Please review my Risk Analysis Table

S

s_g_robertson

#1
As part of my risk analysis document we are including a table (attached) to record the identified hazards, risk estimation, risk evaluation, risk control, reference to risk implementation and residual risk evaluation.

I'm just interested in other peoples comments on this approach and what other people are doing.

Thanks
Stephen
 

Attachments

Elsmar Forum Sponsor

Marcelo

Inactive Registered Visitor
#2
Re: Risk Analysis Table

I think you mean as part of your risk management, right? Risk analysis does not include "risk evaluation, risk control, reference to risk implementation and residual risk evaluation".

Anyway, if you are trying to follow ISOi 14971, your table is lacking some, for example, the risk evaluation itself (you have a "risk index", but not a step of analysis of this).

Take a look at the attachment on this post - http://elsmar.com/Forums/showpost.php?p=572821&postcount=8 for a more detailed risk management summary.
 
S

s_g_robertson

#3
Re: Risk Analysis Table

Yes Risk Management as opposed to Risk Analysis. We have some bad habits internally in how we have referred to things, and that certainly causes confusion!

In terms of the risk evaluation we have earlier in the risk management summary document a definition of the severity and probabilities and a "semi-quantitative" risk evaluation matrix similar to Figure D.5 in ISO 14971.

The risk index in the table I referenced is derived from the application of the severity and probability to that matrix. This section also defines the acceptability mentioned in the footnote to my attached table.

1 = Acceptable
2= Tolerable if as low as possible given the state of the art
3 = Undesirable and subject to specific risk/benefit analysis
4 = Unacceptable

I like the reference to the clauses in the table you referenced. I was thinking about adding the same. It certainly makes it nice and clear how you are meeting each of them.

We produce a risk management report and we have systems in place for production/post-production information but I'm not sure what I would put in the summary document against each individual hazard?

Thanks very much for your reply. It's great to get some input from others and have a discussion as we strive to improve.

Thanks
Stephen
 

Marcelo

Inactive Registered Visitor
#4
In terms of the risk evaluation we have earlier in the risk management summary document a definition of the severity and probabilities and a "semi-quantitative" risk evaluation matrix similar to Figure D.5 in ISO 14971.

The risk index in the table I referenced is derived from the application of the severity and probability to that matrix. This section also defines the acceptability mentioned in the footnote to my attached table.

1 = Acceptable
2= Tolerable if as low as possible given the state of the art
3 = Undesirable and subject to specific risk/benefit analysis
4 = Unacceptable
Ah, ok. This is one of the problems with "risk index", as it is not a requirement of ISO 14971, and usually a "risk index" is usually seen as a number related to the probability and severity (this come from the use of FMEA).

Anyway, and as I mentioned above this will probably create confusion, my suggestion would be to use risk evaluation instead of risk index, this would avoid confusions (and would be more in line with the formal requirement of ISO 14971)

Some additional comments:

You mentioned that "we have earlier in the risk management summary document ". In fact, the risk acceptability criteria is required to be in the risk management plan for each medical device.

Also, 3 = Undesirable and subject to specific risk/benefit analysis. Risk/benefit analysis in ISO 14971 is only performed if an unacceptable risk cannot be controlled. I think the way you wrote it is confusing, and also wrong, unless 3 is also unacceptable.

We produce a risk management report and we have systems in place for production/post-production information but I'm not sure what I would put in the summary document against each individual hazard?
I think I don?t understand you question.

The risk management report is a one-page document that checks if the plan was followed, overall residual risk is acceptable and information gathering is in place.
 
S

s_g_robertson

#5
Ah, ok. This is one of the problems with "risk index", as it is not a requirement of ISO 14971, and usually a "risk index" is usually seen as a number related to the probability and severity (this come from the use of FMEA).

Anyway, and as I mentioned above this will probably create confusion, my suggestion would be to use risk evaluation instead of risk index, this would avoid confusions (and would be more in line with the formal requirement of ISO 14971)
Our procedures now do refer to this as Risk Evaluation resulting in a "Risk Rating" I think I will update my table as you suggest

You mentioned that "we have earlier in the risk management summary document ". In fact, the risk acceptability criteria is required to be in the risk management plan for each medical device.
Yes you are correct, we have defined this in the plan, it is currently repeated, I would presume for ease of use, in the risk management summary. I'm not keen on that as having the same thing in two places always get's out of step. I think it may be better to refer to the plan rather than repeat ourselves.

Also, 3 = Undesirable and subject to specific risk/benefit analysis. Risk/benefit analysis in ISO 14971 is only performed if an unacceptable risk cannot be controlled. I think the way you wrote it is confusing, and also wrong, unless 3 is also unacceptable.
Reading that again (I did not originally define these criteria) I see what you mean in it not being clear. Looking back in our procedures to where it is defined the exact wording is

Undesirable Risk – Tolerable only if reduction is impractical, subject to a risk-benefit analysis.
This looks like a hangover from before we updated our procedure to go from "As low as reasonably practical" to "As low as possible" I think we should update this to be "unacceptable" the same as a rating of 4. With the distinction being that it is our policy that 3 is unacceptable but can be justified if a risk/benefit analysis supports it, but a 4 is always unacceptable.

I think I don?t understand you question.

The risk management report is a one-page document that checks if the plan was followed, overall residual risk is acceptable and information gathering is in place.
Yes that is what we have in place for the report. In your example table there is a column (8 - Risk Management Report) for the reference document, do you enter the document number against each hazard? I wasn't clear what that column was adding to the table.

Thanks
Stephen
 

Marcelo

Inactive Registered Visitor
#6
Quote:
In Reply to Parent Post by Marcelo Antunes View Post

Also, 3 = Undesirable and subject to specific risk/benefit analysis. Risk/benefit analysis in ISO 14971 is only performed if an unacceptable risk cannot be controlled. I think the way you wrote it is confusing, and also wrong, unless 3 is also unacceptable.
Reading that again (I did not originally define these criteria) I see what you mean in it not being clear. Looking back in our procedures to where it is defined the exact wording is

Quote:
Undesirable Risk ? Tolerable only if reduction is impractical, subject to a risk-benefit analysis.
This looks like a hangover from before we updated our procedure to go from "As low as reasonably practical" to "As low as possible" I think we should update this to be "unacceptable" the same as a rating of 4. With the distinction being that it is our policy that 3 is unacceptable but can be justified if a risk/benefit analysis supports it, but a 4 is always unacceptable.
This would still makes no sense under ISO 14971. The concept is that, if the risk is acceptable, no risk control is needed. If the risk is unacceptable, then risk control is always required. If, after analyzing the risk control options, you conclude that the risk cannot be achieved by practicable means, then you can perform a risk/benefit analysis. Also, if you implement risk control measures and then, after the second analysis, identify that they did not reduce the risk as expected and additional measures would not reduce the risk (it?s still unacceptable) then you can perform a risk/benefit analysis.


IN your case, is seems that you said that 3 is unacceptable but needs no risk control if a risk benefit/analysis is performed. This is what is wrong. The risk control option analysis is always mandatory, and then, if the analysis shows that risk control is impractical, you can proceed to the risk/benefit analysis.

Also, I don?t think you need a separate 3 and 4, they should be the same.
 

Marcelo

Inactive Registered Visitor
#7
Quote:
In Reply to Parent Post by Marcelo Antunes View Post

I think I don?t understand you question.

The risk management report is a one-page document that checks if the plan was followed, overall residual risk is acceptable and information gathering is in place.
Yes that is what we have in place for the report. In your example table there is a column (8 - Risk Management Report) for the reference document, do you enter the document number against each hazard? I wasn't clear what that column was adding to the table.
Oh, sorry, I put that for completeness sake. You can either remove the column or answer with only one document for all hazards and hazardous situations.
 
S

s_g_robertson

#8
This would still makes no sense under ISO 14971. The concept is that, if the risk is acceptable, no risk control is needed. If the risk is unacceptable, then risk control is always required. If, after analyzing the risk control options, you conclude that the risk cannot be achieved by practicable means, then you can perform a risk/benefit analysis. Also, if you implement risk control measures and then, after the second analysis, identify that they did not reduce the risk as expected and additional measures would not reduce the risk (it?s still unacceptable) then you can perform a risk/benefit analysis.


IN your case, is seems that you said that 3 is unacceptable but needs no risk control if a risk benefit/analysis is performed. This is what is wrong. The risk control option analysis is always mandatory, and then, if the analysis shows that risk control is impractical, you can proceed to the risk/benefit analysis.

Also, I don?t think you need a separate 3 and 4, they should be the same.
Sorry I'm not being very clear.

No for a 3 what I would say is that after any possible risk control has been considered (and implemented if possible) the residual risk evaluation still results in a 3 then a risk/benefit analysis is required to determine if the benefits outweigh the risks. I think that is what you are saying as well?

I'm not clear on the need for a 3 and a 4 but the four level scheme is currently standardised across all our products. Not that it can't change but our procedures do not allow me to deviate from that for a specific product.

A three level scheme is what is described in D8.5 and is very close to what we have defined.
 

Marcelo

Inactive Registered Visitor
#9
No for a 3 what I would say is that after any possible risk control has been considered (and implemented if possible) the residual risk evaluation still results in a 3 then a risk/benefit analysis is required to determine if the benefits outweigh the risks.
Ah, ok, now I understand what you are saying. But please note that a risk/benefit analysis is also required if the risk control option analysis identify that no risk control is possible. I?m still not sure if you are tying your risk/benefit analysis to the correct "spots" in the process as required by ISO 14971, that?s why I?m commenting.
 
S

s_g_robertson

#10
Ah, ok, now I understand what you are saying. But please note that a risk/benefit analysis is also required if the risk control option analysis identify that no risk control is possible. I?m still not sure if you are tying your risk/benefit analysis to the correct "spots" in the process as required by ISO 14971, that?s why I?m commenting.
Just been working through this some more, and this is more a comment that may help anyone else stumbling across this thread rather than another question.

If the intent is to comply with the MDD then Annex ZA of EN ISO 14971:2012 says in section 4

b) According to Section 1 of Annex I to Directive 93/42/EEC, an overall risk-benefit analysis must take
place in any case, regardless of the application of criteria established in the management plan of the
manufacturer. Furthermore, Section 6 of Annex I to Directive 93/42/EEC requires undesirable sideeffects to "constitute an acceptable risk when weighed against the performance intended"

c)Accordingly, the manufacturer must undertake the risk-benefit analysis for the individual risk and the
overall risk-benefit analysis (weighing all risks combined against the benefit) in all cases.
So a risk-beneift analysis seems is always required for the MDD.

Stephen
 
Thread starter Similar threads Forum Replies Date
K Risk Management Procedure - Please review AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 8
L Please review my ISO 9001:2015 Internal Audit Plan Process Audits and Layered Process Audits 7
S New Interaction of Processes ISO 9001:2015 - Please Review ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
M New Quality Policy for ISO 9001:2015 - Please Review ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
S Please Review my APQP Training Material APQP and PPAP 4
M Continual Improvement Procedure - Please review Document Control Systems, Procedures, Forms and Templates 1
P Please Review my Design and Development Plan Design and Development of Products and Processes 2
B Please review my Vernier Caliper Gauge R&R Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 8
N Please Review My Tracking System Document Control Systems, Procedures, Forms and Templates 12
M Quality Policy Draft - Please review Misc. Quality Assurance and Business Systems Related Topics 24
F Please review my Process Flow / PFMEA / Control Plan FMEA and Control Plans 12
A Sequence and Interaction of the Processes - Please review my Process Map ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12
insect warfare Please Review my Quality Manual Draft Quality Management System (QMS) Manuals 11
R ISO 13485 Mind Map attached - Please review and comment ISO 13485:2016 - Medical Device Quality Management Systems 1
Q Method of Document Management (Control) in Engineering - Please Review ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
M Incoming (Receiving) Inspection Procedure - Please Review Supplier Quality Assurance and other Supplier Issues 7
B Please review my QMS Overview Map ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
B Product Realisation Process Map - Need some help, please review and comment ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
W Please review and critique our new Document Control Procedure ISO 13485:2016 - Medical Device Quality Management Systems 4
M Can anybody help me with Management Review scenario please? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
H Supplier Monthly Performance Score Card - Please Review Document Control Systems, Procedures, Forms and Templates 7
W Cpk, GD&T & Minitab? Please review my methods Capability, Accuracy and Stability - Processes, Machines, etc. 16
A Wolfram Mathematica 8 - Review or Opinions Please Quality Tools, Improvement and Analysis 1
A Development Project Template - Please Review and Critique Design and Development of Products and Processes 4
B 5 Why help needed Please kindly review Problem Solving, Root Cause Fault and Failure Analysis 15
6 Food Safety Objectives - Please Review Food Safety - ISO 22000, HACCP (21 CFR 120) 4
G Uncertainty Calculation in Excel - Please review my calculation General Measurement Device and Calibration Topics 2
J Quality Objective Measureables - Please Review ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 14
Colin Simple Preventive Action Procedure - Service Company (Please Review) Preventive Action and Continuous Improvement 20
Y Sample Data Charts (Excel table) - Please review Statistical Analysis Tools, Techniques and SPC 34
J Internal Audit Schedule - Please review my Internal Audit Schedule Internal Auditing 19
S Document Control Procedure Please Review Document Control Systems, Procedures, Forms and Templates 37
J Resume Critique - Please review my resume Career and Occupation Discussions 5
O ISO 9001 Quality Systems Manual (QSM) advice - Please review Quality Management System (QMS) Manuals 8
J Management Review "planned interval" define please ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 23
ScottK Soliciting Feedback for my final Black Belt project -please review my Project Charter Funny Stuff - Jokes and Humour 4
N Please review this Quality Policy ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
A Process description template - Please review ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
N Please review my Quality Policy ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 17
K Please Review my Product Realization Map ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
9 ECR (Engineering Change Request) process - Please critique / review Document Control Systems, Procedures, Forms and Templates 10
J Contract Review - Please help me define the requirement 7.2.2 Info needed Contract Review Process 9
M Quality Manual - please review Quality Management System (QMS) Manuals 6
R Please review my process map Process Maps, Process Mapping and Turtle Diagrams 5
W Global Phased PPAP and APQP Training - Please Review and Comment Training - Internal, External, Online and Distance Learning 8
H Please Review my Quality Manual (short manual) Quality Management System (QMS) Manuals 7
M Configuration Management - Please review my procedure AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
K Interpretation of 'Breakpoint' in MSA - Please review my data Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 1
H Please Review my High Level QM (Quality Management) Process Map Process Maps, Process Mapping and Turtle Diagrams 57
Anerol C Please Review and Critique my Metal Fabrication Industry Quality Manual ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12

Similar threads

Top Bottom