Time to jump start this conversation again... I recently went through an audit that resulted in these two risk related findings:
1. Risk Analysis is incomplete. Cannot assess if all 3 risk control options (D.P.I.) have been applied to each risk mitigation.
2. Risk Benefit Analysis was not applied for each risk individually.
1. a) My risk assessment has a checkbox for "Design, Process, and Information" for each risk. Some of the risks only have one of three, others two of three, and some have all checked. According to the auditor and their interpretation of 14971:2012 ZA #5, the manufacturer must apply all control options even if previous control options have reduced the risk to an acceptable level. Why would you apply "labeling" for something if you've already designed it out and it no longer needs labeling as a mitigation? You wouldn't! So how can I check that box if I didn't apply labeling? I can't. So what do I do? Provide a justification each time I apply less than all three options? Can anyone show me how you are meeting this requirement and what evidence you are providing to auditors, because I'm at a loss as to how I can meet this requirement.
Your auditor is going overboard in my opinion. It sounds like you've documented the risk management process quite well...
Presumably what they are wanting to see is that you've reduced risk "as far as possible" - but to assume this means that ALL possible risk controls must be applied is absurd! (as you've pointed out)
Perhaps you could point to a risk management system procedure, or plan where it's stated that you will apply risk-controls until risk is reduced as far as possible? A documented explanation in the procedure/plan (e.g. "application of controls stops once residual risk is evaluated to be as low as possible") may suffice to explain what you're doing, and justify why not all options are applied in all cases...?
2. a) How is everyone applying RB to individual items? My only thoughts mirror what Yodon mentioned earlier in the post, to just do some handwaving by adding a column with a canned statement for each item that RB has been assessed by the members of the cross-functional risk analysis team and determined that the benefits outweigh the risks. Pretty silly since the overarching RB assessment/conclusion already accomplishes this. Or do I need to provide a justification of how the team came to the conclusion specific to each line item?
Again, this may be overcome by documenting in a procedure/plan that "each identified risk is assessed for cost/benefit acceptability", and then simply include a checkbox on the documentation to show that you've done it.
It sounds like you have an overly-zealous auditor that wants to see some very specific format (even if it has questionable value). I guess we were lucky. We just grouped hazards into categories (e.g. materials, power, software...), and then included a short paragraph following the analyses in each category to the effect of "for each individual hazard in this category it has been assessed that the benefits to the patient outweigh the residual risks of harm...".