In system development and operation, risk assessment is an indispensable process. Generally, it begins with identifying what risks exist in the system as a whole, and evaluating the probability of occurrence and impact of potential problems and failures. However, many systems consist of numerous functions, and it is not realistic to verify and manage all of them at the same level. This is where functional risk assessment (detailed risk assessment) becomes crucial.
Concept of Functional Risk Assessment
Functional risk assessment is a methodology that, based on overall risk evaluation results, further subdivides and analyzes risks for each individual function that comprises the system. By evaluating the magnitude of risk at the functional level and concentrating resources on testing and countermeasures for functions determined to be high-risk, this approach enables both ensuring safety and quality while optimizing costs for testing and auditing.
Specifically, risk scores are calculated by considering factors such as the impact when each function malfunctions, frequency of use, interfaces with external systems, and history of past failures. Functions with high risk scores are of high importance and urgency, requiring focused and thorough quality assurance activities. Conversely, for functions with low risk, the scope and depth of testing and auditing can be appropriately limited. This makes it possible to ensure maximum safety and reliability within limited person-hours and budget.
Implementation of Risk-Based Approach
This method is a practical implementation of the so-called “risk-based approach.” The risk-based approach offers the advantage of being more efficient than traditional comprehensive and uniform testing while not overlooking critical risks. As a result, it can reduce costs associated with legal and regulatory compliance, providing significant business benefits.
This methodology is widely adopted not only in IT systems but also in fields requiring high reliability, such as pharmaceuticals, medical devices, and automobiles. In the medical device field, the international standard ISO 14971:2019 (JIS T 14971:2020), and in the pharmaceutical field, ICH Q9 (Quality Risk Management), define the fundamental framework for risk-based approaches. These standards define risk as “the combination of the probability of occurrence of harm and the severity of that harm,” and require risk assessment and management based on scientific evidence.
FMEA as a Risk Analysis Technique
FMEA (Failure Mode and Effects Analysis) is widely used as a specific implementation method for functional risk assessment. FMEA is a technique that systematically analyzes what failure modes might occur in each component of a product or system and what impact they would have on the whole.
However, caution is necessary when applying FMEA in the design phase of medical devices. In ISO 14971, FMEA is recommended for use in the risk analysis stage, but in risk evaluation, only “probability of occurrence × severity” is required. The “detectability” factor commonly used in general FMEA is not included in ISO 14971’s risk evaluation process. This is because in medical devices where patient safety is paramount, countermeasures are necessary for unacceptable risks regardless of detection difficulty.
On the other hand, in manufacturing process or business process improvement, utilizing FMEA including detectability is effective. In this case, the Risk Priority Number (RPN) can be calculated to determine the priority of countermeasures for most effective resource allocation.
Ensuring Traceability
To effectively implement functional risk assessment, it is important to ensure appropriate traceability throughout each process from requirements to design, implementation, testing, and verification. By utilizing a traceability matrix, one can clearly track which function corresponds to which requirement, what risks were identified, and what countermeasures were implemented.
This enables objective explanation of the validity of risk management in regulatory authority audits and internal audits. Additionally, throughout the product lifecycle, when new risks are discovered or design changes become necessary, the impact scope can be grasped quickly and accurately.
Continuous Risk Management
Risk management is not something that ends once implemented. Particularly for products such as medical devices and software, continuous risk management is required even after manufacturing and post-market. ISO 14971:2019 clearly requires information collection and continuation of risk management activities during and after manufacturing. It is important to continuously monitor customer feedback, complaint information, actual use in the market, verify whether the initial risk assessment was appropriate, and implement additional countermeasures as necessary.
Summary
In summary, functional risk assessment is a methodology that rationally conducts quality assurance by evaluating risks not only at the system level but also at individual functional levels, optimizing resource allocation. The greatest characteristic of this process is its ability to balance necessary and sufficient quality with efficient risk response. It is an important methodology that is easy for beginners to understand while maintaining professional essence in practicing risk-based approaches.
As indicated by international standards and guidelines, the risk-based approach is not merely a means of regulatory compliance, but a strategic approach to achieving truly effective quality management and patient safety. By implementing risk management based on scientific evidence, at an appropriate level of formality, and minimizing subjectivity, organizations can concentrate limited resources on the most critical areas.
| Aspect | Traditional Approach | Risk-Based Approach |
|---|---|---|
| Testing Strategy | Uniform testing for all functions | Focused testing based on risk level |
| Resource Allocation | Even distribution | Concentrated on high-risk areas |
| Efficiency | Lower efficiency, higher cost | Higher efficiency, optimized cost |
| Regulatory Compliance | Process-focused | Outcome-focused with scientific justification |
| Continuous Improvement | Periodic, comprehensive | Targeted, based on risk indicators |
The evolution from traditional quality management to risk-based approaches represents a paradigm shift in how organizations think about safety and quality. Rather than attempting to eliminate all possible failures through exhaustive testing—an impossible and inefficient goal—the risk-based approach acknowledges that resources are finite and should be allocated where they can have the greatest impact on patient safety and product quality.
Comment