IEC/TR 80001-2-1:2012
Application of risk management for IT-networks incorporating medical devices — Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical Applications and Examples
IEC/TR 80001-2-1:2012(E), which is a technical report, is a step-by-step guide to help in the application of risk management when creating or changing a medical IT-network. It provides easy to apply steps, examples, and information helping in the identification and control of risks. All relevant requirements in IEC 80001-1:2010 are addressed and links to other clauses and subclauses of IEC 80001-1 are addressed where appropriate (e.g. handover to release management and monitoring). This technical report focuses on practical risk management. It is not intended to provide a full outline or explanation of all requirements that are satisfactorily covered by IEC 80001-1. This step-by-step guidance follows a 10-step process that follows subclause 4.4 of IEC 80001-1:2010, which specifically addresses risk analysis, risk evaluation and risk control. These activities are embedded within the full life cycle risk management process. They can never be the first step, as risk management follows the general process model which sets planning before any action.
Standards Content (Sample)
IEC/TR 80001-2-1
Edition 1.0 2012-07
TECHNICAL REPORT
colour
inside
Application of risk management for IT-networks incorporating medical devices –
Part 2-1: Step-by-step risk management of medical IT-networks – Practical
applications and examples
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11, Fax: +41 22 919 03 00, info@iec.ch, www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigendum or an amendment might have been published.
Useful links:
IEC publications search - www.iec.ch/searchpub
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and withdrawn publications.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available on-line and also once a month by email.
Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 30 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary (IEV) on-line.
Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE: XB
ICS 11.040.01; 35.240.80
ISBN 978-2-83220-201-2
– 2 – TR 80001-2-1 IEC:2012(E)
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 8
2 Normative references . 8
3 Terms and definitions . 8
4 Prerequisites . 14
5 Study of terms used in RISK MANAGEMENT . 14
5.1 Overview . 14
5.2 HAZARDS . 15
5.3 HAZARDOUS SITUATIONS . 15
5.4 Foreseeable sequences of events and causes . 16
5.5 UNINTENDED CONSEQUENCE . 16
5.6 RISK CONTROL measures (mitigations) . 17
5.7 Degrees of RISK . 17
5.8 Checking wording . 18
6 The steps . 18
6.1 Overview of the steps . 18
6.2 A basic example using the 10 steps . 19
6.2.1 General . 19
6.2.2 Initial RISK – Steps 1 – 5 (Figure 2) . 19
6.2.3 RISK CONTROL and final RISK – Steps 6 – 10 (Figure 3) . 20
7 IEC 80001-1:2010, Clause 4.4: Step by step . 23
7.1 General . 23
7.2 Application of Subclause 4.4.1: Document all RISK MANAGEMENT elements . 23
7.3 Note about RISK EVALUATION . 23
7.4 The 10-step PROCESS . 23
7.4.1 STEP 1: Identify HAZARDs and HAZARDOUS SITUATIONS . 23
7.4.2 STEP 2: Identify causes and resulting HAZARDOUS SITUATIONS . 24
7.4.3 STEP 3: Determine UNINTENDED CONSEQUENCES and estimate the
potential severities . 25
7.4.4 STEP 4: Estimate the probability of UNINTENDED CONSEQUENCE . 25
7.4.5 STEP 5: Evaluate RISK . 26
7.4.6 STEP 6: Identify and document proposed RISK CONTROL measures
and re-evaluate RISK (return to Step 3) . 27
7.4.7 STEP 7: Implement RISK CONTROL measures . 28
7.4.8 STEP 8: Verify RISK CONTROL measures . 29
7.4.9 STEP 9: Evaluate any new RISKS arising from RISK CONTROL . 30
7.5 The steps and their relationship to IEC 80001-1 and ISO 14971 . 30
8 Practical examples . 31
8.1 General . 31
8.2 Example 1: Wireless PATIENT monitoring during PATIENT transport . 32
8.2.1 Full description of context . 32
8.2.2 Description of network under analysis. 32
8.2.3 The 10 Steps . 32
8.3 Example 2: Remote ICU / Distance medicine . 35
8.3.1 Full description of context . 35
8.3.2 Description of network under analysis. 35
8.3.3 The 10 Steps . 35
8.4 Example 3: Post Anaesthesia Care Unit (PACU) . 38
8.4.1 Full description of context . 38
8.4.2 Description of network under analysis. 38
8.4.3 The 10 Steps . 39
8.5 Example 4: Ultrasound –Operating system (OS) vulnerability . 44
8.5.1 Full description of context . 44
8.5.2 Description of network under analysis. 44
8.5.3 The 10 Steps . 44
Annex A (informative) Common HAZARDS, HAZARDOUS SITUATIONS, and causes to
consider in MEDICAL IT-NETWORKS . 48
Annex B (informative) List of questions to consider when identifying HAZARDs of the
MEDICAL IT-NETWORK . 52
Annex C (informative) Layers of MEDICAL IT-NETWORKS where errors can be found . 53
Annex D (informative) Probability, severity, and RISK acceptability scales used in the
examples in this technical report . 56
Annex E (informative) MONITORING RISK mitigation effectiveness . 59
Annex F (informative) RISK ANALYZING small changes in a MEDICAL IT-NETWORK . 62
Annex G (informative) Example of Change Window Form . 63
Annex H (informative) Template for examples . 64
Bibliography . 66
Figure 1 – Basic flow of concepts from HAZARD to HAZARDOUS SITUATION to UNINTENDED
CONSEQUENCE . 15
Figure 2 – Steps 1 – 5: HAZARD identification through RISK EVALUATION . 20
Figure 3 – Steps 6 – 10: RISK CONTROL measures through overall RESIDUAL RISK . 21
Figure 4 – Sample summary RISK ASSESSMENT register format . 22
Figure 5 – Relation of cause to HARM . 26
Figure 6 – Schematic of the post anaesthesia care unit (PACU). 39
Figure 7 – Example of the use of colour coding cables . 42
Figure 8 – Sample summary RISK ASSESSMENT register for the PACU example . 43
Figure D.1 – Application of STEPs 5 and 6 with 3 levels of RISK acceptability . 58
Figure F.1 – Overview of RISK ANALYZING small changes in a MEDICAL IT-NETWORK . 62
Table 1 – Relationship of KEY PROPERTIES, SAFETY, EFFECTIVENESS and DATA AND
SYSTEMS SECURITY with associated UNINTENDED CONSEQUENCE as used in this technical
report . 17
Table 2 – Methods for checking accurate and appropriate wording of causes,
HAZARDOUS SITUATIONS, and UNINTENDED CONSEQUENCES . 18
Table 3 – Relationship between this technical report, IEC 80001-1:2010 and
ISO 14971:2007 . 31
Table A.1 – HAZARDS related to potential required network characteristics . 50
Table A.2 – Relationship between HAZARDS, foreseeable sequences, and causes . 50
Table A.3 – Relationship between HAZARDS, causes, foreseeable sequences, and
HAZARDOUS SITUATIONS . 51
Table C.1 – Layers of a MEDICAL IT-NETWORK . 53
Table C.2 – Example of the layers of a MEDICAL IT-NETWORK . 55
Table D.1 – Probability scales used in the examples in this technical report . 56
Table D.2 – Severity scales . 56
Table D.3 – RISK level matrix . 57
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
APPLICATION OF RISK MANAGEMENT FOR
IT-NETWORKS INCORPORATING MEDICAL DEVICES –
Part 2-1: Step-by-step risk management of medical IT-networks –
Practical applications and examples
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. However, a
technical committee may propose the publication of a technical report when it has collected
data of a different kind from that which is normally published as an International Standard, for
example "state of the art".
IEC 80001-2-1, which is a technical report, has been prepared by a Joint Working Group of
subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC
technical committee 62: Electrical equipment in medical practice and ISO technical committee
215: Health informatics.
The text of this technical report is based on the following documents:
Enquiry draft: 62A/782/DTR
Report on voting: 62A/803/RVC
Full information on the voting for the approval of this technical report can be found in the
report on voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
Terms used throughout this technical report that have been defined in Clause 3 appear in
SMALL CAPITALS.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
INTRODUCTION
This technical report is a step-by-step guide to help in the application of RISK MANAGEMENT when creating or changing a MEDICAL IT-NETWORK. It provides easy to apply steps, examples, and information helping in the identification and control of RISKS. All relevant requirements in IEC 80001-1:2010 are addressed and links to other clauses and subclauses of IEC 80001-1 are addressed where appropriate (e.g. handover to release management and monitoring). This technical report focuses on practical RISK MANAGEMENT. It is not intended to provide a full outline or explanation of all requirements that are satisfactorily covered by IEC 80001-1.
This step-by-step guidance follows a 10-step PROCESS that follows subclause 4.4 of IEC 80001-1:2010, which specifically addresses RISK ANALYSIS, RISK EVALUATION and RISK CONTROL. These activities are embedded within the full life cycle RISK MANAGEMENT PROCESS. They can never be the first step, as RISK MANAGEMENT follows the general PROCESS model which sets planning before any action.
For the purpose of this technical report, “prerequisites” as stated in subclause 1.3 are considered to be in place before execution of the 10 steps. Also, it is well understood that all steps outlined in this technical report should have been performed before any new MEDICAL IT-NETWORK can go live or before proceeding with a change to an existing MEDICAL IT-NETWORK. It is emphasized that subclause 4.5 of IEC 80001-1:2010 “CHANGE RELEASE MANAGEMENT and CONFIGURATION MANAGEMENT” explicitly includes and applies to new MEDICAL IT-NETWORKS, as well as changes to existing networks.
This technical report will be useful to those responsible for or part of a team executing RISK MANAGEMENT when changing or creating (as the ultimate change) a MEDICAL IT-NETWORK.
MEDICAL DEVICES in the context of IEC 80001 refer to those MEDICAL DEVICES that connect to a network.
APPLICATION OF RISK MANAGEMENT FOR
IT-NETWORKS INCORPORATING MEDICAL DEVICES –
Part 2-1: Step-by-step risk management of medical IT-networks –
Practical applications and examples
1 Scope
This technical report provides step-by-step information to aid RESPONSIBLE ORGANIZATIONS in
implementation of the RISK MANAGEMENT PROCESS required by IEC 80001-1. Specifically, it
details the steps involved in executing subclause 4.4 of IEC 80001-1:2010 and provides
guidance in the form of a study of RISK MANAGEMENT terms, RISK MANAGEMENT steps, an
explanation of each step, step-by-step examples, templates, and lists of HAZARDS and causes
to consider.
The steps outlined within this technical report are considered to be universally applicable.
Application of these steps can be scaled as described within this document.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical
devices – Part 1: Roles, responsibilities and activities
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
CHANGE PERMIT
an outcome of the RISK MANAGEMENT PROCESS consisting of a document that allows a specified
change or type of change without further RISK MANAGEMENT activities subject to specified
constraints
[SOURCE: IEC 80001-1:2010, definition 2.3]
3.2
CHANGE RELEASE MANAGEMENT
PROCESS that ensures that all changes to the IT-NETWORK are assessed, approved,
implemented and reviewed in a controlled manner and that changes are delivered, distributed,
and tracked, leading to release of the change in a controlled manner with appropriate input
and output with CONFIGURATION MANAGEMENT
[SOURCE: IEC 80001-1:2010, definition 2.2]
3.3
CONFIGURATION MANAGEMENT
PROCESS that ensures that configuration information of components and the IT-NETWORK are
defined and maintained in an accurate and controlled manner, and provides a mechanism for
identifying, controlling and tracking versions of the IT-NETWORK
[SOURCE: IEC 80001-1:2010, definition 2.4]
3.4
DATA AND SYSTEMS SECURITY
operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are
reasonably protected from degradation of confidentiality, integrity, and availability
[SOURCE: IEC 80001-1:2010, definition 2.5, modified – two notes integral to understanding
the scope of the definition in the original document have been deleted.]
3.5
EFFECTIVENESS
ability to produce the intended result for the PATIENT and the RESPONSIBLE ORGANIZATION
[SOURCE: IEC 80001-1:2010, definition 2.6]
3.6
ELECTROMAGNETIC INTERFERENCE
EMI
any electromagnetic phenomenon that may degrade the performance of a device, equipment,
or system
[SOURCE: IEC 60601-1-2:2007, definition 3.5, modified – the term has been changed, an
abbreviation added and the note to the original definition removed.]
3.7
EVENT MANAGEMENT
PROCESS that ensures that all events that can or might negatively impact the operation of the
IT-NETWORK are captured, assessed, and managed in a controlled manner
[SOURCE: IEC 80001-1:2010, definition 2.7]
3.8
HARM
physical injury or damage to the health of people, or damage to property or the environment,
or reduction in EFFECTIVENESS, or breach of DATA AND SYSTEMS SECURITY
[SOURCE: IEC 80001-1:2010, definition 2.8]
3.9
HAZARD
potential source of HARM
[SOURCE: IEC 80001-1:2010, definition 2.9]
3.10
HAZARDOUS SITUATION
circumstance in which people, property, or the environment are exposed to one or more
HAZARD(s)
[SOURCE: ISO 14971:2007, definition 2.4]
3.11
HEALTH DATA
PRIVATE DATA that indicates physical or mental health
Note 1 to entry: This generically defines PRIVATE DATA and its subset, HEALTH DATA, within this document to permit
users of this document to adapt it easily to different privacy compliance laws and regulations. For example, in
Europe, the requirements might be taken and references changed to “Personal Data” and “Sensitive Data”; in the
USA, HEALTH DATA might be changed to “Protected Health Information (PHI)” while making adjustments to text as
necessary.
[SOURCE: IEC 80001-2-2:2012, definition 3.7]
3.12
INTENDED USE
use for which a product, PROCESS or service is intended according to the specifications,
instructions and information provided by the MANUFACTURER
[SOURCE: IEC 80001-1:2010, definition 2.10]
3.13
INTEROPERABILITY
property permitting diverse systems or components to work together for a specified purpose
[SOURCE: IEC 80001-1:2010, definition 2.11]
3.14
INFORMATION TECHNOLOGY
IT
technology (computer systems, networks, software) used to PROCESS, store, acquire and
distribute information
3.15
IT-NETWORK
INFORMATION TECHNOLOGY NETWORK
system or systems composed of communicating nodes and transmission links to provide
physically linked or wireless transmission between two or more specified communication
nodes
[SOURCE: IEC 80001-1:2010, definition 2.12, modified – the two notes to the original
definition have not been retained.]
3.16
KEY PROPERTIES
three RISK managed characteristics (SAFETY, EFFECTIVENESS, and DATA AND SYSTEMS SECURITY)
of MEDICAL IT-NETWORKS
[SOURCE: IEC 80001-1:2010, definition 2.13]
3.17
LOCAL AREA NETWORK
LAN
computer network covering a small physical area, such as a home or office, or small group of
buildings, such as a school or an airport
3.18
MANUFACTURER
natural or legal person with responsibility for the design, manufacture, packaging, or labelling
of a MEDICAL DEVICE, assembling a system, or adapting a medical device before it is placed on
the market or put into service, regardless of whether these operations are carried out by that
person or on that person's behalf by a third party
[SOURCE: ISO 14971:2007, definition 2.8, modified – Note 1 to the original definition, which
provides pertinent information, has not been retained.]
3.19
MEDICAL DEVICE
any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or
calibrator, software, material or other similar or related article:
a) intended by the MANUFACTURER to be used, alone or in combination, for human beings for
one or more of the specific purpose(s) of:
– diagnosis, prevention, monitoring, treatment or alleviation of disease,
– diagnosis, monitoring, treatment, alleviation of or compensation for an injury,
– investigation, replacement, modification, or support of the anatomy or of a
physiological PROCESS,
– supporting or sustaining life,
– control of conception,
– disinfection of MEDICAL DEVICES,
– providing information for medical or diagnostic purposes by means of in vitro
examination of specimens derived from the human body; and
b) which does not achieve its primary intended action in or on the human body by
pharmacological, immunological or metabolic means, but which may be assisted in its
intended function by such means.
Note 1 to entry: The definition of a device for in vitro examination includes, for example, reagents, calibrators,
sample collection and storage devices, control materials, and related instruments or apparatus. The information
provided by such an in vitro diagnostic device may be for diagnostic, monitoring or compatibility purposes. In some
jurisdictions, some in vitro diagnostic devices, including reagents and the like, may be covered by separate
regulations.
Note 2 to entry: Products which may be considered to be medical devices in some jurisdictions but for which there
is not yet a harmonized approach, are:
– aids for disabled/handicapped people;
– devices for the treatment/diagnosis of diseases and injuries in animals;
– accessories for medical devices (see Note 3 to entry);
– disinfection substances;
– devices incorporating animal and human tissues which may meet the requirements of the above definition but
are subject to different controls.
Note 3 to entry: Accessories intended specifically by MANUFACTURERS to be used together with a ‘parent’ medical
device to enable that medical device to achieve its intended purpose should be subject to the same GHTF
procedures as apply to the medical device itself. For example, an accessory will be classified as though it is a
medical device in its own right. This may result in the accessory having a different classification than the ‘parent’
device.
Note 4 to entry: Components to medical devices are generally controlled through the MANUFACTURER’S quality
management system and the conformity assessment procedures for the device. In some jurisdictions, components
are included in the definition of a ‘medical device’.
[SOURCE: IEC 80001-1:2010, definition 2.14]
3.20
MEDICAL IT-NETWORK
IT-NETWORK that incorporates at least one MEDICAL DEVICE
[SOURCE: IEC 80001-1:2010, definition 2.16]
3.21
MONITORING
on-going review of all RISK MANAGEMENT activities and RISK CONTROL options that were put in
place to achieve acceptable RISK in the use of MEDICAL IT-NETWORK(S).
3.22
OPERATOR
person handling equipment
[SOURCE: IEC 80001-1:2010, definition 2.18]
3.23
PATIENT
individual awaiting or under medical care and treatment
3.24
PROCESS
set of interrelated or interacting activities which transforms inputs into outputs
[SOURCE: IEC 80001-1:2010, definition 2.19]
3.25
QUALITY OF SERVICE
QOS
the capability or means of providing differentiated levels of networking performance in terms
of traffic engineering (packet delay, loss, jitter, bit rate) to different data flows.
3.26
RESIDUAL RISK
RISK remaining after RISK CONTROL measures have been taken
[SOURCE: IEC 80001-1:2010, definition 2.20]
3.27
RESPONSIBILITY AGREEMENT
one or more documents that together fully define the responsibilities of all relevant
stakeholders
[SOURCE: IEC 80001-1:2010, definition 2.21, modified – a note to the original definition,
containing examples, has not been retained.]
3.28
RESPONSIBLE ORGANIZATION
RO
entity accountable for the use and maintenance of a MEDICAL IT-NETWORK
[SOURCE: IEC 80001-1:2010, definition 2.22, modified – a note to the original definition,
containing examples, has not been retained.]
3.29
RISK
combination of the probability of occurrence of HARM and the severity of that HARM
[SOURCE: IEC 80001-1:2010, definition 2.23]
3.30
RISK ANALYSIS
systematic use of available information to identify HAZARDS and to estimate the RISK
[SOURCE: IEC 80001-1:2010, definition 2.24]
3.31
RISK ASSESSMENT
overall PROCESS comprising a RISK ANALYSIS and a RISK EVALUATION
[SOURCE: IEC 80001-1:2010, definition 2.25]
3.32
RISK CONTROL
PROCESS in which decisions are made and measures implemented by which RISKS are reduced
to, or maintained within, specified levels
[SOURCE: IEC 80001-1:2010, definition 2.26]
3.33
RISK EVALUATION
PROCESS of comparing the estimated RISK against given RISK criteria to determine the
acceptability of the RISK
[SOURCE: IEC 80001-1:2010, definition 2.27]
3.34
RISK MANAGEMENT
systematic application of management policies, procedures and practices to the tasks of
analyzing, evaluating, controlling, and MONITORING RISK
[SOURCE: IEC 80001-1:2010, definition 2.28]
3.35
RISK MANAGEMENT FILE
set of records and other documents that are produced by RISK MANAGEMENT
[SOURCE: IEC 80001-1:2010, definition 2.29]
3.36
SAFETY
freedom from unacceptable RISK of physical injury or damage to the health of people or
damage to property or the environment
[SOURCE: IEC 80001-1:2010, definition 2.30]
3.37
TOP MANAGEMENT
person or group of people who direct(s) and control(s) the RESPONSIBLE ORGANIZATION
accountable for a MEDICAL IT-NETWORK at the highest level
[SOURCE: IEC 80001-1:2010, definition 2.31]
3.38
UNINTENDED CONSEQUENCE
UC
unwanted and negative outcome of an event that results in one or more degraded KEY
PROPERTIES
3.39
VERIFICATION
confirmation through provision of objective evidence that specified requirements have been
fulfilled
Note 1 to entry: The term “verified” is used to designate the corresponding status.
Note 2 to entry: Confirmation can comprise activities such as:
– performing alternative calculations;
– comparing a new design specification with a similar proven design specification;
– undertaking tests and demonstrations; and
– reviewing documents prior to issue.
Note 3 to entry: In design and development, VERIFICATION concerns the PROCESS of examining the result of a given activity to
determine conformity with the stated requirement for that activity.
[SOURCE: IEC 80001-1:2010, definition 2.32]
4 Prerequisites
Before beginning the steps outlined within this technical report, the requirements in
subclauses 3.1 to 4.3 of IEC 80001-1:2010 need to be completed. Additionally, the
RESPONSIBLE ORGANIZATION (RO) must be prepared to meet the requirements in subclauses
4.5 through 5.2. For example, the RISK MANAGEMENT policy and PROCESSES are in place; the
RISK MANAGEMENT plan is complete; any required RESPONSIBILITY AGREEMENTS are in place;
probability, severity, and RISK acceptability scales are defined.
For RISK MANAGEMENT of any system to proceed, the system must be defined. In the case of MEDICAL IT-NETWORKS, the network under analysis must be well defined and can already contain some existing controls. This will be important in Steps 3 and 4. For new MEDICAL IT-NETWORKS, this can be a preliminary design.
In addition to defining the system under analysis, fundamental information regarding RO-specific use, needs, and concerns is needed in order to complete the RISK estimation. This is referred to as the “context” of use and includes information such as:
– acuity of PATIENTS;
– clinical workflow;
– clinical staffing and competencies;
– INTENDED USE/clinical or business use case; and
– clinical and business criticality of the systems/applications using the network.
The steps described in this report will generally be executed by a team of individuals within the RESPONSIBLE ORGANIZATION. It is recommended to have representation from multiple departments, including IT, biomedical engineering, clinical, and RISK MANAGEMENT. The makeup of the team should align with existing structures within the organization.
5 Study of terms used in RISK MANAGEMENT
5.1 Overview
RISK MANAGEMENT is a very large field of study. This technical report provides an introduction
to this subject with examples that can be undertaken with minimal knowledge. It provides step
by step instructions for undertaking a RISK ASSESSMENT PROCESS.
IEC 80001-1 provides a RISK MANAGEMENT philosophy. As there are several RISK MANAGEMENT
philosophies available, this one might or might not be completely in line with RISK
MANAGEMENT approaches and techniques already in place at the RO. The RO should consider
taking appropriate steps to reconcile the differences in methodology and terminology.
Figure 1 shows the basic flow of concepts from HAZARD to HAZARDOUS SITUATION to UNINTENDED
CONSEQUENCE.
[Figure 1: a cause, through a sequence of events leading to creation of the hazard, produces a HAZARD; a further cause and sequence of events (probability P1) leads to exposure of a person to the hazard, the HAZARDOUS SITUATION; a final sequence of events (probability P2) leads from the hazardous situation to HARM, the UNINTENDED CONSEQUENCE. IEC 1289/12]
Figure 1 – Basic flow of concepts from HAZARD to HAZARDOUS SITUATION to UNINTENDED CONSEQUENCE
5.2 HAZARDS
IEC 80001-1 addresses three KEY PROPERTIES (SAFETY, EFFECTIVENESS, and DATA AND SYSTEMS
SECURITY), each of which can be subject to single or combined HAZARDS and HAZARDOUS
SITUATIONS.
Consider HAZARDS as categories of things that could be detrimental to one or more of the
three KEY PROPERTIES. Concrete examples include electrical energy, suspended masses, high
temperatures, etc., but functional and operational failures must also be considered as
HAZARDS. For example, failure of a defibrillator to power up at a time when it is needed is
dangerous. In the case of MEDICAL IT-NETWORKS, many of the HAZARDOUS SITUATIONS that can
develop are related to the HAZARD “loss of function” (e.g., the MEDICAL IT-NETWORK fails to
deliver the data).
HAZARDS are hierarchical and can be organized as such. For example, the HAZARD
“energy” can be broken down into thermal energy, mechanical energy, and electrical
energy, which are also HAZARDS. Further subdividing – high temperature, torsion, and high
voltage are all HAZARDS. This hierarchical approach can be used to organize RISK ANALYSIS
and documentation. For example, high temperatures in a communications cabinet can be a
cause of failures to IT equipment. ELECTROMAGNETIC INTERFERENCE can also be a cause of
failure in IT-NETWORKS.
Many HAZARDS are inherent to the properties of the device or system, whereas some develop
during the life of the system. For example, high temperature is a HAZARD. A cook-top is
intended to be hot (inherent to the system), but an overheated surface of a machine might
develop after a failure in the machine. As another example, sharp edges are also a type of
HAZARD. A knife is intended to be sharp, but a metal burr on a metal enclosure might form
during manufacturing. Loss of network function as a HAZARD could develop during the use of
networked devices.
5.3 HAZARDOUS SITUATIONS
A HAZARD is a potential source of UNINTENDED CONSEQUENCE. A sharp knife, an icy sidewalk,
even a blizzard can be considered a HAZARD. A HAZARDOUS SITUATION is a circumstance in
which a person, property, or the environment is exposed to one or more HAZARDS. A
HAZARDOUS SITUATION must occur for there to be possibility of UNINTENDED CONSEQUENCE. For
example, if no-one ever walks on an icy sidewalk (HAZARDOUS SITUATION), the icy sidewalk
itself is still a HAZARD, but there is no possibility of UNINTENDED CONSEQUENCE if the
HAZARDOUS SITUATION never occurs.
Multiple different HAZARDOUS SITUATIONS can develop from a single HAZARD, each with different
levels of RISK. Given the HAZARD “loss of connectivity”, several HAZARDOUS SITUATIONS can
develop, such as failure to update medical records, delay in dispatching new physician's
orders, inability to determine if equipment is operating correctly, inability to update a
formulary on an IV pump, failure to transmit an active alarm, etc.
With the information given in a HAZARDOUS SITUATION along with the MEDICAL IT-NETWORK
definition and context (clinical use case, clinical functionality/workflow, PATIENT acuity, data
sensitivity, etc.), UNINTENDED CONSEQUENCES can be determined. In the case of lost
connectivity, what data was lost and to whom it belonged are important factors in determining
UNINTENDED CONSEQUENCES. Loss of alarm data for a high acuity PATIENT will carry different
RISK than loss of electronic medical record data at a walk-in clinic.
5.4 Foreseeable sequences of events and causes
A foreseeable sequence of events transforms the HAZARD into a HAZARDOUS SITUATION. A
sequence of events can also lead up to a HAZARD that is not inherent to the MEDICAL IT-
NETWORK and then lead to a HAZARDOUS SITUATION. The initial event is referred to as the
cause. In the case of a MEDICAL IT-NETWORK, a cause can be network congestion that results
in a HAZARD such as lost connectivity. A HAZARDOUS SITUATION occurs when a PATIENT or the
organization is exposed to this HAZARD, potentially leading to one or more of the 3 KEY
PROPERTIES being negatively affected.
The cause answers the question “why is someone/something in the HAZARDOUS SITUATION?”
For simplicity, consider cause the point at which things went wrong (network design flaw,
network component failure, etc.), and this is one of the points where RISK CONTROL measures
can effectively be applied.
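As an added illustration (this is not code from the report), the concept chain of 5.2 to 5.4 can be written down as a small Python model: a HAZARD hierarchy, HAZARDOUS SITUATIONS that name their cause and whether exposure actually occurs, and UNINTENDED CONSEQUENCES that must each map to one of the three KEY PROPERTIES. The hazard names mirror the examples in the text; the situations, causes and consequences are constructed sample data, and the function and class names are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# The three KEY PROPERTIES named in IEC 80001-1 (see 5.2).
KEY_PROPERTIES = ("SAFETY", "EFFECTIVENESS", "DATA AND SYSTEMS SECURITY")


@dataclass
class Hazard:
    """A HAZARD category; `parent` links it into the hierarchy described in 5.2."""
    name: str
    parent: Optional[Hazard] = None

    def path(self) -> list[str]:
        """Hierarchy path from the top-level HAZARD category down to this one."""
        node, out = self, []
        while node is not None:
            out.append(node.name)
            node = node.parent
        return out[::-1]


@dataclass
class HazardousSituation:
    """A circumstance in which someone or something is exposed to a HAZARD (5.3)."""
    description: str
    hazard: Hazard
    cause: str      # the initial event: why is someone in this situation? (5.4)
    exposed: bool   # does the exposure actually occur?
    consequences: dict = field(default_factory=dict)  # KEY PROPERTY -> UNINTENDED CONSEQUENCE

    def __post_init__(self) -> None:
        unknown = set(self.consequences) - set(KEY_PROPERTIES)
        if unknown:
            raise ValueError(f"UNINTENDED CONSEQUENCE must map to a KEY PROPERTY, got {unknown}")


def possible_consequences(situation: HazardousSituation) -> dict:
    """A UC is only possible if the HAZARDOUS SITUATION occurs; the icy sidewalk rule of 5.3."""
    return dict(situation.consequences) if situation.exposed else {}


def situations_under(hazard: Hazard, situations: list) -> list:
    """HAZARDOUS SITUATIONS arising from a HAZARD or from any HAZARD below it in the hierarchy."""
    return [s for s in situations if hazard.name in s.hazard.path()]


def affected_key_properties(situations: list) -> set:
    """KEY PROPERTIES that can actually be degraded across the given situations."""
    props: set = set()
    for s in situations:
        props.update(possible_consequences(s))
    return props


def risk_analysis_outline(situations: list) -> dict:
    """Group situations by HAZARD path, the organization 5.2 suggests for RISK ANALYSIS records."""
    outline: dict = {}
    for s in situations:
        outline.setdefault(" > ".join(s.hazard.path()), []).append(s.description)
    return outline


# --- Constructed sample data (illustrative, not taken from the report) ---------------
ENERGY = Hazard("energy")
THERMAL = Hazard("thermal energy", ENERGY)
HIGH_TEMP = Hazard("high temperature", THERMAL)
LOSS_OF_FUNCTION = Hazard("loss of function")
LOST_CONNECTIVITY = Hazard("loss of connectivity", LOSS_OF_FUNCTION)
ICY_SIDEWALK = Hazard("icy sidewalk")

SITUATIONS = [
    HazardousSituation("active alarm not transmitted to the central station", LOST_CONNECTIVITY,
                       cause="network congestion", exposed=True,
                       consequences={"SAFETY": "delayed response to a deteriorating PATIENT"}),
    HazardousSituation("medical record not updated", LOST_CONNECTIVITY,
                       cause="network congestion", exposed=True,
                       consequences={"EFFECTIVENESS": "clinician works from stale data"}),
    HazardousSituation("switch in communications cabinet fails", HIGH_TEMP,
                       cause="cabinet cooling failure", exposed=True,
                       consequences={"EFFECTIVENESS": "reduced network availability"}),
    # The icy sidewalk nobody ever walks on: still a HAZARD, but no exposure, so no UC.
    HazardousSituation("person walks on the icy sidewalk", ICY_SIDEWALK,
                       cause="freezing rain", exposed=False,
                       consequences={"SAFETY": "physical injury"}),
]

if __name__ == "__main__":
    for path, items in risk_analysis_outline(SITUATIONS).items():
        print(path, "->", items)
    print("KEY PROPERTIES at risk:", affected_key_properties(SITUATIONS))
```

The `exposed` flag is where the 5.3 argument lives: a situation whose exposure never occurs contributes nothing to the set of KEY PROPERTIES at risk, however severe its listed consequence. Grouping records by hazard path keeps the documentation aligned with the hierarchy of 5.2, so a RISK CONTROL measure applied at a cause (5.4) can be traced to every situation under that branch.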
5.5 UNINTENDED CONSEQUENCE
The RISK MANAGEMENT PROCESS used in IEC 80001-1 follows the RISK MANAGEMENT PROCESS of
ISO 14971. It is important to note that the realm of RISKS addressed by IEC 80001-1 and this
technical report is broader than that of ISO 14971, even though it uses identical terms. HARM
as defined in ISO 14971 is related to IEC 80001 KEY PROPERTY SAFETY only (physical injury)
where in IEC 80001-1 HARM is defined to address all three KEY PROPERTIES: SAFETY,
EFFECTIVENESS and DATA AND SYSTEMS SECURITY. To avoid a single domain interpretation of
RISK MANAGEMENT (SAFETY only) this Technical Report explains RISK MANAGEMENT using the
more neutral term ‘UNINTENDED CONSEQUENCE’ (or ‘UC’). A physical injury would be an
UNINTENDED CONSEQUENCE of a RISK to SAFETY. A HAZARD could be a potential source of a
security breach or reduced effectiveness, in addition to physical injury. RISK MANAGEMENT of
MEDICAL IT-NETWORKS requires involvement of multiple disciplines that can use domain
specific terms regarding RISK, RISK MANAGEMENT or HAZARDS. UNINTENDED CONSEQUENCE is
used in this document as a generically descriptive term.
Table 1 gives an overview of the relationship between the terms used.
Table 1 – Relationship of KEY PROPERTIES, SAFETY, EFFECTIVENESS and DATA AND SYSTEMS
SECURITY with associated UNINTENDED CONSEQUENCE as used in this technical report

KEY PROPERTY: SAFETY
Definition of KEY PROPERTY: Freedom from unacceptable combination of probability and severity of physical injury or damage to the health of people, or damage to the property or the environment
Description of UNINTENDED CONSEQUENCE: Physical injury or damage to the health of people, or damage to the property or the environment

KEY PROPERTY: EFFECTIVENESS
Definition of KEY PROPERTY: Ability to produce the intended result for the PATIENT and the RESPONSIBLE ORGANIZATION
Description of UNINTENDED CONSEQUENCE: Reduction in EFFECTIVENESS

KEY PROPERTY: DATA AND SYSTEMS SECURITY
Definition of KEY PROPERTY: An operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability
Description of UNINTENDED CONSEQUENCE: Breach of DATA AND SYSTEMS SECURITY
For a more detailed treatment of how IT security terms relate to SAFETY RISK MANAGEMENT
terms, see IEC/TR 80001-2-2. The phrase “breach of DATA AND SYSTEMS SECURITY” is
approximately equivalent to an executed exploit in the domain of IT security (i.e., cyber
security). A system vulnerability is a system attribute that, whe
...







