---
title: The ISO 14971 Annex Z Trap: Why the Global Version Is Not Enough
description: ISO 14971 Annex Z MDR risk reduction: why the global ISO version does not satisfy MDR, and what AFAP means in practice for EU manufacturers.
authors: Tibor Zechmeister, Felix Lenhard
category: Risk Management Under MDR
primary_keyword: ISO 14971 Annex Z MDR risk reduction
canonical_url: https://zechmeister-solutions.com/en/blog/iso-14971-annex-z-trap
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# The ISO 14971 Annex Z Trap: Why the Global Version Is Not Enough

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **The global ISO 14971:2019 and the European EN ISO 14971:2019+A11:2021 are not the same document. The EN version contains Annex Z, which maps the standard's clauses to the MDR General Safety and Performance Requirements and flags where the standard alone does not fully satisfy MDR — most notably around the MDR's "as far as possible" risk reduction principle. Using the global ISO text alone is a common and costly trap for EU manufacturers.**


## TL;DR
- EN ISO 14971:2019+A11:2021 is the harmonised European version of the standard. Its Annex Z (ZA for MDR) is the component that maps the standard to specific MDR GSPRs.
- The global ISO 14971:2019 does not include Annex Z. Buying it alone leaves a regulatory gap.
- MDR Annex I §1, §3, and §8 require risk reduction "as far as possible" (AFAP) without imposing a cost-benefit limit on safety.
- This differs from frameworks that use "as low as reasonably practicable" (ALARP), where cost and proportionality are explicit limiting factors.
- Annex Z flags the AFAP tension: ISO 14971's risk-benefit language is not a one-to-one match with MDR's AFAP language, and the standard alone cannot be used to justify residual risk that could technically be reduced further.
- Practically: if a risk can be reduced further by a technically feasible control that does not unacceptably worsen the benefit-risk ratio, the MDR requires the reduction. Cost alone is not a defence.
- Use the EN version. Read Annex Z. Document AFAP decisions explicitly.

## Why this matters

A founder we worked with had spent €400 on an ISO 14971:2019 PDF from a national standards reseller. The document was legitimate, current, and useless — it was the global ISO version. Her risk management file cited "ISO 14971:2019" throughout. At the notified body's stage 1 review, the reviewer asked where Annex Z was. There was no Annex Z to show. The finding was not fatal, but it triggered a full rework of the risk management file to explicitly address the MDR GSPRs and to re-examine several residual risks against the AFAP principle rather than the standard's benefit-risk framing.

The cost of the mistake was three weeks of rework and one delayed milestone. The cost of avoiding it would have been buying the right document: EN ISO 14971:2019+A11:2021.

This is the trap. The global standard and the EN version share most of their text. The difference lives in a small annex at the back — and that annex is the only part that tells you, in writing, where the standard is not enough on its own.

## What MDR actually says

**MDR Annex I** sets out the General Safety and Performance Requirements. Three sections are load-bearing for risk management:

- **§1** requires that devices achieve the performance intended by their manufacturer and be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose. They shall be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons.
- **§3** requires manufacturers to establish, implement, document, and maintain a risk management system and sets out the sequence of risk management activities — identification, estimation, evaluation, control, and monitoring.
- **§8** sets out the risk control priority: eliminate or reduce risks as far as possible through safe design and manufacture; take adequate protection measures where risks cannot be eliminated; provide information for safety. It also addresses training where relevant.

The critical phrase is in §8: *as far as possible*. This is the MDR's own language, and it is stricter than comparable frameworks. The MDR does not say "as low as reasonably practicable." It does not invite a cost-benefit trade-off at the level of individual risk controls. It says: reduce as far as possible, bounded by the need to maintain an acceptable benefit-risk ratio.

**EN ISO 14971:2019+A11:2021** is the European harmonised version of the international risk management standard. The +A11:2021 is a European amendment. The standard includes **Annex ZA** (mapping to MDR), **Annex ZB** (mapping to IVDR), and **Annex ZC** (mapping to the Active Implantable Medical Devices Directive in legacy contexts). These annexes are not in the global ISO 14971:2019 published by ISO directly.

Annex ZA is the part that matters for MDR work. It walks through the MDR GSPRs and states, clause by clause, whether ISO 14971 fully covers them, partially covers them, or does not cover them. The most important entries are the ones flagged as partial coverage — specifically around the MDR's AFAP principle and the use of economic considerations in risk acceptability.

The standard's core body talks about risk acceptability with a benefit-risk overall evaluation. The MDR, via §8, requires that individual risks be reduced as far as possible before the benefit-risk trade-off is considered at the whole-device level. Annex ZA makes this tension explicit so that a manufacturer using the standard cannot inadvertently rely on the standard's broader framing to justify a residual risk that MDR would require them to reduce further.

## A worked example

A Class IIb electromechanical device has a residual risk from a sharp edge on an internal component. A risk control option exists: replace the component with a rounded version. The rounded component costs €8 more per unit and adds two weeks to a supplier qualification activity. The current residual risk is classified as "acceptable" against the manufacturer's risk acceptability criteria, which follow ISO 14971's framing.

Under a pure cost-benefit framing, the manufacturer might argue the additional control is not justified — the cost is real, the residual risk is already "acceptable," and the benefit-risk analysis for the device as a whole remains positive.

Under MDR Annex I §8, that argument is weaker. The AFAP principle requires reduction *as far as possible*. The €8 unit cost is a commercial consideration, not a technical impossibility. The two-week qualification delay is a schedule consideration, not a technical impossibility. Unless the rounded component introduces a new and materially worse risk (for example, a new biocompatibility concern from a different material), or unacceptably degrades the device's clinical benefit, the MDR position is that the control should be implemented.

Annex ZA of EN ISO 14971:2019+A11:2021 is what flags this explicitly to the user of the standard. Without Annex ZA, a manufacturer reading the global ISO text alone might never see the tension until a notified body reviewer points it out — usually in the worst possible venue, a stage 2 audit.

The worked decision record in the risk management file should read: "Residual risk from sharp edge. Control option: rounded component. Technical feasibility: yes. Benefit-risk impact: neutral. AFAP decision under MDR Annex I §8: control implemented. Rationale documented." That is what AFAP in practice looks like.

## The Subtract to Ship playbook

**Step 1. Buy the right document.** EN ISO 14971:2019+A11:2021 from a recognised European standards body (Austrian Standards, DIN, BSI, AFNOR, and similar national bodies). Do not buy the global ISO 14971:2019 alone unless you are also operating outside the EU and have a specific reason. If you already have the global version, you need to add the EN version — the two are not interchangeable for EU conformity.

**Step 2. Read Annex ZA first.** Before you touch the core body of the standard, read Annex ZA cover to cover. It is short. It tells you exactly which GSPRs the standard fully covers, partially covers, or leaves to the manufacturer. Your risk management plan should reference Annex ZA explicitly.

**Step 3. Make AFAP explicit in the risk management plan.** The plan should include a section that states the MDR §8 AFAP obligation and how the team will apply it when evaluating risk controls. Cite Annex Z.

**Step 4. Add an AFAP column to the risk control decision record.** For every residual risk, the record should show: identified risk, control options considered, technical feasibility of each, benefit-risk impact of each, AFAP decision, rationale. The AFAP field forces the team to write down why a further control was not implemented, and cost alone cannot be the answer.

**Step 5. Train the team.** AFAP is not intuitive for engineers who come from ALARP jurisdictions or cost-benefit cultures. A one-hour internal training session with worked examples is enough. Record the training as a competence record under EN ISO 13485 clause 6.2.

**Step 6. Review the file against GSPRs, not just against the standard.** The final review of the risk management file should explicitly check each decision against MDR Annex I, not just against ISO 14971. This is what Annex ZA exists to enable.

**What not to do.** Do not assume that every document labelled "ISO 14971:2019" is the same document. The global and EN versions share that base number but diverge in their annexes, and that divergence is the entire point. Do not cite "ISO 14971:2019" in your risk management file if you are placing the device on the EU market; cite EN ISO 14971:2019+A11:2021 instead.

## Reality Check

1. Does your risk management file cite EN ISO 14971:2019+A11:2021, or the global ISO 14971:2019?
2. Have you read Annex ZA of the EN version?
3. Does your risk management plan reference the MDR Annex I §8 AFAP principle by name?
4. For your top five residual risks, can you show a written record of which further controls were considered and why they were not implemented?
5. Is the word "cost" anywhere in those rationales? If yes, does it stand alone, or is it paired with a technical-feasibility or benefit-impact reason?
6. Would your team recognise the difference between AFAP and ALARP if an auditor asked?
7. Does your competence matrix include AFAP training for the risk management team?
8. If your notified body asked to see where your standard mapping to MDR GSPRs lives, could you point to it within thirty seconds?

## Frequently Asked Questions

**Is ISO 14971:2019 a harmonised standard under MDR?**
The harmonised version is EN ISO 14971:2019+A11:2021. The harmonisation status of standards changes — check the current Official Journal listing before relying on presumption of conformity.

**Can I use the global ISO 14971:2019 at all?**
For markets outside the EU, yes. For EU conformity under MDR, you need the EN version with Annex Z. If you operate in multiple markets, you need both, but you must not substitute one for the other in the MDR file.

**What is the difference between AFAP and ALARP?**
AFAP ("as far as possible") is the MDR's formulation — reduce risks as far as possible without unacceptably degrading the benefit-risk ratio; cost alone is not a limiting factor. ALARP ("as low as reasonably practicable") is used in some other safety frameworks and explicitly allows cost and proportionality to limit the reduction. They are not interchangeable.

**Does AFAP mean we have to eliminate every risk?**
No. AFAP is bounded by technical feasibility and by the need to maintain an acceptable benefit-risk ratio for the device as a whole. If a further control would break the device's intended purpose or introduce worse risks, it is not "possible" in the AFAP sense.

**Where do I actually buy EN ISO 14971:2019+A11:2021?**
From any CEN member national standards body: Austrian Standards (A.S.I.), DIN (Germany), BSI (UK), AFNOR (France), NEN (Netherlands), and others. Cost is typically in the low hundreds of euros.

**Does Annex Z change what I have to do, or just where it is written down?**
Both. Annex Z changes where the GSPR mapping is written down (it gives you the map explicitly), and it also makes certain MDR-specific expectations visible — particularly around AFAP — that a reader of the global standard alone might not recognise. The obligation comes from MDR; Annex Z is how the standard admits it.

## Related reading
- [MDR Annex I GSPRs explained](/blog/mdr-annex-i-gspr) — the General Safety and Performance Requirements that Annex Z maps to.
- [Harmonised standards under MDR: complete list 2026](/blog/harmonized-standards-under-mdr-complete-list-2026) — where EN ISO 14971:2019+A11:2021 sits in the current harmonised landscape.
- [Benefit-risk analysis in technical documentation](/blog/benefit-risk-analysis-technical-documentation) — the document the AFAP decisions feed into.
- [How to use harmonised standards to demonstrate MDR compliance](/blog/how-to-use-harmonized-standards-demonstrate-mdr-compliance) — the presumption of conformity mechanism.
- [State-of-the-art principle under MDR](/blog/state-of-the-art-principle-mdr-design-decisions) — the neighbouring principle that shapes what "possible" means in practice.

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Annex I §1, §3, §8.
2. EN ISO 14971:2019+A11:2021 — Medical devices — Application of risk management to medical devices. Annex ZA (relationship with MDR).
3. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 6.2 (competence).

---

*This post is part of the [Risk Management Under MDR](https://zechmeister-solutions.com/en/blog/category/risk-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
