Copy to clipboard 
Ask the Experts is a series of reader questions answered by industry advisors. Send us your questions.
Reader Question: How do I handle medical device risk management and the change from As Low As Reasonably Practicable (ALARP) to As Far As Possible (AFAP)?
Answer from Virginia Anastassova, RAC, B.Sc., Regulatory Affairs Manager/Senior QA Specialist, StarFish Medical: You must look no further than the newly issued ISO 14971 in December 2019 and the EU Medical Device Regulation (MDR) coming into force in May 2020 to realize that medical device risk management is an ever-evolving process. Staying current with the latest regulations, standards and guidance is key.
Previously, if you were developing a medical device to be placed on the U.S. and EU markets, you had to comply with the MDD, 21 CFR 820, ISO 14971:2007 (recognized by FDA) and ISO 14971:2012 (applicable for the EU). What is happening today with the updated ISO 14971 and MDR? And how about the change from ALARP to AFAP?
The requirement to reduce risk AFAP was introduced in Section 2 of Annex I to Directive 93/42/EEC. It is here to stay. Certain Essential Requirements necessitate that risks be reduced AFAP without consideration of the economic impact of changing from ALARP to AFAP. Essentially, you will need to demonstrate that risks are reduced AFAP, by showing objective evidence that all possible risk control options were considered and implemented.
ALARP is no longer mentioned in the MDR or the new ISO 14971:2019, and using ALARP is no longer acceptable. The new regulation and standard don’t even clarify or mention that ALARP no longer belongs in medical device risk assessment. If you want to consider the economic impact of risk and keep track of business risks, you should create a separate document for that purpose. Keep economic considerations out of your risk analysis.
The new European MDR requires manufacturers to implement a quality management system that incorporates risk management. The regulations were written in line with ISO 14971:2012, where Z annexes have been prepared to harmonize the risk management standard with the European Medical Device directive, as well as the new European regulations.
The latest version of ISO 14971, Application of Risk Management to Medical Devices, was updated from the previous versions—ISO 14971:2007 and EN ISO 14971:2012—and does not include the Z annexes. The major changes include reorganization of the content, new terms and more detailed requirements that fall in line with the changes included in the EU MDR.
One major organizational difference is that the Technical Report (TR) 24971 is now a necessary supplement to the ISO 14971 standard. Guidance on hazard identification, risk concepts and techniques and risk management plans have all been relocated out of the standard and into TR 24971. The technical committee that authored ISO 14971:2019 relocated the information to the technical report TR 24971 because it will be easier to revise the technical report than the standard itself when information needs updating. Note that TR 24971 has not been published as of the date of writing this article.
A summary of the most relevant changes in ISO 14971:2019 can be found in the box below.
In conclusion, ISO 14971:2019 provides a thorough process for manufacturers to identify medical device hazards, assess risks, control risks and monitor the effectiveness of risk controls throughout the life of a device. The expectation is to reduce risk AFAP. This new edition, comprising 10 clauses and three annexes (informative), is aligned with the general safety and performance requirements within the new EU MDR; it is expected to become a European harmonized standard and therefore represents the current state of art.
Summary of Relevant Changes in ISO 14971:2019, By Section
Section 4.4 e) Risk Management Plan: An addition stating that a method to evaluate the overall risk and the criteria for acceptability of the overall risk shall be included
Section 5.2: Clarifies the requirement to document reasonably foreseeable misuse
Section 5.4: Adds a requirement for hazardous situations to be considered and documented; a reference to Annex C is included
Section 5.5 (Risk Estimation), Section 6 (Risk Evaluation), Section 7.1 (Risk control option analysis), Section 7.2 (Implementation of risk control measures), Section 7.3 (residual risk evaluation), Section 7.4 (benefit-risk analysis), and Section 10.1 (information collection): Includes clarification and updates to their notes
Section 8 (Evaluation of overall residual risk): Addition of disclosure of residual risk statement
Section 9 (Risk Management Review): Addition stating that manufacturers shall determine when subsequent reviews of the risk management plan’s execution need to be performed and when the risk management report needs to be updated
Section 10.2 (Information Review): Clarifies the requirement to review for possible relevance to safety and includes changes in general state of the art
Section 10.3 (Actions): Separates the actions into particular medical devices and risk processes; adds consideration of devices already on the market
Annex B: Provides a detailed correspondence between ISO 14971:2007 and ISO 14971:2019, including a graphic reflecting the amendments in 2019
Annex C: Includes a graphic that describes the relationship of hazard, sequence of events, hazardous situation, and harm that was previously in Annex E.1.; also includes examples of hazards, events and circumstances, the relationship between hazards foreseeable sequences of events, hazardous situations and harm that can occur
Virginia Anastassova, RAC, B.Sc., is a regulatory affairs professional with more than 18 years of experience in the pharmaceutical and medical device industries, having acted as a regulatory affairs manager at Genzyme, Sorin Group and Vifor Pharma before joining StarFish Group. Ms. Anastassova has played instrumental roles in the preparation and maintenance of corporate regulatory strategies, as well as NDA, MAA, IND, IDE, PMA and 510(k) regulatory submissions. Her GXP experience includes GCP, GLP, GMP and GDP. She is ISO 13485 Lead Auditor certified.
Ask the Experts is a series of reader questions answered by industry advisors. Send your questions to Carolyn LaWell.
