Risk Analysis as an Input in Management Review

[Michael J]

We had an auditor write a nonconformance stating the following:

5.6.2 Risk Management is not formally listed as a management review input item in Sect. 5.4.1 of the Management Review procedure.

I have been through ISO 13485 and 14969 and cannot find any requirement for this. Am I missing something or is my auditor mistaken for having written this nonconformance. If he is mistaken, then of course we screwed up by accepting it, but that's spilt milk.

Thoughts?

[GStough]

Quote:

Originally Posted by Michael J

We had an auditor write a nonconformance stating the following:

5.6.2 Risk Management is not formally listed as a management review input item in Sect. 5.4.1 of the Management Review procedure.

I have been through ISO 13485 and 14969 and cannot find any requirement for this. Am I missing something or is my auditor mistaken for having written this nonconformance. If he is mistaken, then of course we screwed up by accepting it, but that's spilt milk.

Thoughts?

Hi Michael and welcome to the Cove!

5.6.2(h) Management Review Input states "new or revised regulatory requirements", which alludes to the FDA's requirements for risk management.

That's the only place in that section I can see where it might apply.

[Michael J]

Gidget,

I was wondering if that might be where he is hanging his hat. Still, I am a literalist and this would be a bit of a stretch.

It may be pertinent to mention that we are not an FDA-registered company, but we endeavor to behave like one for the most part. This is not in writing anywhere in our QMS of course - we're not crazy.

[db]

A couple of thoughts. It looks like he is refering to section 4.5.1 of your procedure. If you mention it there, then you gotta either do it, or change your procedure. If he is stating it is a requirement of the standard, ask him to show you the direct "shall" (audit criteria).

[GStough]

Quote:

Originally Posted by Michael J

Gidget,

I was wondering if that might be where he is hanging his hat. Still, I am a literalist and this would be a bit of a stretch.

It may be pertinent to mention that we are not an FDA-registered company, but we endeavor to behave like one for the most part. This is not in writing anywhere in our QMS of course - we're not crazy.

Michael,

If there's not any other regulatory agency involved where 5.6.2(h) might apply, then you may be able to "argue" this one. Or at least address it with a CAR and state why it doesn't apply.

[Doug Tropf]

Even though ISO 13485 refers to ISO 14971 regarding how
to establish the risk management process and ISO 14971
does state that risk assessment and review is the
responsibility of "top management", I believe your auditor
is out of line because compliance with ISO 14971 is not a
requirement for certification to ISO 13485.

[Michael J]

Everyone,

Thank your for your great responses.

The auditor was stating which section in our procedure the change needed to be added to. I know that's supposed to be verboten, but what ya gonna do.

It seems I am pretty well calibrated with others on their interpretation. My colleagues read your replies as well and were impressed.

We especially like Gidget's idea of issuing a CAR. This will serve to prove that we formally addressed the nonconformance, but are not going to act on it.

Thanks again,

Michael

P.S. If anyone is looking for a QE job, we have several openings. Send me your resume by email and I'll pass it along to the right people.

[Roland Cooke]

It isn't a requirement.


That said, reviews of past product performance (which ARE a requirement) might indicate that some corrective changes are needed. Risk management control would naturally be required before and during those changes.

Additionally, I encourage management reviews to be as much forward-looking as well reviews of historical data (and indeed this is often the case, albeit usually not well-structured). Thus introduction of new products, development of new processes, changes to facilities etc would be discussed, and risk management strategies, to safeguard those changes, could begin to be formulated.

So I do commend companies that build risk management discussions into the management reviews. As a bonus it is also easy evidence of pro-active preventive action taking place.