Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

The FDA and Risk, It Matters

By Dr. Christopher Joseph Devine

Is your risk management process rock solid?

On occasion, Dr. D hears some device establishments make silly comments such as, “We are just a specification developer and do not have to comply with the Quality System Regulation (QSR).” Ladies and gentlemen, the doctor is going to share a not-so-well-kept secret. If an establishment owns the regulatory filing and enters product into commerce with a label containing its name, it owns it! Period! All one has to do is consider the nature of the category “specification developer” and hopefully come to the conclusion that the employment of design controls (§820.30) is important for specification developers, including the application of risk management. The doctor has visited a whole bunch of specification developers during an extremely long career in industry and can emphatically state that “specification developers have some really unique and often quite elongated supply chains.” Because of these supply chain challenges, it is imperative that the design control process, including risk management, be rock solid. Yes, purchasing controls and supplier management are extremely important as well, but that will be a topic of discussion by Dr. D on another day. There is no doubt the Chief Jailable Officer’s (CJO) nescience (look it up) regarding §820.30 contributed to the eventual awarding of a prized agency warning letter. Enjoy!

Warning Letter – May 5, 2016

The offending device establishment mentioned in this week’s guidance received only two Form 483 observations (with multiple subparts). However, when an establishment is a specification developer and the Form 483 observations relate to design control, bad things typically happen. The potential for bad things to happen escalates quickly when our dear friends from the agency conclude that the response scripted for the Form 483 observations is not adequate.

Warning Letter Excerpt

“Observation Two (2). Your firm failed to have risk analysis, as required by 21 CFR 820.30(g). Specifically, the design plan for the Renovis sterile Tesera Trabecular Technology Titanium Stand Alone Anterior Lumbar Interbody Fusion (ALIF) Case (Design History File number DHF-SPN-(b)(4)) requires completion of risk activities including a Core Risk Assessment.

A. Core Risk Worksheet, document number CR-SPN-006, dated 12-20-13, Revision A, identifies a potential risk hazard number (b)(4) as (b)(4) product at the time of surgery with the resultant patient risk of infection. DHF-SPN-(b)(4) did not include or reference cleaning and sterilization validation studies in support of this product.

We reviewed your firm’s response and conclude that it is not adequate.”

21 CFR, Part 820.30(g) – Design Controls (design validation)

(g) Design validation. Each manufacturer shall establish and maintain procedures for validating the device design. Design validation shall be performed under defined operating conditions on initial production units, lots, or batches, or their equivalents. Design validation shall ensure that devices conform to defined user needs and intended uses and shall include testing of production units under actual or simulated use conditions. Design validation shall include software validation and risk analysis, where appropriate. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the DHF.

Compliance for Dummies

For those readers not familiar with ISO 14971 (Application of risk management to medical devices), this ISO standard essentially delineates all of the necessary elements of an effective risk management program. The FDA has even gone so far as to recognize ISO 14971:2007 as a consensus standard (recognition number 5-40). Additionally, the agency really does expect to see documented evidence of compliance associated with the employment of risk management tools such as a hazard analysis, application FMEAs (a.k.a. use FMEAs), design FMEAs, and process FMEAs. However, having a hazard analysis or FMEAs is simply not enough. There are multiple elements associated with an effective approach to risk management.

Risk management essentially starts with buy-in from management. For all of you CJOs out there, the management team must lead the charge when implementing a risk management program. Without management buy-in, any attempt at risk management is doomed to fail; no crystal ball is needed to predict the outcome. ISO 14971 lays out the risk management process as a sequence of elements: risk analysis, risk evaluation, risk control, evaluation of overall residual risk acceptability, the risk management report, and production and post-production information. However, to keep that positive vision in the crystal ball, the people working within the framework of the risk management program must be appropriately trained. Dr. D believes your typical read-and-understand approach to training is not appropriate for risk management. Why? There is just too darn much material to comprehend.

With management on board and the team appropriately trained, a device establishment can roll up its sleeves and jump right into risk management. All successful projects start with a well-defined plan, and risk management is no different. Successful risk management is rooted in a well-written and well-executed risk management plan (RMP), which is also where the risk acceptability criteria used later in the process are defined. Additionally, a receptacle needs to be created for the risk management documentation that will be collected. ISO 14971 calls that receptacle the risk management file (RMF); the records may physically reside in the design history file (DHF), provided they can be located and traced from the RMF.

The execution of risk analysis is the next stage of effective risk management. The doctor recommends visiting Annex G of ISO 14971 for an overview of risk analysis techniques (preliminary hazard analysis, fault tree analysis, FMEA and the like). According to ISO 14971, the following elements should be documented in the RMF:

  • The description and identification of the medical device being analyzed
  • The identification of the personnel (organization) performing risk analysis activities
  • The scope of the risk analysis activities and date(s) the activities were performed

Additionally, risk analysis requires: (a) identification of the medical device’s intended use and reasonably foreseeable misuse, (b) identification of characteristics of the device that could affect safety, (c) hazard identification, and (d) risk estimation for each hazard and hazardous situation.

The next step of risk management is risk evaluation: the risk acceptability criteria defined in the RMP are applied to each estimated risk. The manufacturer (specification developer) needs to ascertain whether risk reduction is required or whether no further risk reduction activities need to be pursued. Either way, the decisions made need to be documented and placed into the RMF (DHF).

But wait, there’s more! Risk control activities (risk reduction), where deemed necessary, need to be addressed. ISO 14971 requires employing one or more of the following options, in the priority order listed:

  • “Inherent safety by design
  • Protective measures in the medical device itself or in the manufacturing process
  • Information for safety”

ISO 14971 references additional elements associated with risk control, which need to be considered:

  • Risk reduction
  • Risk control option analysis
  • Implementation of risk control measures
  • Evaluation of residual risk
  • Risk/benefit analysis
  • Risks arising from control measures
  • Completeness of risk control

Once all of the risk control measures have been implemented and verified (ISO 14971 requires verification both that each measure has been implemented and that it is effective, with the results recorded), the manufacturer (specification developer) needs to decide whether the overall approach to risk management is adequate. This includes deciding whether the overall residual risk (if any) posed by the medical device is acceptable. Otherwise, more work is required (a.k.a., back to the proverbial drawing board).

Once risk has been judged to be acceptable, the risk management report (RMR) is written. The RMR is essentially the review of the risk management process pursued and a confirmation that the RMP has been executed. According to ISO 14971, the review shall include:

  • Confirmation that the RMP has been successfully executed
  • The decision that the overall residual risk is deemed to be acceptable
  • The processes/tools are in place to pursue post-market surveillance activities
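The steps above (estimate, evaluate against the RMP criteria, control, verify, check residual and overall risk, and review completeness) can be exercised as a small risk-register model. The block below is an added example written for this page; it is not the author’s code, not Renovis’s risk documentation, and not a tool the FDA or ISO publishes. The 5×5 severity and probability scales, the “index ≤ 6 is acceptable” criterion, the hazard and control records, and every identifier in it (H-01, C-01, DVR-002 and so on) are constructed assumptions standing in for what a real RMP and RMF would contain.

```python
"""Constructed ISO 14971-style risk register: estimate, evaluate, control,
verify, residual risk and completeness review. Added example; all scales,
criteria, hazards and identifiers are assumptions for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Criteria from the (assumed) risk management plan: 5x5 semi-quantitative
# scales, risk index = severity x probability, acceptable when index <= 6.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
ACCEPTABLE_MAX_INDEX = 6

# The ISO 14971 risk control options, in the standard's priority order.
CONTROL_OPTIONS = ("inherent_safety", "protective_measure", "information_for_safety")


@dataclass
class Hazard:
    hid: str
    hazard: str
    hazardous_situation: str
    harm: str
    severity: str
    probability: str


@dataclass
class Control:
    cid: str
    hazard_id: str
    option: str
    description: str
    residual_severity: str
    residual_probability: str
    implemented: bool = False        # verification of implementation recorded?
    effective: bool = False          # verification of effectiveness recorded?
    evidence: Optional[str] = None   # objective evidence referenced from the RMF/DHF
    introduces: List[str] = field(default_factory=list)  # hazards the measure itself creates


def risk_index(severity: str, probability: str) -> int:
    """Risk estimation for one hazardous situation."""
    return SEVERITY[severity] * PROBABILITY[probability]


def evaluate(index: int) -> str:
    """Risk evaluation against the RMP acceptability criterion."""
    return "acceptable" if index <= ACCEPTABLE_MAX_INDEX else "unacceptable"


def residual_risk(hazard: Hazard, controls: List[Control]) -> Tuple[int, str]:
    """Residual risk for a hazard. Only controls whose implementation AND
    effectiveness have been verified earn credit; an unverified control leaves
    the pre-control estimate in force."""
    credited = [c for c in controls
                if c.hazard_id == hazard.hid and c.implemented and c.effective]
    if not credited:
        idx = risk_index(hazard.severity, hazard.probability)
    else:
        idx = min(risk_index(c.residual_severity, c.residual_probability) for c in credited)
    return idx, evaluate(idx)


def completeness_review(hazards: List[Hazard], controls: List[Control]) -> List[str]:
    """The questions a risk management report has to be able to answer."""
    findings: List[str] = []
    by_id = {h.hid: h for h in hazards}
    for c in controls:
        if c.hazard_id not in by_id:
            findings.append(f"{c.cid}: addresses hazard {c.hazard_id} that is not in the register")
        if c.option not in CONTROL_OPTIONS:
            findings.append(f"{c.cid}: option '{c.option}' is not an ISO 14971 control option")
        if not c.implemented:
            findings.append(f"{c.cid}: implementation not verified")
        if not c.effective:
            findings.append(f"{c.cid}: effectiveness not verified")
        if c.evidence is None:
            findings.append(f"{c.cid}: no objective evidence referenced in the RMF/DHF")
        for new_hid in c.introduces:
            if new_hid not in by_id:
                findings.append(f"{c.cid}: introduces hazard {new_hid} that has not been analysed")
    for h in hazards:
        idx, decision = residual_risk(h, controls)
        if decision == "unacceptable":
            findings.append(f"{h.hid}: residual risk index {idx} is unacceptable")
    return findings


def risk_management_report(hazards: List[Hazard], controls: List[Control]) -> Dict[str, object]:
    """Summary the RMR needs: per-hazard residual risk, open findings, overall decision."""
    findings = completeness_review(hazards, controls)
    return {
        "residual_risk": {h.hid: residual_risk(h, controls) for h in hazards},
        "findings": findings,
        "overall_residual_risk_acceptable": not findings,
    }


# Constructed sample register (assumption; not data from any warning letter).
HAZARDS = [
    Hazard("H-01", "microbial contamination", "non-sterile implant used at surgery",
           "infection", "critical", "occasional"),
    Hazard("H-02", "sharp edge on inserter", "surgeon handles instrument",
           "laceration", "serious", "probable"),
]
CONTROLS = [
    # A cleaning/sterilization process is claimed but never validated: no evidence,
    # effectiveness unverified, and the sterilant residue it introduces is unanalysed.
    Control("C-01", "H-01", "protective_measure", "validated cleaning and terminal sterilization",
            "critical", "improbable", implemented=True, effective=False, evidence=None,
            introduces=["H-03"]),
    Control("C-02", "H-02", "inherent_safety", "edges radiused to 0.5 mm",
            "minor", "remote", implemented=True, effective=True, evidence="DVR-002"),
]

if __name__ == "__main__":
    for line in risk_management_report(HAZARDS, CONTROLS)["findings"]:
        print(line)
```

Run as-is, the sample register produces four findings: C-01’s effectiveness was never verified, no validation evidence is referenced, the hazard the sterilization step introduces (H-03) was never analysed, and, because an unverified control earns no credit, H-01 keeps its pre-control index of 12 and stays unacceptable. That is the same shape of gap the warning letter describes: a hazard worksheet that names infection as the harm while the DHF neither contains nor references the sterilization validation that would close it. Adding the validation record, marking C-01 effective and analysing H-03 empties the findings list and flips the overall decision to acceptable.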

Finally, post-market activities are extremely important. It is incumbent upon the specification developer to ensure its design remains safe and effective in its intended use once it is in the field. Complaint data, MDRs, vigilance reports, literature, the performance of similar devices (such as a competitor’s) and production/manufacturing information are excellent sources of post-market surveillance data, and any new information should be fed back into the risk analysis.


For this week’s guidance the doctor will leave the readers with one takeaway: The FDA is out there, and they are watching. Obviously, this week’s guidance addresses risk at the macro level; however, specification developers are going to be held to the same standard as other device establishments (manufacturers) when it comes to design and development activities, including the application of risk management. There is a plethora of information available on establishing an effective approach to risk management. Dr. D strongly recommends that establishments grab the proverbial bull by the horns and embrace risk management. It works! In closing, thank you again for joining Dr. D, and I hope you find value in the guidance provided. Until the next installment of DG, cheers from Dr. D, and best wishes for continued professional success.


  1. Code of Federal Regulations. (April 2015). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 compliance. Charleston, SC: Amazon.
  4. EN ISO 14971:2012. (2012). Medical devices — Application of risk management to medical devices. Geneva, Switzerland: International Organization for Standardization.
  5. FDA. (May 2016). Inspections, Compliance, Enforcement, and Criminal Investigations: Renovis Surgical Technologies, Inc. warning letter. Accessed May 24, 2016. Retrieved from http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2016/ucm501776.htm

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International