Stopping it all going wrong
18 Jul 2017 by Evoluted New Media
Safety assessments for medical devices typically focus on potential hazards occurring during use from electrical or mechanical aspects of the design. But, asks Richard Poate, how do we prevent malfunction?
An important step to consider when dealing with medical devices is functional safety, which provides assurance that safety-related systems in the device will minimise the severity and probability of harm to the end-user or patient if it should malfunction.
Functional safety is therefore part of the overall safety of a system or piece of equipment, and uses a systematic approach to identify potentially dangerous conditions or events that might result in an accident that causes harm to the persons interacting with the device. Effective functional safety of electric and electronic medical devices and systems means that they have built-in safety mechanisms that activate to reduce potential risks to a tolerable level, thereby enabling corrective or preventive actions to avoid or reduce the impact of an accident. By undertaking risk analysis and manufacturing medical devices that are functionally safe, a manufacturer will benefit from increased market acceptance and positive brand associations. Failure to ensure functional safety can have dire consequences for end-users and for the corporate reputation of the business selling faulty goods.
How to assess
While there is no functional safety standard specific to medical devices, the Medical Electrical Equipment Standard (IEC 60601-1) states that “the devices must be designed in such a way that they will not compromise the safety of patients”; and that “the solutions adopted by the manufacturer for the design and construction of the devices must conform to safety principles, taking account of the generally acknowledged state of the art.” Traditional safety assessment focuses on potential hazards from electrical, mechanical or other aspects of a design occurring during usage. Functional safety is an additional step focussing on the reliability of the product to function correctly and safely in response to its inputs. It therefore provides assurance that safety-related systems in the device minimise the severity and probability of harm in the event of malfunction.
The general goal of functional safety is to avoid a hazard caused by the malfunction of the device. This applies to all of the components that contribute to the performance of a safety function, such as sensors, drive elements, control electronics and contactors. A safety-related control function is one of the measures that contribute to the overall reduction of risk with medical devices, but a single control function is not always adequate. Functional safety principles are therefore used to control random hardware failures during operation and to control systematic failures during operation. The approach also avoids system faults during design, development and manufacturing. Hence a detailed risk management file (RMF) must be kept, not only to demonstrate compliance but to complement a strong design process and minimise product development delays.
Functional safety reduces the risk of harm when a malfunction occurs, and for medical devices IEC 61508 (functional safety of electrical/electronic/programmable electronic safety-related systems) is therefore the standard that should be followed; it is applicable to all types of industry. The standard defines functional safety as “part of the overall safety relating to the EUC (equipment under control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.” IEC 61508 teaches us that zero risk can never be reached, that safety must be considered from the beginning and that non-tolerable risks must be reduced. The standard has seven parts. Parts 1-3 contain the requirements of the standard, while Parts 4-7 are guidelines and examples for development.
Unacceptable risk
Specific steps must be carried out by manufacturers to ensure the absence of unacceptable risk due to hazards caused by the malfunctional behaviour of their products and systems. The standard therefore states that “the EUC risks must therefore be evaluated, or estimated, for each determined hazardous event.” In selecting the most appropriate solutions, the manufacturer must apply the following principles in the following order:
- Eliminate or reduce risks as far as possible (inherently safe design and construction).
- Where appropriate take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated.
- Inform users of the residual risks due to any shortcomings of the protection measures adopted.
The standard advises that “either qualitative or quantitative hazard and risk analysis techniques may be used” and offers guidance on a number of approaches. A good example is an infusion pump, where functional safety would consider potential hazards related to this function, such as the wrong flow rate or volume infused, an unintended start or stop of infusion, a build-up of excessive pressure or an air infusion.
Once both the hazards and the safety functions which must be put in place to mitigate them have been identified, the next step is an assessment of the risk reduction required. This will reveal a safety integrity level (SIL) or performance level (PL) for the safety-related control and the final system. The identified SIL number has a corresponding requirement in the standard, which details how the development process should be set up to achieve that SIL. Parts 2 and 3 of IEC 61508 give guidance on the activities to perform in order to attain a SIL, in conjunction with Part 5.
It must then be ensured that the safety function performs as intended, also allowing for incorrect operator use. This will involve having the design and lifecycle managed by qualified engineers carrying out processes to IEC 61508. The next step is verification that the system meets the assigned SIL or PL by determining the mean time between failures and the safe failure fraction (SFF) – in other words, assessing the probability of the system failing in a safe state.
Finding fault
Clause 4.7 of the Medical Electrical Equipment Standard (IEC 60601-1) states that “equipment shall be so designed and manufactured that it remains single fault safe, or the risk remains acceptable through risk management process.” Failures can be either systematic, which are built-in design flaws, or random. For example, systematic failure in hardware can include an error in PCB layout, components used out of specification, environmental conditions not met or an error in instructions for use.
While failures should be avoided, IEC 60601-1 states that the combination of two independent failures is acceptable if it is not life threatening. If life threatening, systematic failures must be avoided, or at the very least a control mechanism must be in place to mitigate that hazard when it occurs. However, despite correct design and production methods, random failures do happen. Examples of these include the short circuit of electronic components, stuck relay contacts and sensor failures. It is important that these are controlled while the device is operating, using design measures such as redundancy, diversity or self-tests.
Medical device designers and manufacturers must pay attention to the concept of functional safety and identify the individual safety functions of a product. This means understanding the concept of ‘functions’ and being able to break them down – vital skills to help comply with regulations and standards.
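The SFF and MTBF verification step described under "Unacceptable risk", and the effect of the self-tests and redundancy mentioned above, can be worked through numerically. The example below is added here and is not from the article or from TÜV SÜD; it uses the SFF definition from IEC 61508-4 and the Route 1H architectural-constraint tables from IEC 61508-2, with a constructed failure-rate budget for a hypothetical infusion-pump flow-control subsystem.

```python
from dataclasses import dataclass

# Failure rates in FIT (failures per 1e9 hours), split into the four IEC 61508
# failure classes. The numbers used below are constructed for a hypothetical
# infusion-pump flow-control subsystem, not taken from any real device.
@dataclass(frozen=True)
class FailureRates:
    safe_detected: float         # lambda_SD
    safe_undetected: float       # lambda_SU
    dangerous_detected: float    # lambda_DD: caught by a self-test, drives the safe state
    dangerous_undetected: float  # lambda_DU: the only class that can lead to harm

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

def safe_failure_fraction(r: FailureRates) -> float:
    # SFF = (safe + dangerous-detected) / (all failures), per IEC 61508-4
    return (r.safe_detected + r.safe_undetected + r.dangerous_detected) / r.total

def mtbf_hours(r: FailureRates) -> float:
    # Constant-failure-rate assumption: MTBF = 1 / lambda, lambda given in FIT
    return 1e9 / r.total

# IEC 61508-2 Route 1H architectural constraints (Tables 2 and 3): highest SIL
# claimable for each SFF band at hardware fault tolerance 0, 1, 2.
# Type A = simple subsystem, Type B = complex (e.g. microcontroller). None = not allowed.
_MAX_SIL = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (2.0, (3, 4, 4))],
    "B": [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (2.0, (3, 4, 4))],
}

def max_sil(sff: float, hft: int, subsystem_type: str):
    """Highest SIL the hardware architecture supports for this SFF and HFT."""
    for upper, sils in _MAX_SIL[subsystem_type]:
        if sff < upper:
            return sils[hft]
    raise ValueError("SFF must lie in [0, 1]")

def without_self_test(r: FailureRates) -> FailureRates:
    # Drop the diagnostic: every dangerous failure becomes dangerous-undetected
    return FailureRates(r.safe_detected, r.safe_undetected, 0.0,
                        r.dangerous_detected + r.dangerous_undetected)

if __name__ == "__main__":
    pump = FailureRates(200, 100, 600, 100)  # constructed FIT budget
    for label, r in (("with self-test", pump), ("no self-test", without_self_test(pump))):
        sff = safe_failure_fraction(r)
        print(f"{label}: SFF={sff:.0%} MTBF={mtbf_hours(r):.0f} h "
              f"HFT0->SIL{max_sil(sff, 0, 'B')} HFT1->SIL{max_sil(sff, 1, 'B')}")
```

With the self-test in place the Type B subsystem reaches SFF 90% and can claim SIL 2 at HFT 0; removing the diagnostic drops SFF to 30%, which IEC 61508-2 does not allow at HFT 0 for Type B and limits to SIL 1 even with a redundant channel (HFT 1).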
Author: Richard Poate is Senior Manager at TÜV SÜD Product Service, a global product testing and certification organisation