The Trials and Tribulations of Modern Medical Devices

The primary standard for Medical electrical equipment, IEC 60601-1, ensures that electrical products across many markets and countries conform to basic safety and effectiveness. The standard is a universal set of safety requirements and while most countries have adopted their own versions, it has essentially the same core material covering various areas of electronics and applications.

But there’s more to designing a medical device than simply following an IEC standard. This paper will explore IEC 60601, its purpose in the past, today, and tomorrow.

A Brief Overview of IEC 60601

IEC standards have been around for over 80 years, with the first standard covering electrotechnical vocabulary (now called Electropedia). The original IEC 60601 standard was published in 1977 by the International Electrotechnical Commission (IEC), back when electronics were beginning to play a major part in medical treatments and instrumentation. A second revision focusing more on patient safety was published on 1988 and it wasn’t until the third edition, just recently published in 2005, that equipment and patient protection became even more rigorous.

While meeting these standards through test and development can help bring a medical device to market, it doesn’t ensure it. Perhaps the most time intensive and costly stage is getting FDA approval (or equivalent outside of US) through clinical trials that provide a demonstration of the device’s overall effectiveness.

Most companies that develop and manufacture medical devices follow a general design control system such as:

• 1.  A business case and user requirements that are driven by market research
• 2.  Design requirements that are meant to address the user requirements
• 3.  A design verification that tests the design and ensures it meets the design requirements
• 4.  A design validation that tests the design and ensures it meets the user requirements
• 5.  A design transfer to manufacturing, and then a launch

For medical devices, though, there are usually special elements that are baked into these stages, including:

• •  Designing electronics that conform to IEC 60601 standards, and then testing these standards during verification and validation
• •  A risk management process that outlines potential hazards and how they are controlled
• •  Conduct a trial and record enough data to build a case to present to the FDA that your product is safe and ready to launch

While the third bullet point focuses more on patient trials and documentation, it’s important that electrical designers understand the first two bullet points as these are what ultimately drives the design process and all of the extra layers of protection. And depending on the class of the device, the protection can be quite extensive.

Medical Devices Classes

There are three classifications for a medical device based on the overall risk associated with use. Class I is lowest, while Class III is highest and requires a pre-market approval (PMA) application before launch. The design intensity with regards to safety is highest for a Class III device and may consist of several layers of redundancy and protection, while Class I requires less precautions and risk management.

Class I medical devices are generally non-invasive medical equipment or accessories, many of which are generally used at home, such as band aids, facemasks, tongue depressors, or a thermometer (though based on its accuracy and whether or not it’s electronic, this device can fall into Class II).

Most Class II medical devices are used for diagnosis or treatments, and have a higher level of risk management or potential harm. Examples of Class II medical devices are glucose monitors, blood pressure cuffs, syringe pumps, or any other minimally-invasive instrumentation.

Class III medical devices have the highest level of risk management. Examples consist of implantables, life-sustaining equipment, and electronics that monitor and convey critical health status and information. Compliance with IEC 60601 is required to bring medical devices to market, but in addition to these standards, extra precautions must occasionally be considered (stemming either from risk management or general design for reliability/safety).

Examples of Medical Device Classes II and III

It’s very rare that a Class I medical device will contain electronics, so let’s skip to Class II and Class III examples. For our Class II example, we’ll look at a thermometer. A misdiagnosis of temperature can be significant, so let’s take a look at some of the common safety and reliability features in a thermometer’s design.

To begin, most thermometers are digital and so contain a screen/display, or at least some way to transmit data remotely. That being the case, it’s safe to assume there’s a microcontroller included in the device.

Figure 1a demonstrates the core inner workings of a typical thermometer, with a few added layers of protection. For the analog to digital conversion, one can either use a microcontroller (MCU)’s internal ADC, or an external ADC. Since external ADCs are able to go higher in resolution (and assuming you’d want at least 16-bit or 24-bit resolution), and MCU internal ADCs are infamous for requiring additional calibration, we’ve included an external ADC with a clean, accurate reference voltage.

One additional thing to consider for this ADC is that it can be influenced by ambient temperature, and so it is best to be physically isolated on the PCB via slots (as shown in Figure 1b) to minimize temperature drift for high sensitivity/accuracy applications. For the analog sensing portion, low pass filtering can help with data smoothing and averaging while ferrites on the thermistor signals can help reject high frequency noise and nearby inductive coupling. Redundant thermistors can be used for systems requiring increased reliability. A reset supervisor can be added to provide an undervoltage lockout (or reset) feature which guarantees that the microcontroller (and its peripherals) are only used when sufficiently powered and stable, thereby protecting against false or inaccurate readings. Finally, the heat transfer portion of a thermometer is critical and may require offsets and additional calibration (after physical assembly) due to thermal loss during transfer of body heat to the thermistor.

Figure 1a                                                                                 Figure 1b

Figure 1. Example of a) Digital Thermometer Design with Added Protection, Safety, and Reliability and b) PCB Layout Strategy to Minimize Thermal Drift of an ADC (U6)

For the Class III example, we’ll look at a pacemaker. Pacemakers have been around for a while -- 60 years to be exact. What started out as a simple, analog-based design back then (Figure 2a) has now transformed into very complex, digital circuit-based design, with advanced signal analysis and generation (Figure 2b). From a safety and reliability standpoint, general analog circuitry has less risk than programmable, digital components due to potential bugs and complex state machines. However, it is worth noting that recent digital designs feature integrated components with high accuracy ADCs for ECG-detection measurements and DACs for pulse generation. This can provide highly effective and adjustable pace-making functions with closed-loop feedback. But like most applications, most of the design reliability comes from the analog portion, such as filtering, well-designed pre-amplifiers, dedicated timers and oscillators, and incorporating PCB layout strategies to minimize noise, coupling, and temperature drift.

Figure 2a                                                                                 Figure 2b

Figure 2. Examples of a) Analog and b) Digital Pacemaker Designs

List of Design Strategies to Maximize Safety and Reliability

Below is a general list of design considerations for added safety and protection for medical devices, or any other device that may require it.

• •  Built in security (common in higher end MCU’s these days) with authentication and dedicated external memory for confidential patient data and logs
• •  Supervisor circuitry and other power management components that help with stable voltage rails and avoid undervoltage, overvoltage, and overcurrent conditions, especially for battery-powered applications
• •  Incorporating resettable fuses to help protect critical circuitry
• •  Incorporating ferrites and ESD suppressors for off-board connections to help protect against high frequency noise and stray transients
• •  Redundancy on critical components
• •  PCB layout strategies that assist with minimizing impact by environmental or local conditions, such as temperature or potential electromagnetic interference
• •  Filtering of sensor connections that are sampled at high data rates to help with data smoothing and averaging
• •  Occasional calibration routines for programmable components that can have gains or offsets change over time
• •  Interlocked systems when using potentially unsafe components such as lasers or motors

Hazard/Risk Matrix

A risk matrix (shown in Figure 3) can be used to help drive a robust, low-risk design, and is generally used to build a strong case for a safe and reliable product during launch. A typical risk matrix lists each reasonable, potential hazard in a system, rates that hazard in terms of impact/severity, probability/occurrence, and based on those values, if that hazard is acceptable.

Even if some hazards are acceptable, there may still be interest in controlling the risk to mitigate harm or occurrence, but the point is to outline each failure point that can lead to harm (to user or the system), and how it will be controlled or managed to an acceptable risk. The outcome of these risk control measures typically leads to design tasks such as extra protection, redundancy, and system recovery. Some tasks may even simply ready “design according to IEC 60601 standard” to address the risk associated with it.

Figure 3. Hazard Traceability Matrix for Risk Management for a Medical Device

Conclusion

Medical devices certainly require more design rigor and planning than a normal product, but can vary quite a bit depending on the classification and application. While IEC 60601 serves as a useful guideline, having a risk management process to track potential hazards and describe how they are controlled can greatly assist in building a case for an acceptable product, while also helping designers to maximize safety and reliability.

References:

Figure 2a Image: Article — “The Evolution of Pacemakers" - by S. Haddad, R. Houben, W. A. Serdijin
Figure 2b Image: Article — “Design of Wavelet-Based ECG Detector for Implantable Cardiac Pacemakers" - by Y. Min, H. K. Kim, Yu-Ri Kang, Gil-Su Kim, J. Park, and S. Kim
Figure 3 Image: Website - https://medicaldevicehq.com/fmea-vs-iso-14971/