ISO 14971 Risk Management questions and comments

[Marcelo]

A Hazard analysis is a part of the risk analysis, which is a part of the risks management process as whole (in fact, a "hazardous situation analysis" would be best, after the clarification of the 2007 edition )

The risk managemente file (defined as "set of records and other documents that are produced by risk management") must contain everything that is an output to the risk management process...basically, everything that the standard requires has to be in the RMF (not necessarilyphisically).

Besides that, 3.5 has the traceability requirement my advise would have to have this traceability phisically in the RMF to help in assessments (for example, on the new IEC 60601 seris).

 

[Marcelo]

I think some examples might help...

- clause 3.4 requires a risk management plan...so this has to be in the risk management file...

- clause 6.2 requires that risk controls measures to mitigate the identified risks of the hazardous situations be defined / identified ....so this list has to be in the RMF...

I think you can get the point....

In fact this is all written on the standard....when it says "Compliance is checked by inspection of the risk management file."

 

[Watchwait]

Thanks Marcelo. The verbiage is clear. Nevertheless, I, and I think many others would really benefit by a tangible, physical example of, for example, a "risk management plan". I learn very much by example and seeing how others have documented this requirement would, at least to me, be very helpful. It would also be something I could take to my team and show them. Then, instead of glassy-eyed stares when I read them the regulation..they might go "oh yeah - now I get it". As they say...a picture is worth a thousand words and I think that holds especially true here.

Also, I don't think the company or device type would matter. The requirements are agnostic so the elements of "the risk management plan" and the "risk management file" from any medical device manufacturer would be beneficial.

Any takers? Here's a chance to be a real hero

 

[Marcelo]

yeah, i do understand what you´re saying..my main problme with this is,as a consultant, i just cannot show what i´ve been implementing in my clients...and, incredibly as it may seen, i still do not have a template for a risk management plan or file.....well, i DO need a template for them (and i´ve been doing some implementation for some time so i do have the informarion needed) so it seems the best choice would be do make these templates...i will share them when i do that (which could take some time )

 

[Marcelo]

Just found an article on outsourcing and the risk management problem: Risk Management Drives Supplier Development... and Demise

Another good one: Outrage...Over Risk Acceptance Criteria?

The source is Crimson, a translation company which is ISO 14971 certified...they are one of the driving voices of the "system parity" movement i mentioned...more articles here: http://www.crimsonlanguage.com/en/about_publications.html

 

[gholland]

Our product risk management plan (PRM plan) consists of the following:

- List of activities (FTA/FMEAs/Hazard Analysis) complete with who is going to do them, when they are completed, and where they are located (in our case the path to get to the file in our system).

- Establishment of risk acceptace criteria. In this section we establish what exactly has to happen for the product to be acceptable. If you have specific RPN levels or whatever then that goes here. We say that there are no risks in the 'unacceptable' region of a chart we use, or if there are risks that fall in that region a rationalization must be documented as to why it is acceptable to move forward. This must be reviewed/approved by VP or higher level upper management plus the Quality VP.

- Explanation of how you are going to verify your risk control measures. In our case we would list our verification tests here.

- Explanation of post production activities. How does your company integrate risk management into CAPA, complaints, and ongoing production?

The document is then signed off by the project team and upper management representatives. It is updated as required.

These are the basic sections of our risk management plan without uploading a company document here... don't want to get in trouble...

 

[WisdomseekerSC]

This thread has been very informative for me. I work for a company that is also a contract manufacturer. We make components for medical device manufacturers. We are also struggling to get a handle on what risk management means for us. We are establishing a program for ISO 13485 now and the documents are in draft form. I can share my rendition of a "Risk Management Process", I would definitely welcome comments.

 

[Roland Cooke]

This thread has been very informative for me. I work for a company that is also a contract manufacturer. We make components for medical device manufacturers. We are also struggling to get a handle on what risk management means for us. We are establishing a program for ISO 13485 now and the documents are in draft form. I can share my rendition of a "Risk Management Process", I would definitely welcome comments.

After a very brief review, it looks okay to me. I'm sure Marcelo will be along in a bit to tear it to pieces.

I would consider what your criteria for assessing effectiveness of your system are.

What I would also suggest you could do is also create a process risk management report template, your Appendix B focuses mostly on the design of the finished product. That's obviously critical, but it's far from the only factor, especially for contract manufacturers.

In addition, even if everything is 'perfect' today, tomorrow might be a whole different story. So build into your risk management plan some kind of 'anticipation of change' system.

Obviously ECOs are a good chunk of this, but things like Management Review and Resource Management come into play as well.

For example, what happens if your volume of orders doubles overnight? It's the same manufacturing process, and (nominally) the same end product, so your original risk plan is obviously still fine....?

Of course not, obviously there absolutely are significant risks posed by that change: including workspace, training, increased pressure on suppliers etc.

But if you can formally build in some foresight as part of Management Review (including input from Marketing), then you can get into a routine of balancing those risks, and demonstrating that your risk management is a living system...not just a report.

Sure, arguably that is more strictly part of a Preventive Action system, rather than 'pure' Risk Management. I wouldn't necessarily debate that, but to be honest, why get bogged down in descriptors?

The point is to end up with a living system that is effective, and to generate the documentary evidence to support that claim.

 

[blueapple]

I didn't get to read everything below in this thread , but I was wondering: if we apply ISO:13485, and we do not have our own CE Mark, but we produce under another company's CE Mark, do we need to have Risk Analyses (we started preparing FMEA)? And who should actually be involved in making the FMEA?

 

[Roland Cooke]

The first thing to do is to read this thread, and then do searches for ISO14971 and Risk Management.


First, what do you mean "we produce under another company's CE mark"?

Do you mean private labelling? Or do you mean subcontract manufacture/assembly?

If the former, the vast majority of risk management should have already been done. The risks your company might introduce are traceability, translation, shipping, etc.


If the former, then it depends on what exactly your company has been tasked with doing, MIREGMGR has made some good posts in this regard.