James A. Dunning • Principal, QPC Services LLC
Many companies currently are transitioning from ISO 13485:2003 to ISO 13485:2016, the updated standard drafted to help medtech firms evolve with the industry and address changes in the underlying ISO 9001 benchmark. Some companies, however, are finding it difficult to understand the additional requirements imposed by the 2016 version of this Quality Management System standard.
There are many publicly available resources that describe in excruciating detail the differences between the two ISO standards. But these explanations can be hard to follow and may not adequately answer questions associated with the update, thereby leaving companies confused and unaware of the steps necessary for compliance.
For quite some time, I struggled to understand the new standard, and even when I did, I still had a hard time explaining the changes to others. Eventually, the lightbulb came on, but I nonetheless can only help companies and medtech executives focus on one aspect of the 2016 update—risk management. There’s one key concept in this area that companies must keep in mind: 13485:2016 represents a paradigm shift for the industry, as it encompasses much more than the “risk management file.”
While I am aware of multiple risk management standards, my expertise in the medical device sector is ISO 14971 (Risk Management for Medical Devices) and the resulting risk management file. In the quality management systems I have previously worked with, risk management was typically owned by the design and development function within the company. It was primarily focused on the product and associated production processes, including post-market activities.
There are significant differences in the risk management mandates between the two ISO 13485 standards. Medtech companies with a solid command of the risk-based approach to risk management will likely find it easier to digest the disparities, since this method is specifically referenced in the new standard.
In ISO 13485:2016, a risk-based approach to risk management is based on three main points: (1) actions taken in operational and management areas must contain measures for controlling risk; (2) “risk/benefit” considerations must be included in the decision-making process; and (3) executive-level decision-making must consider risk.
Let’s dig a little deeper on each of these three key points.
- Actions taken in operational and management areas must contain measures for controlling risk. Stated simply, this mandate requires risk management be addressed not only in design, manufacturing, and post-market, but also in operations and business management. The 13485:2016 update falls short of requiring an enterprise risk management system, but it does push companies much closer to that kind of system. Management must now apply risk management methodologies to its daily business operations. While this directive does not mandate companies produce more Failure Modes and Effect Analyses (FMEAs) or risk management plans, it does require they gauge the risk level of their operations and consider the most effective method of controlling those risks.
- Risk/benefit considerations must be included in the decision-making process. This decree makes it sound like each decision must come with a risk/benefit analysis, but that is not true. The key change here is ensuring that companies document the rationale for all decisions (especially key rulings) and verifying that their quality management systems contain mechanisms for capturing the rationale, as well as the risk/benefit considerations, associated with any decision.
- Executive-level decision making must consider risk. Despite how it sounds, this is not a repeat of the second mandate. This key point focuses on executive-level decision making to drive home the concept that a risk-based approach must be implemented at the highest corporate levels. Planning becomes significantly more important in an ISO 13485:2016 quality management system.
In transitioning to the new ISO 13485:2016 standard, medtech companies must remember that risk management is part of the management controls function and should be owned by top management rather than design and development. They should also bear in mind that quality management system evaluations are effective, as they allow organizations to discover where the risk-based approach is already being applied but has not yet been documented. Some examples of quality management system evaluations follow:
- Corrective and Preventive Actions (CAPA): Organizations must consider the significance of an issue when deciding on a CAPA. Companies that make such determinations should ensure a risk-based approach is embedded in the quality management system.
- Management review: Risk considerations should be made about trends or issues highlighted in the management review process. In addition, a risk-based approach should clearly be captured in the management review procedures and records. Moreover, that management review should be identified in a company’s quality management system as a process that uses the risk-based approach.
- Internal audits: Ideally, internal audits should be scheduled based on compliance history. This potentially could lead to more frequent CAPA audits for companies with significant compliance issues; such instances should be documented in the firm’s internal audit procedures and records. Companies also should ensure the internal audit process identified in the quality management system uses a risk-based approach.
- Supplier management: It is fitting for companies to categorize suppliers based on the criticality of the products and/or processes they provide, as this categorization can help improve supplier oversight. Such oversight should be documented in a company’s supplier management procedures and records. And, not surprisingly, the supplier management process identified in a firm’s quality management system should incorporate a risk-based approach.
Most medical device quality management systems do take a risk-based approach, but most also fall short of properly capturing where and how this risk-based approach is applied within the quality management system. ISO 13485:2016, stripped down to its most basic components, attempts to address this shortfall.
James A. “Jim” Dunning’s consulting career began in 2001. He has provided quality and regulatory consulting services for various companies ranging from Fortune 500 medical device firms to startups. Dunning’s passion, however, lies with startups and small companies, especially those in regulatory distress. He has amassed significant experience in preparing 510(k) applications, developing complete quality management systems, providing quality system training, and advising on quality, business, and leadership issues. Dunning is a senior member of the American Society for Quality (ASQ) and a member of the Regulatory Affairs Professional Society (RAPS). He can be reached at firstname.lastname@example.org.