Risk matrixing (from process flow chart via risk analysis to validation protocol)

Hi all,

I wonder, is there any FDA or ISO requirement that says that risk should be tracked (matrixing)?
Should risk (defined in risk analysis) be linked with a defined step in the process flow chart?
Should risk/hazard be tracked from the process flow chart? Or is it OK to track it from FMCA?

I would appreciate any help.


Risk management (product) is essentially to identify where the risks can occur, how they can occur, and identify measures (controls) to mitigate the risk - either by reducing likelihood or severity. The expectations are that the controls are verified to be implemented and effective at the time they are needed.

The rest is just the mechanics about getting there. Auditors / inspectors will want to review the documentation you created that shows all of this but it’s not (too) prescribed as to how. If the things you ask about are useful to your company in controlling risk, then do them. If you’re doing something just for an auditor / inspector, you may want to re-evaluate your approach.

Hello. To be honest with you, FDA does not require you to perform risk analysis. ISO 13485 is a little more stringent for risk analysis. I have worked in big medical device companies, and a few of them don't even care for risk analysis. What you really need is a risk / hazard study to be performed.
Risk analysis (d/pFMEA) will help to perform risk-based validation; again, it's not a requirement.

Can’t say that I agree with that assertion. It’s not as overt in 21 CFR 820 as in 13485, but it’s there (nominally in Design Validation). And just because it’s not as overtly stated, there’s no question that the current state of the art (i.e., the ‘c’ in cGMP) is to take a risk-based approach. For any device with software (including minor level of concern), the guidance indicates a hazard analysis (with identified mitigations) is required. If you look at any of the later guidance docs (human factors, incorporating wireless, etc.), there are plenty of references to risk management.

I think to dismiss risk management completely would be a, well, risky approach.

Is it possible to make a risk analysis so as not to do audits of suppliers?
If yes, can you give me an example?

I would appreciate any help.


Risk assessment is also performed during qualification or approval of a supplier with respect to Product Quality and Patient safety.
ICH Q9 is a guidance document regarding risk assessment of a Product/Process/System during its entire life cycle, to build control with respect to product quality & patient safety, not regulatory aspects.