Understanding Risk with Medical Devices

On November 15, 2022, I had the pleasure to log in to a “live” FDA CDRH Industry Basics Seminar on Understanding Risk with Medical Devices.  You can view the workshop at this link: https://fda.yorkcast.com/webcast/Play/4aecf454d2d54039a1d5a6a3001d78c31d

I did enjoy the materials presented and I do think the presenters Joseph and Tonya did a great job. I would recommend viewing this presentation when it does become available as a resource on the FDA website.

The presentation is a good introduction to FDA “requirements” and “thinking” related to medical device risk management. It simply pops open the door to the topic.

This would make an excellent educational resource for a new hire or anyone new to medical device risk management.

Here are my top takeaways from what I heard:

  • There is risk associated with every medical device
  • They emphasize that “you” the medical device manufacturer are responsible for the risk management of your device
  • You will have to identify hazards, hazardous situations and harms associated with your device
  • They reminded us that the FDA also uses risk management when making various regulatory decisions
  • The FDA will review your risk analysis and make an assessment
  • The specific definition of risk depends on many regulations and many different contexts of use; in other words, CDRH does not have one consistent, uniform definition
  • Risk Management Tools:
      • The FDA does not recommend or approve risk management tools.
      • The FDA does not require any specific risk management tool.
      • The FDA thinks that you will have to use more than one risk management tool to get the job done.

  • There are many different methods, processes and procedures that can be used to implement an effective risk management program
  • You will need defined and documented procedures and records to implement your risk management process
  • To achieve success, you will need appropriate SMEs, open and honest discussions, and you will need to cast a wide net.
  • Your device’s post-market data and information will modify your device risk profile
  • Your risk management process does not end until your device ends
  • The primary reference for this risk discussion was ISO 14971
  • The presentation does not touch on software or software risk management

To gain further knowledge of “software risk management” and the integration of 62304 and 14971, I recommend that you consider our newly updated public training course, ISO 14971:2019 Medical Device Risk Management, A Software Organization’s Perspective (Public Course, Jan 9-11, 2023, Risk Management, in-person).

About the author

John is a 25-year FDA veteran. John served as a regulatory and compliance expert for FDA regulated computers and software. Practice (focus) areas include FDA software related guidances, software device classification determination, pre-market software review, post market software inspectional 483’s, additional information software requests, Digital Health Pre-certification, AAMI Software related TIRs and related medical device software standards.
