IEC 80001-1:2010
(Main)Application of risk management for IT-networks incorporating medical devices - Part 1: Roles, responsibilities and activities
Application of risk management for IT-networks incorporating medical devices - Part 1: Roles, responsibilities and activities
IEC 80001-1:2010 Recognizing that medical devices are incorporated into IT-networks to achieve desirable benefits (for example, interoperability), defines the roles, responsibilities and activities that are necessary for risk management of IT-networks incorporating medical devices to address safety, effectiveness and data and system security (the key properties). IEC 80001-1:2010 does not specify acceptable risk levels. IEC 80001-1:2010 applies after a medical device has been acquired by a responsible organization and is a candidate for incorporation into an IT-network. It applies throughout the life cycle of IT-networks incorporating medical devices. IEC 80001-1:2010 applies where there is no single medical device manufacturer assuming responsibility for addressing the key properties of the IT-network incorporating a medical device. IEC 80001-1:2010 applies to responsible organizations, medical device manufacturers and providers of other information technology for the purpose of risk management of an IT-network incorporating medical devices as specified by the responsible organization. It does not apply to personal use applications where the patient, operator and responsible organization are one and the same person.
Application de la gestion des risques aux réseaux des technologies de l'information contenant les dispositifs médicaux - Partie 1: Fonctions, responsabilités et activités
La CEI 80001-1:2010 Etant donné que les dispositifs médicaux sont incorporés dans des réseaux TI afin d'en tirer des bénéfices (par exemple, l'interopérabilité), définit les fonctions, responsabilités et activités nécessaires à la gestion des risques des réseaux TI comportant des dispositifs médicaux afin de traiter la sécurité, l'efficacité et la sécurité des données et du système (les propriétés clés). La présente norme internationale ne spécifie pas les niveaux de risques acceptables. La CEI 80001-1:2010 s'applique dès lors qu'un dispositif médical a été acquis par un organisme responsable et qu'il est envisagé de l'incorporer dans un réseau IT. Elle s'applique tout au long du cycle de vie des réseaux TI comportant des dispositifs médicaux. La CEI 80001-1:2010 s'applique lorsqu'il n'existe aucun fabricant de dispositifs médicaux se portant responsable de la définition des propriétés clés du réseau TI comportant un dispositif médical. La CEI 80001-1:2010 s'applique aux organismes responsables, aux fabricants de dispositifs médicaux et aux fournisseurs d'autres technologies de l'information pour les besoins de la gestion des risques d'un réseau IT incorporant des dispositifs médicaux tels que spécifiés par l'organisme responsable. Elle ne s'applique pas aux applications d'utilisation personnelle où le patient, l'opérateur et l'organisme responsable ne désignent qu'une seule et même personne.
General Information
Relations
Standards Content (Sample)
IEC 80001-1
Edition 1.0 2010-10
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Application of risk management for IT-networks incorporating medical devices –
Part 1: Roles, responsibilities and activities
Application de la gestion des risques aux réseaux des technologies de
l’information contenant des dispositifs médicaux –
Partie 1: Fonctions, responsabilités et activités
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de la CEI ou du Comité national de la CEI du pays du demandeur.
Si vous avez des questions sur le copyright de la CEI ou si vous désirez obtenir des droits supplémentaires sur cette
publication, utilisez les coordonnées ci-après ou contactez le Comité national de la CEI de votre pays de résidence.
IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
ƒ Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
ƒ IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
ƒ Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
ƒ Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
A propos de la CEI
La Commission Electrotechnique Internationale (CEI) est la première organisation mondiale qui élabore et publie des
normes internationales pour tout ce qui a trait à l'électricité, à l'électronique et aux technologies apparentées.
A propos des publications CEI
Le contenu technique des publications de la CEI est constamment revu. Veuillez vous assurer que vous possédez
l’édition la plus récente, un corrigendum ou amendement peut avoir été publié.
ƒ Catalogue des publications de la CEI: www.iec.ch/searchpub/cur_fut-f.htm
Le Catalogue en-ligne de la CEI vous permet d’effectuer des recherches en utilisant différents critères (numéro de référence,
texte, comité d’études,…). Il donne aussi des informations sur les projets et les publications retirées ou remplacées.
ƒ Just Published CEI: www.iec.ch/online_news/justpub
Restez informé sur les nouvelles publications de la CEI. Just Published détaille deux fois par mois les nouvelles
publications parues. Disponible en-ligne et aussi par email.
ƒ Electropedia: www.electropedia.org
Le premier dictionnaire en ligne au monde de termes électroniques et électriques. Il contient plus de 20 000 termes et
définitions en anglais et en français, ainsi que les termes équivalents dans les langues additionnelles. Egalement appelé
Vocabulaire Electrotechnique International en ligne.
ƒ Service Clients: www.iec.ch/webstore/custserv/custserv_entry-f.htm
Si vous désirez nous donner des commentaires sur cette publication ou si vous avez des questions, visitez le FAQ du
Service clients ou contactez-nous:
Email: csc@iec.ch
Tél.: +41 22 919 02 11
Fax: +41 22 919 03 00
IEC 80001-1
Edition 1.0 2010-10
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Application of risk management for IT-networks incorporating medical devices –
Part 1: Roles, responsibilities and activities
Application de la gestion des risques aux réseaux des technologies de
l’information contenant des dispositifs médicaux –
Partie 1: Fonctions, responsabilités et activités
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
X
CODE PRIX
ICS 11.040.01; 35.240.80 ISBN 978-2-88912-221-9
– 2 – 80001-1 © IEC:2010
CONTENTS
FOREWORD.4
INTRODUCTION.6
1 Scope.9
2 Terms and definitions .9
3 Roles and responsibilities.14
3.1 General .14
3.2 RESPONSIBLE ORGANIZATION .14
3.3 TOP MANAGEMENT responsibilities .15
3.4 MEDICAL IT-NETWORK RISK MANAGER .16
3.5 MEDICAL DEVICE manufacturer(s).17
3.6 Providers of other information technology.18
4 Life cycle RISK MANAGEMENT in MEDICAL IT-NETWORKS.19
4.1 Overview .19
4.2 RESPONSIBLE ORGANIZATION RISK MANAGEMENT.20
4.2.1 POLICY FOR RISK MANAGEMENT for incorporating MEDICAL DEVICES.20
4.2.2 RISK MANAGEMENT PROCESS.21
4.3 MEDICAL IT-NETWORK RISK MANAGEMENT planning and documentation .21
4.3.1 Overview .21
4.3.2 RISK-relevant asset description.22
4.3.3 MEDICAL IT-NETWORK documentation .22
4.3.4 RESPONSIBILITY AGREEMENT .22
4.3.5 RISK MANAGEMENT plan for the MEDICAL IT-NETWORK .24
4.4 MEDICAL IT-NETWORK RISK MANAGEMENT.24
4.4.1 Overview .24
4.4.2 RISK ANALYSIS .24
4.4.3 RISK EVALUATION .25
4.4.4 RISK CONTROL .25
4.4.5 RESIDUAL RISK evaluation and reporting .26
4.5 CHANGE-RELEASE MANAGEMENT and CONFIGURATION MANAGEMENT .27
4.5.1 CHANGE-RELEASE MANAGEMENT PROCESS.27
4.5.2 Decision on how to apply RISK MANAGEMENT.27
4.5.3 Go-live .29
4.6 Live network RISK MANAGEMENT.29
4.6.1 Monitoring .29
4.6.2 EVENT MANAGEMENT .29
5 Document control .30
5.1 Document control procedure.30
5.2 MEDICAL IT-NETWORK RISK MANAGEMENT FILE.30
Annex A (informative) Rationale.31
Annex B (informative) Overview of RISK MANAGEMENT relationships .35
Annex C (informative) Guidance on field of application .36
Annex D (informative) Relationship with ISO/IEC 20000-2:2005 Information technology
– Service management – Part 2: Code of practice.38
Bibliography.42
80001-1 © IEC:2010 – 3 –
Figure 1 – Illustration of TOP MANAGEMENT responsibilities.16
Figure 2 – Overview of life cycle of MEDICAL IT-NETWORKS including RISK MANAGEMENT .20
Figure B.1 – Overview of roles and relationships .35
Figure D.1 – Service management processes .39
Table A.1 – Relationship between ISO 14971 and IEC 80001-1 .33
Table C.1 – IT-NETWORK scenarios that can be encountered in a clinical environment.36
Table D.1 – Relationship between IEC 80001-1 and ISO/IEC 20000-1:2005 or
ISO/IEC 20000-2:2005.40
– 4 – 80001-1 © IEC:2010
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS
INCORPORATING MEDICAL DEVICES –
Part 1: Roles, responsibilities and activities
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for ident
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.