Essential Performance in Medical Devices

IEC 60601-1 describes essential performance as performance necessary to achieve freedom from unacceptable risk.

This article aims to explain what the standard means by that and how this essential performance differs from basic safety.

We will also look at IEC 60601-1/AMD1/ISH1:2021 INTERPRETATION SHEET 1.

1. What is essential performance?

a) Definition of the term

 Definition: Essential performance

“Performance of a clinical function, other than that related to basic safety, where loss or degradation beyond the limits specified by the manufacturer results in an unacceptable risk.”

Source: IEC 60601-1

Despite this definition, there are always uncertainties as to what essential performance actually is. The standard seems to be aware of this, which is why it has added a note to the definition:

Essential performance is most easily understood by considering whether its absence or degradation would result in an unacceptable risk.

But this note also raises unanswered questions. As a result, the IEC felt compelled to provide further explanations in an interpretation sheet, which this article will look at later.

b) Examples of essential performance

In contrast to basic safety, essential performance characteristics are typical for the device type, for example:

  • The ability of an irradiator to irradiate at exactly the planned angle with the planned dose.
  • The ability of laboratory equipment to measure laboratory parameters to the specified accuracy (note: IEC 60601-1 is not harmonized for IVD devices).
  • The ability of a refrigerator to cool blood bags.
  • The ability of a heart-lung machine pump to rotate and deliver blood as set.

The answer to the question of how the essential performance differs from basic safety can be found in section 4 of this article (FAQ).

2. Essential performance: regulatory requirements

Section 4.3 of IEC 60601-1 requires manufacturers of medical devices to:

  • define the essential performance characteristics of their devices
  • ensure through testing that their devices actually perform the essential performance characteristics
  • use specific test processes to do this, and
  • demonstrate all this with appropriate documentation.

For programmable electrical medical systems (PEMS) with components that “effect” essential performance, IEC 60601-1 also establishes requirements for development, troubleshooting, the risk management process, and verification and validation.

3. How to define the essential performance

The interpretation sheet for section 4.3 of IEC 60601-1, which we will look at in more detail later, specifies how manufacturers should define essential performance.





Derive the necessary clinical functions from the intended purpose and considering what could negatively affect safety.

An automatic defibrillator (AED) can detect a heart rhythm that requires a shock.



Determine the performance characteristics of these clinical functions.

Measure heart rate correctly, detect ventricular tachycardia on an ECG.


Determine the ranges these performance characteristics have to be in – both in normal condition and in single-fault condition.

AHA (American Heart Association) sensitivity and specificity with test data sets.


Determine the risks if the performance characteristics are outside these specified ranges. If these risks are unacceptable, the performance characteristic is essential.

No shock is delivered when a shock should be delivered (false negative).



A shock is delivered when no shock should be delivered (false positive).

For all essential performance characteristics, manufacturers have to define and implement risk control measures to minimize risks to an acceptable level in both normal and single-fault conditions.

Of course, as with all risk-minimizing measures, the manufacturers must demonstrate that they have actually implemented these measures and that they are effective.


Note that some particular standards, i.e., the IEC 60601-2-x series of standards, explicitly establish the essential performance characteristics.

4. FAQ: frequently asked questions about essential performance characteristics

a) Does essential performance still have to be guaranteed even in a single-fault condition?

The answer to this question, according to the interpretation sheet, is ‘yes’. The authors based their answer on several passages of IEC 60601-1:

  • Firstly, essential performance should be defined in terms of the clinical functions of the medical device.
  • Single faults can cause loss or degradation of clinical functions as well as basic safety and can, therefore, lead to an unacceptable risk.
  • Therefore, the requirement in Section 4.7 that ME equipment must be or remain single-fault safe also applies to essential performance.

b) How is essential performance different from basic safety?

The standard defines basic safety as follows:

 Definition: Basic safety

“Freedom from unacceptable risk directly caused by physical hazards when me equipment is used under normal condition and single fault condition”

Source: IEC 60601-1

Basic safety relates to physical hazards (potential sources of harm) that result from the choice of technical solution and are inherent to the device. These include:

  • Electrical hazards (mains voltage 230 V)
  • Thermal hazards (overheated battery)
  • Mechanical hazards (fast moving parts)

Manufacturers usually achieve basic security through passive protective measures that are not specific to a device type. These include:

  • Electrical insulation (housing)
  • Thermal fuse
  • Reinforcement, arresting cables
  • Fireproof housing

Basic safety is, therefore, a property of a device. Performance characteristics refer to the ability of a functional unit to perform a required function. These could be the aforementioned clinical functions (detection of fibrillation) or even protective functions that detect a hazardous state (overheating) and bring the device to a safe state, keep it there and trigger an alarm.

Events and circumstances leading to the loss or degradation of such functions must be identified and controlled, as failure to do so would result in an unacceptable risk.

c) Can software also have essential performance characteristics?

Both standalone software and software that is part of a medical device can implement essential performance characteristics. Examples are:

  • Standalone software for calculating the dose of cytostatics

Embedded software that controls or monitors a heart-lung machine pump


Note that the standalone software is not within the scope of IEC 60601-1, which introduces the concept of essential performance.

e) Are there devices without essential performance characteristics?

It is, indeed, generally possible to develop medical devices without essential performance characteristics because a fault in them does not lead to unacceptable risks. However, manufacturers should bear the following in mind:

  • Devices without risks often have no clinical benefit. Has this benefit been consistently quantified in the risk management file?
  • The statement that a device has no essential performance characteristics can spur auditors or reviewers to prove otherwise.
  • ISO 14971:2012 requires manufacturers to reduce any risk as much as possible. So, there are no generally acceptable risks.

Typical examples of devices with no essential performance characteristics are surgical instruments (e.g., RF surgery or skin lasers), which by definition are used for treatment (not for diagnosis or therapy) and are, therefore, also medical devices. The fact that these devices often don’t have any essential performance characteristics is due to the fact that the users (e.g., surgeons) can review and correct the result of the work. This means that even the complete failure of the device is often not critical.

f) Is it necessary to check essential performance during operation?

According to the interpretation sheet, manufacturers have to detect undetectable (hazardous) faults. This means that the operating lifetime plays a significant role as the safety function has to be retained throughout the entire operating lifetime.

A self-test of this safety function during operation or prescribed maintenance is therefore essential because otherwise it becomes very difficult to prove that this safety function is active.


a) Overview

In March 2021, the IEC published Interpretation Sheet ISH1 on IEC 60601-1:2005/AMD1:2012 with the title Interpretation of Subclauses 4.3 of IEC 60601-1:2005/AMD1:2012 and 4.7 of IEC 60601-1:2005.

As the name suggests, the document aims to provide an interpretation of section 4.3 of IEC 60601-1, which is the section that deals with essential performance.

The interpretation sheet:

  • summarizes again the essential performance requirements
  • describes how the concept of single fault can be applied to the essential performance characteristics and
  • details specifications for documentation and testing.

Who should read the interpretation sheet?

  • Manufacturers (developers and architects) who develop safety strategies for devices that have essential performance characteristics
  • Notified bodies who review technical documentation
  • Testing laboratories who have to demonstrate safety as the part of a 60601-CB report

b) Purpose and binding nature of interpretation sheet (in general)

According to IEC, an interpretation sheet is a tool and provides

"a quick formal explanation to an urgent request by a user of a standard (testing laboratory, certification body, manufacturer, etc.)."

Interpretation Sheet ISH1

Therefore, the authors can only explain or interpret, they cannot add any new requirements. The interpretation sheet is normative and must therefore be understood in the same by all the named users.

Because the interpretation sheet does not add requirements, but only explains requirements, it is valid from the date of publication. There is no transitional period.

Interpretation sheets are generally available for free and can be downloaded from the IEC’s website.

c) Purpose of the interpretation sheet for IEC 60601-1

IEC 60601-1 introduces the two fundamental concepts of essential performance and single faults. While the single faults mentioned in section 13.2 of the standard are only relate to basic safety, the base standard unfortunately provides little guidance on how to handle faults that do not result in a single fault. The interpretation sheet now aims to close this gap.

The introduction states:

This interpretation sheet is intended to clarify the requirements which are needed to maintain ESSENTIAL PERFORMANCE in SINGLE FAULT CONDITION.

Introduction to the interpretation sheet

d) Authors of Interpretation Sheet ISH1

Interpretation Sheet ISH1 with the title Interpretation of Subclauses 4.3 of IEC 60601-1:2005/AMD1:2012 and 4.7 of IEC 60601-1:2005 was written by subcommittee SC 62A of technical committee TC 62 (Electrical equipment in medical practice).

e) Key statements and content in Interpretation Sheet ISH1

  • Manufacturers have to follow the process described in the table above to determine essential performance characteristics.
  • Essential performance must remain guaranteed even in the event of a single fault.
  • The consideration of single fault conditions should take into account other module, subassembly or component faults or failures, and not just the single faults mentioned in section 13.2, and these should be physically or theoretically simulated.
  • In accordance with section 4.7 b), the consequences of a second independent fault or failure should be investigated, especially if the initial fault or failure remains undetected.
  • Manufacturers have to identify these undetectable faults.
    In terms of functional safety, a distinction is made between detectable and undetectable hazardous faults. An undetectable hazardous fault could be a safety function whose failure is not noticeable as long the device performs its clinical function correctly.
  • In addition to reviewing basic safety, auditors also have to inspect the documentation to review function safety (or functional safety). These are completely new tasks that require additional experience and qualifications. This is likely to drive up costs for manufacturers.

f) Appraisal of Interpretation Sheet ISH1

The intention behind this interpretation sheet should be welcomed. The original standard lacks a comprehensive explanation of how to handle faults with respect to essential performance. The interpretation sheet provides a summary of the important passages and facts in the standard. More examples that make the requirements more understandable would have been nice.

The list in bb) is a good summary of the required activities and makes it clear again that the guide to action in Annex A of the standard is not only informative but also includes guidance for documentation. Manufacturers should incorporate the list in bb) into their risk management SOPs.

There is also criticism:

Unclear interaction with intended use

The question of what is meant by clinical functions and what their relationship to the intended use is remains unanswered. The standard considers clinical functions in the context of the intended use, which according to definition 3.44 also includes maintenance, transport, etc.

Unclear interaction with safety aspects

Essential performance is also related to safety aspects. But this interrelationship remains unclear. Since an interpretation sheet cannot give any examples, the following two should help:

Example 1: In the case of a syringe pump, it is not the correct dosage (dosage would be the clinical function) that is the essential performance characteristic but the accuracy test (intended use) that enables a hazardous situation (e.g., occlusion) to be detected and an alarm generated. The standard does not specify the reliability with which such situations should be detected, and alarms generated. The standard itself states in the explanatory note to 5.1:

On 5.1) Compared with SINGLE FAULT CONDITIONS, this standard does not have verifiable requirements for faults not leading to a SINGLE FAULT CONDITION. This means this standard does not give guidance how reliable it is that faults can be prevented.

Example 2: A defibrillator must not deliver an unexpected shock. The ability to deliver a shock would be the clinical function and the ability not to deliver an unwanted shock would relate to safety. The function that ensures safety must also work reliably. This can be compared to a fire extinguisher that always hangs on the wall and must function reliably in an emergency (when required).

No examples for software

A comment on how to deal with errors in software would have been interesting; especially if the software not only controls the device but also provides diagnostic information.

Imprecise use of terms

In cc) the authors refer to a second independent fault and in section 5.1, the standard refers to simultaneous independent faults and combination of simultaneous independent faults. However, these are not the same thing.

6. Summary

a) Recommendation for manufacturers of medical devices

Use the interpretation sheet. Document how the essential performance characteristics have been derived in the risk management file following the list section bb) 1) to 6). Define appropriate measures that enable the system or user to detect the failure or degradation of performance. These measures could, for example, include regular inspections, maintenance and internal self-testing.

Our recommendation is that you document your considerations in a safety strategy. IEC 60601-1 does not contain any specific documentation requirements. By documenting how the essential performance characteristics have been determined and your design decisions, you will help reviewers and auditors fully grasp the important aspects of your devices and review them without having to ask questions.

b) Recommendation for testing laboratories

Document the essential performance characteristics you have derived in the risk management file, see bb) 1) to bb) 6). It may well be the case that the ME equipment does not have any essential performance characteristics. But if the manufacturer has defined essential performance characteristics for its device, then check whether it can demonstrate functional safety through its requirements, design, calculations and in-house tests. Of course, the calculations and tests must be credible.

As a general rule, a documentation review is sufficient. You only have to test the performance characteristics if it is a requirement of a standard.

c) Recommendations for auditors

As a general rule, (certified) test reports from a recognized testing laboratory will be available. In such cases, you do not need to check the content of how the essential performance characteristics were derived again. As the interpretation sheet is binding, you can assume that the CB report is complete.

d) Note for manufacturers of IVD devices

IEC 60601-1 cannot be applied to IVD devices and its sister standard IEC 61010-1 does not mention essential performance as it is only a safety standard. If your device is also a machine, then you have to comply with the requirements of the Machinery Directive (as required by the IVDR) and this brings you into the area of functional safety and thus into the IEC 61508 series of standards. The philosophy of essential performance can then be applied to safety devices, such as light barriers or interlock systems.


Mario Klessascheck

Find out what Johner Institute can do for you

A quick overview: Our


Learn More Pfeil_weiß

Always up to date: Our


Learn More Pfeil_grau

Privacy settings

We use cookies on our website. Some of them are essential, while others help us improve this website and your experience.