Challenges for single-fault safety in medical devices
Designers and developers of medical devices are aware of the relevance and risks associated with single faults, which must be avoided in all operating states. However, the dynamics of development, technological progress and the normative framework require cutting-edge expertise, particularly for innovative equipment.
From a regulatory and technical point of view, it is very clear why single-fault safety must be ensured in electrical, electronic and programmable electronic medical equipment (E/E/PE systems). For example, the dose of medicine delivered by an infusion pump must never be too high or too low, and a neonatal incubator for preterm infants must safely and reliably maintain the temperature within narrow limits, never exceeding or dropping below these limits, even in the event of a malfunction.
However, in practice, the types of equipment posing additional challenges to manufacturers are mostly much more complex, including X-ray machines, MRI scanners, or extracorporeal membrane oxygenation (ECMO) machines. To make matters worse, technical standards are not always straightforward. This is also acknowledged by the interpretation sheet IEC 60601-1:2005/AMD1:2012/ISH1:2021, published in March 2021 by the International Electrotechnical Commission (IEC) [1].
Less leeway for interpretation
The document points out that the basic standards do not provide satisfactory answers to important questions such as: How can manufacturers ensure the functional safety of their medical equipment and document it in accordance with market access requirements? What requirements must software, control systems and safety devices meet? What system and safety architectures are suitable to continue to maintain key equipment functions and protect patient and user safety even in the event of a failure?
The applicable legal framework in the European Union is established by the Medical Device Regulation (EU) 2017/745, also known as the MDR [2]. It describes all the requirements that must be met by manufacturers or distributors (e.g. importers) of medical equipment before they are allowed to place their products on the European market. However, the requirements related to functional safety remain relatively generic. For example, in Annex I, the regulation includes the following requirement for single-fault safety: “In the event of a single-fault condition, appropriate means shall be adopted to eliminate or reduce as far as possible the risks or resulting degradation in performance.” [3]
Two options for medical device design and architecture
Basically, this results in two options for product design and system architecture. Either the product design and system architecture are such that the possibility of single faults is completely eliminated, or the manufacturers perform risk analyses, thus ensuring that (1) the occurrence of a fault is highly unlikely or (2) its consequences are minor or of negligible severity. Depending on the complexity of a device, complete exclusion of single faults may not be possible.
The IEC 60601 series of standards describes these two options in more detail [4]. The standard presents the state of the art in medical equipment and defines the basic requirements for functional safety and essential performance, in particular in Part 1. However, it also does not provide designers and developers with explicit requirements or explanations of how single-fault safety of a medical device can be implemented, tested and documented according to the legal requirements for access to the respective markets. Again, the standard only refers to risk management according to ISO 14971 in this context [5].
It also does not describe in sufficient detail the potential sources of malfunctions, including hidden (latent) faults, or the possible measures to prevent them. These hidden faults remain by definition undetected, causing unnoticed malfunctions of safety devices and monitoring systems. When a real fault then occurs, these safety devices and systems do not function correctly and, for example, fail to raise an alarm even though only a single real fault has occurred. Certainly, the interpretation sheet issued by the IEC shows how the single-fault safety concept is applied to essential performance and clinical function. It also includes requirements for documentation (Sections bb 1 to bb 6) and its review. However, this document also does not provide satisfactory answers to questions about how single-fault safety can be achieved and tested with consideration for “latent faults”.
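The latent-fault problem described above, as an added illustration that is not part of the original article and not code from any device or from TÜV SÜD: a hypothetical incubator model whose heater fails stuck-on (the single real fault) while its over-temperature alarm carries an undetected latent fault, and a start-up proof test that turns the latent fault into a detected one before the device is put into service. The temperature limits and timing are constructed values.

```python
from dataclasses import dataclass

# Constructed limits; the article gives no numbers for the incubator example.
LOW_C, HIGH_C = 36.0, 37.5

@dataclass
class AlarmChannel:
    name: str
    stuck_silent: bool = False   # latent fault: the output stage never actuates
    fired: bool = False

    def trigger(self) -> bool:
        if not self.stuck_silent:
            self.fired = True
        return self.fired

@dataclass
class Incubator:
    channels: list
    heater_ok: bool = True
    temp_c: float = 36.8

    def step(self) -> tuple:
        """One control cycle; a stuck-on heater (the real fault) adds heat each cycle."""
        self.temp_c = self.temp_c + 0.5 if not self.heater_ok else 36.8
        out_of_range = not (LOW_C <= self.temp_c <= HIGH_C)
        fired = False
        if out_of_range:
            # list comprehension, not a generator: every channel must be exercised
            fired = any([ch.trigger() for ch in self.channels])
        return out_of_range, fired

def proof_test(channels) -> list:
    """Command each alarm channel and check it actuates; returns channels with latent faults."""
    bad = [ch.name for ch in channels if not ch.trigger()]
    for ch in channels:
        ch.fired = False          # clear the test actuation
    return bad

def run(latent_alarm_fault: bool, test_at_startup: bool) -> dict:
    """Heater fails stuck-on at cycle 3; report what the safety function did."""
    alarm = AlarmChannel("over-temperature alarm", stuck_silent=latent_alarm_fault)
    inc = Incubator(channels=[alarm])
    if test_at_startup and proof_test(inc.channels):
        return {"latent_fault_detected": True, "operated": False, "unsafe_silent": False}
    for cycle in range(8):
        if cycle == 3:
            inc.heater_ok = False
        out_of_range, fired = inc.step()
        if out_of_range:
            return {"latent_fault_detected": False, "operated": True, "unsafe_silent": not fired}
    return {"latent_fault_detected": False, "operated": True, "unsafe_silent": False}

if __name__ == "__main__":
    for latent, test in [(False, False), (True, False), (True, True)]:
        print(f"latent={latent} self-test={test} -> {run(latent, test)}")
```

The second run shows the failure mode the text describes: one real fault plus one latent fault, and the alarm stays silent; the third shows the proof test refusing to operate the device instead.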
Find possible solutions in other sectors
In view of the above, manufacturers, designers and developers of medical equipment are well advised to have an overview of the basics and principles of functional safety beyond industry- and market-specific standards. Further guidance can be found, for example, in the standards of the EN 61508 series. They serve as basic safety standards for all sectors of industry that rely on E/E/PE systems in safety-related applications where their functional safety must be guaranteed at all times.
In the case of the design and development of innovative and complex medical devices that can lead to major health risks for patients or users in the event of a breakdown, it may be worthwhile to make a few detours to other sectors of industry where malfunctions of E/E/PE systems can have equally serious consequences (e.g. the process industry, nuclear energy or the railway industry). Third parties with expertise and long experience in a wide variety of safety-related industry sectors, such as TÜV SÜD, can give designers and developers a significant boost and help them identify all potential sources of error, e.g. in system architecture, software, or even incorrect operation, and develop possible solutions.
1. IEC 60601-1:2005/AMD1:2012/ISH1:2021: Interpretation sheet 1 – Amendment 1 – Medical electrical equipment – Part 1: General requirements for basic safety and essential performance.
2. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC.
3. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (Annex I, 17.1).
4. IEC 60601-1 Medical electrical equipment – Part 1: General requirements for basic safety and essential performance.
5. ISO 14971:2020-07 Medical devices – Application of risk management to medical devices.