What is FMEA and when to use RPN?

March 13, 2017

Per ISO 14971,

Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA) are techniques by which an effect or consequences of individual components are systematically identified and is more appropriate as the design matures.

We won’t go into the details of the FMEA, but often we were asked to explain when (and if / how) the Risk Prioritization Number (RPN) should be used.

The RPN is a numerical value that represents the “risk level” of a certain combination of input factors. These input factors are typically the Severity (S) of the risk and the Occurrence (O) of the risk. Sometimes the Detection (D) value is used in addition to Severity and Occurrence.

In its simplest form the RPN is calculated as follows:

RPN = O x S (x D, if used)

where O, S and D are in a linear scale ranging from 1 (lowest / best case) to typically 5 (highest / worst case).

The use of the RPN is exactly what the name says: prioritization, meaning that risks with higher RPN should receive more attention than the ones with a lower RPN. It can also be used to determine the acceptability of a risk, but this is a decision that each company or project team has to make itself.

Here’s an example – in a typical scenario with only Occurrence and Severity, ranging from 1 to 5, the risk matrix looks like this:

 

SEVERITY

1

2 3 4

5

OCCURRENCE

5

5

10

15 20 25

4

4

8

12

16

20

3

3 6 9 12

15

2

2 4 6 8

10

1 1 2 3 4

5

 

Once you have decided how to classify your RPNs (e.g. 1 to 7 = low, 8 to 15 = Med, 16 to 25 = High), then the matrix is automatically populated:

 

The RPN gives a quick solution regarding the acceptability of a risk, but often companies prefer to use the RPN as a “prioritization” tool only and to color the risk matrix according to other criteria or considerations, for example.

 

To summarize:

1. The use of the RPN in FMEAs is not mandated by ISO 14971; use it only when you think it’s beneficial to your analysis.

2. The RPN is not strictly related to the (un)acceptability of a risk, but it can be used for this purpose.

3. There is no unique formula to calculate the RPN. You can create your own for your specific product / project.

There is no general rule on how to classify your risk based on the RPN or other criteria, this is a decision that each company / project team have to make.

For simple product risk management in Atlassian Jira Cloud (with simple Risk Matrices), try out the SoftComply Risk Manager.

For a more advanced risk management app on Jira Cloud (with both Risk Matrices & RPNs), try out the SoftComply Risk Manager Plus.

Table of Contents

Ready to get started?

Contact us to book a demo and learn how SoftComply can cover all your needs

Vendor Security Risk Assessment in Jira
Picture of Marion Lepmets

Marion Lepmets

CEO
October 1, 2025

Every company depends on others to survive. From your cloud provider to your payroll processor, your business is connected to a web of vendors. But here’s the reality: over 60% of data breaches originate from third-party vendors. This is why managing your vendor security risks has become more important than...

31000
Picture of Marion Lepmets

Marion Lepmets

CEO
September 22, 2025

Most companies have informal risk discussions in meetings. You know the type – “What happens if our lead developer leaves?” or “What if this big deal doesn’t close?”. These conversations usually end without any real action plan and you find yourself talking about the same risks over and over again....

RAID in Jira
Picture of Marion Lepmets

Marion Lepmets

CEO
September 16, 2025

Project managers know that uncertainty is the enemy of successful delivery. You’ve got potential risks lurking around every corner, assumptions that might prove wrong, current issues demanding attention and dependencies that could slip at any moment. This is where RAID comes in (and no, I’m not talking about the data...