Risk Evidence Based Change Management for Medical Devices

By regulifyAI
June 4, 2026

Manual change reviews miss the mark. FY 2024 FDA data shows the cost. Here is what a risk evidence based approach looks like, and how it works.

Every medical device goes through changes. A software update. A new supplier. A material swap. A label revision. In a single year, a MedTech company can process dozens of design changes.

Each change carries risk. It can introduce new hazards. It can invalidate prior testing. It can trigger a new submission to the FDA. Yet at most companies, change impact is still decided in a conference room from memory.

FY 2024 FDA data tells the story. The agency cited 46 device makers for poor change procedures and 42 more for missing risk analysis. The downstream effects show up in 254 CAPA citations and 92 nonconforming product citations. Most of those started as changes that were never properly risk-assessed.

This guide explains what risk evidence based change management is, why the manual approach fails, and how it works in practice.

In short

Risk evidence based change management runs a structured impact check on every proposed change before it is approved. The check traces what the change touches in the Design History File and Risk File. It updates only the affected hazards. It decides the regulatory path against FDA's published criteria. It builds the audit trail as work happens. Regulify.AI's Change Clarifier and Risk Manager run this workflow together.

Key takeaways

•       Design changes are governed by 21 CFR 820.30(i), ISO 13485 Section 7.3.9, ISO 14971, and FDA's 2017 change guidance.

•       Manual review misses affected items, skips risk re-assessment, and produces inconsistent 510(k) decisions.

•       FY 2024 FDA data: 46 citations for poor change procedures, 42 for missing risk analysis. Source: FDA Office of Inspections and Investigations.

•       Risk evidence based change management links every change to its impact on design, risk, and submission records.

•       Regulify.AI's Change Clarifier and Risk Manager automate the analysis. Final decisions stay with the qualified human reviewer.

What is risk evidence based change management?

Risk evidence based change management is a way to review medical device changes. It uses traceable data instead of meeting room guesswork. Every proposed change is checked against the existing Design History File, Risk File, and submission record before it is approved.

The approach rests on four rules. First, every change is linked to the design inputs, design outputs, and risk controls it touches. Second, affected hazards are updated only where the change actually shifts risk. Third, the regulatory path is chosen against FDA's published criteria, not the opinion of the most senior person in the room. Fourth, the audit trail is built in real time, not reconstructed when the inspector arrives.

This framework sits on top of three regulatory anchors. 21 CFR 820.30(i) requires that every design change be identified, verified, validated where needed, reviewed, and approved before implementation. ISO 13485 Section 7.3.9 mirrors this internationally. ISO 14971 requires that any change be evaluated against the Risk File for the life of the device.

Why do manual change reviews miss the mark?

Most MedTech companies still review changes the same way. An engineer files a change request. A review board meets. The board votes on whether the change is significant. The decision is captured in meeting notes.

This process breaks in four ways.

Affected items get missed. The people in the room may not know that a small software function change touches a hazard in a different part of the Risk File. The trace exists in the DHF. A manual review rarely walks it.

Risk re-assessment gets skipped. ISO 14971 expects the Risk File to be a living document. In practice, the file gets updated at major milestones, not at each change. The gap between the real device and the documented risk picture grows quietly.

The 510(k) decision is inconsistent. FDA's 2017 guidance gives a decision tree for change types. Without automation, the criteria get applied from memory. The same change can get different answers on different days.

The audit trail is broken. Two years later, when an inspector asks how the change was assessed, the answer lives in email threads, meeting recordings, or a former employee's laptop. The decision was made but the proof is gone.

What does FY 2024 FDA data show?

Bad change management drives some of the most common FDA citations. The FY 2024 data shows the cascade.

FDA citation | What it means | Citations (FY 2024)
820.30(i) | Inadequate design change procedures | 46
820.30(g) | Risk analysis not done in design validation | 42
820.100(a) | Inadequate CAPA procedures (often from missed change impacts) | 254
820.90(a) | Inadequate nonconforming product procedures | 92

Two citations point directly at change management: 820.30(i) (46 observations) and 820.30(g) (42 observations). Together, 88 device makers were cited in a single year for these gaps alone.

The downstream effects are larger. Many of the 254 CAPA citations started as incidents that should have been caught when a change was first proposed. Many of the 92 nonconforming product citations trace back to manufacturing or supplier changes whose impact was never properly verified.

Source: FDA Office of Inspections and Investigations, Inspection Observations Fiscal Year 2024, available at fda.gov.

How does risk evidence based change management work in practice?

The workflow runs in six steps. Each step builds a piece of the audit trail.

Step 1, intake. The proposed change is captured with structured fields. What is changing. What type of change. Which product or family. Proposed timeline.

Step 2, automated trace. The system walks the DHF and Risk File. It surfaces every design input, design output, verification activity, hazard, and risk control the change touches. The output is a complete impact map.

Step 3, targeted risk update. Risk re-assessment focuses only on affected hazards. New hazards are flagged. Existing hazard estimates get reviewed. Risk controls get re-evaluated for effectiveness.

Step 4, regulatory path decision. FDA's 2017 guidance criteria are applied to the change profile. The output is a documented recommendation. New 510(k). Letter to File. Or minor revision below reportability.

Step 5, evidence assembly. Required verification, validation, and risk control updates queue as work items. The change cannot close until each item is signed off with evidence.

Step 6, traceable closure. The final change record links to every artifact. Inspectors can trace any change from request to implementation through one record.
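Steps 2, 5 and 6 above, as an added Python example that is not Regulify.AI's code: the DHF and Risk File are modelled as a small constructed link graph with hypothetical record ids, the impact map is a graph walk outward from the changed record, and closure is gated on signed-off evidence with every attempt appended to a timestamped audit trail.

```python
"""Added example (not Regulify.AI code): traceability walk over a constructed
DHF/Risk File graph, plus an evidence gate for change closure."""
from collections import deque
from datetime import datetime, timezone

# Constructed sample trace: each record lists the records it satisfies or controls.
# All identifiers are hypothetical.
TRACE = {
    "DO-SW-014": {"type": "design_output", "links": ["DI-007", "VER-031"]},
    "DI-007":    {"type": "design_input",  "links": ["RC-003"]},
    "VER-031":   {"type": "verification",  "links": []},
    "RC-003":    {"type": "risk_control",  "links": ["HAZ-012"]},
    "HAZ-012":   {"type": "hazard",        "links": []},
    "HAZ-099":   {"type": "hazard",        "links": []},  # unrelated; must not appear
}

def impact_map(changed_id, trace=TRACE):
    """Step 2: breadth-first walk from the changed record; returns {type: sorted ids}."""
    seen, queue = set(), deque([changed_id])
    while queue:
        rid = queue.popleft()
        if rid in seen or rid not in trace:
            continue
        seen.add(rid)
        queue.extend(trace[rid]["links"])
    out = {}
    for rid in seen:
        if rid != changed_id:
            out.setdefault(trace[rid]["type"], []).append(rid)
    return {k: sorted(v) for k, v in out.items()}

def evidence_items(imap):
    """Step 5: each affected verification, hazard and risk control becomes a work item."""
    return [rid for t in ("verification", "hazard", "risk_control") for rid in imap.get(t, [])]

def try_close(change_id, items, signoffs, audit):
    """Step 6: closure succeeds only when every item carries a sign-off with evidence.
    Every attempt, blocked or not, is appended to the timestamped audit trail."""
    missing = [i for i in items if not signoffs.get(i)]
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "change": change_id,
                  "event": "closed" if not missing else "blocked", "missing": missing})
    return not missing

if __name__ == "__main__":
    imap = impact_map("DO-SW-014")
    items = evidence_items(imap)
    trail = []
    print(imap, try_close("CR-0042", items, {"VER-031": "report-v2"}, trail), trail)
```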

The comparison below shows the difference across six dimensions.

What changes | Manual review | Risk evidence based
Finding affected items | Engineers guess from memory | Live trace through DHF and Risk File
Risk re-assessment | Often skipped | Targeted hazard updates only
510(k) decision | Subjective, varies by reviewer | Mapped to FDA criteria, same each time
Audit trail | Email threads and meeting notes | Time-stamped, linked, exportable
Cycle time per change | Days to weeks | Hours from request to decision
Failure mode | Missed impacts found in audit | Impacts surfaced before implementation

How does Regulify.AI fit into this workflow?

Two Regulify.AI modules run this workflow together. Change Clarifier handles the impact analysis and regulatory path decision. Risk Manager handles the hazard library, the risk re-assessment, and the integration with the Risk File.

Change Clarifier. Smart approval and review for regulatory notifications. It assesses the impact of each change, determines the notification path, and guides the change control process. Source: regulify.ai.

Risk Manager. Structured frameworks for risk assessment, automated documentation, and continuous risk monitoring aligned with ISO 14971. Source: regulify.ai.

AI handles the heavy parts. The DHF trace. The hazard library lookup. The application of FDA decision criteria. The audit trail assembly. Qualified human reviewers make every final decision. This matches the expert-judgment requirements embedded in MEDDEV 2.7/1 Rev 4 and FDA guidance.

For AI-enabled and machine learning devices, Change Clarifier supports FDA's Predetermined Change Control Plan (PCCP) framework. The modification protocol and impact assessment template stay aligned with the cleared PCCP.

Frequently asked questions

What counts as a design change under 21 CFR 820.30(i)?

Any change to the device design counts. This includes hardware, software, labeling, manufacturing process, supplier, or materials. The rule is broad on purpose. Every change must be identified, documented, verified or validated where needed, reviewed, and approved before it is implemented.

How do I decide if a change needs a new 510(k)?

Use FDA's 2017 guidance, Deciding When to Submit a 510(k) for a Change to an Existing Device. The guidance groups changes into categories and gives a decision tree for each. A documented evaluation against the guidance is itself a strong audit artifact.

What is a Letter to File?

A Letter to File is internal documentation that records why a change did not require a new 510(k). It must be supported by the same level of analysis as a submission would be. FDA inspectors review Letters to File and expect clear, traceable rationale.

How often should I update the Risk File?

ISO 14971 requires that the Risk File stay current for the life of the device. In practice, it should be updated at every change with hazard or risk control implications, every adverse event with risk relevance, and at defined periodic reviews. A Risk File last touched 12 months ago is a regulatory red flag.

What is a Predetermined Change Control Plan?

A PCCP is an FDA framework for AI-enabled and machine learning devices. It lets manufacturers define in advance the types of modifications the device may go through (modification protocol) and the methods for implementing them (implementation protocol). The PCCP itself is reviewed as part of the original submission.

Does this approach apply outside the US?

Yes. Under EU MDR Article 120 and Annex IX, changes to CE-marked devices are split into substantial and non-substantial categories with different notification rules. ISO 13485 Section 7.3.9 governs change control globally. The same risk evidence principles apply.

Stop guessing, start evidencing

Manual change management was viable when product portfolios were small and change frequency was low. Today, software-enabled devices ship updates monthly. Supplier networks span continents. Regulators expect documented impact analysis on every modification.

Risk evidence based change management does not remove human judgment. It makes sure the judgment is informed by complete, traceable evidence. It applies the same criteria to every change. It captures the decision in a defensible audit trail. Regulify.AI's Change Clarifier and Risk Manager exist to make this the default operating model.

To see how this would map to your specific device and change profile, schedule a free Regulify.AI consultation.

About the authors

Abtin Eshraghi. Co-Founder at Regulify.AI. Regulatory affairs background in medical device development.

Kundan Krishna. Co-Founder at Regulify.AI. AI/ML engineer focused on natural language processing for biomedical and regulatory documents.

References

•       U.S. FDA. 21 CFR 820.30(i), Design Changes.

•       U.S. FDA. Deciding When to Submit a 510(k) for a Change to an Existing Device, October 2017.

•       U.S. FDA. Marketing Submission Recommendations for a Predetermined Change Control Plan for AI-Enabled Device Software Functions, December 2024.

•       U.S. FDA. Office of Inspections and Investigations, Inspection Observations Fiscal Year 2024.

•       ISO 13485:2016. Medical devices, Quality management systems, Section 7.3.9.

•       ISO 14971:2019. Medical devices, Application of risk management to medical devices.

•       European Parliament. Regulation (EU) 2017/745 on Medical Devices, Article 120 and Annex IX.

•       Regulify.AI product pages for Change Clarifier and Risk Manager.