Risk Matrix vs FMEAs

contigo123

Involved In Discussions
Hello,

Under ISO 14971 FMEAs are a tool for determining risks, but I'm wondering how this is being linked to an overall risk matrix in practice. We currently have traditional FMEAs (using occurrence, severity, and detection rankings) but are looking to create a more robust process to cover no-fault, use issues, etc. I think we have a couple options, but wanted to see if anyone has feedback based on what they've seen in use:

Option 1: Keep using FMEA type files, so we would have a dFMEA, pFMEA, use FMEA, etc. But modify the FMEA columns and risk ratings to use occurrence x severity and a risk table, as well as other details to meet ISO 14971 requirements. The combined set of files becomes the overall Risk Matrix.

Option 2: Use FMEAs to generate list of risks, but then create a larger Risk Matrix. We would need to make sure we have traceability from the Risk Matrix back to the FMEAs. Also, some info (like mitigations) would be duplicated unless we remove them from the FMEA document.

Any other methods?

I guess I'm just trying to figure out if everyone is using a set of (modified) FMEAs as their risk assessment or if they use FMEAs as an input to a separate risk assessment document.

Thank you!
 
I have seen it done where there are modified FMEAs that include risks without fault conditions and then the information is copied up to an all-encompassing matrix. I find this strange, however, since FMEAs are specifically for failure modes. It is also normal to have FMEAs and then a separate hazard analysis that lists all hazardous situations in normal and fault conditions and provides reference to FMEA line items for hazardous situations associated with a fault condition. Did I basically repeat what you just said?

If you have a low risk device, one hazard analysis document could work. If you have a high risk device, you could have separate FMEA documents, a fault-tree analysis, and a hazard analysis matrix document that ties everything together. You can also have a separate document for the initial risk assessment, a hazards list, and a harms list. As long as you satisfy all requirements of ISO 14971, you are okay.
 

contigo123

Involved In Discussions
I have seen it done where there are modified FMEAs that include risks without fault conditions and then the information is copied up to an all-encompassing matrix. I find this strange, however, since FMEAs are specifically for failure modes. It is also normal to have FMEAs and then a separate hazard analysis that lists all hazardous situations in normal and fault conditions and provides reference to FMEA line items for hazardous situations associated with a fault condition. Did I basically repeat what you just said?

If you have a low risk device, one hazard analysis document could work. If you have a high risk device, you could have separate FMEA documents, a fault-tree analysis, and a hazard analysis matrix document that ties everything together. You can also have a separate document for the initial risk assessment, a hazards list, and a harms list. As long as you satisfy all requirements of ISO 14971, you are okay.

Thanks for the feedback! It just seems like so much repetitive documentation and tedious traceability that needs to happen. I guess that's how we make sure we capture all the possible hazards!
 

Tidge

Trusted Information Resource
My preference is to stick with a Hazard Analysis as the primary risk analysis tool, and only leverage FMEAs when:
  • you want to specifically drive (down) design choices as risk controls, and choose to analyze them in a DFMEA (and sometimes a PFMEA, such as for sterilization or factory calibration)
  • you want to analyze risks that can come (up) from manufacturing process methods (and some design choices)
  • I'm intentionally sidestepping Use FMEA since a good HA will incorporate the circumstances of use in individual lines of risk analysis, but that isn't meant to imply that a UFMEA couldn't also be leveraged to support an HA.
A Hazard Analysis will drive you towards identifying & implementing controls and making an overall assessment of risk, but an FMEA will really only provide some information on the prioritization of which areas 'need' controls (based on identified failure modes).

I think a 'risk matrix' is most appropriate in a Hazard Analysis because if well-constructed you can see the risk profile at a glance... and I believe there is a meaningful difference between risks associated with high-occurrence/low-harm, and low-prioritized (potentially hypothetical) failure modes.
 

Jobig

Registered
But the initial question was to define a relationship between the risk matrix from the risk analysis (calculated with SxO) and the FMEA matrix that shows the result of severity, occurrence and detectability (RPN or AP) - correct?

Shall it be possible to accept a "yellow" design solution from your DFMEA, when the design mitigation is used to reduce the risk in the risk analysis to an acceptable level ("Green")?
 
Shall it be possible to accept a "yellow" design solution from your DFMEA, when the design mitigation is used to reduce the risk in the risk analysis to an acceptable level ("Green")?

Can you provide further clarification on your question? What do you mean by "yellow" design solution?
 

Jobig

Registered
Let's assume you are using 2 risk methods: the preliminary risk analysis (PHA) and the D-FMEA.
In your risk analysis you define a design mitigation that shall bring your residual risk into an "acceptable" (green) risk area.
You hand over that design mitigation as a requirement to your design input.

Now you switch your risk method, you are now using the FMEA method.
The purpose of the FMEA now is to ensure that your design works as intended.
You analyse the failure modes, to try to prevent and detect all relevant design failure causes.
That kind of analysis will typically be rated with RPN or AP. High RPNs become red (e.g. 10x10x10=1000), some ratings get green (e.g. 1x1x1), some are in the middle (5x5x5=125).

After having selected the most appropriate preventive and detective methods (Before and after), the residual FMEA rating is "yellow" (e.g. 125).

Your risk mitigation from the PHA expects to have after risk mitigation an "Acceptable" risk.
Your design FMEA shows that corresponding failure modes have been addressed but the residual "risk priority" or "Action Priority" is still "yellow".

What are you doing?
Is that acceptable?
 

Tidge

Trusted Information Resource
This is specifically about risk per 14971, not risk per any other interpretation.

Simple answer: Failure Modes and Effects Analysis only explores Failure Modes, not Risks.

Conjugate response to the simple answer: Many failure modes do not require controls; all risks must be minimized.

Slightly more complicated answer: FMEA can be misused, for (at least) two reasons:
  1. The "RPN" of FMEA is used against an arbitrary "action limit"; the action limit sets the level at which you (the designer, manufacturer) are supposed to automatically implement controls for the failure mode. This mode of thinking is completely independent of risk to patients and users (it can overlap, but it is practically coincidental)
  2. FMEA can be filled with "low RPN" failure modes. This can have the effect of appearing to "dilute" the end-effect of "high RPN" lines of analysis. An easy thought-trap to fall into: "Our FMEA only has one yellow line but 200 green lines, so we think we have done enough to control failure modes". <- I'm not saying that everyone falls into that trap, but by trying to use FMEA as your final risk analysis tool you have basically walked up to the trap and stuck your hand inside it.
My advice is that if you are trying to modify FMEA to handle Risk Analysis, you would be better served by adopting a different methodology and not try to force FMEA to serve this role. You won't be using the terminology of FMEA in a standard way, and even if it somehow satisfies the requirements of 14971 you will be wasting the time of third parties (NRTLs, NBs) to try to rationalize your approach... and even then you run a serious risk of missing something that is going to cause you heartache.
 
Your risk mitigation from the PHA expects to have after risk mitigation an "Acceptable" risk.
It is not value added to have an "expected" post mitigation risk. All risk reduction needs to be verified to ensure it actually decreases the risk. What does having an expected value do for you?
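The mismatch Jobig and Tidge are describing, as an added example that is none of the posters' own material: a small Python model scores one set of FMEA lines two ways, by RPN against an arbitrary action limit and by S x O on a risk matrix. The colour thresholds, line names and S/O/D values are all constructed assumptions, not values from the thread or from ISO 14971. It shows a line that is green by RPN yet red on the risk matrix, the reverse case, and how 50 trivial lines make the FMEA look 98% green while that red risk is still there.

```python
from collections import Counter
from dataclasses import dataclass

# Illustrative thresholds: assumptions for this example, not from ISO 14971.
RPN_ACTION_LIMIT = 100   # FMEA action limit: RPN >= 100 is "yellow"
RPN_RED = 500            # RPN >= 500 is "red"
SXO_GREEN_MAX = 12       # hazard analysis: S*O <= 12 is acceptable ("green")
SXO_YELLOW_MAX = 30      # 12 < S*O <= 30 is "yellow"; above that is "red"

@dataclass(frozen=True)
class Line:
    name: str
    severity: int     # 1..10, harm to patient or user
    occurrence: int   # 1..10
    detection: int    # 1..10 (FMEA only), 10 = cause practically undetectable

    def rpn(self) -> int:    # FMEA rating: S x O x D
        return self.severity * self.occurrence * self.detection

    def sxo(self) -> int:    # risk-matrix rating: S x O, no detection term
        return self.severity * self.occurrence

def fmea_colour(line: Line) -> str:
    """Colour by RPN against the action limit (the FMEA view)."""
    if line.rpn() >= RPN_RED:
        return "red"
    return "yellow" if line.rpn() >= RPN_ACTION_LIMIT else "green"

def hazard_colour(line: Line) -> str:
    """Colour by S x O on the risk matrix (the 14971 hazard-analysis view)."""
    if line.sxo() <= SXO_GREEN_MAX:
        return "green"
    return "yellow" if line.sxo() <= SXO_YELLOW_MAX else "red"

def disagreements(lines):
    """Lines that the FMEA action limit and the risk matrix colour differently."""
    return [(ln.name, fmea_colour(ln), hazard_colour(ln))
            for ln in lines if fmea_colour(ln) != hazard_colour(ln)]

def dilution_summary(lines):
    """FMEA colour counts and the share of green lines (the 'dilution' trap)."""
    counts = Counter(fmea_colour(ln) for ln in lines)
    return counts, counts["green"] / len(lines)

# Constructed sample FMEA: three substantive lines plus 50 trivial green ones.
LINES = [
    Line("sterile barrier seal leak", 10, 4, 1),   # RPN 40 (green), S*O 40 (red)
    Line("label print smudged", 2, 6, 9),          # RPN 108 (yellow), S*O 12 (green)
    Line("housing cosmetic scratch", 1, 2, 2),     # RPN 4 (green), S*O 2 (green)
] + [Line(f"trivial line {i}", 1, 1, 1) for i in range(50)]
```

Running `disagreements(LINES)` lists the seal leak (green by RPN, red on the matrix) and the label smudge (yellow by RPN, green on the matrix); `dilution_summary(LINES)` reports 52 of 53 lines green.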
 