FMEA rankings vs Hazard Analysis Rankings

Onceuponatime

Starting to get Involved
Need some inputs on my chain of thoughts connecting:

Severity rankings from FMEAs to Hazard Analysis Severity rankings:
Let's say we are doing dFMEA. For each failure mode, I assign severity (on the 1-5 scale) based on impact on the medical device. For example, a cosmetic defect could be severity of 1 on dFMEA but a critical component failure that can shut the machine down is severity 5 for dFMEA.

Whereas when I do Hazard Analysis, I assign severity based on the ISO 14971 definition of harm. For example, a critical component failure that shuts down the machine and requires service intervention is severity 1 harm because it is only user inconvenience.

Here is where I am getting some pushback. Some people disagree that a dFMEA failure mode with severity of 5 from dFMEA could only result in Severity of 1 harm in Hazard Analysis.

I do not see a problem given dFMEA assesses the impact on the system whereas Hazard Analysis focuses on harm to user, environment or property etc. Companies tend to use dFMEA more from component reliability, PM frequency determination etc. So a machine shutting down due to a component failure is Severity 5 on dFMEA because it directly affects the reliability.

Any thoughts?
 

yodon

Leader
Super Moderator
"dFMEA assesses the impact on the system"

I would not agree with this. Throughout risk analysis, harm is always assessed in terms of injury or damage to the health of people, or damage to property or the environment.

If you have a life-sustaining device and your DFMEA considers a machine shutdown to be an inconvenience, that's a major disconnect as the true result could be patient death.

We always establish the baseline severity for each hazard in the hazard analysis and that propagates through all our other FMEAs.
 

Hi_Its_Matt

Involved In Discussions
I am definitely interested in hearing others' thoughts on this topic. Here are mine:
In medical device risk management, only one thing is for certain: the people coming into the risk management exercises (either FMEA or Hazard Analysis) will have different expectations for how the documentation should or will interact! So you must establish expectations and gain alignment early on.

Having said that, in my experience, it is common (or maybe "not uncommon") for the design FMEA to call out "local effect", "end effect," "harm," and "severity." I have also seen "intermediate effect" thrown in as well, for more complex systems. Having these different fields allows designers to accurately capture the full effect of the failure as it propagates.

In this framework, the local effect is the immediate impact of the failure on the subsystem or portion of the device in which the failure occurs. The end effect is the impact on the performance of the overall device. The harm is then, as defined by 14971, the injury or damage to the health of people, or damage to property or the environment that can result. And the severity rating is assigned based on the magnitude of that harm.

You could (although I wouldn't suggest it) stop your failure mode analysis at the "end effect" and leave the "end effect-to-harm" linkage for your hazard analysis. If you choose to take this approach, you will have two different severity rating scales. One for your FMEA (where the severity is based on the magnitude of the end effect) and one for your Hazard Analysis (where the severity is based on the magnitude of the harm). In my mind, this just sets everyone up for a whole bunch of confusion. But I have seen it before where a contracted design company was managing the FMEA, and their client, the legal manufacturer (with much more detailed clinical knowledge) was managing the Hazard Analysis.
 

Tidge

Trusted Information Resource
I recommend the top-level assessment of Severity be in a Hazard Analysis, and then subordinate documents (such as FMEA) be analyzed ONLY for how they interact with the Hazard Analysis. The FMEA interaction is fundamentally only at two levels:
  • A failure mode that results in an ineffective risk control; that is: there was a risk recognized in the hazard analysis that required control.
  • A failure mode that introduces new risk; this risk must be ultimately recognized in the hazard analysis.
It is entirely possible (and common) that a particular risk control analyzed in an FMEA (design, manufacturing process, or use) can control both high and low severity risks, but I don't understand how a high severity assessment could exist in an FMEA and NOT tie to a high severity risk in an upper-level document... at least not according to the decomposition of risks and controls in a practical implementation of risks and risk controls per 14971.
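
The tie between FMEA rows and the hazard analysis described in the post above, as an added example that is not part of the thread: a small check that flags FMEA rows whose high severity does not trace to a high-severity hazard. The field names, the IDs, the 1-5 scale with a cut-off of 4 for "high", and all sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

HIGH = 4  # assumed cut-off for "high" on a 1-5 scale

@dataclass
class Hazard:
    hazard_id: str
    harm: str
    severity: int  # harm-based severity from the hazard analysis

@dataclass
class FmeaRow:
    row_id: str
    failure_mode: str
    severity: int                               # severity as scored in the FMEA
    defeats_control_for: Optional[str] = None   # hazard whose risk control this failure defeats
    introduces_hazard: Optional[str] = None     # hazard this failure newly introduces

def check_traceability(rows, hazards):
    """Return (row_id, finding) pairs for rows that do not tie to the hazard analysis."""
    by_id = {h.hazard_id: h for h in hazards}
    findings = []
    for row in rows:
        link = row.defeats_control_for or row.introduces_hazard
        if link is None:
            # Unlinked rows are only a concern when the FMEA scores them high.
            if row.severity >= HIGH:
                findings.append((row.row_id, "high severity, no hazard link"))
            continue
        hazard = by_id.get(link)
        if hazard is None:
            findings.append((row.row_id, f"{link} not in hazard analysis"))
        elif row.severity >= HIGH and hazard.severity < HIGH:
            findings.append((row.row_id, f"FMEA severity {row.severity} vs {link} severity {hazard.severity}"))
    return findings

# Constructed sample data (hypothetical device, not from the thread)
HAZARDS = [Hazard("HZ-1", "therapy delayed, user inconvenience", 1),
           Hazard("HZ-2", "overdose", 5)]
ROWS = [
    FmeaRow("DF-1", "housing scratch", 1),
    FmeaRow("DF-2", "power board failure, device shuts down", 5, introduces_hazard="HZ-1"),
    FmeaRow("DF-3", "flow sensor drift", 5, defeats_control_for="HZ-2"),
    FmeaRow("DF-4", "watchdog timer stuck", 4, defeats_control_for="HZ-7"),
    FmeaRow("DF-5", "firmware hang", 5),
]

if __name__ == "__main__":
    for row_id, finding in check_traceability(ROWS, HAZARDS):
        print(row_id, "-", finding)
```

Row DF-2 is the case the thread argues about: a shutdown scored 5 in the FMEA that links to a severity 1 harm, which the check surfaces for review rather than resolving either way.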
 

Tidge

Trusted Information Resource
"I do not see a problem given dFMEA assesses the impact on the system whereas Hazard Analysis focuses on harm to user, environment or property etc. Companies tend to use dFMEA more from component reliability, PM frequency determination etc. So a machine shutting down due to a component failure is Severity 5 on dFMEA because it directly affects the reliability.

Any thoughts?"

Are you referring to a machine used in manufacturing, or a machine that is a medical device? If it is the former, there may be confusion between corporate risk and medical risk. If it is the latter, then I think it is more likely that there is a defect in the medical device risk management file.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
"severity 1 harm because it is only user inconvenience." That depends on the intended use of the device. If the device is hypothetically a diabetes measurement tool that requires the user to periodically sample a blood sample from their fingertip and the user is frustrated by the design, it could cause grave consequences by not properly using the device. Something like that would require human factors validation to mitigate.
 

Onceuponatime

Starting to get Involved
I am definitely interested in hearing others' thoughts on this topic. Here are mine:
In medical device risk management, only one thing is for certain: the people coming into the risk management exercises (either FMEA or Hazard Analysis) will have different expectations for how the documentation should or will interact! So you must establish expectations and gain alignment early on.

Having said that, in my experience, it is common (or maybe "not uncommon") for the design FMEA to call out "local effect", "end effect," "harm," and "severity." I have also seen "intermediate effect" thrown in as well, for more complex systems. Having these different fields allows designers to accurately capture the full effect of the failure as it propagates.

In this framework, the local effect is the immediate impact of the failure on the subsystem or portion of the device in which the failure occurs. The end effect is the impact on the performance of the overall device. The harm is then, as defined by 14971, the injury or damage to the health of people, or damage to property or the environment that can result. And the severity rating is assigned based on the magnitude of that harm.

You could (although I wouldn't suggest it) stop your failure mode analysis at the "end effect" and leave the "end effect-to-harm" linkage for your hazard analysis. If you choose to take this approach, you will have two different severity rating scales. One for your FMEA (where the severity is based on the magnitude of the end effect) and one for your Hazard Analysis (where the severity is based on the magnitude of the harm). In my mind, this just sets everyone up for a whole bunch of confusion. But I have seen it before where a contracted design company was managing the FMEA, and their client, the legal manufacturer (with much more detailed clinical knowledge) was managing the Hazard Analysis.

This is EXACTLY my thought process!

The dFMEA severity I am assigning is based on the end effect. The reason being, Product development (Design) teams are targeting device upkeep or reliability metrics whereas clinical and Quality teams are more interested in 'End effect-to-harm' linkage in the Hazard Analysis.
At the end of the day, regulatory bodies are interested in Hazard Analysis.
The dFMEA also spits out P1 for me. I take that P1 and clinical/medical affairs help with P2 (during Hazard Analysis development).

I think this is a better approach given you can better explain the source of P1 (direct to dFMEA).
 

tazer

Involved In Discussions
Regarding this topic of FMEA vs Safety Risk,
I always advise having separate lists:
- One for each FMEA: DFMEA, SFMEA, PFMEA, and whatever else you want
- One for Safety Risk analysis table (SAFRA)
If during FMEA activity, you find a failure that can lead to harm, in the sense of 14971, then remove it from the FMEA list and add it to your SAFRA table so you manage it as a Risk with the relevant rating.
That way you will have 2 (maybe 3 when including CyberSecurity Risks) separate and independent tables to manage, each with its own rating and process.
 

d_addams

Involved In Discussions
Generally, I wouldn't set up the scoring systems to give non-safety related items the highest priority in an FMEA. The highest priority should be those things that are safety related functions, next would be necessary functions (i.e. failure to power up doesn't create a hazard for non-emergent therapies), then the 'nice to haves' as the lowest priority. Yes, if the product doesn't work it's a big deal to the business, but not as big as a safety issue.
 

Onceuponatime

Starting to get Involved
That’s the premise behind assigning safety related rankings in the Hazard Analysis.

FMEA, to me, captures the impact on the system (or the end effect).
 