Ensuring functional safety of medical devices
As digitalisation and automation progress, electrical, electronic or programmable electronic systems (E/E/PES) are used increasingly in the field of safety applications. Growing complexity and connectivity bring new requirements for the functional safety of systems, with previously separate applications growing closer together. Richard Poate, Medical Health Services Manager at TÜV SÜD, explains.
Functional safety has become a critically important issue across all areas of industry, from transportation, healthcare and medical devices to the design of power plants or amusement parks and rides. As a result, manufacturers and operators place top priority on the quality and safety of products in order to protect people, property and the environment against technology-related risk.
As new applications develop and become increasingly interconnected, the landscape of standardisation is changing, and medical devices are among the most heavily regulated products in the world, as faults can have serious consequences for patients and users. Consequently, ensuring the functional safety of medical devices is critically important for designers and manufacturers as it can impact the health and well-being of the operators that use them and patients that rely on them. Regulations and standards therefore lay down a number of requirements that can only be fulfilled by applying the principles and methods of functional safety.
Functional safety is part of the overall safety of a system or piece of equipment, and uses a systemic approach to identify potentially dangerous conditions or events that might result in an accident that causes harm to the persons interacting with the device. Effective functional safety of electrical and electronic medical devices and systems means that they have built-in safety mechanisms that activate to reduce potential risks to a tolerable level, thereby enabling corrective or preventive actions to avoid or reduce the impact of an accident.
By undertaking risk analysis and manufacturing medical devices that are functionally safe, a manufacturer will benefit from increased market acceptance and positive brand associations. Failure to ensure functional safety can have dire consequences for end users and the corporate reputation of the business selling faulty goods.
How to assess functional safety
While there is no functional safety standard specific to medical devices, the Medical Electrical Equipment Standard (IEC 60601-1) states that ‘The devices must be designed in such a way that,… they will not compromise the … safety of patients…’ and that ‘The solutions adopted by the manufacturer for the design and construction of the devices must conform to safety principles, taking account of the generally acknowledged state of the art.’
Particular safety standards, such as IEC 60601-2-24:2012 (infusion pumps), partially cover the aspect of functional safety and can be of good use, depending on the purpose of use and the complexity of the medical device.
Traditional safety assessments focus on potential hazards from electrical, mechanical or other aspects of a design occurring during usage. Functional safety is an additional step focussing on the reliability of the product to function correctly and safely in response to its inputs. It therefore provides assurance that safety related systems in the device minimise the severity and probability of harm in the event of malfunction.
The general goal of functional safety is to avoid hazards caused by malfunction of the device and to ensure that such malfunctions are detectable. This applies to all of the components that contribute to the performance of a safety function, such as sensors, drive elements, control electronics and contactors. A safety related control function is one of the measures that makes a contribution to the overall reduction of risk with medical devices, but a single control function is not always adequate.
Functional safety principles are therefore used to:
- Control random hardware failures during operation.
- Control systematic failures during operation.
- Avoid systematic failures during design, development and manufacturing.
Taking a functional safety approach also avoids system faults during design, development and manufacturing. Hence a detailed risk management file (RMF) must be kept to not only demonstrate compliance, but to complement a strong design process to minimise product development delays.
Functional safety reduces the risk of failure during malfunction, and for medical devices IEC 61508 ‘Functional safety of electrical/electronic/programmable electronic safety related systems’ is therefore the standard that should be followed, which is applicable to all types of industry.
The standard defines functional safety as: ‘part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety related systems, other technology safety related systems and external risk reduction facilities.’
IEC 61508 teaches us the following:
- Zero risk can never be reached.
- Safety must be considered from the beginning.
- Non-tolerable risks must be reduced.
The standard has seven parts. Parts 1-3 contain the requirements of the standard (normative), while Parts 4-7 are guidelines and examples for development (informative).
Specific steps must be carried out by manufacturers to ensure the absence of unacceptable risk due to hazards caused by the malfunctioning behaviour of their products and systems. The Standard therefore states that: ‘The EUC (equipment under control) risks must therefore be evaluated, or estimated, for each determined hazardous event.’
In selecting the most appropriate solutions, the manufacturer must apply the following principles in the following order:
- Eliminate or reduce risks as far as possible (inherently safe design and construction).
- Where appropriate take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated.
- Inform users of the residual risks due to any shortcomings of the protection measures adopted.
The standard advises that: ‘Either qualitative or quantitative hazard and risk analysis techniques may be used’ and offers guidance on a number of approaches. A good example is an infusion pump, where functional safety would consider potential hazards related to this function, such as:
- Wrong flow rate.
- Wrong volume infused.
- Too many boluses (patient-controlled analgesia).
- Reverse flow direction.
- Unintended start or stop of infusion.
- Build-up of excessive pressure.
- Air infusion (normal condition).
Once both the hazards and the safety functions, which must be put in place to mitigate them, have been identified, an assessment of the risk reduction required by the safety function must be completed. This will reveal a Safety Integrity Level (SIL) or Performance Level (PL) of the safety related control and the final system. The identified SIL number has a corresponding requirement in the standard, which details how the development process should be set up to achieve that SIL. Parts 2 and 3 of IEC 61508 give guidance on activities to perform in order to attain a SIL, in conjunction with Part 5.
It must then be ensured that the safety function performs as intended, also allowing for incorrect operator use. This will involve having the design and lifecycle managed by qualified engineers carrying out processes to IEC 61508.
The next step is verification that the system meets the assigned SIL or PL by determining the Mean Time Between Failures (MTBF) and the Safe Failure Fraction (SFF). In other words, assessing the probability of the system failing in a safe state.
Finding fault
Clause 4.7 of the Medical Electrical Equipment Standard (IEC 60601-1) states that: ‘Equipment shall be so designed and manufactured that it remains single fault safe, or the risk remains acceptable through the risk management process.’
Failures can be either systematic, which are built-in design flaws, or random. For example, systematic failure in hardware can include:
- Error in PCB layout.
- Components used out of specification.
- Environmental conditions not met.
- Error in instructions for use, i.e. wrong component specifications.
While failures should be avoided, IEC 60601-1 states that the combination of two independent failures is acceptable if they are not life threatening. If life threatening, systematic failures must be avoided, or at the very least have a control mechanism in place to mitigate that hazard when it occurs.
However, despite correct design and production methods, random failures do happen. Examples of these include the short circuit of electronic components, stuck relay contacts and sensor failures. It is important that these are controlled while the device is operating, using design measures such as redundancy, diversity and/or self-tests. Redundancy controls use the same method twice and protect only from random hardware failures. Diversity controls use two different methods with the same functionality, additionally partly protecting from systematic failures.
Growing digitalisation and automation across all areas of life and industry not only increases the significance of functional safety, it also offers economic opportunities. Safe product design, early prevention of conformity related problems, fewer product recalls and shorter time to market are a few examples. Medical device designers and manufacturers can best use these opportunities by establishing a systematic process focus, including consideration of the entire system lifecycle. The increasing connectivity of systems, plus the growing possibilities of remote control, further require suitable approaches to protect systems against unauthorised access and safety relevant manipulation of the safety functions embedded in hardware and software.
Medical device designers and manufacturers must pay attention to the concept of functional safety and identify the individual safety functions of a product. This means understanding the concept of ‘functions’ and being able to break them down – vital skills to help comply with regulations and standards.