All terms
    Quality & RiskQuality System

    Risk Acceptability Matrix

    Pre-defined matrix mapping severity × probability combinations to acceptable, ALARP, or unacceptable risk.

    Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026

    Definition

    Required by ISO 14971, the risk acceptability matrix is the manufacturer's policy on how risk levels translate into action. It must be defined before risk evaluation and applied consistently across the risk management file.
    What the regulation says
    Under ISO 14971:2019, specifically clause 4.2 and 6.4, manufacturers must establish criteria for risk acceptability, which often takes the form of a risk acceptability matrix. This matrix defines when a risk is considered acceptable without further mitigation, or when additional risk control measures are required. The criteria must be defined based on the manufacturer's policy for determining acceptable risk before risk evaluation, as outlined in ISO 14971:2019 clause 4.2.

    What this means in practice

    Notified Bodies frequently challenge inconsistent or unjustified matrices; aligning to ISO/TR 24971 examples is a defensible starting point.

    Examples

    • A manufacturer defines a 3x3 risk matrix where risks with "medium" probability and "moderate" severity are deemed "acceptable with review," prompting further analysis.
    • During design control, a risk of software malfunction is assessed using the established risk acceptability matrix, leading to a decision that additional software testing is required to reduce the risk level.
    • A Notified Body auditor reviews the risk management file and cross-references the risk acceptability matrix with the residual risk evaluations to confirm consistency and adherence to the manufacturer's policy.
    Common pitfalls
    • Failing to define the risk acceptability matrix before conducting risk evaluation can lead to biased assessments and non-compliance with ISO 14971.
    • Inconsistently applying the risk acceptability criteria across different hazards or use scenarios will result in a non-compliant risk management file.
    • Defining overly aggressive or overly conservative risk acceptability criteria without justification can lead to regulatory scrutiny or an unmarketable device.
    • Not documenting the rationale for the chosen risk acceptability criteria is a common audit finding.
    • Using a generic risk matrix without tailoring it to the specific device and its intended use is a significant oversight.

    Frequently asked questions

    The primary purpose is to provide a consistent framework for determining whether identified risks are acceptable or if further risk reduction is necessary, aligning with the manufacturer's risk management policy.
    Shared paths + category

    Latest in MedTech

    Primary references

    3 sources
    Link health: 3 verified· last checked 2026-06-20
    ISO·1AAMI·1MDIC·1
    1. 1
      ISO 14971
      Verified
      ISOiso.org
    2. 2
      AAMI - Quality Systems Resources
      Verified
      AAMIaami.org
    3. 3
      MDIC Case for Quality
      Verified
      MDICmdic.org

    Inline markers like [1] jump to the matching reference above.