturer must weigh the residual risk against the clinical benefit of the device. This benefit-risk analysis must be documented.
The overall residual risk must then be evaluated in totality. Even if individual residual risks are acceptable, the aggregate residual risk across the device may not be.
Risk Management Report
The risk management report is the formal summary that ties the entire process together. It confirms that the risk management plan was executed, all identified risks were evaluated, the overall residual risk is acceptable, and appropriate post-production information collection methods are in place. This report is a required output of ISO 14971 and a critical component of the risk management file.
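The following block is an added illustration of the closed loop just described, written for this article; it is not code from Cloudtheapp's platform and not text from ISO 14971. It models the five activities in order: acceptability criteria are fixed in a plan object before any situation is evaluated, each hazardous situation carries an initial estimate, its controls (tagged with their tier in the control hierarchy and whether effectiveness was verified), a residual estimate and, where needed, a benefit-risk rationale; hazards introduced by a control are pulled into the evaluation automatically, and the report aggregates residual risk across the device. The 1-to-5 scales, the product scoring, the thresholds, the hypothetical infusion-device hazards and every identifier are constructed assumptions, since the standard prescribes none of them.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed 5-point scales: probability of harm and severity of harm, both 1 (lowest) to 5.
# ISO 14971 prescribes neither a scale nor a scoring formula; P*S is an assumption of this example.
RISK_CONTROL_PRIORITY = ("inherently_safe_design", "protective_measure", "information_for_safety")


@dataclass
class RiskControl:
    option: str                       # one of RISK_CONTROL_PRIORITY
    description: str
    verified: bool                    # effectiveness verification is on record
    introduces: List["HazardousSituation"] = field(default_factory=list)  # new hazards the control creates


@dataclass
class HazardousSituation:
    hazard_id: str
    description: str                  # hazard -> hazardous situation -> harm
    probability: int                  # estimates before risk control
    severity: int
    controls: List[RiskControl] = field(default_factory=list)
    residual_probability: Optional[int] = None
    residual_severity: Optional[int] = None
    benefit_risk_rationale: str = ""  # required if residual risk stays unacceptable


@dataclass(frozen=True)
class RiskManagementPlan:
    """Acceptability criteria fixed before analysis begins (constructed thresholds)."""
    acceptable_max_score: int         # one situation is acceptable when P*S is at or below this
    overall_max_score: int            # device as a whole: sum of residual scores must not exceed this


def risk_score(probability: int, severity: int) -> int:
    """Risk = combination of probability of occurrence of harm and its severity; here their product."""
    return probability * severity


def expand_with_control_hazards(situations):
    """All situations plus those introduced by controls, recursively, so none escapes evaluation."""
    result, queue = [], list(situations)
    while queue:
        hs = queue.pop(0)
        result.append(hs)
        for ctrl in hs.controls:
            queue.extend(ctrl.introduces)
    return result


def evaluate_situation(plan, hs):
    """Risk evaluation, control checks and residual risk evaluation for one hazardous situation."""
    findings = []
    initial = risk_score(hs.probability, hs.severity)
    if initial > plan.acceptable_max_score and not hs.controls:
        findings.append("unacceptable risk with no risk control")
    findings += [f"control not verified: {c.description}" for c in hs.controls if not c.verified]
    if hs.controls and (hs.residual_probability is None or hs.residual_severity is None):
        findings.append("controls applied but residual risk not estimated")
    rp = hs.probability if hs.residual_probability is None else hs.residual_probability
    rs = hs.severity if hs.residual_severity is None else hs.residual_severity
    residual = risk_score(rp, rs)
    if residual > plan.acceptable_max_score and not hs.benefit_risk_rationale:
        findings.append("residual risk unacceptable and no benefit-risk analysis documented")
    if initial > plan.acceptable_max_score and hs.controls and all(
            c.option == "information_for_safety" for c in hs.controls):
        findings.append("relies only on information for safety; justify skipping higher-priority options")
    return {"hazard_id": hs.hazard_id, "initial_score": initial, "residual_score": residual,
            "residual_acceptable": residual <= plan.acceptable_max_score, "findings": findings}


def risk_management_report(plan, situations):
    """Closes the loop: per-situation results, overall residual risk, and the findings still open."""
    rows = [evaluate_situation(plan, hs) for hs in expand_with_control_hazards(situations)]
    overall = sum(row["residual_score"] for row in rows)
    findings = [f"{row['hazard_id']}: {f}" for row in rows for f in row["findings"]]
    if overall > plan.overall_max_score:
        findings.append(f"overall residual risk {overall} exceeds plan limit {plan.overall_max_score}")
    return {"rows": rows, "overall_residual_score": overall, "findings": findings, "file_complete": not findings}


def sample_situations():
    """Constructed hazards for a hypothetical infusion device; not taken from any real risk file."""
    side_effect = HazardousSituation("H-02a", "over-strict range check -> valid high dose rejected -> delay", 2, 2)
    return [
        HazardousSituation("H-01", "mains leakage -> user touches enclosure -> electric shock", 2, 4,
                           controls=[RiskControl("protective_measure", "double insulation", verified=True)],
                           residual_probability=1, residual_severity=4),
        HazardousSituation("H-02", "integer overflow in dose calculation -> wrong rate -> overdose", 3, 5,
                           controls=[RiskControl("inherently_safe_design", "bounded arithmetic with range checks",
                                                 verified=True, introduces=[side_effect])],
                           residual_probability=1, residual_severity=5),
        HazardousSituation("H-03", "connector fits wrong port -> misconnection -> wrong-route infusion", 3, 3,
                           controls=[RiskControl("information_for_safety", "warning label on port", verified=False)],
                           residual_probability=2, residual_severity=3),
    ]


SAMPLE_PLAN = RiskManagementPlan(acceptable_max_score=6, overall_max_score=24)
```

Running `risk_management_report(SAMPLE_PLAN, sample_situations())` lists two open findings, both on H-03 (an unverified control, and reliance on information for safety alone for an initially unacceptable risk), while the hazard introduced by the H-02 control is evaluated on its own row. Tightening `overall_max_score` to 16 adds a third finding even though every individual residual risk is acceptable, which is the aggregate check the text describes.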
What a Complete Risk Management File Contains
The risk management file (RMF) is the organized collection of documents and records that demonstrate a manufacturer's risk management activities for a specific device. Under both ISO 14971 and QMSR, the RMF must be traceable, complete, and maintained throughout the product lifecycle.
A compliant risk management file typically includes:
- Risk management plan: Scope, intended use, life cycle phases covered, risk acceptability criteria, and responsibilities.
- Hazard identification records: Comprehensive list of hazards and hazardous situations derived from intended use analysis.
- Risk estimation records: For each hazardous situation, the estimated probability of harm and severity, with supporting rationale.
- Risk evaluation records: Comparison of estimated risks to acceptability criteria, with documented decisions for each.
- Risk control records: Description of selected controls, verification of effectiveness, and evaluation of any new risks introduced.
- Residual risk evaluation: Post-control risk assessments and benefit-risk analysis where required.
- Risk management report: Summary document confirming plan execution, risk acceptability, and post-production monitoring methods.
- Post-market surveillance records: Evidence that post-market data is fed back into risk management per ISO 13485 Clauses 8.2.1 and 8.5.1.
The Risk Register functions as the living backbone of the RMF, aggregating risks across the device and QMS processes in a single, auditable record.
Every document in the risk management file must carry an Audit Trail, showing who created, reviewed, and approved each record and when. If your QMS is electronic, its electronic records and signatures must comply with 21 CFR Part 11.
Common QMSR Risk Management Gaps at FDA Inspections
As FDA investigators begin operating under CP 7382.850 and QMSR, certain deficiency patterns are already emerging. Quality Directors and Regulatory Affairs Managers should conduct gap assessments against these areas before the next inspection.
Risk management confined to design controls. The most prevalent gap is treating risk management as a design-phase-only activity. QMSR requires risk-based thinking across complaints, supplier qualification, production processes, and corrective actions. If your Deviation CAPA process does not include a documented risk-based prioritization decision, that is a gap.
Undocumented risk-based decisions. FDA's Town Hall guidance was explicit: risk-based decisions must be documented in QMS records. A complaint investigation that differentiates between a packaging defect and a patient harm complaint is exercising risk-based thinking. If that differentiation is not documented, it cannot be demonstrated during an inspection. Audit Finding records that do not reflect the risk-based rationale for corrective action timing or scope are another common observation.
No post-market feedback loop into risk management. ISO 13485 Clauses 8.2.1 and 8.5.1 require that post-market data informs the risk management process. Many manufacturers have complaint handling procedures and post-market surveillance programs, but no documented mechanism connecting post-market data back to their risk files. This traceability gap is increasingly cited at inspections.
Missing or incomplete risk management files. The risk management file must exist as an organized collection, not a scattered set of documents across different folders or systems. Missing risk management reports, unapproved hazard analysis records, or unverified risk controls are among the most direct pathways to an FDA Form 483 observation.
Risk acceptability criteria not established in advance. Defining acceptability criteria after risk analysis is complete is a significant procedural violation. The criteria must be in the risk management plan before hazard analysis begins.
Supplier risk not evaluated or documented. ISO 13485 Clause 7.4 applies risk thinking to purchasing. Under QMSR, if you have outsourced critical processes or use critical suppliers, there must be documented risk evaluations supporting your supplier qualification and monitoring decisions. Cloudtheapp's Supplier Quality Management module directly addresses this requirement by enabling documented risk-based supplier evaluation workflows.
Root Cause Investigation records disconnected from risk management. When a nonconformance triggers a root cause investigation, the findings should feed back into the risk management file if they reveal a new hazard or previously underestimated risk. Systems where CAPA and risk management operate in silos fail this expectation.
How an eQMS Supports 21 CFR Part 820 Risk Management
Managing QMSR risk management requirements manually or across disconnected spreadsheets is increasingly untenable. Risk data lives across multiple device files, supplier records, production nonconformances, complaints, and management reviews. Without a connected system, demonstrating end-to-end traceability to an FDA investigator is extremely difficult.
An electronic QMS (eQMS) built for QMSR and ISO 13485 dual compliance closes this gap by connecting risk management to every relevant QMS process in a single platform.
Cloudtheapp's Enterprise Risk Management application provides a centralized environment for building and maintaining risk management files, tracking risk controls, and documenting residual risk evaluations with full audit trail support. The platform's Hazard Analysis and FMEA tools guide users through the ISO 14971:2019 process step by step, ensuring that risk analysis, evaluation, control, and reporting activities are structured, linked, and version-controlled.
The Risk Assessments module connects directly to Design Controls, so design changes automatically trigger risk impact evaluations, keeping the risk management file current throughout the product development lifecycle. Supplier risk records in the Supplier Qualification Management module link to the purchasing risk evaluation requirements of ISO 13485 Clause 7.4, creating the documented evidence FDA expects.
Post-market surveillance data from complaints, deviations, and nonconforming material records feeds back into the risk management environment automatically, satisfying the ISO 13485 Clauses 8.2.1 and 8.5.1 loop that FDA now actively inspects.
Because Cloudtheapp is a fully validated platform compliant with 21 CFR Part 820 (QMSR), ISO 13485:2016, and ISO 9001, manufacturers can maintain their own QMS compliance while operating on infrastructure that already satisfies FDA's Computer System Validation requirements. Every update comes with a complete validation package, removing the burden of managing platform compliance in-house.
For quality and regulatory teams managing QMSR transition, this means less time on documentation administration and more time on the substantive risk decisions that protect patients and keep devices on the market.
Conclusion
QMSR risk management is not a design controls update. It is a fundamental shift in how risk thinking must be embedded across every element of a medical device manufacturer's quality system. With FDA inspections now operating under CP 7382.850 and ISO 13485:2016 as the binding framework, manufacturers who treat risk management as a pre-market exercise will face growing inspection risk.
The ISO 14971:2019 process remains the most rigorous and defensible framework available, and the combination of ISO 14971 and ISO 13485 provides the strongest foundation for both FDA and global regulatory compliance.
For Quality Directors, Regulatory Affairs professionals, and Risk Managers navigating this transition, the starting point is a documented gap assessment: where does risk-based thinking exist in your QMS today, where is it absent, and what records demonstrate that risk decisions were made intentionally and consistently?
If you are building or restructuring your QMSR risk management program, request a demo at cloudtheapp.com to see how Cloudtheapp's validated eQMS platform supports end-to-end 21 CFR Part 820 risk management, from hazard analysis and FMEA through post-market surveillance feedback and audit-ready documentation.
