ISO/TR 28318 — Health Informatics: Application of Clinical Risk Management to Health Software

A Technical Framework for Systematic Clinical Risk Assessment and Control in Health IT Systems

Understanding ISO/TR 28318 and Its Clinical Risk Management Approach

ISO/TR 28318 provides comprehensive guidance on the application of clinical risk management principles to health software systems. While ISO 14971 establishes the general framework for risk management of medical devices, ISO/TR 28318 extends and adapts these principles specifically for the health software domain, recognizing that software presents unique risk characteristics distinct from hardware. These include the potential for systematic faults affecting all instances, the difficulty of exhaustive testing, the complexity of software-mediated clinical workflows, and the challenges of maintaining safety across frequent update cycles.

The technical report establishes a clinical risk management process that integrates with existing quality management systems, software development lifecycles, and healthcare delivery operations. It emphasizes that clinical risk management is not a one-time assessment activity but an ongoing organizational commitment that requires dedicated resources, governance structures, and organizational culture supportive of safety reporting and continuous improvement.

Clinical risk management according to ISO/TR 28318 should be integrated into your existing software development lifecycle rather than treated as a separate parallel process. This integration reduces duplication of effort and ensures that risk information directly informs design decisions.

Clinical Risk Assessment Methodology

The risk assessment methodology described in ISO/TR 28318 follows a systematic approach adapted from ISO 14971 but tailored to the specific characteristics of health software. The process begins with establishing the intended use and reasonably foreseeable misuse of the health software, documented in a formal intended purpose statement. This statement defines the medical indication, patient population, user profile, and clinical environment of use, all of which influence the risk assessment scope.

Risk Assessment Step | Description | Health Software Specifics
--- | --- | ---
Intended Purpose Definition | Document the clinical intended use, user profile, and use environment | Must account for variability in clinical workflows, user skill levels, IT infrastructure
Hazard Identification | Systematically identify all potential sources of harm | Include data integrity hazards, interoperability hazards, cybersecurity threats, algorithmic bias
Situation Analysis | Analyze hazardous situations and sequences of events | Consider multi-factor failures, cascading errors, latent conditions in clinical environment
Risk Estimation | Assign probability and severity to each hazardous situation | Use clinical evidence base, usability data, field experience, expert judgment
Risk Evaluation | Compare estimated risk against predefined acceptability criteria | Clinical significance thresholds, regulatory requirements, ethical considerations

A distinctive feature of ISO/TR 28318 is its emphasis on clinical context in risk evaluation. The same software fault may have dramatically different risk implications depending on the clinical setting, patient acuity, availability of backup systems, and clinician training. For example, a decision support system that fails to provide a drug interaction alert carries higher risk in an emergency department than in a well-controlled outpatient clinic where pharmacists independently verify prescriptions.

Risk estimation for health software must account for the clinical environment of use. A risk acceptable in a tertiary hospital with 24/7 pharmacist coverage may be unacceptable in a remote primary care clinic with limited staffing. Context matters significantly in clinical risk assessment.
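The context dependence described above can be made mechanical in a hazard register. The following is an added example (it is not code from ISO/TR 28318 or from any product): a small register that estimates probability and severity per hazard, adjusts them for the environment of use, and compares the result with acceptability criteria. The five-point scales, the adjustment rules (independent verification lowers probability one step; high patient acuity raises severity one step), the thresholds and the sample hazards and contexts are all assumptions constructed for the illustration; an organization would define its own in its clinical risk management plan.

```python
"""Hazard register with context-dependent risk estimation (added illustration).

The scales, adjustment rules, thresholds, hazards and contexts below are
constructed assumptions, not values taken from ISO/TR 28318.
"""
from dataclasses import dataclass
from enum import IntEnum


class Probability(IntEnum):
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


class Severity(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


# Assumed acceptability criteria on the risk index (probability x severity).
UNACCEPTABLE_AT = 12   # must be reduced before release
REVIEW_AT = 6          # tolerable only after a documented further-reduction review


@dataclass(frozen=True)
class ClinicalContext:
    name: str
    independent_verification: bool   # e.g. pharmacists re-check every prescription
    high_acuity: bool                # acutely ill patients, little margin for error


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    description: str
    source: str                      # software fault, cybersecurity, interoperability, ...
    base_probability: Probability    # estimate with no downstream safeguards
    base_severity: Severity          # worst credible harm in a low-acuity setting


def estimate(hazard: Hazard, ctx: ClinicalContext) -> tuple:
    """Adjust the baseline estimate for the environment of use (assumed rules)."""
    p, s = int(hazard.base_probability), int(hazard.base_severity)
    if ctx.independent_verification:
        p = max(1, p - 1)   # a human double-check catches some faults before harm
    if ctx.high_acuity:
        s = min(5, s + 1)   # the same fault causes worse outcomes in sick patients
    return Probability(p), Severity(s)


def evaluate(hazard: Hazard, ctx: ClinicalContext) -> dict:
    """Estimate risk in context and compare it with the acceptability criteria."""
    p, s = estimate(hazard, ctx)
    index = int(p) * int(s)
    if index >= UNACCEPTABLE_AT:
        verdict = "unacceptable"
    elif index >= REVIEW_AT:
        verdict = "review"
    else:
        verdict = "acceptable"
    return {"hazard": hazard.hazard_id, "context": ctx.name,
            "probability": p.name, "severity": s.name,
            "index": index, "verdict": verdict}


def assess_register(hazards, contexts) -> dict:
    """Evaluate every hazard in every context; key is (hazard_id, context name)."""
    return {(h.hazard_id, c.name): evaluate(h, c)["verdict"]
            for h in hazards for c in contexts}


# Constructed sample register and contexts (not real product data).
HAZARDS = [
    Hazard("H-01", "Drug interaction alert not raised for a known pair",
           "software fault", Probability.OCCASIONAL, Severity.SERIOUS),
    Hazard("H-02", "Allergy record altered through an unauthenticated interface",
           "cybersecurity", Probability.REMOTE, Severity.CRITICAL),
]
CONTEXTS = [
    ClinicalContext("emergency department",
                    independent_verification=False, high_acuity=True),
    ClinicalContext("outpatient clinic with pharmacist review",
                    independent_verification=True, high_acuity=False),
]

if __name__ == "__main__":
    for h in HAZARDS:
        for c in CONTEXTS:
            print(evaluate(h, c))
```

Running it reproduces the page's own example: the missed interaction alert (H-01) scores 12 and is unacceptable in the emergency department, but scores 6 and only needs review in the outpatient clinic where a pharmacist independently verifies prescriptions. The same register carries a cybersecurity-originated hazard (H-02) through identical steps, which is how the Q3 guidance on integrating security risk with clinical risk looks in practice.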

Risk Control and Mitigation Strategies

ISO/TR 28318 defines a hierarchy of risk control measures, prioritizing inherent safety by design over protective measures and information for safety. Inherent safety measures eliminate hazards entirely through software architecture decisions, such as restricting allowable input ranges, using safety by default configurations, and eliminating single points of failure in critical clinical workflows. Protective measures reduce the probability or severity of harm without eliminating the underlying hazard, such as confirmation dialogs, redundant verification steps, and automated safety checks.

Information for safety constitutes the third line of defense, including warning labels, contraindication notices, clinical training materials, and safety-related documentation. The report notes that information for safety is the least reliable risk control measure and should only be relied upon when design-level controls are not feasible. Human factors engineering plays a critical role throughout the risk control process, ensuring that safety measures align with clinical workflow and cognitive ergonomics rather than creating additional burden or confusion for clinicians.

Risk Control Category | Examples | Reliability
--- | --- | ---
Inherent Safety by Design | Input validation, range checking, fail-safe defaults, architectural isolation | High — hazard eliminated regardless of user action
Protective Measures | Confirmation dialogs, alarms, interlocks, redundant checks | Medium — may be bypassed or ignored in practice
Information for Safety | Warnings, training materials, contraindication labels | Low — dependent on user attention and compliance
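To make the hierarchy concrete, here is an added example (not code from ISO/TR 28318 or any product) of a medication dose entry in two versions: a warning-only version that stores whatever is typed and relies on information for safety alone, and a version that applies the three tiers in order. The drug name `drugX`, its limits, and the exception types are constructed assumptions; the numbers are not dosing guidance.

```python
"""Risk control tiers applied to a medication dose entry (added illustration).

Drug name, limits and exception types are constructed assumptions.
"""
from dataclasses import dataclass


class DoseRejected(ValueError):
    """Inherent safety: the value cannot be stored at all."""


class ConfirmationRequired(Exception):
    """Protective measure: a valid but unusual value needs explicit confirmation."""


@dataclass(frozen=True)
class DoseLimits:
    unit: str
    hard_max: float    # above this the entry is refused by design
    usual_max: float   # above this a confirmation step and a warning apply


# Constructed limits for a hypothetical drug (not dosing guidance).
LIMITS = {"drugX": DoseLimits(unit="mg", hard_max=1000.0, usual_max=500.0)}


def enter_dose_warning_only(drug: str, value: float, unit: str) -> dict:
    """Before: the order is stored whatever the value or unit; safety rests
    entirely on a warning the user may never read (information for safety)."""
    warnings = []
    limits = LIMITS.get(drug)
    if limits and (unit != limits.unit or value > limits.usual_max):
        warnings.append("check dose and unit")
    return {"drug": drug, "dose": value, "unit": unit, "warnings": warnings}


def enter_dose(drug: str, value: float, unit: str, confirmed: bool = False) -> dict:
    """After: controls applied in the order of the ISO/TR 28318 hierarchy."""
    controls = []
    limits = LIMITS.get(drug)
    # Inherent safety by design, fail-safe default: no configured limits, no entry.
    if limits is None:
        raise DoseRejected(f"no dose limits configured for {drug!r}")
    # Inherent safety by design: a wrong unit or out-of-range value cannot be stored.
    if unit != limits.unit:
        raise DoseRejected(f"unit must be {limits.unit}, got {unit}")
    if not (0 < value <= limits.hard_max):
        raise DoseRejected(f"dose must be within (0, {limits.hard_max}] {limits.unit}")
    controls.append("range check")
    warnings = []
    if value > limits.usual_max:
        # Protective measure: permissible but unusual value requires confirmation.
        if not confirmed:
            raise ConfirmationRequired(
                f"{value} {unit} exceeds the usual maximum of {limits.usual_max}; confirm to proceed")
        controls.append("confirmation")
        # Information for safety: the warning travels with the order (weakest tier).
        warnings.append(f"dose exceeds usual maximum of {limits.usual_max} {limits.unit}")
    return {"drug": drug, "dose": value, "unit": unit,
            "warnings": warnings, "controls_applied": controls}


def classify_entry(drug: str, value: float, unit: str, confirmed: bool = False) -> str:
    """Summarise the outcome of enter_dose as one of three words."""
    try:
        enter_dose(drug, value, unit, confirmed)
    except DoseRejected:
        return "rejected"
    except ConfirmationRequired:
        return "confirmation required"
    return "stored"


if __name__ == "__main__":
    print(enter_dose_warning_only("drugX", 1500.0, "g"))   # stored with a warning only
    print(classify_entry("drugX", 1500.0, "g"))            # rejected
    print(enter_dose("drugX", 750.0, "mg", confirmed=True))
```

The warning-only version lets a 1500 g order through with a text warning, the lowest-reliability tier in the table. The hardened version refuses that order by design; the user cannot bypass a range check, whereas the confirmation step for a 750 mg dose can be clicked through, which is exactly why the table rates protective measures as medium rather than high.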

The standard also addresses the challenge of residual risk communication between manufacturers and healthcare providers. ISO/TR 28318 recommends that manufacturers provide a clinical risk management file to deploying organizations, documenting identified hazards, implemented controls, and recommended clinical mitigations. This transparency enables healthcare providers to make informed procurement decisions and establish appropriate local safety protocols.

Adopting the risk control hierarchy from ISO/TR 28318 helps organizations allocate resources effectively. Investing in inherent safety by design almost always proves more cost-effective than relying on training and warnings, while also achieving higher levels of patient protection.

Integration with Healthcare Quality Management

ISO/TR 28318 emphasizes that clinical risk management must be integrated with broader healthcare quality management systems, including incident reporting, root cause analysis, and continuous quality improvement processes. The technical report recommends establishing a clinical safety committee with cross-functional membership to oversee risk management activities, review safety incidents, and ensure organizational learning from adverse events and near misses.

The standard also addresses the importance of supply chain risk management in health software. As modern health IT systems increasingly depend on third-party components, cloud services, and interoperable interfaces, the clinical risk management process must extend beyond organizational boundaries. ISO/TR 28318 provides guidance on vendor assessment, service level agreement requirements for safety-critical functions, and contingency planning for third-party service disruptions.

Do not underestimate the clinical risk introduced by third-party software components and cloud services. A failure in a seemingly innocuous component such as a patient data lookup service can cascade into delayed clinical decisions with serious patient consequences. Ensure contractual protections include safety performance requirements.
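The cascading-failure scenario above, a patient data lookup service that quietly stops answering, is one a deployment can design for before it happens. The following added example (not code from ISO/TR 28318 or from any vendor) wraps a third-party lookup so that a failing dependency yields an explicit "unavailable" result that names the local contingency action, instead of a silent empty answer or a request queue stacking up on a dead service. The backend interface, the time budget, the failure threshold, the cooldown, and the fake clock and backend used to exercise it are all constructed assumptions.

```python
"""Contingency wrapper around a third-party patient lookup (added illustration).

Interface, thresholds, fake clock and fake backend are constructed assumptions.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class LookupResult:
    status: str              # "ok" or "unavailable"
    data: Optional[dict]     # patient record when status == "ok"
    action: str              # what the workflow should do now


class GuardedLookup:
    """Times and counts backend calls; trips open after repeated failures."""

    def __init__(self, backend: Callable[[str], dict], timeout_s: float = 2.0,
                 failure_threshold: int = 3, cooldown_s: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.backend = backend
        self.timeout_s = timeout_s
        self.failure_threshold = failure_threshold
        self.cooldown_s = cooldown_s
        self.clock = clock
        self.consecutive_failures = 0
        self.open_since: Optional[float] = None

    def _unavailable(self, reason: str) -> LookupResult:
        # The result says what to do, so the workflow never treats "no data" as "no allergies".
        return LookupResult("unavailable", None,
                            f"{reason}; follow the local contingency procedure")

    def _record_failure(self, reason: str) -> LookupResult:
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.failure_threshold:
            self.open_since = self.clock()   # stop calling a dependency that is down
        return self._unavailable(reason)

    def lookup(self, patient_id: str) -> LookupResult:
        now = self.clock()
        if self.open_since is not None and now - self.open_since < self.cooldown_s:
            return self._unavailable("lookup service disabled after repeated failures")
        try:
            record = self.backend(patient_id)
        except (TimeoutError, ConnectionError, ValueError) as exc:
            return self._record_failure(f"lookup failed: {exc}")
        if self.clock() - now > self.timeout_s:
            # A late answer is a failure: stale data in a clinical workflow is a hazard.
            return self._record_failure("lookup exceeded its time budget")
        self.consecutive_failures = 0
        self.open_since = None
        return LookupResult("ok", record, "proceed")


class FakeClock:
    """Constructed clock so the cooldown can be exercised deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class FlakyBackend:
    """Constructed backend: fails `failures` times, then returns a record."""
    def __init__(self, failures: int):
        self.failures = failures
        self.calls = 0

    def __call__(self, patient_id: str) -> dict:
        self.calls += 1
        if self.calls <= self.failures:
            raise ConnectionError("upstream unreachable")
        return {"patient_id": patient_id, "allergies": ["penicillin"]}


def demo() -> tuple:
    """Three failures trip the circuit; the fourth call is answered locally; after
    the cooldown a retry reaches the recovered backend. Returns (statuses, backend calls)."""
    clock, backend = FakeClock(), FlakyBackend(failures=3)
    guard = GuardedLookup(backend, failure_threshold=3, cooldown_s=30.0, clock=clock)
    statuses = [guard.lookup("MRN-0001").status for _ in range(4)]
    calls_before_cooldown = backend.calls
    clock.advance(31.0)
    statuses.append(guard.lookup("MRN-0001").status)
    return statuses, calls_before_cooldown


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that every unavailable result carries an action, which is the software-side hook for the contingency planning the report asks for: the deploying organization decides what "local contingency procedure" means (paper record, verbal confirmation, a second system), and the contract with the vendor can then state how often and for how long this path is tolerable.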

Frequently Asked Questions

Q1: What is the relationship between ISO/TR 28318 and ISO 14971?
ISO/TR 28318 extends and adapts the risk management principles of ISO 14971 specifically for health software. While ISO 14971 provides the general risk management framework applicable to all medical devices, ISO/TR 28318 addresses software-specific risk characteristics including systematic faults, update-related risks, and clinical workflow integration challenges.
Q2: Who should be involved in clinical risk management according to this standard?
The standard recommends a multidisciplinary approach involving clinical subject matter experts, software engineers, human factors specialists, quality assurance professionals, regulatory affairs personnel, and patient safety officers. Clinical input is particularly critical for accurate hazard identification and risk evaluation.
Q3: How does ISO/TR 28318 address cybersecurity risks?
While cybersecurity is not the primary focus, ISO/TR 28318 recognizes that security vulnerabilities can lead to patient safety hazards. It recommends that cybersecurity risk assessment be integrated with clinical risk management, particularly for hazards involving unauthorized modification of clinical data, denial of service affecting clinical operations, and breaches of patient confidentiality.
Q4: What documentation does ISO/TR 28318 require?
Key documentation includes the clinical risk management plan, hazard identification records, risk analysis worksheets, risk control documentation, residual risk evaluation reports, clinical risk management report, and post-market surveillance records. The level of documentation should be commensurate with the software’s safety risk classification.
