URRA vs Use Risk Analysis: Same Words, Different Worlds
If you’ve worked across both FDA Human Factors submissions and ISO 14971/IEC 62366-1 programs, you’ve probably hit this wall:
Both documents get called Use Risk Analysis, URRA, or something similar. Both live in the HFE file. Both reference use errors. And yet they are not the same thing, and conflating them can cause real problems in submissions.
The URRA (FDA’s Use-Related Risk Analysis)
FDA Human Factors guidance (Content of Human Factors Information in Medical Device Marketing Submissions, Guidance for Industry and Food and Drug Administration Staff, May 2026, and Purpose and Content of Use-Related Risk Analyses for Drugs, Biological Products, and Combination Products, Draft, July 2024) describes the URRA as a tool for scoping your HFE program. Its job is to identify which tasks are critical, meaning which use errors or use difficulties could directly cause or contribute to harm. The URRA drives what goes into your summative evaluation protocol. It’s fundamentally a prioritisation document, and it also serves as a summary of the use-related risk that helps streamline FDA review.
The Use Risk Analysis (IEC 62366-1 / ISO 14971)
Under IEC 62366-1, the Use Risk Analysis (sometimes formatted as a Use FMEA) sits within the broader risk management process governed by ISO 14971. Here, you’re evaluating use-related hazards, estimating probability and severity, and feeding outputs into the risk control cycle. It’s integrated with your risk file, not just your HFE file. The focus isn’t just identifying tasks that should be included in the summative evaluation; it’s identifying the use risks and their controls, and determining residual risk and its acceptability.
So why is it confusing?
The FDA Human Factors guidance seems to have borrowed the language of ISO 14971/IEC 62366-1 without fully aligning to it, which created practical ambiguity for manufacturers attempting to comply with the FDA guidance and the international standards simultaneously. Identifying usability hazards and risks is a goal of both frameworks, but the scope, structure, trigger points, and outputs are different. FDA Human Factors reviewers care about whether you identified the right critical tasks and tested them (FDA does care about compliance to ISO 14971, but it is not explicitly required for marketing clearance or approval). Notified Bodies care about whether use-related hazards are traceable through your risk management system.
Additionally, terminology differs: IEC 62366-1 refers to identifying hazard-related use scenarios and then selecting which ones should be evaluated as part of the summative study. The FDA guidance talks about critical tasks being included. Different terminology but essentially the same thing – Hazard-related Use Scenarios selected for summative evaluation = Critical tasks.
The result? Teams sometimes build a URRA that satisfies neither requirement: insufficient content for an ISO 14971 risk file, and not focussed enough on use-related tasks to support clear identification of critical tasks for an FDA submission.
The fix isn’t complicated, but it requires knowing the requirements and goals of each framework, and building your documentation appropriately, even if the deliverable looks similar on the surface.
If your team is navigating a dual submission (FDA + CE mark), make sure you can clearly articulate how these two analyses relate and where they diverge. Reviewers on both sides will ask.
Can you do both in one document?
Yes - and for dual submissions, a combined document is often the most practical approach. The key is making the structure explicit so that the content required by both the standards and the FDA guidance is included.
A well-designed combined document typically works in layers. The first layer covers the full Use Risk Analysis aligned to ISO 14971 and IEC 62366-1: hazard identification, hazardous situations, potential harm and its associated severity, probability estimates, risk controls, and traceability of implementation and effectiveness of the risk controls. The second layer, aimed at adherence to the FDA guidance, can live as a clearly marked section or summary table of hazard-related use scenarios associated with harm (or serious harm, depending on product type), together with identification of the critical tasks and the user interface controls requiring validation, ensuring they are mapped to the validation protocol.
The traceability between the two layers is what makes the combined document work. If a task appears in the summative evaluation, a reviewer should be able to trace it back to a use-related hazard and the appropriate risk control. If a hazard-related use scenario doesn’t require evaluating in a summative study (not a critical task), that should be explicit too - either the severity doesn’t meet the threshold, or the design has already controlled the risk sufficiently.
Where teams run into trouble is when they try to write one document that’s vague enough to work for both and ends up insufficient for either. Combining them only works when you’ve been deliberate about which rows, columns, and sections are answering the regulatory question. Label it. Cross-reference it. Don’t make your reviewer guess.






