Explicit acceptable/unacceptable determination for each hazardous situation, compared against the Risk Management Plan acceptance matrix — unacceptable risks mandate control.
AFAP principle requires documented rationale even for risks already within the acceptable zone; cost alone can no longer justify forgoing further reduction.
Device-specific risk matrix — generic company-wide matrices without clinical-context calibration are a common rejection point for notified bodies.
Maps to
ISO 14971: §6 Risk evaluation
ISO 13485: §7.1 Planning of product realization
Pre-QMSR Part 820 (legacy QSR): §820.30(g) Design validation.
Requirement text
The manufacturer shall compare the estimated risk for each hazardous situation against the acceptability criteria established in the risk management plan. If the risk is acceptable, it is not required to apply risk control measures to this hazardous situation and the estimated risk shall be treated as residual risk. If the risk is not acceptable, the manufacturer shall perform risk control activities.
Why this clause exists
Risk evaluation is the decision gate that converts numerical estimates into action obligations — without an explicit acceptable/unacceptable determination for each hazardous situation, a risk analysis remains a descriptive exercise rather than a driver of design decisions. Manufacturers who skip formal risk evaluation or record only risk scores without acceptability conclusions leave auditors with no evidence that the risk management process actually governed design choices. The ISO 14971:2019 shift from ALARP (as low as reasonably practicable) to AFAP (as far as possible) in clause 6 further tightened this by removing cost as a primary justification for not reducing an already-acceptable risk — a change that reflects a regulatory consensus that risk should be reduced to the lowest level consistent with technical feasibility, with the state of the art serving as the practical lower bound rather than economic convenience.
What changed
ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.
The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. ISO/TR 24971:2020 (informative companion) adds Annex G (cybersecurity risk management) and Annex H (legacy device risk file remediation).
Common gaps (what we see in audits)
- Generic risk acceptability matrices used across all products — Risk acceptability criteria are rejected when they are generic matrices used identically across all products without adjustment for clinical context, device class, or current state of the art. Auditors expect risk criteria tailored to the specific device's intended use, patient population, and clinical environment.