How are Acceptable Degradations under Performance Criteria Defined?

Alisa542

I’m looking for input on how to appropriately classify and justify device behavior during ESD testing under IEC TS 60601-4-2:2024.


Situation:
Our device includes a feature that is part of the intended use, but not part of essential performance. We are currently treating this feature as a performance criterion per IEC TS 60601-4-2:2024. During ESD events, this feature can malfunction. When this occurs, the user can perform a manual reset, after which the feature functions normally again. Importantly, the malfunction of this feature:
- does not result in unacceptable risk
- does not prevent the user from continuing to use the device safely.

Concern:
IEC 60601-4-2 assigns Performance Criterion B to ESD, which states that the equipment shall continue to meet performance without operator intervention. In our case, recovery requires operator intervention (reset), which seems to conflict with Criterion B.

Questions:

Similar to how acceptable degradations of essential performance are permitted provided they do not lead to unacceptable risk, we read it is possible to define acceptable degradations of non-essential performance provided they do not lead to unacceptable performance. However, the term “unacceptable performance” appears vague and is not explicitly defined in IEC 60601-4-2 or the 60601-1 framework. How is unacceptable performance typically determined in practice for non-essential performance?

Since we are proposing to treat this behavior as an acceptable degradation of performance during ESD events, we are trying to understand what expectations are commonly used to justify that classification.
 
In principle, immunity testing is intended to represent the "normal environment", similar to the "normal" range of temperature, humidity and pressure that a device could experience. In that sense, a device should not require reset or operator intervention regardless of whether the function is formally defined as essential performance. Or more correctly, "essential performance" should include all features related to the intended purpose, no matter how low on the scale of importance they might be. The reason is that if any feature supporting the intended purpose, no matter how minor, fails in normal use, the risk should be unacceptable, since it implies that feature could fail all the time and hence provides no medical benefit, and the absence of benefit is also a harm, albeit indirect. Low impact, indirect harms can have a much higher probability for acceptability, but nothing should reach probability of 1 (always fails in normal use). In simple terms: in everyday normal use, stuff should work as specified, no excuses.

Unfortunately the IEC 60601 series includes a lot of stuff that is really more like an abnormal condition rather than a normal condition, and then they ask for essential performance. Sometimes this is just to simplify the test. Sometimes this is to account for uncertainty in knowing what is normal. And sometimes it's just overreach by the standard. Regardless, if the design team is confident the test is more in the abnormal space (could happen, but rare) then it's OK to drop off some less critical functions and features in the compliance criteria.

If you do this via the typical workaround of narrowly defining essential performance as the more "critical" functions, then keep in mind:
- this is a workaround, don't take it to heart and start accepting failure in real normal condition
- make sure everyone agrees the test is really more in the abnormal space
- make sure the device can still handle normal condition (back down the test method, check it works OK at normal levels)

For example, I understand ESD is now specified as ±15kV, which does seem to be in the abnormal region. I'm not a deep expert so that's just a gut feeling; it's worth asking a real expert. If this test level is really abnormal, and some non-critical functions fail and the device requires a reset, then it's OK. But then I would ask for testing at ±8kV, which I understand is more in line with real world levels. And at that level, the device should be fine, no reset required.
 
Are you defining 'unacceptable risk' as a situation that induces harm? Risk acceptability is when the benefit outweighs the risk. As Ed noted, a failure that removes benefit could result in an unacceptable situation since there is no 'only harm' and no benefit.

As you've described the situation it seems the situation is recoverable. An acceptable risk reduction end point is meeting a validated user need. Thus if it is acceptable to the users to lose the impacted function for the time it takes to reset (and complete the necessary function) there is a clear path to say this temporary interruption (of the relevant duration) is not unacceptable because you are still able to meet the validated user need. [disruptions less than X time are acceptable].
 
Are you defining 'unacceptable risk' as a situation that induces harm? Risk acceptability is when the benefit outweighs the risk. As Ed Peter noted, a failure that removes benefit could result in an unacceptable situation since there is no 'only harm' and no benefit.

As you've described the situation it seems the situation is recoverable. An acceptable risk reduction end point is meeting a validated user need. Thus if it is acceptable to the users to lose the impacted function for the time it takes to reset (and complete the necessary function) there is a clear path to say this temporary interruption (of the relevant duration) is not unacceptable because you are still able to meet the validated user need. [disruptions less than X time are acceptable].
Whoops, corrections noted.
 
Or more correctly, "essential performance" should include all features related to the intended purpose, no matter how low on the scale of importance they might be. The reason is that if any feature supporting the intended purpose, no matter how minor, fails in normal use, the risk should be unacceptable, since it implies that feature could fail all the time and hence provides no medical benefit, and the absence of benefit is also a harm, albeit indirect.
Getting a bit off topic (but I think the OP's question has been sufficiently answered). That makes sense (as opposed to 60601-1's definition)! And that would seem in line with what I've seen of FDA perspective. If I had a tongue depressor with a built in light and the light goes out, there's no "unacceptable risk" but certainly it's not meeting its intended purpose.
 
In simple cases like the tongue depressor light, people will normally unconsciously assume the failure is rare, because it would have to be poor design for it not to work with normal reliability. So that gets baked into any failure being judged "acceptable risk". However, if for example a manufacturer changed to LED lights which draw very low current, which means the on/off switch contacts need to be a special type to ensure reliable turning on, but the manufacturer didn't know this and kept using the same old switch, this will cause a high failure rate in the market for the LED light to actually turn on, especially after typical storage time. A case like that should be deemed "unacceptable risk". Obviously it's not a high risk, and generally a spare will be available; even so, such a scenario should still formally be judged unacceptable risk in a well designed ISO 14971 system, with no option but to change to a better quality switch that is known to work with LEDs.
 