
    ISO 13485 Requires Risk Management & Risk-based Thinking

    [Image: photo of a road sign that says "Risks Ahead"]

    There are two distinct and different requirements in ISO 13485:2016 for the management of risk.

    One relates to the management of the processes that go to make up the ISO 13485 Quality Management System, and the other relates to patient/end-user safety, that is, safety in manufacturing.

    The difference between the two is often missed, especially by component manufacturers, as is the issue of patient safety.  Let’s consider what’s required.

    Risk-based Thinking in Sub-clause 4.1.2 focused on threats to Quality Management System processes

    ISO 13485:2016 Sub-clause 4.1.2 states:

    The organization shall:

    • apply a risk-based approach to the control of the appropriate processes needed for the quality management system;

    • determine the sequence and interaction of these processes.

    Applying Risk-based Thinking to ISO 13485

    There is no guidance in the ISO 13485 Standard as to exactly what is required. We therefore have a requirement analogous to that of ISO 9001 for risk-based thinking. We can find it in ISO 9001 Annex A.4, a guidance section, which states:

    'The concept of risk-based thinking has been implicit in previous editions of this International Standard, e.g. through requirements for planning, review and improvement.

    This International Standard specifies requirements for the organization to understand its context and determine risks as a basis for planning.

    This represents the application of risk-based thinking to planning and implementing quality management system processes and will assist in determining the extent of documented information.'


    Formal Risk Management Methods

    Although ISO 9001:2015 Clause 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process.

    Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.

    Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations.

    Under the requirements of ISO 9001 Clause 6.1, the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks. 


    Limitations of Risk-Based Thinking

    The requirement then is for the application of risk-based thinking to planning and implementing all QMS processes with a view to controlling more tightly the more vulnerable processes from a product/service quality point of view.

    Most manufacturing organizations choose to retain documented evidence of compliance (both for ISO 9001 and ISO 13485) and to introduce a formal Risk Management process, focused on threats to QMS processes, with documented risk management tools, which usually includes a variant of FMEA.

    That deals with the requirement in sub-clause 4.1.2.  The requirement in clause 7.1 is different and will not be adequately addressed with risk-based thinking, or even risk management, in planning and implementing all QMS processes.

    Risk Management in ISO 13485 Clause 7.1 focused on threats to patient/end-user safety

    ISO 13485:2016 Clause 7.1, Planning of Product Realization, includes this sentence (our emboldening):

    'The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained (see 4.2.5).'

    For such an important issue, the wording here is very vague. At the end of clause 7.1 reference is made to ISO 14971 for guidance.

    The introduction to ISO 14971:2007, Medical devices - Application of risk management to medical devices, is more helpful and tells us (again our emboldening):

    'As one of the stakeholders, the manufacturer makes judgments relating to the safety of a medical device, including the acceptability of risks, taking into account the generally accepted state of the art, in order to determine the suitability of a medical device to be placed on the market for its intended use.

    This International Standard specifies a process through which the manufacturer of a medical device can identify hazards associated with a medical device, estimate and evaluate the risks associated with these hazards, control these risks, and monitor the effectiveness of that control.'

    So, Clause 7.1 is concerned with the ‘suitability of a medical device to be placed on the market for its intended use’, and not about manufacturing processes (product realization). 

    Risk management here is about the application of risk management tools (and many examples are given in ISO 14971) focused on threats to patient/end-user safety.  The activities and records are closely related to the content of the Medical Device File (see clause 4.2.3).

    Recommended Action When Implementing Risk Management and Risk-based Thinking to ISO 13485

    ISO 13485 requires risk-based thinking regarding QMS processes (sub-clause 4.1.2) and risk management with regards to patient/end-user safety in using the medical device (clause 7.1). 

    Make sure that your management system distinguishes between the two and treats (and documents) their requirements separately.  Otherwise, you may well have a major non-compliance at your next Certification Audit.

    NOTE: The requirements here are covered in depth in our ISO 13485 Lead Implementer and other Courses.

    Note: First published in Feb 2019; revised and updated in Nov 2021.


    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021 we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.

    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems.