IEC/AWI 81001-5-1

IEC 81001-5-1:2021/ISH1:2025 © IEC 2025
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
IEC 81001-5-1
Edition 1.0  2021-12
Health software and health IT systems safety, effectiveness and security -
Part 5-1: Security - Activities in the product life cycle

INTERPRETATION SHEET 1
This interpretation sheet has been prepared by subcommittee 62A: Common aspects of medical
equipment, software, and systems, of IEC technical committee 62: Medical equipment,
software, and systems.
The text of this interpretation sheet is based on the following documents:
DISH Report on voting
62A/1692/DISH 62A/1706/RVDISH
Full information on the voting for the approval of this interpretation sheet can be found in the
report on voting indicated in the above table.

___________
This interpretation sheet is intended to clarify the following:
a) Requirements which are needed to provide essential ACCOMPANYING DOCUMENTATION to the
operators of the HEALTH SOFTWARE product regarding the transfer of risk related to software
items from the MANUFACTURER to the responsible organization or operator.
b) Requirements which are needed to maintain SECURITY of the HEALTH SOFTWARE product
Interpretation of IEC 81001-5-1:2021, Introduction, 0.2
The HEALTH SOFTWARE is part of a connected and complex healthcare ecosystem, which is
integrated into a surrounding HEALTH IT SYSTEM and HEALTH IT INFRASTRUCTURE. ISO 81001-1
provides a definition of the sociotechnical ecosystem in which the HEALTH SOFTWARE operates
in, and how to reference the security aspect of the HEALTH SOFTWARE within an IT-system inside
a broader HEALTHCARE SYSTEM.
ICS 11.040.01, 35.240.80
IEC 81001-5-1:2021-12/ISH1:2025-11(en)

IEC 81001-5-1:2021/ISH1:2025 © IEC 2025
Interpretation of IEC 81001-5-1:2021, 4.1
4.1.7 Disclosing SECURITY-related issues
NOTE 1 This activity is related to 9.3 through 9.5 where additional supporting details are provided.
NOTE 2 On a) “CVSS” and “ranking” address the rating of the severity and characteristics of security vulnerabilities.
4.1.9 ACCOMPANYING DOCUMENTATION review
NOTE For clarification, the documents mentioned with “SECURITY guidelines” are detailed in 5.8.2 and 5.8.7.
Interpretation of IEC 81001-5-1:2021, 4.3
4.3 SOFTWARE ITEM classification relating to risk transfer
NOTE 1 (foundations, intentions):
Table 1 – SOFTWARE ITEM classification mapped to affected clauses

* Implied inclusion in clause since IEC 81001-5-1:2021, Clause 3 explicitly defines SUPPORTED SOFTWARE “includes
MAINTAINED SOFTWARE” and REQUIRED SOFTWARE “includes SUPPORTED SOFTWARE”.
SOFTWARE ITEM classification related to risk transfer from 4.3 is clarified as follows:
a) The SOFTWARE ITEM classification categories are nested, but only to ensure clauses that
explicitly mention a category are also understood to include the nested categories. Table 1
above notes all clauses that detail requirements specific to a SOFTWARE ITEM classification
and notes the implicit inclusion of nested categories. Further requirements of SOFTWARE
ITEM classification that are not explicit in an associated clause are not part of this document.
b) The manufacturer shall apply risk transfer activities for all SOFTWARE ITEMS according to their
associated category. An organization’s policy and procedures may choose different terms
for these classifications if clauses citing requirements for these SOFTWARE ITEM
classifications are satisfied. Risks for all SOFTWARE ITEMS should be identified and managed
(5.2.3), updates for SOFTWARE ITEMS controlled by the manufacturer or PRODUCT user should
be communicated (6.3.1) and updates to manufacturer provided SOFTWARE ITEMS should be
made available (6.3.2) and have verifiable integrity (6.3.3). For 4.3, any declaration of
conformance, or internal policy/procedure, should state the alternative terminology
leveraged and how it maps to the sp
...