New Work Proposing Initiation of a Revision of IEC :2010 with an expanded scope and revised title as:


Doc. HITN059

New Work Proposing Initiation of a Revision of IEC :2010 with an expanded scope and revised title as:

IEC , Safety, effectiveness and security in the implementation and clinical use of connected medical devices or connected health software Part 1-1: Application of risk management

This New Work Proposal has been circulated to ISO/TC 215 and IEC/SC 62A for approval. If approved, the work will begin at international meetings this fall in Frankfurt and Oslo.

The AAMI Health IT committee is being asked to provide input to the U.S. TAG for ISO/TC 215, Health informatics, as it considers this proposal. Any comments in support or in opposition to this proposal should be submitted by to no later than August 2016.

Background on the ISO/IEC series and their adoption by AAMI

ISO/TC 215, Health informatics, and IEC/SC 62A, Common aspects of electrical equipment used in medical practice, have developed the ISO/IEC series of standards and technical reports addressing risk management of IT networks incorporating medical devices. The published parts of this series are:

- IEC :2010, Application of risk management for IT networks incorporating medical devices - Part 1: Roles, responsibilities and activities
- IEC/TR :2012, Application of risk management for IT networks incorporating medical devices - Part 2-1: Step by Step Risk Management of Medical IT Networks; Practical Applications and Examples
- IEC/TR :2012, Application of risk management for IT networks incorporating medical devices - Part 2-2: Guidance for the communication of medical device security needs, risks and controls
- IEC :2012, Application of risk management for IT networks incorporating medical devices - Part 2-3: Guidance for wireless networks
- IEC/TR :2012, Application of risk management for IT networks incorporating medical devices - Part 2-4: General implementation guidance for Healthcare Delivery Organizations
- IEC/TR :2014, Application of risk management for IT networks incorporating medical devices - Part 2-5: Application guidance - Guidance for distributed alarm systems
- ISO/TR :2014, Application of risk management for IT networks incorporating medical devices - Part 2-6: Application guidance - Guidance for responsibility agreements
- ISO/TR :2015, Application of risk management for IT networks incorporating medical devices - Application guidance - Part 2-7: Guidance for healthcare delivery organizations (HDOs) on how to self-assess their conformance with IEC
- IEC/TR :2016, Application of risk management for IT networks incorporating medical devices - Part 2-8: Application guidance - Guidance on standards for establishing the security capabilities identified in IEC

AAMI, which administers the international work on this series, has adopted all the existing parts of the existing series as American National Standards or as AAMI Technical Information Reports. If revision of is undertaken, the AAMI Health IT Committee will likely consider adoption of the revised document as a revision of ANSI/AAMI/IEC :2010.

For more information, please contact Joe Lewelling at jlewelling@aami.org.

Form 4: New Work Item Proposal

Circulation date:
Closing date for voting:
Reference number: N2043_Revision ISO IEC :2010 (to be given by Central Secretariat)
Proposer: ANSI
ISO/TC 215, Health informatics /SC 62A
Proposal for a new PC
Secretariat: AHIMA

A proposal for a new work item within the scope of an existing committee shall be submitted to the secretariat of that committee with a copy to the Central Secretariat and, in the case of a subcommittee, a copy to the secretariat of the parent technical committee. Proposals not within the scope of an existing committee shall be submitted to the secretariat of the ISO Technical Management Board.

The proposer of a new work item may be a member body of ISO, the secretariat itself, another technical committee or subcommittee, an organization in liaison, the Technical Management Board or one of the advisory groups, or the Secretary-General.

The proposal will be circulated to the P-members of the technical committee or subcommittee for voting, and to the O-members for information.

IMPORTANT NOTE: Proposals without adequate justification risk rejection or referral to originator. Guidelines for proposing and justifying a new work item are contained in Annex C of the ISO/IEC Directives, Part 1.

The proposer has considered the guidance given in the Annex C during the preparation of the NWIP.

Proposal (to be completed by the proposer)

Title of the proposed deliverable.

English title: IEC (2nd ed), Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software Part 1: Application of risk management

French title (if available): IEC (2nd ed.), Sécurité, efficacité et sécurité dans la mise en œuvre et l'utilisation des dispositifs médicaux connectés ou des logiciels de santé connecté - Partie 1: Application de la gestion des risques

(In the case of an amendment, revision or a new part of an existing document, show the reference number and current title)

Scope of the proposed deliverable.

Proposed Scope: ISO/TC 215 IEC/SC 62A Joint Working Group (JWG) 7 has drafted the proposed title change above and the following scope change for IEC

The implementation and use of connected medical devices or health software to support health IT systems and services entails risk. This international standard provides general requirements for applying risk management to Health Information Technology (HIT) systems by addressing the key properties of safety, effectiveness and both data and system security (including privacy) while engaging appropriate stakeholders. In this context, "implementation" refers to the technology lifecycle phases and activities that are required after health software or medical devices have been released and made available to the market and are being prepared for connection and use.

Connected devices, software and HIT systems generally rely upon shared IT infrastructures that may be composed of wired and wireless networks, direct connections (e.g., RS232, USB) or internet-based services (e.g. cloud services). These IT infrastructures are often used for both clinical (e.g. patient monitoring systems) and non-clinical organizational functions (e.g., accounting, scheduling, social networking, multimedia, file sharing) thus impacting the scope of risk assessment.

This standard will apply to existing or new HIT system(s) and will scale from incorporation of a single device or health software instance to large integrated HIT systems.

This standard will provide requirements and guidance for the multiple stakeholders potentially involved in the application of risk management to HIT systems. Examples include healthcare delivery organizations, medical device manufacturers, IT vendors, health software developers, healthcare IT service providers. It also applies to health organizations that have created their own health software or hardware.

This standard will not cover risk management applied by a medical device manufacturer or health software developer during those phases of the lifecycle from conception to release. This standard will not address regulatory or legal requirements.

Note: In this standard, the conjunctive "or" is used as an "inclusive or", so a statement is true if any combination of the conditions is true.

Purpose and justification of the proposal*

Safety risks can be introduced throughout the lifecycle stages as shown by reported incidents, research and publications (such as the November 2012 U.S. Institute of Medicine (IOM) Health IT and Patient Safety report).

In November 2014, IEC/SC 62A, with the support of ISO/TC 215, approved in principle the project to revise IEC However, having taken due regard of the ongoing work of the ISO/TC 215 Health Software Ad Hoc Group, which included experts from SC 62A, the officers of 62A agreed to delay the formal start of work to revise IEC until the ad hoc group completed its report.

The ISO/TC 215 Health Software Ad Hoc Group spent two years building on the work that produced ISO/TS and looking at the broader question of how to address risk management in the context of information governance and overall safety management within a healthcare organization. The Ad Hoc Group published a report on Health Software & Health IT Safety Standards, Future State Architecture/Framework and Roadmap in 2015 (circulated as doc. 62A/1009/INF and TC 215 N1738), which included specific recommendations for future work around the revision of the documents as well as new foundational documents that would cover the entire HIT lifecycle.

Concurrently, several series implementation projects were underway in different countries, where vendors and clinical experts worked to apply risk management to networked medical technology. These projects met with varied success, some beyond expectation, but many others with frustration, causing some to ask whether the series was usable and would ever be able to achieve its objective of significantly improving the safety, effectiveness and security of networked healthcare technology.

In addition to the difficult "regulatory" language used in parts of the series, the implementation projects identified the following barriers to adoption of the standards:

- lack of patient safety consideration at points of potential failure
- lack of executive management support within the HDO
- relevance of the standard in the modern world of platform/software/etc. as a service and complex software systems
- inconsistency around security between organizations and their processes
- challenges with scalability of the standard and no clear indication of where to start
- lack of awareness and understanding regarding the linkages between safety issues related to medical devices and networked environments

The purpose of this revision is to address these issues within IEC and to expand the scope (as requested in ISO/TC 215 Resolution ) to:

- expand the scope from networks incorporating medical devices to IT infrastructure incorporating medical devices or health software,
- expand the scope to address risk management within the broader context of IT service management,
- address the internal and external context, including people, technology, organization, process, environment, and
- explore the need for applying system engineering concepts to health IT life cycle processes.

The risk management elements to be addressed in this revision of IEC will be based upon existing standards with concepts adapted and extended as appropriate for use by a healthcare delivery organization and the stakeholders supporting implementation and clinical use of interconnected medical devices or health software. The work undertaken will align with and take advantage of existing standards including Guide 73, ISO 31000, ISO 14971, and others.

ISO procedures require the acceptance of a new work item proposal in order to change the scope of a published standard. In IEC, a resolution of the responsible committee is required. In parallel with the circulation of this NP, a questionnaire is being circulated in IEC/SC 62A (see document 62A/1094/Q) seeking the approval of the 62A National Committees of the modified title and scope of IEC

Consider the following: Is there a verified market need for the proposal? What problem does this standard solve? What value will the document bring to end-users? See Annex C of the ISO/IEC Directives part 1 for more information. See the following guidance on justification statements on ISO Connect:

Preparatory work (at a minimum an outline should be included with the proposal)

- A draft is attached
- An outline is attached
- An existing document to serve as initial basis

The proposer or the proposer's organization is prepared to undertake the preparatory work required: Yes / No

If a draft is attached to this proposal, please select from one of the following options (note that if no option is selected, the default will be the first option):

- Draft document will be registered as new project in the committee's work programme (stage 20.00)
- Draft document can be registered as a Working Draft (WD stage 20.20)
- Draft document can be registered as a Committee Draft (CD stage 30.00)
- Draft document can be registered as a Draft International Standard (DIS stage 40.00)

Is this a Management Systems Standard (MSS)? Yes / No

NOTE: if Yes, the NWIP along with the Justification study (see Annex SL of the Consolidated ISO Supplement) must be sent to the MSS Task Force secretariat (tmb@iso.org) for approval before the NWIP ballot can be launched.

Indication(s) of the preferred type or types of deliverable(s) to be produced under the proposal.

- International Standard
- Publicly Available Specification
- Technical Specification
- Technical Report

Proposed development track

- 1 (24 months)
- 2 (36 months - default)
- 3 (48 months)

Note: Good project management is essential to meeting deadlines. A committee may be granted only one extension of up to 9 months for the total project duration (to be approved by the ISO/TMB).

Known patented items (see ISO/IEC Directives, Part 1 for important guidance): Yes / No

If "Yes", provide full information as annex

Co-ordination of work: To the best of your knowledge, has this or a similar proposal been submitted to another standards development organization? Yes / No

If Yes, please specify which one(s): This is a joint work item with IEC/SC 62A, Common aspects of electrical equipment in medical practice

A statement from the proposer as to how the proposed work may relate to or impact on existing work, especially existing ISO and IEC deliverables. The proposer should explain how the work differs from apparently similar work, or explain how duplication and conflict will be minimized.

This is a revision of IEC Revision of the series was suggested by a review performed by IEC/SC 62A in (See documents 62A/962/CD and 62A/976/INF). A revision with an expanded scope was recommended by the ISO/TC 215 Ad hoc Group on Health Software (with IEC/SC 62A experts participating). In San Francisco, ISO/TC 215 adopted resolution 2015-N41 requesting that this revision be proposed to both IEC/SC 62A and ISO/TC 215.

A listing of relevant existing documents at the international, regional and national levels.

- Other existing parts of ISO/IEC series
- ISO Guide 73:2009 Risk management -- Vocabulary
- ISO 31000:2009 Risk Management Principles and guidelines
- ISO 14971:2007 Medical devices Application of risk management to medical devices

A simple and concise statement identifying and describing relevant affected stakeholder categories (including small and medium sized enterprises) and how they will each benefit from or be impacted by the proposed deliverable(s)

All stakeholders involved in Health IT and HIT systems will benefit when such systems are made safer, more effective, and more secure. This includes:

1) medical device or health software manufacturers, developers and vendors, HIT component vendors, IT vendors,
2) test houses, regulators, certification bodies, insurers, risk managers,
3) integrators, implementers, third party service providers,
4) Healthcare Delivery Organizations, healthcare service providers, individual healthcare professionals, and
5) clinicians using HIT, operators and users of HIT, those who maintain HIT systems, patients.

Liaisons: A listing of relevant external international organizations or internal parties (other ISO and/or IEC committees) to be engaged as liaisons in the development of the deliverable(s).

Existing liaisons of ISO

Joint/parallel work: Possible joint/parallel work with:

- IEC (please specify committee ID): IEC/SC 62A
- CEN (please specify committee ID): CEN/TC 251
- Other (please specify):

A listing of relevant countries which are not already P-members of the committee.

None

Note: The committee secretary shall distribute this NWIP to the countries listed above to see if they wish to participate in this work

Proposed Project Leader (name and address): Phil Raymond (phillip.raymond@philips.com), Todd Cooper (toddcooperafc@gmail.com)

Name of the Proposer (include contact information): Todd Cooper US / ANSI (toddcooperafc@gmail.com)

This proposal will be developed by:

- An existing Working Group (please specify which one: ISO/TC 215-IEC/SC 62A JWG 7)
- A new Working Group (title:) (Note: establishment of a new WG must be approved by committee resolution)
- The TC/SC directly
- To be determined

Supplementary information relating to the proposal

- This proposal relates to a new ISO document;
- This proposal relates to the adoption as an active project of an item currently registered as a Preliminary Work Item;
- This proposal relates to the re-establishment of a cancelled project as an active project.
- Other: This proposal relates to the revision of an existing standard

Annex(es) are included with this proposal (give details)