In 2000, the International Organization for Standardization (ISO) published a document that describes a holistic approach to understanding and controlling the risks associated with medical devices. ISO 14971 was developed by a joint working group composed of technical experts from ISO Technical Committee (TC) 210, which is responsible for publication of medical device quality systems standards, and IEC TC 62, which publishes electrical medical device standards, including IEC 60601-1.[1,2]
The new ISO standard expands on conventional risk assessment processes such as identifying hazards and estimating risk. The standard includes the evaluation of whether risks are acceptable (risk evaluation), the introduction of risk reduction techniques for unacceptable risks (mitigations or risk control methods), and validation that the risk control methods have adequately reduced the risk. It also introduces the concept that even when individual risks are deemed acceptable, the overall residual risk (the aggregate risk presented by a device) may still be unacceptable and may require further mitigation or risk control. Finally, ISO 14971 recognizes that identifying, estimating, and controlling risks during the product development process is at best an enlightened guessing game and must continue throughout a product's life cycle.
The reasons for IEC-TC 62's participation in the creation of ISO 14971 were twofold. The first reason was that one of the committee's standards already contained the core of what would eventually be known as risk management. That standard was IEC 60601-1-4, the collateral standard for ensuring the safety of programmable electrical medical systems. The second reason was that TC 62 had decided to introduce a requirement to implement risk management in what would become the third edition of IEC 60601-1, which was published in December 2005.
However, the officers of TC 62 could not have anticipated how critical ISO 14971 would become for all of the standards in the IEC 60601 series. The IEC 60601-1-X collateral standards that are now mandatory for compliance with the 60601-1 general standard also invoke the requirements of ISO 14971 directly or by implication. By following the process of identifying essential performance for a simple device, this article examines some of the explicit and implicit risk management requirements of IEC 60601-1 and two of its collateral standards. In doing so, this article attempts to help device manufacturers understand how ISO 14971 is the thread that ties the IEC 60601 series of standards together.
It is important to begin by looking at the IEC 60601-1 general standard. Most notably, Clause 4.2 of the standard requires that manufacturers have a risk management system compliant with ISO 14971 in place and that the system is applied to the device being evaluated. This requirement has been a significant source of concern and discussions among certification bodies.
Although certification body employees responsible for product certifications generally have significant expertise when it comes to measurement and testing, most are not experienced in auditing quality systems. Furthermore, although many major certification bodies (UL, CSA, TÜV, etc.) have quality systems auditing divisions, there is currently no standardized criterion for compliance with ISO 14971. This lack of a criterion explains why some auditors accept risk management systems that others do not. The lack of experience and consistency is likely to result in inconsistent risk management evaluations.
Some certifiers may perform only superficial reviews of a manufacturer's risk management systems while others not only review compliance with the ISO 14971 standard but also critique the decisions made during execution of the process. Inadequate evaluations could result in a certification that is not accepted by regulatory authorities or by certification bodies in other countries. Overzealous auditors might be tempted to critique likelihood or severity estimates or even the effectiveness of mitigations, all of which are outside of the scope of their responsibility.
Currently, certification bodies participating in the IEC CB Scheme (the system that generates test reports acceptable to all participating certification bodies) are trying to develop the needed criteria. But the fact that this effort has been in process for more than a year indicates that there is not universal agreement.
Nonetheless, manufacturers need to focus on the requirements of the new 60601-1 standard in terms of establishing and applying risk management to the device being certified. According to the compliance criteria for Clause 4.2, certifiers are to verify that
- The manufacturer has established a risk management system compliant with ISO 14971.
- The manufacturer has established what constitutes acceptable levels of risk.
- The manufacturer can demonstrate that all risks associated with the device are acceptable in accordance with its own risk acceptance policy.
In addition to the general requirements related to risk management contained in Clause 4 of the standard, there are more than 85 requirements in the new 60601-1 standard that address performing analyses and risk management.
Essential Performance and Single-Fault Safety
Clause 4.3 of IEC 60601-1 requires the manufacturer to identify essential performance by applying risk management. To determine which aspects of a device's performance are essential, it is first necessary to list all aspects of performance as potential sources of harm (i.e., hazards). For each function, the firm must determine whether operation in excess of or below the specified level of performance would result in harm. The levels of performance at which harm would occur establish the range of operation that constitutes essential performance. If variation in a given performance characteristic does not result in injury, then it is not essential performance. (Note: Some types of medical devices might not have any essential performance characteristics.)
For example, a warming blanket is used to treat hypothermia. Establishing essential performance for this product might include the following analysis: An unintentional increase in temperature above the set point of more than 10% has been determined to be potentially harmful (from burning or other thermal tissue damage). Further analysis indicates that an unintentional decrease in temperature of the blanket by more than 30% will harm the patient. This is because when treating hypothermia, returning the patient's core temperature to an acceptable level as quickly as possible is critical to recovery. And it is unlikely that clinicians would immediately detect the blanket's failure to heat. Therefore, theoretical analysis suggests that essential performance of the blanket would be operation between 10% and –30% of the set point. (Please note that all numbers are for example purposes only and do not reflect real-world parameters.) All information justifying this conclusion, including test data, clinical research, and scientific literature, must be placed in the risk management file.
Keep in mind that failure to provide essential performance by definition results in unacceptable risk. And because acceptable risk must be maintained under normal and single-fault conditions (according to 60601-1, Clause 4.7), the manufacturer must maintain essential performance in both normal operation and during the failure of any one component of the device. This means that the blanket must maintain the set temperature (between 10% and –30%) even if a component fails. In this way, maintaining essential performance becomes a significant task.
The original evaluation determined that unintended increases in temperature of greater than 10% could result in tissue damage, but it did not consider time as a factor. Obviously, skin can abide short-term increases without damage but the question that arises is, “How long?” For purposes of this example, assume that (in the worst case) a 10% increase above the set point could be withstood for a period of 1 minute before tissue damage occurs. Assume also that operation at 30% below the set temperature can be experienced without harm for up to 10 minutes.
Clause 4.3 of 60601-1 indicates that identifying essential performance is the responsibility of the manufacturer based on its policy for acceptability of risk. However, documented analyses supporting the decision process must be in the risk management file. Finally, it should be noted that when a particular standard from the 60601-1 series identifies specific essential performance characteristics, manufacturers of equipment falling within the scope of those standards must provide significant justification for any deviations. Incidentally, IEC 60601-2-35 (Particular Requirements for Basic Safety and Essential Performance of Blankets, Pads and Mattresses, Intended for Heating in Medical Use) does specify essential performance for warming blankets. According to this standard, essential performance for these devices is maintaining +1°C or providing an alarm. Wider thermal ranges have been used for this article to better demonstrate the evaluation process.
If the system incorporates a protective device that stops the delivery of energy to the heating circuit within 45 seconds of exceeding the set temperature, it should be able to prevent injury caused by overheating. However, to maintain safety under single-fault conditions, the protective device must operate reliably (as determined through testing according to Clause 126.96.36.199) and independent of the thermostat and temperature-control circuitry. Also, once the protective device operates, the operator must be alerted that heating has been stopped so that action can be taken (such as replacing the blanket) before injury occurs. Such an alert would be considered a technical alarm.
Because this technical alarm is meant to prevent an undertemperature condition, it can also be used to alert the operator to failures in the thermostat or temperature-control circuitry that would stop heating. The undertemperature alarm should sound within two minutes of a failure that would stop heating. Based on the above assumptions, the overtemperature protection circuit and the technical alarm signal are risk mitigations that ensure that risks associated with under- or overheating of the patient are acceptable.
Table I. The IEC 60601-1 collateral standards. Note that applicable collateral standards must be applied.
Defining essential performance is one of the most critical tasks associated with risk management and with planning a compliance strategy for IEC 60601-1. Poorly thought out or badly described essential performance characteristics can make it nearly impossible to comply with the general and collateral standards of the IEC 60601 series. It is worth noting that the essential performance for the blanket is defined in compound terms: Temperatures are maintained within 10% and –30% of the set point or an alarm signal is generated that allows action to be taken before injuries occur. Obviously, such compound descriptions must become even more intricate and detailed as the complexity of the device increases. However, it is worth the time and effort to maintain the safety of the equipment (in terms of performance characteristics) in normal and single-fault conditions.
Keep in mind that the alarm signal is intended to maintain risk at acceptable levels. Therefore, the circuitry responsible for producing the alarm signals must be independent of the thermostatic system components for the blanket. If the same components that cause a temperature failure are also used to control the alarm, the mitigation is insufficient (based on Clause 4.7 of IEC 60601-1, which states that all subsequent failures arising from an initial failure are considered one single-fault condition). This logic is straightforward and is consistent with the 1988 publication of IEC 60601-1.
Still, we have not yet fully addressed essential performance. Designing an alarm system that is independent of the thermal controller ensures that the alarm signal will reliably sound when a temperature control system failure occurs (that it is “single-fault safe”). But can the operators recognize what the alarm signal is trying to tell them? Do they know what actions they need to take? Do they have the presence of mind to take that action? To answer these questions, manufacturers must go to another standard in the IEC 60601-1 series: IEC 60601-1-6, Usability Engineering.
Usability engineering is the process that helps to ensure that interactions between the operator and equipment will occur safely and as intended. IEC 60601-1-6, like most of the standards in the series, says to begin the usability engineering process with risk analysis. All risks associated with the interactions between the equipment (including labeling and the accompanying documents) and operators must be assessed through the application of usability engineering. This includes cases in which unintended actions by the operator (e.g., selecting an incorrect control or setting) could result in harm. It also includes cases in which information provided by the equipment (such as unclear or misleading information displayed by the equipment, or contained in labeling or the instructions for use) causes the operator to take inappropriate and hazardous actions. For each hazard associated with the man-and-machine interface, the manufacturer must identify a design requirement to ensure that the associated risk is maintained at an acceptable level (according to the manufacturer's risk acceptability criteria). These usability design requirements must be identified in a document called the Usability Specification. As with any specification, implementation of the usability requirements must be verified before release of the design. In addition, usability specifications must be validated to demonstrate that they effectively reduce risks to acceptable levels.
Studying how operators interact with the equipment in actual or simulated use can validate whether usability specifications adequately reduce risk. In planning the usability validation, it is necessary to determine how many individuals must participate in the study (sample size), what scenarios (simulations of real-life conditions) will be used, and what results are considered acceptable. In most cases, these activities can leverage similar studies performed as part of marketing activities (where customers are asked to interact with the device to determine whether it meets their expectations).
In the warming blanket example, use-scenario testing has helped validate that the operator understands that an alarm signal indicates that the blanket's thermal control has failed. Usability engineering has validated that the instructions for use help the operator understand the actions that must be taken when the alarm sounds.
The next step is to ensure that operators can discern the meaning of the alarm in an environment in which other equipment may be generating concurrent alarm signals. Although this last determination could be made through user studies, doing so would require an extensive list of use scenarios with an almost unlimited list of other pieces of equipment. The IEC 60601 series of standards offers an alternative.
Alarm Systems Collateral Standard
IEC 60601-1-8 is the collateral standard for safety of alarm systems. It defines the process for classifying different alarm conditions (potential sources of harm that initiate the alarm signal). This classification technique uses an approach similar to that of risk analysis. Each alarm condition is evaluated to determine the severity of harm that can occur when action is not taken. The alarm conditions are also ranked according to how quickly such harm will occur once the condition arises. Just as likelihood and severity are combined in a risk analysis, each alarm condition must be classified based on the immediacy of the required action and the severity of harm. Based on these criteria, every alarm condition and its associated alarm signal is classified as high, medium, or low priority.
The alarm system collateral standard allows manufacturers to provide unique alarm signals (defined in 60601-1-8) as long as they are validated as effective in conveying the intended information. This validation can be done through usability engineering compliant with IEC 60601-1-6. That said, a basic set of default audible alarm signals must be provided (with the manufacturer's unique alarm signals available as an option). The default set of audible alarm signals consists of a series of tone bursts. The pitch (frequency) of the tone must increase with priority (low pitch for low-priority alarms; high pitch for high priority). The standard also requires that the interval between bursts shortens as priority increases.
The standard also allows what are called intelligent audible alarm signals, meaning the priority of the alarm escalates with time. In other words, if the harm associated with an alarm condition is significant but the alarm sounds well before any harm would occur, it could begin as low or medium priority. As the time to react decreases, the priority of the alarm signal automatically escalates.
Let's return to the warming blanket and the undertemperature alarm example. It has been determined that the thermal control system can cease operation for 10 minutes without causing harm. It has also been decided that waiting two minutes (to prevent false alarms) before initiating the alarm signal is acceptable because it still allows eight minutes for operator action to prevent hypothermia. Based on these time frames, we can initiate the alarm signal as medium priority 2 minutes after the alarm condition arises. At 6 minutes after the alarm condition occurs (2-minute delay followed by a 4-minute medium-priority alarm signal), the alarm signal will escalate to a high priority because prompt operator response is required to prevent harm.
Implementing ISO 14971 into the product development process ensures compliance with Clause 4.2 of IEC 60601-1. The risk management process helps identify what constitutes essential performance for the blanket as directed by Clause 4.3 of the General Standard. In the case of the warming blanket, an alarm system helps keep the risk associated with essential performance at an acceptable level. To make certain the failure of the thermal control system (the alarm condition) does not disable the alarm, the alarm system circuitry is independent of the temperature controller in accordance with Clauses 4.7 and 13 of IEC 60601-1.
A usability engineering process, applied according to the IEC 60601-1-6 collateral standard, ensures that operators recognize the alarm signal and can take appropriate action. The IEC 60601-1-8 collateral standard dictates that the alarm signals must be heard and be able to convey the immediacy of the required action. The design of the warming blanket now adequately addresses the safety (freedom from unacceptable risk) of its performance under normal and single-fault conditions.
Although these activities may seem to take a lot of effort and resources, they actually address efforts that should always be made to confirm the safety of medical equipment. Incorporating risk management according to ISO 14971 into the third edition of IEC 60601-1 and developing collateral standards that define usability engineering and alarm systems development provides a structured methodology that will make these efforts productive and effective. Most importantly, using a state-of-the-art process provides organizations with increased protection in litigation and facilitates regulatory compliance.
Mike Schmidt is the principal consultant and owner of Strategic Device Compliance Services (Cincinnati). He can be contacted at [email protected].
1. ISO 14971:2000, “Medical Devices—Application of Risk Management to Medical Devices,” (Geneva, International Organization for Standardization, 2000).
2. IEC 60601-1, “Medical Electrical Equipment—Part 1: General Requirements for Basic Safety and Essential Performance,” (Geneva, International Electrotechnical Commission, 2005).