Introduction
If you’re a Business Analyst assigned to a medical device development project intended for the US market, understanding the FDA’s approval process is critical to ensuring that product requirements, documentation, and risk controls are aligned with compliance expectations. This article outlines the FDA’s classification framework, approval pathways (510(k), De Novo, PMA), and the risk management process. It also highlights how a Business Analyst contributes to hazard identification, traceability matrices, and risk control measures, while preparing submissions under FDA regulations and ISO 14971.

Risk-based Classification and Approval Pathways under the FDA
In the United States the Food and Drug Administration (FDA) regulates medical devices designed to diagnose, cure, mitigate, treat, or prevent disease. The FDA classifies medical devices based on their risk level: Class I (Low Risk), Class II (Moderate Risk), and Class III (High Risk). Understanding these classes ensures that a Business Analyst aligns product requirements with the appropriate regulatory expectations, since each FDA class comes with different levels of regulatory scrutiny. Risk level influences which features or controls are considered safety-critical, and a Business Analyst uses this knowledge to prioritize and trace high-risk requirements through design, verification, and validation processes. Also, risk classification guides the depth and detail of risk analysis. Therefore, a knowledgeable analyst contributes effectively to hazard identification, traceability matrices, and control verification, all required for FDA submissions.
There are several approval pathways under the FDA - 510(k), De Novo, and PMA - which depend on the risk class and directly influence the product development strategy, regulatory timeline, and documentation requirements. Understanding these pathways helps a Business Analyst define the level of rigor needed in requirement specifications, risk analysis, and testing.
The 510(k) Clearance is the most common route for most moderate-risk medical devices. This is the FDA’s standard process for products that are substantially equivalent to an existing one on the market, known as a predicate device. To get 510(k) clearance, the manufacturer must show that their product is just as safe and effective as the existing one.
In cases where a company develops a novel device with no clear predicate, the De Novo pathway comes in. It is designed for low- to moderate-risk devices that are novel but still meet safety and effectiveness standards. Instead of proving similarity to something existing, the company must demonstrate that the device is safe on its own merits. If successful, the FDA not only clears the device but also establishes a new “predicate” for future devices of the same type.
Finally, for medical devices that carry a high risk (Class III devices), where an incorrect result could lead to serious harm or death, companies must go through the Premarket Approval (PMA) process, the FDA’s most rigorous review. PMA requires comprehensive clinical trials, detailed safety and effectiveness data, and strict post-market monitoring once the device is in use.
Overview of Design Controls and Post-Market Surveillance for FDA-Compliant Medical Devices
To meet FDA regulatory expectations under 21 CFR Part 820, medical device manufacturers must implement Design Controls to systematically manage product development from concept to commercialization. Design controls provide a structured framework for planning, developing, verifying, validating, and managing changes to a medical device throughout its design lifecycle. The process begins with Design Inputs, which are the documented requirements derived from user needs, intended use, and applicable regulatory and safety constraints. These inputs form the basis for Design Outputs, which include specifications, engineering drawings, and source code. To maintain compliance and traceability, every output must be directly linked back to its corresponding input. At key points throughout development, Design Reviews are conducted as formal, documented evaluations to verify that the project is on track and meeting quality and regulatory expectations. Within this process, Design Verification ensures that outputs correctly fulfill the defined inputs. Following verification, Design Validation confirms that the final product meets user needs and intended use under actual or simulated conditions. Once validated, the design is transitioned to manufacturing through the Design Transfer process, ensuring that all specifications are accurately conveyed for consistent production. Throughout and after development, any Design Changes must be rigorously controlled, documented, and assessed for impact, with re-verification and re-validation performed as necessary. All documentation and evidence generated through these activities are compiled into the Design History File (DHF), which serves as a comprehensive record demonstrating that the device was developed in accordance with 21 CFR Part 820.30 and is ready for FDA inspection or submission.
Following market entry, manufacturers are required to fulfill post-market obligations. By establishing a post-market surveillance system, a manufacturer continuously monitors the device’s real-world performance, collects data on how it behaves in diverse clinical environments, and watches for any potential safety concerns. If a device encounters issues — unexpected malfunctions, cybersecurity vulnerabilities, or performance problems — companies are required to report them to the FDA through the Medical Device Reporting (MDR) system. Serious adverse events, such as patient injury or death related to device use, must be reported within strict timelines.
Risk Management Process Overview
Risk management under FDA regulation is a central component of medical device development and is closely aligned with the international standard ISO 14971 for identifying, evaluating, controlling, and monitoring risks associated with medical devices. FDA guidance documents often refer to this standard to define expectations for risk management activities throughout a product’s lifecycle. The Risk Management Plan should cover the entire lifecycle: design, development, and post-market. It defines roles, responsibilities, criteria for risk acceptability, and methods for evaluation. Risk Analysis is conducted to determine the probability of occurrence and severity of harm. Risk controls - design changes, protective measures, information for safety - are implemented to eliminate or reduce a risk. After controls are applied, the remaining risks are assessed, and if the residual risk is still too high, further controls or design changes are needed. If a risk cannot be further reduced, justification needs to be provided to demonstrate that the clinical benefits outweigh the risks. The Risk Management File includes all identified risks and is part of the 510(k) or PMA submission for FDA review. The FDA expects a risk-based approach to both development and regulatory submission. Risk Management should be integrated with design controls, not treated as an isolated activity. In premarket submissions, the FDA requires a risk analysis summary and traceability between risks, mitigations, and testing.
The role of the Business Analyst is especially valuable when preparing the Risk Analysis Summary for a 510(k) submission, where each hazard, hazardous situation, and potential harm must be identified, evaluated, and mitigated appropriately, with traceability between them.
Case Study: Hazard and Risk Analysis for a Blood Pressure Monitor
Consider the following scenario: a nurse uses a malfunctioning automated BP monitor that underestimates the patient's systolic pressure by 20 mmHg. The physician, seeing normal readings, decides not to start treatment for hypertension. A few weeks later, the patient suffers a stroke due to uncontrolled high blood pressure.
- The starting point is to identify the Hazard, a potential source of danger.
  - Hazard: Inaccurate Blood Pressure Measurement
- The next step is to define one or several Hazardous Situations, conditions where a user or a patient is exposed to the hazard.
  - Hazardous Situation: Device gives low BP reading
- For each Hazardous Situation, a potential Harm should be identified: an actual injury or health issue that could result from a Hazard.
  - Harm: Misdiagnosis, improper treatment, hypotension, stroke
A Business Analyst assists the Risk Manager in identifying one or several causes: why or how the Hazard could happen. In this particular case, the identified causes apply to both Hazardous Situations:
- Cause 1: Incorrect cuff placement
- Cause 2: Motion during reading
- Cause 3: Calibration drift
A Risk level, which is a combination of how likely the harm is (probability) and how serious it would be (severity), needs to be defined for the Hazard. For the Hazard Inaccurate Blood Pressure Measurement, Probability is medium, since human error and equipment issues are not uncommon in clinical settings, and Severity is high, since it can lead to misdiagnosis and under-treatment of hypertension, causing a stroke or other complications.
- Initial Risk Level: medium to high, due to moderate probability and high severity.
After defining the causes and risk level, the Business Analyst works on Risk Control Measures in order to reduce or eliminate the Risk. Every Risk Control Measure must be traceable to the Risk, as required by the FDA guidance.
- Risk control measure 1: Clear instructions for cuff placement. Use validated equipment
- Risk control measure 2: Automated motion detection
- Risk control measure 3: Double-checking abnormal readings manually
There should be verification of controls in place to prove that the defined Risk Control Measures work and are effective.
And finally, the Residual Risk, the risk that remains after applying all controls, is defined as low and acceptable.
Final Thoughts
From initial concept to FDA submission, a Business Analyst plays an essential role in ensuring medical devices are developed with regulatory compliance and patient safety in mind. By driving clarity in requirements, supporting risk identification, and ensuring traceability between hazards, mitigations, and testing, a Business Analyst helps translate regulatory expectations into actionable and traceable design inputs. Their involvement in risk management activities, design control documentation, and stakeholder alignment supports the creation of submission-ready artifacts that meet FDA standards.
Author: Iryna Sizikova
For the past 17 years I have been working in the healthcare industry, at a US dental equipment and software product manufacturer that markets its products in over 120 countries. My current role is the Chapter Lead of the Business Analysis and Documentation. I am promoting the role of the Business Analyst in a regulated environment.
I am an IIBA member, podcast guest, speaker, presenter and author of scientific publications. I am passionate about business analysis and regulatory compliance and enjoy sharing best practices and techniques with the BA community worldwide.