Safety and effectiveness of health IT software and systems - Part 3: Application of risk management
Publication Date: 1 January 2019
This part of AAMI HIT1000 (Part 3: Application of risk management) identifies the core concepts and principles needed to maintain safe and effective health IT software and systems in order to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls.
This standard applies throughout the whole lifecycle of health IT software and systems, as well as to all sizes and types of actors involved with that system, from Developers and system Integrators who create the systems, to healthcare delivery organizations (HDOs) who own, configure, implement, and use the systems, and to those responsible for operating and ultimately decommissioning health IT systems or health IT system components.
This standard defines the points in the health IT lifecycle where different roles (Top Management, Business Owner, Developer, Integrator, Implementer, Operator, and User; see Table 1) assume primary responsibility for managing risks and identifies the communication necessary among the different roles at those points.
Note: Roles in this standard are activity-based and not dependent upon the entity or organization involved. For example, an HDO may be the Business Owner but may also create or substantively modify health IT system components during certain stages of the health IT software and systems lifecycle. At those stages, the HDO would also be serving as a Developer and would assume the appropriate responsibilities of that role.
This standard provides guidance for managing risk, including best practices for assessing, classifying and prioritizing the relative risks, and includes examples of means for controlling these risks. It does not specify acceptable risk levels, nor does it address regulatory or legal requirements.
It is recognized that not all incorporated parts of health IT software and systems will have used this series of standards or applicable medical software standards throughout the lifecycle. Where this lack of use is the case, the safety impacts of these parts, including the use of other standards, must be considered and addressed to appropriately mitigate potential negative consequences.