slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Dipl.-Ing. Oliver P. Christ PowerPoint Presentation
Download Presentation
Dipl.-Ing. Oliver P. Christ

Loading in 2 Seconds...

play fullscreen
1 / 21

Dipl.-Ing. Oliver P. Christ - PowerPoint PPT Presentation

  • Uploaded on

Oct . 2 nd 2012, San Francisco .

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Dipl.-Ing. Oliver P. Christ' - tan

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Oct. 2nd 2012, San Francisco

Openingthediscussion …• Why is it so important to manage Risk in health IT solutions?• How can we optimally protect the privacy and integrity of patients' records?• How can hospitals and medical device manufacturers benefit from latest safety standards?

Dipl.-Ing. Oliver P. Christ

CEO Prosystem AG / Prosystem USA LLC


the company
The Company
  • PROSYSTEM AGis an international consulting company providing comprehensive services for the medical device industry.
  • The company was established in 1999 by Prof. Dr. Jürgen Stettin and his partner Oliver P. Christ. Together with its subsidiary PROSYSTEM USA LLC,located in San Diego, CA/USA, PROSYSTEM AG services clients in more than 25 countries.

the company1
The Company
  • Our clients are manufacturers and developers of medical devices, suppliers, operators, the pharmaceutical industry, universities, and Notified Bodies.
  • Being an active member of different standardization groups,PROSYSTEMcan provide its clients with detailed background information about the origin, implementation and future development of respective applicable standards.
  • Business activities include analysis, training, consulting services, and the realization of projects:
  • more than 150 clients in 25 countries
  • app. 30% of the annual turnover outside Europe (North America / Asia)
  • all services from one source


The Company


Software Development, Verification, and Validation

On-Site Trainings and Workshops , Seminars

On-Site Trainings and Workshops , Seminars in the US

Demanding needs of General Hospitals for a Safe & Effective Use of Medical Devices and Health Software

Source: Julian Goldman


IOM Report a “Game Changer”?

American Institute of Medicine (IOM) Report, Published late 2011, 220 pages

Key findings:

  • Health IT may lead to safer care and/or introduce new safety risks
  • Safety is a characteristic of a sociotechnical system that includes people, process, environment, organization and technology
  • System-level failures occur almost always because of unforeseencombinationsofcomponentfailures


  • Health care accreditingorganizations should adopt criteria relating to EHRsafety.
  • All healthITvendors should be required to publiclyregister and list their products
  • Health IT vendors should be required to adopt quality and riskmanagementprocesses
  • Reporting of health IT– related adverseevents should be mandatory for vendors and voluntary and confidential for users.
focus on patient safety
Focus on Patient Safety

How does Risk Management focus on Patients?The Intended Use of a medical device can be depicted using an idealized functional input/output diagram:





Medical Benefit






User (Operator)

electrical safety iec 60601 1 3 rd edition
Electrical Safety: IEC 60601-1 (3rd edition)

In an environment of 1,5 maround an (accommodated) Patient …

… increased requirements for Medical Electrical Equipment do apply including their connection to (medical) IT networks.

iec 60601 1 a1 fdis verteilt als 62a 805 fdis vom 27 4 2012

PEMS = Programmable Electrical Medical Systems

IEC 60601-1/A1 - FDIS (verteilt als 62A/805/FDIS; vom 27.4.2012)

14.13. PEMS intended to be connected to an IT-Network

If the pems is intended to be incorporated into an it-network that is not validated by the pemsmanufacturer, the manufacturershall make available instructions for implementing such connection including the following:

a) the purpose of the pems’s connection to an it-network;

b) the required characteristics of the it-network incorporating the pems;

c) the required configuration of the it-network incorporating the pems;

d) the technical specifications of the network connection of the pems including security specifications;

  • e) the intended information flow between the pemsthe it-network and other devices on the it-network, andthe intended routing through the it-network; andNOTE 1 This can include aspects of effectiveness and data and system security as related to BASIC SAFETY

and ESSENTIAL PERFORMANCE (see also Clause H.6 and IEC 80001-1:2010).

f) a list of the hazardous situations resulting from a failure of the it-network to provide the characteristics required to meet the purpose of the pems connection to the it-network.

Compliance is checked by inspection of the instructions.

iec 60601 1 a1 fdis verteilt als 62a 805 fdis vom 27 4 20121
IEC 60601-1/A1 - FDIS (verteilt als 62A/805/FDIS; vom 27.4.2012)


In the accompanying documents the manufacturer shall instruct the responsible organisationthat:– connection of the pems to an it-network that includes other equipment could result in previously unidentified risks to patient, operators or third parties;– the responsible organisation should identify, analyze, evaluate and control these risks;– subsequent changes to the it-network could introduce new risks and require additional analysis; and– changes to the it-network include: • changes in the IT-network configuration;• connection of additional items to the it-network;• disconnecting items from the it-network;• update of equipment connected to the it-network; • upgrade of equipment connected to the it-network.

NOTE 3: IEC 80001-1 provides guidance for the RESPONSIBLE ORGANIZATION to address these risks.

Compliance is checked by inspection of the accompanying documents.

scope and key properties of iec 80001 1 2010
Scope and Key Properties of IEC 80001-1: 2010
  • “ This standard defines roles, responsibilities and activities that are necessary for RISK MANAGEMENT of IT-NETWORKS incorporating MEDICAL DEVICES to address
  • Data & system Security (theKEY PROPERTIES), …

the medical it network protection goal of iec 80001 1
The „Medical IT-Network“ (protection goal of IEC 80001-1)
  • Originally separate Medical Devices get connected via an (unsafe & unsecure) IT-Network of the Responsible Organization
  • Out of this „general“ IT-Network emerge a new

„Medical IT-Network“

The Issues are

  • Heavily regulated „safe Medical Devices“ get connected with „off-the-shelf IT-Hardware“
  • There is no clear Responsibilities established (MT vs. IT)
  • Disturbances/Overload at an IT-Network could compromise the safety of Medical Devices
  • IT-Networks are supposed to „run“ 24/7

risk management planning for each key propery
Risk-Management Planningforeach Key Propery
  • Definition for each Medical IT-Network (separately)
  • Key Properties for Risk-Management are:


    • for Patient, User/Operator und Third Parties


    • for intended workflows supported by the IT-Networkability to produce the intended result for the patient and the Responsible Organization

Data- & System Security

    • reasonable protection from degradation of confidentiality, integrity and availability (of information assets)

requirements to
Requirements to:

important roles and responsibilities in iec 80001 1
Important roles and responsibilities in IEC 80001-1

Responsible Organization

Top Management


provide Information


Medical Devices Manufacturer

the structure of the iec 80001 1 series
The structure of the IEC 80001-1 series

IEC 80001-1

Part 1: Roles, ResponsibilitiesandActivities

IEC 80001-2-Y


IEC 80001-XReferences to otherIT Standards / Spec

ISO/IEC 20000-1:2005IEC 62304:2006IEEE 11073-ffHL7, DICOM

Y = 1: Step-byStep RMY = 2: SecurityY = 3: WirelessY = 4: HDO Guidance

up date on iec 80001 1 activities
Up-date on IEC 80001-1 activities

On July 19, 2012 threenew Technical Reports hasbeenpublished:

IEC 80001-2-1 TR Ed.1.0 - Application of risk management for IT-networks incorporating medical devices - Part 2-1: Step by step risk management of medical IT-networks - Practical applications and examples  IEC 80001-2-2 TR Ed.1.0 - Application of risk management for IT-networks incorporating medical devices - Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controlsIEC 80001-2-3 TR Ed.1.0 - Application of risk management for IT-networks incorporating medical devices - Part 2-3: Guidance for wireless networks