ISO 13485, the international standard for medical device quality systems, requires that all processes be done in a manner commensurate with risk. Sounds reasonable, but it must be thought out and planned.  We frequently apply risk management and different levels of risk management without thinking. For example, most of us use a seat belt when driving. This could be considered the minimum level of risk mitigation.  If we’re driving on slick roads (increased level of risk), we generally reduce our speed (plus have out seat belts buckled). This demonstrates a higher level of control; i.e., more commensurate with risk. These risk mitigations are largely “hard wired” into our thinking that we don’t really consider how we apply risk management.  And it’s the same in medical device development and management.

To be clear, this is not a discussion of ISO 14971, the international standard for medical device risk management. This is intended to be a discussion of a variety of processes required by ISO 13485 (the international standard for medical device quality systems) with consideration of how the processes introduce risk, how risks can be categorized, and how controls can be applied commensurate with risk.

We’ll kick off the discussion with some terminology review to ensure we’re on the same page throughout the chat. 

We’ll then consider a few risk management basics, like probability and severity tables and other methods to categorize risks.

We’ll then delve into specific processes and discuss methods of how risks can be categorized and how controls can be applied, commensurate with the risks, to mitigate them risk.

We’ll start with a discussion of the process that most companies have at least a rudimentary classification system: supplier qualification and approval.  Often, though, the risk levels are confusing or inconsistent and don’t provide the needed structure to properly manage supplier qualification and approval. Even if companies have a risk classification system for suppliers, they may not follow through on purchasing verification. This is another area where a risk classification system can be sued. Then pulling on the thread a little more, we can see how failures by suppliers to meet requirements can be classified and managed in a way commensurate with the risk.

We’ll next look at non-product computer system validation; i.e., validation of computer systems used in the execution of the quality management system. Once you start looking, you’ll likely be surprised by how many computer software applications you use in support of the Quality Management System. We’ll discuss ways to identify your software inventory, means to classify systems based on risk, and approaches to software validation based on the risk.

Next, we’ll look at training systems. This is clearly an area where the level of training can be driven by the risk; however, there’s one other aspect related to training that a lot of companies miss: effectiveness. How do you know if your training is effective?  What if it’s training on a critical process that, if not performed correctly, could lead to patient harm?  We’ll discuss means to assess effectiveness using a risk-based approach.

We’ll then take a short look at internal auditing and how a risk-based approach can be applied. We’ll look at one possible approach for setting up a risk-based audit schedule.

We’ll wrap up with a short discussion on other areas where a risk-based approach could be taken and how the tools previously discussed can be used to apply risk-based thinking. We’ll also speculate a bit on what the future holds for risk-based thinking.

Areas Covered

Who Should Attend

Why Should You Attend

ISO 13485, the international standard for medical device quality systems, requires that all processes be done in a manner commensurate with risk. Sounds reasonable, but when individuals are asked what this means, they often get the “deer in the headlights” look. We take a lot of risk management for granted. For example, most of us use a seat belt when driving. This is risk mitigation. If we’re driving on slick roads, we generally reduce our speed. These risk mitigations are largely “hard-wired” into our thinking that we don’t really consider how we apply risk management. And it’s the same in medical device development and management.

So why the panic when asked how we apply risk management to our processes? There’s always the “panic moment” in audits/inspections where folks tend to freeze up and lose the ability to think rational thoughts.  But most often, it’s simply just a lack of translating our “common sense” into the practical application of risk management. 

Everyone, from management to the folks on the shop floor, needs to be able to answer the question when it is posed to them, without any hesitation.  To do so, though, the folks need to be armed with the knowledge of how they are applying risk management in their work. We may not be able to help folks overcome the panic of being called into an audit, but we should be able to help them articulate their response in a way to satisfy the auditor/inspector.