{domain:"www.qualitydigest.com",server:"169.47.211.87"} Skip to main content

        
User account menu
Main navigation
  • Topics
    • Customer Care
    • Regulated Industries
    • Research & Tech
    • Quality Improvement Tools
    • People Management
    • Metrology
    • Manufacturing
    • Roadshow
    • QMS & Standards
    • Statistical Methods
    • Resource Management
  • Videos/Webinars
    • All videos
    • Product Demos
    • Webinars
  • Advertise
    • Advertise
    • Submit B2B Press Release
    • Write for us
  • Metrology Hub
  • Training
  • Subscribe
  • Log in
Mobile Menu
  • Home
  • Topics
    • Customer Care
    • Regulated Industries
    • Research & Tech
    • Quality Improvement Tools
    • People Management
    • Metrology
    • Manufacturing
    • Roadshow
    • QMS & Standards
    • Statistical Methods
    • Supply Chain
    • Resource Management
  • Login / Subscribe
  • More...
    • All Features
    • All News
    • All Videos
    • Training

Applying FMEA to AI-Augmented Medical Devices

A practical risk management framework

wedmoments.stock/Adobe

Sai Ranjith
Bio

Sanofi

Mon, 07/20/2026 - 12:03
  • Comment
  • RSS

Social Sharing block

  • Print
Body

The U.S. Food and Drug Administration scrutiny of AI and machine learning in medical devices is intensifying. Yet most companies still apply failure mode and effects analysis (FMEA) methods designed for deterministic hardware failures. AI failures are probabilistic, context-dependent, and often silent. A model trained on one population drifts in deployment. An algorithm confident in a prediction is fundamentally wrong.

ADVERTISEMENT

This article provides a practical, step-by-step framework for integrating AI-specific risk management into ISO 14971 and IEC 62304 workflows to reduce regulatory risk, accelerate FDA approvals, and achieve competitive differentiation.

The challenge: Why traditional FMEA falls short

Consider a medical imaging device with AI lesion detection. Traditional FMEA identifies hardware risks (detector failure) and software risks (processing crashes). But it misses critical AI-specific failures. The following scenarios illustrate how.

Model drift: Trained on Western populations with modern equipment; accuracy drops 8–15% when deployed internationally or in sites with older equipment.

Edge case failures: The model encounters unusual anatomies, artifacts, or degraded images, and produces confident but spectacularly wrong predictions.

Silent degradation: Model performance drops from 94% to 87% over six months without triggering alerts.

Integration failures: Clinicians don’t trust opaque recommendations, so they ignore or override them incorrectly.

These are systematic, predictable, and manageable, but only if you expand your FMEA methodology to address AI-specific failure modes.

A 4-step framework for AI risk management

Step 1: Identifying AI-specific hazard modes

Systematically identify failure modes unique to probabilistic algorithms. For each AI component, document training data characteristics (e.g., populations, distributions, gaps), model boundaries (operating envelope), edge cases (unusual inputs), integration hazards (clinical workflow interactions), and continuous learning risks (post-launch retraining).

Regulatory alignment: ISO 14971:2019, Clause 5, Section 5.4—“Identification of hazards and hazardous situations”; IEC 62304:2006+A1:2015, Clause 7—“Software risk management process.” Trace each hazard back to product requirements.

Step 2: Adapting severity, occurrence, and detection scoring

Recalibrate traditional FMEA scoring for AI.

Severity: Rate patient impact. Be explicit about affected populations.

Occurrence: Base on validation data (i.e., if 94% accuracy, failure rate ~6%), real-world performance, and scenario frequency. Score 1–3 (rare) to 10 (almost certain).

Detection: AI failures are often silent. Score based on real-time monitoring, clinical feedback loops, and fallback logic. Detection scores typically 6–10, elevating RPN for high-impact failures.

Regulatory alignment: ISO 14971:2019, Section 5.5—“Risk estimation” and Clause 6—“Risk evaluation.” Document S/O/D rationale clearly; regulators will ask.

Step 3: Implementing AI-aware controls

Design controls throughout four dimensions.

1. Training data governance: Dataset audit documenting demographics. Identify underrepresented populations. Establish performance thresholds by subgroup and data quality standards.

2. Robustness testing: Adversarial testing—fast gradient sign method (FGSM) and projected gradient descent (PGD) to identify problematic inputs. Test edge cases from real sites. Establish acceptance criteria and fallback logic (flag low-confidence predictions for human review).

3. Real-time monitoring: Automated dashboards track accuracy, sensitivity, and specificity by site and population. Set alert thresholds and define fallback procedures.

4. Explainability and integration: Provide visual explanations (e.g., saliency maps, feature importance) and confidence scores. Validate that clinicians interpret explanations correctly.

Regulatory alignment: IEC 62304:2006+A1:2015, Sections 5.3–5.4 (software architectural design and software detailed design) and Sections 5.5–5.7 (software implementation, verification, and testing). Map controls quality management system requirements. Maintain traceability: requirement > hazard > control > verification test.

Step 4: Establishing post-launch verification and continuous monitoring

Implement continuous monitoring dashboards to track primary metrics—accuracy, sensitivity, specificity, negative predictive value (NPV), positive predictive value (PPV) by site and demographic group. Document performance baselines. Any sustained 5% drop triggers investigation. Set specific alert thresholds.

If your regulatory strategy includes post-launch model updates, establish formal change management: trigger criteria (when to retrain), validation requirements (side-by-side comparison with predicate model for all scenarios), approval authority, and traceability. Plan periodic FDA communication to share real-world performance data.

Regulatory alignment: IEC 62304:2006+A1:2015, Section 5.8—“Software release” and Clause 6—“Software maintenance process.” FDA expectations for postmarket surveillance and real-world performance monitoring.

Real-world implementation challenges

Siloed teams and cross-functional coordination

AI-aware risk management requires R&D (who built the model), quality (FMEA/QMS), clinical affairs (clinical use), and regulatory (FDA expectations) working seamlessly. These teams often don’t speak the same language.

Solution: Establish a cross-functional AI risk management team that meets regularly with shared risk vocabulary.

Model opacity and continuous learning

Even creators might not fully understand why the model makes predictions. If it retrains on real-world data, you’re continuously changing the product post-launch, and FDA guidance is still evolving.

Solution: Invest in explainability—Shapley Additive Explanations (SHAP), attention maps. Establish clear governance and communicate with the FDA early. Define what constitutes a modification requiring premarket approval vs. maintenance requiring postmarket notification.

FDA expectations and outcomes

A well-documented FMEA addressing AI-specific failure modes and mitigation demonstrates regulatory maturity and reduces requests for evidence (RFEs) or denials. Companies engaging with the FDA early via Q-submissions often experience faster review cycles. Rigorous, transparent risk management also earns clinical trust and competitive advantage in an AI-driven market.

Conclusion

FDA scrutiny of AI in medical devices is intensifying. The four-step framework identifying AI-specific hazards, adapting S/O/D scoring, implementing AI-aware controls, and establishing post-launch verification provides a practical road map. It integrates seamlessly with ISO 14971 and IEC 62304 processes, and aligns with FDA expectations.

Implementation is challenging and requires cross-functional coordination, investment in explainability and monitoring infrastructure, and honest FDA engagement. But the payoff is reduced regulatory risk, faster approvals, and confidence that your device is genuinely safe and effective in real-world use. In an AI-driven device landscape, rigorous risk management is your competitive advantage.

Add new comment

The content of this field is kept private and will not be shown publicly.
About text formats
Image CAPTCHA
Enter the characters shown in the image.

© 2026 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute Inc.

footer
  • Home
  • Print QD: 1995-2008
  • Print QD: 2008-2009
  • Videos
  • Privacy Policy
  • Write for us
footer second menu
  • Subscribe to Quality Digest
  • About Us