Hi,
GHTF/SG3/N15R8 Implementation of risk management principles and activities within a Quality Management System defines in chapter 10.3. Process Validation:
[i]Process validation and the determination of the need for revalidation may be influenced by
the results of risk management activities. When performing process validation, risk
management tools, such as FTA, FMEA, HAZOP, HACCP, PAT, or others, should be
considered. Results of process validation or revalidation may identify the need for additional
risk control measures. One example may be confirming or refining specific process
parameters and controls when the source of an identified hazard is process variability.
When process changes are undertaken, current risk control measures should be reviewed for
suitability. This review should also ensure that no new hazards were introduced.[/i]
In this year ISO audit we got a remark that risks related to the process validation that are stated in Risk management file in Technical file are to general and that detailed risk analysis should be part of validation documentation. Remark was also that every validation task must come from its own (detailed) risk. We have in our validations together tasks that come from risk for the patient and tasks that come from businesses risks but these risks are not documented in detail in process validation documentation.
I have a question: where these risks related to process validation should be documented? Is the correct place the documentation for process validation (eg. Validation plan) with references to Risk management file for the product in Technical file or is the correct place in Risk management file for the product?
What about the businesses risks? Is there any regulatory requirement for producer of medical devices that he should have documented risk analysis also for validation tasks that come from businesses risk?
Bear in mind that the GHTF documents are NOT regulation. Certainly good guidance.
In many cases I’ve seen, there is no (manufacturing) process-based risk analysis. You do, of course, need to validate processes whose outputs are not fully verified.
It’s not a bad idea to walk through the manufacturing process and identify ways where the process could introduce failure. The approach I’ve seen is an FMEA with each step analyzed to determine what could go wrong.
But unless your Quality System requires it / compliance with GHTF, they shouldn’t give you a NC for not having it.
[quote=yodon]Bear in mind that the GHTF documents are NOT regulation. Certainly good guidance.
In many cases I’ve seen, there is no (manufacturing) process-based risk analysis. You do, of course, need to validate processes whose outputs are not fully verified.
It’s not a bad idea to walk through the manufacturing process and identify ways where the process could introduce failure. The approach I’ve seen is an FMEA with each step analyzed to determine what could go wrong.
But unless your Quality System requires it / compliance with GHTF, they shouldn’t give you a NC for not having it.[/quote]
I am aware that GHTF are not regulation. But also ISO 13485 requires risk management throughout product realization (7.1). We got minior NC: “Risks are covered within product risk management summary, but there is no risk assessment on the individiual steps of the audited production process.”
We have many controls in our production procesess that are business risks related and for them we do not have risk analysis in risk management file for the product. For now we have only risks in risk managment for the product that are user/patient related and for which one of the risk control are process validation.
The auditor proposed these detailed risk analysis as attachment validation plan. These detailed risk analysis should include risk assessment on the individiual steps of the production process. Is this the correct solution of the problem?
Take business risks off the table. The only risks appropriate for 13485 / 14971 are the risks to patients, users, environment, etc. Your system hazard analysis should identify the potential hazards that need to be addressed.
In terms of risks introduced by the manufacturing process, without knowing your product or the processes, it’s hard to say whether such risks should be addressed in your risk management. If, for example, you had an implantable that had 2 pieces glued together, you probably would want to assess the risk of an improperly done gluing process. Clearly, components falling apart inside the body would pose a substantial risk.
Again, I’ve had clients that do process-based risk assessments and clients that didn’t. You have to justify why your existing risk assessment is complete OR incorporate process risk assessment into your RM file. If you believe that there are no significant risks introduced into from the manufacturing process, then you should document that and your rationale. You could include that in your Risk Report. The decision to do so should be risk based (so to speak ), not because an auditor thinks so.
This is where dFMEA meets pFMEA. We do a pFMEA for each process step, although for a simple process you may have a single pFMEA. The pFMEA looks at the process risks and how they are mitigated. The pFMEA can be a little challenging, because there really are different risks 1) Risks to the product which could impact the patient, 2) Risks to the operator, 3) Business risks such as down times, etc, We evaluate all of the above in the pFMEA and include specific risk rankings in our risk document for business risks.
), not because an auditor thinks so.