Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

What, No Risk Analysis?

By Dr. Christopher Joseph Devine

Procedures for design validation must address risk analysis where appropriate.

As Dr. D has stated on multiple occasions, there is typically no rhyme or reason to the decision-making process as it pertains to the issuance of a prized agency warning letter. However, repeat inspectional observations, failure to file MDRs within 30 days, or failure to adequately document or report (Class I & II) a correction or removal, and the offending establishment will probably be on the receiving end of a warning letter. On the other end of the spectrum, receiving double-digit Form 483 observations during an inspection or coming close to receiving the magic number of 10 observations, and a warning letter will probably be in the offending device’s future, similar to the establishment discussed in this week’s guidance. This also becomes a reality if the relationship between the chief jailable officer (CJO) and the FDA investigator grows into a tempestuous (look-it-up) one during the course of an inspection.

Additionally, risk management (or lack thereof) is starting to climb the FDA’s citation ladder as a violation of design control. The doctor finds this troubling because risk management documentation is a critical component of design control; and the risk management plan, report, hazards analysis and FMEAs (design & application) are deliverables associated with 510(k) and PMA submissions made to FDA. In fact, ISO 14971:2007 is considered a consensus standard by FDA. Dr. D would definitely not want to be that CJO tasked with sitting across from the FDA investigator attempting to defend risk management if no documented evidence of compliance existed or the documentation was incomplete. Enjoy!

Warning Letter – July 25, 2018

As alluded to in the opening two paragraphs of this week’s guidance, the warning letter observation discussed in this week’s guidance was one of multiple Form 483 observations, with one observation specifically citing an issue with risk during the application of design controls (§820.30). After reading through the warning letter, one can safely assume the lucky number seven was not lucky for the device establishment on the receiving end of a recently issued warning letter. Why? The warning letter cited seven observations. Please note, the doctor is not emphatically stating that seven observations will result in a warning letter; however, writing a response to the Form 483 observations and then implementing corrective action to mitigate the observations becomes more of a challenge with each observation noted.

Warning Letter Excerpt(s)

Observation Two (2) – “Procedures for design validation have not been established per the requirements of 21 CFR Part 820.30(g).”

“As mentioned above, your Design Controls procedure, QMP-001, revision: NEW, Section 4.5.2, states design validation must be performed under operating conditions and demonstrate the device meets user needs. This procedure does not address risk analysis in design. This procedure also does not note any effective or implementation date, or any evidence it has been reviewed or approved, yet you told our investigator it became effective on April 6, 2018.”

21 CFR, Part 820.30(g) – Design Controls

“(g) Design validation. Each manufacturer shall establish and maintain procedures for validating the device design. Design validation shall be performed under defined operating conditions on initial production units, lots, or batches, or their equivalents. Design validation shall ensure that devices conform to defined user needs and intended uses and shall include testing of production units under actual or simulated use conditions. Design validation shall include software validation and risk analysis, where appropriate. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the DHF.”

Compliance for Dummies

When an organization begins thinking about design control, risk and the application of risk management, one standard should always come to mind: ISO 14971 (Medical devices — Application of risk management to medical devices). Please note, the current version of the standard is EN ISO 14971:2012. The ISO standard for risk essentially provides the user with a blueprint for managing product risk from start to finish. In fact, “It’s so easy even a caveman can do it” (thank you, GEICO). Seriously, the concept behind the mitigation and/or the elimination of risk is to be able to reduce risk “As-Far-As-Possible”, or better known as AFAP! However, at the end of the day, an establishment’s management team owns the risk management process.

Additionally, ISO breaks down the risk management process into four congruent (look-it-up) elements that should align with an establishment’s goals for the design and development of a finished medical device that is safe and effective in its intended use. If an establishment nails these elements: (a) risk analysis, (b) risk evaluation, (c) risk control, and (d) the collection and analysis of production and post-production information, and documents activities associated with these elements accordingly, then everything else associated with risk management should be that proverbial cakewalk.

Furthermore, the devil is in the details. For example, as part of risk management, establishments need to:

  • Ensure engineers (and other employees) are trained and qualified to execute risk management activities
  • Script a cohesive risk management plan
  • Establish a receptacle for risk management documentation such as a risk management file (it is an acceptable practice to use the Design History File (DHF) for that receptacle)
  • Define their approach to risk analysis (e.g., intended use, hazards and estimation of risk for hazardous situations)
  • Evaluate the level of risk and identify potential solutions for risk mitigation
  • Identify the tools to be used for the control and reduction of risk, and implement the risk control measures
  • Assess residual risk and identify appropriate actions, including the scripting of a risk-benefit analysis, as appropriate
  • Assess the overall acceptability of residual risk
  • Script the risk management report
  • Continuously monitor production and post-market activities

Finally, one of the biggest failures to risk management programs that Dr. D continues to see is the linking of risk (especially product, patient and user) back to the hazards analysis and the various FMEAs (design, application and process). The medtech industry is far from utopian, and Mr. Murphy is alive and well in most device establishments. That being said, if a complaint is received and the failure mode has never been seen before, a device establishment cannot ignore this new information. The establishment is going to want to re-visit the appropriate risk documentation and make changes to address this new information. The expectation is that FMEAs and potentially the hazards analysis be reviewed and revised accordingly. Please keep in mind, the risk management documentation should be treated as being dynamic and will be updated throughout the life of a device (womb to tomb, baby).


For this week’s guidance the doctor will leave the readers with four takeaways. One: During an inspection, if our dear friends from FDA decide to assess design controls by diving into one of your DHFs, he or she will eventually want to examine risk management. The key is to be prepared. Two: Dr. D strongly suggests that you become familiar with risk management. If your establishment does not have a copy of ISO 14971, it is imperative that you acquire one. Three: Scripting a robust risk management plan that supports a robust risk management report is the key to ensuring all applicable elements of risk management are adequately addressed. Four: Remember that the ultimate goal of a risk management program is reducing risk AFAP! In closing, thank you again for joining Dr. D, and I hope you found value (and some humor) in the guidance provided. Until the next installment of DG, cheers from Dr. D., and best wishes for continued professional success.


  1. Code of Federal Regulations. (April 2017). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
  4. FDA. (July 2018). Inspections, Compliance, Enforcement, and Criminal Investigations. Anigan, Inc. Accessed August 06, 2018. Retrieved from https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/ucm615066.htm
