A lot of authorities and regulations talk about a risk-based approach. However, they do not define the term or give any examples.
This article will give you an overview of what a “risk-based approach” is and provide you with concrete advice on how companies can meet these regulatory requirements.
ISO 14971 defines the term “risk” as "the combination of the probability of occurrence of harm and the severity of that harm". The standard defines harm primarily as physical injury and damage to health, but it also includes damage to property and the environment.
In contrast, in addition to physical harm for patients, users and third parties, the risk-based approach also includes the harm and consequences resulting from regulatory non-compliance such as:
The risk-based approach is about companies adapting their quality management activities to the level of risk. This helps achieve the following objectives:
“A quality management approach that adapts activities to the size of a risk to minimize risks.”
Source: Johner Institute
The most comprehensive requirements for the risk-based approach are set out in ISO 13485:2016. This approach must be reflected in the quality management system:
In some places, the standard uses the term “risk-based”, and in others it uses “appropriate”.
In section 4.1, ISO 13485:2016 requires risk-based control of all processes and not just a “risk-based approach” to the processes named in the other sections.
What the standard does not require
ISO 13485:2016 does not impose any requirements on how and where the manufacturer must demonstrate how it is implementing the risk-based approach. In particular, there is no requirement to discuss it in any particular document. The corresponding requirements from notified bodies lack a legal basis.
The Johner Institute recommends describing the risks and the risk-based approach in, for example, the quality management manual. More on that later.
b) MDR
The MDR does indeed mention the concept of a risk-based approach. However, it does not establish specific requirements for manufacturers.
c) USA / FDA
Inspections
The FDA also bases the selection, intensity and frequency of company inspections on a “risk-based approach”. Companies are more likely to be inspected if:
The risk-based approach enables the FDA to be as effective as possible with limited resources.
Risk-based efforts in the guidance documents
The FDA demands a “risk-based approach” in a lot of guidance documents. As with ISO 13485, this approach should be applied to QM processes such as the validation of processes and products:
ISO 9001 has referred to the principle of a risk-based approach since the 2015 version. It states:
"Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services."
Source: ISO 9001:2015 section 6.1
List, for example in your QM manual, all relevant processes and identify the associated risks. You can do this in a table (see Table 1).
You should consider both regulatory risks and risks as defined by ISO 14971 (regarding physical integrity in particular).
In an additional column, add the actions you will perform to control the risks. ISO 9001:2015 includes the following as possible types of action:
This table might look, for example, like this:
| Process (area) | Process and work instructions | Risks | Actions |
|---|---|---|---|
| Document control | Document control process instruction, control of records process instruction | Regulatory risks: documents are not controlled | Both process instructions require the use of a DMS. Release process for new documents |
| Human resources | Training and further education process instruction, performance review work instruction | Regulatory risks: training does not take place, is not documented, absence of performance review | Process instruction requires performance review and regular review of implementation |
| Product realization | Development process instruction, purchasing process instruction, goods receipt work instruction, production process instruction | Development: defective products | Development process instruction: design reviews verify compliance with the process |
| | | Purchasing: products that do not conform due to components that do not meet the specifications | Supplier process instruction requires qualification of suppliers, work instruction requires inspection of incoming goods |

Table 1: Assignment of tasks to QM specifications
In the third step, manufacturers define risk classes, e.g.:
| Risk class | Regulatory risks | Risks according to ISO 14971 |
|---|---|---|
| A: Minor | Minor non-conformity | No noteworthy physical harm |
| B: Medium | Major non-conformity in audit | Product defect that could result in physical injury or disability |
| C: Major | Withdrawal or suspension of certificate, court case | Product defect that could lead to irreversible harm or death |

Table 2: Definition of risk classes
Note: Strictly speaking, the two right-hand columns do not describe risks, but instead describe the severity of harm with unclear probability. The probability should be understood as 'reasonably foreseeable'.
Now it is necessary to adjust the scope of the actions (right column in Table 1) to the risk (risk class). This is the risk-based approach.
The time and effort spent on the design review can be adapted to the risk classes. For example, this time and effort can be adjusted through:
| Risk class | Frequency | Intensity | People involved |
|---|---|---|---|
| A: Minor | When releasing the system specification and at the same time as the design transfer | Checklist A | Development and project manager, QM manager, production manager |
| B: Medium | As for A. Additionally when releasing the system architecture and before system tests | Checklists A + B | As for A |
| C: Major | At the end of every sprint (4-6 weeks) | Checklists A + B and C | As for A. Additionally “product owner” |

Table 3: Example of a risk-based approach to design review
Example 2: Qualification of suppliers
The “risk-based approach” must also be used for the selection, evaluation and monitoring of suppliers according to ISO 13485:2016.
| Risk class | Certified QMS | QAA | Supplier audit | Self-declaration |
|---|---|---|---|---|
| A: Minor | | | | X |
| B: Medium | | X | X | X |
| C: Major | X | X | X | X |

Table 4: Example of a risk-based approach to supplier qualification
Example 3: Validation of computer software
For computer software validations, manufacturers can make use of several dimensions to adapt the time and effort to the risks:
Read more on the topics of software testing and computerized systems validation (CSV).
Example 4: Incoming goods
In the case of goods receipt, aspects that can be adapted for a “risk-based approach” include:
Example 5: Software development
IEC 62304 already implements the risk-based approach in the form of safety classes. Depending on these classes, manufacturers must perform and document activities such as a detailed design.
Manufacturers are free to consider the risk of the respective software even more granularly in the development plan. Possible adjustments include:
The risk-based approach gives manufacturers the opportunity to adapt the time and effort they spend on quality management to the risks. This enables them to concentrate their efforts on the relevant aspects - i.e. high risks.
Manufacturers should make use of this option. At the same time, they should not equate the risk-based approach with risk management. The risk-based approach is a preventive action and is, therefore, at best one sub-area of risk management.
Manufacturers should not just take a risk-based approach to analytical quality assurance (e.g., audits, inspections, testing), they should also use it for constructive quality assurance (e.g., development, maintenance) and all post-market activities.