IEC 60601-1 describes essential performance as performance necessary to achieve freedom from unacceptable risk.
This article aims to explain what the standard means by that and how this essential performance differs from basic safety.
The article also addresses the IEC 60601-1/AMD1/ISH1:2021 INTERPRETATION SHEET 1.
1. What is essential performance?
a) Definition of the term
“performance necessary to achieve freedom from unacceptable RISK”
Source: IEC 60601-1
Despite this definition, there are always uncertainties as to what essential performance actually is. The standard seems to be aware of this, which is why it has added a note to the definition:
Essential performance is most easily understood by considering whether its absence or degradation would result in an unacceptable risk.
But this note also raises unanswered questions. As a result, the IEC felt compelled to provide further explanations in an interpretation sheet, which this article will address later.
b) Examples of essential performance
In contrast to basic safety, essential performance is typical for the device type, for example:
- the ability of an irradiator to irradiate at exactly the planned angle with the planned dose
- the ability of laboratory equipment to measure laboratory parameters to the specified accuracy (note: IEC 60601-1 is not harmonized for IVD medical devices)
- the ability of a refrigerator to cool blood bags
- the ability of a heart-lung machine pump to rotate and deliver blood as set
The answer to the question of how the essential performance differs from basic safety can be found in section 4 of this article (FAQ).
2. Essential performance: Regulatory requirements
Section 4.3 of IEC 60601-1 requires manufacturers of medical devices to
- define the essential performance of their devices,
- ensure through testing that their devices actually perform the essential performance,
- use specific test processes to do this, and
- demonstrate all this with appropriate documentation.
For Programmable Electrical Medical Systems (PEMS) with components that “effect” essential performance, IEC 60601-1 also establishes requirements for development, problem solving, the risk management process, and verification and validation.
3. How to define the essential performance
The interpretation sheet for Section 4.3 of IEC 60601-1, which we will look at in more detail later, specifies how manufacturers should define essential performance.
| # | Step | Example |
|---|------|---------|
| 1 | Derive the necessary clinical functions from the intended purpose and from considerations of what could negatively affect safety | An automatic defibrillator (AED) can detect a heart rhythm that requires a shock |
| 2 | Determine the performance characteristics of these clinical functions | Measure heart rate correctly, detect ventricular tachycardia on an ECG |
| 3 | Determine the ranges these performance characteristics have to be in, both in normal condition and in single fault condition | AHA (American Heart Association) sensitivity and specificity with test data sets |
| 4 | Determine the risks if the performance characteristics are outside these specified ranges (if these risks are unacceptable, the performance characteristic is essential) | No shock is delivered when a shock should be delivered (false negative). Conversely: A shock is delivered when no shock should be delivered (false positive). |
For all essential performance characteristics, manufacturers have to define and implement risk control measures to minimize risks to an acceptable level in both normal and single fault condition.
Of course, as with all risk-minimizing measures, the manufacturers must demonstrate that they have actually implemented these measures and that they are effective.
Note that some particular standards, i.e., the IEC 60601-2-x series of standards, explicitly determine the essential performance characteristics.
4. FAQ: Frequently asked questions about essential performance
a) Does essential performance also have to be guaranteed in a single fault condition?
The answer to this question, according to the interpretation sheet, is “yes.” The authors based their answer on several passages of IEC 60601-1:
- Firstly, essential performance should be defined in terms of the clinical functions of the medical device.
- Single faults can cause loss or degradation of clinical functions as well as basic safety and can, therefore, lead to an unacceptable risk.
- Therefore, the requirement in Section 4.7 that ME equipment must be or remain single fault safe also applies to essential performance.
b) How does essential performance differ from basic safety?
The standard defines basic safety as follows:
“freedom from unacceptable RISK directly caused by physical HAZARDS when ME EQUIPMENT is used under NORMAL CONDITION and SINGLE FAULT CONDITION”
Source: IEC 60601-1 3.10
Basic safety relates to physical hazards (potential sources of harm) that result from the choice of technical solution and are inherent to the device. These include:
- electrical hazards (mains voltage 230 V)
- thermal hazards (overheated battery)
- mechanical hazards (fast moving parts)
Manufacturers usually achieve basic safety through passive protective measures that are not specific to a device type. These include:
- electrical insulation (casing)
- thermal fuse
- reinforcement, arresting cables
- fireproof casing
Basic safety is, therefore, a property of a device. Essential performance refers to the ability of a functional unit to perform a required function. These could be the aforementioned clinical functions (detection of fibrillation) or even protective functions that detect a hazardous state (overheating) and bring the device to a safe state, keep it there, and trigger an alarm.
Events and circumstances leading to the loss or degradation of such functions must be identified and controlled, as failure to do so would result in an unacceptable risk.
c) Can software also have essential performance characteristics?
Both standalone software and software that is part of a medical device can implement essential performance characteristics. Examples are
- a standalone software for calculating the dose of cytostatics or
- an embedded software that controls or monitors a heart-lung machine pump.
Note that standalone software is not within the scope of IEC 60601-1, which introduces the concept of essential performance.
e) Are there devices without essential performance characteristics?
It is generally possible to develop medical devices without essential performance characteristics because a fault in them does not lead to unacceptable risks. However, manufacturers should bear the following in mind:
- Devices without risks often have no clinical benefit. Has this benefit been consistently quantified in the risk management file?
- Stating that a device has no essential performance characteristics can encourage auditors or investigators to prove otherwise.
- ISO 14971:2012 requires manufacturers to reduce any risk as much as possible. So, there are no generally acceptable risks.
Typical examples of devices with no essential performance characteristics are surgical instruments (e.g., RF surgery or skin lasers), which by definition are used for treatment (not for diagnosis or therapy) and are, therefore, also medical devices. Such devices often have no essential performance characteristics because the users (e.g., surgeons) can check and correct the result of the work. Even a complete failure of the device is often not critical.
f) Is it necessary to check essential performance during operation?
According to the interpretation sheet, manufacturers must identify undetectable (hazardous) faults. This means that the operating lifetime plays a significant role as the safety function has to be retained throughout the entire operating lifetime.
Therefore, a self-test of this safety function during operation or prescribed maintenance is essential because otherwise, proving that it is active becomes very difficult.
5. IEC 60601-1/AMD1/ISH1:2021 INTERPRETATION SHEET 1
a) Overview
In March 2021, the IEC published the Interpretation Sheet ISH1 on IEC 60601-1:2005/AMD1:2012 with the title Interpretation of Subclauses 4.3 of IEC 60601-1:2005/AMD1:2012 and 4.7 of IEC 60601-1:2005.
As the name suggests, the document aims to provide an interpretation of Section 4.3 of IEC 60601-1, which is the section that deals with essential performance.
The interpretation sheet
- summarizes again the essential performance requirements,
- describes how the concept of single fault can be applied to the essential performance characteristics, and
- specifies requirements for documentation and testing.
Who should read the interpretation sheet?
- Manufacturers (developers and architects) who develop safety strategies for devices that have essential performance characteristics
- Notified bodies who review technical documentation
- Testing laboratories that have to demonstrate safety as part of a 60601-CB report
b) Purpose and binding nature of interpretation sheet (in general)
According to IEC, an interpretation sheet is an aid and provides
“a quick formal explanation to an urgent request by a user of a standard (testing laboratory, certification body, manufacturer, etc.)”
Interpretation Sheet ISH1
The authors may only explain or interpret but not add any new requirements. The interpretation sheet is normative and must, therefore, be understood in the same way by all users mentioned.
Because the interpretation sheet does not add requirements but only explains requirements, it is valid from the date of publication. There is no transition period.
Interpretation sheets are generally available for free and can be downloaded from the IEC’s website or, in Germany, the VDE.
c) Purpose of the interpretation sheet for IEC 60601-1
IEC 60601-1 introduces the two fundamental concepts of essential performance and single faults. While the single faults mentioned in Section 13.2 of the standard only relate to basic safety, the base standard unfortunately provides little guidance on how to handle faults that do not result in a single fault. The interpretation sheet aims to close this gap.
The introduction states:
This interpretation sheet is intended to clarify the requirements which are needed to maintain ESSENTIAL PERFORMANCE in SINGLE FAULT CONDITION.
Introduction of the interpretation sheet
d) Authors of Interpretation Sheet ISH1
Interpretation Sheet ISH1 with the title Interpretation of Subclauses 4.3 of IEC 60601-1:2005/AMD1:2012 and 4.7 of IEC 60601-1:2005 was written by the subcommittee SC 62A of the technical committee TC 62 (Electrical equipment in medical practice).
e) Key statements and contents in Interpretation Sheet ISH1
- Manufacturers have to follow the process described in the table above to determine essential performance characteristics.
- Essential performance must remain guaranteed even in the event of a single fault condition.
- The analysis of single fault conditions should not only refer to the single faults mentioned in Section 13.2 but also to other failures or failures of modules, assemblies, or components that are to be simulated theoretically or in real life.
- In accordance with Section 4.7 b), the consequences of a second independent fault or failure should be investigated, especially if the initial fault or failure remains undetected.
- Manufacturers have to identify these undetectable faults.
  In terms of functional safety, a distinction is made between detectable and undetectable hazardous faults. An undetectable hazardous fault could be a safety function whose failure is not noticeable as long as the device performs its clinical function correctly.
- In addition to checking basic safety, auditors also have to inspect the documentation to check function safety (or functional safety). These are completely new tasks that require additional experience and qualifications. This is likely to drive up costs for manufacturers.
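The reasoning in 4 f) and in the key statements above (single faults, undetected faults, second independent fault) can be worked through on a small model. This is an added example, not taken from the interpretation sheet or written by the article's author: the warming device, the fault names, the `evaluate` model and the self-test flag are all assumptions constructed for illustration.

```python
# Constructed model (assumption, not from IEC 60601-1 or ISH1): a warming
# device whose protective function is an overtemperature cutoff.
FAULTS = ("heater_stuck_on", "fan_failed", "cutoff_failed")


def evaluate(active, self_test):
    """Return (hazard, detected) for a set of simultaneously active faults."""
    overheating = bool({"heater_stuck_on", "fan_failed"} & set(active))
    cutoff_ok = "cutoff_failed" not in active
    # Hazardous state: overheating that the protective function cannot stop.
    hazard = overheating and not cutoff_ok
    # A tripping cutoff forces the safe state and raises an alarm (detected).
    detected = overheating and cutoff_ok
    # A failed cutoff is silent while the clinical function works; only a
    # periodic self-test of the protective function reveals it.
    if self_test and not cutoff_ok:
        detected = True
    return hazard, detected


def analyse(self_test):
    """Single-fault analysis, plus a second-fault check for latent faults."""
    report = {
        "single_fault_hazards": [],              # violates single fault safety
        "latent_faults": [],                     # harmless alone, but undetected
        "latent_plus_second_fault_hazards": [],  # latent fault + second fault
    }
    for first in FAULTS:
        hazard, detected = evaluate({first}, self_test)
        if hazard:
            report["single_fault_hazards"].append(first)
        elif not detected:
            report["latent_faults"].append(first)
            # The first fault stays hidden, so a second independent fault
            # has to be considered on top of it.
            for second in FAULTS:
                if second != first and evaluate({first, second}, self_test)[0]:
                    report["latent_plus_second_fault_hazards"].append(
                        (first, second))
    return report


if __name__ == "__main__":
    for self_test in (False, True):
        print("self-test enabled:", self_test, analyse(self_test))
```

Without the self-test, the failed cutoff is a latent fault and both overheating faults become hazardous on top of it; with the self-test, the cutoff failure is detected and no second-fault combination needs to be carried forward.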
f) Appraisal of Interpretation Sheet ISH1
The intention behind this interpretation sheet is welcomed. The original standard lacks a comprehensive explanation of how to handle faults with respect to essential performance. The interpretation sheet provides a summary of the important passages and facts in the standard. More examples that make the requirements easier to understand would be desirable.
The list in bb) is a good summary of the required activities and makes it clear again that the guide to action in Annex A of the standard is not only informative but also includes guidance for documentation. Manufacturers should incorporate the list in bb) into their risk management SOP.
There is also criticism:
Unclear interaction with intended use
The question remains unanswered regarding what is meant by clinical functions and how this relates to the intended use. The standard considers the clinical functions within the scope of the intended use, which, according to definition 3.44, also includes servicing, maintenance, transport, etc.
Unclear interaction with safety aspects
Essential performance is also related to safety aspects. But this interaction remains unclear. Since an interpretation sheet cannot give any examples, the following two should help:
Example 1: In the case of a syringe pump, it is not the correct dosage (dosage would be the clinical function) that is the essential performance characteristic but the accuracy test (intended use) that enables a hazardous situation (e.g., occlusion) to be detected and an alarm generated. The standard does not specify the reliability with which such situations should be detected and alarms generated. The standard itself states in the explanatory note to 5.1:
On 5.1) Compared with SINGLE FAULT CONDITIONS, this standard does not have verifiable requirements for faults not leading to a SINGLE FAULT CONDITION. This means this standard does not give guidance how reliable it is that faults can be prevented.
Example 2: A defibrillator must not deliver an unexpected shock. The ability to deliver a shock would be the clinical function and the ability not to deliver an unwanted shock would relate to safety. The function that ensures safety must also work reliably. This can be compared to a fire extinguisher that always hangs on the wall and must function reliably in an emergency (when required).
No examples for software
A comment on how to deal with errors in software would have been interesting; especially if the software not only controls the device but also provides diagnostic information.
Imprecise use of terms
In cc) the authors refer to a second independent fault and in Section 5.1, the standard refers to simultaneous independent faults and combination of simultaneous independent faults. However, these are not the same thing.
6. Summary
a) Recommendation for manufacturers of medical devices
Use the interpretation sheet. Document how the essential performance characteristics have been derived in the risk management file, following the list in Section bb) 1) to 6). Define appropriate measures that enable the system or user to detect the failure or degradation of performance. Such measures could, for example, include regular inspections, maintenance, and internal self-testing.
Our recommendation is that you document your considerations in a safety concept. IEC 60601-1 does not contain any specific documentation requirements. By documenting the derivation and your design decisions, you help investigators and auditors fully understand your devices’ important aspects and check them without any questions.
b) Recommendation for testing laboratories
Have the results for deriving the essential performance characteristics shown in the risk management file; see bb) 1) to bb) 6). It may well be that ME equipment has no essential performance characteristics. If the manufacturer has defined essential performance characteristics for his device, then check whether he can prove functional safety through requirements, design, calculations, and in-house tests. Of course, the calculations and tests must be credible.
Usually, inspection of the documentation is sufficient. You only have to test the performance characteristics if it is a normative requirement.
c) Recommendations for auditors
Usually, (certified) test reports from a recognized testing laboratory are available. In this case, you do not need to recheck the derivation in terms of content. Since the interpretation sheet is binding, you can assume the CB report is complete.
d) Note for manufacturers of IVD medical devices
IEC 60601-1 does not apply to IVD, and the sister standard IEC 61010-1 does not address essential performance, as it is only a safety standard. If your device is also a machine, you must comply with the requirements of the Machinery Directive (as required by the IVDR), which brings you into the area of functional safety and, thus, into the IEC 61508 series of standards. The philosophy of essential performance can then be applied to safety devices such as light barriers or interlock systems.
Many thanks to Dominik Kowalski for his input on the interpretation sheet.