Struggling with ISO 13485:2016 Clause 6.2 - Level of Risk Associated with Work


I know this clause has been discussed; however, I think I'm getting a little wrapped around the axle with how to implement the requirements.

The company for which I work is a team of 8 with 3 people manufacturing and the remainder doing operations (excluding me with QA/RA); therefore, I want to keep this procedure manageable and simple.

However, I'm stuck with the level of risk associated with work not being done properly and demonstrating competency regarding the different levels of risk. Does the risk level have to be defined for each training task (this would be cumbersome)? Or, can the procedure be more generalized with an overview of high or low risk? For example, training for technical procedures (e.g. laboratory processes, shipping of product, etc.) is high risk and shall consist of trainee observation of processes and demonstration of processes under the supervision of a qualified trainer. Once the trainer finds the trainee competent, the trainee is signed off for that process.

For low risk, non-technical procedures, the training platform may be a read/understand, discussion, presentation.

Without intending to wax philosophical, I think it's important to consider how 13485:2016 addresses risk:

When the term “risk” is used, the application of the term within the scope of this International Standard pertains to safety or performance requirements of the medical device or meeting applicable regulatory requirements.

So when assessing effectiveness of training (or other action!), the methodology should be based on the risk (per the above) of that individual failing to properly perform that function.

So the point is that I don't know if equating all "technical procedures" to high risk is appropriate. There are some functions that, if not performed correctly, would either be caught immediately or pose no real risk (per the context above).

Further, for truly high-risk functions, maybe a one-time observation is not sufficient. Is there any follow-up to ensure no regression? I know of one company that has the supervisor observe each operator doing "high risk" functions during the course of the week to ensure comprehension / competence. Maybe that's too much for your organization but is just intended to show that it's a journey sometimes.

Without knowing your business or the risks (per above), it's hard to say if the system you proposed is sufficient to check effectiveness. It may well be.


Considering the increased alignment between the 2016 edition of the 13485 standard and the lack of change from the previous standards for this clause, some implicit meaning could perhaps be gleaned from interpreting the FDA QSR personnel clause (21 CFR 820.25).

Personnel (especially, but not limited to, manufacturing alone) need to be aware of which defects may occur from their improper performance. (From 21 CFR 820.25, (1))

Furthermore, personnel performing verification and validation need to be aware both of what defects, and what errors, they may encounter in their tasks. (From 21 CFR 820.25, (2))
To my mind this applies to knowing what to check for (defect) and what can result in false positives/negatives in checking (errors).

It might be best if someone else confirms whether this interpretation holds for the 13485 in all regions.

21 CFR 820.25 extract:
(1) As part of their training, personnel shall be made aware of device defects which may occur from the improper performance of their specific jobs.
(2) Personnel who perform verification and validation activities shall be made aware of defects and errors that may be encountered as part of their job functions.
The pertinent parts for risk then seem to be linked to process risk management (possibly through PFMEA/Control plans) on critical aspects of the product (usually determined in the risk management of the design phase, and updated through post-market surveillance).



Did you ever come up with a solution? I'm assuming you've already changed the Employee Training SOP to reflect the ISO 13485:2016 modifications.

I researched some of the same issues you were discussing, and want to make this the least burdensome possible. Should I implement a training matrix, with a grading system of risk levels associated with the training module? This seems tedious...
