Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

Dear all,

Would it be acceptable to build a risk management file using only Design, process and usability FMEAs and still be compliant to ISO 14971:2019?

If yes, could you please provide a guidance on how to do so?

If no, what would be the best strategy to use? (apart from redoing the risk Management from scratch). 

Please note that the product is a class IIb and is already on the market for 3 years and is therefore in the transition period.
Note that questionnaire from Appendix A of TR24971 has been filled in.

Thank you,
Best regards,

The short answer is no, you cannot use only FMEA and be compliant to ISO 14971.

FMEA focuses only on single fault conditions (see also B5 of the TS 24971) with the scope of improving the reliability/robustness of the system.

ISO14971 focuses on hazards (safety for patient/user) that might result from a sequence of events (so a far more complex situation than only single fault).

FMEA provides valuable input and is an important part of the risk management file (a failure being one of the events within the sequence).

------------------------------
Stephan Jansen
Quality Assurance Coordinator
Eindhoven
Netherlands
------------------------------

Original Message:
Sent: 26-Nov-2021 12:41
From: Anonymous Member
Subject: Risk management file solely based on FMEAs and compliance to EU MDR requirements

This message was posted by a user wishing to remain anonymous

Dear all,

Would it be acceptable to build a risk management file using only Design, process and usability FMEAs and still be compliant to ISO 14971:2019?

If yes, could you please provide a guidance on how to do so?

If no, what would be the best strategy to use? (apart from redoing the risk Management from scratch).

Please note that the product is a class IIb and is already on the market for 3 years and is therefore in the transition period.
Note that questionnaire from Appendix A of TR24971 has been filled in.

Thank you,
Best regards,

Hi Stephan,

Thank you for getting back to me.

Best regards,

------------------------------
Thomas Buhaceanu

Best,
Netherlands
------------------------------

Original Message:
Sent: 29-Nov-2021 01:40
From: Stephan Jansen
Subject: Risk management file solely based on FMEAs and compliance to EU MDR requirements

The short answer is no, you cannot use only FMEA and be compliant to ISO 14971.

FMEA focuses only on single fault conditions (see also B5 of the TS 24971) with the scope of improving the reliability/robustness of the system.

ISO14971 focuses on hazards (safety for patient/user) that might result from a sequence of events (so a far more complex situation than only single fault).

FMEA provides valuable input and is an important part of the risk management file (a failure being one of the events within the sequence).

------------------------------
Stephan Jansen
Quality Assurance Coordinator
Eindhoven
Netherlands

Original Message:
Sent: 26-Nov-2021 12:41
From: Anonymous Member
Subject: Risk management file solely based on FMEAs and compliance to EU MDR requirements

This message was posted by a user wishing to remain anonymous

Dear all,

Would it be acceptable to build a risk management file using only Design, process and usability FMEAs and still be compliant to ISO 14971:2019?

If yes, could you please provide a guidance on how to do so?

If no, what would be the best strategy to use? (apart from redoing the risk Management from scratch).

Please note that the product is a class IIb and is already on the market for 3 years and is therefore in the transition period.
Note that questionnaire from Appendix A of TR24971 has been filled in.

Thank you,
Best regards,

I have written about your question, based on the GHTF Risk Management guidance SG3/N15
 
ISO 14971 has had a requirement for traceability since the first edition. It has not been well implemented though.  But Annex C in GHTF SG3/N15 had a good start with the requirement, but I expanded that in my article in AAMI Horizons Spring 2015 issue Documenting Medical Device Risk Management through the Risk Traceability Summary

The article also discusses why FMEA, a reliability tool and not a safety tool, does not, by itself, meet the requirements of ISO 14971 (Now Clause 5.4 of the 2019 standard).  FMEA does not address hazards caused all faults, since it is a single fault tool. FMEA does not address the requirement for normal condition hazards.  So be cautious in the use of the tool, which does have its good points.

Also you should look at ISO TR 24971:2020 for information on traceability in 4.5 and the use of international standards in risk management in Annex E.  This is a real time saver, as you can, when you use standards, and you implement them as required in the international standard, you can directly document this activity, skipping some lengthy meetings discussing hazards that have already been covered by the standard.

Hopefully this has been helpful.


------------------------------
Edwin Bills MEd, CQA, RAC, BSc, CQE, ASQ
Principal Consultant and Member, ISO TC 210 JWG1
Overland Park KS
United States
elb@edwinbillsconsultant.comPrincipal Consultant
------------------------------

Original Message:
Sent: 26-Nov-2021 12:41
From: Anonymous Member
Subject: Risk management file solely based on FMEAs and compliance to EU MDR requirements

This message was posted by a user wishing to remain anonymous

Dear all,

Would it be acceptable to build a risk management file using only Design, process and usability FMEAs and still be compliant to ISO 14971:2019?

If yes, could you please provide a guidance on how to do so?

If no, what would be the best strategy to use? (apart from redoing the risk Management from scratch).

Please note that the product is a class IIb and is already on the market for 3 years and is therefore in the transition period.
Note that questionnaire from Appendix A of TR24971 has been filled in.

Thank you,
Best regards,

I would suggest using Fault Tree Analysis either on its own or combined with a Preliminary Hazard Analysis. FMEA has been widely used but it has been done so more out of familiarity than best practice. FMEA caught on with device companies many many years ago, and companies struggle to move away from it or augment it with another tool to make it more compliant with ISO 14971. You can likely leverage a lot of the FMEA content you have now, or perhaps build a bridge to the FMEA with a PHA. But as others noted already, you need to address the shortcomings of the FMEA tool to get a more compliant risk management file established.

I will add that some inspectors/reviewers are not as skilled in this area and may not flag your current risk management file during inspection/review. I have audited companies over the years and saw some really poor attempts at risk management, yet they had approved products. We have a ways to go as an industry to address risk management more effectively. 

Regards,
Nathan

------------------------------
Nathan Blazei
Head of Quality
Morrisville NC
United States
------------------------------

Original Message:
Sent: 26-Nov-2021 12:41
From: Anonymous Member
Subject: Risk management file solely based on FMEAs and compliance to EU MDR requirements

This message was posted by a user wishing to remain anonymous

Dear all,

Would it be acceptable to build a risk management file using only Design, process and usability FMEAs and still be compliant to ISO 14971:2019?

If yes, could you please provide a guidance on how to do so?

If no, what would be the best strategy to use? (apart from redoing the risk Management from scratch).

Please note that the product is a class IIb and is already on the market for 3 years and is therefore in the transition period.
Note that questionnaire from Appendix A of TR24971 has been filled in.

Thank you,
Best regards,

ISO 14971:2019 address patient or user harm (and a few other things). It does this by identifying hazards, sequences of events leading to hazardous situations, leading to harm. Then apply risk reduction measures to reduce the frequency and severity of the harm.

An FMEA addresses a different problem, failures, and specifically single point failures.

Patient or user harm can occur in either normal of fault conditions. An FMEA doesn't cover harm from normal conditions. In addition, device failures don't always result in harm. Designs should be fail-safe.

The only solution is to follow the ISO 14971:2019 process which means analyzing hazards not failures. The good news that you could reuse much of the information from the FMEAs. Also, recognize the usability in 62366-1 is a specific application of ISO 14971:2019, so it follows the same process, but addresses specific sources of risk.

------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
------------------------------

Original Message:
Sent: 26-Nov-2021 12:41
From: Anonymous Member
Subject: Risk management file solely based on FMEAs and compliance to EU MDR requirements

This message was posted by a user wishing to remain anonymous

Dear all,

Would it be acceptable to build a risk management file using only Design, process and usability FMEAs and still be compliant to ISO 14971:2019?

If yes, could you please provide a guidance on how to do so?

If no, what would be the best strategy to use? (apart from redoing the risk Management from scratch).

Please note that the product is a class IIb and is already on the market for 3 years and is therefore in the transition period.
Note that questionnaire from Appendix A of TR24971 has been filled in.

Thank you,
Best regards,

Annex G of ISO/TR 24971 also gives some good advice on planning / remediating the risk management aspects most applicable to the current lifecycle phase.

------------------------------
Anne LeBlanc
United States
------------------------------

Original Message:
Sent: 29-Nov-2021 12:17
From: Dan O'Leary
Subject: Risk management file solely based on FMEAs and compliance to EU MDR requirements

ISO 14971:2019 address patient or user harm (and a few other things). It does this by identifying hazards, sequences of events leading to hazardous situations, leading to harm. Then apply risk reduction measures to reduce the frequency and severity of the harm.

An FMEA addresses a different problem, failures, and specifically single point failures.

Patient or user harm can occur in either normal of fault conditions. An FMEA doesn't cover harm from normal conditions. In addition, device failures don't always result in harm. Designs should be fail-safe.

The only solution is to follow the ISO 14971:2019 process which means analyzing hazards not failures. The good news that you could reuse much of the information from the FMEAs. Also, recognize the usability in 62366-1 is a specific application of ISO 14971:2019, so it follows the same process, but addresses specific sources of risk.

------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States

Original Message:
Sent: 26-Nov-2021 12:41
From: Anonymous Member
Subject: Risk management file solely based on FMEAs and compliance to EU MDR requirements

This message was posted by a user wishing to remain anonymous

Dear all,

Would it be acceptable to build a risk management file using only Design, process and usability FMEAs and still be compliant to ISO 14971:2019?

If yes, could you please provide a guidance on how to do so?

If no, what would be the best strategy to use? (apart from redoing the risk Management from scratch).

Please note that the product is a class IIb and is already on the market for 3 years and is therefore in the transition period.
Note that questionnaire from Appendix A of TR24971 has been filled in.

Thank you,
Best regards,