Richard Poate highlights the importance of ensuring the functional safety of medical devices – a vital necessity for manufacturers

Ensuring the functional safety of medical devices is critically important for manufacturers as it provides assurance that safety-related systems in the device will minimise the severity and probability of harm to the end-user or patient if it should malfunction. This applies to all of the components that contribute to the performance of a safety function, such as sensors, drive elements, control electronics and contactors.

Effective functional safety of electrical and electronic medical devices and systems means that they have built-in safety mechanisms that activate to reduce potential risks to a tolerable level, thereby enabling corrective or preventive actions to avoid or reduce the impact of an accident. While a safety-related control function is one of the measures that contributes to the overall reduction of risk with medical devices, a single control function is not always adequate on its own.

By undertaking risk analysis and manufacturing medical devices that are functionally safe, a manufacturer will benefit from increased market acceptance and positive brand associations. Failure to ensure functional safety can have dire consequences for end-users and the corporate reputation of the business producing and selling faulty goods.

Taking a Functional Safety approach also helps avoid system faults being introduced during design, development and manufacturing. A detailed risk management file (RMF) must therefore be kept, not only to demonstrate compliance but to complement a strong design process and so minimise product development delays.

Because functional safety is about reducing the risk of harm when a malfunction occurs, the standard that should be followed for medical devices is IEC 61508, ‘Functional safety of electrical/electronic/programmable electronic safety-related systems’, a generic standard that is applicable to all types of industry.

Specific steps must be carried out by manufacturers to ensure the absence of unacceptable risk due to hazards caused by the malfunctioning behaviour of their products and systems. The Standard therefore states that: “The EUC (equipment under control) risks must therefore be evaluated, or estimated, for each determined hazardous event.”

In selecting the most appropriate solutions, the manufacturer must apply the following principles in the following order:

  • Eliminate or reduce risks as far as possible (inherently safe design and construction).
  • Where appropriate take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated.
  • Inform users of the residual risks due to any shortcomings of the protection measures adopted.

The standard advises that: “Either qualitative or quantitative hazard and risk analysis techniques may be used”, and offers guidance on a number of approaches.

Once both the hazards and the safety functions that must be put in place to mitigate them have been identified, an assessment of the risk reduction required from each safety function must be completed. This yields a Safety Integrity Level (SIL) (or, under ISO 13849-1, a Performance Level (PL)) for the safety-related control and for the final system. Each SIL has a corresponding set of requirements in the Standard, which detail how the development process must be set up to achieve that SIL. Parts 2 (hardware) and 3 (software) of IEC 61508 set out the activities to perform in order to attain a SIL, and Part 5 gives example methods for determining it.

It must then be ensured that the safety function performs as intended, including under foreseeable misuse by the operator. This involves having the design and lifecycle managed by qualified engineers following the processes of IEC 61508.

The next step is to verify that the system meets the assigned SIL or PL by quantifying its hardware failure behaviour: the Mean Time Between Failures (MTBF), from which the failure rates are derived, and the Safe Failure Fraction (SFF). In other words, establishing how likely the system is to fail dangerously, and what proportion of its failures are either safe or detected by its own diagnostics.

Clause 4.7 of the Medical Electrical Equipment Standard (IEC 60601-1) states that: “Equipment shall be so designed and manufactured that it remains single fault safe, or the risk remains acceptable through the Risk Management Process.”

While failures should be avoided, IEC 60601-1 treats the combination of two independent failures as acceptable if it is not life threatening. Where it would be life threatening, systematic failures must be avoided or, at the very least, a control mechanism must be in place to mitigate the hazard when it occurs.

However, despite correct design and production methods, random failures do happen. Examples include the short circuit of electronic components, stuck relay contacts and sensor failures. It is important that these are controlled while the device is operating, using design measures such as redundancy, diversity and/or self-tests. Redundancy controls use the same method twice and protect only against random hardware failures, since both channels share any systematic (design) fault. Diversity controls use two different methods with the same functionality, which additionally gives partial protection against systematic failures.
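As an added worked example (not code from the article or from TÜV SÜD), the following Python carries the verification step described above through for one constructed safety function, and shows why redundancy alone buys less than it seems. It derives MTBF and SFF from failure rates split into the four IEC 61508 categories, computes the average probability of failure on demand (PFDavg) for a single channel and for a redundant 1oo2 pair using the simplified low-demand formulas of IEC 61508-6 Annex B (repair time ignored), and caps the claimable SIL with the architectural constraints of IEC 61508-2. The failure rates, proof-test interval and common-cause factor beta are assumed values chosen for illustration, not data from any real device.

```python
"""Worked hardware-integrity arithmetic for one safety function.

Added illustration; not from the article or from TÜV SÜD. Assumes low-demand
mode, constant failure rates in FIT (failures per 1e9 hours), a proof-test
interval T1 in hours and the simplified IEC 61508-6 Annex B formulas that
ignore repair time. All numeric inputs below are constructed.
"""
from dataclasses import dataclass

FIT = 1e-9  # one FIT is one failure per 1e9 device-hours


@dataclass(frozen=True)
class FailureRates:
    """Failure rates per hour in the four IEC 61508 categories:
    safe/dangerous, detected/undetected by on-line diagnostics."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

    @property
    def mtbf_hours(self) -> float:
        """With a constant failure rate, MTBF = 1 / lambda_total."""
        return 1.0 / self.total


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / lambda_total (IEC 61508-2 Annex C):
    only dangerous failures that diagnostics miss count against the unit."""
    return (r.safe_detected + r.safe_undetected + r.dangerous_detected) / r.total


def pfd_1oo1(r: FailureRates, t1_hours: float) -> float:
    """PFDavg of a single channel: lambda_DU * T1 / 2, since an undetected
    dangerous fault lies dormant for half the proof-test interval on average."""
    return r.dangerous_undetected * t1_hours / 2.0


def pfd_1oo2(r: FailureRates, t1_hours: float, beta: float) -> float:
    """Two redundant channels, either of which can reach the safe state (1oo2).
    The independent term (1-beta)^2 * lambda_DU^2 * T1^2 / 3 shrinks
    quadratically, but the common-cause term beta * lambda_DU * T1 / 2 does
    not: redundancy only helps against failures that are independent. Diverse
    channels justify a smaller beta than two copies of the same design."""
    ldu = r.dangerous_undetected
    independent = (1.0 - beta) ** 2 * ldu ** 2 * t1_hours ** 2 / 3.0
    common_cause = beta * ldu * t1_hours / 2.0
    return independent + common_cause


# Low-demand SIL bands, IEC 61508-1 Table 2: (SIL, PFDavg lower, PFDavg upper).
_SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd: float) -> int:
    """Map PFDavg to its SIL band; 0 if PFDavg >= 0.1 (no claim possible).
    Table 2 stops at 1e-5; a lower value still supports a SIL 4 claim."""
    if pfd < 1e-5:
        return 4
    for sil, lower, upper in _SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return 0


# Architectural constraints, IEC 61508-2 Tables 2 (type A: simple, fully
# characterised parts such as relays) and 3 (type B: complex parts such as
# microcontrollers). Rows: SFF < 60%, 60-90%, 90-99%, >= 99%; columns: HFT 0, 1, 2.
_ARCH_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
_ARCH_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def architectural_sil(sff: float, hft: int, type_b: bool) -> int:
    """Highest SIL the hardware architecture allows regardless of PFDavg;
    0 means the architecture may not be used for a safety function at all."""
    row = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return (_ARCH_TYPE_B if type_b else _ARCH_TYPE_A)[row][hft]


def claimable_sil(pfd: float, sff: float, hft: int, type_b: bool) -> int:
    """The SIL you may claim is the lower of the PFDavg band and the
    architectural constraint; a good PFDavg alone is not enough."""
    return min(sil_from_pfd(pfd), architectural_sil(sff, hft, type_b))


# Constructed rates for one channel of a type B control-electronics unit.
EXAMPLE = FailureRates(safe_detected=250 * FIT, safe_undetected=100 * FIT,
                       dangerous_detected=120 * FIT, dangerous_undetected=30 * FIT)
T1_HOURS = 8760.0  # assumed annual proof test
BETA = 0.10        # assumed (pessimistic) common-cause factor for two identical channels


def assess(r: FailureRates = EXAMPLE, t1: float = T1_HOURS, beta: float = BETA) -> dict:
    """Compare a single channel (HFT 0) with a 1oo2 pair of the same design (HFT 1)."""
    sff = safe_failure_fraction(r)
    p1, p2 = pfd_1oo1(r, t1), pfd_1oo2(r, t1, beta)
    return {"mtbf_hours": r.mtbf_hours, "sff": sff,
            "pfd_1oo1": p1, "sil_1oo1": claimable_sil(p1, sff, hft=0, type_b=True),
            "pfd_1oo2": p2, "sil_1oo2": claimable_sil(p2, sff, hft=1, type_b=True)}


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key:>10}: {value:.4g}")
```

Run as a script, the constructed channel comes out at SFF 94% and an MTBF of about 2 million hours; the single channel sits in the SIL 3 PFDavg band but the type B architecture with no fault tolerance caps the claim at SIL 2. Doubling the channel cuts PFDavg by roughly an order of magnitude, yet the claim rises only to SIL 3, because the common-cause term dominates the 1oo2 result and the architectural constraint still applies. That is the quantitative reason behind the article's point that diversity, which lowers beta, protects where mere redundancy does not.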

Ensuring the functional safety of medical devices is critically important for manufacturers seeking to comply with regulations and standards. It is therefore essential that the individual safety functions of a product are identified and broken down into their constituent parts, because that is what demonstrates a real understanding of what each ‘function’ is and allows its compliance to be shown. This is a vital skill for assuring compliance and for keeping your brand integrity intact as a manufacturer of medical devices.

Richard Poate
Richard Poate is Senior Manager at TÜV SÜD Product Service, a global product testing and certification organisation, and at its sister company TÜV SÜD BABT, the world’s leading radio and telecommunications certification body. TÜV SÜD Product Service analyses over 20,000 products each year in Europe, Asia-Pacific and the Americas, ensuring that products are safe, reliable and compliant, and minimising liability risks for manufacturers, importers and retailers. TÜV SÜD BABT is a Notified Body under the European Union’s Marine Equipment, Radio Equipment and Machinery Directives.