The risk management approach
ALARP (As Low As Reasonably Practicable) to AFAP (As Far As Possible) and medical device risk management has always been a tricky one. The nature of the products, their intended use, and the markets in which they are sold influences the approaches in controlling risk. When it comes to risk, the first thing to consider is the ISO 14971 standard. MDR and IVDR changes bring a new alignment in terms of risk.
The latest version of ISO 14971:2019+A11:2021 and the Medical Devices Regulation (EU) 2017/745 are linked and not referenced. EU MDR regulation has a very strong emphasis on risk management. Risk is mentioned 243 times in the regulation compared to a combined total of only 69 times in the two medical device directives — Active Implantable Medical Device 90/385/EEC (14 times) and Medical Device Directive 93/42/EEC (55 times).
Although ISO 14971 is not cited in the regulation, it is a documented harmonized standard in the Official Journal of the European Union. In January 2022, news emerged that this latest version of EN ISO 13485 has been officially harmonized under the MDR along with other standards.
Those who are new to the Regulatory Affairs field, should talk to experienced colleagues or read this previous ALARP-AFAP blog for insights.
How MDR is linked with ISO13485
In MDR in Annex I, Chapter l of the regulation exactly reflects risk management requirements of those in ISO 14971. Although the regulation does not specifically mention the medical device risk management standard ISO 14971, it does require compliance to harmonized standards. Recital 22 states “compliance with harmonized standards as defined in Regulation (EU) No 1025/2012 of the European Parliament and of the Council (2) should be a means for manufacturers to demonstrate conformity with the general safety and performance requirements and other legal requirements, such as those relating to quality and risk management, laid down in this Regulation.” Article 2 (70) defines a harmonized standard as “a European standard as defined in point (1)(c) of Article 2 of Regulation (EU) No 1025/2012”.
MDR requirements with respect to reducing risk
In Clause 4.2 of ISO 14971:2019, Note 1 states that “The manufacturer’s policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio.”
This brings manufacturers to a point where they can manage risk based on all the requirements
Differences to keep in mind with regards to ALARP and AFAP
|ALARP permits a manufacturer to include economic impacts as one of the factors in considerations as to what are acceptable and unacceptable risks. AFAP (as far as possible), does not allow economic impacts as part of the risk decision making process||“The manufacturer’s policy for establishing criteria for risk acceptability can define the approaches to risk control, for example reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio.”|
ALARP permits a manufacturer to include economic impacts as one of the factors in considerations as to what are acceptable and unacceptable risks. AFAP (as far as possible), does not allow economic impacts as part of the risk decision making process.
The requirement to reduce risk AFAP was introduced in Section 2 of Annex I to Directive 93/42/EEC. It is here to stay. Certain Essential Requirements require risks to be reduced AFAP without consideration of the economic impact of changing from ALARP to AFAP.
If you want to keep track of business risks, you should create a separate document for that purpose. Keep economic considerations out of your risk analysis. Then changes will need to be made to align with the AFAP requirements, otherwise such medical devices may not be legally marketed across the European Market. All risks, including those determined as “negligible” under ISO 14971, have been reduced AFAP, based on the “state of the art”. Note “state of the art” refers to “generally accepted state of the art”, which relates to current best practices in the industry
In the European Union (EU), the difference between acceptable versus unacceptable risks was unclear in the release of the EN ISO 14971:2012 edition, which indicated a company could not use the ALARP approach but should reduce risk using the As Far As Possible (AFAP) approach following the three medical device directives in Europe. The EN 2012 standard did not identify a process for identifying how the level required could be accomplished, causing more confusion. Providing objective evidence to auditors and regulators that AFAP has been reached is difficult, if not impossible. One more risk control could always be applied with some degree of improvement, even if it is infinitesimal. It is difficult to decide how much improvement is enough.
TR 24971 provides additional guidance on how to implement a Risk Management System according to ISO 14971. Guidance on hazard identification, risk concepts and techniques, risk management for in-vitro diagnostic devices, and risk management plans have all been relocated out of the standard and into TR 24971. The technical committee that authored ISO 14971:2019 relocated the information to the technical report TR 24971 because it will be easier to revise the technical report than the standard itself when information needs updating.
The resulting revision of ISO TR 24971:2020 — provides guidance in the informative annexes, discussions of the requirements in ISO 14971:2019, and more direction on “benefit” and “benefit-risk analysis.” It is only guidance or help for those implementing the standard. The term “benefit” is defined in ISO 14971:2019 3.2, but nowhere else in a guidance, regulations, or standards. An extensive discussion, with examples, of “benefit” and “benefit-risk analysis” is found in ISO TR 24971:2020 7.4. A summary of the most relevant changes in ISO 14971:2019+A11:2021 is below:
|Section 4.4 e), Risk Management Plan||An addition stating that a method to evaluate the overall risk and the criteria for acceptability of the overall risk shall be included|
|Section 5.2||Clarifies the requirement to document reasonably foreseeable misuse|
|Section 5.4||Adds a requirement for hazardous situations to be considered and documented. A reference to Annex C is included|
|Section 5.5 (Risk Estimation),|
Section 6 (Risk Evaluation),
Section 7.1 (Risk control option analysis), Section 7.2 (Implementation of risk control measures),
Section 7.3 (residual risk evaluation),
Section 7.4 (benefit-risk analysis), and
Section 10.1 (information collection)
|Includes clarification and updates to their notes|
|Section 8 (Evaluation of overall residual risk)||Addition of disclosure of residual risk statement|
|Section 9 (Risk Management Review)||Addition stating that manufacturers shall determine when subsequent reviews of the risk management plan’s execution need to be performed and when the risk management report needs to be updated|
|Section 10.2 (Information Review)||Clarifies the requirement to review for possible relevance to safety and includes changes in general state of the art|
|Section 10.3 (Actions)||Separates the actions into particular medical devices and risk processes. Adds consideration of devices already on the market|
In conclusion, how to approach a final decision on risk management depends on company management, predominately based on regulatory requirement going forward.
ISO 14971:2019 provides a thorough process for manufacturers to identify medical device hazards, assess risks, control risks, and monitor the effectiveness of risk controls throughout the life of a device. The expectation is to reduce risk AFAP. It consists of 10 clauses and three annexes (informative) and is aligned with the general safety and performance requirements within the EU MDR and EU IVDR. It is a European harmonized standard and therefore represents the current state of the art. The EU commission explains that while the extent of the meaning of “as far as possible” still leaves open ambiguity, the risk management and risk mitigation under the MDR’s relies on safety concerns, e.g. “risk versus safety” benefits.
Image: Can Stock Photo / iqoncept
Rajeswari (Raje) Devanathan is a QA/RA Consulting Services Manager at StarFish Medical. Raje is a certified lead auditor and regulatory affairs professional with 20 Years of experience in medical devices, IVD, combination products, and Biologics.
Virginia Anastassova, RAC, was the Regulatory Affairs Manager/ Senior QA Specialist at StarFish Medical. She brings extensive experience in quality management and regulatory affairs to our clients.