An example of this research is the development of a Framework for the Assessment of Risk within Medical IT Networks. Medical devices are subject to strict regulations in order to ensure their safety. While traditionally medical devices were developed to be stand-alone, increasingly these devices are being incorporated into hospital IT networks so that they can communicate with other hospital systems such as patient electronic health records or details of their prescriptions. This can have many benefits in providing care to patients, such as reducing the time that nurses need to spend transcribing information and reducing the errors caused by doing so. However, placing a device onto such a network can introduce additional risks which may compromise the safety, effectiveness and security of the device and the network. In 2010, a standard named IEC 80001-1 was published to address these risks. The standard explains the risk management activities that should be performed before putting a device onto a network and while maintaining that device to ensure that it continues to work as intended. While the standard was recognised as useful by hospitals, they found the requirements of the standard difficult to understand and implement. To address these difficulties, this research focused on the development of a framework which would allow hospitals to assess how well they perform risk management activities related to these devices and allow improvements to these processes to be identified. The framework can be used by any hospital regardless of size or the region in which it operates. This framework was published in 2015 as a technical report within the IEC 80001-1 family of standards as ISO TR 80001-2-7. This research was led by Dr Silvana Togneri Mac Mahon of the Regulated Software Research Centre (RSRC) at Dundalk Institute of Technology (Lero@DkIT).
The framework has helped hospitals improve their risk management processes and ensure that medical devices can be placed safely onto a hospital IT network.


This research has made a number of contributions as follows:

  • The framework has improved the understanding of the requirements of the IEC 80001-1 standard and its adoption in hospitals
  • In a hospital where the framework was used, the risk management process relating to putting medical devices onto networks, and maintaining those devices, improved (an example is discussed below)
  • This standard is being revised. Using the framework in hospitals is influencing the way in which the standard will be revised. A process approach similar to the framework will be used.

As IEC 80001-1 was published in 2010, the standard is now scheduled for revision. Before starting the revision, feedback was gathered from hospitals who had experience of implementing the requirements of the standard. This feedback showed that the standard would be easier to understand and implement if it was revised as a “process standard” explaining the activities that need to be carried out and the outcomes of these activities. This approach is similar to that used in the framework.

Case Study

A publication produced as a result of this research, published in the Association for the Advancement of Medical Instrumentation (AAMI) Biomedical Instrumentation and Technology journal, describes an exercise undertaken to assess the medical IT network risk management practice implemented within a hospital to control risk associated with a clinical information system (CIS) in St. James’s Hospital in Dublin. The framework developed by Lero’s Regulated Software Research Centre (RSRC) was used to review how well risk management processes, related to putting medical devices onto networks, were being performed. The purpose of this exercise was to identify how the management of such an existing CIS project meets the requirements of IEC 80001-1.

As a result of the assessment using the framework, a number of recommendations were made in order to improve risk management processes related to the management of the CIS and to improve compliance with the requirements of the standard. These recommendations included: ensuring that risk management processes were documented; discussion of risk-related issues specific to network technology management among stakeholder groups; and implementing a single documented risk management policy defining how clinical engineering and IT work together to manage network infrastructure and medical devices as a single system. Also as a result of the assessment, risk management activities were included in job descriptions for roles within the hospital and risk management was added as a recurring agenda item during weekly meetings of a multi-disciplinary team. This team includes relevant risk management stakeholders from various departments. Additional improvements were also made following assessment with the clinical engineering and IT groups who have completed a shared mapping exercise to clearly identify all components of the network and describe how the network is configured. The team held formal meetings with the system suppliers to review the responsibility agreements and share information pertinent to risk management processes. In general, the risk management of the system is given a higher priority at team meetings. Processes associated with change control, where a change is made to the network or a device on the network, have been reviewed and improved.

Related Publications

Hegarty, F.J., MacMahon, S.T., Byrne, P. and McCaffery, F., 2014. Assessing a hospital's medical IT network risk management practice with 80001-1. Biomedical Instrumentation & Technology, 48(1), pp.64-71.

MacMahon, S.T., McCaffery, F. and Keenan, F., 2015. Development of the MedITNet Assessment Method. Enabling Healthcare Delivery Organisation Self Assessment against IEC 80001-1. In The First International Conference on Fundamentals and Advances in Software Systems Integration FASSI 2015, August 23-28, 2015, Venice, Italy (pp. 1-7).

MacMahon, S.T., McCaffery, F. and Keenan, F., 2016. The MedITNet Assessment Method: Development and Validation using Action Design Research. Self Assessment against IEC 80001-1. International Journal on Advances in Life Sciences, 8(1 & 2), pp.143-153.

MacMahon, S.T., McCaffery, F. and Keenan, F., 2016. The MedITNet assessment framework: development and validation of a framework for improving risk management of medical IT networks. Journal of Software: Evolution and Process, 28(9), pp.817-834.

Meet The Expert - Dr. Fergal McCaffery
