It may be safe, but is it functionally safe?

Last updated: 25.07.2024

There are many standards focusing on the safety of medical devices. However, functional safety is oddly not so well represented. Much of this is partly due to the long list of standards and guidance documents that medical device manufacturers must work through. Another aspect is the lack of training and knowledge in the industry regarding this subject area.

What do we mean by functional safety?

Let’s start by looking at the definitions.

ISO 26262: absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems.
ISO 25119: system that performs in a way that does not present an unreasonable risk of injury to operators or bystanders.
The IEC 61508 Association: at its simplest, functional safety is the part of the overall safety relating to the equipment under control and its associated control system that depends on the correct functioning of the safety-related system.

Functional safety is ultimately active safety, focusing on a device that implements some ‘intelligent’ functionality. It is a term that usually applies to electrical, electronic, or programmable systems, where the design of the product will introduce a control function that has a safety relevance. So basically, functional safety is about the active parts of the system functioning correctly and not causing harm through malfunction.

In contrast to active safety, passive safety plays a big part in medical device development. Standards such as IEC 60601 and IEC 61010 cover many passive safety topics, e.g. the risk of electrocution, the concerns around mechanical injury, and the risk of burning to either operators or patients.

Passive safety is most easily considered when looking at either the physical spacing across a printed circuit board (PCB) or the number of insulating jackets on a mains cable. In both cases, we have physically added a passive barrier to meet the electrical isolation requirements.

Fig. 1 Passive safety

Functional safety focuses on the potential malfunction or loss of control of an active system. In Figure 2, the microcontroller MCU1 is responsible for controlling the speed and torque of the motor. If there is a malfunction of this motor control, then this could lead to potential harm to a driver and other road users. Hence, our focus here is the safety of this ‘intended function’. To meet the functional safety goals of the motor drive, a second microcontroller, MCU2, is added to check the correct operation of MCU1.

Functional safety inherently means the safe operation of a product in its intended function. So, if we take an ECG stress system, to be functionally safe, it must maintain control of its treadmill throughout the entire time it is operating.

To achieve a functionally safe system, a detailed analysis is required to determine potential malfunctions of the intended functionality followed by adding risk control mechanisms, such as MCU2 in Fig. 2, to mitigate the potential risk.

For passive safety, the risk analysis is equally important, but the outcome will focus more on adding additional creepage, clearance or solid insulation in the form of, for example, cable jackets.

Another passive safety concern might arise from insufficient information being given about the weight of the treadmill, causing an accident when someone moves it. This is typically mitigated by warning symbols and information in the accompanying documents.

Where the medical device industry is going

The medical device sector has seen a number of moves towards functional safety in the last few years. For example, IEC 61010-2-101 for in vitro devices has an annex referring to the use of functional safety standards such as ISO 13849 and IEC 62061, although with minimal explanation of what it actually means. IEC 60601-1 has the Programmable Medical Electrical Systems section 14, which introduces key terms from the functional safety world, but again with no real explanation of the meanings or potential solutions. It will be interesting to see what emerges in V4.0 of IEC 60601.

By Alastair Walker, Owner / Consultant