Risk management, ISO 13485 and ISO 14971

MRWardell

We have been recently certified to ISO 13485 and 9001, and in our most recent external audit our auditor found that our risk management procedure did not meet the requirements of 14971, and wrote this up as a Level 1 nonconformance. I was not at the audit, and our Director of Operations was not able to determine (from the auditor) why he felt we needed to comply when 14971 is a note in the standard and not (apparently) a requirement of 13485. I have been tasked with revising our current risk management procedure to comply with 14971. I was wondering if anyone had run into this situation, and if there are any suggestions (examples?) of a risk management procedure which would conform.
Our company is a contract manufacturing concern, and we have been asked to build a non-invasive device by a design firm which has designed the device. Thanks for your thoughts!
 
arios

I don't understand either why the comment sounds like you have to implement ISO 14971 unless it has been declared as required in other parts of your QMS or in technical documentation. What is true is that you have to implement risk management in your system and have records.

There is a guidance document of the GHTF which can serve you: http://www.ghtf.org/documents/sg3/sg3n15r82005.pdf (obsolete, broken link)

On the other hand, ISO 14971 is a very complete standard, supported with very good information and annexes that help you understand how to implement a good Risk Management process. My advice for you is to acquire and get familiar with this standard. Risk management is not only a requirement, but also makes good business sense, and overall it helps us think more about the patient in a proactive manner.
 
MRWardell

Arios - yes, 14971 is a good standard and I have been reviewing it in order to respond to the nonconformance. Our risk management procedure under 13485 is a little weak, but I guess my concern was that the auditor required our procedure to conform to 14971, while I did not see how he could do that when 13485 does not appear, at least to me, to make that requirement. Thanks for your input and the link.
 
DrM2u

> Arios - yes, 14971 is a good standard and I have been reviewing it in order to respond to the nonconformance. Our risk management procedure under 13485 is a little weak, but I guess my concern was that the auditor required our procedure to conform to 14971, while I did not see how he could do that when 13485 does not appear, at least to me, to make that requirement. Thanks for your input and the link.

I suggest that you dispute the finding with the registrar. Note 3 under 7.1 says to look at ISO 14971 for guidance. Guidance is needed to compensate for lack of knowledge. There is no requirement in ISO 13485 that the organization has to comply with the 'guidance' of ISO 14971 or with auditor's interpretations of the standard.

To shine some light on WHY the finding was issued ... and this is just my educated guess ... The auditor gets to do extra work (and doesn't get paid for it) if the review board rejects the audit package or asks for additional information. The chances are that the review board uses ISO 14971 for 'guidance' and historically they are a lot pickier than ISO 9001 review boards, for example. Therefore the auditor probably figured that if your organization complies with ISO 14971 then he and the organization avoid a potential hurdle in the registration process. A good auditor should have explained this potential scenario and maybe documented an opportunity for improvement or area of concern, but not a finding.

Any additional feedback from other auditors or auditees?!?
 
arios

> Arios - yes, 14971 is a good standard and I have been reviewing it in order to respond to the nonconformance. Our risk management procedure under 13485 is a little weak, but I guess my concern was that the auditor required our procedure to conform to 14971, while I did not see how he could do that when 13485 does not appear, at least to me, to make that requirement. Thanks for your input and the link.

I agree with DrM2U. You could further inquire about the auditor's finding, and if it is not fair, challenge the auditor's conclusion. If you wish to appeal the finding, also check ASAP the timing with your registrar to do that process. As mentioned earlier, you should also consider that the auditor may have raised the finding based on other technical reasons, which would be important to find out if there are any. It is sad he apparently did not mention the reasons.
 
John Martinez

> We have been recently certified to ISO 13485 and 9001, and in our most recent external audit our auditor found that our risk management procedure did not meet the requirements of 14971, and wrote this up as a Level 1 nonconformance. I was not at the audit, and our Director of Operations was not able to determine (from the auditor) why he felt we needed to comply when 14971 is a note in the standard and not (apparently) a requirement of 13485. I have been tasked with revising our current risk management procedure to comply with 14971. I was wondering if anyone had run into this situation, and if there are any suggestions (examples?) of a risk management procedure which would conform.
> Our company is a contract manufacturing concern, and we have been asked to build a non-invasive device by a design firm which has designed the device. Thanks for your thoughts!

Ok, please define "external auditor". If a Certification Body (registrar) then challenge the finding.

If Notified Body (CE Mark or CMDCS) then they may be accurate.

If a regulator or customer, then you may have to comply to continue business.

I'm not a Medical Device expert. Has the US CFR changed to require this specific ISO standard? If so, that would be a switch, since most regulators seem to be allergic to ISO standards, even though their CFRs reflect the Standard's requirements.
 
MRWardell

John - the external auditor is our ISO 13485 registrar. I think the time to challenge the finding is past, and I don't think our Director of Operations wants to take that course if we can address the finding and satisfy the auditor. I am working on a revised Risk Management procedure which I think addresses the requirements of 14971, but I guess we'll see. There have not been any changes to the standard, just this auditor's view of what we need to do to comply. Thanks for your thoughts.
 
John Martinez

> John - the external auditor is our ISO 13485 registrar. I think the time to challenge the finding is past, and I don't think our Director of Operations wants to take that course if we can address the finding and satisfy the auditor. I am working on a revised Risk Management procedure which I think addresses the requirements of 14971, but I guess we'll see. There have not been any changes to the standard, just this auditor's view of what we need to do to comply. Thanks for your thoughts.

By accreditation standards, there are formal contestment processes in place. Your auditor is REQUIRED to advise you of this during the closing meeting.

If there is a non-conformance and you have not answered it or closed it yet, then the time to contest is not too late.

Certainly, you can make a call to your registrar's technical department and inquire as to when this became a requirement. Perhaps it is an accreditation body's requirement that the registrar is pushing down.

Bottom line is, if you do not have all of the information, how do you expect your response to this NC to be effective?

I'd make the call. If not as a contestment, then as an inquiry as to where this requirement came from so that you can address it properly.

I'm not stating that this document is not useful. It is. I'm stating that, obviously, you are having a difficult time with this, so utilize your registrar's technical department's insight.
 
DrM2u

To add to John's comments, your job is not to satisfy the auditor but to meet the requirements of the standard in a way that is beneficial to the organization. You can always ask for another auditor if you believe that your current auditor is not professional or has difficulties understanding your system. Keep in mind that you are the customer for the registrar, not the other way around!
 

jkuil

Documented requirements for risk management are obligatory per ISO 13485:2003 7.1.
ISO 14971:2007 is the EU harmonized / US, Canada, Japan... recognized standard to meet the essential requirements for risk management. This means that when you claim conformance to this standard authorities will accept this as conforming to the essential requirements for safety and efficacy as specified in legislation (e.g. MDD annex I).
However, standards are voluntary and you can use other standards or your own business standards to meet the requirements. However, that will not result in easy approval by the notified body and/or authorities, as you experienced. They should verify that your QMS complies with the requirements of the recognized standard (as this is the expected minimum) even when you do not claim conformance. It is easier for them to require conformance to ISO 14971, but inappropriate.
Still, conforming to ISO 14971 is a sensible thing to do, as it will facilitate marketing approvals. So your operations director made the right decision.
 