What risk-based approach to QMS means?

The new version of the ISO 13485:2016 standard expects companies to apply a “risk-based approach” to all their QMS processes, exactly stating they will need to apply risk management approaches and methods to each process, including outsourced ones. Specifically…

“The organization shall: (…)

Apply a risk-based approach to the control of the appropriate processes needed for the quality management system;” (…)

Why is it necessary? A risk-based approach is necessary to ensure that decision-making is consistent throughout a product lifecycle, the company, and the industry. Anything that might have an effect on the quality system needs to be observed from that risk perspective.

A risk perspective is sought because it forces users to think about the upside and downside of their actions, basically what could go wrong if it did go wrong, and try to deal with it before it becomes a problem.

Previously, risk management was mainly applied for the activities related to product realization with a focus on design and development, but now, the risk approach is expanded and includes other processes.

These are key areas where medical device developers need to apply a “risk-based” approach and thinking:

  1. Resource management
    The ISO 13485:2016 standard says: “The methodology used to check effectiveness is proportionate to the risk associated with the work for which the training or other action is being provided.”

    This means that risk should be considered if training is not understood well and what could be consequences on product/service.
  2. Product realization
    Standard says: “The organization shall document one or more processes for risk management in product realization.”

    Product development supports risk-based decision-making by assuring that information about hazards is used systematically during product development to eliminate or minimize risk.
  3. Design change
    What is said in the standard: “The review of design and development changes shall include evaluation of the effect of the changes on constituent parts and product in process or already delivered, inputs or outputs of risk management and product realization processes.”

    The review of the changes must contain an evaluation of the effect of the changes on parts and products in the process and any changes to the risk management.
  4. Purchasing
    Standard says that the company shall establish criteria for the evaluation and selection of suppliers. The criteria shall be proportionate to the risk associated with the medical device.

    Companies need to “inspect” their suppliers because the quality of their products/services can have a huge impact on the medical device. This activity should be performed frequently because if some issue pops up, can be addressed immediately.
  5. Monitoring and measurement
    Standard states: “The information gathered in the feedback process shall serve as potential input into risk management for monitoring and maintaining the product requirements as well as the product realization or improvement processes.”

    Feedback must be investigated and estimated to be an input to risk management in view of the safety of the patient and the performance of the device as planned. When a product is in commercial use, defined risks can be estimated and defined values (severity and likelihood) can be tested in real. The real risk may be higher than thought. Of course, in this manner, new risks could be identified as well because gathered feedbacks become potential inputs for risk management.
  6. CAPA
    Related to CAPAs, in standard clauses “risk” isn’t clearly mentioned, but it’s well known that many of them will impact the product in some way. So, CAPA actions need to address risk management. By implementing a risk‐based approach to the CAPA process, the company will more efficiently identify critical events and devote resources to resolving the quality problems that distress the company most.

Applying a “risk-based approach” means that companies need to show that they are making a risk-based decision, instead of rule-based decisions, according to which they gain a benefit with better allocation of resources within it. This will also prepare companies for potential opportunities and protect them from any downside risks.

5 responses to “What risk-based approach to QMS means?”

  1. A motivating discussion is definitely worth comment. Theres no doubt that that you need to write more on this subject matter, it may not be a taboo matter but generally folks dont discuss such subjects. To the next! Kind regards!!

Leave a Reply

Your email address will not be published. Required fields are marked *