I really appreciate your comments and your interpretation of the example in the Practical Guide. When I read it, it got my mind running in a different direction. I actually felt like it validated an approach I been using (at small to mid size companies) since the late 90's.
When I first join an organization, I complete an assessment through procedural/process review, interview, record review, on the QMS vs. the regulatory standards. I then take my "findings" and rate them based in 3 ways - risk to compliance, risk to business, and risk to human resource. What I end up with is the "quality plan" for the next few years based on risk. I have shown this (redacted strategically, if needed) to auditors/inspectors, and the resulting formal quality plan many times with great success.
Could this be considered a Gap Analysis, or an internal audit? Yes - but then I am usually more constricted in the documentation of what I have done and the format of the output, and the actual report also becomes a formal part of my quality system, as opposed to just the cleaned up/sanitized quality plan.
In addition, in my experience, the format matters....to the rest of my executive team. If I tell them - I have done an internal audit - they hear white noise. If I tell them, I completed a SWOT, or an assessment of our systems - they at least listen for a few minutes - and then when I am able to show them that I assessed risk to business and resources (and then throw in the compliance stuff...) they begin to understand the power of the QMS structure and why investing in its health is a business priority - not just a compliance necessity.
So while I agree in principle with your perspective, there could be some value in approaching the risk based QMS assessment in a different kind of package vs. an internal audit. Now - is that what the author's of the practical guide were thinking?? Hmmm... I can only hope.
------------------------------
Jackie Torfin
Global Director RA/QA
Maple Grove MN
United States
------------------------------
Original Message:
Sent: 08-Jan-2018 11:12
From: Michelle Lott
Subject: Death by risk based approach
In this post I explore examples and application provided in the Practical Guide for the implementation of a "risk-based approach." The guide contains a single, one-paragraph example outlining three steps:
- SWOT - "Your organization decides to review your QMS to improve or verify compliance." Back in my day, we called this an internal audit. In fact, ISO 13485:2016 uses just such terminology to define the purpose of an internal audit. How is the intent of the risk-based approach example process different from an internal audit?
- HACCP - "The identification of an area of improvement in the QMS process then triggers use of a more detailed analysis." So in the internal audit system, deficiencies and areas of improvement are identified in an audit report. Typically each item is investigated in an audit response that involves a root cause investigation. Sounds like a "more detailed analysis" to me.
- Project Plan - "This detailed analysis is then used to provide the information necessary to create a strong project plan for improvement to address identified weaknesses." Again, most audit response systems I have seen involve a corrective and preventive action plan coupled with effectiveness evaluation. How is a corrective or preventive action plan different from a "strong project plan for improvement"?
I fail to see why the Guide recommends creating a whole new, multi-layered risk-based analysis system when existing, long-standing systems within the QMS could be augmented with more risk-based concepts. The last thing small manufacturers need is to reinvent the wheel when existing systems can be utilized to fulfill the intent of the new risk-based approach requirement.
My last point of contention with the example is the number of layers and tools needed to conduct a comprehensive analysis of the QMS. Lets do the math.
Conservatively estimate:
1 SWOT x 5 major subsystems = at least 5 SWOT
5 SWOTS x identified 2 areas for improvement per system = 10 HACCP's
10 HACCP's x identified 3 areas in need of a project plan = 30 project plans
That's a minimum of 45 new documents, processes, and project plans for your company to effectively manage on top of the existing QMS processes.
Needless to say, that this resource-intense example isn't practical to small and mid sized manufacturers. The Practical Guide leaves this portion of industry without actionable guidance. Further the guidance is silent on what modeling a risk of not meeting a regulatory requirement would look like in this process.
https://wp.me/p6wmF6-eG
------------------------------
Michelle Lott RAC
Principal & Founder
Lean RAQA Systems, LLC
michelle@leanraqasystems.com
(520)275-9838
------------------------------