ISO Registrars/CBs citing for use of "Detection" in Risk Management

g frias

#1
Hi all. I work for a medical device company that designs and manufactures class II devices. Our tool of choice for risk management has been FMEA (application, design and process). We are ISO certified and during a re-certification audit at one of our other sites the notified body cited them for the use of "Detection" in the application and design FMEAs. Their argument was that ISO 14971:2007 omits discussion of detection and that we were unduly placing the burden of detection of a hazard on the end user to avoid harm to the clinician and/or patient. As a result the company revamped the risk management tools to accommodate this finding.

My husband also works in the industry and this was news to him so I'd like to hear from others in the industry to see if this is the direction in which industry is moving or if someone at our sister site should have argued a little harder :lol:. Thanks for the input!
 
Bev D

Heretical Statistician
Staff member
Super Moderator
#2
This is the way the industry is moving, and I think it's a good thing.

My organization only uses 'detection' as a mitigation. If we have on-board error detection (we make diagnostic devices and instruments) to mitigate a failure it gets its own 'assessment' as a function.

We've also gone a step further, and prior to V&V, risk assessment is restricted only to the severity of the effect. Only low severity failures can be excluded from V&V testing and/or mitigation beyond detect and repair. Post validation, we use the observed occurrence rate to guide our risk management decisions.

We take the position that "risk isn't the probability of occurrence but the severity of the effect should it occur" and that drives our risk management decisions...

We cannot determine the likelihood of occurrence or the occurrence rate without testing. Without testing it's just guessing and opinion...

We can determine the severity based on knowledge of function and use. It's just physics.
 
MIREGMGR

#4
Regarding detection, ISO 14971 does not accept detectability in the equation. Risks for ISO 14971 are only based on the severity of the harm and probability of the harm.
Yes, but.

Clearly the intent of ISO 14971, and more importantly the overriding legal and ethical responsibility of the device maker, is that the device should be safe and effective.

In the US FDA system, risk analysis is a required part of product design. It's self-evident that if two alternate design solutions have comparable severities and comparable probabilities of occurrence, but one of the alternates has greater user detectability after occurrence but before the full extent of harm occurs, that alternate design is preferable. My understanding of US FDA's intent in regarding risk analysis as a part of design is to assure just this sort of consideration of harm-avoidance. Thus, at least in my view, detectability needs to be considered and documented as a part of the process, even though ISO 14971 does not require it...that is, such an implementation of risk analysis should go beyond the minimum requirements established by ISO 14971.

As an example, the above scenario particularly applies to simple, low-risk, professional-use devices for which the most likely risks involve user error, and the presence and training of the professional user result in a significant likelihood that that user will detect the incipient harm and act in a situationally appropriate manner to mitigate it.
 

Marcelo

Inactive Registered Visitor
#5
Re: ISO Notified Body citing for use of "Detection" in Risk Management

In the US FDA system, risk analysis is a required part of product design. It's self-evident that if two alternate design solutions have comparable severities and comparable probabilities of occurrence, but one of the alternates has greater user detectability after occurrence but before the full extent of harm occurs, that alternate design is preferable. My understanding of US FDA's intent in regarding risk analysis as a part of design is to assure just this sort of consideration of harm-avoidance. Thus, at least in my view, detectability needs to be considered and documented as a part of the process, even though ISO 14971 does not require it...that is, such an implementation of risk analysis should go beyond the minimum requirements established by ISO 14971.
The main problem with this type of example is that this kind of "detectability", in terms of ISO/IEC standards, is related to the usability engineering process of IEC 62304. And the usability process is tied to the risk management process.


Anyway, ISO 14971 does permit that you make a decision regarding options for risk control measures, and you can, if you want, decide that one is more "detectable" than the other so you prefer that one.

However, both are primarily related to severity and probability. Detectability is in this case only a second-tier design decision.

One of the real main problems with detectability and why it does not fit into ISO 14971: essential principles require that risk control measures are defined in order, 1 - inherent safety, 2 - protective measures, 3 - information for safety.

If we put detectability in the mix and let the risk be lowered because of the detectability, it means that we could bypass the required order.
 

yodon

Staff member
Super Moderator
#6
Regarding detection, ISO 14971 does not accept detectability in the equation. Risks for ISO 14971 are only based on the severity of the harm and probability of the harm.
??? From the standard (G.4, FMEA):

FMEA can be extended to incorporate an investigation of the individual component fault modes, their probability of occurrence and detectability (only to the degree that detection will enable preventive measures in the context of this International Standard) and also the degree of severity of the consequences.

I think this clearly indicates that detectability is a valid means to assess (and possibly reduce) the likelihood that the harm is realized.

I've seen detectability (by the system, not necessarily by the operator) used frequently. I can't imagine why an NB would prohibit this. Maybe it was too heavy a reliance on operator detectability?

14971 (for better or worse) is not a rigid Risk Management template but an overview of what needs to be done. How things are done is left to the user (to some degree, of course).
 
MIREGMGR

#7
This discussion further illustrates the conceptual differences in use of ISO 14971 in particular, and standards in general, among different national/regional regulatory systems.
 

Marcelo

Inactive Registered Visitor
#8
??? From the standard (G.4, FMEA):

FMEA can be extended to incorporate an investigation of the individual component fault modes, their probability of occurrence and detectability (only to the degree that detection will enable preventive measures in the context of this International Standard) and also the degree of severity of the consequences.

I've seen detectability (by the system, not necessarily by the operator) used frequently. I can't imagine why an NB would prohibit this. Maybe it was too heavy a reliance on operator detectability?

***************

Annex G has comments on risk analysis techniques. It means that FMEA does use detectability. That's it. I'm not sure why you are implying that this annex comment means that detectability can be used.

I think this clearly indicates that detectability is a valid means to assess (and possibly reduce) the likelihood that the harm is realized.
From 6.2 - Risk control option analysis:

NOTE 2 Risk control measures can reduce the severity of the harm or reduce the probability of occurrence of the harm, or both.
14971 (for better or worse) is not a rigid Risk Management template but an overview of what needs to be done. How things are done is left to the user (to some degree, of course).
Yes, you really can do anything you want; however, if you claim conformity to ISO 14971 and use detectability, it's really incorrect. That's why the OP had a problem in the first place.
 
MIREGMGR

#9
If we put detectability in the mix and let the risk be lowered because of the detectability, it means that we could bypass the required order.
I've highlighted a key phrase above. I wouldn't argue that detectability is in itself a mechanism for lowering analyzed risk. Rather, it's a parameter for selecting the preferable design approach among alternatives. I.e., among design alternatives with equal risk, more detectability always is preferable.

This does of course raise the possibility of a scenario in which a higher risk design approach might be preferable to a lower risk one because the higher risk approach has much more detectability, and a present professional user would mitigate the harm. I would suggest though that in that scenario, the analyzed risk remains higher, and acceptability of the detectability-based design approach is a deviation from the normal procedure and would require documentation of why it can and should be accepted.
 
MIREGMGR

#10
Regarding the OP's issue, we've had this specific discussion with both our NB and our Authorized Representative. We initiated the discussion with our NB, who accepted our approach after discussion. Our Authorized Representative raised the point themselves, but again accepted our approach after discussion.

It may have been relevant in both cases that they recognize that we must comply to both the US FDA's and the EU's expectations.
 