The risk management approach

ALARP (As Low As Reasonably Practicable) to AFAP (As Far As Possible) and medical device risk management has always been a tricky one. The nature of the products, their intended use, and the markets in which they are sold influences the approaches in controlling risk. When it comes to risk, the first thing to consider is the ISO 14971 standard. MDR and IVDR changes bring a new alignment in terms of risk.

The latest version of ISO 14971:2019+A11:2021 and the Medical Devices Regulation (EU) 2017/745 are linked and not referenced. EU MDR regulation has a very strong emphasis on risk management. Risk is mentioned 243 times in the regulation compared to a combined total of only 69 times in the two medical device directives — Active Implantable Medical Device 90/385/EEC (14 times) and Medical Device Directive 93/42/EEC (55 times).

Although ISO 14971 is not cited in the regulation, it is a documented harmonized standard in the Official Journal of the European Union. In January 2022, news emerged that this latest version of EN ISO 13485 has been officially harmonized under the MDR along with other standards.

Those who are new to the Regulatory Affairs field, should talk to experienced colleagues or read this previous ALARP-AFAP blog for insights.

How MDR is linked with ISO13485

In MDR in Annex I, Chapter l of the regulation exactly reflects risk management requirements of those in ISO 14971. Although the regulation does not specifically mention the medical device risk management standard ISO 14971, it does require compliance to harmonized standards. Recital 22 states “compliance with harmonized standards as defined in Regulation (EU) No 1025/2012 of the European Parliament and of the Council (2) should be a means for manufacturers to demonstrate conformity with the general safety and performance requirements and other legal requirements, such as those relating to quality and risk management, laid down in this Regulation.” Article 2 (70) defines a harmonized standard as “a European standard as defined in point (1)(c) of Article 2 of Regulation (EU) No 1025/2012”.

MDR requirements with respect to reducing risk

• Reduce risk as far as possible
• Eliminate risk (or reduce as far as possible)
• Minimize risk
• Remove risk (or reduce as far as possible)
• Remove risk (or minimize as far as possible)
• Reduce risk to the lowest possible
• Avoid risk to the lowest possible

In Clause 4.2 of ISO 14971:2019, Note 1 states that “The manufacturer’s policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio.”

This brings manufacturers to a point where they can manage risk based on all the requirements

Differences to keep in mind with regards to ALARP and AFAP

ALARP	AFAP
ALARP permits a manufacturer to include economic impacts as one of the factors in considerations as to what are acceptable and unacceptable risks. AFAP (as far as possible), does not allow economic impacts as part of the risk decision making process	“The manufacturer’s policy for establishing criteria for risk acceptability can define the approaches to risk control, for example reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio.”

ALARP permits a manufacturer to include economic impacts as one of the factors in considerations as to what are acceptable and unacceptable risks. AFAP (as far as possible), does not allow economic impacts as part of the risk decision making process.

The requirement to reduce risk AFAP was introduced in Section 2 of Annex I to Directive 93/42/EEC. It is here to stay. Certain Essential Requirements require risks to be reduced AFAP without consideration of the economic impact of changing from ALARP to AFAP.

If you want to keep track of business risks, you should create a separate document for that purpose. Keep economic considerations out of your risk analysis. Then changes will need to be made to align with the AFAP requirements, otherwise such medical devices may not be legally marketed across the European Market. All risks, including those determined as “negligible” under ISO 14971, have been reduced AFAP, based on the “state of the art”. Note “state of the art” refers to “generally accepted state of the art”, which relates to current best practices in the industry

In the European Union (EU), the difference between acceptable versus unacceptable risks was unclear in the release of the EN ISO 14971:2012 edition, which indicated a company could not use the ALARP approach but should reduce risk using the As Far As Possible (AFAP) approach following the three medical device directives in Europe. The EN 2012 standard did not identify a process for identifying how the level required could be accomplished, causing more confusion. Providing objective evidence to auditors and regulators that AFAP has been reached is difficult, if not impossible. One more risk control could always be applied with some degree of improvement, even if it is infinitesimal. It is difficult to decide how much improvement is enough.

TR 24971 provides additional guidance on how to implement a Risk Management System according to ISO 14971. Guidance on hazard identification, risk concepts and techniques, risk management for in-vitro diagnostic devices, and risk management plans have all been relocated out of the standard and into TR 24971. The technical committee that authored ISO 14971:2019 relocated the information to the technical report TR 24971 because it will be easier to revise the technical report than the standard itself when information needs updating.

The resulting revision of ISO TR 24971:2020 — provides guidance in the informative annexes, discussions of the requirements in ISO 14971:2019, and more direction on “benefit” and “benefit-risk analysis.” It is only guidance or help for those implementing the standard. The term “benefit” is defined in ISO 14971:2019 3.2, but nowhere else in a guidance, regulations, or standards. An extensive discussion, with examples, of “benefit” and “benefit-risk analysis” is found in ISO TR 24971:2020 7.4. A summary of the most relevant changes in ISO 14971:2019+A11:2021 is below:

Section	Change
Section 4.4 e), Risk Management Plan	An addition stating that a method to evaluate the overall risk and the criteria for acceptability of the overall risk shall be included
Section 5.2	Clarifies the requirement to document reasonably foreseeable misuse
Section 5.4	Adds a requirement for hazardous situations to be considered and documented. A reference to Annex C is included
Section 5.5 (Risk Estimation), Section 6 (Risk Evaluation), Section 7.1 (Risk control option analysis), Section 7.2 (Implementation of risk control measures), Section 7.3 (residual risk evaluation), Section 7.4 (benefit-risk analysis), and Section 10.1 (information collection)	Includes clarification and updates to their notes
Section 8 (Evaluation of overall residual risk)	Addition of disclosure of residual risk statement
Section 9 (Risk Management Review)	Addition stating that manufacturers shall determine when subsequent reviews of the risk management plan’s execution need to be performed and when the risk management report needs to be updated
Section 10.2 (Information Review)	Clarifies the requirement to review for possible relevance to safety and includes changes in general state of the art
Section 10.3 (Actions)	Separates the actions into particular medical devices and risk processes. Adds consideration of devices already on the market