Why FMEA is Not ISO 14971 Risk Management

March 10, 2016


If you are still using FMEA as your methodology to capture medical device risk management activities, then your risk management process is out of date.

And you might be asking why you need to abandon FMEA as the risk management tool of choice.

Let me tell you why.

Here is the definition of “risk management” as defined in ISO 14971.

Risk Management – systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk.

And to be fair, I’ll also share with you a definition / description of FMEA from ASQ.

Failure Modes and Effects Analysis (FMEA) is a step-by-step approach for identifying all possible failures in a design, a manufacturing or assembly process, or a product or service.

Risk Management needs to be systematic. Risk Management considers the use of a medical device, both correct and incorrect use.


The basis of Risk Management is built on identifying hazards (potential source of harm) and hazardous situations (circumstance in which people, property, or the environment are exposed to one or more hazard(s)).

Once these are identified, the severity of each potential harm resulting from a hazard or hazardous situation is estimated. The probability of occurrence of each harm is also estimated.

And the estimation of severity of harm and probability of occurrence of harm is what defines RISK.

FMEA is slightly different in its scope and purpose. The basis of FMEA is identifying failure modes. Right off the bat, the FMEA tool is only about failure.

Medical device risks are NOT solely a function of failure.

A medical device might never exhibit a failure mode yet still have risks.

Don’t mishear me.

FMEA is a very good tool and can be extremely helpful for design and development teams while evaluating materials, components, and sub-assemblies comprising medical devices.

But FMEA is more of a reliability tool rather than a risk management system.
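To make the difference concrete, here is an added example (not code from the post or from Greenlight Guru) that models one ISO 14971 line item as hazard, hazardous situation and harm with a severity and probability, next to one FMEA row scored as severity x occurrence x detection. The three-level scales, the acceptability rule and the sample device entries are assumptions constructed for this illustration, not values taken from ISO 14971. The point the code shows is the one made above: two of the three constructed entries have no failure mode at all, so an FMEA has no row to put them in, yet one of them is the highest risk in the file.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


# Three-level scales, following the post's tip to keep severity, probability
# and risk levels simple. Level names are assumptions for this example.
class Severity(IntEnum):
    MINOR = 1
    SERIOUS = 2
    CRITICAL = 3


class Probability(IntEnum):
    REMOTE = 1
    OCCASIONAL = 2
    FREQUENT = 3


@dataclass(frozen=True)
class HazardousSituation:
    """One ISO 14971 line item: hazard -> hazardous situation -> harm."""
    hazard: str                 # potential source of harm
    situation: str              # circumstance in which people are exposed to the hazard
    harm: str                   # injury or damage that can result
    severity: Severity          # severity of that harm
    probability: Probability    # probability that the harm occurs
    failure_mode: Optional[str] = None  # None: arises in correct use, nothing fails

    def risk_score(self) -> int:
        # Risk is the combination of severity of harm and probability of harm.
        return int(self.severity) * int(self.probability)

    def acceptable(self) -> bool:
        # Assumed acceptability policy: a score of 1 or 2 needs no further control.
        return self.risk_score() <= 2


@dataclass(frozen=True)
class FmeaLine:
    """One FMEA row: item -> failure mode -> effect, scored by S x O x D."""
    item: str
    failure_mode: str
    effect: str
    severity: int
    occurrence: int
    detection: int

    def rpn(self) -> int:
        # Risk priority number: only meaningful once a failure mode exists.
        return self.severity * self.occurrence * self.detection


def build_risk_file() -> list[HazardousSituation]:
    """Constructed sample entries for a hypothetical handheld device."""
    return [
        HazardousSituation(
            hazard="battery over-temperature",
            situation="device charging on a bedside table",
            harm="skin burn",
            severity=Severity.SERIOUS,
            probability=Probability.REMOTE,
            failure_mode="charge controller fails to cut off",  # an FMEA can hold this
        ),
        HazardousSituation(
            hazard="housing edge",
            situation="user grips the device during intended use",
            harm="laceration",
            severity=Severity.MINOR,
            probability=Probability.OCCASIONAL,
            failure_mode=None,  # nothing fails; the hazard exists by design
        ),
        HazardousSituation(
            hazard="ambiguous display units",
            situation="user reads a value and acts on it",
            harm="incorrect dose delivered",
            severity=Severity.CRITICAL,
            probability=Probability.OCCASIONAL,
            failure_mode=None,  # use error with the device operating correctly
        ),
    ]


def situations_without_failure_mode(risk_file: list[HazardousSituation]) -> list[HazardousSituation]:
    """Entries an FMEA cannot capture: there is no failure to put in the row."""
    return [hs for hs in risk_file if hs.failure_mode is None]


def unacceptable(risk_file: list[HazardousSituation]) -> list[HazardousSituation]:
    """Entries that need a risk control under the assumed policy."""
    return [hs for hs in risk_file if not hs.acceptable()]


if __name__ == "__main__":
    risk_file = build_risk_file()
    for hs in risk_file:
        print(f"{hs.harm:24s} score={hs.risk_score()} acceptable={hs.acceptable()}"
              f" failure_mode={hs.failure_mode!r}")
    print("not representable in an FMEA:",
          [hs.harm for hs in situations_without_failure_mode(risk_file)])
```

Run as a script, it lists each entry with its score and shows that "incorrect dose delivered" is both unacceptable and absent from any failure-mode list; an FMEA built from the same device would score only the battery row and would never see the other two.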


FMEA and Risk Management Confusion

ISO 14971 Risk Management uses terms such as risk, hazards, hazardous situations, harm, severity, probability of occurrence, risk acceptability, and risk controls.

FMEA uses terms such as failure modes, effects of failure, severity, causes of failure, occurrence, process controls, detectability, risk priority number, and recommended actions.

Just comparing the terminology of ISO 14971 with that of FMEA makes it clear how the two can be confused.

Hazards and hazardous situations do sound similar to failure modes.

Harm seems similar to effects of failure.

Risk seems similar to risk priority number.

Certainly, the terminology creates a great deal of confusion. The terminology of FMEA seems close enough to Risk Management.


What if You're Used To Using FMEA?

Yeah, I get it. Everyone on the product development team is familiar with and somewhat comfortable using FMEAs.

You have been using FMEA long before ISO 14971 became a harmonized standard.

And the intent and terminology are close enough . . .

So why change?


Doing only FMEA will mean that you will NOT comply with ISO 14971 Risk Management standard.


Medical Device Regulatory World Has Embraced ISO 14971 Risk Management

It’s very clear from medical device regulatory bodies throughout the world that sound risk management processes are paramount for medical device companies.

So much so that the previous versions of ISO 14971 were harmonized several years ago by most regulatory agencies, including FDA, Health Canada, and EU Competent Authority. Many of you know that the standard was updated in December 2019 and the new version has already been recognized as a consensus standard by FDA.

Regulatory agencies expect medical device companies to document Risk Management activities.

And since ISO 14971 exists and is broadly accepted in the med device regulatory world, I highly recommend using this standard as your framework.


Risk Management is a System

As noted, ISO 14971 describes an entire system approach for Risk Management.



In a nutshell, a Risk Management process shall include:

  • Risk management planning

  • Risk analysis

  • Risk evaluation

  • Risk controls

  • Overall residual risk acceptability

  • Risk management review

  • Risk management file

  • Production / post-production information

As you can see, ISO 14971 describes an entire system. And this system is a process intended to be applied throughout the entire lifecycle of a medical device.



Risk Management Needs to be Useful

Realize that the whole idea behind Risk Management is this:

Help ensure that medical devices are as safe as possible.

Regulatory bodies aside, please, please, PLEASE make sure that your Risk Management process is established and implemented in such a way so that it is actually useful.

Let me leave you with a few tips from a previous medical device Risk Management post to help you:

  1. Get a copy of ISO 14971:2019 and ISO/PRF TR 24971 – Guidance on the application of ISO 14971

  2. Establish a Risk Management Policy & Procedure

  3. Keep your severity, probability, and risk levels simple

  4. Use Risk Management as a tool during design & development

  5. Use Risk Management as a tool after design & development



Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.
