IEC 60601-1 describes essential performance as performance necessary to achieve freedom from unacceptable risk.
This article aims to explain what the standard means by that and how this essential performance differs from basic safety.
We will also look at IEC 60601-1/AMD1/ISH1:2021 INTERPRETATION SHEET 1.
“Performance of a clinical function, other than that related to basic safety, where loss or degradation beyond the limits specified by the manufacturer results in an unacceptable risk.”
Source: IEC 60601-1
Despite this definition, there are always uncertainties as to what essential performance actually is. The standard seems to be aware of this, which is why it has added a note to the definition:
Essential performance is most easily understood by considering whether its absence or degradation would result in an unacceptable risk.
But this note also raises unanswered questions. As a result, the IEC felt compelled to provide further explanations in an interpretation sheet, which this article will look at later.
In contrast to basic safety, essential performance characteristics are typical for the device type, for example:
The answer to the question of how the essential performance differs from basic safety can be found in section 4 of this article (FAQ).
Section 4.3 of IEC 60601-1 requires manufacturers of medical devices to:
For programmable electrical medical systems (PEMS) with components that “effect” essential performance, IEC 60601-1 also establishes requirements for development, troubleshooting, the risk management process, and verification and validation.
The interpretation sheet for section 4.3 of IEC 60601-1, which we will look at in more detail later, specifies how manufacturers should define essential performance.
Derive the necessary clinical functions from the intended purpose and considering what could negatively affect safety.
An automatic defibrillator (AED) can detect a heart rhythm that requires a shock.
Determine the performance characteristics of these clinical functions.
Measure heart rate correctly, detect ventricular tachycardia on an ECG.
Determine the ranges these performance characteristics have to be in – both in normal condition and in single-fault condition.
AHA (American Heart Association) sensitivity and specificity with test data sets.
Determine the risks if the performance characteristics are outside these specified ranges. If these risks are unacceptable, the performance characteristic is essential.
No shock is delivered when a shock should be delivered (false negative).
A shock is delivered when no shock should be delivered (false positive).
For all essential performance characteristics, manufacturers have to define and implement risk control measures to minimize risks to an acceptable level in both normal and single-fault conditions.
Of course, as with all risk-minimizing measures, the manufacturers must demonstrate that they have actually implemented these measures and that they are effective.
Note that some particular standards, i.e., the IEC 60601-2-x series of standards, explicitly establish the essential performance characteristics.
The answer to this question, according to the interpretation sheet, is ‘yes’. The authors based their answer on several passages of IEC 60601-1:
The standard defines basic safety as follows:
“Freedom from unacceptable risk directly caused by physical hazards when me equipment is used under normal condition and single fault condition”
Source: IEC 60601-1
Basic safety relates to physical hazards (potential sources of harm) that result from the choice of technical solution and are inherent to the device. These include:
Manufacturers usually achieve basic security through passive protective measures that are not specific to a device type. These include:
Basic safety is, therefore, a property of a device. Performance characteristics refer to the ability of a functional unit to perform a required function. These could be the aforementioned clinical functions (detection of fibrillation) or even protective functions that detect a hazardous state (overheating) and bring the device to a safe state, keep it there and trigger an alarm.
Events and circumstances leading to the loss or degradation of such functions must be identified and controlled, as failure to do so would result in an unacceptable risk.
Both standalone software and software that is part of a medical device can implement essential performance characteristics. Examples are:
Embedded software that controls or monitors a heart-lung machine pump
Note that the standalone software is not within the scope of IEC 60601-1, which introduces the concept of essential performance.
It is, indeed, generally possible to develop medical devices without essential performance characteristics because a fault in them does not lead to unacceptable risks. However, manufacturers should bear the following in mind:
Typical examples of devices with no essential performance characteristics are surgical instruments (e.g., RF surgery or skin lasers), which by definition are used for treatment (not for diagnosis or therapy) and are, therefore, also medical devices. The fact that these devices often don’t have any essential performance characteristics is due to the fact that the users (e.g., surgeons) can review and correct the result of the work. This means that even the complete failure of the device is often not critical.
According to the interpretation sheet, manufacturers have to detect undetectable (hazardous) faults. This means that the operating lifetime plays a significant role as the safety function has to be retained throughout the entire operating lifetime.
A self-test of this safety function during operation or prescribed maintenance is therefore essential because otherwise it becomes very difficult to prove that this safety function is active.
In March 2021, the IEC published Interpretation Sheet ISH1 on IEC 60601-1:2005/AMD1:2012 with the title Interpretation of Subclauses 4.3 of IEC 60601-1:2005/AMD1:2012 and 4.7 of IEC 60601-1:2005.
As the name suggests, the document aims to provide an interpretation of section 4.3 of IEC 60601-1, which is the section that deals with essential performance.
The interpretation sheet:
Who should read the interpretation sheet?
According to IEC, an interpretation sheet is a tool and provides
"a quick formal explanation to an urgent request by a user of a standard (testing laboratory, certification body, manufacturer, etc.)."
Interpretation Sheet ISH1
Therefore, the authors can only explain or interpret, they cannot add any new requirements. The interpretation sheet is normative and must therefore be understood in the same by all the named users.
Because the interpretation sheet does not add requirements, but only explains requirements, it is valid from the date of publication. There is no transitional period.
Interpretation sheets are generally available for free and can be downloaded from the IEC’s website.
IEC 60601-1 introduces the two fundamental concepts of essential performance and single faults. While the single faults mentioned in section 13.2 of the standard are only relate to basic safety, the base standard unfortunately provides little guidance on how to handle faults that do not result in a single fault. The interpretation sheet now aims to close this gap.
The introduction states:
This interpretation sheet is intended to clarify the requirements which are needed to maintain ESSENTIAL PERFORMANCE in SINGLE FAULT CONDITION.
Introduction to the interpretation sheet
Interpretation Sheet ISH1 with the title Interpretation of Subclauses 4.3 of IEC 60601-1:2005/AMD1:2012 and 4.7 of IEC 60601-1:2005 was written by subcommittee SC 62A of technical committee TC 62 (Electrical equipment in medical practice).
The intention behind this interpretation sheet should be welcomed. The original standard lacks a comprehensive explanation of how to handle faults with respect to essential performance. The interpretation sheet provides a summary of the important passages and facts in the standard. More examples that make the requirements more understandable would have been nice.
The list in bb) is a good summary of the required activities and makes it clear again that the guide to action in Annex A of the standard is not only informative but also includes guidance for documentation. Manufacturers should incorporate the list in bb) into their risk management SOPs.
There is also criticism:
The question of what is meant by clinical functions and what their relationship to the intended use is remains unanswered. The standard considers clinical functions in the context of the intended use, which according to definition 3.44 also includes maintenance, transport, etc.
Essential performance is also related to safety aspects. But this interrelationship remains unclear. Since an interpretation sheet cannot give any examples, the following two should help:
Example 1: In the case of a syringe pump, it is not the correct dosage (dosage would be the clinical function) that is the essential performance characteristic but the accuracy test (intended use) that enables a hazardous situation (e.g., occlusion) to be detected and an alarm generated. The standard does not specify the reliability with which such situations should be detected, and alarms generated. The standard itself states in the explanatory note to 5.1:
On 5.1) Compared with SINGLE FAULT CONDITIONS, this standard does not have verifiable requirements for faults not leading to a SINGLE FAULT CONDITION. This means this standard does not give guidance how reliable it is that faults can be prevented.
Example 2: A defibrillator must not deliver an unexpected shock. The ability to deliver a shock would be the clinical function and the ability not to deliver an unwanted shock would relate to safety. The function that ensures safety must also work reliably. This can be compared to a fire extinguisher that always hangs on the wall and must function reliably in an emergency (when required).
A comment on how to deal with errors in software would have been interesting; especially if the software not only controls the device but also provides diagnostic information.
In cc) the authors refer to a second independent fault and in section 5.1, the standard refers to simultaneous independent faults and combination of simultaneous independent faults. However, these are not the same thing.
Use the interpretation sheet. Document how the essential performance characteristics have been derived in the risk management file following the list section bb) 1) to 6). Define appropriate measures that enable the system or user to detect the failure or degradation of performance. These measures could, for example, include regular inspections, maintenance and internal self-testing.
Our recommendation is that you document your considerations in a safety strategy. IEC 60601-1 does not contain any specific documentation requirements. By documenting how the essential performance characteristics have been determined and your design decisions, you will help reviewers and auditors fully grasp the important aspects of your devices and review them without having to ask questions.
Document the essential performance characteristics you have derived in the risk management file, see bb) 1) to bb) 6). It may well be the case that the ME equipment does not have any essential performance characteristics. But if the manufacturer has defined essential performance characteristics for its device, then check whether it can demonstrate functional safety through its requirements, design, calculations and in-house tests. Of course, the calculations and tests must be credible.
As a general rule, a documentation review is sufficient. You only have to test the performance characteristics if it is a requirement of a standard.
As a general rule, (certified) test reports from a recognized testing laboratory will be available. In such cases, you do not need to check the content of how the essential performance characteristics were derived again. As the interpretation sheet is binding, you can assume that the CB report is complete.
IEC 60601-1 cannot be applied to IVD devices and its sister standard IEC 61010-1 does not mention essential performance as it is only a safety standard. If your device is also a machine, then you have to comply with the requirements of the Machinery Directive (as required by the IVDR) and this brings you into the area of functional safety and thus into the IEC 61508 series of standards. The philosophy of essential performance can then be applied to safety devices, such as light barriers or interlock systems.