Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

Needed a clarification about risk management. Are the severity, detection and probability levels in an FMEA, 'specific to the company'- that they would be determined based on the amount of risk. Also once we have the RPN, what is the standard method to assess the risk? Would it be company specific again as to what RPN it categorizes as minor and what is major. Any Major RPN would have some corrective actions or mitigating factors to it. Any references and guidance would be helpful!

There are two kinds of risk management to consider. One is the risk of harm to the patient or user and is the subject of ISO 14971:2007. In that case, an FMEA is not the appropriate tool. Notice that the harms occur after the device has been shipped.

 

The other is risk commonly associated with internal activities, such as a production process. In these cases an FMEA or an FMECA is appropriate. There many methods to assign values to severity, detection, and probability of, say, a failure of a process step in a certain mode. The most common methods use a 5-point numerical scale or a 10-point numerical scale. The values are multiplied together to get an RPN. It is really important to recognize that this is not a measure of risk, but of priority. It tells the order in which you work on the identified issues.

 

This method of assigning priority is common, but not required. In an FMECA, you are trying to determine the criticality – one convention is the RPN. Any way you want to do it is fine. Other industries, such as automotive, have prescriptive standards; medical devices do not.

 

There are fundamental problems with RPNs. Consider a 10-point scale. At first glance, one might think there are 1,000 different values. However, there are actually about 260. For example, 17 cannot be an RPN nor can any number between 901 and 999 inclusive.

 

Many RPNs can occur in multiple ways. For example a severity of 10, probability of 9, and detection of 4 has an RPN of 360. However a severity of 4, probability of 9, and detection of 10 also has an RPN of 360. By the RPN scale they have the same priority, but the higher severity should take preference. IEC 60812:2006 addresses this issue and provides a solution.

 

There are other problems with RPNs discussed in an article by Don Wheeler "Problems With Risk Priority Numbers". He explains the issues and provides an alternate method.

 

Because RPNs are not a measure of risk, assigning Major or Minor is not usually appropriate. The idea in the pFMEA is to put process controls in place to lower the RPN. Usually, companies have a threshold for the RPN, and don't work on failures below the threshold.

------------------------------
Dan O'Leary
Swanzey NH
United States
------------------------------

Original Message:
Sent: 01-Feb-2018 17:54
From: Anonymous Member
Subject: Risk Management

This message was posted by a user wishing to remain anonymous

Needed a clarification about risk management. Are the severity, detection and probability levels in an FMEA, 'specific to the company'- that they would be determined based on the amount of risk. Also once we have the RPN, what is the standard method to assess the risk? Would it be company specific again as to what RPN it categorizes as minor and what is major. Any Major RPN would have some corrective actions or mitigating factors to it. Any references and guidance would be helpful!

This message was posted by a user wishing to remain anonymous

Thank you so much. I would refer to the references you mentioned.
Original Message:
Sent: 02-Feb-2018 11:06
From: Dan O'Leary
Subject: Risk Management

There are two kinds of risk management to consider. One is the risk of harm to the patient or user and is the subject of ISO 14971:2007. In that case, an FMEA is not the appropriate tool. Notice that the harms occur after the device has been shipped.

 

The other is risk commonly associated with internal activities, such as a production process. In these cases an FMEA or an FMECA is appropriate. There many methods to assign values to severity, detection, and probability of, say, a failure of a process step in a certain mode. The most common methods use a 5-point numerical scale or a 10-point numerical scale. The values are multiplied together to get an RPN. It is really important to recognize that this is not a measure of risk, but of priority. It tells the order in which you work on the identified issues.

 

This method of assigning priority is common, but not required. In an FMECA, you are trying to determine the criticality – one convention is the RPN. Any way you want to do it is fine. Other industries, such as automotive, have prescriptive standards; medical devices do not.

 

There are fundamental problems with RPNs. Consider a 10-point scale. At first glance, one might think there are 1,000 different values. However, there are actually about 260. For example, 17 cannot be an RPN nor can any number between 901 and 999 inclusive.

 

Many RPNs can occur in multiple ways. For example a severity of 10, probability of 9, and detection of 4 has an RPN of 360. However a severity of 4, probability of 9, and detection of 10 also has an RPN of 360. By the RPN scale they have the same priority, but the higher severity should take preference. IEC 60812:2006 addresses this issue and provides a solution.

 

There are other problems with RPNs discussed in an article by Don Wheeler "Problems With Risk Priority Numbers". He explains the issues and provides an alternate method.

 

Because RPNs are not a measure of risk, assigning Major or Minor is not usually appropriate. The idea in the pFMEA is to put process controls in place to lower the RPN. Usually, companies have a threshold for the RPN, and don't work on failures below the threshold.

------------------------------
Dan O'Leary
Swanzey NH
United States

Original Message:
Sent: 01-Feb-2018 17:54
From: Anonymous Member
Subject: Risk Management

This message was posted by a user wishing to remain anonymous

Needed a clarification about risk management. Are the severity, detection and probability levels in an FMEA, 'specific to the company'- that they would be determined based on the amount of risk. Also once we have the RPN, what is the standard method to assess the risk? Would it be company specific again as to what RPN it categorizes as minor and what is major. Any Major RPN would have some corrective actions or mitigating factors to it. Any references and guidance would be helpful!