Regulatory Open Forum

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Your scenario is quite common compared to the risk management remediations I've done for clients over the years.  Here are some typical ailments I've seen and fixed for clients time and again:

• As has been extensively established previously in this Forum, FMEA in its truest sense (e.g., per IEC 60812) is not risk "management". Instead, ISO 14971 allocates and prescribes FMEA as a technique that supports the clause 5 risk analysis step. FMEA is not risk management because it focuses on single-point failures and thus doesn't generally extrapolate to ISO 14971 "harm".  When I've remediated ailing risk management systems over the years, oftentimes I've found that either a) FMEA has been misappropriated as risk management thus causing the effort to fall short of complete extrapolation to ISO 14971 harms; or b) the organization is in fact doing risk management including extrapolation to ISO 14971 harms such as via ISO 14971 PHA, yet has mislabeling it as "FMEA".  The latter is an easier fix, as it is merely a terminology issue.  In contrast, the former requires additional risk analysis work, such as by integrating the FMEA output into ISO 14971 PHA; for example, by integrating the FMEA revelations into the ISO 14971 risk management sequences of events and hazardous situations that lead to harm.  That has been a very common solution that was needed in the risk management systems I've remediated.  We would need to see precisely how "FMEA" is being used in your scenario in order to determine what solutions are needed for your legacy documents.  Whatever is decided with respect to your existing "FMEAs", it needs to align with the foregoing principles, such as via proper handling of FMEA (a risk analysis technique) vs. PHA (a more robust risk management approach).

• Another common ailment I've encountered during risk management remediation work is incomplete or erroneous identification, articulation, and documentation of ISO 14971 "hazards", "sequences of events", "hazardous situations", and "harms" with respect to ISO 14971's formal definitions for these terms.  It is critical that the risk management SOP properly define and prescribe these, and then that the organization faithfully attends to them in the risk analysis and evaluation steps of the risk management process.

• Yet another ailment I've seen and resolved often is nebulous, mistimed criteria for risk acceptability (see 14971 clause 4.4 second paragraph indent d).  I can't emphasis enough how important it is to have properly timed (defined at the Risk Management Plan step) and objective/measurable (rather than ambiguous) risk acceptance criteria for assuring the ultimate integrity and day-to-day utility of the risk management mechanism (e.g., when deciding if corrective action, recall, etc., are needed as nonconformities occur).  Oftentimes in noncompliant risk management systems, the risk acceptance criteria aren't defined until the risk analysis step/document.  Or they are written ambiguously.  Or they aren't realistically representative/germane to the subject device's actual real risk profile.  This can lead to underreaction or overreaction when nonconformities arise.

• Closely related to the risk acceptance criteria is the step whereby the risk level is estimated and characterized (14971 clause 5.5).  This has led to much debate about the integrity of using "RPNs" to characterize and rank the risks.  Specifically, the aforesaid FMEA misuse-phenomenon has also led to misuse of FMEA "RPNs" as part of ISO 14971 risk management.  However, as I've mentioned in prior Forum posts, ISO 14971 and 24971 clearly emphasis the need to express risk in objective terms in relation to "severity and probability scales".  Organizations have often done this via an "RPN" assigned for scoring the combination of severity and probability.  Now, sometimes such RPN is indeed wrongly misappropriated from a true FMEA RPN (see prior Forum objections about misuse of RPNs in 14971 risk management).  But sometimes, sort of like the aforementioned misuse of the "FMEA" label yet while proper risk management is in fact happening, organization's will use the "RPN" acronym as the name for the score they've derived using their proper 14971 severity and probability scales.  In that case, I generally choose not to scold such organizations as long as they are using the scales and score properly (i.e., as a means to compare against the risk acceptance criteria) even though the RPN acronym has fallen into disfavor amongst risk management gurus.

Hope this summary of common risk management problems is helpful to you during your remediation campaign.

------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright by ComplianceAcuity, Inc. All rights reserved.

Original Message:
Sent: 05-Jan-2024 08:12
From: Anonymous Member
Subject: Risk Management File overhaul

This message was posted by a user wishing to remain anonymous

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Consensus on FMEA or not isn't relevant. You must follow the standard the way it is written. This means that an FMEA is the wrong approach. The standard requires identification of hazards in normal or fault conditions as well as a sequence of events. An FMEA looks at only failure and in a single fault condition.

Design FMEAs are not the right, because they do not meet the requirements in the standard.

Also, there is a problem with a usability FMEA. It doesn't meet the requirements of IEC 62366-1:2015.

By production FMEA I infer you mean process FMEAs. They don't belong in the risk management file because they don't address patient or user harm. They can provide an input to risk management when there is a possibility of an escape of nonconforming product that would result in patient or user harm. Process FMEAs are designed to keep this from happening.

The only viable path forward is to follow the standard, which means converting the incorrect documents you inherited.

If you are planning to go into the EU, then convert to EN ISO 14971:2019/A11:2020. The EU version of the standard is not the same as the international version since it is more restrictive. If you follow the EU version you will be in compliance with the international version.

When picking a consultant, determine that she will follow the standard as written. For some reason many people don't want to follow the standard and, as a result, make it far too complicated.

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Consensus on FMEA or not isn't relevant. You must follow the standard the way it is written. This means that an FMEA is the wrong approach. The standard requires identification of hazards in normal or fault conditions as well as a sequence of events. An FMEA looks at only failure and in a single fault condition.

Design FMEAs are not the right, because they do not meet the requirements in the standard.

Also, there is a problem with a usability FMEA. It doesn't meet the requirements of IEC 62366-1:2015.

By production FMEA I infer you mean process FMEAs. They don't belong in the risk management file because they don't address patient or user harm. They can provide an input to risk management when there is a possibility of an escape of nonconforming product that would result in patient or user harm. Process FMEAs are designed to keep this from happening.

The only viable path forward is to follow the standard, which means converting the incorrect documents you inherited.

If you are planning to go into the EU, then convert to EN ISO 14971:2019/A11:2020. The EU version of the standard is not the same as the international version since it is more restrictive. If you follow the EU version you will be in compliance with the international version.

When picking a consultant, determine that she will follow the standard as written. For some reason many people don't want to follow the standard and, as a result, make it far too complicated.

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

The risk management systems I've audited and remediated invariably use the term "FMEA" in some capacity; sometimes correctly, sometimes incorrectly as described before.  So, it just isn't realistic or possible to properly audit and remediate such systems without tackling and addressing FMEA and the aforesaid FMEA dilemma.

Also noteworthy is that ISO 14971 (see ISO/TR 24971) itself unequivocally and specifically prescribes FMEA as a valid technique for use to support the risk analysis step.  For example, process FMEA can give insights into the probability of occurrence of sequences of related/consequent events which contribute to the probability of occurrence of harm. This holds true regarding FMEA related to the device itself, or its manufacturing process, or device use and misuse (called "Use FMEA" by 24971).  All three types of FMEAs are specifically given clear place by 24971, and thus 14971.

And if we decide to involve FMEA as permitted by 14971/24971, then its presence in the risk management file will be audited per clause 5.1 stating that "the implementation of the planned risk analysis activities and the results of the risk analysis shall be recorded in the risk management file."  Consequently, if we decide to quarantine our proper FMEA work from the risk management effort and file, then I think we really risk significant risk management nonconformities along with alienation from the letter and intent of ISO 14971 which clearly permits the use of FMEA as part of the risk management process.

Remember also that the "Use FMEA" defined by 14971 has its respective intended purpose, while the holistic application of usability engineering to medical devices per EN 62366-1 as amended has its respective purpose.  There is no problem that each has its own respective purpose.  The use of one shall not invalidate or disqualify the use of the other.  Instead, there are many scenarios where both are needed to fully comply with applicable regulatory requirements.

Consensus on FMEA or not isn't relevant. You must follow the standard the way it is written. This means that an FMEA is the wrong approach. The standard requires identification of hazards in normal or fault conditions as well as a sequence of events. An FMEA looks at only failure and in a single fault condition.

Design FMEAs are not the right, because they do not meet the requirements in the standard.

Also, there is a problem with a usability FMEA. It doesn't meet the requirements of IEC 62366-1:2015.

By production FMEA I infer you mean process FMEAs. They don't belong in the risk management file because they don't address patient or user harm. They can provide an input to risk management when there is a possibility of an escape of nonconforming product that would result in patient or user harm. Process FMEAs are designed to keep this from happening.

The only viable path forward is to follow the standard, which means converting the incorrect documents you inherited.

If you are planning to go into the EU, then convert to EN ISO 14971:2019/A11:2020. The EU version of the standard is not the same as the international version since it is more restrictive. If you follow the EU version you will be in compliance with the international version.

When picking a consultant, determine that she will follow the standard as written. For some reason many people don't want to follow the standard and, as a result, make it far too complicated.

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

We have had this discussion on FMEA innumerable times.  

Yes, ISO TR 24971:2020 Annex B.5 does list it as a technique that may be used.  But it also identifies some disadvantages of use of this reliability analysis technique in risk management.  You can use a technique ONLY when used CORRECTLY.  FMEA uses different definitions of Severity and Probability than those in ISO 14971, so one must be very careful in this application.  Properly used, FMEA identifies SINGLE-FAULT conditions and not those with multiple causes, nor those in NORMAL CONDITION (when the device is working and there is no fault).  So it is an incomplete tool and MUST be used with other techniques to cover the limitations of FMEA such as Fault Tree Analysis (FTA) and Preliminary Hazard Analysis (PHA).  The FMEA Effects from identified failures should be identified in the Risk Analysis as the Hazard, partially fulfilling only the requirements of Clause 5.4.  Then the remaining steps of the Risk Analysis (Clause 5) process (remainder of 5.4 identifying Hazardous Situation [exposure of hazard] and 5.5 risk estimation) are completed after the FMEA. 

ISO 13485 7.3.3 c) also places a limitation on the application of FMEA, as it requires the "outputs of risk management" be Design Inputs.  FMEA requires Design Outputs to perform so its application is late in the Design Process.  One of the problems it introduces is making design changes to fix problems FMEA uncovers late in design.  The causes cost and late release issues.  But it may uncover issues that were not discovered previously prior to release, that is its value in risk management.  FMEA is more suited to its original purpose and that is Reliability Analysis, but it can be, as Kevin indicates, used in Risk Management when applied correctly.

ISO TR 24971 also identifies IEC 60812 as the referenced standard for this technique.   The current version is 2018.  So other permutations are not covered under Annex B.5.

When ISO 24971:2020 comes up for revision, would you gentlemen (and any others) be sure to submit comments, including suggestions, about this area so more guidance can be provided on application of this and any other technique. This is how we improve standards.  ISO TC 210 JWG1 is currently working on an AI/ML guidance, and updates to 14971 and 24971 have not come up on the agenda yet, but 14971 is supposed to be reviewed at 5 years (December 2024) and 24971 is two years past its review time.  

The risk management systems I've audited and remediated invariably use the term "FMEA" in some capacity; sometimes correctly, sometimes incorrectly as described before.  So, it just isn't realistic or possible to properly audit and remediate such systems without tackling and addressing FMEA and the aforesaid FMEA dilemma.

Also noteworthy is that ISO 14971 (see ISO/TR 24971) itself unequivocally and specifically prescribes FMEA as a valid technique for use to support the risk analysis step.  For example, process FMEA can give insights into the probability of occurrence of sequences of related/consequent events which contribute to the probability of occurrence of harm. This holds true regarding FMEA related to the device itself, or its manufacturing process, or device use and misuse (called "Use FMEA" by 24971).  All three types of FMEAs are specifically given clear place by 24971, and thus 14971.

And if we decide to involve FMEA as permitted by 14971/24971, then its presence in the risk management file will be audited per clause 5.1 stating that "the implementation of the planned risk analysis activities and the results of the risk analysis shall be recorded in the risk management file."  Consequently, if we decide to quarantine our proper FMEA work from the risk management effort and file, then I think we really risk significant risk management nonconformities along with alienation from the letter and intent of ISO 14971 which clearly permits the use of FMEA as part of the risk management process.

Remember also that the "Use FMEA" defined by 14971 has its respective intended purpose, while the holistic application of usability engineering to medical devices per EN 62366-1 as amended has its respective purpose.  There is no problem that each has its own respective purpose.  The use of one shall not invalidate or disqualify the use of the other.  Instead, there are many scenarios where both are needed to fully comply with applicable regulatory requirements.

Consensus on FMEA or not isn't relevant. You must follow the standard the way it is written. This means that an FMEA is the wrong approach. The standard requires identification of hazards in normal or fault conditions as well as a sequence of events. An FMEA looks at only failure and in a single fault condition.

Design FMEAs are not the right, because they do not meet the requirements in the standard.

Also, there is a problem with a usability FMEA. It doesn't meet the requirements of IEC 62366-1:2015.

By production FMEA I infer you mean process FMEAs. They don't belong in the risk management file because they don't address patient or user harm. They can provide an input to risk management when there is a possibility of an escape of nonconforming product that would result in patient or user harm. Process FMEAs are designed to keep this from happening.

The only viable path forward is to follow the standard, which means converting the incorrect documents you inherited.

If you are planning to go into the EU, then convert to EN ISO 14971:2019/A11:2020. The EU version of the standard is not the same as the international version since it is more restrictive. If you follow the EU version you will be in compliance with the international version.

When picking a consultant, determine that she will follow the standard as written. For some reason many people don't want to follow the standard and, as a result, make it far too complicated.

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

I'm not a big fan of throwing out the baby with the bath water.  Although ISO/TR 24971 acknowledges that disadvantages of FMEA can arise from difficulties in dealing with redundancies (not a deal-breaker in my opinion) and the incorporation of repair or preventive maintenance actions, as well as its restriction to single-fault conditions (not deal-breakers in my opinion), I don't consider those to be sufficient grounds for banning FMEA from the risk management process.  For example, we should have no hesitation to rely on FMEA supplemented with PHA.

Proper risk management shall occur throughout the device life-cycle (defined by 14971 as spanning from initial conception to final decommissioning).  Thus, the fact that FMEA has a focus on proposed device/manufacturing/use specifications (i.e., initial design outputs) is not appropriate grounds for disqualifying the use of properly deployed FMEA.  In fact, once these initial specifications are proposed, there may be no better way to analyze the associated risk profile than via FMEA.

FMEA and its output probabilities for failure modes (i.e., of sequences of events and maybe also hazardous situations) can yield valuable characteristic and probabilistic insights into the ultimate probability of occurrence of harm resulting from those fault conditions. 14971 clearly reminds us of this.  And just because FMEA is limited to fault conditions, it doesn't prevent the manufacturer from also meeting the requirement to also consider the device's risk profile under normal operating conditions.  Indeed, my risk management trace matrices include an entry identifying whether each risk scenario is for a fault condition or normal operating condition.  That has quickly settled inquiring auditors who were looking to assure risk assessment was done under normal and fault conditions.  14971's and 24971's proper allowance for use of FMEA to identify manufacturing failures, design failures, and use failures can play a valuable role in articulating and estimating the sequences of events, hazardous situations, and harms that might ultimately result.

14971 hazards are simply generic categories (i.e., biological, energy, manufacturing, usability, etc.) used to organize and categorize our more detailed assessments of sequences of events, hazardous situations, and harms.  As mentioned earlier, I generally link FMEA insights to the sequences of events and hazardous situations more than, or rather than, to 14971's generic hazard categories. 14971 reminds us that relevant hazards associated with the medical device can be deduced from consideration of the intended use and reasonably foreseeable misuse as determined by a clause 5.2 analysis, and by the characteristics related to safety as determined by a clause 5.3 analysis.  It doesn't include FMEA as a way to derive hazards; though in practice, there seems to be a synergistic relationship between these analytical exercises (5.2 and 5.3) and the insights that can be gained from FMEA.  Thus, while FMEA can have value for identifying relevant hazards, I don't generally use FMEA as my primary way for identifying relevant hazards.

My opinion is that ISO 14971 and ISO/TR 24971 in their current embodiments do a fine job of balancing out these various nuances.  As a member of QM/WG04 (the U.S. Working Group providing U.S. input into ISO/TC 210's development of 14971), I don't just lodge such a defense due to pride in ownership/authorship; indeed, the current embodiment came before my involvement and was forged by the preceding hard work of folks like Edwin Bills and many others.  Instead, it is from my real-world use of ISO 14971 that I really do believe the current embodiment is on target regarding the integration of FMEA with risk management.  Thus, I would be sad to see further disparagement of FMEA make its way into the upcoming ISO 14971 standard review and revisions.  14971 is a faithful evolution of the state of the art when I think back to modern risk management's origins and founding documents like EN 1441 (yes, I'm that old and can remember using EN 1441 back when it was a gold standard). If stakeholders can make a careful reading of the current embodiment, then potential misuse of FMEA can be reduced.

We have had this discussion on FMEA innumerable times.  

Yes, ISO TR 24971:2020 Annex B.5 does list it as a technique that may be used.  But it also identifies some disadvantages of use of this reliability analysis technique in risk management.  You can use a technique ONLY when used CORRECTLY.  FMEA uses different definitions of Severity and Probability than those in ISO 14971, so one must be very careful in this application.  Properly used, FMEA identifies SINGLE-FAULT conditions and not those with multiple causes, nor those in NORMAL CONDITION (when the device is working and there is no fault).  So it is an incomplete tool and MUST be used with other techniques to cover the limitations of FMEA such as Fault Tree Analysis (FTA) and Preliminary Hazard Analysis (PHA).  The FMEA Effects from identified failures should be identified in the Risk Analysis as the Hazard, partially fulfilling only the requirements of Clause 5.4.  Then the remaining steps of the Risk Analysis (Clause 5) process (remainder of 5.4 identifying Hazardous Situation [exposure of hazard] and 5.5 risk estimation) are completed after the FMEA. 

ISO 13485 7.3.3 c) also places a limitation on the application of FMEA, as it requires the "outputs of risk management" be Design Inputs.  FMEA requires Design Outputs to perform so its application is late in the Design Process.  One of the problems it introduces is making design changes to fix problems FMEA uncovers late in design.  The causes cost and late release issues.  But it may uncover issues that were not discovered previously prior to release, that is its value in risk management.  FMEA is more suited to its original purpose and that is Reliability Analysis, but it can be, as Kevin indicates, used in Risk Management when applied correctly.

ISO TR 24971 also identifies IEC 60812 as the referenced standard for this technique.   The current version is 2018.  So other permutations are not covered under Annex B.5.

When ISO 24971:2020 comes up for revision, would you gentlemen (and any others) be sure to submit comments, including suggestions, about this area so more guidance can be provided on application of this and any other technique. This is how we improve standards.  ISO TC 210 JWG1 is currently working on an AI/ML guidance, and updates to 14971 and 24971 have not come up on the agenda yet, but 14971 is supposed to be reviewed at 5 years (December 2024) and 24971 is two years past its review time.  

The risk management systems I've audited and remediated invariably use the term "FMEA" in some capacity; sometimes correctly, sometimes incorrectly as described before.  So, it just isn't realistic or possible to properly audit and remediate such systems without tackling and addressing FMEA and the aforesaid FMEA dilemma.

Also noteworthy is that ISO 14971 (see ISO/TR 24971) itself unequivocally and specifically prescribes FMEA as a valid technique for use to support the risk analysis step.  For example, process FMEA can give insights into the probability of occurrence of sequences of related/consequent events which contribute to the probability of occurrence of harm. This holds true regarding FMEA related to the device itself, or its manufacturing process, or device use and misuse (called "Use FMEA" by 24971).  All three types of FMEAs are specifically given clear place by 24971, and thus 14971.

And if we decide to involve FMEA as permitted by 14971/24971, then its presence in the risk management file will be audited per clause 5.1 stating that "the implementation of the planned risk analysis activities and the results of the risk analysis shall be recorded in the risk management file."  Consequently, if we decide to quarantine our proper FMEA work from the risk management effort and file, then I think we really risk significant risk management nonconformities along with alienation from the letter and intent of ISO 14971 which clearly permits the use of FMEA as part of the risk management process.

Remember also that the "Use FMEA" defined by 14971 has its respective intended purpose, while the holistic application of usability engineering to medical devices per EN 62366-1 as amended has its respective purpose.  There is no problem that each has its own respective purpose.  The use of one shall not invalidate or disqualify the use of the other.  Instead, there are many scenarios where both are needed to fully comply with applicable regulatory requirements.

Consensus on FMEA or not isn't relevant. You must follow the standard the way it is written. This means that an FMEA is the wrong approach. The standard requires identification of hazards in normal or fault conditions as well as a sequence of events. An FMEA looks at only failure and in a single fault condition.

Design FMEAs are not the right, because they do not meet the requirements in the standard.

Also, there is a problem with a usability FMEA. It doesn't meet the requirements of IEC 62366-1:2015.

By production FMEA I infer you mean process FMEAs. They don't belong in the risk management file because they don't address patient or user harm. They can provide an input to risk management when there is a possibility of an escape of nonconforming product that would result in patient or user harm. Process FMEAs are designed to keep this from happening.

The only viable path forward is to follow the standard, which means converting the incorrect documents you inherited.

If you are planning to go into the EU, then convert to EN ISO 14971:2019/A11:2020. The EU version of the standard is not the same as the international version since it is more restrictive. If you follow the EU version you will be in compliance with the international version.

When picking a consultant, determine that she will follow the standard as written. For some reason many people don't want to follow the standard and, as a result, make it far too complicated.

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Hello Anon - there are a lot of good suggestions and clarifications from colleagues on your situation. I would like to share the following article with you that offers a simple, hierarchical documentation structure for a risk management file. It has worked extremely well in my practice where we have found an easy way to integrate FMEAs with other documents in the RMF.

ISO 14971 fundamentals: risk management file

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Thank you all, it's been really helpful!

The general advice seems to be to rewrite the risk assessment and that resonates well with me. The previous FMEAs are somewhat of a hybrid where the "Failure Effects" in about half of the risks identify harm and a hazards and sequence of event can be pulled out with some good will.

My thinking now is to consider the performed FMEAs as part of the systematic risk analysis for the risk assessment and use them for that purpose. Then we do a new risk assessment per ISO 14917, taking the FMEA hazards and risks into account and also including any additional risks identified.

One thing I'm still hesitant on is weather to include each and every risk from the FMEA as a separate risk in the risk assessment or if some can be combined (effectively combining the probabilities from several risks that identify the same hazard. I find that FMEAs often leads to large number of risks and that this may be counterproductive when trying to get an overview of the risk level of the device.

As an example our Design FMEA identifies 27 ways there can be something wrong with IFU and/or Labels and/or they are misunderstood. Although I cannot argue with any of them specifically in terms of risk assessment I would like to summarize these 27 into two basic risks:

1. There is something wrong in IFU/Labels leading to misuse and corresponding harm.
2. The IFU/labels are correct but the user does not understand the IFU, similarly leading to misuse and harm.

For context the device in our case is a standard device used by surgeons and it cannot be expected that the user reads anything except expiry date. 

Referring to the structure referenced by Naveen (Thanks!) this would be the transition from Level 2 to 3. Would be grateful for comments how you approach such situations to get a manageable and effective risk management file.

Getting less confused.

Hello Anon - there are a lot of good suggestions and clarifications from colleagues on your situation. I would like to share the following article with you that offers a simple, hierarchical documentation structure for a risk management file. It has worked extremely well in my practice where we have found an easy way to integrate FMEAs with other documents in the RMF.

ISO 14971 fundamentals: risk management file

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Sounds like you're on the right track.

But I'll add that I generally be sure to itemize out each and every hazard / sequence of events / hazardous situation / harm scenario.  This is primarily because each one has its own individual probability even though they may have the same severity.  Without initial articulation of each scenario's individual probability (such as happens if we bundle multiple scenarios together), then we can lose one of the most important practical purposes for risk management: The ability to objectively decide on the need for corrections and corrective actions later when trouble arises.  That probability ranking is a critical aspect of deciding, for example, if a recall is needed.  If we have no record of originally accepting a certain scenario's projected frequency, then it is difficult to objectivity declare later whether the actual frequency observed later is or is not acceptable.  For example, when doing complaint data analysis, I like to be able to state that the observed frequency is no different than the frequency that was accepted in the original risk analysis.  That kind of objective risk analysis approach has served me well for justifying later decisions to forego corrective action.  Without such an objective approach, then it's just someone's opinion against another's which can get expensive and stressful when an auditor suggests that it seems like a recall or other action is needed.

Thank you all, it's been really helpful!

The general advice seems to be to rewrite the risk assessment and that resonates well with me. The previous FMEAs are somewhat of a hybrid where the "Failure Effects" in about half of the risks identify harm and a hazards and sequence of event can be pulled out with some good will.

My thinking now is to consider the performed FMEAs as part of the systematic risk analysis for the risk assessment and use them for that purpose. Then we do a new risk assessment per ISO 14917, taking the FMEA hazards and risks into account and also including any additional risks identified.

One thing I'm still hesitant on is weather to include each and every risk from the FMEA as a separate risk in the risk assessment or if some can be combined (effectively combining the probabilities from several risks that identify the same hazard. I find that FMEAs often leads to large number of risks and that this may be counterproductive when trying to get an overview of the risk level of the device.

As an example our Design FMEA identifies 27 ways there can be something wrong with IFU and/or Labels and/or they are misunderstood. Although I cannot argue with any of them specifically in terms of risk assessment I would like to summarize these 27 into two basic risks:

1. There is something wrong in IFU/Labels leading to misuse and corresponding harm.
2. The IFU/labels are correct but the user does not understand the IFU, similarly leading to misuse and harm.

For context the device in our case is a standard device used by surgeons and it cannot be expected that the user reads anything except expiry date. 

Referring to the structure referenced by Naveen (Thanks!) this would be the transition from Level 2 to 3. Would be grateful for comments how you approach such situations to get a manageable and effective risk management file.

Getting less confused.

Hello Anon - there are a lot of good suggestions and clarifications from colleagues on your situation. I would like to share the following article with you that offers a simple, hierarchical documentation structure for a risk management file. It has worked extremely well in my practice where we have found an easy way to integrate FMEAs with other documents in the RMF.

ISO 14971 fundamentals: risk management file

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Sounds like you're on the right track.

But I'll add that I generally be sure to itemize out each and every hazard / sequence of events / hazardous situation / harm scenario.  This is primarily because each one has its own individual probability even though they may have the same severity.  Without initial articulation of each scenario's individual probability (such as happens if we bundle multiple scenarios together), then we can lose one of the most important practical purposes for risk management: The ability to objectively decide on the need for corrections and corrective actions later when trouble arises.  That probability ranking is a critical aspect of deciding, for example, if a recall is needed.  If we have no record of originally accepting a certain scenario's projected frequency, then it is difficult to objectivity declare later whether the actual frequency observed later is or is not acceptable.  For example, when doing complaint data analysis, I like to be able to state that the observed frequency is no different than the frequency that was accepted in the original risk analysis.  That kind of objective risk analysis approach has served me well for justifying later decisions to forego corrective action.  Without such an objective approach, then it's just someone's opinion against another's which can get expensive and stressful when an auditor suggests that it seems like a recall or other action is needed.

Thank you all, it's been really helpful!

The general advice seems to be to rewrite the risk assessment and that resonates well with me. The previous FMEAs are somewhat of a hybrid where the "Failure Effects" in about half of the risks identify harm and a hazards and sequence of event can be pulled out with some good will.

My thinking now is to consider the performed FMEAs as part of the systematic risk analysis for the risk assessment and use them for that purpose. Then we do a new risk assessment per ISO 14917, taking the FMEA hazards and risks into account and also including any additional risks identified.

One thing I'm still hesitant on is weather to include each and every risk from the FMEA as a separate risk in the risk assessment or if some can be combined (effectively combining the probabilities from several risks that identify the same hazard. I find that FMEAs often leads to large number of risks and that this may be counterproductive when trying to get an overview of the risk level of the device.

As an example our Design FMEA identifies 27 ways there can be something wrong with IFU and/or Labels and/or they are misunderstood. Although I cannot argue with any of them specifically in terms of risk assessment I would like to summarize these 27 into two basic risks:

1. There is something wrong in IFU/Labels leading to misuse and corresponding harm.
2. The IFU/labels are correct but the user does not understand the IFU, similarly leading to misuse and harm.

For context the device in our case is a standard device used by surgeons and it cannot be expected that the user reads anything except expiry date. 

Referring to the structure referenced by Naveen (Thanks!) this would be the transition from Level 2 to 3. Would be grateful for comments how you approach such situations to get a manageable and effective risk management file.

Getting less confused.

Hello Anon - there are a lot of good suggestions and clarifications from colleagues on your situation. I would like to share the following article with you that offers a simple, hierarchical documentation structure for a risk management file. It has worked extremely well in my practice where we have found an easy way to integrate FMEAs with other documents in the RMF.

ISO 14971 fundamentals: risk management file

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager

Hello, 

The company I'm working for recently took over a medical device.  I've become responsible for the Technical file and in particular the Risk Management File. The device is currently only on the US market, 510(k) but the possibility to also enter the EU market is being considered. We are now working on updating the technical file so that the device can be included in the scope of our ISO13485 certificate. Here I see the risk management file as the biggest challenge. Currently the risk management file contains the following risk assessments:

-Design FMEA

-Useability FMEA

-2 production FMEAs (by two separate subcontractors performing different parts of the production process).

These does not fit directly into the risk assessment templates we have in our current risk management SOP, which is based on the ISO 14971:2019 format. I know there has been some debate in the forum around to which extent FMEAs are compliant to the latest ISO14971:2019. Not sure if a consensus has been reached 😊

However, this is also what I'm struggling with when adapting the risk management file to be compliant with our risk management SOP. I have been contemplating some alternatives:

-Update our SOP to include FMEAs in their current form

-Rewrite all risks (>200) to fit our current templates.

Both options will require significant efforts especially since requirement traceability needs to be maintained and this is currently not obvious. Risk management plan and report exists but will require revision depending on the chosen path.

Now I'm looking for suggestions for a pragmatic path to a ISO 14971 compliant file from anyone that has had  similar experiences.

Recommendations of consultants that could provide guidance is also appreciated.  

Thanks!

/Confused risk manager