FMEA is NOT ISO 14971 Risk Management

If you are still using FMEA as your methodology to capture medical device risk management activities, then your risk management process is out of date.

And you might be asking why you need to abandon FMEA as the risk management tool of choice.

Let me tell you why.

Here is the definition of “risk management” as defined in ISO 14971:

Risk Management – systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk

And to be fair, I’ll also share with you a definition / description of FMEA from ASQ:

Failure Modes and Effects Analysis (FMEA) is a step-by-step approach for identifying all possible failures in a design, a manufacturing or assembly process, or a product or service.

Risk Management needs to be systematic. Risk Management considers use of a medical device, both correct and incorrect use. The basis of Risk Management is built on identifying hazards (potential sources of harm) and hazardous situations (circumstances in which people, property, or the environment are exposed to one or more hazards). Once these are identified, the severity of the potential harms resulting from the hazards and hazardous situations is estimated. The probability of occurrence of these harms is also estimated. And the combination of the severity of harm and the probability of occurrence of harm is what defines RISK.

FMEA is slightly different in its scope and purpose. The basis of FMEA is identifying failure modes. Right off the bat, the FMEA tool is only about failure.

Medical device risks are NOT solely a function of failure.

A medical device might never exhibit a failure mode yet still has risks.

Don’t mishear me.

FMEA is a VERY good tool and can be extremely helpful for design and development teams while evaluating materials, components, and sub-assemblies comprising medical devices. But FMEA is more of a reliability tool rather than a risk management system.

FMEA & Risk Management Confusion

ISO 14971 Risk Management uses terms such as risk, hazards, hazardous situations, harm, severity, probability of occurrence, risk acceptability, and risk controls.

FMEA uses terms such as failure modes, effects of failure, severity, causes of failure, occurrence, process controls, detectability, risk priority number, and recommended actions.

It’s pretty clear just by reviewing the terminology between ISO 14971 and FMEA how this can be confusing.

Hazards and hazardous situations do sound similar to failure modes.

Harm seems similar to effects of failure.

Risk seems similar to risk priority number.

Certainly, the terminology creates a great deal of confusion. The terminology of FMEA seems close enough to Risk Management.
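To make the difference between the two vocabularies concrete, here is an added example (not code from the original post, and not any standard's official scheme) that models the same device hazards two ways. The ISO 14971 side records each hazardous situation with an estimated severity and probability of harm and checks it against an acceptability matrix; the FMEA side can only produce a row, and a risk priority number, where a failure mode exists. The three-level scales, the acceptability matrix, the detection ratings and the sample hazardous situations are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Severity(IntEnum):
    """Constructed 3-level severity scale for the harm a hazardous situation can cause."""
    NEGLIGIBLE = 1
    SERIOUS = 2
    CRITICAL = 3


class Probability(IntEnum):
    """Constructed 3-level probability-of-harm scale."""
    IMPROBABLE = 1
    OCCASIONAL = 2
    FREQUENT = 3


# Constructed risk acceptability matrix: (severity, probability) -> True when the
# risk is acceptable without further risk control. ISO 14971 leaves the criteria
# to the manufacturer; this matrix is only an illustration.
ACCEPTABILITY = {
    (Severity.NEGLIGIBLE, Probability.IMPROBABLE): True,
    (Severity.NEGLIGIBLE, Probability.OCCASIONAL): True,
    (Severity.NEGLIGIBLE, Probability.FREQUENT): True,
    (Severity.SERIOUS, Probability.IMPROBABLE): True,
    (Severity.SERIOUS, Probability.OCCASIONAL): True,
    (Severity.SERIOUS, Probability.FREQUENT): False,
    (Severity.CRITICAL, Probability.IMPROBABLE): True,
    (Severity.CRITICAL, Probability.OCCASIONAL): False,
    (Severity.CRITICAL, Probability.FREQUENT): False,
}


@dataclass(frozen=True)
class HazardousSituation:
    hazard: str                          # potential source of harm
    situation: str                       # circumstance exposing people to the hazard
    harm: str                            # injury or damage that can result
    severity: Severity
    probability: Probability
    failure_mode: Optional[str] = None   # None when the situation arises from correct, fault-free use
    detection: Optional[int] = None      # FMEA 1-10 detection rating; only meaningful with a failure mode


def is_acceptable(hs: HazardousSituation) -> bool:
    """Risk evaluation: look the estimated risk up in the acceptability matrix."""
    return ACCEPTABILITY[(hs.severity, hs.probability)]


def iso14971_register(situations: List[HazardousSituation]) -> List[Tuple[str, bool]]:
    """Every hazardous situation gets a risk estimate, whether or not anything failed."""
    return [(hs.harm, is_acceptable(hs)) for hs in situations]


def fmea_rpn(hs: HazardousSituation) -> int:
    """FMEA risk priority number = severity x occurrence x detection.
    Constructed simplification: reuse the ordinal severity/probability values."""
    if hs.failure_mode is None or hs.detection is None:
        raise ValueError("FMEA only rates failure modes")
    return int(hs.severity) * int(hs.probability) * hs.detection


def fmea_worksheet(situations: List[HazardousSituation]) -> List[Tuple[str, int]]:
    """An FMEA row exists only where there is a failure mode to analyze."""
    return [(hs.failure_mode, fmea_rpn(hs)) for hs in situations if hs.failure_mode is not None]


def missed_by_fmea(situations: List[HazardousSituation]) -> List[str]:
    """Unacceptable risks that never appear on the FMEA worksheet at all."""
    return [hs.harm for hs in situations if hs.failure_mode is None and not is_acceptable(hs)]


# Constructed sample hazard analysis for a hypothetical infusion pump.
SAMPLE = [
    HazardousSituation("electrical energy", "patient touches enclosure with insulation fault present",
                       "electric shock", Severity.CRITICAL, Probability.IMPROBABLE,
                       failure_mode="insulation breakdown", detection=4),
    HazardousSituation("infusion flow rate", "user enters dose in the wrong units during normal operation",
                       "overdose", Severity.CRITICAL, Probability.OCCASIONAL),
    HazardousSituation("residual sterilant", "device used before aeration completes",
                       "tissue irritation", Severity.SERIOUS, Probability.IMPROBABLE),
]

if __name__ == "__main__":
    print("ISO 14971 register:", iso14971_register(SAMPLE))
    print("FMEA worksheet:    ", fmea_worksheet(SAMPLE))
    print("Missed by FMEA:    ", missed_by_fmea(SAMPLE))
```

The overdose case is the one the post is describing: nothing in the pump fails, the user operates it as designed, yet the hazardous situation carries an unacceptable risk and needs a risk control. The FMEA worksheet has no row for it because there is no failure mode to enter.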

But you are used to using FMEAs

Yeah, I get it. Everyone on the product development team is familiar with and somewhat comfortable using FMEAs.

You have been using FMEA since long before ISO 14971 became a harmonized standard.

And the intent and terminology are close enough . . .

So why change?

ISO 14971 vs FMEA comparison (courtesy of

Doing only FMEA will mean that you will NOT comply with ISO 14971 Risk Management standard.

The medical device regulatory world has embraced ISO 14971

It’s very clear from medical device regulatory bodies throughout the world that sound risk management processes are paramount for medical device companies. So much so that ISO 14971 was harmonized several years ago by most regulatory agencies, including FDA, Health Canada, and EU Competent Authority. (Note, that EU took a spin with risk management a few years ago when EN ISO 14971:2012 was released.)

Regulatory agencies expect medical device companies to document Risk Management activities.

And since ISO 14971 exists and is broadly accepted in the med device regulatory world, I highly recommend using this standard as your framework.

Risk Management is a system

As noted, ISO 14971 describes an entire system approach for Risk Management.

Figure 1 from ISO 14971:2007

In a nutshell, a Risk Management process shall include risk management planning, risk analysis, risk evaluation, risk controls, overall residual risk acceptability, risk management report, risk management file, and production / post-production information.

As you can see, ISO 14971 describes an entire system. And this system is a process intended to be applied throughout the entire lifecycle of a medical device.

Risk Management needs to be useful

Realize that the whole idea behind Risk Management is this:

Help ensure that medical devices are as safe as possible

Regulatory bodies aside, please, please, PLEASE make sure that your Risk Management process is established and implemented in such a way so that it is actually useful.

Let me borrow a few tips from another Risk Management blog post to help you:

  1. Get a copy of ISO 14971:2007 and ISO TR 24971:2013 – Guidance on the application of ISO 14971 (and EN ISO 14971:2012–especially if you plan to be in EU)
  2. Establish a Risk Management Policy & Procedure
  3. Keep your severity, probability, and risk levels simple
  4. Use Risk Management as a tool during design & development
  5. Use Risk Management as a tool after design & development

Let me close out this post by sharing a short video I found on YouTube by Gantus on ISO 14971 Risk Management.

Jon Speer has been in the medical device industry for over 16 years. In 2007, Jon started Creo Quality to help medical device companies with project management, quality systems, and regulatory submissions. As a result of his experience in the medical device industry, Jon had an idea to develop a software solution to improve how companies handle Design Controls. Because of this was born. You can find him on Google+, Twitter, and LinkedIn.