Top 5 Tips for Integrating Risk Management into Your Quality Management System (QMS) to Prepare for the Quality Management System Regulation (QMSR)

 

Nathan Blazei, Senior Director of Regulatory Affairs, Kymanox Corporation, and Naveen Agarwal, PhD, Let’s Talk Risk, discuss the top 5 tips for integrating risk management into your Quality Management System to prepare for the Quality Management System Regulation.

The FDA’s new Quality Management System Regulation (QMSR) brings significant changes for medical device developers and manufacturers by aligning requirements to ISO 13485:2016 and placing more emphasis on integrating risk management practices throughout your Quality Management System (QMS). Even with an effective date of 02 February 2026, companies should start preparing for the transition now.  

If you currently sell or plan to sell medical devices in the US market, here are the top 5 tips for successfully integrating risk management into your QMS in preparation for the transition to the QMSR.

Do Not Treat Risk Management as a One-Time Paper Exercise

Risk management was never intended to be treated as a one-time, checklist-type activity during medical device design and development, but for some companies this practice may have historically been the reality. With the QMSR, a heavier emphasis is placed on risk management, as noted in the various clauses of ISO 13485:2016 as well as the commentary from FDA’s final rule to amend 21 CFR 820. Risk management practices must be systematically integrated throughout the entire product lifecycle and across various QMS processes, such as design, supplier management, production, and post-market surveillance. Operationalizing this integration requires mapping all your processes and intentionally defining where risk management activities interface as inputs and outputs to other quality processes.

Prioritize Effective Process Implementation Over Documentation

Simply maintaining risk management documentation will not be enough under the QMSR. Regulators will look for objective evidence that your risk management process is being properly implemented to control risks throughout all product lifecycle stages. Manufacturers will need to have practical methods to monitor and evaluate whether risks have changed over time compared to initial estimates. For example, connect post-market data to the initial risk analysis by monitoring the same metrics and criteria used during design. Firms should define quantitative measures up front and have mechanisms to feed the data back for continual updates. Creating this traceability demonstrates an effective, working process rather than just a paper trail.

Identify Existing Data Sources First

For established manufacturers, a smart approach is to first examine where they already have risk-related data, like complaints, nonconformances, clinical studies or literature. Manufacturers should enhance their risk management integration at those points before expanding across the full system. Start-ups still in development should prioritize building robust risk analyses by gathering as much data as possible up front through activities like usability studies, literature reviews of similar devices, and discussions with clinical experts. The key is identifying what relevant data already exists in your organization, assessing confidence levels, creating a plan to improve the data over time, and ensuring it gets properly integrated into risk decision-making.

Develop Aligned Risk Measures Throughout the Product Lifecycle

Too often the specific risk estimates and criteria used in design do not translate to what is monitored in post-market surveillance. This disconnect makes it very difficult to determine if a risk profile has changed and needs to be updated. The QMSR will expect manufacturers to define explicit, quantitative risk measures up front, particularly as it relates to probability of hazardous situations occurring and leading to harm, that can be consistently tracked from development through production and post-production stages. Aligned measures allow objective comparisons to detect if real-world data suggest an increasing or decreasing risk compared to initial estimates. Companies should map out these metrics early and build feedback loops to fuel continual updates to the risk analysis based on actual performance data.

Adopt Cross-Functional Governance  

With risk management spanning the entire QMS, companies must ensure that all functional groups involved in risk management activities play an active role in the maintenance and governance of the process as well. When risk management is considered “some other group’s responsibility”, it becomes clear that the organization does not have an integrated process or appreciation for the role risk management plays in developing safe and effective products. If not already the case, ensure risk management activities are part of your management review process as a standalone topic but also as a key part of the other quality processes where it intersects.

Conclusion 

The QMSR will bring a greater focus on the establishment of an effective risk management process for medical device developers and manufacturers supplying products to the US market. With a 2-year transition period, companies have time to make the necessary updates to their QMS and ensure risk management is an integrated part of product development, commercialization, and lifecycle management, but they should not wait until the last minute to get started on their transition. Many firms will need to invest in modern software solutions to replace manual methods and enable automated traceability between risk data and other processes. There are numerous resources available to support you on your journey, including a future webinar scheduled for May 16 at 1:00 to answer additional questions about the QMSR.

 

About the Authors: 

Nathan Blazei, RAC, ASQ-CQA
Senior Director, Regulatory Affairs, Kymanox 

Nathan is a Senior Director of Regulatory Affairs at Kymanox. He has over two decades of experience in the life sciences across pharmaceuticals, biotechnology, medical devices, and combination products. He applies his expertise to client projects in an oversight or expert role to ensure that solutions are technically sound but also of high quality and compliant with current regulations. 

Nathan is a Certified Quality Auditor (CQA) through the American Society for Quality (ASQ) and holds a Regulatory Affairs Certification (RAC-US) through the Regulatory Affairs Professionals Society (RAPS). He is currently a Board Member for the Parenteral Drug Association (PDA), Southeast Chapter. Nathan has presented at domestic and international industry events on various topics relevant to the life sciences, and he continues to offer training internally and externally to share best practices, lessons learned, and new approaches to old problems. 

Naveen Agarwal, PhD
Principal & Founder, Let’s Talk Risk
https://naveenagarwalphd.substack.com/about

Naveen is an Engineer by training with over 10 years of experience in Product Development, 5 years in Medical Device Quality Systems, and 3 years in Sales and Marketing Data Analytics. Naveen has developed a very broad and deep expertise in all of the core functions involved in the entire lifecycle of medical products. His experience allows him to identify any Quality issue within a broader context and identify solutions that can be implemented in harmony within an organization. 

Naveen is passionate about risk management of medical devices. His mission is to help elevate the collective capability in risk management across the global medical device industry to significantly improve patient safety, accelerate innovation and reduce cost. 
