National foreword

This British Standard is the UK implementation of ISO 81001‑1:2021.

The UK participation in its preparation was entrusted to Technical Committee IST/35, Health informatics.

A list of organizations represented on this committee can be obtained on request to its committee manager.

Contractual and legal considerations

This publication has been prepared in good faith, however no representation, warranty, assurance or undertaking (express or implied) is or will be made, and no responsibility or liability is or will be accepted by BSI in relation to the adequacy, accuracy, completeness or reasonableness of this publication. All and any such responsibility and liability is expressly disclaimed to the full extent permitted by the law.

This publication is provided as is, and is to be used at the recipient’s own risk.

The recipient is advised to consider seeking professional guidance with respect to its use of this publication.

This publication is not intended to constitute a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 May 2021.

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see http://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

This document was prepared jointly by Technical Committee ISO/TC 215, Health informatics, and Technical Committee IEC/TC 62, Electrical equipment in medical practice, Subcommittee SC 62A, Common aspects of electrical equipment used in medical practice.

A list of all parts in the ISO 81001 and IEC 81001 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

While the benefits of digital health are widely accepted, the potential for inadvertent and adverse impacts on safety, effectiveness and security caused by health software and health IT systems is also becoming more apparent. Today’s sophisticated health software and health IT systems provide advanced levels of decision support and integrate patient data between systems, across organizational lines, and across the continuum of care. In addition to the patient and healthcare system benefits this creates, there is also increased likelihood of software-induced adverse events causing harm to both patients and healthcare organizations. Design flaws, coding errors, incorrect implementation or configuration, data integrity issues, faults in decision support tools, poor alignment with clinical workflows and improper maintenance and use of health software and health IT systems are examples of events with the potential to cause harm.

Managing safety, effectiveness and security for health software and health IT systems (including medical devices), requires a comprehensive and coordinated approach to optimizing these three properties. Many organizations and roles are involved throughout the life cycle of health software and health IT systems (see Figure 1). Therefore, a common understanding of the concepts, principles and terminology is important in standardizing the processes and inter-organizational communications to support a coordinated approach to managing safety, effectiveness and security. This document takes into account the evolving complex internal and external context in healthcare, including people, technology (hardware/software), organizations, processes, and external environment.

Annex A provides further information on the rationale for this document, the terms and definitions being used and their relationship to other standards addressing various aspects of health software and health IT systemssafety, effectiveness and security.

In addition to a common set of terms, definitions and concepts, this document describes eight foundational elements in Clause 5, which support the overarching themes articulated in Clause 4. For each foundational element, there is a “statement” describing each element; a “rationale” explaining why it is important; “key concepts and principles” pertinent for managing safety, effectiveness and security; and high-level guidance on the “approach” organizations can take to apply the concepts and principles.

Given the importance of communication between the various organizations, roles and responsibilities involved across the life cycle of health software and health IT systems for the four foundational cross-organizational elements, additional sub-clauses on communication and information sharing at major transition points are also included for 5.3.2, 5.3.3, 5.3.4 and 5.3.5.

1 Scope

This document provides the principles, concepts, terms and definitions for health software and health ITsystems, key properties of safety, effectiveness and security, across the full life cycle, from concept to decommissioning, as represented in Figure 1. It also identifies the transition points in the life cycle where transfers of responsibility occur, and the types of multi-lateral communication that are necessary at these transition points. This document also establishes a coherent concepts and terminology for other standards that address specific aspects of the safety, effectiveness, and security (including privacy) of health softwareandhealth ITsystems.

This document is applicable to all parties involved in the health software and health ITsystemslife cycle including the following:

Organizations, health informatics professionals and clinical leaders designing, developing, integrating, implementing and operating health softwareandhealth ITsystems – for example health softwaredevelopers and medical devicemanufacturers, systemintegrators, systemadministrators (including cloud and other IT service providers);
Healthcare service delivery organizations, healthcare providers and others who use health softwareandhealth ITsystems in providing health services;
Governments, health system funders, monitoring agencies, professional organizations and customers seeking confidence in anorganization’s abilitytoconsistently provide safe, effective and securehealth software, health ITsystems and services;
Organizations and interested parties seeking to improve communication in managing safety, effectiveness and securityrisks through a common understanding of the concepts and terminology used in safety, effectiveness and security management;
Providers of training, assessment or advice in safety, effectiveness and securityrisk management for health softwareandhealth ITsystems;
Developers of related safety, effectiveness and security standards.

2 Normative references

3 Terms and definitions

3.1 Organizations, people, and roles

3.2 Key properties and processes

3.3 Health information and technology

3.4 Risk management

4 Core themes

4.1 General

4.2 Sociotechnical ecosystem

4.3 System of systems

4.4 Life cycle of health software and health IT systems

4.5 Roles and responsibilities

4.6 Communication

4.7 Interdependence of safety, effectiveness and security

5 Foundational elements

5.1 General

5.2 Governance (intra organization focus)

5.3 Knowledge transfer (inter- and intra- organization collaboration)

Bibliography

BS ISO 81001-1:2021

Health software and health IT systems safety, effectiveness and security - Principles and concepts

Current, Under Review

Published:

31 Oct 2022