<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/xsl" href="https://www.cloudtheapp.com/wp-content/plugins/rss-feed-styles/public/template.xsl"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:rssFeedStyles="http://www.lerougeliet.com/ns/rssFeedStyles#"
>

<channel>
	<title>QMSR compliance Archives | Cloudtheapp</title>
	<atom:link href="https://www.cloudtheapp.com/tag/qmsr-compliance/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.cloudtheapp.com/tag/qmsr-compliance/</link>
	<description>Configurable Quality Management &#38; Regulatory Compliance SaaS built on our Validated &#34;No-Code&#34; platform.</description>
	<lastBuildDate>Mon, 29 Jun 2026 00:00:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>/wp-content/uploads/3.svg</url>
	<title>QMSR compliance Archives | Cloudtheapp</title>
	<link>https://www.cloudtheapp.com/tag/qmsr-compliance/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>What Is Risk Management in ISO 13485 and FDA QMSR?</title>
		<link>https://www.cloudtheapp.com/what-is-risk-management-in-iso-13485-and-fda-qmsr/</link>
		
		<dc:creator><![CDATA[Cloudtheapp Inc.]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 00:00:31 +0000</pubDate>
				<category><![CDATA[General]]></category>
		<category><![CDATA[21 CFR Part 820]]></category>
		<category><![CDATA[FDA 483 observations]]></category>
		<category><![CDATA[FDA QMSR]]></category>
		<category><![CDATA[FMEA medical devices]]></category>
		<category><![CDATA[ISO 14971]]></category>
		<category><![CDATA[medical device risk management]]></category>
		<category><![CDATA[QMSR compliance]]></category>
		<category><![CDATA[risk management ISO 13485]]></category>
		<category><![CDATA[Risk Register]]></category>
		<guid isPermaLink="false">https://www.cloudtheapp.com/what-is-risk-management-in-iso-13485-and-fda-qmsr/</guid>

					<description><![CDATA[<p>What Is Risk Management in ISO 13485 and FDA QMSR? Risk management is among the most consistently enforced requirements in the medical device quality system. ISO 13485:2016 and the FDA&#39;s Quality Management System Regulation (QMSR), which became effective on February 2, 2026, both treat risk management as a requirement that runs across the entire product [&#8230;]</p>
<p>This post was created by and first appeared on <a href="https://www.cloudtheapp.com">Cloudtheapp</a></p>
]]></description>
										<content:encoded><![CDATA[<h1>What Is Risk Management in ISO 13485 and FDA QMSR?</h1>
<p>Risk management is among the most consistently enforced requirements in the medical device quality system. ISO 13485:2016 and the FDA&#39;s Quality Management System Regulation (QMSR), which became effective on February 2, 2026, both treat risk management as a requirement that runs across the entire product lifecycle — from design inputs through post-market surveillance.</p>
<p>This article covers what risk management requires under both standards, how ISO 14971 fits into the picture, what FDA inspectors have been flagging in recent inspection cycles, and what a functional risk management program looks like in an audit-ready QMS.</p>
<h2>What the QMSR says about risk management</h2>
<p>The FDA finalized the QMSR in February 2024 after a multi-year harmonization effort. The regulation&#39;s central mechanism is incorporating ISO 13485:2016 by reference under 21 CFR 820.10(b). That means the ISO 13485 risk management requirements are now legally enforceable FDA requirements for U.S. medical device manufacturers.</p>
<p>ISO 13485:2016 uses the phrase &quot;risk management&quot; 33 times across its clauses. The standard requires manufacturers to document and apply a risk-based approach to design and development, production controls, purchasing decisions, corrective action, and process changes. Risk management appears as a requirement in Clause 4 (general quality management system), Clause 7 (product realization), and Clause 8 (measurement, analysis, and improvement).</p>
<p>The QMSR also preserves FDA-specific requirements that supplement ISO 13485. Under 21 CFR 820.10(c), FDA maintains its own design and development requirements, which manufacturers must meet alongside ISO 13485 Clause 7. For product-level risk documentation, this creates a dual obligation — and FDA inspectors check for compliance with both layers.</p>
<h2>ISO 14971 and its role under the QMSR</h2>
<p>ISO 14971:2019 defines the application of risk management to medical devices. Its process covers hazard identification, risk estimation, risk evaluation, risk control selection, residual risk evaluation, and overall risk-benefit analysis.</p>
<p>FDA does not incorporate ISO 14971 by reference within the QMSR. However, the FDA made clear in the Federal Register publication of the QMSR (February 2, 2024) that conformance to ISO 14971 is recognized as a well-documented method for satisfying the risk management requirements embedded in ISO 13485. Companies that already operate under ISO 14971 for notified body certification have a methodology that maps directly to QMSR compliance. Companies that treated risk management as a design-phase activity only, handled separately from production and post-market processes, have a gap worth addressing before their next inspection.</p>
<h2>Risk management requirements under ISO 13485</h2>
<h3>Clause 4.1 — General QMS requirements</h3>
<p>Clause 4.1 requires that the organization apply a risk-based approach to the processes needed for the QMS itself. This is the foundation of the standard&#39;s risk philosophy: risk thinking shapes which processes receive monitoring controls and how those controls are designed.</p>
<h3>Clause 7.1 — Planning of product realization</h3>
<p>Clause 7.1 requires that risk management activities be included in the planning of product realization. The outputs of this planning must include identification of specific risk management activities and the records needed to demonstrate they were carried out. This is where many <a href="https://www.cloudtheapp.com/glossary-fda-form-483-inspection-observation/">FDA Form 483</a> observations originate — companies plan risk management at a high level in their procedures but fail to generate records that trace back to individual product realization decisions.</p>
<h3>Clause 7.3 — Design and development</h3>
<p>Design and development is where risk management documentation is most specific. Clause 7.3 requires that risk management activities be performed as part of design planning, that risk outputs are documented with traceability to design inputs, that verification and validation activities address identified risks, and that design transfer documents include the results of risk management activities applied during development.</p>
<h3>Clause 7.4 — Purchasing</h3>
<p>Risk management applies to supplier selection and purchased material decisions. ISO 13485 requires that supplier selection criteria account for the risk associated with the product or process the supplier supports. This is enforced under QMSR through supplier qualification requirements that FDA investigators check against the actual qualification records.</p>
<h3>Clause 8.5 — Improvement</h3>
<p>CAPA processes under Clause 8.5 require that corrective and preventive actions account for the risk posed by the nonconformity being addressed. Risk assessment is a required input to any corrective action decision. High-risk deviations must be escalated and documented at a level proportionate to their risk — a requirement that FDA investigators verify by asking for the risk assessment attached to specific CAPA records.</p>
<h2>What FDA inspectors have been flagging</h2>
<p><a href="https://www.cloudtheapp.com/glossary-fda-form-483-inspection-observation/">FDA Form 483</a> observations published through 2025 and FDA enforcement data from the QMSR transition period show several repeated patterns in risk management-related findings.</p>
<p><strong>Missing risk management records for legacy products.</strong> Companies transitioning from the old 21 CFR Part 820 Quality System Regulation to QMSR frequently have documented risk assessments for newer products but gaps for devices that pre-date formal ISO 14971 adoption. Under QMSR, those gaps are compliance issues.</p>
<p><strong>Risk management files without traceability.</strong> FDA investigators regularly find risk management files that exist as standalone documents with no traceability to the device master record, the design history file, or the CAPA system. A risk management file must be a living record tied to the product&#39;s documentation architecture, not a submission artifact that gets filed and forgotten.</p>
<p><strong>Missing residual risk evaluation.</strong> ISO 14971 requires a final residual risk evaluation after all risk controls have been implemented. FDA investigators have issued 483 observations for risk management files that document hazards and controls but never formally evaluate whether the post-control residual risk is acceptable under the manufacturer&#39;s risk criteria.</p>
<p><strong>Post-market data not feeding back into the risk management file.</strong> Complaint data, field service reports, and post-market surveillance data must flow back into the risk management file. Companies that treat risk management as a pre-market activity and never update their risk management files with post-market information are consistently flagged. FDA&#39;s inspection guidance updated in February 2026 specifically calls out the post-market feedback loop as an inspection focus area.</p>
<h2>The risk register and its practical function</h2>
<p>A <a href="https://www.cloudtheapp.com/glossary-risk-register/">risk register</a> is the working output of a formal risk management process. For medical device manufacturers, the risk register captures each identified hazard, the associated hazardous situation, the potential harm, the probability of occurrence, the severity of harm, the risk level before controls, the risk controls applied, and the residual risk after controls.</p>
<p>Under ISO 14971:2019, the risk register must be reviewed when a design change occurs, when a production process changes, when a complaint or adverse event reveals a previously unidentified hazard, or when a regulatory change alters applicable risk criteria. Companies that maintain their risk register as a static document — reviewed once at 510(k) submission and never updated — are issued 483 observations when investigators pull complaint records and ask for the corresponding risk file updates.</p>
<h2>Risk management across the product lifecycle</h2>
<h3>Pre-market risk management</h3>
<p>Pre-market risk management covers design and development planning, hazard identification, risk analysis, risk control selection, design verification and validation against identified risks, and risk management file outputs that feed into the 510(k) or PMA submission. The design history file must contain the risk management outputs for each design element.</p>
<h3>Production risk management</h3>
<p>Production-phase risk management covers manufacturing process assessments, supplier qualification decisions linked to product risk levels, in-process controls that are calibrated to the risk of the operations they monitor, and process change reviews that include a risk assessment of the change&#39;s impact on safety and performance.</p>
<h3>Post-market risk management</h3>
<p>Post-market risk management covers complaint analysis, adverse event investigation, <a href="https://www.cloudtheapp.com/glossary-audits/">audits</a> of the production system, post-market clinical follow-up where required, and systematic updating of the risk management file based on real-world data. Gaps in post-market risk management are the most frequently unresolved finding category in FDA enforcement actions from 2024 and 2025.</p>
<h2>CAPA and risk management — the feedback loop</h2>
<p>Every <a href="https://www.cloudtheapp.com/glossary-deviation-capa/">deviation CAPA</a> must include a risk assessment. ISO 13485 Clause 8.5.2 requires that the scope of a corrective action be proportional to the risk associated with the nonconformity. A CAPA for a labeling error on a low-risk device carries a different risk weight than a CAPA for an out-of-specification manufacturing step on an implantable device.</p>
<p>This connection between CAPA and risk management is the most frequently documented gap when both systems are reviewed together during an inspection. Companies often have a functioning CAPA process and a separate risk management program, but the two systems do not communicate. When an investigator asks for the risk assessment attached to a corrective action record, the record does not have one — because the risk assessment was stored in a different document and was never linked to the CAPA.</p>
<p>A well-configured eQMS addresses this by requiring a risk assessment as a mandatory field within the corrective action workflow. When the CAPA record cannot advance or close without a completed risk assessment, the gap is closed at the process level rather than through manual oversight.</p>
<h2>Building a risk management program that holds up to inspection</h2>
<p>The three most common root causes for risk management 483 observations are: risk management files that are not updated after design changes, risk assessments that exist in isolation from CAPA and complaint records, and post-market surveillance data that is analyzed separately from the risk management file rather than being used to update it.</p>
<p>A <a href="https://www.cloudtheapp.com/glossary-root-cause-investigation/">root cause investigation</a> of any 483-cited risk management gap typically reveals a system-level disconnection rather than an individual documentation failure. The risk management process and the rest of the QMS need to share data, not just reference each other in procedures.</p>
<p>Cloudtheapp&#39;s platform includes native risk management functionality that connects risk records directly to CAPA, design control, and supplier management workflows. Risk assessments are required fields in corrective action workflows. Design change records trigger risk file review tasks. Post-market complaint data flows into risk registers without manual intervention. The platform is validated for 21 CFR Part 820 (QMSR), ISO 13485, and ISO 14971 application — which means the audit trail and traceability requirements that FDA investigators check are built into how the system operates.</p>
<p>If your organization is completing its transition to QMSR or building a risk management program designed to hold up to FDA scrutiny, <a href="https://www.cloudtheapp.com/demo/">schedule a demo at Cloudtheapp</a> to see how the platform structures risk management across the full product lifecycle.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
