The Top 3 Risk Management Failures FDA Continues to Cite

Across medical device and in vitro diagnostic (IVD) inspections, the U.S. Food and Drug Administration (FDA) continues to issue Form 483 observations and Warning Letters tied to risk management failures. These findings are not about missing templates; they reflect systemic breakdowns in how risk is identified, evaluated, justified, and maintained.

Below are the three most common risk management issues FDA cites, supported by FDA’s own enforcement language, and what those findings actually mean in practice.

1. Incomplete Risk Analyses

What FDA cites

FDA frequently cites firms for failing to adequately establish or execute risk analysis procedures. In a 2025 Warning Letter, FDA stated:

“Failure to adequately establish procedures for adequate risk analysis… hazard analyses do not address hazards and risks associated with the use of your device with automated insulin dosing (AID) systems.”

In other Warning Letters, FDA has similarly noted that:

“Risk analysis was not adequately conducted to identify and evaluate known or foreseeable hazards.”

“The risk analysis does not include an estimation of the probability of occurrence of harm.”

What this means

FDA is flagging risk analyses that list hazards but do not carry the evaluation through: the probability of occurrence of harm, fault conditions, foreseeable misuse, and real-world use scenarios (such as the use of the device with AID systems cited above) are left unaddressed. This often occurs when risk analysis is treated as a one-time design activity rather than an ongoing safety process.

From FDA’s perspective, a risk analysis that omits probability, foreseeable misuse, or system-level interactions is incomplete by definition, regardless of how polished the document appears.

2. Risk Ratings Are Not Justified or Supported by Evidence

What FDA cites

FDA routinely challenges risk evaluations that are inconsistent, downgraded without rationale, or disconnected from available data. In a Warning Letter issued to a Swiss medical device company, FDA stated:

“Your firm’s risk assessment table identifies only one potential harm… despite the fact that embolism is also listed as a potential risk… The risk table does not identify nor calculate the risk of embolism.”

FDA has also cited firms where:

“Risk levels were not adequately justified or supported by objective evidence.”

“Severity classifications were incorrectly assigned and did not reflect the potential clinical impact.”

What this means

FDA expects risk ratings, particularly severity and occurrence, to be defensible and evidence-based. When complaint data, clinical knowledge, or known hazards exist, FDA expects those inputs to influence how risks are scored and justified.

Using vague definitions, qualitative scoring without rationale, or selectively excluding known harms signals to FDA that risk decisions are being made for convenience rather than safety.

3. Risk Management Is Not Maintained Over the Product Lifecycle

What FDA cites

One of the most consistent FDA findings is that risk management files are not updated when new information becomes available. In multiple Warning Letters, FDA has stated:

“Failure to adequately update risk analysis based on post-market information.”

“The risk management file was not revised to reflect design changes.”

“Complaints and nonconformances were not evaluated to determine whether they represent new or increased risks.”

In a Warning Letter to a U.S.-based medical device company, FDA noted:

“This hazard has not been considered as part of your design activities.”

What this means

FDA expects risk management to be a living system, not a static file. Design changes, verification failures, complaints, nonconformances, and CAPAs are all expected to feed back into risk evaluation.

When risk files remain unchanged despite real-world signals, FDA interprets this as a failure to understand whether risk controls remain effective in actual use.

What FDA Is Signaling Through These Findings

When these three findings appear together – incomplete analysis, unjustified risk ratings, and static risk files – FDA is not pointing out isolated documentation gaps. FDA is signaling a breakdown in the manufacturer’s ability to actively manage risk.

In plain terms, FDA is asking:

Can you demonstrate that your device risks are understood, justified, and actively managed based on how the product actually performs?

If the answer cannot be clearly shown, a risk-related observation is likely to follow.

If you’re seeing similar risk management gaps in your own program, or want an independent assessment before FDA does, we can help.

FDA Warning Letters are publicly available and can be reviewed directly on FDA’s website.
