Probably the most significant concern for anyone responsible for implementing, deploying, and maintaining a quality management system is the integration of risk-based thinking. This article is an expansion on the idea presented by John Vanhouwe, QA manager at IAC Group. Vanhouwe authored an article titled Risk Based Thinking: Making Use of a New FMEA Tool Called O-FMEA.
The real issue in developing a QMS failure mode effects analysis (qFMEA) for the quality management system (QMS) is how to develop the scales traditionally used to calculate the risk priority number (RPN): severity, probability of occurrence, and probability of detection. These traditional scales need to be exchanged in order for the RPN to enhance the qFMEA's functionality.
A qFMEA utilizes three ratings: compliance risk, requirement maturity, and internal audit effectiveness. The compliance risk rating replaces the severity. The requirement maturity rating replaces the probability of occurrence. The internal audit effectiveness rating is substituted for the probability of detection.
Compliance Risk Rating
The compliance risk rating (CRR) uses values from 1 to 5 as shown in Table 1. A rating value of 5 indicates high compliance risk and a rating value of 1 represents low compliance risk.
Table 1: Example Compliance Risk Rating Scale
To develop the compliance risk rating, FDA 483 citations from Oct. 1, 2015 through March 31, 2016 were used. A Pareto analysis of the 483 citations was constructed from the downloaded data based on the number of 483s issued by subpart requirement (see Figure 1).
Figure 1: FDA 483 citations from Oct 1, 2015 through March 31, 2016 using Pareto analysis (source: FDA.gov).
Using the Pareto analysis, a severity rating was assigned to each of the requirements of 21 CFR 820, Quality System Regulation for Medical Devices. The data was used to develop the compliance rating scale. Partial results are displayed in Table 2. It should be noted that any QMS requirement not listed in Figure 1 was assigned a compliance risk rating of 1.
Table 2: Quality System Compliance Risk Rating (Partial)
Once the compliance risk rating is assigned in a qFMEA it cannot be decreased, only increased because unlike a traditional user (uFMEA), design (dFMEA), or process (pFMEA), the requirements cannot be reengineered or redesigned. Essentially, the CRR rating is established by external factors. Because of the external influence, from time to time it is a good idea to evaluate the data source used to determine the CRR. This is the only time CRR can be reduced.
Requirement Maturity Rating
The requirement risk rating (RMR) utilizes values from 1 to 5 as shown in Table 3. A rating value of 5 indicates a low level of QMS requirement maturity and a rating value of 1 represents a high level of QMS requirement maturity.
Table 3: Example Compliance Risk Rating Scale
Assigning requirement maturity rating requires a working knowledge of how the QMS is and has been performing. A review of complaints, customer satisfaction ratings, supplier performance metrics, corrective and preventive actions (CAPAs), nonconformance reports (NCRs), management reviews, and internal and external audit findings can be used when making the assignments. The RMR may be lowered over time as the QMS matures.
Internal Audit Effectiveness Rating
The internal audit effectiveness (IAER) rating uses values from 1 to 5 as shown in Table 4. A rating value of 5 indicates a low level of internal audit effectiveness and a rating value of 1 represents a high level of internal audit effectiveness.
Table 4: Example Compliance Risk Rating Scale
Assigning the internal audit effectiveness rating requires a working knowledge of how the internal audit function is and has been performing. A review of internal and external audit findings can and should be used when making the assignments. The IAER may be lowered over time as the internal audit function matures.
Risk Priority Numbers
qFMEA quantifies and prioritizes risk using compliance risk, requirement maturity, and internal audit effectiveness ratings that when multiplied together produce the Risk Priority Number (RPN. The output of a qFMEA is an RPN that is a relative risk rating for each quality system requirement used to prioritize the QMS risks. Table 6 is an example of a qFMEA rating scheme using a five-point scale. It must be emphasized that different values of compliance risk, requirement maturity, and internal audit effectiveness ratings and the resulting risk acceptability threshold should be utilized based upon an organization’s risk acceptance determination threshold, industry practice, guidance documents, and regulatory requirements.
RPNs are used to rank and assess risk. To calculate the RPN, a team must rate the compliance risk, requirement maturity, and internal audit effectiveness of each QMS requirement. Once this is completed, calculate the RPN by multiplying the three ratings:
RPN = Compliance Risk x Requirement Maturity x Internal Audit Effectiveness
Example: A qFMEA has been developed for a new QMS. 21 CFR 820.50 Purchasing Controls has compliance risk of 4, a requirement maturity of 4, and internal audit effectiveness of 3. The RPN is calculated as follows:
RPN = 4 x 4 x 3 = 48
As shown in Table 6, an RPN of 48 is considered undesirable. However, the compliance risk and requirement maturity should also be evaluated for this characteristic. Table 7 indicates that for a compliance risk of 4 and a requirement maturity of 4, the risk is unacceptable.
Because the result is considered unacceptable, it was decided to hire a consultant and send the Supplier Quality Engineer (SQE) for training to increase the requirements’ maturity levels. As a result, the requirements now have a compliance risk of 4, a requirement maturity of 2, and an internal audit effectiveness of 3.
Recalculating the RPN results in:
RPN = 4 x 2 x 3 = 24
According to Table 6, an RPN of 24 is tolerable. However, the compliance risk and requirement maturity should also be evaluated for this characteristic. Table 7 indicates that for a compliance risk of 4 with a requirement maturity of 2, the risk is as low as reasonably possible (ALARP).
Table 5: Reduction In The RPN Score
RPNi = Initial RPN
RPNr = Revised RPN
From Table 5:
By reducing the requirement maturity from 3 to 2, we have made a 50 percent reduction in the RPN, which takes us from an unacceptable risk level to a tolerable risk level.
Table 6: Example RPN Action Requirements
Another consideration is evaluating compliance and maturity. Table 7 provides example compliance and maturity action requirements.
Table 7: Example Compliance And Maturity Action Requirements
The example presented above shows a tool to aid the process of identifying and integrating risk management applied directly to the QMS. Although the example was based upon 21 CFR 820, Quality System Regulation for Medical Devices, the method can be readily applied to any QMS standard or regulation.
I cannot emphasize enough the importance of proceduralizing (documenting the tools and methods used. Best practice includes providing rationale for your organization’s use of risk management tools and activities. The requirements and risk management tools presented in this article can and should be utilized based upon industry practice, guidance documents, and regulatory requirements.
About The Author:
Mark Allen Durivage is the managing principal consultant at Quality Systems Compliance LLC and an author of several quality-related books. He earned a B.A.S in computer aided machining from Siena Heights University and an MS in quality management from Eastern Michigan University. Durivage is an ASQ Fellow and holds several ASQ certifications including CQM/OE, CRE, CQE, CQA, CHA, CBA, CPGP, CSQP, and CSSBB. He also is a Certified Tissue Bank Specialist (CTBS) and holds a Global Regulatory Affairs Certification (RAC). Durivage resides in Lambertville, Michigan. Please feel free to email him at firstname.lastname@example.org with any questions or comments, or connect with him on LinkedIn.