Exercise set
Medical Device Risk Management, FMEA, and Residual Risk Exercises
Worked medical-device risk exercises for RPN, residual risk, diagnostic coverage, reliability, sterilization, supplier change, complaints and release gates.
These exercises focus on medical-device engineering risk management: FMEA-style scoring, risk-control effectiveness, residual risk, diagnostic coverage, reliability, sterilization evidence, supplier change impact, complaints and release gates. Verification testing and validation evidence are covered in separate specialist exercise sets.
This page is not regulatory or clinical advice. It trains engineering reasoning around risk evidence, controls and release decisions; real device programs must follow the applicable standards, regulations and quality-system procedures.
How to use these exercises
Use the set as a risk-control release review. Exercises 1 to 4 establish initial RPN, risk-control effect, high-severity blockers and verification coverage. Exercises 5 to 8 check diagnostic coverage, residual hazardous exposure, reliability and zero-failure confidence. Exercises 9 to 13 add sterilization, corrosion, fatigue, supplier-change impact and proof-test intervals. Exercises 14 to 18 connect complaint trends, priority ranking, common-cause reliability, change-impact closure and the final risk release gate.
Before calculating, state the hazard, hazardous situation, harm, sequence of events, risk control, release configuration and evidence source. A lower RPN is not release evidence unless the control is verified and the residual risk is explicitly accepted. The engineering comment below each exercise identifies whether the result calls for mitigation, verification, benefit-risk rationale, change review, field investigation or hold.
Release Evidence Notes
Risk evidence should state hazard, hazardous situation, harm, sequence of events, initial risk, control, verification evidence, residual risk and release decision. A lower score does not close a risk if a high-severity blocker remains unresolved.
The evidence package should separate risk estimation, control verification and residual-risk disposition. Risk estimation prioritizes the problem. Control verification proves the mitigation exists on the release configuration. Residual-risk disposition decides whether the remaining harm scenario is acceptable, needs more mitigation or blocks release.
Lifecycle evidence should remain connected to the risk file. Supplier changes, sterilization process changes, complaint trends, common-cause dependencies and reliability shortfalls can reopen a risk even after the original design control was verified.
Engineering Boundary Notes
RPN and simplified probability calculations are screening tools. They do not replace a full risk-management file, clinical evaluation, usability engineering, software safety analysis, process validation or post-market surveillance.
The main boundary is severity. High-severity harms may require explicit disposition regardless of RPN. The second boundary is independence: reliability calculations and diagnostic coverage can overstate safety if common-cause failures, shared power, shared software, shared material lots or field-use dependencies are not considered.
Common Release Mistakes
- using RPN reduction to hide unresolved high severity;
- counting a risk control without verifying it on the release configuration;
- ignoring false negative behavior in diagnostic controls;
- multiplying independent reliabilities when a common cause exists;
- treating sterilization log reduction as device-level safety by itself;
- approving a supplier change without material, process and risk impact evidence.
Another common mistake is closing change impact by counting completed forms rather than affected evidence. A material, supplier, software or process change should map to requirements, risk controls, process validations, labeling, usability and post-market assumptions before release.
Do not treat complaint trend triggers as proof of causality or as harmless noise. A trigger is a governance signal: it should start investigation, risk-file review, CAPA screening or continued monitoring according to the predefined rule.
Scenario Map
| Scenario | Main calculation | Release decision |
|---|---|---|
| FMEA | severity, occurrence and detection | Prioritize and control risk. |
| Residual risk | control effect and remaining exposure | Accept, mitigate or block. |
| Reliability | mission probability and confidence | Release or extend test. |
| Process/material change | impact count and coverage | Approve change or repeat evidence. |
| Lifecycle signal | complaints and CAPA trigger | Monitor or investigate. |
Validation Package Checklist
- hazard, harm and initial risk rationale;
- risk-control design and verification evidence;
- residual-risk decision and high-severity disposition;
- reliability, diagnostic and process evidence;
- supplier/change impact and affected configurations;
- post-release monitoring trigger and rollback action;
- common-cause assumptions, shared dependencies and proof-test intervals;
- complaint trend, CAPA screen and field feedback disposition;
- release status: accept, mitigate, investigate, justify, restrict or hold.
A complete validation package should make the residual-risk decision auditable. Another engineer should be able to see why the risk was prioritized, how the control was verified, what residual harm remains, what lifecycle signal would reopen the file and who owns the release decision.
Exercise 1: Initial RPN
A failure mode has severity S=8, occurrence O=4 and detection D=5. Compute RPN.
Solution
Engineering Comment
RPN is a prioritization aid. Severity should still be reviewed separately.
Plausibility Check
The product of three one-digit scores can easily reach hundreds.
Exercise 2: RPN After Control
A design control reduces occurrence from 4 to 2 and improves detection from 5 to 3. Severity remains 8. Compute new RPN and reduction percentage.
Solution
Engineering Comment
The control must be verified; a planned reduction is not evidence.
Plausibility Check
Both occurrence and detection improved, so RPN falls substantially.
Exercise 3: Residual High-Severity Blocker
Residual severity is 9, occurrence 1 and detection 2, so RPN is low. A release rule blocks any unresolved severity 9 or 10 hazard without documented benefit-risk rationale. Does the low RPN close the risk?
Solution
Residual RPN:
But severity blocker applies:
The risk is not closed by RPN alone.
Engineering Comment
High-severity residual hazards need explicit disposition, not only score reduction.
Plausibility Check
The score is low, but the rule is severity-based.
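An added Python helper, not part of the original exercise set, that carries Exercises 1 to 3 through in code: it computes RPN, the reduction percentage after a control, and applies the severity 9-or-10 release rule. The 1..10 score range check and the "control verified" flag are assumptions of this example.

```python
from dataclasses import dataclass

# Release rule stated in Exercise 3: severity 9 or 10 blocks release
# unless a benefit-risk rationale is documented.
SEVERITY_BLOCK_THRESHOLD = 9


@dataclass(frozen=True)
class FailureMode:
    severity: int    # S, assumed 1..10
    occurrence: int  # O, assumed 1..10
    detection: int   # D, assumed 1..10 (10 = hardest to detect)

    def rpn(self) -> int:
        for score in (self.severity, self.occurrence, self.detection):
            if not 1 <= score <= 10:
                raise ValueError(f"FMEA score out of range: {score}")
        return self.severity * self.occurrence * self.detection


def rpn_reduction_pct(before: FailureMode, after: FailureMode) -> float:
    """Percentage reduction in RPN once a control is applied (Exercise 2)."""
    return round(100.0 * (before.rpn() - after.rpn()) / before.rpn(), 1)


def disposition(residual: FailureMode, control_verified: bool,
                benefit_risk_documented: bool) -> str:
    """Apply the page's rules: an unverified control is not evidence, and a
    high-severity residual hazard needs explicit disposition regardless of RPN."""
    if not control_verified:
        return "open: control not verified on release configuration"
    if residual.severity >= SEVERITY_BLOCK_THRESHOLD and not benefit_risk_documented:
        return f"blocked: severity {residual.severity} needs benefit-risk rationale"
    return f"closable: residual RPN {residual.rpn()}"


if __name__ == "__main__":
    initial = FailureMode(8, 4, 5)       # Exercise 1
    controlled = FailureMode(8, 2, 3)    # Exercise 2
    print(initial.rpn(), controlled.rpn(), rpn_reduction_pct(initial, controlled))
    print(disposition(FailureMode(9, 1, 2), True, False))   # Exercise 3
```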
Exercise 4: Control Verification Coverage
A risk control has 12 required verification cases. Ten pass, one fails and one is not executed. Compute clean closure.
Solution
The control is not closed.
Engineering Comment
Failed and unexecuted cases both keep the control open.
Plausibility Check
Two non-clean cases out of twelve leave five sixths closed.
Exercise 5: Diagnostic Coverage
A diagnostic detects 186 of 200 injected hazardous faults. Compute diagnostic coverage.
Solution
Engineering Comment
The undetected fault set is often more important than the headline coverage number.
Plausibility Check
Fourteen missed faults out of two hundred gives seven percent missed.
Exercise 6: Residual Hazardous Exposure
Hazardous event rate is $2.0\times10^{-5}$ per hour. Diagnostic coverage is $93\%$. Estimate undetected hazardous rate.
Solution
Engineering Comment
Residual exposure should be compared with the device-specific risk acceptance rule.
Plausibility Check
Seven percent of the original rate remains.
Exercise 7: Reliability Over Mission Interval
A device has MTBF $12000\ \text{h}$ and mission interval $24\ \text{h}$. Estimate reliability:
Solution
Engineering Comment
The assumption of constant failure rate should be justified for the use case.
Plausibility Check
The mission interval is tiny compared with MTBF, so reliability is close to one.
Exercise 8: Zero-Failure Confidence
Zero failures are observed in 75 independent tests. Approximate upper failure probability at $95\%$ confidence using the rule $p_u\approx 3/n$.
Solution
Engineering Comment
Zero failures do not prove zero risk; sample size controls the confidence bound.
Plausibility Check
With only seventy-five tests, a few percent upper bound is plausible.
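The screening formulas of Exercises 5 to 8 in one added Python example that is not part of the original page: diagnostic coverage, undetected hazardous rate, constant-failure-rate mission reliability and the rule-of-three bound. The acceptance-rate comparison helper and its threshold input are assumptions of this example.

```python
import math


def diagnostic_coverage(detected: int, injected: int) -> float:
    """Fraction of injected hazardous faults the diagnostic detects (Exercise 5)."""
    if injected <= 0 or not 0 <= detected <= injected:
        raise ValueError("detected must lie in 0..injected")
    return detected / injected


def undetected_hazard_rate(hazard_rate_per_h: float, coverage: float) -> float:
    """Residual hazardous rate: the missed fraction of the hazardous event
    rate passes the diagnostic unnoticed (Exercise 6)."""
    return hazard_rate_per_h * (1.0 - coverage)


def mission_reliability(mtbf_h: float, mission_h: float) -> float:
    """R(t) = exp(-t / MTBF); valid only under a constant failure rate (Exercise 7)."""
    return math.exp(-mission_h / mtbf_h)


def zero_failure_upper_bound(n_tests: int, failures: int = 0) -> float:
    """Rule-of-three screen for the 95% upper failure probability when no
    failures were seen (Exercise 8). Refuses to run if a failure occurred,
    since the rule is defined only for the zero-failure case."""
    if failures != 0:
        raise ValueError("rule of three applies only to zero observed failures")
    return 3.0 / n_tests


def residual_exposure_acceptable(undetected_rate_per_h: float,
                                 acceptance_rate_per_h: float) -> bool:
    """Compare residual exposure with a device-specific acceptance rule.
    The threshold is an assumed input; the page gives no numeric value."""
    return undetected_rate_per_h <= acceptance_rate_per_h


if __name__ == "__main__":
    dc = diagnostic_coverage(186, 200)              # 0.93
    print(dc, undetected_hazard_rate(2.0e-5, dc))  # 1.4e-6 per hour
    print(mission_reliability(12000, 24))          # about 0.998
    print(zero_failure_upper_bound(75))            # 0.04
```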
Exercise 9: Sterilization Log Reduction
A process starts with bioburden $10^5$ organisms and achieves 8 log reduction. Estimate remaining expected organisms.
Solution
Engineering Comment
Sterilization evidence also needs process validation, packaging and configuration control.
Plausibility Check
Eight logs of reduction from five logs leaves negative three logs.
Exercise 10: Corrosion Rate Screen
A material coupon loses $0.012\ \text{mm}$ thickness in 90 days. Estimate annualized corrosion rate.
Solution
Engineering Comment
Coupon conditions must represent the device environment before the rate is used for risk evidence.
Plausibility Check
Ninety days is about one quarter of a year, so the annual rate is about four times the loss.
Exercise 11: Fatigue Margin
Expected alternating stress is $42\ \text{MPa}$ and verified endurance limit is $70\ \text{MPa}$. Compute stress margin ratio.
Solution
Engineering Comment
Fatigue evidence should include environment, surface finish, notches and manufacturing variation.
Plausibility Check
The limit is about two thirds higher than the expected stress.
Exercise 12: Supplier Change Impact
A supplier material change affects 6 requirements, 4 risk controls and 3 process validations. How many evidence items need impact disposition?
Solution
Engineering Comment
The change cannot be approved until each affected evidence item is dispositioned.
Plausibility Check
All affected categories are counted.
Exercise 13: Interlock Proof-Test Interval
An interlock has dangerous undetected failure rate $8.0\times10^{-6}$ per hour and proof-test interval $200\ \text{h}$. Estimate average probability of dangerous failure:
Solution
Engineering Comment
Proof-test interval must be compatible with the risk-control claim and service workflow.
Plausibility Check
The product is small, and division by two gives a value below 0.001.
Exercise 14: Complaint Trend Risk Trigger
Baseline serious-complaint rate is 0.6 per 1000 device-months. Current rate is 1.0. Trigger threshold is $50\%$ increase. Does it trigger?
Solution
Since $66.7\%>50\%$, it triggers risk review.
Engineering Comment
Trend triggers start investigation; they do not alone determine causality.
Plausibility Check
The current rate is more than one and a half times baseline.
Exercise 15: FMEA Priority Ranking
Three failure modes have RPN values 48, 96 and 72. Rank them for review priority by RPN.
Solution
Descending order:
The 96 item is reviewed first by RPN.
Engineering Comment
Severity overrides may change priority even if RPN is lower.
Plausibility Check
The largest product gets first numerical priority.
Exercise 16: Common-Cause Reliability Screen
Two redundant sensors each have reliability 0.98, but both share a power dependency with reliability 0.97. Estimate combined system reliability if either sensor can work but power is required.
Solution
Sensor layer:
With shared power:
Engineering Comment
The common dependency dominates the redundant sensor pair.
Plausibility Check
The final result is close to the shared power reliability.
Exercise 17: Change-Impact Coverage
A change-impact review identifies 13 affected evidence items. Eleven are closed, one is deferred and one is unassigned. Compute closure percentage.
Solution
Engineering Comment
Deferred and unassigned evidence should block release unless explicitly justified by the change board.
Plausibility Check
Two open items out of thirteen leaves closure in the mid eighties.
Exercise 18: Risk Release Gate
A risk package has RPN reduced from 160 to 48, one residual severity-9 blocker without disposition, diagnostic coverage $93\%$, supplier-change impact closure $84.6\%$, common-cause reliability 0.9696 against 0.98 target and a serious-complaint trend increase $66.7\%$ against a $50\%$ trigger. Decide release status.
Solution
The severity blocker is unresolved:
Change-impact closure is incomplete:
Reliability target fails:
Complaint trend triggers review:
Release should be held.
Engineering Comment
RPN reduction is not enough when high-severity residual risk, incomplete change evidence, reliability shortfall and field trend triggers remain.
Plausibility Check
Multiple independent risk gates fail, so the release decision is negative.
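An added Python example, not from the original page, that evaluates the Exercise 18 release gate from the Exercise 14, 16 and 17 inputs. The RiskPackage field names and the rule that any single failed gate yields "hold" are assumptions of this example; the gate thresholds are the ones the exercise states.

```python
from dataclasses import dataclass
from typing import List, Tuple


def complaint_increase_pct(baseline_rate: float, current_rate: float) -> float:
    """Relative increase in serious-complaint rate (Exercise 14)."""
    return round(100.0 * (current_rate - baseline_rate) / baseline_rate, 1)


def closure_pct(closed: int, total: int) -> float:
    """Change-impact closure; deferred and unassigned items count as open (Exercise 17)."""
    return round(100.0 * closed / total, 1)


def common_cause_reliability(sensor_r: float, shared_power_r: float) -> float:
    """1-of-2 sensor pair that still needs a shared power supply (Exercise 16)."""
    sensor_layer = 1.0 - (1.0 - sensor_r) ** 2
    return round(sensor_layer * shared_power_r, 4)


@dataclass
class RiskPackage:
    rpn_before: int
    rpn_after: int
    unresolved_high_severity: int   # residual S>=9 hazards without disposition
    change_closure_pct: float
    reliability: float
    reliability_target: float
    complaint_increase_pct: float
    complaint_trigger_pct: float


def release_gate(pkg: RiskPackage) -> Tuple[str, List[str]]:
    """Evaluate each gate independently; any failed gate holds the release,
    so an RPN reduction alone never produces 'accept' (Exercise 18)."""
    findings: List[str] = []
    if pkg.unresolved_high_severity > 0:
        findings.append(f"{pkg.unresolved_high_severity} high-severity residual hazard(s) without disposition")
    if pkg.change_closure_pct < 100.0:
        findings.append(f"change-impact closure {pkg.change_closure_pct}% < 100%")
    if pkg.reliability < pkg.reliability_target:
        findings.append(f"reliability {pkg.reliability} < target {pkg.reliability_target}")
    if pkg.complaint_increase_pct > pkg.complaint_trigger_pct:
        findings.append(f"complaint trend +{pkg.complaint_increase_pct}% exceeds {pkg.complaint_trigger_pct}% trigger")
    return ("hold" if findings else "accept"), findings


if __name__ == "__main__":
    pkg = RiskPackage(160, 48, 1, closure_pct(11, 13),
                      common_cause_reliability(0.98, 0.97), 0.98,
                      complaint_increase_pct(0.6, 1.0), 50.0)
    status, reasons = release_gate(pkg)
    print(status, *reasons, sep="\n  ")
```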