The Pre-amble provides some guidance (see below). It's a bit dated (some references), but still applicable. I hope it's helpful.
In my opinion, risk analysis and software validation is always appropriate (i.e. required) unless you have a good justification for not doing it, for example, your device does not contain software. ISO14971 is a recognized consensus standard, so you should follow that for risk management activities.
From Pre-amble:
83. Several comments stated that the term ‘‘hazard analysis’’ should be defined in reference to design verification. A couple of comments stated that the proposed requirement for design verification, to include software validation and hazard analysis, where applicable, was ambiguous, and may lead an FDA investigator to require software validation and hazard analysis for devices in cases where it is not needed. One comment stated that FDA should provide additional guidance regarding software validation and hazard analysis and what investigators will expect to see. Another comment only software validation and hazard analysis, FDA was missing the opportunity to introduce manufacturers to some powerful and beneficial tools for better device designs and problem avoidance.
FDA has deleted the term ‘‘hazard analysis’’ and replaced it with the term ‘‘risk analysis.’’ FDA’s involvement with the ISO TC 210 made it clear that ‘‘risk analysis’’ is the comprehensive and appropriate term. When conducting a risk analysis, manufacturers are expected to identify possible hazards associated with the design in both normal and fault conditions. The risks associated with the hazards, including those resulting from user error, should then be calculated in both normal and fault conditions. If any risk is judged unacceptable, it should be reduced to acceptable levels by the appropriate means, for example, by redesign or warnings. An important part of risk analysis is ensuring that changes made to eliminate or minimize hazards do not introduce new hazards. Tools for conducting such analyses include Failure Mode Effect Analysis and Fault Tree Analysis, among others. FDA disagrees with the comments that state the requirement is ambiguous.
Software must be validated when it is a part of the finished device. FDA believes that this control is always needed, given the unique nature of software, to assure that software will perform as intended and will not impede safe operation by the user. Risk analysis must be conducted for the majority of devices subject to design controls and is considered to be an essential requirement for medical devices under this regulation, as well as under ISO/CD 13485 and EN 46001.
FDA has replaced the phrase ‘‘where applicable’’ with ‘‘where appropriate’’ for consistency with the rest of the
regulation.
FDA believes that sufficient domestic and international guidelines are available to provide assistance to manufacturers for the validation of software and risk analysis. For example, ‘‘Reviewer Guidance for Computer Controlled Medical Devices Undergoing 510(k) Review,’’ August 1991; ‘‘A Technical Report, Software Development Activities,’’ July 1987; and ISO–9000–3 contain computer validation guidance. Further, FDA is preparing a new ‘‘CDRH Guidance for the Scientific Review of Pre-Market Medical Device Software Submissions.’’ Regarding guidance on ‘‘risk analysis,’’ manufacturers can reference the draft EN (prEN) 1441, ‘‘Medical Devices—Risk Analysis’’ standard and the work resulting from ISO TC 210 working group No. 4 to include ISO/CD 14971, ‘‘Medical Devices—Risk Management—Application of Risk Analysis to Medical Devices.’’
FDA disagrees that it is missing the opportunity to introduce manufacturers to some powerful and beneficial tools for better device designs and problem avoidance because the manufacturer must apply current methods and procedures that are appropriate for the device, to verify and validate the device design under the regulation. Therefore, FDA need not list all known methods for meeting the requirements. A tool that may be required to adequately verify and validate one design may be unnecessary to verify and validate another design.