
ISO 13485 Medical Device QMS Risk Assessment

Identify, evaluate and control QMS risks for medical device design, manufacture, and post-market — ISO 13485:2016 Clause 8.2.2 aligned

ISO 13485:2016 · Auto-Save · MDR / FDA / ISO 14971 · CSV · TXT · JSON · PDF Export · Lifecycle Phase Tracking

New QMS Risk Entry

General Information
Risk Details
Risk Evaluation (Severity × Probability × Detectability — FMEA-style)

Risk Priority Number (RPN) = Severity × Probability × Detectability. Threshold for mandatory action: RPN ≥ 50. Per ISO 14971, any catastrophic severity (S=5) requires action regardless of RPN.

Controls & Risk Treatment

ISO 14971 — Medical Device Risk Management Link

ISO 13485 requires implementation of risk management throughout the product lifecycle (Clause 7.1). ISO 14971:2019 is the dedicated risk management standard for medical devices and provides the detailed risk management process referenced by ISO 13485. Together these standards ensure safe, effective devices reach patients.

Hazard Identification

ISO 14971 Clause 5: Identify all hazards associated with the device, its intended use, and foreseeable misuse. Consider physical, chemical, biological, electrical, and functional hazards.

Risk Estimation

Clause 6: Estimate the probability of a hazardous situation occurring and the severity of the resulting harm. Risk = Probability × Severity. Document all assumptions and data sources.

Risk Evaluation

Clause 7: Compare the estimated risk against the risk acceptability criteria defined in the Risk Management Plan. Is the risk acceptable? For medical devices, the benefit must outweigh the risk.

Risk Control

Clause 8: Apply controls in priority order — (1) Inherently safe design, (2) Protective measures in device or manufacture, (3) Information for safety/training. Verify effectiveness.

Residual Risk / Benefit-Risk

Clause 9: Evaluate overall residual risk. For medical devices, residual risk must be judged acceptable based on benefit to patient. Required for MDR Technical Documentation.

Post-Market Monitoring

Clause 10: Production & post-production information (PMS/PMCF). Review risk file in light of post-market data, complaints, vigilance reports, literature surveillance.

ISO 14971 vs ISO 13485: ISO 14971 governs product risk management (patient safety, device hazards). ISO 13485 governs QMS risk (process failures, quality system risks). This tool covers both dimensions — use the Risk Type field to distinguish product risks (ISO 14971 scope) from QMS/process risks (ISO 13485 scope). For full product risk management per ISO 14971, a dedicated Risk Management File (RMF) is required.

Medical Device Lifecycle — ISO 13485 Scope

ISO 13485 requires risk management throughout the entire medical device lifecycle. Risks must be identified and controlled at each phase, from initial concept through to decommissioning.

1. Design & Development

Design inputs/outputs, V&V, DFMEA, biocompatibility, software development, usability engineering, clinical evaluation. Clause 7.3 requirements.

2. Regulatory Approval

Technical documentation, clinical evidence, conformity assessment (MDR), 510(k)/PMA (FDA), Notified Body review. Risk file completeness.

3. Manufacturing

Process validation (IQ/OQ/PQ), PFMEA, supplier qualification, incoming inspection, in-process controls, environmental monitoring, sterile barrier. Clauses 7.4–7.5.

4. Distribution & Installation

Cold chain / preservation requirements, installation procedures, traceability records, UDI labelling, distribution controls. Clauses 7.5.11, 7.5.3.

5. Clinical Use

Use by healthcare professionals / patients, operator training, maintenance requirements, servicing procedures, customer feedback capture. Clauses 7.5.4, 8.2.1.

6. Post-Market Surveillance

PMS plan/report, PMCF (MDR), complaint analysis, adverse event/vigilance reporting, FSCA, risk file updates, literature surveillance, PSUR. Clauses 8.2.1–8.2.3.

ISO 13485:2016 — Key Risk-Related Clauses

7.1 – Risk Management in Planning

Risk management must be part of product realisation planning. Risk management activities must be documented and planned across the entire lifecycle per ISO 14971.

7.3 – Design Controls

Design FMEA, design verification, design validation, design reviews, risk inputs/outputs. Risk management must be integrated into all D&D activities (7.3.1–7.3.10).

7.5 – Production Controls

Process FMEA (PFMEA), process validation, sterilisation validation, contamination control, traceability. Risk drives validation requirements for special processes.

8.2.2 – Complaint Handling

All complaints must be evaluated for regulatory reportability. Risk assessment drives complaint decisions — investigate, report, or close without CAPA.

8.5 – CAPA

Risk assessment determines CA/PA priority and scope. Effectiveness of actions must be verified and documented. 8.5.2 CA, 8.5.3 PA — both risk-driven.

8.3 – Nonconforming Product

Risk assessment must be performed for all nonconforming product decisions — rework, scrap, use-as-is, or concession. Documented risk justification required.

RPN Thresholds (FMEA approach):
• RPN 1–24: Negligible
• RPN 25–49: Low
• RPN 50–74: Medium
• RPN 75–99: High
• RPN 100–125: Critical

Note: Catastrophic severity (S=5) is always Critical regardless of RPN — patient fatality or life-threatening injury cannot be accepted on probability grounds alone.

Medical Device QMS Risk Register

All QMS risks and product risks — filter, edit, export. Auto-saved in browser.

Register columns: ID · Date · Type · Lifecycle Phase · Category · Description · S · P · D · RPN · Risk Level · Decision · Regulation · Res. RPN · Status · Owner · Target · Actions


Medical Device Risk Matrix

Severity × Probability — ISO 14971-aligned 5×5 risk evaluation matrix

5×5 Risk Matrix (Severity × Probability)

S × P matrix (without detectability) for quick visual risk evaluation. For full FMEA scoring use RPN = S × P × D. Detectability does not reduce regulatory reportability obligations.

Probability scale (matrix columns): P=1 Incredible · P=2 Remote · P=3 Occasional · P=4 Probable · P=5 Frequent

Cell legend (S × P):
• Negligible (1–4)
• Low (5–8): Acceptable with controls
• Medium (9–12): CAPA recommended
• High (15–16): Urgent action required
• Critical (20–25): Unacceptable

Negligible (S×P: 1–4)

Risk is acceptable. Maintain current controls. Document in risk register. Review at scheduled intervals or on design/process change. No regulatory reporting required.

Low (S×P: 5–8)

Risk is acceptable with controls. Verify controls are effective. Consider whether additional preventive actions would be beneficial. Monitor via post-market surveillance data.

Medium (S×P: 9–12)

CAPA or additional risk controls recommended. Assign owner and target date. Evaluate regulatory reportability. Update Risk Management File. Review benefit-risk acceptability.

High / Critical (S×P: 15–25)

Unacceptable. Immediate risk reduction required. Consider production hold or device recall if in-market. Mandatory regulatory reporting evaluation. Senior management escalation. CAPA required. Stop activities if S=5 (catastrophic).
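The RPN banding, the mandatory-action threshold, the S=5 override and the S × P matrix legend above describe a small scoring procedure. The following Python is an added illustration written for this page, not code from the ISO Xpert tool; the function names, the `RiskEntry` fields and the sample register rows are assumptions, and the band tables are transcribed from the text above. It validates the 1–5 inputs before scoring (an out-of-range score would otherwise silently produce a band that does not exist) and shows why the S=5 rule matters: a catastrophic hazard with low probability and good detectability scores RPN 5, which the plain threshold would leave untouched.

```python
"""Added illustration (not the ISO Xpert tool's own code): FMEA-style RPN
scoring and S x P matrix banding as described on the page, including the
catastrophic-severity override.  Names and sample data are assumptions."""

from dataclasses import dataclass

# Band tables transcribed from the page: (inclusive low, inclusive high, label).
RPN_BANDS = [(1, 24, "Negligible"), (25, 49, "Low"), (50, 74, "Medium"),
             (75, 99, "High"), (100, 125, "Critical")]
SP_BANDS = [(1, 4, "Negligible"), (5, 8, "Low"), (9, 12, "Medium"),
            (15, 16, "High"), (20, 25, "Critical")]
RPN_ACTION_THRESHOLD = 50   # page: mandatory action at RPN >= 50
CATASTROPHIC_SEVERITY = 5   # page: S=5 is Critical regardless of RPN
LEVEL_RANK = {label: rank for rank, (_, _, label) in enumerate(RPN_BANDS)}


def _check_score(name: str, value: int) -> None:
    """Reject anything outside the 1-5 scale before it can skew a score."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def _band(value: int, bands) -> str:
    for low, high, label in bands:
        if low <= value <= high:
            return label
    # Unreachable for validated 1-5 inputs: every product of two or three
    # such scores lands inside one of the bands above.
    raise AssertionError(f"score {value} is outside every band")


def rpn(severity: int, probability: int, detectability: int) -> int:
    """Risk Priority Number = S x P x D (range 1-125)."""
    for name, value in (("severity", severity), ("probability", probability),
                        ("detectability", detectability)):
        _check_score(name, value)
    return severity * probability * detectability


def rpn_level(severity: int, probability: int, detectability: int) -> str:
    """RPN band; catastrophic severity forces Critical whatever the RPN."""
    value = rpn(severity, probability, detectability)
    if severity == CATASTROPHIC_SEVERITY:
        return "Critical"
    return _band(value, RPN_BANDS)


def action_required(severity: int, probability: int, detectability: int) -> bool:
    """Mandatory action: RPN >= 50, or any S=5 regardless of RPN."""
    return (severity == CATASTROPHIC_SEVERITY
            or rpn(severity, probability, detectability) >= RPN_ACTION_THRESHOLD)


def sp_level(severity: int, probability: int) -> str:
    """Band for the 5x5 Severity x Probability matrix (no detectability)."""
    _check_score("severity", severity)
    _check_score("probability", probability)
    return _band(severity * probability, SP_BANDS)


@dataclass
class RiskEntry:
    """One register row; the field names are assumptions, not the tool's schema."""
    risk_id: str
    description: str
    severity: int
    probability: int
    detectability: int

    def evaluate(self) -> dict:
        s, p, d = self.severity, self.probability, self.detectability
        return {"id": self.risk_id, "rpn": rpn(s, p, d),
                "rpn_level": rpn_level(s, p, d), "sp_level": sp_level(s, p),
                "action_required": action_required(s, p, d)}


# Constructed sample register (illustrative values, not real device data).
SAMPLE_REGISTER = [
    RiskEntry("QMS-001", "Incoming inspection sampling plan not validated", 3, 4, 2),
    RiskEntry("QMS-002", "Sterile barrier seal strength drift", 4, 4, 4),
    RiskEntry("PRD-003", "Infusion rate calculation error in firmware (hypothetical)", 5, 1, 1),
]


def evaluate_register(entries):
    """Evaluate every row; most severe band first, then highest RPN."""
    rows = [e.evaluate() for e in entries]
    return sorted(rows, key=lambda r: (-LEVEL_RANK[r["rpn_level"]], -r["rpn"]))


if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
```

In the constructed register, PRD-003 has the lowest RPN (5) but sorts first, because the S=5 override lifts it to Critical and flags mandatory action; QMS-002 (RPN 64, Medium) crosses the ≥ 50 threshold; QMS-001 (RPN 24) stays Negligible even though its S × P cell (12) is Medium on the matrix, which is the difference between the two scales the page describes.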

Regulatory Framework Reference

Key regulations and standards applicable to medical device QMS risk management

ISO 13485:2016

Quality management system standard specifically for medical device manufacturers and suppliers. Recognised globally and referenced by EU MDR, MHRA, Health Canada and others.

Key Risk Clauses:
• 7.1 – Risk management throughout realisation
• 7.3 – Design controls (design FMEA)
• 7.4 – Purchasing controls & supplier risk
• 7.5 – Production risk & process validation
• 8.2.2 – Complaint risk assessment
• 8.3 – Nonconforming product risk decisions
• 8.5 – Risk-driven CAPA

EU MDR 2017/745

EU Medical Devices Regulation — mandatory for CE marking of medical devices in the European market. Significantly stronger requirements than the previous MDD/AIMD.

Key Requirements:
• Risk management per Annex I (General Safety & Performance)
• Post-Market Surveillance (PMS) plan & report
• Post-Market Clinical Follow-Up (PMCF)
• Periodic Safety Update Report (PSUR)
• Serious Incident reporting (15 days)
• UDI system compliance
• Technical Documentation (Annex II/III)
• EUDAMED database registration

FDA 21 CFR Part 820 (QSR)

FDA Quality System Regulation for medical device manufacturers selling in the US. Now harmonised with ISO 13485 through FDA QMSR (2024).

Key Requirements:
• Design Controls (§820.30) — design FMEA
• Process Validation (§820.75)
• CAPA (§820.100) — risk-based prioritisation
• Complaint Handling (§820.198)
• MDR Reporting (21 CFR 803) — 30-day/5-day
• Device Master Record & History Record
• 510(k) or PMA pre-market submission
• FDA QMSR (March 2024) aligns with ISO 13485

ISO 14971:2019 — Risk Management

The dedicated medical device risk management standard. Required by ISO 13485, EU MDR, FDA, and all major regulatory frameworks. Mandatory for CE marking and 510(k)/PMA.

Key Process:
• Risk Management Plan (RMP)
• Hazard identification & hazardous situations
• Risk estimation (Probability × Severity)
• Risk evaluation vs acceptability criteria
• Risk control measures (3-step hierarchy)
• Benefit-risk analysis
• Residual risk evaluation & acceptance
• Risk Management Report (RMR)
• Production & post-production information

IEC 62304 — Medical Device Software

Software lifecycle requirements for medical device software (MDSW) and Software as a Medical Device (SaMD). Mandatory for devices with software components.

Software Safety Classes:
• Class A — No injury or damage
• Class B — Non-serious injury possible
• Class C — Serious injury or death possible

Key Requirements:
• Software development planning
• Software requirements analysis
• Software architecture design
• Software unit implementation & testing
• Software integration & system testing
• Maintenance & change management

IEC 62366 — Usability Engineering

Usability engineering (human factors) for medical devices. Required by EU MDR Annex I, FDA guidance. Critical for risk reduction from use errors.

Key Activities:
• Intended use & user groups definition
• Use-related risk analysis (URRA)
• Formative usability studies
• Summative validation testing
• Usability engineering file
• Known use errors & misuse scenarios
• User interface design requirements
• Human factors engineering report

Note: This tool is designed to support ISO 13485 QMS risk management activities. For full medical device risk management per ISO 14971, a comprehensive Risk Management File (RMF) must be maintained separately. This tool does not replace legal or regulatory advice — always consult qualified regulatory affairs professionals and verify compliance with applicable regulations in your target markets.

ISO Xpert

ISO Xpert Ltd

71-75 Shelton Street, Covent Garden
London, WC2H 9JQ, United Kingdom


Common Questions

ISO 13485 Medical Device โ€” Frequently Asked Questions

Quick answers about the ISO 13485 Medical Device gap analysis tool, data privacy, audit preparation, and ISO Xpert consulting.

What is the ISO 13485 Medical Device gap analysis tool and how does it work?
The ISO 13485 Medical Device gap analysis tool is a free browser-based checklist that compares your current management system against the clauses of ISO 13485 Medical Device. You answer clause-by-clause questions and rate each requirement as Compliant, Partial or Non-compliant. The tool calculates a live compliance score, highlights gaps on a heat-map, captures evidence and corrective-action notes, and exports the full assessment as JSON, CSV, TXT or print-ready PDF for management review and Stage 1 / Stage 2 audit preparation.
Is the ISO 13485 Medical Device gap analysis tool really free to use?
Yes — the ISO 13485 Medical Device tool is 100% free with no sign-up, no email capture, no credit card, no watermarks, and no usage limits. It runs entirely in your browser; nothing is transmitted to ISO Xpert servers. You can clear or export your data at any time.
Where is my ISO 13485 Medical Device assessment data stored?
All ISO 13485 Medical Device assessment data is stored locally in your browser’s storage. Nothing is uploaded to our servers. This makes the tool GDPR-friendly and suitable for confidential audit data classified up to Restricted. Export anytime as JSON (re-importable), CSV (Excel-pivotable), TXT (executive summary) or PDF (audit-trail evidence).
Can I use this tool to prepare for ISO 13485 Medical Device certification or surveillance audits?
Yes. The ISO 13485 Medical Device gap analysis is designed to support preparation for certification by UKAS-, IAS- or ANAB-accredited bodies. Use the exported report as evidence of internal audit, feed it into management review, and prioritise high-severity non-conformities ahead of Stage 1 / Stage 2 visits. ISO Xpert consultants can assist with documented information, internal audits and full implementation if required.
How long does an ISO 13485 Medical Device gap analysis typically take?
Most users complete an initial ISO 13485 Medical Device gap analysis in 60 to 120 minutes for a single site, depending on system maturity and clause depth. The tool auto-saves continuously, so you can pause, switch devices via JSON export/import, and resume at any time. Re-assessments after corrective action usually take 20 to 40 minutes.
Does ISO Xpert offer ISO 13485 Medical Device consulting or training?
Yes. ISO Xpert Ltd (London, UK) provides ISO 13485 Medical Device gap analysis consulting, internal audits, Stage 1 and Stage 2 certification preparation, lead auditor / internal auditor training, and full management-system implementation. Contact info@iso-xpert.com or WhatsApp +44 7853 109840.

More questions? Contact ISO Xpert or browse other iso-risk-analysis tools.