This document establishes requirements and gives guidance on assurance case framework for healthcare delivery organizations (HDOs) and for health software and medical device manufacturers (MDMs) and can be used to support the communication and information transfer between all parties. An assurance case can be used to communicate information and knowledge about different risks to other roles.

This document establishes:

—     an assurance case framework for HDOs and health software and MDMs for identifying, developing, interpreting, updating and maintaining assurance cases.

—     one of the possible means to bridge the gap between manufacturers and HDOs in providing adequate information to support the HDOs risk management of IT-networks;

—     best practice by leveraging ISO/IEC/IEEE 15026-2 and other standards to identify key considerations and for the structure and contents of an assurance case, e.g. iterative and continuous approaches;

—     example structure, method and format to improve the consistency and comparability of assurance cases.

This document is applicable to all parties involved in the health software and health IT systems life cycle, including:

a)       organizations, health informatics professionals and clinical leaders specifying, acquiring, designing, developing, integrating, implementing and operating health software and health IT systems, for example health software developers and MDMs, system integrators, system administrators (including cloud and other IT service providers);

b)       healthcare service delivery organizations, healthcare providers and others who use health software and health IT systems in providing health services;

c)        governments, health system funders, monitoring agencies, professional organizations and customers seeking confidence in an organization’s ability to consistently provide safe, effective and secure health software, health IT systems and services;

d)       organizations and interested parties seeking to improve communication in managing safety, effectiveness and security risks through a common understanding of the concepts and terminology used in safety, effectiveness and security management;

e)       providers of training, assessment or advice in safety, effectiveness and security risk management for health software and health IT systems;

f)         developers of related safety, effectiveness and security standards.

This document is for use by organizations and people who build, acquire, operate, maintain, use or decommission health software and health IT systems (including medical devices). It is applicable to all organizations involved, regardless of size, complexity or business model.