For software hazard analysis, the traceability matrix is required by the FDA but it is not typically called a hazard traceability matrix (but it is one). For human factors, the use-related risk analysis (URRA) needs to include traceability to your risk controls and the hazards. For other types of risk analysis, you also need traceability.
Thank you very much for your great explanation. I had a question in mind and that was why I started to search for the answer and saw your videos. My question is , if my identified risk had more than one harm (for example physical harm for user and physical harm for internal parts of device), should I consider each harm separately and analyse the severity and probability of each harm separately?
You should identify each hazard separately in your risk analysis. For each harm you will estimate severity and probability. Many times companies will only focus on the most severe harm or most severe risk. However, when risk controls are implemented, the probability can change, and in post-market surveillance, we find that our original estimated harms and probabilities might not be accurate. If we limited our estimation of harm and probability to only one possible harm or hazardous situation, we might find out later that our risk analysis is missing critical residual risks that need to be disclosed to users and patients.
That's a great point. You need separate documentation for RF wireless coexistence testing. The FDA is not requiring a different format for the risk analysis. Therefore, a design FMEA can be used for the RF wireless functionality and it can be included in your overall device risk analysis. However, the FDA requires specific risks to be addressed in your risk analysis and specific verification testing and labeling requirements associated with the wireless functionality. The same comments apply to EMC testing, but only in the case of software and human factors is the FDA requiring that risks be documented differently (i.e., without the probability of occurrence).
ISO 14971 is the standard used for risk management of medical devices. It includes process risk analysis, design risk analysis, and other types of risk analysis. However, it is a risk management standard and covers much more than just the risk analysis. It covers the entire product lifecycle. For more detailed help on process risk analysis you might get more useful information from resources specific to the FMEA process. This process was developed in the 1940s and it is used by aerospace and automotive companies to analyze risks associated with failure modes that occur with each component you manufacture and/or assemble. The pFMEA tool typically has 3 factors (S = severity, O = occurrence, and D = detectability). Detectability is specific to detection of defects during manufacturing or assembly (i.e., proactive detection), and it should not be used for detecting that a device is hot, or sharp, by the user. Ideally your method of detection is automated and validated (e.g., automated vision system inspection).
Great talk. I can't think of any as big as those 4.
Hi, thanks for the information. What about a hazard traceability matrix?
For software hazard analysis, the traceability matrix is required by the FDA but it is not typically called a hazard traceability matrix (but it is one). For human factors, the use-related risk analysis (URRA) needs to include traceability to your risk controls and the hazards. For other types of risk analysis, you also need traceability.
Thank you very much for your great explanation.
I had a question in mind and that was why I started to search for the answer and saw your videos. My question is , if my identified risk had more than one harm (for example physical harm for user and physical harm for internal parts of device), should I consider each harm separately and analyse the severity and probability of each harm separately?
You should identify each hazard separately in your risk analysis. For each harm you will estimate severity and probability. Many times companies will only focus on the most severe harm or most severe risk. However, when risk controls are implemented, the probability can change, and in post-market surveillance, we find that our original estimated harms and probabilities might not be accurate. If we limited our estimation of harm and probability to only one possible harm or hazardous situation, we might find out later that our risk analysis is missing critical residual risks that need to be disclosed to users and patients.
Thanks jamal
You're welcome.
Connected medical devices will require security risk analysis to be done and documented....
That's a great point. You need separate documentation for RF wireless coexistence testing. The FDA is not requiring a different format for the risk analysis. Therefore, a design FMEA can be used for the RF wireless functionality and it can be included in your overall device risk analysis. However, the FDA requires specific risks to be addressed in your risk analysis and specific verification testing and labeling requirements associated with the wireless functionality. The same comments apply to EMC testing, but only in the case of software and human factors is the FDA requiring that risks be documented differently (i.e., without the probability of occurrence).
ISO 14971 could help me to Identify Risks in medical devices manufacturing process or it is only For products?
ISO 14971 is the standard used for risk management of medical devices. It includes process risk analysis, design risk analysis, and other types of risk analysis. However, it is a risk management standard and covers much more than just the risk analysis. It covers the entire product lifecycle. For more detailed help on process risk analysis you might get more useful information from resources specific to the FMEA process. This process was developed in the 1940s and it is used by aerospace and automotive companies to analyze risks associated with failure modes that occur with each component you manufacture and/or assemble. The pFMEA tool typically has 3 factors (S = severity, O = occurrence, and D = detectability). Detectability is specific to detection of defects during manufacturing or assembly (i.e., proactive detection), and it should not be used for detecting that a device is hot, or sharp, by the user. Ideally your method of detection is automated and validated (e.g., automated vision system inspection).
Thank you..
You're welcome