Is AAMI SW96 replacing TIR57?

ANSI/AAMI SW96:2023 is the normative consensus standard and is now FDA-recognized; AAMI TIR57 is a Technical Information Report that remains available but is superseded as the primary reference for new FDA submissions.

Can a manufacturer still cite TIR57 in an FDA submission?

Yes. The FDA continues to accept TIR57-based risk management files, but the 2026 premarket guidance points reviewers at SW96 as the current consensus standard, so new programs should align to SW96.

Does SW96 replace ISO 14971?

No. SW96 is a cybersecurity-specific overlay on ISO 14971's general risk-management framework; both are used together.

AAMI SW96 vs TIR57

Side-by-side comparison of the two AAMI medical device cybersecurity risk-management documents most often cited in FDA submissions.

Dimension	ANSI/AAMI SW96:2023	AAMI TIR57:2016/(R)2019
Document type	ANSI/AAMI consensus standard (normative).	AAMI Technical Information Report (informative).
Published	2023 (ANSI/AAMI SW96:2023).	2016, reaffirmed 2019 (AAMI TIR57:2016/(R)2019).
FDA recognition	Recognized consensus standard (FDA Recognition #5-148).	Cited in 2014 and 2018 FDA premarket guidance; superseded as the primary reference in the 2026 final guidance.
Risk-management framework	Aligns to ISO 14971 but adds a parallel cybersecurity risk process with explicit threat-modeling and exploitability inputs.	Adapts ISO 14971 vocabulary to security; introduces the security risk-management file concept.
Threat modeling	Required activity with explicit linkage to risk register entries.	Recommended; methodology left to the manufacturer.
Use today	Preferred reference for new submissions under the FDA 2026 guidance.	Still acceptable; many legacy quality systems and risk files reference it.
Relationship	Builds on TIR57 and supersedes it as the consensus standard.	Conceptual ancestor of SW96; remains a useful tutorial reference.

When to use which

For any new FDA premarket submission planned under the Cybersecurity in Medical Devices final guidance (effective February 3, 2026), build the cybersecurity risk-management file against ANSI/AAMI SW96:2023. Map every threat in the threat model to a SW96 risk register entry and to a verification or mitigation artifact in the submission package.

Programs with mature, audited risk files written against AAMI TIR57 do not need to be rebuilt from scratch. Maintain TIR57 traceability and add a SW96 conformance overlay that demonstrates equivalence to reviewers - Blue Goat Cyber routinely produces this crosswalk as part of a deficiency-letter response.

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services

AAMI SW96 vs TIR57

When to use which

Related

Get FDA cleared without the cybersecurity headaches.