
MDSAP Risk Management Procedure

  • Document No: MDSAP QMS P0004.004
  • Version Date: 2023-12-22
  • Effective Date: 2023-12-22
  • Project Manager: Hiromi Kumada, PMDA

Table of Contents

  1. Purpose / Policy
  2. Scope
  3. Definitions / Acronyms
  4. Authorities / Responsibilities
  5. Procedures
  6. Forms
  7. Reference Documents
  8. Document History

1. Purpose / Policy

The purpose of this procedure is to provide MDSAP RA participants including stakeholders such as AOs with guidance on the application of consistent and comprehensive methods for risk management. This procedure provides information on how to identify, analyze, evaluate, and react to risk(s) associated with decisions made under the program, e.g. risks inherent to the program, and risks associated with recognition decisions based on program outcomes. This procedure will also assist in confirming whether or not the MDSAP management system effectively mitigates these risks.

2. Scope

This procedure specifies when the risk management process described in this document is either encouraged or required for MDSAP RA participants and/or stakeholders.

3. Definitions / Acronyms

Consequence: Outcome of an event affecting objectives. (ISO 31000:2009 (E))

Hazard: Source of potential harm. (ISO Guide 73:2009 (E/F))

Level of Risk: Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood. (ISO Guide 73:2009 (E/F))

Likelihood: Chance of something happening. (ISO Guide 73:2009 (E/F))

Probability: Measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossibility and 1 is absolute certainty. (ISO Guide 73:2009 (E/F))

Risk: Effect of uncertainty. (ISO 9000:2015 (E))

Risk Acceptance: Informed decision to take a particular risk. (ISO Guide 73:2009 (E/F))

Risk Analysis: Process to comprehend the nature of risk and to determine the level of risk. (ISO 31000:2009 (E))

Risk Assessment: Overall process of risk identification, risk analysis and risk evaluation. (ISO 31000:2009 (E))

Risk Criteria: Terms of reference against which the significance of the risk is evaluated. (ISO 31000:2009 (E))

Risk Evaluation: Process of comparing the result of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. (ISO 31000:2009 (E))

Risk Identification: Process of finding, recognizing and describing risks. (ISO Guide 73:2009 (E/F))

Risk Management: Coordinated activities to direct and control an organization with regard to risk. (ISO 31000:2009 (E))

Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. (ISO 31000:2009 (E))

4. Authorities / Responsibilities

MDSAP's ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities.

It is important for every MDSAP RA participant and stakeholder to be aware of their individual and collective risk management responsibilities. In order for participants to effectively manage risk, it is essential that participants behave in a way that is consistent with an MDSAP approach to risk management.

Risk management is not merely about having a well-defined process but also about effecting the behavioral change in participants that is necessary to embed risk management in all MDSAP activities. Additionally, risk management is not the sole responsibility of one person but should be supported at all levels.

Risk management activities are usually undertaken by experts from appropriate areas, in addition to individuals who are knowledgeable about the risk management process.

Decision makers (MDSAP Team Lead and/or designated MDSAP Project Manager) should:

  • Take responsibility for coordinating risk management across various MDSAP functions,
  • Ensure that a risk management process is defined, deployed and reviewed, and that adequate resources are available, and
  • Communicate key risk issues to the RAC and Chairperson.

5. Procedures

5.1 An MDSAP participant should be familiar with the concepts and tools described in this document and encourage incorporating them into day-to-day MDSAP projects and related deliverables, including technical assessment activities as needed.

  • 5.1.1 Risk management should include systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk. Possible steps used to initiate and plan a risk management process include:
    • Identify any existing hazards (once the hazards associated with a process have been identified, the risk associated with those hazards can be estimated and analyzed),
    • Assemble available information and/or data on relevant potential hazards, on harm to consumer health and/or on impact on compliance with regulatory requirements,
    • Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk, and
    • Specify a timeline, deliverables and appropriate level of decision making for the risk management process.

    Effective risk management is important because it will enable MDSAP to take advantage of opportunities as they arise. To enable MDSAP to maximize opportunities and achieve its outputs, two methods of identifying and managing key risks are provided:
    • Method #1: use of the minimal process provided in Section 5.6 – A;
    • Method #2: use of the more formal tool provided in Section 5.6 – B.

5.2 If an MDSAP participant identifies a hazard or potential concern for a product/service, they should consider the likelihood of the hazard occurring in similar product/services and situations.

5.3 MDSAP participants are required to incorporate a risk management process in the following scenarios:

  • A dispute between RAC and/or MDSAP site(s)
  • A secondary or higher level review of a report with a differing opinion from the primary review
  • In a situation where a new concern is identified based on documented information received through the complaint process or an identified increase in "several adverse events" linked to a product. A risk assessment needs to be performed for related products/medical devices or related scenarios. The assessment is likely to involve a multi-disciplinary team and may involve the use of alternative procedures.

5.4 The level of effort, formality and documentation of the risk management process should be commensurate with the level of risk. It is not always appropriate or necessary to use a formal risk management process. Using recognized tools and/or internal procedures, such as this procedure, is acceptable in some situations.

5.5 However, if a particular risk assessment tool is appropriate, it should be used. The use of a particular assessment tool should consider the nature of the concerns, the available data and expertise to use the tool, and the potential or demonstrated utility for MDSAP project managers in similar situations. The choice of risk assessment tool should be justified in the documented record.

5.6 A – Method #1: At a minimum, a risk management record should record an investigation to answer the following:

  • What is the boundary, context or circumstance of the environment that is being examined for risk?
  • What could go wrong (sources of harm and the impact on MDSAP outputs, safety or efficacy)?
  • What is the likelihood (probability) it will go wrong?
  • What are the consequences (severity)?
    • For these four questions, supportive information may be obtained from:
      • Data with statistics
      • Case reports
      • Theoretical or mechanistic concerns
    • For these four questions, the source of supportive information should be cited as:
      • Internal MDSAP files
      • Expert opinions
      • Other
    • If the risk determined using the information above is not at an acceptable level, the risk record should document an investigation to determine what an MDSAP participant could do to reduce or eliminate the risk.
      • There should be a Yes or No answer with justification. The justification should balance benefits, risks and resources. This could include prior decisions in analogous situations.
      • If the risk is deemed unacceptable, suggestions for mitigating the risk should be provided and the balance of benefits, risks and resources reconsidered.
      • The answer should weigh factors such as:
        • Benefit of product/service versus risk for a final "approval" of the audit report
        • Decreased access to product and/or service due to mitigation versus risk

5.6 B – Method #2: A more formal tool, described below as a sequence of steps in managing risks, can be used by MDSAP participants as another method to identify and manage key risks in relation to their work output activities.

a. Establish Goals and Context

As outlined in the Risk Management process (MDSAP QMS F0004.1 Risk Management Process Flowchart), risk assessment is undertaken within the context of MDSAP goals. The identification / validation of those goals is therefore a critical first step in the risk management process.

Effective risk management requires a thorough understanding of the context in which MDSAP operates. The analysis of this operating environment enables participants to define parameters for the management of risks associated with MDSAP outputs.

The context sets the scope for the risk management process. The context includes strategic, organizational and risk management considerations.

The risk management context defines the goals, objectives, and/or projects of the MDSAP to which the risk management process is to be applied. This context is important because:

  • Risk management occurs within the context of endeavoring to achieve goals and objectives,
  • Risks need to be managed to reduce the risk of failing to achieve objectives, and
  • Goals and strategies assist to mitigate risk.

b. Identify risks

  • What could go wrong?
  • Are people, assets, etc. exposed to potential risk?

Identify the risks most likely to impact on MDSAP outputs, together with their sources and impacts. It is important to be rigorous in the identification of sources and impacts as the risk management strategies will be directed to sources (preventive) and impacts (reactive). (Use MDSAP QMS F0004.2 Identify and Analyzing Risks Form (optional) to help with this step in the process)

c. Analyze risks

Identify the controls (currently in place) that deal with the identified risks and assess their effectiveness. Based on this assessment, analyze any remaining risks in terms of likelihood and consequence. Refer to the MDSAP QMS F0004.2 Identify and Analyzing Risks Form (optional) to assist you in determining the level of likelihood and consequence, and the current risk level (a combination of likelihood and consequence).

d. Evaluate risks

  • What are the causes and consequences?
  • How likely is it?
  • How bad will it be?

This stage of the risk assessment process determines whether the risks are acceptable or unacceptable. The person with the appropriate authority makes this decision. Participants should periodically monitor a risk that has been determined acceptable to ensure it remains acceptable when existing controls are applied. In all cases participants should document the reasons for the assessment to provide a record of the thinking that led to the decisions. Such documentation will provide a useful context for future risk assessment.

e. Determine the treatments/action for the risks

  • How can we avoid the undesired/hazardous event?
  • How can the risks be kept to as low as reasonably practicable?
  • How effective are controls (barriers)? How could their effectiveness become undermined?
  • Is there a better way?

Participants will direct treatment (action) strategies towards:

  • Avoiding the risk by discontinuing the activity that generates it (rarely an option when providing services to the public),
  • Reducing the likelihood of the occurrence,
  • Reducing the consequences of the occurrence/severity of the risk,
  • Transferring the risk, and
  • Retaining the risk.

Participants shall develop potential treatments/actions according to the selected treatment/action strategy. The selection of the preferred treatment/action takes into account factors such as the costs and effectiveness.

The determination of the preferred treatments/actions also includes detailed documentation of the method of implementation (e.g. responsibilities, timetable for implementation and monitoring requirements).

The intention of these risk actions is to reduce the level of unacceptable risks to an acceptable level (i.e. the target risk level). Use the MDSAP QMS F0004.3 Risk Treatment Action Plan (optional) to determine the expected reduction in level of risk (expected consequence, likelihood and target risk level) resulting from the successful implementation of the treatment/action.

f. Monitor and report on the effectiveness of the risk action taken

  • Can the potential consequences be limited?
  • What recovery measures are needed?
  • Are recovery capabilities suitable and sufficient?

The relevant project manager is required to monitor the effectiveness of risk treatments/actions and has the responsibility to identify new risks as they arise and treat/act accordingly. Project managers are also required to provide feedback and report on the progress of risk treatments/actions at regular intervals.

5.7 For disagreements or disputes, an analysis of the risk of each viewpoint must be prepared. The parties in disagreement should present to an appropriate subject matter expert(s) records of the risk management process that represent their viewpoints. The subject matter expert(s) is responsible for ultimately making a risk-benefit decision based on these records and supporting discussion.

6. Forms

7. Reference Documents

  • ISO 31000:2009 – Risk Management – Principles and Guidelines
  • ISO/IEC Guide 73:2002 – Risk Management – Vocabulary
  • IEC/ISO 31010:2009 – Risk Management – Risk Assessment Techniques

8. Document History

Version | Date | Description of Change | Author Name / Project Manager
001 | 2014-03-11 | Initial Release | Liliane Brown, USFDA
002 | 2016-10-11 | Updated Section: Definitions / Acronyms, including minor update to reflect ISO 9001:2015 revision | Liliane Brown, USFDA
003 | 2019-01-11 | Corrected color of font in sections 5.1 and 5.6; corrected heading in section 5.6; minor spacing corrections | Hiromi Kumada, PMDA
004 | 2023-12-22 | Periodic review; adjusted formatting; corrected indent in section 5.6 e. and f. | Hiromi Kumada, PMDA

Version Approval: 004

Approved: Signature on File, CHAIR, MDSAP RAC

Date: 2023-12-22

Uncontrolled when printed.

For the most current copy, contact MDSAP@fda.hhs.gov
