Start addressing the proposed FDA device QMSR now

Device risk is going to have major emphasis in the revised 21 CFR 820 (currently it's only mentioned casually under Design Control, 820.30) which will include ISO 13485 by reference, and add consideration of ISO 14971 Device Risk Management to it to further flesh out 820.  ISO 14971 defines risk as 1) patient, 2) user / clinician, 3) use environment safety, not financial, scheduling, compliance risk, et al.  ISO 14971 requires a device risk management file, and risk incorporated throughout a company's QMS.  While I have emphasized such risk management since 2003 -- when I was called to assist a company that had 3 FDA inspectors on site for several months overseeing the company generate risk management files and resolve outstanding CAPA files with complete Failure Investigation and Root Cause Analysis documentation, reviewing every completed document prior to allowing it to be added to the company's CGMP documentation / records.

Incidentally, the FDA includes cybersecurity issues as a part of patient safety, if systems affecting the patient are, or can be, networked.

The Device Risk Management File format the Agency approved was similar to the following (one file for each device 'family'):

1.  Narrative:  Device background / description, use environment, team (including a relevant clinician), assumptions, and similar;

2.  Hazard List (basic use hazards and severity to patient);

3.  Fault Tree Analysis (expanding upon the Hazard List);

4.  FMECA's:  Design-, Process-, and Use-FMECAs (also expanding upon the Hazard List);

5.  Problems from "Normal" use  (added later to address the one problem with FTA,       FMEA, and FMECAs being only focused on "Failures" causing problems. Note:       14971 requires that "Control" be included under "Probability" in any final version       of a FMECA (RPN = S x P (including C)). 

6.  Final "Report" / discussion of residual risk, and the Benefit / Risk analysis /               statement. 

Not only did this format pass the inspection of those three inspectors back in 2003, but it has since passed numerous FDA inspections, Notified Body audits, 510(k) and IDE submissions, 483 / Warning Letters' remediation's (with companies in the US, EU, and Asia) since then. 

Get a jump on the upcoming Device CGMP changes, and be in compliance now, by addressing your risk management files now.

Also, SOPs(and the QM) should start including not only references to the 820 regulation (in general), but also specific references to the appropriate ISO 13485:2016 citation(s).  I've been doing this for many years already for my clients. 

  -- jel@jelincoln.com