IEC 60601-1 - Essential performance doesn't make sense

david316

Involved In Discussions
#1
Hello,

When determining essential performance, the guidance in 60601-1 is to assume with 100% certainty that a device's performance has degraded beyond some limit (determined by the manufacturer) which results in unacceptable risk. In reality if this was to happen, since a patient is getting treatment from said medical devices, there is a very high probability that this will result in harm due to loss of treatment. The manufacturer is then required to put risk controls in place to make the risk acceptable. A lot of the time this seems to default to adding alarms. What happens when a manufacture assumes performance has degrade but cannot make the risk acceptable? For example, if one was to assume that a critical care ventilator failures with 100% probability its very difficult to imagine that adding alarms will make the risk acceptable. In reality there should be significant risk controls to prevent the ventilator from failing in the first place... especially if it is failing due to reliability problems or software bugs, etc. You can't say its OK for a critical care ventilator to fail to deliver therapy as long as you have suitable alarms. This doesn't make sense to me. Have I miss understood the concept of essential performance?

Thanks
 
Elsmar Forum Sponsor

Marcelo

Inactive Registered Visitor
#2
When determining essential performance, the guidance in 60601-1 is to assume with 100% certainty that a device's performance has degraded beyond some limit (determined by the manufacturer) which results in unacceptable risk. In reality if this was to happen, since a patient is getting treatment from said medical devices, there is a very high probability that this will result in harm due to loss of treatment.
Yes, this is the idea, this is just a way to say that to determine the essencial performance, you have to verify the performance which is related to unacceptable risk.

The manufacturer is then required to put risk controls in place to make the risk acceptable. A lot of the time this seems to default to adding alarms.
Not right. You need to evaluate the risk control options from the beginning (the first one is to have an inherently safe design). Also, you cannot do this to a device already designed, you have to start from scratch (maybe that's the reason you mention - A lot of the time this seems to default to adding alarms - which does not make sense?).

Have I miss understood the concept of essential performance?
probably, but anyway, a lot of people misunderstand it (because it IS a little confusing).

Anyway, most of your comments are right, in fact, for a critical care ventilator, you would need to put a lot of controls to make sure essential performance is maintained, some of these are (in generic terms and not a exhaustive list):
- pressure measurement in the y-circuit​
- alarm in the case pressure is more than a limit (and usability evaluation to ensure user will perform the correct action the alarm is requiring)​
- pressure-relief valve (with a specified reliability) in case of alarm failure​
- internal battery​
- alarm for internal battery​
- require alternative ventilation methods in IFU​
and things like that.​
 

Ronen E

Problem Solver
Staff member
Moderator
#3
This is why particular standards are in place: ISO 80601-2-12:2011

More generally - the way I understand it, it's just a way of telling Essential Performance from the rest: If a given performance fails and the result is unacceptable risk, it is considered Essential. Some devices and some performances may fail in ways that only create acceptable risk, so these performances won't be considered Essential, and will be treated accordingly.

As Marcelo has mentioned, in the hierarchy of mitigating risk (i.e. turning unacceptable risks to acceptable), inherently safe design comes before alarms. This means if a performance is considered Essential and an unacceptable risk exists to it, a redesign must be attempted first. For a critical device like a critical care ventilator one of the obvious measures is redundancy (think about a passenger airplane). Luckily there are already particular standards in place so you don't have to reinvent the wheel.
 

david316

Involved In Discussions
#4
Not right. You need to evaluate the risk control options from the beginning (the first one is to have an inherently safe design). Also, you cannot do this to a device already designed, you have to start from scratch (maybe that's the reason you mention - A lot of the time this seems to default to adding alarms - which does not make sense?).
.
Thank you Marcelo. My gut feel was that essential performance and risk management should be conducted as per your post but.... as I read 60601-1 it states

"The MANUFACTURER shall then evaluate the RISK from the loss or degradation of the identified performance beyond the limits specified by the MANUFACTURER. If the resulting RISK is unacceptable, then the identified performance constitutes an ESSENTIAL PERFORMANCE of the ME EQUIPMENT or ME SYSTEM

The MANUFACTURER shall implement RISK CONTROL measures to reduce the RISK from the loss or degradation of the identified performance to an acceptable level".

Within the context of essential performance, and within the guidance given in the Annex, when read literally I interpreted this to mean that you assume that performance has degraded and you need to make the risk acceptable. But as per your post I assume this is the wrong interpretation?

If I interpret, "The MANUFACTURER shall implement RISK CONTROL measures to reduce the RISK from the loss or degradation of the identified performance to an acceptable level", in isolation it makes more sense i.e. look at risk around loss of clinical function rather than assuming clinical function is lost. Although given it says "RISK from the loss or degradation" one would read this to mean that degradation has occurred rather than could occur. I would argue the wording leaves a bit up to interpretation.

It does get quite confusing when particular standards (e.g. 80601-2-12) often state essential performance as delivery of therapy or alarm. In my experience this is often understood to mean its acceptable to fail to deliver therapy as long as the devices alarms as per the particular standard which is clearly incorrect.

Thanks
 

Ronen E

Problem Solver
Staff member
Moderator
#5
It does get quite confusing when particular standards (e.g. 80601-2-12) often state essential performance as delivery of therapy or alarm. In my experience this is often understood to mean its acceptable to fail to deliver therapy as long as the devices alarms as per the particular standard which is clearly incorrect.
You should read it in conjunction with ISO 14971 and IEC 60601-1. In essence risk mitigation through inherently safe design (improved design) takes precedence over implementing alarms. This is a more fundamental risk management layer than any specifics prescribed by a particular standard. However, sometimes implementing an alarm is the overall best solution. In such a case sounding an alarm might mitigate a serious failure, such that the failure of that alarm might constitute an unacceptable risk, whereby that alarm sounding should be considered an Essential Performance and treated accordingly. I don't see a consistency issue here (other than it's not a single-fault mode anymore, so maybe a little over-conservative).
 

david316

Involved In Discussions
#6
Thanks for your input guys and I agree with everything you have stated but I have an additional question around this topic. Quite often in particular standard essential performance is stated as a performance limit or alarm. For example in 80601-2-55, essential performance is stated as:

"MEASUREMENT ACCURACY and ALARM CONDITION for the GAS READING or generation of a TECHNICAL ALARM CONDITION"

Is it correct to read above as the risk is acceptable (as judged by the standard committee) as long as the device meets this definition of essential performance? Personally I think that is the literal interpretation but as discussed it doesn't make sense when IEC 60601-1 should be read in conjunction with ISO 14971.

Next to the TECHNICAL ALARM CONDITION it lists a couple of sub clauses that have alarm requirements for specific scenarios. If the device fails to meet its accuracy requirement and ALARM CONDITION requirement and raises a technical alarm, is the technical alarm limited to the specific scenarios listed in the sub clauses? If this is the case does that mean it is only appropriate to maintain essential performance via an alarm for a limited set of scenarios?

Maybe I am overthinking this...

Thanks a lot for any input.
 

Marcelo

Inactive Registered Visitor
#7
ISO 24971 has a discussion and flowchart on how to use IsO 14971 with standards, including an example based on IEC 60601. Basically, if you use the requirement of a product standard as a risk control measure, and you pass the test, you deem the risk acceptable.
 

Ronen E

Problem Solver
Staff member
Moderator
#9
By the way, IEC 60601-1 Ed. 3.1 has the following in Annex A.4 (sub-clause 4.3):

[...] For example, it might be possible to build a critical care ventilator that will continue to function in the presence of a single component failure, but, given the generally accepted technology, this is not practicable. Therefore, the MANUFACTURER might rely on a protective measure, such as an ALARM SYSTEM, to alert the OPERATOR of the failure so the OPERATOR can take appropriate and timely action to prevent the onset of HARM. The ALARM SIGNAL coupled with required OPERATOR training might be adequate RISK CONTROL measures to reduce the RISK arising from the loss or degradation of the identified performance to an appropriate level, i.e. the RESIDUAL RISK is acceptable. [...]
 

david316

Involved In Discussions
#10
Yes. But the problem is that particular standards often state something like maintaining therapy within alarm conditions parameters or alarming as essential performance. Hence as pointed out above as long as the device alarms when therapy is lost the risk is usually deemed acceptable (as per the particular standard). So you can have a device that often loses therapy but as long as it alarms (as per the particular standard) the risk is deemed acceptable. Doesn't really make sense. Anyway I think it's just that is poorly worded and ultimately you need to look at the intent of defining essential performance and ultimately follow iso 14971.
 
Thread starter Similar threads Forum Replies Date
W IEC 60601 - Essential performance c.2.34 IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
shimonv IEC 60601-1 Essential Performance - Is the signal accuracy specification an essential requirement? IEC 60601 - Medical Electrical Equipment Safety Standards Series 4
rezayatmand IEC 60601-2-18 Medical electrical equipment - Part 2-18: Particular requirements for the basic safety and essential performance of endoscopic equipmen IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
Z In which country is essential to have and IEC 60601 CB Report? Other Medical Device Related Standards 0
D IEC 60601-1 - Performance limits for essential performance IEC 60601 - Medical Electrical Equipment Safety Standards Series 4
K IEC 60601-1 and Essential Performance IEC 60601 - Medical Electrical Equipment Safety Standards Series 5
M IEC 60601 - Limits of agreement as Essential Performance IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
D IEC 60601-2-44: 202.101 Immunity Testing of Essential Performance IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
L "Potential" Essential Performance in IEC 60601-2-54 (Definition) IEC 60601 - Medical Electrical Equipment Safety Standards Series 9
A Essential Performance in IEC 3rd edition of the 60601-1 IEC 60601 - Medical Electrical Equipment Safety Standards Series 5
JoCam IEC 60601-1 and 60601-1-2 retest after PCBA change IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
K IEC 60601-1:2005/AMD2:2020, Why this standard version is 3.0? IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
C IEC 60601 - 8.8.3 Dielectric Strength test. 4kv being applied to the ground conductor?! IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
R IEC 60601-1 Clause 15.3.2, Push test IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
A Defining a lower ESD test level in IEC 60601 safety test IEC 60601 - Medical Electrical Equipment Safety Standards Series 5
J IEC 60601-1-11 Home Class II With Ballasts IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
A Coverage and differences: EN 60601-1:2006+A12:2014 Vs AAMI/IEC 60601-1:2005+AMD1:2012 IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
T IEC 60601-1-8:2020 Is it necessary to change the alarm melody? IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
M Is it normal / sufficient to have only the IEC 60601-1-2 test report without indicating IEC 60601-1? IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
S IEC 60601-2-30 - Is it mandatory to claim alarms? IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
Y Auditory alarm standard IEC 60601-1-8 Reliability Analysis - Predictions, Testing and Standards 0
R IEC 60601-1 - Power Supply Cords (Section 8.11.3.1) IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
A Outsourcing IEC 60601-1 Ed 3.2 Testing IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
R Complex IEC 60601-1 gap assessment IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
D SINGLE FAULT CONDITION, short circuit and open circuit of any component (IEC 60601-1 3.1) IEC 60601 - Medical Electrical Equipment Safety Standards Series 9
H IEC 60601-1 ME equipment or ME system IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
M How does IEC-60601-1 apply to a non-medical device in the patient vicinity? IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
R IEC 60601-1 - 11.1.3 e) Test criteria - Temperature Measurements IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
R IEC 60601-1 - Magnesium oxide used for the electrical insulation of heating elements IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
M Is IEC 60601-1-2 required by FDA for all electronic medical devices? IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
Z IEC 60601-2-25; Frequency response test Medical Device and FDA Regulations and Standards News 1
N IEC 60601-1-1 - Stress test, reference voltage IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
R IEC 60601-1:2005+AMD1:2012+AMD2:2020 CSV IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
B IEC 60601 - Creepage Distance - Relay that acts as a means of physical mechanical protection Process Maps, Process Mapping and Turtle Diagrams 0
T Single Fault Condition IEC 60601 Clause 8.7.1 shorting Cr/Cl in Patient Applied Part IEC 60601 - Medical Electrical Equipment Safety Standards Series 7
M What to Expect from Next IEC 60601-1 and IEC 60601-1-2 Amendments? IEC 60601 - Medical Electrical Equipment Safety Standards Series 7
D IEC 60601-1 - Service life testing IEC 60601 - Medical Electrical Equipment Safety Standards Series 8
R Hand transmitted vibration 9.6.3 of IEC 60601-1 IEC 60601 - Medical Electrical Equipment Safety Standards Series 4
A IEC 60601 11.2.2.1 Risk of Fire in an Oxygen Rich Environment, Source of Ignition IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
E PEMS Hazards - IEC 60601 Clause 14.6 - Internal data use - Pressure sensor IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
B IEC 60601-2-43 - Clause 203.6.103 - Physical button? IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
M IEC 60601-1 1988 - Device developed in 2012 with standard of 1988 IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
A IEC 60601-1 Dielectric Strength test for battery operated devices IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
E IEC 60601-1 - Unearthed Medical Device Metal Parts IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
JoCam Failure to test Class I medical device to IEC 60601-1-11 IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
R IEC 60601-1 - Different methods of achievement of the isolation IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
K What is mean by Oxygen Rich Environment as per the IEC 60601-1 clause no 11.2.2 IEC 60601 - Medical Electrical Equipment Safety Standards Series 5
K Dielectric strength test as per IEC 60601-1 -Infant incubator IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
A Unused SIP/SOPs - IEC 60601-1 and IEC 60601-1-2 IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
K Proper document of SMPS used in infant warmer for IEC 60601-1 testing IEC 60601 - Medical Electrical Equipment Safety Standards Series 1

Similar threads

Top Bottom