Calculating Risk Estimation

agrpyl

Starting to get Involved
My product design already has the inherent risk control because I already planned it in the product requirements document (the origin of the requirement is the basic knowledge of the engineer), so when I am calculating my risk (probability of occurrence of the hazardous situation), should I consider the control I already planned in my design?
For example:
Hazard - electric shock
Hazardous situation - wire is exposed, which can cause electric shock
Harm - the user can get a mild electric shock
Probability - option A: 4 (because the chances of the wire getting exposed are high without the control)
option B: 2 (because my inherent design consists of an insulating coating on the wire, which reduces the probability)

PS: I am making my risk file in the product design phase itself.

Enghabashy

Quite Involved in Discussions
Design FMEA & process FMEA should be initiated in parallel; the design crew should also be part of the process core team. The FMEA manual tables for automotive parts could also be taken from IATF manuals, with the 3 parameters & the risk priority number (RPN); this guidance is beneficial for the brainstorming of FMEA groups.

Bev D

Heretical Statistician
Leader
Super Moderator
But will the coating always be there?

I have both personal experience and industrial knowledge of cases where the wire is attached or routed such that normal usage (not abuse or even exposure to hazardous conditions) causes the coating material to break, shred or peel. This is due to material properties and repeated cumulative stresses such as simple bending. Then boom - you get a shock. As a design engineer you should be aware of the stresses and conditions that use will impose, as well as the factors of your design (wire length, attachment angle, material properties, etc.) that can interact with use conditions, or even assembly factors (wire length, stresses of attachment, etc.) that interact with your design because of your design.

Then - despite what many teachers of FMEA may say - you shouldn't guess at the probability. You should test your design under worst-case conditions to validate the probability of failure. Anyone can guess; it takes an engineer to test. In fact that is the definition of an engineer: knowing how to test the situation and validate the 'hypothesis' of the design.

Tidge

Trusted Information Resource
I work in the medical device industry, using Hazard Analysis as the "top document" for risk analysis, supported by FME&A (design, use, mfg process). As a further point of reference, within FME&A a scale of 1-5 was used for the (S)everity, (O)ccurrence, (D)etection ratings, where "1" is "good" and "5" is "bad"... where "bad" implies a more obvious need for specific risk controls. The FME&A uses a typical "left side" (pre-controls) assessment and a "right side" assessment of the effectiveness of implemented risk controls.

Specific for Design FME&A, I would advise design teams still on the "left side" of the analysis that they could use the following ratings for the (D)etection:
  • D=5, as the default rating
  • D=4, as the rating for those general circumstances where the (documented, established) training of the design engineers specifically aligned with the identified failure mode
  • D=3, as the rating where the failure mode involved an area where there was an implemented tool or process (in design space) specifically to address this type of failure mode... this would have to be prior to anything like a specific test.
An example of the D=3 might be implementing specific features in a CAD tool, or mandating (by process) the choice of certain components (think fuses, certain plastics) for designs. The reason I suggested these pre-control ratings is that I see the DFME&A as the tool to make it more obvious where specific risk controls need to be implemented in designs. My opinion is this: without some pre-controls assessment of the "rating" of a design failure mode, we back design teams into having to put the exact same amount of effort into developing risk controls and test methods for EVERY identified failure mode, and as we know from experience, FME&A documents often include some pretty ridiculous failure modes. Tossing out one of three possible factors makes it that much harder to tell the difference between ridiculous and non-ridiculous failure modes.

As this sort of thinking is uncomfortable for folks who are quick to believe that this approach implies that there may be (design) failure modes that don't "need" risk controls, and that all risks require controls to be reduced "as low as possible", I get a LOT of pushback. In fact, we are in an era where many folks are (loudly) arguing against the inclusion of (D)etection in Design FME&A. If a DFME&A is a subordinate document to a Hazard Analysis, this can't possibly be the case, so I (gently) ask opponents of (D)etection if they believe that the safety of the device in question is established in their FME&A or at a higher level.

Bev D

Heretical Statistician
Leader
Super Moderator
Two clarifying points:
Detection is being removed from the "RPN" calculation but not from FMEA. Detection is rightly seen as a control. The other move (less accepted perhaps) is to use Measurement Systems Analysis to assess the effectiveness of the detection control as part of validation activities instead of guessing at a rating.
Just being a bit picky, but FMEA stands for Failure Mode and Effects Analysis, so if we are compelled to add an ampersand it should go between M and E. Words do matter, and the method is to analyze the failure modes and their effects...

Tidge

Trusted Information Resource
Fair point about the ampersand; I was simply trying to defeat the auto-link to the decade-old pages :) I'm a measurement guy, so if the failure mode has no effect I'm deprioritizing it. Rehoboam had a lot of children, but we know the names of very few of them.

I'm all for applying justifiable techniques to arrive at ratings... but if there is a mathematically valid result, I am not sure why we'd ever assign a single integer instead of just using the derived number. I still see FM&EA as an exercise in prioritization; I have an appreciation that it can serve a role in patient/user/stakeholder safety, of course.

Enghabashy

Quite Involved in Discussions
RPN is not enough of a criterion for measuring & assessing the risks; there are also the SOD criteria, which should specify the maximum values of Severity, Occurrence & Detection. A severity of 5 is rejected in all cases; this means it's against the standard requirement and could cause harmful or fatal cases, as for example the brake. Therefore the designer shall consider passing through high detection, which could be 100% automatic detection internally in the process with a stop alert, & external checking in free car service during the 1st year, with gathering & detecting the information & data on field failures.

Tidge

Trusted Information Resource
Typically an automobile is not a medical device. I think it is important to remember this whenever trying to bring automotive examples into a discussion on medical devices.

Enghabashy

Quite Involved in Discussions
My product design already has the inherent risk control because I already planned it in the product requirements document (the origin of the requirement is the basic knowledge of the engineer), so when I am calculating my risk (probability of occurrence of the hazardous situation), should I consider the control I already planned in my design?
For example:
Hazard - electric shock
Hazardous situation - wire is exposed, which can cause electric shock
Harm - the user can get a mild electric shock
Probability - option A: 4 (because the chances of the wire getting exposed are high without the control)
option B: 2 (because my inherent design consists of an insulating coating on the wire, which reduces the probability)

PS: I am making my risk file in the product design phase itself.
Dear Sir,
The severity is the main issue regarding the design parameter; the severity could be 5, but you made isolation part of the design to reduce the severity; therefore the severity is reduced to lower than 5. The probability/occurrence could also be measured internally & externally by isolation test records & any received field failures.

Jim Wynne

Leader
Admin
Typically an automobile is not a medical device. I think it is important to remember this whenever trying to bring automotive examples into a discussion on medical devices.
But there are analogs between the two, and the process of failure mitigation can be considered generically, because the process should be the same or very similar in all cases. I used to work for a company that designed and manufactured toxic-gas detection devices. A toxic-gas detection device is not a medical device, but think about the Bhopal disaster. If you tie yourself to a single codified process, there will inevitably be holes.