Necessity of external watchdog next to internal watchdog

Dear all,

We have a non-implantable device with a microcontroller. This controller has an internal watchdog. During execution of code on the microcontroller it periodically "kicks" this internal watchdog and if something goes wrong with the code execution, this "kicking" stops and the microcontroller is reset. The watchdog makes sure, together with the complete software design approach, architecture, etc. that faulty code leads to a reset.

We have also implemented an external watchdog. This one is also kicked by the microcontroller and it has the exact same purpose as the internal watchdog. So, the current design has 2 watchdogs: an internal one (on the same die as the rest of the microcontroller) and an external one (a separate chip).

We have done a risk assessment (DFMEA) and our conclusion is that this external watchdog does not lower the risk beyond what the internal watchdog already provides. The design is deemed safe with only the internal watchdog present so our conclusion is that we can remove the external watchdog.

The only element we are not 100% sure about is how a notified body/FDA would view such a move. We believe we can provide them with a sound, technical, risk-based rationale for why an external (redundant, backup) watchdog is not in the design, but sometimes these regulatory agencies have an opinion of their own, for example because of cases they ran into in the past that we are not aware of.

My question is whether you are aware of such a focus of notified bodies/FDA on the mandatory use of an external watchdog, because if this is indeed the case and regulatory agencies feel that an external watchdog should be in the design no matter what, then we had better keep it in our current design, not because it is needed from a safety perspective but more for "political" reasons. Do you have any experience with this? What is your opinion?

We need to comply with IEC 60601-1, but there is no essential performance; only basic safety compliance is required.

Many thanks in advance for any feedback!
 

Hemanth Kumar

FDA/Notified body doesn't mandate the use of an external watchdog. They would like to see an independent external watchdog circuit as a risk control for safety-critical devices, since the software can disable the internal watchdog timers either intentionally or unintentionally, so they do not provide the same level of protection. If your medical device is not a safety-critical one, you can provide them with a sound, technical, risk-based rationale as you mentioned, and that shall be okay with the FDA/notified body. We did receive FDA approval for a medical device (glucose monitor) with an internal watchdog alone, way back in 2010.
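The two posts above describe the kicking scheme (every task must still be running for the kick to continue) and the reason an external chip is considered independent (the internal timer sits behind a register the CPU can write). The following simulation is an added example written for this page, not code from either poster's device or from any particular MCU vendor. Both watchdogs, the task set, the tick count and the 10-tick timeout are constructed for the example; the interesting part is that the supervisor only refreshes either dog when every task has checked in, and that the same stuck task goes undetected once the internal dog's enable bit has been cleared unless the external part is populated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_TASKS 3
#define WDT_TIMEOUT_TICKS 10   /* constructed: both dogs reset if not kicked within 10 ticks */

/* Internal watchdog: a memory-mapped peripheral. Its enable bit is writable by firmware. */
typedef struct {
    bool     enabled;
    uint32_t counter;
} internal_wdt_t;

/* External watchdog: a separate chip. Firmware sees only the WDI (kick) pin; there is no enable bit. */
typedef struct {
    bool     present;   /* whether the part is populated on the board */
    uint32_t counter;
} external_wdt_t;

typedef struct {
    internal_wdt_t iwdt;
    external_wdt_t ewdt;
    bool task_alive[N_TASKS];   /* set by each task once per cycle, cleared by the supervisor */
    int  reset_count;
} system_t;

static void system_init(system_t *s, bool external_present) {
    *s = (system_t){0};
    s->iwdt.enabled = true;     /* power-on default: internal dog armed */
    s->ewdt.present = external_present;
}

/* Each task calls this at the end of a healthy cycle; a hung task stops calling it. */
static void task_checkin(system_t *s, int id) {
    if (id >= 0 && id < N_TASKS) s->task_alive[id] = true;
}

/* Supervisor, run from the main loop: kick both dogs only if every task checked in since last kick.
 * Kicking from a timer interrupt would defeat the purpose, since the ISR keeps running while a task hangs. */
static bool supervisor_kick(system_t *s) {
    for (int i = 0; i < N_TASKS; i++)
        if (!s->task_alive[i]) return false;
    for (int i = 0; i < N_TASKS; i++)
        s->task_alive[i] = false;
    s->iwdt.counter = 0;        /* write the internal refresh register */
    s->ewdt.counter = 0;        /* toggle the external WDI pin */
    return true;
}

/* Hardware tick: counters advance; an expired dog resets the MCU, which re-arms the internal dog. */
static bool hw_tick(system_t *s) {
    bool reset = false;
    if (s->iwdt.enabled && ++s->iwdt.counter > WDT_TIMEOUT_TICKS) reset = true;
    if (s->ewdt.present && ++s->ewdt.counter > WDT_TIMEOUT_TICKS) reset = true;
    if (reset) {
        s->reset_count++;
        s->iwdt.counter = 0;
        s->ewdt.counter = 0;
        s->iwdt.enabled = true;
    }
    return reset;
}

/* The failure mode from the reply: firmware, deliberately or via a stray write, clears the enable bit.
 * No equivalent exists for the external chip. */
static void iwdt_disable(system_t *s) { s->iwdt.enabled = false; }

/* Run `ticks` scheduler ticks and return how many watchdog resets occurred.
 * stuck_task < 0 means every task runs; otherwise that task never checks in. */
int simulate(bool external_present, bool internal_disabled, int stuck_task, int ticks) {
    system_t s;
    system_init(&s, external_present);
    if (internal_disabled) iwdt_disable(&s);
    for (int t = 0; t < ticks; t++) {
        for (int id = 0; id < N_TASKS; id++)
            if (id != stuck_task) task_checkin(&s, id);
        supervisor_kick(&s);
        hw_tick(&s);
    }
    return s.reset_count;
}

int main(void) {
    printf("healthy, both dogs:                 %d resets\n", simulate(true,  false, -1, 50));
    printf("task 1 hung, internal only:         %d resets\n", simulate(false, false,  1, 50));
    printf("task 1 hung, internal disabled:     %d resets\n", simulate(false, true,   1, 50));
    printf("task 1 hung, internal disabled+ext: %d resets\n", simulate(true,  true,   1, 50));
    return 0;
}
```

With a 10-tick timeout and 50 ticks, a hung task trips an armed dog four times, and the third case shows the gap the reply points at: once the internal dog's enable bit is cleared, the hung task is never caught unless the external chip is on the board.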