RISK VS. RISK
"Risk-based ...", a source of confusion to the medical products industries.
Some say this should be a generalized approach throughout a company. This is partially correct. If a company is primarily addressing ISO 9001, then they are focused on ISO 31000, Risk Management, which addresses all manner of business risk.
However, if we are dealing with medical products, the U.S. FDA wants to see “risk” tied specifically to patient (and user) risk.
I have always recommended that companies:
- Tie such key medical product risk-based decisions to a Product Risk Document - ISO 14971 Risk Management File / Report, or ICH Q9;
- Cite specific line items, e.g., from a FMECA;
- Include “Normal” as well as “Failure / Fault” in Hazard List / FMECAs.
“Risk” in FDA-regulated industries usually means patient risk, not business, IT, legal, etc., risks, though some are obviously tied together. If you are marketing medical products both in the U.S. and EU / overseas, then your documentation will have to clearly address both types of risk, product / patient, and business.
ISO 14971 patient risk / safety vs. ISO 31000 business risk / “safety”.
Understanding such patient “risk” will determine how far to proceed on test cases, failure investigations / root cause analysis, degree of documentation, etc., needed to resolve a medical product risk issue.
"FDA has identified a risk-based orientation as one of the driving principles of the CGMP initiative. The progress outlined below reflects FDA's commitment to the adoption of risk management principles that will enhance the Agency's inspection and enforcement program, which is focused on protecting the public health." (emphasis added)
"Pharmaceutical cGMPs for the 21st Century - A Risk-Based Approach", September 2004.
John E. Lincoln firstname.lastname@example.org