Functional safety for medical devices


Medical Electrical Equipment must meet the legal requirements for safety and performance. A frequently used term in the context of safety and performance is the term “functional safety”. The demonstration of functional safety is increasingly required by testing laboratories and authorities. Unfortunately, the relevant standards and laws for medical devices do not use or define the term "functional safety." This article provides clarity.

1. Functional safety: the background

a) Who has to deal with it?

The following roles must understand the concepts of functional safety:

  • Individuals working for medical device manufacturers who are responsible for
    • the development of medical electrical equipment, such as system architecture, risk management, or inspection of the functional and basic safety of medical electrical equipment,
    • regulatory affairs.
  • Staff at notified bodies and testing laboratories responsible for
    • the review of technical documentation,
    • the inspection of the functional and basic safety of medical electrical equipment.

b) What is it about?

Medical devices must not put patients at risk. Examples:

  • The pump of a heart-lung machine must not fail.
  • An infusion pump must not pump air into a patient's vein.
  • An incubator must not burn an infant.
  • An automated defibrillator must not shock a patient with a normal heartbeat.

The objective of functional safety is to prevent such risks caused by faults within a safety function or control function.

2. The concept of functional safety

a) Definition of IEC 61508

The relevant standards and laws for medical devices do not define the term "functional safety." However, definitions can be found in other safety domains.


Definition: Functional safety

Part of the overall safety related to the EUC and the EUC control system, which depends on the correct functioning of the E/E/PE safety-related system, safety-related systems of other technology, and external devices for risk minimization.

­­IEC 61508, Part 4, Chapter 3.1.9

The standard uses the following abbreviations:

  • EUC: equipment under control (in this case the medical device)
  • E/E/PE: Electrical/electronic/programmable electronics (here the safety function)



Medical devices are not included in the scope of IEC 61508, but its concepts and specifications are still helpful for medical device manufacturers.

According to the definition of IEC 61508, functional safety is "only" a concept of electrical, electronic, or programmable devices, in our case, medical electrical equipment.

You can buy the standards of the IEC 61508 family here.


Functional safety in this definition refers only to freedom from unacceptable risk in the following problems:

Risks related to functional safety


Risks due to errors or failures within the control system of the medical device

The software for the motor control of the heart-lung machine contains a programming error.

The control unit of the defibrillator fails.

Proper functioning of other safety-related functions (not clinical functions) to minimize risk are not present

The detector of an infusion pump does not detect an air bubble.

The air supply of the CPU fan of the ventilator is blocked by a surgical gown.

The sensor for temperature monitoring of the incubator is defective.

The correct function of an external device is not given

The necessary cooling of the surrounding room has failed. The external power supply has failed.


These circumstances and events also apply to medical devices. This is because the requirement for safety or reliability is primarily found in the standard for medical electrical equipment IEC 60601-1 in Section 4.3 on essential performance characteristics and Section 4.7 for single fault safety.


c) Delimitation

Functional safety does not refer to freedom from the following risks:

Risks not related to functional safety


Risks due to lack of basic safety (in the event of a single fault, see below)

There is voltage at the enclosure of the medical electrical equipment because an insulation is broken.

Mechanical tension in the enclosure because of the too high internal temperature.

Risks that are neither caused by nor intended to be controlled by the electrical, electronic or programmable part of the medical device

The device has sharp edges due to a production defect.

A holder breaks and the device falls onto the user's feet.

The paint of the device contains carcinogenic substances.

The device is not sterile.

d) Conclusion

Functional safety refers to those functions of the device,

  • that have an impact on clinical performance,
  • that are intended to detect transient operating conditions that are not a fault of the device (e.g., kinking of a catheter, external power failure), and
  • safety functions that are intended to prevent a hazardous situation (e.g., exceeding a limit value).

3. Functional safety: regulatory requirements

a) MDR requirements

The MDR does not use the term functional safety. It nevertheless imposes requirements on it directly or indirectly:

Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose.

They shall be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons

MDR Annex I

The MDR also requires repeatability, dependability, and performance (MDR Annex I, Chapter 17.1), as well as the safety of devices even when a defect first occurs (Chapters 17.1, 18.1).


b) IEC 60601-1 requirements

Single-fault safe

IEC 60601-1 requires medical devices to be single-fault safe. It defines this as follows:


Definition: Single-fault safe

Characteristic of ME EQUIPMENT or its parts whereby it remains free of unacceptable RISKS during its EXPECTED SERVICE LIFE under SINGLE FAULT CONDITIONS.

DIN EN 60601-1:2022-11 3.117

The standard also defines the term "single-fault condition":


Definition: Single-fault condition

Condition of ME EQUIPMENT in which a single means for reducing a RISK is defective or a single abnormal condition is present.

DIN EN 60601-1:2022-11 3.116

The term "single-fault condition" thus refers to the parts of the device in which means of protection are implemented. Examples of such single-fault conditions are:

  • Short circuit of an insulation
  • Interruption of a protective earth conductor
  • Failure of a sensor for temperature monitoring or air bubble detection


Ensuring the essential performance characteristics

In addition, IEC 60601-1 requires that manufacturers determine and guarantee the essential performance characteristics of their devices. IOS 14971 also contains this requirement (5.3. Characteristics related to safety).

IEC 60601-1 also defines this term:


Definition: Essential performance characteristics.

Performance characteristic of a clinical function, other than basic safety, where loss or degradation beyond the limits specified by the MANUFACTURER results in an unacceptable RISK.

DIN EN 60601-1:2022-11 3.27

For example, the essential performance characteristics would not be met if

  • the heart-lung machine blood pump is not pumping at the specified flow rate,
  • the defibrillator delivers too high or too low an energy during shock,
  • the linear accelerator irradiates at the wrong angle.


In November 2021, the IEC published the interpretation sheet ISH1 for IEC 60601-1, which summarizes the requirements of the standard for single-fault-safety with reference to the essential performance characteristics.

The document is a guidance; however, it does not provide guidance on how to build functional safe devices, which was not the intent. An IEC working group is currently working on a Technical Report to be published in 2024 to provide guidance. The Johner Institute is actively involved in the development.

4. IEC 61508

a) General

The most important generic standard for functional safety is the IEC 61508 series, which serves as a guide for authors writing sector-specific standards. The standard cannot, therefore, be used to demonstrate basic safety and essential performance.

The IEC 61508 describes a generic approach to all safety lifecycle activities for systems consisting of electrical and/or electronic and/or programmable electronic elements used to perform safety functions. The standard states generally applicable (design) principles for the prevention and control of random and systematic faults. It

  • provides methods for the specification of safety requirements,
  • provides requirements for the prevention and control of systematic faults, and
  • describes approaches for the control of random hardware faults.

This unified approach is intended to help develop safety concepts for all safety-related systems on an electrical and/or electronic and/or programmable operation principle.

b) Applicability for medical devices

Even though medical devices are not included in the scope of IEC 61508, its principles and approaches can still be applied to medical devices. The principles do not contradict IEC 60601-1 or other relevant standards such as IEC 61010-1; on the contrary, IEC 61508 perfectly complements these standards. It was also the inspiration for the IEC 62304 standard.

Physical hazards are essentially completely covered by the IEC 60601-1 or IEC 61010-1 standards. However, these two standards only specify requirements for passive means of protection, such as insulation or tensile safety factors for materials. If, on the other hand, a physical hazard is to be controlled by an active means of protection (E/E/EP), e.g., temperature monitoring or a contact monitor, then the principles of IEC 61508 can be applied to the design of such safety functions.



The Johner Institute uses these principles when assisting manufacturers in creating safety concepts for medical devices.

5. Functional safety: solutions

The manufacturers achieve functional safety through a suitable concept (design, architecture) of the system. For this purpose, they should

1. make assumptions,

2. consider design principles, and

3. consider fault tolerance architectures,

as described in more detail below.

a) Making assumptions

Manufacturers should make the following assumptions when creating system architectures and security concepts:

1. Hardware faults are random faults and can occur at any time.

2. Software faults are systematic faults and are controllable only through the design process.

3. The probability of simultaneous failure of two or more systems is much lower than that for a single means of protection.

4. Detectable faults obvious to the operator considered safe faults if the system can be taken out of service.

5. If a first single fault condition remains undetected, another simultaneous faults must be assumed after a time.

6. Faults leading to further faults are considered single faults.

7. Systems without means of protection must be intrinsically safe.

8. The combination of simultaneous independent single faults shall not lead to a hazardous situation.

9. Simultaneous failure of several functional groups due to a common cause of failure shall not lead to a hazardous situation.

10. Failures that are probable, whose probability cannot be estimated, or which cannot be detected shall be considered a normal condition.

b) Consider design principles

System requirements are derived from this, for example:

The system must ...

  • fault-tolerant and, for example, detect and control errors that occur due to the failure of individual components, or the risk must remain acceptable.
  • ...detect and control systematic errors (e.g., software errors), e.g., by:
    • using operationally proven architectures
    • verifying safety functions through tests and simulation
    • defining a safety lifecycle process
    • designing the design process with checklists and work instructions
    • defining appropriate test strategies
  • ...detect and control faults within the multiple fault occurrence time (mean time between failures). That is, if a fault goes undetected, another fault must be expected. The time in between is the MTBF. Therefore, the failure of a means of protection must be detected before the control system itself or a second means of protection fails.
  • ...divide responsibilities, e.g., between the protection system and the control system.
  • insensitive to failures with a common cause of failure (e.g., if someone pours water over the device, which affects the control and protection systems equally).

When specifying safety goals, manufacturers should also consider the reaction time it takes for a user to avoid patient harm.

c) Consider multi-channel architectures


Multi-channel architectures provide a way to detect and minimize risks from the failure and malfunction of parts and components.

Here, components of one channel monitor the components of the other channel (e.g., their sensors and actuators) and react when they fail or malfunction. Options for response include:

  • Information processing is switched from one channel to the other.
  • The sensor or actuator of the other channel is used.
  • If there are multiple sensors, a majority decision takes place.
  • The device is set to a safe state.
  • An alarm condition is triggered.

Two-channel architectures

Dual-channel architectures are characterized by redundant components in the chain of sensor, logic and actuator.


Homogeneous and diverse architectures

In multi-channel architectures, a distinction is made between homogeneous and diverse architectures. In a homogeneous architecture, the two channels are homogeneous, i.e., they consist of identical components. With diverse architectures, random (statistical) errors, in particular, such as component failure due to aging, can be controlled.

In the case of systematic errors, for example, design errors or software bugs, diversified architectures are required because otherwise, the error would be duplicated in both channels. Diversity, especially in programmable systems (which contain software), can refer to:

  • Hardware: processor, memory
  • Tools: compiler, programming language
  • Reused software (SOUP): libraries, operating system
  • Organization: separate development teams



It is a mistake to believe that two- or multi-channel architectures are necessarily better than single-channel architectures. Two channels can even make a system insecure. The more components are installed in a system, the higher the probability that one will fail.

So what happens when two corresponding components send conflicting signals? If, for example, one sensor claims that there is air in the hose of an infusion pump, and the other claims the opposite? Who is right?

If the output causes the device to shut down more frequently, this can increase the risk to patients. Manufacturers must weigh availability and safety in these cases.

d) Single-channel architecture with monitoring

A usually simpler option is a single-channel architecture that is monitored by a test function or a watchdog. The test function can also be taken over by a user, who then acts correctly.



Johner Institute experts help medical device manufacturers and their service providers,

  • to develop architecture and safety concepts,
  • check these for effectiveness and legal compliance (e.g., through architecture reviews),
  • create and review test plans to demonstrate safety,
  • ensure smooth inspection in test houses, and
  • to increase the competence of all stakeholders with customized seminars, e-learning units, or one-on-one coaching.

Contact us right away, e.g., here via our website. This way, we can ensure that you will get through the approval process quickly and without unnecessary costs with safe and high-performance devices and that you will be successful in the market.

6. Conclusion and summary

Functional safety is freedom from unacceptable risks that would result as consequences of a device malfunction, especially in the protective system. In the case of medical devices, functional safety is spoken of almost only in the context of medical electrical devices and IVD devices.

Manufacturers achieve functional safety during the system design of the devices (e.g., through multi-channel architectures). Technical experts and risk managers must work hand in hand to achieve this.

It is usually very costly, often impossible, to eliminate errors that occur during the design phase. Such errors threaten device compliance and patient safety.

Therefore, manufacturers need the appropriate time and competencies to develop functionally safe devices.


Mario Klessascheck

Find out what Johner Institute can do for you

A quick overview: Our


Learn More Pfeil_weiß

Always up to date: Our


Learn More Pfeil_grau

Privacy settings

We use cookies on our website. Some of them are essential, while others help us improve this website and your experience.