Death by Risk-Based Approach, really just an internal audit?: Practical Guide

Joe Hage

🔥 Find me at MedicalDevicesGroup.net 🔥

January 2018

2 min reading time

The example provided in the Practical Guide for the implementation of a “risk-based approach” contains a single, one-paragraph example outlines three steps:
• SWOT “review your QMS to improve or verify compliance.” Back in my day, we called this an internal audit. How is the intent this example different from an internal audit?
• HACCP “an area of improvement in the QMS process then triggers use of a more detailed analysis.” So in the internal audit system, deficiencies and areas of improvement are identified in an audit report. Typically, each item is investigated in an audit response that involves a root cause investigation. Sounds like a “more detailed analysis” to me.
• Project Plan “create a strong project plan for improvement to address identified weaknesses.”Again, most audit response systems I have seen involve a corrective and preventive action plan coupled with effectiveness evaluation. How is a corrective or preventive action plan different from a “strong project plan for improvement”?
I fail to see why the Guide recommends creating a multi-layered risk-based analysis system when existing, long-standing systems within the QMS could be augmented with more risk-based concepts. The last thing small manufacturers need is to reinvent the wheel when existing systems can be utilized to fulfill the intent of the new risk-based approach requirement.
My last point of contention with the example is the number of layers and tools needed to conduct a comprehensive analysis of the QMS. Lets estimate the math.
• 1 SWOT x 5 major subsystems = at least 5 SWOT
• 5 SWOTS x identified 2 areas for improvement per system = 10 HACCP’s
• 10 HACCP’s x identified 3 areas in need of a project plan = 30 project plans
That’s a minimum of 45 new documents to effectively manage. This resource-intense example isn’t practical to small and mid sized manufacturers. And what does modeling a risk of not meeting a regulatory requirement look like? https://wp.me/p6wmF6-eG

Death by Risk-based Approach: The Practical Guide to the ISO 13485:2016 Practical Guide Part 3

This is the third post in the series “The Practical Guide to the ISO 13485:2016 Practical Guide”. (See the first installment and second installment.) This post explores examples and applicat…

source: https://www.linkedin.com/groups/78665/78665-6356179647553642496

Marked as spam

Posted by Joe Hage

Asked on January 8, 2018 12:00 am

182 views

	Private answer Eckhard Jokisch Michelle Lott , RAC thanks a lot for your extensive work on questioning the Practical Guide. To be very clear from the start: The practical guide is crap. Anybody can learn more in any of the free webinars (for example by greenlight.guru about 13485:2016 than in this "book". If you buy it you waste money and even worse you waste time reading it. The calculation above (1SWOTx 5 subsystems .......) contains an important flaw. The resulting assumption of at least 45 documents is not true. There is no need to have it all in documents. That's an old school way of thinking. You may have 45 sets of information but those may be managed very efficiently if formalized and structured in a database. The transition from "paper/document" to information driven management has been exercised in the automotive industry already one decade ago and it's now time to see that transition in Medical Devices industry as well. Marked as spam Report spam
	Private answer Naveen Agarwal, Ph.D. I tend to agree that there is little use in creating more systems. Instead, there is a need to focus on getting better at actually doing risk management. The "system" can outline requirements and procedures, but the actual practice of risk management needs an overhaul and a new approach. That will take developing a real expertise in understanding severity and frequency by leveraging data analytics. Also needed is skilled facilitation to make sure there is a common understanding of risk from a cross-functional view. Marked as spam Report spam
	Private answer Michelle Lott , RAC your analysis is so true - there is far too much intervention by analysts that are not involved in the reality and when a small situation can be resolved easily - so it should be, not turned into a complex equation. Marked as spam Report spam
	Private answer Joanne Daniels Marked as spam Report spam
	Private answer Julie Omohundro I haven't read either ISO 13485:2016 or the Practical Guide to it, and may never, since I'm in Regulatory, not Quality. But I don't need to read either one to know that a "practical guide" to a "risk-based" approach to anything can be provided in a single sentence: “If you have limited resources, allocate more resources where risk is higher, less resources where risk is lower." Done and done. Organizations and individuals have been taking a risk-based approach to many things since forever. Anyone who understands why FDA provides more rigorous oversight of Class III devices than Class II, and of Class II than Class I, already understands all they need to understand about a "risk-based" approach to apply it to QMS. How you determine where risk is higher versus lower, and what you do with the resources you allocate, those are completely separate topics. Marked as spam Report spam

« Back to Previous Page

Death by Risk-based Approach: The Practical Guide to the ISO 13485:2016 Practical Guide Part 3

Meet your next client here. Join our medical devices group community.