How to Document Risk in your 510(k)

You can document Risk in a 510(k) by comparing subject device with one or more similar legally marketed devices to support substantial equivalency claims. To legally market your medical device, you need to demonstrate it is as safe and effective as any other legally marketed product that is not subject to PMA (21 CFR 807.92(a)(3)).

The blog describes key factors for documenting risk management in 510(k) submissions. Here is a list of questions we should understand:

  • What is a predicate device and how to claim substantial equivalence to a proposed device?
  • Types of devices needing risk management for 510(k) submissions?
  • Risk management requirements for a Traditional 510(k)?
  • Where can one find 510(k) risk management requirements?
  • How can manufacturers demonstrate device safety?
  • Key factors for documenting risks before submitting 510(k)?
  • Contents of software related documentation?
  • What are the contents of risk related documentation?


Using Substantial equivalence to demonstrate risk management in the 510(k) submission. 

A predicate device is a legally marketed device subjected to premarket approval. We can demonstrate Substantial Equivalence by comparing the applicant’s device to a cleared predicate device, if:

  • it was cleared through the 510(k) process
  • it was legally marketed prior to May 28, 1976 (pre-amendments device)
  • it was originally on the U.S. market as a Class III device (Premarket approval) and later down-classified to Class II or I
  • it is a 510(k)-exempt device

We can demonstrate substantial equivalence if predicate device has:

  • The same intended use as the predicate; and
    • the same technological characteristics as the predicate
  • The same intended use as the predicate; and
    • different technological characteristics and the information submitted to FDA and
    • does not raise new questions of safety and effectiveness; and
    • demonstrates that the device is at least as safe and effective as the legally marketed device.
  • Same technical characteristics can be:
    • The design
    • Energy used or delivered
    • Materials of construction
    • Performance
    • Safety
    • Effectiveness
    • Labeling
    • Biocompatibility
    • Environmental conditions
    • Storage/ transport
    • operating

If the new device has some different technological characteristics the differences must not raise questions of safety or effectiveness when you’re testing the device as safe and effective as the predicate device. However, if testing is done in accordance with FDA recognized standard then certificate of compliance to that standard is sufficient for the submission, and global test information or test data is not required.

A simple way to show substantial equivalence is to create a comparison table including: 

  • Technological specifications mentioned below:
    • Intended use, Indications for use
    • Target population, Anatomical sites, where used (hospital, home, etc.)
    • Energy used and/or delivered
    • Human factors, Design, Performance, Standards met, Materials, Biocompatibility, Compatibility with environment and other devices
    • Sterility, Electrical safety, Mechanical safety, Chemical safety, Thermal safety, Radiation safety
  • A Narrative discussing similarities and differences between new and predicate device


Devices requiring risk management for 510(k) submission.

  • Risk management requirements are only for devices that contain software.
  • Abbreviated 510(k)s generally require declarations of conformity and risk management documents


Risk management requirements for a Traditional 510(k). 

Only embedded software, driven by or standalone software and devices with software component must include Hazard Identification and Risk Assessment in 510(k)s.

When there is insufficient information to create general controls, special controls provide reasonable assurance of safety and effectiveness. It assures FDA that hazards related to device development process were subject to controls and mitigations.

You should include Risk Control Verification and Validation requirements under

  • Packaging Validation
    • Sterilization Validation
    • Biocompatibility
    • Software Verification Validation
    • Electrical Safety and EMC
    • Bench/Pre-Clinical Performance Testing
    • Animal Performance Testing
    • Clinical Performance Testing

Risks to Users and Patients are addressed in the Instructions for Use (IFU) as warnings, contraindications, and precautions (typically because of usability studies and hazard analysis).

Risk-Benefit Analysis is required in Special 510(k)s, De Novo applications, Humanitarian Device Exemptions, and PMAs. It is not required for traditional 510(k).

Where can one find 510(k) risk management requirements?

Design validation-software validation and risk analysis (21 CFR 820.30) FDA and EU CE Marking compliance- recognize ISO 14971 standard:

  • FDA recognizes ISO 14971:2019
  • EU recognizes EN ISO 14971:2019 (differences include omission of Annexes, decoupling of standards to MDR regs),

Best practices to address risks in 510(k) submissions

  • Look for appropriate Special Controls Guidance Docs in the FDA Guidance Document
  • Use Guidance Documents for Controls and Risk Management Requirements
  • Examine the guidance and determine which standards, testing, and hazard/risk analyses are appropriate.
  • Ensure extensive testing

How to demonstrate device safety?

The GHTF/SG1-N11:2008 in 10.0 Risk Analysis and Control Summary states that “The STED [Summary Technical Documentation] should contain a summary of the risks identified during the risk analysis process and how these risks have been controlled to an acceptable level. Preferably, this risk analysis should be based on recognized standards and be part of the manufacturer’s risk management plan.”

Factors to consider regarding risks before submitting 510(k)?

Human factors:

“Medical device manufacturers are required to follow FDA’s Human Factors guidance and regulations to help ensure safe use of these devices.” – CDRH website

Recognized standards include ISO 14971 risk management standard, IEC 62366 (joint ISO/IEC standard applying to all devices), IEC 60601-1-6 and AAMI HE75. To comply with standards,

  • Manufacturers will have to develop usability specifications for devices
  • Manufacturers should explore usability issues as part of the risk management process in compliance with standards
  • Include Usability evaluations as part of design validations

The FDA requires a summary of these actions as part of a human factors dossier while submitting pre-market information, which is explained in detail below:

  • Description of device user interface
  • Description of user interaction with UI (use scenarios)
    • Device, Training, Labeling, IFU
  • intended users, uses, use environments and training
  • Summary of known use problems from:
    • Predecessor devices
    • Similar devices
  • Analysis of hazards and risks associated with the use of the device
  • Summary of preliminary analyses and evaluations
  • Description and categorization of critical tasks
  • Details of human factors validation testing
    • Description of test participants (minimum of 15 in each user population)
    • Description of test scenarios
    • Moderator guideline
    • Training offered
    • Test results
    • Test results summary
  • Conclusion


Content of Software-related risk documentation.

In the 510(k) submission, medical device manufacturers must:

  • show they identified hazards appropriately and managed risks effectively and
  • provide traceability to link design, implementation, testing, and risk management.

The following information is picked from the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices, May 11, 2005

Device Hazard Analysis: Tabular description of identified hardware and software hazards, including severity assessment and mitigations.

Traceability Analysis: Traceability among requirements, specifications, identified hazards and mitigations, and Verification and Validation testing.

When performing a hazard analysis, it is recommended that you address all foreseeable hazards, including those resulting from intentional or inadvertent misuse of the device.

The risk documentation for software can be in the form of an extract of the software-related items from a comprehensive risk management document, such as the Risk Management Summary described in ISO 14971. In this format, each line item should include:

  • identification of the hazardous event
  • the severity of the hazard i.e., level of concern
  • cause(s) of the hazard i.e., device Hazard analysis
  • method of control (e.g., alarm, hardware design)
  • corrective measures taken, including an explanation of the aspects of the device design/requirements, that eliminate, reduce, or warn of a hazardous event; and
  • verification that the method of control was implemented correctly.
  • Software Description
  • Software Requirements Specification (SRS)
  • Architecture Design Chart
  • Software Design Specification (SDS)
  • Traceability Analysis
  • Software Development Environment Description
  • Configuration management & maintenance plan
  • Verification/ validation Documentation
  • Revision Level History
  • Unresolved anomalies
  • Impact on safety or effectiveness discussion
  • Rationale for accepting

It is recommended to base your estimation of risk for your Software Device on the severity of the hazard resulting from failure, assuming that the failure will occur. You need to use risk identification and control techniques described in consensus standards such as ISO 14971.

Documenting risk in 510(k)

After analyzing the previous material, it is evident that ISO 14971 has identified a method for providing the information necessary by the FDA, namely the traceability summary required in Clause 3.5 of the risk management file.

The information can be provided in a document that is displayed in the GHTF guidance, GHTF/SG3/N15R8 Implementation of risk management principles and activities within a Quality Management System Annex C. 

Example of Risk Management Summary Table
Example of Risk Management Summary Table










Risk Traceability Summary

You can add a column with reference to the source document listing each hazard and additional information to improve the use of Risk Traceability Summary, for example:

  • A Human Factors or Usability study that identifies hazards
  • A standard that identifies a hazard and possibly a risk control method
  • MAUDE database identified hazard from predicate device
  • Complaint file from previous similar product

Risk Information in 510(k)

Provide a copy of the Risk Chart, which specifies the Risk Acceptability levels for the product in the submission, and include copies of the definitions of Severity Levels and the Probability of Occurrence Levels.

Take care of probability levels to ensure there is evidence to support the quantified levels and the ranges do not overlap.

Risk Chart Communicating Risk Management

Risk chart communicating risk management activities


Managing 510(k) is a tedious process, requiring data from various teams and several elements of test strategy. However, you can still navigate the process of organizing all the data in a simple yet comprehensive manner. It is important to remember that FDA reviewers can only review so much detail, and therefore randomly put together irrelevant data can cause delays in receiving approval. Therefore too much information can negatively impact 510(k) review timelines. It is a manufacturer’s responsibility to submit data accurately and present it in an easily comprehensible format. FDA can have many questions after the application is submitted, and they need to be responded promptly by going back to the source of data and responding to FDA to compress your approval cycle.

Leveraging Regulatory Management Technology (RIM) to build your medical device technical files and 510(k) submissions will help you avoid inconsistency, maintain clarity for managing submission requirements helping you streamline only those processes and parts of of section of your document that need additional detail.

About Essenvia

Essenvia is a regulatory lifecycle management solution to help you optimize the entire regulatory operations process. Our Regulatory Management Software solutions include an innovative approach to building your pre-market submissions like 510(k) and MDR/ IVDR as well as post-market submissions like Regulatory Change Assessment and Post Market Surveillance. Our solution reduces errors, streamlines regulatory process, and guarantees faster regulatory clearance for your medical device.

Schedule a demo now to find out how Essenvia can help you with your regulatory submissions.

FDA Cleared Vs FDA Approved for Medical Devices

What does FDA Cleared vs. FDA Approved mean for Medical Devices?

Medical devices in the US (and the rest of the world) use a risk-based classification system that determines the rules and regulations and level of evidence necessary to obtain FDA permission to market a new or modified medical technology.

In the US, the precise terminology of FDA cleared vs. approved arises from the statutory distinction between a sponsor marketing a Class II 510(k) vs. Class III PMA medical device. FDA marketing terminology for products that are Class I 510(k) Exempt is the same as with Class II 510(k)s — that is “FDA Cleared”.

For De Novo 510(k)s, it’s not clear what terminology sponsors should use. A quick search of recent listings in FDA’s De Novo 510(k) database indicates that some sponsors on their websites describe a newly marketed De Novo 510(k) technology as “FDA approved” while others use the more conservative terminology of “FDA cleared”.

Interestingly, the real-world implications of using incorrect terminology — for example inappropriately claiming that a Class II 510(k) device is “FDA approved” — while not advisable rarely results in a publicly disclosed FDA compliance enforcement action such as a Warning Letter.

1976 Medical Device Amendments to FD&C Act     

The precise terminology of FDA-cleared vs. approved dates back to the 1976 Medical Device Amendments to the Food, Drug, and Cosmetic Act (FD&C Act) which for the first time established a statutory framework designed specifically for FDA regulation of medical devices as opposed to FDA oversite of pharmaceuticals, dietary supplements, veterinary products, etc.

Pathway to Market for Medical Devices – 510(k) and PMA

The statutory framework of the Medical Device Amendments established 2 Pathways to Market for new or modified medical technologies:

Statutory ProvisionCommon NameRisk ClassificationRegulatory Paradigm
Premarket Notification510(k)Class II — ModerateSubstantial Equivalent (SE) to Predicate Device
Premarket ApprovalPMAClass III — HighReasonable Assurance of
Safety and Effectiveness

1. FDA Premarket Notification – 510(k) Submission

The Premarket Notification, or 510(k) submission, is the mechanism through which the majority of medical devices obtain US marketing clearance.

Under section 510(k) of the FD&C Act, a manufacturer must submit a 510(k) to FDA at least 90 days before introducing or delivering for introduction, a device into interstate commerce for commercial distribution so the Agency can determine whether or not the device meets the criteria for market clearance.

If FDA finds the device to be substantially equivalent, the sponsor receives an order, in the form of a letter, from FDA which states that the device can be legally marketed. This order “clears” the device for commercial distribution in the US.

2. FDA Premarket Approval – PMA Submission

The Premarket Approval or PMA is the FDA process of scientific and regulatory review to evaluate the safety and effectiveness of Class III medical devices.

PMA is the most stringent type of device marketing application required by FDA. The applicant must receive FDA approval of its PMA application prior to marketing the device.

PMA approval is based on a determination by FDA that the PMA contains sufficient valid scientific evidence to assure that the device is safe and effective for its intended use(s).

Marketing via FDA Clearance vs. FDA Approval

The 1976 Medical Device Amendments established different terminology for marketing 510(k) vs. PMA technologies as specified below. Using different languages suggests that there is a purposeful distinction between whether a new medical device comes to market via the 510(k) vs. PMA Regulatory Pathway.

Marketing ApplicationSafety and Effectiveness Testing Requirements for Marketing
FDA 510(k)To obtain FDA Clearance, the manufacturer must compare the new device to a similar legally marketed predicate device and demonstrate substantial equivalence.
FDA PMA (Pre-Market Approval)To obtain FDA Approval, the manufacturer must provide sufficient testing results from the new device that demonstrate a reasonable assurance of safety and effectiveness.

In fact, there is no legal or commercial difference between whether a medical technology comes to market through FDA Clearance or FDA Approval.

In both cases, what’s important is that FDA acknowledges in writing (SE Letter vs. PMA Approval Order) that the manufacturer can introduce a new or modified medical device into commercial distribution.

De Novo 510(k)s

1. Language from Sponsor Websites

For De Novo 510(k)s, it’s not clear what terminology the sponsor should use. A quick search of recent listings in FDA’s De Novo 510(k) database indicates that some sponsors on their websites describe a newly marketed De Novo 510(k) technology as “FDA approved” while others use the more conservative terminology of “FDA cleared”. The following are examples of newly marketed De Novo 510(k) devices.  One company website specifies FDA approved and the other FDA cleared.

Neurolutions IpsiHand

Upper Extremity Rehabilitation

DEN200046 04/23/2021

Apple Watch App for PTSD

DEN200033 11/06/2020

2. Regulatory Paradigm for De Novo 510(k)s is Most Similar to PMA, Not Traditional 510(k)

Unlike traditional 510(k)s and PMAs, the De Novo Letter that sponsors receive from FDA allowing them to market a new device does not include terminology such as “FDA cleared” or “FDA approved”.

Instead, the De Novo Letter provides the following boilerplate language:

“After review of the information submitted in the De Novo request, FDA has determined that … [your device] can be classified in class II with the establishment of special controls for class II. FDA believes that class II (special) controls provide reasonable assurance of the safety and effectiveness of the device type.”

According to the above, the regulatory paradigm for the De Novo 510(k) pathway to market is very similar to the PMA – that is for the sponsor to demonstrate a reasonable assurance of safety and effectiveness.

3. So What Terminology Should a Sponsor Use?

Since a PMA sponsor appropriately refers to their marketed device as “FDA approved”, the above Regulatory Analysis provides the sponsor of a De Novo 510(k) ample justification to use the same language for marketing their medical device.

So De Novo 510(k) sponsors can confidently use “FDA approved” as appropriate terminology for product Websites, Advertising, and Promotional Materials, Sell Sheets, etc.

Real World Implications of Using Incorrect Terminology

The real-world implications of using incorrect terminology (FDA cleared vs. FDA approved) are surprisingly low risk — even considering regulatory and/or legal liability.

1. Misbranded

FDA clearly has the authority to determine if a medical device is “misbranded”.  This is most commonly the result of some aspect(s) of product labeling which is found by the FDA to be false or misleading.

2. Labeling for 510(k) Device Incorrectly Specifies “FDA Approved”

What are the consequences if a sponsor (either inadvertently or perhaps intentionally) incorrectly claims that a Class II 510(k) device is “FDA approved”?

According to the letter of the law, this would qualify as misbranding.  But the real-world consequences are actually insignificant.

FDA’s Compliance and Quality Staff is a relatively small group with limited resources.  When a product is found to be misbranded, FDA typically pursues enforcement action only if the violation meets either of the following:

  • Misbranding could reasonably result in patient harm
  • Misbranding characterizes device therapy as more effective than was demonstrated in 510(k) submission

3. Warning Letter From FDA – Compliance Enforcement Action

FDA typically reserves the use of a Warning Letter for compliance violations that meet one of the following – in order from most common to least:

  • Noncompliance with Quality Systems Regulation (QSR)
  • Class II Device has been marketed without 510(k) filing
  • Failure to properly conduct Postmarket Surveillance

In FDA’s Warning Letter database, there are no instances of misbranding from using incorrect marketing status terminology.

So while not advisable, simply misbranding a Class II 510(k) device by using the incorrect terminology of FDA approved (as opposed to FDA cleared) would rarely if ever result in a compliance enforcement action such as FDA issuing a Warning Letter.

About Essenvia

Essenvia is an online software to streamline pre and post-market workflow for medical device companies by streamlining plans or activities to market, improving cross-functional collaboration, and automating steps to manage initial and subsequent device modifications.

Essenvia is designed to help drastically reduce submission errors, streamline data and information gathering, save time, improve collaboration and help you submit a close to rejection proof as a possible submission for 510k, PMA, IDE, Technical File for CE Mark, etc.Schedule a demo now to find out how Essenvia can help you with your regulatory submissions.