PREVENTIVE ACTION RISK ASSESSMENT

1. Purpose

This document provides the process for Quality Risk Assessment in compliance with ISO 13485 for processes, products, events such as non conformance, as applicable and required by regulations.

2. Approval

(Version at end of page)

Signed V16 RB 15.07.2024 

3. Scope

The process covers all documents and process and products as defined in the SOP.

4. Responsibilities

Approval: Author of the document, Marelize Robertson

Changes: Author of the document, Dean Kowalski

5. Definitions

Benefit: The positive impact or desirable outcome of the use of the medical device on the health of an individual, or a positive impact on patient management or public health.

Preventive Action: To prevent a hazard and/or risk from occurrence using a risk-based approach and/or a risk assessment.

Harm: Is the injury or damage to the health of people, or damage to property or the environment.

Risk: Combination of the probability of occurrence of harm and the severity of that harm.

Hazard: Something with the potential to cause harm.

Hazardous Outcome: A description of how someone could be hurt or damage could occur as a result of interacting with the hazard.

Risk Rating: The overall judgement of the level of risk which may arise from the hazard, based upon the likelihood of the event occurring and the potential severity of the consequence.

Mitigation / Control Measures: Method used to reduce or control risks arising from identified hazards; in consideration of mitigating (justifying / qualifying) circumstances, which are provided by the level of risk from the risk evaluation, the Control and Risk Management Decision.

Residual Risk: The level of risk remaining once control measures have been applied to reduce.

Probability: The extent to which an event is likely to occur, measured by the ratio of the favorable cases to the whole number of cases possible.

Severity: Measure of the possible consequences of a hazard; the fact or condition (of something bad or undesirable) happening / occurring, very great; intense.

Critical Control Point (CCP): Is the point where the failure of a process, procedure, activity that could cause harm to customers and to the business, or even loss of the business itself.

Intended use: The use for which a product, process or service is intended according to the specifications, instructions and information provided by the manufacturer.

Risk Analysis: Systematic use of available information to identify hazards and to estimate the risk.

Risk Assessment: Overall process comprising a risk analysis and a risk evaluation. 

Risk Control: The process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels.

Risk Management: Systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk.

Risk Management File: Set of records and other documents that are produced by risk management.

6. Abbreviations

SOP - Standard Operating Procedure

QMS - Quality Management System

SHEQ - Safety, Health, Environment and Quality

NCCA – Non-Conformance Corrective Action

CCP - Critical Control Point

RASE - Risk Assessment Safety Evaluation

7. References

ISO 13485 clauses 8.2.4 & 5.6

ISO 14971:2019 

Procedure for Preventative, Corrective Action and Handling of Non-Conformance Products 

8. Procedure

Product, Process & System Quality Risk assessments, and review thereof, determine action to eliminate the causes of potential non-conformities and prevent their occurrence. Preventative action will be processed on Trello.

The Risk assessment provides for:

1. determining potential non-conformities and their causes;

2. evaluating the need for action to prevent occurrence of non-conformities;

3. determining and implementing action needed;

4. recording of the results of any investigations and of action taken;

5. reviewing preventive action taken and its effectiveness. 

Preventative action identified will be logged, reviewed and processed on the Trello preventative action board.  

8.1. ISO 13485 Risk Requirements

Risk Management is covered in Design & Development (7.3) for manufactured products by the manufacturer

The standard mentions Risk (not limited to);

8.2. Process Risk Based Approach

The Risks identified for Processes are at the start of generating a new procedure and after a trigger for the review if the risk is identified as an outcome of management review, internal audits and any other identified improvement opportunity. 

The risk is evaluated using the following table where the justification for determining a Risk Aspect as Low, Medium or High, for the Probability and Severity, is includes in the table.

Overall Risk is

• High: High = High, Med: High = High

• High: Med = Med, Med: Med = Med, Low: High = Med, Low: Med = Med

• High: Low = Low, Low: Low = Low

• refer Document

8.3. Product Risk Assessment 

The guide of the general risk management process is followed for Manufacturers and for specific product risk a protocol, plan and record as a "RASE" Risk assessment safety evaluation is performed with the following included in the document.

• 1. a Risk Management Plan; 

  2. a report of the following: Identify the Risk, evaluation of the Risk and for Components & Product, determination of the risk acceptance, with Control Measures and 

  3. provision of a Risk reduction as required

8.4. General Risk Management Process 

• 1. The general process of Risk assessment is : Risk Quality risk management is a systematic process for the assessment (identification and Analysis), • evaluation, •control, • communication and • review of risks

  2.  The Assessment Criteria; the Product, system quality and safety evaluation is determined through the ALARP (as low as reasonably possible)

  3. The standard “This means that risks have to be reduced ‘as far as possible’, ‘to a minimum’, ‘to the lowest possible level’, ‘minimised’ or ‘removed’, according to the wording of the corresponding essential requirement.”

ALAP - AS LOW AS POSSIBLE

8.5. Techniques

Various techniques are used namely;

• 1.  HACCP – Hazard Analysis Critical Control Point, where the process is to Identify hazards and define acceptable levels, assess and Evaluate the organisation's hazards, with probability and severity evaluation the Selection of measures to control the hazards. There is the establishment of the Critical Control Point with monitoring and verification to control the High Risk Hazard.

  2.  FMEA - Failure Mode Effects Analysis, a "bottom up" approach looking at the basic defect / hazards at the component level, assessing the effect, identifying potential solutions, . Failure mode effects criticality analysis (FMECA) adds the Probability of occurrence and severity of failure to the FMEA.

  3. Fault Tree Analysis (FTA) is a deductive, "top-down" approach to failure mode analysis, which identifies a failure or safety hazard where an attempt is made to identify all possible ways to create that hazard; a chart is constructed using logic symbols such as "and" plus "or" gates.  

8.6. Quality Risk Assessment and Plan 

A spreadsheet is used to record the Risk Assessment events refer Document for a template, which can be changed to suit the product, event, item; and activities in line with SANS ISO14971 (notations if (Step)) and SA GMP guideline:

1) PROCESS

2) Item

3) Activity

4) Hazard Sources; KNOWN or FORESEEABLE HAZARD

5) Type of Risk (Quality, Product Safety, OHS), categorised Biological, Physical, Chemical, Allergenic, Analytical, System, not applicable (B, P, C, Al, An, S, n/a)               

6) RISK EFFECT                  

7) SEVERITY x PROBABILITY (Rating step 3) goes to Assessment Criteria

8) CONTROLS                     

9) Legal and Other Requirements

10) "Risk Reduction necessary Y/N (Step 4)"

11) Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level (determined from the Assessment Criteria. Risk reduction might include actions taken to mitigate the severity and probability of harm).

12) "5 Terminate/ Isolate/ Substitute/ Prevent, 4 Behaviour based/ Training/ Reduce, 3 Engineering/ SOP, 2 Administrative/ Recovery/ Supervisor approval, 1 PPE/Treatment"

13) Detectability (H,M,L)

14) Risk Management Decision: Terminate, Treat, Tolerate, Transfer, Maintain "(Step 5)

15) Control Measures - List SOP" / control description where applicable to mitigate the Risk / Hazard as established.        

16) CCP                      

17) "Risk Reducible Y/N (Step 5)"                  

18) "MANAGEMENT PLAN (Step 6)"

19) "MONITORING"

20) "VERIFICATION RESPONSIBILITY'

21) "RESOURCES"

22)  "Residual Risk acceptable Y/N (Step 7)"              

23) "Other Hazards introduced Y/N (Step 9)"             

24) "All identified Hazards considered Y/N (Step 10)"            

25) "Overall residual Risk Acceptable Y/N (Step 11)" - evaluation to verifying that the action does not adversely affect the ability to me applicable regulatory requirements or the safety and performance of the medical device.

26) "Plan and eta Date" to record planning and documenting action needed and implementing such action, including, as appropriate, updating documentation.

In the event that a CORRECTIVE ACTION is required then follow PROCEDURE FOR CONFORMANCE AND CORRECTIVE ACTION

9. Risk Based Approach

In the event of non-compliance follow SOP Non-Conformance Corrective Action.

The Risk Assessment to is found in SOP Preventative Action Risk Assessment refer Document.

9.1 Trend Analysis and Continual Improvement

The analytical reviews of internal audits, and any other quality related matters, are reported through Data Analysis to management and as part of the input to management review.

The Trend analysis may identify any potential and recurring incidents, where corrective action must be reported at the management review to facilitate continual improvement.

10. Revision History

Revision 16; 15.07.2024 - RB - Change over to SharePoint Site

Revision 15; 14.10.2022 - HJM - 8.2 PROCESS RISK BASED APPROACH redefined for establishing High, Medium and Low overall risk

Revision 14; 19.07.2022 - MR -  DK 19.07.2022 - Moved duplicate preventative action process to preventative risk assessment SOP under 8. Procedure, Updated 11. Records - Added Trello

Revision 13; 07.01.2022 - MR - 5.Added definitions ; 7. References

Revision 12; 14.10.2021 - MR - Updated Responsibilities

Revision 11; 05.08.2021 - MR - Reviewed

Revision 10, 24.06.2021  - TNA - New format with Approval, Scope,  Responsibilities, Risk based approach and Records added.  amending links

Revision 9, Digitally signed on 23.01.2020 by WJW

Revision 1-8, unknown due to google site change to new google site

11. Records

Name Retained in Retention period Hard copies Destroyed by

Preventative Action Processing Platform      Trello N/A N/A