AAMI Health IT Committee Embraces Life Cycle Approach in Developing HIT1000 Series of Standards
By: D. Classen and M. Segal
June 23, 2021
Categories: AAMI News, HTM Professionals, Medical Device Manufacturers
David Classen, MD, MS, is the chief medical information officer at Pascal Metrics in Salt Lake City, UT; a professor of medicine at the University of Utah School of Medicine in Salt Lake City; and a co-chair of the AAMI Health IT Committee. Email: firstname.lastname@example.org
Mark Segal, PhD, is the principal and founder at Digital Health Policy Advisors, LLC, in Oak Park, IL and a co-chair of the AAMI Health IT Committee. Email: email@example.com
In late 2014, AAMI launched an initiative to develop standards for health information technology (IT) patient safety. This effort grew out of AAMI’s extensive work on quality systems standards (ANSI/AAMI/ISO 13485) and medical network risk management standards (ANSI/AAMI/IEC 80001 series), as well as from the recognition that significant U.S.-specific conditions exist for health IT that make adopting medical device standards in this area problematic.
The launch of the initiative was motivated by the rapid expansion of health IT development and implementation in U.S. healthcare since 2006, most of which was not subject to Food and Drug Administration (FDA) regulatory control. It built on a growing consensus that there was a need for a risk-based approach to health IT safety—a need that was reflected in work that includes a report from the Bipartisan Policy Center, the 2014 FDASIA (Food and Drug Administration Safety and Innovation Act) Health IT Report, and the health IT safety provisions of the 21st Century Cures Act (enacted into law in late 2016).
The AAMI Health IT Committee held its first meeting in October 2015. Its work has reflected the recognition that a systems-based approach (addressing safety, quality systems, risk management, and usability), which has been very successful for regulated medical devices, can also be used to benefit U.S. health IT, most of which is not regulated by the FDA. The committee’s work has acknowledged that health IT differs from traditional medical devices in that fewer regulatory controls exist and responsibilities for safety and effectiveness are dispersed among different stakeholders throughout product life cycles, with health IT systems often having many separate components and being highly configurable.
As the committee’s work progressed, it sought to develop standards that promote:
- Safety, effectiveness, and access.
- A shared culture of safety across the health IT sociotechnical system and life cycle.
- Scalable solutions that are consistent between regulated and less regulated health IT (given varying global approaches to health IT regulation).
- Solutions that are timely and can address specific national conditions and requirements.
Thus far, the AAMI/HIT1000 (health IT software and systems) series has three parts, with a fourth standard in development and expected to be published in late 2021 or early 2022:
- Part 1: Fundamental concepts and principles
- Part 2: Application of quality systems principles and practices (in development)
- Part 3: Application of risk management
- Part 4: Application of human factors engineering
The remainder of this article provides more detail on each standard and their overall structure.
The AAMI HIT1000 series was conceived as being fundamentally different than prior health IT standards, which in the U.S. were focused on the vendor or developer and specifically did not generally apply to the users, implementers, or integrators. In addition, these previous standards applied to the development of the software and not its implementation, integration, ongoing use, and decommissioning. Some health IT standards did address the product life cycle; however, even in those situations, they only applied to the developer’s portion of that life cycle.
The AAMI HIT1000 series was designed to apply across the whole life cycle of design, development, integration, implementation, ongoing use, and decommissioning, as well as to all organizations involved in any part of the life cycle. This approach was based in part on the aviation model, in which both plane manufacturers and plane operators maintain collective responsibility for safe operation of the airliner. This approach, often called shared responsibility, was also strongly endorsed in a landmark report on health IT safety by the Institute of Medicine.
A major reason for using the whole life cycle approach was the fact that health IT software is rarely used “out of the box.” Unlike most medical devices, it typically requires modification and configuration when implemented and usually is tightly integrated with other systems and components within a healthcare delivery organization’s (HDO’s) health IT ecosystem.
For example, health IT software applications such as electronic health records often are highly customized by the implementing organization and by end-users in ways that the developer never envisioned—in effect, the user in the HDO setting becomes a developer. Prior health IT standards, as indicated above, have had no provision for these life cycle attributes of health IT software.
The AAMI HIT1000 series specifies the core concepts and principles needed to maintain safe and effective health IT software and systems. It identifies roles and defines the responsibilities, activities, and best practices necessary for managing the safety and effectiveness of the health IT ecosystem. These standards apply throughout the whole life cycle of health IT software and systems and to all sizes and types of actors involved with that system: from developers and system integrators who create the systems; to HDOs that own, configure, implement, and use the systems; and to those responsible for operating and ultimately decommissioning health IT systems or components.
|Figure 1. Life cycle approach of the AAMI HIT1000 series of standards.|
The HIT1000 series also defines the points in the life cycle in which different roles (i.e., Top Management, Business Owner, Developer, Integrator, Implementer, Operator, and User) assume primary responsibility for maintaining safety and effectiveness. It also identifies the communications necessary among the different roles at those points. The roles in the standards series are activity based and not dependent on the entity or organization involved (Figure 1). For example, in addition to being the Business Owner, an HDO may create or substantively modify health IT system components during certain stages of the health IT software and systems life cycle. At those stages, the HDO also would be serving as a Developer and would assume the appropriate responsibilities of an Operator.
The series is broken into four parts, with a general overview provided in HIT1000-1, a quality systems section in HIT1000-2, a risk management section in HIT1000-3, and human factors and usability section in HIT1000-4. This structure aligns with approaches used for other high-risk industries. The vital role that standards for quality systems, risk management, and usability can play in enhancing safety and effectiveness in other industries, as well as in healthcare, has been recognized both in the U.S. and global contexts.
Safety and effectiveness are properties of health IT software or systems that directly affect patient outcomes—both positively and negatively—and quality systems, human factors (usability) engineering, and risk management are tools to support that safety and effectiveness. This standards triad (quality systems, risk management, and usability) is being used successfully in many high-risk industries, including medical devices, nuclear engineering, and aeronautics. A comprehensive and integrated standards approach using these three dimensions has not been previously used in health IT, but the obvious relevance of its success in medical devices to health IT convinced the AAMI Health IT Committee to follow this approach.
This standards series was developed by referring to existing standards wherever possible and not recreating standards for which well-adopted guidance already existed. Therefore, these standards frequently refer to existing medical standards, including:
- ANSI/AAMI/ISO 13485, which outlines a quality system framework for medical devices.
- ANSI/AAMI/ISO 14971, which maps the steps expected in a medical device risk management process.
- ANSI/AMI/IEC 62304, which sets out processes and deliverables for medical device software, scaled by risk.
- ANSI/AAMI/IEC 80001-1, which describes the application of risk management for IT networks incorporating medical devices.
The HIT1000 series was developed from the perspective that each section would initially be an AAMI Provisional Standard (i.e., a trial use standard) that could then be revised and developed into an AAMI/ANSI standard. Where appropriate, they would also provide important input into new or existing ISO standards. Indeed, the AAMI HIT1000 series has influenced corresponding ISO/IEC standards, such as ISO/IEC 81001-1 and ISO/IEC 80001-1, which are adopting a similar life cycle approach to that used in the AAMI series.
Development of the AAMI HIT1000 series with a total life cycle approach required the creation of a very diverse AAMI Health IT committee that would represent all the many stakeholders across the life cycle. Committee formation placed a special emphasis on end users and operators, such as health systems and clinicians.
As the first published part of this series, AAMI/PS HIT1000-1 provided an overview of the series as a whole and was released in 2018 as a provisional standard. It is being revised for advancement to become an ANSI American National Standard - publication is expected to be in late 2021. The next part of the series, HIT1000-3 (risk management) was released as a provisional standard in 2019; it is now being updated and is expected to be published as an ANSI standard in 2021. Most recently, HIT1000-4 (human factors/usability) was published as a provisional standard in 2020. Finally, HIT1000-2 (quality systems) is under development and expected to be published as an AAMI/ANSI standard in 2021.
One of the reasons for including several clinicians and health system experts on the AAMI Health IT Committee is that these standards will be tested in health systems as part of their ongoing evolution and ultimately used in such clinical settings. In addition, these standards likely will be considered by various U.S. federal agencies for inclusion in their health IT–relevant standards.
This work by AAMI and the Health IT Committee has been groundbreaking and increasingly will be available to help guide the safe evolution of health IT in the U.S. and internationally, serving as a resource for a variety of public and private sector stakeholders. Interested readers are encouraged to follow the work of the AAMI Health IT Committee.