ISO 13485 requires a lot of documents and records on production tests, but nowhere is there a requirement to document why you selected those particular tests, test methods and criteria.
It has, on quality system planning - that's where the justifications for your decisions should be. However, people (including assessors) usually think that to verify planning you need to verify the final procedures.
In risk management, manufacturers often use numerical representations for severity, probability and risk, but if you look closely ISO 14971 does not ask you to document why those numbers are selected; it just says to record the number.
Again, it does, in the risk management plan, and there's specific reference in Note 3.
Even when applying the plan, the requirement is to:
For each identified hazardous situation, the associated risk(s) shall be estimated using available information or data.......The results of these activities shall be recorded in the risk management file.
So, the expectations are there, but people do not perform as expected. Why?
I see several factors:
1 - Standards are not meant to teach anything - they are usually a set of good practices from the past of an area, to be read and easily understood by someone with the correct background. In the specific case of risk management, for example, anyone with a background on reliability and safety engineering knows that it's a good practice to have and record the rationale for any estimate - see for example the historical case on the THERAC-25, where part of the problem was an incorrect estimate on some 10000 times the reliability of a part - and this was more than 30 years ago!
However, when those standards became somewhat "mandatory", a whole lot of people with no previous knowledge suddenly need to be in conformity with standards, and what they do is to get the standard and read it, trying to figure out what is expected (instead of reading some books from the area). And they usually try to apply it in the easiest way possible. Assessors usually do not have the background either, so everything ends up being done generically - does not mean that it is correct.
The same case is for quality, I remember years ago when I was heading into quality, the first suggestion I've got was - read the standard. I preferred to get some book from Juran and Deming, and after reading those and some other sources, there was nothing "new" on the standard, everything there was a little obvious because it was based on those good practices. For example if you get one of the most known books from Juran, "Quality Planning and Analysis", the planning stage for any QMS is there, very clear, but almost no one does that today.
2 - Another part of the answer is that standards and regulations became a business. So we need a certificate, and an auditor is coming, and we need the badge on the wall. Who is going to take the time to understand what we are doing?
And obviously, the assessors/auditors and even regulators do not always have the background to evaluate those things. You would need to either hire experts or give people the competency (meaning, years of studying and training) for things to be correct again.
But anyway, I do agree with you in general with your remarks: regulations are "clearance for sale" (I use the term "license to sell"), and part of the trade-off is that a regulator will verify some stuff, on a sampling basis...and the important part is, the manufacturer is still required to do the right thing, even if it was not spotted in an audit.
That's why I usually say too: even if you passed an audit and/or your device is cleared for sale, it does not mean that you really fulfill the regulations and standards. It means that the sampling done (if any) did not show anything wrong in principle, but it's still the manufacturer's responsibility to ensure compliance.