The New ISO/IEC Standard for Risk Management

Similar documents
Medical Software Development. International standards requirements and practice

MEDICAL DEVICES INTERIM REGULATION

Final Document. Software as a Medical Device (SaMD): Key Definitions. Date: 9 December Despina Spanou, IMDRF Chair. IMDRF/SaMD WG/N10FINAL:2013

US & CANADA: REGULATION AND GUIDELINES ON MEDICAL SOFTWARE AND APPS OR

Medical Device Software Standards for Safety and Regulatory Compliance

Health Informatics Application of clinical risk management to the manufacture of health software Formerly ISO/TS 29321:2008(E) DSCN14/2009

How To Know If A Mobile App Is A Medical Device

Implementation of ANSI/AAMI/IEC Medical Device Software Lifecycle Processes.

Guide for Custom-Made Dental Device Manufacturers on Compliance with European Communities (Medical Devices) Regulations, 1994

a Medical Device Privacy Consortium White Paper

Quality Assurance Manual

Guidance on the In Vitro Diagnostic Medical Devices Directive 98/79/EC

Med-Info. Council Directive 93/42/EEC on Medical Devices. TÜV SÜD Product Service GmbH

Medical Device Software

WHITEPAPER: SOFTWARE APPS AS MEDICAL DEVICES THE REGULATORY LANDSCAPE

Safeguarding public health The Regulation of Software as a Medical Device

Correspondence between ISO 13485:2003 and the US Quality System Regulation

AND. CE IT Community Town Hall Meeting Feb. 8, 2012

International standards and guidance that address Medical Device Software

GUIDANCE NOTE FOR MANUFACTURERS OF CUSTOM-MADE MEDICAL DEVICES

Mauro Calvano. About Aviation Safety Management Systems

This is a preview - click here to buy the full publication

2002 No. 618 CONSUMER PROTECTION. The Medical Devices Regulations 2002

Safety Risk Management in RT: A Software Manufacturer Perspective

2015. All rights reserved.

Quality Management Systems Manual

The New Paradigm for Medical Device Safety. Addressing the Requirements of IEC Edition 3.1

CDRH Regulated Software

(OJ L 169, , p. 1)

Considerations for using the Web for Medical Device Applications

Policy on Safety, Security, Health and Environmental Protection (SHE) in the Roche Group Edition

PUBLICLY AVAILABLE SPECIFICATION PRE-STANDARD

How To Write Software

I S O G AP A N A L Y I S T O O L

Health, Safety and Environment Policy

National Decontamination Guidance on Loan Medical Devices (Reusable): Roles & Responsibilities GUID 5002

ISO & ISO Legal Compliance Know Your Risk - Reduce your Risk"

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

Regulation of Medical Devices involving Software in Australia an Overview

PROPOSED DOCUMENT. Global Harmonization Task Force. Title: Principles of In Vitro Diagnostic (IVD) Medical Devices Classification

ISMS Implementation Guide

Risk Management and Cybersecurity for Devices that Contain Software. Seth D. Carmody, Ph.D. 12 th Medical Device Quality Congress March 18, 2015

GOVERNMENT OF THE RUSSIAN FEDERATION RESOLUTION from December 27, 2012 N 1416 APPROVAL OF THE RULES STATE REGISTRATION OF MEDICAL PRODUCTS

Spillemyndigheden s change management programme. Version of 1 July 2012

Regulatory Strategy for Drug-Device Combinations By John Worroll

Corporate Data Quality Policy

Software Verification and Validation

CE Marking: Your Key to Entering the European Market

Medical Product Software Development and FDA Regulations Software Development Practices and FDA Compliance

1.0 Safety Management System

Topic Priority Setting for research on patient safety Operational Definitions

FINAL DOCUMENT. Implementation of risk management principles and activities within a Quality Management System. The Global Harmonization Task Force

This document is a preview generated by EVS

NABL NATIONAL ACCREDITATION

Applying Risk Management to Mobile Wireless Medical Devices. AAMI Town Hall Meeting January 11, 2012 Rick Hampton Stuart Higgins

Nuclear Safety Council Instruction number IS-19, of October 22 nd 2008, on the requirements of the nuclear facilities management system

GUIDELINES ON MEDICAL DEVICES EVALUATION OF CLINICAL DATA : A GUIDE FOR MANUFACTURERS AND NOTIFIED BODIES

GUIDANCE NOTES FOR MANUFACTURERS OF CLASS I MEDICAL DEVICES

Medical Device Software Do You Understand How Software is Regulated?

Content Sheet 10-1: Overview of External Quality Assessment (EQA)

Legal compliance for developers. Training materials (prepared by Tilburg University)

Quality & Safety Manual

Software as a Medical Device. A Provider View from Canada

How DCMA Helps To Ensure Good Measurements

RECALLS in EUROPE. Past, present, near & further future. Gert Bos BSI Medcon May 2012

Regulation of Mobile Medical Apps

This is a preview - click here to buy the full publication

QUALITY MANAGEMENT SYSTEMS

Aviation Safety Policy. Aviation Safety (AVS) Safety Management System Requirements

codebeamer INTLAND SOFTWARE codebeamer Medical ALM Solution is built for IEC62304 compliance and provides a wealth of medical development knowledge

Comparison between FDA QSR and ISO 13485

Information technology Security techniques Information security management systems Overview and vocabulary

WEB APPLICATION SECURITY TESTING GUIDELINES

GOOD DISTRIBUTION PRACTICE FOR MEDICAL DEVICES (GDPMD)

FAQs on the Standard IEC (Risk management for IT-networks incorporating medical devices)

CENTER FOR CONNECTED HEALTH POLICY

Medical Certification: Bringing genomic microcores to clinical use OI- VF- WP- 011

ISO/IEC QUALITY MANUAL

Clinical evaluation Latest development in expectations EU and USA

EXAM PREPARATION GUIDE

OD-2017-Ed.1.5 CHECK LIST FOR TESTING AND CALIBRATION LABORATORIES

Quality Risk Management The Pharmaceutical Experience Ann O Mahony Quality Assurance Specialist Pfizer Biotech Grange Castle

An introduction to the regulation of apps and wearables as medical devices

Client information note Assessment process Management systems service outline

The Act on Medical Devices

Guidance Notes for Applicants of the Certificate for Clinical Trial on Medical Device

Regulatory Landscape For Mobile Medical Apps (MMAs)

Virginia Commonwealth University School of Medicine Information Security Standard

Use of Mobile Medical Applications in Clinical Research

BSI Road Show: September 8 th to 15 th, 2014

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

CONSOLIDATED VERSION IEC Medical device software Software life cycle processes. colour inside. Edition

2014 Annual Report on Inspections of Establishments

Sarah Chandler A/Head, Regulatory and Scientific Section Medical Devices Bureau

Transcription:

The New ISO/IEC 80001 Standard for Risk Management Rick Hampton Wireless Communications Manager Partners HealthCare System Wednesday, September 29, 2010 3/31/2010 Copyright 2010

What is IEC 80001? Full title IEC 80001-1 Ed.1: Application of risk management for it-networks incorporating medical devices Part 1: Roles, responsibilities and activities It is an international standard It is a process standard; it tells you what to do, not how to do (how comes later) It is a voluntary standard unless formally adopted by regulatory authorities

Future Documents Technical Reports (guidance documents) to be published soon: Guidance for Healthcare Delivery Organizations An implementation guide for HDOs of all sizes Step by Step Risk Management Still not a bullet-list of steps to accomplish, but rather a simple explanation of concepts from ISO 14971 and how they might be adopted by Responsible Organizations Security Use of Wireless Technologies With more to come

Why do we need IEC 80001? Currently, many healthcare medical systems operate on isolated networks which (in the US) are viewed as a component of a regulated medical device. Medical device manufacturers are held responsible for performing risk assessment and mitigation activities under current federal requirements and thus ensuring these systems are safe and effective for their intended use. Emerging technologies hold the promise to allow medical device manufactures and healthcare facilities to begin combining these systems on the healthcare information systems (HIS) network. When healthcare facilities use their HIS networks for medical device connectivity instead of the manufacturerprovided networks, the healthcare facility now become responsible for ensuring the proper operation of those medical devices.

A Medical Device is: Any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar or related article*: intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific purpose(s) of: diagnosis, prevention, monitoring, treatment or alleviation of disease, or compensation for an injury, support of the anatomy or of a physiological process, supporting or sustaining life, control of conception, disinfection of medical devices And is not a pharmacological, immunological or metabolic agent. Note: This definition is nearly identical to those used by FDA and other regulatory agencies around the world. *In the US, FDA adds, including a component part, or accessory

Origins of 80001 Core ideas drawn from: ISO 14971 Application of risk management to medical devices Applies ONLY to medical device manufacturers ISO 20000 IT Service Management Standards ITIL IT Infrastructure Library

Risk Management Risk management is a more realistic term than safety. It implies that hazards are ever-present, that they must be identified, analyzed, evaluated and controlled or rationally accepted. Jerome Ledere, director of the Flight Safety Foundation for 20 years and NASA's first director of Manned Flight Safety

The Key Properties 80001 defines three Key Properties to be managed. They are, in this order of priority: Safety (freedom from unacceptable risk of physical injury or damage to the health of people or damage to property or the environment) Effectiveness (ability to produce the intended result for the patient and the Responsible Organization) Data and System Security (an operational state of a Medical IT-Network in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability) 80001 does not specify acceptable risk levels.

80001 Structure Section 1 Scope Section 2 Terms and definitions Section 3 Roles and responsibilities Section 4 Life Cycle Risk Management In Medical It-Networks Section 5 Document Control Annex A (informative) Rationale Annex B (Informative) Overview Of Risk Management Relationships Annex C (Informative) Guidance On Field Of Application Annex D (Informative) Relationship With ISO/IEC 20000-2:2005 Information Technology Service management Part 2: Code of practice Bibliography

80001 SCOPE Defines roles to ensure the Key Properties Does not specify acceptable risk levels Applies after a medical device has been acquired by a Responsible Organization for incorporation into an ITnetwork Does not cover pre-market/pre-purchase risk management Applies throughout the life cycle of IT-network incorporating medical devices.

80001 SCOPE Continued Applies where there is no single medical device manufacturer assuming responsibility for addressing the Key Properties of the IT-network incorporating a medical device Does not apply to complete systems that include a network specified by a single manufacturer Does apply to complete systems that include a network specified by a single manufacturer if that system is modified, added to, or connected to another network

80001 SCOPE Continued Applies to Responsible Organizations, Medical Device Manufacturers, and Providers of Other Information Technology Does not apply to personal use applications where the Patient, Operator, and Responsible Organization are one and the same person In cases where a medical device is used at home under the supervision or instruction of the provider, that provider is deemed to be the Responsible Organization. Does not apply for personal use where the patient acquires and uses a medical device without the supervision or instruction of a provider.

Section 3 Roles and Responsibilities The Responsible Organization Entity accountable for the use and maintenance of a Medical IT-Network A few examples of Responsible Organizations include a hospital, a private clinician, or a telehealth organization. Top Management person or group of people who direct(s) and control(s) the Responsible Organization accountable for a Medical IT-Network at the highest level Significant responsibilities to establish policies, specify acceptable risk levels, and provision required resources The Medical IT-Network Risk Manager The person accountable to the Responsible Organization for Risk Management of a Medical IT-Network Significant responsibility for overall management, implementation, and monitoring of risk management process, reporting to Top Management, and go-live authorization Medical Device Manufacturer(s) Shall make available information describing the intended use and instructions necessary for the safe and effective use of the Medical Device.

Section 3 Roles and Responsibilities Continued Providers of Other Information Technology Providers of other (not MEDICAL DEVICES) information technology may provide: infrastructure components; infrastructure services; client devices not being MEDICAL DEVICES; servers; application software; or middleware. Each provider of other information technology (equipment and/or software) shall make available documentary information as follows: technical descriptions and technical manuals; required IT-NETWORK characteristics; recommended product configurations; known incompatibilities and restrictions; operating requirements; product corrective actions and recalls; and cyber security notices (warnings of known security vulnerabilities).

Role Relationships Medical Device Manufacturer Providers of Other Information Technology Responsible Organization Top Management Medical IT-Network Risk Manager

Importance of Top Management No matter how interested individual employees might be, or what assistance a manufacturer offers, or how insistent a certificating authority might be none of these factors will have a significant effect on safety without support from top management. John O'Brian, ALPA's Engineering and Air Safety Department.

Section 4 Life Cycle Risk Management Continued Responsible Organization Risk Management Policy For Risk Management For Incorporating Medical Devices Created by Top Management to establish balanced risk criteria for each of the Key Properties, describe processes for Event, Change-Release, Configuration, and Monitoring Management in terms that can be interpreted throughout all Risk management activities. Risk Management Process Implemented by Medical IT-Network Risk Manager

Section 4 Life Cycle Risk Management Continued Medical It-Network Risk Management Planning And Documentation Risk-Relevant Asset Description Information on each IT and Medical Device component of the IT infrastructure, including operational characteristics, configurations, identifiable patient data, security description Medical It-Network Documentation Physical & logical configurations, conformance statements, security, reliability, and data integrity information, etc. Responsibility Agreement Defines (e.g. by contract) roles & responsibilities of all relevant stakeholders, activities and equipment covered, and information required from each party Risk Management Plan For The Medical IT-Network Identifies stakeholders, defines uses and benefits, reasons for creation, monitoring requirements and criteria for acceptable risk

Section 4 Life Cycle Risk Management Continued Medical IT-Network Risk Management Risk Analysis Hazards must be identified and assigned risks Risk Evaluation Each hazard with unacceptable risks must have Risk Controls applied Risk Control Includes (in this order) Inherent Control by Design, Protective Measures, and Information for Assurance Risk controls must be evaluated for reviewed for new risks and their effectiveness validated If risk reduction is not practicable, a risk/benefit analysis must be conducted and documented Residual Risk Evaluation And Reporting

Section 4 Life Cycle Risk Management Continued Change-Release Management And Configuration Management Change-Release Management Process Created by the Responsible Organization, documented and implemented by the Medical IT-Network Risk Manager Decision On How To Apply Risk Management Change Permits may be approved for routine changes, if risk management shows negligible/acceptable risks New projects or substantial changes require full review Go-Live Before approval the Medical IT-Network Risk Manager reviews, approves, and documents residual risks and specified changes

Section 4 Life Cycle Risk Management Continued Live Network Risk Management Monitoring Monitoring is required to detect emerging risks, effectiveness of risk, and accuracy of original estimations of risk Monitored items include environmental changes, operational/performance feedback, information about components or similar networks, reported events, and audit results of policies and procedures Event Management Negative events shall be captured, documented, evaluated, and changes proposed, with corrective and preventive actions tracked and reported

Life Cycle Risk Management is neither Easy nor Impossible, but Necessary. Take nothing for granted; do not jump to conclusions; follow every possible clue to the extent of usefulness.... Apply the principle that there is no limit to the amount of effort justified to prevent the recurrence of one aircraft accident or the loss of one life. Accident Investigation Manual of the U.S. Air Force.

Section 5 Document Control Document Control Procedure All relevant documents in the Medical IT-Network life cycle shall be revised, amended, reviewed, and approved in accordance with a document control procedure. Medical IT-Network Risk Management File Provide traceability for each identified hazard to: the risk analysis; the risk evaluation; the implementation and verification of the risk control measures; and the assessment of the acceptability of any residual risk(s) with approval. Need not physically contain all the records and other documents; however, it should contain at least references or pointers to all required documentation.

Final Thoughts In flying I have learned that carelessness and overconfidence are usually far more dangerous than deliberately accepted risks. Wilbur Wright in a letter to his father, September 1900

Contact Information Rick Hampton Wireless Communications Manager Partners HealthCare System One Constitution Center, Suite 200 Charlestown, MA 02129 Office: 617-726-6633 Cell: 617-968-2262 RHampton@Partners.org

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information