It's a question that, even after careful consideration, can seem difficult to answer: Does the FDA actually "require" medical device manufacturers to perform risk analysis? If so, where?
The short answer is yes. But the topic requires a more nuanced discussion. We've summarized where the confusion stems from and how and where regulators require risk analysis below.
A Main Point of Confusion
This question commonly arises out of the specific mention of the phrase "risk analysis" in 820.30(g) Design Controls referenced in the bolded text below.
"(g) Design validation. Each manufacturer shall establish and maintain procedures for validating the device design. Design validation shall be performed under defined operating conditions on initial production units, lots, or batches, or their equivalents. Design validation shall ensure that devices conform to defined user needs and intended uses and shall include testing of production units under actual or simulated use conditions. Design validation shall include software validation and risk analysis, where appropriate. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the DHF."
The wording of this section can lead some to interpret it as giving manufacturers the ability to declare when risk analysis is and is not appropriate.
In practical terms, however, risk analysis is always required for higher risk devices. Some of these devices, on the other hand, don't include software. This is where appropriateness is practically applied. Design validation should always include risk analysis, and where appropriate, software validation.
A Closer Look at Terminology
The preamble of the 1997 quality system regulation offers a helpful reference for parsing the specific terminology here, particularly in Comment 83:
“FDA has deleted the term ‘hazard analysis’ and replaced it with the term ‘risk analysis’. FDA’s involvement with the ISO TC 210 made it clear that ‘risk analysis’ is the comprehensive and appropriate term. FDA's involvement with the ISO TC 210 made it clear that 'risk analysis' is the comprehensive and appropriate term.When conducting a risk analysis, manufacturers are expected to identify possible hazards associated with the design in both normal and fault conditions. The risks associated with the hazards, including those resulting from user error, should then be calculated in both normal and fault conditions. If any risk is judged unacceptable, it should be reduced to acceptable levels by the appropriate means, for example, by redesign or warnings."
Even further clarification can be found in the Design Controls section QSIT Manual, also referenced below.
"While the requirement for the conduct of risk analysis appears in Section 820.30(g) Design Validation, a firm should not wait until they are performing design validation to begin risk analysis. Risk analysis should be addressed in the design plan and risk should be considered throughout the design process. Risk analysis must be completed in design validation."
ISO 14971:2007 as a Useful Risk Management Methodology
Under ISO 14971:2007, which while not formally required by FDA-CDRH, remains a recognized consensus standard, offers an easily-followed process that lays out a methodology for medical device risk management in a simple series of steps.
In addition to being easy to follow, ISO 14971:2007 positions hazards (the potential sources of harm to patient or user) as the basic unit from which analysis is performed. This aligns particularly well with the ultimate end goal of patient safety.
Other methodologies, such as traditional FMEA or fault trees, play an important supporting role, but address different issues which may not map onto patient harm. (FMEA, for example, analyzes the effect of a failure on the device, which may or may not result in harm to patients.)
Read our other article to learn more about medical device risk management: Risk Management & Medical Devices: 4 Common Problems to Avoid