My current role is that of process engineer at my company, within the manufacturing and science technology division. During this phase of the products life cycle we have to assess risks that arise from global investigations usually related to user complaint rates. So far I have been a part of 2 global investigations that are launched and initially we always assess the risk using a simple risk matrix as outlined in Dr. Simon's lecture to categorize the risk. During this time we have all key stakeholders involved in the process to align on the categorization. Once this is completed we utilize FMECA from the information we have gathered in order to evaluate the risk and see if it is high enough to result in implementation of changes in the manufacturing process.

My company utilizes FMEA while the planning phase to assess risk. As mentioned in the lecture, FMEA is Failure Mode Effects Analysis. This systematic approach allows primarily those within the healthcare industry to evaluate a process to identify how failure may occur and how can this be handled so the company, hospital, the patient is not affected. Failures are prioritized according to how serious the risk consequences can be along with the occurrence associated with the risk. As a Quality Engineer, we have checks in place to handle the risk such as CAPAs which aim to investigate an issue, some given priority to business standard issues.

My company also uses the FMEA (Failure Modes Effects Analysis) technique to evaluate the risk associated with the medical device or production process for risk assessment. It is a process to identify all possible failures during all stages of design controls. Failure is any defect of the device or any error that may potentially harm the patient and analyzing the severity and preventing of the failure in the future is the analysis process part of the FMEA. Failures are categorized by its severity, frequency and mode of detection. There is an input from the entire design team, quality team, and manufacturing in identifying the possible modes of failures. The main goal of the FMEA process is to put controls in place to eliminate and/or reduce failures. The controls are part of the design, and are also used in the production process to manufacture the products. Overall, FMEA technique is used most widely to mitigate and take action items to reduce or eliminate the risk throughout the lifetime of the device.

There are many ways risk are identified and dealt with in a company. In every department there are different risk factors that are considered for different perspective and that are sometimes only applicable to their department. In my experience risk is defined in process development and in manufacturing is managed when deviations occur. Because I work in process development a lot of out risk management go into making sure the process for the product is risk free. We manage risk by using batch records that spell out the process and must be followed and verified by another operator.

I do not have experience. But I searched about it online and found that for risk identification, the project team should review the program scope, cost estimates, schedule (to include evaluation of the critical path), technical maturity, key performance parameters, performance challenges, stakeholder expectations vs. current plan, external and internal dependencies, implementation challenges, integration, interoperability, supportability, supply-chain vulnerabilities, ability to handle threats, cost deviations, test event expectations, safety, security, and more. In addition, historical data from similar projects, stakeholder interviews, and risk lists provide valuable insight into areas for consideration of risk.

Risk identification is an iterative process. As the program progresses, more information will be gained about the program (e.g., specific design), and the risk statement will be adjusted to reflect the current understanding. New risks will be identified as the project progresses through the life cycle.

Documentation review is one of the main risk management analysis. Since the place I work uses all written documentations and no electronic, documentation review and should be under FDA regulated therefore, documentation review is very very important.

To identify and prioritize the risks for a project, you need to start with looking up in the design history files for other similar projects for reference. This will cost less time when you hold meetings to have every member brainstorm the risks within their job duties. However, more effort still needs to be put on the risks related to highly specific details in the project design and manufacture. After all the risks have been enlisted in the documents, then ranking them in the descending order of frequency and severity to prioritize the risks. Also, for each risk, quality members should also evaluate the emergency of addressing that potential risk to make adjustment, then the priority order will be finalized for that development stage.

My company manufactures a blood-based infusion product that is currently undergoing its clinical phase in trials, so it is common for errors to occur along the process which are then handled under a risk-based approach. One such approach in which risk is handled in my company is to categorize the most common types of errors throughout the clinical phase, such as errors regarding labeling, calculations, transcription, entry errors, mishandling, etc. These risk factors are then plotted along with their frequency of occurrence to show which parts of the manufacturing process need analysis and mitigation. For example, if technicians makes too many calculation errors during any or all parts of a process, then the risk management department will assign a verifier to double-check the calculations before the batch record is passed onto the next process. This is essential because the sooner an error is addressed, the less harm there will be later on for the error to propagate into.

According to the Bonezone article posted, a part of risk-based decision making can be to apply the technique of FMEA (Failure Modes and Effect Analysis) which analyzes risk by making worst-case scenario assumptions about a device to determine which aspects of its design require changes. In order to evaluate the safety and integrity of a device, FMEA must take into account factors such as each component in a device failing, a subsystem or sub-function within the device failing, improper usage of the device, or any negative impact from the device that can result from a loss of power. Knowing this, what design changes can be derived from examining the likelihood of a power failure of an external electromagnetic bone-healing device? What about the improper usage of a blood-glucose reader? Are there any other official risk-management techniques that are known to effectively mitigate risk?

Reference:
Gagliard, John et al, "Design Controls, Design Verification and Validation" (2010) MidWest Process Innovation

Multiple different teams in R&D, at least at my company, must assess risks when developing a new product or update in software. On my team, we validate products and the software updates and test any bugs or even unexpected behaviors along the way. Anything that we notice, we immediately record and then discuss among each other of how high of a risk do the addressed issues possess. We strive to resolve all issues, however, addressing the severity of the risks helps us prioritize our resolutions. Often times, we call in our corresponding team in Europe and coordinate with our dental technicians to accurately measure the risks in certain cases. There have been times when we noticed issues with high risks and immediately worked on resolving it and even released a software patch just so they could be resolved as soon as possible. I believe the risk assessment strategies my team currently follows is both realistic and effective in managing different problems with our products.

The Risk management increases the probability and impact of positive events and decrease the probability and impact of negative events. This process of identifying the risks includes risk management planning, identification, analysis, response planning and monitoring and control on a project. Once a risk is identified through the indentification process, risks are prioritized for further analysis or action by assessing and combining their probability of occurrence and impact. Risk response plan is implemented to track identified risks, monitor residual risks, identifying new risks and evaluating the risk process throughout the project.

Hello Viraj: I see you are interested in the identification of risk and its prioritization; me, too. Never had experience dealing with medical device risk analysis. And you are right "Managing risk early is the best way to avoid issues later".

Discussion on this topic so far has been quite enlightening; for example,jtl27 posting code 1377 remarks that "a risk is a risk" if it threatens a company wellbeing. When a risk enters a major disaster level and customer suffers major harm in the process, the company could be sued and claims could be heavy enough to threaten the company's existence especially when the company's life is at its infancy.

If I may suggest, perhaps one of the best approaches to understanding how to identify and deal with risk is to study the concept of CAPA. It's documentation and analysis should include:

i) - any prior risk scoring of the procedures covered by CAPA, as well as any prior risk mitigating
efforts such as Failure Mode Effects Analysis (FMEA)

ii) - Any related regulatory risk reduction such as Serious Reportable Events

iii) - Discussion of metrics to measure forward - any early warnings that similar problems are developing

iv) - Circuit breakers to prevent cascading failures - true catastrophes usually start small and then
snowball into disaster

v) - Specific documentation updates and changes to procedures and processes together with data monitoring
plan

No CAPA is complete without risk mitigation and risk mitigation never happens by chance.

One of the best tools available to risk analysis and mitigation is the Bow Tie analysis - a highly structured analytical process used to address high risk processes.

More so, one of the important ideas Dr. Simon emphasized early on in his lectures is the need to avoid re-inventing the wheel.
If a company has existed for a while it will have acquired documentation on risk analysis; hopefully by device design. It is always a wise idea to take a pick at records of previous projects the company handled as may be related to the project at hand. This may throw in some ideas on precautions taken, as safeguards.

Customer input, as always, - may be, with the help of a prototype - should always be the source of initial medical device design input. Not only will this provide valuable ideas on what the customer wants, but also on intended usage which will give added knowledge on what precautions to take in designing the medical device.

As it was discussed in the slides by dr.simon, Risk management plan identifies and evaluates all the risk. One method that analyzes risk is by FMECA which stands for Failure Mode Effects and Criticality Analysis. Then documentation reviews take place where the list of all risks are assessed and evaluated through FMECA. A solution is to the risk is analyzed and checked or re-evaluated twice to measure if risks are dealt with properly.

I don't have the industry experience yet, but from what I was reading on the PMI website, I understand that the risk identification is always followed by the risk management planning step. Risks can always be identified through a detailed studying and analyzing of the Risk Management Plan. This could be done by understanding the project objectives, the success factor of that project, and the way to avoid these risks. Information from different sources could be useful in this process as they could find a similar risk that occurs earlier at a different company and learn how they avoided it and earn from others mistakes as well. Also, another tip is to document the possible risks along with their long-term consequence, causes, etc. All the steps during risk identification should be recorded for future projects and improvements.
More steps could be found at study dot com website (risk-identification-process-analysis)

In terms of the how risk is prioritzied in my company, an assessment is made on the impact of the risk (monetary, time, liability, etc.) If the issue is one deemed high risk (will cost much money, and has high liability) these are deemed higher priority and are dealt with as soon as possible (think resulting in NC's and CAPA's or dealing with production issues). In addition, issues that impact production or customer service are treated witht he highest priority. Other risks that are considered moderate cost or liablity are dealt with after those, with not as much urgency. Even lower risks will be pushed off until there is funding and need to alleviate those risks.

Severity of harm or risk is classified into three levels, each of which includes a duration
component. The three levels are medical device-related deaths or serious injuries, medical
device-related non-serious adverse events, and medical device-related events without reported
harm.
Medical device-related deaths and serious injuries include those events (including
procedure related complications) that may have been or were attributed to the use of the
medical device and that cause or contribute to a death or injury or illness that is life threatening,
results in permanent impairment or damage to the body, or requires medical or
surgical intervention to prevent permanent harm to the body.
Medical device-related non-serious adverse events include those events (including procedure related complications) that may have been or were attributed to the use of the medical device and that cause or contribute to minor, temporary or medically reversible injuries that do not meet the criteria for classification as a medical device-related serious injury.
Medical device-related events without reported harm include medical device
non-conformities which have no related harm, medical device malfunctions which have no
related harm, procedure related complications with no related harm, and instances where a
nonconformity or regulatory noncompliance was observed at the medical device
manufacturing facility and no defective devices were released to the market. A medical
device nonconformity or malfunction can include the failure of a medical device to meet
its performance specifications even though the device still performs adequately to meet the
needs of a given patient.