How do you ensure that medical devices are functionally safe?

Author : Jean-Louis Evans, TÜV SÜD Product Service

03 November 2016

Ensuring the functional safety of medical devices is critically important for designers and manufacturers as these devices can impact the health and wellbeing of the operators that use them and patients that rely on them.

(Click here to view article in digital issue)

Functional safety is therefore part of the overall safety of a system or piece of equipment, and uses a systemic approach to identify potentially dangerous conditions or events that might result in an accident that causes harm to the persons interacting with the device. 

Effective functional safety of electric and electronic medical devices and systems means that they have built-in safety mechanisms that activate to reduce potential risks to a tolerable level, thereby enabling corrective or preventive actions to avoid or reduce the impact of an accident.

By undertaking risk analysis and manufacturing medical devices that are functionally safe, a manufacturer will benefit from increased market acceptance and positive brand associations. Failure to ensure functional safety can have dire consequences for end-users and the corporate reputation of the business selling faulty goods.

How to assess functional safety

While there is no functional safety standard specific to medical devices, the Medical Electrical Equipment Standard (IEC 60601-1) states “The devices must be designed in such a way that… they will not compromise the … safety of patients…” and “The solutions adopted by the manufacturer for the design and construction of the devices must conform to safety principles, taking account of the generally acknowledged state of the art.” 

Traditional safety assessment focuses on potential hazards from electrical, mechanical or other aspects of a design occurring during usage. Functional safety is an additional step focussing on the reliability of the product to function correctly and safely in response to its inputs. It therefore provides assurance that safety-related systems in the device minimise the severity and probability of harm in the event of malfunction.

The general goal of functional safety is to avoid a hazard caused by the malfunction of the device. This applies to all of the components that contribute to the performance of a safety function, such as sensors, drive elements, control electronics and contactors. A safety related control function is one of the measures that makes a contribution to the overall reduction of risk with medical devices, but a single control function is not always adequate.

Functional safety principles are therefore used to:

• Control random hardware failures during operation
• Control systematic failures during operation

Taking a Functional Safety approach also avoids system faults during design, development and manufacturing. Hence a detailed risk management File (RMF) must be kept to not only demonstrate compliance, but to complement a strong design process to minimise product development delays.

Functional Safety reduces the risk of failure during malfunction, and for medical devices IEC 61508 ‘Functional safety of electrical/electronic/programmable electronic safety-related systems’ is therefore the standard that should be followed, which is applicable to all types of industry. 

The Standard defines functional safety as: “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.”

IEC 61508 teaches us the following:

• Zero risk can never be reached
• Safety must be considered from the beginning
• Non-tolerable risks must be reduced 

The standard has seven parts. Parts 1-3 contain the requirements of the standard (normative), while Parts 4-7 are guidelines and examples for development (informative).

Specific steps must be carried out by manufacturers to ensure the absence of unacceptable risk due to hazards caused by the mal-functional behaviour of their products and systems. The Standard therefore states that: “The EUC (equipment under control) risks must therefore be evaluated, or estimated, for each determined hazardous event.”

In selecting the most appropriate solutions, the manufacturer must apply the following principles in the following order:

• Eliminate or reduce risks as far as possible (inherently safe design and construction).
• Where appropriate, take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated.
• Inform users of the residual risks due to any shortcomings of the protection measures adopted.

The standard advises that: “Either qualitative or quantitative hazard and risk analysis techniques may be used” and offers guidance on a number of approaches. A good example is an infusion pump, where functional safety would consider potential hazards related to this function, such as:

• Wrong flow rate.
• Wrong volume infused.
• Too many bolus (Patient Control Analgesia).
• Reverse flow direction.
• Unintended start or stop of infusion.
• Build-up of excessive pressure.
• Air infusion (Normal Condition).

Once both the hazards and the safety functions, which must be put in place to mitigate them, have been identified, an assessment of the risk-reduction required by the safety function must be completed. This will reveal a Safety Integrity Level (SIL) or Performance Level (PL) of the safety-related control and the final system. The identified SIL number has a corresponding requirement in the Standard, which details how the development process should be set up to achieve that SIL. Part 2 and 3 of IEC 61508 give guidance on activities to perform in order to attain a SIL in conjunction with Part 5.

It must then be ensured that the safety function performs as intended, also allowing for incorrect operator use. This will involve having the design and lifecycle managed by qualified engineers carrying out processes to IEC 61508. 

The next step is verification that the system meets the assigned SIL or PL by determining the Mean Time Between Failures and the Safe Failure Fraction (SFF). In other words, assessing the probability of the system failing in a safe state.

Finding fault

Clause 4.7of the Medical Electrical Equipment Standard (IEC 60601-1) states that: “Equipment shall be so designed and manufactured that it remains single fault safe, or the risk remains acceptable through Risk Management Process.”

Failures can be either systematic, which are built-in design flaws, or random. For example, systematic failure in hardware can include:

• Error in PCB layout.
• Components used out of specification.
• Environmental conditions not met.
• Error in instructions for use i.e. wrong component specifications.

While failures should be avoided, IEC 60601-1 states that the combination of two independent failures are acceptable if they are not life threatening. If life threatening, systematic failures must be avoided, or at the very least have a control mechanism in place to mitigate that hazard when it occurs.

However, despite correct design and production methods, random failures do happen. Examples of these include the short circuit of electronic components, stuck relay contacts and sensor failures. It is important that these are controlled while the device is operating, using design measures such as redundancy, diversity and/or self-tests. Redundancy controls use the same method twice and protect only from random hardware failures. Diversity controls use two different methods with the same functionality, additionally partly protecting from systematic failures.

Medical device designers and manufacturers must pay attention to the concept of functional safety and identify the individual safety functions of a product. This means that you are understanding the concept of ‘functions’ and can break them down – vital skills to help comply with regulations and standards. 

Contact Details and Archive...

Print this page | E-mail this page