There is no shortage of standards concerning medical device safety, and quite rightly so. However, oddly enough, functional safety is not so well represented among them. We’ll leave the questions of why this is and why it matters for subsequent posts, but, for non-specialists in particular, it raises a more basic question: what exactly is the difference between functional and non-functional safety?
Let’s start by looking at a definition.
Here’s what the IEC has to say:
“Functional safety is the part of the overall safety [of a system or piece of equipment] that depends on a system or equipment operating correctly in response to its inputs.”
Functional safety focuses on the ability of a product to respond correctly to the commands and inputs it receives and to function safely, reliably and consistently every time. It is a term that usually applies to electrical, electronic or programmable systems. In short, functional safety is about the electrical, electronic and programmable parts of the system functioning correctly and not causing harm by malfunctioning. It also covers the parts of the system whose job is to prevent harm when something else does malfunction, such as an interlock or a cut-out.
A key part of ensuring functional safety is a robust risk management process. This allows us to identify functional safety hazards early in the development process and to ensure that their risk is minimised by inherently safe design or, where that is not possible, by incorporating preventive or protective mechanisms that avoid or mitigate the potential harm.
Non-functional safety on the other hand usually covers hazards like fire, electrical shock, radiation and toxicity that are not caused by the malfunction of electrical or electronic systems.
Non-functional safety is well covered by standards such as IEC 60601-1, but assessing the risk of, for example, a pacemaker failing to fire because of a systematic software fault or a random hardware failure is not so well addressed.
IEC 61508 provides the following example to help show the distinction. A thermal sensor in a system that causes the system to cut out if it overheats is a functional safety measure. Insulation to protect the system against high temperatures is a safety measure but not a functional safety measure. Both may prevent fire.
Now let’s work through a further example in more detail.
Functional safety inherently means the safe operation of a product while it performs its primary function. So, if we take an ECG stress system, to be functionally safe it must maintain control of its treadmill throughout the entire time the treadmill is running. Going further, it must control the treadmill’s speed and elevation exactly as defined in the requirements specification, and bring the treadmill to a safe state (typically a controlled stop) if it cannot, for instance because a sensor reading is missing or implausible.
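To make the thermal cut-out example and the treadmill example concrete, here is an added illustration (not code from the original post or from any real ECG stress system) of the functional safety measures a treadmill speed and elevation controller might implement: a thermal cut-out, plausibility checks on sensor data and commands that force a latched safe stop on malfunction, and clamping and rate limiting of commands to the envelope in the requirements specification. The limits, tick period, names and sample readings are all assumptions for illustration.

```python
"""Added example: a minimal treadmill controller with functional safety measures.
All limits and names below are assumptions, not taken from any real specification."""
import math
from dataclasses import dataclass
from typing import List, Optional

# Assumed operating envelope from a hypothetical requirements specification.
MAX_SPEED_KMH = 20.0
MAX_ELEVATION_PCT = 25.0
MAX_SPEED_STEP_KMH = 1.0    # largest speed change allowed per control tick
MAX_MOTOR_TEMP_C = 80.0     # thermal cut-out threshold (the IEC 61508-style example)
MAX_SENSOR_AGE_TICKS = 3    # a reading older than this is treated as a malfunction


@dataclass
class Command:
    speed_kmh: float
    elevation_pct: float


@dataclass
class Sensors:
    motor_temp_c: Optional[float]   # None models a missing reading
    age_ticks: int                  # ticks since the reading was last refreshed


@dataclass
class TreadmillState:
    speed_kmh: float = 0.0
    elevation_pct: float = 0.0
    safe_state: bool = False        # latched until an operator reset
    reason: str = ""


def safe_stop(state: TreadmillState, reason: str) -> TreadmillState:
    """Bring the treadmill to the defined safe state and latch it."""
    state.speed_kmh = 0.0
    state.safe_state = True
    state.reason = reason
    return state


def control_tick(state: TreadmillState, cmd: Command, sensors: Sensors) -> TreadmillState:
    """One control cycle. Mutates and returns the state.

    Functional safety measures, in priority order:
      1. fail safe on missing, stale or non-finite inputs (malfunction -> stop)
      2. independent thermal cut-out
      3. clamp the command to the specified envelope and rate-limit speed changes
    """
    if state.safe_state:
        return state                                    # latched: ignore commands
    if sensors.motor_temp_c is None or sensors.age_ticks > MAX_SENSOR_AGE_TICKS:
        return safe_stop(state, "sensor fault")
    if not (math.isfinite(cmd.speed_kmh) and math.isfinite(cmd.elevation_pct)):
        return safe_stop(state, "invalid command")
    if sensors.motor_temp_c > MAX_MOTOR_TEMP_C:
        return safe_stop(state, "overtemperature")
    target = min(max(cmd.speed_kmh, 0.0), MAX_SPEED_KMH)
    delta = max(-MAX_SPEED_STEP_KMH, min(MAX_SPEED_STEP_KMH, target - state.speed_kmh))
    state.speed_kmh = round(state.speed_kmh + delta, 6)
    state.elevation_pct = min(max(cmd.elevation_pct, 0.0), MAX_ELEVATION_PCT)
    return state


def operator_reset(state: TreadmillState) -> TreadmillState:
    """Explicit reset is the only way out of the latched safe state."""
    return TreadmillState()


def run_scenario() -> List[TreadmillState]:
    """Constructed scenario: operator asks for 12 km/h at once, then the motor overheats."""
    state = TreadmillState()
    ticks = [
        (Command(12.0, 5.0), Sensors(40.0, 0)),   # ramp is rate-limited to 1 km/h
        (Command(12.0, 5.0), Sensors(41.0, 0)),
        (Command(12.0, 5.0), Sensors(85.0, 0)),   # overtemperature -> safe stop
        (Command(12.0, 5.0), Sensors(42.0, 0)),   # ignored: state is latched
    ]
    trace = []
    for cmd, sensors in ticks:
        control_tick(state, cmd, sensors)
        trace.append(TreadmillState(**vars(state)))  # snapshot
    return trace


if __name__ == "__main__":
    for i, s in enumerate(run_scenario()):
        print(i, s)
```

The ordering matters: the malfunction and thermal checks run before the command is even looked at, so a software fault that produces a bad set-point cannot override the cut-out, and the safe state is latched so that a transient return to normal readings does not silently restart the belt under the patient.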
Non-functional safety means meeting safety requirements that are not about correct functioning. For the ECG stress system, a non-functional safety issue could arise if the electrical isolation is inadequate: the patient or nurse may receive an electric shock from the treadmill when they touch it. This is non-functional because it has nothing to do with the control of the treadmill’s speed or elevation. It is purely a case of designing the electrical isolation properly.
Another non-functional safety issue might arise from insufficient information being given about the weight of the treadmill, causing an accident when someone moves it.
Definitions, and by extension standards, are important. Without a functional safety standard, medical device manufacturers may well do the right thing to ensure the safety of their device, but without a standard to refer to it is hard to demonstrate that they have. We’ll look at this in more detail soon.