With growing sophistication and technological advances in products and services, there is an increasing need for designers, manufacturing and service organizations to incorporate risk management processes and protocols into their Quality Management Systems (QMS). While manufacturers must perform risk management activities, they are most critical for military, aerospace, automotive and medical device companies. Malfunctioning and defective equipment can pose high risks for customers and end-users. Even minor non-conformities and defects can have a tremendous impact on Original Equipment Manufacturers (OEMs), including fines, product recalls and permanent damage to a company’s reputation. While every company function should be involved in developing risk management policies and processes, it is especially critical for the engineering, quality and regulatory functions to take the lead to minimize potential risks at every stage of the product design, prototype, production and post-production processes. While regulatory bodies acknowledge and stress the importance of minimizing and managing risks of product failure, it can be challenging to interpret best practices from the ambiguous language of government and regulatory standards.
What is Risk Management? - Risk management is the ability to identify real and potential process and product failure risks, assess them, and eliminate or minimize them to acceptable levels. There are many definitions of risk management, and related reference standards are proliferating like weeds. ISO is currently developing ISO 31000 - Risk Management Principles and Guidelines on Implementation. The critical elements of this proposed standard are:
- Risk identification. Identifies the sources of risk, risk events and their potential consequences.
- Risk analysis. Analyzes the causes and sources of the risks and the likelihood that they will occur.
- Risk evaluation. Determines whether risks need to be addressed and treated.
- Risk treatment. Determines strategies and tactics to mitigate or control risks.
FDA 21 CFR Part 820 only references risk in the context of design validation for medical products.
ISO 13485, the medical device quality standard, and AS9100C, the quality standard for aerospace products, both recognize that risk management should be performed during design phases, continuously during manufacturing, distribution and throughout the product lifecycle, but offer no specific guidelines about best practices. ISO 14971, the risk management standard for medical device manufacturers, offers more details on how to perform hazard analysis and risk mitigation.
ISO 9001 Quality Management Systems and the automotive standard ISO/TS 16949 do not specifically address risk management but allude to it in the design and product realization verification and validation processes.
Product risk assessment and mitigation should be a major part of every quality management system, from design to manufacturing and post-delivery cycles. This applies to companies responsible for design as well as component and contract manufacturers. By following a few guiding principles for integrating quality and risk, manufacturers can strengthen their quality management function while minimizing the impact of product failure and potential harm to users.
Integrate Risk Management Into Processes and Products. - Before start-up of a new design or initiating a major design change of an existing product or family of products, OEMs must identify the potential hazards their products may pose or be subjected to. Quality and Engineering design team members should collaborate to gather information about potential hazards from a number of sources, such as historical data of same or similar product designs, laws, codes and standards, informed hypotheses, industry research and customer feedback. When armed with a thorough, realistic understanding of the risk landscape, manufacturers can then more effectively design safer components and products.
While careful quality planning makes it possible to minimize or eliminate certain product/process risks, there are still inherent risks and weaknesses in any type of manufacturing environment. It is the responsibility of manufacturers to analyze the severity and likelihood of each potential risk, determine an acceptable level of risk and develop programs to control them. Failure Mode Effects Analysis (FMEA) is a popular method for managing product-related risk. This technique helps manufacturers identify potential sources of failure and measure the consequences of defects. It also enables manufacturers to prioritize real and potential failures when deciding on actions to help them reduce risk. The FMEA method is necessary not only for products themselves, but also for associated manufacturing processes and associated operating protocols. Designers and manufacturers should devise control plans for any potential process failures, such as poorly trained employees, malfunctioning equipment, and supplier capabilities. These plans should include steps for minimizing the likelihood of these failures (requiring mandatory training sessions, scheduling regular equipment maintenance and calibrations, qualifying suppliers, etc.) and steps for lessening the impact if such failures occur.
The Engineering and Quality functions usually have primary responsibility for reviewing and planning for risks in the post-production phase. They should ask the following questions: Does product verification and process validation produce the product as designed? Is the product packaged to minimize damage during handling, storage and shipping? What hazards may occur when a customer misuses or abuses my product? When critical product designers and manufacturers honestly attempt to account for functional and user possibilities, they minimize the risks of product failure, liability and injury to an end-user.
It is imperative that OEMs and contract manufacturers fully document their risk management activities during the advanced product quality planning (APQP) stages. This helps to demonstrate their processes to regulatory bodies and serves as a reference later in the product cycle. An electronic document control system is best for storing and organizing vast amounts of product-related data, because it enables constant revision of documentation with no confusion about which version is current. Systems with search capabilities enable easy search and retrieval of information. Companies that have built-in processes for communicating changes to management for review and approval expedite efficient quality planning.
Continually Perform Risk Activities - While quality planning is the critical first step toward risk management, it is vital that manufacturers continue to practice risk management long after the design and development phases. Consistent attention to risks during manufacturing processes is the best way to improve product safety and minimize the impact of hazards. The quality function should establish written procedures and/or refer to other relevant procedures for continual risk assessment and control.
Top Management should impress the importance of controlling risk on its employees, on a continual basis, and reward those who demonstrate commitment to the company’s risk policies. Risk Management is particularly challenging to manufacturers who outsource all or part of their production. It is difficult to regulate suppliers, but since the OEM will face the consequences of its suppliers’ quality problems, it must insist on applicable risk management standards. Some OEMs require their suppliers to adhere to the same risk management policies they must follow; others audit suppliers to ensure their quality practices meet their standards. Some OEMs continually evaluate the risk potential of outsourced products and component parts based on past performance history and reputation.
Continuous, ongoing inspection and testing is the best way for OEMs to control risks, internally and from outsourced goods. They also must regularly inspect finished goods against design specifications, and collect and trend data to identify any larger product problems that may not immediately be apparent. These processes should be detailed in the product control plan, and results should always be appropriately documented as evidence, with summaries presented for top management review.
Re-evaluate Processes Based on Real-World Criteria - Once a product is released to the general marketplace, quality managers must keep apprised of defects and failures to strengthen their risk management processes. Customer complaints, customer surveys, non-conformances, product performance feedback reports and product recalls all are sources of information for product failures and hazards. Management must assess whether post-market problems exceed the level of acceptable risks they determined during the design and pre-production quality planning stages. If so, they must analyze and pinpoint the cause of the issue(s) using methods such as fault tree analysis (FTA), which offers a top-down approach to identify component failure as a cause of functional failure. Manufacturers that generate and maintain detailed, well-documented information about their designs, quality planning, manufacturing processes and customer satisfaction should be able to identify the sources of problems. From there, top management must assess whether required actions taken were sufficient to mitigate the problem. If the risk controls proved inadequate, or if problems arise that are outside the scope of previously identified risks, companies must adapt their processes to account for these findings. Top Management may balk at the costs and efforts of changing product designs or manufacturing processes. But failing to correct inherent problems in their QMS can have major effects down the line. Companies that demonstrate willingness to learn from their mistakes not only win favor with auditors, customers and the marketplace, but also show improvement in the bottom line.
Because of the inherent risks involved in manufacturing critical, sophisticated and complex products in today’s marketplace, companies and organizations must define rigorous processes for identifying, evaluating and controlling real and potential risks. By building risk management into their quality processes and procedures, manufacturing and supplier organizations avoid government and regulatory censure and continuously improve customer relations.