Maps to
QMSR / ISO 13485: §820.30(g)
ISO 13485: §7.1
ISO 14971: §6
Requirement text
The manufacturer shall compare the estimated risk for each hazardous situation against the acceptability criteria established in the risk management plan. Risks exceeding acceptability thresholds must proceed to risk control, and risks below the threshold should still be reduced further if reasonably practicable.
What changed
ISO 14971:2019 was a major revision reorganizing the standard from 9 to 10 clauses and moving extensive guidance material into a separate technical report (ISO/TR 24971:2020), making normative requirements clearer and more auditable.
The most significant change was replacing ALARP (As Low As Reasonably Practicable) with AFAP (As Far As Possible), removing the ability to use economic cost as a primary justification for not implementing a risk control. The standard introduced explicit benefit-risk analysis requirements — three new definitions were added (benefit, reasonably foreseeable misuse, state of the art) and the required conclusion shifted from 'risks are acceptable' to 'benefits outweigh residual risks.' Risk acceptability criteria must now be established and documented in the risk management plan before risk analysis begins.
Post-production requirements (Clause 10) were substantially expanded into four sub-clauses (Establish, Collect, Review, Act), mandating active collection and review of post-market data rather than passive complaint handling. The overall residual risk evaluation (Clause 8) was enhanced to require aggregate assessment of all residual risks combined, considering synergistic effects where multiple low risks may create new high-risk situations. Clause 4.3 shifted emphasis from personnel qualifications to demonstrated competence. New Annex G on cybersecurity risk management and Annex H on legacy device risk file remediation were added.
Atomic constraints
- Risk evaluation must compare estimated risk against the acceptance criteria in the Risk Management Plan.
- Each risk must be explicitly recorded as acceptable or unacceptable.
- Risks classified as unacceptable must trigger risk control activities.
- Risk evaluation decisions must be recorded in the risk management file.
- The AFAP (as far as possible) principle requires attempting further reduction even for risks below the unacceptable threshold.
Common gaps
Generic risk acceptability matrices used across all products
Severity: major
Risk acceptability criteria are rejected when they are generic matrices used identically across all products without adjustment for clinical context, device class, or current state of the art. Auditors expect risk criteria tailored to the specific device's intended use, patient population, and clinical environment.
Evidence signals
- FILE_EXISTS: Risk.*Table|FMEA|Risk.*Accept|Hazard.*Log
- CONTENT_MATCH: Does this document classify risks as acceptable or unacceptable using a defined risk matrix, and explicitly identify which risks require control measures?
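The atomic constraints above and the FILE_EXISTS evidence signal, worked through in code. This is an added example written for this page, not code from the page's author or from any compliance tool; the device name, the acceptance matrix and the hazardous situations are constructed sample data, and the only value taken from the page is the FILE_EXISTS regular expression.

```python
"""Risk evaluation against the acceptance criteria of a risk management plan.

Added illustration of the "Atomic constraints" and "Evidence signals" sections;
not code from the page's author. The device, acceptance matrix and hazardous
situations below are constructed sample data, not values from a real risk file.
"""
from dataclasses import dataclass
import re

ACCEPTABLE = "acceptable"
UNACCEPTABLE = "unacceptable"


@dataclass(frozen=True)
class RiskManagementPlan:
    """Acceptance criteria as they must be fixed in the RMP before analysis.

    criteria maps (severity, probability) -> ACCEPTABLE or UNACCEPTABLE and is
    specific to one device; there is deliberately no generic fallback matrix.
    """
    device: str
    criteria: dict

    def acceptability(self, severity: int, probability: int) -> str:
        cell = self.criteria.get((severity, probability))
        if cell is None:
            # A situation outside the RMP matrix cannot be evaluated; failing
            # loudly beats silently defaulting to "acceptable".
            raise ValueError(
                f"RMP for {self.device} defines no criterion for S{severity}/P{probability}")
        return cell


@dataclass(frozen=True)
class RiskEvaluation:
    """One row of the risk evaluation record kept in the risk management file."""
    hazardous_situation: str
    severity: int
    probability: int
    decision: str            # ACCEPTABLE or UNACCEPTABLE, always explicit
    control_required: bool   # unacceptable risks must proceed to risk control
    afap_note: str           # for acceptable risks: why no further reduction


def sample_criteria() -> dict:
    """Constructed matrix for a hypothetical infusion device (S1-S5 x P1-P5).

    Severity 4+ (serious injury) is unacceptable at any probability above
    'remote' (P1); otherwise the product S*P must stay below 12. A real RMP
    derives these cells from intended use, patient population and state of the art.
    """
    return {
        (s, p): UNACCEPTABLE if (s >= 4 and p >= 2) or s * p >= 12 else ACCEPTABLE
        for s in range(1, 6)
        for p in range(1, 6)
    }


def evaluate_risk(plan, hazardous_situation, severity, probability, afap_note=""):
    """Compare one estimated risk with the RMP criteria and record the decision.

    Under AFAP an acceptable risk still needs a recorded statement of whether it
    could be reduced further, so an empty note is rejected for acceptable risks.
    Unacceptable risks carry their justification in the risk control record instead.
    """
    decision = plan.acceptability(severity, probability)
    if decision == ACCEPTABLE and not afap_note.strip():
        raise ValueError(f"{hazardous_situation!r}: acceptable risk needs an AFAP note")
    return RiskEvaluation(
        hazardous_situation=hazardous_situation,
        severity=severity,
        probability=probability,
        decision=decision,
        control_required=(decision == UNACCEPTABLE),
        afap_note=afap_note,
    )


def risks_requiring_control(records):
    """Hazardous situations that must be carried into risk control."""
    return [r.hazardous_situation for r in records if r.control_required]


# The FILE_EXISTS evidence signal quoted on the page, applied to document names.
EVIDENCE_FILE_PATTERN = re.compile(r"Risk.*Table|FMEA|Risk.*Accept|Hazard.*Log")


def evidence_files(filenames):
    """Return the file names the FILE_EXISTS signal would pick up."""
    return [name for name in filenames if EVIDENCE_FILE_PATTERN.search(name)]


if __name__ == "__main__":
    plan = RiskManagementPlan("hypothetical infusion pump", sample_criteria())
    records = [
        evaluate_risk(plan, "air-in-line not detected", 5, 3),
        evaluate_risk(plan, "display glare delays reading", 2, 3,
                      "anti-glare film evaluated; no further practicable reduction"),
    ]
    for r in records:
        print(f"{r.hazardous_situation}: S{r.severity}/P{r.probability} -> {r.decision}")
    print("to risk control:", risks_requiring_control(records))
    print("evidence files:", evidence_files(["Risk_Table_v3.docx", "Risk Management Plan.docx"]))
```

Two design points match the page's common gap: the matrix lives inside the plan object for one named device rather than as a module-level constant shared across products, and a severity/probability pair the plan does not define raises instead of being treated as acceptable by default. Note that the FILE_EXISTS pattern is a substring search, so a name like "Risk Management Plan.docx" is not matched by it.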
Audit defense
Each risk in the Risk Table for [your product] (Doc ID: [your document ID]) is explicitly evaluated against our Risk Acceptance Matrix. Unacceptable risks are flagged for mandatory risk control, and acceptable risks include an AFAP notation where no controls were applied.