In the medical device industry, risk management is not just a regulatory requirement. It is a fundamental practice to ensure the safety, effectiveness and quality of devices that directly impact patient health and wellbeing.
If you operate within the medical device industry as a manufacturer, Software as a Medical Device (SaMD) developer, OEM supplier or service provider (such as sterilization, packaging, and testing laboratories), you are required to identify, assess, mitigate, and monitor risks throughout the entire product lifecycle.
The medical device industry is highly regulated worldwide, and a risk-based approach forms the foundation of the key regulations and standards listed below:
One of the most widely used methodologies in medical device risk management is Failure Modes and Effects Analysis (FMEA). FMEA is a systematic approach used to identify potential failure modes within a product or process, evaluate their potential impact, and prioritize them based on factors such as severity, likelihood of occurrence, and detectability.
While FMEA is a powerful method, performing it manually or using spreadsheets can be time-consuming, error-prone, and difficult to maintain throughout the device lifecycle.
In the medical device industry, organizations apply a range of risk analysis methods to ensure compliance with regulatory requirements and maintain product safety and effectiveness throughout the lifecycle. Commonly used methods include Preliminary Hazard Analysis (PHA), Hazard Analysis (HA), Failure Modes and Effects Analysis (FMEA) and Fault Tree Analysis (FTA). In this section, we will elaborate on FMEA and Hazard Analysis, as they are two of the most widely adopted approaches within the medical device sector.
Failure Modes and Effects Analysis (FMEA) takes a bottom-up, detailed approach. It focuses on identifying potential failure modes in components, processes, or software, examining the causes and consequences of these failures. It uses quantitative risk evaluation, employing Risk Priority Numbers (RPN) that assess severity, occurrence, and detectability. FMEA is typically applied during the design and manufacturing phases to target specific risk mitigation actions.
Hazard Analysis (HA), on the other hand, is a top-down, system-level approach. It identifies and assesses hazards, hazardous situations, and potential harms across the entire product lifecycle, ensuring broad risk coverage. The risk evaluation in HA is typically qualitative, focusing on hazard identification and assessment as outlined in ISO 14971. HA is crucial for continuous monitoring throughout the product’s lifecycle to ensure ongoing safety.
Below is a flowchart illustrating how Hazard Analysis is integrated into FMEA, a process also supported by SoftComply Risk Manager Plus.
Figure 1 - SoftComply Risk Manager Plus supports both FMEA and HA by offering customizable templates and workflows for each method. The platform allows for integration between the two, linking failure modes identified in FMEA with hazards in HA.
Start the FMEA by defining the system, subsystem, or component under analysis. Clearly establish the scope, considering the entire product lifecycle from design to disposal. Review device specifications, design documents, and applicable regulatory requirements to clarify the intended use, operating environment, and user profile.
For conducting FMEA in Jira with the SoftComply Risk Manager Plus, start with creating a new risk management project, select the right risk model and risk register from the built-in templates.
Figure 2 - Risk Model and Risk Register Templates in Risk Manager Plus in Jira
Case Study: To illustrate the process in a practical context, we will follow a case study from MediHeart Devices Inc., a fictional medical device company based in Munich, Germany.
At MediHeart Devices Inc., the Quality Manager creates a dedicated Jira project called MD-RISKS using the SoftComply Risk Manager Plus.
The team selects the built-in FMEA Risk Model and Risk Register templates and customizes it to include risk evaluation iterations, mitigation actions, and traceability between product requirements and verification tests.
Form a multidisciplinary team that includes experts from engineering, quality, manufacturing, regulatory affairs and clinical departments. Assign responsibilities to each team member and establish a clear communication process to ensure effective collaboration throughout the FMEA.
By leveraging Jira’s collaborative features, the SoftComply Risk Manager Plus enables you to assign roles and responsibilities to team members from various departments, such as engineering, quality, manufacturing, and regulatory affairs. This integration fosters effective communication and collaboration throughout the FMEA process.
Figure 3 - assign risk management ownership and responsibility to various team members in the Risk Manager Plus table view in Jira
Case Study: MediHeart assembles a cross-functional team, including RA/QA, R&D, and Clinical Affairs. Using Jira’s collaborative functions, the team assigns specific roles within the MD-RISKS project, ensuring efficient tracking of risk items and actions in real-time.
Break down the medical device into its functions and sub-functions. Identify the performance requirements for each function, including regulatory, user, and safety needs. Create functional diagrams to visualize the system and identify any critical or life-supporting functions.
Utilize customizable templates within SoftComply Risk Manager Plus to document and analyze the functions and requirements of the medical device. This includes creating functional flow diagrams and specifying performance criteria, ensuring a comprehensive understanding of the device’s intended use and regulatory obligations.
Figure 4 - link medical device requirements and functions with risks directly in the Risk Manager Plus table in Jira
Case Study: The team uses SoftComply Risk Manager Plus templates to map the key functions of the implantable cardiac monitor, such as battery management and thermal regulation. They document device requirements in Jira and link them to the FMEA items, ensuring clear traceability from product requirements to risk items.
For every identified function, list all possible failure modes by considering how the function might fail. Use brainstorming sessions, historical data, complaints, and test results to ensure no potential failure modes are overlooked. Include failures related to hardware, software, processes, and user interactions.
SoftComply Risk Manager Plus facilitates the identification of potential failure modes by allowing users to document and categorize various ways in which each function might fail. The tool supports the inclusion of historical data, test results, and user feedback to ensure a thorough analysis.
Figure 5 - identify failure modes in the Risk Manager Plus table view in Jira
Case Study: In a workshop, the team identifies potential failure modes including battery overheating due to capacitor failure. Using SoftComply, they document these modes, their causes, and link historical incident data. The failure mode is entered as:
Determine the effects of each failure mode on the device, the patient, the user, or the environment. Evaluate both local effects within the device and broader system-level effects. Identify possible patient or user harms, ensuring a clinical perspective is applied.
SoftComply Risk Manager Plus enables you to assess and record the potential effects of each failure mode on the device, patient, user, or environment. By systematically evaluating these effects, you can prioritize risks based on their severity and impact.
Figure 6 - identify and assess potential effects of failure modes in the Risk Manager Plus table view in Jira
Case Study: The team records the effect of battery overheating as tissue damage and burns. In SoftComply Risk Manager Plus, they use the clinical impact matrix to assess the severity and document the clinical harms directly linked to the failure mode.
Analyze the root causes and mechanisms that could lead to each failure mode to explore potential errors in design, manufacturing, software, or user handling that might trigger the failure.
SoftComply Risk Manager Plus supports methodologies like cause-and-effect analysis, enabling a detailed examination of potential design flaws, manufacturing errors, or user interactions.
Figure 7 - describe the cause of each failure directly in the Risk Manager Plus table view in Jira
Case Study: The team determines that excessive charging cycles and software errors are the root causes. Using the built-in cause analysis feature in SoftComply Risk Manager Plus, the team documents these causes and identifies gaps in the current design and firmware.
Assign scores for severity, occurrence, and detection (if used) for each failure mode using the previously defined ranks. Calculate the Risk Priority Number (RPN) by multiplying the three scores. This step helps prioritize the most critical risks that require attention.
Risk Priority Number (RPN) is a numerical value used in Failure Modes and Effects Analysis (FMEA) to prioritize risks associated with potential failure modes in a product, process, or system. RPN is calculated using the following formula:
RPN = Severity × Occurrence × Detection
The software allows you to assign numerical values to the severity, occurrence, and detection of each failure mode, automatically calculating the Risk Priority Number (RPN). This quantifiable approach aids in prioritizing risks and determining the need for mitigation strategies.
Figure 8 - risk assessment with RPN in Risk Manager Plus in Jira
Case Study: The team assigns Severity 9, Occurrence 4, and Detection 5, resulting in an initial RPN of 180. They use Jira to link this risk to specific product requirements (PRD-55.3) and verification tests (VT-77) to ensure the risks are connected to validation activities.
Propose and document appropriate risk control measures to reduce the likelihood of occurrence or improve the detectability of the failure. Implement these measures through design modifications, additional controls, software updates, enhanced instructions for use, or user training.
SoftComply Risk Manager Plus enables you to propose and document risk control measures aimed at reducing the likelihood or improving the detectability of failure modes. You can track the implementation of these actions and assess their effectiveness within the same platform.
Figure 9 - add risk mitigation actions as Jira issue links to your risks directly in the table of Risk Manager Plus
Case Study: They assign a mitigation action to the Embedded Systems Engineers to add a firmware watchdog for thermal feedback. After implementing this action, the team updates the detection and occurrence scores in SoftComply, resulting in a residual RPN of 54, demonstrating effective risk reduction.
After applying the risk controls, recalculate the RPN to verify whether the residual risks fall within acceptable limits as defined in your risk management plan. Confirm that all mitigations have been properly verified and validated to ensure their effectiveness.
Figure 10 - residual risk assessment after risk mitigation
Case Study: Following implementation, the team reassesses the battery overheating risk and confirms that the residual RPN of 54 meets MediHeart’s risk acceptance criteria. All updates are logged within SoftComply Risk Manager Plus, ensuring full traceability.
Document all steps, findings, and decisions in the FMEA risk table and maintain it as a living document. Update the FMEA throughout the device lifecycle to reflect design changes, manufacturing improvements, or post-market surveillance data. Ensure that the FMEA is integrated into the overall risk management file and linked to design and validation records.
SoftComply Risk Manager Plus provides comprehensive documentation capabilities, allowing you to maintain detailed records of all FMEA activities. The tool supports reporting and traceability, ensuring that the FMEA remains up to date throughout the product lifecycle.
Figure 11 - traceability between risks, mitigation actions and test cases in the Risk Manager Plus table view in Jira
Case Study: The Quality team uses the reporting feature of SoftComply Risk Manager for Confluence to generate the FMEA Risk Table, Risk Model or Risk History Reports directly on Confluence pages.
These reports are then approved by relevant team members and used for the upcoming EU MDR audit and to maintain their ISO 13485-certified QMS. The FMEA remains updated throughout the product lifecycle, with post-market surveillance data linked back into the system.
Can you imagine handling the FMEA process manually or without an effective application, managing endless documents, coordinating across multiple departments, and keeping up with complex regulatory requirements? The risk of missing critical details, human error, and costly delays is high without a streamlined solution.
SoftComply Risk Manager Plus eliminates these challenges by simplifying the entire process, from identifying failure modes to documenting mitigation actions. With this tool, your team can work more efficiently, reduce the risk of compliance issues, and focus on what truly matters: ensuring the safety and quality of your medical devices.
Ready to see how it works in practice? Book a call or try it for FREE and start building a more compliant FMEA process today.
Marion Lepmets _SoftComply_
CEO
SoftComply
Munich, Dublin, Tallinn
3 accepted answers
0 comments