ISO 14971 Content Deviation #3: The Economic Considerations of Risk Reduction

  • Post author:
Read Time: 5 minutes
Written by: John Lafferty.

During the process of harmonisation of ISO 14971: 2007 as an EN standard, it became apparent that the standard did not comply with all the requirements of the Medical Devices Directives (MDDs), namely 90/385/EEC, 93/42/EEC and 98/79/EC. Seven discrepancies were identified; these discrepancies are described in EN 14971 as “Content Deviations”. This newsletter deals with Content Deviation No. 3 – Economic Considerations of Risk Reduction.

In the area of medical device manufacture, all risks cannot be completely designed out and therefore there will always be some residual risk. This residual risk and precautions that are necessary by the user and contraindications are normally contained in the device Instructions for Use (IFU). However the Essential requirements of the MDD require that all risks must be reduced as far as possible and not just as low as reasonably practicable (ALARP) as stated in the ISO 14971: 2009. The 2012 version of the Standard (EN ISO 14971: 2012) makes it clear that economic considerations are not an acceptable justification for not reducing a risk, regardless of the magnitude of that risk. Therefore, manufacturers cannot justify not reducing a risk because to do so would be too costly. The Medical Devices Directives do not permit financial considerations to override the Essential Requirements for safety and performance of medical devices.

Process Risks

As regards process risks, the same principles apply – economic considerations cannot be used as justification for not implementing process controls. The question must be asked, would additional process controls or inspections reduce the risk associated with the use of the device?
If the answer is yes, then the additional process controls must be implemented. The permissible reasons for not implementing additional controls are outlined later in this newsletter but they must not include economic considerations. It is important to note here, that the MDDs are only concerned with the risks associated the use of the device and not the risks to the manufacturing process itself, except the risk that stocking out the market would be deny patients treatment e.g. in the case of a unique therapy or a near monopoly situation.
The real practicable difficulty that arises here is the need to immediately comply with EN 14971:2012. Implementing additional process controls takes time, the process controls themselves must be risk assessed to ensure that there is no adverse effect from their use and the effectiveness of the controls must be validated or verified.
The question is; how does the manufacturer solve this problem? It is recommended that existing risk analysis documents such as pFMEA s be reviewed and additional controls be identified where necessary for each and every process risk (regardless of its magnitude). Once this has been done, a project plan should be drawn up for the implementation of the additional process controls. This plan should prioritise the risks of the highest magnitude. The project plan should be integrated into the company’s Quality System through a mechanism such as Change Control or a Quality Plan. The next step should be to contact your Notified Body as soon as possible, well in advance of your next audit or submission, and outline your plan for compliance.
Once the notified body is on side with the plan, the implementation of additional controls should be progressed without delay and the project plan should be kept up to date as the project evolves. Account must be taken of the Post Market Information as required by ISO 14971:2012 when implementing the plan. If information arises that indicates that a particular risk was higher than originally estimated or has increased or is increasing, then that risk should be re-prioritised within the project plan and the implementation of the additional risk controls for that risk must be brought forward if possible.

Does this mean an end to the use of ALARP?

Yes. For devices sold in Europe, the ALARP concept will no longer be permissible as a means of risk acceptance because it involves an economic element in the justification of acceptable risk.
In future, there will only be two categories of risk;
1) Intolerable risk – the presence of which means a device cannot be placed on the market unless justified through risk/benefit analysis.
2) Acceptable risk – risks that have been reduced as low as possible and have been justified through risk/benefit analysis. (Risk/benefit analysis must be conducted for each individual risk and for the totality of the risk).
Most company’s risk management system contain a risk acceptability matrix that displays the ALARP region of risk acceptability such risk acceptability matrices should be replace with a matrix such as the one shown in Figure D.5 of ISO 14971

Where does this all end?

How far do I need to go in reducing risks is a question manufactures often ask? To take the principle of not using economic justification for reducing to its logical conclusion, I could ensure that my device is free particulate by having it built in space. As I cannot state that it would not be economically feasible to do so, how am I to proceed? You are not expected to go to the Nth degree but are expected to adhere to the ‘generally acknowledged state of the art’ as required by the MDDs. The MDDs do not define state of the art, but ISO 14971 does define state of the art as follows: “State of the art” is used here to mean what is currently and generally accepted as good practice. Various methods can be used to determine “state of the art” for a particular medical device. Examples are: ⎯ standards used for the same or similar devices; ⎯ best practices as used in other devices of the same or similar type; ⎯ results of accepted scientific research.
State of the art does not necessarily mean the most technologically advanced solution. As there is no content deviation in EN ISO 14971: 2012 relating to state of the art it can be concluded that this definition is valid for compliance with the MDDs. As long as your designs and controls are state of the art you can justify that you have reduced the risk as far as possible.
For example: To have a line of six inspectors each checking the previous inspector has not missed a defect is not the state of the art; however, to have a vision system checking for defects which are associated with a high severity harm for the patient is state of the art, while to have a vision systems to check for every possible defect irrespective of the harm that it could cause is not state of the art.
Manufacturers must be aware that the state of the art changes over time and that they must keep up with the state of the art. Consideration of how current designs and controls compare to the state of the art should form part of the periodic review of risk conducted by top management as required by ISO 14971. This leaves the following possible justification available for not reducing risk further:
The risk has been eliminated.
The designs and controls are state of the art.
Improved design or further controls are not technically feasible (as opposed to economically feasible) taking into account the current state of the art.
The existing design (or controls) have reduced the risk to the same level as the proposed new design.
Additional designs or controls would conflict with the existing design or controls thereby resulting in a risk that is equal to worse than the current situation.
The design or control introduces a new hazard that presents a risk that is equal to worse than the current situation.

How to Address Deviation No. 3

In order to address content deviation No. 3 your risk management team will need to change the risk management process to remove the ALARP risk category and the use of economic justification for not reducing risk. These will need to be replaced with requirements to reduce risk as far as possible given the state of the art and a requirement to clearly state that all risks have been reduced as far as possible. The risk review process will need to be updated to ensure that it contains a requirement that the designs and controls be kept up to date with the current state to the art.
Your team will need to review risk management documents such as dFMEAs and pFMEAs to remove all reference to ALARP and to ensure that all risks have been reduced as far as possible. Where this is the case a clear justification should be added to state that risks have been reduced as far as possible given the state of the art. Where this is not the case, redesigns and or improved controls will have to be developed in order to bring the device safety up to the state of the art. A project plan to achieve this should be embedded in your Quality System and kept up to date.
Finally communication with your Notified Body is vital to ensure that they are on side with your programme for compliance with content deviation No. 3.


 * Content Deviation: During the process of making ISO 14971 an EN standard (a process known as harmonisation), it became apparent that the standard did not comply with all the requirements of the Medical Devices European Directives, namely 90/385/EEC, 93/42/EEC and 98/79/EC. The differences between EN 14971: 2012 and the medical devices directives are known as Content Deviations.
The seven Content Deviations are:
 Treatment of Negligible Risk
 Risk Acceptability Assessment
 Risk Reduction
 Economic Considerations
 Risk-Benefit Analysis Not Optional
 Risk Control Options First Risk Control Option
 Labelling Information Cannot Influence Residual Risk

Course on Quality Risk Management and ISO 14971 for Medical Devices

To find out more, why not come along to our Quality Risk Management and ISO 14971 – Medical Devices course, which we run through our training partner SQT Training. To enquire further or to book, simply log on to SQT Training

John Lafferty – Tutor

John Lafferty is the tutor on the above training course. John also delivers courses in areas such as Quality Systems, Process Validation, Software Validation and Quality Risk Management on behalf of SQT. John runs a Quality Management Consultancy, Northridge Quality & Validation, which specialises in providing assistance to the Medical Devices and Pharmaceutical sector.