Hi there,
I was hoping someone could help me, we received a very strange NC (IMO) from a certification body recently.
The NC states 'Process of risk management is not fully effective as: The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained.'
We are a SaMD manufacturer, and when the auditor asked for evidence of process risk assessments, I stated as we are a SaMD manufacturer, still in development, the main processes affected are design controls, risk management, SDLC and process and computer system validation.
All of which, within the body of the procedures, have details of process control steps, risk categorisation of activities and requirements associated with each risk level, roles, responsibilities and competencies of staff working in the development and those responsible for approval etc.
We will have a design risk assessment in line with ISO 14971, and do risk assessments of each software tool we use in development.
The auditor stated this was not appropriate, and I should have a risk assessment for every line of section 7 product realisation of ISO 13485, I've worked in a number of ISO 13485 certified QMSs in the past and have never seen such a process risk assessment for a process which does not generate a physical product.
The example given by the auditor was 'In your audit process, you need to assess, document and control the risk of an internal audit being performed by someone who is not independent of the process', to me, this is basic - write a control step in the SOP, I feel like creating a risk assessment is overkill.
(PS, I know audits are in section 8, this was the e.g. I was given)
I am wondering, has anyone else experience of this kind of request, or knows of a way around it without creating a risk assessment, which will effectively mirror the quality manual compliance table, for the sake of it?
Thanks in advance,
A