What ever happened to Medical Device Risk Management, anyway?

[Julie O]

I pulled these comments from another thread, posted in January 2011:

The FDA wants you to have an effective and comprehensive risk analysis and management process. They don't yet have detailed rules as to exactly how you must proceed.

FDA is probably kicking themselves for saying so little about risk management in Part 820

Six years later, I haven't seen any signs of significant forward movement on this.

- I google fda.gov for "medical devices and "risk management" and come up with nothing much.

- I hear that FDA inspectors expect to see risk management in place, but I wonder...if a company doesn't have risk management in place, what requirement do they cite in their findings?

Has anyone seen FDA do anything official about "requiring" risk management, as opposed to just "expecting" it?

 

[randomname]

Re: What ever happened to risk management, anyway?

If your firm is FDA regulated it's likely that you may work to ISO 13485, which requires risk management.

 

[Ronen E]

Re: What ever happened to risk management, anyway?

I pulled these comments from another thread, posted in January 2011:
..........

Six years later, I haven't seen any signs of significant forward movement on this.

- I google fda.gov for "medical devices and "risk management" and come up with nothing much.

- I hear that FDA inspectors expect to see risk management in place, but I wonder...if a company doesn't have risk management in place, what requirement do they cite in their findings?

Has anyone seen FDA do anything official about "requiring" risk management, as opposed to just "expecting" it?

Julie, I'm not aware of an official, wide change in the regulations or guidance in that regard. However, one can already see the change seeping through in specific guidances/circumstances. They do put it black on white sometimes but the scope is usually limited.

There's this (pdf), FWIW.

Cheers,
Ronen.

 

[Julie O]

Re: What ever happened to risk management, anyway?

Yes, FDA has issued several guidances on benefit-risk in the last few years, but nothing on risk management. The way the guidance you linked refers to risk management, it sounds like FDA thinks it has a requirement for risk management, but, as far as I know, it doesn't. I think this is rather strange.

 

[QA-Man]

Re: What ever happened to risk management, anyway?

Yes, FDA has issued several guidances on benefit-risk in the last few years, but nothing on risk management. The way the guidance you linked refers to risk management, it sounds like FDA thinks it has a requirement for risk management, but, as far as I know, it doesn't. I think this is rather strange.

What about 21CFR820.30(g)? Design validation shall include software validation and risk analysis, where appropriate.

 

[Marcelo]

Part of the "historical" problem is that what we know today as risk management (analysis, evaluation, control and monitoring) was not always called that. Although the term risk management has existed in literature for a long time, a definition for risk management is relatively recent (in particular, in terms of standards for medical devices).

For example, EN 1441:1998, which was created to related to the risk "management" portion of the EU Directives, was in fact called EN 1441:1998 - | Medical devices - Risk analysis, and the process it defined (see attached) is what we today call risk management.

When ISO 14971-1 was first created, the term risk management was defined, but the standard was going to have different parts, each one dealing with a part of the risk management process (the first being risk analysis).

Only after ISO 14971 was created in 2000 that we had one standard that dealt with "risk management"for medical devices.

This is basically the problem with FDA regulations, which preclude the dates mentioned. You can find risk analysis several times in FDA regulations, and also you can find mention to identify, evaluate, control and monitor risks. But this whole process was called risk analysis at the time. In today's terms, they require what Iso 14971 defines as risk management.

 

[Ronen E]

Re: What ever happened to risk management, anyway?

What about 21CFR820.30(g)? Design validation shall include software validation and risk analysis, where appropriate.

That is the only reference to risk in part 820, and it is very limited:

1. It speaks of "risk analysis" which is only a subset or risk management.
2. It has the notorious "where appropriate" which doesn't support clarity / transparency (though it is parseable).
3. It only addresses a portion of Design Control (Design Validation) while risk management is more holistic nowadays.

 

[Ronen E]

Marcelo, thanks for your overview, it's definitely an interesting aspect.

Let's please not forget that it's already been ~16 years since the publication of ISO 14971:2000. Part 820 was updated many times during that period and the FDA could have adjusted it to risk management if it was merely a matter of terminology.

You can find risk analysis several times in FDA regulations, and also you can find mention to identify, evaluate, control and monitor risks.

Can you please point out the FDA regulations that mention identification, evaluation, control and monitoring of risks?

 

[Julie O]

Re: What ever happened to risk management, anyway?

What about 21CFR820.30(g)?

Clearly it requires risk analysis, although potentially only software risk analysis. And "where appropriate" is a mystery to me here. Normally when FDA says something like this, it means...if there is risk, you analyze it. But of course there is no such thing as a medical device that has no risk. I'm not sure I even want to know where the authors of the QSR thought it would not be appropriate.

Regardless, risk analysis is not risk management. It is either the first step, or the step before.

 

[Julie O]

In today's terms, they require what Iso 14971 defines as risk management.

That is my question, where can one find this requirement?