23 Mar 2021

Managing Risks related to ISO 13485

ISO 13485 sets the requirements for a quality management system for organizations in the medical device industry. While each country issues many mandatory regulatory requirements for medical devices, ISO 13485 remains a voluntary standard. The need for certification to the standard stems either from a customer requirement or from a need to demonstrate to customers that the organization uses a systematic, risk-based approach to managing quality and continual improvement.
The standard was most recently revised in 2016 and places greater emphasis on risk than the 2003 revision did. Risk-based thinking has been emphasized across all ISO requirement standards and is core to implementing a system that is proactive in nature. Risk in its new form encourages organizations to look beyond product safety risk alone. Organizations complying with ISO 13485 must now also consider organizational risk and the risk of not meeting compliance obligations. The full lifecycle of the product needs to be considered when assessing risks.
Risk, however, can be a subjective topic. To ensure that an organizational appetite for risk is established, leadership must define risk criteria that then serve as the basis for all risk assessments. Risk assessment for medical devices uses the same basis as elsewhere: likelihood of occurrence and severity are combined to calculate the overall risk. Organizations may consider a third factor, prescribed by FMEA, that takes into account the probability of detection, either before the risk occurs or as soon as it occurs, so that the consequence can be minimized.
ISO 13485 clause 4.1.2(b) requires: “The organization shall apply a risk-based approach to the control of appropriate processes needed for the quality management system.” ISO 14971 is another standard that provides guidelines on the risk management framework. In addition to the requirements prescribed by that standard, organizations need to account for performance and compliance risks. To address risks posed by software validation and verification, organizations may refer to Good Automated Manufacturing Practice (GAMP). Other risks to consider are those arising from outsourced processes and suppliers.
Competence of personnel, per clause 6.2 of ISO 13485, also poses a potential risk, and organizations must ensure they have the competent personnel needed for the work to be done. Human error owing to insufficiently competent personnel is a common cause of risk within an organization. Mistake-proofing identified risk areas is an effective way of addressing risks within the system. High risks should be addressed to reduce them to an acceptable level. Risks may at times be addressed by accepting them, avoiding them, or sharing them with another entity. Risks must be addressed using a planned approach and monitored for effectiveness. QMII’s ISO 13485 training provides students with the knowledge of how to identify, analyze, evaluate and address risks within the system.