“Basic Safety” and “Essential Performance” are key to medical device design.
- Posted by Nick Greusel
- On September 7, 2021
- Basic Safety, Essential Performance, Medical Device Design
Applying concepts of “Basic Safety” and “Essential Performance” are key to medical device design. Essential Performance is more nuanced than Basic Safety, and this article focuses on the concept of Essential Performance. We explain the concept, how it’s used, and provide practical examples for medical device R&D leaders and engineers.
If you’re going to make a medical electrical device, you’re going to have to meet the requirements of IEC 60601. Within 60601, one phrase appears many times across its various clauses and tests: “Basic safety and essential performance shall be maintained.” In fact, the title of 60601-1 is “Medical electrical equipment – Part 1: General requirements for basic safety and essential performance.” If a device fails to maintain either “basic safety” or “essential performance” in any of a multitude of 60601-specified tests and fault conditions, it won’t get certified to 60601, causing delays (or worse). Before submitting a device for testing and certification, it’s important to understand those terms and have confidence that the design meets basic safety and essential performance requirements.
Both basic safety and essential performance are crucial for patient and operator safety, but in different ways. “Basic safety” has a fairly straightforward definition in 60601, but “essential performance” is more nuanced, and requires the manufacturer to help define it for their particular product. For that reason, this article will focus on the “essential performance” half of this pair. Does your product have it, and what is it? When you submit your device for 60601 certification, the reviewer will ask you for documentation containing your answers to these questions. The good news is that as the manufacturer, you get to decide! But don’t get too excited; there’s a catch: your decision needs to be supported by a good risk management process and documentation, or the reviewer may disagree with your definition and not certify your device.
The definition of essential performance in IEC 60601-1 is short, but the concept is integral to developing safe and effective devices. A well-constructed risk management process and clinical insight are key to establishing essential performance. We encourage you to contact the authors if you would like to discuss specific examples or share your experiences with unique cases.
In Brief:
- IEC 60601 requires that a device maintain basic safety and essential performance in normal and single-fault conditions.
- Essential performance is any performance (apart from basic safety) that, if lost, results in unacceptable risk. Risk acceptability is determined through ISO 14971-compliant risk management processes.
- The manufacturer determines the essential performance, but their determination will be reviewed for conformance with 60601 and 14971 when it is submitted for certification.
- Many particular standards for certain device types and functions (60601-2-xx and 80601-2-xx series) have specific performance requirements that must be included in the manufacturer-defined essential performance.
- Not all medical devices have essential performance, but if a device is serving an important function, it’s likely to have some.
What are “basic safety” and “essential performance”?
First, the definitions:
- “Basic safety: freedom from unacceptable risk directly caused by physical hazards when ME equipment is used under normal condition and single fault condition.” (IEC 60601-1 Edition 3.2 (2020), clause 3.10)
- “Essential Performance: performance of a clinical function, other than that related to basic safety, where loss or degradation beyond the limits specified by the manufacturer results in unacceptable risk.” (IEC 60601-1 Edition 3.2 (2020), clause 3.27)
In other words: Basic safety concerns the physical hazards related to your device. For example: Can it pose a shock hazard, a crushing hazard, have sharp edges, etc.? Essential performance concerns whether your device is doing what it is designed to do well enough that it’s not creating any unacceptable risk. For example, if a heart rate monitor isn’t reading correctly, that could create risk to the patient if a clinician is relying on that information to guide treatment. Inaccurate heartrate readings don’t create a direct physical hazard, but nevertheless it’s potentially risky to the patient since it may cause the clinician to make decisions based on incorrect information.
It’s important to note that not every medical device has essential performance. However, it is very common. Generally, the more important a device’s intended use is, the more likely it is to have essential performance. If a clinician will be relying on your device to accomplish an important task, that’s an indicator that it likely has essential performance.
Clause 4.3 of 60601-1 describes the general requirements around essential performance, explaining in more detail how a manufacturer must identify the performance limits that constitute essential performance. We will look at some of these steps in more detail in a moment, but first it’s important to understand that the determination of a product’s essential performance is an output of the full risk management process required by ISO 14971, “Medical devices – Application of risk management to medical devices”. Essential performance is not something that can be defined and determined separately from that risk management process. Without a foundation in a good risk management process, any definition of a product’s essential performance won’t hold up to scrutiny by a reviewer. The definition of essential performance hinges on determining performance that, if lost, results in “unacceptable risk.”
Determining what constitutes an “unacceptable risk” and the process for identifying and analyzing risks are governed by ISO 14971 (also see guidance in ISO/TR 24971:2020 “Medical devices – Guidance on the application of ISO 14971”). Establishing a good 14971-compliant risk management process is beyond the scope of this article, but is critical to good determination of a device’s essential performance, and to good analysis of risks and hazards well-informed by clinical insight. If the risks are not clearly identified and analyzed, it’s impossible to make a good judgement about which performance aspects of the device are “essential” to prevent unacceptable risks.
Essential performance requirements outside of 60601-1
The concept of essential performance is used not only in the general 60601-1 standard, but throughout its collateral standards such as 60601-1-2 (electromagnetic disturbances), and its many particular standards for various equipment types or features, such as 80601-2-56 (clinical thermometers). Many of these standards include their own requirements regarding conditions under which essential performance must be maintained, and some of the particular standards have explicit performance requirements that must be included as part of a device’s essential performance if that particular standard is applicable.
How is essential performance determined in practice, step by step?
- Begin risk analysis per ISO 14971. Make sure the process for identifying and analyzing risks is well-understood. Contact the authors if you would like to see examples of this risk analysis process in action.
- Consult any particular standards (60601-2-xx and 80601-2-xx series) that are applicable to your device. They may specify performance that must be included in essential performance (the accuracy of a pulse oximeter, for example). However, the following steps must also be completed to determine if there is essential performance in addition to what any particular standards specify.
- During risk analysis, “identify the performance of the clinical function(s), other than that related to basic safety, that is necessary to achieve its intended use or that could affect the safety of the ME equipment or ME system” (per 60601-1 cl 4.3). Start by thinking about the intended use of your device. If it fails to do what it is intended to do, what are the risks? A performance specification like “the blade is sharp enough (to cut the tissue as intended)” is something that might end up being essential performance, since it involves achieving the intended use. Specifications related to direct physical hazards like “the handle is strong enough (and will not break and expose the operator to an electrical shock hazard)” would instead fall under the definition of basic safety and thus be excluded from essential performance.
- “Specify performance limits between fully functional and total loss of the identified performance in both normal condition and single fault condition” (per 60601-1 cl 4.3). This is where the manufacturer’s judgement starts to come into play. Bear in mind that the limits chosen will be analyzed for risks in the next step. Also note that two sets of limits can be chosen. One set of limits can be chosen for normal condition while a different set of limits can be chosen for single fault conditions, or the limits can be the same. But if different limits are chosen, performance outside of both sets of limits still needs to be analyzed for risks in the next step.
- Evaluate the risks of the device failing to perform within those limits. (Per 60601-1 cl 4.3: “…evaluate the risk from the loss or degradation of the identified performance beyond the limits specified by the manufacturer.”) Evaluate these risks in the same manner as any other risk according to the manufacturer’s 14971-compliant risk management process.
- Are the resulting risks (of failing to perform within the specified limits) acceptable or unacceptable risks according to the criteria established in the manufacturer’s risk management plan? Any identified performance that has unacceptable risks when the performance is outside the limits is considered essential performance
It may take a few iterations of these steps to settle on the essential performance (particularly steps 4, 5, and 6, since the choice of the performance limits affects the resulting risks of performance outside those limits). But at the end, if the risk management process is sound, the essential performance should be relatively clear.
If your device has essential performance, then:
- “Implement risk control measures to reduce the risk from the loss or degradation of the identified performance to an acceptable level” (60601-1 cl 4.3). This clause also includes an important note: “The performance of the risk control measure might well become an aspect of the essential performance of the ME equipment or ME system. For example, the generation of the alarm signal to indicate the interruption of the supply mains could be “essential” if an interruption of the supply mains could result in an unacceptable risk if it went unattended.”
- “The manufacturer shall specify the methods used to verify the effectiveness of the risk control measures. This shall include any assessment made to determine whether verification is needed.” (60601-1 cl. 4.3)
- There are many tests in 60601-1 and its collateral and particular standards that specify “basic safety and essential performance shall be maintained” during or after the test. Ensure that your device will maintain its essential performance in those tests.
If your device does not have any essential performance, then:
- Double check. The more important the intended use of your device, the more likely it is that it could have unacceptable risks if it fails to perform as intended.
- Your device will still need to maintain basic safety, so be sure to analyze those risks properly and ensure that your device will maintain basic safety wherever required by tests in 60601.
Let’s look at several examples, simplified for brevity.
These examples do not represent real cases, real technical specifications, or complete risk management processes.
A sequential compression device (SCD) to improve blood flow in the legs and prevent deep vein thrombosis (DVT).
- Start the risk analysis process – The manufacturer starts risk analysis and begins identifying and analyzing all kinds of risks relevant to the device.
- Consult particular standards – Looking at the list of particular 60601-2-xx and 80601-2-xx standards, the manufacturer does not identify any particular standards applicable to their device, so no specific essential performance aspects are required by any of those particular standards.
- Identify necessary performance – The manufacturer determines that to achieve its intended use, the bladders of the SCD are intended to achieve a pressure of approximately 50 mmHg.
- Specify performance limits – The manufacturer chooses to specify that the pump should supply between 25 and 75 mmHg to the bladders in both normal and single fault conditions.
- Evaluate risks outside limits –
- At less than 25 mmHg, the manufacturer determines there is a risk that the SCD may not provide sufficient pressure to effectively improve circulation. In the manufacturer’s risk analysis, clinical experts advised them that this is a low-severity risk in the particular clinical context that their device is to be used. According to the manufacturer’s risk acceptability criteria in their risk management plan, this risk is deemed acceptable.
- At pressures greater than 75 mmHg, the manufacturer determines that tissue damage can become a risk, but this is a direct physical hazard that falls under the category of “basic safety.” This risk still needs to be analyzed and controlled to acceptable levels, but it because it is captured in basic safety, it is excluded from essential performance.
- Determine essential performance – All risks from performance outside the identified limits meet the criteria for acceptable risks, so the manufacturer determines that the device has no essential performance.
The definition of essential performance in IEC 60601-1 is short, but the concept is integral to developing safe and effective devices. A well-constructed risk management process and clinical insight are key to establishing essential performance. We encourage you to contact the authors if you would like to discuss specific examples or share your experiences with unique cases.
A thermometer intended to sound an alarm if the patient’s temperature suddenly increases.
- Start the risk analysis process – The manufacturer starts risk analysis, and begins identifying and analyzing all kinds of risks relevant to the device.
- Consult particular standards – Looking at the list of particular 60601-2-xx and 80601-2-xx standards, the manufacturer initially identifies 80601-2-56 “Clinical thermometers for body temperature measurement” as relevant. It specifies some essential performance aspects related to accuracy and alarms, so the manufacturer make sure to include them as essential performance for their device, but continues analysis to determine if their thermometer has any other essential performance.
- Identify necessary performance – Among other requirements, the manufacturer determines that to achieve its intended use, the device should be able to respond to a 1°C change in temperature within 30 seconds.
- Specify performance limits – The manufacturer chooses to specify that when the measurement site changes temperature by 1°C, the thermometer must respond to within a 0.2°C maximum tolerance within 30 seconds.
- Evaluate risks outside limits – If the thermometer takes longer than 30 seconds to respond to an increase of 1°C, the manufacturer determines that the alarm may not sound in time to alert a clinician to an important condition, which may be a hazard to the patient. After analyzing this risk, the manufacturer finds it unacceptable according to the risk acceptability criteria in their risk management plan.
- Determine essential performance – The risks due to response time slower than the 30 second limit were found unacceptable, so the manufacturer determines that this performance limit is part of essential performance, in addition to the essential performance aspects already defined in 80602-2-56. The manufacturer must now put in place risk controls to reduce the risk from loss of essential performance to acceptable levels. And they must also maintain essential performance wherever 60601 requires that it be maintained.
ABOUT THE AUTHOR(S)
Nick Greusel
Nick has been designing products for 12 years in the consumer electronics and medical industries, from rugged outdoor GPS systems to delicate surgical instruments and dozens of things in between. He designs, tests, and optimizes products for reliable mechanical performance in whatever conditions and uses it might encounter.