Why FMEA is Not ISO 14971 Risk Management

June 12, 2024

Failure mode effects analysis (FMEA) is a popular tool for identifying the possible failures in the design of a product or process. FMEA is an industry-agnostic engineering method, and while that makes it widely applicable, it also means that for some unique industries like MedTech, it isn’t the ideal risk management tool. 

Here’s how the American Society for Quality (ASQ) defines FMEA: “a step-by-step approach for identifying all possible failures in a design, a manufacturing or assembly process, or a product or service.”

However, in MedTech, the standard for risk management is ISO 14971:2019, Application of risk management to medical devices. ISO 14971 defines risk management as “the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk.”

In this article, I want to take a closer look at the differences between the two and show you why FMEA (while still a useful tool) does not work as a substitute for ISO 14971.

What's the difference between FMEA and ISO 14971?

The ISO 14971 risk management approach is built on identifying hazards (potential source of harm) and hazardous situations (circumstance in which people, property, or the environment are exposed to one or more hazard(s)). Once you’ve identified them, you must also estimate the severity of potential harms resulting from the hazards and hazardous situations, as well as the probability that those harms will occur. Severity of harm and probability of occurrence are what define risk.

FMEA is different in both its scope and purpose. The basis of FMEA is identifying failure modes. However, the risks inherent in medical devices are not solely a function of failure. A medical device might never exhibit a failure mode, yet it may still have risks. 

And while FMEA is a very good tool and can be extremely helpful for design and development teams evaluating the materials, components, and subassemblies that make up medical devices, it’s more a tool for establishing reliability than it is a risk management system.

What's the confusion between FMEA and risk management according to ISO 14971:2019?

A lot of the misunderstanding about these two methods comes from their similarities, especially in the language we use to describe them. 

FMEA uses terms like failure modes, effects of failure, severity, causes of failure, occurrence, process controls, detectability, risk priority number, and recommended actions.

ISO 14971 Risk Management uses terms like risk, hazards, hazardous situations, harm, severity, probability of occurrence, risk acceptability, and risk controls.

And “hazards and hazardous situations” do seem pretty similar to “failure modes.” “Harm” seems similar to “effects of failure.” And “risk acceptability” sounds similar to “risk priority number.” When you look at it from that standpoint, it’s easy to see how someone who is used to using FMEA would try to make that tool work for their medical device risk management.

The problem is that using FMEA will not bring you into compliance with ISO 14971:2019. And for a medical device company, that’s going to cause a lot of problems down the road.

The MedTech regulatory world has embraced risk management according to ISO 14971:2019

There really isn’t any ambiguity in what regulatory bodies believe you should be using when it comes to medical device risk management. Previous versions of ISO 14971 were harmonized years ago by most regulatory bodies, including FDA, Health Canada, and the EU’s Competent Authority. The 2019 version of the standard is also recognized as a consensus standard by FDA, meaning FDA will accept a declaration of conformity to that standard. 

In other words, it is expected that you will be using the risk management framework laid out in ISO 14971:2019 to manage risk throughout the lifecycle of your medical device. If you try to make FMEA do the same job, you’re going to struggle to meet regulatory expectations and that will lead to trouble during audits and inspections—no matter what market you’re in.

What is the risk management system according to ISO 14971?

The risk management system in ISO 14971:2019 is a multi-step process that must include: 

  • Risk management planning
  • Risk analysis
  • Risk evaluation
  • Risk controls
  • Overall residual risk acceptability
  • Risk management review
  • Risk management file
  • Production/post-production information

Here’s how it looks visually:

[Figure: the ISO 14971 risk management process]

When it’s laid out this way, it’s hard not to see how risk management according to ISO 14971 differs from FMEA. ISO 14971 is describing an entire system that is intended to be applied throughout the entire medical device lifecycle and not just during the design of the device.

Can you use FMEA with ISO 14971?

The short answer is, yes. While you do need to follow ISO 14971:2019 for your approach to risk management, that doesn’t mean you can’t also use FMEA. In fact, using FMEA during the design and development of your device will help you build a product that operates as it should and very rarely fails. 

If we take a look at ISO/TR 24971:2020, Guidance on the Application of 14971, we’ll find that Annex B covers “techniques that support risk analysis.” One of the techniques included in that Annex is FMEA, along with other tools like:

  • Fault Tree Analysis (FTA)
  • Preliminary Hazard Analysis (PHA)
  • Hazard and Operability Study (HAZOP)
  • Hazard Analysis and Critical Control Point (HACCP)

ISO/TR 24971 tells us that “these techniques are complementary, and it can be necessary to use more than one of them in order to support a thorough and complete risk analysis.”

In other words, you do need to follow the risk management system laid out by ISO 14971:2019. You don’t have to do FMEA, but it could be very helpful as you’re designing your device. At the end of the day, these are similar and complementary methods for building safe and effective medical devices, but one of them is more comprehensive and required by regulations.

With Greenlight Guru, you get effortless compliance with ISO 14971:2019

If it sounds like becoming compliant with ISO 14971:2019 will be a big lift, there’s no need to worry. Having the standard on hand and referring to it as you’re building out your processes will actually make risk management much easier. This standard was made specifically for medical device companies just like yours. 

So it only makes sense that you’d want a quality management system (QMS) that’s also purpose-built for medical device companies. At Greenlight Guru, we created our QMS software with only one industry in mind: MedTech. And that means you’ll be getting a system that integrates risk throughout the entire product lifecycle, with built-in compliance to standards like ISO 14971:2019 and ISO 13485:2019.

It’s never been easier to stay compliant and build the safest, most effective medical devices possible.

Etienne Nichols is a Medical Device Guru and Mechanical Engineer who loves learning and teaching how systems work together. He has both manufacturing and product development experience, even aiding in the development of combination drug-delivery devices, from startup to Fortune 500 companies and holds a Project...
