5 Risk Analysis Methods Under ISO 14971: HAZOP, FMEA, FTA, PHA and Bowtie

Risk analysis is the systematic examination of potential hazards, their causes, and their effects on a medical device and its users. ISO 14971 (Medical devices—Application of risk management to medical devices) requires risk analysis as part of a comprehensive risk management process, but notably does not prescribe a single method. Instead, organizations may choose from multiple risk analysis approaches—each with distinct advantages, limitations, and appropriate applications. Selecting the right method (or combination of methods) is critical for effective hazard identification and mitigation. This article explains five major risk analysis methods, when to use each, and how to combine them for comprehensive hazard coverage.

Why ISO 14971 Does Not Prescribe a Specific Risk Analysis Method

ISO 14971 is intentionally method-neutral. The standard requires that hazards be identified and risk be analyzed, but leaves the choice of analytical technique to the organization. This flexibility reflects the reality that different device types, complexity levels, and risk profiles benefit from different approaches. A simple mechanical device might be adequately analyzed with Preliminary Hazard Analysis (PHA), while a software-driven device with complex user interfaces may require a combination of FMEA, Fault Tree Analysis, and human factors validation.

Regulators (FDA, notified bodies, and others) evaluate the adequacy of risk analysis by asking: Are relevant hazards identified? Are causes and effects systematically examined? Is the analysis proportionate to the device complexity and risk? Is there evidence that the chosen method(s) were appropriate? A well-executed FMEA on a simple device is acceptable; a superficial FMEA on a complex system is not.

The flexibility in ISO 14971 empowers organizations to choose analysis methods that fit their process and device characteristics. However, this flexibility also creates a responsibility: organizations must justify their method selection and demonstrate that their approach captured all significant hazards. Many organizations default to FMEA because it is widely taught and accepted, but other methods may be more efficient or thorough for specific contexts.

Method 1 — FMEA: Failure Mode and Effects Analysis

How FMEA Works

FMEA is a bottom-up, inductive analysis that systematically examines each component, subsystem, or process step to identify failure modes (ways the element can fail), their causes, and their effects on the system and patient. For each identified failure mode, the team assigns severity (how serious is the effect?), occurrence (how likely is the failure?), and detectability (how easily can the failure be caught?). The Risk Priority Number (RPN) is calculated as Severity × Occurrence × Detectability, which prioritizes high-risk failure modes for mitigation.

FMEA creates a detailed table with columns for component/process, failure mode, causes, effects, severity, occurrence, detectability, current controls, RPN, recommended actions, and responsibility/deadline. The analysis is highly structured and produces a comprehensive, documented record of hazards and mitigations.

Important note on ISO 14971 compatibility: ISO 14971:2019 uses a two-factor risk estimation framework (severity × probability of occurrence). Unlike the 3-factor FMEA RPN, ISO 14971 treats detectability as a risk control measure to be applied after the initial risk has been estimated—not as a factor that reduces the initial risk score. Using the RPN formula alone as the risk acceptance criterion for medical devices can conflict with ISO 14971 requirements, because incorporating detectability before controls are applied may artificially lower an uncontrolled risk score. When using FMEA for ISO 14971 compliance, severity and probability should first be assessed without detection controls, and detectability should then be considered separately as part of risk control evaluation.

When to Use FMEA for Medical Devices

  • Hardware-dominant devices: FMEA is particularly effective for analyzing mechanical assemblies, electrical systems, and component interactions.

  • Software and firmware: FMEA can be adapted for software (often called FMEA-S) to analyze algorithm failures, data corruption, communication failures, and user interface defects.

  • Manufacturing processes: Process FMEA analyzes failure modes in manufacturing steps (e.g., sterilization pressure drift, contamination, assembly misalignment) that could affect product quality.

  • Mature device platforms: FMEA is useful for analyzing incremental design changes or manufacturing improvements when the baseline design is well-understood.

  • When traceability is critical: FMEA creates a highly traceable record linking each hazard to design controls and risk mitigations.

FMEA Limitations

  • Top-event bias: FMEA can miss hazards that result from multiple independent failures or complex interactions because it focuses on single-component failures.

  • Labor-intensive: For complex systems with hundreds of components, FMEA can be extremely time-consuming and require large cross-functional teams.

  • Interdependency blind spots: FMEA may not capture hazards arising from interactions between components unless explicitly examined.

  • Human factors gaps: FMEA focuses on component failures and may miss hazards related to user error, training deficiencies, or workflow issues.

  • RPN limitations: The RPN calculation (Severity × Occurrence × Detectability) can be misleading—a high-severity, low-occurrence hazard may receive a moderate RPN yet still pose significant risk.
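The ISO 14971 compatibility note and the RPN limitation above can be checked mechanically on an FMEA worksheet. The sketch below is an added example, not part of the original article or of any product it mentions; the failure modes, the 1-10 scores and both acceptance thresholds are constructed assumptions.

```python
# Constructed FMEA rows for an infusion pump. Scores use 1-10 scales
# (detectability 1 = almost certain to be caught); every value is illustrative.
ROWS = [
    # failure mode,                     severity, occurrence, detectability
    ("Occlusion sensor drifts low",      9, 4, 2),
    ("Battery gauge over-reads",         5, 5, 6),
    ("Keypad double-registers a digit",  8, 5, 3),
    ("Display backlight flickers",       2, 6, 7),
]
RPN_LIMIT = 125   # hypothetical RPN acceptance threshold
RISK_LIMIT = 30   # hypothetical severity x occurrence acceptance threshold


def assess(rows, rpn_limit=RPN_LIMIT, risk_limit=RISK_LIMIT):
    """Score each row with the 3-factor RPN and the 2-factor initial risk."""
    out = []
    for mode, sev, occ, det in rows:
        rpn = sev * occ * det     # detectability folded into the score
        initial = sev * occ       # estimated before any detection control
        out.append({
            "mode": mode,
            "rpn": rpn,
            "initial_risk": initial,
            "rpn_accepts": rpn <= rpn_limit,
            "initial_acceptable": initial <= risk_limit,
            "detectability": det, # kept for the later risk-control review
        })
    return out


def masked_by_detectability(rows):
    """Rows the RPN accepts although the uncontrolled risk is unacceptable."""
    return [r["mode"] for r in assess(rows)
            if r["rpn_accepts"] and not r["initial_acceptable"]]


def ranking(rows, key):
    """Failure modes ordered from highest to lowest score for `key`."""
    return [r["mode"] for r in sorted(assess(rows), key=lambda r: -r[key])]


if __name__ == "__main__":
    for r in assess(ROWS):
        print(f'{r["mode"]:<34} RPN={r["rpn"]:<4} SxO={r["initial_risk"]}')
    print("Masked by detectability:", masked_by_detectability(ROWS))
```

With these constructed scores the severity-9 occlusion failure ranks last by RPN because its detection score is good, which is the masking effect the note warns about.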

Method 2 — FTA: Fault Tree Analysis

How FTA Works

FTA is a top-down, deductive analysis that begins with a defined undesired event (the 'top event') and works backward to identify all possible combinations of component failures and human actions that could lead to that event. The analysis builds a logic tree using AND and OR gates to show how lower-level failures combine to cause the top event. For example, if the top event is 'device delivers incorrect medication dose,' the analysis identifies all combinations of sensor failures, software bugs, pump malfunctions, and user errors that could result in that outcome.

FTA produces a visual tree diagram that shows how failures cascade through the system. The analysis identifies minimal cut sets (the smallest combination of failures sufficient to cause the top event) and can quantify the probability of the top event if failure rates are available. FTA is particularly useful for understanding complex failure mechanisms and identifying critical failure points.
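To make minimal cut sets and top-event quantification concrete, the following added example (not from the original article) builds a small fault tree for the 'incorrect medication dose' top event and evaluates it. The gate layout, event names and failure probabilities are constructed assumptions, and basic events are assumed independent.

```python
from itertools import product

# Constructed fault tree: intermediate event -> (gate, children).
# Names that do not appear as keys are basic events.
TREE = {
    "incorrect_dose": ("OR", ["overdelivery_undetected", "wrong_rate_programmed"]),
    "overdelivery_undetected": ("AND", ["pump_overruns", "monitoring_fails"]),
    "pump_overruns": ("OR", ["pump_malfunction", "software_bug"]),
    "monitoring_fails": ("OR", ["flow_sensor_failure", "software_bug"]),
    "wrong_rate_programmed": ("AND", ["user_entry_error", "limit_check_bypassed"]),
}
# Illustrative per-use failure probabilities (assumed, not device data).
P = {
    "pump_malfunction": 1e-3,
    "software_bug": 1e-4,
    "flow_sensor_failure": 1e-3,
    "user_entry_error": 1e-2,
    "limit_check_bypassed": 1e-3,
}


def cut_sets(node, tree=TREE):
    """All cut sets of `node`, each a frozenset of basic events."""
    if node not in tree:
        return {frozenset([node])}
    gate, children = tree[node]
    child_sets = [cut_sets(c, tree) for c in children]
    if gate == "OR":                      # any child alone is sufficient
        return set().union(*child_sets)
    # AND: one cut set from every child must occur together
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node, tree=TREE):
    """Drop every cut set that strictly contains another cut set."""
    sets = cut_sets(node, tree)
    return {s for s in sets if not any(other < s for other in sets)}


def top_event_probability(mcs, p=P):
    """Exact probability by enumerating all basic-event states."""
    events = sorted(set().union(*mcs))
    total = 0.0
    for states in product([True, False], repeat=len(events)):
        failed = {e for e, s in zip(events, states) if s}
        if any(cs <= failed for cs in mcs):
            weight = 1.0
            for e, s in zip(events, states):
                weight *= p[e] if s else 1 - p[e]
            total += weight
    return total


def single_points_of_failure(mcs):
    """Basic events that cause the top event on their own."""
    return sorted(next(iter(s)) for s in mcs if len(s) == 1)


if __name__ == "__main__":
    mcs = minimal_cut_sets("incorrect_dose")
    print("Minimal cut sets:", sorted(sorted(s) for s in mcs))
    print("Single points of failure:", single_points_of_failure(mcs))
    print(f"P(top event) = {top_event_probability(mcs):.3e}")
```

In this constructed tree the software bug appears under both the delivery and the monitoring branch, so it collapses to a one-element cut set and dominates the top-event probability.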

When to Use FTA

  • High-consequence hazards: FTA is ideal for analyzing hazards with severe patient impact (e.g., unintended drug delivery, loss of critical function, system shutdown).

  • Complex system interactions: When a hazard results from multiple failures acting together, FTA is more effective than FMEA at identifying those combinations.

  • Software-intensive devices: FTA can trace how software bugs, communication failures, and sensor errors combine to cause system failure.

  • Safety-critical systems: Medical devices where failure could cause death or serious injury benefit from the detailed hazard path analysis FTA provides.

  • Reliability quantification: If failure rate data is available, FTA can quantify the probability of hazardous outcomes and support risk acceptance decisions.

Method 3 — HAZOP: Hazard and Operability Study

How HAZOP Works

HAZOP is a systematic, multi-disciplinary brainstorming method that uses guidewords (e.g., MORE, LESS, REVERSE, NO, AS WELL AS) to prompt teams to imagine deviations from normal operation. For each process parameter or design aspect (e.g., pressure, flow rate, timing, concentration), the team asks: What if there is MORE? What if there is LESS? What if this reverses? The goal is to identify hazards and operability problems that might not emerge from conventional analysis.

HAZOP sessions typically involve a cross-functional team (engineering, operations, quality, safety, clinical) that collectively brainstorm deviations and their consequences. The method is highly collaborative and generates creative, sometimes unexpected insights. HAZOP results are documented as a table listing parameters, deviations, possible causes, consequences, existing safeguards, and recommended actions.

When to Use HAZOP

  • Process-intensive devices: Infusion pumps, anesthesia delivery systems, and other devices where process parameters (pressure, flow, concentration, timing) are critical.

  • User-interactive devices: Devices where operators make decisions or control key parameters—HAZOP excels at identifying user error scenarios.

  • New or novel devices: When baseline failure data is unavailable and conventional analysis struggles, HAZOP's brainstorming approach uncovers novel hazards.

  • Multi-step procedures: Devices requiring step-by-step user actions (e.g., diagnostic equipment with complex workflows) benefit from HAZOP's parameter-deviation approach.

  • Cross-functional engagement: Organizations seeking to involve clinical, operations, and quality perspectives benefit from HAZOP's collaborative workshop format.

Method 4 — PHA: Preliminary Hazard Analysis

How PHA Works

PHA is a high-level, qualitative risk analysis method typically performed early in design, before detailed specifications are finalized. It identifies broad categories of hazards and major potential causes without exhaustive detail. A PHA typically addresses hazards in categories such as electrical, mechanical, chemical, ergonomic, thermal, radiation, and software. For each hazard category, the team asks: What can go wrong? How serious is it? How likely is it? What existing measures mitigate it?

PHA produces a simpler, less detailed analysis than FMEA or FTA but provides early-stage risk visibility and prioritizes areas requiring deeper analysis. PHA is often used as a prerequisite to FMEA or FTA, narrowing the scope of detailed analysis to high-risk areas.

When to Use PHA

  • Early design phase: PHA is ideal for concept evaluation and design planning when detailed specifications are still evolving.

  • Simple or mature devices: For devices with well-understood hazards and straightforward designs, PHA may be sufficient without deeper analysis.

  • Resource-constrained teams: PHA requires less time and expertise than FMEA or FTA, making it suitable for small organizations or projects with limited budgets.

  • Scoping for detailed analysis: PHA helps identify which design aspects pose the highest risk, focusing subsequent FMEA or FTA effort on high-risk areas.

  • Regulatory communication: PHA results can be presented to regulators early in development to demonstrate systematic hazard thinking.

Method 5 — Bowtie Analysis

How Bowtie Analysis Works

Bowtie (or bow-tie) analysis combines elements of FTA and FMEA to create a visual diagram showing how a hazardous event can occur and what consequences might follow. The analysis identifies a central undesired event (e.g., 'uncontrolled device activation'), shows all possible causes on the left side of the diagram (like an FTA), and all possible consequences on the right side (like an FMEA). The diagram visually resembles a bowtie, with the undesired event at the center.

For each cause and consequence branch, the analysis identifies existing control measures and any gaps in controls. The bowtie diagram is particularly useful for communicating risk to stakeholders because it shows both 'what can go wrong' and 'what happens if it does' in a single, visual representation.

When to Use Bowtie

  • Communication and visualization: Bowtie diagrams are highly visual and effective for presenting risk to executive management, clinical teams, and regulators.

  • Integrated cause-consequence analysis: When understanding both root causes and downstream effects of a hazard is important, bowtie provides a complete picture.

  • Multiple hazardous events: For devices with several distinct high-consequence scenarios (e.g., unintended activation, loss of sterility, user confusion), creating separate bowties for each clarifies risk structure.

  • Barrier and safeguard analysis: Bowtie explicitly identifies existing controls (barriers) and gaps, making it useful for assessing adequacy of mitigation measures.

  • Regulatory submission: Bowties are increasingly requested by regulators in submissions because they clearly show cause-control-consequence relationships.

Choosing the Right Method for Your Device

The selection should be based on device complexity, primary hazard sources, available resources, and regulatory expectations. A decision framework might include: (1) Device complexity—simple devices may need only PHA; complex systems may require FMEA plus FTA. (2) Primary hazard types—hardware failures suggest FMEA; complex system failures suggest FTA; process deviations suggest HAZOP. (3) Regulatory precedent—what methods do regulatory submissions in your device category typically include? (4) Team expertise—FMEA and PHA are widely understood; FTA and HAZOP require more specialized training.

Most organizations use a tiered approach: PHA early in design to identify high-risk areas, followed by FMEA on hardware and software components, supplemented with FTA for high-consequence hazards and HAZOP for process-intensive aspects. This combination leverages the strengths of each method and provides comprehensive hazard coverage.

Combining Methods for Better Hazard Coverage

The most effective approach is to combine methods rather than rely on a single technique. For example: (1) Begin with PHA to identify high-risk design aspects and hazard categories. (2) Use FMEA to analyze component failures and their immediate effects. (3) Apply FTA to high-consequence hazards to understand failure combinations. (4) Conduct HAZOP for process-intensive aspects to uncover non-obvious deviations. (5) Create bowties to visualize integrated cause-consequence relationships for critical hazards.

This multi-method approach requires more effort upfront but yields several benefits: (a) gaps identified by one method may be caught by another, (b) different methods suit different hazard types, so combined use provides comprehensive coverage, (c) cross-checking results across methods validates that major hazards have been identified, and (d) the variety of analyses creates a stronger, more persuasive regulatory submission.

💡 Matrix Req's integrated risk management module supports multiple risk analysis methods, automatically links hazards to design elements and risk controls, maintains traceability across FMEA, FTA, and other analyses, and generates impact analysis to show how design changes affect identified hazards and mitigation strategies.

  • FMEA is most effective for systematic, component-level failure analysis but may miss complex interactions.

  • FTA excels at tracing how multiple failures combine to cause hazardous events and is ideal for high-consequence hazards.

  • HAZOP is superior for identifying non-obvious deviations in process parameters and user interactions.

  • PHA provides high-level hazard scoping early in design with minimal resource investment.

  • Bowtie combines cause and consequence analysis in a visual format ideal for stakeholder communication and barrier assessment.

Effective risk management relies on selecting and executing analysis methods that match device complexity and hazard profiles. Organizations that invest in rigorous, multi-method risk analysis build confidence in device safety and design robustness, provide comprehensive evidence to regulators, and create a documented record that survives post-market scrutiny. The choice of method is not a compliance checkbox—it is a strategic decision that directly impacts design quality and regulatory success.
