Featured Product
This Week in Quality Digest Live
Quality Insider Features
Kate Zabriskie
Misguided incentives create misaligned consequences
Chengyi Lin
The right metrics can align objectives in flexible work arrangements
Jake Mazulewicz
Three tips from high-reliability organizations
Aaron Heinrich
An optimal process requires an innovative control algorithm
Dave Gilson
Getting out of the boardroom for a stroll changes how women navigate

More Features

Quality Insider News
Sensors can be customized to meet unique operating and configuration specifications
Founders John Schuldt and Mary Chisholm retiring after 40 years
Reliable, remote visual inspections and diagnostics in hard-to-reach areas
Ideal for dusty manufacturing environments, explosive atmospheres
Optimized for cured tire runout and bulge measurement
With coupling capacitor approach that eliminates the need for an external sensor
High-performance standard and custom silicon and InGaAs photodetectors
Verifying performance of products on tubular disc and cable conveyors

More News

Mary McAtee

Quality Insider

Better Risk Assessment and Controls

Understand your roles and responsibilities

Published: Thursday, April 2, 2015 - 11:00

In almost everything in quality there are multiple facets of responsibility. The same applies when we talk about cybersecurity and threat assessment.

The last time I spoke about this topic I addressed our responsibility for protecting our own organization’s intellectual property and security. This time I’m concerned with how we protect those who depend on the products and services we provide. Market demands for increasingly intelligent products, coupled with rapidly evolving software and wireless technology, provides the means for companies to deliver exactly what the market demands. What is equally clear is that the ability of companies to assess the risk for the user and their privacy is not coming close to keeping pace with these advances. Just because the capability for smart devices is more readily available is no guarantee that prudent product management decisions are being made. The media is filled with stories about misuse of everything from baby monitors to auto-assist parking in late model vehicles.

I recently attended a seminar concerning FDA regulatory requirements specific to software as a part of a medical device, or in some cases, the device itself. Half of the two-day event was devoted to putting the attending companies on notice that the responsibility for prudent risk assessment and controls was squarely on the product provider. The FDA is strengthening their guidance documents and position on cybersecurity, governance, definitions, and controls for wireless devices in particular. Responsibilities related to enforcement are being shared with NIST and, in a smaller role, the FCC. A complete and cogent understanding of what is required for prudent development and risk management for software is currently all over the map, relative to compliance.

There are manufacturers of smart toys that communicate with your child, and smart TVs that record at least some of the interaction with the consumer and send it wirelessly back to the developer. Many companies partner with a software development organization and simply purchase the technology with little understanding of the potential for misuse and harm to the consumer. On the other end of the spectrum are companies like Google, who know they have a lot of skin in the game. They employ a tightly managed group of very savvy hackers who spend all their time doing their best to hack every line of code written by Google developers. The goal is to harden the code and thwart criminals before they can harm the Google user community.

Looking at litigation related to software as part of a product, the courts seem to be taking the same position as the FDA; that is, the product provider has the majority of responsibility for assuring that a prudent assessment of risk resulted in reasonable steps to mitigate the potential for misuse. This appears to extend to even inadvertent misuse, particularly by children and the elderly.

Risk assessment, mitigation, and controls are no longer a “nice to have” component of a quality and compliance system. Every company needs to ensure that they have included prudent risk assessment and controls against the potential misuse of all of their offerings. Extend your thinking about standard risk calculations to include normal, out of process, and misuse as conditions for assessment. Here’s how:
• Begin conducting regular design risk management meetings as part of your product management process.
• Make sure you include this mindset in your test and quality assurance programs, and in your assessment of warranty claims and customer feedback.
• Treat your CAPA and complaint process as your early warning system that the users of your product may be exposed to cyber threats and potential harm, even inadvertently.
• Take the proper steps to ensure that your company does not stumble in the race to embrace new technology.

The sizzle of enticing new features is great, but make sure your customers don’t choke on the steak.

First published March 17, 2015, on the Quality Management 2.0 Blog.

Discuss

About The Author

Mary McAtee’s picture

Mary McAtee

Mary McAtee has been a member of the Siemens organization for more than 20 years. She is a 40-year quality professional specializing in reliability engineering for semiconductor and nuclear devices. McAtee is an exam-qualified lead assessor for ISO 9001, ISO 14001, ISO 13485, IATF 16949, and TickIT. She has lead several organizations to successful registrations to various standards and has written and presented on the topic of compliance and quality extensively over the years. She is working with organizations in the United States and Europe to develop a broader uniform interpretation of primary norms and compliance standards.