Risk Managment is not permission to take risks. Risk management and the tools of risk analysis are there to justify doing what you should be doing, not what you want to do. There is a fundamental misunderstanding of the burden of risk management and how wide spread it is supposed to be within the organization.
The executives that do not get risk management paradigms see it as a vehicle for justifying their organizational goals. I wish that mode of thinking was rare.
Risk management is all encompassing. Get that first and foremost. Risk analysis is part of every step. It starts from development and design. It transitions from product to manufacturing process. It is in every part of the life cycle including retirement. For instance, you are ready to retire a product or a feature. You need to determine the risk to your customers on the elimination or retirement. Think about removing a headphone jack from a phone or taking a product that is fundamental to a small populations quality of life or survival. If you say your company has a risk management system think about how far it is implemented. Has it penetrated all aspects of every process? Are there feedback loops? Are there metrics about those feedback loops.
Is your product so good that it does not need improvement in some way? Not just in its intrinsic quality but also customer experience, supply chain, servicing, design and manufacturing processes?
Points to note:
- ISO 14971 impacts each device process and quality system
- ISO 62304 impacts medical device software in the same framework of risk as 14971
- Risk Management programs describe the program; tools and frameworks should be defined in sub-procedures such as risk analysis methods (i.e. FTA or FMEA)
- Continuous improvement and correction systems require feedback loops into all processes including design and manufacture.
- Servicing and kitting processes require all the same evaluations and risk controls as all other risk based processes.
- Outsourced services are to be included in risk evaluations and controls
- Quality Agreements to third parties need to account for responsibilities to risk management programs and feedback loops.
What are the next steps?:
- Obtain and read the associated regulations and guidance. Read all of the annexes as well.
- Ensure your technical file and 510K/PMAs
- Products require risk analysis; these need to be kept up to date
- A general risk narrative should be developed for the business processes
- A general risk analysis should be developed for the quality management system
- A risk analysis is required for all aspects of product realization and manufacturing (development, design, manufacturing and servicing)
Ensure that responsible people accept the residual risk and that the risk is as low as reasonably practical. Further for products put into commerce in the EU risk needs to be as low as possible.