Hello all
Sometime ago a member, emailed me privately with some questions he had about ISO 14971 and risk management. I tried to return to him but his email had some problem. So, i will put his questions (no personal information) here as a way for him to see and also because i think the information might help others.
Questions
1- Risk Management Plan- I understand the risk management plan identifies the device and provides a description, states the action levels, etc... can a product development plan serve the same purpose?
2- We have decided to use the FMEA method, does the FMEA for a particular device have to be all encompassing: include PFMEA, SFMEA, etc... how thorough does it have to be?
3- Risk Management Report: can this report be a part of the management review?
Answers / comments
1 - the interface between RM and product development is, in my experience, the most problematic aspect manufacturers have with the risk management process. This depends on what kind of product development process your using. Is your product development based on NPD (whole product life-cycle from initial planning and concept until product disposal) or the old approach which only lasts until product launch (the old "project" phase)? As risk management is a life-cycle approach, for it to be fully included in the rpoduct developemnt, the product development process also have to use the life-cycle approach. But just this is not enough, because of some other points related to the RM process and regulatory requirements in general.
First, let´s get some things straight: you said "I understand the risk management plan identifies the device and provides a description, states the action levels, etc."... identification and description of the device is the last important thing in the plan IMHO (and this surely can be easily tied to the producr development plan)...what is really important in the plan (in any of those plans) is HOW, meaning, the actions, we will perform to achieve the objectives (as you seem to have a lot of experience in other industries maybe i would not need to make this clear, but as some people has a "weird "vision of planning, i usually repeat this "mantra" so we are on the same level of understanding irf we were not: plannning means,you plan the actions, then you do as planned...simple as that). So your product development plan serves to detail the steps you will take to develop the product, and in then the rest of your product development process will simply perform what you planned. The RM plan is the same, you plan the actions you will take to fulfill your RM process objectives, and then follow the actions.
One of the problems is here: the objectives of the product development process and the RM process are different (although you can always say that the objective of the development process is to develop safe product, this in practice cannot be done).
Second problem: as with every regulatory requirement, RM is a "control" to something.....and as a control, it has to be "put" on some defined points in the process it´s trying to control, and, worse, it has to begin in a specific time. Where do the risk management, as defined by regulatory requirements and ISO 14971, begins? Well, again it depends on the development process you use.
Let´s assume you use the life-cycle approach to development. Then, planned stages of your development would be something like:
1 - strategic planning for products (or product portifolio plannning) - for the strategic development of all products
2 - product planning (for the product in question - this would be what you call "product development plan" )
3 - informational project
4 - conceptual project (at the end of this phase you would choose between some concepts and then commit to develop the the concecpt of choice)
5 - detailed project
6 - manufacturing preparation
7 - product launch
8 - product use/ service/ etc.
9 - product disposal
Let´s also assume that you make you RM plan in conjunction with the development planning (stage 2). When will RM for the product begins? In fact, the regulatory/ISO 14971 RM is a "life-cycle aprroach", in fact the activities of the process (after planning) can only begin at the detailed project phase (5), after a concept has been choosen...before that, you do not have a "product" but a lot of product ideas.
(Important: You sure can (and i recommend this for my clients) use RM for the first phases, but these RM would not be the "product RM" required by regulations and ISo 14971. These will be more business risk management and project risk management)
There are some more problems, but i think you already got the point.
So, resuming point 1 - answer to your question "can a product development plan serve the same purpose?" is NO. But, you CAN do the RM plan in conjunction with product development plan, as long as your product development plan can accomodate a paralell RM plan (it need to be life-cycle based and some other detaisl). They´re are not the same because they don´t have the same objects / purpose but you have to take into account all these little problems (and others) i cited...in the end, thought, i would really advice you make a separate RM plan (in fact, the whole RMprocess), because it will facilitate, in the future, the audit of such system.
2 - let´s try to get it more quickly this time. Reg requirements (and ISO 14971) require that a product always be safe in the entire product lifecycle. So you have to make sure that at all stages the risk is minimized. This includes, design and development, manifacturing, services, everything. Take manufacturing for example: you could design a beautifully safe product in the design, but if your manufacturing process introduces other safety concerns, the you could end up in the end with a hazardous product to your client. So you have to use the risk management process in all phases to make sure that the product is always safe.
Regarding FMEA: as you know by expericence, FMEA is a risk analysis technique, meaning that it applies to a portion ot the RM process (important one, but not the process as a whole). There are a lot of debates on the use (or misuse) of FMEA in medical device risk management / analysis (take a look at this article by Mike Schmidt for example - The use and misuse of FMEA in risk analysis - http://www.devicelink.com/mddi/archive/04/03/001.html). The problem here is, manufacturers in general think that FMEA is synonymous with risk management. Thins means that they have a lot of trouble adjusting the process when they realize or are told (by an auditor NC?) that that´s not the case.
Just as a comment, what i always says to my costumers is: forget about the technique and think first about the whole process...then, use the right techniques at the right time (and know and do not forget the technique´s limitations - for example, , in the development process is described, FMEA is best used from the middle to the end of the detailed project phase (6) when you have more detailed components, and thus the "bottom-up" nature of FMEA makes more sense and can be used effectively).
3 - "Risk Management Report: can this report be a part of the management review?" - first and foremost, this document has to be part of the risk mangement file (as required by the standard) and of the planned "risk management process management review" (this can also be made in conjunction with the general management review, but you have to detail this in the risk management plan.
Anyway, you can USE the information, or even include the document (again) in the general management review (as defined, the risk management report "is intended to be a summary of the review of the final results of the risk management process.." so it´s is obviously an input for the general management review too as the management review have to review all enterprise processes).
Sometime ago a member, emailed me privately with some questions he had about ISO 14971 and risk management. I tried to return to him but his email had some problem. So, i will put his questions (no personal information) here as a way for him to see and also because i think the information might help others.
Questions
1- Risk Management Plan- I understand the risk management plan identifies the device and provides a description, states the action levels, etc... can a product development plan serve the same purpose?
2- We have decided to use the FMEA method, does the FMEA for a particular device have to be all encompassing: include PFMEA, SFMEA, etc... how thorough does it have to be?
3- Risk Management Report: can this report be a part of the management review?
Answers / comments
1 - the interface between RM and product development is, in my experience, the most problematic aspect manufacturers have with the risk management process. This depends on what kind of product development process your using. Is your product development based on NPD (whole product life-cycle from initial planning and concept until product disposal) or the old approach which only lasts until product launch (the old "project" phase)? As risk management is a life-cycle approach, for it to be fully included in the rpoduct developemnt, the product development process also have to use the life-cycle approach. But just this is not enough, because of some other points related to the RM process and regulatory requirements in general.
First, let´s get some things straight: you said "I understand the risk management plan identifies the device and provides a description, states the action levels, etc."... identification and description of the device is the last important thing in the plan IMHO (and this surely can be easily tied to the producr development plan)...what is really important in the plan (in any of those plans) is HOW, meaning, the actions, we will perform to achieve the objectives (as you seem to have a lot of experience in other industries maybe i would not need to make this clear, but as some people has a "weird "vision of planning, i usually repeat this "mantra" so we are on the same level of understanding irf we were not: plannning means,you plan the actions, then you do as planned...simple as that). So your product development plan serves to detail the steps you will take to develop the product, and in then the rest of your product development process will simply perform what you planned. The RM plan is the same, you plan the actions you will take to fulfill your RM process objectives, and then follow the actions.
One of the problems is here: the objectives of the product development process and the RM process are different (although you can always say that the objective of the development process is to develop safe product, this in practice cannot be done).
Second problem: as with every regulatory requirement, RM is a "control" to something.....and as a control, it has to be "put" on some defined points in the process it´s trying to control, and, worse, it has to begin in a specific time. Where do the risk management, as defined by regulatory requirements and ISO 14971, begins? Well, again it depends on the development process you use.
Let´s assume you use the life-cycle approach to development. Then, planned stages of your development would be something like:
1 - strategic planning for products (or product portifolio plannning) - for the strategic development of all products
2 - product planning (for the product in question - this would be what you call "product development plan" )
3 - informational project
4 - conceptual project (at the end of this phase you would choose between some concepts and then commit to develop the the concecpt of choice)
5 - detailed project
6 - manufacturing preparation
7 - product launch
8 - product use/ service/ etc.
9 - product disposal
Let´s also assume that you make you RM plan in conjunction with the development planning (stage 2). When will RM for the product begins? In fact, the regulatory/ISO 14971 RM is a "life-cycle aprroach", in fact the activities of the process (after planning) can only begin at the detailed project phase (5), after a concept has been choosen...before that, you do not have a "product" but a lot of product ideas.
(Important: You sure can (and i recommend this for my clients) use RM for the first phases, but these RM would not be the "product RM" required by regulations and ISo 14971. These will be more business risk management and project risk management)
There are some more problems, but i think you already got the point.
So, resuming point 1 - answer to your question "can a product development plan serve the same purpose?" is NO. But, you CAN do the RM plan in conjunction with product development plan, as long as your product development plan can accomodate a paralell RM plan (it need to be life-cycle based and some other detaisl). They´re are not the same because they don´t have the same objects / purpose but you have to take into account all these little problems (and others) i cited...in the end, thought, i would really advice you make a separate RM plan (in fact, the whole RMprocess), because it will facilitate, in the future, the audit of such system.
2 - let´s try to get it more quickly this time. Reg requirements (and ISO 14971) require that a product always be safe in the entire product lifecycle. So you have to make sure that at all stages the risk is minimized. This includes, design and development, manifacturing, services, everything. Take manufacturing for example: you could design a beautifully safe product in the design, but if your manufacturing process introduces other safety concerns, the you could end up in the end with a hazardous product to your client. So you have to use the risk management process in all phases to make sure that the product is always safe.
Regarding FMEA: as you know by expericence, FMEA is a risk analysis technique, meaning that it applies to a portion ot the RM process (important one, but not the process as a whole). There are a lot of debates on the use (or misuse) of FMEA in medical device risk management / analysis (take a look at this article by Mike Schmidt for example - The use and misuse of FMEA in risk analysis - http://www.devicelink.com/mddi/archive/04/03/001.html). The problem here is, manufacturers in general think that FMEA is synonymous with risk management. Thins means that they have a lot of trouble adjusting the process when they realize or are told (by an auditor NC?) that that´s not the case.
Just as a comment, what i always says to my costumers is: forget about the technique and think first about the whole process...then, use the right techniques at the right time (and know and do not forget the technique´s limitations - for example, , in the development process is described, FMEA is best used from the middle to the end of the detailed project phase (6) when you have more detailed components, and thus the "bottom-up" nature of FMEA makes more sense and can be used effectively).
3 - "Risk Management Report: can this report be a part of the management review?" - first and foremost, this document has to be part of the risk mangement file (as required by the standard) and of the planned "risk management process management review" (this can also be made in conjunction with the general management review, but you have to detail this in the risk management plan.
Anyway, you can USE the information, or even include the document (again) in the general management review (as defined, the risk management report "is intended to be a summary of the review of the final results of the risk management process.." so it´s is obviously an input for the general management review too as the management review have to review all enterprise processes).
