Application of risk management for IT-networks incorporating medical devices

IEC/TR 80001-2-4:2012(E), which is a technical report, provides guidance to help a healthcare delivery organization fulfil its obligations as a responsible organization in the application of IEC 80001-1. A healthcare delivery organization includes hospitals, doctors' offices, community care homes and clinics. Specifically, this guide helps the healthcare delivery organization assess the impact of IEC 80001-1 on the organization and establish a series of business-as-usual processes to manage RISK in the creation, maintenance and upkeep of its medical IT-networks. This technical report will be useful to those responsible for establishing an IEC 80001-1 compliant risk management framework within a healthcare delivery organization that expects to establish one or more medical IT-networks. It provides help through the key decisions and steps required to establish a risk management framework before the organization embarks on a detailed risk assessment of an individual instance of a medical IT-network. The steps are supported by a series of decision points to steer the responsible organization through the process of understanding the medical IT-network context and identifying any organizational changes required to execute the responsibilities of top management.

General Information

Status: Published
Publication Date: 02-Dec-2012
Current Stage: 6060 - International Standard published
Start Date: 30-Nov-2012
Completion Date: 03-Dec-2012
Technical report: IEC/TR 80001-2-4:2012 - Application of risk management for IT-networks incorporating medical devices
Language: English
Length: 18 pages

Standards Content (sample)

IEC/TR 80001-2-4
Edition 1.0 2012-11
TECHNICAL REPORT

Application of risk management for IT-networks incorporating medical devices –
Part 2-4: Application guidance – General implementation guidance for healthcare delivery organizations
IEC/TR 80001-2-4:2012(E)
THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2012 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester.

If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11, Fax: +41 22 919 03 00, info@iec.ch, www.iec.ch

About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigenda or an amendment might have been published.

Useful links:

IEC publications search - www.iec.ch/searchpub
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and withdrawn publications.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available on-line and also once a month by email.

Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 30 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary (IEV) on-line.

Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 11.040.01; 35.240.80
ISBN 978-2-83220-525-9
TR 80001-2-4 © IEC:2012(E)
CONTENTS

FOREWORD
INTRODUCTION
1 Scope
1.1 Purpose
1.2 HEALTHCARE DELIVERY ORGANIZATION
1.3 Field of application
1.4 Prerequisites
2 Normative references
3 Terms and definitions
4 RESPONSIBLE ORGANIZATION
4.1 TOP MANAGEMENT responsibilities
4.2 Small RESPONSIBLE ORGANIZATION – points to consider
4.3 Large RESPONSIBLE ORGANIZATION – points to consider
5 RISK MANAGEMENT implementation steps
5.1 Overview
5.2 Determine the clinical context within which the healthcare provision is made
5.3 Establish underlying RISK framework
5.4 Determining and understanding a MEDICAL IT-NETWORK
5.4.1 Performing a RISK ASSESSMENT
5.4.2 MEDICAL IT-NETWORK configuration
5.4.3 Development status of MEDICAL IT-NETWORK
5.4.4 Manufacturer identification
5.4.5 External IT and bio-medical engineering support
6 RESPONSIBILITY AGREEMENTS
Annex A (informative) MEDICAL IT-NETWORK configuration examples
Bibliography

Figure A.1 – Standalone MEDICAL IT-NETWORK outside the scope of IEC 80001-1
Figure A.2 – Standalone MEDICAL IT-NETWORK
Figure A.3 – Collaborative MEDICAL IT-NETWORK
Figure A.4 – Centralized MEDICAL IT-NETWORK
INTERNATIONAL ELECTROTECHNICAL COMMISSION

APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INCORPORATING MEDICAL DEVICES –
Part 2-4: Application guidance – General implementation guidance for healthcare delivery organizations

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example "state of the art".

IEC 80001-2-4, which is a technical report, has been prepared by a Joint Working Group of subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical equipment in medical practice, and ISO technical committee 215: Health informatics.

The text of this technical report is based on the following documents:

Enquiry draft: 62A/818/DTR
Report on voting: 62A/835/RVC

Full information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table. In ISO, the technical report has been approved by 15 P-members out of 16 having cast a vote.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

Terms used throughout this technical report that have been defined in Clause 3 appear in SMALL CAPITALS.

A list of all parts of the IEC 80001 series, published under the general title Application of risk management for IT-networks incorporating medical devices, can be found on the IEC website.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

A bilingual version of this publication may be issued at a later date.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this document using a colour printer.
INTRODUCTION

This technical report is a guide to help a HEALTHCARE DELIVERY ORGANIZATION (see 1.2) fulfil its obligations as a RESPONSIBLE ORGANIZATION in the application of IEC 80001-1, in conjunction with other technical reports in this series. Specifically, this guide helps the HEALTHCARE DELIVERY ORGANIZATION assess the impact of the standard on the organization and establish a series of business as usual PROCESSES to manage RISK in the creation, maintenance and upkeep of its MEDICAL IT-NETWORKS. Whilst this document is aimed solely at HEALTHCARE DELIVERY ORGANIZATIONS, the term RESPONSIBLE ORGANIZATION is used throughout this document to ensure consistency with IEC 80001-1. In this respect the two terms are synonymous.

This technical report will be useful to those responsible for establishing an IEC 80001-1 compliant RISK MANAGEMENT framework within a RESPONSIBLE ORGANIZATION that expects to establish one or more MEDICAL IT-NETWORKS. In particular, the RISK MANAGEMENT framework should address the KEY PROPERTIES – SAFETY, DATA AND SYSTEMS SECURITY and EFFECTIVENESS – as defined in IEC 80001-1. The purpose of the framework is to ensure that the potential problems associated with the incorporation of MEDICAL DEVICES into IT-NETWORKS, identified in IEC 80001-1, are avoided.

Defining and implementing the RISK MANAGEMENT framework, and the business change that can result, will require the RESPONSIBLE ORGANIZATION to draw upon a range of skills from within the organization: managerial, clinical and technical. Where such skills are not available within the RESPONSIBLE ORGANIZATION, consideration should be given to collaboration with similar organizations or to engaging experts in the field. It is important that the RESPONSIBLE ORGANIZATION be able to draw upon expertise with respect to appropriate standards and their corresponding technical reports.

In establishing a RISK MANAGEMENT framework, a RESPONSIBLE ORGANIZATION will need to take account of:
– the size and capabilities of the organization;
– the extent of its IT operations and the complexity of its current infrastructure and systems; and
– the cost of implementing IEC 80001-1.

It is expected that some of the above factors, for example the size of IT operations and the complexity of the networks, will be proportionate to the size of the organization. It is important that the framework itself does not create patient RISK by placing unnecessary demands on clinical staff; at the same time, limiting that workload should not introduce avoidable new RISKS when a new technology is implemented.

In taking a RESPONSIBLE ORGANIZATION through the key decisions and steps required to successfully establish a RISK MANAGEMENT framework for MEDICAL IT-NETWORKS, this document refers to small and large organizations. These are subjective terms, for which no precise measures are given, though:
• a small organization could be a doctor's practice with:
– a few clinicians, or
– many clinicians, a consolidated IT function and a highly centralized governance structure;
• a large organization could be:
– a multi-hospital conglomerate, or
– an organization with distributed clinics and a mixture of in-house and outsourced clinical and IT governance.

Small organizations may also find the guidance identified under large organizations relevant.

The RISK MANAGEMENT framework developed by a RESPONSIBLE ORGANIZATION following the guidance in this technical report needs to fit into the formal management systems that are routinely used for normal business: the business as usual PROCESSES. Such business as usual PROCESSES need to ensure RISK MANAGEMENT is part of the on-going requirement when systems are changed or new systems are deployed by:
– including the RISK MANAGEMENT PROCESSES in the existing management PROCESSES, for example the organization's Quality Management System;
– ensuring that the internal audit schedule includes the RISK MANAGEMENT PROCESSES;
– making sure RISK MANAGEMENT training is included on induction of new staff and provided to existing staff; and
– ensuring RISK MANAGEMENT is undertaken for both new work and changes to existing MEDICAL IT-NETWORKS.

Having established a RISK MANAGEMENT framework, the RESPONSIBLE ORGANIZATION will be ready to undertake a detailed RISK ASSESSMENT (see IEC/TR 80001-2-1 [1]).
1 Scope
1.1 Purpose
This technical report helps a RESPONSIBLE ORGANIZATION through the key decisions and steps required to establish a RISK MANAGEMENT framework, before the organization embarks on a detailed RISK ASSESSMENT of an individual instance of a MEDICAL IT-NETWORK. The steps are supported by a series of decision points to steer the RESPONSIBLE ORGANIZATION through the PROCESS of understanding the MEDICAL IT-NETWORK context and identifying any organizational changes required to execute the responsibilities of TOP MANAGEMENT as defined in Figure 1 of IEC 80001-1:2010.
1.2 HEALTHCARE DELIVERY ORGANIZATION
This technical report is addressed to all HEALTHCARE DELIVERY ORGANIZATIONS. A HEALTHCARE DELIVERY ORGANIZATION includes hospitals, doctors' offices, community care homes and clinics.

In the provision of a MEDICAL IT-NETWORK containing a MEDICAL DEVICE within a HEALTHCARE DELIVERY ORGANIZATION there can be a number of RESPONSIBLE ORGANIZATIONS. For the purpose of this document the focus is the HEALTHCARE DELIVERY ORGANIZATION and its obligations with respect to IEC 80001-1.

It is important for the HEALTHCARE DELIVERY ORGANIZATION to identify the RESPONSIBLE ORGANIZATION(S) responsible for any aspect of the network which is subject to IEC 80001-1. This allows a clear assignment of the roles and responsibilities of that standard.

1.3 Field of application
This technical report details the steps to be undertaken by the RESPONSIBLE ORGANIZATION in implementing the requirements of 3.1 to 3.3 and 4.1 to 4.6 of IEC 80001-1:2010.

NOTE It is assumed that the RESPONSIBLE ORGANIZATION will consider IEC/TR 80001-2-1 [1] for detailed advice in satisfying 4.4 of IEC 80001-1:2010.
1.4 Prerequisites
The International Standard IEC 80001-1:2010 is a prerequisite to this technical report. The guidance in this technical report is intended to help a RESPONSIBLE ORGANIZATION establish a RISK MANAGEMENT framework to satisfy the underlying requirements of IEC 80001-1, ensuring:
– RISK MANAGEMENT policy and PROCESSES are in place;
– probability, severity, and RISK acceptability scales are specified; and
– MEDICAL IT-NETWORKS are well defined.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply:

3.1
ACCOMPANYING DOCUMENT
a document accompanying a MEDICAL DEVICE or an accessory and containing information for the RESPONSIBLE ORGANIZATION or OPERATOR, particularly regarding SAFETY
Note 1 to entry: Adapted from IEC 60601-1:2005, definition 3.4.
[SOURCE: IEC 80001-1:2010, 2.1]

3.2
CHANGE-RELEASE MANAGEMENT
PROCESS that ensures that all changes to the IT-NETWORK are assessed, approved, implemented and reviewed in a controlled manner and that changes are delivered, distributed, and tracked, leading to release of the change in a controlled manner with appropriate input and output with CONFIGURATION MANAGEMENT
Note 1 to entry: Adapted from ISO/IEC 20000-1:2005, Subclauses 9.2 (change management) and 10.1 (release management).
[SOURCE: IEC 80001-1:2010, 2.2]

3.3
CONFIGURATION MANAGEMENT
a PROCESS that ensures that configuration information of components and the IT-NETWORK are defined and maintained in an accurate and controlled manner, and provides a mechanism for identifying, controlling and tracking versions of the IT-NETWORK
Note 1 to entry: Adapted from ISO/IEC 20000-1:2005, Subclause 9.1.
[SOURCE: IEC 80001-1:2010, 2.4]

3.4
DATA AND SYSTEMS SECURITY
an operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability
Note 1 to entry: Security, when mentioned in this technical report, should be taken to include DATA AND SYSTEMS SECURITY.
Note 2 to entry: DATA AND SYSTEMS SECURITY is assured through a framework of policy, guidance, infrastructure, and services designed to protect information assets and the systems that acquire, transmit, store, and use information in pursuit of the organization's mission.
[SOURCE: IEC 80001-1:2010, 2.5]
3.5
EFFECTIVENESS
ability to produce the intended result for the patient and the RESPONSIBLE ORGANIZATION
[SOURCE: IEC 80001-1:2010, 2.6]

3.6
EVENT MANAGEMENT
a PROCESS that ensures that all events that can or might negatively impact the operation of the IT-NETWORK are captured, assessed, and managed in a controlled manner
Note 1 to entry: Adapted from ISO/IEC 20000-1:2005, Subclauses 8.2 (incident management) and 8.3 (problem management).
[SOURCE: IEC 80001-1:2010, 2.7]

3.7
HARM
physical injury or damage to the health of people, or damage to property or the environment, or reduction in EFFECTIVENESS, or breach of DATA AND SYSTEMS SECURITY
Note 1 to entry: Adapted from ISO 14971:2007, definition 2.2.
[SOURCE: IEC 80001-1:2010, 2.8]

3.8
HAZARD
potential source of HARM
[SOURCE: IEC 80001-1:2010, 2.9]

3.9
HAZARDOUS SITUATION
circumstance in which people, property, or the environment are exposed to one or more HAZARD(S)
[SOURCE: ISO 14971:2007, 2.4]

3.10
HEALTHCARE DELIVERY ORGANIZATION
one or more RESPONSIBLE ORGANIZATIONS
Note 1 to entry: Within this technical report, HEALTHCARE DELIVERY ORGANIZATIONS are considered to be professional health organizations including hospitals, doctors' offices, community care homes and clinics.

3.11
IT-NETWORK (INFORMATION TECHNOLOGY NETWORK)
a system or systems composed of communicating nodes and transmission links to provide physically linked or wireless transmission between two or more specified communication nodes
Note 1 to entry: Adapted from IEC 61907:2009, definition 3.1.1.
Note 2 to entry: The scope of the MEDICAL IT-NETWORK in this standard is defined by the RESPONSIBLE ORGANIZATION based on where the MEDICAL DEVICES in the MEDICAL IT-NETWORK are located and the defined use of the network. It can contain IT infrastructure, home health and non-clinical contexts.
[SOURCE: IEC 80001-1:2010, 2.12]
3.12
KEY PROPERTIES
three RISK managed characteristics (SAFETY, EFFECTIVENESS, and DATA AND SYSTEMS SECURITY) of MEDICAL IT-NETWORKS
[SOURCE: IEC 80001-1:2010, 2.13]

3.13
MEDICAL DEVICE
means any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar or related article:
a) intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific purpose(s) of:
– diagnosis, prevention, monitoring, treatment or alleviation of disease,
– diagnosis, monitoring, treatment, alleviation of or compensation for an injury,
– investigation, replacement, modification, or support of the anatomy or of a physiological PROCESS,
– supporting or sustaining life,
– control of conception,
– disinfection of MEDICAL DEVICES,
– providing information for medical or diagnostic purposes by means of in vitro examination of specimens derived from the human body; and
b) which does not achieve its primary intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its intended function by such means.
Note 1 to entry: The definition of a device for in vitro examination includes, for example, reagents, calibrators, sample collection and storage devices, control materials, and related instruments or apparatus. The information provided by such an in vitro diagnostic device may be for diagnostic, monitoring or compatibility purposes. In some jurisdictions, some in vitro diagnostic devices, including reagents and the like, may be covered by separate regulations.
Note 2 to entry: Products which may be considered to be MEDICAL DEVICES in some jurisdictions but for which there is not yet a harmonized approach, are:
– aids for disabled/handicapped people;
– devices for the treatment/diagnosis of diseases and injuries in animals;
– accessories for MEDICAL DEVICES (see Note 3 to entry);
– disinfection substances;
– devices incorporating animal and human tissues which may meet the requirements of the above definition but are subject to different controls.
Note 3 to entry: Accessories intended specifically by manufacturers to be used together with a 'parent' MEDICAL DEVICE to enable that MEDICAL DEVICE to achieve its intended purpose should be subject to the same GHTF procedures as apply to the MEDICAL DEVICE itself. For example, an accessory will be classified as though it is a MEDICAL DEVICE in its own right. This may result in the accessory having a different classification than the 'parent' device.
Note 4 to entry: Components to MEDICAL DEVICES are generally controlled through the manufacturer's quality management system and the conformity assessment procedures for the device. In some jurisdictions, components are included in the definition of a 'MEDICAL DEVICE'.
[SOURCE: IEC 80001-1:2010, 2.14]

3.14
MEDICAL IT-NETWORK
an IT-NETWORK that incorporates at least one MEDICAL DEVICE
[SOURCE: IEC 80001-1:2010, 2.16]
3.15
MEDICAL IT-NETWORK RISK MANAGER
person accountable for RISK MANAGEMENT of a MEDICAL IT-NETWORK
[SOURCE: IEC 80001-1:2010, 2.17]

3.16
OPERATOR
person handling equipment
[SOURCE: IEC 80001-1:2010, 2.18]

3.17
PROCESS
set of interrelated or interacting activities which transforms inputs into outputs
Note 1 to entry: The term "activities" covers use of resources.
[SOURCE: IEC 80001-1:2010, 2.19]

3.18
RESPONSIBILITY AGREEMENT
one or more documents that together fully define the responsibilities of all relevant stakeholders
Note 1 to entry: This agreement can be a legal document, e.g. a contract.
[SOURCE: IEC 80001-1:2010, 2.21]

3.19
RESPONSIBLE ORGANIZATION
entity accountable for the use and maintenance of a MEDICAL IT-NETWORK
Note 1 to entry: The accountable entity can be, for example, a hospital, a private clinician or a telehealth organization.
Note 2 to entry: Adapted from IEC 60601-1:2005 definition 3.101.
[SOURCE: IEC 80001-1:2010, 2.22]

3.20
RISK
combination of the probability of occurrence of HARM and the severity of that HARM
[SOURCE: IEC 80001-1:2010, 2.23]

3.21
RISK ANALYSIS
systematic use of available information to identify HAZARDS and to estimate the RISK
[SOURCE: IEC 80001-1:2010, 2.24]

3.22
RISK ASSESSMENT
overall PROCESS comprising a RISK ANALYSIS and a RISK EVALUATION
[SOURCE: IEC 80001-1:2010, 2.25]
3.23
RISK CONTROL
PROCESS in which decisions are made and measures implemented by which RISKS are reduced to, or maintained within, specified levels
[SOURCE: IEC 80001-1:2010, 2.26]

3.24
RISK EVALUATION
PROCESS of comparing the estimated RISK against given RISK criteria to determine the acceptability of the RISK
[SOURCE: IEC 80001-1:2010, 2.27]

3.25
RISK MANAGEMENT
systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling, and monitoring RISK
[SOURCE: IEC 80001-1:2010, 2.28]

3.26
RISK MANAGEMENT FILE
set of records and other documents that are produced by RISK MANAGEMENT
[SOURCE: IEC 80001-1:2010, 2.29]
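Definitions 3.7 to 3.9 and 3.20 to 3.26 form one chain: a HAZARD in a HAZARDOUS SITUATION can lead to HARM; RISK ANALYSIS estimates the probability and severity of that HARM; RISK EVALUATION compares the estimate with the acceptability criteria the RESPONSIBLE ORGANIZATION has set (see 1.4); RISK CONTROL reduces the RISK to, or holds it within, the specified level; and all of it is retained in the RISK MANAGEMENT FILE. The following Python is an added worked example of that chain, not part of the technical report or of IEC 80001-1. The probability and severity scales, the acceptability matrix, the function names and the three sample hazards are all constructed for illustration: IEC 80001-1 requires the RESPONSIBLE ORGANIZATION to define its own scales and criteria and prescribes none.

```python
"""Added worked example (not text of IEC/TR 80001-2-4): the RISK terms of 3.7-3.9
and 3.20-3.26 applied to a constructed MEDICAL IT-NETWORK hazard list. The 5-point
scales, the acceptability matrix and the sample hazards are ASSUMED for
illustration; IEC 80001-1 makes the RESPONSIBLE ORGANIZATION define its own (1.4)."""
from dataclasses import dataclass, replace
from enum import IntEnum

# Assumed scales (values 1..5); IEC 80001-1 prescribes none.
Probability = IntEnum("Probability", "IMPROBABLE REMOTE OCCASIONAL PROBABLE FREQUENT")
Severity = IntEnum("Severity", "NEGLIGIBLE MINOR SERIOUS CRITICAL CATASTROPHIC")

# Assumed acceptability criteria: rows = probability, columns = severity.
# A = acceptable, R = reduce further where practicable, U = unacceptable.
ACCEPTABILITY = [
    # NEG  MIN  SER  CRI  CAT
    ["A", "A", "A", "R", "R"],  # IMPROBABLE
    ["A", "A", "R", "R", "U"],  # REMOTE
    ["A", "R", "R", "U", "U"],  # OCCASIONAL
    ["R", "R", "U", "U", "U"],  # PROBABLE
    ["R", "U", "U", "U", "U"],  # FREQUENT
]
LEVEL = {"A": "acceptable", "R": "reduce", "U": "unacceptable"}
RANK = {"acceptable": 0, "reduce": 1, "unacceptable": 2}

def evaluate_risk(probability, severity):
    """RISK EVALUATION (3.24): the RISK (3.20) is the probability/severity pair;
    look it up against the acceptability criteria."""
    return LEVEL[ACCEPTABILITY[probability - 1][severity - 1]]

@dataclass(frozen=True)
class HazardRecord:
    """One RISK ANALYSIS (3.21) row: HAZARD (3.8), HAZARDOUS SITUATION (3.9),
    HARM (3.7), the KEY PROPERTY degraded, estimated RISK and RISK CONTROLS."""
    hazard: str
    hazardous_situation: str
    harm: str
    key_property: str  # "SAFETY", "EFFECTIVENESS" or "DATA AND SYSTEMS SECURITY"
    probability: Probability
    severity: Severity
    controls: tuple = ()

    def evaluation(self):
        return evaluate_risk(self.probability, self.severity)

def control_is_admissible(record, probability, severity):
    """RISK CONTROL (3.23) reduces RISK to, or keeps it within, specified levels:
    a measure whose residual RISK lands in a worse class is not a control."""
    return RANK[evaluate_risk(probability, severity)] <= RANK[record.evaluation()]

def apply_control(record, measure, probability, severity):
    """Record a RISK CONTROL measure and the residual RISK re-estimated after it."""
    if not control_is_admissible(record, probability, severity):
        raise ValueError(f"'{measure}' worsens RISK for '{record.hazard}'")
    return replace(record, probability=probability, severity=severity,
                   controls=record.controls + (measure,))

def risk_assessment(records):
    """RISK ASSESSMENT (3.22) = RISK ANALYSIS + RISK EVALUATION for every record;
    the rows are what the RISK MANAGEMENT FILE (3.26) has to retain."""
    return [{"hazard": r.hazard, "key_property": r.key_property,
             "risk": (r.probability.name, r.severity.name),
             "evaluation": r.evaluation(), "controls": list(r.controls)}
            for r in records]

def unresolved(records):
    """HAZARDS whose residual RISK is not acceptable: further RISK CONTROL, or an
    explicit documented acceptance decision, is still needed."""
    return [r.hazard for r in records if r.evaluation() != "acceptable"]

# Constructed sample hazards, illustrative only (not from the report or any incident).
SAMPLE_HAZARDS = [
    HazardRecord("Loss of connectivity between bedside monitors and central station",
                 "Patient alarm raised while no clinician is at the bedside",
                 "Delayed response to patient deterioration", "SAFETY",
                 Probability.OCCASIONAL, Severity.CRITICAL),
    HazardRecord("MEDICAL DEVICE segment reachable from the general enterprise network",
                 "Unauthorized host can address the devices and capture their traffic",
                 "Breach of confidentiality and integrity of patient data in transit",
                 "DATA AND SYSTEMS SECURITY", Probability.REMOTE, Severity.SERIOUS),
    HazardRecord("Nightly backup saturates the link shared with imaging workstations",
                 "Clinician retrieves images during the backup window",
                 "Image retrieval too slow for the clinic session", "EFFECTIVENESS",
                 Probability.OCCASIONAL, Severity.MINOR),
]

def worked_example():
    """One round of RISK CONTROL on the sample; the residual RISK is re-evaluated."""
    alarm, segment, backup = SAMPLE_HAZARDS
    return [
        apply_control(alarm, "Redundant uplinks plus local audible alarm on the monitor",
                      Probability.REMOTE, Severity.SERIOUS),
        apply_control(segment, "Dedicated VLAN; firewall permits only documented flows",
                      Probability.IMPROBABLE, Severity.SERIOUS),
        apply_control(backup, "Rate-limit backup traffic below shared link capacity",
                      Probability.IMPROBABLE, Severity.MINOR),
    ]

if __name__ == "__main__":
    for row in risk_assessment(SAMPLE_HAZARDS) + risk_assessment(worked_example()):
        print(row["hazard"][:40], row["risk"], row["evaluation"], row["controls"])
    print("still needs RISK CONTROL:", unresolved(worked_example()))
```

Running the block prints each constructed hazard before and after one round of RISK CONTROL and then lists what is still open. Two points matter for a practitioner. First, `control_is_admissible` refuses a measure whose residual RISK would fall into a worse acceptability class, so the RISK MANAGEMENT FILE can never show a "control" that made things worse. Second, the alarm-forwarding hazard stays on the unresolved list after its control: the residual RISK is only "reduce", so under these assumed criteria the RESPONSIBLE ORGANIZATION must either add a further control or record an explicit acceptance decision, rather than treat the first control as closure.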
3.27
SAFETY
freedom from unacceptable RISK of physical injury or damage to the health of people or damage to property or the environment
Note 1 to entry: Adapted from ISO 14971:2007, definition 2.24.
[SOURCE: IEC 80001-1:2010, 2.30]

3.28
TOP MANAGEMENT
person or group of people who direct(s) and control(s) the RESPONSIBLE ORGANIZATION accountable for a MEDICAL IT-NETWORK at the highest level
Note 1 to entry: Adapted from ISO
...
