FMEA (Failure Mode and Effect Analysis) is definitely the most widely used method for assessing the risks associated with any type of device or process. This is valid for any type of product or industry sector, medical device-related or not.
Here we present an article on how to apply the FMEA method and integrate it with risk management for a medical device. We all know the importance of a risk management process within a quality management system compliant with 21 CFR 820 and ISO 13485.
What is FMEA?
FMEA (Failure Mode and Effect Analysis) is a method used to anticipate the potential failures associated with a product or a process, estimate the severity of the potential effects of each failure and identify measures to mitigate the risks related to that failure.
Different types of FMEA can be developed; in particular we could have:
- DFMEA, Design Failure Mode and Effect Analysis, where the risk analysis is performed on a specific product. The risks that can be handled within this FMEA are the ones related to failure of specific components of the device or failure related to the use of the device by patients, users or any other person potentially involved.
- PFMEA, Process Failure Mode and Effect Analysis, where the risk analysis is performed on the manufacturing process. Following the workflow of a process, all the potential deviations are taken into consideration, the associated risks are estimated and mitigation actions are identified.
5 Steps to perform a FMEA
The FMEA can be performed in 5 sequential steps, which are summarised in the infographic below:
Here we discuss each step of the FMEA process in more detail.
Step 1: Risk Identification
The first step of the FMEA method is risk identification. Hazardous situations and related risks can arise from different sources:
- Risks resulting from faults: it is important to remember that the probability of a fault occurring is not the same as the probability of harm occurring.
- Risks resulting from random faults: random faults are typically due to physical or chemical causes such as corrosion, contamination, thermal stress and wear-out.
- Risks resulting from systematic faults: a systematic fault can be caused by an error in any type of activity. It will systematically give rise to a failure when some particular combination of inputs or environmental conditions arises, but will otherwise remain latent.
- Risks arising from security vulnerabilities: security vulnerabilities can lead to loss of data, disclosure of personal health information, unauthorized access to patient records, etc.
Step 2: Determination of the severity of the potential harm
For each of the risks identified in Step 1, the severity of the harm associated with the risk shall be determined and given a score. As an example, the following table can be used:
| Rating | Severity of the Associated Harm |
|---|---|
| Catastrophic / Fatal | Results in death |
| Critical | Results in permanent impairment or irreversible injury |
| Serious / Major | Results in injury or impairment requiring medical or surgical intervention |
| Minor | Results in temporary injury or impairment not requiring medical or surgical intervention |
| Negligible | Results in inconvenience or temporary discomfort |
Step 3: FMEA and Determination of the probability of occurrence
Each of the risks identified in Step 1 has a specific probability of occurrence, which shall be estimated. This can be performed using two different methods:
- Qualitative method
- Quantitative method.
For a qualitative method, the probability of occurrence is estimated by an expert, based on different levels defined as below:
| Probability level | Description |
|---|---|
| High | Likely to happen, often, frequently, always. Likely to happen several times during the lifetime of the medical device |
| Medium | Can happen, but not frequently. Likely to occur a few times during the lifetime of the medical device |
| Low | Unlikely to happen, rare, remote. Not likely to occur during the lifetime of the medical device |
For a quantitative method, instead, the levels of probability of occurrence are defined in a quantitative way. For example:
| Probability level | Probability of occurrence |
|---|---|
| Probable | < 10⁻³ and ≥ 10⁻⁴ |
| Occasional | < 10⁻⁴ and ≥ 10⁻⁵ |
| Remote | < 10⁻⁵ and ≥ 10⁻⁶ |
Step 4: FMEA and Estimation of the detectability
For a tri-dimensional FMEA, the detectability shall also be estimated. This means that, for each risk identified, a score should be given to the possibility of detecting the risk in order to prevent any specific hazardous situation or harm.
Here too, a table can be prepared as an example:
| Detection | Likelihood of detection by current controls |
|---|---|
| Almost Impossible | No known control(s) available to detect failure mode. |
| Remote | Remote likelihood current control(s) will detect failure mode. |
| Low | Low likelihood current control(s) will detect failure mode. |
| Moderate | Moderate likelihood current control(s) will detect failure mode. |
| High | High likelihood current control(s) will detect failure mode. |
| Almost Certain | Almost certain likelihood current control(s) will detect failure mode. |
Step 5: FMEA and Risk Estimation
The estimation of the risk is the last phase of the FMEA process. It is performed by defining a score called the risk priority number (RPN), which is defined as Severity x Occurrence x Detectability. Here too, different levels shall be defined in order to identify the regions of risk.
In general the regions of risk are defined in the risk management plan.
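The five steps can be carried through on a small worksheet. The following is an added example, not part of the original article: it maps estimated probabilities to the quantitative bands of Step 3, computes the RPN of Step 5 and ranks the failure modes. The numeric scores, the region thresholds and the worksheet rows are all assumptions, since the article names the levels without assigning numbers and leaves the regions to the risk management plan.

```python
# Added example. Numeric scores and region thresholds are assumptions;
# the article names the rating levels but assigns them no numbers.
SEVERITY = {"Negligible": 1, "Minor": 2, "Serious / Major": 3,
            "Critical": 4, "Catastrophic / Fatal": 5}
# Harder to detect means a higher score (assumed convention).
DETECTABILITY = {"Almost Certain": 1, "High": 2, "Moderate": 3,
                 "Low": 4, "Remote": 5, "Almost Impossible": 6}
# Step 3 quantitative bands: (level, inclusive lower, exclusive upper, score).
OCCURRENCE_BANDS = [("Probable", 1e-4, 1e-3, 3),
                    ("Occasional", 1e-5, 1e-4, 2),
                    ("Remote", 1e-6, 1e-5, 1)]
# Hypothetical risk regions: (minimum RPN, region name), highest first.
REGIONS = [(30, "high"), (15, "medium"), (0, "low")]

def occurrence_level(probability):
    """Map an estimated probability to its band and assumed score."""
    for level, lower, upper, score in OCCURRENCE_BANDS:
        if lower <= probability < upper:
            return level, score
    # Outside the listed bands: refuse to guess a score.
    raise ValueError(f"probability {probability} is outside the defined bands")

def rpn(severity, probability, detectability):
    """Risk priority number = Severity x Occurrence x Detectability."""
    _, occurrence = occurrence_level(probability)
    return SEVERITY[severity] * occurrence * DETECTABILITY[detectability]

def region(score):
    """Return the first (highest) region whose minimum the score reaches."""
    return next(name for minimum, name in REGIONS if score >= minimum)

def analyse(worksheet):
    """Return (failure mode, RPN, region) rows, highest RPN first."""
    rows = [(mode, rpn(sev, p, det)) for mode, sev, p, det in worksheet]
    rows.sort(key=lambda row: row[1], reverse=True)
    return [(mode, score, region(score)) for mode, score in rows]

# Constructed rows: a random fault, a systematic fault, a security vulnerability.
WORKSHEET = [
    ("Battery contact corrosion", "Serious / Major", 5e-5, "Moderate"),
    ("Dose error on a specific input combination", "Critical", 2e-6, "Remote"),
    ("Unauthorized access to patient records", "Serious / Major", 5e-4, "Low"),
]

if __name__ == "__main__":
    for row in analyse(WORKSHEET):
        print(row)
```

A probability that falls outside the three listed bands raises an error instead of receiving a silent score, so the team has to extend the band table explicitly.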