Regulatory Open Forum

There are some clarifications in order.

ISO 14971:2007 has not been updated. The international version remains at the 2007 revision and is among the recognized standards in both the US and Canada. What has changed is EN ISO 14971:2012 which seeks to address discrepancies between the international standard and the EU product directives related to medical devices.

In terms of ALARP, the content deviation refers to As Far As Possible, which is usually stated as AFAP. It concludes, “Accordingly, manufacturers and Notified Bodies may not apply the ALARP concept with regard to economic considerations.” ALARP is a risk reduction methodology (not the name of a risk region) composed of technical means and economic means. The content deviation eliminates economic means (making the device an unsound economic proposition) from the tool box. It does not change to acceptability criteria or the need to reduce a risk to an acceptable level.

You say, “user labeling is to provide no primary risk mitigating value”. First, the correct term is risk reduction, not mitigation. The standard doesn’t use the word mitigation, since it has a different meaning.

The content deviation is about residual risk, not using information for safety as a risk reduction measure. In fact, for the MDD, there is a content deviation that requires information for safety as a risk reduction measure. This is described as the cumulative approach to the application of risk reduction options. The content deviation in question, for the MDD, is about a requirement to inform users about the residual risks, and concludes that manufacturers cannot use this information, i.e., the residual risk information, to reduce risk. The misunderstanding often arises from failure to distinguish between information for safety and disclosing residual risk. See Annex J of the standard for a discussion of the differences.

There are some future issues to pay attention to related to this discussion. First of all, the Medical Device Directives will be replaced by new EU Regulations, which will shortly be released.  Second, ISO 13485:2003 and EN ISO 13485:2012 are being replaced by new versions, ISO 13485:2016 and EN ISO 13485:2016.  While all f these have transition periods associated with implementation, as wise company would include these new requirements in their plans for the future.  It is expected that the ISO document and EN ISO will have three year transitions, but there is an asterisk.  It is possible that new certificates for the standards, may not be issued after two years.

The new ISO 13485 and EN ISO 13485 does contain over 47 references to the term "risk" in the complete document, including requirements and annexes.  This is far more than in the previous revision, which did not break the single digits.  So you will see an expanded emphasis on risk in upcoming audits for certifications to the standards.  

As for ISO 14971, the technical committee will meet this summer to determine possible revision activity.  As always, revisions take considerable time, and a new release will not be forthcoming any time soon.  In fact, it is possible no decision could be made for some time.  Companies, however, should include ISO TR 24971 information in any updates to their risk management system.  This often overlooked document contains extremely valuable information, such as how to use product and process safety standards as part of the risk management process.