Charles B. Sidebottom, P.E., Director, Corporate Standards, Medtronic Inc.; Secretary, IEC SC 62A; Secretary, ISO TC 150, SC 5

Charles B. Sidebottom, P.E., Director, Corporate Standards, Medtronic Inc.; Secretary, IEC SC 62A; Secretary, ISO TC 150, SC 5

13 May 2013

For more than 35 years, IEC 60601-1 has been one of the most widely recognized standards for demonstrating the safety of medical electrical equipment. The IEC 60601 family of standards has long been recognized by regulatory agencies in Europe, North and South America, and Asia as establishing conformance with their regulatory requirements.

The third edition of IEC 60601-1 was published in December 2005 and represented a major step forward in the generally acknowledged state of the art of risk control measures for medical electrical equipment. However, the generally acknowledged state of the art is not a fixed target.  It advances as the industry identifies new ways of dealing with hazardous situations that arise with new technology and new applications for medical electrical equipment.

Background of Amendment 1

During the final phases of the development of IEC 60601-1:2005, the National Committee members of IEC Subcommittee (SC) 62A identified a short list of issues that emerged too late in the process to be included in the third edition. With the agreement of the National Committees, these comments were deferred to a future amendment or revision of the standard.

Within a year of its publication, SC 62A began receiving feedback from manufacturers and conformity assessment bodies (test houses) on the practical challenges they were facing in implementing and testing to the third edition. Also in 2007, the European Union revised its Medical Devices Directive to incorporate certain essential requirements from the Machinery Directive and apply them to medical electrical equipment and systems that qualified as machines within the scope of the European Machinery Directive. An examination of IEC 60601-1 found that some of these safety concerns were not as thoroughly dealt with in the standard as was needed to use a claim of compliance with the third edition to support the full presumption of conformity with the Medical Device Directive.

By the spring of 2008, IEC Technical Committee (TC) 62 was ready to begin work on the first amendment to IEC 60601-1:2005. In addition to dealing with the deferred issues and new safety requirements arising for application of the European Machinery Directive, the TC 62 instructed SC 62A to specifically address and clarify the way in which risk management has been introduced into the standard and the way the concept of essential performance is used in IEC 60601-1:2005.

With the approval of the Technical Committee, SC 62A put together a four-year plan for developing the amendment. Formal work began in the fall of 2008 and concluded with the publication of Amendment 1 on July 13, 2012.

Amendment 1 contains 496 individual changes. As the amendment was developed, the teams of experts working on the document assessed each change for its perceived impact on the users of the standard. Each change was placed into one of four categories: No impact, minimal impact, moderate impact, or significant impact. A change was assessed as having the potential for a moderate or significant impact because it could require some change to a product, to its documentation, or a change to the testing that would be required to demonstrate compliance with the standard. The distinction between the moderate and significant categories was based on an intuitive assessment of the effort required to comply.

Most of the changes in Amendment 1 were assessed as either technical changes with the potential for a minimal impact or editorial changes having no direct impact on the equipment, although hopefully making the standard clearer and easier to use.

For example, the modification to the transformer short-circuit test in Subclause 15.5.1.2. This subclause was modified to deal with transformers other than mains transformers. As this could have some impact on the way testing is done in certain cases, it was assessed as having the potential for a minimal impact overall.

An example of a no impact change was the restructuring of the requirement in Subclause 7.2.7 for stating the rated power input from the supply mains on the equipment label. The technical requirement was not altered. The objective was to clarify the options the manufacturer has when the rated power factor exceeds 90%. Unless a manufacturer or test house was misapplying the requirement in both the second and third editions, this change simply makes the standard easier to read for someone coming to it for the first time.

Of the 496 changes, a total of 83 changes affecting 88 subclauses in the standard were assessed as having the potential for either a moderate or significant impact.

One advantage of an amendment over a new edition of a standard is that the amendment itself is the raw gap analysis between editions. Amendment 1 clearly identifies where all the changes have been made between Edition 3 and Edition 3.1. While the amendment tells you where changes are located, it doesn’t tell you how or if those changes will impact your product. Every user of the standard has to make their own assessment.

To assist the users of the standard, Subcommittee 62A published a second edition of IEC Technical Report (TR) 62348. This Technical Report contains a one or two paragraph summary of each of the 83 changes that were assessed as having the potential for a moderate to significant impact. They are separated into two groups based on that impact assessment. Table 1 in IEC/TR 62348 lists the 25 subclauses that are affected by the changes assessed to have the potential for a significant impact. Table 2 lists the 63 subclauses that are affected by the changes assessed to have the potential for a moderate impact. The changes are further subdivided based on whether the change could impact many users of the standard or only particular users.IEC/TR 62348:2012 is a tool to help start the process of making your own impact assessment. A word of caution when using IEC/TR 62384: because any assessment is somewhat subjective, users of the standard are still encouraged to review the entire content of the amendment and determine its impact on the sections of 60601-1 that are relevant to their products. In addition, impact is in the eye of the beholder. What might seem minor from the point of view of the general standard may turn out to be significant in the context of a particular piece of medical electrical equipment with a specific intended use. This technical report is a good place to start, but it is not the end of the journey.

Consider a few examples extracted from Table 1 of IEC/TR 62348:2012.

Restructuring of Risk Management (Subclause 4.2)

Because of the ubiquitous use of the risk management process in the third edition of 60601-1, any change to the application of risk management will affect all users of the standard. In a particular case it may not be a negative impact that requires more work, but it will have an impact. Clarifying how risk management should be applied within the standard is one of the areas that Subcommittee 62A was asked to address in Amendment 1.

One of the major enhancements of the third edition of 60601-1 was the inclusion of a formal risk management process within the context of a design verification, or “type testing” standard. Of course, IEC 60601-1 has always been about managing risk by providing either a set of tried-and-true risk control measures to mitigate certain risks, or test methods and limits used to verify the effectiveness of the manufacturer’s design to mitigate other risks. However, a general standard like IEC 60601-1 cannot possibly address all the risks associated with every device within all possible intended uses. It can cover many, perhaps most, of the risks associated with a piece of medical electrical equipment or a medical electrical system; but even when a particular standard exists, it cannot guarantee that all risks are properly mitigated to the generally acknowledged state of the art. To address this gap, a formal process was introduced into the third edition of IEC 60601-1 by making an apparently simple reference to ISO 14971.

That rather simple approach turned out to be somewhat problematic. ISO 14971 describes a life-cycle process. While parts of the process are very useful within the context of a type test standard, there are aspects such as production and post-production monitoring that go well beyond what can be addressed within the boundaries of a standard like IEC 60601-1. Standards like IEC 60601-1 are intended to assess the manufacturer’s design solutions, not the life-cycle of the product. Some organizations interpreted Subclause 4.2 in the third edition as requiring an on-going assessment of life-cycle phases of the risk management process in ISO 14971, such as production and post-production monitoring, in order to maintain the type assessment. This was never the intent of the authors. Early on, the subcommittee responded to a series of questions from the IEC Certified Testing Laboratories (CTL) to clarify its intent. The CTL is the governing body that administers the “CB scheme,” which promotes mutual recognition among member testing laboratories. While this guidance helped with testing laboratories that are members of the CB scheme, it did not change the standard and left open the possibility for a “misinterpretation” of the intent.

So how did Subcommittee 62A tackle this issue in Amendment 1?

To begin, Subclause 4.2 and its rationale have been significantly modified and expanded. The subclause describes in greater detail the elements of the risk management process to be employed in complying with 60601-1. The subclause has been further subdivided into three parts.

Subclause 4.2.1 introduces the concepts and the purposes of risk management within the framework of a type test or design verification standard. While this subclause is primarily informative, it was felt that the information was important enough to include in the main body of the standard rather than placing it in the rationale. This is to make sure that the author’s intent is understood before the user begins to implement risk management.

Perhaps the most important part of Subclause 4.2.1 is the final sentence, which states:

“Furthermore, verification of compliance with the risk management requirements of this standard can be accomplished by examination of the records and other documentation required by this standard and assessment of the processes cited in this standard and does not require auditing of the risk management process.”

This is intended to clarify that it was never the expectation of the authors of IEC 60601-1 that a manufacturer be required to have a certified risk management process, although having a certified process may reduce the overall workload if the manufacturer has a number of complex products to be tested to IEC 60601-1.

Subclause 4.2.2 is the heart of 4.2 and sets out the basic process requirements needed for compliance with IEC 60601-1. These requirements are identical to those in ISO 14971 except that the requirements related to production and post-production monitoring and the requirement for management to conduct periodic reviews of the suitability of the risk management process are excluded. There is no intent to back away for ISO 14971, only to make clear that some parts of the process life-cycle do not need to be considered as part of evaluation of a specific device to IEC 60601-1.

Finally, Subclause 4.2.3 details how the requirements of the 60601 family are to be applied when evaluating risk. There are, in effect, four cases described. In case 1, IEC 60601-1 or its collateral or particular standards specify requirements addressing a particular hazard or hazardous situation, together with specific acceptance criteria. If the hazard or hazardous situation is present, no risk evaluation is required. The user simply applies the standard requirement or shows their design passes the test in the standard. Unless there is objective evidence to the contrary, the resulting residual risk is deemed acceptable.

In case 2, IEC 60601-1 or its collateral or particular standards specify requirements addressing a specific hazard or hazardous situation but does not provide specific acceptance criteria. This is indicated by such phrases as “could result in an unacceptable risk.” In this instance, the manufacturer has to determine if the residual risk is acceptable based on their risk acceptance criteria in the context of their particular device and its intended use.

Case 3 deals with the situation where IEC 60601-1 or its collateral or particular standards identify a particular hazard or hazardous situation that has to be investigated without providing specific technical requirements. An example is Subclause 10.6 that deals with infrared radiation. Subclause 10.6 simply states, “When applicable, the manufacturer shall address in the risk management process the risks associated with infrared radiation, other than that produced by lasers and light emitting diodes.” If the equipment is capable of producing infrared radiation, the manufacturer has to deal with this hazard using the risk management process. A particular standard may well provide more details for dealing with such a hazard such as providing limits or specific test procedures.

Finally, case 4 is a primary reason risk management that was added to the third edition of IEC 60601-1 in the first place. That is to identify if the normative requirements specified in IEC 60601-1, together with the requirements of applicable collateral and particular standards, have addressed all the hazards and hazardous situations associated with the particular medical electrical equipment or system under consideration. If not, the manufacturer is obligated under Subclause 4.2 to address those hazards or hazardous situations before they can claim compliance with IEC 60601-1. The intent was that going forward a claim of compliance with IEC 60601-1 does, in fact, provide reasonable assurance of a safe device.

So fundamentally, Amendment 1 did not change the way risk management is used within the context of IEC 60601-1. Hopefully the changes to Subclause 4.2 make the intent clearer while maintaining the alignment with the process set out in ISO 14971.

Application of Essential Performance

Another major enhancement of the third edition of IEC 60601-1 was the addressing of functional safety, which the standard calls “essential performance.” Like risk management, this was one of the items SC 62A was asked to address in Amendment 1.

Amendment 1 refined the definitions of essential performance. The definition is in two parts.  The first part relates essential performance to the performance of a clinical function of the equipment within its intended use. However, the amendment is careful to separate that from any performance related to basic safety. For example, the “performance” of insulation, which is its ability to prevent the transfer of electrical energy, is not essential performance because protection against electric shock is clearly a matter of basic safety. In many cases, the distinction between essential performance and basic safety may not be terribly important because the standard requires that both basic safety and essential performance be maintained in normal condition and in single fault condition. However, there are instances in the standard where it is important to understand what the essential performance is of a particular item of medical electrical equipment. One of those instances will be discussed later in this article.

The second part of the definition relates to when the loss or degradation of the performance would make it “essential.” That is when its loss or its degradation beyond the limits specified by the manufacturer would result in an unacceptable risk. If there is no unacceptable risk then there is no essential performance.

So when looking at a particular aspect of the equipment, the manufacturer is faced with the question: “Is it basic safety or essential performance?”

Here is a simple rule of thumb that can be applied when trying to answer that question.

  • If the equipment does something it is not intended to do and that results in an unacceptable risk, it is likely basic safety. You are not supposed to get a shock from the equipment. If you do, that is a failure of basic safety.
  • If the equipment fails to do something it is intended to do and that results in an unacceptable risk, it is likely essential performance. For example, a defibrillator is intended to deliver a shock to the patient. If it fails to deliver the appropriate shock on command and that failure could result in an unacceptable risk, then delivery of the appropriate shock on command is an essential performance of the defibrillator.

Like any rule of thumb, it is not infallible, but it is a good place to start when trying to decide if a particular aspect is basic safety or essential performance. Please note that if there is no unacceptable risk as a result of the equipment either doing something that it is not intended or not doing something that is intended, then there is neither basic safety nor essential performance.

The third edition of 60601-1 simply required the manufacturer to identify and document the essential performance in the risk management file. Where the standard specified that essential performance is to be maintained following a particular test, these were the functions to be evaluated and compliance was checked by inspection, and if necessary, by functional test. No particular guidance or instructions were provided to help the manufacturer in identifying the essential performance. It became clear early on that more needed to be said about the process the manufacturer should follow in making this assessment. As a result, Amendment 1 expanded Subclause 4.3 to provide some direction to the manufacturer when considering if some aspect of their equipment is essential performance.

It was never the intent of the authors of the third edition of IEC 60601-1 that identifying some performance aspect as essential performance meant that it can never fail. It means that the risks associated with that failure have to be managed to an acceptable level. Providing an alarm when the equipment detects it is unable to perform within its specifications is a good example. However, the alarm has to be effective. If the patient is already injured when the alarm goes off, it can hardly be considered an effective risk control measure. Also, if there is no one around who is capable of dealing with the problem in a timely manner, then an alarm can hardly be considered an effective risk control measure to mitigate the loss of essential performance.

It is also important to realize that the performance of the risk control measure can become part of the essential performance. Take a case where the essential performance depends on the source of mains power. The manufacturer might employ an alarm to tell the user that the supply mains has been interrupted or the internal battery is depleted. As a consequence, the equipment is unable to deliver its essential performance. To be effective as a risk control, the alarm system would need its own source of power that is independent from the primary supply.

Disclosure of Essential Performance

Related to the identification of essential performance is a new requirement for the technical description section of the accompanying documents. This is an example where appropriately identifying the essential performance is important.

While the third edition of 60601-1 required the manufacturer to identify the essential performance and document it in the risk management file, there was no requirement to say anything about essential performance in any of the materials provided to the user. As you might imagine, some people saw this as an oversight and asked repeatedly for the standard to require disclosure of the essential performance. The manufacturing community resisted fearing such a requirement would result in a great deal of highly technical, ultimately non-value added information being added to their instructions for use. Some manufacturers were also concerned about the need to disclose what would otherwise be considered proprietary information. This was one of the technical issues that remained unresolved at the time the third edition was published.

After a good deal of back-and-forth discussion, the national committee members of SC 62A agreed to include a requirement in the section of the accompanying documents intended primarily for service personnel—that is the technical description.

The manufacturer is required to provide information pertaining to the essential performance and any necessary recurrent testing including details of the means, methods and recommended frequency.

It can be argued that this was already required to be included in the instructions for use under the heading of maintenance. This new requirement is intended to make clear when such reoccurring testing procedures are directly related to maintaining the safety of the equipment; they need to be highlighted in the technical description.

Equivalent Safety

The IEC 60601 series has long recognized that alternative forms of construction were acceptable provided it could be demonstrated that an equivalent degree of safety was obtained. In the second edition, this was covered by Subclause 3.4. With the introduction of risk management in the third edition, the manufacturer was given a formal tool to help them assess an equivalent degree of safety.

In the third edition, the concept was incorporated in Subclause 4.5 under the heading of “equivalent safety.” A manufacturer could employ an alternative means of addressing a risk identified in the standard provided they could justify through risk management that the residual risk that remained after applying the alternative means of addressing the risk was less than or equal to the residual risk that remained after applying the requirement of the standard.

Recognizing that demonstrating equivalent safety can be difficult because many of the requirements in IEC 60601-1 do not provide enough detail regarding the level of residual risk, Amendment 1 modified Subclause 4.5 to allow alternative risk control measures or test methods to be used when it can be demonstrated that the residual risk resulting from their application remains acceptable and is comparable to the residual risk that results from applying the requirements in IEC 60601-1.

The residual risk must satisfy the manufacturer’s risk acceptance criteria and must be comparable to that remaining after applying the requirements of the standard. The first criterion is relatively easy to assess using risk management. The second part of the requirement presents the real challenge for the manufacturer.

Some tools the manufacturer can use to demonstrate comparable residual risks include:

  • scientific data,
  • clinical opinion,
  • comparative studies, or
  • a combination of all three methods.

It is still a substantial hurdle for the manufacturer to get over, but the standard provides a little more guidance on how the manufacturer might go about the work.

Conclusion

Amendment 1 contains 496 individual changes. Of those, a total of 83 changes affecting 88 subclauses in the standard were assessed as having the potential for either a moderate or significant impact. The rest of the changes were assessed as having a minor impact or no direct impact on the equipment.

I selected four of the 83 changes for this article because they were assessed as having both the potential for a significant impact and they will likely impact a substantial number of users of 60601-1. The goal was to give you a brief introduction, but only an introduction, to each one.

Please remember that any assessment is somewhat subjective. Users of the standard still need to review all the contents of the amendment. You need to understand which parts of Amendment 1 affect sections of 60601-1 that are relevant to your products, and then determine if those changes have any impact on you. Take a simple example. If you are already including a version date in your accompanying documents, then the addition of the requirement in 7.9.2.19 has no effect on you. If not, then your accompanying document will have to be updated to incorporate a unique version identifier.