IEC 60601-1 - Essential performance doesn't make sense

david316

Involved In Discussions
Hello,

When determining essential performance, the guidance in 60601-1 is to assume with 100% certainty that a device's performance has degraded beyond some limit (determined by the manufacturer) which results in unacceptable risk. In reality if this was to happen, since a patient is getting treatment from said medical devices, there is a very high probability that this will result in harm due to loss of treatment. The manufacturer is then required to put risk controls in place to make the risk acceptable. A lot of the time this seems to default to adding alarms. What happens when a manufacturer assumes performance has degraded but cannot make the risk acceptable? For example, if one was to assume that a critical care ventilator fails with 100% probability, it's very difficult to imagine that adding alarms will make the risk acceptable. In reality there should be significant risk controls to prevent the ventilator from failing in the first place... especially if it is failing due to reliability problems or software bugs, etc. You can't say it's OK for a critical care ventilator to fail to deliver therapy as long as you have suitable alarms. This doesn't make sense to me. Have I misunderstood the concept of essential performance?

Thanks

Marcelo

Inactive Registered Visitor
When determining essential performance, the guidance in 60601-1 is to assume with 100% certainty that a device's performance has degraded beyond some limit (determined by the manufacturer) which results in unacceptable risk. In reality if this was to happen, since a patient is getting treatment from said medical devices, there is a very high probability that this will result in harm due to loss of treatment.

Yes, this is the idea, this is just a way to say that to determine the essential performance, you have to verify the performance which is related to unacceptable risk.

The manufacturer is then required to put risk controls in place to make the risk acceptable. A lot of the time this seems to default to adding alarms.

Not right. You need to evaluate the risk control options from the beginning (the first one is to have an inherently safe design). Also, you cannot do this to a device already designed, you have to start from scratch (maybe that's the reason you mention - A lot of the time this seems to default to adding alarms - which does not make sense?).

Have I misunderstood the concept of essential performance?
Probably, but anyway, a lot of people misunderstand it (because it IS a little confusing).

Anyway, most of your comments are right, in fact, for a critical care ventilator, you would need to put a lot of controls to make sure essential performance is maintained, some of these are (in generic terms and not an exhaustive list):
- pressure measurement in the y-circuit
- alarm in the case pressure is more than a limit (and usability evaluation to ensure user will perform the correct action the alarm is requiring)
- pressure-relief valve (with a specified reliability) in case of alarm failure
- internal battery
- alarm for internal battery
- require alternative ventilation methods in IFU
and things like that.

Ronen E

Problem Solver
Moderator
This is why particular standards are in place: ISO 80601-2-12:2011

More generally - the way I understand it, it's just a way of telling Essential Performance from the rest: If a given performance fails and the result is unacceptable risk, it is considered Essential. Some devices and some performances may fail in ways that only create acceptable risk, so these performances won't be considered Essential, and will be treated accordingly.

As Marcelo has mentioned, in the hierarchy of mitigating risk (i.e. turning unacceptable risks to acceptable), inherently safe design comes before alarms. This means if a performance is considered Essential and an unacceptable risk exists to it, a redesign must be attempted first. For a critical device like a critical care ventilator one of the obvious measures is redundancy (think about a passenger airplane). Luckily there are already particular standards in place so you don't have to reinvent the wheel.

david316

Involved In Discussions
Not right. You need to evaluate the risk control options from the beginning (the first one is to have an inherently safe design). Also, you cannot do this to a device already designed, you have to start from scratch (maybe that's the reason you mention - A lot of the time this seems to default to adding alarms - which does not make sense?).

Thank you Marcelo. My gut feel was that essential performance and risk management should be conducted as per your post but.... as I read 60601-1 it states

"The MANUFACTURER shall then evaluate the RISK from the loss or degradation of the identified performance beyond the limits specified by the MANUFACTURER. If the resulting RISK is unacceptable, then the identified performance constitutes an ESSENTIAL PERFORMANCE of the ME EQUIPMENT or ME SYSTEM

The MANUFACTURER shall implement RISK CONTROL measures to reduce the RISK from the loss or degradation of the identified performance to an acceptable level".

Within the context of essential performance, and within the guidance given in the Annex, when read literally I interpreted this to mean that you assume that performance has degraded and you need to make the risk acceptable. But as per your post I assume this is the wrong interpretation?

If I interpret, "The MANUFACTURER shall implement RISK CONTROL measures to reduce the RISK from the loss or degradation of the identified performance to an acceptable level", in isolation it makes more sense i.e. look at risk around loss of clinical function rather than assuming clinical function is lost. Although given it says "RISK from the loss or degradation" one would read this to mean that degradation has occurred rather than could occur. I would argue the wording leaves a bit up to interpretation.

It does get quite confusing when particular standards (e.g. 80601-2-12) often state essential performance as delivery of therapy or alarm. In my experience this is often understood to mean it's acceptable to fail to deliver therapy as long as the device alarms as per the particular standard, which is clearly incorrect.

Thanks

Ronen E

Problem Solver
Moderator
It does get quite confusing when particular standards (e.g. 80601-2-12) often state essential performance as delivery of therapy or alarm. In my experience this is often understood to mean it's acceptable to fail to deliver therapy as long as the device alarms as per the particular standard, which is clearly incorrect.

You should read it in conjunction with ISO 14971 and IEC 60601-1. In essence risk mitigation through inherently safe design (improved design) takes precedence over implementing alarms. This is a more fundamental risk management layer than any specifics prescribed by a particular standard. However, sometimes implementing an alarm is the overall best solution. In such a case sounding an alarm might mitigate a serious failure, such that the failure of that alarm might constitute an unacceptable risk, whereby that alarm sounding should be considered an Essential Performance and treated accordingly. I don't see a consistency issue here (other than it's not a single-fault mode anymore, so maybe a little over-conservative).

david316

Involved In Discussions
Thanks for your input guys and I agree with everything you have stated, but I have an additional question around this topic. Quite often in particular standards essential performance is stated as a performance limit or alarm. For example in 80601-2-55, essential performance is stated as:

"MEASUREMENT ACCURACY and ALARM CONDITION for the GAS READING or generation of a TECHNICAL ALARM CONDITION"

Is it correct to read above as the risk is acceptable (as judged by the standard committee) as long as the device meets this definition of essential performance? Personally I think that is the literal interpretation but as discussed it doesn't make sense when IEC 60601-1 should be read in conjunction with ISO 14971.

Next to the TECHNICAL ALARM CONDITION it lists a couple of sub clauses that have alarm requirements for specific scenarios. If the device fails to meet its accuracy requirement and ALARM CONDITION requirement and raises a technical alarm, is the technical alarm limited to the specific scenarios listed in the sub clauses? If this is the case does that mean it is only appropriate to maintain essential performance via an alarm for a limited set of scenarios?

Maybe I am overthinking this...

Thanks a lot for any input.

Marcelo

Inactive Registered Visitor
ISO 24971 has a discussion and flowchart on how to use ISO 14971 with standards, including an example based on IEC 60601. Basically, if you use the requirement of a product standard as a risk control measure, and you pass the test, you deem the risk acceptable.

Ronen E

Problem Solver
Moderator
By the way, IEC 60601-1 Ed. 3.1 has the following in Annex A.4 (sub-clause 4.3):

[...] For example, it might be possible to build a critical care ventilator that will continue to function in the presence of a single component failure, but, given the generally accepted technology, this is not practicable. Therefore, the MANUFACTURER might rely on a protective measure, such as an ALARM SYSTEM, to alert the OPERATOR of the failure so the OPERATOR can take appropriate and timely action to prevent the onset of HARM. The ALARM SIGNAL coupled with required OPERATOR training might be adequate RISK CONTROL measures to reduce the RISK arising from the loss or degradation of the identified performance to an appropriate level, i.e. the RESIDUAL RISK is acceptable. [...]

david316

Involved In Discussions
Yes. But the problem is that particular standards often state something like maintaining therapy within alarm condition parameters or alarming as essential performance. Hence, as pointed out above, as long as the device alarms when therapy is lost the risk is usually deemed acceptable (as per the particular standard). So you can have a device that often loses therapy but as long as it alarms (as per the particular standard) the risk is deemed acceptable. Doesn't really make sense. Anyway I think it's just that it is poorly worded and ultimately you need to look at the intent of defining essential performance and ultimately follow ISO 14971.