Tim Lozier


Managing Risk Has Its Rewards

No nasty surprises, for instance

Published: Tuesday, February 26, 2008 - 23:00

In today’s quality management systems, the ability to control and correct processes is key to maintaining a high level of compliance within an organization. Whether it’s tracking incoming customer complaints, identifying nonconforming materials from production, or using corrective and preventive actions (CAPA) to correct events within the system, having defined quality management processes in place can improve quality, reduce legal liability, and make compliance a competitive advantage.

In many cases, the ability to discern the overall effect of events is a subjective determination, often relying on the individuals assigned to make the decision of whether the event is critical to the business. Being subjective can result in major errors and affect the overall compliance within an organization, and possibly lead to increased legal liability. Given that the increasing scrutiny of regulatory bodies leads to an ever-growing list of reported events, the likelihood of a severe noncompliance is greater than ever.

How can organizations effectively measure events from an objective standpoint to assess the overall effect? Through risk assessment and risk mitigation.

In this article, I will examine a real-world example of how using a risk assessment model in a quality management system can identify critical events, mitigate the risk, and prevent recurrence of these events.

Case in point: medical device manufacturer looking for a needle in a haystack

We enter into this story with a top-30 medical device manufacturer that’s a leader in its product niche. As with many medical device manufacturers, handling complaints from customers, patients, and health care professionals is part of the business. In this case, the device manufacturer receives thousands of complaints per month, of which hundreds are forwarded to the quality department for investigation, with varying degrees of severity.

The problem arose within their CAPA system. When any quality-related complaint came in, a CAPA was immediately issued. At this level within the organization, the CAPAs that came into the quality management system began to overrun the process—there were too many CAPAs issued, and it was impossible to dedicate the time and resources to handle every CAPA in an effective manner. The defining measure on what to work on became how long the CAPA was open. The company was faced with a “needle in a haystack” conundrum—how to sort through the long list of CAPAs to find the complaints that were most critical to the business.

A better solution was desperately needed to ensure that adverse events were reported in a timely manner to the Food and Drug Administration. Any delinquent reporting of adverse events meant risk of FDA 483 warning letters, or worse—loss of life.

Taking a risk-based approach and filtering the needle from the haystack
Action had to be taken. The quality department needed an effective way to filter their incoming complaints and designate a priority. Previously, the only way any complaint was flagged as critical was if a member of the complaint management team reviewed the complaint and set a priority level to it. This was a subjective measure, and the criteria for the severity of complaints were “hit or miss.” An objective measure was needed to assess the complaint and designate a corresponding action that was consistent each time.

The company decided to utilize the concept of risk assessment. Risk assessment enabled the organization to set up a matrix of risk criteria—in this case severity and probability—and, based on these severity and frequency levels, assign an action. As seen below in Figure 1, the risk matrix provides a threshold for critical and noncritical events. Using this method, the appropriate actions are automatically calculated and related actions are automatically generated, thereby providing an objective means of determining the level of risk and streamlining the overall process.

































Figure 1 - Matrix of severity and probability (figure not reproduced; the only surviving cell label is “ALARP – Evaluate”)

Putting the risk-based approach into practice
As a complaint enters the system, the complaint handler decides whether to forward the event to the quality department. If so, the complaint is assigned, and the quality department performs an investigation using a risk-based approach.

The risk-based method for the company consists of two parts. The company first determines the risk criteria (severity, probability, etc.) within a special subject-matter group, and then the risk matrix determines the corresponding actions to be taken based on those criteria. In their system, the risk-assessment meeting automatically invites the group via email to review the complaint, assess the levels of severity and frequency, and calculate the actions to be taken. In this meeting, the group will review the details of the investigation, the severity of the complaint, and the frequency of occurrence. Based on these levels, the risk assessment tool will automatically provide the action to be taken.

If the risk is within the tolerance levels, it’s immediately corrected and the process ends there. If the risk is intolerable, then actions are automatically generated within the system—whether reportable to the FDA, whether a CAPA is needed, etc. The CAPA process in itself is directly tied to the risk level. The risk level is inherited into the CAPA, and direct links to the risk assessment and the complaint are displayed on the CAPA form.

At this point, the CAPA generates the action plan, which is designed to determine the root cause and corrective action of the complaint, much like in any other CAPA process. Where it’s different is in the CAPA-effectiveness phase in the workflow.

For an action to be truly corrective to the process, it must be effective. In the past, the company’s effectiveness measures were subjective. If the problem related to the complaint was visibly corrected, then it was deemed effective. There was no objective way to ensure that the event was corrected within the company’s compliance standards.

To solve this problem, the company incorporated a second risk assessment to measure risk mitigation as a result of the corrective action taken. This second risk assessment is automatically generated at the effectiveness phase in the workflow, and a meeting is held to determine the business effect. Once again, the subject-matter group looks at the actions taken and determines the new severity and frequency of the action, to ensure that it is within acceptable risk tolerances. If so, then the event is considered corrected. If it’s not within the risk tolerances, it must be sent back to the beginning of the CAPA process and reworked until it is corrected within the risk tolerance set forth by the company.

This concept of risk mitigation provides objective evidence that the event was corrected effectively and within acceptable risk levels. The risk mitigation history is automatically displayed throughout the lifecycle of the complaint, so that any risks associated with the complaint are traceable and reportable.

One step further: building risk portfolios on process and product
By implementing a risk-based approach to their process, the medical device manufacturer has effectively identified critical events and dedicated resources to solving the quality problems that affect the business most. As more and more complaints enter the system, a risk history builds. The benefit here is that, based on previous complaints and their risk levels, the company now has a growing knowledge base of events with similar risk levels. This becomes a crucial reference point for the quality management process, in that any event with similar risk can be handled in a similar fashion, further streamlining the process. By referring to the knowledge base, the company can take action much more quickly and handle complaints more efficiently.

When a complaint is entered into the system, the product information is automatically recorded in the form. As more and more complaints enter the system, the corresponding risk histories are linked to the related products, effectively building a risk portfolio for each product in the company’s line. As a result, the company will now be able to report on the overall risk history of a particular product, enabling them to make a decision on whether this product incurs too much risk, and requires a rework, redesign, or recall.

This collaborative link of quality data into product life-cycle management allows the risk-assessment tool to cross from quality into product design and ensures that the data collected by the quality department is translated to other departments within the company. From these data, the company is able to link in other risk methods, such as FMEA or decision-tree analysis, thus combining the methods of risk assessment from quality, to product design, to the entire enterprise.

Our medical device manufacturer’s experience is just one instance of how risk assessment is applied to the quality management system. The underlying concept of applying a quantitative risk assessment to an event is prevalent in other aspects of a quality management system. For example, handling product lots through nonconforming materials can utilize risk-assessment methods in measuring the level and severity of any product defects. If a process or design change is required, you can assess the total business effect or risk of that change from within your change-management process. You can review audit findings and determine the overall risk levels and take necessary actions. You can even take out-of-spec or out-of-calibration equipment and use risk assessment to determine the next actions. As you can see, there’s no limit to risk assessment’s benefits to the quality management system.

Risk management and risk assessment aren’t new to the quality and compliance industry. In fact, risk has been a prominent feature in such standards as ISO 13485, ISO 14971, and others. Using a risk-based methodology to streamline the CAPA process provides an objective way for companies to determine the effect of events and take the appropriate action.

We talked about how one such company is leading the charge for handling complaints, using risk assessment to filter critical events from noncritical events, and not only correcting the problem, but also mitigating the risk associated with the correction. We have discussed how building a risk matrix will objectively facilitate the decision-making process based on risk levels, and take out any subjective means of decision making.

In addition, we’ve explained how building risk into the effectiveness process will ensure that the actions taken correct the event to within the acceptable risk tolerances.

Finally, we talked about how risk histories can be linked to processes and products, providing a risk portfolio for analysis in determining the overall risk across the brand.

When looking into a quality system, look deeper into what areas of the process are subjective, and what areas are objective. If there are too many subjective measures taken to correct events, a risk-based approach can eliminate the guesswork.

In short, managing your risk has its rewards.


About The Author


Tim Lozier

Tim Lozier is the director of product strategy for EtQ, in Farmingdale, New York. He has extensive experience in the software industry, and has been involved in the creation of leading-edge technologies in user-interface design and development. He began his career in digital marketing before taking a turn into software design and marketing at Quark Inc. Since then, he’s never looked back—helping to foster the development (and blog about) leading quality management software solutions.