Comparison guide
ISO 14971 vs AAMI SW96
They are not competing standards. SW96 is the cybersecurity overlay on ISO 14971's safety risk-management framework.
Side-by-side breakdown
| Dimension | ISO 14971 | ANSI/AAMI SW96 |
|---|---|---|
| Scope | Safety risk management for medical devices. | Cybersecurity risk management for medical devices. |
| Current edition | ISO 14971:2019 (with A11:2021 for EU MDR). | ANSI/AAMI SW96:2023. |
| Status | Foundational - cited in every medical device regulation. | FDA-recognized consensus standard for cybersecurity risk. |
| Risk inputs | Hazards, hazardous situations, harm. | Threats, vulnerabilities, exploitability, patient impact. |
| Risk file | One safety risk file (RMF). | Parallel security risk file linked to the safety RMF. |
| Acceptability | Risk acceptability defined by manufacturer's policy. | Cybersecurity risk acceptability mapped to patient harm; exploitability is a multiplier, not the whole story. |
| Used together | Every cyber device needs both - SW96 outputs feed into the 14971 RMF for any threat that can cause patient harm. | Designed as an overlay; SW96 explicitly references 14971. |
When to use which
Build one safety RMF under ISO 14971 and one security risk file under SW96. Document the bridge: every SW96 threat with a non-zero patient-harm pathway must have a corresponding entry in the 14971 RMF.
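One way to check that bridge automatically, as an added example that is not part of the original guide or of either standard: the script flags every threat marked with a patient-harm pathway that has no resolvable entry in the safety RMF, plus references that point at RMF entries that do not exist. The CSV layout, column names and all IDs are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports; column names and IDs are assumptions, not a standard format.
SECURITY_FILE = """threat_id,description,patient_harm,rmf_refs
T-001,Unauthenticated command alters dose,yes,HZ-012
T-002,Log tampering hides audit trail,no,
T-003,Firmware downgrade disables alarm,yes,
T-004,Replayed telemetry corrupts trend display,yes,HZ-099
"""
SAFETY_RMF = """hazard_id,hazardous_situation
HZ-012,Over-delivery of therapy
HZ-020,Alarm not annunciated
"""


def load(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def check_bridge(threats, hazards):
    """Return (threat_id, problem) tuples for every gap in the bridge."""
    known = {h["hazard_id"] for h in hazards}
    findings = []
    for t in threats:
        # Multiple RMF references are separated by ';' (assumed convention).
        refs = [r.strip() for r in (t["rmf_refs"] or "").split(";") if r.strip()]
        for r in refs:
            if r not in known:
                findings.append((t["threat_id"], f"dangling reference {r}"))
        harm = t["patient_harm"].strip().lower() == "yes"
        # A dangling reference does not count as a bridge entry.
        if harm and not any(r in known for r in refs):
            findings.append((t["threat_id"], "patient-harm pathway without RMF entry"))
    return findings


if __name__ == "__main__":
    for threat_id, problem in check_bridge(load(SECURITY_FILE), load(SAFETY_RMF)):
        print(f"{threat_id}: {problem}")
```

Run against exports of both risk files as a release gate, so a threat added to the security file cannot ship without its safety RMF counterpart.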
Do not delete legacy AAMI TIR57 traceability. The FDA accepts an SW96 overlay that demonstrates equivalence - rebuilding from scratch is rarely worth the cost.