Last month and as part of the R&Q Intelligence Series we conducted the webinar, Risk-Based Approach to ISO 13485:2016: Risk considerations and implementation. Risk considerations and implementation of a risk-based approach in your QMS processes is one of the most significant changes to the current version of ISO 13485. Medical device organizations must define how they manage risk in their processes and how the risk of one process affects other risk aspects of the QMS.
At the end of the webinar we answered several questions, and a sampling of those questions and answers is below. To read more about the webinar, read all questions and answers from the session, and gain access to the slides and recording, check out the on-demand webinar.
Q: Can you please explain the difference between product risk management & process risk management?
A: A clarification is necessary here. The difference to emphasize is the difference between risk management in product realization (product and process) and the implementation of the risk based approach in the Quality Management System (QMS) processes. It is required to document (establish, implement and maintain) one or more processes for risk management in product realization. This includes estimating, analyzing, mitigating and determination of risk acceptability for product and processes in product realization. The application of the risk based approach for all QMS processes does not require the documentation of processes, but that you consider the risk in each process and as you consider the risk, the organization must implement actions or activities to ensure the acceptability of risk in that process. For instance, to mitigate the risk of the loss of documents, an organization could implement an electronic system that performs regular backups (mitigating the possibility of the loss to minimize risk (combination of severity and probability of occurrence). The risk based approach mitigates the risk with regard to product safety and performance and meeting applicable regulatory requirements.
Q: If evidence means identifying risks within the process- are we expected to have a risk matrix of sorts for our various QMS processes as evidence?
A: No. It is implementation of the risk based approach not an identification, estimation and mitigation (not risk management) but that you have considered the risk within the QMS process and ensure you have the appropriate controls and activities within each process to reduce risk to an acceptable level.
Q: Can you explain initial vs residual risk and when they should be implemented during design control?
A: While this was not part of the topic for this webinar, within your documented processes for risk management in product realization, you have an initial risk assessment. Since the requirements for risk management start in the planning of product realization (the beginning of that process), this is where initial risk estimation starts and you follow through with the appropriate risk mitigation from there. As to final acceptance of risk, this is the estimation of residual risk and your determination that it is an acceptable residual (safety is the freedom from unacceptable risk). So, prior to product release, you must determine that each individual risk has an acceptable residual as well as the overall residual risk for the medical device is acceptable. Please see the process as outlined in ISO 14971.
Q: Can you please show us examples of evidence?
A: The implementation of a risk based approach must be applied in every QMS process. Examples are: The adjustment of management review intervals based on risk to the suitability, adequacy and effectiveness of the QMS. Similarly an organization can determine controls on supplier and supplied product needed to mitigate risk to the medical device (supplier agreements, audits, incoming inspection of product, etc.).
Q: How to apply risk approach to quality processes that do not directly relate to user/patient risk?
A: See section 0.2 on the application of risk within the context of the standard. The risk based approach considers the product safety AND performance AND meeting the applicable regulatory requirement. The application of the risk based approach considers the risk within the QMS process and ensure you have the appropriate controls and activities within each process to reduce risk to an acceptable level.