A quality management system sits at the center of medical device compliance. ISO 13485 sets the requirements for a device maker’s QMS. ISO 14971 sets the process for risk management across the product life cycle.
You meet both standards when your QMS runs the risk process end to end and keeps complete, retrievable records of what you decided and why.
What ISO 13485 Requires
ISO 13485 defines how you control your organization and its processes to make safe and effective devices. It asks you to plan, document, implement, and maintain procedures across the product life cycle. The standard focuses on consistency, traceability, and evidence.
Key topics include:
- Documented procedures and records control
- Design and development planning, inputs, outputs, reviews, verification, and validation
- Purchasing and supplier controls
- Production and process controls, identification, traceability, and preservation
- Monitoring and measuring equipment control
- Nonconformity, corrective action, and preventive action
- Postmarket surveillance, complaints, and reporting
- Internal audits and management review
- Training and competence
The QMS is the system that houses these processes and the records that prove they happened.
What ISO 14971 Requires
ISO 14971 defines how you identify hazards, estimate and evaluate risks, control risks, and monitor residual risk over time. It expects a risk management plan, a risk management file, and a repeatable method to keep risk acceptable throughout the product life cycle.
Core elements include:
- Risk management plan and scope
- Intended use and reasonably foreseeable misuse
- Hazard identification and hazardous situations
- Risk estimation and evaluation
- Risk control selection, implementation, and verification
- Evaluation of overall residual risk
- Production and postproduction information and feedback
The risk process does not sit on its own. It must connect to design, manufacturing, complaints, and postmarket data. The QMS provides those connections.
How The QMS Connects ISO 13485 And ISO 14971
You use the QMS to plan, execute, and record the risk process that ISO 14971 describes. ISO 13485 requires you to control design, purchasing, production, and feedback. ISO 14971 consumes information from those processes and returns risk controls that become design outputs, manufacturing controls, and training needs. The QMS links these flows so that every risk control has an owner, a record, and a verification step.
Practical integrations:
- Design Controls To Risk Management: You link design inputs and outputs to identified hazards, risk control measures, and verification results. Design reviews confirm that risk controls meet the plan.
- Change Control To Risk Management: Every change request triggers a documented risk impact assessment against the risk file. You evaluate whether the change introduces new hazards or alters residual risk before the change is approved.
- Supplier Controls To Risk Management: You factor supplier capability and history into risk analysis and incoming inspection plans.
- Production And Process Controls To Risk Management: You convert risk controls into process parameters, in-process checks, labeling, and release criteria.
- Postmarket Surveillance To Risk Management: Complaints, service reports, and vigilance feed new hazards and frequency data back into the risk file.
The Risk Management File Inside The QMS
An effective QMS treats the risk management file as a living set of records rather than a one-time report. You keep:
- The risk management plan with roles, criteria, and methods
- Hazard analyses, risk evaluations, and control selections
- Verification evidence that shows controls work as intended
- Benefit-risk decisions and acceptance rationale
- Links to design documents, procedures, labeling, and training
- Postproduction data, trend analyses, and file updates
Auditors and reviewers will ask two questions: how did you decide that risk is acceptable, and where is the proof? Your QMS should answer both from current, controlled records, not from reconstructed history.
Design And Development Controls With Risk At The Core
You plan design work so that risk activities happen at the right time. You define acceptance criteria that reflect risk controls. You verify and validate to show that the device meets requirements and that residual risk remains acceptable. You document traceability from user needs to risk controls, verification, and validation. The QMS enforces this traceability and preserves it for audits and submissions.
Documented Information And Traceability
ISO 13485 and ISO 14971 both rely on accurate documented information. The QMS controls versions, approvals, and access. It preserves audit trails that show who did what and when. You can retrieve the exact version of a test protocol, a procedure, or a label that was in force at a given time. You can also show which risk control that document implements.
Change Control That Protects Risk Acceptability
You route changes through a controlled process that includes a risk impact assessment. The process asks whether the change creates new hazards, alters severity or the probability of occurrence of harm, weakens an existing risk control, or changes benefit-risk conclusions. You update the risk file and any linked documents, training, validations, and labels. You verify that the revised controls remain effective before release.
Supplier Management That Reflects Risk
Suppliers influence product risk. The QMS qualifies suppliers, sets acceptance criteria, and tracks performance. You feed audit results, nonconformities, and incoming inspection data into risk reviews. When supplier risk increases, you adjust controls such as sampling levels, process audits, or second sources.
Training And Competence That Match Risk Controls
Risk controls often depend on people doing the right work. The QMS maps roles to procedures and records training completion before a process goes live. When a risk control changes, you assign training and verify it before release. This closes a common gap that leads to nonconformities.
Production, Release, And Postmarket Feedback
The QMS turns risk controls into production instructions, in-process checks, and final acceptance criteria. You release product when evidence shows that controls are in place and effective. After release, you capture complaints, service reports, and field data. You trend the data and update the risk file and related controls when needed.
Internal Audits And Management Review
You use internal audits to confirm that processes meet ISO 13485 and that risk management meets ISO 14971. You verify that records are complete, current, and consistent. Management review evaluates process performance, nonconformities, CAPA, supplier performance, and risk status. Leaders decide where to improve and allocate resources.
Common Pitfalls And How To Avoid Them
- Treating the risk file as a one-time deliverable rather than a living set of records
- Failing to link risk controls to design outputs, procedures, and labels
- Approving changes without a documented risk impact
- Allowing training to lag after updates
- Missing feedback loops from complaints and service data back to risk analysis
- Storing evidence in uncontrolled locations that break traceability
You avoid these pitfalls when the QMS owns the process, the records, and the links between them.
Implementation Steps That Work
- Define the risk management procedure and plan, including acceptance criteria and roles.
- Build traceability from user needs to hazards, risk controls, and verification.
- Integrate change control, supplier controls, and training with the risk file.
- Configure production and release records to implement risk controls.
- Set postmarket data sources and review cadence.
- Validate the QMS software features you use for regulated records; ISO 13485 requires validation of software used in the QMS, and the validation scope should cover the records, audit trails, and links that your risk process depends on.
- Train teams on how to create, review, and update risk records.
Unify ISO 13485 And ISO 14971 Through Your QMS
ISO 13485 tells you to build and run a controlled quality system. ISO 14971 tells you to manage risk throughout the life cycle. The QMS is the engine that connects the two. When you plan risk activities in the QMS, link them to design and production, and keep evidence current, you meet both standards with one set of consistent processes and records. You protect patients and users, and you build a device program that can withstand audits and scale with confidence.
Streamline the process of meeting compliance with ISO 13485. Download our checklist to help guide you.