It seems that something like the existing ISO 14971 risk management standard for medical device manufacturers will be used to address networked medical devices. Several major revisions will be required, not the least of which is the kind of risk. The potential harm that ISO 14971 tries to mitigate is risk of injury to patients. Medical device connectivity entails this risk, as well as others. Another difference is that 14971 applies to the development of new medical devices, and much of connectivity entails the integration of legacy medical devices. And of course, as noted before, the connectivity risk management standard will "pierce the veil of commerce" and apply to users as well as manufacturers.
As a group we reviewed the following concerns: stepping on others' regulatory toes, the degree of prescriptiveness, getting input and participation from users, scalability of the standard so that it works as well for a 50-bed hospital as it does for one with 500 beds, the costs that might be incurred by implementing the standard, and how the standard might disrupt care or negatively impact clinical practice. All of these topics were discussed and resolved.
We started working on a scope, but didn't make much progress. One thing that vendors desired was that the standard not apply to vendor "products" that include general purpose computing components (like servers, PCs and network gear) as long as they are isolated and standalone. Any time general purpose computing components are included in a solution, whether it is a "medical device" (a closed vendor supplied system) or integrated onto the hospital's network and tied to other systems, connectivity problems can arise. This preference will probably remain because more and more hospitals are refusing to buy standalone systems (islands of information), and there's nothing to prevent buyers from including the risk management process in negotiations for standalone systems - whether required by the standard or not.
So why is this standard being contemplated? The objective is to provide the key stakeholders (regulators, vendors, users, third parties) with a common tool to facilitate communications, coordinate efforts and manage risk when medical devices are integrated into the highly variable general purpose computing environment. I think the resulting standard will be a boon to all stakeholders, and especially users. The standard should provide a framework for detailed information and capabilities to negotiate with vendors at the point of sale, establishing responsibilities and service level agreements (SLAs) for things like component obsolescence, operating system patches and other connectivity issues.
Next steps will be to capture the problems, hazards and risks to be managed by the process, and to write a scope. Two subsequent meetings are planned, one in Frankfurt, Germany in March and another somewhere in the "lowland countries" in September. My next focus will be to tease out problems, hazards and risks. Any suggestions, observations or input are appreciated.
You can read about the first day of this meeting here, and some pre-meeting background here.