Health software and health IT systems safety, effectiveness and security -- Foundational principles, concepts and terms

General Information

Status: Published
Current Stage: 4020 - DIS ballot initiated: 5 months
Start Date: 10-Nov-2019
Completion Date: 10-Nov-2019

Standard: ISO/DIS 81001-1 - Health software and health IT systems safety, effectiveness and security (English language, 57 pages)

Standards Content (sample)

DRAFT INTERNATIONAL STANDARD
ISO/DIS 81001-1
ISO/TC 215 Secretariat: ANSI
Voting begins on: 2019-11-10
Voting terminates on: 2020-02-02
Health software and health IT systems safety, effectiveness and security —
Part 1:
Foundational principles, concepts, and terms
ICS: 35.240.80
Reference number: ISO/DIS 81001-1:2019(E)

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

This document is circulated as received from the committee secretariat.
© ISO 2019
COPYRIGHT PROTECTED DOCUMENT
© ISO 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Core themes
4.1 General
4.2 Socio-technical ecosystem
4.3 System of systems
4.4 Life cycle of health software and health IT systems
4.5 Roles and responsibilities
4.6 Communication
4.7 Interdependence of safety, effectiveness and security
5 Foundational elements
5.1 General
5.2 Governance (intra organization focus)
5.2.1 General
5.2.2 Organization culture, roles and competencies
5.2.3 Quality management
5.2.4 Information management
5.2.5 Human factors and usability
5.3 Knowledge transfer (inter and intra organization collaboration)
5.3.1 General
5.3.2 Risk management
5.3.3 Safety management
5.3.4 Security management
5.3.5 Privacy management
Annex A (informative) Particular guidance and rationale
Annex B (informative) Concept diagrams
Annex C (informative) Use of assurance cases for knowledge transfer
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by a joint working group of ISO technical committee 215: Health informatics and subcommittee 62A: Common aspects of electrical equipment used in medical practice.

A list of all parts in the ISO 81001 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

While the benefits of digital health are widely accepted, the potential for inadvertent and adverse impacts on safety, effectiveness and security caused by health software and health IT systems is also becoming more apparent. Today's sophisticated health software and health IT systems provide advanced levels of decision support and integrate patient data between systems, across organizational lines, and across the continuum of care. In addition to the patient and healthcare system benefits this creates, there is also increased likelihood of software-induced adverse events. Design flaws, coding errors, incorrect implementation or configuration, data integrity issues, faults in decision support tools, poor alignment with clinical workflows and improper maintenance and use of such systems are examples of events with the potential to cause harm to patients.

Managing safety, effectiveness and security for health software and health IT systems requires a comprehensive and coordinated approach to optimizing these three properties. Many organizations and roles are involved throughout the life cycle of health software and health IT systems (including medical devices), so a common understanding of the relevant concepts, principles and terminology is important in standardizing the processes and inter-organizational communications to support a coordinated approach to managing safety, effectiveness and security.

This document addresses these issues by providing a framework of fundamental concepts, principles and vocabulary for optimizing the key properties of safety, effectiveness and security of health software and health IT systems, including those that can be classified as a medical device. In doing so, it provides the foundation for other standards (e.g. the ISO/IEC 80001 series) addressing specific aspects of the software life cycle (see Figure 1) in greater detail.

This document is for use by organizations and people who build, acquire, operate, maintain, use or decommission health software and health IT systems (including medical devices), as well as by those creating standards that address safety, security and effectiveness for health software, health IT systems and medical devices. It is applicable to all organizations involved, regardless of size, complexity or business model.

Annex A provides further information on the rationale for this document, the terms and definitions being used and their relationship to other standards addressing various aspects of health software and health IT systems safety, effectiveness and security.
Figure 1 — Life cycle framework addressing safety, security and effectiveness of health software and health IT systems

Health software and health IT systems safety, effectiveness
and security —
Part 1:
Foundational principles, concepts, and terms
1 Scope

This document articulates the foundational principles, concepts, terms and definitions for health software and health IT system safety, effectiveness and security across the full life cycle, from concept to decommissioning, represented in Figure 1 (see Introduction). It takes into account the evolving complex internal and external context in healthcare, including people, technology (hardware/software), organizations, processes, and external environment. It also addresses the transition points in the life cycle where transfers of responsibility occur, and the types of multi-lateral communication that are necessary. This document provides a unifying foundation of coherent concepts and terminology for other standards that address specific aspects of the safety, effectiveness, and security (including privacy) of health software and health IT systems.

The fundamental concepts and principles of managing safety, effectiveness and security are applicable to all parties involved in the health software and health IT systems life cycle including:

a) Organizations, health informatics professionals and clinical leaders designing, developing, integrating, implementing and operating these systems – for example health software developers and medical device manufacturers, system integrators, system administrators (including cloud and other IT service providers);
b) Healthcare service delivery organizations, healthcare providers and others who use these systems in providing health services;
c) Governments, health system funders, monitoring agencies, professional organizations and customers seeking confidence in an organization's ability to consistently provide safe, effective and secure health IT systems and services;
d) Organizations and interested parties seeking to improve communication in managing safety, effectiveness and security risks through a common understanding of the concepts and terminology used in safety, effectiveness and security management;
e) Organizations performing conformity assessments against the requirements of the ISO/IEC 80001 series;
f) Providers of training, assessment or advice in safety, effectiveness and security risk management for health software and systems; and
g) Developers of related safety, effectiveness and security standards.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

NOTE Annex B contains a diagrammatic representation of how the terms used in this document relate conceptually.
3.1
accompanying document
document accompanying health software (3.23) and a health IT system (3.22) or an accessory, containing information for the responsible organization (3.35) or operator, particularly regarding safety (3.55)

Note 1 to entry: Adapted from IEC 60601-1:2005 definition 3.4 by replacing medical electrical equipment and medical electrical system with health software and health IT system and replacing basic safety and essential performance with safety in order to expand the scope to health software and health IT system.

3.2
administrator
role (3.53) responsible for the ongoing operation of the implemented health IT system (3.22) and ensuring it is safeguarded and maintained on an ongoing basis

3.3
asset
physical or digital entity that has value to an individual, an organization (3.35) or a government

[SOURCE: ISO/IEC JTC 1/SC 41 N0317, 2017-11-12]

3.4
assurance case
reasoned, auditable artefact created that supports the contention that its top-level claim (or set of claims) is satisfied, including systematic argumentation and its underlying evidence and explicit assumptions that support the claim(s)

Note 1 to entry: An assurance case contains the following and their relationships:

— one or more claims about properties;
— arguments that logically link the evidence and any assumptions to the claim(s);
— a body of evidence and possibly assumptions supporting these arguments for the claim(s); and
— justification of the choice of top-level claim and the method of reasoning.

[SOURCE: ISO/IEC 15026-1:2019, 3.1.2]
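The four elements listed in Note 1 to entry (claims, arguments, evidence with explicit assumptions, and a justification for the top-level claim) can be checked mechanically before an assurance case is handed across an organizational boundary. The block below is an added example written for this page; it is not code from ISO/DIS 81001-1, ISO/IEC 15026 or any ISO tool. The `Claim`, `Argument` and `AssuranceCase` data model, the `check_case` and `sample_case` functions, the identifiers C1, C2, A1, A2, E1, E2, S1 and the artefact references they point to are all constructed for illustration and are not drawn from the standard.

```python
"""Structural check of an assurance case, following the elements listed in
3.4: claims, arguments that link evidence and assumptions to claims, a body
of evidence, explicit assumptions, and a justification for the top-level
claim. Added example for this page; the data model and the sample case are
constructed and are not taken from ISO/DIS 81001-1 or ISO/IEC 15026."""
from dataclasses import dataclass, field


@dataclass
class Claim:
    id: str
    text: str
    argued_by: list = field(default_factory=list)   # argument ids supporting this claim
    justification: str = ""                          # required for the top-level claim


@dataclass
class Argument:
    id: str
    text: str
    evidence: list = field(default_factory=list)     # evidence ids
    subclaims: list = field(default_factory=list)    # claim ids this argument decomposes into
    assumptions: list = field(default_factory=list)  # assumption ids the argument relies on


@dataclass
class AssuranceCase:
    top_claim: str
    claims: dict        # id -> Claim
    arguments: dict     # id -> Argument
    evidence: dict      # id -> reference to the artefact (report, log, test result)
    assumptions: dict   # id -> assumption statement


def check_case(case: AssuranceCase) -> list:
    """Return a list of findings; an empty list means every claim is reached by
    an argument, every argument rests on defined evidence or sub-claims, every
    assumption is declared explicitly, and no claim supports itself."""
    findings = []
    top = case.claims.get(case.top_claim)
    if top is None:
        return [f"top-level claim {case.top_claim} is not defined"]
    if not top.justification:
        findings.append(f"{top.id}: no justification given for the choice of top-level claim")

    visited, stack = set(), []   # stack holds the claim chain currently being expanded

    def visit_claim(cid):
        if cid in stack:
            findings.append(f"{cid}: circular support via {' -> '.join(stack + [cid])}")
            return
        if cid in visited:
            return
        visited.add(cid)
        stack.append(cid)
        claim = case.claims.get(cid)
        if claim is None:
            findings.append(f"{cid}: referenced claim is not defined")
        else:
            if not claim.argued_by:
                findings.append(f"{cid}: claim has no argument")
            for aid in claim.argued_by:
                arg = case.arguments.get(aid)
                if arg is None:
                    findings.append(f"{cid}: argument {aid} is not defined")
                    continue
                for eid in arg.evidence:
                    if eid not in case.evidence:
                        findings.append(f"{aid}: evidence {eid} is not defined")
                for sid in arg.assumptions:
                    if sid not in case.assumptions:
                        findings.append(f"{aid}: assumption {sid} is not declared explicitly")
                if not arg.evidence and not arg.subclaims:
                    findings.append(f"{aid}: argument rests on no evidence or sub-claim")
                for sub in arg.subclaims:
                    visit_claim(sub)
        stack.pop()

    visit_claim(case.top_claim)
    return findings


def sample_case(drop_evidence: bool = False) -> AssuranceCase:
    """Constructed two-level case about a hypothetical HDO interface; the
    identifiers and artefact names are invented for illustration."""
    evidence = {
        "E1": "Interface inventory export INV-2019-11 (constructed reference)",
        "E2": "Configuration review record CR-2019-11 showing TLS 1.2+ on every listed interface",
    }
    if drop_evidence:
        evidence.pop("E2")   # simulate a reviewer finding that the artefact was never attached
    return AssuranceCase(
        top_claim="C1",
        claims={
            "C1": Claim("C1", "Patient data in transit between the EHR and the laboratory system is protected",
                        ["A1"], justification="Transport exposure is the dominant hazard in the risk assessment"),
            "C2": Claim("C2", "Every interface between the two systems enforces TLS 1.2 or later", ["A2"]),
        },
        arguments={
            "A1": Argument("A1", "Argument over each interface in the inventory", evidence=["E1"], subclaims=["C2"]),
            "A2": Argument("A2", "Configuration review of the deployed interfaces", evidence=["E2"], assumptions=["S1"]),
        },
        evidence=evidence,
        assumptions={"S1": "The interface inventory is complete"},
    )


if __name__ == "__main__":
    print("well-formed:", check_case(sample_case()))                      # []
    print("missing artefact:", check_case(sample_case(drop_evidence=True)))
```

The check is deliberately structural: it says nothing about whether the evidence is convincing, only whether the case is complete enough to be audited, which is the property the definition calls "auditable". The cycle check matters in practice because a sub-claim that is argued from the top-level claim it is meant to support looks complete on paper but carries no evidence at all.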
3.5
change management
process (3.38) for recording, coordination, approval and monitoring of all changes

[SOURCE: ISO/IEC/TS 22237-7:2018, 3.1.3]

3.6
change-release management
process (3.38) that ensures that all changes to the health IT infrastructure (and its component (3.9) parts) are assessed, approved, implemented and reviewed in a controlled manner and that changes are delivered, distributed, and tracked, leading to release of the change in a controlled manner with appropriate input and output with configuration management (3.10)

Note 1 to entry: Adapted from ISO/IEC 20000-1:2005.
3.7
clinical change management
strategic and systematic approach that supports people and their organizations (3.35) in the successful transition and adoption of electronic health solutions, with a focus on outcomes including solution adoption by users (3.65) and the realization of benefits

Note 1 to entry: Adapted from A Framework and Toolkit for Managing eHealth Change: People and Processes, Canada Health Infoway Change Management Framework – 2011.

3.8
cloud service
one or more capabilities offered via cloud computing invoked using a defined interface

[SOURCE: ISO/IEC 17788:2014, 3.2.8]

3.9
component
collection of system (3.60) resources that (a) forms a physical or logical part of the system, (b) has specified functions and interfaces, and (c) is treated (e.g., by policies or specifications) as existing independently of other parts of the system

[SOURCE: RFC 4949, modified — Note 1 deleted.]

3.10
configuration management
process (3.38) that ensures that configuration information of components (3.9) within the health IT infrastructure (3.21) is defined and maintained in an accurate and controlled manner, and provides a mechanism for identifying, controlling and tracking versions of the health IT infrastructure

Note 1 to entry: Adapted from ISO/IEC 20000-1:2005, Subclause 9.1.

3.11
customer
person or organization (3.35) that could or does receive a product (3.39) or a service that is intended for or required by this person or organization

Note 1 to entry: A customer can be internal or external to the organization.

[SOURCE: ISO 9000:2015, 3.2.4, modified — Example deleted.]

3.12
developer
role (3.53) responsible for execution of the design and development phase (from concept to release and maintenance) of health software (3.23) or a health IT system (3.22)

Note 1 to entry: A developer could, for example, be part of a manufacturing organization (3.35), a supplier of services, or an HDO (3.24).

3.13
effectiveness
ability to produce the intended result

3.14
event
occurrence or change of a particular set of circumstances

Note 1 to entry: An event can be one or more occurrences and can have several causes.

Note 2 to entry: An event can consist of something not happening.

Note 3 to entry: An event can sometimes be referred to as an "incident" or "accident".

[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry deleted.]
3.15
exploit
defined way to breach the security (3.56) of information systems (3.60) through a vulnerability (3.67)

[SOURCE: ISO/IEC 27039:2015, 2.9]

3.16
exposure
extent to which an organization (3.35) and/or stakeholder is subject to an event (3.14)

[SOURCE: ISO Guide 73:2009, 3.6.1.2]

3.17
harm
injury or damage to the health of people, or damage to property or the environment

[SOURCE: ISO/IEC Guide 63:2019, 3.1]

3.18
hazard
potential source of harm (3.17)

[SOURCE: ISO/IEC Guide 63:2019, 3.2]

3.19
hazardous situation
circumstance in which people, property or the environment is/are exposed to one or more hazards (3.18)

[SOURCE: ISO/IEC Guide 63:2019, 3.3]

3.20
health information technology
health IT
the documented and intended application of information technology to the collection, storage, processing, retrieval, and communication of information relevant to health, patient care, and well-being

3.21
health IT infrastructure
combined set of IT assets (3.3) available to the individual or organization (3.35) for developing, configuring, integrating, maintaining, and using IT services and supporting health, patient care and other organizational objectives

Note 1 to entry: As per the definition for asset this can include the following:

a) data and information;
b) health software (3.23) (including medical devices (3.34), health applications, middleware, and operating system (3.60) software);
c) hardware components such as computers, mobile devices, servers, databases, and networks;
d) services, including security (3.56), software development, IT operations and externally provided services such as data centres, internet and software-as-a-service and cloud solutions;
e) people, and their qualifications, skills and experience;
f) technical procedures and documentation to manage and support the health IT infrastructure;
g) HIT systems that are configured and implemented to address organizational objectives by leveraging the above assets;
h) intangibles, such as reputation and image.
3.22
health IT system
a combination of interacting health information elements (including health software (3.23), medical devices (3.34), IT hardware, interfaces, data, procedures and documentation) that is configured and implemented to support and enable an individual or organization's (3.35) specific health objectives

3.23
health software
software intended to be used specifically for managing, maintaining, or improving health of individual persons, or the delivery of care, or which has been developed for the purpose of being incorporated into a medical device (3.34)

Note 1 to entry: Health software fully includes what is considered software as a medical device.

3.24
healthcare delivery organization
HDO
facility or enterprise such as a clinic or hospital that provides healthcare services

3.25
implementation (of a system)
life cycle (3.32) phase at the end of which the hardware, software and procedures of the system (3.60) considered become operational

[SOURCE: ISO/IEC 2382:2015, 2122692, modified — Change "system development" to "life cycle" and delete notes to entry.]

3.26
implementer
role (3.53) responsible for the clinical installation, workflow optimization, and training of health software (3.23) and health IT systems (3.22) in the clinical setting

Note 1 to entry: An implementer can be the manufacturer (3.33), the HDO (3.24), or a third party.

3.27
integrator
role (3.53) responsible for the integration of health software (3.23) and health IT systems (3.22) with the existing health IT systems, medical devices (3.34), and technology being used by the healthcare delivery organization (3.24), including technical installation, configuration, and data migration

3.28
intended use
intended purpose
use for which a product (3.39), process (3.38) or service is intended according to the specifications, instructions and information provided by the manufacturer (3.33)

Note 1 to entry: The intended medical indication, patient population, part of the body or type of tissue interacted with, user (3.65) profile, use environment, and operating principle are typical elements of the intended use.

[SOURCE: ISO/IEC Guide 63:2019, 3.4, modified — Add admitted term intended purpose.]

3.29
interoperability
ability of two or more systems (3.60) or components (3.9) to exchange information and to use the information that has been exchanged

[SOURCE: IEEE standard computer dictionary: a compilation of IEEE standard computer glossaries. New York: Institute of Electrical and Electronics Engineers; 1990]
3.30
IT-network
system (3.60) or systems composed of communicating nodes and transmission links to provide physically linked or wireless transmission between two or more specified communication nodes

Note 1 to entry: Adapted from IEC 61907:2009, definition 3.1.1.

3.31
key properties
three risk (3.44) managed characteristics (safety (3.55), effectiveness (3.13), and security (3.56)) of health software (3.23), health IT systems (3.22), and health IT infrastructures (3.21)

3.32
life cycle
series of all phases in the life of a product (3.39) or system (3.60), from the initial conception to final decommissioning and disposal

[SOURCE: ISO/IEC Guide 63:2019, 3.5, modified — The words "medical device" have been replaced with "product or system".]

3.33
manufacturer
natural or legal person with responsibility for design and/or manufacture of a medical device (3.34) with the intention of making the medical device available for use, under his name; whether or not such a medical device is designed and/or manufactured by that person himself or on his behalf by another person(s)

Note 1 to entry: This "natural or legal person" has ultimate legal responsibility for ensuring compliance with all applicable regulatory requirements for the medical devices in the countries or jurisdictions where it is intended to be made available or sold, unless this responsibility is specifically imposed on another person by the Regulatory Authority within that jurisdiction.

Note 2 to entry: The manufacturer's responsibilities are described in other GHTF guidance documents. These responsibilities include meeting both pre-market requirements and post-market requirements, such as adverse event (3.14) reporting and notification of corrective actions.

Note 3 to entry: "Design and/or manufacture" can include specification development, production, fabrication, assembly, processing, packaging, repackaging, labelling, relabelling, sterilization, installation, or remanufacturing of a medical device; or putting a collection of devices, and possibly other products (3.39), together for a medical purpose.

Note 4 to entry: Any person who assembles or adapts a medical device that has already been supplied by another person for an individual patient, in accordance with the instructions for use, is not the manufacturer, provided the assembly or adaptation does not change the intended use (3.28) of the medical device.

Note 5 to entry: Any person who changes the intended use of, or modifies, a medical device without acting on behalf of the original manufacturer and who makes it available for use under his own name, should be considered the manufacturer of the modified medical device.

Note 6 to entry: An authorized representative, distributor or importer who only adds its own address and contact details to the medical device or the packaging, without covering or changing the existing labelling, is not considered a manufacturer.

Note 7 to entry: To the extent that an accessory is subject to the regulatory requirements of a medical device, the person responsible for the design and/or manufacture of that accessory is considered to be a manufacturer.

[SOURCE: ISO/IEC Guide 63:2019, 3.6]

3.34
medical device
instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer (3.33) to be used, alone or in combination, for human beings, for one or more of the specific medical purpose(s) of
— diagnosis, prevention, monitoring, treatment or alleviation of disease,

— diagnosis, monitoring, treatment, alleviation of or compensation for an injury,

— investigation, replacement, modification, or support of the anatomy or of a physiological process,

— supporting or sustaining life,
— control of conception,
— disinfection of medical devices,
— providing information by means of in vitro e
...
