Many medical device manufacturers are working with FMEA. The concern is, does FMEA meet the regulatory requirements as to mark? Is FMEA the same as risk analysis? Or even risk management according to ISO 14971?
This video is an extract from the online course Risk Management for Medical Devices and ISO 14971:2019.
What is FMEA?
FMEA stands for Failure Modes and Effects Analysis. Did you know that there is a standard for FMEA? It is called IEC 60812. When I refer to FMEA, I mean FMEA as it is defined in the IEC 60812 standard. And, why do I do that? The advantage of using the standards’ terms and concepts are that someone else has done the work for you on defining it. In fact, it is not only “someone” but a group of international experts that have done so.
This is what FMEA could look like. In this example, you can see a Design-FMEA or D-FMEA. The D-FMEA looks at components and what failure of such components would lead to. In this example, you can see how design choices or design failures leads to a breakdown of system performance. The risk is measured using an RPN number, which is short for risk priority number.
Here is another example, in this case, it is a Process-FMEA or P-FMEA. Instead of looking at how parts of the design could fail, you look at how the production process could fail. Please note the Pd, which is an abbreviation of the probability of detection or detectability. This is a measure of how easy it is to detect the failure and prevent it from being released and then actually having an impact on the reliability of the product. The more likely the failure is to be detected, the lower the Pd score, meaning the risk would receive lower priority on the RPN scale if you are likely to detect the failure.
How do you perform FMEA?
Having looked at these examples, you may have noticed that FMEA starts with details or components. You would be looking at how specific components or process steps could fail. And there was no mention of harm in these FMEAs, were there? And since you have only looked at failure, risks relating to normal use have not been included. FMEA…:
- starts with details / components
- looks only at how they fail
- does not include harm, and
- does not include risks in normal use
Let’s compare this with ISO 14971 risk management.
The 4 major differences between FMEA and ISO 14971:2019
1. Normal and fault conditions
Risk management according to ISO 14971 includes risks both from normal use, reasonably foreseeable misuse and fault conditions. Whereas FMEA only looks at risks relating to failure. This means that ISO 14971 would include for example the risk of infection when using a urinary catheter. As you may know, you could get such an infection even if the catheter was used exactly as prescribed, nothing was broken and the device was sterile when opening the packaging. You can still get an infection. This means that you get the infection during normal use, and it is a risk that should be addressed.
It may not mean that we can reduce it, but what we can do is to inform the users of this residual risk, so that they can make an informed decision on whether they want to use the product or not. This risk would never be captured when using FMEA.
2. Risk analysis starting with hazards
Below is an example of a hazard traceability matrix or risk analysis. Please note what you should start with on the left-hand side.
Risk analysis starts with hazards on the left-hand side of the table.
Hazards are potential sources of harm. The good thing about starting your risk management work with hazards is that in most cases you can identify the most important risks without doing any detailed design whatsoever.
In fact, you are likely to be able to come up with quite a few important risks already in the conceptual stage of product development.
Examples of potential sources of harm or hazards:
- Sharp edges
- Toxic residues from production.
And these hazards can be identified at a very early stage. And finding risks at an early stage usually saves a lot of money compared to finding them and having to mitigate them later on in a product development project. Or even worse, mitigating them after you have released your product.
On the other hand, if you are going to be looking at components or process steps in production, it requires that the design or process, in general, is quite mature. And this, by definition, will happen late in your product development, resulting in a late start in risk management.
3. Severity should be based on harm
Another major difference between ISO 14971 risk management and FMEA is that the severities are rated differently.
ISO 14971 will be looking at the severity based on the harm to people. Whereas FMEA looks at severity from a system performance point of view. Meaning that a small loss of function would be a low severity and a total breakdown of system performance is a high severity. Even if the partial loss of function kills a few patients, it is still low severity, because FMEA does normally not look at harm. And if you identify risks that kill people, they should have the highest severity in risk management when done according to regulatory requirements and ISO 14971.
4. Managing all risks?
The last major difference that I would like to bring up is that ISO 14971 risk management is a very comprehensive approach that will address and manage all risks related to a medical device. There are some minor exceptions to this, so using the word all is a very strong expression, but as a rule of thumb, it does hold water.
FMEA, on the other hand, is a reliability tool. Which by definition does not include all risks. BUT, if the safety of your system is dependent on reliability, for example as in the case of a life supporting medical device, using FMEA may be a good idea to achieve reliability and thereby also safety.
So, now you’ve seen the major differences between ISO 14971 risk management and FMEA according to the IEC 60812 standard. It is important to remember that if you only use FMEA, you do not meet the requirements of the ISO 14971 standard.
And this in turn usually means that you do not meet the requirements of the medical device regulation, nor are you likely to meet FDA’s expectations on risk management in the US.
If the product you are working with has essential performance, i. e. it has to function to be safe. If the product needs to function to be safe, the reliability is important, thus the FMEA should be considered. Even so, the FMEA will only be part of the overall risk management process and primarily focus on parts of the system that are essential to the performance.
If you perform only FMEA as defined in IEC 60812, you will not comply with the requirements of ISO 14971.