Application of Risk Analysis Techniques in Jama to Satisfy ISO 14971

About this Paper

Working with more than 200 medical device developers, Jama Software has established best practices for risk management in Jama Connect™.

This paper takes you through the main clauses of ISO 14971 — the FDA’s mandatory standard for risk assessment in medical devices — and outlines how Jama Connect gives you a comprehensive way to manage risk and requirements throughout development.

Learn how to:

  • Understand ISO 14971 and FMEA
  • Identify, analyze and mitigate risk
  • Connect risks and requirements
  • Achieve end-to-end traceability
  • Ease the path to compliance

Medical device developers face tremendous pressure to bring innovative products to market without delay. As the pace of innovation increases, medical devices incorporating both hardware and software components have become standard, and tech companies are taking note of the market opportunity.

Innovation also introduces new challenges for companies trying to outclass competitors and revolutionize patient care. Software issues in medical devices can be devastating, and failure to ensure that products are safe and compliant can result in patient harm, enormous fines, FDA recall and brand erosion.

In the first quarter of 2018, for instance, medical device recalls jumped by 126% — the highest number since at least 2005, according to the Stericycle Recall Index.[i] Software issues were responsible for 78 recalls that quarter, making them the top cause among all recalls.

Given the stakes, safety, compliance and speed are central concerns for medical device developers. And that’s why tools and solutions that define requirements, mitigate risk, guide compliance, avoid errors and streamline the development process are such valuable resources.

Approaches to Risk Management: FMEA vs. ISO 14971

In our experience working with medical device developers — whether they are established thought leaders, disruptive new players or both — we’ve recognized the importance of creating best practices for risk management that a diverse array of developers can leverage for success, rather than organization-specific approaches with limited transferability.

Organization-focused approaches are where Jama Professional Services comes in: providing our customers with expert assistance in optimizing the platform, as well as industry-specific consultation and training.

Medical device developers take different approaches to risk management, depending on their product and market conditions. Companies involved in developing medical devices understand the importance of risk management, but their approaches can vary significantly in terms of the time it takes to manage risk, the ability to connect risks to specific requirements and tests, and the capacity to pull together relevant documentation for an audit.

To meet these challenges, medical device developers need a comprehensive approach to risk management.


Developed in the 1950s, failure modes and effects analysis (FMEA) is the first formal standard for risk management. FMEA is a bottom-up approach for identifying functionality and risk. It’s a strong tool for assessing single-fault failure modes and reliability. In simple terms, FMEA determines whether the product works or not.

However, FMEA isn’t necessarily sufficient to address the complexity of medical device development, and it’s not the best tool for managing risk across the entire product lifecycle. Medical device developers must identify, assess and evaluate risks for hazardous situations by considering every foreseeable sequence of events, including non-failure modes.

Restricting your risk management process to failure modes can cause medical device developers to overlook critical considerations, like patient safety. Risk analysis documentation in FMEA also tends to be neglected and not kept updated, especially once a device has moved from development to production.

ISO 14971

The FDA requires risk assessment as part of design validation and prescribes ISO 14971 as the mandatory standard.

A nine-part standard that establishes a framework for risk analysis, evaluation, control and management, ISO 14971 sees risk management as a product lifecycle process that encompasses development, production and post-production.

ISO 14971 is a top-down analysis that builds toward a holistic goal: optimizing the health, safety and success of the patient or end-user by understanding what type of harm might befall them.

Excel and other tools for document-based requirements management work for smaller projects, but spreadsheets don’t scale to meet the needs of global teams working on large development projects. Excel simply isn’t robust enough to account for the complexity and risk inherent to medical device development, and it can’t provide the end-to-end traceability necessary for satisfying ISO 14971.

Risks vs. Requirements

Jama Connect™ offers a straightforward approach to managing risk according to ISO 14971 in one platform.

The Jama Connect Risk Management Center gives developers and stakeholders the structured, intuitive information system they need to enable collaboration and traceability within the risk management process. By integrating risks and requirements into one system, the Jama Connect Risk Management Center also accelerates automation and helps prepare your organization for regulatory audits.

Risk management is an inextricable part of the medical device development process. For medical device developers, risks are requirements. Risks may take different forms than requirements, and may be more scenario-based, but they are a core principle of product development and should be tied together in one powerful platform.

Analyzing risk helps teams track data and make decisions, which makes risk a natural fit for Jama Connect. Without risks integrated directly into Jama Connect, it’s hard to make the case for complete traceability in your product development process, regardless of your industry or level of regulation.

Meeting Challenges for Medical Device Developers

By looking at three common challenges faced by medical device companies, let’s explore how Jama Connect helps teams mitigate risk simply and effectively during their development processes.

Challenge #1: Traceability in Risk Management

Many medical device companies continue to depend on Excel to capture risk data. Connecting that information back to design controls is a cumbersome and error-prone process.

Excel doesn’t allow for automated traceability, so risks and requirements don’t live in the same system. This makes it tedious and time-consuming to conclusively demonstrate compliance with ISO 14971.

Without risk analysis integrated into Jama Connect, requirements and tests will be orphaned from risk and hazard analysis.

The Jama Connect Risk Management Center allows teams to easily connect risks, requirements and testing in one system where requirements and test results stay live in real time.

Challenge #2: Templates

Jama Connect’s out-of-the-box ISO 14971 template provides industry-specific guidance to get you up and running much faster than a blank Excel spreadsheet. By using a guided template, you’ll spend less time on setup and more time on what’s important: identifying and mitigating risk.

In the Jama Connect Risk Management Center, you can create, modify and lock templates for product- or class-specific use to help ensure standardization across your organization. You can also add columns to improve efficiency and meet organizational needs.

Additionally, the Jama Connect Risk Management Center allows you to set context-rich scales for both probability and severity, and it also supports lookup tables in Risk Level. This eliminates the manual work and Excel expertise required to build a similar template from scratch — no more Vlookups, conditional formatting, cumbersome filtering or complex formulas needed.

Challenge #3: Collaboration

The Jama Connect Risk Management Center makes collaboration easier and more powerful. You can share or limit templates; multiple users can collaborate in real time; and information is saved as you go, giving you a better understanding of the latest version.

Jama Connect Risk Management Center and ISO 14971

Now that we’ve covered how Jama Connect helps users address three common challenges in risk management, let’s dig into how the Jama Connect Risk Management Center provides guidance for teams using ISO 14971 to evaluate risk.

Clause 3 of ISO 14971 concerns how risk is organized and administered for your product line. It requires the formation of a Risk Management Plan throughout the development lifecycle.

The Risk Management Plan is the record of a planned process for risk management: who does what and when, how risks are scored, etc. It’s a component of the Risk Management File, which contains all the outputs for risk.

The Jama Connect Risk Management Center guides compliance with Clauses 4 through 7, which focus on how risk should be managed within the Risk Management Plan.

Clause 4: Risk Analysis

Clause 4 of ISO 14971 requires that medical device developers identify potential hazards and hazardous situations. Each situation and its potential consequences must be evaluated. The Jama Connect Risk Management Center helps teams satisfy Clause 4 by defining device-specific hazards and capturing risk probability and severity.

The Jama Connect Risk Management Center offers risk management templates to capture important information about the risk analysis process, including a description of the device, intended use and the scope of the analysis. Teams can identify and evaluate potential hazards, sequences of events, hazardous situations and harms in a “tabbable” risk analysis table.

Clause 5: Risk Evaluation

Clause 5 requires evaluation of risk for each hazardous situation and the definition of acceptability criteria for determining when risk reduction is required. To satisfy Clause 5, teams take the inputs from Clause 4 and determine the risk level for each hazardous situation.

In the Jama Connect Risk Management Center, risk acceptability criteria can be customized for a particular product line or medical device classification in the risk management template.

The risk analysis table allows users to determine the probability that the hazardous situation occurs or results in harm to a patient by assigning a two-sided P value (probability value) and a severity value. The resultant P total and risk levels give teams an at-a-glance understanding of the risk level of each hazard.

Once defined, the risk acceptability criteria will automatically update the risk analysis table such that the probability of the hazardous situation resulting in harm is accounted for during evaluation.

Clause 6: Risk Control

Clause 6 requires risk control measures to be developed, implemented and verified across the product development lifecycle. Risk control measures could include product design, preventative measures in the product and labeling. Residual risk must be evaluated against acceptability criteria, and risk control measures must be reviewed in case additional risks have been introduced inadvertently.

The risk analysis table lets users identify risk control options for a specific hazardous situation, such as inherent safety by design, protective measures in the medical device or manufacturing process, and safety information.

Risk control measures, implementation verification, and verification of risk control effectiveness can also be accounted for in the risk analysis table. Links to system requirements and verifications in Jama Connect can easily be created from the risk analysis table to demonstrate traceability from hazardous situations to risk controls.

The residual risk evaluation process, including which inputs can change following implementation of risk controls, can be captured with the risk management template. Residual risk evaluation following risk control can also be accounted for within the risk analysis table.

Clause 7: Residual Risk Evaluation

Clause 7 requires evaluation of the medical device’s overall residual risk. If the overall residual risk is unacceptable, it must be demonstrated that the medical benefit outweighs the residual risk.

When defining risk control measures, teams can capture those measures in Jama Connect and link them directly to risks, then update the rankings to determine the residual risk level.

With traceability through all phases of risk, users can quickly identify potential pitfalls in the product development process and address them before they become bigger barriers to success.

The Bottom Line

ISO 14971 requires you to produce a cohesive, well-documented narrative of your product’s lifecycle to assure the FDA that the product is safe, effective and compliant. Any decisions made or actions taken that are not documented are information gaps that could result in your product either never reaching the market or being recalled.

Finding and fixing errors early in the product lifecycle saves money and speeds time to market.

With Jama Connect, medical device developers can conduct reviews of risks and their related risk control measures holistically, so teams are never without clarity and confidence.

From a compliance perspective, the Jama Connect Risk Management Center illuminates the risk management and product development process, while simultaneously generating the required documentation to support that narrative.