Blog

Essential Performance & Single Faults – Gray Issues for Grey Matter! (Part 1 of 2)

Why is it that the “wise” are so uncertain yet the “fool” so certain?!  We live in a gray world, heck even the spelling of gray is grey! In the spirit that nothing is absolute I’d like to attempt to clarify a couple areas that can be gray and hence challenging to navigate. The intent here is to help remove some uncertainty, yet not foolishly, as it will always remain a bit gray (see story problem blog).

 

My original plan was to discuss single fault conditions (SFC) as called out in the IEC 60601-1 Medical Device Electrical Safety & Essential Performance Standard. Unfortunately, SFC needs some context and because of this and the desire to be concise this will be a two-part blog. Part 1: Essential Performance with a splash of Safety (the context) and Part 2: Single Fault Conditions.

The 3rd Edition of IEC 60601-1 was published back in 2005 and one of the big changes (besides risk) was it went from Basic Safety to Basic Safety & Essential Performance.  Now in the spirit of full disclosure, during my product development days, 60601-1 was a big hurdle and was considered “Safety Testing” with little emphasis on essential performance. “Safety Testing” included the collateral 60601-1-2 (Electromagnetic Compatibility or EMC), usability (60601-1-6 now superseded by 62366-1), programmable electrical medical systems (PEMS now replaced with 62304) and any particular “safety tests” 60601-2-XX (see below):

Note: the horizontal “collateral” standards tend to apply across the board for medical devices (as appropriate) while the vertical “particular” standards focus on specific product clinical domains. Collateral standards like EMC require essential performance be monitored for unacceptable impacts. The particular standards prescribe more on testing essential performance critical specifications since they are domain oriented (i.e., pressure signal or ECG signal accuracy).

With the above framework we can now discuss essential performance with a splash of safety as this lays the foundation for our subsequent discussion on single faults. First the splash of safety: 

I’m briefly mentioning safety because safety is easier to understand. Safety is indeed paramount for medical devices as fundamental to place on the market; safe and effective. Basic safety of a medical device is defined (60601-1) as: “Freedom from unacceptable risk directly caused by physical hazards when medical electronic equipment is used under normal condition and single fault condition.”  In this context we are referring to physical hazards. Hazards are a potential source of harm, and this is what we are ultimately trying to avoid while still providing clinical benefit.

The technology employed in a medical device and its application generally create inherent hazards such as electrical hazards (mains voltage), thermal hazards (hot components), and mechanical hazards (sharp edges, moving parts, etc.).  During design and development, the risks are analyzed by identifying the hazards. Hazards are then analyzed to reduce the likelihood they will occur and create harm under normal and single fault conditions. We will discuss some of these techniques in the 2nd part of this blog regarding single fault conditions. Safety is critical and a whole lot can be said regarding it in medical devices and in vitro diagnostics (IVDs), and because it is somewhat understandable, safety is not so gray/grey. 

Related to our goal to have a discussion on single fault conditions (SFC) and what we’ll tackle next, is the less understandable element, essential performance.  Essential performance is defined (60601-1) as: “Performance of a clinical function, other than related to basic safety, where loss or degradation beyond the limits specified by the manufacturer results in an unacceptable risk.” To further clarify, a note is added to the definition (60601-1): “Essential performance is most easily understood by considering whether its absence or degradation would result in an unacceptable risk.”

Even with this note, it is still gray, compelling the IEC to issue an interpretation sheet (Interpretation Sheet ISH1 on Essential Performance & SFC). Which BTW, FDA recently added to its recognition of AAMI ES60601-1; https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfStandards/detail.cfm?standard__identification_no=43309

The purpose of the interpretation sheet is to clarify section 4.3 of IEC 60601-1 which is where essential performance is discussed.  The interpretation sheet explains and interprets without adding any new requirements and is a “must-read” for manufacturers, National Recognized Testing Laboratories (NRTLs), and Notified Bodies. The interpretation sheet is valid from the date of publication, no transition period.

Before we glean out a few tidbits from the interpretation sheet, there are a few thoughts I’d like to share. Historically essential performance has been treated seriously by some manufacturers but not so much by others. I’ve seen, the unfortunate organizational integrity scenario, where a medical device is promoted as a “clinical must have” by the manufacturer but it doesn’t have an essential performance. It is indeed possible for medical devices not to have essential performance because a fault in them does not lead to unacceptable risks, but this should all be well documented in the risk management file. Devices without risk often have no clinical benefit. Quantifying the clinical benefit in the risk management file is key to fully documenting and understanding essential performance.

Unacceptable risks need to be clearly defined at the senior level. I’ve seen where the more junior project team members are saddled with grappling to define essential performance and unacceptable risks when these can clearly be defined for a product line and domain by the senior level (Clinical, Regulatory, R&D, Quality) personnel of the organization. This is more important than ever now that essential performance is getting more and more attention from regulators and test labs with its addition to the standard. It permeates throughout the collateral and particular standards and hence is evaluated just like safety has always been.

 If we compare basic safety with essential performance, we find basic safety is general to the device while essential performance is specific to the device’s clinical function:

Attribute

Basic Safety

Essential Performance

Mechanical

System support breaks.

(Mechanical injury to user or patient)

Mechanical Ventilator fails. (Lack of therapeutic air delivery)

Electrical

High voltage or excessive currents present to users or patient. (shock)

Diagnostic sensor signals out of specification. (Misdiagnosis).

Thermal

Device overheats. (Burns user or patient).

Blood bag refrigerator cooling unit fails. (Loss of blood vitality)

Radiation

User/patient exposed to unintentional radiation. (burn, carcinogenic)

Intentional radiation not applied to correct area. (Lack of therapeutic benefit – harm to adjacent tissue.)

Applicability

Generic, not specific to a particular device.

Device specific pertaining to its function/performance.


Another way to think about essential performance is by understanding its link in the care-providing chain. Caregivers apply a medical device to the condition at hand expecting the device to perform a needed clinical function. When the device fails to perform its function as depended upon, harm can be created which may create an unacceptable risk.

When we only focus on safety during risk analysis, type testing, and outside agency testing, we miss key risks associated with the medical device failing to perform. Hence the need to identify essential performance early in development and manage it like safety throughout the development.  The IEC interpretation sheet outlines the steps manufacturers should take to define their essential performance:

Step

Description

Example

1

Identify performance, other than that related to basic safety, that is necessary to achieve the intended use or that could affect safety.

An automatic defibrillator or AED, detects the heart’s electrical activity to determine if a shock should be delivered.

2

Specify performance limits between fully functional and total loss of the identified performance in both 1) normal and 2) single fault conditions

AED correctly identifies ventricular tachycardia or other criteria on the ECG. These limits may come from data sources such as the AHA (American Heart Association) on sensitivity and specificity.

3

Evaluate the risk from loss or degradation of the performance beyond specified limits.

False Negative: No shock is delivered when a shock should be delivered.

False Positive: Shock is delivered when no shock should be delivered.

4

Implement risk control measures to reduce these risks to an acceptable level for both normal & single fault conditions.

High integrity components, redundant detection paths, self-diagnostics, error communications etc. (Topic of 2nd Blog).

5

Assess and determine which risk control measures need verification of effectiveness.

From above, establish how to test the mitigations under normal and identified single fault conditions. What are pass/fail criterial in terms of performance and residual risks.

6

Specify methods for verification of risk control measures.

Establish verification test plans and include EMC, safety, user testing, particular standards in assessing mitigations. Apply the same pass/fail performance criteria during EMC, safety etc. testing.

 

Essential performance can be degraded under single fault conditions if the degradation is within acceptable risks limits. We will discuss degradation more in part 2 but at a basic level, it means the medical device still performs under a single fault condition but not necessarily within the same specified limits (as long as it doesn’t create an unacceptable risk). These kinds of analyses are gray and require wisdom, logic, and transparency. Software is also not off the hook. Software is now a significant component of high-risk medical devices and integrated into the essential performance path. Software monitors/controls life support equipment, medicine injections, infusion pumps, image analysis, etc. 

Given the above, essential performance should be a bit less gray, a new appreciation of essential performance gained, and along with our understanding of safety, we can next tackle (part 2) what we mean by single fault conditions (with a splash of normal conditions).

Qserve is able to help manufacturers define essential performance(s), since there may be several for a given device. Qserve’s team of clinical, regulatory, risk/useability experts, and technical experts routinely work with many manufacturers navigating through these gray areas. 

Post date: August 18, 2022
Tags
How can we help you? Contact us