Hi, I was doing a risk-based approach for the QMS because that was one of the auditor's findings.
That's what I thought. Can you share the details of the nonconformity?
I find it very hard to imagine that your company has not implemented controls, based on some type of perceived risk (e.g., risk to regulatory compliance, risk to product safety, risk to employee safety, etc.), within its QMS processes. I do, however, find it believable that auditees were either not able to articulate the types of controls that are in place, or were unable to clearly lay out how those controls are risk-based.
The example you provided is a perfect example. Theoretically, there is a "risk" that employees could use or reference an out-of-date standard, or fail to apply a standard when it is applicable [call this the "Hazardous Situation"]. If this happened, it could theoretically lead to delays in product regulatory approval/clearance, or lead to some type of regulatory nonconformity [call this the "Harm"]. To mitigate this risk (i.e., prevent the "Hazardous Situation" from happening), you have chosen to review new and revised standards within management review. I would assume, then, that you have also assigned one or more employees the responsibility of monitoring standards for updates, right? I would also assume that, for medical device development projects, you have (1) design plans that identify which standards are applicable, and (2) phase reviews, during which you check that there haven't been any updates to the applicable standards, right?
All of the things I just mentioned (reviewing standards in management review, assigning responsibility for watching for updates, documenting applicable standards in design plans, reviewing standards as part of design phase reviews) are various types of controls within your QMS. Your employees should be able to articulate those controls, and explain how/why they are risk-based.