The ISO 13485:2016 standard for medical devices requires that a“risk-based approach” be used in the control of appropriate process needed for the Quality Management System (QMS). This informative blog written by Senior Quality Engineer, Theresa Ramirez will clarify what a risk-based approach is, where it can be applied throughout a QMS, and provide sample models and best practice tables for implementing a risk-based approach.
WHAT IS RISK?
Per ISO 13485, Risk is a combination of the probability of occurrence of harm and the severity of harm; it pertains to the safety or performance requirements of the medical device or the ability to meet applicable regulatory requirements.
Applying a risk-based approach to quality management system processes simply means that quality management activities are prioritized and implemented proportionate to the level of risk.
In addition to maintaining compliance with ISO 13485, applying a risk-based approach can provide several key benefits to an organization when effectively implemented.
Key benefits to applying a risk-based approach are:
- Avoiding unnecessary activities (e.g. opening a CAPA for low-risk nonconformances, auditing low-risk, well controlled and mature processes too frequently, etc.)
- Focusing resources on critical problems and opportunities
- Increasing safety and regulatory conformity
MANAGING RISK IN A QUALITY MANAGEMENT SYSTEM
ISO 13845:2016 specifically identifies the following areas where a risk-based approach is required:
- Controls of outsourced processes (clause 4.1.5)
- Validation of the application of computer software used in the QMS (clause 4.1.6)
- Evaluation of the effectiveness of training (clause 6.2)
- Risk management as part of Product Realization (clauses 7.1 – 7.3)
- Evaluation and selection of suppliers and non-fulfillment of purchasing requirements (clause 7.4.1)
- Verification of purchased product (7.4.3)
- Validation of the application of computer software used in production and service provision, and in the monitoring and measurement of requirements (clauses 7.5.6 and 7.6, respectively)
The list above is by no means intended to be a complete list on the application of a risk-based approach to QMS processes. The intent of the standard is that an organization make every attempt to apply a risk-based approach across all QMS processes, not just those explicitly defined above.
The best way to do this is to evaluate each process defined within your QMS and identify the associated risks. Classify the risk based upon severity and occurrence and adjust the scope of the mitigating actions to be proportionate to the level of risk associated.
The following are a few areas where a risk-based approach is commonly applied in Quality Management processes for medical devices:
- Product Realization (design and development) – A risk-based approach is applied to the product realization process by means of the Risk Management Plan. A Risk Management Plan is developed for a medical device in order to define and carry-out risk management activities related to product realization. These activities include: performing a risk analysis to define the potential risks of a product, mitigating those risks, evaluating the acceptability of those risks, verifying the effectiveness of the mitigations, and ensuring the outputs of the risk management become inputs to the product requirements.
- CAPA (Corrective And Preventive Action) Process – A risk-based approach is used in determining when a corrective and/or preventive action should be initiated.
- Sample Size Determination – A risk-based approach is used in determining a statistical sample size for design verification testing by assigning confidence and reliability levels based upon the severity of the harm produced by the potential failure mode of the product under test.
- Qualification of Suppliers – A risk-based approach is used in establishing criteria for the evaluation, selection, and monitoring of suppliers.
IMPLEMENTING A RISK-BASED APPROACH – MODELS AND BEST PRACTICES
Probability of Occurrence, Severity, and Risk tables should be defined appropriately to address the particular type of risk that is to be evaluated, whether it is product, quality system, or business-related risk. The six sample tables listed below will be described in detail on the following pages, demonstrating how one can apply a risk-based approach to the Product Realization process, CAPA process, Sample Size Determination, and Qualification of Suppliers.
- Table 1: Harm Severity – Risk severity applied to product, business and the QMS
- Table 2: Probability of Occurrence of Harm – Probability of occurrence defined for issues that can be applied to the product, business, and the QMS
- Table 3: Product Risk Level – Risk applied to a Medical Device product
- Table 4: CAPA Risk Level – Risk applied to the Corrective And Preventive Action Process
- Table 5: Attribute Sample Size for a given Confidence and Reliability – Risk applied to sample size determination for design verification
- Table 6: Supplier Risk, Requirements, and Controls – Risk applied to the Supplier Management process.
In order to estimate risk, a qualitative or quantitative system is used to rank the severity of harm and the probability of occurrence of that harm.
Table 1 below is an example of ranking severity of harms applied to a patient/user, business, or quality system. When creating a Harm Severity table, it is important that the description of the harms, and number of associated classifications be customized to apply to the specific product(s) or process(es) for which risk is being evaluated.
Table 1: Harm Severity
Table 2 below is an example of ranking probability of occurrence of harm applied to a patient/user, business, or quality system. When creating a Probability of Occurrence of Harm table, it is important that the definition of occurrence, and number of associated classifications be customized to apply to the specific product(s) or process(es) for which risk is being evaluated.
Table 2: Probability of Occurrence of Harm
A Risk Level table combines the probability of occurrence of harm with the severity of harm to estimate the level of risk. When creating a Risk Level table, it is important that the description and number of risk levels, and actions required are customized to apply to the particular product(s) or process(es) for which risk is being evaluated.
Table 3 below provides an example of a risk levels applied to a medical device product; while Table 4 below is an example of risk levels applied to the CAPA process.
Table 3: Product Risk Level
- R3 (red) = Unacceptable risk; further action required to eliminate or continue to lower the risk as far as possible to the lowest level.
- R2 (yellow) = Unacceptable risk; further action required to eliminate or continue to lower the risk as far as possible to the lowest level. For residual risk that remain in this region, a Risk Benefit Analysis, in the absence of economic consideration, must be conducted for each risk to show the benefits outweigh the risk.
- R1 (green) = Acceptable risk; no further action is required.
Table 4: CAPA Risk Level
- RED = Risk is High (H): a CAPA is required
- YELLOW = Risk is Medium (M): a CAPA is required, unless justification is provided
- GREEN = Risk is Low (L): No CAPA is required; but can be initiated at the discretion of the CAPA Review Board or Management Review with rationale
A risk-based approach is often used when determining a statistical sample size for design verification testing. This approach links Confidence and Reliability to the Severity of the harm associated with the potential failure of the product being tested. Typically, the confidence level is kept constant at 95% and only the reliability level is adjusted based on the severity of harm. The more severe the potential failure mode, the higher the reliability required for product acceptance. The sample size needed for testing increases as the reliability level increases.
For tests that produce attribute data (pass/fail), the minimum sample size can be determined using the Binomial distribution. For Attribute Data, with zero failures, the minimum sample size can be estimated by the simplified formula below:
N = ln (1 – C) ÷ ln (R)
ln (x) = log e (x) – natural logarithm of x
N = sample size
C = Confidence (%) – percent probability of the reliability level being correct
R = Reliability (%) – percent acceptable
Note: when using this formula, make sure to express C and R in decimals. See Table 5 below for sample sizes with zero failures for a given confidence and reliability.
Example 1: Severity of Harm is Serious, C = 95% and R = 95%
N = ln (1 − 0.95) ÷ ln (0.95)
N = ln (0.05) ÷ ln (0.95) = 59 (rounding up)
Example 2: Severity of Harm is Negligible, C = 95% and R = 80%
N = ln (1 − 0.95) ÷ ln (0.80)
N = ln (0.05) ÷ ln (0.80) = 14 (rounding up)
Table 5: Attribute Sample Size for a given Confidence and Reliability (with zero failures allowed)
The Supplier Risk Classification table allows a company to apply risk to suppliers. This allows a different level of rigor in qualifying suppliers depending on the risk level associated with a supplier type. This prevents an inefficient one-size-fits-all approach to qualifying suppliers.
Table 6: Supplier Risk Classification, Requirements, and Controls
In summary, applying a risk-based approach throughout a Quality Management System provides many benefits. It provides the opportunity to adapt the time and effort spent on quality management based upon the level of risk associated and allows an organization to concentrate their efforts on the most relevant areas (e.g. highest risk to clients and business).
- Juran’s Quality Handbook, Fifth Edition, Juran, J.M. & Godfrey, B.A, Singapore: McGRAW-HILL, 2017
- Statistical Procedures for the Medical Device Industry, Wayne A. Taylor, Taylor Enterprises, Incorporated (2017)
- ISO 13485: 2016
- ISO 14971: 2012