IEC 60601-1 Clause 4.5 Alternate solutions

This clause is intended to allow manufacturers to use alternate methods other than those stated in the standard.

In Edition 3.0 of IEC 60601-1, Clause 4.5 was titled "Equivalent Safety" and the criteria stated as "the alternative means [having] equal to or less than the RESIDUAL RISKS that result from applying the requirements of this standard".

In Edition 3.1 the title was changed to "Alternative ... measures or test methods" and the criteria to a "...  measure or test method [that] remains acceptable and is comparable to the RESIDUAL RISK that results from applying the requirements of this standard."

The change was most likely required as standards often use worst case assumptions in order to cover a broad range of situations. The result is that for an individual medical device, the requirement is really massive overkill for the risk. The original version required the alternate solution to reach for the same level of overkill, which made little sense. 

In practice, this works if both the standard solution and the alternate solution have negligible risk. In the real world, risk profiles often have a region of significant risk which then transitions to a region of negligible risk. For example, a metal wire might be required to support 10kg weight. If we consider using wire with 10-30kg capacity there is still some measurable probability of mechanical failure. But if we step out a bit further we find that the probability numbers become so small that it really does not matter whether you use 50kg or 200kg wire. Theoretically, a 200kg rating is safer than 50kg, but either solution can be considered as having negligible risk. 

In that context, the standard works well. 

But there are two more difficult scenarios to consider.

The first is that due to technology, competition, commercial issues or whatever, the manufacturer does not want to meet a particular requirement in a standard. The alternate solution has some non-negligible risk which is higher than the solution in the standard, but deemed acceptable according to their risk management scheme.

Clearly, Clause 4.5 is not intended for this case. Instead, manufacturers should declare that they don't meet the particular requirement (either "Fail" or "N/E" in a test report) and then deal with the issue as is allowed in modern medical device regulation. It is often said that in Europe standards are not mandatory - which is true but there is a catch, you need to document your alternate solution against the relevant essential requirement. The FDA has similar allowance, as has most countries. 

Obviously, manufacturers will push to use 4.5 even when significant risk remains, to make a clean report and avoid the need to highlight an issue to regulators. In such a case, test labs should take care to inspect if the alternate solution really has negligible risk, or just acceptable risk.

The second scenario is when the standard has an error, unreasonable requirement or there is a widespread interpretation such as allowing UL flammability ratings in place of IEC ratings. For completeness it can be convenient to reach for Clause 4.5 as a way to formally fix these issues in the standard. In practice though it can crowd the clause as standards have a lot of issues that need to be quietly fixed by test labs. It is probably best to use a degree of common sense rather than documenting every case.  

Finally it should be noted that it is not just a matter of arguing that a requirement in the standard is unreasonable for a particular medical device. Manufacturers should also consider the alternate solution - for example a manufacturer might argue that IPX2 test in IEC 60601-1-11 for home use equipment is overkill. Even if this is reasonable, it does not mean the manufacturer can ignore the issue altogether. It should be replaced by another test which does reflect the expected environment of use, such as 30s rain test at 1mm/min. 

IEC 60601-1 Clause 4.4 Service Life

It is a common assumption that service life should be derived from the properties and testing of the actual medical device. This view is even supported by ISO TR 14969 (guidance on ISO 13485), which states in Clause 7.1.3 that the "... basis of the defined lifetime of the medical device should be documented" and goes on to suggest items to consider.

Fortuntely this view is wrong, and is an example of the blinkered view that can sometimes occur from different medical fields. For some simple medical devices, it is feasible to consider lifetime as an output of the design process, or the result of consideration of various factors. But that's far from true for complex electronic medical devices such as those often covered by IEC 60601-1.

The correct interpretation (regardless of the type of medical device), is that lifetime is simply something which is decided by the manufacturer, and there is no regulatory requirement to document the basis of the number chosen.

It is a requirement that the lifetime must be declared and documented. IEC 60601-1 Clause 4.4 simply asks that this is stated in risk management file.

And, having declared this lifetime, the manufacturer must then go on to show that risks are acceptable over the life of the device.

For some medical devices, lifetime will be an important factor in many risk related decisions, such as sterility, mechanical wear and tear and materials which degrade over time. 

For other medical devices, lifetime hardly gets a thought in the individual risk controls.

Why?

For electrical devices we are a little different in our approach. These days, modern electrical parts last for much (much) longer than the lifetime of the product. And there are thousands of parts in a single product. Inevitably there will be the odd part here and there that breaks down earlier than others, but on a component basis it very rare and hard to predict.

Secondly, we rarely entrust high risk stuff to a single part. We assume that things fail from time to time, and implement protection systems to prevent any serious harm.

There can be cases where lifetime does play a role, but it is the exception rather than the rule. Even then, it would be rare that the lifetime of a part or risk control drives the overall decision on the medical device lifetime. Us electrical engineers don't push things to the edge like that. The risk management might determine that a particular critical part needs a failure rate of less than 1 in 10,000 over the 5 year lifetime of the device. So, we pick a part with 1 in 1,000,000 in 10 years. It's just a different way of thinking in electronic design.

So the next time an auditor asks you how you derived the lifetime of your incredibly complex X-ray machine based on as risk, quietly direct them the marketing department.

IEC 60601-1 Clause 4.3 Essential Performance

The basic idea behind essential performance is that some things are more important than others. In a world of limited resources, regulations and standards should try to focus on the important stuff rather than cover everything. A device might have literally 1000’s of discrete “performance” specifications, from headline things such as equipment accuracy through to mundane stuff like how many items an alarm log can record. And there can be 100’s of tests proving a device meets specifications in both normal and fault condition: clearly it’s impossible check every specification during or after each one of these tests. We need some kind of filter to say OK, for this particular test, it’s important to check specifications A, B and F, but not C, D, E and G.

Risk seems like a great foundation on which to decide what is really “essential”. But is it a complicated area, and the “essential performance“ approach in IEC 60601-1 is doomed to fail as it oversimplifies it to a single rule: "performance ... where loss or degradation beyond the limits ... results in an unacceptable risk".

A key point is that using acceptable risk as the criteria is, well, misleading. Risk is in fact the gold standard, but in practice it gets messy because of a bunch of assumptions hiding in the background. Unless you are willing to tease out these hidden assumptions, it’s very easy to get lost. For example, most people would assume that the correct operation of an on/off switch does not need to be identified as “essential performance”. Yet if the switch fails, the device then fails to treat, monitor or diagnose as expected, which is a potential source of harm. But your gut is still saying … nah, it doesn’t make sense - how can an on/off switch be considered essential performance? The hidden assumption is that the switch will rarely fail - instinctively we know that modern switches are sufficiently reliable that they are not worth checking, the result of decades of evolution in switch design. And, although there is a potential for harm, the probability is generally low: in most cases the harm is not immediate and there is time to get another device. These two factors combined are the hidden assumptions that - in most cases - means that simple on/off switch is not considered essential performance.

In practice, what is important is highly context driven, you can't derive this purely from the function. Technology A might be susceptible to humidity, technology B to mechanical wear, technology C might be so well established that spot checks are reasonable. Under waterproof testing, function X might be important to check, while under EMC test function Y is far more susceptible.

Which means that simply deriving a list of what is "essential performance" out of context makes absolutely no sense.

In fact, a better term to use might be "susceptible performance", which is decided and documented on a test by test basis, taking into account:

  • technology used (degree to which it well established, reliable)

  • susceptibility of the technology to the particular test

  • the relationship between the test condition and expected normal use (e.g. reasonable, occasional, rare, extreme)

  • the severity of harm if the function fails

Note this is still fundamentally risk based: the first three parameters are associated with probability, and the last is severity. That said, it is not practical to analyse the risk in detail for each parameter, specification or test: there are simply too many parameters and most designs have large margins so that there are only a few areas which might be sensitive in a particular test. Instead, we need to assume the designer of the device is sufficiently qualified and experienced to know the potentially weak points in the design, as well as to develop suitable methods including proxies to detect if a problem has occurred. Note also that IEC 60601-1 supports the idea of “susceptible performance” in that Clause 4.3 states that only functions/features likely to be impacted by the test need to be monitored. The mistake is that the initial list of “essential performance” is done independently of the test.

The standard also covers performance under abnormal and fault condition. This is conceptually different to “susceptible performance” as it is typically not expected that devices continue to perform according to specification under abnormal conditions. Rather, manufacturers are expected to include functions or features that minimise the risk associated with out-of-specification use: these could be called “performance RCMs”: risk control measures associated with performance under abnormal conditions. A common example is a home use thermometer, which has a function to blank the temperature display when the battery falls to levels that might impact reliable performance. Higher risk devices may use system monitoring, independent protection, alarms, redundant systems and even back up power. Since these are risk control measures, they can be referenced from the risk management file and assessed independently to “susceptible performance”. Performance RMS can be tricky as it pulls into focus the issue of what is “practical”: many conditions are easy to detect, but many others are not; those that are not detected may need to be written up as risk/benefit if the risk is significant.

Returning to “susceptible performance”, there are a few complications to consider:  

First is that "susceptible performance" presumes that, in the absence of any particular test condition, general performance has already been established. For example, a bench test in a base condition like 23°C, 60% RH, no special stress conditions (water ingress, electrical/magnetic, mechanical etc.). Currently in IEC 60601-1 there is no general clause which establishes what could be called "basic performance" prior to starting any stress tests like waterproof, defib, EMC and so on. Even now, this is a structural oversight in the standard, since it allows the test to focus on parameters that are likely to be affected by the test, which only makes sense if the other parameters have already been confirmed.

Second is that third party test labs are often involved and the CB scheme has set rules that test labs need to cover everything. As such there is reasonable reluctance to consider true performance for fear of exposing manufacturers to even higher costs and test labs thrown into testing they are not qualified to perform. This needs to be addressed before embedding too much performance in IEC 60601-1. Either we need to get rid of test labs (not a good idea), or structure the standards that allows test labs to separate out those generic tests they are competent to perform from specialised tests, as well as practical ways in which to handle those specialised aspects when then cross over into generic testing (such as an IPX1 test).

Third is that for well established technology (such as diagnostic ECGs, dialysis, infusion pumps) it is in the interests of society to establish standards for performance. As devices become popular, more manufacturers will get involved; standardisation helps users be sure of a minimum level of performance and protects against poor quality imitations. This driver can range from very high risk devices through to mundane low risk devices. But the nature of standards is such that it is very difficult to be comprehensive: for example, monitoring ECG have well established standards with many performance tests, but many common features like ST segment analysis are not covered by IEC 60601-2-27. The danger here is using defined terms like “essential performance” when a performance standard exists can mislead people to think that the standard covers all critical performance, when in fact it only covers those aspects that have been around long enough to warrant standardisation.

Finally, IEC 60601-1 has special requirements for PEMS for which applicability can be critically dependent on what is defined as essential performance. These requirements can be seen as special design controls, similar to what would be expected for Class IIb devices in Europe. They are not appropriate for lower risk devices, and again using the criteria of “essential performance” to decide when they are applicable creates more confusion.

Taking these into account, it is recommended to revert a general term "performance", and then consider five sub-types:

Basic performance: performance according manufacturer specifications, labelling, public claims, risk controls or can be reasonably inferred from the intended purpose of the medical device. Irrespective of whether there are requirements in standards, the manufacturer should have evidence of meeting this basic performance.

Standardised performance: requirements and tests for performance for well established medical devices published in the form of a national or international standard. 

Susceptible performance: subset of basic and/or standardised performance to be monitored during a particular test, decided on a test by test basis, taking into account the technology, nature of test, severity if a function fails and other factors as appropriate, with the decisions and rationale documented or referenced in the report associated with the test.

Critical performance: subset of basic and/or standardised performance performance which if fails, can lead to significant direct or indirect harm with high probability; this includes functions which provide or extract energy, liquids, radiation or gases to the patient in a potentially harmful way; devices which monitor vital signs with the purpose of providing alarms for emergency intervention, and other devices with similar risk profile (Class IIb devices in Europe can be used as a guide). Aspects of critical performance are subject to additional design controls as specified in Clause 14 of IEC 60601-1  

Performance RCMs: risk controls measures associated with performance under abnormal conditions, which may include prevention by inherent design (such as physical design), prevention of direct action (blanking display, shut off output), indication, alarms, redundancy as appropriate.

Standards should then be structured in a way that allows third party laboratories to be involved without necessarily taking responsibility for performance evaluation that is outside the laboratories competence.

IEC 60601-1 Clause 4.2 - Risk Management

The ability to apply flexibility in certain places of a standard makes a lot of sense, and the risk management file is the perfect place to keep the records justifying the decisions.

Yet, if you find risk management confusing in real application, you are not alone. The reason is not because you lack skills or experience – instead embedding risk management in IEC 60601-1 is a fundamental mistake for three reasons.

First is simple logistics. The correct flow is that the risk management file (RMF) studies the issue, and proposes a solution. That solution then forms a technical specification which can be evaluated as part of a product standards like IEC 60601-1, particularly those places where the standard allows or requires analysis. When the verification tests are successful, a report is issued. The RMF can be completed and the residual risk judged as acceptable. This forms a kind of mini V-model:

Embedding risk management in a product standard creates a circular reference which can never solved - the RMF cannot be signed off until the product report is signed off, the product report cannot be signed off until the RMF is signed off. This is more than just a technicality – it debases and devalues the risk management by forcing manufacturers to sign off early, especially when test labs are involved.

Which leads us to our second problem: Third party test laboratories are valuable resource for dealing with key risks such as basic electrical safety and EMC. But they are ill equipped to deal with subjective subjects, and ISO 14971 is whopper in the world of subjectivity: everyone has their own opinion. The V-model above isolates the product standard (and third party test labs) from the messy world of risk management.

Which brings us to our third problem – the reason why risk management is so messy. Here we find that ISO 14971 that has its own set of problems. First, there are in practice too many risks (hazardous situations) to document in a risk management file: the complexity of a medical device design, production process, shipping, installation, service, interfaces between the device and the patient, operator and the environment contain tens of thousands situations that have genuine risk controls. ISO 14971 fails to provide a filter for isolating out those situations worth documenting.

Secondly is the rather slight problem that we can’t measure risk. Using risk as the parameter on which decisions are made is like trying to control the temperature of your living room using a thermometer with an accuracy of ±1000°C. Our inability to measure risk with any meaningful accuracy leads to a host of other problems to long to list here.

Yet In the real world we efficiently handle tens of thousands of decisions in the development and production processes that involve risk - it’s only the relatively rare case that we get it wrong.

The answer may lie in “risk minimum theory”, which is planned to be detailed further on this site at a later date. This theory provides a filter function to extract only the risks (hazardous situations) worth investigating and documenting in the risk management file, also provides a way to make risk related decisions without measuring risk. 

In the mean time, we need to deal with ISO 14971. This article recommends:

  • Don’t panic – everybody is confused!

  • Follow the minimum requirements in the standard. Even if you don’t agree or it does not make sense, make sure every document or record that is required exists, and that traceability (linking) is complete. Use a checklist showing each discrete requirement in ISO 14971 and point to where the your records exist for that requirement. Keep in mind that the auditors and test engineers didn’t write the standard, but they have to check implementation, so following the standard - even if blindly - helps everyone.

  • Watch carefully for the places where the standard says a record is needed, and where verification is needed. There is a difference – a “record” can be as simple as a tick in a box or a number in a table, without justification. “Verification” means keeping objective evidence. Verification is only required in selected places, which may be a deliberate decision by the authors to try and limit overkill.

  • Develop your own criteria for filtering what goes in in the file. The risk minimum theory concludes that that risk controls which are clearly safe, standard practice, and easy for a qualified independent person to understand by inspection do not need to be in the file. Risk controls that are complex, need investigation to know the parameters, borderline safety or balanced against other risks should be documented.

  • As an exception to the above, keep a special list of requirements in product standards like IEC 60601-1 that specifically refer to risk management, including a formal judgement if they are applicable (or N/A), and a pointer to the actual place in the risk management file where the item it handled. Again this helps everyone – manufacturer, auditors and test engineers

  • Be aware that there are three zones in safety: the green and red zones, where there is objective evidence that something is either safe or unsafe, and a grey zone in between where there is no hard evidence either way. In the real world, 99% of risk controls put us in the green zone; but there are still 10-100 that inevitably fall in the grey zone.

  • If you are in this grey zone, watch out for the forces that influence poor risk management decisions: conflicts of interest, complexity, new technology, competition, cost, management pressure and so on. Don’t put a lot of faith in numbers for probability, severity, risk or criteria, be aware of camouflage - a warning in a manual magically reducing the risk by 2 orders of magnitude, masking the real risk control. Dig deeper, find the real risk control, and then decide if it is reasonable.

 

IEC 60601-1 and accessories

These days many medical applications are a system comprising of a main unit and accessories or detachable parts.

Under medical device regulations, it is allowed for each part of a system to be treated as an individual medical device. Despite some concerns, regulations do not require any contract or agreement between the different manufacturers making up parts of the system. 

Instead, they rely on risk management, which is appropriate given wide range of situations and regulatory issues. For example, labelling, instructions, sterilisation and bio-compatibility are reasonably under the responsibility of the accessory manufacturer. Electrical isolation from mains parts, EMC emissions and immunity are normally under the responsibility of the main unit manufacturer. In some cases there are shared system specifications (such as system accuracy shared between main unit and sensor), in other cases there are assumptions based on reasonable expectations or industry norms (such as IBP sensor insulation). In the end the analysis should resolve itself into interface specifications which allocate some or all of the system requirements to either the main unit or the accessory. 

There is a valid concern that by keeping the analysis by each manufacturer independent, critical issues could fall through the cracks. Each manufacturer could assume the other will handle a particular requirement. And sometimes system requirements are difficult to separate. 

Even so, the alternative is unthinkable: a system only approach only works if there are agreements and constant exchange of information between the different manufacturers in a system.  This would create an unwieldy network of agreements between tens of thousands of manufacturers throughout the world, difficult to implement, virtually impossible to maintain. While regulators surely recognise the concern, the alternative is far worse. Thus it remains in the flexible domain of risk management to deal with practical implementation. 

IEC 60601-1 makes a mess of the situation, again highlighting the lack of hands on regulatory experience in those involved with developing the standard.

The definition of "ME equipment" in Clause 3.63 has a "Note 1" which states that accessories necessary for normal use are considered part of the ME equipment. The standard also has many requirements for accessories, such as labelling, sterilisation and mechanical tests. This implies a system only approach to testing. 

Yet the standard trips up in Clause 3.55, by defining a "manufacturer" as the "person with responsibility for ... [the] ME equipment".

Both of these definitions cannot be true, unless again we have an impossible network of agreements between all the manufacturers of the different parts of the overall system.

Clause 3.135 also defines a "Type Test" as a "test on a representative sample of the equipment with the objective of determining if the equipment, as designed and manufactured, can meet the requirements of this standard". 

Again, this definition can only be met if the manufacturer of the accessory is contractually involved, since only the accessory manufacturer can ensure that a type test is representative of regular production, including the potential for future design changes.  

What's the solution?

An intermediate approach is to first recognise that the reference to accessories in Clause 3.63 is only a "note", and as the preamble to all IEC standards indicates, "notes" written in smaller type are only "informative". In other words, the note is not a mandatory part of the standard. 

Secondly, it is possible that the writers of the standard never intended the note to mean the standard must cover accessories from other manufacturers. Rather, the intention was probably to highlight (note) that in order to run the various tests in the standard accessories would be needed to establish normal condition. The note is a clumsy way of avoiding that manufacturer insists the tests are done without any regard to the accessories.

A longer term solution would be to add a new clause in the standard (e.g. 4.12) which requires an analysis of accessories from other manufacturers to:

  • Allocate system requirements to either the main unit or accessory, either in part or in full

  • Document a rationale behind the selection of representative accessories to establish normal condition during tests on the main unit

  • Document a rationale to identify accessories in the instructions for use: either directly by manufacturer and type, or indirectly by specification

The following is an example analysis for a patient monitor with a temperature monitoring function (for illustration only):

This analysis should be included in or referenced from the risk management file.

The analysis might appear onerous, but the ability to stream line type testing will save time in the long run, and allow common sense apply. In the current approach, decisions about accessories are made on the run, and can result in both over and under testing.

Manufacturers are also reluctant to mention accessories in the operation manual, partly due to the logistics of keeping the manual up to date, and partly due to a fear of being seen to be responsible for the accessories listed. This fear often extends to the design documentation including the risk analysis, with virtually no mention accessories in the files. The above approach helps to address the fear while at the same time highlighting that accessories can't be simply ignored. A rationale for the requirements, representative selection and documentation to the user is both reasonable and practical.   

The recommendations above cover a simple system of an main unit designed by manufacturer "X" working a sensor designed by manufacturer "Y". There exists another more complicated scenario, where part of the electronics necessary to work with the accessory provided by manufacturer Y is installed inside the main unit from manufacturer X. A common example is an OEM SpO2 module installed inside a patient monitor. Technically, manufacturer X takes responsibility for this "interface module" as it falls under their device label. In such a case, a formal agreement between X and Y is unavoidable. Once this agreement is in place, the same risk analysis for the three points above should apply.

In this special case, a type test also needs some consideration. In general it is not practical for manufacturer of the main unit to support testing for the module, as it usually requires the release of a large amount of information much of which would be confidential. Instead, the laboratory should look for test reports from manufacturer B for the interface module, essentially as a "component certification" similar to an recognised power supply. Another option would be for the report to report to exclude requirements on the presumption that these will be handled by the module/accessory manufacturer, as per the inter-company agreement. The module manufacturer would then have their internal reports to cover the excluded clauses. In case of product certification and CB scheme, some exclusions may not be allowed, in which case the module is best covered by a CB certificate to allow simple acceptance by the laboratory responsible for the main device. 

Finally, there is a bigger role that standard can play to help avoid gaps in responsibility - the development of standards for well established accessories which define clearly which manufacturer should cover which requirements. Such standards already exist at the national level, for example ANSI/AAMI BP 22 for IBP sensors. A generic standard could also be developed which handles accessories not covered by a particular standard, which highlights risk analysis and declaration of assumptions made. 

It's time that the IEC 60601 series was better aligned with modern regulations and reality: accessories are a separate medical device.    

IEC 60601-1 Amendment 1 Update Summary

Overview

Amendment 1 to IEC 60601-1:2005 was released in July 2012 and is now becomming main stream for most regulations. This article, originally published in 2013 summarises the changes

The basic statistics are:

  • 118 pages (English)
  • 67 pages of normative text
  • ~260 changes
  • 21 new requirements
  • 63 modifications to requirements or tests
  • 47 cases where risk management was deleted or made optional
  • 19 corrections to requirements or test methods
  • Remainder were reference updates, notes, editorial points or clarifications
  • USD$310 for amendment only
  • USD $810 for the consolidated edition (3.1)

This document covers some of the highlights, including an in-depth look at essential performance. A pdf version of this analysis is avaliable, which also includes a complete list of the changes on which the analysis is made.

Highlights

Risk management has been tuned up and toned down: the general Clause 4.2 tries to makes it clear that for IEC 60601-1, the use of ISO 14971 is really about the specific technical issues, such as providing technical criteria for a specific test or justifying an alternate solution. Full assessment of ISO 14971 is not required, and post market area is specifically excluded. The standard also clearly states that an audit is not required to determine compliance.

Within the standard, the number of references to risk management have been reduced, with some cases of simply reverting back to the original 2nd edition requirements.  In other places, the terminology used in risk management references has been corrected or made consistent. 

Essential performance has quietly undergone some massive changes, but to understand the impact of the changes you need to look at several aspects together, and some lengthy discussion is warranted.

First, the standard requires that performance limits must be declared. In the past a manufacturer might just say “blood pump speed” is essential performance, but under Ed 3.1 a specification is also required e.g. “blood pump speed, range 50-600mL/min, accuracy ±10% or ±10mL of setting, averaged  over 2 minutes, with arterial pressure ±150mmHg, venous pressure -100~+400mmHg, fluid temperature 30-45°C”.

Next, the manufacturer should consider separately essential performance in abnormal or fault conditions. For example under a hardware fault condition a blood pump may not be expected to provide flow with 10% accuracy, but it should still confidently stop the blood flow and generate a high priority alarm. Care is needed, as the definition of a single fault condition includes abnormal conditions, and many of these conditions occur at higher frequency than faults and therefore and require a special response. User errors, low batteries, power failure, use outside of specified ranges are all examples where special responses and risk controls may be required that are different to genuine fault condition. For example, even a low risk diagnostic device is expected to stop displaying measurements if the measurement is outside of the rated range or battery is too low for accurate measurement. Such risk controls are now also considered “essential performance”.

Essential performance must also be declared in the technical description. This is major change since it forces the manufacturer to declare essential performance in the commercial world, especially visible since most manufacturers incorporate the technical description in the operation manual. Until now, some manufacturers have declared there is no essential performance, to avoid requirements such as PEMS. But writing “this equipment has no essential performance” would raise the obvious question … what good then is the equipment?

Finally many of the tests which previously used basic safety or general risk now refer specifically to essential performance in the test criteria. In edition 3.0 of the general standard, the only test clause which specifically mentioned essential performance was the defibrillator proof tests. Now, essential performance is mentioned in the compliance criteria many times in Clauses 9, 11 and 15. These are stress tests including mechanical tests, spillage, sterilization and cleaning.  The good news is that the standard makes it clear that functional tests are only applied if necessary. So if engineering judgment says that a particular test is unlikely to impact performance, there is no need to actually test performance.

While essential performance is dramatically improved there are still two areas the standard is weak on. First, there is no general clause which requires a base line of essential performance to be established. Typically, performance is first verified in detail under fairly narrow reference conditions (e.g. nominal mains supply, room 23±2°C, 40-60%RH, no particular stress conditions). Once this base line is established, performance is then re-considered under a range of stress conditions representing normal use (±10% supply voltage, room temperature 10-40°C, high/low humidity, IP tests, mechanical tests, cleaning test, and so on). Since there are many stress tests, we normally use engineering judgment to select which items of performance, if any, need to be re-checked, and also the extent of testing. But this selective approach relies on performance having been first established in the base-line reference condition, something which is currently missing from the general standard.

The second problem is the reference to essential performance in PEMS (Clause 14). Many low risk devices now have particular standards with essential performance. And since essential performance is used as a criteria for stress tests, the “no essential performance” approach is no longer reasonable. But the application of complex design controls for lower risk devices is also unreasonable, and conflicts with modern regulations. Under note 2, the committee implies that Clause 14 needs only to be applied to risk controls. A further useful clarification would be to refer to risk controls that respond to abnormal conditions. For example, in a low risk device, the low battery function might be subject to Clause 14, but the main measurement function should be excluded, even if considered “essential performance”. It would be great if the committee could work out a way to ensure consistent and reasonable application for this Clause.

Moving away from essential performance to other (more briefly discussed) highlights are:

  • Equipment marking requirements: contact information, serial number and date of manufacture are now required on the labeling, aligning with EU requirements. The serial number is of special note, since the method of marking method is often different to the main label, and may not be as durable.
     
  • Accessories are also required to marked with the same details (contact information, serial number, date of manufacturer). This also fits with EU requirements, provided that the accessory is placed on the market as a separate medical device. This may yield an effective differentiation between an “accessory” and a “detachable part”. The new requirement implies that accessories are detachable parts which are placed on the market (sold) separately, whereas detachable parts are always sold with the main equipment.
     
  • Both the instructions for use and the technical description must have a unique identifier (e.g. revision number, date of issue)
     
  • For defibrillator tests, any unused connectors must not allow access to defibrillator energy (effectively requires isolation between different parts, or special connectors which prevent access to the pins when not in use)
     
  • Mechanical tests for instability and mobile equipment (rough handling test) are modified (market feedback that found the tests to be impractical)
     
  • The previous 15W/900J exemption of secondary circuits from fire enclosure/fault testing has been expanded to 100VA/6000J if some special criteria are met. Since the criteria are easy to meet, it will greatly expand the areas of the equipment that does not need a fire enclosure or flame proof wiring; welcome news considering the huge environmental impact of flame retardants.
     
  • For PEMS, selected references to IEC 62304 are now mandatory (Clauses 4.3, 5, 7, 8 and 9)

For a complete (unchecked) list of changes, including a brief description and a catergory of the type of change, please refer to the pdf version.  

For comments and discussion, please contact peter.selvey@medteq.jp.