This is the third post in the series “The Practical Guide to the ISO 13485:2016 Practical Guide.” (See the first installment and second installment.) This post explores the examples and application provided within the Practical Guide for the implementation of a “risk-based approach,” along with color commentary from yours truly.
In the last installment, we left off at: “The Practical Guide has told us where the risk-based approach applies (everywhere), but we’re all still wondering what it actually is. The Practical Guide mirrors 13485:2016 in that it begins to discuss the risk-based approach as if the concept has already been defined and already well understood by industry (it’s not).”
So what does the Practical Guide give us that is concrete? While more helpful than the standard, the Guide only references risk-based approach methods. Some of these methods will be familiar to you – FMEA/FMECA, HACCP, FTA, ‘5 Whys’, SWOT, Porter’s 5 forces, ‘what if’ questioning, and brainstorming. The Practical Guide gives a single example of the application of a risk-based approach to QMS processes. The one-paragraph example suggests starting with a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis for each QMS process. The SWOT becomes an input to a Hazard Analysis and Critical Control Points (HACCP) analysis, which is then used as an input to a project improvement plan intended to address QMS weaknesses.
I have a few bones to pick with this example. Let’s explore some concepts to implement a risk-based approach defined in the Practical Guide. (All examples are from page 36.)
- “Your organization decides to review your QMS to improve or verify compliance.”
Back in my day, we called this an internal audit. In fact, in ISO 13485:2016, the very purpose of an internal audit by definition is:
“to determine whether the quality management system:
- a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements;
- b) is effectively implemented and maintained.”
How is the intent of the risk-based approach example process different from an internal audit?
- “The identification of an area of improvement in the QMS process then triggers use of a more detailed analysis.”
So in the internal audit system, deficiencies and areas for improvement are identified in an audit report. Typically each item is investigated in an audit response that involves a root cause investigation. Sounds like a “more detailed analysis” to me.
- “This detailed analysis is then used to provide the information necessary to create a strong project plan for improvement to address identified weaknesses.”
Again, most audit response systems I have seen involve not only root cause analysis but corrective and preventive action plans coupled with effectiveness evaluations. How is a corrective or preventive action plan different from a “strong project plan for improvement”?
I fail to see why the Guide recommends creating a whole new, multi-layered risk-based analysis system when existing, long-standing systems within the QMS could be augmented with more risk-based concepts. The last thing small manufacturers need is to reinvent the wheel to meet a new expectation when existing systems can be made to fulfill the intent of the new risk-based approach requirement.
My last point of contention with the example is the number of layers and tools needed to conduct a comprehensive analysis of the quality management system. Let’s do the math. (All examples are from page 36.)
- “As a start, you apply a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis to each QMS process identifying areas of needed improvement.” (italics mine)
By my count, there are five main overarching processes defined in the standard, not counting the subsystems under each main process. Let’s stick with these five for purposes of this example, even though we all know that a single SWOT on a very large subsystem like Product Realization is impractical. Your company conducts five SWOTs.
- “The identification of an area of improvement in the QMS process then triggers use of a more detailed analysis such as a Hazard, Analysis, and Critical Control Points (HACCP) approach.”
Let’s conservatively assume that each SWOT identified two areas of improvement. Now your company conducts ten HACCPs.
- “This detailed analysis is then used to provide the information necessary to create a strong project plan for improvement to address identified weaknesses.”
Let’s assume that each of the ten HACCPs identified three areas of improvement. Now your company creates 30 project plans. So now you have 5 SWOTs, 10 HACCPs, and 30 project plans. That’s a minimum of 45 new documents, processes, and project plans for your company to effectively manage on top of the existing QMS processes.
Needless to say, this resource-intensive example isn’t practical for small and mid-sized manufacturers, and the Practical Guide leaves this portion of the industry without actionable guidance. With only one example, some companies will find it difficult or impossible to extrapolate the structure of the risk-based approach and then apply it to their own organization’s processes. Further, the guidance is silent on what modeling the risk of not meeting a regulatory requirement would look like in this process.
Takeaway:
- Give consideration to how your internal audit system can be augmented to fulfill the risk-based approach.
In the next installment, we will conduct a historical review of the evolution of risk management, cross-link references to risk throughout the regulations, and examine how all of these factors influence risk-based thinking. As my high school history teacher once told me, you have to understand where you have been to understand where you are going. Stay tuned!