Transitioning from an FMEA Risk Analysis to a Total Risk Management System

Richard Vincins
Note: The views expressed in this article are those of the authors and do not necessarily represent those of their employer, GxP Lifeline, its editor or MasterControl Inc.

Traditionally companies have been performing risk analysis to identify hazards, categorize the risk, and find methods for mitigating those risks. This approach has only been focused on the finished product with a limited view during design controls, not on how product is actually used. The risk analysis has been done as part of design and development with the development team themselves identifying the risks and hazards. What we are seeing over the last few years is that risk analysis or risk assessment is just a part of the entire picture. Organizations are realizing that a total risk management system must be implemented for their quality system to gain the full advantage. This article will discuss how companies can integrate risk management philosophies and techniques into their quality system processes.

In this article, the term "risk management" is used to encompass the traditional risk analysis methods and risk assessment that have been performed. The definition of risk management can be found in several standards, notably ISO 310001 and ISO 149712. Risk management is conducted for a myriad of reasons, though mainly for the identification of hazards and control of those hazards at an acceptable level. Conducting risk analysis only through Failure Modes and Effect Analysis (FMEA) or Fault Tree Analysis (FTA) typically does not include the entire lifecycle of the product. By performing only FMEA/FTA, aspects of risk management are lost, including the product lifecycle, processes within the quality system affecting the product, and understanding the application of the product once launched. Implementing a total risk management for the quality system allows the organization to identify hazards related specifically to the product and spot other processes that may impact the company's product, as well.

Moving risk management from a product-focused view to a total lifecycle view requires several steps. The first step is to understand the application of risk management and how to apply this concept to the quality system. Surprisingly, many individuals have not read the standards previously cited! Reading and applying the standard may not be enough; formal training in the application of the standards may be needed.

The application of risk management is an active process requiring review of the risks and hazards throughout the product lifecycle. These include reviewing the risks when a significant process change or a change to a significant supplier is made.

Customer feedback may also impact the product lifecycle. A company should continually ask if the manufacturing process has serious failures or if a serious adverse event has occurred with the customer base that impacts the risk management.

Applying Risk Management to the Quality Management System (QMS)

  • Obtain and apply a correct risk management process
  • Train employees on the concepts of risk management
  • Take one QMS process at a time to implement
  • Apply risk concepts and risk evaluation to the process
  • Monitor the QMS process and report on findings
  • Implement risk to the next process that is linked in the QMS

The next step to integrating a total risk management system is to identify those processes or services in the company where risk management should be applied. This is going beyond the traditional FMEA/FTA design that may be limited in scope. The company must understand all of the stakeholders in the risk management process, not only the end customer. Take into consideration all of the quality system processes, including outsourcing to suppliers, manufacturing activities, testing activities, and any changes to these that occur after product launch. Each of these processes may present hazards or risks further along in the product lifecycle. Organizations that have not gone through this exercise often discover product failures that, unfortunately, have been revealed the hard way. For example, a company that does not consider a second tier supplier as critical may have to conduct a product recall based on changes made by the second tier supplier. The important thing to consider when evaluating quality system processes is that the total life cycle of the product must be realized from birth to death.

The application of total risk management for the quality system can be taken in a step-by-step approach (see image below). This is particularly necessary if this is a new concept to an organization that has traditionally only performed risk analysis. Note: risk evaluation is usually different applied to quality system processes than when applied to a finished product. The concept of risk evaluation requires the severity levels and probability of occurrence levels to be established for either the entire quality system or individual processes in the quality system. As an example, the severity level of an event encountered with a supplier may be different than a severity level of an event in the manufacturing process. Establishing the risk evaluation allows the generation of an acceptability matrix to determine if the hazard introduced with the process is acceptable.

If the hazard identified in the quality system process is not acceptable, then the company can implement a series of risk controls to minimize the risk. For example, when we look at supplier hazards, increased inspection might be needed or periodic supplier audits required. Other risk controls might include the introduction of a new test or inspection at the final step to assure the hazard identified in the manufacturing process is avoided. The quality system process must be continuously monitored to assure the risk assessment stays within the estimated severity and probability of occurrence.

Controlling risk once it has been identified is also an issue. A company must decide if the identified risk is acceptable to itself, its customers and to all of the stakeholders involved. The company may decide that some risks are just unacceptable, like using sole-source suppliers that may have a significant impact on hazards introduced during the product lifecycle.

With this information as an overview, let's look at a specific example that demonstrates how we can apply risk management to one quality system process. In today's quality system, many companies outsource component manufacturing or servicing needs. The risk management process discussed previously can be applied to initial supplier qualification and ongoing supplier evaluation. This helps the company to understand those hazards or risks that would impact their own manufacturing (purchasing components), the finished product (contract manufacturers), or how their customer calls are handled (call centers). The identification of these risks allows companies to clearly communicate their expectations or establish the requirements needed for high quality products or service. Applying risk management to supplier controls also assures that risk controls are implemented, such as increased inspection activities or assuring a secondary supplier is available. The risks should be monitored continuously by the organization to assure the risk assessment is still applicable. By monitoring the risk assessment, the organization verifies during the supplier evaluation that the severity or occurrence has not changed. In effect, the risk management process can be applied to many quality system processes including customer feedback, nonconforming material, supplier controls, process validations, or internal audits.

Risk Requiring Supplier Controls

  • Single-source suppliers with no contingency or secondary source
  • Continuous receipt of poor quality components delaying production
  • Late shipments or missing shipments that delay production
  • No responsiveness to corrective action requests impacting the effectiveness of a company's quality system
  • Poor to no notification of changes to processes or components that can't be evaluated for product impact
  • Specialized processes that require validation and routine monitoring by the supplier
  • Increasing costs significantly, impacting the cost of goods The discussion of supplier controls shows just one example of how risk management concepts can be applied to the quality system. The main objective is the identification of quality system hazards that could have an impact on the quality of the product, on the quality system processes, or have a negative impact on the business. If we only control the risks associated with the product, we are missing out on other opportunities where risk is introduced within the product lifecycle. If we look for hazards throughout the product lifecycle, we can minimize the risk associated with producing a high quality product for our customers.

  • References

    1. ISO 31000:2009, International Standards Organization, Risk Management - Principles and Guidelines
    2. ISO 14971:2007, International Standards Organization, Medical Devices - Application of Risk Management to Medical Devices

    Richard A. Vincins serves as Vice President of Quality Assurance at the Emergo Group, where he is responsible for quality assurance and regulatory affairs activities. In this role, he handles the implementation of quality systems, conducting quality system audits, training on quality system tools, and providing regulatory expertise in national and international regulations. He has more than 20 years of experience in the medical industry, including worldwide regulatory compliance efforts for medical device, IVD, and pharmaceutical companies. His work experience at companies like C.R. Bard, Medtronic, and bioMerieux include establishing quality systems to ISO standards, 510(k) submissions, and CE marking of multiple product lines. Vincins is an ASQ Certified Biomedical Auditor and Certified Quality Auditor and holds a Regulatory Affairs Certification for U.S. Regulations and European Union Regulations through the Regulatory Affairs Professional Society. He graduated from Bridgewater State College, MA, with a bachelor's degree in Biomedical Biology.
    [ { "key": "fid#1", "value": ["GxP Lifeline Blog"] } ]