During the next three years I guarantee that every single medical device manufacturer will eventually become sick and tired of hearing the phrase “risk-based approach.” I’ve been there for about 5 years, but there are a few new updates to the standards and regulatory requirements that are worth mentioning:

– The European national version of ISO 14971 (i.e., EN ISO 14971:2012) is causing many manufacturers to respond to Notified Body audit findings to address the 7 deviations identified in Annexes ZA, ZB and ZC..

– ISO 9001 is being revised to emphasize a risk-based approach (i.e., ISO 9001:2015).

– ISO 13485 is being revised to emphasize a risk-based approach (i.e., ISO 13485:2016).

For medical device manufacturers, have there been any significant changes to the regulations?

No.

No changes to the MDD, AIMD or the IVDD. Revisions are being negotiated between the EU Parliament and the Council, but the earliest possible draft would be April 2016. Implementation would be fall of 2016 with a 3-year transition period–at the earliest.

Minor change to Canadian MDR in July 2015, but not affecting the application of risk management.

No change by the FDA to 21 CFR 820.

So what’s the big deal?

Definitions, how many times the word “risk” appears in the Standards and the emphasis upon risk management by quality system auditors.

First, ISO 9001 has a new proposed definition for risk. Unfortunately, the definition is not even close to the ISO 14971 definition. This is one of many reasons I think ISO 9001 certification will be practical for most medical device companies in the future. In addition, ISO 9001:2008 used the word “risk” only 3 times while the proposed draft of ISO 9001:2015 includes 43 instances of the word “risk.”

Second ISO 13485 continues to reference ISO 14971, and the definition of risk has not changed, but the usage of the word “risk” has increased from 4 to 47 times in the latest draft of the Standard.

By way of comparison, 21 CFR 820 only uses the word “risk” once.
I have been recommending a guidance document from the Canadian Standards Association since 2010 that emphasizes a risk-based approach to quality system management. The document is “13485 Plus.” It uses the word “risk” 60 times. More is better right?

If you want to apply a risk-based approach you have to do two things. First, you need to be able to estimate the severity of quality issues. Second, you need to be able to estimate the probability of occurrence for those quality issues. If you are going to take a risk-based approach to quality system management, you need to monitor and measure the actual frequency of occurrence for those quality issues and verify that the severity of the problems is really as terrible as you thought it would be–and not worse. Then you need to implement risk controls to reduce those risks. Therefore, I anticipate most companies will beef up their monitoring and measuring of quality system processes (Clause 8.2.3), analyze more data (Clause 8.4), apply statistical techniques (21 CFR 820.250) and implement corrective actions in a timely manner (Clause 8.5.2/8.5.3 and 21 CFR 820.100). None of this is really new, but auditors will beat this drum really hard for the next three years.

Next Tuesday, September 29, Joe Hage will be hosting a free live webinar with Green Light Guru on the topic of “Risk Management for Medical Devices: An Overview of ISO 14971 & How To Apply a ‘Risk Based Approach’ to Your QMS Processes to Address the Upcoming ISO 13485 Changes.” In order to register for the webinar, please click on the following link to register for the presentation: http://medgroup.biz/ISO-13485-webinar.

If you are interested in reading more about the application of risk management to medical device manufacturing, you might try reading some of my 13 blogs on the topic: http://medicaldeviceacademy.com/category/risk-management/.

source: https://www.linkedin.com/groups/2070960/2070960-6052448567082176516