Functional Safety Testing of Medical Devices

Generally, functional safety deals with hazards, which arise from the function of a device. According to IEC 61508, it is the ability of a safety-related system to carry out the actions necessary to achieve a safe state for the EUC (equipment under control) or to maintain a safe state for the EUC.

We should apply functional safety in the following situations:

a. significant risk is related to a function of a medical device, or

b. product specific standard contains explicit requirements related to functional safety.

Significant risk means that there is an unacceptable risk related to a function before risk mitigation measures have been applied or that there is a high severity (e.g. death or serious injury) behind a functional risk regardless of the probability.

The second option is necessary because when a very low probability is assumed behind risks of a high severity, might result in an acceptable risk even before risk mitigation measures have been applied. Additionally, we need to challenge the evidence regarding this low probability and look into those functions as well.

A typical example would be that the probability of a micro-controller failure is rated so low that the risk is acceptable without mitigation measures.

By undertaking risk analysis and manufacturing medical devices that are functionally safe, your company benefits from increased market acceptance and positive brand associations. Failure to ensure functional safety can have dire consequences.

The follow six items build the basis of a functional safety evaluation:

1. A first random hardware failure can occur at any time at any place.
2. The first failure shall not cause an unacceptable risk.
3. If the first failure is obvious to the operator, the device will no longer be used and it will be fixed (operators manual!). End of procedure.
4. If the first failure cannot be detected, then after some time (MFOT*) a second failure has to be assumed.
5. Also, the combination of first and second failure shall not cause a hazard.
6. End of procedure. Note: The occurrence of three independent random hardware failures is usually not assumed within the typical lifetime of an electrical medical device (valid only for functional safety.

The MFOT is the time in which two independent failures can be neglected.

For some products the MFOT is defined in the respective standards. For instance, the MFOT for infusion pumps is defined as the replacement time of the disposable. It is worth noting that there are some other standards which are lacking a definition. However, it is common that the MFOT is assumed to be in the range of one treatment (in case the treatment is not too long), once a day etc.

For simple components where a high reliability can be shown by objective evidence the MFOT can be extended (e.g. a high reliable emergency stop button might be tested once a year during the regular safety inspection).

The mean time between two failures is the average time between two failures. The mean time to failure is the average time till a (first) failure. The probability of those event is ~50% at those points in time. Those times are significantly higher than the MFOT (e.g. a factor of 100).

The fault tolerance time describes the time an error can persist before it gets dangerous. In contrast to the MFOT, the fault tolerance time depends on the hazard.

Self-tests of the device help to make a sleeping first failure detectable/visible to user. In case they are visible, point #3 of the philosophy applies.

Self-tests have to be executed at intervals smaller than the multiple fault occurrence time (MFOT).

The most common system architectures, along with their suitability and requirements regarding functional safety are described in the table below. The control system controlling the function (relevant to functional safety) is marked as C and the protective system is marked as P.

The example shows a simplified part of a baby incubator. The hazard used as example is over-temperature (temperature above 41 °C). The control system is responsible for controlling the temperature e.g. with a closed loop controller. In the event when the temperature reaches 41 °C, a protective system has to turn off the heater. *Remark: other parts of the system, like sensors are not shown.

Simplified architecture	Suitability and requirements
	Pure control system (C) "Not suitable" A pure control system (C) is not acceptable for functional safety as it violates item 2) of the philosophy.
	Control system + independent shutdown path (C + WD) "Could be acceptable" Requirements for self-tests: - self-tests of C in times ≤ FTT and the category "medium" according to IEC 61508 - self-test of the watchdog + shutdown-path in times ≤ MFOT and the category "simple" according to IEC 61508 or functionality as black-box A control system which has an additional watchdog might be acceptable. However, this is complicated to achieve because the entire functionality of the control system must be tested in the fault tolerance time. In addition to that, with increased deepness of the self-test (category medium according to IEC 61508). The watchdog including its shutdown path has to be tested in the MFOT. It might be possible to reduce the self-tests by implementing a diverse (not redundant) control and protective system within the only physical channel. The diversity will be such that no single hardware failure affects both channels in the same way. Potential common-mode-failures still needs be covered by the intense self-tests mentioned before.
	Control system + protective system (CP) "The standard case" Requirements for self-tests: - self-test of P in times ≤ MFOT and the category "simple" according to IEC 61508. The self-test can be done piece by piece or as black-box for the functionality. A control system with and independent protective system is widely used in functional safety. The protective system has to be tested in the MFOT (category simple according to IEC 61508 or as black-box).
	Control system + protective system (CPP) "This case used when self-tests are not possible" Requirements for self-tests: - none A control system with two independent protective systems does not require any self-tests. This kind of architecture is typically used when self-tests are not possible - e.g. for over-voltage protection.
	Control system + protective system in one piece of hardware (CP in one hardware) "The complex case" Requirements for self-tests: - the level of self-tests needed for the controller (C and P) depends on the diversity of C and P -self-test of the watchdog + shutdown-path in times≤MFOT and the category "simple" according to IEC 61508 or functionality as black-box