News & Commentary on ISO Management System Standards

    ISO 14971: Choosing appropriate Risk Management Tools


    Using FMEA alone is a lazy choice and no longer acceptable

    ISO 14971, Medical devices - Application of risk management to medical devices, is frequently misapplied, and if your ISO 13485 QMS Manual claims to use ISO 14971, you'd better use it properly.

    Some bastardised version of FMEA alone will no longer be accepted, as the publication of ISO 14971:2019 and the associated Technical Report (a guide) ISO 24971:2020 attests. External Auditors will want to see that both standards have been adequately applied in taking a product lifecycle approach.

    Risk Management Courses offer assessment tools and techniques and a unique insight into the practical application of Risk Management.  The variety, complexity and wide range of applicability of these tools can be confusing, especially for those new to risk management.

    Too often, those responsible for overseeing the risk planning, risk monitoring, and risk response of organizations limit themselves to using basic FMEA – Failure Modes and Effect Analysis – or even a slimmed-down version of an FMEA.  This is a mistake.  The expectation of External Auditors is for two or more risk management tools to be used.

    How to Avoid Making Common Mistakes When Using ISO 14971

    As emphasized in our ISO 14971 courses ...

    1. DO NOT use FMEA alone: A single FMEA is typically used, usually a process FMEA. This is not acceptable as the Standard requires risk management throughout the product lifecycle, from initial product concept to end-of-life disposal.
    2. DO NOT use a pFMEA focused on component failure: This is to miss the point of Clause 7.1 of ISO 13485 completely, where it is the threat to patient/user safety in regular use and possible misuse of the product that is the primary concern.
    3. DO NOT neglect to maintain a Risk Management File (RMF): Such a file is required in addition to the file requirements of Clauses 4.2.3 and 7.3.10 of ISO 13485.
    4. DO NOT forget to make periodic or adverse event-driven updates of Risk Management Tools/Methods: Risk management throughout the lifecycle of the product/device is required.
    5. DO NOT forget to keep a history of updates in the RMF: The reasons why updates were made to risk management records are documented or referenced in the RMF.
    6. DO NOT be complacent about gathering Post-Market Surveillance data, and make sure to update Risk Management records accordingly (in addition to other actions that may be required). 


    Risk Assessment Tools in the Product Life Cycle

    When to Apply Risk Assessment Tools in the Product Lifecycle

    It is not immediately obvious to the reader of ISO 14971 where in the lifecycle of a product each of the tools should be applied. The table below maps each of the tools against the lifecycle stage where typically they are used.

    Risk Assessment Tools in the Product Life Cycle

    | Tools and Techniques | Stage: Design and Development | Stage: Production | Stage: Operation and Use | Comment |
    |---|---|---|---|---|
    | Preliminary Hazard Analysis (PHA) | X | | | Most commonly carried out early in the development of a project when there is little information on design details or operating procedures and can often be a precursor to further studies. It can be useful when analysing existing systems or prioritizing hazards where circumstances prevent a more extensive technique from being used. |
    | Hazard and Operability Studies (HAZOP) | | X | | While the use of HAZOP studies in the chemical industry focuses on deviations from design intent, there are alternative applications for a medical device developer. A HAZOP can be applied to: (1) the operation/function of the medical device (e.g., to the existing methods/processes used for the diagnosis, treatment or alleviation of disease as the "design intent"), or (2) a process used in the manufacture or maintenance/service of the medical device (e.g., sterilization) that can have a significant impact on the function of the medical device. |
    | Hazard Analysis and Critical Control Points (HACCP) | | X | | This is a systematic approach to the identification, evaluation and control of hazards, and is best applied to established processes, particularly manufacturing. Applied to medical devices, HACCP is used for the control and monitoring of initiating causes of product hazards originating in the processes themselves. |
    | Design FMEA | X | | | During all stages of product design and development. |
    | Process FMEA | X | X | X | During the design and development process and continuing throughout the product life cycle. Production and postproduction feedback is often used to update FMEAs and/or verify them. |
    | Administrative FMEA | | X | X | While Design and Process FMEAs are based on individual product components, FMEAs can also be applied to processes. Here the risks associated with the individual activities that go to make up a process are examined, the associated risks are evaluated and then steps are taken to reduce unacceptable risks to an acceptable level. |
    | User or Patient FMEA | X | | X | In this case, the effects of product or component failure during use, or unintended misuse, are considered. While most frequently applied to considerations of patient safety, application to consumer, or end-user, satisfaction is also possible. |
    | Fault Tree Analysis | | X | | This is a systematic approach to the identification and evaluation of fault conditions, based on an analysis of possible causes, and is best applied to established processes, particularly manufacturing processes. A significant history of the process is needed, or else much time and effort can be wasted. |
    | Event Tree Analysis | | X | | An event tree is an analytical, diagrammatic representation of a chronological series of subsequent events or consequences based on the analysis of an initiating event. Event tree analysis provides a model for examining the possible outcomes from a single event. |

    Risk management tools do not only apply to medical devices

    While our focus is on the risk associated with Medical Device manufacture, you can no doubt find analogous opportunities to apply the tools to your organization. And they are not limited in use to manufacturing; they are just as applicable to all business activities, both public and private sector. 

    The management of risk is fundamental to business improvement. So be sure to give these tools a try.

    And training is essential if you are to successfully implement these Risk Management Tools

    To fill this need we have developed two Courses.

    For Internal Auditors:

    Learn about our ISO 14971 Risk Management - Foundation Course


    For Quality Managers and Consultants:

    Learn about our ISO 14971 Risk Management - Advanced Course



    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021 we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems