This is a great discussion with many good points. In gaining a further understanding of ISO 14971, I find there are many who have not read the Rationale, Annex A in ISO 14971:2019. This section discusses the reasoning behind each of the requirements, which Lee identifies as one reason for these overly complex risk management systems that are forced on companies without understanding the requirements.
Dan identifies that ISO 13485 does not have a normative requirement for ISO 14971. It was a big discussion between the two standards committees back when the 2003 edition of ISO 13485 was under development. BUT, 13485 does require that the outputs of risk management are a design input in 7.3.3 (c) and does identify the definitions of "risk" (3.17) and "risk management" (3.18) as being from ISO 14971. There is also a reference to ISO 14971:2007 in the Bibliography (which no one reads). Risk is used as a term more than 20 times in the standard (I counted once but forgot the exact number). So in reality the two standards are linked. And in ISO 14971:2019 Clause 1 Scope it states that "Risk management can be an integral part of a quality management system".
In another discussion, Ginger thought that the standard is too complicated for small companies and startups to implement. My thoughts are that these companies are not adopting something appropriate for the size of company and the particular product. As Lee is mentioning, there is not a "one size fits all" and way too many consultants and auditors are trying to apply a "one size fits all" solution which is not appropriate and comes from a lack of deep understanding of risk management and ISO 14971. It is also a sign of incorrect implementation when you find the use of only FMEA (or FMECA) as the risk analysis.
As a member, since 2000, of the standards committee that wrote ISO 14971, we have been trying to provide the information to properly implement the standard in the guidance document ISO TR 24971:2020, now 100 pages of help for those implementing risk management in their companies. Unfortunately we have been frustrated that it was not released in parallel with ISO 14971:2019. This was due to several small communications problems that compounded and led to a 12-week revote of the EN version that, according to the rules linking the two, delays the ISO version.
Any company using a consultant or other expertise, including internal, should determine that they are qualified to provide the recommendations on risk management. For consultants this is part of supplier evaluation and selection under ISO 13485:2016 Clause 7.4.1 Purchasing process. For internal personnel, the requirements under 6.1 Resources and 6.2 Human Resources apply.
------------------------------
Edwin Bills MEd, CQA, RAC, BSc, CQE, ASQ
Principal Consultant
Overland Park KS
United States
elb@edwinbillsconsultant.com
------------------------------
Original Message:
Sent: 20-Apr-2020 08:12
From: Dan O'Leary
Subject: Risk Management - A call to action
Unlike the other standards I listed, ISO 13485:2016 does not have any version of 14971 as a normative reference.
One could have a fully compliant implementation of ISO 13485:2016 without even opening ISO 14971:2007 or ISO 14971:2019.
------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
Original Message:
Sent: 20-Apr-2020 07:41
From: Rem Siekmann
Subject: Risk Management - A call to action
Hi Dan,
Thank you for your typically thorough and structured mini-treatise. I will admit to not always being as inclusive as both you and the standard state so you've helped me with your call and attachments.
The reason why I'm commenting is that in your list of standards requiring risk management you left out ISO 13485:2016. Not that you needed to be completely inclusive but especially in this Forum I would have expected that one to be there. In the service of clarity and understanding, am I missing something?
------------------------------
Rem Siekmann BSE, MBA, ASQ CBA
Senior Principal Engineer
Bellaire MI
United States
Original Message:
Sent: 18-Apr-2020 18:22
From: Dan O'Leary
Subject: Risk Management - A call to action
The Forum, on occasion, includes issues related to risk management. Often these issues suggest a lack of understanding of risk management. I also see these problems in my consulting practice. Typically, companies don't follow the standard as written. Worse, they create unnecessary complexity.
In my opinion, the industry has the sense that "compliance requires complexity". I take the opposite view; simplicity is essential.
In risk management, I see a lot of problems, but they generally fall into two categories: failure to follow the standard and failure to recognize that the standard is the basis for other standards.
ISO 14971:2019 is a process standard. It is well written and describes a simple and straightforward process. The process steps follow in a logical order. Most implementations use an Excel workbook. The column headings should be the process steps in order. The rows are the individual instances; there could be many rows, but each row follows the process.
Before developing the Hazard Analysis, identify the device and its characteristics. Write the Risk Management Plan (or plans) that cover the life cycle of the device.
After completing the Hazard Analysis analyze the overall residual risk, review the process, and release the device to production.
After release to production, monitor the production and post-production information.
The major problems I see in this category are:
Failure to recognize that the Hazard Analysis is not an FMEA or FMECA. A hazard can lead to patient or user harm. The harm can occur in either a normal or a fault condition. In contrast, an FMECA is a reliability tool that analyzes single point failures in a failure mode. An FMECA misses half the Hazard Analysis issues (harm in a normal condition) and does not follow the standard.
Failure to identify the sequence of events. Often patient or user harm requires more than one thing to go wrong. This is the sequence of events and is a strong component of accident prevention and investigation. The key to sequence of events is the connection to risk reduction, which should address the sequence steps. In the best case, the risk reduction measure breaks the chain in the sequence.
Confusing risk reduction with mitigation. Risk reduction addresses the severity or probability of the patient or user harm. The methods apply before the harm. Mitigation applies after the harm occurs and reduces its impact on the patient or user. Risk reduction prevents the loss of a body function. Mitigation compensates for the loss should it happen.
Not linking the tools. For example, a risk reduction measure in the manufacturing process should be part of the PFMECA. If the PFMECA shows that a nonconforming product could escape, analyze the effect in the Hazard Analysis.
The second problem is applications of risk management.
There are some standards that require risk management because they deal with patient or user harm. Typically, these standards have a file to collect the associated documentation. These files could be either part of the ISO 14971:2019 Risk Management File or separate files linked to the Risk Management File and its contents.
In each case, implement ISO 14971:2019 as a basis for the specific application. There may be specific files or specific requirements beyond ISO 14971:2019. Determine the file structure, any specific changes to the basic flow, and any specific documents required for the application.
I've identified the following standards and other applications that require risk management.
EU-MDR
EU-IVDR
FDA's guidance documents on changes to a 510(k) device
IEC 60601-1 on medical electrical equipment
IEC 62366-1:2015 on usability engineering
ISO 62304 on software
FDA's guidance documents on pre-market and post-market cyber security
ISO 10993-1:2018 and associated family members on biocompatibility
ISO 22442-1:2015 and associated family members on the use of animal tissue
Call to action
When writing about risk management, follow the standard as written. In particular, do not suggest that an FMEA or FMECA satisfies the standard.
Understand the standard and advocate its use as written.
Eschew complexity!
------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
------------------------------
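The Hazard Analysis workbook described in Dan's original post (one column per process step in order, one row per hazardous situation) and the four problems he lists can be captured in a small table model with a checker over it. The following is an added example, not code from the thread or from any standard: the column names, the 1 to 5 ordinal severity and probability scales, the acceptance criterion and the three sample rows are all constructed assumptions for illustration, and the field names are hypothetical.

```python
"""Added example: a Hazard Analysis table laid out by ISO 14971 process step,
with checks for the common problems named in the forum post. All names,
scales and sample rows are constructed assumptions, not taken from the standard."""
from dataclasses import dataclass
from typing import Optional

# Column headings in process order (assumed names; one row per hazardous situation).
COLUMNS = [
    "hazard", "condition", "sequence_of_events", "hazardous_situation", "harm",
    "severity", "probability", "risk", "risk_control", "control_timing",
    "control_breaks_step", "residual_severity", "residual_probability", "residual_risk",
]


@dataclass
class Row:
    hazard: str
    condition: str                 # "normal" or "fault": harm can arise in either
    sequence_of_events: list       # the chain of events that must occur for harm
    hazardous_situation: str
    harm: str
    severity: int                  # 1..5, assumed ordinal scale from the risk management plan
    probability: int               # 1..5, assumed ordinal scale from the risk management plan
    risk_control: str
    control_timing: str            # "before_harm" = risk reduction, "after_harm" = mitigation
    control_breaks_step: Optional[int]  # index of the sequence step the control interrupts
    residual_severity: int
    residual_probability: int

    def risk(self) -> int:
        return self.severity * self.probability

    def residual_risk(self) -> int:
        return self.residual_severity * self.residual_probability

    def to_record(self) -> dict:
        """One workbook row, keyed in COLUMNS order."""
        values = {**self.__dict__, "risk": self.risk(), "residual_risk": self.residual_risk()}
        return {c: values[c] for c in COLUMNS}


def check_row(row: Row, acceptable_max: int) -> list:
    """Findings for a single row, mirroring the post's list of problems."""
    findings = []
    if not row.sequence_of_events:
        findings.append("no sequence of events recorded")
    elif row.control_breaks_step is None or not (0 <= row.control_breaks_step < len(row.sequence_of_events)):
        findings.append("risk control is not tied to a step in the sequence of events")
    # Mitigation acts after the harm; it must not be credited as lowering the risk estimate.
    if row.control_timing == "after_harm" and row.residual_risk() < row.risk():
        findings.append("mitigation (after harm) credited as risk reduction")
    if row.residual_risk() > acceptable_max:
        findings.append("residual risk exceeds acceptance criterion")
    return findings


def check_table(rows: list, acceptable_max: int) -> dict:
    """Row findings keyed by row index, plus a table-level finding when every row
    is a fault condition (the FMECA-only pattern that misses normal-condition harms)."""
    findings = {i: check_row(r, acceptable_max) for i, r in enumerate(rows)}
    findings = {k: v for k, v in findings.items() if v}
    if rows and all(r.condition == "fault" for r in rows):
        findings["_table"] = ["only fault conditions analysed (FMECA-style); normal-condition harms missing"]
    return findings


# Constructed sample rows (not from any real device file).
SAMPLE_ROWS = [
    Row("electrical energy", "normal", ["user touches applied part", "leakage current exceeds limit"],
        "current passes through user", "burn", 3, 3,
        "reinforced insulation on applied part", "before_harm", 1, 3, 1),
    Row("incorrect dose", "fault", [],
        "overdose delivered", "organ damage", 4, 3,
        "flow alarm", "before_harm", None, 4, 2),
    Row("sharp edge", "fault", ["housing cracks", "user handles device"],
        "user contacts exposed edge", "laceration", 2, 3,
        "first-aid instructions in the IFU", "after_harm", 1, 2, 1),
]

if __name__ == "__main__":
    for i, r in enumerate(SAMPLE_ROWS):
        print(i, r.to_record())
    print(check_table(SAMPLE_ROWS, acceptable_max=6))
```

Running it flags row 1 for a missing sequence of events and an unacceptable residual risk, and row 2 for crediting a post-harm measure as risk reduction, while a table made only of the two fault-condition rows also gets the table-level FMECA finding. The acceptance criterion passed to `check_table` stands in for the criteria a real Risk Management Plan would define.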