Regulatory Open Forum

  • 1.  QMS Risk Assessment

    This message was posted by a user wishing to remain anonymous
    Posted 14-Jan-2020 09:03

    Does anyone have an acceptance criteria scale for QMS risk assessment that is used for MDSAP requirements?

    For example, in your NCR/CAPA process, how is QMS risk assessment defined?  What are the criteria?  High, Medium, Low.  How is this assessment conducted?


  • 2.  RE: QMS Risk Assessment

    Posted 15-Jan-2020 13:23
    MDSAP utilizes GHTF SG3 N19-Nonconformity Grading System for Regulatory Purposes, consisting of a two-step approach that leads to the calculation of a final grade for each nonconformity: Step 1 - A grading matrix that provides an initial grade and Step 2 - escalation rules to determine a final grade of 1 to 5.
     
    In Step 1, the matrix divides the clauses of ISO 13485:2016 into two categories:
    QMS clauses that have an indirect impact on the device's safety and performance (Clauses 4.1 through 6.3).
    QMS clauses that have a direct impact on the device's safety and performance (Clauses 6.4 through 8.5.3).
    A nonconformity would be graded a 1 or a 3, based on its potential to affect safety or performance, whereas a repeat nonconformity would be graded 2 or 4 if it had been previously identified.

    In Step 2, the Step 1 score may be increased by +1 for the absence of a documented process and by +1 for the release of a nonconforming product. 


    The final nonconformity grade will be between 1 and 6. However, grades of 6 will be listed as 5. A grade of 4 or above is determined to carry a high enough risk that intervention is required. 

    Hope it helps.




    ------------------------------
    Jo Huang RAC
    Sr. Regulatory Affairs Specialist
    Athens TX
    United States
    ------------------------------
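
The two-step grading described in the post above, written out as an added example; it is not part of the original post and is not taken from the GHTF or MDSAP documents. The function and parameter names are hypothetical, and the rules are only those the post states.

```python
# Added example: grading rules as described in the forum post above.
# All names here are hypothetical; clause ranges are the ones the post gives.

FIRST_CLAUSE = (4, 1)       # start of the "indirect impact" range
FIRST_DIRECT = (6, 4)       # start of the "direct impact" range
LAST_CLAUSE = (8, 5, 3)     # end of the "direct impact" range
INTERVENTION_THRESHOLD = 4  # grade at or above which intervention is required
MAX_LISTED_GRADE = 5        # a computed 6 is listed as 5


def parse_clause(clause):
    """Turn '8.5.2' into (8, 5, 2) so clauses compare in document order."""
    try:
        return tuple(int(part) for part in clause.strip().split("."))
    except ValueError:
        raise ValueError(f"not a clause number: {clause!r}") from None


def step1_grade(clause, repeat=False):
    """Step 1: 1 (indirect) or 3 (direct); a repeat finding makes it 2 or 4."""
    c = parse_clause(clause)
    if c < FIRST_CLAUSE or c > LAST_CLAUSE:
        raise ValueError(f"clause {clause} is outside 4.1 through 8.5.3")
    base = 1 if c < FIRST_DIRECT else 3
    return base + 1 if repeat else base


def final_grade(clause, repeat=False, no_documented_process=False,
                nonconforming_product_released=False):
    """Step 2: apply the two +1 escalations, cap at 5, flag grades >= 4."""
    raw = (step1_grade(clause, repeat)
           + int(no_documented_process)
           + int(nonconforming_product_released))
    grade = min(raw, MAX_LISTED_GRADE)
    return grade, grade >= INTERVENTION_THRESHOLD


if __name__ == "__main__":
    # Constructed sample findings: (clause, repeat, no process, product released)
    for finding in [("5.6", False, False, False),
                    ("7.5.1", True, False, False),
                    ("8.5.2", True, True, True)]:
        print(finding, "->", final_grade(*finding))
```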



  • 3.  RE: QMS Risk Assessment

    Posted 16-Jan-2020 07:55
    Hi Anon,

    Please be aware of a couple of things.

    1) There is NO REQUIREMENT for a formal risk assessment in your QMS processes.
    NOTE: The requirement for risk management (including acceptance criteria) is the one or more processes for risk management required in product realization.

    2) There is NO acceptable level for many QMS processes. The risk-based approach only looks for proportionate response (not no response). For example, in the corrective action section (8.5.2), "Corrective actions shall be proportionate to the effects of the nonconformities encountered." This means you don't use a risk assessment to justify no action, but you make your response proportionate to the risk level (low, medium or high).

    It seems many people out there are trying to implement risk management in QMS processes. This is NOT necessary. The risk-based approach (risk-based thinking) does not require any formal processes. While ISO 13485 does not state this clearly, the concept is closely linked to risk-based thinking outlined in ISO 9001. In section A.4 of ISO 9001, you find this statement, "Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process." This intent follows through the risk-based approach outlined in ISO 13485.

    Hope this helps. Good luck!


    ------------------------------
    Regards,
    Mark Swanson, ASQ CBA, CMQ/OE, CQE ASQ, MBA
    Becker MN
    United States
    ------------------------------



  • 4.  RE: QMS Risk Assessment

    Posted 16-Jan-2020 08:11

    There are no MDSAP requirements. MDSAP is a method to audit compliance with QMS requirements from ISO 13485:2016, the five MDSAP regulatory systems, and any other country requirements covered by the ISO 13485:2016, 4.1.1.

    ISO 13485:2016, 0.2 says, "When the term 'risk' is used, the application of the term within the scope of this International Standard pertains to safety or performance requirements of the medical device or meeting applicable regulatory requirements".

    QMS risk assessment means, in my opinion, risk pertaining to "meeting applicable regulatory requirements".

    My recommendation is to make it simple. Is there a chance that your QMS could fail to meet a regulatory requirement? This is a Yes/No question. Assess your QMS by listing all the countries where you market a device, all the roles in each country, and all the regulatory requirements for each role. Then following 4.1.2, develop processes to meet those requirements. Note that 4.1.2 requires a risk-based approach to control of the processes, but doesn't define or describe what this means.

    In 4.1.3, "determine criteria and methods needed to ensure that both the operation and control of these processes are effective". This is the key! If your processes are effective, then you will meet the regulatory requirements.

    Review your criteria and metrics over a suitable period (12 months) to determine if your processes meet the criteria. Pay particular attention to the 5.4.1 quality objectives and their associated metrics.

    The Yes/No question becomes, "In my historical view, has the QMS failed to meet a regulatory requirement?" If the answer is Yes, then you have a risk of another failure. Implement corrective action to eliminate the cause of nonconformance. If the answer is No, continue to monitor the process indicators.

    Include all of this in Management Review.



    ------------------------------
    Dan O'Leary CQA, CQE
    Swanzey NH
    United States
    ------------------------------