What is FMEA and when to use RPN?

March 13, 2017

Per ISO 14971,

Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA) are techniques by which an effect or consequences of individual components are systematically identified and is more appropriate as the design matures.

We won’t go into the details of the FMEA, but often we were asked to explain when (and if / how) the Risk Prioritization Number (RPN) should be used.

The RPN is a numerical value that represents the “risk level” of a certain combination of input factors. These input factors are typically the Severity (S) of the risk and the Occurrence (O) of the risk. Sometimes the Detection (D) value is used in addition to Severity and Occurrence.

In its simplest form the RPN is calculated as follows:

RPN = O x S (x D, if used)

where O, S and D are in a linear scale ranging from 1 (lowest / best case) to typically 5 (highest / worst case).

The use of the RPN is exactly what the name says: prioritization, meaning that risks with higher RPN should receive more attention than the ones with a lower RPN. It can also be used to determine the acceptability of a risk, but this is a decision that each company or project team has to make itself.

Here’s an example – in a typical scenario with only Occurrence and Severity, ranging from 1 to 5, the risk matrix looks like this:

 

SEVERITY

1

2 3 4

5

OCCURRENCE

5

5

10

15 20 25

4

4

8

12

16

20

3

3 6 9 12

15

2

2 4 6 8

10

1 1 2 3 4

5

 

Once you have decided how to classify your RPNs (e.g. 1 to 7 = low, 8 to 15 = Med, 16 to 25 = High), then the matrix is automatically populated:

 

The RPN gives a quick solution regarding the acceptability of a risk, but often companies prefer to use the RPN as a “prioritization” tool only and to color the risk matrix according to other criteria or considerations, for example.

 

To summarize:

1. The use of the RPN in FMEAs is not mandated by ISO 14971; use it only when you think it’s beneficial to your analysis.

2. The RPN is not strictly related to the (un)acceptability of a risk, but it can be used for this purpose.

3. There is no unique formula to calculate the RPN. You can create your own for your specific product / project.

There is no general rule on how to classify your risk based on the RPN or other criteria, this is a decision that each company / project team have to make.

For simple product risk management in Atlassian Jira Cloud (with simple Risk Matrices), try out the SoftComply Risk Manager.

For a more advanced risk management app on Jira Cloud (with both Risk Matrices & RPNs), try out the SoftComply Risk Manager Plus.

Table of Contents

Ready to get started?

Contact us to book a demo and learn how SoftComply can cover all your needs

New Cybersecurity Risk Management Features in Jira
Picture of Marion Lepmets

Marion Lepmets

CEO
November 8, 2024

The Role of Cybersecurity in Medical Device Safety The Global medical device market is a $800 billion business that is rapidly growing, especially in the area of software as a medical device (SaMD). The majority of the SaMD segment is made up of the digital health and digital therapeutics solutions,...

Medical Device Compliance Guide
Picture of Marion Lepmets

Marion Lepmets

CEO
September 23, 2024

Introduction This medical device compliance guide focuses on the key requirements and strategies for navigating the regulatory landscape. We will cover the role of major regulatory bodies like the FDA, the classification of devices, and the importance of quality management. We will also discuss the challenges of global compliance and...

CVSS-FDA-cybersecurity-medical-devices-1712x599-c
Picture of Matteo Gubellini

Matteo Gubellini

Regulatory Affairs Manager
September 16, 2024

This case study describes the experience of a multinational medical device manufacturer meeting the FDA cybersecurity requirements. The company is operating in the MedTech sector developing a class 2/IIb device consisting of hardware and software. The company spent about 2 years working on the security risk management of the device....