
View Full Version : Risk Analysis as an Input in Management Review


Michael J
26th September 2007, 03:59 PM
We had an auditor write a nonconformance stating the following:

5.6.2 Risk Management is not formally listed as a management review input item in Sect. 5.4.1 of the Management Review procedure.

I have been through ISO 13485 and 14969 and cannot find any requirement for this. Am I missing something or is my auditor mistaken for having written this nonconformance? If he is mistaken, then of course we screwed up by accepting it, but that's spilt milk.

Thoughts?

GStough
26th September 2007, 04:30 PM
We had an auditor write a nonconformance stating the following:

5.6.2 Risk Management is not formally listed as a management review input item in Sect. 5.4.1 of the Management Review procedure.

I have been through ISO 13485 and 14969 and cannot find any requirement for this. Am I missing something or is my auditor mistaken for having written this nonconformance? If he is mistaken, then of course we screwed up by accepting it, but that's spilt milk.

Thoughts?

Hi Michael and welcome to the Cove! :bigwave:

5.6.2(h) Management Review Input states "new or revised regulatory requirements", which alludes to the FDA's requirements for risk management.

That's the only place in that section I can see where it might apply.

Michael J
26th September 2007, 04:57 PM
Gidget,

I was wondering if that might be where he is hanging his hat. Still, I am a literalist and this would be a bit of a stretch.

It may be pertinent to mention that we are not an FDA-registered company, but we endeavor to behave like one for the most part. This is not in writing anywhere in our QMS of course - we're not crazy. :)

db
26th September 2007, 05:02 PM
A couple of thoughts. It looks like he is referring to section 4.5.1 of your procedure. If you mention it there, then you gotta either do it, or change your procedure. If he is stating it is a requirement of the standard, ask him to show you the direct "shall" (audit criteria).

GStough
26th September 2007, 05:02 PM
Gidget,

I was wondering if that might be where he is hanging his hat. Still, I am a literalist and this would be a bit of a stretch.

It may be pertinent to mention that we are not an FDA-registered company, but we endeavor to behave like one for the most part. This is not in writing anywhere in our QMS of course - we're not crazy. :)

Michael,

If there's not any other regulatory agency involved where 5.6.2(h) might apply, then you may be able to "argue" this one. Or at least address it with a CAR and state why it doesn't apply.

Doug Tropf
26th September 2007, 05:04 PM
Even though ISO 13485 refers to ISO 14971 regarding how
to establish the risk management process and ISO 14971
does state that risk assessment and review is the
responsibility of "top management", I believe your auditor
is out of line because compliance with ISO 14971 is not a
requirement for certification to ISO 13485. :2cents:

Michael J
26th September 2007, 05:43 PM
Everyone,

Thank you for your great responses. :applause:

The auditor was stating which section in our procedure the change needed to be added to. I know that's supposed to be verboten, but what ya gonna do.

It seems I am pretty well calibrated with others on their interpretation. My colleagues read your replies as well and were impressed.

We especially like Gidget's idea of issuing a CAR. This will serve to prove that we formally addressed the nonconformance, but are not going to act on it.

Thanks again,

Michael

P.S. If anyone is looking for a QE job, we have several openings. Send me your resume by email and I'll pass it along to the right people.

Roland Cooke
27th September 2007, 01:30 PM
It isn't a requirement.


That said, reviews of past product performance (which ARE a requirement) might indicate that some corrective changes are needed. Risk management control would naturally be required before and during those changes.

Additionally, I encourage management reviews to be as much forward-looking as well as reviews of historical data (and indeed this is often the case, albeit usually not well-structured). Thus introduction of new products, development of new processes, changes to facilities etc would be discussed, and risk management strategies, to safeguard those changes, could begin to be formulated.

So I do commend companies that build risk management discussions into the management reviews. As a bonus it is also easy evidence of pro-active preventive action taking place.

db
27th September 2007, 01:34 PM
...Additionally, I encourage management reviews to be as much forward-looking ...
This is an excellent point. Too many times we think of reviews as just that, a review. And we tend to look at what kinds of things are mandated in the review to keep the registrar off our back. But they also need to be thought of in terms of strategic planning and what things we should be looking at to keep our system (and company) moving forward.

Michael J
27th September 2007, 04:29 PM
More good stuff to think about - thanks :thanx:

freelovefest
4th October 2007, 06:50 PM
I think what the finding was is that you did not discuss risk management in relation to 5.6.2(h). If it was a 13485 audit, they would expect to see some discussion as to how you are planning on implementing the 14971:2007 revision which just came out this year. If nothing else, discuss it as a proposed change to the QMS. While compliance with 14971 is not explicit, the reason this is usually applicable is that most companies reference 14971 as the guide they use for performing risk management.

This is getting to be a pretty common finding in that most companies were unaware 14971 changed and have not made provisions for this, let alone implemented the revisions into their risk management process. I could be off base here, but I think the auditor is right in his assessment, just maybe should have been more explicit about why.

YairP
5th October 2007, 05:19 AM
Even though ISO 13485 refers to ISO 14971 regarding how
to establish the risk management process and ISO 14971
does state that risk assessment and review is the
responsibility of "top management", I believe your auditor
is out of line because compliance with ISO 14971 is not a
requirement for certification to ISO 13485. :2cents:

All
The new Risk Management Standard - ISO 14971:2007, main change is responsibility of "top management", and if this standard is referred by your Design SOP (and most probably YES) then this reference is the source of your non-compliance.