ISO 14971 - ALARP and P2 - New ISO 14971 does not allow the concept of ALARP?

thisby_

Involved In Discussions
Hello,

I would like to get some help in understanding if it is true that the new version of ISO 14971 does not allow the concept of ALARP.

Our current SOP for Risk Management refers to ISO 14971:2007 (EN ISO 14971:2012).
Our acceptability matrix has the concept of ALARP. Do we need to change it? Should the acceptability matrix (sevXprob) only have Acceptable and Not-Acceptable ranges?
We assume that if a hazard ends up in the ALARP zone after mitigation and there is nothing we can do to change it (imagine the case of Catastrophic X Improbable where we are already at the lowest possible probability), we leave it in the ALARP zone and add a rationale to it. Is this acceptable?

Regarding P2 (the probability of a hazard causing a harm), is it correct to assume that this probability is independent of the device? Could you please provide an example to help me understand this concept better?

I thought of this example (not sure if it is clear though):
device - infusion pump
hazard - wrong infusion rate
severity outcome - death
P1 - (probability of the wrong infusion rate occurring) to be determined by design (it may depend on what originates the wrong infusion rate)
P2 (the probability of wrong infusion rate to cause a death) - probable

To arrive at this value I should assume that a wrong infusion rate (independently of how it is administered) causes a death, correct?

Thank you in advance for your help!
Emilia

yodon

Leader
Super Moderator
> I would like to get some help in understanding if it is true that the new version of ISO 14971 does not allow the concept of ALARP.

Correct(ish). The standard expects that all risks are reduced as far as possible. The rationale for this was to eliminate the application of ALARP with regard to economic considerations. But that's exactly what happens anyway (you're not going to gold-plate a tongue depressor!). I've even seen postings here about auditors looking at a risk analysis and asking why they didn't consider some (apparently obvious) control - and then writing them up for not meeting the standard. So it's a difficult proposition to deal with but suffice to say yes, reduce to the greatest extent possible. (And by no means say that some control was dismissed for economic considerations!).

> Our current SOP for Risk Management refers to ISO 14971:2007 (EN ISO 14971:2012).
> Our acceptability matrix has the concept of ALARP. Do we need to change it? Should the acceptability matrix (sevXprob) only have Acceptable and Not-Acceptable ranges?
> We assume that if a hazard ends up in the ALARP zone after mitigation and there is nothing we can do to change it (imagine the case of Catastrophic X Improbable where we are already at the lowest possible probability), we leave it in the ALARP zone and add a rationale to it. Is this acceptable?

The standard still requires that you have criteria for risk acceptability. I think the majority of folks still use the red-yellow-green (or maybe not just red / green) matrix approach... and this has been acceptable to auditors from what I've seen.

Another fun twist in the standard is that every risk now needs to have a risk-benefit analysis conducted (in addition to the overall RBA).

> Regarding P2 (the probability of a hazard causing a harm), is it correct to assume that this probability is independent of the device? Could you please provide an example to help me understand this concept better?

I wouldn't say that you consider probability independent of the device but maybe independent of the design. Device categories generally have common risks. An infusion pump, for example, may allow free-flow if a door is opened. Probability is quite high unless you design in features to prevent free-flow. If you just alarm if the door opens, you haven't prevented free flow. If you integrate a clamp that closes the tubing (irrespective of power) if the door is opened, you have now reduced the probability of free-flow.

> I thought of this example (not sure if it is clear though):
> device - infusion pump
> hazard - wrong infusion rate
> severity outcome - death
> P1 - (probability of the wrong infusion rate occurring) to be determined by design (it may depend on what originates the wrong infusion rate)
> P2 (the probability of wrong infusion rate to cause a death) - probable
>
> To arrive at this value I should assume that a wrong infusion rate (independently of how it is administered) causes a death, correct?

That's the approach I've generally seen. I have mixed opinions of the P1 * P2 approach. I understand the intent and can see how it might give a better picture, but I haven't come to grips yet (accepted) that it gives a substantially better picture versus the extra overhead. But if it works for you, keep it up!

Hopefully this gets the discussion rolling and others will weigh in. (Marcelo, where are you?? :) )

Do some searches in the forum for other discussions on this topic. There have been many.

Oh, and don't forget that the standard does not allow risk reduction through information for safety only any more.
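To make the P1 * P2 discussion above concrete, here is a small added model (written for this page, not taken from the thread, from ISO 14971 or from any real device) that splits P1 across the causes of a hazard, multiplies by P2, maps the result onto a qualitative probability band and looks it up in a severity x probability matrix with Acceptable / ALARP / Unacceptable zones. The band boundaries, the matrix layout, the per-cause probabilities for the infusion-pump example and the effect of the door clamp are all constructed assumptions; the point is to show how a design control moves P1 while P2 stays put, and where an ALARP cell then demands a documented rationale.

```python
"""Added example: P1 x P2 risk estimation against a severity x probability
acceptability matrix. All numbers and the matrix layout are constructed for
illustration and are not values from ISO 14971 or from any real pump."""
from dataclasses import dataclass, replace
from math import prod

# Probability bands for "probability of harm per use" (constructed).
# Each entry is (inclusive upper bound, band name), checked in order.
PROBABILITY_BANDS = [
    (1e-6, "Improbable"),
    (1e-5, "Remote"),
    (1e-4, "Occasional"),
    (1e-3, "Probable"),
    (float("inf"), "Frequent"),
]
BAND_NAMES = [name for _, name in PROBABILITY_BANDS]

# Acceptability matrix: rows = severity, columns = bands in the order above.
# A = Acceptable, L = ALARP (kept only with a documented rationale),
# U = Unacceptable. The layout is an assumption made for this example.
MATRIX = {
    "Negligible":   "AAAAL",
    "Minor":        "AAALL",
    "Serious":      "AALLU",
    "Critical":     "ALLUU",
    "Catastrophic": "LUUUU",
}
ZONE = {"A": "Acceptable", "L": "ALARP", "U": "Unacceptable"}


@dataclass(frozen=True)
class HazardousSituation:
    """One hazard -> harm line of a risk table, with P1 split by cause."""
    hazard: str
    harm: str
    severity: str
    p1_by_cause: dict   # cause -> probability (per use) that it produces the hazard
    p2: float           # probability that the hazard then leads to the harm

    def p1(self) -> float:
        # Probability that at least one cause produces the hazard, treating
        # causes as independent: 1 - prod(1 - p_i). A plain sum would
        # overstate P1 once individual cause probabilities get large.
        return 1.0 - prod(1.0 - p for p in self.p1_by_cause.values())

    def p_harm(self) -> float:
        # The P1 * P2 estimate discussed in the thread.
        return self.p1() * self.p2


def probability_band(p: float) -> str:
    """Map a numeric probability of harm onto a qualitative band."""
    for upper, name in PROBABILITY_BANDS:
        if p <= upper:
            return name
    raise ValueError(p)


def evaluate(hs: HazardousSituation) -> dict:
    """Look the estimate up in the matrix and flag whether a rationale is due."""
    band = probability_band(hs.p_harm())
    cell = MATRIX[hs.severity][BAND_NAMES.index(band)]
    return {
        "p1": hs.p1(),
        "p_harm": hs.p_harm(),
        "band": band,
        "acceptability": ZONE[cell],
        # An ALARP cell is tolerated only with a documented rationale that no
        # further reduction is practicable (the situation asked about above).
        "requires_rationale": cell == "L",
    }


def apply_control(hs: HazardousSituation, cause: str, factor: float) -> HazardousSituation:
    """Model a design control that scales one cause's occurrence by `factor`.

    Controls act on P1 (occurrence of the hazard); P2 is left untouched,
    matching the point above that P2 is largely independent of the design."""
    causes = dict(hs.p1_by_cause)
    causes[cause] *= factor
    return replace(hs, p1_by_cause=causes)


# Constructed infusion-pump line from the thread (all numbers invented).
WRONG_RATE = HazardousSituation(
    hazard="wrong infusion rate",
    harm="death",
    severity="Catastrophic",
    p1_by_cause={"free-flow when door opened": 1e-3, "software rate error": 1e-5},
    p2=0.05,
)
# A clamp that closes the tubing when the door opens is assumed to cut the
# free-flow cause by three orders of magnitude (assumption, not measured data).
WRONG_RATE_WITH_CLAMP = apply_control(WRONG_RATE, "free-flow when door opened", 1e-3)

if __name__ == "__main__":
    for label, hs in (("before clamp", WRONG_RATE), ("after clamp", WRONG_RATE_WITH_CLAMP)):
        r = evaluate(hs)
        print(f"{label}: P1={r['p1']:.2e} P(harm)={r['p_harm']:.2e} {r['band']} "
              f"-> {r['acceptability']} (rationale needed: {r['requires_rationale']})")
```

Run as a script, the "before clamp" line lands in an Unacceptable cell and the "after clamp" line lands in Catastrophic x Improbable, which in this constructed matrix is an ALARP cell; the `requires_rationale` flag is what a reviewer would expect to see backed by a written justification in the risk file, and the numeric P1 shows why an alarm-only control (which does not touch the free-flow cause) would not move the cell at all.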

thisby_

Involved In Discussions
Maybe I have misunderstood, but Annex D of ISO 14971:2007 talks about ALARP. Is there a newer version that removed this section?
I was under the impression that EN ISO 14971:2017 has the same content as the one from 2007 except for some annexes related to MD Directive.
Thank you,
Emilia

Ronen E

Problem Solver
Moderator
> Maybe I have misunderstood, but Annex D of ISO 14971:2007 talks about ALARP. Is there a newer version that removed this section?
> I was under the impression that EN ISO 14971:2017 has the same content as the one from 2007 except for some annexes related to MD Directive.
> Thank you,
> Emilia

Your description is quite accurate.

If there's any misunderstanding, I think it stems from your statement (post #1):

> Our current SOP for Risk Management refers to ISO 14971:2007 (EN ISO 14971:2012).

It's true that the normative (=binding) parts of these two standards are identical; however, in the MDD context the Z annexes in the EN standard make a significant difference. If you are after MDD compliance, those Z annexes actually say that compliance with the normative part will not provide full compliance with the MDD, and thus they stop being "just annexes" and become very significant in the compliance process. Further, they tell you what the normative part's "shortcomings" are and how to bridge the gap to MDD compliance.

If you're not after MDD compliance there's no real reason to refer to the EN standard in your SOP. ISO 14971 (currently, 2007 version) would suffice and you could apply the ALARP concept without difficulty.