
Hazard Analysis Methods for Medical Devices: FMEA vs FTA vs PHA vs Use-Related Risk Analysis

Complete comparison of hazard analysis methods for medical device risk management — when to use FMEA, FTA, PHA, HAZOP, and use-related risk analysis under ISO 14971, IEC 62366, FDA, and EU MDR requirements, with examples and decision guidance.

Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-04-24 · 13 min read

Why One Risk Analysis Method Is Never Enough

ISO/TR 24971:2020 — the companion technical report to ISO 14971 — states explicitly that risk analysis techniques are "complementary, and it can be necessary to use more than one of them in order to support a thorough and complete risk analysis." Yet many medical device manufacturers rely almost exclusively on FMEA, treating it as the default tool for every risk analysis scenario.

This approach creates real compliance gaps. FMEA is a bottom-up failure analysis tool that examines single fault conditions. But hazards can arise during normal device operation, from combinations of events, or from user interaction — scenarios that FMEA alone cannot adequately capture. Notified bodies and FDA investigators increasingly expect manufacturers to justify why specific risk analysis methods were chosen and to demonstrate that multiple methods were applied where appropriate.

This guide compares the major hazard analysis methods used in medical device risk management, explains when each is most effective, and provides practical guidance for building a multi-method risk analysis strategy.

The Regulatory Foundation

ISO 14971:2019 requires manufacturers to identify hazards and hazardous situations, estimate and evaluate associated risks, implement controls, and monitor residual risk throughout the product lifecycle. The standard does not mandate any specific analysis technique. Instead, ISO/TR 24971:2020 Annex B lists recognized techniques and advises manufacturers to select methods appropriate to the device, its complexity, and the phase of development.

Key regulatory expectations:

  • FDA: The Agency's design control guidance and risk management presentations reference PHA, FMEA, FTA, and benefit-risk analysis as recognized techniques. FDA expects the risk analysis method to match the complexity of the device and the nature of the hazard.
  • EU MDR: Annex I, General Safety and Performance Requirements (GSPR) 1–4, require risks to be reduced "as far as possible" (without adversely affecting the benefit-risk ratio) and, in GSPR 4, set the order of priority for risk control: inherently safe design and manufacture, then protection measures such as alarms, then information for safety and, where appropriate, user training. Notified bodies scrutinize whether the analysis methods chosen are sufficient to identify all foreseeable hazards, including those arising from normal use and user interaction.
  • IEC 62366-1: Requires use-related risk analysis as a distinct activity integrated with the overall ISO 14971 risk management process.

Method 1: Preliminary Hazard Analysis (PHA)

What It Is

PHA is a top-down, early-stage risk analysis technique used to identify potential hazards and hazardous situations when device design details are still limited. It uses brainstorming, checklists (such as the example hazards in ISO 14971:2019 Annex C, Table C.1, and the questions on characteristics related to safety in ISO/TR 24971:2020 Annex A), and analysis of intended use to produce an initial hazard inventory.

When to Use It

  • Project initiation and concept phase: Before the design architecture is defined
  • Predicate device analysis: When reviewing hazards from similar devices already on the market
  • Risk management planning: As the first pass to populate the hazard log and prioritize areas for deeper analysis

Strengths

  • Can be performed with minimal design information — only intended use and basic device description needed
  • Broad coverage of hazard categories (mechanical, electrical, thermal, chemical, biological, radiation, software, data/cybersecurity, usability)
  • Quick to execute, making it suitable for early risk prioritization
  • ISO 14971:2019 Annex C provides a ready-made list of hazard categories and example hazards, and ISO/TR 24971:2020 Annex A provides the accompanying question checklist

Limitations

  • Not detailed enough for design-level risk estimation
  • Relies heavily on team experience and brainstorming quality
  • Does not model sequences or combinations of events

PHA Example

For a surgical laser system:

Hazard Category | Hazard                 | Hazardous Situation                       | Potential Harm               | Initial Risk
Thermal         | Excessive laser energy | Misaligned beam strikes non-target tissue | Burns, tissue necrosis       | High
Optical         | Reflected beam         | Laser reflects off surgical instrument    | Eye damage to surgical staff | High
Electrical      | Power surge            | Component failure during procedure        | Electrocution                | Medium

Method 2: Failure Mode and Effects Analysis (FMEA)

What It Is

FMEA (defined in IEC 60812) is a bottom-up analysis technique that systematically examines potential failure modes of components, subsystems, or process steps, determines their effects, and prioritizes them using severity, occurrence, and detection ratings.

When to Use It

  • Design phase (DFMEA): When the design architecture, component selection, and interfaces are defined
  • Process phase (PFMEA): When manufacturing processes are being designed or validated
  • Software risk analysis: For analyzing software failure modes in devices with software components (IEC 62304 requires software risk management that feeds into the ISO 14971 process)
  • Post-market risk updates: When analyzing failure modes identified through complaint data or field returns

Strengths

  • Systematic and structured — reduces the chance of missing individual failure modes
  • Produces a Risk Priority Number (RPN) that helps prioritize corrective actions (note that different severity, occurrence and detection combinations can yield the same RPN, so a high-severity failure mode with a low RPN still needs attention; IEC 60812:2018 discusses alternatives to ranking by RPN alone)
  • Widely understood and accepted by auditors and notified bodies
  • Can be applied at component, subsystem, or system level

Limitations

  • Analyzes only fault conditions: Cannot identify hazards that arise during normal device operation (e.g., side effects of a drug delivery device working exactly as intended)
  • Single-fault analysis: Does not model combinations of failures or sequences of events
  • Requires mature design: Cannot be effectively started until the design architecture is defined
  • Not a hazard analysis: Failure modes are not the same as hazardous situations. A failure mode may initiate a sequence leading to a hazardous situation, but hazardous situations can also occur without any device failure

Critical Distinction: FMEA vs ISO 14971 Hazard Analysis

Characteristic | FMEA                              | ISO 14971 Hazard Analysis
Scope          | Fault conditions only             | Normal and fault conditions
Starting point | Components and failure modes      | Hazards and characteristics related to safety
End point      | Effects of failure                | Hazardous situations and the harm they can cause
Analysis type  | Bottom-up                         | Top-down and bottom-up
Objective      | Device reliability                | Patient safety
Combinations   | Single faults only                | Sequences and combinations of events
When started   | After design architecture defined | At concept phase

Method 3: Fault Tree Analysis (FTA)

What It Is

FTA (defined in IEC 61025) is a top-down, deductive analysis technique that starts with an undesired top event (a specific harm or hazardous situation) and works backward to identify all the combinations of root causes and failures that could lead to that event, using Boolean logic gates (AND, OR).

When to Use It

  • High-severity hazards: When a specific harm is severe enough that all possible causes must be identified
  • Complex systems: When multiple subsystems interact and failures can cascade
  • Combination fault analysis: When you need to model AND conditions (two or more failures that must all be present before the top event occurs, for example a fault plus a defeated safeguard)
  • Root cause investigation: For post-market analysis of adverse events
  • Complement to FMEA: When FMEA has identified a high-risk failure mode and you need to trace all possible root causes

Strengths

  • Models combinations of events using AND/OR logic — critical for systems with redundancy
  • Provides visual representation of causal chains that auditors can follow
  • Quantitative FTA allows probability calculation for the top event
  • Excellent for analyzing high-severity, low-probability events where FMEA may underperform

Limitations

  • Requires detailed knowledge of the system to construct meaningful fault trees
  • Becomes complex and unwieldy for large systems
  • Focuses on a single top event per tree — you need separate trees for different hazardous situations
  • Does not easily capture human factors or use-related risks

FTA Example

For the surgical laser's "excessive laser energy to non-target tissue" hazard:

Top Event: Excessive energy to non-target tissue
└── OR Gate
    ├── Operator misalignment
    │   └── AND Gate
    │       ├── Insufficient training
    │       └── No alignment verification system
    ├── Beam delivery system failure
    │   └── OR Gate
    │       ├── Fiber optic cable damage
    │       ├── Mirror misalignment
    │       └── Calibration drift beyond limits
    └── Control system failure
        └── AND Gate
            ├── Software output exceeds set limits
            └── Hardware interlock bypassed
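
The fault tree above, evaluated in code. This is an added example written for this page, not part of the original article and not any manufacturer's risk file: it encodes the tree as nested AND/OR gates, derives the minimal cut sets (the smallest combinations of basic events that cause the top event), and computes the top-event probability, first exactly for independent basic events that each appear once, then with the rare-event approximation commonly used in quantitative FTA. The per-procedure basic-event probabilities are constructed placeholders chosen only to illustrate the arithmetic, not measured data.

```python
"""Evaluate a fault tree: minimal cut sets and top-event probability.

Added example for this page; the basic-event probabilities below are
constructed placeholders, not data from any real device.
"""
from itertools import product
from math import prod

# Gate nodes are ("AND", [children]) or ("OR", [children]); leaves are
# basic-event names. This mirrors the surgical-laser tree in the text.
LASER_FAULT_TREE = ("OR", [
    # Operator misalignment
    ("AND", ["Insufficient training", "No alignment verification system"]),
    # Beam delivery system failure
    ("OR", ["Fiber optic cable damage", "Mirror misalignment",
            "Calibration drift beyond limits"]),
    # Control system failure
    ("AND", ["Software output exceeds set limits", "Hardware interlock bypassed"]),
])

# Constructed per-procedure probabilities, chosen only to illustrate the math.
BASIC_EVENT_PROB = {
    "Insufficient training": 0.05,
    "No alignment verification system": 0.10,
    "Fiber optic cable damage": 1e-4,
    "Mirror misalignment": 2e-4,
    "Calibration drift beyond limits": 5e-4,
    "Software output exceeds set limits": 1e-3,
    "Hardware interlock bypassed": 1e-2,
}


def minimal_cut_sets(node):
    """Return the minimal cut sets of `node` as a set of frozensets.

    A cut set is a set of basic events that, if all occur, cause the top
    event; a minimal cut set has no proper subset that is also a cut set.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        cuts = set().union(*child_sets)          # any one child suffices
    elif gate == "AND":
        cuts = {frozenset().union(*combo)        # one cut set from each child
                for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Boolean absorption: a cut set that contains another cut set is not minimal.
    return {c for c in cuts if not any(other < c for other in cuts)}


def single_point_failures(cut_sets):
    """Basic events that cause the top event on their own (size-1 cut sets)."""
    return sorted(next(iter(c)) for c in cut_sets if len(c) == 1)


def top_event_probability(node, probs):
    """Exact gate-by-gate probability.

    Valid only when basic events are independent and no event appears
    under more than one gate (true for the tree above).
    """
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    child_probs = [top_event_probability(child, probs) for child in children]
    if gate == "AND":
        return prod(child_probs)
    return 1.0 - prod(1.0 - p for p in child_probs)   # OR gate


def rare_event_approximation(cut_sets, probs):
    """Sum of cut-set probabilities: an upper bound on the exact value that
    is tight when all basic-event probabilities are small."""
    return sum(prod(probs[event] for event in cut) for cut in cut_sets)


if __name__ == "__main__":
    cuts = minimal_cut_sets(LASER_FAULT_TREE)
    for cut in sorted(cuts, key=len):
        print(f"cut set ({len(cut)} event(s)): {' AND '.join(sorted(cut))}")
    print("single-point failures:", single_point_failures(cuts))
    print(f"P(top) exact:      {top_event_probability(LASER_FAULT_TREE, BASIC_EVENT_PROB):.6f}")
    print(f"P(top) rare-event: {rare_event_approximation(cuts, BASIC_EVENT_PROB):.6f}")
```

Running it lists five minimal cut sets, three of which are single basic events under the beam delivery branch. That is the practical output of an FTA: each of those three events defeats the top event alone, so that branch deserves the first design attention (a second, independent barrier), while the operator and control-system branches already require two coincident conditions. The exact calculation is only valid because no basic event appears under more than one gate; with repeated events, compute from the minimal cut sets with inclusion-exclusion instead of propagating probabilities gate by gate.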

Method 4: Use-Related Risk Analysis (URRA)

What It Is

Use-related risk analysis, required by IEC 62366-1 and recommended by FDA's human factors guidance, specifically addresses hazards arising from user interaction with the device. Unlike FMEA (which examines device failures), URRA examines how normal or abnormal use by the operator can lead to hazardous situations — even when the device is functioning correctly.

When to Use It

  • All devices with user interfaces: Any device requiring human interaction (physical controls, displays, software interfaces)
  • Home-use devices: Where users may be untrained patients or caregivers
  • Complex clinical workflows: Where use errors are likely (e.g., infusion pump programming, surgical instrument assembly)
  • Complement to hazard analysis: As a required input into the overall ISO 14971 risk management process

Strengths

  • Captures risks that FMEA and FTA miss — specifically, use errors that occur during normal device operation
  • Aligns with IEC 62366-1 usability engineering process and FDA human factors expectations
  • Uses task analysis to systematically decompose user interactions into steps where errors can occur
  • Drives design improvements in the user interface, which is the most effective risk control for use-related hazards

Limitations

  • Requires user research (contextual inquiry, formative testing) to identify use errors the development team would not anticipate
  • Cannot replace device-level hazard analysis — it addresses a different category of risk
  • Summative usability testing is needed to validate effectiveness of use-related risk controls

URRA Example

For an auto-injector device:

User Task         | Potential Use Error                                              | Hazardous Situation      | Potential Harm
Remove cap        | Fail to remove cap before injection                              | Drug not delivered       | Delayed treatment
Select dose       | Select wrong dose from display                                   | Overdose or underdose    | Adverse drug reaction, therapeutic failure
Inject            | Inject at wrong site (e.g., into muscle instead of subcutaneous) | Improper drug absorption | Reduced efficacy, local tissue damage
Hold for duration | Remove needle too early                                          | Incomplete dose delivery | Therapeutic failure

Method 5: HAZOP and Other Specialized Techniques

HAZOP (Hazard and Operability Study)

HAZOP is a structured brainstorming technique that uses guide words (e.g., "more," "less," "no," "reverse") applied to process parameters to identify deviations. In medical devices, it is particularly useful for:

  • Fluid delivery systems (infusion pumps, dialysis machines)
  • Gas delivery systems (ventilators, anesthesia machines)
  • Chemical processing in IVD manufacturing

Event Tree Analysis (ETA)

ETA starts with an initiating event and traces forward through a series of barriers or safeguards to determine possible outcomes. It is useful for analyzing the effectiveness of protective measures in sequence.

HACCP (Hazard Analysis and Critical Control Points)

HACCP is primarily used in food and pharmaceutical manufacturing but applies to medical device sterilization processes and manufacturing environments where contamination control is critical.

Choosing the Right Method: Decision Framework

Device Characteristic                    | Primary Method     | Complementary Method
Early concept, minimal design detail     | PHA                |
Complex electromechanical system         | DFMEA              | FTA (for high-severity hazards)
Software-heavy device                    | DFMEA (software)   | FTA (for critical fault paths)
Device with significant user interaction | URRA (IEC 62366-1) | DFMEA
Fluid/gas delivery system                | DFMEA              | HAZOP
Implantable Class III device             | All methods        | FTA for critical hazards, URRA for surgical use
Post-market root cause analysis          | FTA                |

Practical Sequencing Strategy

  1. Start with PHA during concept phase using ISO 14971 Annex C hazard checklist
  2. Conduct URRA once user profiles and use scenarios are defined (IEC 62366-1)
  3. Apply DFMEA once design architecture is established
  4. Use FTA for any high-severity hazard identified in steps 1–3
  5. Apply PFMEA during manufacturing process development
  6. Iterate: Update all analyses as the design evolves and post-market data becomes available

Common Mistakes to Avoid

1. Using FMEA as the Only Risk Analysis Method

FMEA alone does not meet the requirements of ISO 14971 because it only addresses fault conditions and single failures. Normal-use hazards, combination events, and use-related risks require complementary methods.

2. Confusing Failure Modes with Hazardous Situations

A failure mode is how a component or function fails. A hazardous situation is the circumstance in which a person is exposed to a hazard. These are not the same. A failure mode may lead to a hazardous situation through a sequence of events, but hazardous situations can also occur during normal operation without any device failure.

3. Mixing Risk Models Across Methods

FMEA ranks failure modes by severity × occurrence × detection (the RPN), where "occurrence" is the likelihood of the failure mode and "detection" reflects whether the failure would be caught before it reaches the user. ISO 14971 defines risk as the combination of the probability of occurrence of harm and the severity of that harm; there is no detection factor, and the probability refers to harm reaching a person, not to a component failing. Do not combine these scales or transfer RPN ratings directly into a hazard analysis table. Each method has its own risk model, and an RPN threshold is not a risk acceptability criterion.

4. Applying Methods Without Documenting the Rationale

ISO 14971 and notified bodies expect manufacturers to justify why specific methods were chosen. Document in the Risk Management Plan which methods will be used, for which hazards, and why.

5. Performing Risk Analysis After Design Is Complete

Risk analysis must begin at the concept phase (PHA) and continue throughout development. Conducting FMEA as a paperwork exercise after the design is frozen defeats the purpose of risk-driven design.


Checklist: Multi-Method Risk Analysis

  • Risk Management Plan specifies which analysis methods will be used and why
  • PHA performed at concept phase with ISO 14971 Annex C hazard categories
  • URRA conducted for all user interface devices per IEC 62366-1
  • DFMEA applied once design architecture is defined
  • FTA used for high-severity hazards and combination fault analysis
  • PFMEA applied during manufacturing process development
  • Risk models are consistent within each method and not mixed across methods
  • Hazard log cross-references inputs from multiple analysis methods
  • All analyses are updated as the design evolves
  • Results feed into the Risk Management File with full traceability

Key Takeaways

No single risk analysis method provides complete coverage for a medical device. PHA captures early hazards with minimal design information. FMEA systematically identifies individual failure modes. FTA models combination events and traces root causes of high-severity hazards. URRA addresses the unique category of use-related risks. The most effective risk management strategies apply multiple complementary methods at the right stage of development, document the rationale for method selection, and maintain traceability across all analyses in the Risk Management File. Regulators and notified bodies increasingly expect this multi-method approach — and the devices that follow it are safer for patients.