# Doing both a top-down and a bottom-up risk assessment - How to combine

#### david316

##### Involved In Discussions
Hello,

If conducting both a top-down (e.g. FTA, PHA) and a bottom-up (e.g. FMEA) risk assessment for a design of a medical product how does one combine the results? Is their a normal way? I assume they should be done independently from each other but one concern is in conducting both assessments there could be lots of duplication and the possibility of one documents contradicting the other.

Thanks for any input.

#### Ronen E

##### Problem Solver
Staff member
Moderator
I'm not sure how you could end up with contradictions, but I certainly agree that you're up for a lot of duplication.

If you're looking to follow ISO 14971, it's basis is identifying Hazards and Hazardous Situations (see definitions in the standard). No matter what analysis method(s) you use, these should be the outputs to look for. Once done, combine all to one list, then proceed according to the procedure the standard specifies.

#### david316

##### Involved In Discussions
Thanks Ronen. If I was to take a scalpel as an example to illustrate by questions/concerns. Maybe my top-down PHA identified the need for the scalpel to have a certain pattern of grip on the shaft to prevent to prevent a doctor's hand from slipping and injuring the patient. In the PHA I establish a probability and severity of harm occurring prior to the grip being added. The grip (risk control) then brings the probability of harm down to a post-imitator level.

Later on in the project a DFMEA is conducted on the scalpel. When looking at the shaft the failure mode, "grip insufficient" is identified. Assume the DFMEA team does not know this has been identified as a risk control in the PHA as there is no formal link between the two. The grip pattern is reviewed by the team and it is decided it is insufficient due to the fact that the doctor may be wearing gloves. Hence the design is changed. The probability of harm identified by the DFMEA team pre the change is higher than the probability in the PHA as the PHA didn't consider the use of gloves. Hence you can get a contradiction.

So I guess I was wondering if there is a way to ensure things like this don't happen? It also gets complicated because do you go and update the PHA with the grip pattern that was identified in the FMEA? Also, maybe the PHA didn't call for a grip and put in something else to prevent slipping but then the FMEA identified the need for a grip so you have multiple risk control which is fine but how do you then combine these things to look at residual risk.

It seems like it would get complicated quite quickly...

#### Ronen E

##### Problem Solver
Staff member
Moderator
I see it as refinement rather than contradiction. The Risk Management is a live process and the Risk Management File (singular) is a live document. All these processes need to feed into the RMF as revisions. That would also ensure that different teams working at different stages stay informed with the work of others, because everyone would be working off the same document.

The probability estimates in the RMF should always reflect the best knowledge existing at the time of making them. Further, if this is managed as formal revisions of the RMF, there should be no need to update backwards. It should be clear enough what estimates were issued at what time/stage, and why, and it should also be clear why and how they were subsequently updated.

BTW I think the example you gave is not the best. What you described as a DFMEA entry seems to me like a reworded HA entry. In my understanding FMEA is about component failure, and that example involved no such failure.

#### david316

##### Involved In Discussions
Thanks again. That makes sense. In regards to the FMEA, my understanding is that one use of this document is to capture if the component design is inadequate to meet its function. Hence even though its not a component failure in the strict sense (its just badly designed and specified) the FMEA can still capture this. Although if this is incorrect please let me know. I think it gets a little messy as different people seem to have different rules for FMEAs.

#### Ronen E

##### Problem Solver
Staff member
Moderator
different people seem to have different rules for FMEAs.
That's why I dislike FMEAs in general and I try to avoid them in the ISO 14971 context, except maybe for complex devices/systems where the consequences of individual component failure are otherwise quite difficult to capture.

#### indubioush

##### Quite Involved in Discussions
You should have a hazard analysis document that lists hazardous situations and risk levels determined from both the top down and bottom up approaches. Regardless of how you do it, all documents need to be linked.

#### zoneofindifference

##### Registered
@indubioush Could you expand on this approach of having a hazard analysis document that contains risk levels determined from both the top down and bottom up approach? I thought the hazard analysis document itself is usually the top down approach. Thanks.

#### indubioush

##### Quite Involved in Discussions
The hazard analysis could be considered a top-down approach depending on how you determine foreseeable hazardous situations. The typical top-down approach is the fault tree analysis, but not every company does this. If you do both FTA and FMEA, you would have a hazard analysis document that brings the info from these sources together so you have one document that lists all hazardous situations and the risk level assigned to them. If you only have a hazard analysis and fmea documents, your hazard analysis should still list all hazardous situations and their associated risk levels. There should be linkages to the FMEA document so that tracing all sequences of events and probabilities for each hazardous situation is possible, and thereby, the assigned risk level in the hazard analysis can be verified.

#### zoneofindifference

##### Registered
Ah that makes sense and thanks for the quick response! I think the part that is still fuzzy to me is what the linkage between the hazard analysis and fmea should ideally look like.

M PMAP (single outside audits for both FDA, HC)--anyone doing? US Food and Drug Administration (FDA) 1
What do CB´s change when doing a partial moving ? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
What to be careful about/focus on when doing a Technical File review EU Medical Device Regulations 4
The correct way of doing a 2 Sample T test Reliability Analysis - Predictions, Testing and Standards 7
CE Mark under MDD or IVDR - IVD company doing Virtual Manufacturing Other Medical Device Regulations World-Wide 3
Are the Accreditation Bodies doing their job? Keeping CB's accountable Registrars and Notified Bodies 0
QMS in SharePoint - Is anyone doing this? Manufacturing and Related Processes 10
Do I need part variation while doing Destructive Variable Gage R&R MSA study Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 19
A True purpose of doing EST (Electrical Safety Test) on medical device Other Medical Device Related Standards 3
d/b/a doing business as and the FDA US Food and Drug Administration (FDA) 1
What is the first step in doing PIA (Privacy Impact Assessment)? IEC 27001 - Information Security Management Systems (ISMS) 3
I AS9100D - Interview Request - I'm doing research Misc. Quality Assurance and Business Systems Related Topics 1
Q Doing an MSA on a Climatic Chamber Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 3
Explanation - Quality means doing it right when no one is looking ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
R CMDCAS and dba's (Doing Business As) Canada Medical Device Regulations 2
As a profession we, auditors, are not doing enough - Simon Feary speech Registrars and Notified Bodies 36
B Doing MSA Variables Data Study on Threads Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 3
D Are we doing enough to meet Identification and Traceability 7.5.3 Requirements? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
Who is doing BGA cross sectional analysis in assembled PCBA in INDIA? Reliability Analysis - Predictions, Testing and Standards 1
G Thoughts on Audit Finding for not doing Gage R and R for Visual Inspection Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 8
What the Internet is Doing to Our Brains Coffee Break and Water Cooler Discussions 5
J Doing a "yearly" mass calibration of gages over the weekend. Any advice? General Measurement Device and Calibration Topics 4
P Root Cause for not doing Management Review ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
Testing Standards - Regulatory agency doing Enforcement Testing of Medical Devices EU Medical Device Regulations 5
T DOE Multi level Taguchi - I am doing a Capstone Project Using Minitab Software 10
M Requirement to complete an MSA when doing Comparative Tests Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 2
Dealing with Excessive Within-Part Variation when doing MSA and Cpk studies Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 3
M To find the Optimum Parameter Setting using Minitab (Doing DOEs) Using Minitab Software 18
O NET-INSPECT is it worth it? Small Machine Shop doing AS9100 Quality Manager and Management Related Issues 8
R First Pass Yield - Am I doing correct the First Pass Yield Metric Quality Tools, Improvement and Analysis 2
P Environmental Aspects and Impacts while doing Software Development ISO 14001:2015 Specific Discussions 6
L Must Calibration Labs have IEC 17025 before doing Calibration Jobs for Customers ISO 17025 related Discussions 13
F Regulatory Affairs Certification (RAC) April/May EU Exam - Anyone doing it? Professional Certifications and Degrees 10
Is anyone familiar with doing a DVI (Dossier de Validation Industrielle) for Snecma AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
E Should FDA implement 3rd party (PMAs) reviews? What are the pros and cons of doing so Other US Medical Device Regulations 2
Q Methods for doing Production Process Risk Analysis ISO 14971 - Medical Device Risk Management 4
V Help doing 6sigma Green Belt Professional Certifications and Degrees 6
What activities are you doing daily as QMS Coordinator? Career and Occupation Discussions 3
C Setting Up Part Masters in ERP Systems - How are others doing it? Document Control Systems, Procedures, Forms and Templates 1
C Handling Repeated Non-Conformities when doing Layered Process Audits Process Audits and Layered Process Audits 11
A MR (Management Representative) also doing Internal Audits? Internal Auditing 27
J Registrars Doing Synchronized (Combined) Audits to AS9100 and ISO 13485 Registrars and Notified Bodies 8
C Volkswagen Quality System - Is Volkswagen doing anything different? Customer and Company Specific Requirements 1
What are Toyota's idled U.S. workers doing? World News 4
FOC (3 lots) - First of Code - Are you still doing 3 lots for FOC? Other Medical Device and Orthopedic Related Topics 1
D Greening of Standard Specifications - What is your company/ organization doing Sustainability, Green Initiatives and Ecology 10
S Please tell me how to start doing an FMEA FMEA and Control Plans 6
D Currently doing battle with IT - IT Help Desk procedure wanted Service Industry Specific Topics 5
B 'Doing Quality' - But calling it something else Quality Manager and Management Related Issues 12
What is LinkedIn doing with the "People you may know" box? After Work and Weekend Discussion Topics 8