This is the second post in the series “The Practical Guide to the ISO 13485:2016 Practical Guide.” If you missed the first installment, catch up by reading it here. This post explores how the Practical Guide defines “risk-based approach,” varying terminology, and which systems require it.
One of the points that complicate understanding where to apply a risk-based approach to the quality management system is the definition of “as appropriate” in section 0.2, meaning a requirement is assumed appropriate until justified otherwise, followed by the usage of a similar phrase in 4.1.2b): “apply a risk-based approach to the control of the appropriate processes needed for the quality management system.” (For more on the meaning and use of “as appropriate within ISO 13485:2016 see the MasterControl blog post Understanding the Use of “Where Appropriate/As Appropriate” Within the ISO 13485:2016 Standard).
Does the use of “the appropriate” as opposed to “as appropriate” infer the same expectations as defined in section 0.2? Should a “risk-based approach” be applied to each element of the QMS individually or as a whole? Does it only apply to patient safety risks (“safety or performance requirements for the medical device” as per section 0.2) or also regulatory risks (“meeting applicable regulatory requirements” as per section 0.2)? Why would ISO describe arguably the most pivotal phase of the standard with such vague and brief language? Well, the ISO will tell you its because a risk-based QMS was the intention of the ISO 13485 standard all along and the new wording was just clarifying existing expectations.
The Practical Guide does offer guidance, which seems to assert that organizations do not have any discretion in the determination of “appropriate” with statements like:
- “This risk-based approach should apply to all processes required for your QMS” (0.2 Guidance, page 14, bold mine) and
- “This edition of ISO 13485 makes the implementation of the risk-based approach a requirement throughout your QMS” (8.5.2 Guidance, page 206, bold mine).
When reading requirements for each QMS element throughout the standard, the use of the risk-based approach terminology is inconsistent at best. There are many sections where the standard does not outline risk considerations, but that does not mean you are exempt from applying a risk-based approach to those systems. The Practical Guide points out where particular sections of ISO 13485 specifically call out a risk-based approach should be used: training, supplier monitoring, verification of purchased product, and validation. However, the Practical Guide goes on to identify additional sections where the standard “does not specifically outline risk considerations” but yet the application of the risk-based approach is expected: interval of management review, control of production and service, nonconforming product, and corrective/ preventive actions (Guidance pages 36 and 37).
Adding to the inconsistency, ISO 13485:2016 gets even trickier when you realize how references to risk use varying terminology. Look at sections 8.5.2 (Corrective Action) and 8.5.3 (Preventive Action). These sections do not contain the word risk, let alone ‘risk-based approach; but they do use the important phrase “proportionate to the effects of the nonconformities encountered.” This wording is used several times throughout the standard. We are left to wonder if this is the same or different from a risk-based approach. Given that on page 37 of the Practical Guide, corrective and preventive actions are called out as subsystems where the risk-based approach is not specified but yet risk considerations are expected, one can extrapolate that “proportionate to the effects” is interchangeable with the risk-based approach.
The Practical Guide has told us where the risk-based approach applies (everywhere), but we’re all still wondering what it actually is. The Practical Guide mirrors 13485:2016 in that it begins to discuss the risk-based approach as if the concept has already been defined and already well understood by industry (it’s not).
- Justify all requirements or quality system elements deemed not appropriate with a written rationale. While a written justification is not required by the standard or Guide, having the rationale documented will help avoid discussions with an auditor debating the “appropriateness” of a particular requirement.
- Interpret “proportionate to the effects” to be synonymous with applying a risk-based approach.
- Apply a “risk-based approach” or justification to every QMS element.
Note these recommendations are based on my own conclusions after reading the ambiguous information available on the risk-based approach. The takeaways are not meant to infer a requirement from the standard or guide but rather reflect my own ideas on implementation.
If you still feel like you are left hanging for practical solutions to implement a risk-based approach, do not fear! The next blog installment will explore an example from the Practical Guide and propose workable solutions. Stay tuned and subscribe so you don’t miss out on the “The Practical Guide to the ISO 13485:2016 Practical Guide”!