The Role of Risk Management in the New IEC 60601-1

Medical Device & Diagnostic Industry Magazine
MDDI Article Index

Originally Published MDDI January 2006

Regulatory Outlook

IEC 60601 is no longer a standard of absolutes. The third edition allows, and in some instances requires, safety features and test requirements to be modified on the basis of risk management.

By Harvey Rudolph and Charles Sidebottom
Underwriters Laboratories Inc. and Medtronic Inc.

The third edition of International Electrotechnical Commission (IEC) 60601-1 embodies a fundamental change in approach to consensus standards for medical devices. The document is no longer simply a test standard made up of definitive risk-control measures, prescribed safety limits, and specific test procedures. The third edition represents a transition from test specification to risk management and all the changes that such a transition entails. It is essential to examine the effect of these changes on third-party certifiers and how they will need to certify to the third edition.

History

The first edition of IEC 60601 was published in 1977. The second edition followed in 1988.¹ Over the next several years, the second edition was amended twice, and the current version of IEC 60601 emerged. IEC 60601 is really a family of standards encompassing the general standard (IEC 60601-1), six collateral standards (IEC 60601-1-X) that apply to all electromedical devices, and more than 50 particular standards (IEC 60601-2-Y) that modify the requirements of the general standard for particular electromedical devices. Throughout the development of the 60601 family of standards, the goal has been to produce a test standard that would ensure the basic safety of electromedical devices.

What has changed? First of all, experience with the standard demonstrated that the rapid growth in technology in many instances outpaced the ability of the standard to properly address basic safety requirements. In some instances, one or more of the requirements no longer made sense for some devices, or the requirements did not prove sufficient to ensure safety. There needed to be some way to ensure that the standard could keep up with technology.

Second, the sufficiency of addressing only basic safety came into question. Many electromedical devices are either life supporting or life sustaining. Failure of such devices to perform as intended can be a more significant risk to the patient than basic fire, shock, and mechanical hazards. Because of this, performance characteristics began to creep into the 60601 standards, especially the particular standards. At the heart of the matter was the question of what constituted “essential performance,” i.e., device performance necessary such that patients are not exposed to unnecessary or unacceptable risk. The various working groups of IEC Technical Committee (TC) 62 have struggled with this question with regard to the requirements of the general standard as well as for use in the particular standards. During the 1990s, the title of the particular standards evolved from “standards for safety” to “standards for safety and essential performance.”

Third, risk management has entered the vocabulary of both regulatory bodies and standards writers. Risk management was always an implicit part of standards writing. In developing a standard, hazards are identified, resultant risks are estimated and evaluated as to whether they need to be addressed, and performance criteria are set as risk-control measures. But with the development of ISO 14971, it became clear that risk management could also become an explicit part of standards.² Further, when regulatory bodies began to talk about risk management, standards writers listened. Regulatory bodies are significant drivers for standards development. They either allow the use of consensus standards to satisfy regulatory requirements or (in some cases) require conformity to consensus standards as a prerequisite for market entry. In either case, it is obvious that the second edition of IEC 60601 was not as effective as it could have been in establishing conformity to regulatory requirements.

For all these reasons, it was important to incorporate risk management more explicitly into IEC 60601. This was done by establishing ISO/IEC Joint Working Group 1 on Risk Management, which was made up of members of IEC Subcommittee (SC) 62A Working Group 15 and ISO TC 210 Working Group 4. In this way, the development of ISO 14971 and creation of the third edition of IEC 60601 could evolve along parallel paths. The output of the joint working group, ISO 14971:2000, became the basis for the risk-management process to be used in the third edition of IEC 60601. Various working groups incorporated risk management as part of the third edition and intricately wove the results of risk-management activities throughout the standard.

Many other changes that have occurred in the evolution of the third edition of IEC 60601-1 fall outside the scope of this article. An article by Michael Schmidt in the February 2005 issue of MD&DI provides a description of those changes.³

Risk Management in the Third Edition

To appreciate the effect on compliance with and certification to the third edition of the standard, it is important to look in some detail at how risk management and risk-management terminology are used in the third edition.4 Risk-management terminology is currently described in ISO 14971, which forms the basis for risk management in the third edition. Table I lists the number of times that individual risk-management terms are found in the third edition of IEC 60601.

However, the table is more than a statistical summary. It represents a basic change in philosophy. For example, manufacturers must have a risk-management process in place that conforms to ISO 14971 (subclause 4.2). The introduction to the third edition includes the statement “In all cases, the risk-management process will determine whether the requirements of this standard are appropriate and acceptable.” Therefore, manufacturers may use ISO 14971 to determine whether any requirement of the third edition is appropriate for their device, i.e., whether that requirement:

• Is applicable.

• Is not applicable.

• Can be replaced with an alternative requirement.

• Can be satisfied with alternative test criteria.

• Can be satisfied with alternative testing procedures.

The risk-management process is a powerful tool allowing manufacturers to tailor the requirements of the standard to the needs of the device. Note that such changes to the requirements of the third edition cannot be made arbitrarily. When manufacturers make such decisions, they do so by using criteria for acceptable risk that are established for their device based upon its intended use, regional or national regulations, and the current state of the art.

In addition to allowing manufacturers to challenge the validity of third-edition requirements through the risk-management process, the third edition frequently uses the results of the risk-management process to determine whether particular clauses apply to the device, and in what way. In some instances, specific parts of the risk-management process, such as risk analysis or risk assessment, are identified for choosing specific requirements to apply. Again, the requirements of the third edition are tailored to the device, as opposed to the device being tailored (designed) to requirements of the standard. The following examples demonstrate the range of decisions that must be made based upon the fact that a risk-management process (conforming to ISO 14971) is in place:

Clause 5.7: Where the risk management process suggests that the me equipment can be exposed to high humidity for extended periods (such as me equipment intended for outdoor use), the period shall be extended appropriately.

Clause 8.1 (b): single fault condition includes: . . . unintended movement of a component; but only if the component is not mounted securely enough to ensure that such movement will be very unlikely to occur during the expected service life of the me equipment, as determined by the risk management process.

Clause 8.3 (d): For a part that is identified according to 4.6 as needing to be subject to the requirements for an applied part (except for marking), the requirements for a type b applied part shall apply unless the risk management process identifies a need for the requirements for a type bf applied part or type cf applied part to apply.

Clause 11.2.2.1 (b): The following configurations, alone or in combination as appropriate (as determined by the application of the risk management process), are considered to provide an acceptable residual risk of fire in an oxygen rich environment . . .

Clause 13.2.6 (regarding leakage of liquid): A risk management process shall be used to determine the appropriate test conditions for the me equipment.

In some cases, specific issues must be addressed in the risk-management process:

Clause 4.6: The risk management process shall include an assessment of whether parts that can come into contact with the patient but fall outside of the definition of applied parts shall be subject to the requirements for applied parts.

Clause 7.9.1: accompanying documents may be provided electronically, e.g. electronic file format or CD-ROM. If the accompanying documents are provided electronically, the risk management process shall include consideration of which information also needs to be provided as hard copy or as markings on the me equipment, e.g. to cover emergency operation.

Clause 10.1.2: The manufacturer shall address in the risk management process the risk from unintended X-radiation from me equipment designed to produce X-radiation for diagnostic and therapeutic purposes.

Thus, the risk-management process has a controlling interest beyond the specific requirements of the third edition. This presents a significant philosophical change for third-party certifiers. Based on their risk-management process, including their establishment of criteria for acceptable risk, manufacturers will come to conclusions regarding the applicability of particular requirements. It is quite possible that two reasonable manufacturers of the same medical electrical equipment may come to different conclusions as to permitted deviations from the requirements of the standard or for actual risks to be addressed that are not addressed specifically in the standard. Hence, testing and certification protocols (including test conditions) can be highly device- and manufacturer-specific, and third-party certifiers can no longer take a general approach to testing. This does not mean that the need for product testing or for allowable limits can be disregarded arbitrarily. All changes require a rationale based upon an effective risk-management process.

The Risk-Management File

A risk-management file is required by both ISO 14971 and the third edition of IEC 60601. The risk-management file is not new to IEC 60601; it was introduced as part of the second-edition collateral standard on programmable medical electrical systems, IEC 60601-1-4.

There are more than 100 references to the risk-management file in the third edition, almost all as part of compliance statements. Thus, all of the evidence for decision making regarding application of specific requirements and modification of requirements should be found in the risk-management file. Third-party certifiers will almost certainly need all or part of the risk-management file to determine compliance with many of the provisions of the standard. Some typical examples of references to the risk-management file include:

Clause 8.4.2: Compliance is checked by inspection of the risk management file, by reference to the instructions for use and by measurement.

Clause 8.5.2.2: Compliance is checked by inspection, by the leakage current tests of 8.7.4, by the dielectric strength test of 8.8.3, by measurement of relevant creepage distances and air clearances, and by reference to the risk management file.

Clause 8.8.4.1: Compliance is checked by inspection of the me equipment and the risk management file and, if necessary, in conjunction with the following tests:

Clause 8.11.5: Justification for omission of fuses or over-current releases shall be included in the risk management file.

Clause 9.2.2.4.3: Compliance is checked by conducting any applicable tests and inspection of the me equipment and review of the risk management file.

Clause 9.2.3.2: Compliance is checked by inspection of the me equipment, the risk management file, specifications of materials used and the processing specifications for these materials.

Note that, occasionally, a manufacturer is directed to place certain information in the risk-management file, such as in Clause 8.11.5. This is additional evidence that the risk-management file will be essential for determining compliance with the third edition, from the point of view both of specific requirements and of compliance with ISO 14971.

Acceptability of Risk

Probably the thorniest problem that third-party certifiers will face is the use of the term unacceptable risk in the third edition. This term is used 115 times in the standard and is employed in making decisions on what features to include in the device as well as on what tests to perform and the pass/fail criteria for testing. The following are examples of how this phrase is used:

Clause 7.2.5: If me equipment is intended to receive its power from other equipment including me equipment in an me system and connection to another source could result in an unacceptable risk, the model or type reference of the specified other equipment shall be marked adjacent to the relevant connection point. See also 7.9.2.3, 8.2.1 and 16.3.

Clause 7.2.17: Where premature unpacking of me equipment or its parts could result in an unacceptable risk, the packaging shall be marked with a suitable safety sign (see 7.5).

Clause 8.5.2.3: The straight unjointed test finger with the same dimensions as the standard test finger of Figure 6 shall not make electrical contact with the said part if applied in the least favourable position against the access openings with a force of 10 N, unless the risk management process demonstrates that no unacceptable risk exists from contact with objects other than a mains socket or a flat surface (e.g. corners or edges).

Clause 9.2.2.4.4: If in a single fault condition of the protective measure, an unacceptable risk could arise, one or more emergency stopping function(s) in the me equipment shall be provided (see 9.2.4).

Clause 9.2.2.6: The overtravel (stopping distance) of such movement, occurring after operation of a control to stop the movement, shall not result in an unacceptable risk.

Clause 9.3: Rough surfaces, sharp corners and edges of me equipment that could result in an unacceptable risk shall be avoided or covered.

The third edition does not define unacceptable risk, but rather takes its cue from ISO 14971 as stated in clause 4.2:

Note 4: Where requirements of this standard refer to freedom from unacceptable risk, acceptability or unacceptability of this risk is determined by the manufacturer in accordance with the manufacturer's policy for determining acceptable risk.

Thus, the manufacturer sets the level of acceptable risk through which application of the standard is tailored to the device.

It is essential to remember that a manufacturer is not free to create the risk-acceptability criteria from whole cloth. ISO 14971, and consequently the third edition of IEC 60601-1, requires that a manufacturer's top management define and document the policy for determining criteria for risk acceptability. This policy must ensure that criteria are based upon applicable national or regional regulations and relevant international standards, and must take into account available information such as the generally accepted state of the art and known stakeholder concerns.

However, once the acceptability criteria are established, it is the intent of the writers of the third edition that this decision-making by the manufacturer be the overriding factor in certifying to the standard; i.e., third-party certifiers are prohibited from second-guessing the manufacturer on its choices of acceptable risks so long as its choices are based upon a risk-management process that conforms to ISO 14971. This is apparent from the compliance statement for subclause 4.2:

Compliance is checked by inspection of the risk management file. The requirements of this clause and all requirements of this standard referring to inspection of the risk management file are considered to be satisfied if the manufacturer has: established a risk management process;established acceptable levels of risk; and demonstrated that the residual risk(s) is acceptable (in accordance with the policy for determining acceptable risk).

Hence, third-party certifiers will be presented with conclusions based upon a process. As long as manufacturers have a process conforming to ISO 14971, the certifiers are prohibited from questioning the manufacturers' conclusions. A manufacturer will, however, need to provide evidence to the third-party certifier that its risk-management process does indeed conform to ISO 14971. The question naturally arises as to what level of evidence the third-party certifiers need in order to obtain such assurance.

Summary and Conclusions

It is clear that one key to certification of medical devices to the third edition of IEC 60601 will be an assessment of evidence of risk management. It is also clear that this assessment will be as important as conventional testing and review of documentation (as currently done for certification to the second edition). The minimum set of such evidence must be contained in the risk-management file for the device. The risk-management file will contain all of the rationale for the choice of acceptable risk and for the acceptability of risks that are analyzed. It will also be the reservoir of evidence for decisions noting whether a particular requirement applies or to justify the choice of a particular test limit.

However, in addition to assessing evidence that risk management was applied during the design and development of the device, the third-party certifier must also assess evidence that a manufacturer's risk-management system conforms to ISO 14971, i.e., that it has a management system in place that ensures continued vigilance for evidence of new or enhanced risks and that this information is used to improve device safety. All of the decisions made by a manufacturer rely on the fact that it has a functioning risk-management process conforming to ISO 14971 is in place.

What form would this evidence take? Would it be possible for a manufacturer to self-certify its conformity to ISO 14971? Perhaps, but experience with quality management system assessment suggests that self-certification may not be a valid way of demonstrating conformity for most manufacturers.

Would an ISO 13485:2003 certificate be sufficient evidence?⁵ Although ISO 13485 does require risk management, it is a very limited requirement, applying only during the product realization process. Risk management as defined by ISO 14971 would apply throughout the product life cycle, so the risk-management requirements of ISO 13485 would not be sufficient. Further, there is no specification in ISO 13485 for what type of risk management should be performed. One may use ISO 14971, but there is no mandate to do this (reference to ISO 14971 is part of an informative note). Hence, an ISO 13485 auditor looks for generic risk-management activities and does not assess conformity to ISO 14971 during the audit.

Perhaps the best and easiest way would be certification to ISO 14971 by a qualified auditor either at the time of IEC 60601 certification or as part of an ongoing audit assessment program.6 The auditor assessment would be similar to what is currently done for a quality management system registration. Lacking a certificate of compliance to ISO 14971, it would be up to the third-party certifier to assess for itself that the manufacturer's risk-management system complies with ISO 14971. This could be similar to what is currently done for assessing conformity to IEC 60601-1-4 (programmable medical electrical systems). Therefore, it is quite possible for third-party certification to IEC 60601, third edition, to involve an initial audit in addition to testing of the product and review of documentation. Whether such an audit would need to be conducted each time the manufacturer submits a significant modification to its device or submits an entirely new device for certification is a question that will need to be assessed as industry becomes more familiar with the standard.

With regard to the nonaudit portion of the certification, it is quite clear that this will mean a significant change in the third-party certifier's approach. No longer will the certification engineer live in a world of absolutes, such as required features and test limits. The third edition allows, and in some instances requires, decisions regarding safety features and test requirements to be modified on the basis of risk management, and the third-party certifier is prohibited from second-guessing the manufacturer. The first thing the third-party certifier may do is to review the risk-management file for those changes to the normally required safety features and the modifications to tests or test limits, carefully examining the rationale developed by the manufacturer based upon its risk-management process.

References

1. IEC 60601-1, “Medical Electrical Equipment—Part 1: General Requirements for Safety,” 2nd ed. (Geneva: International Electrotechnical Commission, 1988).

2. ISO 14971:2000, “Medical Devices—Application of Risk Management to Medical Devices” (Geneva: International Organization for Standardization, 2000).

3. Michael W Schmidt, “IEC 60601-1, 2005: A Revolutionary Standard, Part 1,” Medical Device & Diagnostic Industry 27, no. 2 (2005): 50–56.

4. IEC 60601-1, “Medical Electrical Equipment, Part 1: General Requirements for Basic Safety and Essential Performance,” 3rd ed. (Geneva: International Electrotechnical Commission, 2006).

5. ISO 13485:2003, “Medical Devices—Quality Management Systems—Requirements for Regulatory Purposes” (Geneva: International Organization for Standardization, 2003).

6. Harvey Rudolph, “Do We Need Medical Device Risk Management Certification?,” Medical Device & Diagnostic Industry 25, no. 11 (2003): 44–49.

Harvey Rudolph is global program manager for medical devices at Underwriters Laboratory (Northbrook, IL). He can be e-mailed at [email protected]. Charles Sidebottom is director of corporate standards for Medtronic Inc. (Minneapolis). Contact him at [email protected].

Copyright ©2006 Medical Device & Diagnostic Industry