Contact Us
  • FDA's Additional Information (AI) Requests

Example #14: Inadequate Risk Management Information

A promotional banner for a tech device series event by The Device Show Experience and C2.
By Robert Rajewski, President, CriTech Research, Inc.

Here’s this week’s example of an Additional Information Request (AI Request):

FDA Additional Information Request – Example #14: Inadequate Risk Management Information

You provided Risk Management File documentation in your submission.

However, the information provided was not adequate. FDA was only able to identify two software related hazards in your risk assessment – a complete software crash and an automatic adjustment abnormality. FDA does not believe that this is comprehensive in capturing all foreseeable failure modes and hazards associated with your software, such as, but not limited to, failure of specific software functions, failures of the user interfaces, or failures of the screen or alarms.

It also does not appear that you addressed the use of Off-The-Shelf (OTS) software in your risk assessment, as recommended in the FDA guidance document “Off-The shelf Software Use in Medical Devices”. A comprehensive Risk Assessment is important to show that you have identified and adequately mitigated the risks because software with unmitigated risks could result in adverse health effects for the patient.

Therefore, please revise your Risk Assessment to address these issues and as recommended in the “Risk Management File” section of the FDA guidance document “Content of Premarket Submissions for Device Software Functions”.

In this example, the Additional Information Request focuses on the risk management information being inadequate. In particular, the FDA found only two risks related to software in the risk assessment, which the FDA does not believe is comprehensive.

The provided documentation does not address the use of Off-The-Shelf (OTS) in the risk assessment.  The FDA considers this a serious oversight given the critical nature of many OTS packages to the proper functionality of the device, including operating systems, communications libraries, and graphic user interface packages.

The medical device company must revise its Risk Assessment to address these OTS issues. Making changes to the risk assessment (and resulting risk control measures) will likely lead to a need to update design documentation, as well as the potential for source code changes and even a complete update and re-execution of testing.

Please follow us to see more examples of AI Requests – a new one is released every week. 

Should you receive an Additional Information Request from the FDA, CriTech is here to help.  Please give us a call to discuss and we’ll help you craft what you need to do going forward.

Should you happen to receive an FDA AIR related to software as part of your submission, CriTech is here to help. Contact us any time.

Contact Us
Linkedin

Follow us on LinkedIn to find out when the next example of our FDA AIRs series is released.

View All Media