ISO/TR 80001-2-6:2014
Application of risk management for IT-networks incorporating medical devices — Part 2-6: Application guidance — Guidance for responsibility agreements
ISO/TR 80001-2-6:2014 provides guidance on implementing RESPONSIBILITY AGREEMENTS, which are described in IEC 80001-1 as used to establish the roles and responsibilities among the stakeholders engaged in the incorporation of a MEDICAL DEVICE into an IT-NETWORK in order to support compliance to IEC 80001-1. Stakeholders may include RESPONSIBLE ORGANIZATIONS, IT suppliers, MEDICAL DEVICE manufacturers and others. The goal of the RESPONSIBILITY AGREEMENT is that these roles and responsibilities should cover the complete lifecycle of the resulting MEDICAL IT-NETWORK.
Standards Content (sample)
TECHNICAL REPORT
ISO/TR 80001-2-6
First edition
2014-12-01
Application of risk management for IT-networks incorporating medical devices — Part 2-6: Application guidance — Guidance for responsibility agreements
Application de la gestion des risques pour les réseaux intégrant appareils médicaux — Partie 2-6: Application guidage — Orientation des accords de responsabilité
Reference number
ISO/TR 80001-2-6:2014(E)
© ISO 2014
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
© ISO 2014 – All rights reserved
Contents
Foreword
Introduction
1 Scope
1.1 Purpose
1.2 Prerequisites
2 Normative references
3 Terms and definitions
4 Key aspects for RESPONSIBILITY AGREEMENTS
4.1 Reasons and rationale
4.2 Participants
4.3 Proposed types of RESPONSIBILITY AGREEMENTS
4.4 Communication control
4.4.1 Bilateral versus multilateral RESPONSIBILITY AGREEMENTS
4.4.2 Non-disclosure agreements
4.4.3 Update of information and documentation
4.5 Responsibility for establishing
4.6 Methods for determination of responsibilities
4.7 Life cycle considerations
5 Elements of a RESPONSIBILITY AGREEMENT
Annex A (informative) RACI chart
Annex B (informative) Typical documents
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that
which is normally published as an International Standard (“state of the art”, for example), it may decide by a
simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely
informative in nature and does not have to be reviewed until the data it provides are considered to be no
longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 80001-2-6 was prepared by Technical Committee ISO/TC 215, Health informatics, jointly with IEC Subcommittee IEC/SC 62A.
ISO/IEC TR 80001 consists of the following parts, under the general title Application of risk management for IT-networks incorporating medical devices:
Part 1: Roles, responsibilities and activities
Part 2-1: Step-by-step risk management of medical IT-networks – Practical applications and examples
Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls
Part 2-3: Guidance for wireless networks
Part 2-4: Application guidance – General implementation guidance for Healthcare Delivery Organizations
Part 2-5: Application guidance – Guidance on distributed alarm systems (in development)
Part 2-6: Application guidance – Guidance for responsibility agreements
Part 2-7: Application guidance – Guidance for Healthcare Delivery Organizations (HDOs) on how to self-assess their conformance with IEC 80001-1 (in development)
Part 2-8: Application guidance – Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2 (in development)
Introduction
0.1 Background
IEC 80001-1 was developed to meet the need to manage RISKS associated with the increasing prevalence of MEDICAL DEVICES being connected to general purpose IT-NETWORKS. The standard introduces the notion of a RESPONSIBILITY AGREEMENT covering roles and responsibilities of the stakeholders. This Technical Report provides practical guidance to RESPONSIBLE ORGANIZATIONS on establishing a RESPONSIBILITY AGREEMENT among all stakeholders involved, namely the RESPONSIBLE ORGANIZATION, the MEDICAL DEVICE manufacturer(s) and the IT supplier(s).
The following are examples of situations where a RESPONSIBILITY AGREEMENT could prove useful when an IT-NETWORK incorporates MEDICAL DEVICES. The benefits of the RESPONSIBILITY AGREEMENT include:
a) The roles and responsibilities of the stakeholders are identified and communicated in written form.
It is essential to have a clear understanding of the clinical dependencies on the network and to identify the roles and responsibilities of the stakeholders, including clinical staff and the MEDICAL DEVICE manufacturers.
The organization or department responsible for configuration control and maintenance of the IT-NETWORK should have, or establish if necessary, change control procedures to manage the RISKS to services supported by the network arising from the implementation of changes to the network (e.g. software upgrade to network components).
EXAMPLE 1 Common examples include software upgrades for antivirus software or bug fixes in networking switches and routers. Before upgrading hardware, software or firmware on infrastructure supporting MEDICAL DEVICES and medical systems, it is important that MEDICAL DEVICES that can be impacted are identified through an impact assessment. Undertaking such an assessment requires either detailed engineering knowledge of each component and its dependencies or, for example, the co-operation of the respective manufacturer. Whichever party takes responsibility for this should then review and validate their systems on the new hardware, software or firmware. It is also important to ensure that, whenever practicable, there is a back-out/regression plan which has also been tested. In this scenario, the RESPONSIBILITY AGREEMENT would set out the responsibilities of each party, e.g. how such activities would be initiated, who would notify whom, when, with what information, and how they would be expected to respond. There have already been documented instances where MEDICAL DEVICES have been adversely affected by such changes, and this was one reason for the US FDA's "Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software." See: http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
b) A clinical user of a MEDICAL DEVICE can desire to connect the MEDICAL DEVICE to a general purpose IT-NETWORK. Having a PROCESS in place to inform and involve relevant stakeholders early in the planning stage (i.e. prior to go live) could help avert uninformed decision making and implementation that could adversely impact other clinical systems that rely on the IT-NETWORK.
EXAMPLE 2 Demand already exists for this capability, e.g. delivery of MEDICAL DEVICE alarms via wireless communications devices carried by PATIENT care staff, automated/remote programming of infusion therapy pumps and Admit/Discharge/Transfer data feeds to medical monitoring systems. When doing so requires multiple otherwise independent stakeholders to be responsible for aspects of the system's development, implementation, operation and maintenance, it is imperative that all stakeholders are explicitly aware of and accept their responsibilities. A RESPONSIBILITY AGREEMENT serves as a vehicle to accomplish this.
0.2 Normative requirements from IEC 80001-1
In addition to the language of subclause 4.3.4 describing the RESPONSIBILITY AGREEMENT, subclauses 3.5 and 3.6 require information to be made available to the RESPONSIBLE ORGANIZATION by MEDICAL DEVICE manufacturers and IT suppliers, respectively. Both subclauses acknowledge the possibility that the information identified may be insufficient to address the RESPONSIBLE ORGANIZATION'S RISK MANAGEMENT needs by including the following notes:
NOTE 1 Where the content made available does not meet the RESPONSIBLE ORGANIZATION'S RISK MANAGEMENT need, additional content can be made available under a RESPONSIBILITY AGREEMENT.
NOTE 2 A RESPONSIBILITY AGREEMENT between the RESPONSIBLE ORGANIZATION and a MEDICAL DEVICE manufacturer can be used to identify and share the documentation needed.
TECHNICAL REPORT
Application of risk management for IT-networks incorporating medical devices — Part 2-6: Application guidance — Guidance for responsibility agreements
1 Scope
1.1 Purpose
This Technical Report provides guidance on implementing RESPONSIBILITY AGREEMENTS, which are described in IEC 80001-1 as used to establish the roles and responsibilities among the stakeholders engaged in the incorporation of a MEDICAL DEVICE into an IT-NETWORK in order to support compliance to IEC 80001-1. Stakeholders may include RESPONSIBLE ORGANIZATIONS, IT suppliers, MEDICAL DEVICE manufacturers and others. The goal of the RESPONSIBILITY AGREEMENT is that these roles and responsibilities should cover the complete lifecycle of the resulting MEDICAL IT-NETWORK.
1.2 Prerequisites
The RESPONSIBLE ORGANIZATION'S (RO's) TOP MANAGEMENT has accepted responsibility for the successful implementation of IEC 80001-1. As required by IEC 80001-1, the RO has created and approved policies for the RISK MANAGEMENT PROCESS and RISK acceptability criteria while balancing the three KEY PROPERTIES with the mission of the RO. The RO has identified and provisioned adequate resources and assigned qualified personnel to perform tasks related to the standard. The RO has appointed a MEDICAL IT-NETWORK RISK MANAGER and is prepared to establish the RESPONSIBILITY AGREEMENT.
2 Normative references
The following document, in whole or in part, is normatively referenced in this document and is indispensable for its application. As a dated reference, only the edition cited applies.
IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities
3 Terms and definitions
3.1
CHANGE PERMIT
outcome of the RISK MANAGEMENT PROCESS consisting of a document that allows a specified change or type of change without further RISK MANAGEMENT activities subject to specified constraints
[SOURCE: IEC 80001-1:2010, 2.3]
3.2
DATA AND SYSTEM SECURITY
operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability
[SOURCE: IEC 80001-1:2010, 2.5]
3.3
EFFECTIVENESS
ability to produce the intended result for the subject of care and the RESPONSIBLE ORGANIZATION
[SOURCE: IEC 80001-1:2010, 2.6]
3.4
EVENT MANAGEMENT
PROCESS that ensures that all events that can or might negatively impact the operation of the IT-NETWORK are captured, assessed, and managed in a controlled manner
[SOURCE: IEC 80001-1:2010, 2.7]
3.5
HARM
physical injury or damage to the health of people, or damage to property or the environment, or reduction in EFFECTIVENESS, or breach of DATA AND SYSTEM SECURITY
[SOURCE: IEC 80001-1:2010, 2.8]
3.6
HAZARD
potential source of HARM
[SOURCE: IEC 80001-1:2010, 2.9]
3.7
INFORMATION TECHNOLOGY
branch of engineering that deals with the use of computers and telecommunications to retrieve, store, and transmit information
3.8
IT-NETWORK
electronic data transmission facility which can comprise just a point-to-point wire link between two devices, or a complex arrangement of transmission lines
[SOURCE: IEC 80001-1:2010, 2.12]
3.9
KEY PROPERTIES
three RISK managed characteristics (SAFETY, EFFECTIVENESS, and DATA AND SYSTEM SECURITY) of MEDICAL IT-NETWORKS
[SOURCE: IEC 80001-1:2010, 2.13]
3.10
MEDICAL DEVICE
any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar or related article
a) intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific purpose(s) of:
diagnosis, prevention, monitoring, treatment or alleviation of disease,
diagnosis, monitoring, treatment, alleviation of or compensation for an injury,
investigation, replacement, modification, or support of the anatomy or of a physiological process,
supporting or sustaining life,
control of conception,
disinfection of MEDICAL DEVICES,
providing information for medical or diagnostic purposes by means of in vitro examination of specimens derived from the human body; and
b) which does not achieve its primary intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its intended function by such means.
Note 1 to entry: The definition of a device for in vitro examination includes, for example, reagents, calibrators, sample collection and storage devices, control materials, and related instruments or apparatus. The information provided by such an in vitro diagnostic device may be for diagnostic, monitoring or compatibility purposes. In some jurisdictions, some in vitro diagnostic devices, including reagents and the like, may be covered by separate regulations.
Note 2 to entry: Products which may be considered to be MEDICAL DEVICES in some jurisdictions but for which there is not yet a harmonized approach, are:
aids for disabled/handicapped people;
devices for the treatment/diagnosis of diseases and injuries in animals;
accessories for MEDICAL DEVICES (see Note 3 to entry);
disinfection substances;
devices incorporating animal and human tissues which may meet the requirements of the above definition but are subject to different controls.
Note 3 to entry: Accessories intended specifically by manufacturers to be used together with a 'parent' MEDICAL DEVICE to enable that MEDICAL DEVICE to achieve its intended purpose should be subject to the same GHTF procedures as apply to the MEDICAL DEVICE itself. For example, an accessory will be classified as though it is a MEDICAL DEVICE in its own right. This may result in the accessory having a different classification than the 'parent' device.
Note 4 to entry: Components to MEDICAL DEVICES are generally controlled through the manufacturer's quality management system and the conformity assessment procedures for the device. In some jurisdictions, components are included in the definition of a 'MEDICAL DEVICE'.
[SOURCE: IEC 80001-1:2010, 2.14, modified — NOTES changed to "notes to entry" format.]
3.11
MEDICAL IT-NETWORK
IT-NETWORK that incorporates at least one MEDICAL DEVICE
[SOURCE: IEC 80001-1:2010, 2.16]
3.12
MEDICAL IT-NETWORK RISK MANAGER
person accountable for RISK MANAGEMENT of a MEDICAL IT-NETWORK
[SOURCE: IEC 80001-1:2010, 2.17]
3.13
MONITORING
on-going review of all RISK MANAGEMENT activities and RISK control options that were put in place to achieve acceptable RISK in the use of MEDICAL IT-NETWORK(S)
3.14
PROCESS
set of interrelated or interacting activities which transforms inputs into outputs in a computer program
[SOURCE: IEC 80001-1:2010, 2.19]
3.15
RESPONSIBILITY AGREEMENT
one or more documents that together fully define the responsibilities of all relevant stakeholders
[SOURCE: IEC 80001-1:2010, 2.21]
3.16
RESPONSIBLE ORGANIZATION
entity accountable for the use and maintenance of a MEDICAL IT-NETWORK
[SOURCE: IEC 80001-1:2010, 2.22]
3.17
RISK
combination of the probability of occurrence of HARM and the severity of that HARM
[SOURCE: IEC 80001-1:2010, 2.23]
3.18
RISK ANALYSIS
systematic use of available information to identify HAZARDS and to estimate the RISK
[SOURCE: IEC 80001-1:2010, 2.24]
3.19
RISK ASSESSMENT
overall PROCESS comprising a RISK ANALYSIS and a RISK EVALUATION
[SOURCE: IEC 80001-1:2010, 2.25]
3.20
RISK EVALUATION
PROCESS of comparing the estimated RISK against given RISK criteria to determine the acceptability of the RISK
[SOURCE: IEC 80001-1:2010, 2.27]
3.21
RISK MANAGEMENT
systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling, and MONITORING RISK
[SOURCE: IEC 80001-1:2010, 2.28]
3.22
SAFETY
freedom from unacceptable RISK of physical injury or damage to the health of people or damage to property or the environment
[SOURCE: IEC 80001-1:2010, 2.30]
3.23
TOP MANAGEMENT
person or group of people who direct(s) and control(s) the RESPONSIBLE ORGANIZATION accountable for a MEDICAL IT-NETWORK at the highest level
[SOURCE: IEC 80001-1:2010, 2.31]
4 Key aspects for RESPONSIBILITY AGREEMENTS
4.1 Reasons and rationale
Among the important aspects of implementing and maintaining a MEDICAL IT-NETWORK is distributing responsibilities for its RISK MANAGEMENT activities. Clear allocation of these responsibilities is indispensable for achieving the targets of the three KEY PROPERTIES as defined by the RESPONSIBLE ORGANIZATION.
RESPONSIBILITY AGREEMENTS are a means to document the roles and responsibilities relating to RISK MANAGEMENT of the various stakeholders involved in the activities associated with procurement, implementation or through-life/in-service management of a MEDICAL IT-NETWORK. Each project/network will be different, and some may already have roles and responsibilities defined; in such cases the RESPONSIBILITY AGREEMENT will simply help with identifying any gaps. In other projects, however, the RESPONSIBLE ORGANIZATION may find that it becomes a key PROCESS for establishing the management PROCESSES that will be required to adequately manage RISKS relating to the three KEY PROPERTIES.
4.2 Participants
RESPONSIBILITY AGREEMENTS may not only be needed between the RO, MEDICAL DEVICE manufacturers, and IT suppliers but may also be helpful between different stakeholders within the RESPONSIBLE ORGANIZATION, such as the biomedical engineering department and the IT department.
4.3 Proposed types of RESPONSIBILITY AGREEMENTS
Depending upon the context for which it is to be used, a RESPONSIBILITY AGREEMENT can span the spectrum from informal to formal. A RESPONSIBILITY AGREEMENT can take the form of a Memorandum of Understanding (MoU), e.g. for 1) the Planning and Design Phase, 2) the Installation and Go Live Phase, and 3) the Maintenance Phase. Later in the life cycle, and given that there may be commitments to provide specific services in certain situations, a RESPONSIBILITY AGREEMENT for a system being placed in active clinical service may need to take the form of a legal contract.
4.4 Communication control
4.4.1 Bilateral versus multilateral RESPONSIBILITY AGREEMENTS
In the case that more than two parties are required to be included in RESPONSIBILITY AGREEMENTS, the MEDICAL IT-NETWORK RISK MANAGER should consider whether separate bilateral agreements or a common RESPONSIBILITY AGREEMENT should be set up. The difference between these solutions is the extent of information sharing. While a high degree of information sharing is often valuable, it needs to be weighed against privacy of information and increased effort in case of updates.
4.4.2 Non-disclosure agreements
In the event any stakeholder has concerns related to disclosing proprietary information, a confidentiality or Non-Disclosure Agreement (NDA) can be established with the RESPONSIBLE ORGANIZATION. This will ensure that the proprietary information is kept confidential between one or more stakeholders and the RESPONSIBLE ORGANIZATION.
In many cases technical data provided by the MEDICAL DEVICE manufacturer and IT suppliers which are essential for RISK MANAGEMENT of the MEDICAL IT-NETWORK are confidentiality-sensitive. A means to support this confidentiality is to limit the intended audience of this information (see also 4.4.1, bilateral versus multilateral) or to establish NDAs.
4.4.3 Update of information and documentation
Technical information as well as personnel responsible for specified activities may change over time. It is important that these changes are communicated to the stakeholders in a timely manner. This should be done by updating the documentation which contains this information, which in turn requires assigning revision identifiers to the documents. An appropriate mechanism should be described in the RESPONSIBILITY AGREEMENT(S) and should cover possible updates of the RESPONSIBILITY AGREEMENTS themselves.
4.5 Responsibility for establishing
The overall responsibility for establishing RESPONSIBILITY AGREEMENTS rests with the MEDICAL IT-NETWORK RISK MANAGER (see 4 c) and e) of IEC 80001-1:2010).
4.6 Methods for determination of responsibilities
The starting point for determination of responsibilities is the preparation of the overall plan for incorporation of MEDICAL DEVICES into the network. In addition, IEC 80001-1:2010, 4.3.5 b) requires for the RISK MANAGEMENT plan a description of activities, roles and responsibilities for all parties involved in operating/maintaining the MEDICAL IT-NETWORK, with respect to RISK MANAGEMENT.
Subclauses 3.4 through 3.6 of the standard define responsibilities for the usually involved parties, e.g. for the provision of specific information.
Setting up this plan requires the participation of the involved MEDICAL DEVICE manufacturers and IT suppliers. Usually, this planning comprises high level meetings with all MEDICAL DEVICE manufacturers and IT suppliers as well as meetings on a very detailed level with experts from at least two involved parties.
The MEDICAL IT-NETWORK RISK MANAGER should determine which level of detail needs to be defined in the RISK MANAGEMENT plan and which level of detail can be left up to the internal plans of the involved parties. The contents of the RESPONSIBILITY AGREEMENT(S) are based on this determination.
Analysis tools can be used to support identification, clarification, and understanding of stakeholder roles in any task of any phase. An example is the Responsible, Accountable, Consulted, Informed (RACI) chart, where the acronym RACI stands for:
Responsible for performing the task
Accountable for the task being completed
Consulted prior to the task being performed
Informed that the task has been completed.
An example of a RACI chart is contained in Annex A.
4.7 Life cycle considerations
When establishing RESPONSIBILITY AGREEMENTS it should be taken into account that different phases of the lifecycle necessitate different activities and different responsibilities. This should be considered from the very beginning of the project. For the purposes of this Technical Report, the lifecycle of a network can be considered as divided into the Planning and Design, Installation and Go Live, and Maintenance phases. The design phase includes the planning phase, where the network is designed to meet the needs of the specific healthcare delivery organization, as well as any phase where, for example, the architecture, topology or hardware used within an existing network is modified. The maintenance phase includes times where the network is operational and changes are completed while the network is in operation. Changes to the network during the maintenance phase are restricted to replacement of defective parts. Modification of the network according to CHANGE PERMITS as described in IEC 80001-1 may be seen as part of the maintenance phase.
Reference information supporting these phases is available from various sources. For example:
Manufacturer Disclosure Statement for MEDICAL DEVICE Security – MDS2
See also Annex B for information which might be required in specific phases.
5 Elements of a RESPONSIBILITY AGREEMENT
The purpose of this clause is to elaborate upon the requirements of subclause 4.3.4 of IEC 80001-1:2010. Boxed text [items a) – h)] is copied from IEC 80001-1:2010 to identify the subclauses for which guidance is provided.
NOTE 1 If in the following more than two parties are mentioned, this does not imply that multilateral RESPONSIBILITY AGREEMENTS are required or preferable compared to bilateral RESPONSIBILITY AGREEMENTS.
a) the name of the person responsible for RISK MANAGEMENT for the activities covered by the RESPONSIBILITY AGREEMENT
IEC 80001-1:2010, 4.3.4 a) requires provision of the name of the person responsible for the RISK MANAGEMENT project at each of the legal entities or, for a RESPONSIBILITY AGREEMENT between different stakeholders within the RESPONSIBLE ORGANIZATION, at each of those stakeholders.
Guidance:
1) In addition to the name, the necessary contact data should be provided.
NOTE Documentation of this information in a separate attachment allows for a more efficient search and easier update.
2) This person should have the authority to perform or initiate and control the tasks covered by the RESPONSIBILITY AGREEMENT in line with the requirements of the standard.
3) For the RESPONSIBLE ORGANIZATION this person is usually the MEDICAL IT-NETWORK RISK MANAGER.
4) Depending on the type and extent of activities cove...