
ISO 14971, ISO/TR 24971, IEC 60812 and IEC 61025: how to choose the right risk analysis methods for medical devices


Risk management is a cornerstone of medical device development. It is a major regulatory requirement, mandated by both Regulation (EU) 2017/745 (MDR) and the FDA’s quality system regulations. Beyond compliance, it plays a central role in ensuring the device’s safety, performance, and lifecycle control.


Over the years, ISO 14971 has become the international reference standard for risk management in the medical device industry. It defines the principles to be applied throughout development, production, and post-market surveillance.


But when transitioning from this global framework to the practical implementation of risk analysis, many questions arise:

  • Which methods should be used to identify and evaluate risks?
  • How should failures in a complex system be modeled?
  • Should we use FMEA, FTA, or another technique?
  • Which standards ensure compliance?

This is precisely where ISO/TR 24971 comes into play. It complements ISO 14971 by providing practical guidance on method selection and application. Among others, it references three technical standards that are often misunderstood or misapplied: IEC 60812 (FMEA), IEC 61025 (FTA), and IEC 62502 (failure analysis).


In this article, we break down these standards, clarify their use cases and limitations, and introduce an emerging, non-standardized approach — Relational Risk Analysis (ReRA) — as a possible complement to traditional methods.




The "regulatory" foundation: ISO 14971 and ISO/TR 24971

The ISO 14971:2019 standard is the global reference framework for risk management applied to medical devices. It is required:

  • by the European MDR 2017/745, notably through the requirements of Annex I (§3 on risk control);
  • by the FDA, through 21 CFR 820 (Design Controls, Risk Management), although without a direct reference to the standard.


A structured framework — but not method-prescriptive

ISO 14971 defines the core principles of risk management:

  • Systematic identification of hazards
  • Risk estimation and evaluation
  • Implementation of risk control measures
  • Evaluation of residual risks
  • Post-market surveillance (field feedback, PMCF)

However, the standard does not prescribe any specific method for conducting risk analysis: it defines the objectives, not the tools. It is up to the manufacturer to demonstrate that the methods used are appropriate, justified, and consistent with the current state of the art.


The role of ISO/TR 24971

The complementary document ISO/TR 24971:2020 serves as an application guide to ISO 14971. It provides practical clarifications on:

  • interpreting the standard's requirements,
  • understanding key concepts (hazard, risk, control, clinical benefit),
  • structuring the Risk Management File,
  • and defining acceptable risk criteria.

Most importantly, its Annex B outlines recommended analysis methods, based on the type and complexity of the device:

  • FMEA, based on IEC 60812
  • FTA, based on IEC 61025
  • and other approaches (e.g. HAZOP, HACCP, scenario analysis)

TR 24971 thus serves as a bridge between the general ISO 14971 framework and the operational practices expected by auditors, notified bodies, and competent authorities.




FMEA and IEC 60812: the basic approach

FMEA (Failure Modes and Effects Analysis — known in French as AMDEC) is by far the most widely used risk analysis method in the medical device industry. Its strength? A structured, systematic approach that can be applied at various levels of analysis (component, function, process, etc.).



A bottom-up approach

FMEA follows a bottom-up logic:

  • Start from the lowest elements of a system (components, basic functions),
  • Identify potential failure modes,
  • Evaluate the associated effects on the system or the user,
  • Then determine the most probable causes.

Each mode–effect–cause combination is then assessed based on severity, occurrence, and detectability (the traditional approach, even if ISO 14971 doesn’t formally require these criteria).



The IEC 60812:2018 standard

The IEC 60812 standard provides the formal framework for conducting FMEA. It details:

  • The different types of FMEA: Design FMEA, Process FMEA, Software FMEA, System FMEA;
  • The key elements to document: functions, failure modes, effects, causes, existing controls, recommended actions;
  • How to evaluate and prioritize risks, with or without a numerical indicator such as the RPN (Risk Priority Number).



Typical applications in medical devices

  • Design FMEA: on the device itself, its subsystems, or components.
  • Use FMEA: on the use of the device, linked to IEC 62366.
  • Process FMEA: on manufacturing or assembly processes (aligned with ISO 13485 §7.5).
  • Software FMEA: to anticipate software failures, often combined with scenario-based analysis.



Best practices

  • Make sure the functions analyzed are aligned with the intended use of the device.
  • Involve a multidisciplinary team (engineering, quality, clinical).
  • Integrate the FMEA results into the Risk Management File as per ISO 14971.
  • Avoid relying on FMEA as the sole method for complex or interconnected systems.




FTA and IEC 61025: for complex systems

Fault Tree Analysis (FTA) is a complementary method to FMEA. While FMEA starts from basic failure modes and builds upward toward effects, FTA uses a top-down logic: it begins with a feared event and works step by step to identify the combinations of causes that could lead to it.



A top-down and probabilistic approach

IEC 61025 defines the framework for this method. The analysis involves:

  • Identifying a primary undesired event (e.g., power supply failure in the device),
  • Building a logical tree of potential causes using logic gates (AND, OR, etc.),
  • Quantifying probability of occurrence at each level, if relevant data is available.


This approach allows:

  • Visualization of combined failure scenarios,
  • Analysis of cross-interactions between different subsystems or modules,
  • A more robust evaluation of devices with critical architectures.
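
The steps above, worked on a small tree for the article's example top event (power supply failure). This is an added example, not taken from the original article or from IEC 61025: the tree structure, event names and probabilities are constructed, and basic events are assumed independent.

```python
from itertools import product

# Constructed per-demand failure probabilities (assumed independent).
BASIC = {"mains_loss": 1e-2, "battery_depleted": 5e-3,
         "charger_fault": 2e-3, "regulator_fault": 1e-4}

# Constructed tree for the top event "power supply failure".
# A node is a basic-event name or a (gate, [children]) tuple.
TREE = ("OR", [
    "regulator_fault",
    ("AND", ["mains_loss", ("OR", ["battery_depleted", "charger_fault"])]),
])


def cut_sets(node):
    """All sets of basic events that are sufficient to trigger `node`."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":    # any single child is enough
        return [s for sets in child_sets for s in sets]
    if gate == "AND":   # one cut set from every child, all at once
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Cut sets with every strict superset of another cut set removed."""
    sets = set(cut_sets(node))
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def top_probability(node, p=BASIC):
    """Exact top-event probability by enumerating every basic-event state."""
    mcs = minimal_cut_sets(node)
    names = sorted(p)
    total = 0.0
    for states in product([False, True], repeat=len(names)):
        failed = {n for n, s in zip(names, states) if s}
        if any(m <= failed for m in mcs):
            weight = 1.0
            for n in names:
                weight *= p[n] if n in failed else 1.0 - p[n]
            total += weight
    return total


if __name__ == "__main__":
    for m in minimal_cut_sets(TREE):
        print(sorted(m))           # size-1 sets are single points of failure
    print(f"P(top) = {top_probability(TREE):.4e}")
```

The single-event cut set is what a row-by-row FMEA would also surface; the two-event cut sets are the combined scenarios that only the tree makes visible.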


Typical applications in medical devices

FTA is particularly useful for:

  • Active implantable devices (e.g., pacemakers, neurostimulators),
  • Systems with redundant logic or integrated safety functions (e.g., infusion pumps, ventilators),
  • Devices combining hardware, software, and sensors, such as surgical robotics systems.



Best practices

  • Clearly define the top event being analyzed (one FTA per event).
  • Ensure the fault tree remains understandable and traceable (avoid overly deep or unmanageable trees).
  • Use FTA in combination with FMEA to provide a comprehensive, bidirectional view of risks.
  • Document all probabilistic assumptions in the Risk Management File (RMF) if quantitative evaluation is included.



In summary

FTA requires more effort in modeling, but provides an indispensable systemic view for complex devices. While not always mandatory, its use is strongly recommended when critical functional interdependencies are involved.




IEC 62502: advanced reliability, rarely used in standard medical devices

The IEC 62502:2010 standard addresses a topic adjacent to risk management: failure analysis, aimed at identifying the root causes of a failure. It is often confused with predictive methods like FMEA, but it belongs more to a reactive, post-failure investigation process.



Purpose of the standard

IEC 62502 provides a methodology to:

  • Identify the root cause of a defect observed on a component, subsystem, or system,
  • Define the conditions that led to the failure,
  • Recommend corrective actions to prevent recurrence.

It is typically used after reliability testing or during quality investigations, and not as a proactive risk analysis method.



Use cases in medical devices

In the context of medical devices, this standard may be relevant in specific cases:

  • A critical failure observed during verification or validation testing,
  • A major nonconformity affecting a component in production,
  • A post-market event requiring in-depth investigation (e.g., field safety notice, CAPA plan).


It is particularly useful for:

  • Sensitive electronic components (e.g., integrated circuits, precision sensors),
  • Devices involving complex power technologies (e.g., implantable motors, therapeutic lasers).



Important distinctions

This standard should not be confused with FMEA or FTA:

  • It is used after the fact, not in anticipation of risks,
  • It is rarely required as part of the CE marking or FDA 510(k) submission, unless specifically justified.



In practice

  • It can enrich the Risk Management File if a documented failure leads to sustainable control measures.
  • It is especially valuable in a continuous improvement approach, or as part of post-market surveillance activities.


A non-standardized alternative: Relational Risk Analysis (ReRA)

In addition to standardized methods like FMEA or FTA, emerging approaches are being explored to overcome some of the limitations of traditional models. One such method is Relational Risk Analysis (ReRA) — a non-standardized but conceptually valuable approach for analyzing complex systems.



A paradigm shift

ReRA encourages a shift in how we conceptualize risk:


Instead of viewing risk as a standalone undesired event, it is seen as the result of ineffective mechanisms that are supposed to ensure a given function of the device.


This approach is built on three key pillars:

  • The functions to be ensured (e.g., drug delivery, signal measurement),
  • The mechanisms that implement these functions (hardware, software, human),
  • The potential inefficiencies of these mechanisms, which become the entry point for the risk analysis.

This relational logic — Function ↔ Mechanism ↔ Inefficiency ↔ Risk — enables a more detailed understanding of systemic failures.



A useful method for complex systems

ReRA proves particularly relevant for:

  • Devices integrating software, sensors, and user interfaces,
  • Products with interconnected or redundant operations,
  • High-variability use environments (e.g., home use or patient-worn devices).

It supports dynamic risk mapping, focused on functional logic, and can be used to complement traditional analyses.



Limitations and conditions for use

| Element | ReRA |
| --- | --- |
| Standard status | Not recognized by ISO or IEC |
| Main benefit | Models functional interactions |
| Regulatory use | Acceptable if well justified and documented |
| Complementarity | Can be used to enrich FMEA or FTA |


⚠️ Since ReRA is not formally standardized, using it in a regulatory context requires:

  • A rigorous justification within the technical documentation (Risk Management File),
  • Detailed documentation of the method and its results,
  • A clear alignment with ISO 14971 and Annex I of the MDR requirements.



In summary

ReRA is not meant to replace standardized methods, but it can provide a valuable systemic perspective, especially for innovative or complex projects. Its use requires a strategic position in the risk management plan and a clear explanation of its added value to auditors and reviewers.



Summary table

| Standard / Method | Type of Analysis | Typical Applications | Regulatory Status |
| --- | --- | --- | --- |
| ISO 14971 | Overall risk management | All types of medical devices | Mandatory (MDR & FDA) |
| ISO/TR 24971 | Methodological guidance | Supporting risk analysis methods | Recommended |
| IEC 60812 (FMEA) | Bottom-up failure mode analysis | Design, process, software | Commonly expected |
| IEC 61025 (FTA) | Top-down fault tree analysis | Complex systems, critical architectures | To be justified based on complexity |
| IEC 62502 | Post-incident failure analysis | Reliability, critical electronic components | Optional |
| ReRA (non-standard) | Relational mechanism-based analysis | Interconnected systems, functionally-driven devices | Usable if well justified and documented |




Common mistakes to avoid

Even with the right standards in hand, several recurring mistakes can compromise the quality and credibility of risk analysis:

  • Stacking methods without a clear rationale: Using FMEA, FTA, HAZOP or ReRA in combination without a global strategy can make the analysis unreadable to auditors.
  • Relying solely on FMEA for complex systems: FMEA alone cannot model combined failure scenarios or cross-dependencies. FTA or a complementary approach may be required.
  • Confusing predictive and corrective methods: IEC 62502 is designed for post-failure analysis, not for the preventive risk analysis required by ISO 14971.
  • Underestimating risks introduced by control measures: Any risk control can create new hazards (e.g., added alarms may cause misinterpretation). See ISO 14971 §7.4.
  • Poor documentation or traceability: A well-conducted analysis that is not traceable in the Risk Management File, or not clearly linked to the intended use, will be considered non-compliant.
  • Using non-standard methods without justification (e.g., ReRA): If an alternative method is used, its value, structure, limitations, and alignment with MDR requirements must be clearly explained.



Best practices for manufacturers

Effective risk management is not about choosing a single method, but about ensuring coherence, relevance, and proper documentation of the chosen approach.


Here are some key best practices:

  • Clearly justify the selected methods: Each method (FMEA, FTA, ReRA, etc.) should be tied to a specific purpose: system complexity, type of risk, nature of the device.
  • Adapt the method to the device lifecycle: Design FMEA during development, Process FMEA during industrialization, failure analysis (IEC 62502) after market release, etc.
  • Combine methods when needed: For example, use FMEA to evaluate individual failure modes, and FTA or ReRA to analyze functional or system-level interactions.
  • Document how the methods work together: The Risk Management File (RMF) should clearly explain how each method feeds into the overall risk evaluation.
  • Ensure alignment with the intended use and user profile: Risk analysis must be contextualized: professional vs. lay user, hospital vs. home use, etc.
  • Link identified risks to their control measures: Pay special attention to residual risks and any new risks introduced by mitigation strategies.
  • Prepare for auditor questions: Be ready to explain and defend the rationale behind each method and its implementation, in line with ISO 14971 and MDR Annex I.



Conclusion

Risk management is not just about selecting an analysis method — it’s about building a structured, adapted, and well-documented approach.


The ISO 14971 standard provides the general framework. ISO/TR 24971 offers guidance on how to apply it. Standards like IEC 60812 (FMEA) and IEC 61025 (FTA) provide essential operational tools, while others such as IEC 62502 or ReRA can bring added value in specific contexts.


Ultimately, what matters most is the manufacturer’s ability to:

  • Choose the right method for the right purpose,
  • Justify and explain how these methods work together,
  • Maintain a consistent and traceable approach throughout the product lifecycle.

At CSDmed, we help medical device manufacturers build a robust and compliant risk management system, aligned with regulatory expectations and grounded in practical realities.



You can also consult our article entitled "Understanding the Imperative of Risk Management Plan (RMP) in Medical Devices": https://www.csdmed.mc/en/news/medical-devices-regulation/understanding-the-imperative-of-risk-management-plan-rmp-in-medical-devices-65



FAQ

What’s the difference between FMEA and FTA in medical devices?

FMEA uses a bottom-up approach, analyzing individual failure modes and their effects. FTA uses a top-down approach, modeling combinations of failures that could lead to a critical event.



Which standard applies to FMEA in medical devices?

The reference standard is IEC 60812:2018, which defines the methodology for conducting a Failure Modes and Effects Analysis.



When should FTA (IEC 61025) be used in a medical device project?

When the device has a critical architecture or when combined failure scenarios must be modeled, especially in complex systems.



Is IEC 62502 mandatory for CE marking?

No. It is optional, and typically used for in-depth post-failure analysis, especially in electronics or reliability engineering.



Is ReRA acceptable under the MDR?

Yes, but only if it is well justified and documented. It must be shown to align with ISO 14971 and Annex I of the MDR.



Can multiple risk analysis methods be combined?

Absolutely — and it’s often recommended. For example: use FMEA to identify component-level failures and FTA or ReRA to analyze system-level interactions or functional dependencies.




Need assistance?

CSDmed supports medical device manufacturers with:

  • The selection and combination of risk analysis methods (FMEA, FTA, ReRA, reliability, post-market),
  • The complete structuring of the Risk Management File in compliance with ISO 14971, MDR, and FDA expectations,
  • Audit preparation for Notified Bodies or FDA submissions,
  • The updating and remediation of existing documentation following changes, nonconformities, or design modifications.

Contact us to discuss your projects or request a methodological review of your risk management system.