IEC 60601-1 Single fault conditions of electronic PCB components


MDDPeter

Hi All,

We are embarking on a new design and we were wondering to what degree single fault conditions on electronic PCB components must be considered in the design. All PCB mounted components are likely to be surface mounted.
In particular we are referring to the circuits that might be patient contacting where the 10uA current limit applies with a 50uA limit under single fault conditions.

For a Class II medical device, battery powered, non-mains connected, non-earth connected and fully enclosed in a plastic enclosure (with the exception of patient contacts), what do people regard as being adequate single fault risk analysis (ISO 14971 also ties into this)?

Two-lead passive components (caps and resistors)
For example, if a patient contacting probe is supplied by a 3V DC battery and current limited through two resistors before returning to 0V. One resistor is 10K, the second 330K. Would a single fault short circuit in one of the resistors need to be considered as a potential fault? Note that if the 330K resistor fails short, the current might exceed the 10uA limit. The likelihood of a surface mount resistor going short circuit in electronics is extremely low.

Simple semi-conductors (e.g. MOSFETs)
Similar to the above, if you introduce a MOSFET to switch the current on and off. Would you consider a MOSFET going short circuit as a potential single fault? Again, MOSFETs are very reliable components if they are operated within their bounds.


Integrated circuits (e.g. logic gates and MUXs)
Again, based on the above, if you include some type of multiplexer or other IC, would you consider this device failing as a short circuit to 0V as a failure mode? If it were to go short, there is a risk that the 330K resistor might be shorted and thus current higher than 10uA might flow.

Programmable code executing semi-conductors (e.g. micro-controllers)
If we now tie the input to an analogue input on a micro-controller, there is a risk of failure whereby the micro fails creating a short to ground, again bypassing the 330K resistor. Would that be a single failure mode that would need to be mitigated against?

The IEC 60601-1 standard and ISO 14971 risk analysis standard are a little vague on this and allow for "expert opinion".


I guess part of the question is, where do you stop with your single fault risk analysis?
 

Peter Selvey

Big subject, but useful for everyone.

There is a fundamental problem in the use of the single fault condition (SFC). It served us well for 50 years or so, but it needs to give way to a broader concept of simply providing protection against potential hazards.

The problems with the SFC are:
(1) if applied strictly, it implies an endless FMEA analysis, not only considering thousands of possible fault conditions, but each of these needs to be considered under a range of operating conditions, settings etc, possible multiple faults etc etc, reaching millions of combinations;

(2) it often tricks designers into focusing on fault conditions rather than well designed protection;

(3) it ignores other events such as user mistakes, clinical events, the environment which also require protection systems. With the standard expanding into performance and clinical issues, these events are often more important than component faults because they occur at higher frequency, yet fault conditions get more air time;

(4) it fails to capture an assessment of the reliability of the protection system as being appropriate, taking into account the probability of the triggering event (fault, user error, etc) and the severity of the potential harm.

Following ISO 14971, the focus should simply be on designing effective protection against identified hazards. If the protection is reasonably independent, simple, reliable, it should obviously mitigate the risk irrespective of the triggering events. Single fault conditions may form part of the verification tests, but they should not be the driver for the original analysis and design of the risk control.

In the particular case in hand, we have an identified risk from patient auxiliary current, with a limit of 10uA in normal condition and 50uA dc in abnormal condition.

Rather than focusing on faults, the designer should ask, what component(s) or feature provide protection? You could intentionally split the 330k resistor into two 160k resistors, such that failure of either one ensures the 50uA cannot be exceeded (kind of double insulation).

Or, you could reasonably argue that a 1608 SMD 330k resistor is being used so far below its ratings that it will never short, and then write it up as a high integrity component (equivalent to reinforced insulation).

Either way, there should be a specific part which is identified as providing the "protection".

Once that is in place, you don't need to worry about MOSFETs shorting, logic circuits or software failures. You might select to short the MOSFET as a worst case verification test, or write some special software that turns it on continuously. Or you could just do it by inspection: 3V / 160k = 18uA --> Pass. All of these are valid methods for verification of a risk control.

So you can see, the single fault condition is really just one of the options you can use in verification, and that's where it should be relegated to.
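The resistor-split argument above can be checked mechanically. The following is an added example, not code from either poster: it takes the thread's own values (3 V supply, 10k + 330k in the original question, 10k + 160k + 160k as the suggested split), shorts each series resistor in turn as one single fault condition, and compares the resulting patient auxiliary current with the 10 uA normal and 50 uA single fault limits quoted in the thread. Limits, names and the "short to zero ohms" fault model are the example's own assumptions.

```python
# Added example (not from the thread): single-fault enumeration of a series
# current-limiting chain feeding a patient-contacting probe, checked against
# the IEC 60601-1 patient auxiliary current limits quoted in the discussion.
# Fault model assumed here: exactly one resistor fails to a dead short (0 ohm).

NORMAL_LIMIT_UA = 10.0   # normal condition limit quoted in the thread
SFC_LIMIT_UA = 50.0      # single fault condition limit quoted in the thread


def current_ua(v_supply, resistors_ohm):
    """Worst-case DC current through a series chain, in microamps.
    A chain whose total resistance collapses to zero is reported as infinite."""
    total = sum(resistors_ohm)
    if total <= 0:
        return float("inf")
    return v_supply / total * 1e6


def single_fault_analysis(v_supply, resistors_ohm):
    """Return (normal_current_ua, [(faulted_index, current_ua_after_short), ...]).
    Each entry models one resistor failing short circuit, i.e. one SFC."""
    normal = current_ua(v_supply, resistors_ohm)
    faults = []
    for i in range(len(resistors_ohm)):
        faulted = list(resistors_ohm)
        faulted[i] = 0.0  # short-circuit fault on resistor i
        faults.append((i, current_ua(v_supply, faulted)))
    return normal, faults


def passes_limits(v_supply, resistors_ohm):
    """True if normal current is within 10 uA and every single short is within 50 uA."""
    normal, faults = single_fault_analysis(v_supply, resistors_ohm)
    return normal <= NORMAL_LIMIT_UA and all(i_f <= SFC_LIMIT_UA for _, i_f in faults)


if __name__ == "__main__":
    # Constructed cases using the thread's values: original chain and the split chain.
    for name, chain in [("10k + 330k", [10e3, 330e3]),
                        ("10k + 160k + 160k", [10e3, 160e3, 160e3])]:
        normal, faults = single_fault_analysis(3.0, chain)
        print(f"{name}: normal {normal:.1f} uA")
        for i, i_f in faults:
            print(f"  R{i + 1} shorted -> {i_f:.1f} uA")
        print("  PASS" if passes_limits(3.0, chain) else "  FAIL")
```

Shorting the 330k in the original chain leaves only the 10k, giving 300 uA and a clear fail, whereas shorting either 160k in the split chain gives about 17.6 uA, matching the inspection figure in the post.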

MDDPeter

Thanks Peter. I interpret this as "...we must make the device inherently safe by design no matter what the SFC and thus reduce the risk to broadly acceptable".

Thanks,
Peter