Application of risk management for IT-networks incorporating medical devices - Part 1: Roles, responsibilities and activities

IEC 80001-1:2010 Recognizing that medical devices are incorporated into IT-networks to achieve desirable benefits (for example, interoperability), defines the roles, responsibilities and activities that are necessary for risk management of IT-networks incorporating medical devices to address safety, effectiveness and data and system security (the key properties). IEC 80001-1:2010 does not specify acceptable risk levels. IEC 80001-1:2010 applies after a medical device has been acquired by a responsible organization and is a candidate for incorporation into an IT-network. It applies throughout the life cycle of IT-networks incorporating medical devices. IEC 80001-1:2010 applies where there is no single medical device manufacturer assuming responsibility for addressing the key properties of the IT-network incorporating a medical device. IEC 80001-1:2010 applies to responsible organizations, medical device manufacturers and providers of other information technology for the purpose of risk management of an IT-network incorporating medical devices as specified by the responsible organization. It does not apply to personal use applications where the patient, operator and responsible organization are one and the same person.

Anwendung des Risikomanagements für IT-Netzwerke, die Medizinprodukte beinhalten - Teil 1: Aufgaben, Verantwortlichkeiten und Aktivitäten

Application de la gestion des risques aux réseaux des technologies de l’information contenant des dispositifs médicaux - Partie 1 : Fonctions, responsabilités et activités

La CEI 80001-1:2010 Etant donné que les dispositifs médicaux sont incorporés dans des réseaux TI afin d'en tirer des bénéfices (par exemple, l'interopérabilité), définit les fonctions, responsabilités et activités nécessaires à la gestion des risques des réseaux TI comportant des dispositifs médicaux afin de traiter la sécurité, l'efficacité et la sécurité des données et du système (les propriétés clés). La présente norme internationale ne spécifie pas les niveaux de risques acceptables. La CEI 80001-1:2010 s'applique dès lors qu'un dispositif médical a été acquis par un organisme responsable et qu'il est envisagé de l'incorporer dans un réseau IT. Elle s'applique tout au long du cycle de vie des réseaux TI comportant des dispositifs médicaux. La CEI 80001-1:2010 s'applique lorsqu'il n'existe aucun fabricant de dispositifs médicaux se portant responsable de la définition des propriétés clés du réseau TI comportant un dispositif médical. La CEI 80001-1:2010 s'applique aux organismes responsables, aux fabricants de dispositifs médicaux et aux fournisseurs d'autres technologies de l'information pour les besoins de la gestion des risques d'un réseau IT incorporant des dispositifs médicaux tels que spécifiés par l'organisme responsable. Elle ne s'applique pas aux applications d'utilisation personnelle où le patient, l'opérateur et l'organisme responsable ne désignent qu'une seule et même personne.

Uporaba upravljanja tveganja za omrežja IT, ki vključujejo medicinske naprave - 1. del: Vloge, odgovornosti in dejavnosti (IEC 80001-1:2010)

S spoznanjem, da MEDICINSKE NAPRAVE, ki so vgrajene v OMREŽJA IT, zato da se zagotovijo zaželene koristi (na primer MEDOBRATOVANJE), standard določa vloge, odgovornosti in dejavnosti, ki so potrebne za UPRAVLJANJE TVEGANJA OMREŽIJ IT, katere vsebujejo MEDICINSKE NAPRAVE za naslavljanje VARNOSTI, UČINKOVITOSTI ter PODATKOVNE IN SISTEMSKE VARNOSTI (KLJUČNE LASTNOSTI).  Ta mednarodni standard ne določa sprejemljive stopnje TVEGANJA.
OPOMBA 1: Dejavnosti UPRAVLJANJA TVEGANJ, opisane v tem standardu, so izpeljane iz tistih v ISO 14971 [4]. Razmerje med ISO 14971 in tem standardom je opisano v dodatku A.
Ta standard velja, potem ko MEDICINSKO NAPRAVO pridobi ODGOVORNA ORGANIZACIJA in ko je kandidat za vgradnjo v OMREŽJE IT.
OPOMBA 2: Ta standard ne zajema predtržnega OBVLADOVANJA TVEGANJ.
Ta standard velja v življenjskem ciklusu OMREŽIJ IT, ki vsebujejo MEDICINSKE NAPRAVE.
OPOMBA 3: Dejavnosti upravljanja življenjskega cikla, ki so opisane v tem standardu, so zelo podobne tistim v
ISO/IEC 20000-2 [10]. Razmerje med ISO/IEC 20000-2 in tem standardom je opisano v dodatku D.
Ta standard velja, kadar noben posamezni proizvajalec MEDICINSKIH NAPRAV ne prevzame odgovornosti za naslavljanje KLJUČNIH LASTNOSTIH OMREŽIJ IT, ki vsebujejo MEDICINSKO
NAPRAVO.
OPOMBA 4: Če en sam proizvajalec določa celotno MEDICINSKO NAPRAVO, ki vsebuje omrežje, potem vgradnja ali sestava MEDICINSKE NAPRAVE v skladu s proizvajalčevimi SPREMNIMI DOKUMENTI ni predmet določb tega standarda, ne glede na to, kdo vgradi ali sestavi MEDICINSKO NAPRAVO.
OPOMBA 5: Če en sam proizvajalec določa celotno MEDICINSKO NAPRAVO, ki vsebuje omrežje, so dodatki k tej MEDICINSKI NAPRAVI ali spreminjanje konfiguracije MECINSKE NAPRAVE, ki so različni od nekaterih, ki jih določi proizvajalec, predmet določb tega standarda.
Ta standard velja za ODGOVORNE ORGANIZACIJE, proizvajalce MEDICINSKIH NAPRAV in ponudnike drugih informacijskih tehnologij za namen OBVLADOVANJA TVEGANJ OMREŽJA IT, ki vsebuje MEDICINSKE NAPRAVE, kot določa ODGOVORNA ORGANIZACIJA.
Ta standard ne velja za osebno uporabo, kjer so bolnik, OPERATER in ODGOVORNA ORGANIZACIJA ena in ista oseba.
OPOMBA 6: Kadar se MEDICINSKA NAPRAVA uporablja doma pod nadzorom ali navodili ponudnika, se ponudnik šteje za ODGOVORNO ORGANIZACIJO. Osebna uporaba, ko bolnik pridobi in uporablja MEDICINSKO NAPRAVO brez nadzora ali navodil ponudnika, je zunaj področja uporabe tega standarda. Ta standard ne naslavlja regulativnih ali pravnih zahtev.

General Information

Status
Withdrawn
Publication Date
17-Mar-2011
Withdrawal Date
31-Jan-2014
Current Stage
9960 - Withdrawal effective - Withdrawal
Start Date
26-Oct-2024
Completion Date
26-Oct-2024

Relations

Buy Standard

Standard
EN 80001-1:2011
English language
44 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-maj-2011
8SRUDEDXSUDYOMDQMDWYHJDQMD]DRPUHåMD,7NLYNOMXþXMHMRPHGLFLQVNHQDSUDYH
GHO9ORJHRGJRYRUQRVWLLQGHMDYQRVWL ,(&
Application of risk management for IT-networks incorporating medical devices - Part 1:
Roles, responsibilities and activities (IEC 80001-1:2010)
Anwendung des Risikomanagements für IT-Netzwerke, die Medizinprodukte beinhalten -
Teil 1: Aufgaben, Verantwortlichkeiten und Aktivitäten (IEC 80001-1:2010)
Application de la gestion des risques aux réseaux des technologies de l’information
contenant des dispositifs médicaux - Partie 1: Fonctions, responsabilités et activités (CEI
80001-1:2010)
Ta slovenski standard je istoveten z: EN 80001-1:2011
ICS:
11.040.01 Medicinska oprema na Medical equipment in general
splošno
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN 80001-1
NORME EUROPÉENNE
March 2011
EUROPÄISCHE NORM
ICS 11.040.01; 35.240.80
English version
Application of risk management for IT-networks incorporating medical
devices -
Part 1: Roles, responsibilities and activities
(IEC 80001-1:2010)
Application de la gestion des risques aux Anwendung des Risikomanagements für
réseaux des technologies de l’information IT-Netzwerke, die Medizinprodukte
contenant des dispositifs médicaux - beinhalten -
Partie 1: Fonctions, responsabilités et Teil 1: Aufgaben, Verantwortlichkeiten und
activités Aktivitäten
(CEI 80001-1:2010) (IEC 80001-1:2010)

This European Standard was approved by CENELEC on 2011-02-01. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus,
the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia,
Spain, Sweden, Switzerland and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Management Centre: Avenue Marnix 17, B - 1000 Brussels

© 2011 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 80001-1:2011 E
Foreword
The text of document 62A/703/FDIS, future edition 1 of IEC 80001-1, prepared by SC 62A, Common
aspects of electrical equipment used in medical practice, of IEC TC 62, Electrical equipment in medical
practice, was submitted to the IEC-CENELEC parallel vote and was approved by CENELEC as
EN 80001-1 on 2011-02-01.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent
rights.
The following dates were fixed:
– latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement (dop) 2011-11-01
– latest date by which the national standards conflicting
with the EN have to be withdrawn (dow) 2014-02-01
Terms defined in Clause 2 of this standard are printed in SMALL CAPITALS.
For the purposes of this standard:
— “shall” means that compliance with a requirement is mandatory for compliance with this standard;
— “should” means that compliance with a requirement is recommended but is not mandatory for
compliance with this standard;
— “may” is used to describe a permissible way to achieve compliance with a requirement; and
— “establish” means to define, document, and implement.
__________
Endorsement notice
The text of the International Standard IEC 80001-1:2010 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards indicated:
[1] IEC 60601-1:2005 NOTE  Harmonized as EN 60601-1:2006 (not modified).
[2] IEC 61907:2009 NOTE  Harmonized as EN 61907:2010 (not modified).
[3] IEC 62304:2006 NOTE  Harmonized as EN 62304:2006 (not modified).
[4] ISO 14971:2007 NOTE  Harmonized as EN ISO 14971:2009 (not modified).
[7] ISO 16484-2:2004 NOTE  Harmonized as EN ISO 16484-2:2004 (not modified).
[8] ISO 9000:2005 NOTE  Harmonized as EN ISO 9000:2005 (not modified).
__________
IEC 80001-1
Edition 1.0 2010-10
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Application of risk management for IT-networks incorporating medical devices –
Part 1: Roles, responsibilities and activities

Application de la gestion des risques aux réseaux des technologies de
l’information contenant des dispositifs médicaux –
Partie 1: Fonctions, responsabilités et activités

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
X
CODE PRIX
ICS 11.040.01; 35.240.80 ISBN 978-2-88912-221-9

– 2 – 80001-1 © IEC:2010
CONTENTS
FOREWORD.4
INTRODUCTION.6
1 Scope.9
2 Terms and definitions .9
3 Roles and responsibilities.14
3.1 General .14
3.2 RESPONSIBLE ORGANIZATION .14
3.3 TOP MANAGEMENT responsibilities .15
3.4 MEDICAL IT-NETWORK RISK MANAGER .16
3.5 MEDICAL DEVICE manufacturer(s).17
3.6 Providers of other information technology.18
4 Life cycle RISK MANAGEMENT in MEDICAL IT-NETWORKS.19
4.1 Overview .19
4.2 RESPONSIBLE ORGANIZATION RISK MANAGEMENT.20
4.2.1 POLICY FOR RISK MANAGEMENT for incorporating MEDICAL DEVICES.20
4.2.2 RISK MANAGEMENT PROCESS.21
4.3 MEDICAL IT-NETWORK RISK MANAGEMENT planning and documentation .21
4.3.1 Overview .21
4.3.2 RISK-relevant asset description.22
4.3.3 MEDICAL IT-NETWORK documentation .22
4.3.4 RESPONSIBILITY AGREEMENT .22
4.3.5 RISK MANAGEMENT plan for the MEDICAL IT-NETWORK .24
4.4 MEDICAL IT-NETWORK RISK MANAGEMENT.24
4.4.1 Overview .24
4.4.2 RISK ANALYSIS .24
4.4.3 RISK EVALUATION .25
4.4.4 RISK CONTROL .25
4.4.5 RESIDUAL RISK evaluation and reporting .26
4.5 CHANGE-RELEASE MANAGEMENT and CONFIGURATION MANAGEMENT .27
4.5.1 CHANGE-RELEASE MANAGEMENT PROCESS.27
4.5.2 Decision on how to apply RISK MANAGEMENT.27
4.5.3 Go-live .29
4.6 Live network RISK MANAGEMENT.29
4.6.1 Monitoring .29
4.6.2 EVENT MANAGEMENT .29
5 Document control .30
5.1 Document control procedure.30
5.2 MEDICAL IT-NETWORK RISK MANAGEMENT FILE.30
Annex A (informative) Rationale.31
Annex B (informative) Overview of RISK MANAGEMENT relationships .35
Annex C (informative) Guidance on field of application .36
Annex D (informative) Relationship with ISO/IEC 20000-2:2005 Information technology
– Service management – Part 2: Code of practice.38
Bibliography.42

80001-1 © IEC:2010 – 3 –
Figure 1 – Illustration of TOP MANAGEMENT responsibilities.16
Figure 2 – Overview of life cycle of MEDICAL IT-NETWORKS including RISK MANAGEMENT .20
Figure B.1 – Overview of roles and relationships .35
Figure D.1 – Service management processes .39

Table A.1 – Relationship between ISO 14971 and IEC 80001-1 .33
Table C.1 – IT-NETWORK scenarios that can be encountered in a clinical environment.36
Table D.1 – Relationship between IEC 80001-1 and ISO/IEC 20000-1:2005 or
ISO/IEC 20000-2:2005.40

– 4 – 80001-1 © IEC:2010
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS
INCORPORATING MEDICAL DEVICES –

Part 1: Roles, responsibilities and activities

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.