Risk is an interesting topic in any company. Historically, we have seen two styles:
We do not have time to waste on 14971 activities. It is so cumbersome and confusing! We do the minimum in order to (barely) meet the requirements.
We incorporate risk activities from the time a product begins design. This continues through to post-market surveillance.
As you can see, these are on opposite sides of the spectrum. But I bet you can recognize your company in one of them!
When one digs a little deeper into each of the styles, another interesting pattern comes out.
Style #1 is a company that generally does not understand the regulation and therefore cannot respect the regulation enough to follow it. They do the minimum which almost always equates to a simple FMEA chart. And sometimes this chart is only one page long. These companies have had this mentality for so long, that it is an uphill battle to even start the education of risk, let alone implement it.
Style #2 usually comes from the mouth of RA/QA management. They understand that the regulations are not optional and have educated themselves and their company on the process. Within this style are two more possibilities. A) The RA/QA management understands, but stands alone within the company. They have to fight tooth and nail to get people to support their risk activities. B) Upper management fully understands and supports the risk process and educates employees on the importance. Style 2B is a rarity in any industry, but such a breath of fresh air when encountered!
Both of these styles are historic and understandable considering the hit or miss inspection techniques by government auditors/inspectors. When the government reviews risk files, they used to accept the FMEA chart and move on without question. This was the expectation so most companies did what was expected.
Then In 2007 when ISO 14971 was updated, the standard reflected a stronger documentation of the entire risk process. But surprisingly enough, many government auditors/inspectors took quite a few years to catch up. They still were fine with the basic FMEA chart.
But then things slowly started to change…
We started to notice government auditors/inspectors that were starting to use the 2007 version of the standard. And many companies were caught off guard, not having sufficient files.
So everyone began to scramble and create these 14971 compliant risk files. Yes, I said entire risk FILES. When the standard is followed, it will generate an entire file for each device or device category. And the file is a living document to be updated. The management of the risk file is like management of the design file – continual updating when new information is brought in.
Back to the 2 styles.
What both styles should understand is that creation of a risk file is a value added activity.
- If risk is incorporated early in design, then design flaws are caught before retooling and expensive processes need to be edited
- If risk is incorporated during manufacturing, then manufacturing processes will be done to reduce defects and therefore lowering cost per unit to produce
- If risk is incorporated during post-market activities, then device failure trends will be caught prior to patient involvement or recall activities are necessary
All of these activities are adding value by cutting potential expensive mistakes anywhere in the process.
Yes, creation of a new risk file when the product has already been established is a headache. We all understand and have been there. ISO 14971 is a well written guidance document and when read cover to cover, can provide a blueprint on how to create the risk file.
Of course, if you still need help, Regulatory Specialists is here to assist. We have everything you need, from procedures to work instructions to the forms. Even if you need it done quickly and completely, please give us a call. We can walk you through the process.