Risk Management & QMSR: 7 Questions Answered By FDA

Executive Summary

With the FDA’s Quality Management System Regulation coming into force on Feb. 2, medical device makers face heightened pressure to strengthen risk management practices as the agency aligns its legacy Quality System Regulation with ISO 13485. During a Jan. 14 FDA Town Hall, agency officials addressed industry questions on risk management expectations under the new QMSR.

Medical device manufacturers sometimes find themselves behind the eight ball when it comes to conducting risk management activities, and these challenges may become even more pronounced when the Quality Management System Regulation (QMSR) from the US Food and Drug Administration (FDA) comes into force on Feb. 2.

The QMSR harmonizes the current 1990s-era Quality System Regulation (QSR) with the international quality systems standard ISO 13485:2016. The FDA published its new rule in 2024. (Related Story: “QMSR: FDA Answers 21 Burning Questions From MedTechs,” QualityHub, Jan. 2, 2026.)

During an FDA Town Hall webinar on Jan. 14, these four agency officials answered a handful of questions from industry around risk management and the QMSR:

  • Kimberly Lewandowski-Walker
    • Regulatory Officer, FDA Inspections and Regulatory Audits Team, Office of Regulatory Programs, Office of Product Evaluation and Quality (OPEQ)
  • Karen Masley-Joseph
    • Senior Advisor, Office of Medical Devices & Radiological Health Inspectorate, Office of Inspections and Investigations (OII)
  • Keisha Thomas
    • Associate Director for Compliance & Quality, Office of Product Evaluation and Quality (OPEQ)
  • Tonya Wilbon
    • Assistant Director for Post-Market Industry, Education and Consumer Education, Division of Industry and Consumer Education (DICE)

[Editor’s Note: The questions and answers below were lightly edited by QualityHub for clarity and brevity.]

No. 1: What are the FDA’s requirements for risk management activities for low-risk Class I devices that are exempt from the QMSR’s Design and Development requirements?

Kimberly Lewandowski-Walker: Class I devices that are exempt from Design and Development requirements remain required to maintain records of risk management activities for other aspects of product realization, including – but not limited to – risk management for the production process, purchasing products and services, and labeling activities, as appropriate for the device. Additional requirements for risk management activities are included throughout ISO 13485, including in Subclauses 4.1, 7.3, and 7.4.

No. 2: What is the definition of “risk” that applies to the QMSR?

Karen Masley-Joseph: ISO 13485 defines “risk” as the combination of the probability of occurrence of harm and the severity of that harm. So, the FDA does consider that term to be appropriate, and we [use] that definition in the QMSR.

No. 3: What are the FDA’s requirements for documenting risk-based decisions within a manufacturer’s Quality Management System, or QMS?

KLW: An organization is required to apply a risk-based approach to the control of the appropriate processes needed for the Quality Management System as described in ISO 13485, Subclause 4.1.2. Now, the FDA recognizes that depending on the complexity of the device and the processes used to manufacture the device, different levels of risk exist … within those various processes within the QMS.

For example, some types of complaints may be lower risk versus other types of complaints. Therefore, different levels of investigation and corrective actions would be appropriate for complaints that, for example, allege a harm to the patient or user, versus complaints regarding, say, damaged outer carton packaging.

Another example is a device for which the entire design and manufacturing has been outsourced, versus another device that is assembled from parts [that are] machined in-house and where all assembly is performed in-house. So, [when] the entire device, design, and manufacturing is outsourced, the purchasing process … may have higher risk associated with it, versus [a possible lower risk for] the company that machines the parts in-house.

The FDA expects the manufacturer to document these types of risk-based decisions [in] Quality Management System documentation and maintain that as set forth in Subclause 4.2.5.

No. 4: The term “risk management” is used in ISO 13485 while the current Quality System Regulation uses the term “risk analysis.” Does this mean companies are required to also conform to international risk management standard ISO 14971?

Keisha Thomas: There is no QMSR requirement that calls out conformity to ISO 14971. The QMSR allows the flexibility for manufacturers to use any appropriately validated risk management process to carry out their risk management activities.

No. 5: Does the FDA require or expect quantitative information for describing risk?

Tonya Wilbon: The simple answer is that there is no requirement in the QMSR or in ISO 13485 for a quantitative description of risk. However, if data is available, it may be very, very useful in defining and quantifying your actual risk of that device. So, it’s helpful – it’s just not required.

No. 6: Does the FDA require specific risk management tools to be used by manufacturers?

KLW: No. Manufacturers may [use] whatever risk management tools are appropriate for the complexity of their device and their QMS process. We don’t require any specific risk management tools nor do we require the use of ISO 14971 for risk management activities.

No. 7: Can you provide some clarity to ISO 13485, Clauses 8.2.1, 8.4, and 8.5.1, as they relate to post-market surveillance and feedback into the risk management process?

KMJ: Clause 8.2.1 requires that information gathered in the feedback process serve as potential input into risk management for monitoring and maintaining product requirements, as well as for product realization or improvement processes. So that’s the requirement part … that connects to risk management.

For Clause 8.4, that requires the firm to collect and analyze data generated as a result of monitoring and measurement to demonstrate the suitability, adequacy, and effectiveness of the QMS. And Clause 8.5.1 … requires a firm to identify and implement any changes necessary to ensure and maintain the continued suitability, adequacy, and effectiveness of the QMS, as well as medical device safety and performance … through the use of post-market surveillance, among other QMS processes.

[All these] requirements can be implemented through a robust post-market surveillance process. Within that process, the data to be reviewed is going to depend on the nature of your operations and should include production information which … could be product monitoring and measurement data, nonconformities, [and/or] process performance. And this [post-market surveillance] process should include post-production information – we don’t want to forget about that – and [some examples of that are] complaints, adverse events, [and/or] customer feedback. [All of these make up a] robust post-market surveillance process.

The key to connecting [post-market surveillance] back to risk management is … ensuring that emerging risk information is captured and evaluated in a timely manner so you can maintain the effectiveness of your risk management process to then make … improvements as [needed] throughout your device’s lifecycle.
