Here is my attempt to address Ronen's queries.
FDA is probably kicking themselves for saying so little about risk management in Part 820 (see excerpt below), but that has not prevented FDA CDRH ODE reviewers and field investigators from expecting manufacturers to apply risk management principles.
820.30(g) Design validation shall include software validation and risk analysis, where appropriate.
When the QSR was released in 1996, ISO 14971:2000 did not exist yet, and EN 1441 (risk analysis) was the current risk standard. Hence, the term "risk analysis" instead of the broader term "risk management".
Although 21 CFR 820 (FDA Quality System Regulation) does not have "risk management" requirements that are as broad as in ISO 13485, FDA has in practice been expecting manufacturers to have a life-cycle risk management process per ISO 14971:2007, which is an FDA-recognized standard.
http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfStandards/detail.cfm?id=19639
As stated at the above link, "A declaration of conformity to ISO 14971 may be used to satisfy the risk management needs for a Special 510(k)". This demonstrates FDA's focus on risk management.
The preamble for 21 CFR 820 (written in 1996) says more about risk (called risk analysis at the time) than the regulation itself. The current-day risk management concepts per ISO 14971 are broader than just "risk analysis", but the concepts are the same.
http://www.fda.gov/downloads/Medica...dicalDeviceQualitySystemsManual/UCM122806.pdf
Here are some excerpts:
"Risk analysis must be conducted for the majority of devices subject to design controls and is considered to be an essential requirement for medical devices under this regulation, as well as under ISO/CD 13485 and EN 46001."
"FDA agrees that the degree of corrective and preventive action taken to eliminate or minimize actual or potential nonconformities must be appropriate to the magnitude of the problem and commensurate with the risks encountered. FDA cannot dictate in a regulation the degree of action that should be taken because each circumstance will be different, but FDA does expect the manufacturer to develop procedures for assessing the risk, the actions that need to be taken for different levels of risk, and how to correct or prevent the problem from recurring, depending on that risk assessment."
"FDA has deleted the term ‘hazard analysis’ and replaced it with the term ‘risk analysis.’ FDA’s involvement with the ISO TC 210 made it clear that ‘risk analysis’ is the comprehensive and appropriate term. When conducting a risk analysis, manufacturers are expected to identify possible hazards associated with the design in both normal and fault conditions. The risks associated with the hazards, including those resulting from user error, should then be calculated in both normal and fault conditions. If any risk is judged unacceptable, it should be reduced to acceptable levels by the appropriate means, for example, by redesign or warnings. An important part of risk analysis is ensuring that changes made to eliminate or minimize hazards do not introduce new hazards. Tools for conducting such analyses include Failure Mode Effect Analysis and Fault Tree Analysis, among others."