2. What is Risk Management?
A process which will:
Identify risks
Weigh costs versus benefits
Eliminate unnecessary risk
Three rules of risk management:
Benefits must exceed Cost
Accept no unnecessary Risk
Decisions must be made at the appropriate Level
3. What is Risk Management for?
For ensuring the safety of
medical devices!
5. Standards for Risk Management
In USA
- “Design Control Guidance for Medical Device Manufacturers”
• March 11, 1996
- “Guidance for the Content of Premarket Submission for
Software Contained in Medical Devices” “ODE Guidance”
• May 29, 1998
6. Standards for Risk Management
In China YY/T0316-2003/ISO14971:2000
- YY/T0316-2001 Medical devices—Application of risk
management to medical devices
• IDT ISO14971-1:1998
(Chinese title of the standard, translated: "Medical devices: application of risk management to medical devices")
- YY/T0316-2003
• IDT ISO14971:2000
- GB 9706.X-200X
• IDT IEC601-1-4:1996
8. Risk Management Terms
1. Intended Use/Purpose
Use of a Product, Process or Service in accordance with the
specifications, instructions and information provided by the
manufacturer.
ANSI/AAMI/ISO 14971:2000, definition 2.5
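Chinese rendering, translated: Intended use/purpose: use of a product, process or service in accordance with the specifications, instruction manual and information provided by the manufacturer.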
9. Risk Management Terms
2. Harm
Physical injury or damage to health of people, or damage to
property or the environment.
ISO/IEC Guide 51:1999, definition 3.3“Guidelines for inclusion of safety
aspects in standards.”
Chinese rendering, translated: Harm: actual injury or damage to the health of people, or damage to property or the environment.
11. Risk Management Terms
4. Risk
Combination of the probability of occurrence of harm and the
severity of harm.
ISO/IEC Guide 51:1999, definition 3.2
Chinese rendering, translated: Risk: the combination of the probability of occurrence of harm and the severity of the harm.
12. Risk Management Terms
5. Residual Risk
Risk remaining after protective measures have been taken.
ISO/IEC Guide 51:1999, definition 3.9
Chinese rendering, translated: Residual risk: the risk remaining after protective measures have been taken.
13. Risk Management Terms
6. Risk analysis
Systematic use of available information to identify hazards
and to estimate the risk.
ISO/IEC Guide 51:1999, definition 3.10
Chinese rendering, translated: Risk analysis: systematic use of available information to identify hazards and estimate the risk.
14. Risk Management Terms
7. Risk evaluation
Judgment, on the basis of risk analysis, of whether a risk
which is acceptable has been achieved in a given context
based on the current values of society.
ISO/DIS 14971:1999-07
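Chinese rendering, translated: Risk evaluation: judgment, on the basis of risk analysis and according to the given current values of society, of whether the risk has reached an acceptable level.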
15. Risk Management Terms
8. Risk assessment
Overall process of risk analysis and risk evaluation.
ISO/IEC Guide 51:1999, definition 3.12
Chinese rendering, translated: Risk assessment: the overall process comprising risk analysis and risk evaluation.
16. Risk Management Terms
9. Risk control
The process through which decisions are reached and
implemented for reducing risks to or maintaining risks within
specified levels.
ISO/DIS 14971:1999-07
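Chinese rendering, translated: Risk control: the process of making decisions and implementing protective measures in order to reduce risks or keep them within specified levels.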
17. Risk Management Terms
10. Risk management
Systematic application of management policies, procedures
and practices to the tasks of analyzing, evaluating and
controlling risk.
ISO/IEC Guide 51:1999
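Chinese rendering, translated: Risk management: systematic application of management policies, procedures and practices to the work of risk analysis, evaluation and control.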
18. What Risks Must Be Managed?
Risk to safety of patients, users, handlers
Business
Regulatory
Product liability
19. Risk Management Process
ISO 14971, Figure 1. Risk management spans all four stages below; risk assessment covers risk analysis and risk evaluation.
Risk analysis
• Intended use/intended purpose identification
• Hazard identification
• Risk estimation (likelihood x severity)
Risk evaluation
• Risk acceptability decisions
Risk control
• Option analysis
• Implementation
• Residual risk evaluation/Overall risk acceptance
Post-production information
• Post-production experience
• Review of risk management experience
21. Risk Assessment
Applications of Risk Analysis
1. Design
2. Production
3. Premarket Notifications
4. Complaints
5. MDR
6. Change Control
7. Failure Analysis
8. Etc.
22. Risk Assessment
Life Cycle
[Figure: risk assessments across the life cycle. Phases: Concept & Feasibility, Development, Scale-Up & Transfer, Production. Assessments: System Level Assessment, Design Assessment, Process Assessment, Customer Feedback Assessment.]
23. Risk Assessment
Design Control
[Figure: design control and risk assessment outputs by phase.]
Phases: Concept & Feasibility, Planning, Development, Scale-Up & Transfer, Production
Design Control: Requirements, Plan, Specifications, Test Methods & Results, Production Methods, Change Records
Risk Assessment: Preliminary Hazard Analysis, Risk Management Plan, Detailed Analysis (FMEA, FTA, HACCP, etc.), Risk Reviews, Risk Management Report
24. Risk Assessment
Key Concepts of Risk
--The frequency of the potential harm;
• How often the loss may occur;
--The consequences of that loss;
• How large the loss might be;
--The perception of the loss;
• How seriously the stakeholders view the
risk that might affect them.
25. Risk Assessment
Step 1 – Identify Hazards
[Figure: hazard identification flow.]
Inputs: Laws, Codes, Standards, Events, MDRs, Accidents, Etc.
Methods: Brainstorming, PHA, FTA, FMEA
Output: List of Hazards
Note: Make it simple---Make it COMPLETE
26. Risk Assessment
Step 2 – Assess Hazards
Determine each hazard’s risk level before
controls are in place. (Initial risk level)
Assess:
The likelihood/probability that an accident will
occur because of the hazard.
The most likely result of such an accident.
The overall risk level of each hazard.
The overall operation initial risk level.
27. Risk Assessment
Risk Likelihood (Frequency Codes)
based on IEC60601-1-4
Level | Chinese label (translated) | Individual | All | Frequency range
Frequent | occurs frequently | Occurs repeatedly in career | Continuously experienced | > 1
Probable | occurs sometimes | Occurs often in career | Occurs frequently | 1 to 10^-1
Occasional | occurs occasionally | Occurs sometime in career | Occurs sporadically or several times | 10^-1 to 10^-2
Remote | seldom occurs | Seldom chance of occurrence | Expected to occur sometime | 10^-2 to 10^-4
Improbable | very seldom occurs | Probably will not occur in career | Possible but not probable, rare | 10^-4 to 10^-6
Incredible | extremely seldom occurs | Occurs so implausibly as to elicit disbelief | Not plausible or believable | < 10^-6
28. Risk Assessment
Risk Severity (Severity of Consequence Codes)
based on IEC60601-1-4
Level | Chinese label (translated) | Consequence
Negligible | slight | First aid or minor supportive medical treatment, minor system impairment, minor property damage
Marginal | serious | Minor injury, lost workday accident, compensable injury or illness, minor system damage, minor property damage
Critical | fatal | Permanent partial disability, temporary total disability in excess of 3 months, major system damage, significant property damage
Catastrophic | catastrophic | Death or permanent total disability, system loss, major property damage
29. Risk Assessment
Risk Regions Example based on ISO 14971, Fig E.1
[Figure: risk regions chart. Likelihood axis: Frequent, Probable, Occasional, Remote, Improbable, Incredible. Severity axis: Negligible, Marginal, Critical, Catastrophic. Regions: Intolerable; ALARP (As Low As Reasonably Practicable); Broadly Acceptable.]
30. Risk Assessment
ALARP Curve
[Figure: ALARP curve. Axes: increasing probability of occurrence and increasing severity of harm. Regions: Intolerable Region; ALARP; Broadly Acceptable Region. The Maximum Tolerable Risk line is marked.]
31. Preliminary Hazard Analysis (PHA)
Typically a screening tool used in the early
phases of design and development
For some projects it is the only tool needed
Not as quantitative as FMEA/FMECA and
doesn’t require detailed product design
32. PHA Steps
Risk Matrix Form
Severity rankings
Frequency codes
Estimated risk codes
PHA Form
Once established, it should remain the same for
similar product classes.
33. Estimation of Risk Codes
H: High. Risk must be reduced
I: Intermediate. Reduce to ALARP; cost a minor factor
L: Low. Reduce to ALARP; consider cost/benefit
T: Trivial. Broadly acceptable
ALARP = As Low As Reasonably Practicable
34. Risk Matrix
Frequency \ Severity | Negligible | Minor | Major | Severe
Frequent | L | I | H | H
Probable | L | I | H | H
Occasional | T | I | I | H
Remote | T | L | I | I
35. PHA Form
Hazards Arising From Product Design
Hazard | Investigation/Controls | Sev | Freq | Imp.
37. PHA
Start with general product type
Sterile (aseptic) liquids
Applicable standards
Move to product class
Contact lens solutions
Specific product
Daily contact lens cleaning solution
Address
Habit—tendency to use as always
Mistake instructions
Abuse
38. PHA Form
Hazards Arising From Product Design
Hazard | Investigation/Controls | Sev | Freq | Imp.
Wrong Material | SOPs, Crosscheck | Sev | Rem | I
Lack of Stability | Stability studies | Min | Occ | I
39. FMEA vs FTA
FMEA
1. Assumes component or part failure
2. Identifies functional failure as a result of part failure
FTA
1. Assumes failure of the functionality of a product
2. Identifies part/module failure as cause of functional failure
40. FMEA vs FTA
FMEA
3. Done for entire design
4. Systematic way to predict new problems
5. A bottom-up analysis
6. People expect the same results from FTA, which is not true
FTA
3. Too difficult to do for entire design
4. Systematic way to predict causes for usually known problems
5. A top-down analysis
6. People do not expect the same results from an FMEA
7. Often a fault tree is used for a problem or an accident
41. FTA
• Assumes fault and analyzes possible causes
• Connection tool for PHA* to subsystems or modules
• Top down
• Deductive
• Evaluate system (or subsystem) failures
• Considered more structured than FMEA
• Graphical presentation--visual picture
* Preliminary Hazard Analysis
42. FTA Limitations
Only as good as input
Needs FMEA as a complement
Needs input from many experts-can bog down
Human errors may be difficult to predict
Many potential fault trees for a system
Some more useful
Need to evaluate contribution
43. FTA Basic Symbols
Basic Flow
FAULT Fault in a box indicates that it is a result of
subsequent faults
OR Connects a preceding fault with a
subsequent fault that could cause a failure
AND Connects two or more faults that must
occur simultaneously to cause the
preceding fault
44. FTA Basic Symbols
End Points & Connector
BASIC FAULT Basic fault (part failure, software error,
human error, etc.)
Fault to be further analyzed with more
time or information if needed
In Transfer-in and transfer-out events
45. FTA-Additional Symbols
Exclusive OR Gate: Fault occurs if only
one of the input faults occurs
Priority AND Gate: Fault occurs if all inputs
occur in a certain order
Voting OR Gate (m): Fault occurs if m or more
out of n input faults occur
46. FTA Conventions
[Figure: example fault tree annotated with the conventions. Labels: top level event (fault); OR gate (either input fault may result in an output fault); AND gate (both input faults must occur for an output fault); basic fault; undeveloped fault/hazard; transfer (A) to next page.]
47. FTA Conventions
[Figure: second example fault tree annotated with the conventions. Labels: transfer from other event (A); OR gate; AND gate (both input faults must occur for an output fault); basic fault; undeveloped fault/hazard; transfer (B) to another page.]
48. Constructing a Fault Tree
Write functional requirements in negative
Functional requirement: Package Opens
Negative: Package Does NOT Open
Add additional potential failures
Select one failure to address at a time
Develop paths of possible causes of failure
Branch where necessary
Follow one branch to end
Root cause
Basic event
Undeveloped event
Develop action plans
50. FTA
Evaluate system (or subsystem) failures
Primary--Due to internal causes that include poor
design or use of inappropriate materials
Secondary--Due to failures in the operation that
include equipment failure
Control--Due to failures in the systems that are
in place to protect the quality and safety
e.g. raw material outside specification
failure of safety switch
failure of test method
51. FTA Example
[Figure: fault tree for "Pen will not write". Node labels: ball point not functioning; ball too large; ball diameter; incorrect mfg of housing; equipment not maintained; establish PM program; equip. cannot meet reqmts; ink not flowing; wrong viscosity; particles in ink; filter ink; ink flow blocked; ink dried in pen; no ink in reservoir; transfer A.]
53. FTA Lab Failure
[Figure: fault tree for a laboratory failure, joined by OR gates. Node labels: OOS; Lab Error; Calibration Error; Systematic; Random; Interference; Other Outliers; Other.]
54. FTA During Reliability
AND gates are multiplied
P(AND)= P(A)*P(B)
OR Gates are additive
P(OR) ≈ P(A)+P(B)
55. FTA During Reliability
HAZARD = SYSTEM FAILURE or DRIFT > LIMIT: 1 x 10^-16 + 4 x 10^-9 ≈ 4 x 10^-9
SYSTEM FAILURE = CMPT A FAILS and CMPT B FAILS: 5 x 10^-9 x 2 x 10^-8 = 1 x 10^-16
DRIFT > LIMIT = CMPT C DRIFTS or REFERENCE DRIFTS: 3 x 10^-9 + 1 x 10^-9 = 4 x 10^-9
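The gate rules from the two "FTA During Reliability" slides, applied to the slide's own numbers and extended to the exact OR formula and the m-out-of-n voting gate (an added example, not part of the original slides). It assumes independent basic faults; the tuple tree representation and the function names are this example's own.

```python
import math

# Fault tree from the "FTA During Reliability" slide; basic-fault values are the
# slide's. A node is a probability (basic fault) or a tuple (gate, children[, m]).
SLIDE_TREE = ("OR", [                  # HAZARD
    ("AND", [5e-9, 2e-8]),             # SYSTEM FAILURE: CMPT A fails AND CMPT B fails
    ("OR", [3e-9, 1e-9]),              # DRIFT > LIMIT: CMPT C drifts OR reference drifts
])

def p_and(probs):
    """AND gate: every independent input fault occurs."""
    return math.prod(probs)

def p_or(probs, exact=True):
    """OR gate. exact: 1 - prod(1 - p); otherwise the slide's sum approximation."""
    if not exact:
        return sum(probs)
    if any(p == 1.0 for p in probs):
        return 1.0
    # log1p/expm1 keep precision for p around 1e-9, where 1 - (1 - p) rounds.
    return -math.expm1(sum(math.log1p(-p) for p in probs))

def p_vote(m, probs):
    """Voting gate: at least m of the n independent input faults occur."""
    dist = [1.0]                       # dist[k] = P(exactly k inputs occurred so far)
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for k, q in enumerate(dist):
            nxt[k] += q * (1.0 - p)
            nxt[k + 1] += q * p
        dist = nxt
    return sum(dist[m:])

def evaluate(node, exact=True):
    """Probability of the fault at `node`, assuming independent basic faults."""
    if isinstance(node, (int, float)):
        if not 0.0 <= node <= 1.0:
            raise ValueError(f"not a probability: {node!r}")
        return float(node)
    gate, children, *rest = node
    probs = [evaluate(child, exact) for child in children]
    if gate == "AND":
        return p_and(probs)
    if gate == "OR":
        return p_or(probs, exact)
    if gate == "VOTE":
        return p_vote(rest[0], probs)
    raise ValueError(f"unknown gate: {gate!r}")

if __name__ == "__main__":
    print("slide approximation:", evaluate(SLIDE_TREE, exact=False))
    print("exact              :", evaluate(SLIDE_TREE, exact=True))
    # The sum only holds for rare faults: two likely faults "add" past 1.
    print("OR of 0.6 and 0.7  :", p_or([0.6, 0.7], exact=False), "vs", p_or([0.6, 0.7]))
```

For rare faults the sum and the exact OR agree to many digits, which is why the slide can add; once input probabilities are no longer small, only the exact form stays below 1.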
56. What is FMEA? What is FMECA?
FMEA
- Failure Mode and Effects Analysis
FMECA
- Failure Mode Effects and Criticality Analysis
57. What is FMEA?
Powerful prioritization tool
Inductive
Highly effective tool for identifying critical quality attributes
Highly structured
Methodical
Breaks large complex designs into manageable steps
58. FMEA
Bottom up approach
Evaluates specific failures
Detailed analysis tool
- Use in conjunction with PHA and FTA
Complements FTA
- May lead to different failure results
59. Advantages of FMEA
Less analyst dependent than FTA
Allows direct criticality assessment of components
Valuable troubleshooting aid
Identifies areas of weak design
Identifies areas of high risk
Prevention planning
Identifies change requirements
60. Disadvantages of FMEA
Does not consider operator error
Tedious
May not apply to all systems--especially software
May require extensive testing to gain information
May miss some failure modes
Time pressures
Information missing
61. Definitions
Criticality: Weighting of hazard severity with the probability of failure
Severity: Seriousness of effect through its impact on the system function
Occurrence: Likelihood a specific failure will be caused by a specific cause under current controls
Verification: Ability of the current evaluation technique to detect potential failure during design
Detection: Ability of the current manufacturing controls to detect potential failure before shipping
62. Definitions
Risk Priority Number
(RPN)= (S) x (O) x (D) or (V)
- Severity (S)
- Likelihood of occurrence (O)
- Likelihood of detection (D)
- Likelihood of verification (V)
63. Process FMEA
Identifies potential product-related process failure
modes
Assesses the potential customer effects of the failures
Identifies the potential internal and external
manufacturing or assembly process causes
Identifies process variables on which to focus controls
for
- reducing occurrence, or
- increasing detection of the failure conditions
64. Sources of Process Defects?
Omitted processing
Processing errors
Errors setting up work pieces
Missing parts
Wrong parts
Adjustment error
Processing wrong work piece
Mis-operation
Equipment not set up properly
Tools and fixtures improperly prepared
65. FMEA Summary
Powerful tool for summarizing:
Important modes of failure
Factors causing these failures
Effects of these failures
Risk prioritization
Identifying plan to control and monitor
Cataloging risk reduction activities
66. HAZOP
Hazard and Operability Study
Bottom up analysis
Deviations from design intentions
Systematic brainstorming based on guide words
67. HAZOP
Guide Words
No/Not
More
Less
As well as
Other than
68. HAZOP Model
Design Statement
Activity | Material | Destination
Transfer | Powder | Hopper
69. HAZOP
Design statement: Transfer | Powder | Hopper
No: valve closed; line blocked; pump broken; tank empty; valve closed; hopper full
More: pump fast; larger tank; inaccurate gage
Other than: liquid; wrong powder
70. HAZOP Plan
Guide | Deviation | Causes | Risk | Action | Who
NO | Powder flow | Valve closed | Low | Interlock |
NO | Powder flow | Line blocked | Med | Operator Training |
NO | Powder flow | Pump broken | Med | PM |
71. HACCP
Risk Management System
Biological Hazards
Chemical Hazards
Physical Hazards
Requires
Prerequisite Quality System Program
Traditionally GMPs
72. HACCP Steps
1. Conduct hazard analysis and identify
preventive measures
2. Identify Critical Control Points
3. Establish critical limits
4. Monitor each critical control point
5. Establish corrective action to be taken when
deviation occurs
6. Establish verification procedures
7. Establish record-keeping system
74. HACCP Worksheet
Firm Name:
Firm Address:
Product Description:
Method of Storage and Distribution:
Intended Use and Consumer:
Worksheet columns:
1. Material/processing step
2. Identify potential hazards introduced, controlled or enhanced at this step (Biological, Chemical, Physical)
3. Are any potential safety hazards significant? (Y/N)
4. Justify your decisions for column 3.
5. What preventative measures can be applied to prevent the significant hazards?
6. Is this step a critical control point? (Y/N)
75. HACCP Plan
Firm Name:
Firm Address:
Product Description:
Method of Storage and Distribution:
Intended Use and Consumer:
Plan columns:
(1) Critical Control Point
(2) Significant Hazards
(3) Critical Limits for each Action
Monitoring: (4) What, (5) How, (6) Frequency, (7) Who
(8) Corrective Actions
(9) Records
(10) Verification
76. Risk Control
Develop Controls, Implement Controls, Assess
Residual Risk and Make Risk Decision
Develop specific controls for each hazard.
Do not lump controls together for multiple hazards.
Be specific – don’t reference other documents.
Controls should result in reduction of severity, or
probability, or both.
If there is no reduction, re-examine the controls.
77. Risk Control
Develop Controls, Implement Controls, Assess
Residual Risk and Make Risk Decision
Assign responsibility for implementation of
controls.
Communicate requirements to all involved.
Incorporate into mission documents and
briefings.
SOPs
Orders
Briefings and back-briefs
Training
Rehearsals
78. Risk Control
Develop Controls, Implement Controls, Assess
Residual Risk and Make Risk Decision
Risk acceptance decision must be made at
appropriate level based on residual risk.
Acceptance authority mandated by ? .
Risk acceptance must be documented by appropriate
individual signing the RMWS.
79. Risk Control
Extreme risk: Commanding General level
High risk: Brigade/group commander or appropriate level
Moderate risk: Major unit commander or appropriate level
Low risk: As determined by major unit commander
80. Post-production information
Surveil
All staff are responsible for:
Performing to standard
Executing controls
Recognizing unsafe acts and conditions
Leaders are also responsible for enforcement
Evaluate
Effectiveness of controls (adjust/update)
Feedback
82. CONSIDER:
ACCIDENT CAUSE FACTORS
Human Error - 80%
an individual’s actions or performance is
different than what is required and
results in or contributes to an accident.
83. ACCIDENT CAUSE FACTORS
Materiel Failure/Malfunction - 5%
a fault in the equipment that keeps it from
working as designed, therefore causing or
contributing to an accident.
84. ACCIDENT CAUSE FACTORS
Environmental Conditions - 15%
any natural or manmade surroundings that
negatively affect performance of individuals,
equipment or materiel and cause or
contribute to an accident.
85. SOURCES of HUMAN ERROR
Individual - 48%
Staff member knows and is trained to standard but elects
not to follow the standard (self-discipline).
Example
Soldier knows there is a requirement to be
certified on servicing tires and although he isn’t
certified, he attempts to service the tire anyway
so he won’t have to wait for maintenance
personnel.
86. SOURCES of HUMAN ERROR
Leader - 18%
Leader does not enforce known standard.
Example
Leader sees the unqualified soldier changing the
tire and doesn’t stop him.
87. SOURCES of HUMAN ERROR
Training - 18%
Staff not trained to known standard
(insufficient, incorrect or no training on task).
Example
Soldier has never had any training on how to
service split rims and didn’t know that a tire
cage and air extension is required for inflation.
88. SOURCES of HUMAN ERROR
Standards - 8%
Standards/procedures not clear or practical, or do not
exist.
Example
The unit SOP requires the use of a tire cage,
however it does not require the use of a twelve foot
air gage extension.
89. SOURCES of HUMAN ERROR
Support - 8%
Equipment/material improperly
designed resources/not provided.
Example
The unit tire cage was not properly constructed
and the unit does not have a twelve foot
extension for the air gage.
90. Stop Worrying...It Does Add Up
Individual 48%
Leader 18%
Training 18%
Standards 8%
Support 8%
= Total 100%