Guest Column | February 9, 2022

FMECA: Relevance In Context Of ISO 14971 & EU MDR Compliance

By Jayet Moon, author of the book Foundations of Quality Risk Management

Failure modes and effects and criticality analysis (FMECA), a tool developed by the U.S. military, has been around since World War II, when it was used to identify and reduce component reliability-related risks for rocket parts (see MIL-P-1629, published in 1949). From then on, NASA adopted the method and successfully used it for the Apollo manned spaceflight program (RA-006-013-1A, published in 1966). Until the early 70s, the tool consisted of two specific steps:

1. Failure Modes and Effects Analysis (FMEA)

Figure 1: FMEA worksheet format from MIL-P-1629a

A procedure by which each potential failure mode in a system is analyzed to determine the results or effects thereof on the system and to classify each potential failure mode according to its severity.

2. Criticality Analysis (CA)

Figure 2: CA worksheet format from MIL-P-1629a

A procedure by which each potential failure mode is ranked according to the combined influence of severity and probability of occurrence.

It must be noted that the 1966 NASA standard describes FMECA as a reliability estimation tool. The whole standard doesn’t even mention the word risk, while it mentions reliability 46 times. The 1980 version of MIL-P-1629a does mention the word risk and clarifies:

The FMECA is potentially one of the most beneficial and productive tasks in a well-structured reliability program. Since individual failure modes are listed in an orderly, organized fashion and evaluated, the FMECA serves to verify design integrity, identify and quantify sources of undesirable failure modes, and document the reliability risks.

Until the early 70s, at least until the end of the Apollo program, the NASA method of vehicle launch reliability risk reduction included single point failure analysis using FMECA, and the failures that were not eliminated were consolidated on a critical items list (CIL), which was further analyzed using other methods. The FMECA/CIL method is defined as a bottom-up approach oriented to assessing and reducing the risk of single independent component failures causing loss of crew, vehicle, or mission.

In the 60s, FMECA became the tool of choice to satisfy many requirements of MIL-Q-9858, the standard that spelled out quality requirements for defense contractors. BS 5750 and ISO 9000 both trace their origins back to this U.S. military standard.

In the mid-70s, FMECA was widely adopted by the auto industry in America (precipitated by the Ford Pinto recall). With the passage of time, the focus on the criticality analysis, which was quantitative and reliability testing-focused during the NASA Apollo days, moved toward being a qualitative assessment with the introduction of risk priority numbers (RPNs), and FMECA shifted from being used as a reliability risk reduction tool to a total product life cycle risk management tool.

Era Of Safety Risk

The first version of ISO 14971 came out in 2000, by which time the quantitative reliability aspects of FMECA were somewhat diluted and RPN was considered the standard. The medical device industry widely adopted this version of FMECA, and it quickly became the industry standard. It must be noted that even in the first version of ISO 14971, the hazard-based approach was apparent.

The hazard-based approach focuses specifically on safety risk, which is defined as the combination of the probability of occurrence of harm and the severity of that harm.

Thus, the focus here is on the harm and not on the failure mode. This doesn’t mean we are moving away from the reliability focus of the FMECA; instead, we are expanding the scope of risk management to include all hazards that may lead to harm. This is important to understand, since a perfectly reliable medical device without any failure mode can still potentially cause harm.

Figure 3: FMECA and hazard-based risk management

Safety risk management for medical devices has a large place for device reliability (as shown in Figure 3); however, the central focus has to be on patient harm and patient risk. Oftentimes in the past, device manufacturers were able to get away with a lack of focus on patient harm and safety by citing acceptable reliability risk of their devices. In the latest paradigm, especially in the EU MDR world, with its explicit focus on clinical risks, this may not be the case anymore.

The EU MDR states:

The risk management system should be carefully aligned with and reflected in the clinical evaluation for the device, including the clinical risks to be addressed as part of clinical investigations, clinical evaluation and post-market clinical follow up. The risk management and clinical evaluation processes should be inter-dependent and should be regularly updated.

Clinical risk can be defined as any undesirable situation or operational factor that may have negative consequences for patient safety or that is capable of causing an adverse event.

Figure 4: Clinical risks and reliability risks in the sample space of hazards

Within the sample space of all hazards, there will be hazardous situations due not only to the nature of clinical procedure but also to the use of the device itself. A reliability-centered approach may miss such hazardous situations.

For a medical device manufacturer, where is the line to be drawn? Are all risks associated with the clinical procedure the manufacturer’s liability? No. The simple answer is that if, within the scope of the clinical procedure, the medical device, either by its failure, use, or misuse, introduces hazards that can potentially cause patient risk, then that can potentially be seen as the manufacturer’s liability and regulatory agencies may expect robust risk management around that.

Reclaiming FMEA: A Top-down Approach

Today, FMECA is generally considered a bottom-up approach because it prompts the designers to go through failure modes for each component or subcomponent line by line, one at a time. The advantage of such an approach is that it is comprehensive, so failure modes and, thus, risks are not missed. This approach especially adds value when doing design FMECAs.

Another way of looking at the FMECA that can be considered top-down is by looking at the system functions instead of subcomponents, as shown in Figure 5.

Figure 5: Component-based DFMEA (orange) and functional FMEA (green)

There is a slight difference when the FMECA activity is done this way. When we look at the component, we are analyzing the component as part of the system; we look at the impact of its failure on the system (i.e., the local effect) and then, as a next additional step, we may assess the impact on intended use and effect on the user or patient. The thinking here is to add in risk controls to ensure design robustness such that the local effect of failure can be precluded.

When we look at it from a system function standpoint, everything not only relates back to the end effect, but every consequence of the failure effect (i.e., effect of system not working/intended function not being satisfied) has to directly translate to a patient harm.

Hazard Analysis

Now let us look at a hazard analysis for the exact same situation.

Figure 6: Hazard analysis

Usually, hazard analysis (HA) is a first step used to assess system risks, so much so that “hazard analysis” often has the word “preliminary” attached to it (preliminary hazard analysis, PHA). The benefit of HA in preliminary stages is that you do not need a complete understanding of the intricacies of the device design to conduct it (this, though, can potentially become the shortcoming of an improperly done HA). A hazard is a potential condition that can transform into a scenario (hazardous situation) as a result of a sequence of events.

HA is a top-down analysis that has two potential drawbacks:

  1. Incomplete design understanding early on leads to insufficient understanding of causes of hazardous situations, thereby leading to improper risk controls.
  2. Addition of newer features after the initial PHA misses risk assessments for those features; this can potentially create new risks, or risks may go unassessed.

Both of these can be mitigated by strong ownership of the HA and ensuring that it’s a living document that has clear expectations from the quality and design teams for its continual update, from the scoping phase to design verification and validation and, finally, the post-production/market phase. Keeping risk management as a paper exercise in the early design phase will lead to spectacular failure of the HA and the overall risk management process.

What Is The Best Approach?

A conservative, watertight approach may be to use both HA and FMECA to ensure both top-down and bottom-up assessments. Maybe your organization does not have resources for that. Maybe you choose to focus on the functional aspects of FMEA and use it for system design and usability. Or, perhaps you choose to use a novel approach that incorporates component malfunctions into the HA.

Regardless of which approach you choose, abandoning FMEAs and chasing the hazards-based approach in hopes of superficial compliance with ISO 14971 and EU MDR can lead to disastrous consequences for a risk management system. Why? Because you will lose the reliability risk focus provided by the granular FMECA approach and replace it with a top-down approach that, if poorly implemented, will lead to both poor device reliability and mismanaged patient risks. Step one is to understand the system context, i.e., what suits the QMS and risk management practices of the organization best. This approach, whichever tools it uses, should ensure that risks are assessed in the most effective and efficient manner, can practically lead to safer and more reliable design and, most importantly, results in risk controls that eliminate or reduce patient harm as far as possible. It is important to keep in mind that there is one goal of all risk management activity – to provide for the best selection of the means for controlling or eliminating patient risk.
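As an added illustration of combining the two views described above (not code from the column or from any standard), the following constructed Python worksheet ranks FMECA rows by MIL-P-1629a-style criticality (severity combined with occurrence) and by RPN, computes ISO 14971 safety risk for HA rows, and runs the two cross-checks the text motivates: failure modes whose end effect has not been traced to a patient harm, and hazards that no component failure mode explains. The device, rating scales, and worksheet rows are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class FailureMode:
    component: str
    mode: str
    local_effect: str
    end_effect: str         # effect on the intended function (system level)
    harm: Optional[str]     # patient harm the end effect translates to; None = not yet traced
    severity: int           # assumed scale 1 (negligible) .. 5 (catastrophic)
    occurrence: int         # assumed scale 1 (remote) .. 5 (frequent)
    detection: int          # assumed scale 1 (almost certain to detect) .. 5 (undetectable)

    def criticality(self) -> int:
        # Criticality analysis: severity combined with probability of occurrence
        return self.severity * self.occurrence

    def rpn(self) -> int:
        # Later qualitative variant: risk priority number adds a detection factor
        return self.criticality() * self.detection

@dataclass
class Hazard:
    hazard: str
    hazardous_situation: str
    harm: str
    p_harm: float           # probability of occurrence of the harm
    severity: int
    causes: List[str]       # component failure modes and/or use or clinical factors

    def safety_risk(self) -> float:
        # ISO 14971 safety risk: probability of occurrence of harm x severity of harm
        return self.p_harm * self.severity

def rank_by_criticality(fm: List[FailureMode]) -> List[FailureMode]:
    return sorted(fm, key=lambda f: f.criticality(), reverse=True)

def failure_modes_without_harm(fm: List[FailureMode]) -> List[str]:
    # Functional FMEA check: every end effect must translate to a patient harm
    return [f"{f.component}/{f.mode}" for f in fm if f.harm is None]

def hazards_not_caused_by_failure(hz: List[Hazard], fm: List[FailureMode]) -> List[str]:
    # HA check: hazards a reliability-centred FMECA alone would miss (device-use hazards)
    modes = {f"{f.component}/{f.mode}" for f in fm}
    return [h.hazard for h in hz if not any(c in modes for c in h.causes)]

# Constructed sample rows for a hypothetical infusion pump
FMECA = [
    FailureMode("pump motor", "stalls", "no fluid delivered", "therapy interrupted", "under-infusion", 4, 2, 2),
    FailureMode("occlusion sensor", "drifts high", "false occlusion alarm", "nuisance alarm", None, 2, 3, 1),
    FailureMode("flow controller", "over-drives", "rate exceeds setpoint", "over-delivery", "overdose", 5, 1, 3),
]
HAZARDS = [
    Hazard("over-delivery", "drug delivered above prescribed rate", "overdose", 0.001, 5, ["flow controller/over-drives"]),
    Hazard("air in line", "air infused during set-up", "air embolism", 0.002, 5, ["user primes set incorrectly"]),
]
```

Running the checks on the sample rows flags the occlusion sensor row as not yet traced to a harm and the air-in-line hazard as one that no component failure mode accounts for.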

About The Author:

Jayet Moon earned a master’s degree in biomedical engineering from Drexel University in Philadelphia and is a Project Management Institute (PMI)-Certified Risk Management Professional (PMI-RMP). Jayet is also a Chartered Quality Professional in the UK (CQP-MCQI). He is also an Enterprise Risk Management Certified Professional (ERMCP) and a Risk Management Society (RIMS)-Certified Risk Management Professional (RIMS-CRMP). He is a Fellow of the International Institute of Risk & Safety Management. His new book, Foundations of Quality Risk Management, was recently released by ASQ Quality Press. He holds ASQ CQE, CQSP, and CQIA certifications.