FMEA (Failure Mode Effect Analysis) is definitely the most widely used method for assessment of risks associated two any type of devices and processes. This is valid for any type of product or industry sector, medical device-related or not.

Here we present an article on how to apply and integrate FMEA method with risk management for a medical device. We all know the importance of a risk management process within a quality management system compliant with 21 CFR 820 and ISO 13485.

What is FMEA?

FMEA (Failure Mode and Effect Analysis) is a method used to anticipate the potential failures associated to a product or a process, estimated the severity of the potential effects of the failure and identify measures to mitigate the risks related to this failure.

Different types of FMEA can be developed; in particular we could have:

  • DFMEA, Design Failure Mode and Effect Analysis, where the risk analysis is performed on a specific products. The risks that can be handled within this FMEA are the ones related to failure of specific components of the device or failure related to the use of the device by patient, users or any other person potentially involved.
  • PFMEA, Process Failure Mode and Effect Analysis, where the risk analysis is performed on the manufacturing process. Following the workflow of a process, all the potential deviations are taken in considerations, associated risks estimated and mitigation actions identified.

5 Steps to perform a FMEA

The FMEA can be performed on 5 sequential steps which can be summarised in the infographic below:


Here we can now discuss more in details each step of the FMEA process.

Step 1: Risk Identification

The first step of the FMEA method is the risk identification. Hazardous situation and related risk can arise from different sources:

  • Risks resulting from faults : it is important to remind that the probability of a fault occurring is not the same probability of a harm occurring.
  • Risks resulting from random faults : Random faults are typically due to physical or chemical causes such as corrosion, contamination, thermal stress, and wear-out, etc.
  • Risk resulting from systematic faults : A systematic fault can be caused by an error in any type of activity. It will systematically give rise to a failure when some particular combination of inputs or environmental conditions arises, but will otherwise remain latent.
  • Risks arising from security vulnerabilities : Security vulnerabilities can lead to loss of data, disclosure of personal health information, unauthorized access to patient records, etc.  

Step 2: Determination of the severity of the potential harm

For each of the risks identified in Step 1, determination of the severity of the harm associated to the risk shall be performed. A score shall be given the severity of the harm. As a matter of example, the following table can be followed:

RatingSeverity of the Associated Harm
Catastrophic / FatalResults in death
CriticalResults in permanent impairment or irreversible injury
Serious / MajorResults in injury or impairment requiring medical or surgical intervention
MinorResults in temporary injury or impairment not requiring medical or surgical intervention
NegligibleResults in inconvenience or temporary discomfort 

Step 3: FMEA and Determination of the probability of occurence

Each of the risk identified in step 1 has a specific probability of occurrence shall be estimated. This can be performed using two different methods:

  • Qualitative method
  • Quantitative method.

For a qualitative method, the estimation of the probability of occurrence is performed by an expert based on different levels defined as per below:

Probability Levels Description
High Likely to happen, often, frequently, always
Likely to happen several times during the lifetime of the medical device
Medium Can happen, but not frequently
Likely to occur a few times during the lifetime of the medical device
Low Unlikely to happen, rare, remote
Not likely to occur during the lifetime of the medical device 

Instead, for a quantitative method, levels of probability of occurrence are defined on a quantitative way. For example:

Probability Levels Range
Probable<10−3 and ≥10−4
Occasional<10−4 and ≥10−5
Remote<10−5 and ≥10−6

Step 4 : FMEA and Estimation of the detectability

For a tri-dimensional FMEA, the estimation of the detectability shall be performed. This means that for each risks identified, a score should be given the possibility to detect the risk in order to prevent any specific hazardous situation or harm.

Also in this case, a table could be prepared as a matter of example:

Detectability Levels Criterial
Almost ImpossibleNo known control(s) available to detect failure mode
RemoteRemote likelihood current control(s) will detect failure mode.
LowLow likelihood current control(s) will detect failure mode.
ModerateModerate likelihood current control(s) will detect failure mode.
High High likelihood current control(s) will detect failure mode.
Almost Certain Almost Certain likelihood current control(s) will detect failure mode.

Step 5 : FMEA and Risk Estimation

The estimation of the risk is performed through the definition of a score which is called risk priority number and it is the last phase of the FMEA process. The RPN can be defined as Severity x Occurrence x Detectability. Also in this case, different layers shall be defined in order to identify the region of risks.

In general the regions of risk are defined in the risk management plan.

Leave a Reply

Your email address will not be published. Required fields are marked *