Regulatory Open Forum

First, it is important to know what an organization's "ALAP" acronym actually stands for.  If the existing Risk Management Procedure defines ALAP as "As Low as Possible", then it may be that the organization's definition of ALAP could already be aligned with the EU MDR's requirement for As Far As Possible (AFAP).  But further detailed assessment of the existing procedure would be needed to flush this out.

On the other hand, if a Risk Management procedure is based on reducing/controlling risks to be As Low As Practicable (a.k.a., ALARP - As Low As Reasonably Practicable), then, in preparation for an EU MDR audit, it is most definitely the right approach, and certainly required, to revise the procedure so as to update and replace ALAP/ALARP to a proper interpretation of AFAP.  This is because both the outgoing MDD and incoming EU MDR demand that risks be reduced to AFAP.  Indeed, AFAP is not a new concept to the European medical device regulatory arena.

Ultimately, it is necessary to be sure that the procedure aligns its definition and application of ALAP/AFAP with what will be expected by the Notified Body.  This should start with realizing that the EU MDR's approach to AFAP builds upon, but doesn't clearly conflict with, that which was already established in the MDD.  Specifically, the EU MDR adds that the reduction of risks AFAP means reduction of risks AFAP without adversely affecting the benefit-risk ratio.  So, what does that mean, and how do we characterize it for the purposes of the Risk Management procedure and process?  I introduce this below.

First, remember that the notion of achieving AFAP without regard for economic considerations was born from Annex Z Content Deviation #3 of EN ISO 14971:2012 (now withdrawn and superseded by the latest state of the art, EN ISO 14971:2019) which includes no such Content Deviation.  Indeed, even before EN ISO 14971:2012 was withdrawn, the Notified Bodies recognized and voiced such recognition (based on longstanding MDD precedent) the impracticality and inappropriateness of pursuing AFAP with total disregard for economic considerations.  So, the Notified Bodies in fact continued to permit a reasonable amount of economic consideration to be made when pursuing AFAP.  Accordingly, the EU MDR Risk Management procedure's attendance to AFAP should not be singularly focused on an aversion to, or disregard for, the associated economic considerations.  Such an approach would probably be viewed by the Notified Bodies as impossible, and perhaps even disingenuous.

Instead, the Risk Management procedure needs to assure that the organization and its risk management mechanism properly and precisely define, in practical (i.e., working, implementable) terms, the concept of the AFAP threshold and how the organization goes about reducing risks AFAP.  The procedure needs to specify what particular thresholds and criteria will be used for determining whether a particular risk has or has not been reduced to the AFAP threshold.  The Notified Bodies, based on longstanding precedent, have a pretty clear understanding of this concept as elaborated on in their October 2014 Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971:2012.  As noted above, the EN 2012 version of the ISO 14971 standard has been superseded, yet the 2014 Consensus Paper still in my experience contains an accurate Notified Body interpretation of the AFAP concept to be used as the basis for the corresponding elements of the Risk Management procedure.

A quick final note:  Risk management is not risk analysis (though risk management certainly includes risk analysis).  Accordingly, in order to comply with EN ISO 14971 and the EU MDR, it is necessary to have a Risk "Management" procedure that properly defines and integrates risk "analysis".

First, it is important to know what an organization's "ALAP" acronym actually stands for.  If the existing Risk Management Procedure defines ALAP as "As Low as Possible", then it may be that the organization's definition of ALAP could already be aligned with the EU MDR's requirement for As Far As Possible (AFAP).  But further detailed assessment of the existing procedure would be needed to flush this out.

On the other hand, if a Risk Management procedure is based on reducing/controlling risks to be As Low As Practicable (a.k.a., ALARP - As Low As Reasonably Practicable), then, in preparation for an EU MDR audit, it is most definitely the right approach, and certainly required, to revise the procedure so as to update and replace ALAP/ALARP to a proper interpretation of AFAP.  This is because both the outgoing MDD and incoming EU MDR demand that risks be reduced to AFAP.  Indeed, AFAP is not a new concept to the European medical device regulatory arena.

Ultimately, it is necessary to be sure that the procedure aligns its definition and application of ALAP/AFAP with what will be expected by the Notified Body.  This should start with realizing that the EU MDR's approach to AFAP builds upon, but doesn't clearly conflict with, that which was already established in the MDD.  Specifically, the EU MDR adds that the reduction of risks AFAP means reduction of risks AFAP without adversely affecting the benefit-risk ratio.  So, what does that mean, and how do we characterize it for the purposes of the Risk Management procedure and process?  I introduce this below.

First, remember that the notion of achieving AFAP without regard for economic considerations was born from Annex Z Content Deviation #3 of EN ISO 14971:2012 (now withdrawn and superseded by the latest state of the art, EN ISO 14971:2019) which includes no such Content Deviation.  Indeed, even before EN ISO 14971:2012 was withdrawn, the Notified Bodies recognized and voiced such recognition (based on longstanding MDD precedent) the impracticality and inappropriateness of pursuing AFAP with total disregard for economic considerations.  So, the Notified Bodies in fact continued to permit a reasonable amount of economic consideration to be made when pursuing AFAP.  Accordingly, the EU MDR Risk Management procedure's attendance to AFAP should not be singularly focused on an aversion to, or disregard for, the associated economic considerations.  Such an approach would probably be viewed by the Notified Bodies as impossible, and perhaps even disingenuous.

Instead, the Risk Management procedure needs to assure that the organization and its risk management mechanism properly and precisely define, in practical (i.e., working, implementable) terms, the concept of the AFAP threshold and how the organization goes about reducing risks AFAP.  The procedure needs to specify what particular thresholds and criteria will be used for determining whether a particular risk has or has not been reduced to the AFAP threshold.  The Notified Bodies, based on longstanding precedent, have a pretty clear understanding of this concept as elaborated on in their October 2014 Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971:2012.  As noted above, the EN 2012 version of the ISO 14971 standard has been superseded, yet the 2014 Consensus Paper still in my experience contains an accurate Notified Body interpretation of the AFAP concept to be used as the basis for the corresponding elements of the Risk Management procedure.

A quick final note:  Risk management is not risk analysis (though risk management certainly includes risk analysis).  Accordingly, in order to comply with EN ISO 14971 and the EU MDR, it is necessary to have a Risk "Management" procedure that properly defines and integrates risk "analysis".

First, it is important to know what an organization's "ALAP" acronym actually stands for.  If the existing Risk Management Procedure defines ALAP as "As Low as Possible", then it may be that the organization's definition of ALAP could already be aligned with the EU MDR's requirement for As Far As Possible (AFAP).  But further detailed assessment of the existing procedure would be needed to flush this out.

On the other hand, if a Risk Management procedure is based on reducing/controlling risks to be As Low As Practicable (a.k.a., ALARP - As Low As Reasonably Practicable), then, in preparation for an EU MDR audit, it is most definitely the right approach, and certainly required, to revise the procedure so as to update and replace ALAP/ALARP to a proper interpretation of AFAP.  This is because both the outgoing MDD and incoming EU MDR demand that risks be reduced to AFAP.  Indeed, AFAP is not a new concept to the European medical device regulatory arena.

Ultimately, it is necessary to be sure that the procedure aligns its definition and application of ALAP/AFAP with what will be expected by the Notified Body.  This should start with realizing that the EU MDR's approach to AFAP builds upon, but doesn't clearly conflict with, that which was already established in the MDD.  Specifically, the EU MDR adds that the reduction of risks AFAP means reduction of risks AFAP without adversely affecting the benefit-risk ratio.  So, what does that mean, and how do we characterize it for the purposes of the Risk Management procedure and process?  I introduce this below.

First, remember that the notion of achieving AFAP without regard for economic considerations was born from Annex Z Content Deviation #3 of EN ISO 14971:2012 (now withdrawn and superseded by the latest state of the art, EN ISO 14971:2019) which includes no such Content Deviation.  Indeed, even before EN ISO 14971:2012 was withdrawn, the Notified Bodies recognized and voiced such recognition (based on longstanding MDD precedent) the impracticality and inappropriateness of pursuing AFAP with total disregard for economic considerations.  So, the Notified Bodies in fact continued to permit a reasonable amount of economic consideration to be made when pursuing AFAP.  Accordingly, the EU MDR Risk Management procedure's attendance to AFAP should not be singularly focused on an aversion to, or disregard for, the associated economic considerations.  Such an approach would probably be viewed by the Notified Bodies as impossible, and perhaps even disingenuous.

Instead, the Risk Management procedure needs to assure that the organization and its risk management mechanism properly and precisely define, in practical (i.e., working, implementable) terms, the concept of the AFAP threshold and how the organization goes about reducing risks AFAP.  The procedure needs to specify what particular thresholds and criteria will be used for determining whether a particular risk has or has not been reduced to the AFAP threshold.  The Notified Bodies, based on longstanding precedent, have a pretty clear understanding of this concept as elaborated on in their October 2014 Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971:2012.  As noted above, the EN 2012 version of the ISO 14971 standard has been superseded, yet the 2014 Consensus Paper still in my experience contains an accurate Notified Body interpretation of the AFAP concept to be used as the basis for the corresponding elements of the Risk Management procedure.

A quick final note:  Risk management is not risk analysis (though risk management certainly includes risk analysis).  Accordingly, in order to comply with EN ISO 14971 and the EU MDR, it is necessary to have a Risk "Management" procedure that properly defines and integrates risk "analysis".

First, it is important to know what an organization's "ALAP" acronym actually stands for.  If the existing Risk Management Procedure defines ALAP as "As Low as Possible", then it may be that the organization's definition of ALAP could already be aligned with the EU MDR's requirement for As Far As Possible (AFAP).  But further detailed assessment of the existing procedure would be needed to flush this out.

On the other hand, if a Risk Management procedure is based on reducing/controlling risks to be As Low As Practicable (a.k.a., ALARP - As Low As Reasonably Practicable), then, in preparation for an EU MDR audit, it is most definitely the right approach, and certainly required, to revise the procedure so as to update and replace ALAP/ALARP to a proper interpretation of AFAP.  This is because both the outgoing MDD and incoming EU MDR demand that risks be reduced to AFAP.  Indeed, AFAP is not a new concept to the European medical device regulatory arena.

Ultimately, it is necessary to be sure that the procedure aligns its definition and application of ALAP/AFAP with what will be expected by the Notified Body.  This should start with realizing that the EU MDR's approach to AFAP builds upon, but doesn't clearly conflict with, that which was already established in the MDD.  Specifically, the EU MDR adds that the reduction of risks AFAP means reduction of risks AFAP without adversely affecting the benefit-risk ratio.  So, what does that mean, and how do we characterize it for the purposes of the Risk Management procedure and process?  I introduce this below.

First, remember that the notion of achieving AFAP without regard for economic considerations was born from Annex Z Content Deviation #3 of EN ISO 14971:2012 (now withdrawn and superseded by the latest state of the art, EN ISO 14971:2019) which includes no such Content Deviation.  Indeed, even before EN ISO 14971:2012 was withdrawn, the Notified Bodies recognized and voiced such recognition (based on longstanding MDD precedent) of the impracticality and inappropriateness of pursuing AFAP with total disregard for economic considerations.  So, the Notified Bodies in fact continued to permit a reasonable amount of economic consideration to be made when pursuing AFAP.  Accordingly, the EU MDR Risk Management procedure's attendance to AFAP should not be singularly focused on an aversion to, or disregard for, the associated economic considerations.  Such an approach would probably be viewed by the Notified Bodies as impossible, and perhaps even disingenuous.

Instead, the Risk Management procedure needs to assure that the organization and its risk management mechanism properly and precisely define, in practical (i.e., working, implementable) terms, the concept of the AFAP threshold and how the organization goes about reducing risks AFAP.  The procedure needs to specify what particular thresholds and criteria will be used for determining whether a particular risk has or has not been reduced to the AFAP threshold.  The Notified Bodies, based on longstanding precedent, have a pretty clear understanding of this concept as elaborated on in their October 2014 Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971:2012.  As noted above, the EN 2012 version of the ISO 14971 standard has been superseded, yet the 2014 Consensus Paper still in my experience contains an accurate Notified Body interpretation of the AFAP concept to be used as the basis for the corresponding elements of the Risk Management procedure.

A quick final note:  Risk management is not risk analysis (though risk management certainly includes risk analysis).  Accordingly, in order to comply with EN ISO 14971 and the EU MDR, it is necessary to have a Risk "Management" procedure that properly defines and integrates risk "analysis".

When approaching risk management to comply with the corresponding requirements of the EU MDR, I feel it is imperative to remember that the EU MDR, in more than twenty different instances, legislatively demands that risk be reduced "as far as possible" (AFAP).  Another telling factor relates to the aforementioned EU MDR definition of AFAP, which means reduction of risks AFAP without adversely affecting the benefit-risk ratio.  Specifically, this identical paradigm is stated by EN ISO 14971:2019 under clause 4.2 therein, reminding us that the manufacturer has the liberty to define its particular approach to risk control, and that such an approach could (but for the legislative context of the EU MDR, must) be based on reducing risk "as far as possible without adversely affecting the benefit-ratio".  Accordingly, when applying EN ISO 14971:2019's normative provisions in the context of the EU MDR's legislative mandate for reduction of risk AFAP, I suggest that the abandonment of the AFAP concept in an EU MDR risk management system will likely result in objection from the Notified Body, probably in the form of a major nonconformity.

Offline I received an objection from a peer regarding the notion of establishing an AFAP "threshold".  The concern was lodged in response to my preceding post, where I stated that the EU MDR Risk Management procedure needs to assure that the organization and its risk management mechanism properly and precisely define, in practical (i.e., working, implementable) terms, the concept of the AFAP threshold, and how the organization goes about reducing risks AFAP.  I also stated that the procedure needs to specify what particular thresholds and criteria will be used for determining whether risk has or has not been reduced to the AFAP threshold.  The objection asserts a concern that there is no such threshold in ISO 14971, and asserts that we should abandon such a notion.  The objection also asserts that we should instead focus on acceptability without any threshold, and that there is no black line between acceptable and not acceptable.  My approach to these concerns is described below.

Specifically, if we reject the notion of an AFAP "threshold" (the Notified Bodies call it an AFAP "end-point") and thus try to tackle the AFAP beast without first establishing implementable, executable boundaries on the meaning of AFAP, then it would seem to intrinsically demand and prevent us from ever concluding that the device's current risk profile is acceptable at any moment in time.  Indeed, a key factor motivating the withdrawal of the 2012 EN ISO 14971 Annex Z Content Deviations on AFAP was the Notified Bodies' recognition that, without a "clear, easy to understand, and unambiguous" AFAP end-point, there would be "practical problems such as where to stop in reducing risk".  I'm suggesting that this problem would only be exacerbated (and we would likely ruffle our Notified Bodies feathers) if we were to reject the notion of establishing an AFAP "threshold" (i.e., end-point) for EU MDR risk management.

As mentioned in my prior post, the Notified Bodies seem to have a clear understanding of the AFAP end-point, and it is explained in the aforesaid Notified Body Consensus Paper.  Moreover, I find that there is a clear correlation between that approach and how risk acceptability is addressed in ISO 24971:2020 (the guideline for ISO 14971), thus providing a nice bridge between the EU MDR's legislative parameters and ISO 14971's normative parameters.  This is a good opportunity to mention that Edwin Bills' article (https://www.meddeviceonline.com/doc/iso-tr-bringing-clarity-to-risk-acceptability-in-iso-0001) is a great read.

In summary, the Notified Bodies' approach to establishing the AFAP end-point is what needs to be woven into an EU MDR Risk Management procedure/process.  Via this approach, I have had positive feedback and results during Notified Body audit of my Risk Management system. But if the AFAP approach and establishment of a corresponding end-point are abandoned regarding EU MDR conformity, then my opinion is that a major nonconformity from the Notified Body would follow soon thereafter.

When approaching risk management to comply with the corresponding requirements of the EU MDR, I feel it is imperative to remember that the EU MDR, in more than twenty different instances, legislatively demands that risk be reduced "as far as possible" (AFAP).  Another telling factor relates to the aforementioned EU MDR definition of AFAP, which means reduction of risks AFAP without adversely affecting the benefit-risk ratio.  Specifically, this identical paradigm is stated by EN ISO 14971:2019 under clause 4.2 therein, reminding us that the manufacturer has the liberty to define its particular approach to risk control, and that such an approach could (but for the legislative context of the EU MDR, must) be based on reducing risk "as far as possible without adversely affecting the benefit-ratio".  Accordingly, when applying EN ISO 14971:2019's normative provisions in the context of the EU MDR's legislative mandate for reduction of risk AFAP, I suggest that the abandonment of the AFAP concept in an EU MDR risk management system will likely result in objection from the Notified Body, probably in the form of a major nonconformity.

Offline I received an objection from a peer regarding the notion of establishing an AFAP "threshold".  The concern was lodged in response to my preceding post, where I stated that the EU MDR Risk Management procedure needs to assure that the organization and its risk management mechanism properly and precisely define, in practical (i.e., working, implementable) terms, the concept of the AFAP threshold, and how the organization goes about reducing risks AFAP.  I also stated that the procedure needs to specify what particular thresholds and criteria will be used for determining whether risk has or has not been reduced to the AFAP threshold.  The objection asserts a concern that there is no such threshold in ISO 14971, and asserts that we should abandon such a notion.  The objection also asserts that we should instead focus on acceptability without any threshold, and that there is no black line between acceptable and not acceptable.  My approach to these concerns is described below.

Specifically, if we reject the notion of an AFAP "threshold" (the Notified Bodies call it an AFAP "end-point") and thus try to tackle the AFAP beast without first establishing implementable, executable boundaries on the meaning of AFAP, then it would seem to intrinsically demand and prevent us from ever concluding that the device's current risk profile is acceptable at any moment in time.  Indeed, a key factor motivating the withdrawal of the 2012 EN ISO 14971 Annex Z Content Deviations on AFAP was the Notified Bodies' recognition that, without a "clear, easy to understand, and unambiguous" AFAP end-point, there would be "practical problems such as where to stop in reducing risk".  I'm suggesting that this problem would only be exacerbated (and we would likely ruffle our Notified Bodies feathers) if we were to reject the notion of establishing an AFAP "threshold" (i.e., end-point) for EU MDR risk management.

As mentioned in my prior post, the Notified Bodies seem to have a clear understanding of the AFAP end-point, and it is explained in the aforesaid Notified Body Consensus Paper.  Moreover, I find that there is a clear correlation between that approach and how risk acceptability is addressed in ISO 24971:2020 (the guideline for ISO 14971), thus providing a nice bridge between the EU MDR's legislative parameters and ISO 14971's normative parameters.  This is a good opportunity to mention that Edwin Bills' article (https://www.meddeviceonline.com/doc/iso-tr-bringing-clarity-to-risk-acceptability-in-iso-0001) is a great read.

In summary, the Notified Bodies' approach to establishing the AFAP end-point is what needs to be woven into an EU MDR Risk Management procedure/process.  Via this approach, I have had positive feedback and results during Notified Body audit of my Risk Management system. But if the AFAP approach and establishment of a corresponding end-point are abandoned regarding EU MDR conformity, then my opinion is that a major nonconformity from the Notified Body would follow soon thereafter.