Challenges for Single-Fault Safety in Medical Devices

TÜV SÜD examines obstacles in the development of safe electrical or electronic medical devices.

Dr. Abtin Rad, global director, functional safety, software, and digitization

February 23, 2022

[Figure: Funktional teilweise sicher (partially functionally safe). Figure by Abtin Rad/TÜV SÜD]

Designers and developers of medical devices are aware of the relevance and risks involved in single faults, which must be avoided in all states of operation. However, the dynamics of development, technological progress, and the normative framework require in-depth expertise—especially for innovative equipment.

From a regulatory and technical perspective, it is very clear why single-fault safety should be ensured in electrical, electronic, and programmable electronic medical equipment (E/E/PE systems). For example, the drug dose delivered by an infusion pump must never be too high or too low, and a neonatal incubator for premature newborns must safely and reliably keep the temperature within narrow limits, never going above or below those limits even in the case of a malfunction.

However, in practice, the types of equipment posing additional challenges for manufacturers are mostly far more complex, including X-ray devices, MRI scanners, or machines for extracorporeal membrane oxygenation (ECMO). To make matters worse, technical standards are not always unambiguous. This is also made clear by Interpretation Sheet IEC 60601-1:2005/AMD1:2012/ISH1:2021, published in March 2021 by the International Electrotechnical Commission (IEC). [1]

Less Leeway for Interpretation

The document underlines that the basic standards do not provide satisfactory answers to important questions, such as: How can manufacturers ensure the functional safety of their medical equipment and document it in line with the requirements for market access? Which requirements do software, control systems, and safety devices have to fulfill? Which system and safety architectures are suitable for continuing to maintain key functions of the equipment and protect patient and user safety even in the event of a fault?

The legal framework applicable in the European Union is established by the Medical Device Regulation (EU) 2017/745, also referred to as MDR. [2] It describes all requirements that must be fulfilled by the manufacturers or distributors (e.g., importers) of medical equipment before they are allowed to place their products on the European market. However, the requirements related to functional safety are kept relatively generic. For example, in Annex I, the regulation includes the following requirement for single-fault safety: “In the event of a single-fault condition, appropriate means shall be adopted to eliminate or reduce as far as possible consequent risks or impairment of performance.” [3]

Two Options for Medical Device Design and Architecture

Basically, this results in two options for product design and system architecture. Either the product design and system architecture are such that the possibility of single faults is completely eliminated, or manufacturers carry out risk analyses, thereby ensuring (1) that the occurrence of a fault is highly unlikely or (2) that its consequences are of minor or negligible severity. Depending on the complexity of a device, full exclusion of single faults may be impossible.

[Figure: Safe Architecture]

The IEC 60601 standard series describes these two options in greater detail. [4] The standard presents the state of the art in medical equipment and defines the basic functional safety and essential performance requirements, particularly in Part 1. However, it likewise fails to provide designers and developers with any explicit requirements or explanations of how single-fault safety of a medical device can be implemented, tested, and documented in compliance with legal requirements for accessing the respective markets. Again, the standard only refers to risk management according to ISO 14971 in that context. [5]

It further fails to describe in sufficient detail the potential sources of malfunctions, including latent faults, or the possible measures to prevent them. Latent faults are, by definition, faults that remain undetected; they cause inconspicuous malfunctions in the safety devices and monitoring systems themselves. When an actual single fault then occurs, these safety devices and systems fail to function correctly and do not, for example, trigger an alarm. Admittedly, the Interpretation Sheet issued by the IEC shows how the concept of single-fault safety is applied to essential performance and clinical function. It also includes requirements related to documentation (Sections bb 1 to bb 6) and its review. However, this document likewise does not provide satisfactory answers to the questions of how single-fault safety can be achieved and tested while taking latent faults into account.
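To make the latent-fault problem concrete, here is an added illustration that is not part of the article: a temperature limit monitor of the kind the incubator example implies, whose alarm comparator can fail silently, together with a periodic self-test that injects a known out-of-range stimulus so that a dead alarm path is discovered before a real single-fault condition depends on it. The limits, test interval and fault model are constructed assumptions for the example.

```python
# Added example (not from the article): a limit monitor whose alarm comparator
# can suffer a latent fault, plus a periodic self-test that reveals that fault.
# Limits, self-test interval and the fault model are constructed for illustration.
from dataclasses import dataclass, field

LOW_C, HIGH_C = 36.0, 37.5      # constructed incubator limits, not from the article
SELF_TEST_EVERY = 10            # proof-test interval in samples (constructed)
TEST_STIMULUS_C = 45.0          # known out-of-range value injected by the self-test


@dataclass
class AlarmComparator:
    """Safety device: decides whether a reading violates the limits."""
    stuck_ok: bool = False      # constructed latent fault: always reports "in range"

    def out_of_range(self, temp_c: float) -> bool:
        if self.stuck_ok:
            return False        # the fault hides every violation, silently
        return temp_c < LOW_C or temp_c > HIGH_C


@dataclass
class Monitor:
    comparator: AlarmComparator = field(default_factory=AlarmComparator)
    samples_seen: int = 0
    latent_fault_detected: bool = False   # latched once a self-test fails

    def self_test(self) -> bool:
        """Inject a stimulus that must trip the comparator; a miss is a latent fault."""
        if not self.comparator.out_of_range(TEST_STIMULUS_C):
            self.latent_fault_detected = True
        return not self.latent_fault_detected

    def sample(self, temp_c: float) -> str:
        """Process one reading and return 'OK', 'ALARM', or 'SAFE_STATE'.

        SAFE_STATE means the monitor can no longer trust its own alarm path
        and must fall back to a safe condition instead of reporting OK."""
        self.samples_seen += 1
        if self.samples_seen % SELF_TEST_EVERY == 0:
            self.self_test()
        if self.latent_fault_detected:
            return "SAFE_STATE"
        return "ALARM" if self.comparator.out_of_range(temp_c) else "OK"


if __name__ == "__main__":
    faulty = Monitor(AlarmComparator(stuck_ok=True))
    # Without the self-test a 38.0 °C reading would be reported as OK;
    # the tenth sample runs the self-test and forces the safe state instead.
    print([faulty.sample(38.0) for _ in range(10)])
```

Without the self-test the faulty monitor reports every reading as OK, which is exactly the inconspicuous malfunction described above; the periodic stimulus is what turns the latent fault into a detected one.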

Finding Possible Solutions in Other Sectors

In view of the above, the manufacturers, designers, and developers of medical equipment are well-advised to gain an overview of the basics and principles of functional safety beyond industry- and technology-specific standards. Additional guidance, for example, can be found in the standards of the EN 61508 series. They serve as basic safety standards for all sectors of industry that rely on E/E/PE systems in safety-related applications where their functional safety must be ensured at all times.

In the case of design and development of innovative and complex medical devices that might involve major health risks for patients or users in the event of faults, it may prove worthwhile to take the odd excursion into other sectors of industry, where malfunctions of E/E/PE systems can cause equally severe consequences (e.g., the process industry, nuclear power, or the rail industry). Third parties with expertise and a long track record in widely varied safety-related sectors of industry, such as TÜV SÜD, can provide significant impetus to designers and developers and help them to identify any potential sources of errors—for example, in system architecture, software, or even improper operation—and develop possible solutions.


[1] IEC 60601-1:2005/AMD1:2012/ISH1:2021: Interpretation Sheet 1 – Amendment 1 – Medical electrical equipment – Part 1: General requirements for basic safety and essential performance.

[2] Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC.

[3] Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Annex I, 17.1.

[4] IEC 60601-1: Medical electrical equipment – Part 1: General requirements for basic safety and essential performance.

[5] ISO 14971:2020-07: Medical devices – Application of risk management to medical devices.

About the Author(s)

Dr. Abtin Rad

global director, functional safety, software, and digitization, TÜV SÜD Product Service GmbH

Dr. Abtin Rad serves as global director, functional safety, software, and digitization, for TÜV SÜD Product Service


TÜV SÜD Product Service GmbH
Medical & Health Services
Ridlerstraße 65
80339 Munich