Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

FDA Cites Failure to Assess Product Risk in Warning Letter

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

Comply all the time, not just when FDA announces an inspection.

While on his weekly fishing trip on the FDA’s warning letter database pond, Dr. D caught a glimpse of a relatively rare Form 483 observation citing risk management issues. Dr. D felt that this catch was a keeper and worthy of this week’s Devine Guidance (DG). It seems that the FDA is finally starting to take a deeper dive into the application of risk management associated with the design and development of finished medical devices that are safe and effective in their intended use. In fact, ISO 14971:2007 (Recognition Number 5-40) has been listed as a Consensus Standard by the FDA for a few years. European regulators continue to place a significant amount of emphasis on the need for device manufacturers to comply with EN ISO 14971:2012, as well. Prudent device manufacturers have devoted substantial effort into: (a) the development of the Risk Management Plan (RMP); (b) the scripting of the Risk Management Report (RMR); and (c) the creation of the Risk Management File (RMF), including all of the associated goodies such as the hazard analysis and FMEAs. Unfortunately, some device establishments just do not understand all of the little nuances associated with 21 CFR, Part 820.30, including the need for risk management. When it comes to complying with the Quality System Regulation (QSR), Chief Jailable Officers (CJO) that prevaricate (look-it-up) will quickly find themselves in the FDA’s doghouse. Not a nice place to be; woof, woof. Enjoy!

Warning Letter – August 10, 2015

On a positive note, the offending establishment dissected in this week’s DG did have a written and released procedure for risk analysis. Unfortunately, the FDA found that the procedure was not fully established. Additionally, the FDA was not too pleased that updates to an FMEA occurred after the agency notified them of a pending inspection. Considering that product complaints from the summer of 2014 were not added to an FMEA until June 2015—well, the readers know the drill. Bad things were bound to happen to this establishment; and no crystal ball was needed. Just an FYI, the subliminal (look-it-up #2) message being sent by FDA is that it is incumbent upon the device establishment to keep its quality management system in compliance with the QSR at all times and not wait to play catch up when the FDA announces an inspection.

Observation Six (6) – “Failure to maintain a complete risk analysis, as required by 21 CFR 820.30(g). Specifically, section 6.6 “Risk Review” of your “Risk Analysis” procedure, QMS-217 Rev A, dated 06/01/2013, has not been implemented in that post-production data is not being evaluated to determine if the FMEA should be updated to reflect unidentified or changed hazards and if severity, probability and/or detection requires modification.

For example, the new hazard of “cable fraying and exposed wires” that was identified in the summer of 2014 due to complaints was not added to the FMEA until June 9, 2015 after the pre-announcement of the FDA inspection. An additional 6 hazards, regarding laser’s failing, were added to the FMEA after a review of the complaints were completed during the FDA inspection.”

21 CFR, Part 820.30(g) – Design Validation

“Each manufacturer shall establish and maintain procedures for validating the device design. Design validation shall be performed under defined operating conditions on initial production units, lots, or batches, or their equivalents. Design validation shall ensure that devices conform to defined user needs and intended uses and shall include testing of production units under actual or simulated use conditions. Design validation shall include software validation and risk analysis, where appropriate. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the DHF.”

Compliance for Dummies

Risk management is not rocket science, folks. Yes, some familiarity with EN ISO 14971:2012 is warranted; however, the concept associated with creating a hazard analysis, design FMEA, use FMEA, or even a process FMEA should be second nature to an engineer. Heck, the automotive industry has been employing these tools for years. Remember, the application of risk management will be throughout the duration of the product life cycle. Regardless, the process begins with the RMP.

It is imperative that the RMP be created at the start of any design and development project. As a minimum, the RMP will address three salient concepts: (a) risk analysis; (b) risk evaluation; (c) risk control; and (d) assessment of production and post-production risk. In general, the RMP will contain and/or address:

  • Scope of risk management activities
  • Description of device and life-cycle phases
  • Assignment of roles and responsibilities
  • Review requirements for risk management activities
  • Criteria for risk acceptability
  • Verification activities
  • Activities associated with collection and review of production and post-production activities

The RMF will become the primary receptacle for risk management activities. Please note, it is acceptable to use the Design History File (DHF) as the RMF. One just needs to declare the relationship between the DHF and RMF in the RMP (enough acronyms for you?).  Additionally, the RMF will contain the following:

  • Risk analysis
  • Risk evaluation
  • Implementation and verification of risk control measures
  • Assessment and the acceptability of residual risks

Prior to commercial release, device establishments must review the risk management process and document the review in the RMR. Elements to be reviewed are:

  • The RMP has been fully executed
  • Overall residual Risk has been determined to be acceptable
  • Appropriate tools are in place to monitor and collect production and post-production data

Finally, production and post-production activities must be pursued by device manufacturers. Examples of information needing to be collected include:

  • Operator data
  • User data
  • Installation data
  • Maintenance and servicing data
  • Medical device performance data (i.e., complaints, MDRs, vigilance report, & literature reviews)
  • Evaluated for previously unknown hazards
  • Evaluated for previously unknown hazardous situations
  • Determination if device risk is still acceptable


For this week’s guidance, the doctor will leave the readers two takeaways. One: It is imperative that device manufacturers apply risk management tools throughout the product life-cycle. Risk management does not end at commercialization. Two: Although Dr. D did not mention it in the body of this week’s DG, do not forget to audit the risk management process, at least annually. Just maybe an annual audit of this week’s offending device establishment may have resulted in one less Form 483 observation. In closing, thank you again for joining Dr. D, and I hope you find value in the guidance provided. Until the next installment of DG, cheers from Dr. D. and best wishes for continued professional success.


  1. Code of Federal Regulation. (2014, April) Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system   regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
  4. FDA. (August 10, 2015). Inspections, Compliance, Enforcement, and Criminal Investigations, Transdermal Cap, Inc. Accessed September 1, 2015. Retrieved from http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2015/ucm458008.htm

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International