Our auditor requires us to attend a training on EN ISO 14971:2012

[Alyana]

Hi All,

Our auditor requires us to attend a training on EN ISO 14971:2012 so that we could prepare the risk management documents accordingly. It seems that unless we attend the training, they would be happy with the risk management document. Currently we hold a document complying to ISO 14971:2007. And that this EN ISO 14971:2012 is required for EU market.

Alyana.

 

[Randy]

You're auditor requires? On what basis and what type of auditor, internal, external, CB?

 

[Jean_B]

Your auditor can require you to have personnel competent in the relevant areas of risk management as determined through your risk management planning. Usually this team includes a resource that ensures the process delivers according to necessary risk management standards (such as ISO 14971). Assessment would occur by evaluating qualifications of the risk management team versus planning, and looking whether deliverables meet the risk standard requirement. A technical file reviewer might have specific comments on the subject matter within the deliverable (and this role is sometimes performed by an auditor if they have that expertise).
He cannot require you to perform such a specific training, as the path to competence for a compliant risk management file is yours to choose (outsource with appropriate controls, hire expertise (consultant or in-house), train in general).
This does not mean it is a bad idea, as only having 1 person within the team having the standard's knowledge and ensuring application is usually inefficient and fraught with compliance risk. Yet don't have the best person on the job undercut by other persons with less training and experience (but do address any evidence such junior personnel bring forward, as they are in the team for a reason).

 

[yodon]

@Jean_B is spot on here. The requirement is for competency, not training. There are more (and probably better) ways than training to attain competency but that's a different story.

There are a few things in your post that are a bit concerning.

First, did your company know that BS EN ISO 14971:2012 was the harmonized version of the standard in the EU? If not, why not? The company needs to be staying current on all relevant standards.

Second, risk management is not a document, it's a process and it's continuously applied throughout the life of the device. Are you actively managing risk throughout the life of the device?

Finally, just as an aside, auditors and reviewers are now taking a very close look at who participated in the risk management activities. If you don't show that you had individuals competent on the clinical aspects of the device, you may have further troubles ahead.