Reduce risk by management review

Tidge

Trusted Information Resource
Hi, I was doing risk based approach for QMS because that was one of auditors finding.

If you do take a "risk-based" approach to a QMS, don't apply the concepts of 14971. The principles of 14971 derive from safety, a QMS is focused on compliance. Generally we think about compliance to regulations, but a QMS could be implemented in an unregulated industry as well. I think you should look for ideas from risk controls for project management before reaching for 14971.

I agree with @yodon's comments that "management review" is a prima facie "bad idea" as a risk control, even in a non-14971 approach. Allow me to make up an imaginary risk for your QMS: Suppose there is a risk that barbarians will show up and destroy all of the paperwork in the building. Management reviewing whether or not the barbarians arrived is not controlling (or mitigating) that risk.
 

Hi_Its_Matt

Involved In Discussions
Hi, I was doing risk based approach for QMS because that was one of auditors finding.
That's what I thought. Can you share the details of the nonconformity?

I find it very hard to imagine that your company has not implemented controls, based on some type of perceived risk (e.g., risk to regulatory compliance, risk to product safety, risk to employee safety, etc.), within its QMS processes. I do however find it believable that auditees were either not able to articulate the types of controls that are in place, or were unable to clearly lay out how those controls are risk-based.

The example you provided is a perfect example. Theoretically, there is a "risk" that employees could use or reference an out-of-date standard, or fail to apply a standard when it is applicable [call this the "Hazardous Situation"]. If this happened, it could theoretically lead to delays in product regulatory approval/clearance, or lead to some type of regulatory nonconformity [call this the "Harm"]. To mitigate against this risk (i.e., prevent the "Hazardous Situation" from happening), you have chosen to review new and revised standards within management review. I would assume then that you have also assigned one or more employees the responsibility of monitoring standards for updates, right? I would also assume that, for medical device development projects, you have (1) design plans that identify which standards are applicable, and (2) phase reviews, during which you check that there haven't been any updates to the applicable standards, right?

All of the things I just mentioned (reviewing standards in management review, assigning responsibility for watching for updates, documenting applicable standards in design plans, reviewing standards as part of design phase reviews) are various types of controls within your QMS. Your employees should be able to articulate those controls, and explain how/why they are risk-based.
 

d_addams

Involved In Discussions
Hi, @yodon But if we find issue from internal audit, normally we process NC or CAPA and that can be control of risk. No?
No. Identifying risks does nothing to control risks.

What you are wanting to attribute as risk controls are monitors or activities which generate signals to IMPROVE risk controls. In the context of 14971, your post-production monitoring, which can include the types of activities you are mentioning, should be included as the sources of input signals to monitor risks. But only those actions which directly address the risks presented by the product/therapy are recognized as risk controls within the risk file in the context of 14971.

The business having robust programs and procedures would be recognized as an ENTERPRISE risk control measure. But enterprise risk management is outside the scope of 14971.
 

d_addams

Involved In Discussions
Hi, I was doing risk based approach for QMS because that was one of auditors finding.
'Risk based approach' means that the level of quality should scale up with the risk associated with the activity. This will usually entail some type of risk assessment which then translates into the frequency, strength, or robustness of the controls to be applied.

Some examples of what this looks like in practice: a critical feature will require a higher level of assurance or more frequent inspections than non-critical features. Or perhaps a CAPA related to the safety of product in the field will require a higher level of evidence of effectivity (product overheats and can burn patients/users) vs another issue with no direct safety impact (the
 