IEC 60601 – Essential Performance, Safety and Risk Management
IEC 60601 is a series of technical standards for the safety and essential performance of medical electrical equipment. Although it focuses primarily on electromechanical devices, it also applies to aspects of the software components. It is a widely recognized standard that most, if not all, medical device companies have to comply with.
The concept of Essential Performance of a Medical Device is at the center of IEC 60601-1. It is intended to be one of the outputs of the Risk Management Process.
Any function identified as Essential Performance must be maintained after the applicable tests listed in the standard. In practice it must be ensured in any single fault condition.
Essential performance is defined as “performance of a clinical function, other than that related to basic safety, where loss or degradation beyond the limits specified by the MANUFACTURER results in an unacceptable risk. NOTE: ESSENTIAL PERFORMANCE is most easily understood by considering whether its absence or degradation would result in an unacceptable RISK”.
Par 4.3 then goes into the details of how to determine what Essential Performance is for a specific medical device. It is intended to be a risk-based approach, where failures resulting in unacceptable risks are pointers to essential performance.
But, as required by ISO 14971, unacceptable risk is by definition, well, not acceptable. The manufacturer must mitigate it to bring it to an acceptable level. So, after mitigation, all risk should be acceptable. Does it mean there is no Essential Performance?
At the same time, the risk levels before mitigation could be scored significantly high due to uncertainty in the design and lack of data. Many of them could be at an Unacceptable level. This may then result in an unnecessary flood of functions being identified as Essential Performance.
Annex A of IEC 60601-1 provides some insight on a balanced determination of Essential Performance. It suggests that taking the list of hazards and harms, then scoring them assuming P1=1, would lead to the correct identification of this performance. If P1 is not available, then it is required to define the probability of each harm happening assuming that the fault occurs. Limiting the selection to the identified hazards and harms will provide a much smaller list. The standard also specifies that Basic Safety requirements, covered by the different clauses, are not to be considered Essential Performance, and should not be listed as such.
The resulting Essential Performance should be a concise list of basic characteristics without which the device would be “too dangerous” to use; risk controls can also be essential performance, e.g. the correct operation of alarms under single fault condition. This list is typically quite short, and it is not uncommon for devices not to have any Essential Performance.