Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

Hi All,

Most medical device manufacturers use the typical FMEA approach to mitigating risks found in the design of the device.  Numerous 3rd party publications mention the need for top-down analysis to determine all risks have been covered, where FMEA can miss certain things.  These authors specifically state that this is required by ISO 14971.  Other than the section for Fault Tree Analysis (G.3), where else in ISO 14971 does it specifically call out this approach and that it is required in addition to FMEA, HACCP, etc. in order to be fully compliant to the standard? 

Thank you!

The clause you refer to, G.3 is not a requirement.  Only the numbered clauses are requirements (ex. 4.3).  The clauses that start with alpha characters (A, B, C...) are informative and provide information on how you  can implement the standard.  I would like to also point to ISO TR 24971, a guidance that provides other valuable information on implementation, such as how to use product and process safety standards.

The "requirement" you perhaps may be trying to find is in clause 4.3, where it states you must "identify known and foreseeable hazards in both normal and fault conditions".  FMEA identifies single-fault conditions, and not all fault conditions, thus the use of FTA.  It does also not identify "normal condition" hazards.  That is another use of FTA.  As for "known hazards" Preliminary Hazard Analysis or PHA is a tool for looking at your own complaints, product and process safety standards, FDA's adverse event files like MAUDE and TPLC databases, and clinical literature to find those hazards already known.  One of the big issues with FMEA is covered by a requirement of ISO 13485 which requires risk management be a Design Input.  Since FMEA cannot be performed until the design is in the Design Output stage, FMEA fails to provide information early enough in the design process to avoid design changes.  FMEA is a good tool to provide a check to make sure all single-fault condition hazards have been identified after the design is closer to completion.  Of course, we all know that design is not a serial process, but has a lot of parallel activities, so Design Input does not close before going to Design Output.  Design elements may be found that are in different stages at the same time.  However, the basic description still applies. So use FMEA where it is appropriate, but you cannot perform Risk Management with only the use of FMEA, several tools are required.

------------------------------
Edwin Bills RAC, MA
Principal Consultant
ELB Consulting
Overland Park KS
United States
------------------------------

Original Message:
Sent: 03-Aug-2017 12:16
From: Anonymous Member
Subject: Risk Top-Down Analysis and ISO 14971

This message was posted by a user wishing to remain anonymous

Hi All,

Most medical device manufacturers use the typical FMEA approach to mitigating risks found in the design of the device.  Numerous 3rd party publications mention the need for top-down analysis to determine all risks have been covered, where FMEA can miss certain things.  These authors specifically state that this is required by ISO 14971.  Other than the section for Fault Tree Analysis (G.3), where else in ISO 14971 does it specifically call out this approach and that it is required in addition to FMEA, HACCP, etc. in order to be fully compliant to the standard?

Thank you!

Ed,

Your expertise is well met here with little to add.

For everyone,
I would just emphasize the requirement is to complete a risk analysis and manage the identified risks to an acceptable residual. Your tool should also take care of documenting this preventive action and the verification of effectiveness of that action (requirements of both 14971 and 13485).

Additionally, the use of these multiple tools likely will also require some sort of a risk management report that then can be updated as post market surveillance information (complaints and other feedback) is used to update each of the analysis documents. Good luck as you move forward with the multiple tools as Ed suggests!

------------------------------
Regards,
Mark Swanson, ASQ CBA, CMQ/OE, CQE MBA
Becker MN
United States
------------------------------

Original Message:
Sent: 04-Aug-2017 08:33
From: Edwin Bills
Subject: Risk Top-Down Analysis and ISO 14971

The clause you refer to, G.3 is not a requirement.  Only the numbered clauses are requirements (ex. 4.3).  The clauses that start with alpha characters (A, B, C...) are informative and provide information on how you  can implement the standard.  I would like to also point to ISO TR 24971, a guidance that provides other valuable information on implementation, such as how to use product and process safety standards.

The "requirement" you perhaps may be trying to find is in clause 4.3, where it states you must "identify known and foreseeable hazards in both normal and fault conditions".  FMEA identifies single-fault conditions, and not all fault conditions, thus the use of FTA.  It does also not identify "normal condition" hazards.  That is another use of FTA.  As for "known hazards" Preliminary Hazard Analysis or PHA is a tool for looking at your own complaints, product and process safety standards, FDA's adverse event files like MAUDE and TPLC databases, and clinical literature to find those hazards already known.  One of the big issues with FMEA is covered by a requirement of ISO 13485 which requires risk management be a Design Input.  Since FMEA cannot be performed until the design is in the Design Output stage, FMEA fails to provide information early enough in the design process to avoid design changes.  FMEA is a good tool to provide a check to make sure all single-fault condition hazards have been identified after the design is closer to completion.  Of course, we all know that design is not a serial process, but has a lot of parallel activities, so Design Input does not close before going to Design Output.  Design elements may be found that are in different stages at the same time.  However, the basic description still applies. So use FMEA where it is appropriate, but you cannot perform Risk Management with only the use of FMEA, several tools are required.

------------------------------
Edwin Bills RAC, MA
Principal Consultant
ELB Consulting
Overland Park KS
United States

Original Message:
Sent: 03-Aug-2017 12:16
From: Anonymous Member
Subject: Risk Top-Down Analysis and ISO 14971

This message was posted by a user wishing to remain anonymous

Hi All,

Most medical device manufacturers use the typical FMEA approach to mitigating risks found in the design of the device.  Numerous 3rd party publications mention the need for top-down analysis to determine all risks have been covered, where FMEA can miss certain things.  These authors specifically state that this is required by ISO 14971.  Other than the section for Fault Tree Analysis (G.3), where else in ISO 14971 does it specifically call out this approach and that it is required in addition to FMEA, HACCP, etc. in order to be fully compliant to the standard?

Thank you!

I think your question has already been clearly answered, but to just add some background if you are working on an active device;

60601-1-2 (EMC) Annex *F.3 also talks about top down and bottom up methods for risk analysis. 

*I refer to Edwin's comment on annexes as informative and clauses as a requirement.

------------------------------
Chris Barkway
United Kingdom
------------------------------

Original Message:
Sent: 03-Aug-2017 12:16
From: Anonymous Member
Subject: Risk Top-Down Analysis and ISO 14971

This message was posted by a user wishing to remain anonymous

Hi All,

Most medical device manufacturers use the typical FMEA approach to mitigating risks found in the design of the device.  Numerous 3rd party publications mention the need for top-down analysis to determine all risks have been covered, where FMEA can miss certain things.  These authors specifically state that this is required by ISO 14971.  Other than the section for Fault Tree Analysis (G.3), where else in ISO 14971 does it specifically call out this approach and that it is required in addition to FMEA, HACCP, etc. in order to be fully compliant to the standard?

Thank you!