The definitions of ‘process approach’ and ‘risk management’ in ISO 13485:2003[i] have definitely left some gray areas for organizations over the years, with one oversight becoming apparent -- that process risk management plans for every process carrying risk within the Quality Management System of the organization are lacking.
Companies that were developing new Quality Management Systems for the first time under the 2003 standard struggled with the somewhat vague descriptions and interpretations thereof, and they often applied risk management mainly to design control, verification, and validation activities. The result of this was exposure to audit observations for lack of process risk management plans that addressed system risks in their entirety.
The revised standard for 2016[i], that is now effective, and coming due for certification audits, has fortunately corrected this issue. It does bring to light, however, that if process risk management is currently missing from your system, it needs to be addressed.
Want to read the rest? Please fill out this form for access to a PDF of the entire article.
