ARTICLE FOCUS:
• Risk assessment in the compliance process
• Essential performance and basic safety
• Status update for the US, Canada, and Europe

The third edition of IEC 60601-1—as compared to the second edition—presents a monumental change in approach to the testing of medical devices. This standard places a lot of attention on the risk management, ISO 14971, and essential performance of the equipment. Because of the lack of uniformity between the European Union, the United States, and Canada at this time, both standards are still used today. For medical device manufacturers, it is often hard to decide which version of the standard is the one they should use. Most people in industry are opting for both versions of IEC 60601-1 to satisfy the requirements.

IEC 60601 medical device testing.

Risk assessment
Everyone who participated in the third edition certification process and worked on the risk assessment portion of it understands the laborious nature of this process. Since the risk assessment in the third edition is an all-encompassing requirement, it requires a lot of effort on the manufacturer’s part. Clause-by-clause analysis needs to take place to make the risk assessment a valuable document; otherwise, a back and forth with the certification agency and/or test lab is needed to ensure that this important document is accurate and useful. The compliance of the risk assessment requirement is normally checked by a careful review of the risk management file.¹

A major difference between the second and third editions of IEC 60601-1 is that the third edition requires the use of the risk assessment in the compliance process. It requires the manufacturers of the medical products to perform a risk analysis using a formal risk management system. This should not come as a total surprise to most medical device manufacturers, since in the past several years these manufacturers have been adopting the ISO 14971 standard pertaining to the application of risk management to medical devices as a result of regulatory requirements issued in the United States, Europe, and Canada. Manufacturers should refer to both ISO 13485 as a quality management standard and to ISO 14971, which technically is not a requirement for the IEC 60601 third edition but serves as an aid for the management of the risk.^2,3

Risk management is an inherent part of the third edition. Not only is there a general requirement for manufacturers to establish a risk management process that conforms to ISO 14971, but there are also more than 100 times where the standard directs manufacturers to determine risk acceptability in applying a particular requirement. At each of these decision points, the manufacturer must estimate the risk of its device and take an action dependent upon how that risk compares with its predefined levels of risk acceptability. The third edition still contains objective tests and pass/fail criteria, and a manufacturers may choose simply to follow such requirements in the design of its device. There are still more than 100 decision points, however, where risk acceptability must be assessed in order to select an appropriate option to achieve compliance, define necessary pass/fail criteria, determine testing parameters, and add a particular safety feature if needed.

The risk management process does much more than this though in determining compliance to the third edition. The introduction to the 60601 third edition standard states that, “In all cases, the risk management process will determine whether the requirements of the standard are appropriate and acceptable.” Therefore, the risk management process that is established by the manufacturer should allow a certain amount of freedom. Based upon the risk management process, the manufacturer is allowed to interpret the requirements of the standard to the needs of the device and its intended use, rather than adjusting the device design to the requirements of the standard. The second edition of the standard included a similar idea in an alternate construction clause, but the risk management process required by the third edition has much more far-reaching effects. ¹

In order to claim conformity with the third edition, a manufacturer must establish a risk management process that conforms to ISO 14971. It is important to note that this risk management process must address the entire life cycle of the device, not just the design. Risk management, as described by ISO 14971, is a self-development process through which the manufacturer must use knowledge gained at the maturity stage of the life cycle process to gauge, improve, and refine the safety of the device. Every step of this risk management process must be properly documented, much like a quality management system, and the manufacturer must establish acceptable risks for its device that are based upon regulations, standards, and other relevant factors.