Regulatory Open Forum

 View Only
  • 1.  Death by risk based approach

    Posted 08-Jan-2018 11:13

    In this post I explore examples and application provided in the Practical Guide for the implementation of a "risk-based approach." The guide contains a single, one-paragraph example outlining three steps:

    • SWOT - "Your organization decides to review your QMS to improve or verify compliance." Back in my day, we called this an internal audit. In fact, ISO 13485:2016 uses just such terminology to define the purpose of an internal audit. How is the intent of the risk-based approach example process different from an internal audit?
    • HACCP - "The identification of an area of improvement in the QMS process then triggers use of a more detailed analysis." So in the internal audit system, deficiencies and areas of improvement are identified in an audit report. Typically each item is investigated in an audit response that involves a root cause investigation. Sounds like a "more detailed analysis" to me.
    • Project Plan - "This detailed analysis is then used to provide the information necessary to create a strong project plan for improvement to address identified weaknesses." Again, most audit response systems I have seen involve a corrective and preventive action plan coupled with effectiveness evaluation. How is a corrective or preventive action plan different from a "strong project plan for improvement"?

    I fail to see why the Guide recommends creating a whole new, multi-layered risk-based analysis system when existing, long-standing systems within the QMS could be augmented with more risk-based concepts. The last thing small manufacturers need is to reinvent the wheel when existing systems can be utilized to fulfill the intent of the new risk-based approach requirement.

     My last point of contention with the example is the number of layers and tools needed to conduct a comprehensive analysis of the QMS. Lets do the math.

     Conservatively estimate:

    1 SWOT x 5 major subsystems = at least 5 SWOT

    5 SWOTS x identified 2 areas for improvement per system = 10 HACCP's

    10 HACCP's x identified 3 areas in need of a project plan = 30 project plans

    That's a minimum of 45 new documents, processes, and project plans for your company to effectively manage on top of the existing QMS processes.

    Needless to say, that this resource-intense example isn't practical to small and mid sized manufacturers. The Practical Guide leaves this portion of industry without actionable guidance. Further the guidance is silent on what modeling a risk of not meeting a regulatory requirement would look like in this process.

     

    https://wp.me/p6wmF6-eG



    ------------------------------
    Michelle Lott RAC
    Principal & Founder
    Lean RAQA Systems, LLC
    michelle@leanraqasystems.com
    (520)275-9838
    ------------------------------


  • 2.  RE: Death by risk based approach

    Posted 09-Jan-2018 09:34
    ​I really appreciate your comments and your interpretation of the example in the Practical Guide.  When I read it, it got my mind running in a different direction.  I actually felt like it validated an approach I been using (at small to mid size companies) since the late 90's.

    When I first join an organization, I complete an assessment through procedural/process review, interview, record review, on the QMS vs. the regulatory standards.  I then take my "findings" and rate them based in 3 ways - risk to compliance, risk to business, and risk to human resource.  What I end up with is the "quality plan" for the next few years based on risk. I have shown this (redacted strategically, if needed) to auditors/inspectors, and the resulting formal quality plan many times with great success.

    Could this be considered a Gap Analysis, or an internal audit?  Yes - but then I am usually more constricted in the documentation of what I have done and the format of the output, and the actual report also becomes a formal part of my quality system, as opposed to just the cleaned up/sanitized quality plan. 

    In addition, in my experience, the format matters....to the rest of my executive team.  If I tell them - I have done an internal audit - they hear white noise. If I tell them, I completed a SWOT, or an assessment of our systems - they at least listen for a few minutes - and then when I am able to show them that I assessed risk to business and resources (and then throw in the compliance stuff...) they begin to understand the power of the QMS structure and why investing in its health is a business priority - not just a compliance necessity.

    So while I agree in principle with your perspective, there could be some value in approaching the risk based QMS assessment in a different kind of package vs. an internal audit.  Now - is that what the author's of the practical guide were thinking??  Hmmm...  I can only hope.

    ------------------------------
    Jackie Torfin
    Global Director RA/QA
    Maple Grove MN
    United States
    ------------------------------



  • 3.  RE: Death by risk based approach

    Posted 11-Jan-2018 13:32
    Michelle,

    You've done a great job of quantifying my exact concerns about this "not so practical" guide recommendations. I like to think that to some extent, we've always used a risk based approach - to CAPA escalation, product improvement selection, supplier requirements etc etc. However, this idea that you always have to not only be assessing improvement opportunities based on compliance or business priority, but documenting it all in a manner that goes beyond internal audit and preventive actions seems to me to be just creating an excessive paperwork burden.

    I see Jackie's reference to Quality Plan methods in a response, and I too have done that, but typically when these rose to a compelling business need in "fix it" type situations, or when the interactions between preventive actions was so complex we needed a better way to manage it. I am opposed to "improving for improving sake" when it might not be the right priority in a small company - for instance, why are Quality executives not able to decide it is more important to fix or improve a product rather than use their people to "improve" the QS? And particularly to spend time creating a bunch of additional documentation to show how these opportunities were assessed in a risk based manner? Crazy.

    I know they were probably trying to solve the problem of companies that don't continue to evolve their QS as internal and external drivers change and would be better served by better processes, but the QS exists to serve the business (by means of product quality, service quality and safety etc), not as an end in itself. Too many of these recent standards seem to be trying to make the QS run the business, rather than the other way around.

    In companies that have large and dedicated quality departments this is probably managable, but in really small companies it just adds needless complexity and more opportunities for technical non-conformities.

    g-

    ------------------------------
    Ginger Glaser RAC
    Chief Technology Officer
    MN
    ------------------------------