Functional Safety Analysis/Report Example

Ibomol

Registered
Dear All,

Our medical electric device complies with IEC 60601 standards; however, we have been asked by the notified body to provide a 'functional safety report' (as I understand it, an overview of our control/protection systems and how they mitigate risk) in addition.

Does anybody have an example of such an exercise or a standard format such a report should take?

Regards,

yodon

Leader
Super Moderator
Just tossing out an idea... do you have a trace report showing linkage between risk controls [to system requirements] to verification?

Kind of a curious request, IMO, since 60601 now requires a review of the risk file so seemingly, this should already have been established / reviewed.

QARAMar

Registered
Is your NB TÜV SÜD?

A colleague of mine has been asked for the same thing (Class IIb PEMS device). I don't understand why the safety/risk management requirements of the applied harmonized standards appear not to be enough for the NB.

I don't personally have any experience, but I believe you need to look at IEC 61508.

jayantusu

Registered
Does this NB have an arm that does testing and consulting? For example, TÜV SÜD provides "functional safety test" as a service.
If so, that is the reason they are asking for it.
They are misusing their position to get business.
Fight with them. And spread the news. So that clients stay away from them.
Maybe you can also write to the EU and ask whether such a requirement exists.

klappa17

Registered
We are being asked for similar evidence for functional safety as well by our NB. It appears to be linked to the single fault safety concept from IEC 60601-1 and state-of-the-art safety concepts. There seems to be a sentiment out there that manufacturers and test houses aren't sufficiently covering the aspects of single fault safety for medical devices. There appears to be more scrutiny on this recently, especially with EU MDR, from our NB. I haven't posted enough to be able to post links, so Google "Functional Safety for Medical Devices" and there should be a TUV SUD website explaining how to apply the concepts. If you search for the same thing on YouTube there is a video from TUV SUD UK about this as well.

Tidge

Trusted Information Resource
If the device is a medical electrical device, certification to 60601-1 will require that the manufacturer has addressed concerns about functional safety through a 14971-compliant process (section 4 of 3rd edition). If the manufacturer is somehow deficient on this front (and somehow escaped this review during 60601-1 certification) a 3rd-party would presumably be able to be more specific about the defect.

The NRTLs (for 60601-1 certification) may require different levels of analysis when evaluating compliance (again, section 4). My experience has been that a system-level hazard analysis with sufficient linkages between use cases, hazards, and risk controls (see the question asked by @yodon above) is usually sufficient for an NRTL.

Again my experience: the NRTL doesn't want to spend too much time digging through a suite of risk files, but any NRTL should be doing a thorough enough review that the manufacturer ought to be able to explain how the evaluation for functional safety was done (for 3rd edition certified devices).

Peter Selvey

Leader
Super Moderator
Just my 2 cents as a past functional safety test engineer: generally, risk management is a poor tool for documenting functional safety; it's too high level. It would be great for all parties if the 601 series had a basic checklist for protection systems for high severity harm (like death, serious injury), covering things like:

- overview of control/protection (how it works)
- operating point (nominal value, range of adjustment, tolerance, suitability, margins to safe limits)
- response time (suitability, margins)
- independence (from control system or cause)
- alarms/notification
- reset methods (latching, non-latching, operator intervention, suitability, risks)
- long term reliability (sleeping fault detection by start up tests, high speed testing, annual maintenance)
- additional protection for any weak points (e.g. common parts used by control and protection, slow response under certain conditions)

These are the key points that a third party should be reviewing when assessing the design of a high risk protection system, such as in a dialysis system, surgical laser, ESU, infusion pump, infant incubator etc.

Despite the importance, I have found that few manufacturers prepare such information, so it's almost always been necessary to reverse engineer it from the circuit diagram, tests or research. If designers know these are the things to consider in the design phase, and that they need to document them, it would be a smoother process for everyone. It's not that difficult, and entirely reasonable considering it's protecting against death or serious injury. But it's not something that naturally comes out of ISO 14971 risk management, or even PEMS, 62304. These are all just management systems.

Examples of classic mistakes: setting the protection operating point or response time based on the limits of technology rather than clinical aspects; auto-reset leading to dangerous outcomes; no consideration of periodic tests; going cheap and using the same parts for control and protection, like reference voltages, sensors, CPUs.
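As an added illustration of the independence and reset points in the post above (a constructed example, not from the thread or from any standard), here is a toy simulation of a heater with a bang-bang control loop and an over-temperature protection, with a single fault injected into the control sensor; the thermal model, temperatures and fault size are all assumed values chosen for the demonstration.

```python
# Added example: single-fault simulation of a control/protection pair.
# Shows why the protection needs its own sensor and a latching trip.
# The first-order thermal model and all numbers are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Sensor:
    offset: float = 0.0  # injected single fault: reading error in degrees

    def read(self, true_temp: float) -> float:
        return true_temp + self.offset

def simulate(shared_sensor: bool, latching: bool, steps: int = 600,
             setpoint: float = 37.0, trip_limit: float = 39.0) -> dict:
    """Run the control loop with an over-temperature protection.

    The control sensor carries a single fault (reads 5 degrees low), so the
    controller keeps heating past the setpoint. The protection sensor is
    either the same faulty part (shared_sensor=True) or an independent one.
    Returns peak true temperature, final temperature and the first trip step.
    """
    control_sensor = Sensor(offset=-5.0)
    prot_sensor = control_sensor if shared_sensor else Sensor()
    temp, ambient = 37.0, 25.0      # true temperature and ambient, degrees
    tripped, peak, trip_step = False, temp, None
    for t in range(steps):
        heater_on = control_sensor.read(temp) < setpoint   # control decision
        if prot_sensor.read(temp) > trip_limit:            # protection decision
            tripped = True
            trip_step = t if trip_step is None else trip_step
        elif not latching:
            tripped = False      # auto-reset: re-arms as soon as reading drops
        if tripped:
            heater_on = False    # protection overrides the controller
        # heater adds 0.4 degrees per step; losses are 2% of the excess over ambient
        temp += (0.4 if heater_on else 0.0) - 0.02 * (temp - ambient)
        peak = max(peak, temp)
    return {"peak": round(peak, 2), "final": round(temp, 2), "trip_step": trip_step}

if __name__ == "__main__":
    for label, shared, latch in [("shared sensor", True, True),
                                 ("independent, latching", False, True),
                                 ("independent, auto-reset", False, False)]:
        print(f"{label:25s} {simulate(shared, latch)}")
```

With the shared sensor the protection never trips and the true temperature settles around 42 degrees; an independent sensor trips just above the limit, and only the latching variant actually removes the heat rather than cycling the patient side around the trip limit.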