Re: IEC 60601-1 Single fault conditions of electronic PCB components
Big subject, but useful for everyone.
There is a fundamental problem in the use of the single fault condition (SFC). It served us well for 50 years or so, but it needs to give way to a broader concept of simply providing protection against potential hazards.
The problems with the SFC are:
(1) if applied strictly, it implies an endless FMEA analysis, not only considering thousands of possible fault conditions, but each of these need to be considered under a range of operating conditions, settings etc, possible multiple faults etc etc, reaching millions of combinations;
(2) it often tricks designers into focusing on fault conditions rather than well designed protection;
(3) it ignores other events such as user mistakes, clinical events, and the environment, which also require protection systems. With the standard expanding into performance and clinical issues, these events are often more important than component faults because they occur at higher frequency, yet fault conditions get more air time;
(4) it fails to capture an assessment of the reliability of the protection system as being appropriate, taking into account the probability of the triggering event (fault, user error, etc) and the severity of the potential harm.
Following ISO 14971, the focus should simply be on designing effective protection against identified hazards. If the protection is reasonably independent, simple, and reliable, it should obviously mitigate the risk irrespective of the triggering events. Single fault conditions may form part of the verification tests, but they should not be the driver for the original analysis and design of the risk control.
In the particular case in hand, we have an identified risk from patient auxiliary current, with a limit of 10uA in normal condition and 50uAdc in abnormal condition.
Rather than focusing on faults, the designer should ask: what component(s) or feature provide protection? You could intentionally split the 330k resistor into two 160k resistors, such that failure of either one ensures the 50uA cannot be exceeded (kind of double insulation).
Or, you could reasonably argue that a 1608 SMD 330k resistor is being used so far below its ratings that it will never short, and then write it up as a high integrity component (equivalent to reinforced insulation).
Either way, there should be a specific part which is identified as providing the "protection".
Once that is in place, you don't need to worry about MOSFETs shorting, logic circuits or software failures. You might select to short the MOSFET as a worst case verification test, or write some special software that turns it on continuously. Or you could just do it by inspection: 3V / 160k = 18uA --> Pass. All of these are valid methods for verification of a risk control.
So you can see, the single fault condition is really just one of the options you can use in verification, and that's where it should be relegated to.
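One way to carry out the "by inspection" verification of the split-resistor risk control described above, written as an added example that is not part of the original post: it assumes a 3 V source and the resistor values quoted there, treats each resistor shorted in turn as the single fault condition, and lets a resistor be declared high integrity so it is excluded from the fault enumeration.

```python
"""Verification of a series-resistor patient auxiliary current limit
under normal and single fault conditions (constructed example)."""

NORMAL_LIMIT_A = 10e-6   # 10 uA limit in normal condition (from the post)
SFC_LIMIT_A = 50e-6      # 50 uA dc limit in single fault condition (from the post)


def leakage_current(voltage_v, series_ohms):
    """Worst-case dc current through the series protective resistors.
    A shorted resistor contributes 0 ohms; if every resistor is shorted
    the current is no longer limited, represented as float('inf')."""
    total = sum(series_ohms)
    return float("inf") if total == 0 else voltage_v / total


def evaluate(voltage_v, resistors, high_integrity=()):
    """Check the protection scheme against both limits.

    resistors      - list of series resistor values in ohms
    high_integrity - indices of resistors declared high integrity
                     (assumed never to short, so not faulted here)
    Returns the normal-condition current, the worst current over all
    single faults (each non-high-integrity resistor shorted in turn),
    and a pass/fail flag for each limit."""
    normal = leakage_current(voltage_v, resistors)
    worst = normal
    for i in range(len(resistors)):
        if i in high_integrity:
            continue
        faulted = list(resistors)
        faulted[i] = 0.0          # single fault: this resistor shorted
        worst = max(worst, leakage_current(voltage_v, faulted))
    return {
        "normal_A": normal,
        "sfc_worst_A": worst,
        "normal_pass": normal <= NORMAL_LIMIT_A,
        "sfc_pass": worst <= SFC_LIMIT_A,
    }


if __name__ == "__main__":
    # Split design from the post: two 160k in series, either one may short
    print(evaluate(3.0, [160e3, 160e3]))
    # Single 330k: fails SFC unless written up as a high integrity component
    print(evaluate(3.0, [330e3]))
    print(evaluate(3.0, [330e3], high_integrity={0}))
```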