Introduction

FAQs on IEC , Rev. 2.1, status

An increasing number of medical devices, for example medical imaging devices, are designed to exchange electronic information with other devices, including other medical devices. This normally happens by using a hospital's information technology network (hospital IT network), which is also used to transport general IT data. Today there are only a few standards that address incorporating medical devices into hospital IT networks. To properly assess the functionality of the IT network, the incorporation of both medical devices and non-medical devices into the network must be considered. In order to avoid unnecessary risks during the use of the hospital IT network, a risk management process should be performed prior to any change of the hospital IT network infrastructure. A way of performing this risk management process is described in the forthcoming international Standard IEC (Application of Risk Management for IT-networks). After publication, a review and update will take place.

In order to provide replies to frequently asked questions on the content and the application of IEC , the German trade association ZVEI and the German national Standardization Organization DKE established an expert working group. These replies are provided on the website of ZVEI, DKE and VHITG, along with a link to send further questions to the expert working group. For details, refer to paragraph .

1. Goal, Objective of the IEC Standard

1.1 Philosophy

(1.1.1) How does the new Standard impact a hospital?
The Standard describes how a hospital can reduce potential risks for patients, users and third parties when integrating medical devices into its IT-network.

1.2 Benefits

(1.2.1) Which information in the Standard is new for a hospital? How can a hospital benefit from that Standard?
By applying the Standard the hospital increases the transparency of its IT network, which, due to the incorporation of medical devices, becomes a medical IT network.
The standard describes a lifecycle-model for a medical IT-network supporting early detection and reduction of potential risks when incorporating medical devices. That is why the implementation of the Standard substantially contributes to safer operation of the medical IT network throughout the complete lifetime of the IT network and its connected medical devices.
1.3 Relationship to other Standards

(1.3.1) Who is addressed by IEC ?
IEC as of today is primarily intended for hospitals (responsible organizations), but also includes in its risk management process medical device manufacturers and suppliers of IT products.
Note: The term "IT products" is not limited to hardware. It can also include software solutions used in the healthcare sector, whether or not such a software solution is a medical device.

(1.3.2) Which law requires compliance with IEC ?
None. Application of Standards is always voluntary. Consequently, there is no legal obligation to apply IEC .

(1.3.3) Do manufacturers of medical devices have to comply with IEC before placing their devices on the market?
No. IEC is not addressed to manufacturers of medical devices, but to organizations maintaining a medical IT network. IEC presumes that medical devices that are to be integrated into the IT-network have been placed on the market correctly.

(1.3.4) What are the main goals of IEC ?
IEC provides support on how the key properties of a medical IT network can be ensured in order to enable the healthcare service provider to deliver a reliable health service. These key properties are:
- Safety (for patients, users and other persons)
- Effectiveness of medical processes
- Data and system security

(1.3.5) Why has IEC been defined as a pure Process-Standard?
To enable the application of IEC for a variety of healthcare service providers using different communication technologies, the International Electrotechnical Commission (IEC) decided to choose a process approach. According to the IEC, the process approach permits the Standard to remain meaningful over a longer timeframe (e.g., 5 years) without need for change.

(1.3.6) Are any other documents required in addition to IEC ?
Generally speaking, IEC can be applied without any further documents.
There are several supporting documents currently being developed, such as checklists and guidelines intended to assist in implementing IEC in a particular environment or when using specific technologies.

(1.3.7) What is the relationship between IEC and IEC/EN :2005?
IEC is primarily addressed to medical IT networks and responsible organizations. IEC/EN :2005 is addressed to manufacturers of medical electrical equipment and is listed under the EU medical device directive 93/42/EEC. By complying with the requirements of chapter of IEC/EN :2005, a manufacturer of medical electrical equipment can implicitly comply with the requirements of IEC (see paragraph 3.5).
2. Scope and Range of Application

(2.0.1) What is the purpose of IEC ?
The purpose of IEC is to define the roles, responsibilities and activities that are necessary for risk management of IT-networks incorporating medical devices to address safety, effectiveness and data security.

(2.0.2) Who should apply IEC ?
IEC is addressed to partners who want to sign a responsibility agreement (see also chapter 5 for more detailed information).

2.1 Terms used (healthcare delivery organization, manufacturer, IT-responsible, medical device, medical IT-network, IT-products)

(2.1.1) What is the responsibility of the healthcare facility management?
According to IEC , the top management of the healthcare facility establishes a risk management process, sets the goals for that process via a risk management policy and ensures their control. The management shall assign a responsible person as Medical IT Risk Manager.

(2.1.2) What are the tasks of the Medical IT Network Risk Manager?
The Medical IT Risk Manager brings together a team of employees from the departments of medical technology, hospital IT and users of medical and IT devices. This team coordinates, controls and drives all measures necessary to apply IEC . This includes the generation of the risk management policy, and of processes and procedures based on the policy, including all risk management documents. The Medical IT Risk Manager defines, in coordination with organization management, the risk management process of the hospital for those networks that incorporate medical devices. The Medical IT Risk Manager is responsible for the description and the implementation of safety measures, data and system security, and for the complete documentation and the execution of the risk analysis for the medical IT network that incorporates medical devices. (Note: Not all actions need to be performed directly by the risk manager; however, he or she must ensure that the process functions satisfactorily.)
The Medical IT Network Risk Manager is responsible for:
- the management of the risk management process
- reporting on the risk management process to the hospital facility management
- managing the communications between all parties involved in the medical IT network

2.2 Roles and Responsibilities

(2.1.3) Does the hospital have to hire more personnel?
The IT Risk Manager role can be assigned to either an internal or an external person. This does not automatically require the creation of new positions.

(2.1.4) Are any specific qualifications required for the Medical IT Risk Manager?
The Medical IT Risk Manager should at a minimum have some knowledge or experience related to medical technology and IT networks. They should enhance their qualifications with knowledge of risk management, medical regulations, etc. An excellent understanding of IEC , current medical device legislation, current data security legislation and IT knowledge are strongly recommended.
2.3 Responsibility Agreement

The responsibility agreement is to be limited to those departments where it is permitted to transfer or to delegate responsibilities. The content has to be agreed upon case by case and should be reviewed and approved by the legal advisers of the organizations concerned.

3. Potential Consequences of the Standard for responsible organisations, operators, manufacturers, IT-responsibles

(3.1) What additional tasks will be required for healthcare delivery organizations?
When a healthcare delivery organization decides to bring a medical IT-network under IEC control, the organization creates and applies a risk management process. This includes planning the incorporation of medical devices (hardware and/or software), but also taking into account changes to the network, including the evaluation of the impact of any changes on the medical devices and systems.

(3.2) When and how should the responsible organization apply the Standard?
The Standard should be applied over the complete lifecycle of an IT network incorporating medical devices. This means that every potentially relevant/significant change within the medical IT network has to be considered, at least initially. This includes changes to the network infrastructure, as well as to other IT components (such as client-server solutions, middleware, printers, etc.).

(3.3) Does the Standard cause increased costs for healthcare delivery organizations either initially or over time?
For many organizations, increasing the quality of risk management in medical IT-networks may increase cost. The structured approach of the Standard should improve the predictability of costs and reduce potentially damaging events. Costs are likely to be highest in the initial implementation phase.

(3.4) What advantages does adopting the Standard give to healthcare delivery organizations?
Applying the Standard can reduce the number and severity of disruptions and improve the security and effectiveness of IT networks incorporating medical devices. These improvements will contribute positively to the costs and, as such, balance out any added initial costs. It is furthermore expected that improved safety, effectiveness and security will lead to fewer interruptions and better workflow and thus have a positive impact on health outcomes and operational effectiveness. The hospital improves control over the network and the connected medical devices in order to ensure safety, data security and effectiveness. The documentation required for this may, in case of dispute, help to refute the accusation of wanton negligence when operating medical devices in IT networks without the necessary security measures.

(3.5) How does the Standard affect a medical device that is already placed on the market and part of a network?
By applying IEC , potential disturbance to an IT network by medical devices that are already part of that network may be reduced, because they are planned for in advance. In addition, the connected medical device(s) may exchange data more reliably via the IT network.
(3.6) Can any tasks be delegated or outsourced by the healthcare delivery organization?
Generally, all tasks can be delegated. When selecting the service provider, the required competencies have to be evaluated carefully. Responsibilities, on the other hand, cannot be delegated.

(3.7) Should any tasks not be delegated by the responsible organization?
The evaluation and the approval or rejection of residual risks should not be delegated by the responsible organization.

(3.8) Are there any kinds of network that IEC does not apply to?
IEC does not apply to a network which only serves personal needs or which is not connected to a medical IT network or a medical device. The Standard also does not apply to closed networks containing medical devices of a single manufacturer (see closed network Class C according to Annex H of IEC :2005).

(3.9) Who supports healthcare delivery organizations when implementing the Standard?
The suppliers and manufacturers participating in the incorporation of medical devices into IT networks can offer any needed support, in addition to the services that specialized consultants can offer. Another potentially helpful tool for a healthcare delivery organization could be a guided integration into the network of the healthcare delivery organization, offered by the manufacturer of the medical device. In this way, it might be easier for the healthcare delivery organization to apply IEC .

(3.10) What are the benefits for the healthcare delivery organization when implementing the Standard?
The application of IEC is voluntary. However, the healthcare delivery organization obtains transparency about its IT network and the connected medical devices to improve network security, data security and effective functional operations. The documentation required for this may, in case of dispute, help to obtain legal certainty when operating medical devices in IT networks without the necessary security measures.
Manufacturer

(3.11) How can manufacturers of medical devices contribute to the implementation of IEC ?
In close cooperation with the healthcare delivery organizations and others involved in the planning and implementation of IT-networks, manufacturers must provide the information necessary for the safe incorporation of their medical devices into networks, as required by the medical device legislation. Additionally, manufacturers can support the healthcare delivery organization when integrating medical devices (see paragraph 3.9).

(3.12) Is there anything that can't be provided by medical device manufacturers?
Medical device manufacturers cannot take over the responsibility for the safe operation of the healthcare organization's IT network. They are unlikely to render for free those services requested by the healthcare delivery organization that exceed the existing handing over of information necessary for safe incorporation. In general, they would not take over any task of the risk management as described in the Standard without being explicitly empowered for that task by the healthcare delivery organization.
(3.13) Does the Standard impact medical device approvals?
No, the Standard has no impact on medical device approvals. Placing medical devices on the market is only permitted after having obtained the necessary approval for that particular market. One prerequisite (e.g. in the EU, USA, etc.) is to also document compliance with the applicable safety Standards. The approval is limited to the intended use of the medical device as determined by the manufacturer. This may include the incorporation into IT networks. Therefore, an additional approval of the medical devices for this or after this integration into an IT network is not needed.

(3.14) Which information must be provided by the medical device manufacturer to the responsible organization?
According to the current medical device legislation, manufacturers must make available all information which could impact the safe application of a medical device within a network. This means that they already supply the information the healthcare delivery organization needs to know for the planning and the realization of the IT network incorporating this medical device. They may choose to organize this differently for
The relevant information includes:
- the intended use of the medical device, the performance criteria and the necessary configuration of the IT-network (in case there are restrictions)
- the technical specification of the network interface of the medical device (if required)
- the required information exchange between medical devices, the IT network and other IT products

When medical devices are incorporated into IT networks, manufacturers must provide the necessary information about potential risks of these medical devices to the healthcare delivery organization (see IEC :2005, chapter 14.13).

(3.15) Are manufacturers obliged to share confidential information?
Information necessary for the incorporation into an IT network may be needed for the safe use of the medical device.
Such information should not be regarded as company confidential and should be made available to the healthcare delivery organization. If company confidential information is ever needed (e.g. when testing the clinical network integration of a new medical device), a respective Non-Disclosure Agreement can be signed.

(3.16) Does any liaison exist with other (IT) Standards?
IEC is a process-standard for a systematic assessment prior to changing an existing medical IT network (adding or removing a component or a medical device). It requires a defined change and risk management process. IEC refers to IT Standards for data communication. As of today, there is no comparable Standard for risk management of IT networks incorporating medical devices. Single paragraphs of the following Standards provide statements on specific network aspects:
a. IEC :2005: information of manufacturers of medical electrical equipment with regard to ME equipment in IT networks
b. ISO :2005: planning, design and maintenance of an IT-network
c. ISO 27001:2005: Information technology - Security techniques - Information security management systems - Requirements
d. ISO 14971:2007: Risk management for medical devices
e. ISO 13485: Manufacturing of medical devices

(3.17) How are medical device manufacturers required to contribute?
Manufacturers of medical devices whose devices will be intentionally integrated into a medical IT network must make available all information necessary to ensure the intended and safe use of these medical devices within the IT network. According to IEC , additional information is expected for the generation of the risk management file of their medical devices.
IT Responsibles from Healthcare Delivery Organizations, Manufacturers and Vendors

(3.18) What are the required tasks of IT manufacturers and IT-vendors?
They should cooperate closely with the healthcare delivery organizations and other parties involved in the planning and the implementation of the IT network. Manufacturers of IT devices (e.g. switches, PCs, virus protection, etc.) should make available all information relevant to enable their devices to contribute to the safe and effective operation of the medical (IT) network.

(3.19) What information must be provided by IT manufacturers?
- Technical information
- Product configuration
- Incompatibilities
- Operating conditions
- Product-related corrective measures
- Safety information

(3.20) What are the minimum requirements or approvals that must be met by IT devices?
The IT components and IT devices shall comply with the current legal requirements, e.g. the general product safety act. In combination with medical electrical equipment, the applicable requirements of IEC also have to be taken into account. To ensure safety, effectiveness and data and system security, it is necessary to carefully examine within the risk management process the suitability of the IT devices in medical environments.

4. Standard Content

4.1 Set-Up and Structure of the Standard

(4.1.1) When must the risk management process be applied?
The risk management process must be applied throughout the complete lifecycle of the IT network. The Standard illustrates the complete lifecycle of the IT network or single components from planning through putting into service up to taking out of service.

(4.1.2) What are the benefits of the risk management process of the Standard?
The risk management process can identify potential hazards, pro-actively estimate and evaluate related risks and control the efficiency of containment measures. This facilitates the handling and safe containment of residual risks, which should result in time- and cost-savings.
(4.1.3) How can the responsible organization apply the Standard?
When implementing the Standard, the healthcare delivery organisation shall:
- set up rules for risk management concerning the incorporation of medical devices into IT networks and put in place a continuous risk management process
- allocate necessary resources and assign a risk manager for the IT network
- implement the results of the risk management activities via evident and sustainable measures and regularly review the implementation
4.2 Change Management

(4.2.1) What is change management?
Change management is the structured management of changes. Change management ensures that changes only take place after being tested and released, and that disruptions to users are minimized.

4.3 Risk Management

(4.3.1) How can risks be managed?
By testing, evaluating and taking decisions, risks become controllable, meaning unacceptable risks can be avoided. One basis for this is in the principles of safety integration. Further information is available from ISO 14971: Risk management for medical devices.

(4.3.2) Do any additional duties result for the responsible organization from monitoring network events?
From monitoring network events, measures for risk control and for improving the overall risk management process shall be derived. Other applicable reporting duties continue.

(4.3.3) How are findings of medical device manufacturers and of IT device manufacturers taken into account in the risk management?
Information provided by manufacturers regarding the safe application of their products and solutions when integrated into a medical IT network shall be adequately taken into account in the risk management (e.g. by incorporation into the risk management documentation, the training of the clinical users, etc.).

(4.3.4) How is a medical IT network defined? How is the Standard to be applied?
A medical IT network is created when medical devices are integrated into an IT network. A medical IT network normally does not constitute a medical device, because the purpose of the IT network as determined by the network manufacturer is independent from the use in the medical environment. The Standard describes a lifecycle model for:
- existing medical networks
- medical networks to be established/generated
- measures/changes to existing medical networks

For this, a risk management process is defined which should ensure the major properties of a medical network.
The Standard defines the major properties as safety (for patients, users and other persons), effectiveness of medical processes, and data and system security.

5. Compliance, Matching the risk management requirements

5.1 Documentation Requirements

(5.1.1) Are there any specific document format requirements?
There are no format requirements for the documentation. All generated documents shall be reviewed and approved according to a document review procedure and, if needed, be reworked and updated according to a designated procedure.
(5.1.2) What information must be documented?
The healthcare delivery organization shall primarily provide the following documentation:
- description and evaluation of risk-relevant IT network elements
- documentation of the medical IT network
- risk management plan for the medical IT network

(5.1.3) Is a Document Management System needed?
Yes, this is the only way of ensuring the availability, currency and validity of the documentation.

5.2 Fulfillment of the Responsibility Agreement

(5.2.1) How are responsibilities defined and documented?
The responsibility agreement of the healthcare delivery organization defines the responsibilities of all stakeholders. Stakeholders include all departments and employees of the responsible organization. Medical device manufacturers are not stakeholders in the meaning of the Standard.

(5.2.3) What minimum information shall the responsibility agreement contain?
- stakeholder name
- individual responsibilities of all stakeholders
- range of activities to be provided
- list of medical devices and other IT devices being part of the medical IT network
- list of available documentation for all components used in the IT network
- technical information for the risk analysis of the medical devices and, if available, of the IT devices

5.3 Regulatory Requirements by the legislative body

(5.3.1) Is compliance with the Standard required by law?
Currently there are no requirements to this effect. That may change, which is why continuously monitoring future developments is valuable.

(5.3.2) When will the Standard become binding for a healthcare delivery organisation?
The Standard will probably be published in late . A Standard constituting a generally acknowledged state of the art has no legal force. A Standard can be used to demonstrate that and how specific processes have been fulfilled.
However, the healthcare delivery organization is obliged by the medical device act and the national regulation governing the installation, operation and use of medical devices to operate devices and systems safely for patients, users and others.

(5.3.4) Will the Standard be harmonized in the European Union?
It was a consensus of all stakeholders of the international Standardization Committee in charge (IEC meeting in Durham, USA, October 2009) that the Standard does not apply to medical devices and their process of being placed on the market. To clarify this in the final version of the Standard, adequate comments are under preparation. Since the Standard does not refer to medical devices, it cannot be applied to document compliance with the essential requirements of the European medical device directive 93/42/EEC. A publication of the Standard in the Official Journal of the EU Commission (harmonisation) is not planned.

(5.3.5) Does this Standard constitute a generally acknowledged state of the art?
This Standard represents a state of the art which, for example, could be cited during a lawsuit.
(5.3.6) Are there similar Standards in particular countries?
As of today, no similar Standards are known from other countries.

6. Forecast

This listing of questions and answers has been generated by responsible organizations, respectively their representatives in Standardization committees, and representatives from medical device manufacturers. You as a stakeholder have the opportunity to bring further questions which have not been asked in this document to the attention of the editing group ZVEI-DKE IEC . It is highly appreciated if you could also provide a reply based on your experience and your knowledge and forward this to the editing group. The combination of question and answer will be treated by the editing group and eventually be published on the homepage of the ZVEI and the DKE, commented with reference to the author of the question and the comments.

Imprint

ZVEI e.V., Fachverband Elektromedizinische Technik
Contact: Marcus Wenzel

Editing group:
- Eva-Maria Reiter (Siemens AG)
- Gerhard Weller (Siemens AG)
- Dr. Wolfgang Leetz (Siemens AG)
- Oliver Christ (Prosystems AG)
- Armin Gärtner (Sana MTSZ GmbH)
- Dr. Klaus Neuder (VDE Frankfurt)
- Johannes Dehm (VDE Frankfurt)
- Thorsten Schütz (Klinikum Itzehoe)
- Marcus Wenzel (ZVEI e.V.)
- Dr. Norbert Pauli (Drägerwerk AG)
- Jochen Kaiser (Uni Erlangen)
- Andreas Kassner (VHitG e.V., Berlin)
- Michael Asmalsky (Philips Healthcare)
Content

Introduction
Goal, Objective of the IEC Standard
  Philosophy ... 1
    (1.1.1) How does the new Standard impact a hospital?
  Benefits ... 1
    (1.2.1) Which information in the Standard is new for a hospital? How can a hospital benefit from that Standard?
  Relationship to other Standards ... 2
    (1.3.1) Who is addressed by IEC ? ... 2
    (1.3.2) Which law requires compliance with IEC ? ... 2
    (1.3.3) Do manufacturers of medical devices have to comply with IEC before placing their devices on the market? ... 2
    (1.3.4) What are the main goals of IEC ? ... 2
    (1.3.5) Why has IEC been defined as a pure Process Standard? ... 2
    (1.3.7) What is the relationship between IEC and IEC/EN :2005?
Scope and Range of Application ... 3
    (2.0.1) What is the purpose of IEC ? ... 3
    (2.0.2) Who should apply IEC ?
  Terms used (healthcare delivery organization, manufacturer, IT responsible, medical device, medical IT network, IT products) ... 3
    (2.1.1) What is the responsibility of the healthcare facility management? ... 3
    (2.1.2) What are the tasks of the Medical IT Network Risk Manager?
  Roles and Responsibilities ... 3
    (2.1.3) Does the hospital have to hire more personnel? ... 3
    (2.1.4) Are any specific qualifications required for the Medical IT Risk Manager?
  Responsibility Agreement
Potential Consequences of the Standard for responsible organisations, operators, manufacturers, IT-responsibles ... 4
    (3.1) What additional tasks will be required for healthcare delivery organizations? ... 4
    (3.2) When and how should the responsible organization apply the Standard? ... 4
    (3.3) Does the Standard cause increased costs for healthcare delivery organizations either initially or over time? ... 4
    (3.4) What advantages does adopting the Standard give to healthcare delivery organizations? ... 4
    (3.5) How does the Standard affect a medical device that is already placed on the market and part of a network? ... 4
    (3.6) Can any tasks be delegated or outsourced by the healthcare delivery organization? ... 5
    (3.7) Should any tasks not be delegated by the responsible organization? ... 5
    (3.8) Are there any kinds of network that IEC does not apply to? ... 5
    (3.9) Who supports healthcare delivery organizations when implementing the Standard? ... 5
    (3.10) What are the benefits for the healthcare delivery organization when implementing the Standard? ... 5
  Manufacturer ... 5
    (3.11) How can manufacturers of medical devices contribute to the implementation of IEC ? ... 5
    (3.12) Is there anything that can't be provided by medical device manufacturers? ... 5
    (3.13) Does the Standard impact medical device approvals? ... 6
    (3.14) Which information must be provided by the medical device manufacturer to the responsible organization? ... 6
    (3.15) Are manufacturers obliged to share confidential information? ... 6
    (3.16) Does any liaison exist with other (IT) Standards? ... 6
    (3.17) How are medical device manufacturers required to contribute? ... 6
  IT Responsibles from Healthcare Delivery Organizations, Manufacturers and Vendors ... 7
    (3.18) What are the required tasks of IT manufacturers and IT vendors? ... 7
    (3.19) What information must be provided by IT manufacturers? ... 7
    (3.20) What are the minimum requirements or approvals that must be met by IT devices?
Standard Content
  Set-Up and Structure of the Standard ... 7
    (4.1.1) When must the risk management process be applied? ... 7
    (4.1.2) What are the benefits of the risk management process of the Standard? ... 7
    (4.1.3) How can the responsible organization apply the Standard?
  Change Management ... 8
    (4.2.1) What is change management?
  Risk Management ... 8
    (4.3.1) How can risks be managed? ... 8
    (4.3.2) Do any additional duties result for the responsible organization from monitoring network events? ... 8
    (4.3.3) How are findings of medical device manufacturers and of IT device manufacturers taken into account in the risk management? ... 8
    (4.3.4) How is a medical IT network defined? How is the Standard to be applied?
Compliance, Matching the risk management requirements ... 8
  5.1 Documentation Requirements ... 8
    (5.1.1) Are there any specific document format requirements? ... 8
    (5.1.2) What information must be documented? ... 9
    (5.1.3) Is a Document Management System needed?
  Fulfillment of the Responsibility Agreement ... 9
    (5.2.1) How are responsibilities defined and documented? ... 9
    (5.2.3) What minimum information shall the responsibility agreement contain?
  Regulatory Requirements by the legislative body ... 9
    (5.3.1) Is compliance with the Standard required by law? ... 9
    (5.3.2) When will the Standard become binding for a healthcare delivery organisation? ... 9
    (5.3.4) Will the Standard be harmonized in the European Union? ... 9
    (5.3.5) Does this Standard constitute a generally acknowledged state of the art? ... 9
    (5.3.6) Are there similar Standards in particular countries?
Forecast ... 10