© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute, Inc.
Jon Speer Published: 04/20/2016
If you’re still using failure mode and effects analysis (FMEA) as your methodology to capture medical-device risk management activities, then your risk management process is out of date. Let me tell you why.
Here’s the definition of “risk management” as defined in ISO 14971:2007—“Medical devices—Application of risk management to medical devices”: Risk management is “a systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk.” (See clause 2.22 on ISO’s online browsing platform.)
And to be fair, I’ll also share a definition of FMEA from ASQ: FMEA is “a step-by-step approach for identifying all possible failures in a design, a manufacturing or assembly process, or a product or service.”
Medical device risk management needs to be systematic. It considers the comprehensive use of a device, whether that use is correct or incorrect.
The basis of risk management is built on identifying hazards (i.e., potential sources of harm) and hazardous situations (circumstances in which people, property, or the environment are exposed to one or more hazards).
Once hazards and hazardous situations are identified, the severity of potential harms resulting from them are estimated. The probability of occurrence of these harms is also estimated. This estimation of severity of harm and probability of occurrence is what defines risk management.
FMEA is slightly different in its scope and purpose. The basis of FMEA is identifying failure modes. However, medical device risks are not solely a function of failure. A medical device might never exhibit a failure mode yet still have risks.
Don’t misunderstand me: FMEA is a very good tool and can be extremely helpful for design and development teams while evaluating the materials, components, and subassemblies that compose medical devices.
But FMEA is more of a reliability tool rather than a risk management system.
ISO 14971 uses terms such as “risk, hazards, hazardous situations, harm, severity, probability of occurrence, risk acceptability,” and “risk controls.”
FMEA uses terms such as “failure modes, effects of failure, severity, causes of failure, occurrence, process controls, detectability, risk priority number,” and “recommended actions.”
It’s pretty clear just by comparing the terminology of ISO 14971 and FMEA how this can be confusing.
“Hazards” and “hazardous situations” do sound similar to failure modes.
“Harm” seems similar to “effects of failure.”
“Risk” seems similar to “risk priority number.”
Certainly the terminology of FMEA seems close enough to risk management. Besides, you’re used to using FMEA, right? I get it. Everyone on the product development team is familiar with and somewhat comfortable using FMEA. You were using FMEA long before ISO 14971 become a harmonized standard. The intent and terminology is close enough... so why change?
Because doing only FMEA means that you will not comply with the ISO 14971 medical-device risk management standard.
Figure 1: ISO 14971 vs. FMEA comparison (courtesy of Gantus)
It’s clear from medical device regulatory bodies throughout the world that sound risk management processes are paramount for medical device companies. So much so that ISO 14971 was harmonized several years ago by most regulatory agencies, including the FDA, Health Canada, and the EU’s national competent authorities. (Note that the European Union published a harmonized risk management standard a few years ago called EN ISO 14971:2012.)
Regulatory agencies expect medical device companies to document risk management activities. And since ISO 14971 exists and is broadly accepted in the medical device regulatory world, I highly recommend using this standard as your framework.
As noted, ISO 14971 describes an entire system approach for risk management, as summarized in the following chart.
Figure 2: An entire system approach for risk management as described in ISO 14971
In a nutshell, a risk management process should include:
• Risk management planning
• Risk analysis
• Risk evaluation
• Risk controls
• Overall residual risk acceptability
• Risk management report
• Risk management file
• Production and post-production information
As you can see, ISO 14971 describes an entire system. It’s a process intended to be applied throughout the entire life cycle of a medical device.
Keep in mind that the whole idea behind risk management for medical devices is to ensure that medical devices are as safe as possible.
Regulatory bodies aside, make sure that your risk management process is established and implemented in such a way that it’s actually useful.
Let me leave you with a few tips from a previous post to help you:
1. Get a copy of ISO 14971:2007 and ISO TR 24971:2013—“Guidance on the application of ISO 14971” (and EN ISO 14971:2012—especially if you are based in the European Union).
2. Establish a risk management policy and procedure.
3. Keep your severity, probability, and risk levels simple.
4. Use risk management as a tool during design and development.
5. Use risk management as a tool after design and development.
First published March 10, 2016, on the greenlight.guru blog.
Jon Speer is the founder and vice president of quality assurance and regulatory affairs at Greenlight Guru, a software company that produces the only medical device quality management software solution. Device makers in more than 50 countries use Greenlight Guru to get safer products to market faster. Speer has served more than 20 years in the medical device industry and helped dozens of devices get to market. As a thought leader and speaker, he regularly contributes to numerous industry publications. He is also the host of Global Medical Device Podcast.
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute, Inc.
Links:
[1] http://asq.org/learn-about-quality/process-analysis-tools/overview/fmea.html
[2] https://www.iso.org/obp/ui/#iso:std:iso:14971:ed-2:v2:en
[3] http://blog.greenlight.guru/iso-14971-medical-device-risk-management
[4] http://blog.greenlight.guru/introduction-to-medical-device-risk-management
[5] http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=59587
[6] http://blog.greenlight.guru/fmea-is-not-iso-14971-risk-management