ISO 13485 is an established standard that is widely known among medical device manufacturers. It places requirements on a quality management system for all stages of the medical device life cycle. Its last revision in 2016, however, introduced an interesting approach that is still a current topic: the risk-based approach as a part of quality management. There are different ways to address this concept. This article focuses on the risk-based approach for business process control according to ISO 13485.
General information on the ISO 13485:2016
This standard defines the requirements for a quality management system covering the development, manufacturing, storage and distribution, installation, maintenance, final decommissioning and disposal of medical devices.
The important aims of ISO 13485 are the following:
- Determine requirements for the quality management of medical device manufacturers and involved suppliers
- Demonstrate the company’s ability to provide medical devices compliant with the requirements, and related services
- Fulfil corresponding legal requirements by complying with the standard
- Harmonise the quality management systems according to legal requirements from various countries applicable to medical devices
- Define specific requirements for medical devices
In terms of documentation and records, ISO 13485:2016 demands not only a quality manual, but also numerous procedure instructions, recording modes and further documentation. This means a greater scope and additional effort for medical device manufacturers, especially in comparison to other standards.
Section 4.1.2 b (“The organization shall [...] b) apply a risk based approach to the control of the appropriate processes needed for the quality management system.”), which is the section relevant for the risk-based approach, was only added with the new version of ISO 13485 in 2016. The standard thus places extensive requirements on the risk-based approach, which is intended to ensure security in the processes and serves as a regulatory framework.
Chapter 4.1.2 b
Chapter 4 describes the quality management system and specifies the risk-based approach. Basically, the company should adapt its quality management effort to the risks. This pursues certain aims, such as avoiding unnecessary effort and quality bureaucracy. Product safety and legal conformity should be increased, and resources should be used more consciously. If the risk is high, more effort needs to be put into the process; if the risk is low, great effort is not needed. The approach refers to (medical) device-related as well as economic risks.
But one should not overgeneralise! In chapter 4, ISO 13485 does not require risk-based control of all of the company's processes, but only of the appropriate ones. The following chapters specify exactly which processes the standard has an impact on.
The risk-based approach is at least required for the following essential features:
- Control of QM processes (ch. 4.1.2)
- Control of outsourced processes (ch. 4.1.5)
- Activities for validation of software in the QMS (ch. 4.1.6), of software for production and service provision (ch. 7.5.6) as well as of software for monitoring and measuring of requirements (ch. 7.6)
- Effectiveness evaluation of training or other measures (ch. 6.2)
- Criteria for supplier evaluation and management (ch. 7.4.1)
What is the benefit?
In certain markets, implementing a QM system according to ISO 13485 and becoming certified is a precondition for marketing medical devices. This affects, amongst others, the EU, Canada and Japan. For the European market, this means that the MDR does mention the concept of a risk-based approach, but does not give any further specifications. Consequently, manufacturers must apply this approach as depicted in the standard.
However, the risk-based approach is a relevant topic not only in Europe; the FDA also works with it in several areas. In parts, it serves as a basis for how often and to what extent some manufacturers are audited.
Contrary to other approaches, the risk-based approach is based on observing risks which result from non-compliance with regulatory requirements, in other words from a nonconformity. Here, regulatory requirements refer to legal regulations (e.g. the MDR, country-specific law, FDA regulations).
Therefore, the risk-based approach cannot be compared with risk management in general. Implementing the risk-based approach means identifying uncertainties within the company’s processes and applying controls to the relevant processes in order to minimise potential negative impacts and maximise positive ones. In this way, it helps the company to act preventively, to prioritise existing resources correctly and, in the long term, to guarantee (medical) products that conform to requirements as well as an effective quality management system, which also reduces company risks.
How to implement the risk-based approach?
First of all, it is important to determine which processes are relevant; the risks then need to be identified for each of these processes. Under ISO 13485, regulatory risks in particular need to be taken into account. For a simpler overview, this can be laid out in the form of a table. After this first analysis, the measures that are to counteract the risks, or at least minimise them, need to be determined. The risks are often divided into classes, and the respective measure is then determined for each class.
Put into simpler words, the risk-based approach can be implemented in 3 major steps:
- Define, analyse and evaluate risks
- Define, implement, quantify (and evaluate regularly) measures
- Improve the quality management system (and consequently the product, too)
For example, the following criteria can be used for evaluation:
- Influencing regulatory requirements
- Indirect influence on product safety/performance
- Direct influence on product safety/performance
According to section 4.1.2 b, it is not necessary to demonstrate with a certain document that the risk-based approach has been implemented in the business processes. Only through the implementation of this approach itself can a third party recognise that the company is acting upon it: the procedures in the QMS themselves, and the decisions a company has taken about prioritisation, planning and control measures, provide information about that.
Not completely new, but still important
Ultimately, the risk-based approach gives manufacturers an opportunity to adjust their quality management processes, and the effort put into them, to the existing risks. Even if not every detail of this concept is a complete novelty, it is new in this constellation with ISO 13485. Therefore, it is mandatory for every medical device manufacturer to implement the risk-based approach.
So that you do not take any risks in doing so, we at seleon gmbh will give you our full support.
Please note that the data and listings make no claim to completeness, are provided without guarantee and serve for information purposes only.