Product Risk Assessment Basics: Continually Collect Data, Update Documentation Often

Q: I’ve been assigned to do a product risk assessment on a new device we’re developing. My background is not in risk management, so any advice you can offer would be very much appreciated.

I’m especially concerned about how often we should update our product risk assessment and its documentation, both during the design process and once the product is on the market.

A: First of all, you need to understand that FDA’s primary focus is and always will be the risk to the patient or product user.

So start your risk assessment focusing on the product’s potential risks to the end-user. Then work back to assess risks to the product introduced by your design and manufacturing processes.

Also, look at the risks associated with your overall Quality System (things like procurement, change control, and maintenance to name just a few). As much as you can, trace all these risks back to the ultimate user of your product.

The more data you collect, the better. Risk management is an iterative process. Especially for a new product, have your testing and operational data flow back to you continually, and use the information to update your design and your original risk documents.

Over time, you’ll understand more about frequency of occurrence and severity, and you’ll understand more about the product’s failure modes.

With a multi-disciplinary team, you’ll have different skill sets and a variety of knowledge points to draw from.

I strongly recommend a team approach to risk assessment. With a multi-disciplinary team, you’ll have different skill sets and a variety of knowledge points to draw from — allowing you to share ideas and perspectives and, in the long run, better match your product risk assessment to reality.

Obviously, your risk management process has to be documented, and it has to be verified to be shown to be effective.

Change is one of the biggest reasons to have good, updated risk documentation. When you make a change to the product or the process, you’ll want to go back to those original risk documents and ask yourself, does this change introduce a new failure mode or hazard? Does it add a new mitigation? Does it change, modify or remove an existing mitigation?

In my opinion, you should review your risk documents with every design change and with the receipt of any new data — then update as needed.

I’ve had people ask if they can just update their risk documents every six months or so, instead of doing it with every change. My answer is that every time you make a change, you need to have the most current data at your fingertips to assess that change.

It doesn’t do anybody any good to work with old risk assessments. You need the most current thinking — what the latest data is telling you about risk — to make informed decisions.

In the end, your risk assessment is an exercise in probability. It’s not exact. But to make it as useful as possible, you should plan to continually collect data, carefully review and learn from that data, and then diligently update your risk decisions and documentation as needed.

Answered by Denise Dion, Vice President of Regulatory and Quality Services for EduQuest, who served 18 years at the U.S. FDA as an expert field investigator and who was co-editor of FDA’s Investigations Operations Manual, which is updated annually as a resource for FDA’s own investigators. Denise is the lead instructor for EduQuest’s training class on Design Control for Medical Devices: Meeting FDA’s 21 CFR 820.30 Rules for Quality Design and Manufacturing.


Leave a Reply

Your email address will not be published. Required fields are marked *