In ISO 13485, a risk-based approach is a cornerstone for ensuring the effectiveness and compliance of a Quality Management System (QMS). This approach requires that actions, controls, and evaluations be proportionate to the risks associated with specific processes, products, and activities.
The following list outlines key requirements across various clauses of ISO 13485, highlighting how risk assessment and mitigation strategies are integrated into personnel training, supplier management, purchased product control, and software validation. Each section provides paraphrased requirements and actionable interpretations to align practices with the standard’s expectations.
PERSONNEL
Clause 6.2
Paraphrase:
The methodology used to check effectiveness is proportionate to the risk associated with the work for which the training and other action is being provided.
Interpretation & Actions:
- Assess the risk of tasks not being performed adequately, with respect to product safety/performance and compliance
- Build risk-based competence matrix – education, training, skills and experience
- Achieve and maintain competence
- Establish procedures and maintain records
SUPPLIERS
Clause 7.4.3
Paraphrase:
Outsourced processes – controls shall be proportionate to the risk involved and the ability of the external party to meet requirements.
Clause 7.4.1
Paraphrase:
Supplier evaluation and selection – criteria shall be proportionate to the risk associated with the medical device.
Interpretation & Actions:
- Assess risk to process(es) affected by supplier
- Develop and implement measurable criteria
- Consider past performance
- Implement written Quality Agreements
- Establish procedure and maintain records
PURCHASED PRODUCT
Clause 7.4.3
Paraphrase:
Outsourced processes – controls shall be proportionate to the risk involved and the ability of the external party to meet requirements.
Interpretation & Actions:
- Assess risk to process(es) affected by supplier
- Develop and implement measurable criteria
- Consider past performance
- Implement written Quality Agreements
- Establish procedure and maintain records
SOFTWARE VALIDATION
Clauses 4.1.6, 7.5.6, 7.6
Paraphrase:
Software used in QMS, production and service provision, monitoring and measurement – The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of software.
Interpretation & Actions:
- Assess risk to final product quality and compliance
- Establish risk-based acceptance criteria
- Refer to guidance documents for scope and definitions
- Establish procedures and maintain records