FMEA in medical devices can work better when mated with ISO 14971

Failure Mode and Effects Analysis (FMEA) is a core aspect of risk management and risk analysis in medical devices. FMEA is essentially about analyzing the reasons for which a problem arises and the effects it has on the system. In the field of medical devices, it is absolutely critical to understand the failure mode and effects because the consequences of not doing this can be disastrous and many times, even fatal.

Required, but not clear about the steps

The FDA only broadly states that risk management has to be built into the manufacturing process. This leaves medical device manufacturers in a kind of quandary, because although the FDA is clear about the requirement for risk management, there is no clear-cut guideline on how this needs to be carried out. This leaves the implementation of FMEA in medical devices at the discretion of the medical device company.

The FDA’s Final Rule on cGMP Quality System Regulation (QSR) is, to quote its own words, “less prescriptive and gives the manufacturer the flexibility to determine the controls that are necessary to be commensurate with risk”. In other words, there is no specific guideline on risk management that medical device manufacturers can use to decide the ways and processes of implementing risk management. The guideline is all the more vague about risk analysis approaches and procedures like FMEA.

Complementarity with ISO 14971

Since the guidelines on medical devices FMEA are rather general, medical device companies that implement FMEA have to go by a buzzword: implementing FMEA at every level. In this regard, they can work complementarily with ISO 14971, whose guidelines relate to risk management.


Understanding Medical Device inspection

A medical device inspection is one of the most important activities the FDA carries out to determine that a device meets the requisite regulatory standards for ensuring safety and effectiveness. It is a core GMP activity and hence covers all medical devices ranging from the smallest to complex ones such as MRIs.

Rationale for the medical device inspection regime

The medical device inspection process is built on the logic that methods are not to be considered the criterion for evaluating and inspecting a medical device. This is because many methods can be used to arrive at the same product, due to which the choice of the best option is left to the manufacturer. Given this fact, the FDA medical device inspection concept is aimed at inspecting the device’s Quality System Regulations (QSR)-mandated objectives, which are a more precise parameter for medical device inspection.

What are manufacturers expected to demonstrate to a medical device inspection?

A medical device inspection is done to ensure that the device meets set safety, efficiency and intended use standards, while being compliant with regulatory requirements. During the medical device inspection, manufacturers have to demonstrate that the method they have chosen to use (since there can be varied methods for arriving at a medical device specification) is helpful in arriving at the product while meeting the prescribed regulatory compliance requirements. They should defend the methods they have used in ensuring regulatory compliance requirements.

Need not meet all GMP requirements

One major factor that the FDA keeps in mind for a medical device inspection is that manufacturers are not required to show compliance with each and every Quality System (QS) or GMP section. Only those that are relevant to that device need be shown, but manufacturers should be able to show which sections of the GMP or QS are relevant to the said device, and should also show how these have been used to arrive at a product that is compliant in terms of regulatory requirements.

Factors a medical device inspection takes into consideration

During a medical device inspection, the FDA inspectors keep in mind a few factors that help them determine the efficiency and effectiveness of a medical device. Some of the important ones among these include:

  • Has the manufacturer documented the processes in the right format? Has everything related to it been written down?
  • Is the manufacturer complying with those processes?
  • Is there sufficient evidence that these are adequate?


Other issues for a medical device inspection

The FDA does a medical device inspection keeping these factors in mind while also weighing other issues such as the size of the medical device manufacturing firm, the complexity of the device under inspection, and the nature and gravity of risk a device that does not meet its intended specifications poses.

Compliance4All blog page reaches 200+ followers successfully in super quick time!

Compliance4All, a Fremont, CA-based leading provider of compliance related trainings for professionals in the areas of regulatory compliance, has once again proved why it is such a popular hit with its community!

The blog it started has already touched a follower base of over 200. That it has reached this milestone despite being aimed at a niche, very narrowly focused community of qualified and educated professionals speaks a lot about its popularity. This should be considered no small feat!


But then, pulling aces from its sleeve is second nature for Compliance4All. Committed to offering high class regulatory compliance trainings for regulatory professionals in a very engaging and value-providing manner, Compliance4All has gone on to become a reliable source of knowledge sharing among regulatory professionals around the globe.

Compliance4All is a provider of valuable courses that carry a double benefit: they cater to the exact professional needs of regulatory professionals by supplying them the latest in terms of regulatory updates, best practices and technologies, and they do so at prices that are appreciably lower than those offered by most other such providers.

Compliance4All is an important aid for regulatory professionals in helping them meet challenges in their professions. It has demonstrated its popularity time and again, and this milestone of reaching over 200 followers in next to no time is only another feather in its cap. Heartfelt thanks from Compliance4All to all our patrons! We look forward to serving you for a lot more time to come in the future, just as we have been doing so till now. Cheers!

Advanced Process Control is Rooted in Regulatory Process Control

Organizations in any industry involving process control have to implement advanced process control mechanisms for maximizing return on investment (ROI). Maximization of ROI is a very important objective of any industry involving plant management, and the key to realizing it is putting the right regulatory process control in place. No external activity, such as buying the most sophisticated control equipment or loading systems with the most advanced software, is going to be of any use unless the organization gets its regulatory process control right.

An understanding of regulatory process control

Regulatory process control is the means of monitoring and controlling the process of transforming raw materials and other inputs into final products. Since there is no clearly laid out, authoritative regulation concerning process control in the generalized sense, organizations have to rely on established best practices and principles to arrive at optimal regulatory process control. The proportional-integral-derivative controller (PID controller) exists, but this is more a mechanism than a standard.


So, meeting stringent quality standards involves the application of many highly scientific and precise steps and processes. It involves the use of tightly controlled techniques, into which a hierarchy of well-defined functions and responsibilities consisting of people, facilities and systems has to be instilled from management.

The basis to all this, as we have seen, has to be a regulatory process control system in which people and systems harmonize their functions.

General principles for regulatory process control

An organization needs to put in a user-ready systems infrastructure which personnel having the requisite qualifications and experience should be able to start using straightaway. A faulty or inaccurate regulatory process control mechanism or strategy will impede this, leading to suboptimal control.

The same principles of regulatory process control apply to control system testing as well. This is a process in which the organization uses established documentation techniques to record data relating to problems that could occur at any stage of the regulatory process control.

Types of regulatory process controls

Two kinds of controls are often cited in regulatory process control: feedback and feedforward. These are usually implemented in tandem. In short, feedback control is the regulatory process control that is configured for control schemes such as the ratio, selective, cascade, and certain other kinds of control schemes, all of which are related to a common reference point called the setpoint. Any deviation from the setpoint should lead to remedial action by the person in charge of system control.

On the other hand, feedforward regulatory process control is a preventive step in which a load disturbance is measured and a corrective measure of dynamically compensating the disturbance is implemented beforehand.

Purpose of regulatory process control

The essential role of regulatory process control is to bring down any unacceptable variability in a control system that is subject to changing and often volatile conditions. In the absence of an effective regulatory control system, each succeeding operation unit has the potential to cause an amount of variation, however small or big, which can pile up throughout the process to eventually impact the quality and cost of the product. Regulatory process control aims to address this by introducing analytical and corrective measures at every stage of the control process.

Principles of FDA requirements for medical devices

The FDA has some clear-cut requirements that those manufacturing medical devices have to meet in order to get their products approved. FDA requirements for medical devices cover regulations for these devices, based on the way they are classified, and for meeting set regulatory guidelines.

The FDA classifies medical devices according to the extent of their use and the potential they have for causing risk. FDA requirements for medical devices are based on this classification. This is how the FDA classifies medical devices:


Class I: These devices are considered least complicated in terms of their use, design and potential harm. This is why FDA requirements for medical devices are minimal, since their failure is likely to result in the least risk to the user. Examples of Class I medical devices are plasters and dressing kits. According to the FDA, 47 percent of all medical devices are grouped into Class I.

Class II: FDA requirements for medical devices for Class II devices are based on the nature of these devices, which are considered slightly more complicated than Class I medical devices and have the potential to cause slightly higher injury in the case of failure. 43 percent of all FDA-approved devices fall in this category, whose examples could include test kits and wheelchairs.

Class III: Class III medical devices are those that are serious in the nature of their risk. These devices also carry the highest level of use for the user. Constituting barely a tenth of all medical devices, Class III medical devices could include life supporting systems such as pacemakers.

An important aspect of FDA requirements for medical devices is that a marketing application has to be submitted by the device’s makers if they have to get approval for marketing the device. FDA requirements for medical devices exempt many kinds of devices from this submission, but require their makers to be subject to the usual controls that are part of FDA requirements for medical devices.

General FDA requirements for medical devices

All medical devices from any manufacturer have to satisfy the following criteria to get approved:


Criteria for FDA requirements for medical devices

The FDA has a few criteria that manufacturers of medical devices have to meet in order to have their medical devices approved:

  • 510 (K): FDA requirements for medical devices include the 510 (K) submission, which is a submission that medical device manufacturers have to make to declare that their device is at least as safe as any other device in its category already in the market, or what is called Substantially Equivalent (SE).
  • Premarket approval: The PMA is a request that a manufacturer makes to the FDA, by which it asks for clearance from the FDA to market a new Class III device or to continue to market an existing one in the same category.
  • Investigational Device Exemption: An IDE is a mechanism by which the manufacturer of an investigational device is allowed permission to use effectiveness and safety data that can be used for making either a 510(K) submission or a PMA application to the FDA.
  • Good Manufacturing Practices: FDA requirements for medical devices include GMP requirements to be met in all the areas of manufacture in accordance with the principles laid out in a Quality System (QS), such as designing, manufacturing, labelling, storing, installation and servicing of finished products.

FDA steps up efforts at bringing about medical device cyber security

It is a disturbing, but true fact that medical devices are hacked. Medical devices have inbuilt software, and hackers try to breach this. Medical device cyber security is thus critical, because lack of it can bring harm to patients who use medical devices that come with software built into them.

An important factor that makes medical devices vulnerable to cyberattacks, thus triggering and hastening the need for medical device cyber security, is that many times, medical devices are not standalone devices. They are connected via the Net to a number of important sources such as hospitals, electronic records and healthcare providers.

This fact makes it easier for hackers to carry out cyberattacks on medical devices because it is not necessary for them to actually have access to the device to carry out their breach. All these factors combine to make medical device cyber security a much needed system.

The FDA guideline of June 2013:

Keeping in mind the nature of fallibilities in a medical device, the FDA, with the intention of bringing about medical device cyber security, passed the draft guideline on this topic in mid-2013. Titled the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, this guideline sought to address the issue of medical device cyber security by making an attempt at identifying the issue from its root.

That is, this guideline on medical device cyber security sets out security checks and procedures that manufacturers of medical devices have to put in place right from the earliest stages of manufacture, going all the way up to the time the device is implanted in or used by the patient.


The main intention of this FDA medical device cyber security guideline is to offer recommendations that medical device manufacturers need to take to reduce the intentional or unintentional risk of an attack on a medical device. This FDA guideline seeks to enforce medical device cyber security by ensuring that the manufacturers take steps to secure medical devices by clearly defining medical device cyber security.

Terms clearly defined

The FDA defines medical device cyber security as steps taken to prevent any of these:

  • Unauthorized modification
  • Misuse of the device
  • Denying the use of the device
  • Unauthorized use of the information that is stored in these devices. This relates to the information stored, accessed and modified when the device is transferred from one source to another

Documentation is at the heart of ensuring medical device cyber security

Towards ensuring medical device cyber security as defined by it, this FDA guideline requires manufacturers to monitor and document all the aspects of medical device cyber security at all stages. Medical device manufacturers should bring about medical device cyber security by developing a set of controls in three vital areas:

  • Firstly, medical device manufacturers should take steps to permit only authorized personnel into the software of the medical device
  • Medical device manufacturers should also ensure medical device cyber security by filling only relevant and accurate data into the device
  • They should also ensure that data is available when asked for

Controls, controls, controls

A very important aspect of medical device cyber security that the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices brings about is that it requires medical device manufacturers to monitor and document all the possible potential for medical device cyber security breach from the design stage itself.

Medical device manufacturers also have to bring to the notice of the FDA whenever they make changes related to security at the premarket notification stage. It seeks to fortify medical device cyber security by requiring medical device manufacturers to provide information relating to medical device cyber security by submitting data related to the following:


Biocompatibility testing and evaluations for medical devices

Biocompatibility testing and evaluations for medical devices is a vital component of patient safety, for it is the only effective means of ensuring that a medical device or any related material, when it happens to come into contact with the patient’s body, not only performs its intended purpose and function but also does not result in adverse reactions for the patient.


When medical devices and/or materials come into contact with the patient’s body, they can cause problems or what may be termed adverse effects that can be either short-term or long-term adverse effects to the body. These effects, called acute to chronic, can result in mutagenic effects. It is to prevent the occurrence of such events that biocompatibility testing and evaluations for medical devices has to be carried out.

These evaluations for biocompatibility of medical devices are done to evaluate the interaction between a device and anything it comes into contact with within the patient’s body, such as cells, tissue or body fluids. Essentially, device biocompatibility is assessed to prevent biological risks from happening to the patient.


ISO standard for biocompatibility testing and evaluations for medical devices

The International Standards Organization (ISO) has a specific standard for carrying out and ensuring biocompatibility testing and evaluations for medical devices. It is called ISO 10993-1: 2009, and makes biological evaluation part of a structured biological evaluation program that comes under a risk management process. All these are carried out in accordance with ISO 14971.

ISO 10993-1, Biological Evaluation of Medical Devices – Part 1

The basis for biocompatibility testing and evaluations for medical devices is the Risk Management Process. This is the most prevalent standard for assessing biocompatibility testing and making evaluations for medical devices. In requiring biocompatibility testing and evaluations for medical devices to be conducted in compliance with Principles of Good Laboratory Practice (GLP) and/or ISO/IEC 17025, and requiring the consideration of evaluation of local and systemic risk factors, the ISO 10993-1 is considered the basis for determining the subsequent, necessary biocompatibility testing and evaluations for medical devices.

What factors are tested?

In line with the principles set out in ISO 10993-1: 2009 on biocompatibility testing and evaluations for medical devices, specific testing is prescribed based on two factors: a) the type and the intended use of a medical device or related material, and b) the kind, tenure and extent of contact the medical device makes with the body.

ISO 10993-1: 2009 on biocompatibility testing and evaluations for medical devices requires assessment to be made for the following among others:

  • Cytotoxicity
  • Genotoxicity
  • Sub chronic toxicity
  • Sensitization
  • Irritation or intra-cutaneous reactivity
  • Implantation
  • Haemocompatibility
  • Systemic toxicity, etc.
