
Risk Matrix vs FMEAs

contigo123

Starting to get Involved
#1
Hello,

Under ISO 14971, FMEAs are a tool for determining risks, but I'm wondering how this is being linked to an overall risk matrix in practice. We currently have traditional FMEAs (using occurrence, severity, and detection rankings) but are looking to create a more robust process to cover no-fault, use issues, etc. I think we have a couple of options, but wanted to see if anyone has feedback based on what they've seen in use:

Option 1: Keep using FMEA type files, so we would have a dFMEA, pFMEA, use FMEA, etc. But modify the FMEA columns and risk ratings to use occurrence x severity and a risk table, as well as other details to meet ISO 14971 requirements. The combined set of files becomes the overall Risk Matrix.

Option 2: Use FMEAs to generate a list of risks, but then create a larger Risk Matrix. We would need to make sure we have traceability from the Risk Matrix back to the FMEAs. Also, some info (like mitigations) would be duplicated unless we remove them from the FMEA document.

Any other methods?

I guess I'm just trying to figure out if everyone is using a set of (modified) FMEAs as their risk assessment or if they use FMEAs as an input to a separate risk assessment document.

Thank you!
 

indubioush

Quite Involved in Discussions
#2
I have seen it done where there are modified FMEAs that include risks without fault conditions and then the information is copied up to an all-encompassing matrix. I find this strange, however, since FMEAs are specifically for failure modes. It is also normal to have FMEAs and then a separate hazard analysis that lists all hazardous situations in normal and fault conditions and provides reference to FMEA line items for hazardous situations associated with a fault condition. Did I basically repeat what you just said?

If you have a low risk device, one hazard analysis document could work. If you have a high risk device, you could have separate FMEA documents, a fault-tree analysis, and a hazard analysis matrix document that ties everything together. You can also have a separate document for the initial risk assessment, a hazards list, and a harms list. As long as you satisfy all requirements of ISO 14971, you are okay.
 

contigo123

Starting to get Involved
#3
Thanks for the feedback! It just seems like so much repetitive documentation and tedious traceability that needs to happen. I guess that's how we make sure we capture all the possible hazards!
 

Tidge

Trusted Information Resource
#4
My preference is to stick with a Hazard Analysis as the primary risk analysis tool, and only leverage FMEAs when:
  • you want to specifically drive (down) design choices as risk controls, and choose to analyze them in a DFMEA (and sometimes a PFMEA, such as for sterilization or factory calibration)
  • you want to analyze risks that can come (up) from manufacturing process methods (and some design choices)
  • I'm intentionally sidestepping Use FMEA since a good HA will incorporate the circumstances of use in individual lines of risk analysis, but that doesn't mean to imply that a UFMEA couldn't also be leveraged to support an HA.
A Hazard Analysis will drive you towards identifying & implementing controls and making an overall assessment of risk, but an FMEA will really only provide some information on the prioritization of which areas 'need' controls (based on identified failure modes).

I think a 'risk matrix' is most appropriate in a Hazard Analysis because if well-constructed you can see the risk profile at a glance... and I believe there is a meaningful difference between risks associated with high-occurrence/low-harm, and low-prioritized (potentially hypothetical) failure modes.
 