EURO-SYMBIOSE > Infos > Actuality > FMEA and ISO 14971: two complementary approaches to managing risks associated with medical devices

FMEA and ISO 14971: two complementary approaches to managing risks associated with medical devices

  • 11 December 2025
  • Posted by: Maélise ROBERT
  • Category: Actuality ,
No Comments

Article written by Valérie Le Couedic 

 

The safety of medical devices relies on rigorous risk management throughout their entire lifecycle. Two approaches are commonly used: FMEA, originating from the industrial world, and the risk analysis process defined in ISO 14971, which is specifically dedicated to the medical sector. While their objectives converge (identifying, assessing, and controlling risks), their logic and scope differ. This article compares the two approaches and highlights their complementarity.

1. Risk Analysis of Medical Devices According to ISO 14971: A Normative and Comprehensive Approach

ISO 14971, “Application of risk management to medical devices,” is part of the European regulatory requirements (Regulation (EU) 2017/745) for any medical device manufacturer: a physical or legal person who designs, manufactures, packages, and markets the device under their own name and affixes the CE marking.

The manufacturer is therefore the organization legally responsible for the conformity and safety of the medical device. It must implement and document a risk management process compliant with ISO 14971 in order to demonstrate that all risks associated with the device have been identified, evaluated, controlled, and deemed acceptable. A risk management file, integrated into the technical documentation and covering the entire product lifecycle, must be created and kept up to date.

The goal is to ensure the safety and clinical performance of the device by reducing risks to an acceptable level.

It is a comprehensive risk management process focused on patient and user safety that goes far beyond a technical analysis such as FMEA, as it includes risk analysis, evaluation, control, and post-production monitoring.

In other words:

  • ISO 14971 aims to identify, evaluate, and control risks related to the device itself (its design, functions, components, software, interactions with the user, etc.).

  • It covers the entire product lifecycle: design, manufacturing, distribution, use, and post-production.

  • It does not directly apply to manufacturing process control, but requires the manufacturer to ensure that processes do not introduce new risks to the product.

2. ISO 14971 and the Supplier’s Role in Risk Control for a Medical Device — Importance of the Link with the Manufacturer

Legal responsibility cannot be fully delegated to a supplier, even if certain activities (partial design, component manufacturing, assembly, sterilization, etc.) are outsourced. A supplier is not responsible for the final device nor its market placement. Therefore, suppliers are not required to directly apply ISO 14971. However, they must meet the manufacturer’s requirements, as defined in quality agreements or technical specifications.

The manufacturer remains responsible for verifying and documenting that outsourced activities contribute in a controlled manner to product safety (according to ISO 13485 §7.4 Purchasing and supplier control).

Even though ISO 14971 does not “officially” apply to suppliers, when they develop a critical subsystem or component for a manufacturer, the latter may require the supplier to conduct a Design FMEA considering effects on the user and patient.

Although ISO 14971 focuses on product risk, it indirectly integrates process control because:

  • Manufacturing risks can lead to product nonconformities, and therefore risks to the patient.

  • The manufacturer must demonstrate that critical processes are validated and controlled (ISO 13485 §7.5.6).

Suppliers therefore play a key role in controlling risks related to manufacturing processes and must implement a Process FMEA (or equivalent) to identify and control potential failures in their operations. Process FMEA thus supports ISO 14971 by helping prevent the introduction of failures into the product.

3. Process FMEA and ISO 14971

Process FMEA must go beyond industrial aspects (quality, yield) and include patient/user impact, because any nonconformity may ultimately affect medical device safety. For example:

  • Uncontrolled particulate contamination can lead to clinical infection risks.

  • A welding or assembly defect can compromise essential device functions (e.g., infusion, sensors, prosthesis failure).

  • Labeling errors can lead to misuse.

The supplier must therefore understand the actual consequences of potential failures on the safety and performance of the medical device. However, suppliers cannot determine this alone; they rely on the manufacturer, who possesses:

  • Knowledge of the device as a whole (function, interfaces, use environment),
  • The overall risk evaluation conducted according to ISO 14971,
  • The definition of critical characteristics and tolerances required for safety.

Thus, structured bilateral communication is essential:

  • The manufacturer provides essential requirements and critical product characteristics to be monitored.

  • The supplier documents their Process FMEA, implements control plans, and informs the manufacturer of any deviations or changes that may affect identified risks.

4. Design FMEA and ISO 14971: Methodological Differences

Both approaches aim to reduce risks, but they do not use the same notions or underlying philosophy.

Design FMEA is a technical reliability analysis method (IEC 60812) used to identify technical failure causes through structural and functional analysis of components and their interactions. It is very useful during development to help design robust products by determining failure chains (cause → failure mode → effect) and the control measures (prevention, detection) planned to reduce risks.

Risk reduction actions are prioritized based on three criteria:

  • Severity (S) evaluates all effects of a failure, whether dangerous or simply inconvenient for the user/patient.

  • Occurrence (O) of the cause, considering preventive measures.

  • Detection (D) of the cause or failure mode, according to planned verification/validation activities.

While Design FMEA covers the technical aspects well, it is only one tool within the ISO 14971 process, as it does not cover all risks specified in the standard:

  • Use-related risks (user errors),
  • Clinical risks,
  • Environmental risks,
  • Control of residual risks to patient health.

A medical device manufacturer must:

  • Apply the ISO 14971 process (mandatory),

  • Choose appropriate tools to identify hazards:

    • Design FMEA (technical failures),

    • Process FMEA (manufacturing risks),

    • Functional analysis,

    • Fault tree analysis,

    • Use-related risk analysis (URRA) / Use Error Analysis (according to IEC 62366-1),

    • HAZOP (IEC 61882), etc.

5. Documenting the Rationale for Method Selection in the Risk Management Plan

In other words, ISO 14971 requires the result (a complete and traceable risk analysis) but does not prescribe the tool.

ISO 14971 does not aim to prioritize technical failures but to evaluate risk to patient and user health and safety. Each identified hazard is analyzed to determine:

  • The Severity (S) of potential harm to patient or user health,

  • The Probability (P) of harm occurring (not the probability of the cause, as in FMEA). This probability includes both the likelihood of failure and the likelihood that it will lead to harm.

Risk level (R) is then: Risk = Severity × Probability.

Detection is not a parameter in ISO 14971, because improved detection (e.g., alarms) reduces the probability of harm, and therefore reduces risk.

ISO 14971 prescribes no scoring method: the manufacturer defines its own criteria (severity, probability, acceptability thresholds) in the risk management plan.

The standard defines three hierarchical risk control actions (section 7.1):

  1. Inherently safe design (primary prevention)

  2. Protective measures (secondary prevention)

  3. Safety information (warnings/instructions)

Conclusion

FMEA and ISO 14971 are complementary:

  • ISO 14971 is used to evaluate and manage clinical and patient-safety-related risks across the entire lifecycle of the medical device.

  • Design FMEA is a design tool that identifies and prevents technical failures, focused on product reliability.

ISO 14971 is generally formalized after product design for regulatory compliance, while Design FMEA supports early design stages.

A manufacturer cannot rely solely on FMEA, as it does not cover all health-related risks, such as use errors or clinical risks.

However, even though a manufacturer is not obligated to conduct a Design FMEA, it must analyze technical failures, and FMEA is often the most structured method. A well-executed Design FMEA is an essential piece of evidence in the ISO 14971 risk management file.

Suppliers are not required to comply with ISO 14971, as they do not hold regulatory responsibility and lack knowledge of patient-related risks and device use.

 

Euro-Symbiose can support your risk analysis activities through the following training courses:

#217 – Design FMEA

#218 –  Process FMEA

# 30 – ISO 14971: 2019 – Risk management of medical devices

 

📞 Our teams are available to support you:

Author: EURO-SYMBIOSE

Leave a Reply