DSF/prCEN ISO/TR 29322
Health informatics - Guidance on the management of clinical risk relating to the deployment and use of health software systems (ISO/TR 29322:2008)
| Organization: | DS |
| Status: | pending |
| Page Count: | 78 |
| ICS Code (IT applications in health care technology): | 35.240.80 |
scope:
This Technical Report considers the risk management processes required to ensure patient safety in respect to the deployment and use of health software products either as a new system within a health organization or as changes to an existing system's environment. It is addressed to those persons in health organizations who are responsible for ensuring the safety of health software in health organizations through the application of risk management ("the responsible person" - see definition 2.31). Whilst it is therefore principally addressed to healthcare organizations, it will also prove a useful reference to those involved in the manufacture of health software products. Equally, readers of this Technical Report are recommended also to review ISO/TS 29321 [33] (see 4.1).

NOTE 1 The overall life cycle of a health software system includes its concept realization, design, production, deployment, use and eventual decommissioning. This Technical Report provides guidance to the responsible person for the application of risk management to the last three stages of the life cycle whereas the manufacturer is responsible for the first three stages (by applying ISO/TS 29321). As discussed in 4.1, it is recognised that, depending upon contractual conditions, the manufacturer may be involved in deployment and, in some circumstances, in use and decommissioning. However, the basic processes recommended in this Technical Report are the same as those required of a manufacturer in ISO/TS 29321 so the same processes can be applied throughout and should essentially be applied with the responsible person and manufacturers working together whenever possible. These matters are addressed further in Clause 4.

NOTE 2 Throughout this document the term "clinical" is used to make clear that the scope is limited to matters of risks to patient safety as distinct from other types of risk such as financial. The use of the term "clinical" should not be taken to mean that the persons involved in deployment and use are expected to be involved in clinical decisions affecting the treatment of patients in the direct clinical settings, unless this is consistent with some other aspect of their duties. This Technical Report, however, makes clear that the assessment of risks to patients in the deployment and use of health software, and in decisions taken about those risks, needs to involve appropriate, experienced and knowledgeable clinicians.

NOTE 3 Failures and deficiencies in software products used in the health environment can, of course, have adverse impacts other than causing harm to patients. They may, for example, create administrative inconvenience with a range of impacts on the organization, including financial loss. Harm to a patient may also have a consequent impact on the organization such as loss of reputation and financial loss resulting from litigation. Whereas these adverse organizational impacts will be significant to an organization, they are not the subject of this document unless they can result in harm to a patient. It is the potential harm to the patient which is the subject of this document.

NOTE 4 Whereas this document is restricted to health software, the recommended risk analysis should be conducted within the context of any overall risk management system in place in the health organization and any wider health information governance processes.

NOTE 5 This document is restricted to health software but the risk management processes can readily be applied to hardware on which the software runs.