Question on One Sentence in 7.1 of ISO 13485:2016

Dear Colleagues,

The second paragraph of section 7.1 of the standard has a rather odd requirement in it. It says we have to “document one or more processes for risk management in product realization.” What sort of “document” is meant here? Does this mean we need a procedure for doing risk management or does it mean we have to pick one ("or more") of the various “product realization” processes (such as the order acceptance process, the purchasing process, or any of the actual manufacturing processes) and document our risk analysis of them (for example, a Process Failure Modes and Effects Analysis)? Perhaps it means something else altogether. We are really struggling with understanding this one sentence!

Thanks in advance to all who reply.

Kind regards,
Diane Hunt
Portland, Oregon USA

 

This is one of the errors that ISO 13485:2016 has, because this is the one of only two instances where the standard requires you to "document a process" (the other one is in 6.2).

This problem happened because the group decided to use only the word "document" instead of establishing, maintaining, etc. (this is explained in 0.2 -
When a requirement is required to be “documented”, it is also required to be established,implemented and maintained) and ended up up changing those instances to document. However, in those two cases, it does not make sense (the correct way would be to require to document a procedure) but the group did not this problem (and I only noticed it when translating the standard to Portuguese). Anyway, the idea is to apply ISO 14971, as can be seen by the note.

 

Dear Marcelo,

Many thanks for the quick reply and for the insight in what the standard writers were thinking when revising ISO 13485. I can see how this got mixed up, but I would still like to ask if I'm understanding you correctly. If we have a documented procedure for risk management (especially if it takes ISO 14971 into account), would we meet this awkwardly-stated requirement?

Kind regards,
Diane

 

\

Not only to have a procedure, but to establish, implement and maintain it, too (only having the procedure does not meet the requirement, you have to show that you are applying it). Also, please note that although I mentioned that the idea is to follow ISO 14971, this is not mandatory (for several reasons).

 

Dear Marcelo,

Ah yes! We would (of course!) "establish, implement, and maintain" that procedure, too. For us, that goes without saying, but I imagine there are companies that write procedures they have no intention of following.

Again, I thank you heartily for your reply....which I will now run with!

Kind regards,
Diane