Insights on risk management topics and tips and techniques for implementation.

Case study - When Miscalculating Risk Leads to a Warning Letter

risk analysis warning letter Mar 29, 2024

Note: this article is a summary of the original article published on the Let's Talk Risk! newsletter on Substack, a reader-supported publication.Read the full article here.


This case study analyzes a recent FDA warning letter to a manufacturer of an ambulatory cardiac monitoring system for not following their own procedures, which led to a miscalculation in the risk level, and negatively influenced the outcome of a Health Hazard Evaluation (HHE).

The main issue

The manufacturer uses the HHE procedure to determine if any corrective and/or preventive actions are required as a follow up to potential safety-related issue. In this case, a miscalculation in the probability of occurrence of harm led to the incorrect decision of not updating the risk management documentation and other appropriate field actions.

Although many of the relevant details have been redacted in the warning letter, footnotes 5 and 6 offer clues about some of the factors that might have contributed to the cited miscalculation, and the resulting incorrect decision in the HHE:

  • Failing to convert the probability value into a percent value when determining the risk level using the Risk Level Matrix in the risk management SOP.
  • Selecting risk level as “low” when correct calculation would have led to selecting “medium” risk level.
  • Using probability ranges for different levels in the Health Risk Table, but only a single probability level for HHE determination.
  • Mismatch in probability levels between different risk tables.

Two main issues stand out from these clues:

  1. Probability value is not converted to a percent value
  2. Risk tables in procedures have significant inconsistencies

Likely reason for FDA scrutiny

The warning letter refers to marketing materials and other documentation, which seem to suggest that the device is intended for near real-term monitoring as a mobile cardiac telemetry monitor; it can provide notifications immediately; and that is intended for high-risk patients.

FDA considers these claims to be outside the scope of the authorized indication for use, which excluded high-risk patient population requiring more supervised monitoring and critical care.

Further, FDA cites several design changes, which would have required additional testing to support the manufacturer’s assertion that the safety and effectiveness is unaffected.

In short, FDA is questioning whether the current assessment of safety and effectiveness is adequate to support the marketing claims about near real-term monitoring, immediate notifications and use on high-risk patients. If there is evidence suggesting that risk is miscalculated, and that appropriate steps to ensure patient safety are not being taken, then gaps identified in the HHE process according to this specific issue should be considered significant.

Patient safety impact

The specific safety issue of concern in this case study is related to the Activation Time Mismatch error, when prior patient data is not fully erased from the device prior to its reuse on another patient.

A safety-related potential consequence of this issue is incorrect final report issued for the second patient who receives a device where data from the previous patient is not fully erased. This may lead to an incorrect diagnosis and treatment for the second patient.

Another potential outcome is that the device may fail to activate, or transmit data, which may lead to delay in monitoring, diagnosis and treatment. In some cases, a breakdown in data capture or transmission may lead to serious health consequence, or death.

In Conclusion

  1. Although FDA is citing a violation of the CAPA requirement in this warning letter, a deeper issue relates to how health hazard evaluations are conducted, and how simple error in risk calculation can lead to significant errors in judgement.
  2. In this case, failing to convert the probability value into a percent value likely led to selecting the risk level as low, instead of medium.
  3. As a result, an update to the risk documentation was not made to recognize the risk related to activation time mismatch error, an unanticipated safety-related issue.
  4. When new risks are not recognized and addressed in a timely manner, the overall benefit-risk of a device may be adversely impacted, thereby, raising new questions about safety and effectiveness within the scope of the intended use.
  5. The current regulatory framework inadvertently led to a disconnect between Risk Management and Quality system in the device industry. The proposed amendment to the Quality System Regulation to align with ISO 13485 is expected to encourage a better integration of risk management throughout the Quality System.

Read the full article here to learn more about this device, its regulatory status and a simulation of a scenario may have lead to an incorrect risk level assignment.


  1. FDA warning letter CMS 643474, Issued May 25, 2023
  2. Let's Talk Risk! newsletter


Say yes to receiving a practical risk managementĀ tip each week!


You're safe with me. I'll never spam you or sell your contact info.