Tuesday Sept 11th, 2018 AGENDA: 1. Pre-Meeting Clinic: Q&A on Risk and a Company s Risk Culture. 2. Risk Management

Transcription

1 Section 703 Tuesday Sept 11th, 2018 AGENDA: 1. Pre-Meeting Clinic: Q&A on Risk and a Company s Risk Culture 2. Risk Management

2

3 Clinic 1) Risk management is designed to: a) Solve all risks b) Correct problems as they happen, minimizing impact c) Resolve major problems proactively d) Create an environment where risks are dealt with appropriately

4 Clinic 1) Risk management is designed to: a) Solve all risks b) Correct problems as they happen, minimizing impact c) Resolve major problems proactively d) Create an environment where risks are dealt with appropriately

5 Clinic 2) Planning for risk management is focused on: a) Identifying risks b) Creating a risk culture c) Analyzing risks for probability and impact d) Choosing risk responses

6 Clinic 2) Planning for risk management is focused on: a) Identifying risks b) Creating a risk culture c) Analyzing risks for probability and impact d) Choosing risk responses

7 Clinic 3) Every risk consists of three key elements. They are: a) Event, probability and impact b) Strategy, approach and event c) Event, uncertainty and probability d) Time, cost and requirements

8 Clinic 3) Every risk consists of three key elements. They are: a) Event, probability and impact b) Strategy, approach and event c) Event, uncertainty and probability d) Time, cost and requirements

9 Clinic 4) One sign of poor risk management culture is: a) Team members talking about risk at every meeting b) Customers participating in the risk process c) Management being unpredictable in its response to individual concerns d) Proactive attitudes about the future

10 Clinic 4) One sign of poor risk management culture is: a) Team members talking about risk at every meeting b) Customers participating in the risk process c) Management being unpredictable in its response to individual concerns d) Proactive attitudes about the future

11 Clinic 5) The risk management plan should include: a) List of all identified risks b) Language of risk management as it will be used on the effort c) Details on the strategies to be deployed d) All of the above

12 Clinic 5) The risk management plan should include: a) List of all identified risks b) Language of risk management as it will be used on the effort c) Details on the strategies to be deployed d) All of the above

13 Clinic 6) Identifying points beyond which an organization will not go is the identification of: a) Tolerance b) Threshold c) Triggers d) All of the above

14 Clinic 6) Identifying points beyond which an organization will not go is the identification of: a) Tolerance b) Threshold c) Triggers d) All of the above

15 Clinic 7) A trigger is best defined as: a) Indication that a risk has passed b) Indication that a risk is happening or imminent c) Point beyond which an organization will not go d) Point at which organizational behavior should change

16 Clinic 7) A trigger is best defined as: a) Indication that a risk has passed b) Indication that a risk is happening or imminent c) Point beyond which an organization will not go d) Point at which organizational behavior should change

17 Clinic 8) Probability is the: a) Condition of total uncertainty b) Degree to which a risk will affect the organization c) Likelihood of the occurrence of a risk event d) The likelihood of the occurrence of a risk event coupled with the degree of impact

18 Clinic 8) Probability is the: a) Condition of total uncertainty b) Degree to which a risk will affect the organization c) Likelihood of the occurrence of a risk event d) The likelihood of the occurrence of a risk event coupled with the degree of impact

19 Clinic 9) In identifying risks, the goal is to: a) Identify all risks b) Identify most risks c) Identify as many risks as practicable d) Identify the big risks

20 Clinic 9) In identifying risks, the goal is to: a) Identify all risks b) Identify most risks c) Identify as many risks as practicable d) Identify the big risks

21 Clinic 10)Monte Carlo analysis generates: a) A list of specific risk events b) A chart of likely risk events c) A chart of the distrubution of possible outcomes d) A ranking of possible outcomes of specific risk events

22 Clinic 10)Monte Carlo analysis generates: a) A list of specific risk events b) A chart of likely risk events c) A chart of the distrubution of possible outcomes d) A ranking of possible outcomes of specific risk events

23 Clinic Bonus Question: How Many Risk Tools are There (FMEA, FTA, etc.)? a) 20 b) 40 c) 50 d) More than 70

24 Clinic Bonus Question: How Many Risk Tools are There (FMEA, FTA, etc.)? a) 20 b) 40 c) 50 d) More than 70

25 Welcome! Many thanks for this opportunity Lots of material Ask questions at any time I aim to finish on time, but I can stay as late as you d like Call me at any time My contact info is at the end

26 (possible) AGENDA 1) Basics 2) Risk: Context, Range and Elements 3) Sources of Risk 4) STANDARDS and Changes 5) Examples yours and mine

27 (possible) AGENDA 6) How Should I approach RM for my medical device? (Covey) 7) Desired future state: Risk Library / Risk Index / Risk Register PITA BUT EU and CER 8. Thank You

28 The Basics Everyone practices risk management (RM) in their own lives. My belief if that everyone is skilled at and might even be considered an expert on risk

29 1) The Basics Risk (per ISO 31000): the effect of uncertainty on objectives Bill Oates: Antinipcated unfavorable effect of uncertainty on objectives Opportunity: a potential outcome more favorable than originally expected Issue: an unfavorable event or outcome that ahs already occurred Don t confuse Risks and Issues!

30 1) The Basics Definitions in various standards: 9001, 13485, 14971, 62304, 62366, HFE, From 14971: risk combination of the probability of occurrence of harm and the severity of that harm [ISO/IEC Guide 51:1999, definition 3.2] 9 «risk» definitions in Every risk contains three common elements: Event, probability, impact

31 2) Risk: Context, Range and Elements (Oates): - Despite differences in products and industries. - Many commonalities - All issues were risks at one time - Formalizing risk management is the best way to improve it and make it part of the culture - VUCA Volatility, Uncertainty, Complexity and Ambiguity (Greg Hutchinson) - Q: Your Company s management of risk???: (a) Culture, (b) Regulatory Requirement, (c) Ad Hoc, (d) Practiced, (e) Measured, (f) Interconnected

32 2) Risk: Context, Range and Elements MICRO Personal Individual Business Automotive Historical Bicycle Financial me My Health MACRO Global Society Philanthropy Mass Transit Future Planning Aviation and cruise lines Financial multinational Welfare of the Nation

33 2) Risk: Context, Range and Elements On August 8 th, using the Washington Post and Indeed Jobs tool. - Bank & risk 125,865 hits - Drug & risk 81, 703 hits - Medical & risk 17,501 hits - Aviation & risk 14, 245 hits - Electronics & risk 27,497 - Risk and VP 20,963 hits

34 2) Risk: Context, Range and Elements Standards On August 11 th, using the IHS Standards Service. RISK - 95,712 standards (title, abstracts, most recent version and all document text) - 8,556 standards with risk (title, abstracts and most recent version - 2,019 standards (titles only and most recent version) - 1,658 standards (active status title only)

35 What is the Range of Risks that we must Face? Level of Effect Examples Comment Individual - Health - Accidents - Financial - Ancestry - Career? Family* - Health - Accidents - Financial - Ancestry Corporate - Product - Supply Chain - Financial Government - Famine - Outbreaks - Financial - War Global - Natural Disaster - Disease - War - Some risks we accept - Some risks we share - Actively seek assistance - Health condition - Prevent Obsolescence Similar to above * e-2-american-families/ Multiple risks in a global economy. Umbrella insurance. ERM. BCP Practices through drills and training. Large scale monitoring. Date sharing. Large scale monitoring. Data sharing.

36 Some Current Practices to List and Control Risk Product Area Practice / Requirement Intended Effect Consumer Electronics - UL / CSA / TUV electrical safety tests - Prevent electrical shocks - Addresses known risks - Assures proper functioning under varying conditions Commercial Aviation New Plane - Registration with FAA - Flight tests and certification program and results - Addresses known risks - Assures safe and stable flights under multiple conditions Medical Devices - Registration and listing through FDA - New product submission - Facility inspections Drugs - Registration and Orange Book listing through FDA - New product submission - Facility inspections Automobile?? - NHTSA - CPSC - Consumer Reports - Notifies FDA of your intentions - Product and facility subject to very broad inspectional powers - Notifies FDA of your intentions - Product and facility subject to very broad inspectional powers - Safe under various conditions - Rollover - Fire

37 Some Current Practices to List and Control Risk - FDA Product Area Practice / Requirement Intended Effect Devices, Drugs, IVD s Food and Other Approval of New Product Submissions - Notify the agency of a New Product - Allows FDA to review and approve safety and performance testing Import / Export notices - Notify the Agency of shipments of components, accessories and finished products - Allows FDA to inspect, hold, return or allow a shipment Annual Facility Registration - Notifies FDA that a firm is still in business - Provides accurate and timely location and contact information UDI Unique Device Identification - Precise and quick identification of all product variables Bar Coding / DHSCA - drugs

38 Some Current Practices to List and Control Risk FDA and Submissions Product New? Investigate in Humans? Document and Timeframe Drugs Yes o IND years o NDA = New Drug application years Me Too No o ANDA = Abbreviated New Drug Application years Devices and IVD s Yes o IDE years o PMA = Pre-Market Application years Me Too No - 510(k) Pre-Market Clearance days

39 3) Sources for Identifying Risk (Oates) o The NUDD Process anything about our project that is: New, Unique, Different, Difficult Industry-Specific Sources and Processes External: o Trade letters, captive suppliers, oversight and regulatory inquiries, customer, technology changes, AUDITS,?? Internal: o Mgmt Systems, Mgmt Review, Legal, Customer Service, Complaints, Returns, Consumer Reviews, Product Projects new and improvements, Design Reviews, technology changes, AUDITS,??

40 4) Standards and Changes Interesting Times What s Changed? 1) ISO ) ISO ) IEC ) ISO ) ISO ) IEC 60601

41 4) Standards and Changes Interesting Times What s Changed? 1) ISO ) ISO ) IEC Change and Themes: Each about 1/3 longer New sections ISO 9001 no longer has a structure or format like other standards Overall greater emphasis on risk particularly 9001 and especially ISO now requires risk to be addressed in every process

42 4) Standards and Changes Interesting Times What s Changed? 1) ISO ) ISO ) IEC ) ISO ) ISO Out for Revision Now See Handout for Summary 6) IEC 60601

43 4) Standards and Changes Interesting Times What s Changed? 1) ISO ) ISO ) IEC ) ISO ) ISO ) IEC )???? Standards are under constant revision per ISO regulations EU citation not to have current copies and show active management of standards that affect your company.. o Do you have a list of standards that affect your products? Changes by product family Annual / regular survey of stakeholders? Benefits (and costs) of using a standards service..

44 Software Q: How is software different than hardware? A: If managed properly each new version of software will be an improvement over the prior version. Improving with age. A: Hardware and electrical systems degrade with age and require specific maintenance Software has specific and unique risks and systems for development and risk management

45 Software + Cyber Nothing is secure over the internet (PBS Frontline Report) Who is attacking your system? 1) Individuals 2) Loosely organized groups (Anonymous) 3) State-sponsored attacks (Stuxnet, Sony)

46 Software + Cyber Q: What is the paradigm for cyber defense? A: Defense in Depth

47 5. Examples Aviation 1. Boeing 767 runs out of gas in mid-air No injuries dead-stick landing Back-up, air driven generator 2. Auto-Pilot Disengages with a simple touch no alerts 3. Space Shuttle 4 synchronous computer systems Medical 1. Pain pump with softwarecontrolled limits using barcoded drugs 2. Older x-ray system - software error 3. Recent CT systems 4. Plastic, sterile disposable set

48 6. How should I approach RM for my medical device? (Covey) - Begin With the End in Mind - 1) Which Market? ISO 14971: ) What are the present shortcomings? List AND Benchmark FDA 483 s and W/L s 3. Measure! Work / hours / topics Products (families): 4) Speak the same language. All sites / corporate Suppliers Customer inputs (complaints) Put risk rankings in consistent terms / per product family 5) Automate the process wherever possible 6) Make it relational (bidirectional) to both the QMS and ERM/Mgmt. Systems o o Old/Existing New

49 6. How should I approach RM for my medical device? (Covey) - Begin With the End in Mind - 7) The same training for everyone 8) Measure current and historical data 9) Align: training ^ standards ^ terms ^ regulatory expectations ^ concept = field ^ products (hardware, software, disposables, field services, installation)

50 7. Desired future state: Risk Library / Risk Index / Risk Register PITA BUT EU and CER You should develop a library or index of every risk you have seen for a specific product or family. Keep active until after a product is retired for continued access This may be a PITA In terms of efficiency you can quickly determine if an incident or issue is new or old each requires different investigations The index can be used and referred to in an unlimited number of ways Compare R&D vs. Manufacturing vs Field vs Lab..

51 7. Desired future state: Risk Library / Risk Index / Risk Register PITA BUT EU and CER For the EU.. An index is efficient and if managed properly can be quickly analyzed to determine risks year after year This is part of the Clinical Evaluation Report (CER) that is required for the EU Have you seen anything new? Have you seen any changes over time? How does your product history compare with competitors?

52 Thank You! Frank Pokrop Sotera Wireless

53 EN/ISO 14971:2012 Implementation Strategy Harvey Rudolph, Ph.D. Copyright HRRM 53

54 Changes Needed Address all identified risks Replace ALARP with As Low As Possible Revise meaning of risk acceptability criteria Adhere strictly to the risk control hierarchy Use only validated information for safety to reduce risk Mandatory risk/benefit analysis Copyright HRRM 54

55 Address all risks Carefully identify all risks Attempt to reduce all risks using the risk reduction hierarchy Document analysis Do not dismiss any identified risk (no matter how small) must analyze and document the attempt to reduce it Copyright HRRM 55

56 As Low As Possible Do not use ALARP as this implies that economic considerations (may) have been applied Reduce all risks to as low as possible within the state-of-the-art in risk control Determine state-of-the-art through research on similar devices and treatments or methods of diagnosis and document this research State-of-the-art means use of technology that is currently and generally accepted as proven and reliable best practice. It does not necessarily mean cutting edge technology, unless such technology has been or can be validated for use in the device. Copyright HRRM 56

57 Meaning of Risk Acceptability Criteria Establish a risk chart for each device or family Use risk/benefit considerations to define three areas of the risk chart: Area where benefits always outweigh risks and risk is acceptable Area where risks always outweigh benefits and risk is unacceptable Intermediate area where a risk/benefit analysis is necessary to determine risk acceptability Copyright HRRM 57

58 Example Risk Chart w/risk-benefit Probability Levels Severity Levels Negligible Moderate Serious Critical Frequent Risk > Benefit Risk > Benefit Risk > Benefit Risk > Benefit Probable Benefit > Risk Undetermined Risk > Benefit Risk > Benefit Occasional Benefit > Risk Undetermined Undetermined Risk > Benefit Remote Benefit > Risk Benefit > Risk Undetermined Risk > Benefit Improbable Benefit > Risk Benefit > Risk Benefit > Risk Benefit > Risk Copyright HRRM 58

59 Risk Control Hierarchy (in this order only) 1. Mandate that if possible risks will be reduced by inherently safe design and that all efforts at inherently safe design will be exhausted before attempting other means of risk control 2. Once all methods of inherently safe design (within the stateof-the-art) have been applied, try to further reduce risk by protective measures in the device or in the manufacturing process 3. Once all methods of reducing risk by protective measures have been exhausted, information about the safe use of the device may be used to further reduce the risk, but only if such information has been validated as a means of risk reduction (one may not assume this) Copyright HRRM 59

60 Risk/Benefit Analysis All individual residual risks must be weighed against the benefits of the device (or module or feature), unless that residual risk winds up in the region of the risk chart where benefits always outweigh the risk No residual risk may remain in the region of the risk chart where risks always outweigh benefits A risk/benefit analysis for the device as a whole is mandatory Copyright HRRM 60

61 What Makes Up a Sound Risk/Benefit Analysis? 1) SOP 2) Multiple dated signatures from different departments Risk specialist Medical / nurse / doctor / certified end-user 3) Q = 2Q.. Qualitative + quantitative. Data Text + opinions References: Literature, standards, articles 61