Regulatory Open Forum

Hello all,
What are the contents of the Risk Management File in a medical Device and how FMEAs differs from Risk management File? How is Risk Managed and captured in documentation.

A comprehensive list of the contents of a RMF is given below. It´s based on what is directly required by the standard (current edition - 2009). Please note that the RMF is per device.

1 - Reference to the qualification of people performing the risk management activities

2 - Risk management plan for the evaluated device

3 - Intended use (suggestion - verify IEC 62366) including answers to questions that can be used to identify medical device characteristics that could impact on safety

4 - Reasonable foreseeable misuse (suggestion - verify IEC 62366)

5 - Identification of essential performance (if for medical electical equipment)

6 - Identification of hazards and hazardous situations, including all the relevant information for all identified hazards and hazardous situations; this includes foreseeable sequence or combination of events that can result in hazardous situations. This also includes P1 and P2 (see annex E)

7 - Data used and the sources (e.g. accident history, experience gained from risk reduction applied to similar medical devices, etc.)

8 - Any relevant assumption that have been made (e.g. users, environment, safety factors, means of protection)

9 -Tools for failure analysis and result of failure analysis (list of different tools used and explanation of how they are been used)

10 - Explanation of the system used to categorize quantitatively or qualitatively the probability of ocurrence and severity of the harm

11 - Estimation of the risk of each hazardous situation

12 - Risk evaluation

13 - Acceptability levels, if used

14 - Risk control information, including list of control measure, evaluation if controls are not of level 1 - inherit safe or 2 - protective measures, procedures to verify implementation and effectivesses of risk control measures

15 - The uncertainty associated with the data used and its impact on the risk evaluation

16 - Risk reduction (residual risk evaluation for control measures not derived from an international standard) + decisions regarding information on residual risk. Review of risks originating from risk control measures

17 - Overall risk control evaluation

18 - Overall risk acceptability evaluation (+ methods, risk/benefit analysis if needed, and information about overall residual risk)

19 - Risk management report

20 - Production and post production information gatherer system


FMEA and other tools  can be used to fulfill certain aspects of the ISO 14971 risk management process, but what the tools can provide is only some limited information for the whole process.

You can see some more discussion in this thread: https://elsmar.com/Forums/iso-14971-medical-device-risk-management/52848-iso-14971-medical-device-risk-management-faq.html





------------------------------
Marcelo Antunes
Regulatory Strategy Consultant
SQR Consulting
Sao Paulo
Brazil
------------------------------

Original Message:
Sent: 18-Dec-2017 19:48
From: Devang Barot
Subject: Risk Management File

Hello all,
What are the contents of the Risk Management File in a medical Device and how FMEAs differs from Risk management File? How is Risk Managed and captured in documentation.

​Hi Devang,

We consolidated all of the data that Marcelo references into the following documents that comprise our RMF:

RM Plan
PHA
dFMEA
pFMEA (we have multiple pFMEAs for any given device)
RM Report

Hope this helps!

Tina

------------------------------
Tina O'Brien RAC, MS
Director of Regulatory Affairs
Aroa Biosurgery
Auckland
New Zealand
------------------------------

Original Message:
Sent: 18-Dec-2017 20:23
From: Marcelo Antunes
Subject: Risk Management File

A comprehensive list of the contents of a RMF is given below. It´s based on what is directly required by the standard (current edition - 2009). Please note that the RMF is per device.

1 - Reference to the qualification of people performing the risk management activities

2 - Risk management plan for the evaluated device

3 - Intended use (suggestion - verify IEC 62366) including answers to questions that can be used to identify medical device characteristics that could impact on safety

4 - Reasonable foreseeable misuse (suggestion - verify IEC 62366)

5 - Identification of essential performance (if for medical electical equipment)

6 - Identification of hazards and hazardous situations, including all the relevant information for all identified hazards and hazardous situations; this includes foreseeable sequence or combination of events that can result in hazardous situations. This also includes P1 and P2 (see annex E)

7 - Data used and the sources (e.g. accident history, experience gained from risk reduction applied to similar medical devices, etc.)

8 - Any relevant assumption that have been made (e.g. users, environment, safety factors, means of protection)

9 -Tools for failure analysis and result of failure analysis (list of different tools used and explanation of how they are been used)

10 - Explanation of the system used to categorize quantitatively or qualitatively the probability of ocurrence and severity of the harm

11 - Estimation of the risk of each hazardous situation

12 - Risk evaluation

13 - Acceptability levels, if used

14 - Risk control information, including list of control measure, evaluation if controls are not of level 1 - inherit safe or 2 - protective measures, procedures to verify implementation and effectivesses of risk control measures

15 - The uncertainty associated with the data used and its impact on the risk evaluation

16 - Risk reduction (residual risk evaluation for control measures not derived from an international standard) + decisions regarding information on residual risk. Review of risks originating from risk control measures

17 - Overall risk control evaluation

18 - Overall risk acceptability evaluation (+ methods, risk/benefit analysis if needed, and information about overall residual risk)

19 - Risk management report

20 - Production and post production information gatherer system


FMEA and other tools  can be used to fulfill certain aspects of the ISO 14971 risk management process, but what the tools can provide is only some limited information for the whole process.

You can see some more discussion in this thread: https://elsmar.com/Forums/iso-14971-medical-device-risk-management/52848-iso-14971-medical-device-risk-management-faq.html





------------------------------
Marcelo Antunes
Regulatory Strategy Consultant
SQR Consulting
Sao Paulo
Brazil

Original Message:
Sent: 18-Dec-2017 19:48
From: Devang Barot
Subject: Risk Management File

Hello all,
What are the contents of the Risk Management File in a medical Device and how FMEAs differs from Risk management File? How is Risk Managed and captured in documentation.

It appears that you have fallen into the same trap as many.  FMEA is NOT risk management, but rather is a tool that can be used to identify the effects of failure which may relate to product safety.  It is inadequate to meet the requirements of both ISO 14971 and ISO 13485:2016 by itself.  As ISO 13485 points out, the results of risk management are a Design Input and thus must occur before Design Input. FMEA can only be done when you have Design Output, which is later in the process, and thus is a good check tool to make sure you have identified all hazards that result from failures.  This points to another limitation of FMEA.  ISO 14971 requires the identification of all hazards (and not just single fault failures) resulting in NORMAL and FAULT conditions.  FMEA only identifies those from single fault failures, and not the normal condition failures (when everything is operating correctly).  Human Factors/Usability usually identifies those hazards.

A Risk Management File contains all documents that result from actions taken in each step (Clauses 3-9) of ISO 14971 as indicated in other responses, such as the Risk Management Plan, the Traceability Summary (required in Clause 3.5), each of the tools used to identify hazards, such as Preliminary Hazard Analysis (extremely valuable tool), Fault Tree Analysis (used to identify hazards resulting from multiple fault conditions), and many others. A Risk Management File should have a number of documents contained and be continuous updated as new information is gathered throughout the product lifecycle.  A Risk Management File must be accessible to the complaint team for analysis of complaints, to the team reporting adverse events and recalls, and to those developing new products, to use information gathered previously, to avoid repeating unnecessarily those activities that have already gathered risk information.  You should also review ISO TR 24971 to find information on how to use standards to improve your risk management process and reduce work.

Risk Management is not a checkbox activity, but rather a process to improve product safety, reduce costs, save time, and improve product liability.  If you are only doing FMEA, you are doing a disservice to your customers, and patients, as well as your company and its shareholders.

ISO 14971 and its companion guidance ISO TR 24971 are both being revised to include more information on the process for release in 2019.

------------------------------
Edwin Bills RAC, MA
Principal Consultant
Edwin Bills Consultant
Overland Park KS
United States
------------------------------

Original Message:
Sent: 18-Dec-2017 19:48
From: Devang Barot
Subject: Risk Management File

Hello all,
What are the contents of the Risk Management File in a medical Device and how FMEAs differs from Risk management File? How is Risk Managed and captured in documentation.

Edwin has put it very well. I see too many files where people think FMEA is risk management and vice versa, the truth is that FMEA is only ever a part, and in some cases not even an important or appropriate part. I have two concerns with FMEA:

• teams tend to be engineering focused, thus product rather than patient focused and often to not appreciate the potential for dire consequences to the patient from a common fault
• FMEAs tend to give a false impression of accuracy: the difference between RPNs 28 and 32 can appear highly significant, but they originate from multiplying three numbers together which are often guesses from a team (subject to all sorts of "group-think" and leadship issues) and both may really mean: "somewhere between 20 and 40 .... I think, I'll get back to you when we have some data"

FMEAs are an important tool, but only one tool in the risk management toolbox. Don't be fooled by the apparent similarlty between FMEA and Risk Analysis matrices!

All the best

Neil

------------------------------
Neil Armstrong FRAPS
CEO
MeddiQuest Limited
Peterborough
United Kingdom
------------------------------

Original Message:
Sent: 19-Dec-2017 12:20
From: Edwin Bills
Subject: Risk Management File

It appears that you have fallen into the same trap as many.  FMEA is NOT risk management, but rather is a tool that can be used to identify the effects of failure which may relate to product safety.  It is inadequate to meet the requirements of both ISO 14971 and ISO 13485:2016 by itself.  As ISO 13485 points out, the results of risk management are a Design Input and thus must occur before Design Input. FMEA can only be done when you have Design Output, which is later in the process, and thus is a good check tool to make sure you have identified all hazards that result from failures.  This points to another limitation of FMEA.  ISO 14971 requires the identification of all hazards (and not just single fault failures) resulting in NORMAL and FAULT conditions.  FMEA only identifies those from single fault failures, and not the normal condition failures (when everything is operating correctly).  Human Factors/Usability usually identifies those hazards.

A Risk Management File contains all documents that result from actions taken in each step (Clauses 3-9) of ISO 14971 as indicated in other responses, such as the Risk Management Plan, the Traceability Summary (required in Clause 3.5), each of the tools used to identify hazards, such as Preliminary Hazard Analysis (extremely valuable tool), Fault Tree Analysis (used to identify hazards resulting from multiple fault conditions), and many others. A Risk Management File should have a number of documents contained and be continuous updated as new information is gathered throughout the product lifecycle.  A Risk Management File must be accessible to the complaint team for analysis of complaints, to the team reporting adverse events and recalls, and to those developing new products, to use information gathered previously, to avoid repeating unnecessarily those activities that have already gathered risk information.  You should also review ISO TR 24971 to find information on how to use standards to improve your risk management process and reduce work.

Risk Management is not a checkbox activity, but rather a process to improve product safety, reduce costs, save time, and improve product liability.  If you are only doing FMEA, you are doing a disservice to your customers, and patients, as well as your company and its shareholders.

ISO 14971 and its companion guidance ISO TR 24971 are both being revised to include more information on the process for release in 2019.

------------------------------
Edwin Bills RAC, MA
Principal Consultant
Edwin Bills Consultant
Overland Park KS
United States

Original Message:
Sent: 18-Dec-2017 19:48
From: Devang Barot
Subject: Risk Management File

Hello all,
What are the contents of the Risk Management File in a medical Device and how FMEAs differs from Risk management File? How is Risk Managed and captured in documentation.

First of all, for the original poster, listen to Ed. He spends a lot of time on this topic and sits on a lot of the committees that design the standards. I do have some minor quibbles as a product developer though, for instance

"13485 points out, the results of risk management are a Design Input and thus must occur before Design Input" - well yes, and it is one of my many frustrations with the standard - it tries to shove everything into "inputs and outputs" and tie timing into them. In reality, many top level hazards and hazardous situations (risk) can be identified as requirements at the beginning of the process. However, other risks can only be identified after there is an initial design - for instance, one can't be worried specifically about silicone particle shedding and migrating in the body until the design has identified use of silicone material. However, one could identify "adverse tissue/organ material reaction" earlier. Design inputs are by their very nature iterative and come into the design throughout the life of the design and process development. Yes, they can be grouped into inputs "requirements" and outputs "proof requirements are met" but they are not tied so neatly in a linear time sequence.
I suspect Ed's point though, was one with which I heartily agree - don't wait until the "end" of a design project and then do an FMEA. That effort would be pretty worthless.

I also tend to disagree that "risk management" as currently constituted in the standards and regulations, actually reduces costs. Robust design processes, which include treating risk mitigations as a design requirement and integrating them early, ultimately do save time and money. However, the paperwork required by the standards "RM files, RM reports, RM plans" adds nothing to the process but overhead and paperwork designed to make it easier for auditors and inspectors (and occasionally regulatory and quality people, but let's not trick ourselves into thinking it helps the designer) - it adds no robustness to a good, requirements driven design process with integrated risk management. The overhead and paperwork tend to have very significant costs, opportunity and cash.

g-

------------------------------
Ginger Glaser RAC
Chief Technology Officer
MN
------------------------------

Original Message:
Sent: 19-Dec-2017 12:20
From: Edwin Bills
Subject: Risk Management File

It appears that you have fallen into the same trap as many.  FMEA is NOT risk management, but rather is a tool that can be used to identify the effects of failure which may relate to product safety.  It is inadequate to meet the requirements of both ISO 14971 and ISO 13485:2016 by itself.  As ISO 13485 points out, the results of risk management are a Design Input and thus must occur before Design Input. FMEA can only be done when you have Design Output, which is later in the process, and thus is a good check tool to make sure you have identified all hazards that result from failures.  This points to another limitation of FMEA.  ISO 14971 requires the identification of all hazards (and not just single fault failures) resulting in NORMAL and FAULT conditions.  FMEA only identifies those from single fault failures, and not the normal condition failures (when everything is operating correctly).  Human Factors/Usability usually identifies those hazards.

A Risk Management File contains all documents that result from actions taken in each step (Clauses 3-9) of ISO 14971 as indicated in other responses, such as the Risk Management Plan, the Traceability Summary (required in Clause 3.5), each of the tools used to identify hazards, such as Preliminary Hazard Analysis (extremely valuable tool), Fault Tree Analysis (used to identify hazards resulting from multiple fault conditions), and many others. A Risk Management File should have a number of documents contained and be continuous updated as new information is gathered throughout the product lifecycle.  A Risk Management File must be accessible to the complaint team for analysis of complaints, to the team reporting adverse events and recalls, and to those developing new products, to use information gathered previously, to avoid repeating unnecessarily those activities that have already gathered risk information.  You should also review ISO TR 24971 to find information on how to use standards to improve your risk management process and reduce work.

Risk Management is not a checkbox activity, but rather a process to improve product safety, reduce costs, save time, and improve product liability.  If you are only doing FMEA, you are doing a disservice to your customers, and patients, as well as your company and its shareholders.

ISO 14971 and its companion guidance ISO TR 24971 are both being revised to include more information on the process for release in 2019.

------------------------------
Edwin Bills RAC, MA
Principal Consultant
Edwin Bills Consultant
Overland Park KS
United States

Original Message:
Sent: 18-Dec-2017 19:48
From: Devang Barot
Subject: Risk Management File

Hello all,
What are the contents of the Risk Management File in a medical Device and how FMEAs differs from Risk management File? How is Risk Managed and captured in documentation.

Ginger,

i understand and your points, but don't overlook, first of all, that Risk Management is clearly an iterative process which must be started early to save the costs of redesign at late stages in design or worse, marketed product. An overlooked document, ISO TR 24971 explains how to use standards at the beginning of design to reduce risk and eliminate some of the risk activities by taking advantage of known hazards identified in Standards. Another step at beginning of process is to use known hazards from complaints and adverse event reports such as from FDA's MAUDE and TPLC databases. All these can be done before design hits "paper" or these days electronic files. 

Costs of expensive product litigation can on can be reduced or eliminated with good risk management. Unfortunately companies don't often take the costs of product failure after release into total product costs.

------------------------------
Edwin Bills RAC, MA
Principal Consultant
Edwin Bills Consultant
Overland Park KS
United States
------------------------------

Original Message:
Sent: 20-Dec-2017 14:11
From: Ginger Glaser
Subject: Risk Management File

First of all, for the original poster, listen to Ed. He spends a lot of time on this topic and sits on a lot of the committees that design the standards. I do have some minor quibbles as a product developer though, for instance

"13485 points out, the results of risk management are a Design Input and thus must occur before Design Input" - well yes, and it is one of my many frustrations with the standard - it tries to shove everything into "inputs and outputs" and tie timing into them. In reality, many top level hazards and hazardous situations (risk) can be identified as requirements at the beginning of the process. However, other risks can only be identified after there is an initial design - for instance, one can't be worried specifically about silicone particle shedding and migrating in the body until the design has identified use of silicone material. However, one could identify "adverse tissue/organ material reaction" earlier. Design inputs are by their very nature iterative and come into the design throughout the life of the design and process development. Yes, they can be grouped into inputs "requirements" and outputs "proof requirements are met" but they are not tied so neatly in a linear time sequence.
I suspect Ed's point though, was one with which I heartily agree - don't wait until the "end" of a design project and then do an FMEA. That effort would be pretty worthless.

I also tend to disagree that "risk management" as currently constituted in the standards and regulations, actually reduces costs. Robust design processes, which include treating risk mitigations as a design requirement and integrating them early, ultimately do save time and money. However, the paperwork required by the standards "RM files, RM reports, RM plans" adds nothing to the process but overhead and paperwork designed to make it easier for auditors and inspectors (and occasionally regulatory and quality people, but let's not trick ourselves into thinking it helps the designer) - it adds no robustness to a good, requirements driven design process with integrated risk management. The overhead and paperwork tend to have very significant costs, opportunity and cash.

g-

------------------------------
Ginger Glaser RAC
Chief Technology Officer
MN

Original Message:
Sent: 19-Dec-2017 12:20
From: Edwin Bills
Subject: Risk Management File

It appears that you have fallen into the same trap as many.  FMEA is NOT risk management, but rather is a tool that can be used to identify the effects of failure which may relate to product safety.  It is inadequate to meet the requirements of both ISO 14971 and ISO 13485:2016 by itself.  As ISO 13485 points out, the results of risk management are a Design Input and thus must occur before Design Input. FMEA can only be done when you have Design Output, which is later in the process, and thus is a good check tool to make sure you have identified all hazards that result from failures.  This points to another limitation of FMEA.  ISO 14971 requires the identification of all hazards (and not just single fault failures) resulting in NORMAL and FAULT conditions.  FMEA only identifies those from single fault failures, and not the normal condition failures (when everything is operating correctly).  Human Factors/Usability usually identifies those hazards.

A Risk Management File contains all documents that result from actions taken in each step (Clauses 3-9) of ISO 14971 as indicated in other responses, such as the Risk Management Plan, the Traceability Summary (required in Clause 3.5), each of the tools used to identify hazards, such as Preliminary Hazard Analysis (extremely valuable tool), Fault Tree Analysis (used to identify hazards resulting from multiple fault conditions), and many others. A Risk Management File should have a number of documents contained and be continuous updated as new information is gathered throughout the product lifecycle.  A Risk Management File must be accessible to the complaint team for analysis of complaints, to the team reporting adverse events and recalls, and to those developing new products, to use information gathered previously, to avoid repeating unnecessarily those activities that have already gathered risk information.  You should also review ISO TR 24971 to find information on how to use standards to improve your risk management process and reduce work.

Risk Management is not a checkbox activity, but rather a process to improve product safety, reduce costs, save time, and improve product liability.  If you are only doing FMEA, you are doing a disservice to your customers, and patients, as well as your company and its shareholders.

ISO 14971 and its companion guidance ISO TR 24971 are both being revised to include more information on the process for release in 2019.

------------------------------
Edwin Bills RAC, MA
Principal Consultant
Edwin Bills Consultant
Overland Park KS
United States

Original Message:
Sent: 18-Dec-2017 19:48
From: Devang Barot
Subject: Risk Management File

Hello all,
What are the contents of the Risk Management File in a medical Device and how FMEAs differs from Risk management File? How is Risk Managed and captured in documentation.