Regulatory Open Forum

 View Only

  • 1.  PFMEA

    Posted 02-Mar-2024 20:09
    Edited by Nicole Thibodeau 03-Mar-2024 09:21

    Hello,

    Is having a pFMEA a requirement? If so, what standard/guidance is there to help create one (I couldn’t find it in ISO 14971)? If not, can an auditor list not having a pFMEA as a finding during an ISO 13485 audit?

    Thank you in advance!

    Best,
    Nicole
    ---------------------------------
    Nicole Thibodeau
    Regulatory Affairs Specialist II
    Hamilton Thorne Inc.
    Beverly MA
    United States
    ---------------------------------



  • 2.  RE: PFMEA

    Posted 03-Mar-2024 11:14

    Hi Nicole,

    You won't find a requirement listing a PFMEA (or DFMEA or UFMEA) as these are all really just tools and the FMEA tool in its pure form is actually better for reliability than risk analysis. 

    The requirement flows from the second paragraph in section 7.1 in ISO 13485, "The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained (see 4.2.5)."

    Since the manufacturing processes (even if outsourced) are directly part of product realization, you need to complete a risk analysis for the manufacturing processes (just as you need them for the use & design parts of product realization). 

    There are several places for you to obtain training (and examples of the tools) such as through AAMI (some of the best instructors there) or other courses. You may send me a message if you would like some other help.

    Good Luck!!



    ------------------------------
    Regards,
    Mark Swanson, ASQ CBA, CMQ/OE, CQE ASQ, MBA
    St. Cloud State University
    Becker MN
    United States
    ------------------------------

    Original Message


  • 3.  RE: PFMEA

    Posted 04-Mar-2024 09:12

    Mark has made a good explanation of the requirements vs. tools to meet the requirements. PFMEA is commonly used in process risk analysis, but it has some limitations, such as only being single-fault. That means it does not cover conditions where multiple events occur to cause a hazard to occur. Additionally it does not cover "normal conditions" as required in 14971. These are common problems with all forms of FMEA, which as Mark mentions are reliability analysis tools. 

    Additionally, while 14971 does not mention FMEA, it is not a requirement, so you will find the reference in ISO TR 24971:2020 Annex B along with other tools commonly used in medical device risk management. 24971 is the guidance document for implementing 14971 and you REALLY need it to properly implement 14971. 



    ------------------------------
    Edwin Bills
    Edwin Bills Consultant
    ASQ Fellow CQE, CQA, CQM/OE, RAPS RAC
    elb@edwinbillsconsultant.com
    ------------------------------

    Original Message


  • 4.  RE: PFMEA

    Posted 04-Mar-2024 03:13

    Hi Nicole

    For an EU Technical Documentation, having a pFMEA on its own is not a strict requirement as per MDR (EU) 2017/745 but you're required to minimize all known and foreseeable risks and you need to evaluate the impact of information from the production phase. You may manage this completely within you overall risk assessment by considering all causes from production that might lead to a hazardous situation within your documented sequence of events.

    However, the Team-NB position paper "Best Practice Guidance for the Submission of Technical Documentation under Annex II and III of Medical Device Regulation (EU) 2017/745" expects you to provide a production/process risk assessment, which is specified as a documented risk assessment for the production/manufacturing process aspects of the device. Again, this can be included in your product risk assessment as per ISO 14971 - however, this is a top-down approach which, depending on your product and production process, might not be appropriate to assess production risks. Therefore, conducting a pFMEA can be expected being state-of-the-art by a Technical Documentation reviewer, especially for more complex manufacturing processes or systems, unless justified why you did not.

    Also ISO 13485 requires manufacturers 

    • to document one or more processes for risk management in product realization and to maintain records of risk management activities, and
    • that production and service provision shall be planned [...] and controlled to ensure that product conforms to specification,

    which can be demonstrated respectively supported by means of a pFMEA.

    IEC 60812:2018 Failure modes and effects analysis (FMEA and FMECA) provides good guidance on how to plan, conduct and document different types of FMEA.

    Best regards,
    Roger



    ------------------------------
    Roger Christinger
    Lead RA/QM Consultant, RAC-Devices
    Zühlke Group, Switzerland

    https://www.zuehlke.com/en/industries/medical-device-healthcare
    ------------------------------

    Original Message


  • 5.  RE: PFMEA

    Posted 04-Mar-2024 04:17

    Hello Nicole,

    As the others have said, there is no explicit requirement for a Process Failure Modes and Effect Analysis or pFMEA - but there is expectation to conduct risk assessment and evaluation of not only the finished device, but the process used to make the device.  pFMEA is only a tool in the overall risk management process with some examples in standards and descriptions in other locations like white papers and blogs how these are generated.  There is a cross-over doing risk assessment of the finished product and the processes used to make the finished device, so there are various ways process risk assessment can be performed.  Though the simple answer is yes, a proper risk assessment of a product needs to include the processes involved to make the device, such as manufacturing, testing, inspection, packaging, labelling, etc., and many of the inspection or test activities would be considered part of risk control.



    ------------------------------
    Richard Vincins ASQ-CQA, MTOPRA, RAC
    Principal Strategy Consultant
    NAMSA
    ------------------------------

    Original Message


  • 6.  RE: PFMEA

    Posted 04-Mar-2024 04:21

    And just to add an additional note onto Roger's reply... Team-NB's recommendations in their Best Practice documents are inappropriate (with respect to the risk documentation) in my opinion. It defines a specific document type that is required, but that is not the requirement of ISO 14971:2019 or the EU MDR or IVDR. I feel it would be more appropriate for them to call for documented evidence of how the use, design and production of the device can contribute to risk and thus the controls in place etc. on those different elements. The Team-NB recommendation (because it infers FMEAs even if it does not say it outright) does not help industry in moving to the understanding that a FMEA is not a risk assessment and on its own is insufficient to meet the requirements of ISO 14971:2019, EU MDR and so on.



    ------------------------------
    Ed Ball
    Manager, Intelligence & Innovation
    United Kingdom
    ------------------------------

    Original Message


  • 7.  RE: PFMEA

    Posted 11-Mar-2024 22:12
    Edited by Beatrice NAJEM 11-Mar-2024 22:14

    Hi to all, I am aligned with what is said on the absence of a clear law/ standard text requiring in particular the pFMEA to assess manufacturing risk. 

    However, I would like to underlign the importance of the risk management in the medical devices lifecycle. What a LM is expected to have is a medical device that is safe and efficient from its design to its end of use. I have participed and build manay risk management files for medical devices, my favorites were those that is segmented by life cycle (Design/ manufacturing/ distribution/ use/ end of use). 

    It means that, you could eventually have a pFMEA or cover manufacturing step in the risk file or both if you bring back the manufacturing risks of the DFMEA to the global Risk assessment keeping consistensies. 

    I didn't want to add any text reference to what was said below and that was complete from RA point of view. I hope that this would give some practical ideas to assess possibilities that suit you. 

    good luck ! 

    Béatrice  



    ------------------------------
    Beatrice NAJEM
    CEO & Founder of Quarex Consulting LLC
    Belmont MA
    United States
    ------------------------------

    Original Message


  • 8.  RE: PFMEA

    Posted 12-Mar-2024 15:46

    In response to Nichole's question and Beatrice's response, I wish to restate, as has been done several times in this Forum, that no where is there a requirement to use FMEA in any form. In fact, there are limitations on the use of this Reliability tool in Risk Management, including that is NOT a Risk Analysis. 

    Among its limitations is the fact that it is a single-fault tool, which means It does not meet these two requirements:  first, it does not meet the requirement to identify all fault condition hazards, and second, it does not identify normal condition hazards, those where no fault has occurred.

    FMEA may be used at the Design Output stage to identify fault conditions which may have safety related effects  At that point, this information is transferred out of the FMEA to the Risk Analysis as a Hazard,  This is where the use of FMEA in any form, ends and moves to the Risk Management process.  FMEA only is used as a tool to identify Hazards in Risk Management and nothing else.  Its terminology definitions and usage is different from Risk Management and you can see excellent discussions on the proper use of FMEA in Risk Management such as a recent one by Kevin Randall  

    Additionally as Beatrice has indicated there are no regulatory requirements to perform any type of FMEA. It is only one tool that may be used when appropriate, which is many times not appropriate. US FDA, for example, may only cite for requirements in the regulations and since FMEA is not in the regulations they may not cite for failures in FMEA. However, if FMEA appears as a requirement in your Quality System, they can cite you for any failure to follow your own quality system. 

    As for the question about FMEA not appearing in ISO 14971, that is correct, there is no requirement in the standard. However, there is guidance on implementing ISO 14971 in another ISO document ISO TR 24971 which in Annex B describes several tools which may be used in the risk management process including FMEA, but there is not a description on how these tools may be used. 

    Hopefully we have helped you understand the issues around this topic. 



    ------------------------------
    Edwin Bills
    Edwin Bills Consultant
    ASQ Fellow CQE, CQA, CQM/OE, RAPS RAC
    elb@edwinbillsconsultant.com
    Member, ISO TC 210 JWG1
    ------------------------------

    Original Message


  • 9.  RE: PFMEA

    Posted 13-Mar-2024 14:46

    Hello Nicole

    As other distinguished colleagues have already pointed out, I agree with their comments that pFMEA (or FMEA of any sort) is not an explicit requirement. Only one of the many risk analysis techniques that can be used.

    I do want to understand more what you mean by " If not, can an auditor list not having a pFMEA as a finding during an ISO 13485 audit?"

    I am intrigued by this statement - are you confronting a situation that an auditor is giving you a finding that you don't have a pFMEA?

    I think this finding cannot be supported by any "crystal clear" requirement in ISO 13485. Perhaps they are using absence of a pFMEA as evidence to cite you against an explicit risk management requirement in ISO 13485?



    ------------------------------
    Naveen Agarwal, Ph.D.
    Problem Solver | Knowledge Sharer.
    Let's Talk Risk!
    @https://naveenagarwalphd.substack.com/
    ------------------------------

    Original Message


Related Content