Using FMEA alone is the lazy choice and no longer acceptable
ISO 14971, Medical devices - Application of risk management to medical devices, is frequently miss-applied and if your ISO 13485 QMS Manual claims to use ISO 14971 you'd better use it properly. Some bastardised version of FMEA alone will no longer be accepted as the publication of ISO 14971:2019 and the associated Technical Report (a guide) ISO 24971:2020 attests. External Auditors will want to see that both have been adequately applied in taking a product lifecycle approach.
Risk assessment tools and techniques offer unique insight into the practical application of Risk Management. The variety, complexity and wide range of applicability of these tools can be confusing especially for those new to risk management.
Too often those responsible for overseeing the risk management of an organization limit themselves to using basic FMEA – Failure Modes and Effect Analysis – or even a slimmed-down version of an FMEA. This is a mistake. The expectation of External Auditors is for two or more risk management tools to be used.
Six common mistakes in using ISO 14971
- Use of FMEA alone: a single FMEA is used; usually a process FMEA. This is not acceptable as the Standard requires risk management throughout the product lifecycle, from initial product concept to end-of-life disposal.
- pFMEA focused on component failure: This is to miss the point of Clause 7.1 of ISO 13485 completely where it is the threat to patient/user safety in regular use and possible misuse of the product that is the concern.
- No Risk Management File (RMF) is maintained: such a file is required in addition to the file requirements of Clauses 4.2.3 and 7.3.10 of ISO 13485.
- No periodic or adverse event-driven update of Risk Management Tools/Methods: Risk management throughout the lifecycle of the product/device is required.
- No history in the RMF: The reasons why updates were made to risk management records are documented or referenced in the RMF.
- No proactive effort to seek out Post-Market Surveillance data and to update Risk Management records accordingly (in addition to other actions that may be required).
Applications of Risk Assessment Tools in the Product Lifecycle
It is not immediately obvious to the reader of ISO 14971 as to where in the lifecycle of a product each of the tools should be applied. The table below maps each of the tools against the lifecycle stage where typically they are used.
Doesn't only apply to Medical Devices
While our focus is on the risk associated with Medical Device manufacture, you can no doubt find analogous opportunities to apply the tools to your organization. And they are not limited in use to manufacturing; they are just as applicable to all business activities, both public and private sector.
The management of risk is fundamental to business improvement. So be sure to give these tools a try.
And training is essential if you are to successfully implement these Risk Management Tools
To fill this need we have developed two Courses.
For Internal Auditors:
For Quality Managers and Consultants:
Note: First published in Apr 2019; revised and updated in Aug 2021.