Vincent Crabtree

How to Handle Medical Device Risk Management and the change from ALARP to AFAP

riskThe Medical Device Directive is currently under review, in part due to the French Breast Implant scandal, and there has been much critical feedback to the EU over the change from ALARP (or ‘As low as reasonably practicable’) to AFAP (“As Far As Possible’ (AFAP)).  We will have to see how this and other feedback affect the treatment of risk in the Directive, which is Law, versus the Standard, which is not.  As part of design and development at StarFish, we undertake Risk Engagements with key Stakeholders, and create a Medical Device Risk Management file, which demonstrates that risks are controlled.  This blog provides details on the Directive and Standard, examines implications for the recent changes, and explains how we handle the situation.

If you are not familiar, both FDA 21 CFR 820.30 Design Controls and ISO13485 (required in Canada and Europe, amongst other) Product Realization section (which is when you are going to actually develop a medical device to sell, and not just as proof of concept) requires that risk of harm to a patient and operator are identified, and controlled.  ISO14971 is the normative risk management standard for medical device development, which describes how risks are identified, and then quantified based on frequency and severity.  This process assumes no mitigating factors exist, and then identifies where they are required to reduce risk.  As part of the risk management file, one would usually verify that all required mitigations are effective.  The FDA also recognizes ISO14971.

That is the theory, now for the implementation.  During the risk engagement we would define two scoring thresholds: one coloured red, for which the group feels any score greater than the threshold is unacceptable and mitigations must be implemented to reduce risk of harm to patient or operator.  The other threshold is coloured green; any risk score lower than this is broadly acceptable and does not require any mitigation.   The interval between is coloured amber; whether the score is acceptable is evaluated on a case by case basis – this is often termed ALARP, or ‘As low as reasonably practicable’.

Depending on the client, there are two approaches to handling the Green risks.  Some clients choose to leave out any mitigation for green items, or ignore them completely and not list them on the risk analysis.  The intent here is that, by leaving green mitigations off, any risks or mitigations discussed are ‘real’ risks of harm, so that is where the design focus must lie.

The alternative approach is that all risks that can be conceived and all mitigations which have been implemented are included in the risk analysis, so even risks scored as green will have mitigations listed.  The intent here is to demonstrate that all aspects of the design have been considered and even negligible risks are given equal priority to more severe risks.

As mentioned, the FDA recognize ISO14971:2007.  However, in the EU, EN ISO14971:2012 is now in force.  The text is essentially identical, but Annex ZA has been included, which details the discrepancies between the Essential Requirements of the Medical Device Directive (MDD).  Essentially, now ‘negligible risks’, which could be ignored in ISO14971:2007, must now be taken into account and at the very least included in the risk analysis.  In addition, the treatment of Amber risks, which may have been classified as ALARP under EN ISO14971:2007, must be reduced As Far As Possible (AFAP), ‘without … economic consideration’.  Essentially, all risks are either acceptable (Green) or unacceptable (Amber/Red).

If you recall in our earlier blogs on IEC60601-1 3rd Ed., the test house will review your Risk Management file when evaluating the documentation during an IEC60601-1 submission.  In addition, the Notified Body will review your Technical File (which contains the Risk Management File) when submitting for a CE mark to sell Class II devices in Europe.  We have yet to see it happen at StarFish.   But what happens if either of these reviewers disagrees with the mitigations which have been implemented to reduce the risk ‘AS FAR AS POSSIBLE’?   – The wording specifically states ‘without … economic consideration’.

In readiness for this unfortunate event to occur, we developed risk-benefit analysis templates that can be used for Amber risks – the intent is to review available clinical literature and available failure databases such as MAUDE, and use this data in making a documented, informed decision.  In addition, even though EN ISO14971:2012 states that warning in the Instruction for Use (IFU) manual  cannot be used to reduce risk, the standard also states that any residual risks must be described in the IFU.

As I mentioned upfront, the Medical Device Directive is currently under review and there has been much critical feedback to the EU over the change from ALARP to AFAP.  While we will have to see how this and other feedback affect the treatment of risk in the Directive versus the Standard, incorporating Medical Device Risk Management and risk-benefit analysis are moves I highly recommend.

Vincent QRVincent Crabtree, PhD., is a former Regulatory Advisor & Project Manager at StarFish Medical.

Image courtesy of jscreationzs /

Leave a Reply

Your email address will not be published. Required fields are marked *

Join over 6000 medical device professionals who receive our engineering, regulatory and commercialization insights and tips every month.

Website Survey

Please answer a few questions about our website.

Take Survey No Thanks