Medical devices must comply with the legal requirements for functional safety.
Unfortunately, the relevant standards and laws for medical devices do not define or use the term “functional safety.” This article provides clarity.
1. Functional safety: The background
a) Who has to deal with it?
The following roles must understand the concepts of functional safety:
- Individuals working for medical device manufacturers who are responsible for
  - the development of medical electrical equipment, such as system architecture, risk management, or testing of the functional and basic safety of medical electrical equipment,
  - regulatory affairs.
- Staff at notified bodies and testing laboratories responsible for
  - the review of technical documentation,
  - the testing of the functional and basic safety of medical electrical equipment.
b) What is it about?
Medical devices must not put patients at risk. Examples:
- The pump of a heart-lung machine must not fail.
- An infusion pump must not pump air into a patient’s vein.
- An incubator must not burn an infant.
- An automated defibrillator must not shock a patient with a normal heartbeat.
Functional safety aims to avoid such risks through “functional failure.”
2. The concept of functional safety
a) Definition of IEC 61508
The relevant standards and laws for medical devices do not define the term “functional safety.” However, definitions can be found elsewhere.
Part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.
IEC 61508, Part 4, Chapter 3.1.9
The standard uses the following abbreviations:
- EUC: Equipment Under Control (in this case the medical device)
- E/E/PE: Electrical/Electronic/Programmable Electronics (here the safety function)
Medical devices are not included in the scope of IEC 61508, but its concepts and specifications are still helpful for medical device manufacturers.
According to the definition of IEC 61508, functional safety is “only” a concept of electrical, electronic, or programmable devices, in our case, medical electrical equipment.
In this definition, functional safety refers only to freedom from unjustifiable risks for the following problems:
| Risks related to functional safety | Examples |
| --- | --- |
| Risks due to errors or failures within the control system of the medical device | The software for the motor control of the heart-lung machine contains a programming error. The control unit of the defibrillator fails. |
| Proper functioning of other safety-related functions (not clinical functions) intended to minimize risk is not ensured | The detector of an infusion pump does not detect an air bubble. The air intake of the CPU fan of the ventilator is blocked by a surgical gown. The sensor for temperature monitoring of the incubator is defective. |
| The correct functioning of an external device is not ensured | The necessary cooling of the surrounding room has failed. The external power supply has failed. |
These circumstances and events also apply to medical devices. This is because the requirement for functional safety can be found in the standard for medical electrical equipment, IEC 60601-1, in Section 4.3 on essential performance and Section 4.7 on single fault condition.
c) Delimitation
Functional safety does not refer to freedom from the following risks:
| Risks not related to functional safety | Examples |
| --- | --- |
| Risks due to a lack of basic safety (in the event of a single fault condition, see below) | There is voltage on the enclosure of the medical electrical equipment because an insulation has broken down. Mechanical stress in the enclosure because the internal temperature is too high. |
| Risks that are neither caused by nor intended to be controlled by the electrical, electronic, or programmable part of the medical device | The device has sharp edges due to a production defect. A holder breaks and the device falls onto the user’s feet. The paint of the device contains carcinogenic substances. The device is not sterile. |
d) Conclusion
Functional safety refers to those functions of the device,
- that have an impact on clinical performance,
- that are intended to detect transient operating conditions that are not a fault of the device (e.g., kinking of a catheter, external power failure), and
- safety functions that are intended to prevent a hazardous situation (e.g., exceeding a limit value).
3. Functional safety: Regulatory requirements
a) MDR requirements
The MDR does not use the term “functional safety.” However, it does place requirements on it, either directly or indirectly:
Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose.
They shall be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons […]
MDR Annex I
The MDR also requires repeatability, reliability, and performance (MDR Annex I, Chapter 17.1), as well as the safety of devices even in the event of a single fault condition (Chapters 17.1, 18.1).
b) IEC 60601-1 requirements
Single fault safe
IEC 60601-1 requires medical devices to be single fault safe. It defines this as follows:
characteristic of ME EQUIPMENT or its parts whereby it remains free of unacceptable RISK during its EXPECTED SERVICE LIFE under SINGLE FAULT CONDITIONS
DIN EN 60601-1:2022-11 3.117
The standard also defines the term “single fault condition”:
condition in which a single means for reducing a RISK is defective or a single abnormal condition is present
DIN EN 60601-1:2022-11 3.116
The term “single fault condition” thus refers to the parts of the device in which protective measures are implemented. Examples of such single fault conditions are:
- Short circuit of an insulation
- Interruption of a protective conductor
- Failure of a sensor for temperature monitoring or air bubble detection
Ensuring the essential performance
In addition, IEC 60601-1 requires that manufacturers determine and guarantee the essential performance of their devices. ISO 14971 also contains this requirement (5.3, Characteristics related to safety).
IEC 60601-1 also defines this term:
performance necessary to achieve freedom from unacceptable RISK
DIN EN 60601-1:2022-11 3.27
For example, the essential performance would not be achieved if
- the heart-lung machine blood pump is not pumping at the specified flow rate.
- the defibrillator delivers too high or too low an energy during shock.
- the linear accelerator irradiates at the wrong angle.
In November 2021, the IEC published the interpretation sheet ISH1 for IEC 60601-1, which summarizes the requirements of the standard for single fault safety in relation to the essential performance.
The document is a guide, but it does not provide instructions on how to build safe devices; that was never its intention. An IEC working group is currently working on a technical report that should provide such guidance and is due to be published in 2024. The Johner Institute is actively involved in its development.
4. IEC 61508
a) General
The most important generic standard for functional safety is the IEC 61508 series of standards. It serves as a guide for authors writing sector-specific standards. It cannot, therefore, be used on its own to demonstrate conformity with the general safety and performance requirements.
IEC 61508 describes a generic approach for all safety lifecycle activities for systems that consist of electrical and/or electronic and/or programmable electronic elements used to perform safety functions. The standard specifies generally valid (design) principles for preventing and controlling random and systematic faults. It
- provides methods for the specification of safety requirements,
- sets requirements for the prevention and control of systematic failures, and
- describes approaches for the control of random hardware failures.
This unified approach is intended to help develop safety concepts for all safety-related systems on an electrical basis.
b) Applicability for medical devices
Even though medical devices are not included in the scope of IEC 61508, its principles and approaches can still be applied to them. These principles do not contradict IEC 60601-1 or other relevant standards such as IEC 61010-1. Rather, IEC 61508 perfectly complements these standards. It also served as the basis for the standard IEC 62304.
The IEC 60601-1 and IEC 61010-1 standards essentially cover physical hazards in full. However, the two standards only specify requirements for passive protective measures such as insulation or tensile safety factors for materials. If, on the other hand, a physical hazard is to be controlled by an active protective measure (E/E/PE), e.g., by temperature monitoring or a contact monitor, then the principles of IEC 61508 can be applied to the design of such safety functions.
The Johner Institute uses these principles when assisting manufacturers in creating safety concepts for medical devices.
5. Functional safety: Solutions
Manufacturers achieve functional safety through a suitable concept (design, architecture) of the system. For this purpose, they should
- make assumptions,
- consider design principles, and
- consider multi-channel architectures,
as described in more detail below.
a) Making assumptions
Manufacturers should make the following assumptions when creating system architectures and safety concepts:
- Hardware faults are random faults and can occur at any time.
- Software faults are systematic faults and are controllable only through the design process.
- The probability of two or more systems failing simultaneously is much lower than that of a single system failing.
- Detectable faults are safe if the system can be taken out of operation.
- If a single fault condition remains undetected, it can be assumed that another simultaneous fault will occur after a time.
- Faults leading to further faults are considered single faults.
- Systems without protective measures must be intrinsically safe.
- The combination of simultaneous independent faults must not lead to a hazardous situation.
- Simultaneous failure of several functional groups due to a common cause of failure must not lead to a hazardous situation.
- Faults that are likely, whose probability cannot be estimated, or that cannot be detected must be considered the normal condition.
b) Considering design principles
System requirements are derived from this, for example:
The system must …
- …be fault-tolerant, i.e., detect and control faults caused by the failure of individual components, or the remaining risk must be acceptable.
- …detect and control systematic errors (e.g., software errors), e.g., by:
  - using operationally proven architectures
  - verifying safety functions through tests and simulation
  - defining a safety lifecycle process
  - supporting the design process with checklists and work instructions
  - defining appropriate test strategies
- …detect and control faults within the multiple-fault occurrence time. This means that if a fault remains undetected, another fault must be expected. The time in between is the MTBF. Therefore, the fault of a protective measure must be detected before the control system itself or a second protective measure fails.
- …divide responsibilities, e.g., between the protection system and the control system.
- …be insensitive to failures with a common cause (e.g., someone pours water over the device, which affects the control and protection systems equally).
When specifying the safety objectives, manufacturers should also consider the time it takes for a user to avoid harming a patient.
c) Considering multi-channel architectures
General
Multi-channel architectures provide a way to detect and minimize risks from the failure and malfunction of parts and components.
Here, components of one channel monitor the components of the other channel (e.g., their sensors and actuators) and react when they fail or malfunction. Options for response include:
- Information processing is switched from one channel to the other.
- The sensor or actuator of the other channel is used.
- If there are multiple sensors, a majority decision takes place.
- The device is set to a safe state.
- An alarm is triggered.
Dual-channel architectures
Dual-channel architectures are characterized by redundant components in the chain of sensor, logic, and actuator.
Homogeneous and diverse architectures
In multi-channel architectures, a distinction is made between homogeneous and diverse architectures. In a homogeneous architecture, the two channels are homogeneous, i.e., they consist of identical components. With homogeneous architectures, particularly random (statistical) errors, such as component failure due to aging, can be controlled.
In the case of systematic errors, for example, design errors or software bugs, diversified architectures are required because otherwise, the error would be duplicated in both channels. Diversity, especially in programmable systems (which contain software), can refer to:
- Hardware: processor, memory
- Tools: compiler, programming language
- Reused software (SOUP): libraries, operating system
- Organization: separate development teams
It is a mistake to believe that dual- or multi-channel architectures are necessarily better than single-channel architectures. Two channels can even make a system less safe. The more components are installed in a system, the higher the probability that one of them will fail.
So what happens when two corresponding components send conflicting signals? If, for example, one sensor claims that there is air in the hose of an infusion pump, and the other claims the opposite? Which one is right?
If the result causes the device to shut down more frequently, this can increase the risk to patients. Manufacturers must weigh availability and safety in these cases.
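The two situations described above, conflicting signals from two channels and a majority decision among three, as an added example in C that is not part of the original article. The air-in-line detector, its channel states, the pump actions, and the function names are assumptions made for the example; the decision rules show one way of weighing availability against safety, not the rule any particular device or standard prescribes.

```c
#include <stdbool.h>
#include <stdio.h>

/* One air-in-line detector channel of an infusion pump. The states and all
 * readings below are constructed for this example; a real channel would also
 * carry range and plausibility checks from the sensor driver. */
typedef enum { CH_NO_AIR = 0, CH_AIR = 1, CH_FAULT = 2 } channel_state_t;

typedef enum { PUMP_RUN = 0, PUMP_STOP_ALARM = 1 } pump_action_t;

typedef struct {
    pump_action_t action;
    bool channel_mismatch;  /* channels disagree or one has failed: a detected fault */
} decision_t;

/* Dual-channel decision, favouring safety over availability: the pump runs only
 * when both channels agree that no air is present. A conflict cannot tell us
 * which channel is right, so it stops the pump and is reported as a fault. */
decision_t decide_dual(channel_state_t a, channel_state_t b)
{
    decision_t d = { PUMP_STOP_ALARM, false };
    if (a == CH_FAULT || b == CH_FAULT || a != b) {
        d.channel_mismatch = true;  /* single fault condition detected */
        return d;
    }
    if (a == CH_NO_AIR)
        d.action = PUMP_RUN;
    return d;
}

/* Two-out-of-three vote over three homogeneous channels. A failed channel is
 * excluded; with three valid channels the majority wins, with two the vote
 * degrades to the dual-channel rule (any "air" reading counts). Returns false
 * when fewer than two channels are valid and no decision is possible. */
bool vote_2oo3(channel_state_t a, channel_state_t b, channel_state_t c, bool *air)
{
    channel_state_t ch[3] = { a, b, c };
    int valid = 0, air_votes = 0;
    for (int i = 0; i < 3; i++) {
        if (ch[i] == CH_FAULT)
            continue;
        valid++;
        if (ch[i] == CH_AIR)
            air_votes++;
    }
    if (valid < 2)
        return false;
    *air = (2 * air_votes >= valid);  /* at least 2 of 3, or at least 1 of 2 */
    return true;
}

/* Triple-channel decision: a single dissenting or failed channel is outvoted, so
 * the pump stays available, but the disagreement is still flagged so the faulty
 * channel is repaired before a second fault can occur. */
decision_t decide_triple(channel_state_t a, channel_state_t b, channel_state_t c)
{
    decision_t d = { PUMP_STOP_ALARM, false };
    bool air = true;
    if (!vote_2oo3(a, b, c, &air)) {
        d.channel_mismatch = true;  /* two channels gone: fall back to the safe state */
        return d;
    }
    d.channel_mismatch = (a != b || b != c);
    d.action = air ? PUMP_STOP_ALARM : PUMP_RUN;
    return d;
}

int main(void)
{
    static const char *names[] = { "no air", "air", "fault" };
    channel_state_t cases[][2] = {
        { CH_NO_AIR, CH_NO_AIR }, { CH_NO_AIR, CH_AIR }, { CH_FAULT, CH_NO_AIR }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        decision_t d = decide_dual(cases[i][0], cases[i][1]);
        printf("dual  %-7s %-7s -> %s%s\n", names[cases[i][0]], names[cases[i][1]],
               d.action == PUMP_RUN ? "run" : "stop+alarm",
               d.channel_mismatch ? " (channel fault)" : "");
    }
    decision_t t = decide_triple(CH_NO_AIR, CH_NO_AIR, CH_AIR);
    printf("2oo3  no air  no air  air -> %s%s\n",
           t.action == PUMP_RUN ? "run" : "stop+alarm",
           t.channel_mismatch ? " (channel fault)" : "");
    return 0;
}
```

The dual-channel rule stops the pump on every disagreement, which is the safe choice but also the source of the nuisance shutdowns the text warns about; the 2oo3 rule keeps the pump running through a single dissent and instead reports the mismatch, so that the undetected-fault interval stays short. Which rule is appropriate is exactly the availability-versus-safety decision the manufacturer has to document in the risk management file.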
d) Single-channel architecture with monitoring
A usually simpler option is a single-channel architecture that is monitored by a test function or a watchdog. The test function can also be performed by a user, who must then react appropriately.
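The single-channel architecture with a watchdog described above, combined with the principle from section 5 b) that a fault in a protective measure must be detected before a second fault can occur, as an added example in C that is not from the original article. The timeout, the self-test interval, the simulated control loop and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Timing assumptions for this example, in milliseconds. The values are
 * constructed; in a real device they come from the safety concept. */
#define WDT_TIMEOUT_MS        100   /* control loop must report alive within this window */
#define SELFTEST_INTERVAL_MS 5000   /* protective measure must be re-verified this often */

typedef enum { STATE_RUN = 0, STATE_SAFE = 1 } system_state_t;

typedef enum {
    SAFE_REASON_NONE = 0,
    SAFE_REASON_WDT_TIMEOUT,      /* control loop stalled or crashed */
    SAFE_REASON_SELFTEST_OVERDUE  /* protective measure not verified in time */
} safe_reason_t;

typedef struct {
    uint32_t last_kick_ms;      /* last time the control loop reported alive */
    uint32_t last_selftest_ms;  /* last time the sensor self-test passed */
    system_state_t state;
    safe_reason_t reason;
} monitor_t;

void monitor_init(monitor_t *m, uint32_t now_ms)
{
    m->last_kick_ms = now_ms;
    m->last_selftest_ms = now_ms;
    m->state = STATE_RUN;
    m->reason = SAFE_REASON_NONE;
}

/* Called by the control loop once per cycle, after it has checked its own sanity. */
void monitor_kick(monitor_t *m, uint32_t now_ms) { m->last_kick_ms = now_ms; }

/* Called when the periodic self-test of the protective measure has passed. */
void monitor_selftest_passed(monitor_t *m, uint32_t now_ms) { m->last_selftest_ms = now_ms; }

/* Monitor tick, executed independently of the control loop. The safe state is
 * latched: a late kick must not be able to resume operation, only a deliberate
 * reset by a user or service action. */
system_state_t monitor_tick(monitor_t *m, uint32_t now_ms)
{
    if (m->state == STATE_SAFE)
        return m->state;
    if (now_ms - m->last_kick_ms > WDT_TIMEOUT_MS) {
        m->state = STATE_SAFE;
        m->reason = SAFE_REASON_WDT_TIMEOUT;
    } else if (now_ms - m->last_selftest_ms > SELFTEST_INTERVAL_MS) {
        m->state = STATE_SAFE;
        m->reason = SAFE_REASON_SELFTEST_OVERDUE;
    }
    return m->state;
}

/* Simulation of 10 s of operation with a 10 ms control cycle. The control loop
 * stops kicking after stall_after_ms; the sensor self-test passes every second
 * only if selftest_works. Returns the final state and the reason, if any. */
system_state_t simulate(uint32_t stall_after_ms, bool selftest_works, safe_reason_t *reason)
{
    monitor_t m;
    monitor_init(&m, 0);
    for (uint32_t t = 0; t <= 10000; t += 10) {
        if (t < stall_after_ms)
            monitor_kick(&m, t);
        if (selftest_works && t % 1000 == 0)
            monitor_selftest_passed(&m, t);
        if (monitor_tick(&m, t) == STATE_SAFE)
            break;
    }
    *reason = m.reason;
    return m.state;
}

int main(void)
{
    static const char *why[] = { "running", "safe state: control loop stalled",
                                 "safe state: self-test of protective measure overdue" };
    safe_reason_t r;
    simulate(20000, true, &r);
    printf("healthy device:            %s\n", why[r]);
    simulate(3000, true, &r);
    printf("control loop stalls at 3 s: %s\n", why[r]);
    simulate(20000, false, &r);
    printf("self-test never passes:    %s\n", why[r]);
    return 0;
}
```

The second check is the one that implements the multiple-fault occurrence time: a protective measure whose self-test has not passed within the interval is treated as failed and the device goes to the safe state before a second fault can combine with it. In a real device the monitor has to run on something the stalled control channel cannot take down with it, typically a hardware watchdog timer or a second microcontroller; otherwise monitor and control loop share a common cause of failure, which is one of the assumptions listed in section 5 a).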
Johner Institute experts help medical device manufacturers and their service providers to
- develop architecture and safety concepts,
- check these for effectiveness and legal compliance (e.g., through architecture reviews),
- create and review test plans to demonstrate safety,
- ensure smooth testing in test houses, and
- increase the competence of all stakeholders with customized seminars, e-learning courses, or one-on-one coaching.
Contact us right away. This is how we ensure that you can get through the approval process quickly and without unnecessary costs with safe and high-performance devices and be successful in the market.
6. Conclusion and summary
Functional safety is the freedom from unacceptable risks resulting from a device malfunction. In the case of medical devices, functional safety is almost exclusively discussed in the context of medical electrical and IVD equipment.
Manufacturers achieve functional safety in the system design of the devices (e.g., through multi-channel architectures). Technical experts and risk managers must work hand in hand to accomplish this.
It is usually very costly, often even impossible, to eliminate errors made during the design phase. Such errors threaten the conformity of the devices and the safety of patients.
Therefore, manufacturers need the appropriate time and competencies to develop functionally safe devices.