ISO 13485:2016 & ISO 9001:2015 Risk-Based Thinking

Risk-based decision making has always been implied in each version of ISO 9001 and ISO 13485, but with the release of ISO 9001:2015 last September and ISO 13485:2016 this March, it is now explicit throughout both standards. Though the standards vary somewhat on how risk is defined, the general principles of how risk-based thinking is applied are similar.

ISO 9001:2015 defines “risk” as the effect of uncertainty on an unexpected result and/or deviation from the expected. “Uncertainty” is clarified as a lack of information or knowledge about an event that can be expressed as a result of the likelihood and consequence of such an event, which may be either positive or negative. ISO 13485:2016, by contrast, separates out risk as wholly negative and defines “risk” as a combination of the probability of occurrence of harm and the severity of that harm. Opportunities generated from uncertainty are considered independently.

Both standards stress the concept of risks and opportunities, which emphasizes identifying potential problems as well as opportunities for improvement as applicable to Quality Management System (QMS) processes, the conformity of products and services, and planning of QMS objectives. Effectiveness of risk management and opportunities for analysis must be evaluated, and the effectiveness of the actions associated with objectives or planning must be included in the management review.

The risk-based approach must also be applied to the control of the appropriate processes needed for the QMS. For example:

  • The methodology used to check the effectiveness of training shall be proportionate to the risk associated with the work for which the training or other action is being provided.
  • The criteria for evaluation and selection of suppliers need to be proportionate to the risk associated with the device.
  • Software used for making a device or maintaining a QMS must be evaluated for the risk associated with it.

All information gathered in the feedback process will serve as potential input into risk management.

Other Changes in ISO 13485 & 9001:

Other meaningful changes have been implemented in an effort to harmonize all of the top level standards. The overall goal is to provide a stable framework of requirements to satisfy industry needs for the next 10 years.

The standards previously dealt primarily with products, but equal attention must now be paid to goods and services.

They also recognize that the technological shift to electronic information systems allows organizations to exclude parts of the standard from their scope where it is justified.

The new standards introduce the concept of the context of the organization.

AlvaMed is here to help guide you and your organization through all of the changes in ISO 13485 & ISO 9001.

For more detailed information on these changes, visit www.iso.org.