Medical Electrical Equipment must meet the legal requirements for safety and performance. A frequently used term in the context of safety and performance is the term “functional safety”. The demonstration of functional safety is increasingly required by testing laboratories and authorities. Unfortunately, the relevant standards and laws for medical devices do not use or define the term "functional safety." This article provides clarity.
The following roles must understand the concepts of functional safety:
Medical devices must not put patients at risk. Examples:
The objective of functional safety is to prevent such risks caused by faults within a safety function or control function.
The relevant standards and laws for medical devices do not define the term "functional safety." However, definitions can be found in other safety domains.
Definition: Functional safety
Part of the overall safety related to the EUC and the EUC control system, which depends on the correct functioning of the E/E/PE safety-related system, safety-related systems of other technology, and external devices for risk minimization.
IEC 61508, Part 4, Chapter 3.1.9
The standard uses the following abbreviations: EUC stands for "equipment under control", and E/E/PE for "electrical/electronic/programmable electronic".
Medical devices are not included in the scope of IEC 61508, but its concepts and specifications are still helpful for medical device manufacturers.
According to the IEC 61508 definition, functional safety is "only" a concept for electrical, electronic, or programmable electronic systems, in our case medical electrical equipment.
Functional safety in this definition refers only to freedom from unacceptable risk arising from the following problems:
Risks related to functional safety
Risks due to errors or failures within the control system of the medical device
The software for the motor control of the heart-lung machine contains a programming error.
The control unit of the defibrillator fails.
Other safety-related functions (not clinical functions) that are intended to minimize risk do not work properly
The detector of an infusion pump does not detect an air bubble.
The air supply of the CPU fan of the ventilator is blocked by a surgical gown.
The sensor for temperature monitoring of the incubator is defective.
An external device does not function correctly
The necessary cooling of the surrounding room has failed.
The external power supply has failed.
These circumstances and events also apply to medical devices. In the standard for medical electrical equipment, IEC 60601-1, the corresponding requirements for safety and reliability are found primarily in Clause 4.3 (essential performance) and Clause 4.7 (single fault condition).
Functional safety does not refer to freedom from the following risks:
Risks not related to functional safety
Risks due to lack of basic safety (in the event of a single fault, see below)
There is voltage at the enclosure of the medical electrical equipment because an insulation is broken.
Mechanical stress in the enclosure because the internal temperature is too high.
Risks that are neither caused by nor intended to be controlled by the electrical, electronic or programmable part of the medical device
The device has sharp edges due to a production defect.
A holder breaks and the device falls onto the user's feet.
The paint of the device contains carcinogenic substances.
The device is not sterile.
Functional safety refers to those functions of the device,
The MDR does not use the term functional safety. It nevertheless imposes requirements on it directly or indirectly:
Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose.
They shall be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons
The MDR also requires repeatability, reliability, and performance (MDR Annex I, Section 17.1), as well as the safety of devices in the event of a first fault (Sections 17.1 and 18.1).
IEC 60601-1 requires medical devices to be single-fault safe. It defines this as follows:
Definition: Single-fault safe
Characteristic of ME EQUIPMENT or its parts whereby it remains free of unacceptable RISKS during its EXPECTED SERVICE LIFE under SINGLE FAULT CONDITIONS.
DIN EN 60601-1:2022-11 3.117
The standard also defines the term "single-fault condition":
Definition: Single-fault condition
Condition of ME EQUIPMENT in which a single means for reducing a RISK is defective or a single abnormal condition is present.
DIN EN 60601-1:2022-11 3.116
The term "single-fault condition" thus refers to the parts of the device in which means of protection are implemented. Examples of such single-fault conditions are:
In addition, IEC 60601-1 requires manufacturers to determine and ensure the essential performance of their devices. ISO 14971 also contains this requirement (5.3, Identification of characteristics related to safety).
IEC 60601-1 also defines this term:
Definition: Essential performance
Performance characteristic of a clinical function, other than basic safety, where loss or degradation beyond the limits specified by the MANUFACTURER results in an unacceptable RISK.
DIN EN 60601-1:2022-11 3.27
For example, the essential performance characteristics would not be met if
In November 2021, the IEC published the interpretation sheet ISH1 for IEC 60601-1, which summarizes the requirements of the standard for single-fault-safety with reference to the essential performance characteristics.
The document is guidance; however, it does not explain how to build functionally safe devices, which was not its intent. An IEC working group is currently working on a Technical Report, to be published in 2024, to provide such guidance. The Johner Institute is actively involved in its development.
The most important generic standard for functional safety is the IEC 61508 series, which serves as a guide for authors writing sector-specific standards. The standard cannot, therefore, be used to demonstrate basic safety and essential performance.
IEC 61508 describes a generic approach to all safety lifecycle activities for systems consisting of electrical and/or electronic and/or programmable electronic elements used to perform safety functions. The standard states generally applicable (design) principles for the prevention and control of random and systematic faults. It
This unified approach is intended to help develop safety concepts for all safety-related systems based on an electrical and/or electronic and/or programmable electronic operating principle.
Even though medical devices are not included in the scope of IEC 61508, its principles and approaches can still be applied to medical devices. The principles do not contradict IEC 60601-1 or other relevant standards such as IEC 61010-1; on the contrary, IEC 61508 perfectly complements these standards. It was also the inspiration for the IEC 62304 standard.
Physical hazards are essentially completely covered by IEC 60601-1 or IEC 61010-1. However, these two standards only specify requirements for passive means of protection, such as insulation or tensile safety factors for materials. If, on the other hand, a physical hazard is to be controlled by an active means of protection (E/E/PE), e.g., temperature monitoring or a contact monitor, then the principles of IEC 61508 can be applied to the design of such safety functions.
The Johner Institute uses these principles when assisting manufacturers in creating safety concepts for medical devices.
The manufacturers achieve functional safety through a suitable concept (design, architecture) of the system. For this purpose, they should
1. make assumptions,
2. consider design principles, and
3. consider fault tolerance architectures,
as described in more detail below.
Manufacturers should make the following assumptions when creating system architectures and safety concepts:
1. Hardware faults are random faults and can occur at any time.
2. Software faults are systematic faults and are controllable only through the design process.
3. The probability of simultaneous failure of two or more systems is much lower than that for a single means of protection.
4. Detectable faults that are obvious to the operator are considered safe faults if the system can be taken out of service.
5. If a first single fault condition remains undetected, a further fault must be assumed to occur after some time.
6. Faults leading to further faults are considered single faults.
7. Systems without means of protection must be intrinsically safe.
8. The combination of simultaneous independent single faults shall not lead to a hazardous situation.
9. Simultaneous failure of several functional groups due to a common cause of failure shall not lead to a hazardous situation.
10. Faults that are probable, whose probability cannot be estimated, or which cannot be detected shall be treated as a normal condition.
System requirements are derived from this, for example:
The system must ...
When specifying safety goals, manufacturers should also consider the reaction time it takes for a user to avoid patient harm.
Multi-channel architectures provide a way to detect and minimize risks from the failure and malfunction of parts and components.
Here, components of one channel monitor the components of the other channel (e.g., their sensors and actuators) and react when they fail or malfunction. Options for response include:
Dual-channel architectures are characterized by redundant components in the chain of sensor, logic and actuator.
In multi-channel architectures, a distinction is made between homogeneous and diverse architectures. In a homogeneous architecture, the two channels consist of identical components. Homogeneous redundancy can control random (statistical) faults in particular, such as component failure due to aging.
In the case of systematic faults, for example, design errors or software bugs, diverse architectures are required because otherwise the fault would be duplicated in both channels. Diversity, especially in programmable systems (which contain software), can refer to:
It is a mistake to believe that two- or multi-channel architectures are necessarily better than single-channel architectures. Two channels can even make a system less safe: the more components are installed in a system, the higher the probability that one of them will fail.
So what happens when two corresponding components send conflicting signals? If, for example, one sensor claims that there is air in the hose of an infusion pump, and the other claims the opposite? Who is right?
If such a disagreement causes the device to shut down more frequently, this can increase the risk to patients. Manufacturers must weigh availability against safety in these cases.
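To make the availability-versus-safety trade-off concrete, here is an added example (not code from the article or from any real pump) of the decision logic for a dual-channel air-in-line detector. Two independent channels each report whether they detect air; the monitor votes 1-out-of-2 in the safe direction (either channel reporting air stops the pump) and treats a disagreement that persists for more than an assumed number of cycles as a detected fault that latches the safe state and raises an alarm. The channel names, the `disagree_limit` value and all readings are constructed for illustration; in a real device the limit would come from the reaction-time analysis.

```python
"""Dual-channel air-in-line detection logic for an infusion pump (illustrative).

Two independent channels (A and B) each report whether they detect air in the
infusion line. The monitor votes 1oo2 ("one out of two") in the safe direction
and escalates persistent disagreement between the channels to a latched fault.
All readings below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Action(Enum):
    RUN = "run"                # both channels report no air: keep infusing
    STOP_AIR = "stop_air"      # at least one channel reports air: stop the pump
    STOP_FAULT = "stop_fault"  # channel failure or persistent disagreement: safe state + alarm


@dataclass(frozen=True)
class Reading:
    air: bool    # channel reports air in the line
    valid: bool  # channel passed its own plausibility check (e.g. signal within range)


@dataclass
class DualChannelMonitor:
    # Consecutive cycles the channels may disagree before the disagreement itself
    # is declared a fault. Assumed value for illustration only.
    disagree_limit: int = 3
    disagree_cycles: int = 0
    latched_fault: bool = False

    def decide(self, a: Reading, b: Reading) -> Action:
        # A latched fault stays until service clears it: the device is taken out
        # of service rather than silently resuming.
        if self.latched_fault:
            return Action.STOP_FAULT
        # A channel failing its own plausibility check is a detected single fault.
        if not (a.valid and b.valid):
            self.latched_fault = True
            return Action.STOP_FAULT
        if a.air != b.air:
            self.disagree_cycles += 1
            if self.disagree_cycles >= self.disagree_limit:
                self.latched_fault = True
                return Action.STOP_FAULT
            # 1oo2 vote: while the disagreement is still tolerated, the channel
            # reporting air wins (safe direction, at the cost of availability).
            return Action.STOP_AIR
        self.disagree_cycles = 0
        return Action.STOP_AIR if a.air else Action.RUN


def run_trace(trace: Iterable[Tuple[Reading, Reading]], disagree_limit: int = 3) -> List[Action]:
    """Feed a sequence of (reading_a, reading_b) pairs through a fresh monitor."""
    mon = DualChannelMonitor(disagree_limit=disagree_limit)
    return [mon.decide(a, b) for a, b in trace]


# Constructed readings used in the traces below.
OK = Reading(air=False, valid=True)
AIR = Reading(air=True, valid=True)
DEAD = Reading(air=False, valid=False)

if __name__ == "__main__":
    # Both channels agree on air: the pump stops.
    print(run_trace([(OK, OK), (AIR, AIR)]))
    # Channel B stuck at "air" for three cycles: two 1oo2 stops, then a latched fault.
    print(run_trace([(OK, AIR), (OK, AIR), (OK, AIR), (OK, OK)]))
    # Channel A fails its plausibility check: immediate fault.
    print(run_trace([(DEAD, OK)]))
```

The second trace shows the availability cost of the safe bias: a single channel stuck at "air" takes the pump out of service even though the other channel sees nothing, which is exactly the case in which a manufacturer must decide whether a stopped infusion or a missed air bubble is the greater risk for the intended use.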
A usually simpler option is a single-channel architecture that is monitored by a test function or a watchdog. The monitoring function can also be performed by a user, who then has to react correctly.
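As an added example of the single-channel-plus-watchdog pattern (not code from the article), the following simulates a control loop supervised by a windowed watchdog. The loop must service the watchdog within a time window: a kick that comes too late indicates a stalled or hung loop, one that comes too early indicates a runaway loop, and the independent timer also catches the case in which no kick ever arrives. Either condition latches a fault that forces the safe state. The window limits, the simulated millisecond clock and the kick times are assumptions for illustration; on real hardware the timer is an independent peripheral or IC that cannot be stopped by the software it supervises.

```python
"""Single-channel control loop supervised by a windowed watchdog (illustrative).

Time is a simulated monotonic clock in milliseconds so the example runs
deterministically offline. Window limits and kick schedules are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class WdState(Enum):
    OK = "ok"
    FAULT_LATE = "fault_late"    # kick missed: loop stalled or hung
    FAULT_EARLY = "fault_early"  # kick too early: loop running away


@dataclass
class WindowedWatchdog:
    min_interval_ms: int   # kicks closer together than this indicate a runaway loop
    max_interval_ms: int   # kicks further apart than this indicate a stall
    last_kick_ms: int = 0
    state: WdState = WdState.OK

    def kick(self, now_ms: int) -> WdState:
        """Called by the supervised control loop once per cycle."""
        if self.state is not WdState.OK:
            return self.state  # a watchdog fault is latched until service resets it
        gap = now_ms - self.last_kick_ms
        if gap < self.min_interval_ms:
            self.state = WdState.FAULT_EARLY
        elif gap > self.max_interval_ms:
            self.state = WdState.FAULT_LATE
        self.last_kick_ms = now_ms
        return self.state

    def poll(self, now_ms: int) -> WdState:
        """Called by the independent timer: detects a stall even if no kick ever comes."""
        if self.state is WdState.OK and now_ms - self.last_kick_ms > self.max_interval_ms:
            self.state = WdState.FAULT_LATE
        return self.state


def supervise(kick_times_ms: List[int], horizon_ms: int, tick_ms: int = 10,
              min_interval_ms: int = 50, max_interval_ms: int = 200) -> Tuple[WdState, Optional[int]]:
    """Step the simulated clock from 0 to horizon_ms.

    The control loop kicks at the given times (multiples of tick_ms); the timer
    polls every tick. Returns the final watchdog state and the time at which the
    first fault was detected, or None if the loop stayed healthy.
    """
    wd = WindowedWatchdog(min_interval_ms, max_interval_ms)
    kicks = set(kick_times_ms)
    for now in range(0, horizon_ms + 1, tick_ms):
        if now in kicks:
            wd.kick(now)
        if wd.poll(now) is not WdState.OK:
            return wd.state, now  # safe state is entered here
    return wd.state, None


if __name__ == "__main__":
    # Healthy loop: one kick every 100 ms inside the [50, 200] ms window.
    print(supervise(list(range(100, 1001, 100)), 1000))
    # Loop hangs after 300 ms: the timer detects the missed kick at 510 ms.
    print(supervise([100, 200, 300], 1000))
    # Runaway loop: the second kick comes 20 ms after the first.
    print(supervise([100, 120], 1000))
    # Loop never starts: detected by the timer alone at 210 ms.
    print(supervise([], 1000))
```

The detection latency (210 ms after the last kick in this configuration) is the figure that has to be checked against the reaction time discussed above: the safe state must be reached before the missing control function can harm the patient.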
Johner Institute experts help medical device manufacturers and their service providers,
Contact us right away, e.g., here via our website. This way, we can ensure that you will get through the approval process quickly and without unnecessary costs with safe and high-performance devices and that you will be successful in the market.
Functional safety is freedom from unacceptable risks that would result from a device malfunction, especially in the protective system. In the case of medical devices, functional safety is spoken of almost exclusively in the context of medical electrical equipment and IVD devices.
Manufacturers achieve functional safety during the system design of the devices (e.g., through multi-channel architectures). Technical experts and risk managers must work hand in hand to achieve this.
It is usually very costly, and often impossible, to eliminate errors that were introduced during the design phase. Such errors threaten device compliance and patient safety.
Therefore, manufacturers need the appropriate time and competencies to develop functionally safe devices.