Regulatory Open Forum

ISO 14971:2019 is a process standard applicable to all devices.

The process starts with identification of hazards followed by the sequence of events, followed by the resulting hazardous situation followed by the harm.

Notice that a hazard can be in either a normal or fault condition. The sequence of events is a number of things that can go wrong, usually in order.

As a result, an FMEA is not the appropriate tool. It deals with failures only, not normal conditions. Also, it deals with single point failures not a sequence of events. An FMEA misses a significant portion of the things to identify and analyze in medical device risk management. In addition, it doesn't meet the requirements of the standard.

The example hazards in the table are illustrative of types of hazards. There is no requirement to use any of them or to apply each one to the specific device. They are examples of how one might list hazards.

Each hazard could have one or more sequences of events. This is what leads to the hazardous situation. In some cases, different sequences of events can lead to the same hazardous situation. For example, for a medical electrical device there are usually more than one way that the user could receive an electrical shock. List each sequence of events and its associated hazardous situations. However, each hazardous situation will have only one set of harms, so when you analyze one of the duplicate hazardous situations, you have done all of them.

I agree with most of what Dan has said. There is one thing that is shown in ISO TR 24971:2020 Clause 5 in a diagram showing the pathway from Hazard to Hazardous Situation to Harm. 

I don't have my copy handy as I am on vacation, but the essence of the diagram is counter to Dan's statement that a Hazardous Situation results in one Harm. That is not true, it is possible that a Hazardous Situation can result in multiple Harms. Each of these must be looked at separately. 

An illustration of this may be a simple case that I personally experienced as a complaint investigator. If a siderail breaks on a hospital bed a patient may fall from the bed and experience no injury, a contusion, a broken bone, or in an extreme case, death. Each of these has a different probability of occurrence and needs to be explored and documented in the Risk Management File. 

ISO 14971:2019 is a process standard applicable to all devices.

The process starts with identification of hazards followed by the sequence of events, followed by the resulting hazardous situation followed by the harm.

Notice that a hazard can be in either a normal or fault condition. The sequence of events is a number of things that can go wrong, usually in order.

As a result, an FMEA is not the appropriate tool. It deals with failures only, not normal conditions. Also, it deals with single point failures not a sequence of events. An FMEA misses a significant portion of the things to identify and analyze in medical device risk management. In addition, it doesn't meet the requirements of the standard.

The example hazards in the table are illustrative of types of hazards. There is no requirement to use any of them or to apply each one to the specific device. They are examples of how one might list hazards.

Each hazard could have one or more sequences of events. This is what leads to the hazardous situation. In some cases, different sequences of events can lead to the same hazardous situation. For example, for a medical electrical device there are usually more than one way that the user could receive an electrical shock. List each sequence of events and its associated hazardous situations. However, each hazardous situation will have only one set of harms, so when you analyze one of the duplicate hazardous situations, you have done all of them.

Ed,

Thank you for the clarification. I said that each hazardous situation could lead to one set of harms. I didn't mean only one harm.

Your example of the hospital bed is great! "If a siderail breaks on a hospital bed a patient may fall from the bed and experience no injury, a contusion, a broken bone, or in an extreme case, death." These collectively are my set of harms. There is a hazardous situation where the patient falls out of bed. In the sequence of events, there is a broken siderail.

I could imagine another sequence of events in which the attending person fails to raise the siderail (a use error). The same hazardous situation occurs in which the patient falls out of bed.

My point is that when there are multiple sequences of events leading to the same hazardous situation, that hazardous situation leads to the same set of harms. I've seen cases where companies "start all over" with the hazardous situation and create the same harms with different severities and frequency of occurrence. This usually results in questions from an auditor or reviewer.

Dan

I agree with most of what Dan has said. There is one thing that is shown in ISO TR 24971:2020 Clause 5 in a diagram showing the pathway from Hazard to Hazardous Situation to Harm. 

I don't have my copy handy as I am on vacation, but the essence of the diagram is counter to Dan's statement that a Hazardous Situation results in one Harm. That is not true, it is possible that a Hazardous Situation can result in multiple Harms. Each of these must be looked at separately. 

An illustration of this may be a simple case that I personally experienced as a complaint investigator. If a siderail breaks on a hospital bed a patient may fall from the bed and experience no injury, a contusion, a broken bone, or in an extreme case, death. Each of these has a different probability of occurrence and needs to be explored and documented in the Risk Management File. 

ISO 14971:2019 is a process standard applicable to all devices.

The process starts with identification of hazards followed by the sequence of events, followed by the resulting hazardous situation followed by the harm.

Notice that a hazard can be in either a normal or fault condition. The sequence of events is a number of things that can go wrong, usually in order.

As a result, an FMEA is not the appropriate tool. It deals with failures only, not normal conditions. Also, it deals with single point failures not a sequence of events. An FMEA misses a significant portion of the things to identify and analyze in medical device risk management. In addition, it doesn't meet the requirements of the standard.

The example hazards in the table are illustrative of types of hazards. There is no requirement to use any of them or to apply each one to the specific device. They are examples of how one might list hazards.

Each hazard could have one or more sequences of events. This is what leads to the hazardous situation. In some cases, different sequences of events can lead to the same hazardous situation. For example, for a medical electrical device there are usually more than one way that the user could receive an electrical shock. List each sequence of events and its associated hazardous situations. However, each hazardous situation will have only one set of harms, so when you analyze one of the duplicate hazardous situations, you have done all of them.

ISO 14971:2019 is a process standard applicable to all devices.

The process starts with identification of hazards followed by the sequence of events, followed by the resulting hazardous situation followed by the harm.

Notice that a hazard can be in either a normal or fault condition. The sequence of events is a number of things that can go wrong, usually in order.

As a result, an FMEA is not the appropriate tool. It deals with failures only, not normal conditions. Also, it deals with single point failures not a sequence of events. An FMEA misses a significant portion of the things to identify and analyze in medical device risk management. In addition, it doesn't meet the requirements of the standard.

The example hazards in the table are illustrative of types of hazards. There is no requirement to use any of them or to apply each one to the specific device. They are examples of how one might list hazards.

Each hazard could have one or more sequences of events. This is what leads to the hazardous situation. In some cases, different sequences of events can lead to the same hazardous situation. For example, for a medical electrical device there are usually more than one way that the user could receive an electrical shock. List each sequence of events and its associated hazardous situations. However, each hazardous situation will have only one set of harms, so when you analyze one of the duplicate hazardous situations, you have done all of them.

ISO 14971 has the correct method for risk analysis. All three versions (2000, 2007, and 2019) use the same process steps – hazard, sequence of events, hazardous situation, and harm. In all three versions the analysis applies to both normal and to fault conditions. In none of these versions is FMEA an appropriate method since it applies to single fault conditions, not to normal operation and not to sequences of events.

I've worked with a lot of companies to help them implement the standard as written. I believe that FMEA arises in the mistaken belief that patient or user harm can only occur when the device fails. This turns risk management into a reliability activity and an FMEA is an appropriate method.

The ideas of P1 and P2 is purely pedological, not practical. It is not a requirement, only an explanation; Annex C is informative not normative.

Figure C.1 shows that P1 is the probabi9lity of a hazardous situation occurring. It is not the probability of a hazard occurring. A hazard may have many hazardous situations. P2 is the probability that the hazardous situation leads to harm.

One problem is that if the manufacturer attempts to estimate P1 and P2 they are very small numbers and when multiplied together result in even smaller numbers. The second problem is that P1 and P2 are nearly impossible to estimate. The third problem is that the estimates are not point estimates but ranges. This means the "multiplication" needs the P1 distribution, the P2 distributions, and the result of the convolution integral.

One of the requirements of the standard is to estimate risk when the manufacturer cannot estimate the probability. The paradigm case is the use error. The usability standard, IEC 62366-1 says that it is not possible to calculate the probability and the risk estimate should use severity only.

In summary, FMEA is not an appropriate method for ISO 14971. P! and P@ are not practical concepts and companies should not attempt to use them.

• ISO 14971 clearly prescribes FMEA as a possible technique in support of the ISO 14971 risk analysis.  Accordingly, rather than banishing FMEA, it is more sensible to use FMEA (if warranted at all by the given case) for its intended purpose while taking care not to misuse it.  For example, ISO 14971 emphasizes that we need to assess risk both in normal and in fault conditions.  When working up the clinical risk that could ultimately result from a device operating/used in fault condition, FMEA is a great tool to help that assessment along.  But as I said, be sure to use FMEA properly during that work-up.  I explain further how to do that properly in the following comments.
• Use FMEA, FTA, etc., to explore the device-centric problems and device-centric effects.  "Device-centric" means from the vantage point of the device itself and thus does not, on its own, measure up to the patient/user-centric analysis ultimately required by ISO 14971.  Yet that being the case, and as mentioned above, don't banish FMEA altogether just because some have misused it before.  ISO 14971 hasn't disqualified FMEA, and in fact instructs us to make use of it or similar techniques; therefore, therefore, nor should we disqualify FMEA when it is used as intended.
• Once the device-centric faults (and the corresponding probabilities) are understood where appropriate, then use those to thereafter extrapolate what clinical sequences of events and hazardous situations might arise therefrom if the faulty / dysfunctional device makes its way into the clinical environment.  In so doing, remember that ISO 14971 "sequences of events" and "hazardous situations" generally mean the clinical sequences of events and hazardous situations (i.e., the patient/user-centric ones), and thus are not to be confused with the preceding device-centric FMEA steps.  But this is simply another example showing how to avoid misusing FMEA; it is not a reason for banning FMEA.
• I generally aim to include or reference the essence/findings of the FMEA sub-steps in the ISO 14971 risk matrix in a column(s) preceding the columns for the clinical sequence of events and hazard situation.
• Indeed, P1 is ultimately the probability of a hazardous situation occurring.  Yet it is built up by the contribution of multiple factors.  One of those factors may be the probability of the underlying hazard and its initiators (see Figure H.1 of ISO/TR 24971 for an illustration of the contribution of the hazard to P1).  Accordingly, don't make the mistake of dismissing P1, nor of declaring that P1 isn't driven in part by the probability of the hazard.  It is critical that we make our best effort to give good-faith consideration to the P1 probability.
• As 14971 reminds us, sometimes that will simply be our best qualitative guess, whereas sometimes it will instead be impossible altogether.  In the latter situation, then we are left to focus entirely on the severity of the harm without consideration of the probability. Yet, although ISO 14971 reminds us that P1 may be quantitatively incalculable, don't make the mistake of altogether dismissing P1 as impractical or "pedological".  The qualitative presence and impact of P1 is profoundly present in every risk scenario and is an essential aspect for realizing a proper risk analysis.