Stop Using RPN for Safety Risk: Why ISO 14971 Rejected Detection and What Auditors Actually Want

Executive Takeaway

• What is misunderstood: FMEA Risk Priority Numbers (RPN = Severity × Occurrence × Detection) are NOT valid for ISO 14971 risk evaluation. ISO 14971 uses only Severity + Probability of Occurrence — two factors, not three.
• Why it matters: Notified Bodies and FDA auditors routinely cite RPN-based risk files as nonconformities. The QMSR (effective Feb 2, 2026) strengthens ISO 14971 linkage, making this error even more audit-critical.
• What to do next: Audit your risk management file: if risk acceptability decisions are based on RPN thresholds, restructure around a severity × probability matrix with ALARP/AFAP criteria before your next audit.

The 8-Week Problem

An RA manager at a mid-size Class II device company is preparing for a Notified Body re-certification audit in eight weeks. She pulls up the risk management file and discovers that every risk acceptability decision is based on FMEA Risk Priority Numbers — RPN thresholds of 80 and 200, no severity × probability matrix anywhere. Three product families share the same template. The quality engineer who built it left two years ago, and nobody questioned the methodology. The previous auditor flagged the RPN approach as an observation. This time, with the QMSR in effect, that observation will almost certainly become a major finding. Eight weeks to restructure across three product lines.

What the Regulation Actually Requires

ISO 14971 vs ISO 60812: Two Standards, Two Purposes

Evidence Box: Regulatory Sources

Why ISO 14971 Deliberately Excludes Detection

1. Detection does not reduce harm

If a device with a design flaw ships, the harm potential exists regardless of whether inspection could have caught it. ISO 14971 evaluates risk to the patient, not quality control effectiveness.

2. Detection is a control measure, not a risk evaluation input

Under Clause 7, risk controls include inherent safety by design, protective measures, and information for safety. Detection belongs in this control category — something you implement to manage risk, not a factor in evaluating it.

3. The mathematical problem with RPN

RPN multiplies ordinal scales: 5×2×3 = 30 appears identical to 3×5×2 = 30, but these represent fundamentally different risk profiles. High severity with low occurrence is not the same as moderate severity with higher occurrence. RPN forces them into the same bucket.

Common Failure Modes: 6 Mistakes Teams Make

1. Copying the FMEA RPN template from automotive

The AIAG FMEA manual uses RPN for manufacturing process prioritization. Automotive FMEA prioritizes process improvements, not patient safety acceptability. When an auditor sees RPN thresholds copied from AIAG, they know the methodology was not built around ISO 14971.

2. Using single-axis risk scoring

Collapsing severity and probability into one composite number (S + P or a weighted index) eliminates the ability to distinguish catastrophic-improbable risks from minor-frequent risks. Auditors expect a two-dimensional matrix where both axes are independently visible.

3. Setting arbitrary RPN thresholds without clinical justification

Why is RPN 79 acceptable but 81 is not? The threshold is a mathematical artifact. ISO 14971 requires risk acceptability criteria defined with clinical rationale, not an arbitrary cutoff number.

4. Treating detection as a risk evaluation input

A device with a critical design flaw is equally dangerous whether inspection catches it 90% or 10% of the time. Detection is a quality control measure you verify separately — including it in risk evaluation masks the true severity.

5. Not updating the risk file after CAPA or field complaints

ISO 14971 Clause 10 requires post-production information review. If your risk analysis still shows P2 (Remote) for a failure mode that generated 15 complaints in 12 months, the probability estimate is no longer defensible.

6. Missing benefit-risk analysis for high-risk devices

EU MDR Annex I Section 3 requires evaluation of whether overall residual risk is acceptable in light of clinical benefit. For Class III devices and implantables, omitting this analysis is a predictable nonconformity.

Audit-Proof Checklist

Every element below should be present and traceable in your risk management file before a Notified Body or FDA audit.

The 10-Step Risk Evaluation Workflow

Step 1: Define risk management plan scope

Identify the device, intended use, and process boundaries. The plan must cover the full lifecycle from design through post-market surveillance.

Step 2: Define risk policy (ALARP/AFAP criteria)

State criteria for acceptable, ALARP (As Low As Reasonably Practicable), and unacceptable risk. These criteria must be clinically justified.

Step 3: Identify hazards (per Clause 5.4)

Use FMEA, Fault Tree Analysis, HAZOP, or PHA to identify failure modes. Map each to a hazardous situation.

Step 4: Estimate risk for each hazardous situation

Estimate the full chain: P(hazardous situation) × P(harm | hazardous situation).

Step 5: Build severity scale (S1–S5)

• S1: Negligible — Inconvenience, no injury
• S2: Minor — Temporary injury, no intervention needed
• S3: Serious — Injury requiring intervention
• S4: Critical — Permanent impairment or life-threatening
• S5: Catastrophic — Death

Step 6: Build probability scale (P1–P5)

Account for the combined probability of the hazardous situation arising and harm resulting from that situation.

Step 7: Construct risk acceptability matrix

Step 8: Apply risk controls (priority order per Clause 7.1)

1. Inherent safety by design
2. Protective measures in the device or manufacturing process
3. Information for safety (labeling, IFU)

Step 9: Evaluate residual risk

Re-evaluate using the same matrix. Residual risk must fall within acceptable or ALARP regions. If unacceptable, add controls or perform benefit-risk analysis.

Step 10: Document the risk management report

Summarize: plan executed, hazards evaluated, controls verified, residual risk acceptable, post-market collection planned.

Do / Don’t Reference

Practical Example: Class II Infusion Pump

If your device is a Class II infusion pump and you observe a pattern of over-infusion complaints, here is how to apply the workflow.

Hazard: Over-delivery of drug due to flow rate control failure. Severity: S4 (Critical) — overdose can cause organ damage or death. Probability: Complaint data shows 8 confirmed events across 12,000 units over 18 months — P3 (Occasional). Matrix placement: S4 × P3 = Unacceptable.

Controls: (1) Redesign flow sensor with redundant channel, (2) software alarm at >10% deviation, (3) update IFU with verification procedure. Residual risk: Probability drops to P1. S4 × P1 = ALARP — document justification.

Mini-Template: Risk Analysis Row

What Happens When Risk Management Fails: Evidence from 646,565 FDA Records

The following enforcement actions from the TrueMedDevice database illustrate the real-world consequences of inadequate risk management processes.

1. Z-1318-2016 (Card #2604): Knee resurfacing system — inadequate design control; risk process failed to identify known failure modes before distribution.
2. Z-1631-2014 (Card #12684): Bariatric bed — complete absence of design controls and Device Master Record.
3. Z-0888-2022 (Card #35316): Custom orthodontic devices distributed before design control completion; no risk evaluation before market release.
4. Z-0118-2020 (Card #27398): Dorsal wrist plate recalled — specification modifications not qualified through design controls or risk re-evaluation.
5. Z-2138-2012 (Card #6403): Water storage system manufacturer lacked design control procedures entirely.

The pattern: these failures did not stem from choosing the wrong scoring method. They stemmed from not having systematic risk management at all. A well-implemented ISO 14971 system prevents these outcomes.

Ask a Risk Management Question — Grounded in Real Data

Our Regulatory Intelligence tool searches 646,565 FDA and Health Canada records for cross-verified, cited answers.

Example questions:

• “What FDA enforcement actions cite risk management deficiencies for infusion pumps?”
• “Compare ISO 14971 and QMSR risk management requirements for Class III devices”
• “Show me recalls in the last 2 years where risk analysis was cited as inadequate”

Answers are grounded in real regulatory and PMS datasets with traceable citations.

Ask a Risk Management Question →

Close the Risk Management Feedback Loop

ISO 14971 Clause 10 requires manufacturers to collect and review post-production information. TrueMedDevice helps you filter regulatory signals into audit-ready evidence:

• Monitor enforcement actions and recalls matching your device profile automatically
• Build decision logs linking field signals to risk file updates
• Generate audit-ready traceability reports from complaint trending to risk re-evaluation

See the PMS Demo →

Conclusion

Risk management is not a checkbox exercise. ISO 14971 provides a clear framework: severity and probability, nothing more. Teams that align with the standard reduce audit findings and build safer devices. If your risk file relies on RPN thresholds, restructure around a severity × probability matrix, define ALARP criteria, and close the post-market feedback loop. The QMSR has made this alignment more critical than ever. Ask a specific question about risk management enforcement in your device category, or see how TrueMedDevice closes the PMS loop.