The essential performance of an active medical device or system has a direct impact on patient safety. Given this, safety and security assessments also address potential hazards that might arise during its clinical use. Functional safety, also known as “essential performance in single-fault condition”, marks an additional step in the safety assessment of a device that focuses on the reliability of its correct and safe function. It guarantees that in the event of a fault the function of the device is maintained or the system switches to a safe state. Functional safety thus guarantees user and patient safety even in single-fault condition, and plays a critical role for the manufacturers, importers and distributors of medical devices.
Both normative and legal requirements focus on the principle of single-fault safety, which means that a single first(-occurring) fault must not cause any hazards for either users or patients or result in unacceptable risk levels. A fault in the dosage control unit of an infusion pump, for example, must not result in an overdose or underdose being administered to the patient.
Basically, single faults can occur anytime and anywhere—throughout the control circuit, its parts and components, and in the software. They cannot be predicted. To keep health risks for users and patients to a minimum, strict requirements are imposed on the essential performance and safety of medical devices by both the applicable laws and standards.
Compliance with Legal Requirements and Standards
In the European Union, the Medical Device Regulation (EU) 2017/745 (also known as MDR) defines the requirements for distributing medical devices within the EU. As far as functional safety is concerned, it includes the following requirement, “In the event of a single fault condition, appropriate means shall be adopted to eliminate or reduce as far as possible consequent risks or impairment of performance” (Annex I, 17.1).
In other words, in the event of a single fault, functional safety measures must either fully control the risk or at least reduce its probability of occurrence to an acceptable level. To guarantee this, both manufacturers and developers should implement measures to comply with the regulatory requirements and state-of-the-art standards.
As one of the fundamental series of standards, the IEC 60601 (“Medical electrical equipment”), and Part 1 in particular, defines the general requirements for the safety and essential performance (EP) of active medical devices. These general requirements include the requirement that medical electrical equipment and systems must by design ensure single-fault safety or residual risk must be reduced to an acceptable level as defined by risk management. The essential performance of a medical device must thereby be ensured.
However, the standard does not explicitly specify how to implement and test single-fault safety from a technical perspective. It only refers to risk management. The standard also does not adequately define how to handle latent faults, the term used for faults in the protective system that do not immediately manifest as a single fault. When a single fault then occurs in the protected system, the latent fault causes the protective system to fail.
Recognizing this shortcoming, the International Electrotechnical Commission (IEC) published an interpretation sheet in March 2021 (IEC 60601-1/AMD1/ISH1:2021), explaining how to apply the concept of single-fault safety to essential performance and clinical function. The interpretation sheet also includes provisions for documentation (Sections bb 1 to bb 6) and document review. However, the question of how to achieve and verify single-fault safety is not answered by the interpretation sheet either.
Identifying Faults, Controlling Risks
Safe medical devices can only be achieved with comprehensive risk management. Manufacturers must identify the risks related to design and function and mitigate them by establishing suitable control measures or taking appropriate countermeasures. The ISO 14971 standard (“Application of risk management to medical devices”) provides guidance for this process.
Risk management must cover the entire product lifecycle and consider the information collected at every stage, including during post-marketing surveillance. This approach ensures that even very rare malfunctions and age-related degradation and failures are recorded and controlled.
Suitable diagnostic measures can identify single faults in a timely manner and initiate a targeted response before the multiple fault occurrence time (MFOT) expires, after which a second fault must be expected. In suitable architectures, watchdogs can, for example, monitor the microcontroller in a medical device and put the device into a safe state in case of a fault. However, single faults may also affect protective systems. Given this, risk assessment should also consider (latent) faults that have no immediate consequences. In conjunction with a second fault, these latent faults could otherwise lead to an unacceptable risk.
While systematic errors cannot be fully excluded, their probability of occurrence and their consequences must be minimized. Integrated control and monitoring functions such as plausibility checks improve the robustness of devices. As a matter of principle, the more complex the product, the higher the potential risk of systematic faults. Given this, all tools used in development need to be qualified. This applies to software frameworks, but also to the hardware and the production process. Redundant (and, where necessary, diverse) structures, such as a second shut-off unit in the circuit and master-checker architectures, help to ensure effective control of random faults.
Example: A Functionally Safe Incubator
Without adequate safety functions, a single fault in an incubator’s temperature control unit may cause the temperature to rise above the acceptable limit. A protective system typically identifies a single fault in temperature control and shuts off the system as soon as the temperature exceeds the defined limit. If there is a latent fault in the safety system, however, the latter may not be able to identify the fault in the temperature control unit.
In this simplified model, a redundant architecture with two safety devices would ensure a sufficient level of functional safety. In case of a latent fault in one of the two safety systems, the other system will step in and ensure the safe function of the device. It is important in this context that safety devices are independent of the system they protect and do not share features such as the same power supply.
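The following simulation, added here as an illustration and not taken from the article, IEC 60601-1 or any real device, models the incubator discussed above together with the diagnostic measures described earlier: two independent safety channels that can each open the heater circuit, a plausibility check between their sensors, and a periodic proof test of each shut-off path that runs well inside the multiple fault occurrence time so that a latent fault is revealed before a second fault can combine with it. The temperature limit, tolerance, MFOT, proof-test interval and all sensor readings are assumed values chosen for the example.

```python
"""Simplified model of a redundant protective system for an incubator heater.

Constructed example: two independent safety channels each read their own
temperature sensor and can each open the heater circuit. A periodic proof
test, run well inside the multiple fault occurrence time (MFOT), exercises
each channel's shut-off path so that a latent fault in a protective channel
is found before a second fault can combine with it. All limits, timings and
readings below are assumed values, not figures from any standard or device.
"""
from dataclasses import dataclass, field
from enum import Enum

LIMIT_C = 39.0                        # assumed upper chamber temperature limit
PLAUSIBILITY_C = 1.0                  # assumed max disagreement between sensors
MFOT_S = 3600                         # assumed multiple fault occurrence time
PROOF_TEST_INTERVAL_S = MFOT_S // 4   # proof test runs well inside the MFOT


class State(Enum):
    RUN = "run"
    SAFE = "safe"   # heater de-energised, alarm raised


@dataclass
class SafetyChannel:
    """One independent protective channel with its own sensor and shut-off relay."""
    name: str
    relay_stuck_closed: bool = False   # latent fault: shut-off path cannot open
    tripped: bool = False              # channel has demanded a shut-off

    def check(self, temp_c: float) -> bool:
        """Return True only if this channel actually opened the heater circuit."""
        if temp_c > LIMIT_C:
            self.tripped = True
            return not self.relay_stuck_closed   # a stuck relay cannot interrupt
        return False

    def proof_test(self) -> bool:
        """Exercise the shut-off path; False means a latent fault was revealed."""
        return not self.relay_stuck_closed


@dataclass
class Incubator:
    channel_a: SafetyChannel
    channel_b: SafetyChannel
    state: State = State.RUN
    events: list = field(default_factory=list)
    _since_proof_test: int = 0

    def step(self, temp_a: float, temp_b: float, dt_s: int) -> State:
        """Advance one control cycle with one reading per independent sensor."""
        if self.state is State.SAFE:
            return self.state
        # Plausibility check: two sensors in the same chamber must agree.
        if abs(temp_a - temp_b) > PLAUSIBILITY_C:
            return self._to_safe(f"sensor disagreement {temp_a:.1f}/{temp_b:.1f}")
        # Either channel alone must be able to bring the device to a safe state.
        opened_a = self.channel_a.check(temp_a)
        opened_b = self.channel_b.check(temp_b)
        if opened_a or opened_b:
            return self._to_safe("over-temperature trip")
        if self.channel_a.tripped or self.channel_b.tripped:
            # Shut-off was demanded but no channel could interrupt the heater:
            # a latent fault has combined with the over-temperature fault.
            self.events.append("DANGER: trip demanded, no channel could open circuit")
            return self.state
        # Periodic proof test reveals latent faults before the MFOT expires.
        self._since_proof_test += dt_s
        if self._since_proof_test >= PROOF_TEST_INTERVAL_S:
            self._since_proof_test = 0
            for ch in (self.channel_a, self.channel_b):
                if not ch.proof_test():
                    return self._to_safe(f"latent fault in {ch.name}")
        return self.state

    def _to_safe(self, reason: str) -> State:
        self.state = State.SAFE
        self.events.append(reason)
        return self.state


# Constructed sensor traces: (sensor A, sensor B, elapsed seconds) per cycle.
NORMAL_READINGS = [(37.0, 37.2, 300)] * 4
OVERHEAT_READINGS = [(37.0, 37.1, 300), (38.5, 38.6, 300), (39.4, 39.5, 300)]
DISAGREE_READINGS = [(37.0, 38.5, 300)]


def run_scenario(stuck_a: bool, stuck_b: bool, readings):
    """Run one trace with the given latent faults; return final state and events."""
    inc = Incubator(SafetyChannel("A", stuck_a), SafetyChannel("B", stuck_b))
    for temp_a, temp_b, dt_s in readings:
        inc.step(temp_a, temp_b, dt_s)
    return inc.state, inc.events


if __name__ == "__main__":
    print("healthy, normal   :", run_scenario(False, False, NORMAL_READINGS))
    print("A latent, normal  :", run_scenario(True, False, NORMAL_READINGS))
    print("A latent, overheat:", run_scenario(True, False, OVERHEAT_READINGS))
    print("both latent, heat :", run_scenario(True, True, OVERHEAT_READINGS))
```

Running the four scenarios shows the points the article makes: with one latent fault the second channel still trips on over-temperature, the proof test catches the latent fault during normal operation before a second fault can occur, and only when both independent channels carry latent faults does the over-temperature demand go unanswered, which is exactly the combination redundancy and timely diagnostics are meant to keep from arising.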
The applicable regulations and standards require single-fault safety of clinical functions without defining technical details. Given this, many tests in accordance with the IEC 60601-1 standard fail to address the aspects of functional safety in adequate detail. Third-party review of the documentation and independent safety assurance (ISA) reduce health risks for patients and users. This approach secures the sustainable economic success of the medical device.