Getting started with a QMS from scratch: risk-based approach for processes
When setting up a QMS, the standards refer to a "risk-based approach".
However, they fail to define what this exactly means.
According to paragraph 0.2 of EN ISO 13485:2016, "risk" refers to safety or performance requirements of the medical device as well as meeting regulatory requirements.
The idea behind this is that you not only take into account risks that might have a direct impact on the medical devices' safety or performance but also risks related to compliance such as certification issues, audit nonconformities, delayed market approvals or withdrawals.
In general, a QMS is based on Plan-Do-Check-Act, where you define the inputs of a process, the activities themselves and the expected output. A risk-based approach takes into account which factors could cause a deviation from these expected outputs and defines measures to prevent or minimize negative effects.
Which processes are relevant?
According to paragraph 4.1.2. of EN ISO 13485:2016, the risk-based approach should be applied to all appropriate processes needed for the QMS, not only to product realization (as it was the case in the previous version of the standard).
The main focus should be on those processes where failure can lead (even indirectly) to unsafe products or products that do not perform as intended. Secondly, as mentioned before, you should also focus on processes that ensure regulatory compliance.
There are some particular sections of the standard that do mention that risk considerations need to be addressed:
6.2: effectiveness of training
7.4.1: selection and monitoring of suppliers
7.4.3: verification of purchased products
4.1.6, 7.5.6, 7.6: validation (including validation of software)
Others do not mention directly risk considerations, but are linked to it:
5.6: interval for management review meetings
7.5.1 control of production and service
8.3: handling of nonconforming products
8.5.2, 8.5.3: corrective and preventive actions
Which method should you use?
This is not defined in the standard. There is not even a requirement to do a formal risk management. What the standard wants you to do is to adopt this risk-based approach within the processes.
That means you choose the method you want to implement. It can be Strenght Weaknesses Opportunities and Threats (SWOT) analyses, What if questions, but as well methods that you might already use for your product development such as FME(C)A, FTA, etc.
Which method you choose is up to you, but in the end, it should give you a framework to know:
how to address risks, linked to product safety and performance and regulatory compliance
how to improve process outputs and prevent unwanted outputs
how to improve the effectiveness of your QMS
how to maintain and manage risk assessment
The way you handle the risk-based approach can be described in your quality manual or in dedicated procedures/processes.
You identified your risks, what's next?
You have to plan how to address them. Actions that have been determined based on the identified risks need to be incorporated in the processes and their effectiveness needs to be evaluated.
This can be really anything from adapting your processes to implementing additional checks, providing sufficient explanation, creating work instructions, clearly describing roles and responsibilities, identifying training needs, etc.
Adopting a risk-based approach means that you focus on preventive action, so it's a good idea to treat them accordingly, meaning identifying the actions, implementing them and checking their effectiveness.
How does MatrixQMS approach process-related risks?
MatrixQMS gives the possibility to document risks for each individual process and to document your risk control measures. As traceability is key in our software, we link the processes with the risks and their risk control measures.