Have you hugged a meticulous person lately? I think we all appreciate the fruit of those who methodically work through the intricacies although we often just take it for granted. Fine art, beautiful architecture, robust, reliable technology, rocket science and brain surgery all come to mind as examples of where someone has taken the time to check every box and assume nothing. Some of us have this “bent”, while others learn it and still others need to be compelled.  Medical device regulations and standards don’t care which detail-oriented category a developer/manufacturer occupies as all must meet a minimum level when it comes to compliance. Single fault analysis is a good example. 
In Part 1 we looked at Safety and Essential Performance as key requirements for a medical device. The 60601-1 family standard provides a clear level of expectation for safety and for essential performance under normal operating conditions and in the case of a single fault. Understanding the single fault expectation is important for effective and compliant risk management.
Real-world components, subsystems and systems can be specified, and these specifications have tolerances. When developing a product, the system specification becomes the sum of all the component and subsystem specifications that contribute to it. Depending on the components and the operating conditions, the tolerance window of the specification can narrow (tighten) or widen (loosen). Figure 1 shows an example of how a particular component's value changes, in this case over an extended temperature range. It is up to the developer/manufacturer to create the specifications (nominal and non-nominal), understand how they change, and determine whether they are sufficient to guarantee safety and essential performance for the system under normal conditions and also under single fault conditions where a severe harm could result.
Definition Break: The IEC 60601-1 standard defines normal condition and single fault conditions as follows (ME Equipment means Medical Electrical Equipment):
- Normal Condition (NC): condition in which all means provided for protection against HAZARDS are intact.
- Single Fault Condition (SFC): condition of ME EQUIPMENT in which a single means for reducing a RISK is defective or a single abnormal condition is present.
If we take a step back, there are four basic areas that we need to define or have defined for our medical device (Note: normal conditions include our variations over temperature, humidity, pressure etc.):

| Case | Normal Condition (NC) | Single Fault Condition (SFC) |
| --- | --- | --- |
| Safety | Safety specification window A1 | Safety specification window B1* |
| Essential Performance | EP specification window A2 | EP specification window B2* |

*Where A1 may or may not equal B1 and A2 may or may not equal B2, i.e., B1 or B2 may be degraded but must not create an unacceptable risk.
In safety cases, many specification tolerance windows are defined by a standard (i.e., the 60601-1 general standard, a 60601-1-X collateral standard or a 60601-2-X particular standard; see Part 1). In essential performance cases some tolerances are specified by the standards, while for others the specification tolerance window is defined by the manufacturer based on clinical and risk analysis (see clause 4.3 of 60601-1). Ultimately, for both the safety case (NC, SFC) and the essential performance case (NC, SFC), freedom from unacceptable risk must be transparently (i.e., in documentation) established either by the appropriate standard or by the manufacturer.
Let’s look at a couple examples of normal & single fault conditions before we discuss single fault analysis.
Safety Example: One area we can all appreciate is that if you connect a device to the “mains” (wall) power, we want to be sure there is no danger of the patient or the user being shocked. Electricity follows the path of least resistance, hence the construction of the medical device needs to assure that current won’t “leak” from the device into the patient (or user) under normal conditions or under a single fault condition. The term “applied part” is used for the parts of the medical device that come into contact with the patient (on the surface or internally). There are six basic categories of applied parts, each with its own specifications. Their symbols and names are depicted in Figure 2.
Figure 3, from 60601-1 (general safety), shows the leakage current limits for the applied part types under normal conditions and single fault conditions (d.c. and a.c.). Note how under single fault conditions (SFC, in yellow) the limit is wider (looser), i.e., degraded. In the mains-power leakage safety case the published degraded limit is deemed free from unacceptable risk by the standard, so if under a single fault you are within this outer limit you pass (with no single fault present you must be within the normal condition (NC) limits). This is a “type test” specification, tested during electrical safety testing and tied to the bill of materials submitted with the test sample. What are the single fault conditions (SFC) here? Typically fault conditions such as swapped polarity of the “hot” and “neutral” power lines, a disconnected “neutral” line, or a missing “ground”. They are applied by safety analyzers and the leakage is measured as part of electrical safety testing. (Hospitals also repeat this testing periodically on equipment under a maintenance program.)
Essential Performance Example: Okay let’s look at an essential performance (EP) example. As mentioned in Part 1 of this blog, EP is dependent on the purpose of the medical device hence in many cases there are particular Safety & EP standards that specify windows of acceptability.  This is particularly true for common medical measurements; so, for this example, let’s look at the 60601-2-34 Particular Standard.
IEC 60601-2-34 is titled “Particular Requirements for the Basic Safety and Essential Performance of Invasive Blood Pressure Monitoring Equipment”. We are using this particular standard as an example of how a standard establishes a specification window for the critical blood pressure measurement.  For measurement range and measurement accuracy the standard states: The pressure measurement range shall be at least -30mmHg to 250mmHg.  The combined effects of sensitivity, repeatability, non-linearity, drift, and hysteresis shall be within ± 4% of reading or ±0.5 kPa (±4 mmHg), whichever is greater.
Don’t worry about the numbers in this spec; the point is that the standard sets minimum requirements for essential performance, and in this case it doesn’t distinguish NC from SFC the way the safety example above does. It does provide some allowances during electromagnetic interference (EMI) testing (i.e., on how the device recovers its measuring capability), and it discusses self-diagnostics and device technical alarms. We’ll discuss how these play into addressing SFC for essential performance below.
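To make the two ideas above concrete (a system tolerance window that is the sum of component tolerances and can widen with temperature, and a particular standard's fixed acceptance window), here is an added example that is not from the post, from Qserve or from the standard. It takes a hypothetical IBP signal chain (transducer, bridge amplifier, ADC reference) with constructed gain, offset and temperature-coefficient figures, sums them as an arithmetic worst case, and sweeps the 60601-2-34 range to see whether the chain stays inside the ±4 % of reading / ±4 mmHg window at every reading and temperature. All component numbers are assumptions chosen for illustration.

```python
"""Worst-case error budget for an invasive blood pressure (IBP) channel,
checked against the IEC 60601-2-34 accuracy window quoted above:
+/-4 % of reading or +/-4 mmHg, whichever is greater, over at least
-30 mmHg to 250 mmHg.

This is an added illustration, not code from the post or from Qserve.
The error terms below describe a hypothetical transducer + bridge amplifier
+ ADC chain and are constructed assumptions, not a real data sheet."""

from dataclasses import dataclass

PRESSURE_RANGE_MMHG = (-30.0, 250.0)   # minimum range required by 60601-2-34


def allowed_error_mmhg(reading_mmhg: float) -> float:
    """Standard's window: +/-4 % of reading or +/-4 mmHg, whichever is greater."""
    return max(0.04 * abs(reading_mmhg), 4.0)


@dataclass(frozen=True)
class ErrorTerm:
    """One contributor to the combined measurement error.

    gain_ppm:          proportional (gain) error, parts per million of reading
    offset_mmhg:       error independent of the reading
    tempco_ppm_per_c:  extra gain error per degree C away from 25 C
    """
    name: str
    gain_ppm: float = 0.0
    offset_mmhg: float = 0.0
    tempco_ppm_per_c: float = 0.0


# Constructed budget: maps the standard's "sensitivity, repeatability,
# non-linearity, drift and hysteresis" onto a hypothetical signal chain.
CHAIN = [
    ErrorTerm("transducer sensitivity", gain_ppm=10_000),           # +/-1 %
    ErrorTerm("transducer offset drift", offset_mmhg=1.0),
    ErrorTerm("amplifier gain + non-linearity", gain_ppm=5_000, tempco_ppm_per_c=100),
    ErrorTerm("ADC reference", gain_ppm=2_000, tempco_ppm_per_c=20),
    ErrorTerm("hysteresis + repeatability", offset_mmhg=0.5),
]


def worst_case_error_mmhg(reading_mmhg, terms, temp_c, ref_temp_c=25.0):
    """Arithmetic (not root-sum-square) worst case: every term at its limit,
    all with the same sign. Conservative, which is what a safety argument wants."""
    dt = abs(temp_c - ref_temp_c)
    gain = sum(t.gain_ppm + t.tempco_ppm_per_c * dt for t in terms) * 1e-6
    offset = sum(t.offset_mmhg for t in terms)
    return gain * abs(reading_mmhg) + offset


def margin_report(terms, temps_c=(5.0, 25.0, 40.0), step_mmhg=10.0):
    """Sweep reading and temperature over the required range.

    Returns (worst margin in mmHg, list of (reading, temp, margin) that fail).
    A negative margin means the chain does not meet the standard's window."""
    lo, hi = PRESSURE_RANGE_MMHG
    worst = float("inf")
    failures = []
    reading = lo
    while reading <= hi + 1e-9:
        for temp in temps_c:
            margin = allowed_error_mmhg(reading) - worst_case_error_mmhg(reading, terms, temp)
            worst = min(worst, margin)
            if margin < 0:
                failures.append((reading, temp, round(margin, 3)))
        reading += step_mmhg
    return worst, failures


if __name__ == "__main__":
    worst, failures = margin_report(CHAIN)
    print(f"worst-case margin {worst:.2f} mmHg, {len(failures)} failing points")
```

The tightest point is not at full scale but at 100 mmHg, where the standard's window switches from the fixed 4 mmHg to 4 % of reading while the chain's gain errors keep growing; a sweep like this finds that knee, a single full-scale calculation does not. Swapping a term for its degraded value (a drifted reference, for example) and re-running the sweep is one way to document what a single fault does to the essential performance window.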
Given our context above, let’s look at how we address the challenge of single faults in preventing unacceptable risks for either safety or essential performance.
60601-1 Clause 4.7 defines the single fault condition criteria for ME Equipment. Paraphrasing:
ME Equipment shall be so designed and manufactured that it remains single fault safe, or the risks remain acceptable as determined through risk analysis.
Single Fault Analysis:
The medical device is considered single fault safe if it meets one or more of the following conditions for each unacceptable risk:
- a) PREVENTION: it employs a single means for reducing a risk that has a negligible probability of failure (e.g., reinforced insulation, a design employing a large safety factor, or components with high-integrity characteristics), or
- b) DETECTION: a single fault condition occurs but it will be detected during the expected service life and before a second means for reducing a risk fails, or
- c) REDUNDANCY: the probability that the second means for reducing a risk will fail during the expected service life of the device is negligible.
(Note: a single fault condition that directly causes one or more other single fault conditions is treated as one single fault condition, i.e., a cascade failure counts as a single fault.)
What are the implications of this? Well, this is why we love our exacting developers/manufacturers! A very thorough analysis of the design, focused on safety and essential performance in all areas, needs to be done for single fault failures. For each identified potential failure mode, one or more of the a), b) or c) mitigations above needs to be applied and documented!
Yowzer, that is a lot more than just checking normal tolerance specification windows in a power supply circuit, a chain of signal-processing circuits, a thermal analysis, or a mechanical stack-up. This is important to understand because it is a mentality that may not be obvious until it is encountered downstream during safety/EP testing and analysis.
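Here is what that analysis looks like when it is written down as a checkable worksheet rather than a mindset. This is an added example, not code from the post, from Qserve or from the standard: each failure mode row carries its claimed a), b) or c) means, each means has an acceptance rule (a COTS part needs a de-rating factor, a CHIC needs certification, a detection needs to run at least as often as the function is relied on, a redundant means must be independent), and a fault that directly causes further faults is folded into its root so that a "second means" knocked out by the same cascade is not credited. The thresholds (2x de-rating, the severity floor) and every worksheet row are constructed assumptions for a hypothetical device.

```python
"""Single fault analysis worksheet checker modelled on the 60601-1 clause 4.7
criteria quoted above: each failure mode that could produce an unacceptable
risk needs at least one valid (a) prevention, (b) detection or (c) redundancy
means, and a fault that directly causes further faults is treated as ONE
single fault condition.

Added illustration, not code from the post, from Qserve or from the standard.
The acceptance thresholds (2x de-rating, detection interval no longer than the
use interval, 'serious' as the lowest severity needing a means) and the
worksheet rows are constructed assumptions for this example."""

from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"negligible": 0, "minor": 1, "serious": 2, "critical": 3, "catastrophic": 4}
MIN_DERATING = 2.0  # assumption: COTS rating must be >= 2x the worst-case stress


@dataclass
class Mitigation:
    kind: str                        # "prevention" | "detection" | "redundancy"
    note: str
    relies_on: Optional[str] = None  # component the means depends on, if any
    # (a) prevention: CHIC certification, or COTS de-rating (rating / worst-case stress)
    chic_certified: bool = False
    derating_factor: float = 0.0
    # (b) detection: the check must run at least as often as the function is relied on
    check_interval_h: float = 0.0
    use_interval_h: float = 0.0
    # (c) redundancy: an independent second means whose failure in service life is negligible
    independent: bool = False
    second_means_failure_negligible: bool = False


@dataclass
class FailureMode:
    id: str
    component: str
    effect: str
    severity: str
    mitigations: list = field(default_factory=list)
    caused_by: Optional[str] = None  # id of the root fault when this row is a cascade consequence


def mitigation_holds(m: Mitigation, cascade_components: set) -> bool:
    """Apply the acceptance rule for the mitigation's category."""
    # A means that is itself taken out by the same fault (or its cascade) is not a second means.
    if m.relies_on is not None and m.relies_on in cascade_components:
        return False
    if m.kind == "prevention":
        return m.chic_certified or m.derating_factor >= MIN_DERATING
    if m.kind == "detection":
        return 0 < m.check_interval_h <= m.use_interval_h
    if m.kind == "redundancy":
        return m.independent and m.second_means_failure_negligible
    raise ValueError(f"unknown mitigation kind {m.kind!r}")


def cascade_components(root: FailureMode, modes) -> set:
    """Components of the root fault plus every fault it directly or indirectly causes."""
    comps, frontier = {root.component}, [root.id]
    while frontier:
        parent = frontier.pop()
        for m in modes:
            if m.caused_by == parent and m.component not in comps:
                comps.add(m.component)
                frontier.append(m.id)
    return comps


def analyse(modes, min_severity="serious"):
    """Return (failure mode id, reason) for every root fault lacking a valid means.

    Cascade consequences (caused_by set) are not listed on their own: they form one
    single fault condition with their root and are judged by the root's means."""
    findings = []
    for m in modes:
        if m.caused_by is not None or SEVERITY_RANK[m.severity] < SEVERITY_RANK[min_severity]:
            continue
        comps = cascade_components(m, modes)
        if not any(mitigation_holds(mit, comps) for mit in m.mitigations):
            findings.append((m.id, f"{m.component}: {m.effect} - no valid a/b/c means"))
    return findings


# Constructed worksheet rows for a hypothetical device.
WORKSHEET = [
    FailureMode("FM1", "Y1", "isolation capacitor short raises patient leakage", "catastrophic",
                [Mitigation("prevention", "certified Y-class safety capacitor", chic_certified=True)]),
    FailureMode("FM2", "U3", "ADC reference drift puts reading outside EP window", "serious",
                [Mitigation("detection", "reference checked before every measurement",
                            check_interval_h=0.25, use_interval_h=1.0)]),
    FailureMode("FM3", "BT1", "primary cell open, loss of monitoring", "critical",
                [Mitigation("redundancy", "second isolated cell BT2", relies_on="BT2",
                            independent=True, second_means_failure_negligible=True)]),
    FailureMode("FM4", "U7", "charger over-voltage damages both cells", "critical",
                [Mitigation("redundancy", "fall back to BT2", relies_on="BT2",
                            independent=True, second_means_failure_negligible=True)]),
    FailureMode("FM5", "BT2", "cell damaged by charger fault", "critical", caused_by="FM4"),
    FailureMode("FM6", "Q4", "driver MOSFET short causes free flow", "catastrophic",
                [Mitigation("prevention", "standard MOSFET", derating_factor=1.2),
                 Mitigation("detection", "monthly self-test", check_interval_h=720, use_interval_h=8)]),
]

if __name__ == "__main__":
    for fm_id, reason in analyse(WORKSHEET):
        print(fm_id, reason)
```

Two rows fail on purpose: FM4 claims the second battery as redundancy, but the charger fault it describes also damages that battery (FM5 is caused by FM4), so the cascade rule strips the credit; FM6 claims an under-de-rated COTS part plus a monthly self-test on a device used every shift, which is exactly the detection-rate mismatch described under Detection below.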
Let’s look at these a, b, c categories with a few examples to get a flavor of how this works.
A - Prevention: Component failures that impact basic safety and/or essential performance with severe hazards that can’t be mitigated by redundancy or detection drive the need for prevention. This is a risk control measure (mitigation) that reduces the probability of occurrence of a particular failure mode by preventing the failure mode from occurring in the first place (driving higher reliability). Prevention can be accomplished by increasing the design margin of commercial off-the-shelf (COTS) parts or by using Components with High Integrity Characteristics (CHIC). The analysis can be conducted hierarchically (start at the block level, then dive deeper). For each subassembly or component in the safety or essential performance chain, analysis is performed and the failure mode is mitigated either by proper de-rating of COTS parts or by the use of CHICs.
COTS: Use of standard parts such as resistors, capacitors and mechanical fasteners with proper de-rating applied. Clause 4.8 requires components to be used within their specified ratings. With de-rating they are considered inherently reliable over the expected service life of the ME Equipment. Examples are power ratings for resistors or voltage ratings for capacitors chosen at more than 2x the worst-case environmental/functional stress.
CHIC: Clause 4.9 states that a component with high-integrity characteristics shall be used where a fault in a particular component could generate an unacceptable risk. Such components may meet relevant IEC or ISO standards, which serves as evidence when combined with type testing. If not, they can be tested according to the 60601-1 series.
| Scenario | Prevention Mitigation |
| --- | --- |
| Vital physiological measurements maintaining specifications. | Essential Performance: Each component in the signal processing chain is analyzed and documented to be operated within its specification by a significant margin. Components are protected from exposure to parameters outside their tolerances. |
| Diagnostic sensing within the coronary vessels using electrical signals. | Safety: Use of a CHIC component to provide a cardiac floating level of electrical isolation during an electrical fault in the system or during defibrillation. The CHIC component meets an IEC standard, with certifications. |
B - Detection: A detection mitigation detects the occurrence of a particular failure mode of a module and/or component before the loss of the affected function leads to a hazard or harm. Self-tests, diagnostic monitoring circuits and/or software, and integrity checks with alarms are all examples of detection schemes designed to inform the user before a hazard has the opportunity to cause harm. The detection rate matters for appropriateness: performing a self-test once per month on a device used multiple times a day is not an appropriate detection scheme, whereas measuring the impedance between defibrillation paddles before administering a shock is an appropriate detection scheme for paddle electrode placement.
| Scenario | Detection Mitigation |
| --- | --- |
| Infusion pump flow rate detection for occlusion or free flow. Vital sign monitor circuitry ongoing diagnostics. | Essential Performance: Infusion pump self-monitors drip rate against the setting and then alarms or enters a safe mode when outside the tolerance window. Essential Performance: Monitor checks reference voltages and signal levels on an ongoing basis while monitoring and alarms when outside the tolerance window (internal fault alarm as opposed to a patient vital sign alarm). |
| Applied part temperature. Applied part current. | Safety: Instrument monitors its applied part temperature against safe limits and alarms when the applied part exceeds a safe temperature. Safety: Instrument monitors applied part current (in HW or SW), folds back the current and alarms if excessive current is detected. |
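The infusion pump row above describes a runtime detection means: compare what is delivered against what was programmed on every sample, alarm once the deviation persists, and fall back to a safe state in the hazardous direction. As an added example (not code from the post or from Qserve), here is that logic run over a constructed stream of flow samples. The ±10 % band, the three-sample persistence, the sensor's physical range and the sample values are all assumptions; note the separate internal-fault alarm for an implausible sensor value, which is the "technical alarm as opposed to a patient alarm" distinction from the table.

```python
"""Detection means for an infusion pump (EP example in the table above): the
pump compares measured flow with the programmed rate every sample, raises a
delivery alarm once the deviation persists, and enters a latched safe (stopped)
state on free flow, the hazardous direction. Implausible sensor values raise an
internal fault alarm instead of a delivery alarm.

Added illustration, not code from the post or from Qserve; the tolerance band,
persistence count, sensor range and sample data are constructed assumptions."""

from dataclasses import dataclass, field


@dataclass
class FlowMonitor:
    set_rate_ml_h: float
    tolerance: float = 0.10           # +/-10 % of the programmed rate (assumption)
    persist_samples: int = 3          # consecutive out-of-window samples before acting (assumption)
    sensor_max_ml_h: float = 2000.0   # physical range of the flow sensor (assumption)
    state: str = field(default="RUNNING", init=False)
    _low: int = field(default=0, init=False)
    _high: int = field(default=0, init=False)

    def sample(self, measured_ml_h):
        """Process one flow sample; return the event raised, or None."""
        if self.state == "STOPPED":
            return "STOPPED"          # latched: needs clinician intervention to restart
        # Implausible sensor value: technical (internal fault) alarm, not a delivery
        # alarm, and it is not counted toward either delivery direction.
        if measured_ml_h is None or not 0.0 <= measured_ml_h <= self.sensor_max_ml_h:
            self._low = self._high = 0
            return "INTERNAL_FAULT_ALARM"
        lo = self.set_rate_ml_h * (1.0 - self.tolerance)
        hi = self.set_rate_ml_h * (1.0 + self.tolerance)
        if measured_ml_h < lo:
            self._low, self._high = self._low + 1, 0
        elif measured_ml_h > hi:
            self._high, self._low = self._high + 1, 0
        else:
            self._low = self._high = 0
            return None
        if self._low >= self.persist_samples:
            return "OCCLUSION_ALARM"  # under-delivery: alarm, pump keeps running
        if self._high >= self.persist_samples:
            self.state = "STOPPED"    # free flow is the dangerous direction: stop first, then alarm
            return "FREE_FLOW_ALARM_SAFE_MODE"
        return None


def run(samples, set_rate_ml_h=100.0):
    """Feed a sequence of samples through one monitor; return the event per sample."""
    monitor = FlowMonitor(set_rate_ml_h)
    return [monitor.sample(s) for s in samples]


# Constructed sample stream (mL/h) at a programmed 100 mL/h: normal, occlusion,
# recovery, a sensor glitch, then free flow.
SAMPLES = [100, 98, 102, 85, 84, 86, 100, 2500, 130, 140, 135, 100]

if __name__ == "__main__":
    for value, event in zip(SAMPLES, run(SAMPLES)):
        print(f"{value:>6} mL/h -> {event}")
```

The persistence count is the knob that trades nuisance alarms against detection latency; in a real design it is derived from how much volume can be mis-delivered before harm, which is the risk analysis input the post keeps pointing back to.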
C - Redundancy: Redundancy is what first pops into mind for being single fault safe. A redundancy mitigation (risk control measure) is a completely independent backup electrical circuit, redundant mechanical design, backup software or clinical method that ensures a failure mode in the primary component won’t result in an unacceptable risk. A couple of examples for Safety and Essential Performance are below:
| Scenario | Redundancy Mitigation |
| --- | --- |
| Power loss due to failure in primary power. | Essential Performance: Portable emergency vital sign monitor uses a battery. Power system designed to use two batteries with neither one influencing the other if there is a failure in one. Essential Performance: Backup power source (battery or a second supply) for a life support device. |
| Energy or fluid delivery to patient. | Safety: Redundant energy or fluid delivery sensors to assure the appropriate amount is delivered. Voting scheme employed with multiple sensors to assure safe operation. Safety: Two or more distinct control actions required to initiate delivery of fluid or energy. |
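The second row above names two redundancy means without saying how they behave when a channel fails, which is the part a reviewer asks about. As an added example (not code from the post or from Qserve), here is a 2-out-of-3 vote over three delivery sensors that keeps delivering on one outvoted channel, stops when no two channels agree, and a two-action interlock (arm, then confirm) in front of delivery. The agreement band, dose limit and sensor readings are constructed assumptions for a hypothetical device.

```python
"""Redundancy means from the table above: three independent delivery sensors are
combined by 2-out-of-3 voting, so a single failed sensor neither stops therapy
nor lets an overdose go unnoticed, and delivery is only enabled after two
distinct control actions (arm, then confirm) rather than one.

Added illustration, not code from the post or from Qserve; the agreement band,
dose limit and sensor values are constructed assumptions for a hypothetical device."""


def vote_2oo3(readings, agree_tol):
    """2-out-of-3 vote over three channel readings.

    Returns (value, status): 'OK' when all channels agree pairwise, 'DEGRADED'
    when one channel is outvoted (still safe, flag it for service), 'FAULT' when
    no two channels agree (there is no trustworthy value)."""
    a, b, c = readings
    agreeing_pairs = sum(abs(x - y) <= agree_tol for x, y in ((a, b), (a, c), (b, c)))
    if agreeing_pairs == 0:
        return None, "FAULT"
    # With at least one agreeing pair, the median is always a member of an agreeing pair.
    median = sorted(readings)[1]
    return median, "OK" if agreeing_pairs == 3 else "DEGRADED"


class DeliveryInterlock:
    """Delivery controller: two distinct actions to enable, 2oo3 sensing to stay enabled."""

    def __init__(self, dose_limit, agree_tol):
        self.dose_limit = dose_limit
        self.agree_tol = agree_tol
        self.armed = False
        self.enabled = False

    def arm(self):
        self.armed = True

    def confirm(self):
        # Second, distinct action: has no effect unless the first was taken.
        if self.armed:
            self.enabled = True

    def stop(self):
        self.armed = self.enabled = False  # re-enabling needs both actions again

    def step(self, readings):
        """One control cycle with the three sensor readings; returns the action taken."""
        if not self.enabled:
            return "IDLE"
        value, status = vote_2oo3(readings, self.agree_tol)
        if status == "FAULT":
            self.stop()
            return "STOP_SENSOR_FAULT"
        if value > self.dose_limit:
            self.stop()
            return "STOP_OVERDOSE"
        return "DELIVER" if status == "OK" else "DELIVER_DEGRADED"


def demo():
    """Constructed scenario; returns the sequence of actions for inspection."""
    ctl = DeliveryInterlock(dose_limit=50.0, agree_tol=0.5)
    actions = []
    ctl.confirm()                                 # confirm without arm: must not enable
    actions.append(ctl.step((10.0, 10.1, 10.2)))  # IDLE
    ctl.arm()
    ctl.confirm()
    actions.append(ctl.step((10.0, 10.1, 10.2)))  # DELIVER
    actions.append(ctl.step((10.0, 10.1, 48.0)))  # DELIVER_DEGRADED (one sensor outvoted)
    actions.append(ctl.step((60.0, 60.2, 59.9)))  # STOP_OVERDOSE
    actions.append(ctl.step((10.0, 10.1, 10.2)))  # IDLE (needs arm + confirm again)
    ctl.arm()
    ctl.confirm()
    actions.append(ctl.step((10.0, 30.0, 50.0)))  # STOP_SENSOR_FAULT
    return actions


if __name__ == "__main__":
    print(demo())
```

The DEGRADED status is what makes the voting a valid single fault means under criterion b) as well as c): the first sensor failure is both tolerated and reported, so it gets serviced before a second sensor can fail.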
Single Fault Analysis is rigorous, involves the entire system and is documented. It may result in specific tailored mitigations for specific single fault conditions (SFC), or it may consist of broader mitigations that cover a series of SFCs. It is designed in, tested and documented, which may result in a set of records for the various areas of the architecture. It is an important part of Safety & Essential Performance testing and is to be performed in conjunction with risk analysis throughout.
At Qserve we have detail-oriented engineering, quality, regulatory and clinical resources to assist with defining Essential Performance and performing Risk Analysis and Single Fault Analysis. It is our passion to embrace the details necessary to assist our clients in getting their medical and in-vitro diagnostic devices onto the highly regulated global market.

