
Use these 4 steps to define hazardous situations and foreseeable sequence of events

Tags: failure mode, FMEA, hazard analysis, hazardous situation, risk assessment, risk management. Feb 15, 2022
Confusion about failure modes and hazardous situations

If you are using an FMEA to define sequence of events and hazardous situations relevant for your medical device, you are likely having a difficult time. Here is an easier, more direct way to meet ISO 14971:2019 requirements. 

Use of a Failure Mode Effects Analysis (FMEA) is so widespread in the medical device industry that it is often treated as the only way to show conformance to the ISO 14971:2019 requirements for risk assessment. In a recent blog post, we discussed why using an FMEA as your only tool for risk management is a problem.

Risk of device failure is NOT the same as risk of harm.

The two are related, but not the same. It is very important to understand this difference so you can use FMEAs correctly, while at the same time, developing a sound approach to link your failure analysis with safety risk assessment. Note that we are using the term risk in the context of ISO 14971:2019, and not as a general term. 

Therefore, a failure mode is NOT the same as a hazardous situation. It may lead to a hazardous situation, but it does not, by itself, represent a hazardous situation. 

The concept of a hazardous situation is hard to understand. Here is the definition, per ISO 14971:2019:

"Hazardous situation: circumstance in which people, property or the environment is/are exposed to one or more hazards."

But what does that mean? Is a hazardous situation different from a hazardous event? If so, how should a hazardous event be defined? ISO 14971 provides a definition for a hazardous situation, but not for a hazardous event.

Differences in terminology cause a lot of confusion in the industry. As a result, there are many mistakes in risk analysis. 

Here is another example of potential confusion.

If a patient is in the operating room about to receive an implantable medical device, they are already in a hazardous situation, even before the procedure has started! Which hazardous situation should we consider that relates to our device, and not to the surgical procedure itself? 

Here is a brief video from our Risk Management Fundamentals course that provides a good background on the term hazardous situation, illustrative examples and the regulatory perspective.


Why is it a problem to use FMEA for defining a hazardous situation?

In short, because a hazardous situation may occur even when there is no device malfunction!

This is a problem because an FMEA, by itself, is a tool that analyzes each failure mode, its cause and its effect one at a time. It has no place to record a hazardous situation that arises while the device is working as designed. 

Let us consider the following example based on a recent FDA Safety Alert:

"The U.S. Food and Drug Administration (FDA) is warning health care providers, parents and caregivers of pediatric patients (children) who receive enteral feeding that there is a risk of strangulation from the use of enteral feeding delivery sets. The feeding set tubing can become wrapped around a child’s neck and cause strangulation or death."

According to the device description in the FDA alert, "enteral feeding delivery sets are medical devices used to provide nutrition to people who are unable to eat, swallow, or be fed by mouth to fully meet their nutritional needs. These sets include tubing that delivers feeding to the patient’s enteral tube (or feeding tube) using gravity or a pump. A feeding tube passes directly to the stomach or small intestine through the nose, mouth, or artificial opening in the abdomen."

Feeding tubes are classified as Class II products under FDA product code FPD.

Which failure mode should we consider to be related to this hazardous situation where the feeding tube can get wrapped around a child's neck? 

Is it the diameter of the tube? Or the length of the tube? Or the wall thickness? Or the material of construction? Or inadequate, incomplete and/or ambiguous use instructions, warnings and precautions to the healthcare staff? Or something else?

This is an illustration of the key issue. A failure mode is not a hazardous situation. 

A way out of this dilemma is to separate your failure analysis from hazard/harm analysis. Here are 4 simple steps you can follow.

As described in the video above, you have to carefully consider the link between a trigger event (may or may not be due to device malfunction), sequence of events, hazardous situation and harm. You have to look at how a patient or user is exposed to one or more hazards and a hazardous situation.

The figure below illustrates this linkage:

A key insight is that the link from a trigger event to a hazardous situation is not always linear. After a foreseeable sequence of events leads to a hazardous situation, further intervention may itself lead to an additional sequence of events and a new hazardous situation.

The first step, therefore, is to figure out the boundary for your analysis. At what point in the foreseeable sequence of events are you going to stop? Otherwise, you will end up with a lot of speculation and an endless exercise of what-ifs.

It is also important to understand what a foreseeable sequence of events is and how it is defined. There are two parts to this term: first, it should be foreseeable using common sense and expert judgment based on technical or clinical experience. Second, there may be a series of events, either in a sequence or in combination, that may lead to a hazardous situation. We need to be able to map out a foreseeable sequence of events in as much detail as possible. 

It is best to involve experts with specific clinical knowledge and field experience. Ask the question - what is in scope for our device and what is out of scope? This question must be resolved early, and clearly before you begin your analysis. 

Second, clearly specify the scope of the failure analysis, and focus on the effect of each potential failure mode on product function. Identify the hazard(s) that may be activated as a result of each failure mode. If there are no applicable hazards, then that failure mode does not impact safety. This can be indicated by a simple Y/N flag for potential safety impact.

Third, complete a separate hazard/harm analysis. In this analysis, you are trying to link hazards to one or more harms through a sequence of events leading up to a hazardous situation. 

As an example, you may consider the following scenario as one possibility when analyzing the feeding tube case above:

Trigger event: external tube connected to the feeding tube but left coiled up close to the child

Sequence of events: child left unmonitored, external tubing gets wrapped around the child's neck, child unable to call for help, child unable to breathe

Hazardous situation: respiratory distress, low oxygen

Hazard: errors in labeling, instructions for use, warnings/precautions

Harm: death

Note that this is only one combination of factors leading to the hazardous situation where the patient is exposed to the hazard (i.e., labeling errors in this case). There may be other factors leading to the same hazardous situation. Hazard analysis is not simply identification of hazards, but also linking them to harms through each applicable sequence of events and hazardous situation. 

Fourth, download our free template for a preliminary hazard analysis. You will also get additional resources such as a video guide, best practices and mistakes to avoid. Start with this tool early in your design and development and use the modular template to extend into a complete risk assessment. This will allow you to link all applicable failure modes to each hazard/harm combination.

Check out Tables C.2 and C.3 in Annex C (Informative) of ISO 14971:2019. Additional guidance is in ISO/TR 24971:2020. 
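As an added illustration (not part of the original post or its template), the following Python sketch keeps the failure analysis (step 2, with its Y/N safety-impact flag) in a separate table from the hazard/harm analysis (step 3), then links them per hazard/harm combination as in step 4. The sample rows are constructed around the feeding tube case above; the trigger that needs no device malfunction ends up with no linked failure mode, which is exactly what an FMEA alone would miss.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    """Failure analysis row (step 2); empty activated_hazards = no safety impact."""
    name: str
    effect_on_function: str
    activated_hazards: frozenset


@dataclass(frozen=True)
class HazardScenario:
    """Hazard/harm analysis row (step 3): trigger -> sequence -> hazardous situation -> harm."""
    trigger_event: str
    sequence_of_events: tuple
    hazardous_situation: str
    hazard: str
    harm: str
    device_malfunction: bool  # False when the trigger needs no device failure


def safety_impact_flag(fm):
    """Step 2's Y/N flag: does this failure mode activate any hazard?"""
    return "Y" if fm.activated_hazards else "N"


def link_failure_modes(failure_modes, scenarios):
    """Step 4: failure modes that can activate the hazard of each hazard/harm pair.
    An empty list marks a pair an FMEA alone would never surface."""
    table = {}
    for sc in scenarios:
        names = table.setdefault((sc.hazard, sc.harm), set())
        names.update(fm.name for fm in failure_modes if sc.hazard in fm.activated_hazards)
    return {pair: sorted(names) for pair, names in table.items()}


# Constructed sample rows for the enteral feeding set discussed above.
FAILURE_MODES = [
    FailureMode("tubing kinks (wall thickness below spec)", "feed flow stops",
                frozenset({"interrupted nutrition delivery"})),
    FailureMode("outer carton print smudged", "cosmetic only", frozenset()),
]
SCENARIOS = [
    HazardScenario("external tube connected but left coiled near the child",
                   ("child unmonitored", "tubing wraps around neck",
                    "child cannot call for help", "child cannot breathe"),
                   "respiratory distress, low oxygen",
                   "errors in labeling, instructions for use, warnings/precautions", "death", False),
    HazardScenario("tubing kinks during feed", ("flow stops", "pump alarm not noticed"),
                   "patient not receiving prescribed nutrition",
                   "interrupted nutrition delivery", "malnutrition", True),
]
```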

In summary

As a result of the current industry practice of using FMEA for safety risk assessment, it is very challenging to link failure modes to hazardous situations. Failure modes are not the same as hazardous situations, which can occur even when a medical device is operating normally. Therefore, it is best to separate the failure analysis from the safety risk analysis, which focuses on hazards, hazardous situations and harms. This can be done easily using a well-designed modular template which starts out as a preliminary hazard analysis but grows into a complete product-specific risk assessment. In this way, FMEA is used exclusively for failure analysis, but is linked to a separate risk assessment.

Learn more about this topic in this Hazard Analysis Made Easy webinar and get a free template!
