Risk Based Approach for ISO 13485:2016 Form/Procedure

SLandry92

Will audit for food.
#1
Hi everyone, first post, but I've been lurking a bit. I dove headfirst into the medical sector after 5+ years in oil & gas as QA manager.

Since we're a small company (~50 employees), I'll be doing an "as simple as I can" method for evaluating risks for complying with 4.1.2 (b).

Basically, the result is low, medium or high in a grid of occurrence versus impact. Medium and High need actions put in place, while Low does not.

Changes/risks will have two categories, one for resource changes and the other for all other change types, with each level of risk (low, medium and high) along with each set (level / hierarchical) of staff required to approve the action plan. For example, high level risks for resources need the management committee, while medium level risks require QA, engineering and the affected department manager, while low level risks, if deemed worthy of an action plan, would require only the department manager (and HR if resources).

This would make a 3x3 grid for evaluating the risk itself, and a 2x3 grid for specifying who needs to approve the action plans, which will be detailed in the procedure managing this form.

Would this be enough to satisfy requirements?

yodon

Staff member
Super Moderator
#2
If you're talking about product risk, you need to get a copy of ISO 14971 and follow that. Depending on your target market, you may need 14971:2012 which throws quite a few curves, especially regarding requirements to mitigate ALL risks to the greatest extent possible (i.e., you can't just waive low risks). (I'm not sure how well a "simple" approach and 14971 align - you'll have to judge).

Change approval is not addressed in the standard (but certainly the impact to the risk analysis from the change is).

If you're not talking about product risk, apologies, I misunderstood.
 

iVivien

Starting to get Involved
#3
Slandry mentioned section 4.1.2 b) of the ISO 13485:2016, so I guess he's not focusing only on product risks but also on meeting applicable regulatory requirements as stated in the standard.

The main challenge here is to properly detail the main risks originating from your firm processes without getting bogged down.
Once you've done that, the mitigations (what you call "actions put in place") shall be what you currently do to control your processes: procedures / KPI / review / etc.

One can then, for instance, justify using or not using KPIs for some parts of a process, from a risk-based approach.

Concerning your approval matrix, I think you're beyond the formal requirement :)
 

Ronen E

Problem Solver
Staff member
Moderator
#4
ISO 13485:2016 s. 4.1.2(b) requires that "The organization shall apply a risk based approach to the control of the appropriate processes needed for the quality management system."

The processes needed for the QMS shall be determined by the organization (4.1.2(a)).

What are the "appropriate" processes to which the requirement in 4.1.2(b) applies? Based on s. 0.2, they are the ones necessary for allowing the product to meet its requirements; for compliance with regulatory requirements; for allowing corrective actions; and for risk management. Essentially, all or most of the QMS processes...

S. 4.1.2(b) relates to the "control" of the appropriate processes. What is "control"? It is the application of measures to ensure that the controlled entity is kept within predefined boundaries. In my understanding, "control" of QMS processes means ensuring that they take place as prescribed. So the question that remains is what measures need to be applied to ensure that the QMS processes take place as prescribed.

S. 4.1.2(b) provides part of the answer - it says that the determination of those measures should be risk-based. To me this means that the higher the risk of a given QMS process not taking place as prescribed (i.e. going out of specification), the more action / stricter measures need to be taken to counter the risk.

Effective control involves monitoring and feedback. In this case a properly functioning internal audit process can provide such feedback, so that the perceived risks and effectiveness of mitigation means can be continuously adjusted.
 

Wolf.K

Involved In Discussions
#5
Finally, I updated our QMS for the risk-based approach by updating our "quality planning" procedure with a short "risk-management for processes" chapter for all (!) QMS processes, and renamed our "risk management" procedure to "product risk management".

So, all QMS processes requiring a formal risk management according to 14971 (e.g. during design and development) refer to the SOP "product risk management", and the control of all QMS processes is controlled by the SOP "quality planning".

Next month we are audited by our notified body - then I will know if this approach is alright...
 

Tatian

Starting to get Involved
#9
We are taking the following approach; all my QMS major processes (4.1.2a/c) had their risks individually evaluated and the mitigation actions specified (in a turtle-like diagram) as well as their KPI (Key Performance Indicator).
As 4.1.2 b does not require a documented procedure, I did not document a specific procedure. The quality manual specifies that the QMS processes are mapped and that the controls are established; the method is left open.
Any thoughts?
 

Ronen E

Problem Solver
Staff member
Moderator
#10
We are taking the following approach; all my QMS major processes (4.1.2a/c) had their risks individually evaluated and the mitigation actions specified (in a turtle-like diagram) as well as their KPI (Key Performance Indicator).
As 4.1.2 b does not require a documented procedure, I did not document a specific procedure. The quality manual specifies that the QMS processes are mapped and that the controls are established; the method is left open.
Any thoughts?
I think that in essence you comply. The question is whether a stiff auditor will accept it (I guess not, which is a shame). Today it seems that auditors prefer piles of non-value-adding documentation with questionable implementation over a lean org that actually works according to what they say and according to the standard.
 