functional safety in the medical industry

Functional Safety Testing of Medical Devices

Transform an innovative design into a reliable and marketable product

Functional Safety in the Medical Industry

Medical devices are among the most highly regulated products in the world. Functional safety is an additional step that focuses on the product's ability to function correctly and safely in response to its inputs. It assures that a safety-related system in the device offers the risk reduction required to minimize the severity and probability of harm in the event of a malfunction.

Under regulatory requirements, all medical electrical equipment must comply with the IEC 60601 standard series to ensure its safety. Per IEC 60601-1, the safety of medical electrical equipment covers basic safety and essential performance (EP). For that reason, medical device manufacturers must be aware of any changes in the standardization initiative for single fault safety in the IEC 60601 series.

Webinar: Functional & Single Fault Safety In Medical Devices

Our assessment services

Functional safety should be addressed throughout the product development cycle, particularly in the product’s initial design, to avoid costly rework. Our testing services cover every step of product development.

  • Independent Safety Assessment (ISA) - TÜV SÜD’s team of experts can test the functional safety concept of a medical device while it is in the design stage, and after it is implemented and prototyped. We also offer ISA on the overall risk management system to determine if it is sufficient for the stringent requirements placed on medical devices.
  • Software Safety Assessment - A software glitch in sophisticated medical equipment such as MRI and X-Ray machines can have catastrophic consequences for patients and operators. That is why TÜV SÜD’s functional safety program emphasizes the assessment of medical software against safety standards such as IEC 60601 and IEC 62304.
  • Product Testing - We also offer electrical safety testing, electromagnetic compatibility testing and environmental testing services for medical devices.

our functional safety expertise

TÜV SÜD developed the world’s first functional safety certification program for professionals in the process industry in 1999. Since then, we have certified more than 1,000 functional safety experts globally and issued more than 2,000 certificates for functional-safety-tested products. Our experts serve on standardization committees for functional safety and can inform you about emerging standards and regulations so that you stay ahead of the competition.

In the field of medical devices, TÜV SÜD is the largest Notified Body in the world, having over 700 dedicated medical health and services experts situated in major markets worldwide. In addition, we have a dedicated Regulatory Foreign Affairs & Clinical Department for monitoring and understanding updates in medical health services and devices regulations worldwide.


Our experts actively participate in international advisory bodies and standardization committees. This industry-leading expertise underpins the wide public awareness and the first-class international reputation of the TÜV SÜD brand.

medical device safety


  • What is functional safety?

    Generally, functional safety deals with hazards that arise from the function of a device. According to IEC 61508, it is the ability of a safety-related system to carry out the actions necessary to achieve a safe state for the EUC (equipment under control) or to maintain a safe state for the EUC.

  • When do we have to apply functional safety?

    We should apply functional safety in the following situations:

    a. significant risk is related to a function of a medical device, or

    b. product specific standard contains explicit requirements related to functional safety.

    Significant risk means that there is an unacceptable risk related to a function before risk mitigation measures have been applied or that there is a high severity (e.g. death or serious injury) behind a functional risk regardless of the probability.

    The second option is necessary because assuming a very low probability for a high-severity risk might make that risk appear acceptable even before risk mitigation measures have been applied. We therefore need to challenge the evidence for this low probability and look into those functions as well.

    A typical example would be that the probability of a micro-controller failure is rated so low that the risk is acceptable without mitigation measures.

  • Why is functional safety important?
    By undertaking risk analysis and manufacturing medical devices that are functionally safe, your company benefits from increased market acceptance and positive brand associations. Failure to ensure functional safety can have dire consequences.
  • What is the functional safety philosophy?

    The following six items build the basis of a functional safety evaluation:

    1. A first random hardware failure can occur at any time at any place.
    2. The first failure shall not cause an unacceptable risk.
    3. If the first failure is obvious to the operator, the device will no longer be used and it will be fixed (operator's manual!). End of procedure.
    4. If the first failure cannot be detected, then after some time (MFOT) a second failure has to be assumed.
    5. Also, the combination of the first and second failure shall not cause a hazard.
    6. End of procedure. Note: The occurrence of three independent random hardware failures is usually not assumed within the typical lifetime of an electrical medical device (valid only for functional safety).
  • What is the Multiple Fault Occurrence Time (MFOT)?

    The MFOT is the time in which two independent failures can be neglected.

    For some products the MFOT is defined in the respective standards. For instance, the MFOT for infusion pumps is defined as the replacement time of the disposable. Some other standards lack such a definition. In that case it is common to assume an MFOT in the range of one treatment (if the treatment is not too long), once a day, etc.

    For simple components where high reliability can be shown by objective evidence, the MFOT can be extended (e.g. a highly reliable emergency stop button might be tested once a year during the regular safety inspection).

  • What is the Mean Time Between Failure (MTBF) or the Mean Time To Failure (MTTF)?

    The mean time between failures (MTBF) is the average time between two consecutive failures. The mean time to failure (MTTF) is the average time until the (first) failure. The probability of such an event is ~50% at those points in time. Those times are significantly higher than the MFOT (e.g. by a factor of 100).

  • What is the fault tolerance time (FTT)?

    The fault tolerance time describes the time an error can persist before it becomes dangerous. In contrast to the MFOT, the fault tolerance time depends on the hazard.

  • Why are self-tests required?

    Self-tests of the device help to make a latent ("sleeping") first failure detectable and visible to the user. Once the failure is visible, item 3 of the philosophy applies.

  • How often should the device execute a self-test?

    Self-tests have to be executed at intervals smaller than the multiple fault occurrence time (MFOT).

  • Which architectures are suitable to fulfill functional safety?

    The most common system architectures, along with their suitability and requirements regarding functional safety are described in the table below. The control system controlling the function (relevant to functional safety) is marked as C and the protective system is marked as P.

    The example shows a simplified part of a baby incubator. The hazard used as an example is over-temperature (temperature above 41 °C). The control system is responsible for controlling the temperature, e.g. with a closed-loop controller. When the temperature reaches 41 °C, a protective system has to turn off the heater. Remark: other parts of the system, such as sensors, are not shown.

    Each simplified architecture is listed below with its suitability and requirements.

    Pure control system (C)

    "Not suitable"

    A pure control system (C) is not acceptable for functional safety, as it violates item 2 of the philosophy.

    Control system + independent shutdown path (C + WD)

    "Could be acceptable"

    Requirements for self-tests:

    - self-tests of C in times ≤ FTT and the category "medium" according to IEC 61508
    - self-test of the watchdog + shutdown path in times ≤ MFOT and the category "simple" according to IEC 61508, or of the functionality as a black box

    A control system with an additional watchdog might be acceptable. However, this is complicated to achieve, because the entire functionality of the control system must be tested within the fault tolerance time, and with a greater depth of self-test (category "medium" according to IEC 61508). The watchdog, including its shutdown path, has to be tested within the MFOT.

    It might be possible to reduce the self-tests by implementing a diverse (not redundant) control and protective system within the single physical channel. The diversity must be such that no single hardware failure affects both channels in the same way. Potential common-mode failures still need to be covered by the intensive self-tests mentioned before.

    Control system + protective system (CP)

    "The standard case"

    Requirements for self-tests:

    - self-test of P in times ≤ MFOT and the category "simple" according to IEC 61508. The self-test can be done piece by piece or as a black-box test of the functionality.

    A control system with an independent protective system is widely used in functional safety. The protective system has to be tested within the MFOT (category "simple" according to IEC 61508, or as a black box).

    Control system + two protective systems (CPP)

    "This case is used when self-tests are not possible"

    Requirements for self-tests:

    - none

    A control system with two independent protective systems does not require any self-tests. This kind of architecture is typically used when self-tests are not possible, e.g. for over-voltage protection.

    Control system + protective system in one piece of hardware (CP in one hardware)

    "The complex case"

    Requirements for self-tests:

    - the level of self-tests needed for the controller (C and P) depends on the diversity of C and P
    - self-test of the watchdog + shutdown path in times ≤ MFOT and the category "simple" according to IEC 61508, or of the functionality as a black box
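    As an added illustration (not part of the TÜV SÜD page or any product), the toy Python model below replays the incubator example in a CP architecture: C regulates the heater, an independent P must cut it at 41 °C, and a latent failure in P is only caught by a periodic black-box self-test. The time steps, 37 °C setpoint, heating and cooling rates, 25 °C ambient floor and MFOT length of 100 ticks are constructed assumptions; the model shows the first failure handled by P alone, the undetected second failure when P is never self-tested within the MFOT, and the safe state reached when the self-test interval is shorter than the MFOT.

```python
from dataclasses import dataclass
SETPOINT_DC = 370    # constructed: C regulates to 37.0 °C (all temperatures in tenths of °C)
OVER_TEMP_DC = 410   # from the page: P must switch the heater off at 41 °C
MFOT_STEPS = 100     # constructed: multiple fault occurrence time, in ticks


@dataclass
class Incubator:
    temp: int = SETPOINT_DC
    heater_on: bool = False
    c_sensor_stuck_low: bool = False     # first failure: C's sensor reads 30.0 °C forever
    p_comparator_stuck_ok: bool = False  # latent failure: P never demands a shutdown
    tripped: bool = False                # safe state: heater permanently off

    def control(self) -> None:
        """C: two-point closed-loop controller acting on its own sensor reading."""
        reading = 300 if self.c_sensor_stuck_low else self.temp
        self.heater_on = reading < SETPOINT_DC

    def protective_trip(self, reading: int) -> bool:
        """P: independent comparator on its own sensor path; True means cut the heater."""
        return (not self.p_comparator_stuck_ok) and reading >= OVER_TEMP_DC

    def self_test_p(self) -> bool:
        """Black-box self-test of P: feed an over-temperature reading and expect a trip."""
        return self.protective_trip(OVER_TEMP_DC + 10)

    def physics(self) -> None:
        if self.tripped:
            self.heater_on = False
        # heater adds 0.5 °C per tick, otherwise cool 0.5 °C per tick down to 25 °C ambient
        self.temp = self.temp + 5 if self.heater_on else max(250, self.temp - 5)


def simulate(steps, p_fault_at=None, c_fault_at=None, self_test_every=None):
    """Return (max temperature in tenths of °C, hazard occurred, device tripped)."""
    inc, max_temp = Incubator(), SETPOINT_DC
    for t in range(steps):
        if t == p_fault_at:
            inc.p_comparator_stuck_ok = True   # philosophy item 1: a fault at any time
        if t == c_fault_at:
            inc.c_sensor_stuck_low = True      # item 4: second failure assumed after MFOT
        if self_test_every and t % self_test_every == 0 and not inc.self_test_p():
            inc.tripped = True                 # failed self-test: device withdrawn (item 3)
        inc.control()
        if inc.protective_trip(inc.temp):
            inc.tripped = True                 # P cuts the heater at 41 °C
        inc.physics()
        max_temp = max(max_temp, inc.temp)
    return max_temp, max_temp > OVER_TEMP_DC, inc.tripped
```

    Running `simulate(150, p_fault_at=5, c_fault_at=MFOT_STEPS, self_test_every=40)` ends in the safe state without exceeding 41 °C, while the same scenario with no self-test (or one scheduled beyond the MFOT) lets the second failure drive the temperature past the hazard threshold.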


IEC 60601-1

IEC 60601-1 (Edition 3.2)

Learn about the IEC 60601-1 (Edition 3.2) and be aware of the varying regulatory transition periods worldwide.
