Exercise set

Medical Device Risk Management, FMEA, and Residual Risk Exercises

Worked medical-device risk exercises for RPN, residual risk, diagnostic coverage, reliability, sterilization, supplier change, complaints and release gates.

These exercises focus on medical-device engineering risk management: FMEA-style scoring, risk-control effectiveness, residual risk, diagnostic coverage, reliability, sterilization evidence, supplier change impact, complaints and release gates. Verification testing and validation evidence are covered in separate specialist exercise sets.

This page is not regulatory or clinical advice. It trains engineering reasoning around risk evidence, controls and release decisions; real device programs must follow the applicable standards, regulations and quality-system procedures.

How to use these exercises

Use the set as a risk-control release review. Exercises 1 to 4 establish initial RPN, risk-control effect, high-severity blockers and verification coverage. Exercises 5 to 8 check diagnostic coverage, residual hazardous exposure, reliability and zero-failure confidence. Exercises 9 to 13 add sterilization, corrosion, fatigue, supplier-change impact and proof-test intervals. Exercises 14 to 18 connect complaint trends, priority ranking, common-cause reliability, change-impact closure and the final risk release gate.

Before calculating, state the hazard, hazardous situation, harm, sequence of events, risk control, release configuration and evidence source. A lower RPN is not release evidence unless the control is verified and the residual risk is explicitly accepted. The engineering comment below each exercise identifies whether the result calls for mitigation, verification, benefit-risk rationale, change review, field investigation or hold.

Release Evidence Notes

Risk evidence should state hazard, hazardous situation, harm, sequence of events, initial risk, control, verification evidence, residual risk and release decision. A lower score does not close a risk if a high-severity blocker remains unresolved.

The evidence package should separate risk estimation, control verification and residual-risk disposition. Risk estimation prioritizes the problem. Control verification proves the mitigation exists on the release configuration. Residual-risk disposition decides whether the remaining harm scenario is acceptable, needs more mitigation or blocks release.

Lifecycle evidence should remain connected to the risk file. Supplier changes, sterilization process changes, complaint trends, common-cause dependencies and reliability shortfalls can reopen a risk even after the original design control was verified.

Engineering Boundary Notes

RPN and simplified probability calculations are screening tools. They do not replace a full risk-management file, clinical evaluation, usability engineering, software safety analysis, process validation or post-market surveillance.

The main boundary is severity. High-severity harms may require explicit disposition regardless of RPN. The second boundary is independence: reliability calculations and diagnostic coverage can overstate safety if common-cause failures, shared power, shared software, shared material lots or field-use dependencies are not considered.

Common Release Mistakes

  • using RPN reduction to hide unresolved high severity;
  • counting a risk control without verifying it on the release configuration;
  • ignoring false negative behavior in diagnostic controls;
  • multiplying independent reliabilities when a common cause exists;
  • treating sterilization log reduction as device-level safety by itself;
  • approving a supplier change without material, process and risk impact evidence.

Another common mistake is closing change impact by counting completed forms rather than affected evidence. A material, supplier, software or process change should map to requirements, risk controls, process validations, labeling, usability and post-market assumptions before release.

Do not treat complaint trend triggers as proof of causality or as harmless noise. A trigger is a governance signal: it should start investigation, risk-file review, CAPA screening or continued monitoring according to the predefined rule.

Scenario Map

Scenario                | Main calculation                      | Release decision
FMEA                    | severity, occurrence and detection    | Prioritize and control risk.
Residual risk           | control effect and remaining exposure | Accept, mitigate or block.
Reliability             | mission probability and confidence    | Release or extend test.
Process/material change | impact count and coverage             | Approve change or repeat evidence.
Lifecycle signal        | complaints and CAPA trigger           | Monitor or investigate.

Validation Package Checklist

  • hazard, harm and initial risk rationale;
  • risk-control design and verification evidence;
  • residual-risk decision and high-severity disposition;
  • reliability, diagnostic and process evidence;
  • supplier/change impact and affected configurations;
  • post-release monitoring trigger and rollback action;
  • common-cause assumptions, shared dependencies and proof-test intervals;
  • complaint trend, CAPA screen and field feedback disposition;
  • release status: accept, mitigate, investigate, justify, restrict or hold.

A complete validation package should make the residual-risk decision auditable. Another engineer should be able to see why the risk was prioritized, how the control was verified, what residual harm remains, what lifecycle signal would reopen the file and who owns the release decision.

Exercise 1: Initial RPN

A failure mode has severity S=8, occurrence O=4 and detection D=5. Compute RPN.

Solution

RPN=S\cdot O\cdot D=8(4)(5)=160

Engineering Comment

RPN is a prioritization aid. Severity should still be reviewed separately.

Plausibility Check

The product of three one-digit scores can easily reach hundreds.

Exercise 2: RPN After Control

A design control reduces occurrence from 4 to 2 and improves detection from 5 to 3. Severity remains 8. Compute new RPN and reduction percentage.

Solution

RPN_{new}=8(2)(3)=48
R=\dfrac{160-48}{160}=70\%

Engineering Comment

The control must be verified; a planned reduction is not evidence.

Plausibility Check

Both occurrence and detection improved, so RPN falls substantially.

Exercise 3: Residual High-Severity Blocker

Residual severity is 9, occurrence 1 and detection 2, so RPN is low. A release rule blocks any unresolved severity 9 or 10 hazard without documented benefit-risk rationale. Does the low RPN close the risk?

Solution

Residual RPN:

RPN=9(1)(2)=18

But severity blocker applies:

S=9

The risk is not closed by RPN alone.

Engineering Comment

High-severity residual hazards need explicit disposition, not only score reduction.

Plausibility Check

The score is low, but the rule is severity-based.

Exercise 4: Control Verification Coverage

A risk control has 12 required verification cases. Ten pass, one fails and one is not executed. Compute clean closure.

Solution

C=\dfrac{10}{12}=83.3\%

The control is not closed.

Engineering Comment

Failed and unexecuted cases both keep the control open.

Plausibility Check

Two non-clean cases out of twelve leaves five sixths closed.

Exercise 5: Diagnostic Coverage

A diagnostic detects 186 of 200 injected hazardous faults. Compute diagnostic coverage.

Solution

DC=\dfrac{186}{200}=93.0\%

Engineering Comment

The undetected fault set is often more important than the headline coverage number.

Plausibility Check

Fourteen missed faults out of two hundred gives seven percent missed.

Exercise 6: Residual Hazardous Exposure

Hazardous event rate is 2.0\times10^{-5} per hour. Diagnostic coverage is 93\%. Estimate undetected hazardous rate.

Solution

\lambda_u=(1-0.93)(2.0\times10^{-5})=1.4\times10^{-6}\ \text{per h}

Engineering Comment

Residual exposure should be compared with the device-specific risk acceptance rule.

Plausibility Check

Seven percent of the original rate remains.

Exercise 7: Reliability Over Mission Interval

A device has MTBF 12000\ \text{h} and mission interval 24\ \text{h}. Estimate reliability:

R=e^{-t/MTBF}

Solution

R=e^{-24/12000}=0.9980

Engineering Comment

The assumption of constant failure rate should be justified for the use case.

Plausibility Check

The mission interval is tiny compared with MTBF, so reliability is close to one.

Exercise 8: Zero-Failure Confidence

Zero failures are observed in 75 independent tests. Approximate upper failure probability at 95\% confidence using the rule p_u\approx 3/n.

Solution

p_u\approx\dfrac{3}{75}=0.040=4.0\%

Engineering Comment

Zero failures do not prove zero risk; sample size controls the confidence bound.

Plausibility Check

With only seventy-five tests, a few percent upper bound is plausible.

Exercise 9: Sterilization Log Reduction

A process starts with bioburden 10^5 organisms and achieves 8 log reduction. Estimate remaining expected organisms.

Solution

N=10^5\times10^{-8}=10^{-3}

Engineering Comment

Sterilization evidence also needs process validation, packaging and configuration control.

Plausibility Check

Eight logs of reduction from five logs leaves negative three logs.

Exercise 10: Corrosion Rate Screen

A material coupon loses 0.012\ \text{mm} thickness in 90 days. Estimate annualized corrosion rate.

Solution

r=0.012\times\dfrac{365}{90}=0.0487\ \text{mm/year}

Engineering Comment

Coupon conditions must represent the device environment before the rate is used for risk evidence.

Plausibility Check

Ninety days is about one quarter of a year, so annual rate is about four times the loss.

Exercise 11: Fatigue Margin

Expected alternating stress is 42\ \text{MPa} and verified endurance limit is 70\ \text{MPa}. Compute stress margin ratio.

Solution

M=\dfrac{70}{42}=1.67

Engineering Comment

Fatigue evidence should include environment, surface finish, notches and manufacturing variation.

Plausibility Check

The limit is about two thirds higher than expected stress.

Exercise 12: Supplier Change Impact

A supplier material change affects 6 requirements, 4 risk controls and 3 process validations. How many evidence items need impact disposition?

Solution

n=6+4+3=13

Engineering Comment

The change cannot be approved until each affected evidence item is dispositioned.

Plausibility Check

All affected categories are counted.

Exercise 13: Interlock Proof-Test Interval

An interlock has dangerous undetected failure rate 8.0\times10^{-6} per hour and proof-test interval 200\ \text{h}. Estimate average probability of dangerous failure:

PFD_{avg}\approx\dfrac{\lambda T}{2}

Solution

PFD_{avg}=\dfrac{(8.0\times10^{-6})(200)}{2}=8.0\times10^{-4}

Engineering Comment

Proof-test interval must be compatible with the risk-control claim and service workflow.

Plausibility Check

The product is small, and division by two gives a value below 0.001.

Exercise 14: Complaint Trend Risk Trigger

Baseline serious-complaint rate is 0.6 per 1000 device-months. Current rate is 1.0. Trigger threshold is 50\% increase. Does it trigger?

Solution

\Delta=\dfrac{1.0-0.6}{0.6}=66.7\%

Since 66.7\%>50\%, it triggers risk review.

Engineering Comment

Trend triggers start investigation; they do not alone determine causality.

Plausibility Check

The current rate is more than one and a half times baseline.

Exercise 15: FMEA Priority Ranking

Three failure modes have RPN values 48, 96 and 72. Rank them for review priority by RPN.

Solution

Descending order:

96>72>48

The 96 item is reviewed first by RPN.

Engineering Comment

Severity overrides may change priority even if RPN is lower.

Plausibility Check

The largest product gets first numerical priority.
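The FMEA scoring of Exercises 1, 2, 3 and 15 carried through in one place, as an added example that is not part of the original exercise set. It computes RPN and the reduction percentage, applies the severity-9 release rule of Exercise 3, and ranks a constructed list of failure modes so that an unresolved high-severity item is reviewed before the highest RPN, which is the override the Exercise 15 comment describes. The class and field names, the threshold default and the sample failure modes are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class FailureMode:
    """One FMEA line item. Field names are assumptions for this example."""
    name: str
    severity: int                        # S, 1-10
    occurrence: int                      # O, 1-10
    detection: int                       # D, 1-10 (higher = harder to detect)
    benefit_risk_rationale: bool = False  # documented disposition for S >= 9

    @property
    def rpn(self) -> int:
        # Exercise 1: RPN = S * O * D
        return self.severity * self.occurrence * self.detection


def rpn_reduction_pct(before: int, after: int) -> float:
    """Exercise 2: percentage reduction after a verified control."""
    return round((before - after) / before * 100, 1)


def severity_blocker(fm: FailureMode, threshold: int = 9) -> bool:
    """Exercise 3 release rule: an unresolved severity >= threshold hazard
    blocks release no matter how low its RPN is."""
    return fm.severity >= threshold and not fm.benefit_risk_rationale


def review_priority(modes: list[FailureMode]) -> list[FailureMode]:
    """Exercise 15 ranking (descending RPN) with the severity override from
    its engineering comment: unresolved blockers are reviewed first."""
    return sorted(modes, key=lambda fm: (not severity_blocker(fm), -fm.rpn))


def priority_names(modes: list[FailureMode]) -> list[str]:
    return [fm.name for fm in review_priority(modes)]


# Constructed sample FMEA lines (not from any real device file). The RPNs are
# the 48 / 96 / 72 of Exercise 15 plus the severity-9, RPN-18 item of Exercise 3.
SAMPLE_MODES = [
    FailureMode("pump_stall", severity=8, occurrence=2, detection=3),    # 48
    FailureMode("sensor_drift", severity=4, occurrence=4, detection=6),  # 96
    FailureMode("seal_leak", severity=6, occurrence=4, detection=3),     # 72
    FailureMode("overdose", severity=9, occurrence=1, detection=2),      # 18
]


if __name__ == "__main__":
    print("Exercise 1 RPN:", FailureMode("x", 8, 4, 5).rpn)
    print("Exercise 2 reduction:", rpn_reduction_pct(160, 48), "%")
    for fm in review_priority(SAMPLE_MODES):
        flag = " BLOCKER" if severity_blocker(fm) else ""
        print(f"{fm.name:13s} RPN={fm.rpn:3d}{flag}")
```

The sort key puts the blocker flag before the RPN on purpose: a reviewer who ranks by RPN alone would put the RPN-18 overdose item last, even though the severity rule makes it the one item that cannot be closed by scoring.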

Exercise 16: Common-Cause Reliability Screen

Two redundant sensors each have reliability 0.98, but both share a power dependency with reliability 0.97. Estimate combined system reliability if either sensor can work but power is required.

Solution

Sensor layer:

R_s=1-(1-0.98)^2=0.9996

With shared power:

R=0.9996(0.97)=0.9696

Engineering Comment

The common dependency dominates the redundant sensor pair.

Plausibility Check

The final result is close to the shared power reliability.
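The reliability arithmetic of Exercises 7, 8, 13 and 16 as an added example, not code from the exercise set. It goes slightly beyond the page in one place: for Exercise 8 it computes the exact zero-failure upper bound, the largest p with (1-p)^n at least 1-confidence, next to the 3/n shortcut, which is that bound's first-order approximation at 95 % confidence. For Exercise 16 it returns both the figure an independence assumption would give and the figure with the shared power supply in series, so the overstatement warned about in the boundary notes is visible. Function names are assumptions for this example.

```python
import math


def mission_reliability(mtbf_h: float, mission_h: float) -> float:
    """Exercise 7: constant failure rate, R = exp(-t / MTBF)."""
    return math.exp(-mission_h / mtbf_h)


def zero_failure_upper_bound(n_tests: int, confidence: float = 0.95) -> float:
    """Exact upper bound on failure probability p when 0 failures are seen in
    n independent tests: solve (1 - p)^n = 1 - confidence for p."""
    return 1.0 - (1.0 - confidence) ** (1.0 / n_tests)


def rule_of_three(n_tests: int) -> float:
    """Exercise 8 shortcut: p_u ~ 3/n, since -ln(0.05) is about 2.996."""
    return 3.0 / n_tests


def pfd_avg(lambda_du_per_h: float, proof_test_h: float) -> float:
    """Exercise 13: PFD_avg ~ lambda_DU * T / 2 for a proof-tested interlock."""
    return lambda_du_per_h * proof_test_h / 2.0


def parallel(*reliabilities: float) -> float:
    """1-out-of-n redundancy of independent elements: 1 - prod(1 - R_i)."""
    unavailable = 1.0
    for r in reliabilities:
        unavailable *= 1.0 - r
    return 1.0 - unavailable


def redundant_with_shared_dependency(r_element: float, n: int,
                                     r_shared: float) -> tuple[float, float]:
    """Exercise 16: n redundant elements behind one shared dependency (power).
    Returns (naive, actual): the figure an independence assumption would give,
    and the figure with the common cause placed in series."""
    naive = parallel(*([r_element] * n))
    return naive, naive * r_shared


if __name__ == "__main__":
    print("Exercise 7 R:", round(mission_reliability(12000, 24), 4))
    print("Exercise 8 exact:", round(zero_failure_upper_bound(75), 4),
          "rule of three:", rule_of_three(75))
    print("Exercise 13 PFD_avg:", pfd_avg(8.0e-6, 200))
    naive, actual = redundant_with_shared_dependency(0.98, 2, 0.97)
    print("Exercise 16 naive:", round(naive, 4), "with shared power:", round(actual, 4))
```

For the Exercise 16 numbers the naive figure is 0.9996 while the figure with shared power is 0.9696, below the single-sensor reliability of 0.98: adding a redundant sensor cannot buy back what the common dependency takes away.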

Exercise 17: Change-Impact Coverage

A change-impact review identifies 13 affected evidence items. Eleven are closed, one is deferred and one is unassigned. Compute closure percentage.

Solution

C=\dfrac{11}{13}=84.6\%

Engineering Comment

Deferred and unassigned evidence should block release unless explicitly justified by the change board.

Plausibility Check

Two open items out of thirteen leaves closure in the mid eighties.

Exercise 18: Risk Release Gate

A risk package has RPN reduced from 160 to 48, one residual severity-9 blocker without disposition, diagnostic coverage 93\%, supplier-change impact closure 84.6\%, common-cause reliability 0.9696 against 0.98 target and a serious-complaint trend increase 66.7\% against a 50\% trigger. Decide release status.

Solution

The severity blocker is unresolved:

S=9

Change-impact closure is incomplete:

84.6\%<100\%

Reliability target fails:

0.9696<0.98

Complaint trend triggers review:

66.7\%>50\%

Release should be held.

Engineering Comment

RPN reduction is not enough when high-severity residual risk, incomplete change evidence, reliability shortfall and field trend triggers remain.

Plausibility Check

Multiple independent risk gates fail, so the release decision is negative.
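The release gate of Exercise 18 as an added example that is not part of the exercise set. It runs each gate independently (severity disposition, change-impact closure from Exercise 17, reliability target, undetected hazardous rate from Exercises 5 and 6, and the complaint trend trigger from Exercise 14), collects every failure rather than stopping at the first, and resolves the overall status with the precedence hold, then mitigate, then investigate, then accept. The `RiskPackage` field names are assumptions, and the residual-rate acceptance limit of 2.0e-6 per hour is a constructed value because the page gives none; RPN reduction is reported for context only and is never a gate.

```python
from dataclasses import dataclass


@dataclass
class RiskPackage:
    """Summary of a risk package for the release gate. Field names and the
    residual-rate limit are assumptions for this example."""
    rpn_initial: int
    rpn_residual: int
    unresolved_high_severity: bool     # severity >= 9 with no benefit-risk rationale
    diagnostic_coverage: float         # fraction detected, Exercise 5
    hazardous_rate_per_h: float        # rate before diagnostics, Exercise 6
    residual_rate_limit_per_h: float   # device-specific acceptance rule (constructed)
    change_items_total: int            # Exercise 17
    change_items_closed: int
    reliability: float                 # Exercise 16 result
    reliability_target: float
    complaint_baseline: float          # serious complaints per 1000 device-months
    complaint_current: float
    complaint_trigger_increase: float  # fraction, Exercise 14


def closure_pct(closed: int, total: int) -> float:
    return round(closed / total * 100, 1)


def undetected_rate(rate_per_h: float, coverage: float) -> float:
    return (1.0 - coverage) * rate_per_h


def complaint_increase(baseline: float, current: float) -> float:
    return (current - baseline) / baseline


# Status precedence: hold beats mitigate beats investigate; otherwise accept.
PRECEDENCE = ("hold", "mitigate", "investigate")


def evaluate_release(pkg: RiskPackage) -> dict:
    """Run each gate independently and collect every failure, so the
    reviewer sees all open items rather than only the first one."""
    findings: list[tuple[str, str]] = []

    if pkg.unresolved_high_severity:
        findings.append(("hold", "residual severity >= 9 has no documented disposition"))

    c = closure_pct(pkg.change_items_closed, pkg.change_items_total)
    if c < 100.0:
        findings.append(("hold", f"change-impact closure {c}% < 100%"))

    if pkg.reliability < pkg.reliability_target:
        findings.append(("hold", f"reliability {pkg.reliability:.4f} < target {pkg.reliability_target}"))

    lam_u = undetected_rate(pkg.hazardous_rate_per_h, pkg.diagnostic_coverage)
    if lam_u > pkg.residual_rate_limit_per_h:
        findings.append(("mitigate", f"undetected hazardous rate {lam_u:.2e}/h exceeds limit"))

    inc = complaint_increase(pkg.complaint_baseline, pkg.complaint_current)
    if inc > pkg.complaint_trigger_increase:
        findings.append(("investigate", f"serious-complaint rate up {inc * 100:.1f}% > trigger"))

    status = next((s for s in PRECEDENCE if any(f[0] == s for f in findings)), "accept")
    reduction = round((pkg.rpn_initial - pkg.rpn_residual) / pkg.rpn_initial * 100, 1)
    # RPN reduction is context for the reviewer; it never closes a gate by itself.
    return {"status": status, "rpn_reduction_pct": reduction, "findings": findings}


# Constructed package matching the figures quoted in Exercise 18.
EXERCISE_18 = RiskPackage(
    rpn_initial=160, rpn_residual=48, unresolved_high_severity=True,
    diagnostic_coverage=0.93, hazardous_rate_per_h=2.0e-5, residual_rate_limit_per_h=2.0e-6,
    change_items_total=13, change_items_closed=11,
    reliability=0.9696, reliability_target=0.98,
    complaint_baseline=0.6, complaint_current=1.0, complaint_trigger_increase=0.50,
)


if __name__ == "__main__":
    result = evaluate_release(EXERCISE_18)
    print("status:", result["status"], "| RPN reduction:", result["rpn_reduction_pct"], "%")
    for state, msg in result["findings"]:
        print(f"  [{state}] {msg}")
```

With the Exercise 18 figures the undetected-rate gate passes against the constructed limit, and the other four gates fail exactly as the solution lists them; the status is hold because any single hold finding outranks everything else, which is the severity-first rule of the boundary notes expressed as code.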
