FAQs on IEC Rev. 2.1, as of

Introduction

An increasing number of medical devices, for example medical imaging devices, are designed to exchange electronic information with other devices, including other medical devices. This normally happens over a hospital's information technology network (hospital IT network), which is also used to transport general IT data. Today there are only a few standards that address incorporating medical devices into hospital IT networks. To properly assess the functionality of the IT network, the incorporation of both medical devices and non-medical devices into the network must be considered. In order to avoid unnecessary risks during the use of the hospital IT network, a risk management process should be performed prior to any change of the hospital IT-network infrastructure. A way of performing this risk management process is described in the coming international Standard IEC (Application of Risk management for IT-networks. After publication, a review and update will take place.

In order to provide replies to frequently asked questions on the content and the application of IEC , the German trade association ZVEI and the German national Standardization Organization DKE established an expert working group. These replies are provided on the websites of ZVEI, DKE and VHITG, along with a link to send further questions to the expert working group. For details, refer to paragraph

Goal, Objective of the IEC Standard

1.1 Philosophy

(1.1.1) How does the new Standard impact a hospital?
The Standard describes how a hospital can reduce potential risks for patients, users and third parties when integrating medical devices into its IT-network.

1.2 Benefits

(1.2.1) Which information in the Standard is new for a hospital? How can a hospital benefit from that Standard?
By applying the Standard the hospital increases the transparency of its IT network, which, due to the incorporation of medical devices, becomes a medical IT network.
The standard describes a lifecycle-model for a medical IT-network supporting early detection and reduction of potential risks when incorporating medical devices. That is why the implementation of the Standard substantially contributes to safer operation of the medical IT network throughout the complete lifetime of the IT network and its connected medical devices.

1.3 Relationship to other Standards

(1.3.1) Who is addressed by IEC ?
IEC as of today is primarily intended for hospitals (responsible organizations), but also includes in its risk management process medical device manufacturers and suppliers of IT products.
Note: The term IT products is not limited to hardware. It can also include software solutions used in the healthcare sector, whether or not such a software solution is a medical device.

(1.3.2) Which law requires compliance with IEC ?
None. Application of Standards is always voluntary. Consequently, there is no legal obligation to apply IEC

(1.3.3) Do manufacturers of medical devices have to comply with IEC before placing their devices on the market?
No. IEC is not addressed to manufacturers of medical devices, but to organizations maintaining a medical IT network. IEC presumes that medical devices that are to be integrated into the IT-network have been placed on the market correctly.

(1.3.4) What are the main goals of IEC ?
IEC provides support on how the key properties of a medical IT network can be ensured in order to enable the healthcare service provider to deliver a reliable health service. These key properties are:
- Safety (for patients, users and other persons)
- Effectiveness of medical processes
- Data and System security

(1.3.5) Why has IEC been defined as a pure Process-Standard?
To enable the application of IEC for a variety of healthcare service providers using different communication technologies, the International Electrical Commission (IEC) decided to choose a process approach. According to the IEC, the process approach permits the Standard to remain meaningful over a longer timeframe (e.g., 5 years) without need for change.

(1.3.6) Are any other documents required in addition to IEC ?
Generally speaking, IEC can be applied without any further documents.
There are several supporting documents currently being developed, such as checklists and guidelines intended to assist implementing IEC in a particular environment or when using specific technologies.

(1.3.7) What is the relationship between IEC and IEC/EN :2005?
IEC is primarily addressed to medical IT networks and responsible organizations. IEC/EN :2005 is addressed to manufacturers of medical electrical equipment and is listed under the EU medical device directive 93/42/EEC. By complying with the requirements of chapter of IEC/EN :2005, a manufacturer of medical electrical equipment can implicitly comply with the requirements of IEC (see paragraph 3.5).

2. Scope and Range of Application

(2.0.1) What is the purpose of IEC ?
The purpose of IEC is to define the roles, responsibilities and activities that are necessary for Risk Management of IT-NETWORKS incorporating medical devices to address safety, effectiveness and data security.

(2.0.2) Who should apply IEC ?
IEC is addressed to partners who want to sign a responsibility agreement (see also chapter 5 for more detailed information).

2.1 Terms used (healthcare delivery organization, manufacturer, IT-responsible, Medical device, medical IT-network, IT-products)

(2.1.1) What is the responsibility of the healthcare facility management?
According to IEC , the top management of the healthcare facility establishes a risk management process, sets the goals for that process via a risk management policy and ensures their control. The management shall assign a responsible person as a Medical IT Risk Manager.

(2.1.2) What are the tasks of the Medical IT Network Risk Manager?
The Medical IT Risk Manager brings together a team of employees from the departments of medical technology, hospital IT and users of medical and IT devices. This team coordinates, controls and drives all measures necessary to apply IEC This includes the generation of risk management policy, processes and procedures based on the policy, including all risk management documents. The Medical IT Risk Manager defines, in coordination with organization management, the risk management process of the hospital for those networks that incorporate medical devices. The Medical IT Risk Manager is responsible for the description and the implementation of safety measures, data and system security and for the complete documentation and the execution of the risk analysis for the medical IT network that incorporates medical devices. (Note: Not all actions need to be performed directly by the risk manager; however, he or she must ensure that the process functions satisfactorily.)
The Medical IT Network Risk Manager is responsible for:
- The management of the risk management process
- Reporting on the risk management process to the hospital facility management
- Managing the communications between all parties involved in the medical IT network

2.2 Roles and Responsibilities

(2.1.3) Does the hospital have to hire more personnel?
The IT Risk Manager role can be assigned to either an internal or an external person. This does not automatically include the generation of new positions.

(2.1.4) Are any specific qualifications required for the Medical IT Risk Manager?
The Medical IT Risk Manager should at a minimum have some knowledge or experience related to medical technology and IT networks. They should enhance their qualifications with knowledge of risk management, medical regulations, etc. An excellent understanding of IEC , current medical device legislation, current data security legislation and IT knowledge are strongly recommended.

2.3 Responsibility Agreement

The responsibility agreement is to be limited to those departments where it is permitted to transfer or to delegate responsibilities. The content has to be agreed upon case by case and should be reviewed and approved by the legal advisers of the concerned organizations.

3. Potential Consequences of the Standard for responsible organisations, operators, manufacturers, IT-responsibles

(3.1) What additional tasks will be required for healthcare delivery organizations?
When a healthcare delivery organization decides to bring a medical IT-Network under IEC control, the organization creates and applies a risk management process. This includes planning the incorporation of medical devices (hardware and/or software), but also taking into account changes to the network, including the evaluation of the impact of any changes on the medical devices and systems.

(3.2) When and how should the responsible organization apply the Standard?
The Standard should be applied over the complete lifecycle of an IT network incorporating medical devices. This means that every potentially relevant/significant change within the medical IT network has to be considered at least initially. This includes changes to the network infrastructure, as well as other IT components (such as Client-Server-solutions, middleware, printers, etc).

(3.3) Does the Standard cause increased costs for healthcare delivery organizations either initially or over time?
For many organizations, increasing the quality of risk management in medical IT-networks may increase cost. The structured approach of should improve the predictability of costs and reduce potentially damaging events. Costs are likely to be highest in the initial implementation phase.

(3.4) What advantages does adopting the Standard give to healthcare delivery organizations?
Applying the Standard can reduce the number and severity of disruptions and improve the security and effectiveness of IT networks incorporating medical devices. These improvements will contribute positively to the costs and, as such, balance out any added initial costs. It is furthermore expected that improved safety, effectiveness, and security will lead to fewer interruptions and better workflow and thus have a positive impact on health outcomes and operational effectiveness. The hospital improves control over the network and the connected medical devices in order to ensure safety, data security and effectiveness. The documentation this requires may help, in case of dispute, to refute the accusation of wanton negligence when operating medical devices in IT networks without necessary security measures.

(3.5) How does the Standard affect a medical device that is already placed on the market and part of a network?
By applying IEC potential disturbance to an IT network by medical devices that are already part of that network may be reduced, because they are planned for in advance. In addition, the connected medical device(s) may exchange data more reliably via the IT network.

(3.6) Can any tasks be delegated or outsourced by the healthcare delivery organization?
Generally, all tasks can be delegated. When selecting the service provider, the required competencies have to be evaluated carefully. Responsibilities, on the other hand, cannot be delegated.

(3.7) Should any tasks not be delegated by the responsible organization?
The evaluation and the approval or rejection of residual risks should not be delegated by the responsible organization.

(3.8) Are there any kinds of network that IEC does not apply to?
IEC does not apply to a network which only serves personal needs or which is not connected to a medical IT network or a medical device. The Standard also does not apply to closed networks containing medical devices of a single manufacturer (see closed network Class C according to Annex H IEC :2005).

(3.9) Who supports healthcare delivery organizations when implementing the Standard?
The suppliers and manufacturers participating in the incorporation of medical devices into IT networks can offer any needed support, in addition to services that specialized consultants can offer. Another potentially helpful tool for a healthcare delivery organization could be a guided integration into the network of the healthcare delivery organization, offered by a manufacturer of the medical device. In this way, it might be easier for the healthcare delivery organization to apply IEC

(3.10) What are the benefits for the healthcare delivery organization when implementing the Standard?
The application of IEC is voluntary. However, the healthcare delivery organization obtains transparency about its IT network and the connected medical devices to improve network security, data security and effective functional operations. The documentation this requires may help, in case of dispute, to obtain legal certainty when operating medical devices in IT networks without the necessary security measures.

Manufacturer

(3.11) How can manufacturers of medical devices contribute to the implementation of IEC ?
In close cooperation with the healthcare delivery organizations and others involved in the planning and implementation of IT-networks, manufacturers must provide the information necessary for the safe incorporation of their medical devices into networks, as required by the medical device legislation. Additionally, manufacturers can support the healthcare delivery organization when integrating medical devices (see paragraph 3.9).

(3.12) Is there anything that can't be provided by medical device manufacturers?
Medical device manufacturers cannot take over the responsibility for the safe operation of the healthcare organization's IT network. They are unlikely to render for free those services requested by the healthcare delivery organization that exceed the existing handing over of information necessary for the safe incorporation. In general, they would not take over any task of the risk management as described in the Standard without being explicitly empowered for that task by the healthcare delivery organization.

(3.13) Does the Standard impact medical device approvals?
No, the Standard has no impact on medical device approvals. Placing medical devices on the market is only permitted after having obtained the necessary approval for that particular market. One prerequisite (e.g. in the EU, USA, etc.) is to also document compliance with the applicable Safety Standards. The approval is limited to the intended use of the medical device as determined by the manufacturer. This may include the incorporation into IT networks. Therefore, an additional approval of the medical devices for this or after this integration into an IT network is not needed.

(3.14) Which information must be provided from the medical device manufacturer to the responsible organization?
According to the current medical device legislation, manufacturers must make available all information which could impact the safe application of a medical device within a network. This means that they already supply the information the healthcare delivery organization needs to know for the planning and the realization of the IT network incorporating this medical device. They may choose to organize this differently for
The relevant information includes:
- The intended use of the medical device, the performance criteria and the necessary configuration of the IT-network (in case there are restrictions)
- The technical specification of the network interface of the medical device (if required)
- The required information exchange between medical devices, the IT network and other IT products.
When medical devices are incorporated into IT networks, manufacturers must provide the necessary information about potential risks of these medical devices to the healthcare delivery organization (see IEC :2005, chapter 14.13).

(3.15) Are manufacturers obliged to share confidential information?
Information necessary for the incorporation into an IT network may be needed for the safe use of the medical device.
Such information should not be regarded as company confidential and should be made available to the healthcare delivery organization. If company confidential information is ever needed (e.g. when testing the clinical network integration of a new medical device), a respective Non-Disclosure-Agreement can be signed.

(3.16) Does any liaison exist with other (IT) Standards?
IEC is a process-standard for a systematic assessment prior to changing an existing medical IT network (adding or removing a component or a medical device). It requires a defined change- and risk management process. IEC refers to IT Standards for data communication. As of today, there is no comparable Standard for risk management of IT networks incorporating medical devices. Single paragraphs of the following Standards provide statements on specific network aspects:
a. IEC :2005: information of manufacturers of medical electrical equipment with regard to ME equipment in IT networks
b. ISO :2005: Planning, Design and Maintenance of an IT-network
c. ISO 27001:2005: Information technology - Security techniques - Information security management systems - Requirements
d. ISO 14971:2007: Risk management for medical devices
e. ISO 13485: Manufacturing of medical devices

(3.17) How are medical device manufacturers required to contribute?
Manufacturers of medical devices whose devices will be integrated intentionally into a medical IT network must make available all information necessary to ensure the intended and safe use of these medical devices within the IT network. According to IEC additional information is expected for the generation of the risk management file of their medical devices.

IT Responsibles from Healthcare Delivery Organizations, Manufacturers and Vendors

(3.18) What are the required tasks of IT manufacturers and IT-vendors?
They should cooperate closely with the healthcare delivery organizations and other parties involved in the planning and the implementation of the IT network. Manufacturers of IT devices should make available all information relevant to enable their devices to contribute to the safe and effective operation of the medical (IT) network (e.g. switches, PCs, virus protection, etc.).

(3.19) What information must be provided by IT manufacturers?
- Technical Information
- Product configuration
- Incompatibilities
- Operating conditions
- Product related corrective measures
- Safety information

(3.20) What are the minimum requirements or approvals that must be met by IT devices?
The IT components and IT devices shall comply with the current legal requirements, e.g. the general product safety act. In combination with medical electrical equipment the applicable requirements of IEC also have to be taken into account. To ensure safety, effectiveness and data and system security, it is necessary to carefully examine, within the risk management process, the suitability of the IT devices in medical environments.

4. Standard Content

4.1 Set-Up and Structure of the Standard

(4.1.1) When must the risk management process be applied?
The risk management process must be applied throughout the complete lifecycle of the IT network. The Standard illustrates the complete lifecycle of the IT network or single components, from planning through putting into service up to taking out of service.

(4.1.2) What are the benefits of the risk management process of the Standard?
The risk management process can identify potential hazards, pro-actively estimate and evaluate related risks and control the efficiency of containment measures. This facilitates the handling and safe containment of residual risks, which should result in time- and cost-savings.

(4.1.3) How can the responsible organization apply the Standard?
When implementing the Standard, the healthcare delivery organisation shall
- set up rules for risk management concerning the incorporation of medical devices into IT networks and put in place a continuous risk management process,
- allocate necessary resources and assign a risk manager for the IT network,
- implement the results of the risk management activities via evident and sustainable measures and regularly review the implementation.

4.2 Change Management

(4.2.1) What is change management?
Change management is the structured management of changes. Change management ensures that changes only take place after being tested and released and that disruptions to users are minimized.

4.3 Risk Management

(4.3.1) How can risks be managed?
By testing, evaluating and taking decisions, risks become controllable, meaning unacceptable risks can be avoided. One basis for this is in the principles of safety integration. Further information is available from ISO 14971: risk management for medical devices.

(4.3.2) Do any additional duties result for the responsible organization from monitoring network events?
Measures for risk control and for improving the overall risk management process shall be derived from monitoring network events. Other applicable reporting duties continue.

(4.3.3) How are findings of medical device manufacturers and of IT device manufacturers taken into account in the risk management?
Information provided by manufacturers regarding the safe application of their products and solutions when integrated into a medical IT network shall be adequately taken into account in the risk management (e.g. by incorporation into the risk management documentation, the training of the clinical users, etc).

(4.3.4) How is a medical IT network defined? How is the Standard to be applied?
A medical IT network is created when medical devices are integrated into an IT network. A medical IT network normally does not constitute a medical device because the purpose of the IT network as determined by the network manufacturer is independent from the use in the medical environment. The Standard describes a lifecycle model for
- existing medical networks
- medical networks to be established/generated
- measures/changes to existing medical networks
For this, a risk management process is defined which should ensure the major properties of a medical network.
The Standard defines the major properties as safety (for patients, users and other persons), effectiveness of medical processes and data and system security.

5. Compliance, Matching the risk management requirements

5.1 Documentation Requirements

(5.1.1) Are there any specific document format requirements?
There are no format requirements for the documentation. All generated documents shall be reviewed and approved according to a document review procedure and, if needed, be reworked and updated according to a designated procedure.

(5.1.2) What information must be documented?
The healthcare delivery organization shall primarily provide the following documentation:
- Description and evaluation of risk-relevant IT network elements
- Documentation of the medical IT network
- Risk management plan for the medical IT network

(5.1.3) Is a Document Management System needed?
Yes, this is the only way of ensuring the availability, currency and validity of the documentation.

5.2 Fulfillment of the Responsibility Agreement

(5.2.1) How are responsibilities defined and documented?
The responsibility agreement of the healthcare delivery organization defines the responsibilities of all stakeholders. Stakeholders include all departments and employees of the responsible organization. Medical device manufacturers are not stakeholders within the meaning of the Standard.

(5.2.3) What minimum information shall the responsibility agreement contain?
- Stakeholder name
- Individual responsibilities of all stakeholders
- Range of activities to be provided
- List of medical devices and other IT devices being part of the medical IT network
- List of available documentation for all components used in the IT network
- Technical information for the risk analysis of the medical devices and, if available, of the IT devices

5.3 Regulatory Requirements by the legislative body

(5.3.1) Is Compliance with the Standard required by law?
Currently there are no such requirements. That may change, which is why continuously active monitoring of future developments is valuable.

(5.3.2) When will the Standard become binding for a healthcare delivery organisation?
The Standard will probably be published in late A Standard constituting a generally acknowledged state of the art has no legal force. A Standard can be used to demonstrate with evidence that, and how, specific processes have been fulfilled.
However, the healthcare delivery organization is obliged by the medical device act and the national regulation governing the installation, operation and use of medical devices to operate devices and systems safely for patients, users and others.

(5.3.4) Will the Standard be harmonized in the European Union?
It was a consensus of all stakeholders of the international Standardization Committee in charge (IEC Meeting in Durham, USA, October 2009) that the Standard does not apply to medical devices and their process of placing them on the market. To clarify this in the final version of the Standard, adequate comments are under preparation. As the Standard does not refer to medical devices, it cannot be applied to document compliance with the essential requirements of the European medical device directive 93/42/EEC. A publication of the Standard in the Official Journal of the EU Commission (harmonisation) is not planned.

(5.3.5) Does this Standard constitute a generally acknowledged state of the art?
This Standard represents a state of the art which, for example, could be cited during a lawsuit.

(5.3.6) Are there similar Standards in particular countries?
As of today, no similar Standards are known from other countries.

6. Forecast

This listing of questions and answers has been generated by responsible organizations or their representatives in Standardization committees, and by representatives from medical device manufacturers. You as a stakeholder have the opportunity to bring further questions which have not been asked in this document to the attention of the editing group ZVEI-DKE IEC It is highly appreciated if you could also provide a reply based on your experience and your knowledge and forward this by to the editing group. The combination of question and answer will be handled by the editing group and eventually be published on the homepage of the ZVEI and the DKE, with a reference to the author of the question and the comments.

Imprint

ZVEI e.V., Fachverband Elektromedizinische Technik
Contact person: Marcus Wenzel

Editing group:
- Eva-Maria Reiter, Siemens AG
- Gerhard Weller, Siemens AG
- Dr. Wolfgang Leetz, Siemens AG
- Oliver Christ, Prosystems AG
- Armin Gärtner, Sana MTSZ GmbH
- Dr. Klaus Neuder, VDE Frankfurt
- Johannes Dehm, VDE Frankfurt
- Thorsten Schütz, Klinikum Itzehoe
- Marcus Wenzel, ZVEI e.V.
- Dr. Norbert Pauli, Drägerwerk AG
- Jochen Kaiser, Uni Erlangen
- Andreas Kassner, VHitG e.V., Berlin
- Michael Asmalsky, Philips Healthcare
CCBE POSITION ON THE PROPOSAL FOR A DIRECTIVE OF THE EUROPEAN PARLIAMENT AND THE COUNCIL ON CONSUMER RIGHTS DIRECTIVE COM(2008) 614/3 CCBE position on The Proposal for a Directive of the European Parliament
The New Paradigm for Medical Device Safety Addressing the Requirements of IEC 60601-1 Edition 3.1 Medical devices play a vital role in the diagnosis and treatment of most health-related conditions, and
ITIL Managing Digital Information Assets Shirley Lacy, ConnectSphere Frieda Midgley, Digital Continuity Project Judith Riley, Digital Continuity Project Nigel Williamson, Digital Continuity Project White
EUROPEAN COORDINATION COMMITTEE OF THE RADIOLOGICAL, ELECTROMEDICAL AND HEALTHCARE IT INDUSTRY COCIR Position Paper COCIR* position on the certification of Healthcare IT product interoperability The objective
JOB AND PERSON SPECIFICATION Position Title: Help Desk Officer Classification Code: ASO-3 Division: Central Northern Adelaide Health Service Branch: The Queen Elizabeth Hospital Type of Appointment: Section:
Norwegian Data Inspectorate Narvik kommune Postboks 64 8501 NARVIK Norway Your reference Our reference (please quote in any reply) Date 1111/1210-6/PEJA 11/00593-7/SEV 16 January 2012 Notification of decision
IRCA Briefing note ISO/IEC 20000-1: 2011 How to apply for and maintain Training Organization Approval and Training Course Certification IRCA 3000 Contents Introduction 3 Summary of the changes within ISO/IEC
QUALITY MANUAL Revision D Gujll'y Manual Introduction The purpose of this manual is to describe the Quality Assurance Program implemented by Camar Aircraft Products Co. (hereafter referred to as C.A.P.C.)
CUSTOMER FOCUS PROCESS APPROACH IMPROVEMENT LEADERSHIP FURTHER EXCELLENCE RELATIONSHIP MANAGEMENT ENGAGEMENT OF PEOPLE EVIDENCE BASED DECISIONS RISK MANAGEMENT ISO 9001:2015 WHAT YOU NEED TO KNOW HELPING
Guidance for Industry Q10 Pharmaceutical Quality System U.S. Department of Health and Human Services Food and Drug Administration Center for Drug Evaluation and Research (CDER) Center for Biologics Evaluation
INTERNATIONAL STANDARD ISO/IEC 38500 First edition 2008-06-01 Corporate governance of information technology Gouvernance des technologies de l'information par l'entreprise Reference number ISO/IEC 38500:2008(E)
General Terms and Conditions Advertiser 1 General Provisions These Terms and Conditions apply to the use of the platform www.financeads.com (subsequently referred to as "platform") of financeads International
Z.A.S. Archive- and informationsmanagement Presentation at SAG Scientific Archivists Group Spring Conference in Basel 11 June 2010 Electronic Archiving in a GXP-regulated environment Author: Bernd Mohnsame
p. 1 System Management Standards Proposed on October 8, 2004 Preface Today, the information system of an organization works as an important infrastructure of the organization to implement its management
Quality, Environmental, Health and Safety Manual Toshiba International Corporation Doc. No. QEHS 001 Rev. 19 (12/12) Title: Prepared By: Revision No.: Table of Contents and Cross Reference Ken Mori/Homer
TEXTUAL PROPOSAL TECHNICAL BARRIERS TO TRADE (TBT) Article 1 Objective and Scope 1. The objective of this Chapter is to promote convergence in regulatory approaches, by reducing or eliminating conflicting
GMP Rules and Guidelines in 2013 for Computer System Validation / Computerises Systems / Electronic Records and Signatures/ IT Infrastructure and Application Compliance: What is the correct title of this
Mapping of outsourcing requirements Following comments received during the first round of consultation, CEBS and the Committee of European Securities Regulators (CESR) have worked closely together to ensure
Clinical trials regulation The Proposal for a Regulation of the European Parliament and of the Council on Clinical Trials on Medicinal Products for Human Use and Repealing Directive 2001/20/EC an update
TKPV-Technical Briefing Note 3 Guideline Good Manufacturing Practice for Adhesives used in the Manufacturing of Materials and Articles intended to come into Contact with Food Version: May 2012 Legal provisions
REMARKS: This is an initial textual proposal for a draft Chapter on Regulatory Cooperation that the Commission intends to submit to the US on Friday, 30 January, in preparation of the 8 th round of TTIP
Position Paper EFPIA Principles for the Development of the EU Clinical Trials Portal and Database Executive summary EFPIA sees the implementation of the Clinical Trials Regulation 1 as an opportunity to
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
Procurement Performance model The Procurement Performance Model develops key questions as reference pointers for auditors evaluating the performance of the procurement function in public sector bodies.
1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These
31.5.2016 A8-0125/2 Amendment 2 Roberto Gualtieri on behalf of the Committee on Economic and Monetary Affairs Report Markus Ferber Markets in financial instruments, market abuse and securities settlement
BT N 9776 Draft BT C135/2014 TECHNICAL BOARD CEN/BT by correspondence For vote Issue date: 2014-11-19 Simultaneous circulation to CENELEC/BT Deadline: 2015-02-17 SUBJECT Creation of a new CEN/TC Private
HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM September 2011 OUR HEALTH, SAFETY AND ENVIRONMENT POLICY OUR PRINCIPLE OF DUE CARE We care about the wellbeing of our people and our impact on the environment.
IT/Technology Infrastructure Design and Planning Level 2 Role Overview This sub-discipline is part of overall service design. It concerns the design of, and planning for, resilient IT/ technology infrastructure
Medical Device Software Do You Understand How Software is Regulated? By Gregory Martin Agenda Relevant directives, standards, and guidance documents recommended to develop, maintain, and validate medical
Accountability: Data Governance for the Evolving Digital Marketplace 1 1 For the past three years, the Centre for Information Policy Leadership at Hunton & Williams LLP has served as secretariat for the
LSB Procurement Framework Introduction Procurement covers the typical purchase of services, supplies and works required to enable project delivery and to manage the infrastructure. The Services Board (LSB)
CEIOPS-DOC-29/09 CEIOPS Advice for Level 2 Implementing Measures on Solvency II: System of Governance (former Consultation Paper 33) October 2009 CEIOPS e.v. Westhafenplatz 1-60327 Frankfurt Germany Tel.
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Ordinance on Data Protection Certification (DPCO) 235.13
Introduction into IEC 62304 Software life cycle for medical devices Christoph Gerber 4. September 2008 SPIQ 9/5/2008 1 Agenda Current Picture Regulatory requirements for medical device software IEC 62304
European Forum for Good Clinical Practice Audit Working Party REVISION OF THE ENGAGE 1 AUDITING GUIDELINE. AN OPTIONAL GUIDELINE FOR GCP COMPLIANCE AND QUALITY MANAGEMENT SYSTEMS AUDITING This document
Business continuity management policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSADPN001b S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review
SAFETY and HEALTH STANDARDS The Verve Energy Occupational Safety and Health Management Standards have been designed to: Meet the Recognised Industry Practices & Standards and AS/NZS 4801 Table of Contents
Functional and technical specifications Background In terms of the Public Audit Act, 2004 (Act No. 25 of 2004) (PAA), the deputy auditor-general (DAG) is responsible for maintaining an effective, efficient
EUROPEAN COMMISSION Brussels, 6.6.2016 C(2016) 3266 final COMMISSION DELEGATED REGULATION (EU) /... of 6.6.2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council on markets
TTIP Proposal for Chapter: Good Regulatory Practices Article 1 General Provisions: 1. The parties reaffirm their commitment to good regulatory principles and practices to achieve public policy objectives
Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last
Successful EHR Change Management Roles and responsibilities White paper Table of contents Executive summary... 2 Introduction... 3 Never underestimate the power of the people... 3 People... 4 From resisting
DATA PROTECTION ACT POLICY Version 7.0 Document owner Director ICT Document author and enquiry point Alison Moss, IT Security & Access Manager Date of document June 2010 Version 7.0 Document classification
Emptoris Contract Management Solution for Healthcare Providers An Emptoris White Paper Emptoris, an IBM Company www.emptoris.com CMS-HP-4/12 Emptoris Contract Management Solution for Healthcare Providers
EN ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK of 12 November 2015 on the regulation of companies acquiring credit (CON/2015/45) Introduction and legal basis On 5 November 2015 the European Central
Reprinted from PHARMACEUTICAL ENGINEERING The Official Magazine of ISPE July/August 2011, Vol. 31 No. 4 www.ispe.org Copyright ISPE 2011 The ISPE GAMP Community of Practice (COP) provides its interpretation
Written Contribution of the National Association of Statutory Health Insurance Funds of 16.11.2015 to the Public Consultation of the European Commission on Standards in the Digital : setting priorities
Quality Management System Certification Understanding Quality Management System (QMS) certification The medical device manufacturing sector is one of the most regulated sectors in which significant quality
Supplement to the IIMM 2011 Quick Guide: Meeting ISO 55001 Requirements for Asset Management Using the International Infrastructure Management Manual (IIMM) ISO 55001: What is required IIMM: How to get
POSITION DESCRIPTION - Receptionist/Administration Assistant - Employment Primary purpose of role: To provide a range of efficient reception and administration tasks that ensures outstanding level of customer
PUBLIC PROCUREMENT CONTRACTS Public authorities conclude contracts to ensure the supply of works and delivery of services. These contracts, concluded in exchange for remuneration with one or more operators,
Business Process Management & Workflow Solutions Connecting People to Process, Data & Activities TouchstoneBPM enables organisations of all proportions, in a multitude of disciplines, the capability to
IEC/TR 80001-2-3 TECHNICAL REPORT Edition 1.0 2012-07 colour inside Application of risk management for IT-networks incorporating medical devices Part 2-3: Guidance for wireless networks INTERNATIONAL ELECTROTECHNICAL
Frequently Asked Questions Unannounced audits for manufacturers of CE-marked medical devices 720 DM 0701-53a Rev 1 2014/10/02 What is an unannounced audit?... 6 Are unannounced audits part of a new requirement?...
ISO 9001 Quality Systems Manual Revision: D Issue Date: March 10, 2004 Introduction Micro Memory Bank, Inc. developed and implemented a Quality Management System in order to document the company s best
MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY Index: Introduction Information is a Corporate Resource Personal Responsibility Information Accessibility Keeping Records of what we do Ensuring
Accord on Fire and Building Safety in Bangladesh The undersigned parties are committed to the goal of a safe and sustainable Bangladeshi Ready- Made Garment ("RMG") industry in which no worker needs to
Promotion hidroenergetikasi Project investiciebis (HIPP) Opportunities for the Georgian Hydropower industry to benefit from Directive 2009/28EC of the European Parliament What Europe wants to do Comply
JOB SPECIFICATION JOB TITLE: GRADE: Service Support Manager SMP ORGANISATION CHART: JOB PURPOSE: Management responsibility for the Service Support within the Trust delivering an efficient and cost effective
Initial Provisions for CHAPTER [ ] Regulatory Cooperation General notes: 1. As TTIP negotiations progress, the provisions in this Chapter may be reviewed in the light of developments in other Chapters,
Council of the European Union Brussels, 5 May 2015 (OR. en) 8485/15 NOTE From: To: Special Committee on Agriculture Council No. prev. doc.: 7524/2/15 REV 2 Subject: AGRI 242 AGRIORG 26 AGRILEG 100 AGRIFIN
Release: 1 ICASAS417A Undertake IT system capacity planning ICASAS417A Undertake IT system capacity planning Modification History Release Release 1 Comments This Unit first released with ICA11 Information