Published: June 25, 2026
How to run a design FMEA (dFMEA) for a connected medical device, link it to the ISO 14971 risk file, and hand off cyber-triggered failure modes to the threat model the FDA expects.
Blog · Risk Management
Design FMEA for Medical Devices: dFMEA, ISO 14971 & Cybersecurity
How to run a design FMEA (dFMEA) for a connected medical device, link it to the ISO 14971 risk file, and hand off cyber-triggered failure modes to the threat model the FDA expects.
Related articles
Keep reading
-
Risk ManagementFMEA vs Threat Modeling for Medical Devices: Where Safety Risk Ends and Security Risk Begins
FMEA covers random and systematic failure modes; threat modeling covers adversarial action. Both are required for a 524B submission, and they do not substitute for each other. Here is how to scope them, link them, and avoid the gap.
-
Device ClassInfusion Pump Cybersecurity: FDA Expectations in 2026
What the FDA expects from infusion pump cybersecurity submissions in 2026: threat model focus areas, Section 524B evidence, and the deficiencies that delay clearance.
-
Threat ModelingData Flow Diagrams for Medical Device Cybersecurity
What a DFD is, the five DFD elements, and how data flow diagrams feed STRIDE threat modeling and the FDA's Security Architecture Views in a 2026 submission.
Related 524B resources
Keep going: the anchor 524B guides
Deep references on the statute, SBOM monitoring, postmarket planning, and deficiency response. Use these as the working playbook behind every cyber device submission.
-
FDA Section 524B Requirements Explained
The full statute walkthrough: what each subsection of 524B requires and which artifacts satisfy it.
-
SBOM Vulnerability Management for Medical Devices
How to operationalize SBOM monitoring, VEX, and KEV triage against your shipped components.
-
Postmarket Cybersecurity Readiness Plan
Build the 524B(b)(1) plan reviewers expect: named sources, cadence, triggers, and update process.
-
FDA Cybersecurity Deficiency Response Checklist
How to triage and close cybersecurity deficiencies from an FDA hold or AI letter without a second round.
Related services
Put this into practice on your device
Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.
-
Secure MedTech Product Design
Early-stage secure design: architecture, control selection, and SBOM strategy before you lock the design.
-
Medical Device Threat Modeling
STRIDE/attack-tree threat modeling tied to ISO 14971 patient harm - the source of every test case.
-
Full-Service FDA Premarket Cybersecurity
End-to-end §524B premarket package: SPDF, threat model, SBOM, pen test, and eSTAR-ready documentation.
Ready when you are
Get FDA cleared without the cybersecurity headaches.
30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.