IEC 80001-1
Edition 1.0 2010-10

INTERNATIONAL STANDARD / NORME INTERNATIONALE

Application of risk management for IT-networks incorporating medical devices
Part 1: Roles, responsibilities and activities

Application de la gestion des risques aux réseaux des technologies de l'information contenant des dispositifs médicaux
Partie 1: Fonctions, responsabilités et activités

INTERNATIONAL ELECTROTECHNICAL COMMISSION / COMMISSION ELECTROTECHNIQUE INTERNATIONALE

IEC 80001-1:2010
ICS 11.040.01; 35.240.80
ISBN 978-2-88912-221-9
Price code X

THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2010 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch

About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition, as a corrigendum or an amendment might have been published.

Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee, ...). It also gives information on projects, withdrawn and replaced publications.

IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available on-line and also by email.

Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms, containing more than 20 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary online.

Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00

CONTENTS

FOREWORD .... 4
INTRODUCTION .... 6
1 Scope .... 9
2 Terms and definitions .... 9
3 Roles and responsibilities .... 14
  3.1 General .... 14
  3.2 RESPONSIBLE ORGANIZATION .... 14
  3.3 TOP MANAGEMENT responsibilities .... 15
  3.4 MEDICAL IT-NETWORK RISK MANAGER .... 16
  3.5 MEDICAL DEVICE manufacturer(s) .... 17
  3.6 Providers of other information technology .... 18
4 Life cycle RISK MANAGEMENT in MEDICAL IT-NETWORKS .... 19
  4.1 Overview .... 19
  4.2 RESPONSIBLE ORGANIZATION RISK MANAGEMENT .... 20
    4.2.1 POLICY FOR RISK MANAGEMENT for incorporating MEDICAL DEVICES .... 20
    4.2.2 RISK MANAGEMENT PROCESS .... 21
  4.3 MEDICAL IT-NETWORK RISK MANAGEMENT planning and documentation .... 21
    4.3.1 Overview .... 21
    4.3.2 RISK-relevant asset description .... 22
    4.3.3 MEDICAL IT-NETWORK documentation .... 22
    4.3.4 RESPONSIBILITY AGREEMENT .... 22
    4.3.5 RISK MANAGEMENT plan for the MEDICAL IT-NETWORK .... 24
  4.4 MEDICAL IT-NETWORK RISK MANAGEMENT .... 24
    4.4.1 Overview .... 24
    4.4.2 RISK ANALYSIS .... 24
    4.4.3 RISK EVALUATION .... 25
    4.4.4 RISK CONTROL .... 25
    4.4.5 RESIDUAL RISK evaluation and reporting .... 26
  4.5 CHANGE-RELEASE MANAGEMENT and CONFIGURATION MANAGEMENT .... 27
    4.5.1 CHANGE-RELEASE MANAGEMENT PROCESS .... 27
    4.5.2 Decision on how to apply RISK MANAGEMENT .... 27
    4.5.3 Go-live .... 29
  4.6 Live network RISK MANAGEMENT .... 29
    4.6.1 Monitoring .... 29
    4.6.2 EVENT MANAGEMENT .... 29
5 Document control .... 30
  5.1 Document control procedure .... 30
  5.2 MEDICAL IT-NETWORK RISK MANAGEMENT FILE .... 30
Annex A (informative) Rationale .... 31
Annex B (informative) Overview of RISK MANAGEMENT relationships .... 35
Annex C (informative) Guidance on field of application .... 36
Annex D (informative) Relationship with ISO/IEC 20000-2:2005, Information technology - Service management - Part 2: Code of practice .... 38
Bibliography .... 42

Figure 1 - Illustration of TOP MANAGEMENT responsibilities .... 16
Figure 2 - Overview of life cycle of MEDICAL IT-NETWORKS including RISK MANAGEMENT .... 20
Figure B.1 - Overview of roles and relationships .... 35
Figure D.1 - Service management processes .... 39
Table A.1 - Relationship between ISO 14971 and IEC 80001-1 .... 33
Table C.1 - IT-NETWORK scenarios that can be encountered in a clinical environment .... 36
Table D.1 - Relationship between IEC 80001-1 and ISO/IEC 20000-1:2005 or ISO/IEC 20000-2:2005 .... 40

INTERNATIONAL ELECTROTECHNICAL COMMISSION

APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INCORPORATING MEDICAL DEVICES
Part 1: Roles, responsibilities and activities

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects, since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently
to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents, including individual experts and members of its technical committees and IEC National Committees, for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 80001-1 has been prepared by a joint working group of subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical equipment in medical practice, and ISO technical committee 215: Health informatics. It is published as a double logo standard.

The text of this standard is based on the following documents:

FDIS: 62A/703/FDIS
Report on voting: 62A/718/RVD

Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table. In ISO, the standard has been approved by 17 P-members out of 18 having cast a vote.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

Terms defined in Clause 2 of this standard are printed in SMALL CAPITALS.

For the purposes of this standard:
"shall" means that compliance with a requirement is mandatory for compliance with this standard;
"should" means that compliance with a requirement is recommended but is not mandatory for compliance with this standard;
"may" is used to describe a permissible way to achieve compliance with a requirement; and
"establish" means to define, document, and implement.

A list of all parts of the IEC 80001 series, published under the general title Application of risk management for IT-networks incorporating medical devices, can be found on the IEC website.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be reconfirmed, withdrawn, replaced by a revised edition, or amended.

IMPORTANT: The "colour inside" logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this document using a colour printer.

INTRODUCTION

An increasing number of MEDICAL DEVICES are designed to exchange information electronically with other equipment in the user environment, including other MEDICAL DEVICES. Such information is frequently exchanged through an information technology network (IT-NETWORK) that also transfers data of a more general nature. At the same time, IT-NETWORKS are becoming increasingly vital to the clinical environment and are now required to carry increasingly
diverse traffic, ranging from life-critical patient data requiring immediate delivery and response, to general corporate operations data, and to e-mail containing potentially malicious content (e.g. viruses).

For many jurisdictions, design and production of MEDICAL DEVICES is subject to regulation, and to standards recognized by the regulators. Traditionally, regulators direct their attention to MEDICAL DEVICE manufacturers, by requiring design features and by requiring a documented PROCESS for design and manufacturing. MEDICAL DEVICES cannot be placed on the market in these jurisdictions without evidence that those requirements have been met. The use of the MEDICAL DEVICES by clinical staff is also subject to regulation. Members of clinical staff have to be appropriately trained and qualified, and are increasingly subject to defined PROCESSES designed to protect patients from unacceptable RISK.

In contrast, the incorporation of MEDICAL DEVICES into IT-NETWORKS in the clinical environment is a less regulated area. IEC 60601-1:2005 [1] 1) requires MEDICAL DEVICE manufacturers to include some information in ACCOMPANYING DOCUMENTS if the MEDICAL DEVICE is intended to be connected to an IT-NETWORK. Standards are also in place covering common information technology activities, including planning, design and maintenance of IT-NETWORKS, for instance ISO 20000-1:2005 [9]. However, until the publication of this standard, no standard addressed how MEDICAL DEVICES can be connected to IT-NETWORKS, including general-purpose IT-NETWORKS, to achieve INTEROPERABILITY without compromising the organization a