In the medical device industry, risk management is not just a regulatory requirement. It is a fundamental practice to ensure the safety, effectiveness and quality of devices that directly impact patient health and wellbeing.
If you operate within the medical device industry as a manufacturer, Software as a Medical Device (SaMD) developer, OEM supplier or service provider (such as sterilization, packaging, and testing laboratories), you are required to identify, assess, mitigate, and monitor risks throughout the entire product lifecycle.
The medical device industry is highly regulated worldwide, and a risk-based approach forms the foundation of the key regulations and standards listed below:
§ ISO 14971:2019 – Provides a systematic framework for identifying hazards, estimating and evaluating risks, implementing controls, and monitoring their effectiveness.
§ EU MDR 2017/745 – Establishes requirements for the safety, performance, and clinical evaluation of medical devices throughout their lifecycle, emphasizing risk management, post-market surveillance, and patient safety.
§ IVDR 2017/746 – Outlines obligations for in vitro diagnostic devices, requiring manufacturers to implement robust risk management and performance evaluation processes across the entire product lifecycle.
§ FDA 21 CFR Part 820 – Mandates that medical device manufacturers establish and maintain a quality system, including design controls, risk management, and corrective actions to ensure product safety and effectiveness.
§ ISO 13485:2016 – Requires a risk-based approach to all processes, from design and development to production, distribution, and post-market activities.
§ IEC 62304:2006 – Specifies lifecycle requirements for medical device software, integrating risk management into software development, maintenance, and post-market processes to ensure product safety and effectiveness.
§ IEC 60601-1 – Requires manufacturers of medical electrical equipment to apply a risk management process that conforms to ISO 14971 throughout design and manufacturing.
One of the most widely used methodologies in medical device risk management is Failure Modes and Effects Analysis (FMEA). FMEA is a systematic approach used to identify potential failure modes within a product or process, evaluate their potential impact, and prioritize them based on factors such as severity, likelihood of occurrence, and detectability.
While FMEA is a powerful method, performing it manually or using spreadsheets can be time-consuming, error-prone, and difficult to maintain throughout the device lifecycle.
FMEA and Hazard Analysis
In the medical device industry, organizations apply a range of risk analysis methods to ensure compliance with regulatory requirements and maintain product safety and effectiveness throughout the lifecycle. Commonly used methods include Preliminary Hazard Analysis (PHA), Hazard Analysis (HA), Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Hazard and Operability Study (HAZOP), Use Error Analysis, and Software Hazard Analysis. In this section, we will elaborate on FMEA and Hazard Analysis, as they are two of the most widely adopted approaches within the medical device sector.
Failure Modes and Effects Analysis (FMEA) takes a bottom-up, detailed approach. It focuses on identifying potential failure modes in components, processes, or software, examining the causes and consequences of these failures. Its risk evaluation is semi-quantitative: ordinal scores for severity, occurrence, and detectability are multiplied into a Risk Priority Number (RPN). FMEA is typically applied during the design and manufacturing phases to target specific risk mitigation actions.
Hazard Analysis (HA), on the other hand, is a top-down, system-level approach. It identifies and assesses hazards, hazardous situations, and potential harms across the entire product lifecycle, ensuring broad risk coverage. The risk evaluation in HA is typically qualitative, focusing on hazard identification and assessment as outlined in ISO 14971. HA is crucial for continuous monitoring throughout the product’s lifecycle to ensure ongoing safety.
Below is a flowchart illustrating how Hazard Analysis is integrated into FMEA, a process also supported by SoftComply Risk Manager Plus.

A Step by Step Guide to FMEA in Jira:
Step 1: Define Scope and System Boundaries
Start the FMEA by defining the system, subsystem, or component under analysis. Clearly establish the scope, considering the entire product lifecycle from design to disposal. Review device specifications, design documents, and applicable regulatory requirements to clarify the intended use, operating environment, and user profile.
To conduct an FMEA in Jira with the SoftComply Risk Manager Plus, start by creating a new risk management project and selecting the appropriate risk model and risk register from the built-in templates.

Case Study: To illustrate the process in a practical context, we will follow a case study from MediHeart Devices Inc., a fictional medical device company based in Munich, Germany.
| CASE STUDY | |
|---|---|
| Name: | MediHeart Devices Inc. |
| Industry: | Medical Devices |
| Location: | Munich, Germany |
| Product Focus: | Implantable cardiac monitors (ICMs) and wearable ECG recorders |
| Employees: | 120 |
| Compliance Goals: | § Comply with ISO 14971:2019 § Prepare for EU MDR audits § Maintain an ISO 13485-certified QMS |
At MediHeart Devices Inc., the Quality Manager creates a dedicated Jira project called MD-RISKS using the SoftComply Risk Manager Plus. The team selects the built-in FMEA Risk Model and Risk Register templates and customizes them to include risk evaluation iterations, mitigation actions, and traceability between product requirements and verification tests.
Step 2: Assemble a Cross-Functional Team
Form a multidisciplinary team that includes experts from engineering, quality, manufacturing, regulatory affairs and clinical departments. Assign responsibilities to each team member and establish a clear communication process to ensure effective collaboration throughout the FMEA.
By leveraging Jira’s collaborative features, the SoftComply Risk Manager Plus enables you to assign roles and responsibilities to team members from various departments, such as engineering, quality, manufacturing, and regulatory affairs. This integration fosters effective communication and collaboration throughout the FMEA process.
Case Study: MediHeart assembles a cross-functional team, including RA/QA, R&D, and Clinical Affairs. Using Jira’s collaborative functions, the team assigns specific roles within the MD-RISKS project, ensuring efficient tracking of risk items and actions in real-time.
Step 3: Identify Device Functions and Requirements
Break down the medical device into its functions and sub-functions. Identify the performance requirements for each function, including regulatory, user, and safety needs. Create functional diagrams to visualize the system and identify any critical or life-supporting functions.
Utilize customizable templates within SoftComply Risk Manager Plus to document and analyze the functions and requirements of the medical device. This includes creating functional flow diagrams and specifying performance criteria, ensuring a comprehensive understanding of the device’s intended use and regulatory obligations.
Case Study: The team uses SoftComply Risk Manager Plus templates to map the key functions of the implantable cardiac monitor, such as battery management and thermal regulation. They document device requirements in Jira and link them to the FMEA items, ensuring clear traceability from product requirements to risk items.
Step 4: Identify Failure Modes
For every identified function, list all possible failure modes by considering how the function might fail. Use brainstorming sessions, historical data, complaints, and test results to ensure no potential failure modes are overlooked. Include failures related to hardware, software, processes, and user interactions.
SoftComply Risk Manager Plus facilitates the identification of potential failure modes by allowing users to document and categorize various ways in which each function might fail. The tool supports the inclusion of historical data, test results, and user feedback to ensure a thorough analysis.
Case Study: In a workshop, the team identifies potential failure modes including battery overheating due to capacitor failure. Using SoftComply, they document these modes and their causes, and link historical incident data. The failure mode is entered as:
- Failure Mode: Thermal runaway due to capacitor failure
- Effect: Tissue damage, burns
- Cause: Excessive charging cycles, software error
Step 5: Identify Effects of Failure Modes
Determine the effects of each failure mode on the device, the patient, the user, or the environment. Evaluate both local effects within the device and broader system-level effects. Identify possible patient or user harms, ensuring a clinical perspective is applied.
SoftComply Risk Manager Plus enables you to assess and record the potential effects of each failure mode on the device, patient, user, or environment. By systematically evaluating these effects, you can prioritize risks based on their severity and impact.
Case Study: The team records the effect of battery overheating as tissue damage and burns. In SoftComply Risk Manager Plus, they use the clinical impact matrix to assess the severity and document the clinical harms directly linked to the failure mode.
Step 6: Identify Causes and Mechanisms of Failure
Analyze the root causes and mechanisms that could lead to each failure mode to explore potential errors in design, manufacturing, software, or user handling that might trigger the failure.
Using the tool’s structured approach, you can analyze root causes and mechanisms leading to each failure mode. SoftComply Risk Manager Plus supports methodologies like cause-and-effect analysis, enabling a detailed examination of potential design flaws, manufacturing errors, or user interactions.
Case Study: The team determines that excessive charging cycles and software errors are the root causes. Using the built-in cause analysis feature in SoftComply Risk Manager Plus, the team documents these causes and identifies gaps in the current design and firmware.
Step 7: Evaluate Risks
Assign scores for severity, occurrence, and detection (if used) to each failure mode using the rating scales defined in your risk management plan. Calculate the Risk Priority Number (RPN) by multiplying the three scores. This step helps prioritize the most critical risks that require attention.
Risk Priority Number (RPN) is a numerical value used in Failure Modes and Effects Analysis (FMEA) to prioritize risks associated with potential failure modes in a product, process, or system. RPN is calculated using the following formula:
RPN = Severity × Occurrence × Detection
The software allows you to assign numerical values to the severity, occurrence, and detection of each failure mode, automatically calculating the Risk Priority Number (RPN). This quantifiable approach aids in prioritizing risks and determining the need for mitigation strategies.
Case Study: The team assigns Severity 9, Occurrence 4, and Detection 5, resulting in an initial RPN of 180. They use Jira to link this risk to specific product requirements (PRD-55.3) and verification tests (VT-77) to ensure the risks are connected to validation activities.
Step 8: Identify Risk Mitigation Actions
Propose and document appropriate risk control measures to reduce the likelihood of occurrence or improve the detectability of the failure. Implement these measures through design modifications, additional controls, software updates, enhanced instructions for use, or user training.
SoftComply Risk Manager Plus enables you to propose and document risk control measures aimed at reducing the likelihood or improving the detectability of failure modes. You can track the implementation of these actions and assess their effectiveness within the same platform.
Case Study: They assign a mitigation action to the Embedded Systems Engineers to add a firmware watchdog for thermal feedback. After implementing this action, the team updates the detection and occurrence scores in SoftComply, resulting in a residual RPN of 54, demonstrating effective risk reduction.
Step 9: Reassess Risk Post-Mitigation
After applying the risk controls, recalculate the RPN to verify whether the residual risks fall within acceptable limits as defined in your risk management plan. Severity normally stays as originally scored: a control that prevents or detects the failure does not lessen the harm if the failure still occurs, so it is the occurrence and detection scores that change. Because the RPN is a product, a severe but rare failure can score below a benign but frequent one; review high-severity items individually rather than relying on the RPN threshold alone. Confirm that all mitigations have been properly verified and validated to ensure their effectiveness.
Case Study: Following implementation, the team reassesses the battery overheating risk and confirms that the residual RPN of 54 meets MediHeart’s risk acceptance criteria. All updates are logged within SoftComply Risk Manager Plus, ensuring full traceability.
Step 10: Document and Maintain the FMEA
Document all steps, findings, and decisions in the FMEA worksheet and maintain it as a living document. Update the FMEA throughout the device lifecycle to reflect design changes, manufacturing improvements, or post-market surveillance data. Ensure that the FMEA is integrated into the overall risk management file and linked to design and validation records.
SoftComply Risk Manager Plus provides comprehensive documentation capabilities, allowing you to maintain detailed records of all FMEA activities. The tool supports reporting and traceability, ensuring that the FMEA remains up to date throughout the product lifecycle.
Case Study: The Quality team uses the reporting extension of SoftComply Risk Manager for Confluence to generate the FMEA Risk Table, Risk Model and Risk History Reports directly on Confluence pages.
These reports are used for the upcoming EU MDR audit and to maintain their ISO 13485-certified QMS. The FMEA remains updated throughout the product lifecycle, with post-market surveillance data linked back into the system.
Conclusion
Can you imagine handling the FMEA process manually or without an effective application, managing endless documents, coordinating across multiple departments, and keeping up with complex regulatory requirements? The risk of missing critical details, human error, and costly delays is high without a streamlined solution.
SoftComply Risk Manager Plus eliminates these challenges by simplifying the entire process, from identifying failure modes to documenting mitigation actions. With this tool, your team can work more efficiently, reduce the risk of compliance issues, and focus on what truly matters: ensuring the safety and quality of your medical devices.
Ready to see how it works in practice? Book a call or try it for FREE and start building a more compliant FMEA process today.