FDA's Risk Management Expectations for Medical Devices: What Manufacturers Need to Know
November 06, 2025, by Billy Delfs
How is the FDA applying Risk Management to medical devices, and how can manufacturers prepare for submission and inspection inquiries?
Risk management is no longer a peripheral concept in device regulation. Interestingly, the word "risk" appears only once in 21 CFR 820, the Quality System Regulation (QSR) for medical devices, and does not appear at all in the Current Good Manufacturing Practice (CGMP) regulations for pharmaceuticals. Yet ISO 14971, the risk management standard for medical devices, is an FDA-recognized consensus standard for device submissions, and the Quality Management System Regulation (QMSR) final rule, which incorporates ISO 13485:2016 by reference and takes effect in February 2026, will make a documented risk management process a formal requirement. ISO 13485 points to ISO 14971 as the standard for that process.
Why Risk Management Matters
Risk management is the pillar of the quality system that identifies design and safety problems, both before release and after. Feeding postmarket surveillance data and complaint analysis back into the risk management file became an explicit requirement with EU MDR 2017/745 and the 2021 amendment to EN ISO 13485 (EN ISO 13485:2016/A11:2021). Together these elevated ISO 14971, Medical devices — Application of risk management to medical devices, from a voluntary standard to a requirement.
ISO 14971 – Beyond the Failure Mode and Effect Analysis (FMEA)
ISO 14971 represents a critical evolution beyond traditional FMEA. An FMEA is device-centric: it starts from a failure mode and traces it to its effect on the product. ISO 14971 starts from hazards and hazardous situations and traces them to harm to people, whether or not a failure is involved. The 2019 edition reinforces this with new definitions for benefit, reasonably foreseeable misuse, and state of the art.
Reasonably Foreseeable Misuse
Reasonably foreseeable misuse is not the same as off-label use; it is a human-factors concept. ISO 14971:2019 defines it as the "use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behavior," which extends risk considerations beyond skilled clinicians to patients and lay users. Under EU MDR this requirement is front and center, and FDA reviewers will expect to see it addressed in every risk management file.
Building the Right Risk Management File

Expect the FDA and Notified Bodies to review the:
- Top level Risk Management Standard Operating Procedure (SOP)
- Risk Management Plan template
- Risk Management Report (RMR) template, and
- Hazard Analysis (HA) work instruction
Hazard analysis under ISO 14971 now emphasizes effects on people (the harm a hazard can cause to a patient, user, or bystander) rather than effects on the device, and the 2019 edition clarifies the production and post-production activities that feed back into the file.
In an inspection or audit, the Risk Management Subject Matter Expert (SME) will be interviewed. Preparing for that interview means going beyond having the SME "walk through" the SOP; the SME needs to demonstrate a holistic, dynamic approach to risk management that connects design, complaints, and postmarket data.
The Challenge: Balancing Probability and Severity
Risk is defined by two components:
- The probability of occurrence of harm; and
- The consequences of that harm, that is, how severe it might be.
Probability cannot always be estimated. When it cannot, ISO 14971 still requires the possible consequences to be listed and evaluated, so your SOP must define in advance how such risks are scored and what criteria govern their acceptance.
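As an added illustration of the two-component definition above and of an SOP rule for probability that cannot be estimated, the following Python is example code written for this article; it is not a tool from the author, Gardner Law, FDA, or ISO. Every severity and probability class boundary, the acceptance thresholds, the "score unknown probability at a conservative default class" rule, and the per-use rate in the sample record are assumptions standing in for what a manufacturer's own SOP and cited evidence would define. It also carries a hazard through a risk control to show how the residual risk is re-evaluated against the same criteria.

```python
"""Semi-quantitative risk evaluation with an explicit rule for harms whose
probability cannot be estimated. Illustrative code for this article, not the
author's or any standard's tool; all thresholds and sample figures are assumed."""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional, Tuple


class Severity(IntEnum):
    NEGLIGIBLE = 1    # inconvenience or temporary discomfort
    MINOR = 2         # temporary injury, no professional intervention needed
    SERIOUS = 3       # injury requiring professional medical intervention
    CRITICAL = 4      # permanent impairment or life-threatening injury
    CATASTROPHIC = 5  # death


class Probability(IntEnum):
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


# Assumed upper bounds (harms per use) for each class; at or above the last
# bound the class is FREQUENT.
RATE_BOUNDS = [(1e-6, Probability.IMPROBABLE), (1e-5, Probability.REMOTE),
               (1e-4, Probability.OCCASIONAL), (1e-3, Probability.PROBABLE)]


def probability_from_rate(rate_per_use: float) -> Probability:
    """Map a rate taken from the literature or postmarket data to a class."""
    if rate_per_use < 0:
        raise ValueError("rate must be non-negative")
    for upper, cls in RATE_BOUNDS:
        if rate_per_use < upper:
            return cls
    return Probability.FREQUENT


@dataclass(frozen=True)
class RiskRecord:
    hazard: str
    harm: str                            # the effect on a person, not on the device
    severity: Severity
    probability: Optional[Probability]   # None means "cannot be estimated"
    evidence: str                        # where the estimate came from


@dataclass(frozen=True)
class Policy:
    """What the SOP fixes in advance (assumed values): acceptance regions on a
    severity x probability score, and the class used when probability is unknown."""
    acceptable_max_score: int = 4
    unacceptable_min_score: int = 12
    unknown_probability_default: Probability = Probability.PROBABLE


def evaluate(record: RiskRecord, policy: Policy = Policy()) -> Tuple[str, str]:
    """Return (region, rationale); region is 'acceptable', 'alarp'
    (reduce as far as practicable, then justify) or 'unacceptable'."""
    p = record.probability
    if p is None:
        # ISO 14971 clause 5.5: when probability cannot be estimated, the possible
        # consequences still have to be listed and evaluated. This policy scores
        # such risks at a conservative default class so they cannot drop out of the file.
        p = policy.unknown_probability_default
        why = f"probability not estimable; scored at {p.name} per SOP"
    else:
        why = f"probability {p.name} ({record.evidence})"
    score = int(record.severity) * int(p)
    why += f"; severity {record.severity.name}; score {score}"
    # A fatal harm is never traded off against low probability alone.
    if score >= policy.unacceptable_min_score or (
            record.severity == Severity.CATASTROPHIC and p >= Probability.REMOTE):
        return "unacceptable", why
    if score <= policy.acceptable_max_score:
        return "acceptable", why
    return "alarp", why


def apply_control(record: RiskRecord, *, evidence: str,
                  probability: Optional[Probability] = None,
                  severity: Optional[Severity] = None) -> RiskRecord:
    """Residual-risk record after a risk control. A control may lower either
    component; one that raises either is rejected rather than recorded."""
    new = replace(record, evidence=evidence,
                  probability=record.probability if probability is None else probability,
                  severity=record.severity if severity is None else severity)
    if new.severity > record.severity or (
            record.probability is not None and new.probability is not None
            and new.probability > record.probability):
        raise ValueError("a risk control must not increase severity or probability")
    return new


def worked_example() -> dict:
    """Constructed sample: a reusable component that can transmit a hospital-acquired
    infection. The 3e-5 per-use rate is an assumed placeholder for a cited figure."""
    initial = RiskRecord("non-sterile reusable applicator", "hospital-acquired infection",
                         Severity.SERIOUS, probability_from_rate(3e-5),
                         "assumed literature rate 3e-5 per use")
    residual = apply_control(initial, probability=Probability.IMPROBABLE,
                             evidence="assumed: single-use sterile barrier added")
    unknown = RiskRecord("unexpected software state", "delayed therapy",
                         Severity.SERIOUS, None, "no field data yet")
    return {"initial": evaluate(initial)[0], "residual": evaluate(residual)[0],
            "unknown_probability": evaluate(unknown)[0]}


if __name__ == "__main__":
    for name, region in worked_example().items():
        print(f"{name}: {region}")
```

The point of the unknown-probability branch is that a serious harm with no probability estimate lands in the unacceptable region until evidence or a control moves it, which is the behavior an auditor will look for in the SOP: an unknown is scored conservatively and justified in the Risk Management Report, not left blank. The rationale string returned alongside the region is the kind of trace a reviewer expects to find per hazard in the file.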
For next-generation devices, postmarket surveillance and clinical study follow-up data may be used. Be prepared to discuss and justify risks that are not mitigated by the new design and how postmarket data show an improved risk-benefit profile.
Credible peer-reviewed journals are another source for probability figures, since adverse event and sequelae analyses in the literature report rates that can be mapped onto your probability classes.
A search query such as "probability of occurrence of harm for [indicated use] of [med device type]" will produce relevant results, and adding credible sources such as nih.gov, Mayo Clinic, or JAMA to the query brings key opinion leader articles to the top. Record the citation alongside the estimate in the file so the figure can be defended.
FDA’s Evolving Expectations on Severity
Foreseeable harms, and the mitigations documented against them, are a critical input to the Health Hazard Evaluation FDA uses to classify recalls, and another place where the Agency expects risk management to be ingrained in quality principles.
Severity and foreseeable harms now extend beyond explant or surgical intervention to include risks such as hospital-acquired infections, following the lead of FDA's European counterparts.
“I have seen risk management evolve from a checkbox to a cornerstone of device safety. ISO 14971 is not just a standard. It is a mindset shift. We work with firms to convey their tailored practices in presentations to regulators.”
Billy Delfs, Associate Attorney, Gardner Law
Get with risk
Risk management is a regulatory cornerstone shaping FDA submissions, inspections, and global compliance strategies. With ISO 14971 elevated from mere guidance to a requirement and the QMS Final Rule on the horizon, manufacturers must demonstrate not only technical rigor, but also a living, adaptive risk management process. From reasonably foreseeable misuse to postmarket surveillance integration, the expectations are clear: risk must be embedded into design, quality, and lifecycle decisions.
Is your organization ready to defend its risk management file under scrutiny? Now is the time to audit your SOPs, templates, and training programs before regulators do. Our team can help you build a robust, inspection-ready framework that aligns with FDA and EU MDR expectations. Contact us to schedule a risk management readiness review or tailored training session. Turn compliance into a competitive advantage.