ISO 14971:2019 vs FMEA methodology

[mlo106]

Hello,
Following-up on auditor risk analysis evaluation I have a concern on the way risk assessment is evaluated.

Indeed based on ISO 14971, the auditor assess the probabilty and the severity of the damage and do not find the same quotation as we did.
The fact is that applying FMEA methodology, we have assess the probability of the failure and the severity of the damage.

Therefore if we have to quote the probability and the severity of the damage, shall we still use a FMEA methodology?

Thanking you in advance for your thoughts,

 

[Hi_Its_Matt]

Hi mlo. I'm not sure I completely follow the question, but hopefully this help.

ISO 14971 defines Risk as "The combination of the probability of occurrence of harm and the severity of that harm." The idea is that companies should know which Harms their medical device could cause, and be able to describe both the severity of the harm and the probability of the harm. This allows the companies to determine whether the overall risk of that harm is acceptable (based on their pre-defined risk acceptability criteria).

For each Harm, companies are required to document the Hazards that can cause the Harms, and the Hazardous Situations in which those Hazards may be present.

Companies often assign a 1 to 3, 1 to 5, or 1 to 10 numerical value to different Severity rankings and Probability rankings, and multiply the two values to get an overall Risk Rating, which can then be compared against a risk acceptability matrix to evaluate the acceptability of the Risk.

FMEA is quite different in terms of its overall purpose. As the name implies, a Failure Mode & Effects Analysis is a tool for understanding how the device or process may fail (the failure mode), the reason why it failed (failure cause), and the effect of the failure on both the immediate process/device feature, and the overall device performance.

FMEA is similar to a device-level, harms-focused, 14971 risk assessment, in that it oftentimes has a calculation in it that is a combination of severity and probability. But as you alluded to, the probability in an FMEA is oftentimes the probability that a particular failure mode will occur. As with a 14971 risk assessment, the Severity in a FMEA is oftentimes associated with the end-effect of the failure - that is, the impact of the failure on users/patients/the environment.

This calculated value is often called a Risk Priority Number (RPN). It is the combination of the probability of a failure mode occurring and the severity of the end-effect of the failure.

RPN and 14791 "Risks" are common in that they are a combination or probability and severity, but they must not be confused with each other.

If you do not already have it, I highly recommend purchasing ISO TR 24971, the guidance document that accompanies 14971. It is incredibly valuable for understanding these concepts.

 

[Enternationalist]

FMEA is just one method, and by itself it is not sufficient to address all hazards.

14971 asks you evaluate probability of occurrence and severity of harms.

These are separate ideas. What is the area of confusion?

 

[mlo106]

The issue is that apparently Notified bodies that asked us to add a quotation for detection five years age are now asking us to remove upon the definition of the ISO 14971 and despite the ISO/TR 24971 which states that a detection criteria can be apply if detection risk mitigation measures are applied.

 

[Kiranivd]

The issue is that apparently Notified bodies that asked us to add a quotation for detection five years age are now asking us to remove upon the definition of the ISO 14971 and despite the ISO/TR 24971 which states that a detection criteria can be apply if detection risk mitigation measures are applied.

- This is interesting and really helpful to know! I have done this based on review of my Risk Management process, as I feel that RPN described in IEC 60812 is a linear approach. Therefore, have decided to stick with Severity and Probability of occurrence.

From review of ISO 14971 and 24971, my interpretation was that detectability can fall within the risk control process and evaluated here. As well as post market product failure risk reviews. This is where detectability is key from a usability perspective.

 

[Jim Wynne]

FMEA is just one method, and by itself it is not sufficient to address all hazards.

14971 asks you evaluate probability of occurrence and severity of harms.

FMEA asks you to evaluate probability of occurrence and severity of harms.

 

[ThatSinc]

FMEA asks you to evaluate probability of occurrence and severity of harms.

Respectfully disagree.

FMEA is used across multiple industries and evaluations and asks you to evaluate the probability and severity of *things* happening.
I use FMEA within medical device risk management to evaluate the probability of failure modes occurring, and the severity of those failure modes with respect to their impact on the device functionality and the creation of hazardous situations.
Whilst the impact on the device functionality is related to the harm that might occur - it's not a direct relationship.
Two different failure modes may cause hazardous situations and get a "4" rating but the harm that could occur as a result of those hazardous situations may be different.

14971 requires you to explicitly evaluate the probability of harms occurring, and the severity of those harms.

 

[Bev D]

I’ve never interpreted it that way at all. FMEA is about severity of effect of a failure mode. And I’ve always interpreted - and taught - that effect means any harm done by the failure modes. My ratings include death, injury, continuing illness, disability, etc. as well as lesser ‘harms’ such as first aid needed, delayed diagnosis of a minor illness such as worms, incorrect drug application such as dewormer…

I think that 14971 simply reinforces that the effects to be particularly assessed are harms as many non medical people misuse FMEA (in many ways) to not include final harm. But FMEA itself doesn’t preclude assessment of harms; it requires it.

I’m all for addressing weaknesses and misuses of quality methods but let’s be honest about them.

 

[ThatSinc]

But FMEA itself doesn’t preclude assessment of harms; it requires it.

I'm not suggesting that FMEA can't be used in that manner, but it's not it's only purpose and not a requirement of it.

When auditors start expecting RCOA and RBA on every line of an extensive FMEA, performed by design/development teams that don't have a view as to the harm at a device/system level, as it's been conflated with with the broader requirement to assess the harms from a 14971 perspective, you start seeing issues.

 

[Tidge]

As long as we are all describing different parts of the elephant...

One personal bête noire of Failure Modes Effects & Analysis efforts in medical devices (with respect to harms to patients, users, et al.) is that the typical methodology that links failure modes to harms almost always makes it impossible to know if the line of analysis (in the FME&A) is a control to mitigate the effect of the harm or is a potential cause of some harm that requires its own risk controls to avoid possibly contributing to that/any harm.

There are (well understood) risk management tools to speak directly to this beast, but I rarely see them used to my satisfaction. I only bring this up here because there are dimensions to FME&A (in medical devices) that often get folks talking at cross-purposes.