Safety of medical devices and risk management are two of the central demands of the legal requirements for manufacturers of medical devices in Europe. In the new EU Medical Devices Regulation (2017/745), which replaces the previously valid EU Medical Devices Directive (93/42/EEC), the requirements for risk management have been specified and further tightened.
In addition to the legal requirements, there are normative specifications that demand a risk-based approach throughout the entire life cycle of medical devices. These standards include ISO 13485:2017, ISO 14971:2019 and ISO 24971:2020. The requirements for risk management were also tightened and specified in these standards. The requirements of the standards largely coincide with the new legal requirements. However, since the standards have not yet been harmonized, there are still undiscussed differences between the standards and the laws in points of detail.
FMEA in the risk management of medical device manufacturers
Many medical device manufacturers have used FMEA as a tool to meet risk management requirements. On closer inspection, however, it becomes apparent that FMEA cannot meet these requirements alone. This becomes particularly clear when considering the use of the term "risk" as it relates to FMEA and as it is defined in the ISO 14971:2019 standard (see Fig. 01).
Fig. 01: Use of the term risk in ISO 14971:2019 and the FMEA
Risk from the perspective of the ISO 14971:2019 standard focuses on the effects that failures cause on the medical device by estimating the severity of damage and the occurrence of damage.
Risk from the perspective of FMEA, on the other hand, focuses on the failure of the medical device itself by estimating the occurrence of the cause and the detection of the cause or its effects, as specified in the evaluation tables.
Another indication that FMEA is no longer seen as "risk analysis" is that in the new AIAG/VDA FMEA manual (2019) the term RPN (risk priority number) has been replaced by "action priority". In the future, the automotive sector (AIAG/VDA) will therefore determine the action priority and not the risk.
Does this mean that the "FMEA" method can still be used sensibly for risk management? ... Absolutely yes!
Combining risk analysis and FMEA in risk management
The goal of a risk management process is to ensure that medical devices are safe. In order to achieve this goal economically, the resources of the company must be concentrated on those aspects of the product from which socially unacceptable risks emanate. For this purpose, risk analysis and FMEA must be linked.
Based on the risk acceptance, the risk analysis shows which hazards (defects in the product) can lead to unaccepted risks and to what extent these hazards may occur and still be accepted. This information can be used in the FMEAs to determine appropriate measures to ensure that hazards only occur to an extent that leads to an acceptable risk (see Fig. 02).
Fig. 02: Combining risk analysis and FMEA
Hazards (potential defects in the product) must be identified and the hazardous situation and damage that may occur must be determined. It must be evaluated how often damage can occur and how severe this damage is. The combination of occurrence and severity of the damage results in the risk. If the risk is in an acceptable range and the risk has been reduced "as far as possible", no measures need to be taken. If the risk lies in an unacceptable range, it must be determined where in the life cycle of the medical device (design, manufacturing and use) the cause of the defect lies. FMEA is then used to analyze the causes of the defect and the measures necessary to reduce the occurrence of the defect in customer operation far enough that the resulting risk lies in an acceptable range.
By combining risk management and FMEA, it is thus possible to focus specifically on measures that are essential for the safety of the medical device.
Bernhard Lindner, MSc is Head of Quality Management in the Quality Department at the medical device manufacturer Leonhard Lang GmbH in Innsbruck. He is responsible for the reorganisation of the existing quality management system.
[The article was published in the magazine FMEA Konkret, issue 12/2021, p. 12-13, and is published on RiskNET with the kind permission of the editors]