FailModeLens

Medical Device FMEA Under ISO 14971: Linking Failure Modes to Risk Management Files

Medical device manufacturers running FMEA under automotive conventions (AIAG-VDA, RPN, Action Priority) will fail an ISO 14971 audit. Not because FMEA is wrong — it’s a useful tool inside a 14971 risk management process — but because ISO 14971 demands a specific framework that FMEA alone does not provide. The mistake is treating FMEA as the risk management process rather than one technique within it.

This guide covers how medical device FMEA fits into the ISO 14971 risk management file, what auditors look for, where automotive-style FMEA falls short, and how to structure failure mode work so it satisfies both internal engineering rigor and regulatory expectations.

ISO 14971 Is the Process; FMEA Is a Technique Inside It

ISO 14971:2019 defines the full risk management lifecycle for medical devices: risk analysis, risk evaluation, risk control, overall residual risk evaluation, and post-production monitoring. Its sibling technical report, ISO/TR 24971:2020, provides guidance on how to apply the standard and explicitly names FMEA as one risk analysis technique alongside fault tree analysis (FTA), hazard and operability studies (HAZOP), and preliminary hazard analysis (PHA).

The critical distinction: ISO 14971 requires you to identify hazards and evaluate risks to patients, users, and third parties. FMEA starts from failure modes. Not every failure mode creates a hazard, and not every hazard originates in a component failure — use error, software defects, and foreseeable misuse are hazard sources too. If your entire risk analysis is a PFMEA-style failure mode table, you are missing use-related risk entirely, and that is a finding in every medical device audit.

Common Audit Finding: A risk management file built from DFMEA and PFMEA tables only, with no evidence of hazard identification, use-related risk analysis, or residual risk evaluation. ISO 14971 Clause 5.4 requires systematic identification of hazards from all reasonably foreseeable sequences or combinations of events, not just component failures.

The Risk Management File (RMF) Structure

ISO 14971 Clause 4.5 requires a risk management file (RMF) that contains records of every risk management activity. FMEA outputs do not replace the RMF — they populate specific sections of it. A conforming RMF includes:

  • Risk management plan (Clause 4.4) — scope, responsibilities, risk acceptability criteria, verification plan
  • Hazard identification (Clause 5.4) — known and foreseeable hazards from all sources: energy, biological, chemical, information, use-related, functional
  • Risk analysis (Clause 5.5-5.6) — for each hazardous situation, estimate the probability of occurrence of harm and the severity of harm
  • Risk evaluation (Clause 6) — compare estimated risk against acceptability criteria from the plan
  • Risk control (Clause 7) — in priority order: inherent safety by design, protective measures, information for safety (labeling and training)
  • Residual risk evaluation (Clause 7.4 and 8) — per hazard and overall, including risk/benefit analysis
  • Production and post-production information (Clause 10) — complaints, field failures, new hazards

DFMEA typically feeds Clause 5.5 (design-related failure mode analysis) and Clause 7 (risk control measures in design). PFMEA feeds Clause 5.5 (manufacturing process risk) and Clause 7 (process controls). Use-related risk analysis (often UFMEA or a separate technique per IEC 62366-1) feeds a distinct branch of Clauses 5.4 and 5.5. Keeping these streams separated in the RMF is what makes the file traceable.

How to Link FMEA Outputs to the RMF

Three specific linkages an auditor will trace end-to-end:

  1. Failure mode → hazardous situation → harm. For each DFMEA or PFMEA line item, document the hazardous situation it creates (not just the effect at the device level) and the potential harm to the patient or user. "Battery overdischarge" is a failure mode. "Device fails to deliver therapy during critical procedure" is the hazardous situation. "Delayed diagnosis or treatment resulting in patient injury" is the harm. Without the chain, the audit finding is "failure modes documented but no linkage to patient harm."
  2. Risk control → failure mode addressed. Each risk control measure must map back to the failure modes or hazards it mitigates. When you add a software watchdog timer as a risk control, the DFMEA line item "watchdog fails to reset" needs re-rating, and the risk control measure record needs the DFMEA line it addresses.
  3. Risk control → verification evidence. ISO 14971 Clause 7.2 requires verification that each risk control is effective and does not introduce new hazards. That verification evidence (test reports, design verification, software unit tests) must be linked to the control measure in the RMF.
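The three linkages above can be checked mechanically before an audit. The following is an added example, not part of the original guide: the record layout, the IDs (`DFMEA-001`, `RC-01`, `VER-017`) and the "Low-battery lockout" control are constructed for illustration, and the first FMEA line reuses the battery example from the text.

```python
from dataclasses import dataclass, field

@dataclass
class FmeaLine:
    line_id: str
    failure_mode: str
    hazardous_situation: str = ""
    harm: str = ""

@dataclass
class RiskControl:
    control_id: str
    description: str
    addresses: list = field(default_factory=list)     # FMEA line ids mitigated
    verification: list = field(default_factory=list)  # evidence record ids

def trace_gaps(lines, controls):
    """Return (record_id, gap) tuples for every broken RMF linkage."""
    gaps = []
    known = {line.line_id for line in lines}
    for line in lines:
        # Linkage 1: failure mode -> hazardous situation -> harm
        if not line.hazardous_situation.strip():
            gaps.append((line.line_id, "no hazardous situation"))
        if not line.harm.strip():
            gaps.append((line.line_id, "no harm"))
    for ctl in controls:
        # Linkage 2: risk control -> failure mode addressed
        if not ctl.addresses:
            gaps.append((ctl.control_id, "addresses no FMEA line"))
        for ref in ctl.addresses:
            if ref not in known:  # dangling reference to a missing line
                gaps.append((ctl.control_id, f"unknown FMEA line {ref}"))
        # Linkage 3: risk control -> verification evidence
        if not ctl.verification:
            gaps.append((ctl.control_id, "no verification evidence"))
    return gaps

# Constructed sample records (hypothetical IDs and control names)
LINES = [
    FmeaLine("DFMEA-001", "Battery overdischarge",
             "Device fails to deliver therapy during critical procedure",
             "Delayed diagnosis or treatment resulting in patient injury"),
    FmeaLine("DFMEA-002", "Watchdog fails to reset"),  # chain not documented
]
CONTROLS = [
    RiskControl("RC-01", "Software watchdog timer", ["DFMEA-002"], ["VER-017"]),
    RiskControl("RC-02", "Low-battery lockout", ["DFMEA-009"], []),
]

if __name__ == "__main__":
    for record_id, gap in trace_gaps(LINES, CONTROLS):
        print(f"{record_id}: {gap}")
```

The check only proves that links exist; whether the cited evidence actually demonstrates effectiveness still needs review.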

What the AIAG-VDA Playbook Gets Wrong for Medical Devices

Quality engineers moving from automotive to medical devices carry habits that do not translate:

  • Action Priority (AP) instead of ISO 14971 acceptability: AP is a three-tier H/M/L classification designed for automotive supply chain action management. ISO 14971 requires you to define risk acceptability criteria in the risk management plan before the analysis starts, and every residual risk must be evaluated against those criteria. An AP of Low does not equal acceptable risk under 14971 — acceptable means "below the threshold defined in your plan."
  • Severity defined at the end-customer level: AIAG-VDA severity scales describe "dissatisfaction" and "warranty impact." ISO 14971 severity describes harm to patients and users. A severity 5 in an automotive scale (noticeable degradation) could correspond to a severity 9 in a medical context (permanent impairment) for the same underlying failure.
  • Occurrence ratings from production data: AIAG-VDA occurrence uses manufacturing failure rates. ISO 14971 probability of harm combines the probability of the hazardous situation and the probability that the situation leads to harm. Ignoring the second term produces systematically optimistic risk estimates.
  • Detection controls as risk reduction: In AIAG-VDA, improving detection reduces AP. In ISO 14971, detection of a failure by the user or the device is not risk control in the hierarchical sense — Clause 7.1 puts "information for safety" last, below inherent design and protective measures. Relying on a detection rating drop to justify acceptance is an audit finding.

Use-Related Risk: The Gap FMEA Does Not Cover

ISO 14971 requires identification of hazards "including those resulting from normal use and reasonably foreseeable misuse." IEC 62366-1 (usability engineering) defines the companion process. A DFMEA focused on component failure will systematically miss: the clinician picks the wrong mode, the patient adjusts a setting they should not touch, the nurse connects a tube to the wrong port, the reprocessing cycle omits a step.

These are the failure sources that drive most field recalls. A compliant RMF includes a separate use-related risk analysis (often a task analysis, use FMEA, or fault tree from the user interface) feeding the same hazard list and risk evaluation as the component FMEAs. If your FMEA skill set is only DFMEA/PFMEA, you need to add UFMEA or collaborate with a human factors engineer.

FDA Alignment and the QMSR

As of February 2, 2026, the FDA’s Quality Management System Regulation (QMSR) replaces the prior Quality System Regulation, incorporating ISO 13485:2016 by reference. ISO 13485 references ISO 14971 for risk management. The practical implication: FDA inspectors will cite ISO 14971 clause numbers during inspections, not 21 CFR 820 section numbers for most risk topics. Your RMF should already be organized around 14971 clauses, because that is what inspectors are trained to walk through.

ISO 14971:2019 is an FDA-recognized consensus standard, so declaring conformity to 14971 is an acceptable route to meeting the risk management requirements in QMSR. The regulatory text in 21 CFR Part 820 is now short precisely because it points to ISO 13485, which points to ISO 14971.

Rating Scales That Work for Medical Devices

If you are going to use FMEA within a 14971 framework, adapt the rating scales:

  • Severity (harm-based): 1 = no injury; 3 = temporary reversible injury, no medical intervention; 5 = injury requiring medical intervention; 7 = permanent impairment or life-threatening injury requiring intensive intervention; 10 = death. Anchor against your risk management plan’s definition of harm.
  • Probability of occurrence of harm: Combine P1 (probability of hazardous situation) and P2 (probability of harm given the situation) as required by ISO/TR 24971. For a catheter tip detachment (P1), the probability of distal embolization (P2) is less than 1.0, not equal to 1.0.
  • Detection: Limit to detection that prevents harm — e.g., hardware interlock, software alarm the clinician can act on. Detection in the 14971 sense is not the same as detection in the AIAG-VDA sense, and conflating them is the source of most bad medical device FMEAs.

Our RPN and Action Priority calculator supports the AIAG-VDA rating scales; for medical device work, use it for the S/O/D arithmetic but layer your own harm-based rating criteria on top, and always record the rating criteria used alongside the FMEA itself. Audit-ready records show the criteria, not just the numbers.

Related Reading

For the methodology fundamentals, see severity rating scale definitions, how Action Priority differs from RPN, and how detection ratings interact with current controls. Each applies differently in medical device contexts, but the underlying mechanics are the same.

Summary

Medical device FMEA is a technique inside the ISO 14971 risk management process, not a substitute for it. The risk management file demands hazard identification, use-related analysis, risk acceptability criteria defined in advance, hierarchical risk control, and linked verification evidence. Automotive-style FMEA habits — AP tiers as acceptance criteria, severity defined as customer dissatisfaction, detection as a risk reducer — will fail a 14971 audit. Build the RMF around 14971 clauses, feed failure mode analyses into the right sections, and keep use-related risk as a distinct stream. That is what both FDA inspectors and notified body auditors expect to see.