Risk Management and Configuration Management

alimary15

Involved In Discussions
#1
Hello everyone.

Has anyone experience or advice on how to perform Risk Management when dealing with configuration management problems?

I have a medical device which might comprise several small "apps", instruments and platforms. The configuration can be chosen by the customer. What is done so far is a Risk Analysis at the level of the single component, but no analysis is done looking at the complete package or interaction between components.

I am trying to establish a process that would also allow Risk Analysis to be performed on the complete system (the final bundle of apps and components that the customer will get). However, I am facing the issue of how to maintain the Risk Analysis, and more in general the Risk Management file, when dealing with different versioning of the components/apps.

Has anyone any piece of advice or experience to share?

Thanks
 
Wes Bucey

Quite Involved in Discussions
#2
You may be slightly off base in your understanding of "configuration management." In the generally accepted understanding of "configuration management" in the quality profession, we are referring to keeping obsolete versions of a design or product from being accidentally confused with current versions.

In your description, you are essentially dealing with different models of a current product and even the same model with different accessories. Think of an automobile for an analogy. A customer may order a car identical to his neighbor's except for color. The fact that one is blue and the other is red does not make one obsolete.

The problem is with the specialized jargon of the quality profession where one word "configuration" has a specific meaning different from a general dictionary definition.

In terms of risk management, we are on firmer ground. Still using the concept of an automobile as the analogy, there are some combinations of accessories on an automobile which may not interact well or even cause a dangerous risk. If, for example, we add air conditioning to a car, generally, we need to upgrade the electrical and engine cooling system to compensate for the extra load. If we put a high speed, powerful engine in, we probably need to upgrade the tires and braking system. If we put a high quality sound system in, we don't stint on the quality of the speakers, without making for an unhappy customer.

In terms of risk assessment, you could deal with the possible permutations of "apps", instruments and platforms similarly to auto manufacturers, since, I presume, you do not deliver the entire range of "apps", instruments and platforms to the customer for him to connect them together, but that he chooses from a catalog which of them, in what combination, he wants and your organization then delivers the completed assemblage, much as a car dealer delivers the model with the ordered accessories, color, etc. There may be as many as a hundred possible permutations. If each has unique risk factors, those are combined with the general risk factors of the basic device and the total risks are assigned to each particular permutation.
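The per-permutation bookkeeping described in the post above can be kept as data, shown here as an added example that is not part of the original post. The component names, versions, risk IDs and interaction rules are all constructed for illustration; the version-keyed catalogue and the diff between two bundles are assumptions of this sketch, not something the thread prescribes.

```python
# Constructed catalogue: every name, version and hazard below is illustrative.
BASE_RISKS = {"R-BASE-1: loss of power during measurement"}

# Risks recorded per component *and* version, so a new version gets its own entry.
COMPONENT_RISKS = {
    ("dosing-app", "1.0"): {"R-DOSE-1: wrong unit shown to user"},
    ("dosing-app", "2.0"): {"R-DOSE-1: wrong unit shown to user",
                            "R-DOSE-2: stale value after resume"},
    ("sensor", "1.0"): {"R-SENS-1: calibration drift"},
    ("cloud-sync", "1.0"): {"R-SYNC-1: record sent to wrong account"},
}

# Risks that exist only when all the named components are delivered together.
INTERACTION_RISKS = [
    (frozenset({"dosing-app", "sensor"}),
     "R-INT-1: app reads sensor value before warm-up"),
    (frozenset({"dosing-app", "cloud-sync"}),
     "R-INT-2: sync overwrites local dose history"),
]


def risk_register(config):
    """config: iterable of (name, version). Returns the risk set for that bundle."""
    config = set(config)
    unknown = sorted(c for c in config if c not in COMPONENT_RISKS)
    if unknown:
        # This sketch refuses to treat an unanalysed component as "no risk".
        raise KeyError(f"no risk analysis on file for {unknown}")
    names = {name for name, _ in config}
    risks = set(BASE_RISKS)                      # general risks of the basic device
    for comp in config:
        risks |= COMPONENT_RISKS[comp]           # risks unique to each chosen option
    # Interaction risks apply when every component they need is in the bundle.
    risks |= {r for needed, r in INTERACTION_RISKS if needed <= names}
    return risks


def register_diff(old_config, new_config):
    """Risks added and removed when a customer bundle changes."""
    old, new = risk_register(old_config), risk_register(new_config)
    return {"added": new - old, "removed": old - new}
```
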
 

alimary15

Involved In Discussions
#3
Thanks so much for your answer! It was very explanatory. So, getting back to configuration management, how would you deal with risks that are identified in v.1 of the product and then a v.2 of the product comes out? Are the risks from v.1 becoming part of the inherent design of the product for v.2? Do I start a risk analysis from scratch from v2? Or do I need to keep all the risks identified in v.1 also in the risk analysis of v.2?

This topic is very confusing and I would really appreciate some help!

Thanks
 

Wes Bucey

Quite Involved in Discussions
#4
I sympathize with your confusion. Sticking to the auto analogy, everything about the risk assessment really requires an engineer's eye and training. Some seemingly silly things can cause a chain of consequences.

One example:
If we change to larger, higher quality tires because we increase the engine size, does that affect the odometer and speedometer readings?

In the quality profession, we use a process called Failure Mode and Effects Analysis (FMEA) as a starting point for most risk analysis. In its simplest form, FMEA asks:

  1. What can possibly function differently from our plan if we change this detail?
  2. If it functions differently, does that have a good or bad outcome for the user?
  3. Does it affect the cost?
  4. Does it affect the useful life?
  5. Does it affect others (neighbors? environment? sales? reputation?)
  6. Putting all things in balance, is this a worthwhile change to make?

In general, trying to take a shortcut by eliminating the steps in the FMEA may mean an unintended consequence occurs which can be a costly misstep for the organization.
 