diff --git a/.codex/skills-index.json b/.codex/skills-index.json index dc7f48a..0187498 100644 --- a/.codex/skills-index.json +++ b/.codex/skills-index.json @@ -255,7 +255,7 @@ "name": "risk-management-specialist", "source": "../../ra-qm-team/risk-management-specialist", "category": "ra-qm", - "description": "Senior Risk Management specialist for medical device companies implementing ISO 14971 risk management throughout product lifecycle. Provides risk analysis, risk evaluation, risk control, and post-production information analysis. Use for risk management planning, risk assessments, risk control verification, and risk management file maintenance." + "description": "Medical device risk management specialist implementing ISO 14971 throughout product lifecycle. Provides risk analysis, risk evaluation, risk control, and post-production information analysis." } ], "categories": { diff --git a/ra-qm-team/risk-management-specialist/SKILL.md b/ra-qm-team/risk-management-specialist/SKILL.md index c41223e..69cd6d9 100644 --- a/ra-qm-team/risk-management-specialist/SKILL.md +++ b/ra-qm-team/risk-management-specialist/SKILL.md @@ -1,225 +1,537 @@ --- name: risk-management-specialist -description: Senior Risk Management specialist for medical device companies implementing ISO 14971 risk management throughout product lifecycle. Provides risk analysis, risk evaluation, risk control, and post-production information analysis. Use for risk management planning, risk assessments, risk control verification, and risk management file maintenance. +description: Medical device risk management specialist implementing ISO 14971 throughout product lifecycle. Provides risk analysis, risk evaluation, risk control, and post-production information analysis. +triggers: + - risk management + - ISO 14971 + - risk analysis + - FMEA + - fault tree analysis + - hazard identification + - risk control + - risk matrix + - benefit-risk analysis + - residual risk + - risk acceptability + - post-market risk --- -# Senior Risk Management Specialist +# Risk Management Specialist -Expert-level medical device risk management implementing ISO 14971 throughout the complete product lifecycle with comprehensive risk analysis, evaluation, control, and post-production monitoring capabilities. +ISO 14971:2019 risk management implementation throughout the medical device lifecycle. -## Core Risk Management Competencies +--- -### 1. Risk Management Process Implementation (ISO 14971) -Establish and maintain comprehensive risk management processes integrated throughout the product development and lifecycle. +## Table of Contents + +- [Risk Management Planning Workflow](#risk-management-planning-workflow) +- [Risk Analysis Workflow](#risk-analysis-workflow) +- [Risk Evaluation Workflow](#risk-evaluation-workflow) +- [Risk Control Workflow](#risk-control-workflow) +- [Post-Production Risk Management](#post-production-risk-management) +- [Risk Assessment Templates](#risk-assessment-templates) +- [Decision Frameworks](#decision-frameworks) +- [Tools and References](#tools-and-references) + +--- + +## Risk Management Planning Workflow + +Establish risk management process per ISO 14971. + +### Workflow: Create Risk Management Plan + +1. Define scope of risk management activities: + - Medical device identification + - Lifecycle stages covered + - Applicable standards and regulations +2. Establish risk acceptability criteria: + - Define probability categories (P1-P5) + - Define severity categories (S1-S5) + - Create risk matrix with acceptance thresholds +3. Assign responsibilities: + - Risk management lead + - Subject matter experts + - Approval authorities +4. Define verification activities: + - Methods for control verification + - Acceptance criteria +5. Plan production and post-production activities: + - Information sources + - Review triggers + - Update procedures +6. Obtain plan approval +7. Establish risk management file +8. **Validation:** Plan approved; acceptability criteria defined; responsibilities assigned; file established + +### Risk Management Plan Content + +| Section | Content | Evidence | +|---------|---------|----------| +| Scope | Device and lifecycle coverage | Scope statement | +| Criteria | Risk acceptability matrix | Risk matrix document | +| Responsibilities | Roles and authorities | RACI chart | +| Verification | Methods and acceptance | Verification plan | +| Production/Post-Production | Monitoring activities | Surveillance plan | + +### Risk Acceptability Matrix (5x5) + +| Probability \ Severity | Negligible | Minor | Serious | Critical | Catastrophic | +|------------------------|------------|-------|---------|----------|--------------| +| **Frequent (P5)** | Medium | High | High | Unacceptable | Unacceptable | +| **Probable (P4)** | Medium | Medium | High | High | Unacceptable | +| **Occasional (P3)** | Low | Medium | Medium | High | High | +| **Remote (P2)** | Low | Low | Medium | Medium | High | +| **Improbable (P1)** | Low | Low | Low | Medium | Medium | + +### Risk Level Actions + +| Level | Acceptable | Action Required | +|-------|------------|-----------------| +| Low | Yes | Document and accept | +| Medium | ALARP | Reduce if practicable; document rationale | +| High | ALARP | Reduction required; demonstrate ALARP | +| Unacceptable | No | Design change mandatory | + +--- + +## Risk Analysis Workflow + +Identify hazards and estimate risks systematically. + +### Workflow: Conduct Risk Analysis + +1. Define intended use and reasonably foreseeable misuse: + - Medical indication + - Patient population + - User population + - Use environment +2. Select analysis method(s): + - FMEA for component/function analysis + - FTA for system-level analysis + - HAZOP for process deviations + - Use Error Analysis for user interaction +3. Identify hazards by category: + - Energy hazards (electrical, mechanical, thermal) + - Biological hazards (bioburden, biocompatibility) + - Chemical hazards (residues, leachables) + - Operational hazards (software, use errors) +4. Determine hazardous situations: + - Sequence of events + - Foreseeable misuse scenarios + - Single fault conditions +5. Estimate probability of harm (P1-P5) +6. Estimate severity of harm (S1-S5) +7. Document in hazard analysis worksheet +8. **Validation:** All hazard categories addressed; all hazards documented; probability and severity assigned + +### Hazard Categories Checklist + +| Category | Examples | Analyzed | +|----------|----------|----------| +| Electrical | Shock, burns, interference | ☐ | +| Mechanical | Crushing, cutting, entrapment | ☐ | +| Thermal | Burns, tissue damage | ☐ | +| Radiation | Ionizing, non-ionizing | ☐ | +| Biological | Infection, biocompatibility | ☐ | +| Chemical | Toxicity, irritation | ☐ | +| Software | Incorrect output, timing | ☐ | +| Use Error | Misuse, perception, cognition | ☐ | +| Environment | EMC, mechanical stress | ☐ | + +### Analysis Method Selection + +| Situation | Recommended Method | +|-----------|-------------------| +| Component failures | FMEA | +| System-level failure | FTA | +| Process deviations | HAZOP | +| User interaction | Use Error Analysis | +| Software behavior | Software FMEA | +| Early design phase | PHA | + +### Probability Criteria + +| Level | Name | Description | Frequency | +|-------|------|-------------|-----------| +| P5 | Frequent | Expected to occur | >10⁻³ | +| P4 | Probable | Likely to occur | 10⁻³ to 10⁻⁴ | +| P3 | Occasional | May occur | 10⁻⁴ to 10⁻⁵ | +| P2 | Remote | Unlikely | 10⁻⁵ to 10⁻⁶ | +| P1 | Improbable | Very unlikely | <10⁻⁶ | + +### Severity Criteria + +| Level | Name | Description | Harm | +|-------|------|-------------|------| +| S5 | Catastrophic | Death | Death | +| S4 | Critical | Permanent impairment | Irreversible injury | +| S3 | Serious | Injury requiring intervention | Reversible injury | +| S2 | Minor | Temporary discomfort | No treatment needed | +| S1 | Negligible | Inconvenience | No injury | + +See: [references/risk-analysis-methods.md](references/risk-analysis-methods.md) + +--- + +## Risk Evaluation Workflow + +Evaluate risks against acceptability criteria. + +### Workflow: Evaluate Identified Risks + +1. Calculate initial risk level from probability × severity +2. Compare to risk acceptability criteria +3. For each risk, determine: + - Acceptable: Document and accept + - ALARP: Proceed to risk control + - Unacceptable: Mandatory risk control +4. Document evaluation rationale +5. Identify risks requiring benefit-risk analysis +6. Complete benefit-risk analysis if applicable +7. Compile risk evaluation summary +8. **Validation:** All risks evaluated; acceptability determined; rationale documented + +### Risk Evaluation Decision Tree -**Risk Management Process Framework:** ``` -ISO 14971 RISK MANAGEMENT PROCESS -├── Risk Management Planning -│ ├── Risk management plan development -│ ├── Risk acceptability criteria definition -│ ├── Risk management team formation -│ └── Risk management file establishment -├── Risk Analysis -│ ├── Intended use and reasonably foreseeable misuse -│ ├── Hazard identification and analysis -│ ├── Hazardous situation evaluation -│ └── Risk estimation and documentation -├── Risk Evaluation -│ ├── Risk acceptability assessment -│ ├── Risk benefit analysis -│ ├── Risk control necessity determination -│ └── Risk evaluation documentation -├── Risk Control -│ ├── Risk control option analysis -│ ├── Risk control measure implementation -│ ├── Residual risk evaluation -│ └── Risk control effectiveness verification -└── Production and Post-Production Information - ├── Information collection and analysis - ├── Risk management file updates - ├── Risk benefit analysis review - └── Risk control measure adjustment +Risk Estimated + │ + ▼ +Apply Acceptability Criteria + │ + ├── Low Risk ──────────► Accept and document + │ + ├── Medium Risk ───────► Consider risk reduction + │ │ Document ALARP if not reduced + │ ▼ + │ Practicable to reduce? + │ │ + │ Yes──► Implement control + │ No───► Document ALARP rationale + │ + ├── High Risk ─────────► Risk reduction required + │ │ Must demonstrate ALARP + │ ▼ + │ Implement control + │ Verify residual risk + │ + └── Unacceptable ──────► Design change mandatory + Cannot proceed without control ``` -### 2. Risk Analysis and Hazard Identification -Conduct systematic risk analysis identifying all potential hazards and hazardous situations throughout device lifecycle. +### ALARP Demonstration Requirements -**Risk Analysis Methodology:** -1. **Intended Use and Context Analysis** - - Medical indication and patient population - - Use environment and conditions - - User characteristics and training - - **Decision Point**: Define scope of risk analysis +| Criterion | Evidence Required | +|-----------|-------------------| +| Technical feasibility | Analysis of alternative controls | +| Proportionality | Cost-benefit of further reduction | +| State of the art | Comparison to similar devices | +| Stakeholder input | Clinical/user perspectives | -2. **Hazard Identification Process** - - **For Hardware Components**: Mechanical, electrical, thermal, chemical hazards - - **For Software Components**: Software failure modes per IEC 62304 - - **For Combination Products**: Drug-device interaction risks - - **For Connected Devices**: Cybersecurity and data privacy risks +### Benefit-Risk Analysis Triggers -3. **Hazardous Situation Analysis** - - Sequence of events leading to hazardous situations - - Foreseeable misuse and use error scenarios - - Single fault condition analysis - - Multiple fault condition evaluation +| Situation | Benefit-Risk Required | +|-----------|----------------------| +| Residual risk remains high | Yes | +| No feasible risk reduction | Yes | +| Novel device | Yes | +| Unacceptable risk with clinical benefit | Yes | +| All risks low | No | -### 3. Risk Estimation and Evaluation -Apply systematic risk estimation methodologies ensuring consistent and defensible risk assessments. +--- -**Risk Estimation Framework:** -- **Probability Assessment**: Statistical data, literature, expert judgment -- **Severity Assessment**: Clinical outcome evaluation and classification -- **Risk Level Determination**: Risk matrix application and documentation -- **Risk Acceptability Evaluation**: Criteria application and justification +## Risk Control Workflow + +Implement and verify risk control measures. + +### Workflow: Implement Risk Controls + +1. Identify risk control options: + - Inherent safety by design (Priority 1) + - Protective measures in device (Priority 2) + - Information for safety (Priority 3) +2. Select optimal control following hierarchy +3. Analyze control for new hazards introduced +4. Document control in design requirements +5. Implement control in design +6. Develop verification protocol +7. Execute verification and document results +8. Evaluate residual risk with control in place +9. **Validation:** Control implemented; verification passed; residual risk acceptable; no unaddressed new hazards + +### Risk Control Hierarchy + +| Priority | Control Type | Examples | Effectiveness | +|----------|--------------|----------|---------------| +| 1 | Inherent Safety | Eliminate hazard, fail-safe design | Highest | +| 2 | Protective Measures | Guards, alarms, automatic shutdown | High | +| 3 | Information | Warnings, training, IFU | Lower | + +### Risk Control Option Analysis Template -**Risk Evaluation Decision Tree:** ``` -RISK EVALUATION PROCESS -├── Is Risk Acceptable? (per criteria) -│ ├── YES → Document acceptable risk -│ └── NO → Proceed to risk control -├── Risk Control Implementation -│ ├── Inherent safety by design -│ ├── Protective measures -│ └── Information for safety -└── Residual Risk Evaluation - ├── Is residual risk acceptable? - ├── Risk benefit analysis - └── Final risk acceptability decision +RISK CONTROL OPTION ANALYSIS + +Hazard ID: H-[XXX] +Hazard: [Description] +Initial Risk: P[X] × S[X] = [Level] + +OPTIONS CONSIDERED: +| Option | Control Type | New Hazards | Feasibility | Selected | +|--------|--------------|-------------|-------------|----------| +| 1 | [Type] | [Yes/No] | [H/M/L] | [Yes/No] | +| 2 | [Type] | [Yes/No] | [H/M/L] | [Yes/No] | + +SELECTED CONTROL: Option [X] +Rationale: [Justification for selection] + +IMPLEMENTATION: +- Requirement: [REQ-XXX] +- Design Document: [Reference] + +VERIFICATION: +- Method: [Test/Analysis/Review] +- Protocol: [Reference] +- Acceptance Criteria: [Criteria] ``` -### 4. Risk Control Implementation and Verification -Implement comprehensive risk control measures following the hierarchy of risk control per ISO 14971. +### Risk Control Verification Methods -**Risk Control Hierarchy:** -1. **Inherent Safety by Design** - - Design modifications eliminating hazards - - Fail-safe design implementation - - Redundancy and diversity application - - Human factors engineering integration +| Method | When to Use | Evidence | +|--------|-------------|----------| +| Test | Quantifiable performance | Test report | +| Inspection | Physical presence | Inspection record | +| Analysis | Design calculation | Analysis report | +| Review | Documentation check | Review record | -2. **Protective Measures in the Medical Device** - - Alarms and alert systems - - Automatic shut-off mechanisms - - Physical barriers and shields - - Software safety functions +### Residual Risk Evaluation -3. **Information for Safety** - - User training and education - - Labeling and instructions for use - - Warning systems and alerts - - Contraindications and precautions +| After Control | Action | +|---------------|--------| +| Acceptable | Document, proceed | +| ALARP achieved | Document rationale, proceed | +| Still unacceptable | Additional control or design change | +| New hazard introduced | Analyze and control new hazard | -**Risk Control Verification:** -- Risk control effectiveness testing and validation -- Verification protocol development and execution -- Test results analysis and documentation -- Risk control performance monitoring +--- -## Advanced Risk Management Applications +## Post-Production Risk Management -### Software Risk Management (IEC 62304 Integration) -Integrate software lifecycle processes with risk management ensuring comprehensive software safety assessment. +Monitor and update risk management throughout product lifecycle. -**Software Risk Management Process:** -- **Software Safety Classification**: Class A, B, or C determination -- **Software Hazard Analysis**: Software contribution to hazardous situations -- **Software Risk Control**: Architecture and design safety measures -- **Software Risk Management File**: Integration with overall risk management file +### Workflow: Post-Production Risk Monitoring -### Cybersecurity Risk Management -Implement cybersecurity risk management per FDA guidance and emerging international standards. +1. Identify information sources: + - Customer complaints + - Service reports + - Vigilance/adverse events + - Literature monitoring + - Clinical studies +2. Establish collection procedures +3. Define review triggers: + - New hazard identified + - Increased frequency of known hazard + - Serious incident + - Regulatory feedback +4. Analyze incoming information for risk relevance +5. Update risk management file as needed +6. Communicate significant findings +7. Conduct periodic risk management review +8. **Validation:** Information sources monitored; file current; reviews completed per schedule -**Cybersecurity Risk Framework:** -1. **Cybersecurity Threat Modeling** - - Asset identification and vulnerability assessment - - Threat source analysis and attack vector evaluation - - Impact assessment on patient safety and device functionality - - Cybersecurity risk estimation and prioritization +### Information Sources -2. **Cybersecurity Controls Implementation** - - **Preventive Controls**: Authentication, authorization, encryption - - **Detective Controls**: Monitoring, logging, intrusion detection - - **Corrective Controls**: Incident response, recovery procedures - - **Compensating Controls**: Additional safeguards and mitigations +| Source | Information Type | Review Frequency | +|--------|------------------|------------------| +| Complaints | Use issues, failures | Continuous | +| Service | Field failures, repairs | Monthly | +| Vigilance | Serious incidents | Immediate | +| Literature | Similar device issues | Quarterly | +| Regulatory | Authority feedback | As received | +| Clinical | PMCF data | Per plan | -### Human Factors and Use Error Risk Management -Integrate human factors engineering with risk management addressing use-related risks. +### Risk Management File Update Triggers -**Use Error Risk Management:** -- **Use-Related Risk Analysis**: Task analysis and use scenario evaluation -- **Use Error Identification**: Critical task and use error analysis -- **Use Error Risk Estimation**: Probability and severity assessment -- **Use Error Risk Control**: Design controls and user interface optimization +| Trigger | Response Time | Action | +|---------|---------------|--------| +| Serious incident | Immediate | Full risk review | +| New hazard identified | 30 days | Risk analysis update | +| Trend increase | 60 days | Trend analysis | +| Design change | Before implementation | Impact assessment | +| Standards update | Per transition period | Gap analysis | -## Risk Management File Management +### Periodic Review Requirements -### Risk Management Documentation -Maintain comprehensive risk management files ensuring traceability and regulatory compliance. +| Review Element | Frequency | +|----------------|-----------| +| Risk management file completeness | Annual | +| Risk control effectiveness | Annual | +| Post-market information analysis | Quarterly | +| Risk-benefit conclusions | Annual or on new data | -**Risk Management File Structure:** -- **Risk Management Plan**: Objectives, scope, criteria, and responsibilities -- **Risk Analysis Records**: Hazard identification, risk estimation, evaluation -- **Risk Control Records**: Control measures, verification, validation results -- **Production and Post-Production Information**: Surveillance data, updates -- **Risk Management Report**: Summary of risk management activities and conclusions +--- -### Risk Management File Maintenance -Ensure risk management files remain current throughout product lifecycle. +## Risk Assessment Templates -**File Maintenance Protocol:** -- **Design Change Impact Assessment**: Risk analysis updates for design changes -- **Post-Market Information Integration**: Surveillance data incorporation -- **Risk Control Effectiveness Review**: Ongoing effectiveness verification -- **Periodic Risk Management Review**: Systematic file review and updates +### Hazard Analysis Worksheet -## Cross-functional Integration +``` +HAZARD ANALYSIS WORKSHEET -### Quality Management System Integration -Ensure seamless integration of risk management with quality management system processes. +Product: [Device Name] +Document: HA-[Product]-[Rev] +Analyst: [Name] +Date: [Date] -**QMS-Risk Management Interface:** -- **Design Controls**: Risk management integration in design and development -- **Document Control**: Risk management file configuration management -- **CAPA Integration**: Risk assessment for corrective and preventive actions -- **Management Review**: Risk management performance reporting +| ID | Hazard | Hazardous Situation | Harm | P | S | Initial Risk | Control | Residual P | Residual S | Final Risk | +|----|--------|---------------------|------|---|---|--------------|---------|------------|------------|------------| +| H-001 | [Hazard] | [Situation] | [Harm] | [1-5] | [1-5] | [Level] | [Control ref] | [1-5] | [1-5] | [Level] | +``` -### Regulatory Submission Integration -Coordinate risk management documentation with regulatory submission requirements. +### FMEA Worksheet -**Regulatory Integration Points:** -- **FDA Submissions**: Risk analysis and risk management summaries -- **EU MDR Technical Documentation**: Risk management file integration -- **ISO 13485 Certification**: Risk management process compliance -- **Post-Market Requirements**: Risk management in post-market surveillance +``` +FMEA WORKSHEET -### Clinical and Post-Market Integration -Integrate risk management with clinical evaluation and post-market surveillance activities. +Product: [Device Name] +Subsystem: [Subsystem] +Analyst: [Name] +Date: [Date] -**Clinical-Risk Interface:** -- **Clinical Risk Assessment**: Clinical data integration with risk analysis -- **Clinical Investigation**: Risk management in clinical study design -- **Post-Market Surveillance**: Risk signal detection and evaluation -- **Clinical Evaluation Updates**: Risk-benefit analysis integration +| ID | Item | Function | Failure Mode | Effect | S | Cause | O | Control | D | RPN | Action | +|----|------|----------|--------------|--------|---|-------|---|---------|---|-----|--------| +| FM-001 | [Item] | [Function] | [Mode] | [Effect] | [1-10] | [Cause] | [1-10] | [Detection] | [1-10] | [S×O×D] | [Action] | -## Resources +RPN Action Thresholds: +>200: Critical - Immediate action +100-200: High - Action plan required +50-100: Medium - Consider action +<50: Low - Monitor +``` -### scripts/ -- `risk-assessment-automation.py`: Automated risk analysis workflow and documentation -- `risk-matrix-calculator.py`: Risk estimation and evaluation automation -- `risk-control-tracker.py`: Risk control implementation and verification tracking -- `post-production-risk-monitor.py`: Post-market risk information analysis +### Risk Management Report Summary -### references/ -- `iso14971-implementation-guide.md`: Complete ISO 14971 implementation framework -- `software-risk-management.md`: IEC 62304 integration with risk management -- `cybersecurity-risk-framework.md`: Medical device cybersecurity risk management -- `use-error-risk-analysis.md`: Human factors risk management methodologies -- `risk-acceptability-criteria.md`: Risk acceptability frameworks and examples +``` +RISK MANAGEMENT REPORT -### assets/ -- `risk-templates/`: Risk management plan, risk analysis, and risk control templates -- `risk-matrices/`: Standardized risk estimation and evaluation matrices -- `hazard-libraries/`: Medical device hazard identification libraries -- `training-materials/`: Risk management training and competency programs +Product: [Device Name] +Date: [Date] +Revision: [X.X] + +SUMMARY: +- Total hazards identified: [N] +- Risk controls implemented: [N] +- Residual risks: [N] Low, [N] Medium, [N] High +- Overall conclusion: [Acceptable / Not Acceptable] + +RISK DISTRIBUTION: +| Risk Level | Before Control | After Control | +|------------|----------------|---------------| +| Unacceptable | [N] | 0 | +| High | [N] | [N] | +| Medium | [N] | [N] | +| Low | [N] | [N] | + +CONTROLS IMPLEMENTED: +- Inherent safety: [N] +- Protective measures: [N] +- Information for safety: [N] + +OVERALL RESIDUAL RISK: [Acceptable / ALARP Demonstrated] +BENEFIT-RISK CONCLUSION: [If applicable] + +APPROVAL: +Risk Management Lead: _____________ Date: _______ +Quality Assurance: _____________ Date: _______ +``` + +--- + +## Decision Frameworks + +### Risk Control Selection + +``` +What is the risk level? + │ + ├── Unacceptable ──► Can hazard be eliminated? + │ │ + │ Yes─┴─No + │ │ │ + │ ▼ ▼ + │ Eliminate Can protective + │ hazard measure reduce? + │ │ + │ Yes─┴─No + │ │ │ + │ ▼ ▼ + │ Add Add warning + │ protection + training + │ + └── High/Medium ──► Apply hierarchy + starting at Level 1 +``` + +### New Hazard Analysis + +| Question | If Yes | If No | +|----------|--------|-------| +| Does control introduce new hazard? | Analyze new hazard | Proceed | +| Is new risk higher than original? | Reject control option | Acceptable trade-off | +| Can new hazard be controlled? | Add control | Reject control option | + +### Risk Acceptability Decision + +| Condition | Decision | +|-----------|----------| +| All risks Low | Acceptable | +| Medium risks with ALARP | Acceptable | +| High risks with ALARP documented | Acceptable if benefits outweigh | +| Any Unacceptable residual | Not acceptable - redesign | + +--- + +## Tools and References + +### Scripts + +| Tool | Purpose | Usage | +|------|---------|-------| +| [risk_matrix_calculator.py](scripts/risk_matrix_calculator.py) | Calculate risk levels and FMEA RPN | `python risk_matrix_calculator.py --help` | + +**Risk Matrix Calculator Features:** +- ISO 14971 5x5 risk matrix calculation +- FMEA RPN (Risk Priority Number) calculation +- Interactive mode for guided assessment +- Display risk criteria definitions +- JSON output for integration + +### References + +| Document | Content | +|----------|---------| +| [iso14971-implementation-guide.md](references/iso14971-implementation-guide.md) | Complete ISO 14971:2019 implementation with templates | +| [risk-analysis-methods.md](references/risk-analysis-methods.md) | FMEA, FTA, HAZOP, Use Error Analysis methods | + +### Quick Reference: ISO 14971 Process + +| Stage | Key Activities | Output | +|-------|----------------|--------| +| Planning | Define scope, criteria, responsibilities | Risk Management Plan | +| Analysis | Identify hazards, estimate risk | Hazard Analysis | +| Evaluation | Compare to criteria, ALARP assessment | Risk Evaluation | +| Control | Implement hierarchy, verify | Risk Control Records | +| Residual | Overall assessment, benefit-risk | Risk Management Report | +| Production | Monitor, review, update | Updated RM File | + +--- + +## Related Skills + +| Skill | Integration Point | +|-------|-------------------| +| [quality-manager-qms-iso13485](../quality-manager-qms-iso13485/) | QMS integration | +| [capa-officer](../capa-officer/) | Risk-based CAPA | +| [regulatory-affairs-head](../regulatory-affairs-head/) | Regulatory submissions | +| [quality-documentation-manager](../quality-documentation-manager/) | Risk file management | diff --git a/ra-qm-team/risk-management-specialist/assets/example_asset.txt b/ra-qm-team/risk-management-specialist/assets/example_asset.txt deleted file mode 100644 index d0ac204..0000000 --- a/ra-qm-team/risk-management-specialist/assets/example_asset.txt +++ /dev/null @@ -1,24 +0,0 @@ -# Example Asset File - -This placeholder represents where asset files would be stored. -Replace with actual asset files (templates, images, fonts, etc.) or delete if not needed. - -Asset files are NOT intended to be loaded into context, but rather used within -the output Claude produces. - -Example asset files from other skills: -- Brand guidelines: logo.png, slides_template.pptx -- Frontend builder: hello-world/ directory with HTML/React boilerplate -- Typography: custom-font.ttf, font-family.woff2 -- Data: sample_data.csv, test_dataset.json - -## Common Asset Types - -- Templates: .pptx, .docx, boilerplate directories -- Images: .png, .jpg, .svg, .gif -- Fonts: .ttf, .otf, .woff, .woff2 -- Boilerplate code: Project directories, starter files -- Icons: .ico, .svg -- Data files: .csv, .json, .xml, .yaml - -Note: This is a text placeholder. Actual assets can be any file type. diff --git a/ra-qm-team/risk-management-specialist/references/api_reference.md b/ra-qm-team/risk-management-specialist/references/api_reference.md deleted file mode 100644 index a2c821a..0000000 --- a/ra-qm-team/risk-management-specialist/references/api_reference.md +++ /dev/null @@ -1,34 +0,0 @@ -# Reference Documentation for Risk Management Specialist - -This is a placeholder for detailed reference documentation. -Replace with actual reference content or delete if not needed. - -Example real reference docs from other skills: -- product-management/references/communication.md - Comprehensive guide for status updates -- product-management/references/context_building.md - Deep-dive on gathering context -- bigquery/references/ - API references and query examples - -## When Reference Docs Are Useful - -Reference docs are ideal for: -- Comprehensive API documentation -- Detailed workflow guides -- Complex multi-step processes -- Information too lengthy for main SKILL.md -- Content that's only needed for specific use cases - -## Structure Suggestions - -### API Reference Example -- Overview -- Authentication -- Endpoints with examples -- Error codes -- Rate limits - -### Workflow Guide Example -- Prerequisites -- Step-by-step instructions -- Common patterns -- Troubleshooting -- Best practices diff --git a/ra-qm-team/risk-management-specialist/references/iso14971-implementation-guide.md b/ra-qm-team/risk-management-specialist/references/iso14971-implementation-guide.md new file mode 100644 index 0000000..c801176 --- /dev/null +++ b/ra-qm-team/risk-management-specialist/references/iso14971-implementation-guide.md @@ -0,0 +1,468 @@ +# ISO 14971:2019 Implementation Guide + +Complete implementation framework for medical device risk management per ISO 14971:2019. + +--- + +## Table of Contents + +- [Risk Management Planning](#risk-management-planning) +- [Risk Analysis](#risk-analysis) +- [Risk Evaluation](#risk-evaluation) +- [Risk Control](#risk-control) +- [Overall Residual Risk Evaluation](#overall-residual-risk-evaluation) +- [Risk Management Report](#risk-management-report) +- [Production and Post-Production Activities](#production-and-post-production-activities) + +--- + +## Risk Management Planning + +### Risk Management Plan Content + +| Element | Requirement | Documentation | +|---------|-------------|---------------| +| Scope | Medical device and lifecycle stages covered | Scope statement | +| Responsibilities | Personnel and authority assignments | Organization chart, RACI | +| Review Requirements | Timing and triggers for reviews | Review schedule | +| Acceptability Criteria | Risk acceptance matrix and policy | Risk acceptability criteria | +| Verification Activities | Methods for control verification | Verification plan | +| Production/Post-Production | Activities for ongoing risk management | Surveillance plan | + +### Risk Management Plan Template + +``` +RISK MANAGEMENT PLAN + +Document Number: RMP-[Product]-[Rev] +Product: [Device Name] +Revision: [X.X] +Effective Date: [Date] + +1. SCOPE AND PURPOSE + 1.1 Medical Device Description: [Description] + 1.2 Intended Use: [Statement] + 1.3 Lifecycle Stages Covered: [Design/Production/Post-Market] + 1.4 Plan Objectives: [Objectives] + +2. RESPONSIBILITIES AND AUTHORITIES + | Role | Responsibility | Authority | + |------|----------------|-----------| + | Risk Management Lead | Overall RM process | RM decisions | + | Design Engineer | Risk identification | Design changes | + | QA Manager | RM file review | File approval | + | Clinical | Clinical input | Clinical risk assessment | + +3. RISK ACCEPTABILITY CRITERIA + 3.1 Risk Matrix: [Reference to matrix] + 3.2 Acceptability Policy: [Acceptable/ALARP/Unacceptable definitions] + 3.3 Benefit-Risk Considerations: [When applicable] + +4. VERIFICATION ACTIVITIES + 4.1 Risk Control Verification Methods: [Test, Analysis, Review] + 4.2 Verification Timing: [Design phase, V&V] + 4.3 Acceptance Criteria: [Pass/fail criteria] + +5. PRODUCTION AND POST-PRODUCTION + 5.1 Information Collection: [Sources] + 5.2 Review Triggers: [Events requiring review] + 5.3 Update Process: [RM file update procedure] + +6. REVIEW AND APPROVAL + Prepared By: _________________ Date: _______ + Reviewed By: _________________ Date: _______ + Approved By: _________________ Date: _______ +``` + +### Risk Acceptability Criteria Definition + +| Risk Level | Definition | Action Required | +|------------|------------|-----------------| +| Broadly Acceptable | Risk so low that no action needed | Document and monitor | +| ALARP (Tolerable) | Risk reduced as low as reasonably practicable | Verify ALARP, consider benefit | +| Unacceptable | Risk exceeds acceptable threshold | Risk control mandatory | + +### Risk Matrix Example (5x5) + +| Probability \ Severity | Negligible | Minor | Serious | Critical | Catastrophic | +|------------------------|------------|-------|---------|----------|--------------| +| Frequent | Medium | High | High | Unacceptable | Unacceptable | +| Probable | Low | Medium | High | High | Unacceptable | +| Occasional | Low | Medium | Medium | High | High | +| Remote | Low | Low | Medium | Medium | High | +| Improbable | Low | Low | Low | Medium | Medium | + +**Risk Level Actions:** +- **Low (Acceptable):** Document, no action required +- **Medium (ALARP):** Consider risk reduction, document rationale +- **High (ALARP):** Risk reduction required unless ALARP demonstrated +- **Unacceptable:** Risk reduction mandatory before proceeding + +--- + +## Risk Analysis + +### Hazard Identification Methods + +| Method | Application | Standard Reference | +|--------|-------------|-------------------| +| FMEA | Component/subsystem failures | IEC 60812 | +| FTA | System-level failure analysis | IEC 61025 | +| HAZOP | Process hazard identification | IEC 61882 | +| PHA | Preliminary hazard assessment | - | +| Use FMEA | Use-related hazards | IEC 62366-1 | + +### Intended Use Analysis Checklist + +| Category | Questions to Address | +|----------|---------------------| +| Medical Purpose | What condition is treated/diagnosed? | +| Patient Population | Age, health status, contraindications? | +| User Population | Healthcare professional, patient, caregiver? | +| Use Environment | Hospital, home, ambulatory? | +| Duration | Single use, repeated, continuous? | +| Body Contact | External, internal, implanted? | + +### Hazard Categories (Informative Annex C) + +| Category | Examples | +|----------|----------| +| Energy | Electrical, thermal, mechanical, radiation | +| Biological | Bioburden, pyrogens, biocompatibility | +| Chemical | Residues, degradation products, leachables | +| Operational | Incorrect output, delayed function, unexpected operation | +| Information | Incomplete instructions, inadequate warnings | +| Use Environment | Electromagnetic, mechanical stress | + +### Hazardous Situation Documentation + +``` +HAZARD ANALYSIS WORKSHEET + +Product: [Device Name] +Analyst: [Name] +Date: [Date] + +| ID | Hazard | Hazardous Situation | Sequence of Events | Harm | P1 | P2 | Initial Risk | +|----|--------|--------------------|--------------------|------|----|----|--------------| +| H-001 | [Hazard] | [Situation] | [Sequence] | [Harm] | [Prob] | [Sev] | [Level] | + +P1 = Probability of hazardous situation occurring +P2 = Probability of harm given hazardous situation +Initial Risk = Risk before controls +``` + +### Risk Estimation + +**Probability Categories:** + +| Level | Term | Definition | Frequency | +|-------|------|------------|-----------| +| 5 | Frequent | Expected to occur | >10⁻³ | +| 4 | Probable | Likely to occur | 10⁻³ to 10⁻⁴ | +| 3 | Occasional | May occur | 10⁻⁴ to 10⁻⁵ | +| 2 | Remote | Unlikely to occur | 10⁻⁵ to 10⁻⁶ | +| 1 | Improbable | Very unlikely | <10⁻⁶ | + +**Severity Categories:** + +| Level | Term | Definition | Patient Impact | +|-------|------|------------|----------------| +| 5 | Catastrophic | Results in death | Death | +| 4 | Critical | Results in permanent impairment | Permanent impairment | +| 3 | Serious | Results in injury requiring intervention | Injury requiring treatment | +| 2 | Minor | Results in temporary injury | Temporary discomfort | +| 1 | Negligible | Inconvenience or temporary discomfort | No injury | + +--- + +## Risk Evaluation + +### Evaluation Workflow + +1. Apply risk acceptability criteria to estimated risk +2. Determine if risk is acceptable, ALARP, or unacceptable +3. For ALARP risks, document ALARP demonstration +4. For unacceptable risks, proceed to risk control +5. Document evaluation rationale +6. **Validation:** All risks evaluated against criteria; rationale documented + +### Risk Acceptability Decision + +| Initial Risk | Benefit Available | Decision | +|--------------|-------------------|----------| +| Acceptable | N/A | Accept, document | +| ALARP | No | Verify ALARP | +| ALARP | Yes | Include in benefit-risk | +| Unacceptable | No | Design change required | +| Unacceptable | Yes | Benefit-risk analysis | + +### ALARP Demonstration + +| Criterion | Evidence Required | +|-----------|-------------------| +| Technical feasibility | Analysis of alternatives | +| Economic proportionality | Cost-benefit assessment | +| State of the art | Review of similar devices | +| User acceptance | Stakeholder input | + +--- + +## Risk Control + +### Risk Control Hierarchy + +| Priority | Control Type | Examples | +|----------|--------------|----------| +| 1 | Inherent safety by design | Remove hazard, substitute material | +| 2 | Protective measures in device | Guards, alarms, software limits | +| 3 | Information for safety | Warnings, training, IFU | + +### Risk Control Option Analysis + +``` +RISK CONTROL OPTION ANALYSIS + +Hazard ID: [H-XXX] +Risk Level: [Unacceptable/High] + +| Option | Control Type | Effectiveness | Feasibility | New Risks | Selected | +|--------|--------------|---------------|-------------|-----------|----------| +| Option 1 | [Type] | [H/M/L] | [H/M/L] | [Yes/No] | [Yes/No] | +| Option 2 | [Type] | [H/M/L] | [H/M/L] | [Yes/No] | [Yes/No] | + +Selected Option: [Option X] +Rationale: [Justification] +``` + +### Risk Control Implementation Record + +``` +RISK CONTROL IMPLEMENTATION + +Control ID: RC-[XXX] +Related Hazard: H-[XXX] + +Control Description: [Description] +Control Type: [ ] Inherent Safety [ ] Protective Measure [ ] Information + +Implementation: +- Specification/Requirement: [Reference] +- Design Document: [Reference] +- Verification Method: [Test/Analysis/Review] +- Verification Criteria: [Pass criteria] + +Verification: +- Protocol Reference: [Document] +- Execution Date: [Date] +- Result: [ ] Pass [ ] Fail +- Evidence Reference: [Document] + +New Risks Introduced: [ ] Yes [ ] No +If Yes: [New Hazard ID references] + +Residual Risk: +- P1: [Probability] +- P2: [Severity] +- Residual Risk Level: [Level] + +Approved By: _________________ Date: _______ +``` + +### Risk Control Verification Methods + +| Method | Application | Evidence | +|--------|-------------|----------| +| Test | Quantifiable control effectiveness | Test report | +| Inspection | Physical control presence | Inspection record | +| Analysis | Design analysis confirmation | Analysis report | +| Review | Document/drawing review | Review record | + +--- + +## Overall Residual Risk Evaluation + +### Evaluation Process + +1. Compile all individual residual risks +2. Consider cumulative effects of residual risks +3. Assess overall residual risk acceptability +4. Conduct benefit-risk analysis if required +5. Document overall evaluation conclusion +6. **Validation:** All residual risks compiled; overall evaluation complete + +### Benefit-Risk Analysis + +| Factor | Assessment | +|--------|------------| +| Clinical Benefit | Documented therapeutic benefit | +| State of the Art | Comparison to alternative treatments | +| Patient Expectation | Benefit patient would accept | +| Medical Opinion | Clinical expert input | +| Risk Quantification | Residual risk characterization | + +### Benefit-Risk Documentation + +``` +BENEFIT-RISK ANALYSIS + +Product: [Device Name] +Date: [Date] + +BENEFITS: +1. Primary Clinical Benefit: [Description] + - Evidence: [Reference] + - Magnitude: [Quantification] + +2. Secondary Benefits: [List] + +RISKS: +1. Residual Risks Summary: + | Risk Category | Count | Highest Level | + |---------------|-------|---------------| + | Acceptable | [N] | Low | + | ALARP | [N] | Medium/High | + +2. Cumulative Considerations: [Assessment] + +COMPARISON: +- State of the Art: [How device compares] +- Alternative Treatments: [Risk comparison] +- Patient Acceptance: [Expected acceptance] + +CONCLUSION: +[ ] Benefits outweigh risks - Acceptable +[ ] Benefits do not outweigh risks - Not Acceptable + +Rationale: [Justification] + +Approved By: _________________ Date: _______ +``` + +--- + +## Risk Management Report + +### Report Content Requirements + +| Section | Content | +|---------|---------| +| Results of Risk Analysis | Summary of hazards and risks identified | +| Risk Control Decisions | Controls selected and implemented | +| Overall Residual Risk | Evaluation and acceptability conclusion | +| Benefit-Risk Conclusion | If applicable | +| Review and Approval | Formal sign-off | + +### Risk Management Report Template + +``` +RISK MANAGEMENT REPORT + +Document Number: RMR-[Product]-[Rev] +Product: [Device Name] +Date: [Date] + +1. EXECUTIVE SUMMARY + - Total hazards identified: [N] + - Risk controls implemented: [N] + - Residual risks: [N] acceptable, [N] ALARP + - Overall conclusion: [Acceptable/Not Acceptable] + +2. RISK ANALYSIS SUMMARY + - Methods used: [FMEA, FTA, etc.] + - Scope coverage: [Lifecycle stages] + - Hazard categories addressed: [List] + +3. RISK EVALUATION SUMMARY + | Risk Level | Before Control | After Control | + |------------|----------------|---------------| + | Unacceptable | [N] | [N] | + | High | [N] | [N] | + | Medium | [N] | [N] | + | Low | [N] | [N] | + +4. RISK CONTROL SUMMARY + - Inherent safety controls: [N] + - Protective measures: [N] + - Information for safety: [N] + - All controls verified: [Yes/No] + +5. OVERALL RESIDUAL RISK + - Individual residual risks: [Summary] + - Cumulative assessment: [Conclusion] + - Acceptability: [Acceptable/ALARP demonstrated] + +6. BENEFIT-RISK ANALYSIS (if applicable) + - Conclusion: [Statement] + +7. PRODUCTION AND POST-PRODUCTION + - Monitoring plan: [Reference] + - Review triggers: [List] + +8. CONCLUSION + [Statement of overall risk acceptability] + +9. APPROVAL + Risk Management Lead: _________________ Date: _______ + Quality Assurance: _________________ Date: _______ + Management Representative: _________________ Date: _______ +``` + +--- + +## Production and Post-Production Activities + +### Information Sources + +| Source | Information Type | Review Frequency | +|--------|------------------|------------------| +| Complaints | Use-related issues, failures | Continuous | +| Service Reports | Field failures, repairs | Monthly | +| Vigilance Reports | Serious incidents | Immediate | +| Literature | Similar device issues | Quarterly | +| Regulatory Feedback | Authority communications | As received | +| Clinical Data | Post-market clinical follow-up | Per PMCF plan | + +### Risk Management File Update Triggers + +| Trigger | Action Required | +|---------|-----------------| +| New hazard identified | Risk analysis update | +| Control failure | Risk control reassessment | +| Serious incident | Immediate risk review | +| Design change | Impact assessment | +| Standards update | Compliance review | +| Regulatory feedback | Risk evaluation update | + +### Risk Management Review Record + +``` +RISK MANAGEMENT REVIEW RECORD + +Review Date: [Date] +Review Type: [ ] Periodic [ ] Triggered +Trigger (if applicable): [Description] + +INFORMATION REVIEWED: +| Source | Period | Findings | +|--------|--------|----------| +| Complaints | [Period] | [Summary] | +| Vigilance | [Period] | [Summary] | +| Literature | [Period] | [Summary] | + +RISK MANAGEMENT FILE STATUS: +- Current and complete: [ ] Yes [ ] No +- Updates required: [ ] Yes [ ] No + +ACTIONS: +| Action | Owner | Due Date | +|--------|-------|----------| +| [Action 1] | [Name] | [Date] | + +CONCLUSION: +[ ] No changes to risk profile +[ ] Risk profile updated - see [Document Reference] +[ ] Further investigation required + +Reviewed By: _________________ Date: _______ +``` diff --git a/ra-qm-team/risk-management-specialist/references/risk-analysis-methods.md b/ra-qm-team/risk-management-specialist/references/risk-analysis-methods.md new file mode 100644 index 0000000..e1ac146 --- /dev/null +++ b/ra-qm-team/risk-management-specialist/references/risk-analysis-methods.md @@ -0,0 +1,415 @@ +# Risk Analysis Methods + +Systematic techniques for hazard identification and risk analysis in medical device development. + +--- + +## Table of Contents + +- [Method Selection Guide](#method-selection-guide) +- [FMEA - Failure Mode and Effects Analysis](#fmea---failure-mode-and-effects-analysis) +- [FTA - Fault Tree Analysis](#fta---fault-tree-analysis) +- [HAZOP - Hazard and Operability Study](#hazop---hazard-and-operability-study) +- [Use Error Analysis](#use-error-analysis) +- [Software Hazard Analysis](#software-hazard-analysis) + +--- + +## Method Selection Guide + +### Method Application Matrix + +| Method | Best For | Standard | Complexity | +|--------|----------|----------|------------| +| FMEA | Component/process failures | IEC 60812 | Medium | +| FTA | System-level failure analysis | IEC 61025 | High | +| HAZOP | Process deviations | IEC 61882 | Medium | +| PHA | Early hazard screening | - | Low | +| Use FMEA | Use-related hazards | IEC 62366-1 | Medium | +| STPA | Software/system interactions | - | High | + +### Selection Decision Tree + +``` +What is the analysis focus? + │ + ├── Component failures → FMEA + │ + ├── System-level failure → FTA + │ + ├── Process deviations → HAZOP + │ + ├── User interaction → Use Error Analysis + │ + └── Software behavior → Software FMEA/STPA +``` + +### When to Use Each Method + +| Project Phase | Recommended Methods | +|---------------|---------------------| +| Concept | PHA, initial FTA | +| Design | FMEA, detailed FTA | +| Development | Use Error Analysis, Software HA | +| Verification | FMEA review, FTA validation | +| Production | Process FMEA | +| Post-Market | Trend analysis, FMEA updates | + +--- + +## FMEA - Failure Mode and Effects Analysis + +### FMEA Overview + +| Aspect | Description | +|--------|-------------| +| Purpose | Identify potential failure modes and their effects | +| Approach | Bottom-up analysis from component to system | +| Output | Failure mode list with severity, occurrence, detection ratings | +| Standard | IEC 60812 | + +### FMEA Process Workflow + +1. Define scope and system boundaries +2. Develop functional block diagram +3. Identify failure modes for each component/function +4. Determine effects of each failure mode (local, next level, end) +5. Assign severity rating +6. Identify potential causes +7. Assign occurrence rating +8. Identify current controls (detection) +9. Assign detection rating +10. Calculate Risk Priority Number (RPN) or use risk matrix +11. Determine actions for high-priority items +12. **Validation:** All components analyzed; RPNs calculated; actions assigned for high risks + +### FMEA Worksheet Template + +``` +FMEA WORKSHEET + +Product: [Device Name] +Subsystem: [Subsystem] +FMEA Lead: [Name] +Date: [Date] + +| ID | Item/Function | Failure Mode | Effect (Local) | Effect (End) | S | Cause | O | Controls | D | RPN | Action | +|----|---------------|--------------|----------------|--------------|---|-------|---|----------|---|-----|--------| +| FM-001 | [Item] | [Mode] | [Local Effect] | [End Effect] | [1-10] | [Cause] | [1-10] | [Detection] | [1-10] | [S×O×D] | [Action] | + +S = Severity (1=None, 10=Catastrophic) +O = Occurrence (1=Remote, 10=Frequent) +D = Detection (1=Certain, 10=Cannot Detect) +RPN = Risk Priority Number +``` + +### Severity Rating Scale + +| Rating | Severity | Criteria | +|--------|----------|----------| +| 10 | Hazardous | Death or regulatory non-compliance | +| 9 | Serious | Serious injury, major function loss | +| 8 | Major | Significant injury, major inconvenience | +| 7 | High | Minor injury, significant inconvenience | +| 6 | Moderate | Discomfort, partial function loss | +| 5 | Low | Some performance loss | +| 4 | Very Low | Minor performance degradation | +| 3 | Minor | Noticeable effect, no function loss | +| 2 | Very Minor | Negligible effect | +| 1 | None | No effect | + +### Occurrence Rating Scale + +| Rating | Occurrence | Probability | +|--------|------------|-------------| +| 10 | Almost Certain | >1 in 2 | +| 9 | Very High | 1 in 3 | +| 8 | High | 1 in 8 | +| 7 | Moderately High | 1 in 20 | +| 6 | Moderate | 1 in 80 | +| 5 | Low | 1 in 400 | +| 4 | Very Low | 1 in 2,000 | +| 3 | Remote | 1 in 15,000 | +| 2 | Very Remote | 1 in 150,000 | +| 1 | Nearly Impossible | <1 in 1,500,000 | + +### Detection Rating Scale + +| Rating | Detection | Likelihood of Detection | +|--------|-----------|------------------------| +| 10 | Absolute Uncertainty | Cannot detect | +| 9 | Very Remote | Very remote chance | +| 8 | Remote | Remote chance | +| 7 | Very Low | Very low chance | +| 6 | Low | Low chance | +| 5 | Moderate | Moderate chance | +| 4 | Moderately High | Moderately high chance | +| 3 | High | High chance | +| 2 | Very High | Very high chance | +| 1 | Almost Certain | Will detect | + +### RPN Action Thresholds + +| RPN Range | Priority | Action | +|-----------|----------|--------| +| >200 | Critical | Immediate action required | +| 100-200 | High | Action plan required | +| 50-100 | Medium | Consider action | +| <50 | Low | Monitor | + +--- + +## FTA - Fault Tree Analysis + +### FTA Overview + +| Aspect | Description | +|--------|-------------| +| Purpose | Determine combinations of events leading to top event | +| Approach | Top-down deductive analysis | +| Output | Fault tree diagram with cut sets | +| Standard | IEC 61025 | + +### FTA Process Workflow + +1. Define top event (undesired system state) +2. Identify immediate causes using logic gates +3. Continue decomposition to basic events +4. Draw fault tree diagram +5. Identify cut sets (combinations causing top event) +6. Calculate probability if quantitative analysis required +7. Identify single points of failure +8. **Validation:** All branches complete; cut sets identified; single points documented + +### Fault Tree Symbols + +| Symbol | Name | Meaning | +|--------|------|---------| +| Rectangle | Intermediate Event | Event resulting from other events | +| Circle | Basic Event | Primary event, no further development | +| Diamond | Undeveloped Event | Not analyzed further | +| House | House Event | Event expected to occur (condition) | +| AND Gate | AND | All inputs required for output | +| OR Gate | OR | Any input causes output | + +### FTA Worksheet Template + +``` +FAULT TREE ANALYSIS + +Top Event: [Description of undesired state] +System: [System name] +Analyst: [Name] +Date: [Date] + +BASIC EVENTS: +| ID | Event | Description | Probability | Control | +|----|-------|-------------|-------------|---------| +| BE-001 | [Event] | [Description] | [P] | [Control] | + +CUT SETS: +| Cut Set | Events | Order | Probability | +|---------|--------|-------|-------------| +| CS-001 | BE-001 | 1 | [P] | +| CS-002 | BE-001, BE-002 | 2 | [P] | + +SINGLE POINTS OF FAILURE: +| Event | Risk | Mitigation | +|-------|------|------------| +| [Event] | [Risk assessment] | [Mitigation strategy] | +``` + +### Cut Set Analysis + +| Cut Set Order | Meaning | Criticality | +|---------------|---------|-------------| +| First Order | Single event causes top event | Highest - single point of failure | +| Second Order | Two events required | High | +| Third Order | Three events required | Moderate | +| Higher Order | Four+ events required | Lower | + +--- + +## HAZOP - Hazard and Operability Study + +### HAZOP Overview + +| Aspect | Description | +|--------|-------------| +| Purpose | Identify deviations from intended operation | +| Approach | Systematic examination using guide words | +| Output | Deviation analysis with consequences and safeguards | +| Standard | IEC 61882 | + +### HAZOP Guide Words + +| Guide Word | Meaning | Example Application | +|------------|---------|---------------------| +| NO/NOT | Complete negation | No flow, no signal | +| MORE | Quantitative increase | More pressure, more current | +| LESS | Quantitative decrease | Less flow, less voltage | +| AS WELL AS | Qualitative increase | Extra component, contamination | +| PART OF | Qualitative decrease | Missing component | +| REVERSE | Logical opposite | Reverse flow, reverse polarity | +| OTHER THAN | Complete substitution | Wrong material, wrong signal | +| EARLY | Time-related | Early activation | +| LATE | Time-related | Delayed response | + +### HAZOP Process Workflow + +1. Select study node (process section or component) +2. Describe design intent for the node +3. Apply guide words to identify deviations +4. Determine causes of each deviation +5. Assess consequences +6. Identify existing safeguards +7. Recommend actions if needed +8. **Validation:** All nodes analyzed; all guide words applied; actions assigned + +### HAZOP Worksheet Template + +``` +HAZOP WORKSHEET + +System: [System Name] +Node: [Node Description] +Design Intent: [What the node is supposed to do] +Team Lead: [Name] +Date: [Date] + +| Guide Word | Deviation | Causes | Consequences | Safeguards | Actions | +|------------|-----------|--------|--------------|------------|---------| +| NO | [No + parameter] | [Causes] | [Consequences] | [Existing] | [Recommendations] | +| MORE | [More + parameter] | [Causes] | [Consequences] | [Existing] | [Recommendations] | +| LESS | [Less + parameter] | [Causes] | [Consequences] | [Existing] | [Recommendations] | +``` + +--- + +## Use Error Analysis + +### Use Error Analysis Overview + +| Aspect | Description | +|--------|-------------| +| Purpose | Identify use-related hazards and mitigations | +| Approach | Task analysis combined with error prediction | +| Output | Use error list with risk controls | +| Standard | IEC 62366-1 | + +### Use Error Categories + +| Category | Description | Examples | +|----------|-------------|----------| +| Perception Error | Failure to perceive information | Missing alarm, unclear display | +| Cognition Error | Failure to understand | Misinterpretation, wrong decision | +| Action Error | Incorrect physical action | Wrong button, slip, lapse | +| Memory Error | Failure to recall | Forgotten step, omission | + +### Use Error Analysis Process + +1. Identify user tasks and subtasks +2. Identify potential use errors for each task +3. Determine consequences of each use error +4. Estimate probability of use error +5. Identify design features contributing to error +6. Define risk control measures +7. Verify control effectiveness +8. **Validation:** All critical tasks analyzed; errors identified; controls defined + +### Use Error Worksheet Template + +``` +USE ERROR ANALYSIS + +Device: [Device Name] +Task: [Task Description] +User: [User Profile] +Analyst: [Name] +Date: [Date] + +| Step | User Action | Potential Use Error | Error Type | Cause | Consequence | S | P | Risk | Control | +|------|-------------|--------------------| -----------|-------|-------------|---|---|------|---------| +| 1 | [Action] | [Error] | [Type] | [Cause] | [Harm] | [S] | [P] | [Level] | [Control] | + +Error Types: Perception (P), Cognition (C), Action (A), Memory (M) +``` + +### Human Factors Risk Controls + +| Control Type | Examples | +|--------------|----------| +| Design | Forcing functions, constraints, affordances | +| Feedback | Visual, auditory, tactile confirmation | +| Labeling | Clear instructions, warnings, symbols | +| Training | User education, competency verification | +| Environment | Adequate lighting, noise reduction | + +--- + +## Software Hazard Analysis + +### Software Hazard Analysis Overview + +| Aspect | Description | +|--------|-------------| +| Purpose | Identify software contribution to hazards | +| Approach | Analysis of software failure modes and behaviors | +| Output | Software hazard list with safety requirements | +| Standard | IEC 62304 | + +### Software Safety Classification + +| Class | Contribution to Hazard | Rigor Required | +|-------|------------------------|----------------| +| A | No contribution possible | Basic | +| B | Non-serious injury possible | Moderate | +| C | Death or serious injury possible | High | + +### Software Hazard Categories + +| Category | Description | Examples | +|----------|-------------|----------| +| Omission | Required function not performed | Missing safety check | +| Commission | Incorrect function performed | Wrong calculation | +| Timing | Function at wrong time | Delayed alarm | +| Value | Function with wrong value | Incorrect dose | +| Sequence | Functions in wrong order | Steps reversed | + +### Software FMEA Worksheet + +``` +SOFTWARE FMEA + +Software Item: [Module/Function Name] +Safety Class: [A/B/C] +Analyst: [Name] +Date: [Date] + +| ID | Function | Failure Mode | Cause | Effect on System | Effect on Patient | S | P | Risk | Mitigation | +|----|----------|--------------|-------|------------------|-------------------|---|---|------|------------| +| SW-001 | [Function] | [Mode] | [Cause] | [System effect] | [Patient effect] | [S] | [P] | [Level] | [Control] | + +Failure Mode Types: Omission, Commission, Timing, Value, Sequence +``` + +### Software Risk Controls + +| Control Type | Implementation | +|--------------|----------------| +| Defensive Programming | Input validation, range checking | +| Error Handling | Exception handling, graceful degradation | +| Redundancy | Dual channels, voting logic | +| Watchdog | Timeout monitoring, heartbeat | +| Self-Test | Power-on diagnostics, runtime checks | +| Separation | Independence of safety functions | + +### Traceability Requirements + +| From | To | Purpose | +|------|------|---------| +| Software Hazard | Software Requirement | Hazard addressed | +| Software Requirement | Architecture | Requirement implemented | +| Architecture | Code | Design realized | +| Code | Test | Verification coverage | +| Test | Hazard | Control verified | diff --git a/ra-qm-team/risk-management-specialist/scripts/example.py b/ra-qm-team/risk-management-specialist/scripts/example.py deleted file mode 100755 index a6218fc..0000000 --- a/ra-qm-team/risk-management-specialist/scripts/example.py +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env python3 -""" -Example helper script for risk-management-specialist - -This is a placeholder script that can be executed directly. -Replace with actual implementation or delete if not needed. - -Example real scripts from other skills: -- pdf/scripts/fill_fillable_fields.py - Fills PDF form fields -- pdf/scripts/convert_pdf_to_images.py - Converts PDF pages to images -""" - -def main(): - print("This is an example script for risk-management-specialist") - # TODO: Add actual script logic here - # This could be data processing, file conversion, API calls, etc. - -if __name__ == "__main__": - main() diff --git a/ra-qm-team/risk-management-specialist/scripts/risk_matrix_calculator.py b/ra-qm-team/risk-management-specialist/scripts/risk_matrix_calculator.py new file mode 100644 index 0000000..958b55b --- /dev/null +++ b/ra-qm-team/risk-management-specialist/scripts/risk_matrix_calculator.py @@ -0,0 +1,419 @@ +#!/usr/bin/env python3 +""" +Risk Matrix Calculator + +Calculate risk levels based on probability and severity ratings per ISO 14971. +Supports multiple risk matrix configurations and FMEA RPN calculations. + +Usage: + python risk_matrix_calculator.py --probability 3 --severity 4 + python risk_matrix_calculator.py --fmea --severity 8 --occurrence 5 --detection 6 + python risk_matrix_calculator.py --interactive + python risk_matrix_calculator.py --list-criteria +""" + +import argparse +import json +import sys +from typing import Tuple, Optional + + +# Standard 5x5 Risk Matrix per ISO 14971 common practice +PROBABILITY_LEVELS = { + 1: {"name": "Improbable", "description": "Very unlikely to occur", "frequency": "<10^-6"}, + 2: {"name": "Remote", "description": "Unlikely to occur", "frequency": "10^-5 to 10^-6"}, + 3: {"name": "Occasional", "description": "May occur", "frequency": "10^-4 to 10^-5"}, + 4: {"name": "Probable", "description": "Likely to occur", "frequency": "10^-3 to 10^-4"}, + 5: {"name": "Frequent", "description": "Expected to occur", "frequency": ">10^-3"} +} + +SEVERITY_LEVELS = { + 1: {"name": "Negligible", "description": "Inconvenience or temporary discomfort", "harm": "No injury"}, + 2: {"name": "Minor", "description": "Temporary injury not requiring intervention", "harm": "Temporary discomfort"}, + 3: {"name": "Serious", "description": "Injury requiring professional intervention", "harm": "Reversible injury"}, + 4: {"name": "Critical", "description": "Permanent impairment or life-threatening", "harm": "Permanent impairment"}, + 5: {"name": "Catastrophic", "description": "Death", "harm": "Death"} +} + +# Risk matrix: RISK_MATRIX[probability][severity] = risk_level +RISK_MATRIX = { + 1: {1: "Low", 2: "Low", 3: "Low", 4: "Medium", 5: "Medium"}, + 2: {1: "Low", 2: "Low", 3: "Medium", 4: "Medium", 5: "High"}, + 3: {1: "Low", 2: "Medium", 3: "Medium", 4: "High", 5: "High"}, + 4: {1: "Medium", 2: "Medium", 3: "High", 4: "High", 5: "Unacceptable"}, + 5: {1: "Medium", 2: "High", 3: "High", 4: "Unacceptable", 5: "Unacceptable"} +} + +# Risk level definitions and required actions +RISK_ACTIONS = { + "Low": { + "acceptable": True, + "action": "Document and accept. No further action required.", + "color": "green" + }, + "Medium": { + "acceptable": "ALARP", + "action": "Reduce risk if practicable. Document ALARP rationale if not reduced.", + "color": "yellow" + }, + "High": { + "acceptable": "ALARP", + "action": "Risk reduction required. Must demonstrate ALARP if residual risk remains high.", + "color": "orange" + }, + "Unacceptable": { + "acceptable": False, + "action": "Risk reduction mandatory. Design change required before proceeding.", + "color": "red" + } +} + +# FMEA scales (1-10) +FMEA_SEVERITY = { + 1: "No effect", + 2: "Very minor effect", + 3: "Minor effect", + 4: "Very low effect", + 5: "Low effect", + 6: "Moderate effect", + 7: "High effect", + 8: "Very high effect", + 9: "Hazardous with warning", + 10: "Hazardous without warning" +} + +FMEA_OCCURRENCE = { + 1: "Remote (<1 in 1,500,000)", + 2: "Very low (1 in 150,000)", + 3: "Low (1 in 15,000)", + 4: "Moderately low (1 in 2,000)", + 5: "Moderate (1 in 400)", + 6: "Moderately high (1 in 80)", + 7: "High (1 in 20)", + 8: "Very high (1 in 8)", + 9: "Extremely high (1 in 3)", + 10: "Almost certain (>1 in 2)" +} + +FMEA_DETECTION = { + 1: "Almost certain detection", + 2: "Very high detection", + 3: "High detection", + 4: "Moderately high detection", + 5: "Moderate detection", + 6: "Low detection", + 7: "Very low detection", + 8: "Remote detection", + 9: "Very remote detection", + 10: "Cannot detect" +} + + +def calculate_risk_level(probability: int, severity: int) -> dict: + """Calculate risk level from probability and severity ratings.""" + if probability < 1 or probability > 5: + return {"error": f"Probability must be 1-5, got {probability}"} + if severity < 1 or severity > 5: + return {"error": f"Severity must be 1-5, got {severity}"} + + risk_level = RISK_MATRIX[probability][severity] + risk_info = RISK_ACTIONS[risk_level] + + return { + "probability": { + "rating": probability, + **PROBABILITY_LEVELS[probability] + }, + "severity": { + "rating": severity, + **SEVERITY_LEVELS[severity] + }, + "risk_level": risk_level, + "acceptable": risk_info["acceptable"], + "action_required": risk_info["action"], + "risk_index": probability * severity + } + + +def calculate_rpn(severity: int, occurrence: int, detection: int) -> dict: + """Calculate FMEA Risk Priority Number.""" + if not all(1 <= x <= 10 for x in [severity, occurrence, detection]): + return {"error": "All FMEA ratings must be 1-10"} + + rpn = severity * occurrence * detection + + # Determine priority level + if rpn > 200: + priority = "Critical" + action = "Immediate action required" + elif rpn > 100: + priority = "High" + action = "Action plan required" + elif rpn > 50: + priority = "Medium" + action = "Consider risk reduction" + else: + priority = "Low" + action = "Monitor" + + return { + "severity": { + "rating": severity, + "description": FMEA_SEVERITY[severity] + }, + "occurrence": { + "rating": occurrence, + "description": FMEA_OCCURRENCE[occurrence] + }, + "detection": { + "rating": detection, + "description": FMEA_DETECTION[detection] + }, + "rpn": rpn, + "priority": priority, + "action_required": action, + "max_rpn": 1000, + "rpn_percentage": round(rpn / 10, 1) + } + + +def display_risk_matrix(): + """Display the full risk matrix.""" + print("\n" + "=" * 70) + print("ISO 14971 RISK MATRIX (5x5)") + print("=" * 70) + + # Header + print("\n" + " " * 15, end="") + for s in range(1, 6): + print(f"S{s:^10}", end="") + print() + + print(" " * 15, end="") + for s in range(1, 6): + print(f"{SEVERITY_LEVELS[s]['name'][:10]:^10}", end="") + print() + + print("-" * 70) + + # Matrix rows + for p in range(5, 0, -1): + print(f"P{p} {PROBABILITY_LEVELS[p]['name'][:10]:>10} |", end="") + for s in range(1, 6): + level = RISK_MATRIX[p][s] + print(f"{level:^10}", end="") + print() + + print("\n" + "-" * 70) + print("Risk Levels: Low (Acceptable) | Medium (ALARP) | High (ALARP) | Unacceptable") + print("=" * 70) + + +def display_criteria(): + """Display probability and severity criteria.""" + print("\n" + "=" * 70) + print("PROBABILITY CRITERIA") + print("=" * 70) + for level, info in PROBABILITY_LEVELS.items(): + print(f"\nP{level}: {info['name']}") + print(f" Description: {info['description']}") + print(f" Frequency: {info['frequency']}") + + print("\n" + "=" * 70) + print("SEVERITY CRITERIA") + print("=" * 70) + for level, info in SEVERITY_LEVELS.items(): + print(f"\nS{level}: {info['name']}") + print(f" Description: {info['description']}") + print(f" Harm: {info['harm']}") + + print("\n" + "=" * 70) + print("RISK LEVEL ACTIONS") + print("=" * 70) + for level, info in RISK_ACTIONS.items(): + acceptable = "Yes" if info['acceptable'] == True else ("ALARP" if info['acceptable'] == "ALARP" else "No") + print(f"\n{level}:") + print(f" Acceptable: {acceptable}") + print(f" Action: {info['action']}") + + +def format_result_text(result: dict, analysis_type: str) -> str: + """Format result for text output.""" + lines = [] + lines.append("\n" + "=" * 50) + + if analysis_type == "risk": + lines.append("RISK ASSESSMENT RESULT") + lines.append("=" * 50) + lines.append(f"\nProbability: P{result['probability']['rating']} - {result['probability']['name']}") + lines.append(f" {result['probability']['description']}") + lines.append(f"\nSeverity: S{result['severity']['rating']} - {result['severity']['name']}") + lines.append(f" {result['severity']['description']}") + lines.append(f"\n{'-' * 50}") + lines.append(f"RISK LEVEL: {result['risk_level']}") + lines.append(f"Risk Index: {result['risk_index']} (P × S)") + lines.append(f"Acceptable: {result['acceptable']}") + lines.append(f"\nAction Required:") + lines.append(f" {result['action_required']}") + + elif analysis_type == "fmea": + lines.append("FMEA RPN CALCULATION") + lines.append("=" * 50) + lines.append(f"\nSeverity: {result['severity']['rating']}/10") + lines.append(f" {result['severity']['description']}") + lines.append(f"\nOccurrence: {result['occurrence']['rating']}/10") + lines.append(f" {result['occurrence']['description']}") + lines.append(f"\nDetection: {result['detection']['rating']}/10") + lines.append(f" {result['detection']['description']}") + lines.append(f"\n{'-' * 50}") + lines.append(f"RPN: {result['rpn']} / {result['max_rpn']} ({result['rpn_percentage']}%)") + lines.append(f"Priority: {result['priority']}") + lines.append(f"\nAction Required:") + lines.append(f" {result['action_required']}") + + lines.append("=" * 50) + return "\n".join(lines) + + +def interactive_mode(): + """Run interactive risk assessment.""" + print("\n" + "=" * 50) + print("RISK MATRIX CALCULATOR - Interactive Mode") + print("=" * 50) + + print("\nSelect analysis type:") + print("1. Risk Matrix (ISO 14971 style)") + print("2. FMEA RPN Calculation") + print("3. Display Risk Matrix") + print("4. Display Criteria") + print("5. Exit") + + choice = input("\nEnter choice (1-5): ").strip() + + if choice == "1": + display_criteria() + print("\n" + "-" * 50) + try: + p = int(input("Enter Probability (1-5): ")) + s = int(input("Enter Severity (1-5): ")) + result = calculate_risk_level(p, s) + if "error" in result: + print(f"\nError: {result['error']}") + else: + print(format_result_text(result, "risk")) + except ValueError: + print("Invalid input. Please enter numbers.") + + elif choice == "2": + print("\nFMEA Scales:") + print(" Severity: 1 (No effect) to 10 (Hazardous without warning)") + print(" Occurrence: 1 (Remote) to 10 (Almost certain)") + print(" Detection: 1 (Almost certain) to 10 (Cannot detect)") + print("-" * 50) + try: + s = int(input("Enter Severity (1-10): ")) + o = int(input("Enter Occurrence (1-10): ")) + d = int(input("Enter Detection (1-10): ")) + result = calculate_rpn(s, o, d) + if "error" in result: + print(f"\nError: {result['error']}") + else: + print(format_result_text(result, "fmea")) + except ValueError: + print("Invalid input. Please enter numbers.") + + elif choice == "3": + display_risk_matrix() + + elif choice == "4": + display_criteria() + + elif choice == "5": + print("Exiting.") + return + + else: + print("Invalid choice.") + + +def main(): + parser = argparse.ArgumentParser( + description="Calculate risk levels per ISO 14971 or FMEA RPN", + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + # ISO 14971 risk matrix calculation + python risk_matrix_calculator.py --probability 3 --severity 4 + + # FMEA RPN calculation + python risk_matrix_calculator.py --fmea --severity 8 --occurrence 5 --detection 6 + + # Interactive mode + python risk_matrix_calculator.py --interactive + + # Display risk matrix + python risk_matrix_calculator.py --show-matrix + + # Display criteria definitions + python risk_matrix_calculator.py --list-criteria + + # JSON output + python risk_matrix_calculator.py -p 4 -s 3 --output json + """ + ) + + parser.add_argument("-p", "--probability", type=int, help="Probability rating (1-5)") + parser.add_argument("-s", "--severity", type=int, help="Severity rating (1-5 for risk, 1-10 for FMEA)") + parser.add_argument("-o", "--occurrence", type=int, help="FMEA occurrence rating (1-10)") + parser.add_argument("-d", "--detection", type=int, help="FMEA detection rating (1-10)") + parser.add_argument("--fmea", action="store_true", help="Use FMEA RPN calculation") + parser.add_argument("--output", choices=["text", "json"], default="text", help="Output format") + parser.add_argument("--show-matrix", action="store_true", help="Display risk matrix") + parser.add_argument("--list-criteria", action="store_true", help="Display probability and severity criteria") + parser.add_argument("--interactive", action="store_true", help="Run in interactive mode") + + args = parser.parse_args() + + if args.interactive: + interactive_mode() + return + + if args.show_matrix: + display_risk_matrix() + return + + if args.list_criteria: + display_criteria() + return + + if args.fmea: + if not all([args.severity, args.occurrence, args.detection]): + parser.error("FMEA requires --severity, --occurrence, and --detection") + + result = calculate_rpn(args.severity, args.occurrence, args.detection) + if "error" in result: + print(f"Error: {result['error']}") + sys.exit(1) + + if args.output == "json": + print(json.dumps(result, indent=2)) + else: + print(format_result_text(result, "fmea")) + + else: + if not all([args.probability, args.severity]): + parser.error("Risk calculation requires --probability and --severity") + + result = calculate_risk_level(args.probability, args.severity) + if "error" in result: + print(f"Error: {result['error']}") + sys.exit(1) + + if args.output == "json": + print(json.dumps(result, indent=2)) + else: + print(format_result_text(result, "risk")) + + +if __name__ == "__main__": + main()