Part I
By Matteo Gubellini, VP of Regulatory Affairs of SoftComply*
“Ok, let’s follow a few of these risk mitigation actions down to outputs and verification activities” says the auditor.
Typical question. Actually there couldn’t be a more typical audit question. Traceability.
We have been here dozens of times. And every time it’s the same feeling.
You just hope that the auditor will not pick an action that has accidentally slipped through the cracks.
No matter how bulletproof your quality system is, how many times you and your team have reviewed the risk documents and traceability matrices. You are always worried that there could be one of them that was missed by everyone.
Someone forgot to transfer it to the requirements, or forgot to trace it, or mixed it with something that sounded almost the same.
Because every project is the same; at the end of it, the final push, all hands on deck, everybody is rushing. Hundreds of requirements, risk mitigation actions, verification protocols, deviations, reports to write, approvers that are offsite or nowhere to be found.
Did we forget something…?
And sometimes it happens – “Oh, it seems we can’t find this one…”
Panic in the backroom
While I try to bring the attention of the auditor to another topic, I know a few meters away my colleagues are scrambling through the endless Excel files, trying to find that bloody risk mitigation action.
The auditor is getting impatient. It’s the last day, they are already behind schedule, they don’t need another delay.
Even if it was there, even when you print those gigantic excel files on A3, or on a plotter, you just can’t read them. They are just too big. And the page layout function of excel is not the best.
But to be completely fair to Mr. Gates, this is not what Excel was designed to do. It’s great when you can use a combo of Lookup, Match and so on to automatically populate the Risk column, but this is not its main purpose.
Excel is a Spreadsheet.
Spreadsheets are used to manipulate data. Not to manage risk and traceability.
“So this action..?” the auditor asks again.
“It’s here, it’s just a very large document, it may take a while to find it” and I smile (only on the outside).
The door behinds me opens and I hope the answer is coming. A colleague whispers in my ear: “6th page, 13th row”
Yes it’s there. I knew it! I smile again (this time on the inside too).
I point it to the auditor and we follow it through the end, without any damage. Well done team!
“Great, let’s pick another one…” the auditor continues.
Deep breaths. Deep breaths.
In the next week’s blog, I will tell you more about the Risk Management tool we developed for JIRA.
Also coming soon – articles about design control, guidance documents for software in or as a medical device, international standards and risk assessment for software based medical devices…
* SoftComply is a developer of Cloud and Server based tools that help companies manage their software risks and implement their quality systems based on the medical device software regulations www.softcomply.com
Read more about SoftComply Risk Manager
