A whole lot going on here with plenty of misunderstandings over the years. I wrote an article on Risk Acceptability for MeDevice Online a short time ago, which I will attach here.
As was indicated in previous posts, EN ISO 14971:2012 was withdrawn by CEN and CENELEC and replaced by what BSI has indicated is the "state of the art" medical device risk management standard. Also you cannot use any Harmonized standard currently, as there are no standards Harmonized to the MDR / IVDR. Also a prefix of EN does NOT mean a standard is Harmonized. Standards are no Harmonized until the EU issues a Standardization Request to the European standards bodies CEN and CENELEC and they create a standard that is published in the Official Journal, indicating it has been accepted as Harmonized. To date one such request was submitted to CEN and CENELEC and rejected by them. Another was in the process of being created for submission last month. Currently ISO 14971:2019 and EN ISO 14971:2019 are identical with no differences. When Harmonized an Amended version of EN ISO 14971:2019 will be released with the Correspondence Tables for MDR and IVDR (an maybe even the Directives, though they might be useless at that point).
Your current choice is to either create your own system or to use EN ISO 14971:2019 to comply with risk management requirements in the MDR / IVDR. You may then comply with the standard, and respond to any requirements of the MDR / IVDR that are not covered in EN ISO 14971:2019. The ISO FDIS 14971:2019 contained proposed Correspondence Tables for the MDR (ZD) and IVDR (ZE) that show how such a table might be constructed. Unfortunately without Standardization Requests for any standards being accepted, these tables are only samples and do not contain valid data. The new Z Annexes will no longer have the troublesome Content Deviations that were alluded to early. They were fraught with errors which were addressed in the new regulations and also addressed in the 2019 version of 14971.
Now as for the ALAP / AFAP debacle, those are possible choice for a risk management POLICY as required in ISO 14971:2019 4.2, and are NOT regions on a risk chart. EN ISO 24971:2020 4.2 and Annex C go to great lengths in discussing the differences between these commonly confused requirements. The referenced article discusses this. The Policy sets what the company will use and consists of: Purpose; Scope; Factors and considerations for determine acceptable risk; Approaches to risk control; and Requirements for approval and review. The Risk Acceptability Criteria should be based on (and here is where MDR / IVDR comes in): Applicable regulatory requirements; Relevant internal standards; Generally acknowledged state of the art; and Validated stakeholder concerns. One of my concerns was always how you prove you have reached As Far As Possible, there, is always one more risk control that can be applied in my estimation, now the trick is to make sure you did not impact benefit-risk, that is your out, making the product unavailable due to cost is one impact that is certainly negative.
As Kevin indicated, once you have established a company Policy for Risk Acceptability, then for a particular product, you establish Risk Acceptability Criteria for that product in the Risk Management Plan for that product. Those criteria help you to implement your policy (ALAP, AFAP: without impacting your benefit-risk ratio; or whatever it is).
One of my other concerns is the undefined terminology used in MDR / IVDR. Benefit-risk ratio seems to indicate a numerical value, which cannot be created with all the disparate elements of benefit and risk, and then trying to compare them. EN ISO 24971:2020 does provide some examples on documenting benefit-risk, but they are all textual and not numeric, so there is no "ratio".
Good luck on your quest, but in the end your Notified Body will decide if you have reached your goal, or not.
------------------------------
Edwin Bills MEd, CQA, RAC, BSc, CQE, ASQ
Principal Consultant
Overland Park KS
United States
elb@edwinbillsconsultant.com------------------------------
Original Message:
Sent: 26-Jan-2021 20:27
From: Kevin Randall
Subject: ALAP vs. AFAP
First, it is important to know what an organization's "ALAP" acronym actually stands for. If the existing Risk Management Procedure defines ALAP as "As Low as Possible", then it may be that the organization's definition of ALAP could already be aligned with the EU MDR's requirement for As Far As Possible (AFAP). But further detailed assessment of the existing procedure would be needed to flush this out.
On the other hand, if a Risk Management procedure is based on reducing/controlling risks to be As Low As Practicable (a.k.a., ALARP - As Low As Reasonably Practicable), then, in preparation for an EU MDR audit, it is most definitely the right approach, and certainly required, to revise the procedure so as to update and replace ALAP/ALARP to a proper interpretation of AFAP. This is because both the outgoing MDD and incoming EU MDR demand that risks be reduced to AFAP. Indeed, AFAP is not a new concept to the European medical device regulatory arena.
Ultimately, it is necessary to be sure that the procedure aligns its definition and application of ALAP/AFAP with what will be expected by the Notified Body. This should start with realizing that the EU MDR's approach to AFAP builds upon, but doesn't clearly conflict with, that which was already established in the MDD. Specifically, the EU MDR adds that the reduction of risks AFAP means reduction of risks AFAP without adversely affecting the benefit-risk ratio. So, what does that mean, and how do we characterize it for the purposes of the Risk Management procedure and process? I introduce this below.
First, remember that the notion of achieving AFAP without regard for economic considerations was born from Annex Z Content Deviation #3 of EN ISO 14971:2012 (now withdrawn and superseded by the latest state of the art, EN ISO 14971:2019) which includes no such Content Deviation. Indeed, even before EN ISO 14971:2012 was withdrawn, the Notified Bodies recognized and voiced such recognition (based on longstanding MDD precedent) of the impracticality and inappropriateness of pursuing AFAP with total disregard for economic considerations. So, the Notified Bodies in fact continued to permit a reasonable amount of economic consideration to be made when pursuing AFAP. Accordingly, the EU MDR Risk Management procedure's attendance to AFAP should not be singularly focused on an aversion to, or disregard for, the associated economic considerations. Such an approach would probably be viewed by the Notified Bodies as impossible, and perhaps even disingenuous.
Instead, the Risk Management procedure needs to assure that the organization and its risk management mechanism properly and precisely define, in practical (i.e., working, implementable) terms, the concept of the AFAP threshold and how the organization goes about reducing risks AFAP. The procedure needs to specify what particular thresholds and criteria will be used for determining whether a particular risk has or has not been reduced to the AFAP threshold. The Notified Bodies, based on longstanding precedent, have a pretty clear understanding of this concept as elaborated on in their October 2014 Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971:2012. As noted above, the EN 2012 version of the ISO 14971 standard has been superseded, yet the 2014 Consensus Paper still in my experience contains an accurate Notified Body interpretation of the AFAP concept to be used as the basis for the corresponding elements of the Risk Management procedure.
A quick final note: Risk management is not risk analysis (though risk management certainly includes risk analysis). Accordingly, in order to comply with EN ISO 14971 and the EU MDR, it is necessary to have a Risk "Management" procedure that properly defines and integrates risk "analysis".
------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
ComplianceAcuity, Inc.
Ridgway, CO
United States
www.complianceacuity.com
© Copyright 2020 by ComplianceAcuity, Inc. All rights reserved.
Original Message:
Sent: 26-Jan-2021 13:09
From: Anonymous Member
Subject: ALAP vs. AFAP
This message was posted by a user wishing to remain anonymous
As we are approaching our MDR audit, our Risk Analysis procedure and documents need to be updated to replace ALAP with AFAP.
It seems to be a lot of differences between the interpretation of this change. Is it fair to say that our organization needs to "demonstrate that risks are reduced AFAP, by showing objective evidence that all possible risk control options were considered and implemented, without taking cost into consideration"?
If this is true, there is no difference in our organization, from ALAP to AFAP as we never take cost into consideration.
Please advise.