ISO 13485:2016 requires a risk-based assessment of your processes within your quality management system (QMS). Many companies ask themselves whether only production processes should be considered, or whether all processes should be considered. Furthermore, the question often arises whether the risk assessment should be based on the product and patient perspective or on business interests.
My answer:
- a) All processes in your quality management system are affected.
- b) Why not both views? – The QMS should ultimately provide both stable processes and also serve economic purposes.
With a risk-based approach, both areas, i.e. the business area and the impact on product quality, can be assessed and a joint assessment can be created.
TIP: Keep the classification of risk areas coarse. I advise you to classify your processes clearly, but without too much detail. Otherwise, the discussion about each process becomes too long and gets in the way of careful maintenance.
The assessment matrix is defined in the QM manual and serves as the common basis for all processes.

As an example, you can see the classification based on the approximate chapters of ISO 13485 in the risk matrix. Using the two axes for business risk and product risk, each process can now be assessed, and the process is assigned a classification as a characteristic.
The specific classification of each individual process is handled in the process or procedural instructions themselves. This makes it more flexible for individual processes and makes it easier to maintain an overview. To avoid having to include the matrix in the processes, each procedure and process is given its own rationale within the process.
As an example of a classification and the description of its rationale:
ISO 13485 Chapter 8.4, Analysis of data: high-risk process:
- The evaluation of economic and error data is relevant to business success. Business Risk Level 5
- Failure rate and trend detection have a significant impact on early detection of product failure and patient safety. Product Risk Level 5
Advantage 1: During the audit
Each process is assessed individually and can also be used for audits according to the risk classification.
Example:
All critical processes in the red zone are audited annually. In the yellow zone, I set the audit benchmark every two years, and in the least critical zone, the blue zone, the topics are audited as needed and on a three-year cycle.
This allows audit time to be planned efficiently and focused on the processes.
Advantage 2: QM
Each process can be assessed according to its criticality. This begins to establish a rationale for audits and audit depth. This helps the internal auditor, as they can justify their audit planning in a comprehensible and transparent manner, and the external auditor, as they can more easily compare their assessments and priorities. It also helps QM staff, as they can respond more quickly to training and audit needs.
Advantage 3: Management
For management, this approach is useful for trend assessment, allowing them to respond more precisely to deviations in specific, higher-priority areas and also provide a better estimate of their contribution to business continuity. Changes and processes with high error rates are identified more quickly with the overall risk impact, and measures can be initiated more precisely. The required additional analysis of the impact prior to the change is no longer necessary.
Conclusion:
The evaluation of processes in the QMS is an important step toward an efficient quality management system. It is thus even more of a planning and control tool for an efficient structure and a balanced quality culture. In this sense, it is not an additional requirement to fulfill; rather, it provides a better rationale and control of risk tolerance in the self-assessment and design of the QMS. Each change is then considered in its entirety, taking into account the rationale for risk assessment, and the process's sphere of influence throughout the entire change cycle is designed to be predictable.
FINAL TIP: Since risk management is an iterative cycle, you should also review the classification regularly, for example at every management report or, if necessary, at the relevant Q&A meetings.
