
FMEA for Medical Devices: Step-by-Step ISO 14971 Risk Analysis

📋 Quick Summary

How to conduct a Failure Mode and Effects Analysis (FMEA) for medical devices under ISO 14971. Severity, probability, risk evaluation, and risk control documentation.


Why FMEA Is Central to ISO 14971

Failure Mode and Effects Analysis (FMEA) is the workhorse risk analysis method for medical device risk management under ISO 14971:2019. While ISO 14971 does not mandate FMEA by name — it is a standard that defines risk management process requirements, not specific techniques — FMEA has become the de facto method used by medical device manufacturers globally because it systematically identifies failure modes, their effects, and their causes in a format that integrates naturally with design control and risk management documentation.

ISO 14971 requires that manufacturers identify hazards and hazardous situations associated with their device, estimate the risks from each hazardous situation, evaluate whether each risk is acceptable, implement risk controls for unacceptable risks, and verify that risk controls are effective without introducing new risks. FMEA provides a structured framework for executing the identification and estimation steps, and the resulting risk register feeds directly into risk evaluation and risk control activities.

Medical device FMEA differs from manufacturing process FMEA (pFMEA used in automotive) in an important way: the endpoint is patient harm, not manufacturing defect. When a medical device engineer assigns severity ratings, they are assessing consequences for patients, users, and third parties — not production line consequences. This patient-centered framing must be maintained throughout the analysis.

Setting Up Your FMEA: Intended Use and Foreseeable Misuse

The foundation of any ISO 14971-compliant FMEA is a well-defined intended use and identification of reasonably foreseeable misuse. ISO 14971 Clause 4.1 requires that the risk management process begin with defining intended use, intended purpose, and the characteristics of the device that relate to safety.

Intended use is more than a single sentence. For FMEA purposes, it includes the patient population (demographic, clinical condition, anatomical site), the use environment (clinical setting, home use, field conditions), the user profile (professional healthcare provider, lay user, patient), and the clinical procedure or diagnostic purpose the device is intended to fulfill. Each of these dimensions shapes what failure modes are foreseeable and what severity ratings are appropriate.

Foreseeable misuse — sometimes called abnormal use — must also be considered. ISO 14971 defines reasonably foreseeable misuse as use in a way not intended by the manufacturer but that can result from readily predictable human behavior. A device designed for single use that might be reused, a device with controls that could be misread by a fatigued nurse, or a device that could be used on a contraindicated patient population — all of these are foreseeable misuses that belong in your FMEA.

Failure to identify foreseeable misuse scenarios is a recurring audit finding. Regulators and Notified Bodies will review your intended use definition and your FMEA scenarios and ask whether plausible misuse scenarios are addressed. If they are not, the FMEA is considered incomplete.

The FMEA Worksheet: Failure Modes, Effects, and Causes

The core of a medical device FMEA is the worksheet that documents failure modes, their effects, and their potential causes for each component or function under analysis.

Failure mode is the way in which a component or function can fail to perform as intended. For a pump, failure modes include no output, excessive output, flow reversal, and contaminated output. For software, failure modes include incorrect calculation, no output, unintended output, and delayed output. Each component or function typically has multiple failure modes, and each should be analyzed separately.

Effect of failure is the consequence of the failure mode on the patient, user, or environment. Effects should be described in terms of clinical consequences: hemorrhage, incorrect dosing, delayed diagnosis, no therapeutic effect. Effects are described at multiple levels — local effect (immediate consequence of the failure), next-higher-level effect (consequence for the subsystem), and end effect (consequence for the patient or user). The end effect drives the severity rating.

Cause of failure is the mechanism by which the failure mode occurs: material fatigue, software defect, manufacturing variability, user error, environmental degradation. Identifying causes is critical because risk controls are implemented at the cause level (design changes, material specifications, user interface improvements) or at the mitigation level (alarms, protective measures, information for safety).

For each failure mode, the FMEA worksheet documents the probability of occurrence (before risk controls are implemented), the severity of the end effect, and the resulting risk level. After risk controls are implemented, the analysis is repeated to verify that residual risk is acceptable.


Severity and Probability Scales: Calibrating Your Risk Matrix

ISO 14971 requires that risk estimation be based on severity of harm and probability of occurrence, but the standard does not prescribe specific numerical scales. Manufacturers must define their own scales in their risk management plan, and those scales must be appropriate for the device type and risk profile.

Severity scales for medical devices typically use a clinical harm taxonomy: negligible (no injury, no healthcare intervention required), minor (temporary injury, minimal treatment), serious (injury requiring medical intervention, temporary disability), critical (permanent impairment or injury), and catastrophic (death). The exact descriptors must be calibrated to your device โ€” a severity scale for a Class III implantable device will be different from a scale for a Class I accessory.

Probability scales can be qualitative (frequent, probable, occasional, remote, improbable) or quantitative (specific probability ranges per device lifetime or per million operations). Quantitative scales are preferred for high-risk devices because they enable more defensible risk decisions. When using quantitative scales, you must have a basis for the probability estimates โ€” reliability data from similar devices, field performance data, or engineering analysis.

Risk evaluation compares the estimated risk against your acceptance criteria. ISO 14971:2019 removed the ALARP (As Low As Reasonably Practicable) zone that existed in the 2007 version. Under the 2019 standard, risks must be reduced as far as possible using state-of-the-art risk controls, regardless of whether they fall in an "acceptable" zone. This is a material change that many manufacturers who built their risk management programs under the 2007 standard have not fully addressed.


Risk Controls: Implementation and Verification

ISO 14971 Clause 6 defines a hierarchy of risk controls that must be applied in the order specified when risks require reduction. The hierarchy is: (1) inherently safe design, (2) protective measures, (3) information for safety. You must always implement controls at the highest applicable level of the hierarchy before descending to lower levels.

Inherently safe design changes the device so that the hazard is eliminated or the probability of the failure mode is reduced through design. Material substitution, geometry changes, interlock design, and fail-safe mechanisms are all inherently safe design controls. These are preferred because they do not depend on user behavior.

Protective measures include alarms, automatic shutoffs, physical guards, and engineering controls that protect against the harm even if the failure mode occurs. Protective measures are less preferred than inherent safety because they introduce additional components that can themselves fail.

Information for safety includes contraindication labeling, warnings, instructions for use, and training requirements. This is the lowest-tier risk control — labeling can only reduce risk if users read and comply with it, which is never guaranteed. Regulators will push back on risk management strategies that rely heavily on labeling to reduce risks that could have been addressed through design or protective measures.

After risk controls are implemented, you must verify that each control achieves its intended risk reduction and does not introduce new hazards. Risk control verification must be documented with objective evidence — test results, analysis, or inspection records. Incomplete risk control verification is a common Form 483 observation in FDA inspections.
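The worksheet, risk evaluation, and risk control verification steps described above can be modelled as one small data structure. The Python below is an added example, not code from the article or from any toolkit: the 5x5 matrix thresholds, the rule that only verified controls earn residual-risk credit, and the infusion pump row are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Qualitative scales from the article; list position is the rank the matrix uses.
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]
# ISO 14971 Clause 6 hierarchy, highest tier first.
TIERS = ["inherently safe design", "protective measure", "information for safety"]

@dataclass
class Control:
    tier: str          # one of TIERS
    description: str
    probability: str   # estimated occurrence once this control is in place
    verified: bool     # objective evidence on file (test, analysis, inspection record)

@dataclass
class FailureMode:
    component: str
    mode: str
    cause: str
    end_effect: str    # patient-level consequence; this is what the severity rates
    severity: str
    probability: str   # occurrence before any risk control
    controls: list = field(default_factory=list)

def risk_level(severity, probability):
    """Constructed 5x5 matrix: rank sum; the two thresholds are this example's assumption."""
    score = SEVERITY.index(severity) + PROBABILITY.index(probability)
    return "unacceptable" if score >= 6 else "acceptable" if score <= 3 else "reduce further"

def evaluate(fm):
    initial = risk_level(fm.severity, fm.probability)
    # Only verified controls earn credit; the lowest credited occurrence is taken as residual
    # (a simplification) and severity is unchanged, since these controls act on occurrence.
    credited = [c.probability for c in fm.controls if c.verified]
    residual = risk_level(fm.severity, min(credited, key=PROBABILITY.index, default=fm.probability))
    findings = []
    if any(not c.verified for c in fm.controls):
        findings.append("unverified control: residual risk not credited")
    if fm.controls and all(c.tier == TIERS[2] for c in fm.controls) and initial != "acceptable":
        findings.append("labeling-only mitigation: justify why higher-tier controls were not applicable")
    if residual != "acceptable":
        findings.append(f"residual risk {residual}: further reduction required")
    return {"initial": initial, "residual": residual, "findings": findings}

# Constructed sample row for an infusion pump (illustrative values, not from any real device).
PUMP_OVERDELIVERY = FailureMode(
    "infusion pump", "excessive output", "motor controller software defect", "medication overdose",
    "critical", "probable", controls=[Control(TIERS[1], "independent flow sensor halts pump", "improbable", True),
                                      Control(TIERS[2], "IFU warning to monitor infusion rate", "occasional", True)])
```

Running `evaluate(PUMP_OVERDELIVERY)` returns the pre-control and residual risk class plus any review findings; a row whose only control is labeling, or whose controls lack verification evidence, is flagged rather than silently credited.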
