All terms
Quality & RiskQuality System
Risk Acceptability Matrix
Pre-defined matrix mapping severity × probability combinations to acceptable, ALARP, or unacceptable risk.
Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026
Definition
Required by ISO 14971, the risk acceptability matrix is the manufacturer's policy on how risk levels translate into action. It must be defined before risk evaluation and applied consistently across the risk management file. What the regulation says
Under ISO 14971:2019, specifically clause 4.2 and 6.4, manufacturers must establish criteria for risk acceptability, which often takes the form of a risk acceptability matrix. This matrix defines when a risk is considered acceptable without further mitigation, or when additional risk control measures are required. The criteria must be defined based on the manufacturer's policy for determining acceptable risk before risk evaluation, as outlined in ISO 14971:2019 clause 4.2.What this means in practice
Notified Bodies frequently challenge inconsistent or unjustified matrices; aligning to ISO/TR 24971 examples is a defensible starting point.Examples
- A manufacturer defines a 3x3 risk matrix where risks with "medium" probability and "moderate" severity are deemed "acceptable with review," prompting further analysis.
- During design control, a risk of software malfunction is assessed using the established risk acceptability matrix, leading to a decision that additional software testing is required to reduce the risk level.
- A Notified Body auditor reviews the risk management file and cross-references the risk acceptability matrix with the residual risk evaluations to confirm consistency and adherence to the manufacturer's policy.
Common pitfalls
- •Failing to define the risk acceptability matrix before conducting risk evaluation can lead to biased assessments and non-compliance with ISO 14971.
- •Inconsistently applying the risk acceptability criteria across different hazards or use scenarios will result in a non-compliant risk management file.
- •Defining overly aggressive or overly conservative risk acceptability criteria without justification can lead to regulatory scrutiny or an unmarketable device.
- •Not documenting the rationale for the chosen risk acceptability criteria is a common audit finding.
- •Using a generic risk matrix without tailoring it to the specific device and its intended use is a significant oversight.
Frequently asked questions
The primary purpose is to provide a consistent framework for determining whether identified risks are acceptable or if further risk reduction is necessary, aligning with the manufacturer's risk management policy.
Related terms
Shared paths + categoryStandards
ISO 14971
International standard for the application of risk management to medical devices.
Risk & Usability Deep Dive
Quality & Risk
Risk Management File(RMF)
Set of records and outputs from the ISO 14971 risk management process.
Risk & Usability Deep Dive · adjacent
Standards
IEC 62366-1
Application of usability engineering to medical devices.
Risk & Usability Deep Dive · adjacent
Quality & Risk
Summative vs. Formative Evaluation
Iterative usability studies (formative) vs. final validation testing (summative) of a device's user interface.
Risk & Usability Deep Dive
Quality & Risk
Use Specification
Defined description of intended users, uses, use environments, and patient populations for a device.
Risk & Usability Deep Dive
Clinical & Trials
Human Factors Engineering(HFE)
Engineering discipline focused on safe and effective device use by intended users.
Risk & Usability Deep Dive
Latest in MedTech
Primary references
3 sourcesLink health: 3 verified· last checked 2026-06-20
ISO·1AAMI·1MDIC·1
- 1ISO 14971VerifiedISOiso.org
- 2AAMI - Quality Systems ResourcesVerifiedAAMIaami.org
- 3MDIC Case for QualityVerifiedMDICmdic.org
Inline markers like [1] jump to the matching reference above.