Over the past few decades, medical device manufacturers have used FMEA (Failure Mode and Effects Analysis) as a risk analysis tool.
However, looking closely at the regulatory and normative requirements for risk management, it becomes apparent that FMEA does not sufficiently meet these requirements.
The ISO 14971 standard already specifies FMEA as a tool for risk management in 2009, 2012, and still in the current version of 2019.
However, one important piece of information is missing, namely the fact that FMEA is not suitable as a tool for risk analysis!
The problem becomes clear when looking at the term "risk" as it is defined in the context of FMEA and in ISO 14971:2019.
"Risk" is defined in ISO 14971:2019 as:
"Combination of the probability of occurrence of harm and the severity of that harm."
"Risk" in FMEA is defined as:
"Combination of the probability of occurrence of the failure cause, the detectability of the failure and the severity of the effects of the failure."
"Risk" from the FMEA perspective focuses on the product failure mode.
It estimates
how likely the cause of a failure in the product is to occur
how likely the defect in the product is to be discovered, and
how severe the consequences of defective products are.
It does not show that a chain of events must occur before a medical device causes harm. From an FMEA perspective, a faulty product would, in any case, virtually lead to harm.
"Risk" from the ISO 14971:2019's point of view, on the other hand, focuses on the effects of hazards (including failure modes) posed by the medical device. The probability of occurrence and the severity of harm resulting from that hazards are estimated. It is considered that a chain of events is necessary to occur for a hazard to cause harm.
Thus, it becomes apparent that some events reduce the probability of harm, and not all faulty products automatically cause harm.
Further, it can be estimated whether the probability of the occurrence of harm is acceptable. This way of risk analysis enables sensible usage of "Benefit-risk balance", which is not possible using only FMEA.
Conclusion: FMEA is not risk analysis!
Using FMEA as a tool for risk analysis only does not meet the regulatory and normative requirements.
Author: Bernhard Lindner, MSc
Do you still have questions about risk analysis or how best to approach this topic in your company?
Our risk management experts will be happy to advise you.
Comments