In today’s regulatory landscape—especially in the medical device and life sciences industries—regulatory bodies expect manufacturers to not just follow procedures, but to demonstrate intelligent decision-making based on risk. Standards like ISO 13485, ISO 9001, and regulations such as the EU MDR and FDA QMSR emphasize the Risk-Based Approach (RBA) as a foundation for effective Quality Management Systems (QMS).
But what does that really mean in practice? More importantly, when are you expected to apply it, and how should it be documented? This article covers:
- What the Risk-Based Approach is
- When it should be applied across key QMS functions
- How it should be reflected and documented in your quality system
What Is the Risk-Based Approach?
A risk-based approach means that an organization must have a clear understanding of the risks it is exposed to, and must apply proportionate measures to effectively mitigate or control those risks.
It is not optional—it is a foundational principle that supports compliance with all other QMS requirements. Risk-based thinking is embedded throughout ISO 13485, as well as other related standards and regulations.
In practice, this means:
- Identifying and assessing risks that could impact product quality, patient safety, or compliance
- Applying mitigation controls at the appropriate levels, such as:
  - Top-level documents (e.g., Quality Manual, Risk Management Plan)
  - Design and development documents (e.g., risk analysis, usability reports)
  - Standard Operating Procedures and Work Instructions
  - Visual aids like warning labels, signs, or precautions
- Tailoring the level of control based on the significance of the risk
WHEN Is the Risk-Based Approach Applied in QMS?
In ISO 13485 and related standards, the risk-based approach is not confined to product safety (as addressed in ISO 14971), but extends across all quality system processes. The application of risk should guide how activities are planned, executed, controlled, and documented—with greater emphasis placed on higher-risk areas.
Here is how the Risk-Based Approach is typically applied across key QMS areas:
QMS Area | Risk-Based Application |
---|---|
Design & Development | Risk is assessed during design inputs, reviews, and validation stages. Decisions about safety, usability, and performance are informed by product risk analysis (aligned with ISO 14971). |
Supplier Control | Suppliers are selected, qualified, and monitored based on the risk they pose to product quality and patient safety. |
Process Validation | Processes that cannot be fully verified through inspection are validated based on the impact of process failure. |
Change Management | Changes are assessed for risk impact on safety, effectiveness, and compliance before approval. |
Document Control | High-risk documents require stricter control, access, and review cycles. |
Internal Audits | High-risk areas (e.g., complaints, sterilization) are audited more frequently with deeper focus. |
CAPA | Risk evaluation drives CAPA depth and urgency. |
Management Review | Trends in complaints, audit findings, and risk indicators influence management decisions. |
Labeling & IFUs | Labeling and Instructions for Use are developed and reviewed with focus on risk of user error or misinterpretation. |
Post-Market Surveillance | Post-market feedback is analyzed using risk scoring to trigger CAPAs or design changes where needed. |
Personnel Competence | Staff competency is ensured based on the risk associated with their duties. |
Infrastructure & Environment | Facility and equipment maintenance is driven by risk to product quality or patient safety. |
HOW Is the Risk-Based Approach Documented in the QMS?
Risk-based thinking is not just conceptual; it must be traceable in documented processes, forms, and records. This aligns with ISO 13485:2016 clause 4.1.2(b), which requires the organization to “apply a risk based approach to the control of the appropriate processes needed for the quality management system.”
To demonstrate compliance and traceability, the risk-based approach must be embedded and documented at all levels of the Quality Management System. It is not limited to isolated risk assessments; it is reflected in how processes are structured, controlled, and justified throughout documentation.
Top-Level Documents
Document Type | Risk-Based Elements |
---|---|
Quality Manual | Describes how the organization applies risk-based thinking across the QMS. |
Design & Development Files | Identify critical design aspects that pose risks (e.g., usability, material safety). |
Product Technical Files | Include summary of product-specific risks, risk-benefit analysis, and residual risks. |
Mid-Level Documents
Document Type | Risk-Based Elements |
---|---|
SOPs (Standard Operating Procedures) | Outline how risk is assessed, monitored, and mitigated in a specific process. |
Process Validation Protocols | Include rationale for risk-based validation (e.g., sterilization, sealing). |
Change Control Forms | Require assessment of risk impact before change implementation. |
Supplier Evaluation Plans | Use supplier risk classification to guide qualification and controls. |
Audit Plans | Risk ranking of functions determines audit frequency and detail. |
Execution-Level Documents and Records
Document Type | Risk-Based Elements |
---|---|
Work Instructions | Detail steps to control process risks (e.g., gowning for sterile areas). |
Training Records | Show that high-risk roles receive appropriate, role-based training. |
CAPA Forms | Document risk scoring and prioritization for root cause actions. |
Audit Checklists | Focus tailored questions based on process risk levels. |
Labels / Signs | Highlight areas of safety risk or misuse prevention. |
Management Review Minutes | Include review of high-risk trends and mitigation performance. |
- Top-level = Identify what’s critical
- Mid-level = Define how it’s controlled
- Execution-level = Show that it's done and working
Structuring documentation this way demonstrates compliance and preparedness during audits, especially when an auditor asks, “Where is this risk addressed in your system?”
Typical SOP Structure with Risk-Based Approach Integration
Standard Operating Procedure for “_______”
1. Scope
Guiding Text:
Define the broad area of operation that this SOP covers. Scope helps the reader understand the full boundary of processes or systems involved. It may include overlapping or interconnected activities.
Include:
- The functional areas covered (e.g., Sterilization, Production, Dispatch)
- Whether the SOP applies to multiple processes or a single process
- If applicable, state the product types or device classes involved
- Any interfaces or links to other departments or procedures
Tip: Define what process or activity the SOP covers. Explain boundaries: what is included and what is excluded.
Example: This SOP outlines the procedure for validating sterilization processes for medical device packaging.
Example: This SOP covers the overall sterilization process for finished medical devices, including pre-cleaning, packaging, labeling, and dispatch coordination.
Example: Applicable to operations under Quality Control that require product release decisions for Class II and III medical devices.
2. Applicability
Guiding Text:
Specify the precise departments, personnel, roles, or products to which this SOP is applicable. This section should be narrow and targeted — not a repetition of the broad operational range described in the Scope.
Include:
- Teams, roles, or job titles (e.g., QC Inspector, Dispatch Officer)
- Device or product categories if applicable (e.g., sterile wound dressings, surgical masks)
- Any specific equipment, facility area, or process phase this SOP applies to
Note: If a process is shared across departments but this SOP only governs one part, clarify that here.
Tip: Specify departments, teams, or roles this SOP applies to. State the product types or systems affected.
Example: This SOP applies to the Sterile Packaging team involved in final sealing and labeling of sterile medical devices.
Example: Applicable only to production staff operating Class B autoclaves in the sterilization suite.
Example: This SOP applies to the Quality and Manufacturing departments for products requiring sterile barrier systems.
3. References
- 3.1. Documents Referenced:
  - List all external regulatory guidance, standards, and internal QMS documents that form the basis of, or support, the SOP’s content.
  - External: ISO 13485, ISO 14971, EU MDR, US FDA 21 CFR Part 820, WHO guidelines, etc.
  - Internal: Related SOPs, Work Instructions, Policy documents, Quality Manual, Risk Management Files, etc.
  - Reference documents using version/date or document control codes (e.g., SOP-QA-001 v2.0).
- 3.2. Abbreviations Used:
  - Define all acronyms used in this SOP, even if they seem common, to ensure clarity and consistency.
  - Example: QMS – Quality Management System, CAPA – Corrective and Preventive Action
- 3.3. Definitions:
  - Define key terms, especially those related to compliance, risk, safety, or process ownership.
  - Consider defining: "Critical Process," "Non-conformance," "Mitigation," "Authority," "Responsibility"
  - Tip: Explain terms, especially where they impact risk. Define "critical process," "risk mitigation," etc.
4. Responsibility
Guiding Text: Assign risk-related accountability at various levels.
This section defines who is accountable for what — especially in relation to risk control, decision-making, and compliance.
- Role-based Responsibilities:
- Clearly outline the roles responsible for executing, supervising, or approving various steps of the SOP.
- Emphasize alignment with the organization’s Competence Matrix, where individuals must be trained, qualified, and authorized.
- Include responsibilities for risk assessment, escalation of nonconformities, implementation of controls, and review of effectiveness.
- Regulatory Expectation:
- Ensure roles comply with ISO 13485 Clause 5.5.1 (Responsibility and Authority) and the responsibility requirements of ISO 14971 (Risk Management).
- Use phrases like “designated personnel,” “documented training,” or “qualified reviewer” as required by regulations.
- Risk-Centric Guidance:
- Define who is responsible for identifying, assessing, mitigating, and monitoring risks relevant to this SOP.
- Highlight authority limits — when must personnel escalate or seek higher approval?
Role | Responsibilities |
---|---|
Top Management | Approve policy and ensure oversight of high-risk functions |
Department Heads | Monitor departmental risk indicators and implement controls |
Employees | Execute tasks within risk-controlled frameworks |
5. Process Operations
Guiding Text:
This section defines the full sequence of operations — from preparation to execution and follow-up — with all risk controls, safety checks, and escalation steps included.
- Step-by-Step Procedure:
- Clearly number and describe each step in the process.
- Use flow-diagram reference where applicable (include in Annex).
- Prerequisites:
- List equipment, personnel training, environmental conditions, or approvals required before starting the process.
- Example: Ensure sterilizer validation is up-to-date before batch loading.
- Precautionary Measures:
- Highlight safety protocols, material handling cautions, or contamination controls.
- Note any EHS (Environment, Health & Safety) risk mitigations.
- In-Process Checkpoints & KPIs:
- Define process checkpoints (e.g., visual inspection, test data).
- Identify measurable indicators like yield rate, temperature, torque, seal integrity, etc.
- Post-Completion Actions:
- Define what validations, documentation, or logs must be completed.
- Specify approval or release criteria.
- Deviation Management:
- List conditions considered deviations or failures (nonconformances).
- Explain immediate containment steps, notification hierarchy, and who initiates CAPA or Incident Reports.
- Hazards & Emergency Actions:
- Identify task-specific hazards (burns, exposure, bio-risk, etc.).
- Include emergency shutdown or evacuation steps if relevant.
- Reporting:
- Detail what forms or systems must be used (e.g., batch record, NCR log, eQMS module).
- Specify if this process contributes to management review or quality metrics.
6. Annexes
Guiding Text: Include supplementary tools like checklists, risk evaluation forms, and decision trees.
This section lists all annexures that are supplementary to this SOP, whether directly referenced in the process steps or indirectly supportive to compliance, traceability, or monitoring. Each format must be included as a blank template with the SOP Master Copy.
- Annexures May Include:
- Risk Assessment Forms
- Process Flow Diagrams / Decision Trees
- Checklists used in daily operation (e.g., Pre-startup Checklist, Line Clearance Checklist)
- Training Attendance Record formats
- Maintenance Logs or Calibration Schedules (if equipment-based SOP)
- Audit Trail Record Sheet
- Format Handling Guidelines:
- All formats included must be blank.
- Each format must have a footer with the label: “MASTER COPY – FOR REFERENCE ONLY”
- Annexures should be uniquely numbered and referenced in the main SOP steps (e.g., “See Annex 2 – Operator Checklist”).
- Version Control of Annexures:
- Each annexure must carry its own version number and effective date.
- Revision history of annexures may either be included within the SOP or separately tracked in a Document Register.
7. Revision Information
Guiding Text: Track document changes, especially risk-triggered updates (e.g., after adverse events or audits).
This section logs every revision to this SOP. Use it to capture what was changed, why it was necessary (e.g., audit finding, process deviation, regulatory update), who made the change, and the current revision number. This supports document control requirements under ISO 13485, the FDA QMSR (21 CFR Part 820), and the EU MDR.
- What to include:
- SOP Section(s) that were revised (e.g., “Section 5: Process Operations1”)
- Reason for change — e.g., new risk mitigation step, CAPA implementation, updated annexure format
- Revision Number — incremented for every change (starting from 0)
- Change Author — the responsible person or department (e.g., QA Head, Regulatory Affairs)
- Change Highlighting (Optional but Recommended):
  - Use footnote-style references (e.g., ¹) within the SOP body to point to the relevant entries in the revision log
  - In digital formats, visually highlight updated content if changes are tracked live in the document
- Master Record Note:
- This template may itself be controlled via a governing SOP titled “SOP for Creation and Control of Standard Operating Procedures (DOC-QA-001)”
Note: This SOP format template shall be governed and maintained under the organization’s QMS via the governing SOP – “Procedure for Creation, Approval, and Maintenance of SOPs”.
S. No. | Document/Section Revised | Reason | Current Revision No. | Change Author |
---|---|---|---|---|
1 | All (Initial Release) | First version of this SOP format issued under QMS | 0 | QA Lead |