How 1980’s pop culture can help us make risk-based decisions in healthcare

This article uses 1980’s pop culture to describe purchasing requirements in ISO 13485 and the Medical Device Single Audit Program, MDSAP.
In the 1986 film “Crocodile Dundee,” a gang in New York attempted to rob a crocodile-hunter visiting from Australia. They flashed a knife, and he replied with a line that’s been quoted for 30 years: “That’s not a knife. This is a knife!”
Crocodile Dundee made a risk-driven decision. A flow-chart for his decision would look like this:

Medical device companies are required to make risk-based decisions by international regulations and standards, such as ISO 13485 and MDSAP, which state that all company processes should be linked by a common goal of reducing risk. This article focuses on risk-driven decisions in purchasing processes, but the approach can be applied to any department in your company.
Purchasing is important
To understand why “Purchasing” is so important for risk-based decisions and processes, consider the 1986 Challenger Space Shuttle explosion. Seven people died, including a civilian high-school teacher.

The explosion originated near a small O-ring that was allowing fuel to leak. That O-ring was purchased from a vendor, but no one in the purchasing department knew the significance of that part. In fairness, it would be hard to see the significance of an O-ring, which emphasizes that Risk isn’t just about the part, it’s about what happens if that part fails.
Regulations for purchasing
The scene from Crocodile Dundee that led to a risk-based decision, “That’s not a knife,” has been viewed two million times:

Your company must have an approved quality system to sell medical devices. The international standard for this is ISO 13485, which is the foundation of a new audit method, the Medical Device Single Audit Program (MDSAP). Both require that quality systems function as a “risk-driven process.” ISO 13485:2016 training videos have, collectively, been viewed a few thousand times, but impact the lives of billions of people.

A ‘process approach’ that reduces risk to patients is the foundation of ISO 13485 and MDSAP. Together, these programs help improve healthcare for 7.2 billion people. But they don’t detail how to analyze risk. For that, use ISO 14971, Risk Management, and the supplement used in the European Union, EN ISO 14971:2012. Both include using teams to identify, analyze, and document “Hazardous Situations” in which the failure of a part would lead to unforeseen risks.
In the case of the Space Shuttle Challenger, a Hazardous Situation Analysis would have included asking “what happens if the O-ring fails?” and “what if the weather is colder on launch day than the purchasing specifications for the O-ring?” Those questions were being asked by engineers, but there wasn’t a way for their voices to be heard; modern Risk Management standards ensure a diverse team identifies, analyzes, and documents hazardous situations so they can be used by all departments. In the language of ISO 13485 and MDSAP, risk analysis would be “linked” to processes used by other departments, such as the NASA launch team and purchasing departments.
That’s not a process. This is a process!
Let’s look at what ISO 13485:2016 considers a process, using a diagram provided by Crocodile Dundee’s home country, Australia, which is one of five countries pioneering MDSAP.

In that diagram, “Risk Management” and “Purchasing” surround all departments. The diagram shows that Purchasing is driven by Risk Management, which means that oversight of vendors is based on reducing risk, which requires information from all departments through a series of linked processes.

All of these risk-driven processes create outputs; each output is used by other processes within a company, sometimes in different departments, with the goal of reducing risk to patients. In other words:
A process receives inputs and creates outputs. Outputs become inputs for other processes, creating a continuous flow of information and actions. A company’s quality system oversees these processes, and uses inputs from the real-world to generate outputs in the form of improved products and services.
Risk-driven process
For more clarity on how ISO defines a process, please see my blog, “MC Hammer, Vanilla Ice, & the process approach for quality systems,” where I illustrated concepts for what is, and what is not, a process. The bottom line is that a flow-chart is not a process; to be a process by ISO definitions, you must show that outputs become inputs for other processes in a closed-loop system of continuous improvement.
MDSAP requires evidence that your company uses risk-driven decision points for purchasing, either for high-risk parts or high-risk vendors. Examples of decision points for vendor selection or oversight include:
Is it a high-risk part?
Is this a high-risk vendor? i.e., are they not ISO 13485 certified, not MDSAP audited, do they have a history of mistakes, etc.
Is it a “Black Box” part? i.e., is the part assembled by a vendor, and when we receive the part are critical features hidden from our inspection process?
Does the vendor use sub-vendors that introduce risk into your supply chain?
An example of a risk-driven purchasing process is:

In this example, processes are linked between departments using “Risk Management Documents,” and receive real-world input for continuous improvement through incoming inspections and CAPAs (Corrective And Preventive Actions). Risk-driven decisions are made for vendors based on the part they’re making and their capabilities, which complies with ISO 13485, clause 4.1.5:
“controls shall be proportionate to the risk and the ability of the external party…”
In other words, risk for purchasing is a combination of the part and the vendor. You can reduce risk from purchasing in many ways, such as:
Selecting vendors that are ISO 13485 compliant or have passed an MDSAP audit
On-site inspections of their quality system
Increasing the percentage of parts inspected in your receiving department
Requesting first-article inspections for custom-made parts
Working with design engineering to reduce risk from that part
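To make the decision points and the “proportionate controls” idea concrete, here is an added example in Python, written for this discussion and not taken from the article, ISO 13485, or MDSAP. It scores the part (what happens if it fails, whether it is a black box, whether it is custom-made) and the vendor (certification, MDSAP audit, sub-vendors, history of CAPAs), takes the combination of the two as the purchasing risk, and maps that risk to the controls listed above. The tier thresholds, the sampling percentages, the control names and the sample parts and vendors are all assumptions chosen for illustration; a real sampling plan and acceptance criteria come from your own risk management plan. The `record_capa` function shows the closed loop: a CAPA traced back to a vendor changes that vendor’s tier the next time the decision is run.

```python
"""Risk-driven purchasing decision model (illustrative example; thresholds,
scores, control names and sample data are assumptions, not standard text)."""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Part:
    name: str
    failure_severity: int   # 1 (negligible) .. 5 (catastrophic), from the hazard analysis
    black_box: bool         # critical features hidden from our incoming inspection
    custom_made: bool       # made to our drawing rather than a catalogue item


@dataclass
class Vendor:
    name: str
    iso13485_certified: bool
    mdsap_audited: bool
    uses_subvendors: bool
    open_capas: int = 0     # CAPAs traced to this vendor; updated by the feedback loop


def part_tier(part: Part) -> Tier:
    """Part risk is about what happens if the part fails, not the part itself."""
    if part.failure_severity >= 4 or part.black_box:
        return Tier.HIGH
    if part.failure_severity >= 2 or part.custom_made:
        return Tier.MEDIUM
    return Tier.LOW


def vendor_tier(vendor: Vendor) -> Tier:
    """Vendor risk from the decision points: certification, audit, mistakes, sub-vendors."""
    score = 0
    score += 0 if vendor.iso13485_certified else 1
    score += 0 if vendor.mdsap_audited else 1
    score += 1 if vendor.uses_subvendors else 0
    score += min(vendor.open_capas, 2)      # repeated mistakes weigh more, capped at 2
    if score >= 3:
        return Tier.HIGH
    if score >= 1:
        return Tier.MEDIUM
    return Tier.LOW


# Assumed receiving-inspection sampling plan per combined risk tier (percent of lot)
INSPECTION_PERCENT = {Tier.LOW: 5, Tier.MEDIUM: 25, Tier.HIGH: 100}


def purchasing_controls(part: Part, vendor: Vendor) -> dict:
    """Controls proportionate to the combined risk of the part and the vendor."""
    p_tier, v_tier = part_tier(part), vendor_tier(vendor)
    combined = max(p_tier, v_tier)          # purchasing risk = part risk combined with vendor risk
    actions = []
    if part.custom_made:
        actions.append("first_article_inspection")
    if v_tier >= Tier.MEDIUM and not vendor.iso13485_certified:
        actions.append("on_site_quality_system_audit")
    if part.black_box:
        actions.append("vendor_inspection_records_required")  # we cannot see the hidden features
    if p_tier == Tier.HIGH:
        actions.append("design_engineering_risk_review")
    if vendor.uses_subvendors:
        actions.append("sub_vendor_disclosure")
    return {"risk_tier": combined.name,
            "receiving_inspection_percent": INSPECTION_PERCENT[combined],
            "actions": actions}


def record_capa(vendor: Vendor) -> Vendor:
    """Real-world input: a CAPA traced to the vendor feeds back into the vendor's risk tier."""
    vendor.open_capas += 1
    return vendor


# Constructed sample data for the demonstration (not real parts or suppliers)
ORING = Part("seal O-ring", failure_severity=5, black_box=False, custom_made=True)
LABEL = Part("carton label", failure_severity=1, black_box=False, custom_made=False)
CERTIFIED = Vendor("Vendor A", iso13485_certified=True, mdsap_audited=True, uses_subvendors=False)
UNCERTIFIED = Vendor("Vendor B", iso13485_certified=False, mdsap_audited=False, uses_subvendors=True)

if __name__ == "__main__":
    for p, v in [(ORING, CERTIFIED), (LABEL, UNCERTIFIED)]:
        print(f"{p.name} from {v.name} -> {purchasing_controls(p, v)}")
```

Note that a low-risk part from a high-risk vendor still lands in the highest tier, and a high-risk part from a certified vendor does too: the combination, not either factor alone, drives the controls, which is the point of clause 4.1.5.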
Because there are so many ways to reduce risk from purchasing, I strongly recommend starting with a plan. A plan that includes scope, goals, team members, etc. could be the starting point for brainstorming the best ways to reduce risk. And it’s likely that unforeseen situations will arise in your Hazard Analysis. For standardized ways to analyze risk, see my article on “Medical Device Risk,” based on ISO’s standard for Risk Management, ISO 14971. For this article on purchasing, the most important requirements from ISO 14971 and ISO 13485 are:
Start with a team-driven risk management plan, including what’s an acceptable level of risk. Remember the Space Shuttle time-line pressures? Pre-determined risk analysis reduces the human tendency to push boundaries when pressured.
Share Risk Management processes between departments through linked processes. In the example I created, “Risk Management Documents” would probably begin with Design Controls, and extend through manufacturing, purchasing, supplier audits, field maintenance, etc. Again, the Space Shuttle illustrated that one department knowing the risk was insufficient risk management because not all departments had access to that information.
Document all assumptions, ensuring there’s a process linking post-market surveillance to update assumptions. In a way, that’s what every iteration of ISO 13485 and 14971 are doing for us; they use information from events all over the world to continuously improve standards so that patients have safer healthcare.
Documentation could be done in many ways, such as with an engineering change order, ECO, following ISO 13485 change-control guidelines, and should be described in your company’s quality system. A comprehensive Risk Management policy is part of a company’s overall quality system, which is a responsibility of each company’s executive management.
Next Steps
Hopefully, Risk Management policies in your company are sufficient and easy to implement across all departments. If not, consider leading from within your company, proactively identifying ways to improve, and initiating a project to apply new standards of Risk Management. You can use compliance with ISO 13485:2016 and MDSAP to support your case, and use the resources below to help you plan.
Oriel STAT-A-MATRIX (I consult with Oriel)
Maetrics
LNE G-Med
MDI Consultants
Me (Jason 🙂)
Modern quality system regulations reduce risk to patients by requiring pre-determined risk management policies, links between departments, and processes that allow continuous improvement.
requires a medical device company’s quality system to be a series of risk-driven processes.
Risk can come from non-obvious Hazardous Situations, as described by

Purchasing is critical for ISO 13485 and , and purchasing decisions should be traced to risk-driven processes that are linked to processes in other departments.
Please share
If you think this has been entertaining and useful, please “like” it, link to it, or forward it for others to benefit.