Manufacturers of medical devices must define criteria for risk acceptance. This is often done on two levels:

  1. In the risk policy (see ISO 14971, Chapter 4.2)
  2. In the risk management plan (see ISO 14971, Chapter 4.4)

Risk policy

In the risk policy, manufacturers define (across all products) how they proceed to determine the (product-specific) criteria for risk acceptance.


  • No device may lead to risks with a catastrophic severity of harm (e.g., death). (This could result in manufacturers being unable to place specific devices on the market.)
  • The risks must be minimized as far as possible for each device. Economic considerations must not play a role in risk minimization. (Both are already required by regulation.)
  • Risks that do not lead to measurable harm are generally acceptable unless this is not in line with the state of the art (e.g., a small delay in a diagnosis that is not critical in terms of time).

Manufacturers can express their risk policy in a separate document or as part of a standard operating procedure.

Risk acceptance

Manufacturers must determine the risk acceptance criteria for each device. This is usually done in the form of a risk acceptance matrix.

Further information

The criteria for risk acceptance must meet the requirements of the risk policy.

Probability of software defects

The probability of software defects is difficult to estimate. It’s so difficult that the “old” DIN EN IEC 62304:2006 wrote: “However, there is no agreement on how to determine the probability of the occurrence of software failures using traditional statistical methods.” The standard concluded that “the probability of such a malfunction must be assumed to…


Periodic Safety Update Report (PSUR) and Post-Market Surveillance report (PMS report)

The MDR and IVDR require either a “Post-Market Surveillance Report” or a “Periodic Safety Update Report” from medical device manufacturers. The Periodic Safety Update Report is abbreviated as “PSUR”, the Post-Market Surveillance reports as “PMS report”.

PSUR and PMS report: Regulatory background and objectives

The European Commission has significantly increased the requirements for monitoring devices…