IEC 80001-1 - Dundalk Institute of Technology
A Process Assessment Model for Assessing the Risk Associated with Placing a Medical Device on a Medical IT Network
Silvana Togneri MacMahon, Fergal Mc Caffery, Frank Keenan
Regulated Software Research Group & Lero
Dundalk Institute of Technology
Dundalk
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
Lero© 2013.
Presentation Overview
• Introduction
• Problem Background
• Overview of IEC 80001-1
• Approach to the Development of the PRM and PAM
• Overview of the PRM and PAM
• Overview of the Assessment Method
• Progress to Date and Future Work
• Conclusions
Introduction
• Problem: While medical devices are stringently regulated prior to
marketing, placing a device onto an IT network may result in the
device not behaving as intended.
• Solution: IEC 80001-1:2010 Application of risk management for IT-networks incorporating medical devices - Part 1: Roles,
responsibilities and activities was developed to address these risks.
• To avoid unintended consequences of placing a device on an IT
network, a high level of co-operation among risk management
stakeholders, including Medical Device Manufacturers (MDM) and
Responsible Organisations (RO), is required.
• Our Contribution: Our research focuses on providing an assessment
framework to allow Responsible Organisations and Medical Device
Manufacturers to understand the requirements of the standard and
assess themselves against these requirements.
Problem Background:
Medical IT Networks
• Increasingly, medical devices are being designed to exchange
electronic information with other devices, including other medical
devices.
• Placing a device on an IT network can introduce risks that may
not have been considered during the design and manufacture
of the device.
• As hospitals become more reliant on networks and place more
devices on them, any network failure compromises hospital
operations and impacts patient care.
• “Network down time in safety critical systems is not
acceptable.”*
* Bavesh Patel, Director of Biomedical Engineering, Washington Hospital Centre –
Why Clinical Networks need maintenance and an overview of IEC 80001-1.
Networked Medical Devices:
Benefits and Risks
• Benefits:
o Increased exchange of data
o Streamlined work processes – save 4 to 36 minutes, prevent 24 data
errors daily, save 100 hours daily in a typical hospital~
→ Better, cheaper patient care.
• Risks*:
o Limitation or error within any of the networked devices
o Operational inefficiencies
o Unauthorized access to information, or delayed, lost, or corrupted
data
→ Threat to patient safety
~ Quantifying The Value Of Medical Device Connectivity - Martin Poppelaars
* Arising from installation issues or operational activities such as software upgrades, cyber-security efforts, or
remote servicing of medical or IT system components.
IEC 80001-1 Overview
[Diagram: drivers, properties and stakeholders of IEC 80001-1]
WHY: FDA cluster of reports of cyber attacks on hospitals in 2003/2004; need for cyber security guidance; network integration of medical devices.
Key Properties addressed by IEC 80001-1: Safety, Effectiveness, Security.
WHO: Responsible Organisations; Medical Device Manufacturers; Other IT Providers.
IEC 80001-1:
Roles and Responsibilities
• Responsible Organisation:
o Risk Management policy & Risk Management Process
o Medical IT Network Risk Manager & Risk Management File
o Risk Analysis, Evaluation, Control and evaluation of residual risk
o Life cycle approach to Risk Management
o Establishment of a network; addition of a device to a network; modification,
maintenance or removal of a device from a network
• Medical Device Manufacturer & Providers of Other Information
Technology:
o Provide documentation to Responsible Organisations to allow them to safely
place devices on the network
o Documentation covers the intended use of the medical device and the network, required
characteristics and configurations of the network, technical specifications,
and security requirements
Assessment against IEC 80001-1?
• No method of assessment against IEC 80001-1 is currently
available.
• To assess against IEC 80001-1 a Process Reference Model
(PRM), Process Assessment Model (PAM) and Assessment
method are required.
• In order to develop a process assessment model, we
investigated the following:
– Review of Process Assessment Standards – ISO/IEC 15504-2 –
requirements for PRMs and PAMs.
– What standards are similar to IEC 80001-1?
– How are assessments performed against these standards?
– How were these assessment methods developed?
Approach to Development of PRM and PAM - Standards
[Diagram: inputs to the IEC 80001-1 PRM and PAM]
• IEC 80001-1 – Application of Risk Management for IT-Networks Incorporating Medical Devices: provides the requirements captured in the IEC 80001-1 Process Reference Model (PRM).
• Review of PAMs for standards similar to IEC 80001-1: provides the template for the IEC 80001-1 PRM and PAM.
• IEC 80001-1 Process Reference Model (PRM): provides the description of the processes assessed by the IEC 80001-1 Process Assessment Model (PAM).
• ISO/IEC 15504-2 – Performing an assessment: provides requirements for assessment.
• ISO/IEC TR 24774 – Guidelines for process definition: provides guidance on process description.
Assessment against similar standards:
TIPA Assessment Framework
• Focus on ISO/IEC 20000
• Similar standard to IEC 80001-1
• Service Management Standard – Design, transition, delivery and
improvement of services
• Lifecycle Approach - Plan, Do, Check, Act
• Similar roles and similar processes
• TIPA was developed by CRP Henri Tudor, Luxembourg.
• Can be used to assess against ISO/IEC 20000 or Information
Technology Infrastructure Library (ITIL).
• Developed using the TIPA transformation process.
TIPA Transformation Process applied to IEC 80001-1
[Diagram: transformation steps]
1. Collection of requirements for IEC 80001-1
2. Requirement trees
3. Goal trees
4. Process Reference Model for IEC 80001-1 (developed against ISO/IEC 15504-2 requirements and ISO/IEC TR 24774 guidance)
5. Process Assessment Model for IEC 80001-1
PRM and PAM Process Overview
[Diagram: the 14 processes of the PRM/PAM, grouped by Plan, Do, Check, Act]
Stakeholders: Responsible Organisation; Medical Device Manufacturer; Providers of Other Information Technology.
Risk Management Processes:
PLAN
• Risk Management Policy Processes: Risk Management Policy
• Medical IT Network Risk Management Planning Processes: Medical IT Network Planning; Medical IT Network Documentation; Responsibility Agreements; Organisational Risk Management; Change Release Management & Configuration Management; Decision on how to apply Risk Management
DO
• Medical IT Network Risk Management Processes: Risk Analysis & Evaluation; Risk Control; Residual Risk; Change Release & Configuration Management; Go Live
CHECK / ACT
• Live Network Risk Management Processes: Monitoring; Event Management
IEC 80001-1 PRM Sample Process: RO
Name: Risk Analysis & Evaluation
Context: This process allows the Responsible Organisation to identify risks related to the
incorporation of medical devices into an IT network. Once these risks have been
identified, the process allows the Responsible Organisation to analyse & evaluate
the risks throughout the life cycle. The risk evaluation process will be based on the
risks identified during the risk analysis phase.
Purpose: The purpose of the Risk Analysis process is to identify, analyse & evaluate risk
related to the incorporation of medical devices into IT networks.
Outcomes: As a result of the successful implementation of the Risk Analysis process:
1. Hazards that are likely to arise from the medical IT-network are identified.
2. For each identified hazard, the associated risks are estimated using available
information or data throughout the lifecycle.
3. Possible consequences of harm (where probability of occurrence cannot be
estimated) are listed for use in risk control.
4. The results of these activities are recorded in the medical IT-network risk
management file.
5. Where the estimated risk(s) is so low that risk reduction need not be pursued,
the rationale for this decision is documented in the medical IT-network risk
management file.
6. Where the estimated risk(s) are not acceptable, risk control measures are
implemented according to the Risk Control Process.
Requirements traceability:
IEC 80001-1, 4.4.2 – Risk Analysis [Outcomes 1, 2, 3, 4]
IEC 80001-1, 4.4.3 (a) – Risk Evaluation [Outcome 5]
IEC 80001-1, 4.4.3 (b) – Risk Evaluation [Outcome 6]
IEC 80001-1 PAM Sample Process: RO
Base Practices:
MRM.1.1.BP1: Identify likely hazards. Identify hazards that are likely to arise from
the Medical IT Network. [IEC 80001-1, 4.4.2] [Expected Result: 1]
MRM.1.1.BP2: Estimate associated risks. Estimate associated risks using available
information or data throughout the lifecycle for each identified hazard. [IEC 80001-1, 4.4.2] [Expected Result: 2]
MRM.1.1.BP3: List possible consequences of harm. List possible consequences of
harm (where probability of occurrence cannot be estimated) for use in risk control.
[IEC 80001-1, 4.4.2] [Expected Result: 3]
MRM.1.1.BP4: Record results of Risk Analysis and Evaluation activities. Record the
results of these activities in the medical IT Network Risk Management file. Record
instances where the estimated risk is so low that risk reduction need not be
pursued (as per RM plan) in the medical IT Network Risk Management File. [IEC
80001-1, 4.4.2] [IEC 80001-1, 4.4.3 (a)] [Expected Result: 4, 5]
MRM.1.1.BP5: Implement Risk Control Measures. Implement risk control measures
according to the Risk Control Process, where estimated risk(s) are not acceptable.
[IEC 80001-1, 4.4.3 (b)] [Expected Result: 6]
Inputs:
08-03 Risk Management plan [MRM.1.1, BP4] [Expected Result: 4, 5]
08-04 Risk Mitigation plan [MRM.1.1, BP5] [Expected Result: 6]
Outputs:
03-02 Risk log [MRM.1.1, BP1] [Expected Result: 1]
15-01 Risk analysis report [MRM.1.1, BP2] [Expected Result: 2]
15-02 Risk status report [MRM.1.1, BP2] [Expected Result: 2]
07-01 Risk Measure [MRM.1.1, BP2, BP3] [Expected Result: 2, 3]
03-03 Hazard log [MRM.1.1, BP1] [Expected Result: 1]
03-04 Consequences log [MRM.1.1, BP3] [Expected Result: 3]
13-02 Risk action request [MRM.1.1, BP5] [Expected Result: 6]
16-02 Medical IT Network Risk Management file [MRM.1.1, BP4] [Expected Result: 4, 5]
IEC 80001-1 PRM Sample Process: MDM
Name: Responsibility Agreements
Context: In order to establish the responsibilities of Medical Device Manufacturers and
Other IT providers, Responsibility Agreements are drafted.
Purpose: The purpose of the process is to establish the responsibilities of Medical Device
Manufacturers and Other IT providers in regard to risk management
responsibilities.
Outcomes: As a result of the successful implementation of the Responsibility Agreements
Process:
1. The need for one or more documented responsibility agreements is determined
whenever a medical device is incorporated into an IT network or the configuration
of such a connection is changed.
2. A responsibility agreement defines the responsibilities of all relevant
stakeholders throughout the lifecycle.
3. A responsibility agreement covers one or more projects or the maintenance of
one or more medical IT-networks.
Requirements traceability:
IEC 80001-1, 4.3.4 – Responsibility Agreements [Outcomes 1, 3]
IEC 80001-1, 4.3.4 (a) to (h) – Responsibility Agreements [Outcome 2]
Assessment Method
• In order to assess against the IEC 80001 PAM, an assessment
method is required.
• Ensures that the assessment is consistent and that evidence is
obtained to substantiate any ratings which are given.
• Ensures that the assessment scope is clear and that the
documentation process is sufficient.
• An assessment method provides details on the organisation's
performance through a set of questions (related to each
process) that enable the assessor to determine the capability
level at which the process is being performed.
• Currently being developed; to date it covers 1 of the 14 processes.
Assessment Method – Goals &
Concerns
• Addressing the perspectives of various risk management
stakeholders (within the RO and external stakeholders).
• Variation in scale among ROs.
• Experience of the Medical IT Network Risk Manager
• Lightweight Assessment Method.
Assessment Method - Overview
[Diagram: assessment method flow]
1. Site briefing (RO or MDM)
2. Assessment briefing
3. Conduct interviews
4. Generate assessment results (strengths and weaknesses)
5. Prepare findings report
6. Deliver findings report (with recommendations)
7. Implement recommendations
Assessment Questions
• Assessment method will contain question(s) related to each of
the base practices
• Based on the interviews a rating will be given for each of the
questions
• Ratings will be Fully, Largely, Partially or Not Complete
• Findings Report will be drafted identifying strengths and
weaknesses related to current RM processes and if applicable
make recommendations to improve current RM processes.
• Follow up Assessment may be performed at a later date
following the implementation of improvement actions.
IEC 80001-1 Assessment Method
Assessment Method:
St James’s Hospital
• Working with Clinical Engineering team
• Provide an understanding of the assessment process – PRM,
PAM and Assessment Method
• Development of the assessment questions
• Also working with a cross-disciplinary team within the hospital:
IT department, management and clinicians
• Assessment method is updated on the basis of feedback
• Performing mock assessments
• Improvements to RM process have been made based on the
mock assessments
Progress to Date and Future Work
• PRM and PAM approved as an NP (New Work Item Proposal) for inclusion in the IEC 80001
family of standards – currently at comment resolution.
• IEC 62A JWG7 – Validation by the developers of the IEC 80001-1
standard.
• Validation of the Assessment Method in a Healthcare Delivery Organisation (HDO) setting – St James's Hospital, Dublin.
• Validation of the PRM and PAM models by the SPICE community.
• Trial Assessment and Follow-up Assessment.
Conclusion
• IEC 80001-1 has been developed to address the risks related
to placing a medical device onto an IT network by setting out
the roles, responsibilities and activities during the risk
management process.
• In order to fully realise the benefits that networked medical
devices can provide and ensure quality patient care, ROs and
MDMs need to co-operate in the management of risk throughout the life cycle of the medical device.
• The development of a PRM, PAM and Assessment method will
allow ROs and MDMs to assess themselves against the
requirements of the standard and can be used as a baseline
for the improvement of risk management processes.
Thank You - Any Questions?
Silvana Togneri MacMahon
[email protected]
This research is supported by the Science Foundation Ireland (SFI) Stokes Lectureship Programme, grant number
07/SK/I1299, the SFI Principal Investigator Programme, grant number 08/IN.1/I2030 (the funding of this project was
awarded by Science Foundation Ireland under a co-funding initiative by the Irish Government and European Regional
Development Fund), and supported in part by Lero - the Irish Software Engineering Research Centre
(http://www.lero.ie) grant 10/CE/I1855.