Risk Management is part of ISO 13485:2003 and AS9100 Rev C.
These two standards need to be fully understood before an effectively implemented system can be developed. Some type of risk management plan might be valuable for all manufacturing and service industries.
Risk Management is a planning process to define the level of risk in a product, and to take appropriate actions to potentially reduce the risk and maintain risk within acceptable levels. The second portion of that statement (maintain risk) is to proactively address any problems found after the product is shipped.
ISO 13485:2003 addresses risk management in the product realization-planning segment. AS9100 Rev C also uses the planning section to discuss risk management requirements.
Addressing risk management is not a clause that can be excluded. Regardless of the supply change position, a risk management process must be included to protect your organization and your customer's from exposure to problems, recalls and regulatory action.
A risk management program can have four basic phases:
- Identify and inventory risks that require management. When appropriate, establish a risk management process.
- Prioritize your risks and define criteria to assist management in making decisions.
- Conduct a risk assessment and communicate risks throughout the product realization process.
- Develop a risk reduction program by establishing criteria for action to mitigate risks and implement the necessary internal and external actions.
AS 9100 Rev C provides more detailed requirements than the two sentences in ISO 13485:2003.
Phase I Identifying Your RisksIdentify and catalog your risks by collecting customer complaints, returns, internal quality rejections to include scrap and rework. Other sources to review include industry publications and newspaper articles about companies making similar products that may have resulted in a problem or had the potential to result in a regulatory recall.
Catalog risks by using the Process FMEA (Failure Mode Effects and Analysis) tool, or prioritize a list based upon occurrence, dollar value, and/or risk to the organization.
The Process FMEA approach uses the organization's manufacturing process as a guide through manufacturing, and stops at each process step and asks what kinds of failures are there at this process step.
It requires a thorough analysis regarding failures, effects on customers (internal and external), and problem causes. Using an industry standard scoring table or your own table, the FMEA identifies the severity (S) of a failure, its occurrence (O) and your organization's ability to detect (D) the problem before the product leaves your facility. All manufacturing and service providers can use the Process FMEA as a solid risk management tool. If your organization is design responsible, a Design FMEA can be developed.
Other methods include Fault Tree Analysis (FTA). This approach begins with the customer's problem and works back to the problem cause.
Phase II Developing Your Risk ProcessOnce all of the failure modes have been addressed using the FMEA approach, multiply the ranking for Severity (S) times Occurrence (O) times Detection (D) and create a Risk Priority Number (RPN) generally a 1 to 1000 number.
A new idea proposed in the Fourth Edition of the automotive FMEA manual is the assignment of a SO and SD number at the same time the RPN is created. Using an Excel spread sheet makes this easy.
Severity times the Occurrence has been used by the medical device industry for many years to define risk (1 to 100 number). The latest automotive FMEA manual suggests identifying serious issues that have a poor chance of detection by multiplying severity by detection.
Once all the scoring has been completed, the analysis begins
regarding which failure modes needs attention and risk reduction. The FMEA team evaluates the highest RPN's and selects the highest RPN's for action. Additionally any high -ranking severities that could injure a person, or violate a FDA or FAA regulation should be addressed.
If you elect to use the SO and SD evaluation, these indicators are very helpful when the RPN number is below about 150 (on a scale of 1 to 1000) to identify other items that need attention.
Phase III Conduct Your Risk AssessmentOnce your guidelines have been developed and finalized, the risk assessment is conducted, and a list of areas needing control is developed, the risks should be communicated to managers and employees of the identified areas.
Phase IV Developing a Risk Reduction ProgramTake your improvement list to management for their support and timely action. Develop the steps necessary to eliminate the problem or mitigate the issue to an acceptable residual risk level. Keep good records of your actions. Verify that the changes are effectively implemented, and continue to add inputs to your risk management system.
Phase V Maintaining Risk Management System for Life of ProductsRisk management is an ongoing process that should include data beyond the end of the manufacturing of cycle. A feedback system to the risk management process should be developed to ensure all customer complaints, returned product, and other information that could effect the level of risk is reviewed with appropriate change in the risk be evaluated for action if necessary. This action should be a loop that returns to Phase I.
What happens if some product reaches the market place? Management needs an action plan in place to address these issues and be proactive rather than waiting for some outside body (probably a regulatory body) to mandate a recall. A withdrawal from the market place is a voluntary action taken by a company to eliminate an issue before it becomes a real big problem costing a company millions of dollars. Proactive plans could work at various levels depending upon the risk.
At the lowest level might be a technical bulletin, or a notice to a route driver asking that the next time they are in the customer facility a review of the affected product and date code be made. Questionable product should be removed from the shelf and replaced with new product.
A slightly higher risk level might be a service or warranty bulletin. This bulletin could instruct the repair location to replace the product with a new one and let the customer know of the slight problem and the manufacturer would like the product back for evaluation. The customer can be told the manufacturer is replacing the old product with a new one.
In other cases, the manufacturer must notify the store or service location to recall all products that can be obtained. In the automotive business, the manufacturer or dealer sends a letter to owners. These are all voluntary programs. They cost money, but are conducted before some outside agency mandates a recall.
A couple of examples of problems not realized by the manufacturer, but widely publicized included lead paint found in millions of toys imported from China. How about the aspirin with small amounts of metal shavings discovered in the ingredients? These problems resulted in massive recalls and bad publicity for the manufactures as well as a great deal of lost revenue.
Advance planning for risk management could save an organization many dollars and eliminate the chance of bad publicity that could impact an organization's future sales.