Vincent Crabtree

How to Handle Medical Device Risk Management and the change from ALARP to AFAP

The Medical Device Directive is currently under review, in part due to the French Breast Implant scandal, and there has been much critical feedback to the EU over the change from ALARP (‘As Low As Reasonably Practicable’) to AFAP (‘As Far As Possible’). We will have to see how this and other feedback affect the treatment of risk in the Directive, which is Law, versus the Standard, which is not. As part of design and development at StarFish, we undertake Risk Engagements with key Stakeholders, and create a Medical Device Risk Management file, which demonstrates that risks are controlled. This blog provides details on the Directive and Standard, examines implications of the recent changes, and explains how we handle the situation.

If you are not familiar, both FDA 21 CFR 820.30 Design Controls and the ISO13485 Product Realization section (ISO13485 is required in Canada and Europe, amongst others; Product Realization is when you are actually going to develop a medical device to sell, and not just a proof of concept) require that risks of harm to patient and operator are identified and controlled. ISO14971 is the normative risk management standard for medical device development; it describes how risks are identified and then quantified based on frequency and severity. This process assumes no mitigating factors exist, and then identifies where they are required to reduce risk. As part of the risk management file, one would usually verify that all required mitigations are effective. The FDA also recognizes ISO14971.

That is the theory, now for the implementation. During the risk engagement we would define two scoring thresholds. One is coloured red: the group feels any score greater than this threshold is unacceptable, and mitigations must be implemented to reduce risk of harm to patient or operator. The other threshold is coloured green; any risk score lower than this is broadly acceptable and does not require any mitigation. The interval between is coloured amber; whether the score is acceptable is evaluated on a case-by-case basis – this is often termed ALARP, or ‘As low as reasonably practicable’.

Depending on the client, there are two approaches to handling the Green risks.  Some clients choose to leave out any mitigation for green items, or ignore them completely and not list them on the risk analysis.  The intent here is that, by leaving green mitigations off, any risks or mitigations discussed are ‘real’ risks of harm, so that is where the design focus must lie.

The alternative approach is that all risks that can be conceived and all mitigations which have been implemented are included in the risk analysis, so even risks scored as green will have mitigations listed.  The intent here is to demonstrate that all aspects of the design have been considered and even negligible risks are given equal priority to more severe risks.

As mentioned, the FDA recognizes ISO14971:2007. However, in the EU, EN ISO14971:2012 is now in force. The text is essentially identical, but Annex ZA has been included, which details the discrepancies between the standard and the Essential Requirements of the Medical Device Directive (MDD). Essentially, ‘negligible risks’, which could be ignored in ISO14971:2007, must now be taken into account and at the very least included in the risk analysis. In addition, Amber risks, which may have been classified as ALARP under EN ISO14971:2007, must be reduced As Far As Possible (AFAP), ‘without … economic consideration’. Essentially, all risks are either acceptable (Green) or unacceptable (Amber/Red).

If you recall from our earlier blogs on IEC60601-1 3rd Ed., the test house will review your Risk Management file when evaluating the documentation during an IEC60601-1 submission. In addition, the Notified Body will review your Technical File (which contains the Risk Management File) when submitting for a CE mark to sell Class II devices in Europe. We have yet to see it happen at StarFish. But what happens if either of these reviewers disagrees with the mitigations which have been implemented to reduce the risk ‘AS FAR AS POSSIBLE’? The wording specifically states ‘without … economic consideration’.

In readiness for this unfortunate event, we developed risk-benefit analysis templates that can be used for Amber risks – the intent is to review available clinical literature and available failure databases such as MAUDE, and use this data in making a documented, informed decision. In addition, even though EN ISO14971:2012 states that warnings in the Instructions for Use (IFU) manual cannot be used to reduce risk, the standard also states that any residual risks must be described in the IFU.

As I mentioned upfront, the Medical Device Directive is currently under review and there has been much critical feedback to the EU over the change from ALARP to AFAP.  While we will have to see how this and other feedback affect the treatment of risk in the Directive versus the Standard, incorporating Medical Device Risk Management and risk-benefit analysis are moves I highly recommend.

Vincent Crabtree, PhD is a Regulatory Advisor & Project Manager at StarFish Medical, and would be delighted to hear comments and constructive criticism on this article.


6 responses to “How to Handle Medical Device Risk Management and the change from ALARP to AFAP”

  1. Craig W. Sherman says:

    I strongly suspect that a functional FMEA applied to international standards will conclude that the requirement ALARP / AFAP results in unacceptable risk to patient populations and society. In part this depends on the formally stated missions of international standards. I anticipate that the FMEA result above is inevitable if the mission is what it should be, “best interests of patients and society.” Over- and under-regulation both do harm to patient populations and society. It is “essential” that standards recognize the limits of what a standard can accomplish.
    If the above is true, I am unsure who would be in a position to prosecute it. I suspect it would be highly inadvisable for someone in a company like StarFish Medical. Can you direct me to some groups involved in holding standards to standards? I am considering what good I might do after I retire and no longer have to worry about repercussions to the medical device company I work for.

  2. All product related risk management procedures and practices must be in alignment with ISO 14971, so it’s worth knowing about specific areas that continue to be an issue. This is the standard across the board, no matter which country you’re developing in.

  3. Michael Cejnar says:

    Having just had a Major NC from BSI over our 15 year old RM SOP, researching this is depressing.
    I am told that there is no Manufacturer-defined “acceptable risk” or green zone – making your statement that all is green or red not correct – any thoughts?
    Also, the new MDR, in Annex I / General, restores to the manufacturer the As Low As Judged Acceptable paradigm (I coin ALAJA) beyond which mitigation is unnecessary. Hurraah.

    Even more interestingly, the insertion of a word ‘through’ in the ‘as far as Possible line’ confirms to me that the MDD 2007 was bizarrely mis-interpreted by the EU regulators – The AFAP referred to the ORDER of mitigations – achieve acceptable risk as far as possible THROUGH design mitigations, before going onto Protective measures or Warnings. Just unbelievable.

    Even worse, BSI won’t accept that the new MDR now sets a new ‘state of the art’, and even though it clearly allows ALAJA and is in direct conflict with EN14971 Annex Z.

    We now have 2 versions of EU law MDD/MDR, two conflicting versions of 14971, new 13485 calling out Annex ZA in conflict with MDR, different NBs and a bunch of test houses using 60601-1 RM – all telling us how to do risk analysis. Oh, and FDA 21 CFR 820.30 – the only sane jurisdiction, IMHO.

    What an absolute mess, and we manufacturers pay.

  4. Robert says:

    It’s a big mess and just wrapping my arms around the new MDR is a challenge. The ‘without … economic consideration’ statement is going to cause big trouble. I can see customers using it as leverage to put more robots on the line or to manufacture in a class 7 as opposed to a class 8 environment. Anyway…a great article and my head is a little more clear now. Thanks for that.

  5. Henry Fraser says:

    Hi Vincent

    As you may know, the AFAP language from the MDD/MDR general requirements seems to have been copied into art 9(4) of the EU’s AI Act Proposal. It reads basically as follows:

    “The risk management measures referred to in paragraph 2, point (d) shall be such that any residual risk associated with each hazard as well as the overall residual risk of the high-risk AI systems is judged acceptable, provided that the high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse. Those residual risks shall be communicated to the user. In identifying the most appropriate risk management measures, the following shall be ensured:
    (a) elimination or reduction of risks as far as possible through adequate design and development;
    (b) where appropriate, implementation of adequate mitigation and control measures in relation to risks that cannot be eliminated;
    (c) provision of adequate information pursuant to Article 13, in particular as regards the risks referred to in paragraph 2, point (b) of this Article, and, where appropriate, training to users.”

    I am an AI governance / regulation researcher, focused on questions about standard of care / risk criteria for high risk AI systems. I’m very interested in the question of how to interpret this provision, and in particular to find out what has been the consequence of the AFAP risk criterion on medical devices compliance. E.g. does the industry still basically follow ALARP, but simply present the risk management in such a way as to describe residual risk as having been reduced AFAP (even if there is, strictly speaking, something else that could be done to marginally reduce risk)? Or is the AFAP criterion taken so seriously that, for example, a manufacturer would choose not to put a device on the market in Europe on the ground that the risk mitigations required to meet the AFAP standard would be too expensive?



  6. Hi Henry,

    AFAP is part of the MDR 2017/745 mandate to reduce risk. That makes it the manufacturer’s responsibility to reduce the risk AFAP in order to place a product in the EU.


    Kind regards,
    Rajeswari Devanathan
    Reg. & Qty Consultant Manager
