Wolf.K

Involved In Discussions
#1
Hi,

I wonder how others are updating their SOPs/QSPs for the transition to ISO 13485:2016 (and/or MDSAP), regarding the risk management aspect(s).

I heard that some people (1) just add a new chapter "Risk Management" to all SOPs and (2) update all other parts as necessary.

Have you already started with the transition?

Truly yours
Wolf
 

Ajit Basrur

Admin
Staff member
Admin
#2
Re: Update of SOPs for 13485:2016 / MDSAP

While I have read the new standard, haven't started work on 2016 version yet ... plan to start mid 2017 :)
 

yodon

Forum Moderator
Staff member
Moderator
#3
Re: Update of SOPs for 13485:2016 / MDSAP

Haven't started the transition yet but have certainly been thinking about it.

I think it's important to keep the 13485:2016 definition of risk (and qualifiers) in mind. In 0.2 Clarification of Concepts, they say: When the term “risk” is used, the application of the term within the scope of this International Standard pertains to safety or performance requirements of the medical device or meeting applicable regulatory requirements.

There is additional commentary on risk in Table A.1 (comparing 13485:2003 with 13485:2016):

Limits application of risk to the safety or performance requirements of the medical device or meeting applicable regulatory requirements.

The intent is clearly to keep the focus remaining on risk to the patients / end users. Not the broad "risk based thinking" in 9001:2015.

Given that, there are a few "themes" regarding risk in the standard (in addition to what I would consider standard product Risk Management per 14971):
  • (non-product) software validation - mentioned 3 times (4.1.6, 7.5.6, 7.6) - validation is to be proportional to the risk (of using the software)
  • purchasing (effectively cited in 4.1.5, 7.4.1, & 7.4.3) - ensuring suppliers posing the greatest risk get the greatest control, ensuring that non-fulfillment is managed based on risk, and that verification of purchased product is commensurate with the risk
  • feedback - ensuring that feedback is looped back into the product risk management process

There are a couple other mentions of "risk" in the standard:
  • 4.1.2 - take a risk-based approach to the control of processes in the QMS
  • 6.2 - assessing effectiveness [of actions taken to ensure competency of personnel] are proportionate to the risk associated with the work they are doing - which again would be scoped back to the risk associated with the product

While adding "Risk Management" to every SOP wouldn't necessarily be a bad thing (sounds like that's driving more towards the broad risk-based thinking in 9001), the focus to meet the standard needs to remain on risk associated with the product.

That's my take; would sincerely like to hear others' thoughts.
 

SteveK

Quite Involved in Discussions
#4
I have been updating my SOPs to ISO 13485:2016. Under the Scope of each Procedure I have added this statement and clause reference (as alluded to by Yodon).

4.1.2b A risk based approach will be applied to the control of the appropriate processes within this Procedure.

Then, e.g., in my ‘Purchasing’ SOP, the criteria for evaluation and selection of suppliers has a bullet point – ‘All decisions will be proportionate to the risk associated with the final medical device.’ Similarly where other clauses reference ‘risk’ and fit in with an SOP I reference it.

At the end of my SOPs I reference and quote all the relevant standard clauses associated with that particular subject - so I had to update this section specifically. All these SOPs will be kept in draft form; apart from a new "Software Validation" SOP which I have used in practice, as my next audit (early next year) will be to the old standard. I also reference the relevant clauses of ISO 9001:2015 (but not the text) - as I will try to retain both quality standards in my QMS.

Steve
 
#6
Our updates will start in January 2017. Like Steve, we are going to try meeting both 9001:2015 and 13485:2016 (and 21CFR820) as we are working on both medical and commercial products.

Carol
 

gretzles

Starting to get Involved
#7
We are not accredited to 2003, so I am implementing 2016 from scratch. My plan is to do something like a failure modes analysis for each process as a way to identify control measures.

When processes are updated we would revisit the risks to see if any new risks are being introduced.

Audit findings, non conformances or complaints may also require risk documents to be updated (if occurrence has increased or new risks identified)
 

shruti_hiregange

Involved In Discussions
#8
Hello Everyone,

Has anyone done a risk assessment specific for the following section to demonstrate compliance to the revised ISO 13485 standard:

Clause 6 Resource management
6.2 Human Resources

The methodology used to check effectiveness of a training is proportionate to the risk associated with the work for which the training or other action is being provided.
If yes then would FMEA be the right technique to evaluate the risks associated with ineffective training?
 

Marcelo Antunes

Addicted to standards
Staff member
Admin
#9
4.1.2b A risk based approach will be applied to the control of the appropriate processes within this Procedure.
Adding this really is not what the standard is requiring. (Also, this is the same common problem of translating a standard requirement into another requirement in the documentation - the requirement - the what - is already defined in the standard, what needs to be done is to implement the requirement - the how).

To fulfill this requirement, you need to identify the processes, identify risks in which the process in both normal and fault conditions are part of the sequence of events that leads to a hazardous situation and to risks, and then establish controls for unacceptable risks.

As mentioned in 0.2, we are talking about two different risks here:
- risk of harm to people, in particular, to patient/user (this would be part of "product risk management" under ISO 14971)
- risks of the process not fulfilling regulatory requirement (this is not covered in ISO 14971)
 

Marcelo Antunes

Addicted to standards
Staff member
Admin
#10
Has anyone done a risk assessment specific for the following section to demonstrate compliance to the revised ISO 13485 standard:

Quote:
Clause 6 Resource management
6.2 Human Resources

The methodology used to check effectiveness of a training is proportionate to the risk associated with the work for which the training or other action is being provided.

If yes then would FMEA be the right technique to evaluate the risks associated with ineffective training?
I think there is some misunderstanding here.

The requirement mentioned is related to the "level" of the methodology to check the effectiveness, based on the work (activities) being trained. So this is not related to risks of ineffective training (although it's part of the analysis), but risks related to not doing the work correctly.

You should be doing an analysis of the work not being done correctly as part of requirement 4.1.2b. There, one of the sources (a possible initiating event in the risk analysis) can be that training is ineffective.

Then, based on the results of the analysis of the risks related to that activity, you should define a methodology for verifying the effectiveness of the training.

For example, if the risk related to the work activity not being fulfilled is very high (for example, the death of a patient), you may have to use a very stringent and detailed process for evaluation of effectiveness.

One real example of this would be in the case of unintentional ingress of particles from the manufacturing process into the device, leading to a high risk condition in the patient. In this case, if for example visual manual inspection of particles would be the risk control measure, there would need to be a training on how to perform the inspection. If you decompose the inspection process, you will find something like what is shown in the attached file. In the case of this high risk outcome, you would probably need a detailed evaluation of the inspection training with relation to the human factors aspect of the inspection (focused on the cognitive component of the inspection process), using human factors techniques such as task analysis to create a formal method of verification of cognitive components (between other components, obviously there would be a need to evaluate other things, too).

Now, let's say that the inspection is for something that, if not done correctly (again, this would come from the process risk analysis related to product risk management), will not harm the patient (for example, it's inspection to verify that the device is clean, but if it's not, there's no harm to patient). In this case, maybe only a general training on inspection, with a quick evaluation of each student, would be ok.


Also, FMEA is a technique focused on failure mode of components of a product, and related outcomes. There are other, better techniques to analyze the risks of problems like the ones mentioned (for example, knowing the harm to the patient due to a non-fulfillment of the work, you can use an FTA to derive the hazardous situation and possible sequence or combination of events).
 