ISO 14971 - ALARP and P2 - New ISO 14971 does not allow the concept of ALARP?

thisby_

Involved In Discussions
#1
Hello,

I would like to get some help in understanding if it is true that the new version of ISO 14971 does not allow the concept of ALARP.

Our current SOP for Risk Management refers to ISO 14971:2007 (EN ISO 14971:2012).
Our acceptability matrix has the concept of ALARP. Do we need to change it? Should the acceptability matrix (sevXprob) only have Acceptable and Not-Acceptable ranges?
We assume that if a hazard gets into the ALARP zone after mitigation and there is nothing we can do to change it (imagine the case of Catastrophic X Improbable and we are already in the lowest possible probability) we leave it in the ALARP and we add a rationale to it. Is this acceptable?

For what concerns the P2 (probability of a hazard to cause a harm), is it correct to assume that this probability is independent of the device? Could you please provide an example to help me understand better this concept?

I thought of this example (not sure if it is clear though):
device - infusion pump
hazard - wrong infusion rate
severity outcome - death
P1 - (probability the wrong infusion rate of occurring) to be determined by design (it may depend on what originates the wrong infusion rate)
P2 (the probability of wrong infusion rate to cause a death) - probable

To arrive at this value I should assume that a wrong infusion rate (independently of how it is administered) causes a death, correct?

Thank you in advance for your help!
Emilia
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
I would like to get some help in understanding if it is true that the new version of ISO 14971 does not allow the concept of ALARP.
Correct(ish). The standard expects that all risks are reduced as far as possible. The rationale for this was to eliminate the application of ALARP with regard to economic considerations. But that's exactly what happens anyway (you're not going to gold-plate a tongue depressor!). I've even seen postings here about auditors looking at a risk analysis and asking why they didn't consider some (apparently obvious) control - and then writing them up for not meeting the standard. So it's a difficult proposition to deal with but suffice to say yes, reduce to the greatest extent possible. (And by no means say that some control was dismissed for economic considerations!).

Our current SOP for Risk Management refers to ISO 14971:2007 (EN ISO 14971:2012).
Our acceptability matrix has the concept of ALARP. Do we need to change it? Should the acceptability matrix (sevXprob) only have Acceptable and Not-Acceptable ranges?
We assume that if a hazard gets into the ALARP zone after mitigation and there is nothing we can do to change it (imagine the case of Catastrophic X Improbable and we are already in the lowest possible probability) we leave it in the ALARP and we add a rationale to it. Is this acceptable?
The standard still requires that you have criteria for risk acceptability. I think the majority of folks still use the red-yellow-green (or maybe not just red / green) matrix approach... and this has been acceptable to auditors from what I've seen.

Another fun twist in the standard is that every risk now needs to have a risk-benefit analysis conducted (in addition to the overall RBA).

For what concerns the P2 (probability of a hazard to cause a harm), is it correct to assume that this probability is independent of the device? Could you please provide an example to help me understand better this concept?
I wouldn't say that you consider probability independent of the device but maybe independent of the design. Device categories generally have common risks. An infusion pump, for example, may allow free-flow if a door is opened. Probability is quite high unless you design in features to prevent free-flow. If you just alarm if the door opens, you haven't prevented free flow. If you integrate a clamp that closes the tubing (irrespective of power) if the door is opened, you have now reduced the probability of free-flow.

I thought of this example (not sure if it is clear though):
device - infusion pump
hazard - wrong infusion rate
severity outcome - death
P1 - (probability the wrong infusion rate of occurring) to be determined by design (it may depend on what originates the wrong infusion rate)
P2 (the probability of wrong infusion rate to cause a death) - probable

To arrive at this value I should assume that a wrong infusion rate (independently of how it is administered) causes a death, correct?
That's the approach I've generally seen. I have mixed opinions of the P1 * P2 approach. I understand the intent and can see how it might give a better picture but I haven't come to grips yet (accepted) that it give a substantially better picture versus the extra overhead. But if it works for you, keep it up!

Hopefully this gets the discussion rolling and others will weigh in. (Marcelo, where are you?? :) )

Do some searches in the forum for other discussions on this topic. There have been many.

Oh, and don't forget that the standard does not allow risk reduction through information for safety only any more.
 

thisby_

Involved In Discussions
#3
Maybe I am misunderstood but Annex D of ISO 14971:2007 talks about ALARP. Is there a newer version that removed this section?
I was under the impression that EN ISO 14971:2017 has the same content as the one from 2007 except for some annexes related to MD Directive.
Thank you,
Emilia
 

Ronen E

Problem Solver
Staff member
Moderator
#4
Maybe I am misunderstood but Annex D of ISO 14971:2007 talks about ALARP. Is there a newer version that removed this section?
I was under the impression that EN ISO 14971:2017 has the same content as the one from 2007 except for some annexes related to MD Directive.
Thank you,
Emilia
Your description is quite accurate.

If there's any misunderstanding, I think it stems from your statement (post #1):

Our current SOP for Risk Management refers to ISO 14971:2007 (EN ISO 14971:2012).
It's true that the normative (=binding) parts of these two standards are identical, however, in the MDD context the Z annexes in the EN standard make a significant difference. If you are after MDD compliance, those Z annexes actually say that compliance with the normative part will not provide full compliance with the MDD, and thus they stop being "just annexes" and become very significant in the compliance process. Further, they tell you what are the normative part's "shortcomings" and how to bridge the gap to MDD compliance.

If you're not after MDD compliance there's no real reason to refer to the EN standard in your SOP. ISO 14971 (currently, 2007 version) would suffice and you could apply the ALARP concept without difficulty.
 
Thread starter Similar threads Forum Replies Date
S Practical Implementation of ISO 14971 ISO 14971 - Medical Device Risk Management 6
R Identify Medical Device characterstics as Annex C of ISO 14971 Risk Management ISO 14971 - Medical Device Risk Management 5
A ISO 14971 PFMEA Manufacturing Risk ISO 14971 - Medical Device Risk Management 2
K Overall residual risk according to ISO 14971:2019 ISO 14971 - Medical Device Risk Management 5
M Gap analysis on ISO 14971:2019 with previous revision ISO 14971 - Medical Device Risk Management 3
B New ISO 14971:2019 Harm: unreasonable psychological stress, and cybersecurity ISO 14971 - Medical Device Risk Management 13
M Risk Analysis Flow - Confusion between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 8
B ISO 14971 Applied to Software ISO 14971 - Medical Device Risk Management 2
D Recent changes to ISO 14971 - SOP required for managing standard revisions ISO 13485:2016 - Medical Device Quality Management Systems 1
A EN ISO 14971:2019 does not include the Annex Zs ISO 14971 - Medical Device Risk Management 4
J ISO 14971 applied to ISO 13485? Low risk class 1 devices ISO 13485:2016 - Medical Device Quality Management Systems 3
Ronen E Informational What's new in ISO 14971:2019 ISO 14971 - Medical Device Risk Management 2
T ISO 14971-2019 doubt - Evaluate if estimated risks are acceptable ISO 14971 - Medical Device Risk Management 9
A We are ISO 13485:2016 should we be audited to ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 16
Y When will Notified Bodies require MedDev manufacturers to fully implement ISO 14971:2019? ISO 14971 - Medical Device Risk Management 1
P Risk acceptability alignment between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 6
S ISO 14971 Risk Management - Questions for Hazard identification ISO 14971 - Medical Device Risk Management 2
M Informational ISO 14971 / ISO TR 24971 revision update – atualizações sobre a revisão Medical Device and FDA Regulations and Standards News 1
R The difference b/w FMEA & Risk analysis as per iso 14971 ISO 14971 - Medical Device Risk Management 8
D Risk management according to ISO 14971 - When to document risk controls? ISO 14971 - Medical Device Risk Management 10
D Where does FMEA fit in your ISO 14971 Risk Management process? ISO 14971 - Medical Device Risk Management 13
Q Information for safety EN ISO 14971:2012 - Customer Risk Reduction ISO 14971 - Medical Device Risk Management 6
M Informational ISO TC 210 JWG 1 meeting in São Paulo – Revision of ISO 14971 and ISO TR 24971 – Medical Device Risk Management Medical Device and FDA Regulations and Standards News 0
A Our auditor requires us to attend a training on EN ISO 14971:2012 Other ISO and International Standards and European Regulations 3
S In a risk analysis, how can we tie mobile app security breach to ISO 14971? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
F IMDRF opened a Consultation on Annex E & F and the link to ISO 14971 ISO 14971 - Medical Device Risk Management 4
M Updates to EN 62366 & ISO 14971? Other Medical Device Related Standards 3
D IEC 60601-1 and ISO 14971 Assessment IEC 60601 - Medical Electrical Equipment Safety Standards Series 12
M Example ISO 14971 policy and risk criteria ISO 14971 - Medical Device Risk Management 0
P ISO 13485 and ISO 14971 - one mandates the other? ISO 13485:2016 - Medical Device Quality Management Systems 8
D Rationale for Risk Acceptability Matrix - ISO 14971 ISO 14971 - Medical Device Risk Management 9
H Task analysis and ISO 14971 ISO 14971 - Medical Device Risk Management 9
M ISO 14971 and Stand-Alone Diagnostic Software ISO 14971 - Medical Device Risk Management 4
dgrainger Benefit - What is the definition of Benefit in ISO 14971? ISO 14971 - Medical Device Risk Management 7
Y Training as a risk control for ISO 14971 ISO 14971 - Medical Device Risk Management 13
W Risk Benefit Analysis - ISO 14971:2012 Requirements ISO 14971 - Medical Device Risk Management 27
C What is the difference between "Overall Risk" and "Risk"? (ISO 14971) ISO 14971 - Medical Device Risk Management 10
B New EU Medical Device Regulation & Reconciling with EN ISO 14971 EU Medical Device Regulations 41
B IFU and deviation 7 in ISO 14971 Annex ZA ISO 14971 - Medical Device Risk Management 1
B Interpreting Deviations 5 & 6 in Annex ZA in ISO 14971:2012 ISO 14971 - Medical Device Risk Management 1
B Our NB says that IEC 62304 is an ISO 14971 Requirement ISO 14971 - Medical Device Risk Management 1
B Clarification on interpretation of some EN ISO 14971:2012 & IEC 62304:2006 req's ISO 14971 - Medical Device Risk Management 46
H ISO 14971 vs. IEC 62304 vs. 98/79/EC vs. ISO 13485 (Software Medical Device) ISO 14971 - Medical Device Risk Management 1
M ISO 14971 and ISO TR 24971 revision ISO 14971 - Medical Device Risk Management 32
F ISO 14971:2012 and the FDA ISO 14971 - Medical Device Risk Management 5
M ISO 14971:2007 Revision Approved - The Delft ISO TC 210 plenary meeting - Nov 2016 ISO 14971 - Medical Device Risk Management 2
S Organizing Risk Analysis and Controls for a New Medical Device (ISO 14971) ISO 14971 - Medical Device Risk Management 4
M The future of ISO 14971:2007 ISO 14971 - Medical Device Risk Management 2
M IEC 62304, ISO 14971 and FDA Medical Device SW Guidance 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 5
K ISO 14971 and IEC 62304 - Medical Device Software House ISO 14971 - Medical Device Risk Management 9

Similar threads

Top Bottom