HFMEA & Risk Management in Medical Software Development
In one of our previous posts titled Quality Assurance, Testing and Compliance in Medical Device Development we have thoroughly explored the importance of safety and reliability regarding medical devices. We have also discussed the benefits of adequate QA processes, and how industry regulations and standards govern the requirements of both medical end products, and the processes used during their development.
In this article, we are going to focus on medical risk management in general and in accordance with ISO 14971 specifically, and the method of Healthcare Failure Mode and Effects Analysis. While the focus of this article is mainly medical software and software embedded in medical devices, the following processes may be applied to various types of medical devices (even hardware).
(Let us note that while project and business risks are also relevant and important factors, this article only discusses the management of functional risks involved in the development of medical software.)
Risks in medical development
As a fundamental practice of medical quality assurance, risk management (the identification, analysis and mitigation of all risks related to the development process, and to the end product itself) provides the following benefits:
- It can help save costs by avoiding delay and overhead in development & recalls and possible legal costs after the product has been released
- Risk management can also cut time to market by letting the developers prepare for certain failures early on & plan procedures to avoid these
- It helps ensure the reliability as well as the functional safety of your products, an aspect that is of crucial importance in safety-critical devices such as medical products that may have a direct effect on patients’ lives
- Finally, risk management helps you comply with relevant standards & regulations, which is often a prerequisite to entering the market.
One of the above mentioned standards, ISO 14971, is specifically targeted at risk management in relation to medical devices.
Risk management according to ISO 14971
ISO 14971 is an international standard that specifies requirements for manufacturers to identify the hazards associated with any medical device they are developing; to analyze these risks; to plan and carry out their reduction/mitigation; and to monitor the effectiveness of these controls (mitigation efforts). It also requires the assignment of risk management responsibilities, and residual risk analysis. Each of these aspects have to be thoroughly documented to provide evidence of adequate risk control processes.
As such, ISO 14971 specifies a similar process to the general risk management lifecycle that codeBeamer applies:
- Risk Identification
- Classification and Assessment
- Hazard Analysis
- Risk Reduction Plan
- Risk Mitigation Actions
- Documentation and Reporting
codeBeamer not only provides complete risk management functionality: its features can also be customized to suit your internal processes, and its advanced workflow engine also helps you enforce adequate processes. E-signatures may also be required so that certain steps may only be carried out by authorized individuals, and their signatures will be recorded with all the relevant data.
Thoroughly documenting each aspect manually would be a strenuous task, was it not for codeBeamer’s complete traceability features that provide a full history and complete change control for each and every work item. Custom reports can also be configured and exported in various MS Office formats (Word, Excel).
Healthcare Failure Mode and Effects Analysis (HFMEA)
Failure Mode and Effects Analysis (FMEA) is one of the most often used system reliability, safety engineering and risk management practices. As a general method, it’s widely used in various industries to identify risks (possible ways a product could malfunction), the causes of these hazards, and the appropriate control actions to mitigate these risks.
HFMEA is FMEA adapted to healthcare. Developed by the VA National Center for Patient Safety, this healthcare-specific method combines the detectability and criticality steps of general FMEA into a Decision Tree algorithm. In traditional FMEA, a Risk Priority Number (RPN) is calculated as a function of risk Severity, Occurrence (likelihood), and Detectability (which, as mentioned above, is taken out of the equation in HFMEA) – this healthcare-specific method replaces RPN with a hazard score that helps prioritize risks.
In addition to the Decision Tree which is practically a flow diagram, HFMEA also includes a graphical description of the process itself (which is basically a flowchart).
codeBeamer comes with a preconfigured FMEA template, complete with a workflow and a FMEA worksheet that includes all the relevant data and can be exported any time to MS Office. While a HFMEA process is not configured by default, these minor differences may be mapped and configured simply in codeBeamer ALM’s flexible system. Hazard Scoring Matrixes are represented as Risk Matrix Diagrams in codeBeamer, and workflows are visualized automatically. Enterprise Architect integration is also available for more sophisticated (UML) diagrams.
To learn more about medical risk management with codeBeamer, watch this recording of our webinar on 13 May 2015 titled Risk Management in Medical Device Development: