BS EN 80001-1:2011 Application of risk management for IT-networks incorporating medical devices. Roles, responsibilities and activities

Status: Current, Work in hand. Published: April 2011


Recognizing that medical devices are incorporated into IT-networks to achieve desirable benefits (for example, interoperability), this international standard defines the roles, responsibilities and activities that are necessary for risk management of IT-networks incorporating medical devices to address safety, effectiveness and data and system security (the key properties). This international standard does not specify acceptable risk levels.

BS EN 80001-1 is the standard that applies after a medical device has been acquired by a responsible organization and is a candidate for incorporation into an IT-network. BS EN 80001-1 does not cover pre-market risk management. It applies throughout the life cycle of IT-networks incorporating medical devices.

This standard applies where there is no single medical device manufacturer assuming responsibility for addressing the key properties of the IT-network incorporating a medical device. It applies to responsible organizations, medical device manufacturers and providers of other information technology for the purpose of risk management of an IT-network incorporating medical devices as specified by the responsible organization.

BS EN 80001-1 does not apply to personal use applications where the patient, operator and responsible organization are one and the same person. It does not address regulatory or legal requirements.

An increasing number of medical devices are designed to exchange information electronically with other equipment in the user environment, including other medical devices. Such information is frequently exchanged through an information technology network (IT-network) that also transfers data of a more general nature.

At the same time, IT-networks are becoming increasingly vital to the clinical environment and are now required to carry increasingly diverse traffic, ranging from life-critical patient data requiring immediate delivery and response, to general corporate operations data, to email containing potentially malicious content (e.g. viruses).

For many jurisdictions, design and production of medical devices is subject to regulation, and to standards recognized by the regulators. Traditionally, regulators direct their attention to medical device manufacturers, by requiring design features and by requiring a documented process for design and manufacturing. Medical devices cannot be placed on the market in these jurisdictions without evidence that those requirements have been met.

The use of the medical devices by clinical staff is also subject to regulation. Members of clinical staff have to be appropriately trained and qualified, and are increasingly subject to defined processes designed to protect patients from unacceptable risk.

In contrast, the incorporation of medical devices into IT-networks in the clinical environment is a less regulated area. IEC 60601-1:2005 requires medical device manufacturers to include some information in accompanying documents if the medical device is intended to be connected to an IT-network. Standards are also in place covering common information technology activities including planning, design and maintenance of IT-networks, for instance ISO 20000-1:2005.

However, until the publication of this standard, no standard addressed how medical devices can be connected to IT-networks, including general purpose IT-networks, to achieve interoperability without compromising the organization and delivery of health care in terms of safety, effectiveness, and data and system security.

BS EN 80001-1 is addressed to responsible organizations, to manufacturers of medical devices, and to providers of other information technology.

Contents of BS EN 80001-1:

  • Scope
  • Terms and definitions
  • Roles and responsibilities
    • Responsible organization
    • Top management responsibilities
    • Medical IT-network risk manager
    • Medical device manufacturer(s)
    • Providers of other information technology
  • Life cycle risk management in medical IT-networks
    • Overview
    • Responsible organization risk management
      • Policy for risk management for incorporating medical devices
      • Risk management process
    • Medical IT-network risk management planning and documentation
      • Overview
      • Risk-relevant asset description
      • Medical IT-network documentation
      • Responsibility agreement
      • Risk management plan for the medical IT-network
    • Medical IT-network risk management
      • Overview
      • Risk analysis
      • Risk evaluation
      • Risk control
      • Residual risk evaluation and reporting
    • Change-release management and configuration management
      • Change-release management process
      • Decision on how to apply risk management
      • Go-live
    • Live network risk management
      • Monitoring
      • Event management
  • Document control
    • Document control procedure
    • Medical IT-network risk management file
  • Rationale
  • Overview of risk management relationships
  • Guidance on field of application
  • Relationship with ISO/IEC 20000-2:2005 Information technology – Service management – Part 2: Code of practice
  • Bibliography
  • Illustration of top management responsibilities
  • Overview of life cycle of medical IT-networks including risk management
  • Overview of roles and relationships
  • Service management processes
  • Relationship between ISO 14971 and IEC 80001-1
  • IT-network scenarios that can be encountered in a clinical environment
  • Relationship between IEC 80001-1 and ISO/IEC 20000-1:2005 or ISO/IEC 20000-2:2005

Standard Number: BS EN 80001-1:2011
Title: Application of risk management for IT-networks incorporating medical devices. Roles, responsibilities and activities
Status: Current, Work in hand
Publication Date: 30 April 2011
Normative References (required to achieve compliance to this standard): No other standards are normatively referenced
Informative References (provided for information): IEC 60601-1:2005, ISO/IEC 20000-1:2005, ISO 31000:2009, ISO/IEC 20000-2:2005, ISO 9000:2005, IEC 61907:2009, ISO/IEC 15408, ISO/IEC 15026-2, ISO 16484-2:2004, IEC 62304:2006, ISO 14971:2007
International Relationships: EN 80001-1:2011, IEC 80001-1:2010
Draft Superseded By: 09/30157835 DC
Descriptors: Risk assessment, Technical documents, Health services, Personnel, Project management, Medical equipment, Data transfer, Computer networks, Management, Information exchange, Data security, Risk analysis, Communication networks, Data processing
Title in French: Application de la gestion des risques aux réseaux des technologies de l'information contenant des dispositifs médicaux. Fonctions, responsabilités et activités
Title in German: Anwendung des Risikomanagements für IT-Netzwerke, die Medizinprodukte beinhalten. Aufgaben, Verantwortlichkeiten und Aktivitäten
ISBN: 978 0 580 57854 0
File Size: 1.282 MB

Related documents in the same series:

  • PD IEC/TR 80001-2-1:2012
    Application of risk management for IT-networks incorporating medical devices. Step-by-step risk management of medical IT-networks. Practical applications and examples
  • PD IEC/TR 80001-2-2:2012
    Application of risk management for IT-networks incorporating medical devices. Guidance for the disclosure and communication of medical device security needs, risks and controls
  • PD IEC/TR 80001-2-3:2012
    Application of risk management for IT-networks incorporating medical devices. Guidance for wireless networks
  • PD IEC/TR 80001-2-4:2012
    Application of risk management for IT-networks incorporating medical devices. Application guidance. General implementation guidance for healthcare delivery organizations