Disabling measurement data during fault conditions

[mwaller]

Hello -
My company is developing a product to comply IEC 60601-2-34 (Invasive Blood Pressure Monitoring Equipment) This standard identifies "accuracy of pressure measurements" as essential performance.
Our risk analysis identifies a number of detectable component failures that may cause measurements to be be inaccurate (outside of the tolerance allowed by the standard). In these circumstance, the operator would be alerted via a technical alarm / warning message. Our team is trying to determine whether it is also necessary to completely disable the measurement function so potentially inaccurate data *cannot* be displayed.
Thoughts on what the standard intends?
Thanks!

 

[Peter Selvey]

In general it's not expected that patient monitoring equipment can detect and react to all possible faults, even if the parameter is critical (Class IIb in Europe). The only way to do this reliably would be to duplicate the circuits (including the sensor) and compare the outputs. At this time that level of risk control is not state of the art. Exactly why this is OK might take a bit of deeper analysis and likely to be a mix of costs, reliability, practicality, physical size, risk of false alarms, physician using multiple diagnostic sources (not just one parameter), the use in both critical and non-critical patients (so would be a waste of effort in many cases) and could just be historical. Anyway, not expected

The standard does require that some faults are detected (208.6.6.2.102). These are quite specific (open/short of sensor wires) and should be easy to detect. Most manufacturers would also go further with some level of diagnostics for the measurement circuits, for example checking ADC function using a spare channel connected to an independent reference voltage. However, self diagnostics are rarely comprehensive so care needs to be taken in claiming that all faults can be detected.

Essential performance under normal condition should have a blanket statement that under "all normal conditions" the equipment is accurate within specification, but there may be qualifications or exceptions e.g. assumption that the user has zeroed the sensor correctly and periodically, the sensor is not moved up or down, T-joints are not closed (these being possible in normal condition, but not practical for the IBP manufacturer to detect).

Essential performance under abnormal/SFC condition should be the reverse, i.e. the blanket statement should say that there is no reliable performance except that specific conditions can be detected, and then list each condition and the reaction to each condition. The reaction can be different depending on the type of fault and situation, e.g. if it's clear that the sensor is useless, then normally blank the display and indicate a technical alarm, the priority depending on the physiological alarms associated with the function. If the sensor is out of spec but still useful (e.g. some drift detected say not more than ±10mmHg), maybe a technical alarm ("check sensor") but keep the display and physiological alarms active. Case by case.

As mentioned, the standard does have some specific requirements so these need to be followed. But apart from that, common sense can be used.

 

[mwaller]

In general it's not expected that patient monitoring equipment can detect and react to all possible faults, even if the parameter is critical (Class IIb in Europe). The only way to do this reliably would be to duplicate the circuits (including the sensor) and compare the outputs. At this time that level of risk control is not state of the art. Exactly why this is OK might take a bit of deeper analysis and likely to be a mix of costs, reliability, practicality, physical size, risk of false alarms, physician using multiple diagnostic sources (not just one parameter), the use in both critical and non-critical patients (so would be a waste of effort in many cases) and could just be historical. Anyway, not expected

The standard does require that some faults are detected (208.6.6.2.102). These are quite specific (open/short of sensor wires) and should be easy to detect. Most manufacturers would also go further with some level of diagnostics for the measurement circuits, for example checking ADC function using a spare channel connected to an independent reference voltage. However, self diagnostics are rarely comprehensive so care needs to be taken in claiming that all faults can be detected.

Essential performance under normal condition should have a blanket statement that under "all normal conditions" the equipment is accurate within specification, but there may be qualifications or exceptions e.g. assumption that the user has zeroed the sensor correctly and periodically, the sensor is not moved up or down, T-joints are not closed (these being possible in normal condition, but not practical for the IBP manufacturer to detect).

Essential performance under abnormal/SFC condition should be the reverse, i.e. the blanket statement should say that there is no reliable performance except that specific conditions can be detected, and then list each condition and the reaction to each condition. The reaction can be different depending on the type of fault and situation, e.g. if it's clear that the sensor is useless, then normally blank the display and indicate a technical alarm, the priority depending on the physiological alarms associated with the function. If the sensor is out of spec but still useful (e.g. some drift detected say not more than ±10mmHg), maybe a technical alarm ("check sensor") but keep the display and physiological alarms active. Case by case.

As mentioned, the standard does have some specific requirements so these need to be followed. But apart from that, common sense can be used.

Hi Peter -
Thanks very much for the detailed response! This is very much in line with the way I would approach it, but others expressed concern that an operator may become confused if the device displays a warning message but continues to display data. How do most patient monitors behave?
Thanks!

 

[Peter Selvey]

Yeah, I was thinking about that.

Approaching from an engineering discussion (thinking as I type):

In theory it's OK to have a wider tolerance for fault condition e.g. ±10mmHg if the normal condition limit is ±4mmHg. It might also be OK just to continue monitoring with any notification to the user, maybe just a log for service personnel.

But, something doesn't feel right.

The limit in the standard of ±4mmHg/±4% is fairly wide and much higher than modern electronics needs. This high tolerance is most likely there to cover the non-linearity of the sensor. The measurement circuit itself it typically stable within ±0.1mmHg. At that level, statistically, it's fairly unlikely to have a drift in the order of ±4mmHg. It's even rarer (impossible) to have a fault that neatly fits between ±4mmHg and ±10mmHg and is, most importantly, stable.

A measurement circuit with >10mmHg error is more likely to be suffering from unstable kind of breakdown. In that case, it's no longer reliable for monitoring and as such it should then trigger a normal technical alarm and kill the display.

So, on consideration, I would not display any data if the self diagnostics detects an error is >4mmHg. I use 4mmHg rather than 10mmHg since even 4mmHg suggests there is trouble with the measurement circuit, I would not wait until it hits 10mmHg to take action.

 

[yodon]

@Peter Selvey hit on some great points and I'd like to throw a little process on top of all that. Risk Management (14971) expects that the effects of controls are evaluated to determine if any new risks arise. I think this is an ideal opportunity to do that evaluation and document your conclusions. Further, the point about the operator possibly becoming confused just screams (to me, a process guy) that the situation should be evaluated in usability study (62366). Certainly, engineering should provide solutions but the users' comprehension will be critical.

 

[mwaller]

Thanks for the input! This will be helpful to the team!