Historically, the term “where appropriate” and/or “as appropriate” have been implied within the ISO 13485 standards as well as the FDA 21 CFR 820 Quality System Regulations. The FDA has always explained that “as appropriate” means it is appropriate unless you can justify why it isn’t appropriate. The recent changes in ISO 9001:2015 introduced the concept of risk-based thinking. Risk-based thinking establishes the foundation to make decisions based on the business risk – both positive and negative risk. The key is to make decisions based on a level of risk that is acceptable to an organization. ISO 13485:2016 also uses risk-based decision making as a foundation. The ISO references “where appropriate” 26 other times within the standard. Essentially, this was done to allow companies the flexibility to “right size” the QMS (quality management system) to meet appropriate business and regulatory needs.
Because the standard did not convert to the new ISO format there is no explicit clause related to risk-based thinking. As you can see below, the “where appropriate” requirement ties the risk- based thinking approach to business and QMS management. The risk-based thinking approach enables the organization to make better decisions about the processes and opportunities for overall improvement.
“When a requirement is qualified by the phrase "as appropriate," it is deemed to be appropriate unless the organization can justify otherwise. A requirement is considered appropriate if it is necessary for: