Risk Management Implications of IEC 60601-1, 3rd Ed.
Leonard Eisner, Robert M. Brown, and Dan Modi
Manufacturers should gear up to change their practice of risk management in engineering medical electrical equipment.
Figure 1. Schematic of the risk management process presented in ISO 14971:2000.
The third edition of the standard IEC 60601-1 on general safety requirements for medical electrical equipment is on its way. Equipment manufacturers should expect change. The second committee draft vote (2CDV) for the third edition of IEC 60601-1 was approved in August 2004 [1]. The final draft international standard is scheduled to be published in April 2005.
Approval of the 2CDV was followed by the submission of more than 1400 comments, about half of which were editorial comments and the rest, technical. These editorial and technical comments will be resolved by the final draft standard. Voting on the final standard will be the next step. If the vote is for approval, the third edition of IEC 60601-1 could be published by the end of 2005.
The 2CDV includes many changes from the second edition of IEC 60601-1. First, the scope of the standard, along with the definition of medical electrical equipment, has broadened. Extending the scope from “diagnosis, treatment, or monitoring of a patient” in the second edition to include “for compensation or alleviation of disease, injury, or disability” in the third will increase the number of device types that fall under the standard.
Wording to specifically exclude in vitro diagnostic equipment covered by the IEC 61010 series and the implantable parts of active implantable medical devices covered by the ISO 14708 series of standards has been added to the third-edition draft. IEC 60601-1 never intended to include these two specific product categories. The new edition more clearly states that the standard covers only electromedical devices that “diagnose, treat, or monitor a patient.” The concept of safety has been expanded from basic safety to include also essential performance, such as, for example, the necessary accuracy of critical physiological monitoring equipment used in an intensive-care unit.
Figure 2. Risk-management activities as applied to a medical device, based on ISO 14971:2000 and citing sections of that standard.
Other noteworthy changes in the draft third edition include:
• Significant expansion of definitions.
• Specification that for normative standards that do not have dates, the latest edition of the standard applies (including amendments).
• Harmonization of some of IEC 60950-1 (covering information technology equipment) into IEC 60601-1 (in some cases, medical devices may be allowed to use an IEC 60950-1 power source).
• Changes to insulation requirements.
• Substantial revision of the mechanical hazards section.
• Changes in temperature requirements for patient-applied parts.
• Incorporation of IEC 60601-1-1 (regarding electromedical systems) and IEC 60601-1-4 (programmable electrical medical systems) into the standard.
This article discusses the two predominant subjects of the new edition of IEC 60601-1: risk management and essential performance.
Essential Performance of Medical Equipment
The draft third edition has introduced the term essential performance into the standard. Essential performance relates to any feature or function of an item of medical equipment that might cause harm or injury to the patient, to others, or to the operator of the equipment. The concept of essential performance integrates well with, and is a key part of, the manufacturer’s risk analysis plan.
The addition of the concept of essential performance is a major change in the standard, but one that leaves room for interpretation as to what is covered by the term. The standard does address some basic aspects of essential performance; however, most is left for the manufacturer to determine during the risk analysis process and through reference to collateral and particular standards. Collateral and particular standards are standards that extend, replace, or modify IEC 60601-1 [2]. It is intended that these standards become the preferred vehicle for addressing essential performance requirements for a specific characteristic or function of a particular type of medical equipment.
Determining features and functions essential to performance can be viewed as a subset of the risk analysis. Calculating a level of acceptable risk is also part of determining whether a feature or function should be defined as essential to performance.
During the risk analysis process, the manufacturer must establish acceptance criteria based upon its tolerance for risk, the probability of a given risk being manifested, and the level of harm to the patient or operator. The next section of this article examines risk analysis in more detail.
Figure 3. Risk chart distinguishing levels of risk acceptability.
A systems approach is useful for listing and evaluating essential performance features. The manufacturer begins by defining the intended use of the medical device. For example, the manufacturer of an ultrasound imaging system may characterize the device as being appropriate for producing high-resolution ultrasound images of the eye. Once the intended use is defined, the next step is to develop a list of features and functions of the medical device necessary to achieve its intended use and without which harm to the operator, patient, or others could occur. This is best accomplished in a team environment, putting ideas on a white board.
Table I. A simplified sample risk analysis, featuring calculations of the risk product number (RPN) before and after risk reduction.
All functions that implement essential performance or risk-control measures must be verified. This requirement is stated in the programmable electrical medical systems section in the IEC 60601-1 third-edition draft with respect to essential performance, and in ISO 14971 for risk control measures. The key areas that must be addressed in verification are:
• The time or milestone at which the verification is to be performed.
• The verification strategy to be used, such as walk-through, inspection, or testing at the board or system level.
• The test tools required and their intended use.
• The criteria for testing.
The draft third edition requires a verification plan and documentation of the results.
Prior to the release of the third-edition draft, essential performance will likely be clarified, as this topic has generated much commentary. It has been a straightforward matter to evaluate a product based upon safety alone. But certification agencies are expected to need a while to sort out the essential performance and risk analysis sections of the new edition and become familiar with their details.
In turn, certification agencies will determine their own method for evaluating a product to the third edition of the standard. The concept of essential performance in connection with risk analysis is familiar to these agencies, and to manufacturers, because it is incorporated in other international and national regulations and international standards. These two requirements are, however, new to IEC 60601-1.
Risk Management: IEC 60601-1 Draft Third Edition
Table II. Hypothetical categorization of RPNs for the example in Table I.
Soon, the days of bringing a product to a certification agency for safety testing in order to obtain a certification mark will be gone. The draft third edition requires the manufacturer to perform a risk analysis using a formal risk management system. This should not surprise most medical device manufacturers as, in the past several years, these manufacturers have adopted the ISO 14971 standard pertaining to the application of risk management to medical devices as a result of regulatory requirements issued in the United States by FDA, in Canada by Health Canada, in Japan by the Ministry of Health & Welfare, and across Europe through the Medical Devices Directive [3].
These regulatory requirements reference, or will reference in the near future, the ISO 13485:2003 quality management standard, which, in its clause 7.1, requires risk management for the product realization process and references ISO 14971 (not a requirement, but a guide for risk management) [4]. In addition, ISO 13485:2000 references risk analysis in clause 4.1 where it does not identify ISO 14971 specifically. By mid-2006, compliance with ISO 13485:2003 will be mandatory for manufacturers of certain types of products that operate within the regulatory frameworks named above. Many medical device manufacturers are making the transition to this more recent standard in order to meet the new regulatory requirements. Also, ISO 14971 is required or referenced in many medical device and clinical standards. These include IEC 60601-1-2, IEC 60601-1-4, IEC 60601-1-6, IEC 60601-1-8, ISO 14155-1:2003, and Draft IEC 62304 (which is now at the committee draft for vote stage).
The second edition of IEC 60601-1 is titled “Medical Electrical Equipment—Part 1: General Requirements for Safety.” [5] The third-edition draft changes this to “Medical Electrical Equipment—Part 1: General Requirements for Basic Safety and Essential Performance.” One reason for the title change is the inclusion of a provision in the standard for assessing the adequacy of the design process via risk management as an alternative to the type tests (laboratory tests) that the standard now describes.
Risk management is pervasive in the draft third edition of IEC 60601-1. The draft standard contains more than 200 references to risk management and more than 500 references to risk. Because it requires risk management compliance with ISO 14971, a manufacturer complying with the draft standard will have to use ISO 14971 to satisfy those requirements. Compliance is to be checked by inspection of the risk management file.
Any requirements of the standard respecting inspection of the risk management file are satisfied if the manufacturer has established a risk management process, established acceptable levels of risk, and demonstrated that any residual risk or risks are acceptable. The draft standard states that the acceptability or unacceptability of a risk is determined by the manufacturer in accordance with its own policy.
ISO 14971 and Risk Management
Several key terms from the risk management standard are hazard, harm, and risk. Understanding these is important for understanding the standard. Hazard is defined as a potential source of harm. Harm is physical injury or damage to the health of people, or damage to property or the environment. Finally, risk is a factor determined from a combination of the probability of the occurrence of harm and the severity of that harm.
An initial step in the risk analysis process is to define the intended use and purpose of the medical device and to characterize it. Clause 220.127.116.11 of IEC 60601-1-6 provides some helpful ideas for how to do this [6]. The device is to be characterized by
• Medical purpose, that is, the condition(s) or disease(s) to be screened, monitored, treated, or diagnosed.
• Patient population in terms of age, weight, region of the body affected, general health, and condition.
• Part of the body or type of tissue to which applied or with which interacting.
• Profile of the intended operator.
• Application, that is, the environment of use, frequency of use, location of use, and extent of mobility.
The risk management process requires that the manufacturer have a risk management plan—that is, a project plan—and a risk management file. The risk management plan, as detailed in ISO 14971, should include the scope of the plan, an identification and description of the medical device, and the life cycle phases of the device for which the plan is applicable. This plan also contains a verification plan and an allocation of responsibilities. Other integral parts of the risk management plan are the requirements for review of risk management activities and the criteria for risk acceptability.
ISO 14971 specifies that the risk management file is to include, at a minimum, the risk management plan, a description of the intended use or purpose of the product, a statement naming any foreseeable misuse of the product, and an estimate of the risk associated with foreseeable hazards. The risk management file must contain results of risk evaluations, residual-risk evaluations, a risk/benefit analysis, and a risk management report.
Although ISO 14971 is not a quality-system standard, it does contain parallels to ISO 13485 for management responsibility. Company management is directed to provide resources and trained personnel adequate to carry out the risk management process. A process for establishing acceptable risk levels is to be defined and established, and should take into account appropriate standards and regulatory requirements. In addition, responsible persons should review the results of risk management activities on a regular basis in order to ensure the suitability and effectiveness of the process.
Figure 1 is a schematic representation of the overall risk management process presented in ISO 14971, showing that the basic steps of the process are risk analysis (identification), risk evaluation (basis for decision making), risk control (decision implementation), and postproduction information gathering and review (monitoring). The risk assessment portion of the process includes analysis and evaluation of all identified hazards. The concept of risk management extends this by also incorporating risk control and a program of postproduction monitoring of the product in order to assure continuing safety in performance.
Figure 2 breaks down the four blocks of the risk management process into 13 detailed steps guided in part by a decision tree.
A risk management procedure needs to be established in order to fulfill this process. Important details requiring specification for this procedure include methods for estimating risk and deciding on acceptability criteria for risk. Typically, a three-region risk chart along the lines of that in Figure 3 is used to place a particular risk within areas of broad acceptability at one end, intolerability at the other, and in between, acceptability, but with the risk being kept as low as reasonably possible (ALARP).
Practicing Risk Management
The process of risk management involves a multifunctional project team. This group, working collaboratively, identifies product hazards, estimates attendant risks, determines whether those risks are acceptable, develops and implements means of mitigating the risks, verifies that the risk mitigation is acceptable, and verifies that the risk mitigation does not itself cause any additional risks. Importantly, this risk analysis needs to be a living document that incorporates ongoing market surveillance and internal feedback from company regulatory, production, engineering, marketing, and other functional departments. This assimilation of new data into the analysis is the postproduction information step in the process.
Remembering the definitions from the risk management standard, consider an example: a hospital bed that has a pinch point that might crush a finger. The hazard is the pinch point. (If there were no pinch point in operating the bed, then there would be no hazard for this specific equipment use.) The harm would be the resulting damage to the finger. The risk consists of the probability of the finger getting crushed combined with the severity of the injury the finger sustains.
A manufacturer that relies on IEC 60601-1 for conducting tests that deal with pinch points for fingers is finished with its risk analysis for this issue once it has identified it in the risk analysis and proved that it has tested and labeled appropriately to this portion of IEC 60601-1. The test report and labeling should be in the risk management file. In other words, the manufacturer must provide objective evidence of risk mitigation in the risk analysis documentation.
Quantifying the level of risk involves applying a simple formula, as shown in Table I. The severity of possible harm (in the example, how badly the finger pinching damages the victim) is assigned a numerical value that is multiplied by the similarly determined value of the frequency with which the harm could be expected to occur. This product is multiplied again by the detectability, or latency, of the existing hazard. The result of this mathematical operation is the risk product number (RPN). The RPN can be categorized to correlate with the risk regions in Figure 3 (see Table II).
Table I represents only a small portion of a typical risk analysis procedure. The terms and ratings used in the example are fictitious and not meant to be adopted by manufacturers as a basis for analyzing risk in their own products. Each manufacturer should determine what method of analysis works best with its product.
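The RPN calculation and region check described above, as an added example that is not from the article or from either standard. The 1-5 scales, the region limits (20 and 60), the `HazardEntry` fields and the sample ratings are all constructed assumptions; each manufacturer sets its own.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 1-5 scales (5 = worst; for detectability, 5 = hardest to detect)
# and assumed region limits. All values are constructed for illustration.
SCALE = range(1, 6)
BROADLY_ACCEPTABLE_MAX = 20   # RPN <= 20: broadly acceptable
ALARP_MAX = 60                # 21..60: ALARP region; above: intolerable


@dataclass(frozen=True)
class Rating:
    severity: int
    frequency: int
    detectability: int

    def rpn(self) -> int:
        """Risk product number: severity x frequency x detectability."""
        for name, value in vars(self).items():
            if value not in SCALE:
                raise ValueError(f"{name}={value} is outside the 1-5 scale")
        return self.severity * self.frequency * self.detectability


def region(rpn: int) -> str:
    if rpn <= BROADLY_ACCEPTABLE_MAX:
        return "broadly acceptable"
    return "ALARP" if rpn <= ALARP_MAX else "intolerable"


@dataclass(frozen=True)
class HazardEntry:
    hazard: str
    harm: str
    before: Rating
    after: Optional[Rating] = None   # rating after risk reduction, if any
    evidence: Optional[str] = None   # test report / labeling reference in the file


def review(entry: HazardEntry) -> list:
    """Return the open findings for one line of the risk analysis."""
    findings = []
    initial = entry.before.rpn()
    residual = entry.after.rpn() if entry.after else initial
    if region(initial) != "broadly acceptable" and entry.after is None:
        findings.append("no risk reduction recorded")
    if entry.after is not None and residual >= initial:
        findings.append("risk reduction did not lower the RPN")
    if entry.after is not None and not entry.evidence:
        findings.append("no objective evidence of mitigation in the file")
    if region(residual) == "intolerable":
        findings.append("residual risk is intolerable")
    return findings


# Constructed sample entries; the first uses the article's hospital-bed example.
RISK_FILE = [
    HazardEntry("bed pinch point", "crushed finger",
                Rating(4, 3, 3), Rating(4, 1, 2), "TEST-REPORT-PLACEHOLDER"),
    HazardEntry("constructed hazard B", "constructed harm B",
                Rating(5, 4, 4), Rating(5, 4, 4)),
]
```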
Changes to Anticipate
The third edition of IEC 60601-1 carries several important implications for the performance of risk management.
• The standard becomes more than a single-fault test standard.
• The standard introduces a requirement for risk management (risk control) and for verification of its effectiveness.
• The manufacturer will have to maintain a risk management file to prove adherence to the standard.
• The IEC 60601-1 test report is a document that will have to be referenced in the risk management file.
It is very important to remember that both IEC 60601-1 and ISO 14971 state that it is the manufacturer’s responsibility to determine whether or not a risk is acceptable. The certification agency is not to determine this for the manufacturer. This is based on the idea that the manufacturer is knowledgeable about its products and how they are intended to be used. With respect to how the agencies are going to deal with risk management as presented in the new standard, there is nothing to do but wait and see.
Manufacturers of medical equipment can expect significant changes to come with the third edition of IEC 60601-1 in the requirements for risk management and essential performance. Some manufacturers may already be incorporating these requirements into their risk management procedures and will simply need to document their procedures. Others will soon be implementing new risk management and essential performance programs.
1. IEC 60601-1, 3rd ed., doc. 62A/449/CDV, “Medical Electrical Equipment—Part 1: General Requirements for Basic Safety and Essential Performance” (Geneva: International Electrotechnical Commission, 2004).
2. L Eisner, RM Brown, and D Modi, “A Primer for IEC 60601-1,” Medical Device & Diagnostic Industry 25, no. 9 (2003): 48–58.
3. ISO 14971, “Medical Devices—Application of Risk Management to Medical Devices” (Geneva: International Organization for Standardization, 2000).
4. ISO 13485:2003, “Medical Devices—Quality Management Systems—Requirements for Regulatory Purposes” (Geneva: International Organization for Standardization, 2003).
5. IEC 60601-1, “Medical Electrical Equipment—Part 1: General Requirements for Safety” (Geneva: International Electrotechnical Commission, 1988).
6. IEC 60601-1-6, “Medical Electrical Equipment—Part 1: General Requirements for Safety—Collateral Standard: Usability” (Geneva: International Electrotechnical Commission, 2004).
Leonard Eisner, PE, is head of Eisner Safety Consultants (Portland, OR), a firm that specializes in helping medical device manufacturers through the regulatory process. He is a member of the US TAG for TC 62 and SC 62A. He can be reached at firstname.lastname@example.org. Robert M. Brown is director of electrical safety test products for QuadTech (Maynard, MA), and Dan Modi is assistant director at Alcon Research Inc. (Irvine, CA).