GxP Lifeline

Death by Risk-Based Approach: The Practical Guide to the ISO 13485:2016 Practical Guide, Part 3


This is the third post in the series, “The Practical Guide to the ISO 13485:2016 Practical Guide” (read the first installment and second installment). This post explores examples and applications provided within the Practical Guide for the implementation of a “risk-based approach,” along with color commentary from yours truly. 

In the last installment, we left off at, “The Practical Guide has told us where the risk-based approach applies (everywhere), but we’re all still wondering what it actually is. The Practical Guide mirrors 13485:2016 in that it begins to discuss the risk-based approach as if the concept has already been defined and well understood by industry (it’s not).”

So what does the Practical Guide give us that is concrete? While more helpful than the standard itself, the Guide only references risk-based approach methods rather than defining the approach. Some of these methods will be familiar to you: FMEA/FMECA, HACCP, FTA, ‘5 Whys’, SWOT, Porter’s 5 forces, ‘what if’ questioning and brainstorming. The Practical Guide gives a single example of applying a risk-based approach to QMS processes. The one-paragraph example suggests starting with a strengths, weaknesses, opportunities and threats (SWOT) analysis for each QMS process. The SWOT becomes an input to a hazard analysis and critical control points (HACCP) analysis, which is then used as an input to a project improvement plan intended to address QMS weaknesses.

I have a few bones to pick with this example. Let’s walk through the steps the Practical Guide lays out for implementing its risk-based approach. (All examples are from page 36.)

  • “Your organization decides to review your QMS to improve or verify compliance.”

Back in my day, we called this an internal audit. In fact, in ISO 13485:2016, the very purpose of an internal audit by definition is: “to determine whether the quality management system:

  • a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements;
  • b) is effectively implemented and maintained.”

How is the intent of the risk-based approach example process different from an internal audit?

  • “The identification of an area of improvement in the QMS process then triggers use of a more detailed analysis.”

So, in the internal audit system, deficiencies and areas of improvement are identified in an audit report. Typically, each item is investigated in an audit response that involves a root cause investigation. Sounds like a “more detailed analysis” to me.

  • “This detailed analysis is then used to provide the information necessary to create a strong project plan for improvement to address identified weaknesses.”

Again, most audit response systems I have seen involve not only root cause analysis but corrective and preventive action plans coupled with effectiveness evaluations. How is a corrective or preventive action plan different from a “strong project plan for improvement”? 

I fail to see why the Guide recommends creating a whole new, multi-layered risk-based analysis system when existing, long-standing systems within the QMS could be augmented with more risk-based concepts. The last thing small manufacturers need is to reinvent the wheel to meet a new expectation when existing systems can be made to fulfill the intent of the new risk-based approach requirement.

My last point of contention with the example is the number of layers and tools needed to conduct a comprehensive analysis of the quality management system. Let's do the math. (All examples are from page 36.)

  • “As a start, you apply a strengths, weaknesses, opportunities and threats (SWOT) analysis to each QMS process identifying areas of needed improvement.” (italics added)

By my count, there are five main overarching processes defined in the standard, not counting the subsystems under each main process. Let’s just stick with these five for purposes of this example. At this point your company conducts five SWOTs.

  • “The identification of an area of improvement in the QMS process then triggers use of a more detailed analysis such as a hazard, analysis and critical control points (HACCP) approach.”

Let’s conservatively assume that each SWOT identified two areas of improvement. Now your company conducts 10 HACCPs.

  • “This detailed analysis is then used to provide the information necessary to create a strong project plan for improvement to address identified weaknesses.”

Let’s assume each HACCP identified three areas of weakness needing project plans. So now you have five SWOTs, 10 HACCPs and 30 project plans. That’s a minimum of 45 new documents, processes and project plans for your company to effectively manage on top of the existing QMS processes. And we all know that a single SWOT on the very large subsystems, like product realization, is impractical. 

Needless to say, this resource-intense example isn’t practical to small- and mid-sized manufacturers and the Practical Guide leaves this portion of industry without actionable guidance. With only one example, some companies will find it difficult or impossible to extrapolate the structure of the risk-based approach and then apply it to their organization’s processes. Furthermore, the guidance is silent on what modeling a risk of not meeting a regulatory requirement would look like in this process.

ISO 13485:2016 Takeaway:

  • Give consideration to how your internal audit system can be augmented to fulfill the risk-based approach.

In the next installment, we will conduct a historical review of the evolution of risk management, cross-link references to risk throughout the regulations and look at how all of these factors influence risk-based thinking. As my high school history teacher once told me, “You have to understand where you have been to understand where you are going.” Stay tuned!



Michelle Lott has been the Principal and Founder of Lean RAQA since 2010. By 2018, Lean RAQA supported more than 100 companies with services including regulatory strategy, regulatory submissions, quality systems compliance, due diligence, and a considerable range of technical support services. Lean RAQA specializes in supporting startups' first quality system and submission as well as remediation services for large companies. Lott currently serves a four-year term on the FDA Device Good Manufacturing Practices Advisory Committee (DGMP); reviewing feasibility and reasonableness, recommending proposed good manufacturing practice regulations in manufacturing, packing, storing, and installing devices. She achieved a Regulatory Affairs Professionals Society Executive Leadership Certification from Northwestern Kellogg School of Management and a bachelor's degree in chemistry from Troy State University. Interesting fact: Lott formerly served as an expert witness in forensic toxicology at the Mississippi Crime Laboratory.

