Risk Management: Hazard Analysis and FMEA
Hazard Analysis and Failure Mode and Effects Analysis (FMEA) are two tools used to manage
risk in the development of medical devices. Many people do not understand these tools and are
not aware that they are two separate and distinct tools. This insight report provides a
definition of each and explains the differences between Hazard Analysis and FMEA.
Formal risk management techniques were developed for the nuclear and defense industries in the
1940s. The petroleum and chemical process industries were among the first commercial
industries to adopt these techniques in the 1960s. In the 1980s the automotive industry joined
in. In 1990 the FDA first established risk management regulations and standards for the medical
devices industry.
DEFINITIONS
Hazard Analysis is a detailed qualitative examination of the device from the perspective of the
user. It considers the interface of the device with the user. It ignores the internals of the device
and what may happen inside the device to cause an external hazard.
FMEA is a detailed examination of each internal component. The FMEA considers how each
component might fail and the effect of each failure on system operation. A device is not
composed of independent parts; they are all linked. A device may be composed of electromechanical
mechanisms, sensors, control electronics and software, and failure of one component may lead to
other internal failures. The FMEA leads to the generation of a critical component list.
Hazard Analysis is a "top-down" approach while FMEA is a "bottom-up" approach. They are
complementary to each other and together constitute a risk management program. Each
document should be approved and controlled. The FMEA is more time consuming and requires
more sophisticated technical input than the hazard analysis. Typically the hazard analysis is
conducted early in the design process and updated as the design progresses. The FMEA is
conducted when details of the design are sufficiently firm, usually at the first prototype build, and
is then updated as the design progresses. Be aware that risk analysis is a basic requirement of the
FDA Design Control process, and these two tools are the usual means of satisfying it.
HAZARD ANALYSIS
The hazard analysis begins with a list of all possible hazards to the user that might occur
(initially no consideration is given to the probability of each event happening). It is helpful to
distinguish between a hazard and the effect of a hazard; for example, a hazard would be "exposed
wiring" and the effect of the hazard would be "electrical shock". The hazard analysis is usually
presented in table form for easier reading.
Next the possible cause or causes of each hazard are identified. Each hazard could have multiple
causes. For example, consider an IV bag. A possible hazard is the IV bag falling. Possible causes
are:
1. IV stand imbalance
3. Bag failure
At this point causes are kept general. Specific design elements are not identified.
Responses for each cause are now identified in as much detail as needed to provide direction to
the design team. For example, for cause 1 above the response might be: increase the stand base
diameter.
A simple hazard analysis could end at this point. For a complex system further analysis is usually
conducted. Probability of occurrence and severity of the hazard are factored into the analysis.
Probabilities are divided into several categories from frequent to improbable, and severities are
also divided into categories from catastrophic to negligible. Each hazard is assigned an
identification number, a probability ranking and a severity ranking. A table is created with
the probability categories in the leftmost column and the severities in the top row. Each hazard
identification number is placed in the cell of the table determined by its two rankings.
This table gives a visual method to determine which hazards require corrective action and helps
to determine the priorities of corrective action. See the example table below. Hazard 4 can probably
be addressed by means of a warning label, while hazard 3 definitely requires re-design work.
Hazard 3 would be fixed before hazard 1.
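The matrix described above, as an added worked example that is not part of the original report. The end-points of the two category lists (frequent to improbable, catastrophic to negligible) come from the text; the intermediate category names, the action policy per region of the matrix, and the four sample hazards are assumptions made for this example. The sample hazards are constructed so that the outcomes match the text (hazard 4 gets a label, hazard 3 gets redesigned and is fixed before hazard 1).

```python
# Added example: probability/severity matrix for a hazard analysis.
# Not from the original report; category names beyond the end-points, the
# zone boundaries and the sample hazards are assumptions for illustration.

PROBABILITY = ["frequent", "probable", "occasional", "remote", "improbable"]  # rows, worst first
SEVERITY = ["catastrophic", "critical", "marginal", "negligible"]             # columns, worst first


def cell(hazard):
    """Row/column index of a hazard in the matrix; (0, 0) is the worst corner."""
    try:
        return PROBABILITY.index(hazard["probability"]), SEVERITY.index(hazard["severity"])
    except ValueError:
        raise ValueError(f"hazard {hazard['id']}: category not in the defined lists") from None


def zone(hazard):
    """Assumed action policy by matrix region: cells next to the worst corner need
    redesign, cells next to the best corner can be handled by a warning label,
    everything in between needs engineering review."""
    p, s = cell(hazard)
    if p + s <= 2:
        return "redesign"
    if p + s >= 6:
        return "label"
    return "review"


def build_matrix(hazards):
    """Return dict[(probability, severity)] -> list of hazard ids, i.e. the text's table."""
    grid = {}
    for h in hazards:
        cell(h)  # validates both categories before the hazard is placed
        grid.setdefault((h["probability"], h["severity"]), []).append(h["id"])
    return grid


def prioritize(hazards):
    """Order corrective actions: worst cell first, higher severity breaking ties, then id."""
    return [h["id"] for h in sorted(hazards, key=lambda h: (sum(cell(h)), cell(h)[1], h["id"]))]


def render(hazards):
    """Plain-text rendering: probabilities down the left, severities across the top."""
    grid = build_matrix(hazards)
    width = 13
    lines = [" " * width + "".join(s.ljust(width) for s in SEVERITY)]
    for p in PROBABILITY:
        row = p.ljust(width)
        for s in SEVERITY:
            ids = ",".join(str(i) for i in grid.get((p, s), []))
            row += (ids or "-").ljust(width)
        lines.append(row)
    return "\n".join(lines)


# Constructed sample hazards (not from the report) for a hypothetical infusion setup.
HAZARDS = [
    {"id": 1, "hazard": "exposed wiring", "effect": "electrical shock",
     "probability": "remote", "severity": "critical"},
    {"id": 2, "hazard": "IV bag falling", "effect": "interrupted therapy",
     "probability": "occasional", "severity": "marginal"},
    {"id": 3, "hazard": "pump runaway", "effect": "overdose",
     "probability": "probable", "severity": "catastrophic"},
    {"id": 4, "hazard": "sharp housing edge", "effect": "minor cut",
     "probability": "remote", "severity": "negligible"},
]

if __name__ == "__main__":
    print(render(HAZARDS))
    for h in HAZARDS:
        print(f"hazard {h['id']}: {h['hazard']:20} -> {zone(h)}")
    print("fix order:", prioritize(HAZARDS))
```

The sort key in `prioritize` is deliberately simple (row index plus column index); a real program would usually define the priority order cell by cell, but the point is that the ordering and the action policy are written down once and applied uniformly to every hazard on the list.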
FMEA
FMEA is generally presented in a table that shows each component's failure mode, its cause,
and the corresponding effects. A component failure can cause a linked component or subsystem
to fail. From the FMEA (or included as part of it), methods to control or indicate failures can be
developed. Design changes may be made to eliminate a failure, or alarms might be included in
the design. A sample table is shown below:
There is another method of performing an FMEA in which each failure is scored on three
factors: chance of occurrence, chance of detection (scored high when the failure is hard to
detect), and severity of the incident if it occurred. Each score is ranked on a 1-10 basis with 10
being the worst condition and 1 the best. The three scores for each failure are then multiplied to
give a single risk priority number for that component failure, with the highest possible score
being 1000 (10x10x10) and the lowest 1 (1x1x1). The group conducting the FMEA chooses a
threshold below which they consider the potential risk of the failure minimal, usually around 100.
Any score above that threshold must be addressed to reduce the risk, i.e. by redesign, by alarms,
or, if no fix is available, by additional warnings on the device, on the label or in the user manual.
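The scored FMEA just described, as an added worked example that is not from the original report. The three-factor 1-10 scoring, the multiplication and the threshold of about 100 follow the text; the decision policy in `recommend` (redesign, then alarm, then warning, in the text's order of preference), the effect assumed for adding an alarm, and the sample failure modes for a hypothetical infusion pump are assumptions made for this example.

```python
# Added example: FMEA with a multiplied occurrence x severity x detection score.
# Not from the original report; the sample rows, the decision policy and the
# effect of an alarm on the detection score are assumptions for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FailureMode:
    component: str
    failure: str
    cause: str
    effect: str
    occurrence: int   # 1 = very unlikely .. 10 = almost certain
    severity: int     # 1 = negligible .. 10 = catastrophic
    detection: int    # 1 = always caught before harm .. 10 = cannot be detected


THRESHOLD = 100  # the "around 100" team threshold from the text (assumed here)


def rpn(fm: FailureMode) -> int:
    """Risk priority number: occurrence x severity x detection, range 1..1000.
    Each factor is validated, because an out-of-range score (0, 11, a float)
    silently distorts the product and the ranking built on it."""
    for name in ("occurrence", "severity", "detection"):
        v = getattr(fm, name)
        if not isinstance(v, int) or not 1 <= v <= 10:
            raise ValueError(f"{fm.component}: {name}={v!r} is not an integer in 1..10")
    return fm.occurrence * fm.severity * fm.detection


def recommend(fm: FailureMode, threshold: int = THRESHOLD) -> str:
    """Assumed policy following the text's order: redesign, alarms, then warnings."""
    if rpn(fm) <= threshold:
        return "accept"
    if fm.severity >= 9:          # catastrophic outcome: remove the cause
        return "redesign"
    if fm.detection >= 6:         # failure is hard to notice: make it visible
        return "alarm"
    return "warning"              # no better fix: label / user manual


def add_alarm(fm: FailureMode, new_detection: int = 2) -> FailureMode:
    """Model an alarm as a mitigation: it lowers only the detection score,
    leaving occurrence and severity untouched (assumed new score of 2)."""
    return replace(fm, detection=new_detection)


def report(failures, threshold: int = THRESHOLD):
    """(component, failure, score, action) rows, highest score first."""
    rows = [(fm.component, fm.failure, rpn(fm), recommend(fm, threshold)) for fm in failures]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample rows (not from the report) for a hypothetical infusion pump.
FAILURES = [
    FailureMode("occlusion sensor", "stuck reading 'clear'", "cracked solder joint",
                "line occlusion not detected, no drug delivered", 3, 8, 7),
    FailureMode("drive motor", "runs at wrong speed", "encoder dropout",
                "over- or under-infusion", 4, 9, 3),
    FailureMode("battery", "early shutdown", "cell ageing",
                "therapy interruption", 6, 5, 2),
]

if __name__ == "__main__":
    for component, failure, score, action in report(FAILURES):
        print(f"{component:18} {failure:24} score={score:4d} -> {action}")
    fixed = add_alarm(FAILURES[0])
    print(f"after alarm: {fixed.component} score={rpn(fixed)} -> {recommend(fixed)}")
```

Re-scoring after a proposed mitigation, as `add_alarm` does, is the step that turns the table into a working document: the occlusion sensor row starts at 168 and drops below the threshold once an alarm makes the failure detectable, whereas the motor row stays above it until the cause itself is designed out.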
The FMEA and the Hazard Analysis are two tools that must be made part of the process of any
firm developing new products. They have become an expected part of any device release, and a
fully documented FMEA and Hazard Analysis can only reduce problems down the road.