A lot of authorities and regulations talk about a risk-based approach. However, they do not define the term or give any examples.
This article will give you an overview of what a “risk-based approach” is and provide you with concrete advice on how companies can meet these regulatory requirements.
ISO 14971 defines the term “risk” as “the combination of the probability of occurrence of harm and the severity of that harm”. The standard defines harm primarily as physical injury and damage to health, but it also includes harm to goods and the environment.
In contrast, in addition to physical harm for patients, users and third parties, the risk-based approach also includes the harm and consequences resulting from regulatory non-compliance such as:
The risk-based approach is about companies adapting their quality management activities to the level of risk. This helps achieve the following objectives:
Fig. 1: Risk-based approach: focusing on high-risk aspects and adapting activities to them
Examples of the risk-based approach are:
The risk-based approach can be defined as follows:
“A quality management approach that adapts activities to the size of a risk to minimize risks.”
Source: Johner Institute
The most comprehensive requirements for the risk-based approach are set out in ISO 13485:2016. This approach must be reflected in the quality management system:
In some places, the standard uses the term “risk-based”, and in others it uses “appropriate”.
In section 4.1, ISO 13485:2016 requires risk-based control of all processes and not just a “risk-based approach” to the processes named in the other sections.
What the standard does not require
ISO 13485:2016 does not specify how or where the manufacturer must demonstrate its implementation of the risk-based approach. In particular, there is no requirement to discuss it in any particular document. Corresponding requirements from notified bodies lack a legal basis.
The Johner Institute recommends describing the risks and the risk-based approach in, for example, the quality management manual. More on that later.
The MDR does indeed mention the concept of a risk-based approach. However, it does not establish specific requirements for manufacturers.
c) USA / FDA
The FDA also bases the selection, intensity and frequency of company inspections on a “risk-based approach”. Companies are more likely to be inspected if:
The risk-based approach enables the FDA to be as effective as possible with limited resources.
Risk-based efforts in the guidance documents
The FDA demands a “risk-based approach” in a lot of guidance documents. As with ISO 13485, this approach should be applied to QM processes such as the validation of processes and products:
ISO 9001 has referred to the principle of a risk-based approach since the 2015 version. It states:
"Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services."
Source: ISO 9001:2015 section 6.1
List, for example in your QM manual, all relevant processes and identify the associated risks. You can do this in a table (see Table 1).
You should consider both regulatory risks and risks as defined by ISO 14971 (regarding physical integrity in particular).
In an additional column, add the actions you will perform to control the risks. ISO 9001:2015 includes the following as possible types of action:
This table might look, for example, like this:
| Process and work instructions | Risks | Actions |
|---|---|---|
| Document control process instruction, control of records process instruction | Regulatory risks: documents are not controlled | Both process instructions require the use of a DMS; release process for new documents |
| Training and further education process instruction, performance review work instruction | Regulatory risks: training does not take place, is not documented, absence of performance review | Process instruction requires performance review and regular review of implementation |
| Development process instruction, purchasing process instruction, goods receipt work instruction, production process instruction | Development: defective products. Purchasing: products that do not conform due to components that do not meet the specifications | Development process instruction: design reviews verify compliance with the process. Supplier process instruction requires qualification of suppliers; work instruction requires inspection of incoming goods |

Table 1: Assignment of tasks to QM specifications
In the third step, manufacturers define risk classes, e.g.:
| Risk class | Risks according to ISO 14971 | Regulatory risks |
|---|---|---|
| A | No noteworthy physical harm | Major non-conformity in audit |
| B | Product defect that could result in physical injury or disability | Withdrawal or suspension of certificate, court case |
| C | Product defect that could lead to irreversible harm or death | |

Table 2: Definition of risk classes
Note: Strictly speaking, the two right-hand columns do not describe risks, but instead describe the severity of harm with unclear probability. The probability should be understood as “reasonably foreseeable”.
Now it is necessary to adjust the scope of the actions (right column in Table 1) to the risk (risk class). This is the risk-based approach.
The time and effort spent on the design review can be adapted to the risk classes. For example, this time and effort can be adjusted through:
| Risk class | Time of design review | Checklists | Participants |
|---|---|---|---|
| A | When releasing the system specification and at the same time as the design transfer | | Development and project manager, QM manager, production manager |
| B | As for A; additionally when releasing the system architecture and before system tests | Checklists A + B | As for A |
| C | At the end of every sprint (4-6 weeks) | Checklists A + B and C | As for A; additionally the “product owner” |

Table 3: Example of a risk-based approach to design review
Example 2: Qualification of suppliers
The “risk-based approach” must also be used for the selection, evaluation and monitoring of suppliers according to ISO 13485:2016.
Table 4: Example of a risk-based approach to supplier qualification
Example 3: Validation of computer software
For computer software validations, manufacturers can make use of several dimensions to adapt the time and effort to the risks:
Example 4: Incoming goods
In the case of goods receipt, aspects that can be adapted for a “risk-based approach” include:
Example 5: Software development
Manufacturers are free to consider the risk of the respective software even more granularly in the development plan. Possible adjustments include:
The risk-based approach gives manufacturers the opportunity to adapt the time and effort they spend on quality management to the risks. This enables them to concentrate their efforts on the relevant aspects - i.e. high risks.
Manufacturers should make use of this option. At the same time, they should not equate the risk-based approach with risk management. The risk-based approach is a preventive action and is therefore, at best, one sub-area of risk management.
Manufacturers should not just take a risk-based approach to analytical quality assurance (e.g., audits, inspections, testing), they should also use it for constructive quality assurance (e.g., development, maintenance) and all post-market activities.