Why You Need to Go Beyond Risk Analysis

Richard Vincins
Note: The views expressed in this article are those of the author and do not necessarily represent those of his/her employer, GxP Lifeline, its editor or MasterControl, Inc.

Traditionally, companies have performed risk analysis to identify hazards, categorize the risk, and find methods for mitigating those risks. This approach has focused only on the finished product, with a limited view during design controls, and not on how the product is actually used. The risk analysis has been done as part of design and development, with the development team itself identifying the risks and hazards. What we have seen over the last few years is that risk analysis or risk assessment is just one part of the entire picture. Organizations are realizing that a total risk management system must be implemented for their quality system to gain the full advantage. This article will discuss how companies can integrate risk management philosophies and techniques into their quality system processes.

In this article, the term "risk management" will be used to encompass traditional risk analysis methods and risk assessment. The definition of risk management can be found in a couple of standards, notably ISO 31000 and ISO 14971. There are a myriad of reasons for conducting risk management, mainly the identification of hazards and the control of those hazards to an acceptable level. Conducting only risk analysis through Failure Modes and Effect Analysis (FMEA) or Fault Tree Analysis (FTA) typically does not cover the entire lifecycle of the product. By performing only FMEA/FTA, aspects of risk management are lost, including the product lifecycle, processes within the quality system affecting the product, and understanding the application of the product once launched. Implementing total risk management for the quality system allows the organization to identify not only hazards related specifically to the product, but also other processes that may impact the company's product.

Risk Management Steps

This is a journey that organizations may need to take to move their risk management from a product-focused view to a total lifecycle view. The first step in the journey is to understand the application of risk management and how to apply this concept to the quality system (see Table 1 for an outline of the steps in the implementation process). What may be surprising is the number of individuals who may not have read the standards cited above! Reading and applying the standards may not be enough; obtain formal training in the application of the standards as needed.

The output of design activities is not a risk management file that sits on a shelf and gathers dust. The application of risk management is an active process requiring review of the risks and hazards throughout the product lifecycle. This includes reviewing the risks when a significant process change or a change to a significant supplier is made. Other impacts from the product include proactive monitoring of customer feedback. The company should continually ask if the manufacturing process has serious failures or if a serious adverse event has occurred with the customer base that impacts the risk management.

Table 1: Applying Risk Management to the Quality Management System (QMS)

1. Obtain and apply a correct risk management process
2. Train employees on the concepts of risk management
3. Take one QMS process at a time to implement
4. Apply risk concepts and risk evaluation to the process
5. Monitor the QMS process and report on findings
6. Implement risk to the next process that is linked in the QMS

The next step in integrating a total risk management system is to identify those processes or services in the company requiring risk management. This goes beyond traditional FMEA/FTA, which may be limited in scope. The company must understand all of the stakeholders in the risk management process—not just the end customer. Take into consideration all of the quality system processes, including outsourcing to suppliers, manufacturing activities, testing activities, and any changes to these that occur after product launch. Each of these processes within a company may have an impact on hazards or risks that are introduced further along in the product lifecycle. Organizations that have not endured this exercise unfortunately realize product failures the hard way. For example, a company that does not consider the second-tier suppliers of a critical supplier may have to conduct a recall when a second-tier supplier makes changes to the process. The important thing to consider when evaluating quality system processes is that the total lifecycle of the product must be analyzed from birth to death.

The application of total risk management for the quality system can be taken in a step-by-step approach (see image below). This is particularly necessary if this is a new concept to the organization that has traditionally only performed risk analysis. One important point in this next step is that risk evaluation is usually different when applied to quality system processes than for a finished product. The concept of risk evaluation requires the severity levels and probability-of-occurrence levels to be established for either the entire quality system or individual processes in the quality system. As an example, the severity level of an event encountered with a supplier may be different than a severity level of an event in the manufacturing process. Establishing the risk evaluation allows the generation of an acceptability matrix to determine if the hazard introduced with the process is acceptable.

Image 1

If the hazard identified in the quality system process is not acceptable, then the company can implement a series of risk controls to minimize the risk. For example, when we look at controlling supplier hazards, they may include increased inspection or the requirement to conduct periodic supplier audits. Other risk controls could include the introduction of a new test or inspection at the final step to ensure the hazard identified in the manufacturing process is not realized.

The quality system process must be monitored continuously to make sure the risk assessment stays within the estimated severity and probability of occurrence. Identify risks that may not be easily controlled; decide whether the risk is acceptable to the organization, to the customers, and all of the stakeholders involved. Some risks may be deemed unacceptable, like sole-source suppliers that may have a significant impact on hazards introduced during the product lifecycle.

Risk Management and Supplier Control

Let's look at how we can apply risk management to the supplier control process. In today's quality system, many companies outsource component manufacturing or servicing needs. The risk management process discussed previously can be applied to initial supplier qualification and ongoing supplier evaluation. (See Table 2 to learn more about aspects of supplier control that can be utilized for risk evaluation.) This helps the company understand those hazards or risks that would impact its own manufacturing (purchasing components), the finished product (contract manufacturers), or how its customer calls are handled (call centers).

The identification of these risks allows companies to clearly communicate their expectations to suppliers, establish the requirements needed for high quality products or service, and make sure that risk controls are implemented, such as increased inspection activities and having a secondary supplier. Companies should monitor risks continuously and verify during supplier evaluation that the severity or occurrence has not changed. In addition to supplier control, the risk management process can be applied to many quality system processes including customer feedback, nonconforming material, process validations, or internal audits.

Table 2: Risks That Can Impact Supplier Control

- Single-source suppliers with no contingency or secondary source
- Continuous receipt of poor quality components delaying production
- Late shipments or missing shipments that delay production
- Unresponsiveness to corrective action requests, impacting the company's quality system effectiveness
- Poor to no notification of changes to processes or components that can't be evaluated for product impact
- Specialized processes that require validation and routine monitoring by the supplier
- Contract manufacturers having proper controls for finished products
- Increasing costs significantly, impacting the cost of goods

The discussion of supplier control just shows one example of how risk management concepts can be applied to the quality system. The main objective is the identification of hazards in the quality system that could have an impact on the quality of the product or quality system processes, or have a negative impact on the business. If we only control the risks associated with the product, we are missing out on other opportunities where risk is introduced within the product lifecycle. This article hopefully provides some thought and insight into how risk management techniques can be applied to the various quality system processes. Ultimately, if we identify all of the hazards with the product within and beyond design, we can provide our customers a high quality product with minimal risks.

Richard A. Vincins is part of the Emergo Group as Vice President Quality Assurance responsible for quality assurance and regulatory affairs activities. In this role he is responsible for the implementation of quality systems, conducting quality system audits, training on quality system tools, and providing regulatory expertise in national and international regulations. He brings over 20 years of experience in the medical industry including worldwide regulatory compliance efforts for medical device, IVD, and pharmaceutical companies. His work experience at companies like C.R. Bard, Medtronic, and bioMerieux includes establishing quality systems to ISO standards, 510(k) submissions, and CE marking of multiple product lines. Vincins is an ASQ Certified Biomedical Auditor and Certified Quality Auditor and holds a Regulatory Affairs Certification for U.S. Regulations and European Union Regulations through the Regulatory Affairs Professional Society. Richard graduated from Bridgewater State College, MA, with a bachelor's degree in Biomedical Biology.