Risk Assessments: How Often Should I Update Them?

EduQuest, a global team of FDA compliance experts, answers industry’s pressing questions. In this round, Denise Dion, Vice President of Regulatory & Quality Services for EduQuest, advises when to update your risk documentation.

Question: I’ve been assigned to do a risk assessment on a new product we’re developing. 

I’m especially concerned about how often we should update our risk assessment and its documentation, both during the design process and once the product is on the market. My background is not in risk management, so any advice you can offer would be very much appreciated.

Answer: First of all, you need to understand that FDA’s primary focus is and always will be the risk to the patient or product user.

So, start your risk assessment by focusing on the product’s potential risks to the end-user, then work back to assess risks to the product introduced by your design and manufacturing processes.

Also, look at the risks associated with your overall Quality System (things like procurement, change control and maintenance, to name just a few). As much as you can, trace all these risks back to the ultimate user of your product.

The more data you collect, the better. Risk management is an iterative process. Especially for a new product, have your testing and operational data flow back to you continually, and use the information to update your design and your original risk documents.

Over time, you’ll understand more about frequency of occurrence and severity, and you’ll understand more about the product’s failure modes.

I strongly recommend a team approach to risk assessment. With a multi-disciplinary team, you’ll have different skill sets and a variety of knowledge points to draw from, allowing you to share ideas and perspectives and, in the long run, better match your risk assessments to reality.

Obviously, your risk management process has to be documented, and it has to be verified to be shown to be effective.

Change is one of the biggest reasons to have good, updated risk documentation. When you make a change to the product or the process, you’ll want to go back to those original risk documents and ask yourself, does this change introduce a new failure mode or hazard? Does it add a new mitigation? Does it change, modify or remove an existing mitigation?

In my opinion, you should review your risk documents with every design change and with the receipt of any new data—then update as needed.

I’ve had people ask if they can just update their risk documents every six months or so, instead of doing it with every change. My answer is that every time you make a change, you need to have the most current data at your fingertips to assess that change.

It doesn’t do anybody any good to work with old risk assessments. You need the most current thinking—what the latest data is telling you about risk—to make informed decisions.

In the end, your risk assessment is an exercise in probability. It’s not exact. But to make it as useful as possible, you should plan to continually collect data, carefully review and learn from that data, and then diligently update your risk decisions and documentation as needed.



Ms. Dion, Vice President of Regulatory and Quality Services for EduQuest, served 18 years with FDA as an expert field investigator and was co-editor of FDA’s Investigations Operations Manual, which is updated annually as a resource for FDA’s own investigators. EduQuest can be reached by This email address is being protected from spambots. You need JavaScript enabled to view it..

EduQuest