Risk Management of Medical Devices Regarding Electromagnetic Disturbances

The risk management requirements of EN/IEC/ANSI/AMIEE 60601-1-2 Edition 3 (2007) and IEC 60601-1-2 Edition 4 (2014) are mostly either ignored or misunderstood by manufacturers, their EMC test labs, and medical regulatory assessors (other than in Germany). This article describes what they are, and a practical method for complying with them to make medical devices, equipment and systems safe enough as regards the consequences of electromagnetic interference (EMI).

First, some necessary background…

As Figure 1 shows, the way we test our medical devices, equipment and systems for EMC can bear little/no relationship with the reality of how they are used.

In any case, it has long been impossible to fully test any microprocessor or the software that runs on it, in any reasonable timescale (say, less than 10 years of 24/7 testing). This means that, where errors, malfunctions or failures in a digital system can result in an unacceptable safety risk, it is impossible by testing alone to prove that it can be safe enough over its intended operational lifecycle (except in very special and very limited circumstances).

This is even more true for EMC testing, because to prove EMI couldn’t cause excessive safety risks we would have to test digital systems by enough (which is impossible) for all reasonably foreseeable:

• Electromagnetic disturbances that could occur over the entire lifecycle;
• Effects of physical and climatic stresses, aging, etc.;
• Degradations/faults in filtering, shielding, surge suppression, and circuits;
• Angles of incidence and polarisation, modulation types/frequencies, transient waveshapes and repetition rates, etc.;
• Combinations of any/all of the above independent variables.

For more detail on the above issues, see [1].

This understanding that microprocessors and software can never be tested sufficiently to prove they are safe enough for the vast majority of safety-related applications gave rise to IEC 61508 [2], the IEC’s basic standard on Functional Safety, first published in 2000, with Edition 2 published in 2010.

The concept of functional safety is concerned with managing the risks that could be caused by any reasonably foreseeable errors, malfunctions or failures in hardware or software.

[2] describes well-proven Techniques and Measures (T&Ms) in system, hardware and software design, verification and validation, and how to use them to ensure that digital equipment and systems could not cause excessive safety risks. Many product-family functional safety standards have been developed, based upon [2], but IEC medical standards based their risk management requirements on ISO 14971 [3] instead.

Although ISO 14971 has the same general, overall functional safety/risk management requirements as IEC 61508, it uses completely different terminology and does not include any of 61508’s well-proven T&Ms, with unfortunate consequences that I will discuss later on.

IEC 60601-1-2 [4] applies to medical electrical equipment and medical electrical systems, which it calls me equipment and me systems respectively, using small capital letters which makes reading it very difficult. So in this article I will just use “medical devices, equipment and systems” to mean the same thing. Please note that “devices” includes all modules, products, etc., and “systems” includes installations too.

OK, that’s enough backgrounding, let’s start digging into the details. (I’m sorry that it’s a rather dry subject, but I’ll do my best to keep you interested!)

EN/IEC/ANSI/AMIEE 60601-1-2, Edition 3

Compliance with any of the three medical directives in the European Union [5] requires complying with the EN version of IEC 60601-1-2 Edition 3:2007 from the 1^st of June 2012, and complying with FDA requirements in the U.S. [6] requires complying with either the IEC or the ANSI/AMIEE versions of [4] from the end of June 2013.

The testing, marking and documentation changes that Ed.3 made with respect to its previous version (Ed.2.1:2004) have been described in articles and conference papers by several other authors, so I am not going to repeat what they said. However, they didn’t tend to write much about the requirement to risk manage the effects of electromagnetic disturbances; the subject of this article.

[4] requires medical devices, equipment or systems to achieve the defined terms “Basic Safety” and “Essential Performance”, despite the effects of electromagnetic disturbances. Note that it is not concerned at all with any other, non-safety-related, EMI effects on functional performance.

The terms Basic Safety and Essential Performance are not specified in [4], so we turn to the definitions used in its base standard – IEC 60601-1 [7]. This defines Basic Safety as the:

“…freedom from unacceptable risk directly caused by physical hazards when me equipment is used under normal condition and single fault condition.”

This definition includes such physical hazards as those caused by excessive touch temperatures, electrical shocks, fire, radiation, sharp edges, etc. EMI cannot generally affect these, other than by interfering with the correct operation of electronics that control them.

Essential Performance (EP) is the new concept that was introduced into IEC 60601-1 at Edition 3 to deal with risk management due to the inability to fully test programmable digital systems. For this new term, [7] borrowed the definitions given in ISO 14971, to define it as the:

“…performance of a clinical function, other than that related to basic safety, where loss or degradation beyond the limits specified by the manufacturer results in an unacceptable risk…”

“…most easily understood by considering whether its absence or degradation would result in an unacceptable risk…”

In turn, “Risk” is defined in [7] (again, borrowing from [3]) as the:

“…combination of probability of occurrence of harm and the severity of that harm…”

[7] goes on to warn that performing a risk analysis, as required, might find that the actual EP for a certain medical device, equipment or system might need to go beyond its definition above. It is worth noting that some of [7]’s “particular standards”, such as IEC/ISO 80601-2-72 for ventilators, can extend its rather woolly, generic definition of EP by including some very specific requirements.

[4] allows us to choose whether to do immunity tests on all of the functions of our medical device, equipment or system; or just on those that provide its EP. Each function associated with EP must be tested in its most critical mode (from a patient outcome perspective).

The most critical mode must be based upon a risk analysis which takes into account equipment build-options, cable layout, and accessories, in a typical configuration consistent with normal use (an example might be Figure 1), including the use of a patient simulator where one is needed to verify normal operation. Of course, each different type of immunity test could have a different “most critical mode”.

Although I said I wasn’t going to go into the details of the testing requirements, it is worth mentioning here – because it is so often overlooked – that any protection or warning functions such as alarms, which help ensure that faults, damage, incorrect use, etc., do not cause excessive safety risks, must be tested to make sure that they do not operate when they should not, and then tested again to make sure that they do operate when they should, which of course requires simulating the conditions they are protecting/warning against.

Because [4] requires electromagnetic disturbances not to prevent the medical device, equipment or system from achieving EP, and because EP is defined in terms of Risk, it is clear that 60601-1-2 Ed.3:2007 requires what is sometimes called the risk management of EMC. But it only actually mentions risk management in its Forward, and again in an Informative Annex, so this important new requirement is very easy to overlook!

The result is that most manufacturers seem to assume that [4] can be complied with by testing alone, like it’s earlier versions could, so they don’t bother to read the standard very carefully (if at all) and assume their EMC test lab will take care of compliance by telling them whether their product passes or fails the tests.

Most test labs don’t seem to bother to read a standard carefully from cover to cover, and many seem to merely turn straight to the tables of test requirements. If any of them did notice the risk management issues relating to EMC, it seems they generally ignored them because they were the manufacturer’s responsibility.

[4] does not include any guidance on how to actually do risk management with regard to electromagnetic disturbances, even in an Informative Annex. This makes it even more likely that its users will not notice its important new risk management requirements. It’s only slight hint is to list the IEC’s basic publication on EMC for functional safety, IEC TS 61000-1-2:2001 at that time [8], in its Bibliography.

Unfortunately, even if a medical manufacturer did take the trouble and managed to obtain a copy of IEC [8], all he would probably learn from it is that what he should do is ask his EMC test laboratory to double the immunity test levels in [4]. This would have been better than nothing, but not risk management.

Long before [4], first published in 2007, came into force in the EU in June 2012 there was a new version of IEC TS 61000-1-2, Edition 2:2008 [9], which I helped to create as the UK’s representative on its IEC team.

Our hypothetical clued-up medical manufacturer might have hoped to get better guidance on the risk management of electromagnetic disturbances from this second edition of the TS, but unfortunately he would have been little better off. This was because part of its progress from the 2001 edition to its 2008 edition had involved rewriting it using the functional safety terminology specific to IEC 61508, as if it was 61508’s missing EMC section, so that it would be listed as a normative reference in Edition 2 of IEC 61508 when it was published in 2010.

IEC 61508’s functional safety terminology and detailed approach does not correspond at all with the medical risk management standard ISO 14971. But if our clued-up manufacturer had been regularly attending IEEE EMC Symposia and reading certain EMC magazines, and had been assiduous in seeking out the information he needed to properly risk-manage electromagnetic disturbances, he would have found that the IET’s 2008 “Guide on EMC for Functional Safety” was available [10].

[10] is a guide to complying with [9] written by the IET Working Group on EMC for functional safety which I had set-up in 1997 and which I still chaired in 2008. Because I could see that problems would arise with 60601-1-2, I made sure that this IET Guide was written in ordinary English engineering language so it could easily be used with any functional safety or risk management standard, including ISO 14971. For more on this, see [11].

Unfortunately, as we discovered in 2010, neither [9] nor [10] provided a practical method of complying – see below!

EN/IEC 60601-1-2, Edition 4

IEC 60601-1-2 Edition 4 [12] was first published in 2014, and its equivalent EN 60601-1-2 Ed.4:2015 is the only acceptable version that may be used for compliance with EU Medical Directives from 31^st December 2018.

The U.S. FDA has accepted a slightly modified version of IEC 60601-1-2 Edition 4 as the only acceptable standard to be used for U.S. compliance on or after 31^st December 2018. (They had originally set this date to the 1^st April 2017, but changed it to align with the EU.)

As before, the testing, marking and documentation changes that Ed.4:2014 made with respect to its previous version (Ed.3:2007) have been described in articles and conference papers by several other authors, so I am not going to repeat what they said.

However, also as before and despite a great deal of text on the subject in Edition 4, almost without exception these authors have managed to ignore or misunderstand its requirements concerning the risk management of electromagnetic disturbances, the subject of this article. (Of course, I do not include my own articles and conference papers in this terribly harsh judgement!)

Just like Ed.3, Ed.4 is entirely and only about “EMC for Safety”, but it does describe how to risk manage electromagnetic disturbances, using text based upon the IET’s 2008 Guide.

Also, just like Ed.3, Ed.4 requires Basic Safety and EP to be maintained both during and after its specified immunity tests.

Ed.4 makes it clear that this is the case even if Basic Safety and EP are achieved at the expense of functional performance, for example if the medical device, equipment or system stops working – even if it has to be repaired by its manufacturer – as long as it remains safe enough.

Like Ed.3, Ed.4 ignores anything and everything to do with functional performance that has no impact on safety. However, now at least we can apply IEC TR 60601-4-2 Ed.1:2016 [13] to cover such EMC issues. [13] has been carefully written to use mostly the same test methods as [12], so that the two sets of tests can be done at the same time, saving testing time and cost.

The immunity tests are done in the configurations that are most likely to result in unacceptable safety risk, as determined by the manufacturer’s risk analysis, experience, engineering analysis, or pretesting. The cables used in the tests must be the specified types, and replicate the real installation and use conditions as much as possible. It is worth mentioning here that, following some avoidable deaths due to EMI, the term “cables” has been extended to include tubes intentionally filled with conductive liquids, such as blood.

It used to be assumed that portable/mobile radio transmitters would be kept more than a specific distance away from any/all medical devices, equipment or systems to prevent EMI. However, in recent years there has been a widespread recognition that the nearby use of mobile and portable radio transmitters is necessary for the provision of effective (and cost-effective) healthcare.

This is obviously an especially important issue for a medical EMC standard, and as a direct result Ed.4 includes a new “proximity field from wireless communications” test based on 300mm (about 12 inches) distance between the medical device, equipment or system and a mobile or portable radio transmitter.

Clearly, mobile or portable radio transmitters can get a lot closer than 300mm in real life, and can even be placed right up against or on top of a medical device or equipment, so equally clearly this should be taken fully into account in any risk analysis that attempts to cover reasonably foreseeable real-life possibilities.

There is a great deal of guidance on risk managing electromagnetic disturbances in informative Annex F of IEC 60601-1-2 Ed.4:2014. This is strongly based on the IET’s 2008 Guide, which is itself listed as a reference for more detailed advice on how to comply.

The manufacturer documents what he has done about risk managing the EMC of his equipment/system over its “Expected Service Life” (ESL) in a “Risk Management File”, which will also detail the risk management activities that have been undertaken for compliance with IEC 60601-1 Ed.3:2005 and any other 60601-x standards that apply.

Compliance depends on the assessment of this file by the relevant safety assessor, such as an EU Notified Body [14], the FDA, etc., and not merely on EMC test results. It is important to understand that, just as for Ed.3:2007, a manufacturer’s risk management activities cannot be performed by an EMC test laboratory.

An EMC test lab can check that something has been written for each of the risk management requirements in the standard, but it cannot actually perform the risk management on behalf of the manufacturer.

Like Ed.3:2007, Ed.4:2014 includes EMC tests that address the commonplace electromagnetic disturbances that can be expected to afflict typical medical devices, equipment and systems. However, the risk management must consider all of the reasonably foreseeable EM disturbances in all of in the intended use locations over the ESL, and the results taken into account in the design, and in its verification and validation by using at least one of a variety of appropriate methods such as expert design review, testing, etc.

Compliance with Ed.4 requires maintaining Basic Safety and EP throughout the ESL in the intended use locations’ EM environments, which means that all aging and wear issues that could affect EMC must be taken into account in the risk assessment, and must also be taken into account in the EMC design and its verification/validation. For this reason, I recommend simulating the worst case environmental conditions over the life on examples of the medical equipment (e.g., using highly accelerated lifecycle simulation methods) and then redoing all of the EMC tests on the artificially aged units

Ed.4:2014’s Informative Annex F gives additional guidance on the risk management of electromagnetic disturbances, referring to IEC 61000-1-2 Ed.2:2008 and the IET’s 2008 Guide. For example, it recommends that the risk management also takes into account the effects on emissions/immunity of reasonably foreseeable:

1. Faults;
2. EM disturbances, including the actual modulation frequencies that can occur in the use environment(s);
3. Physical and climatic phenomena;
4. Use and misuse;
5. And reasonably foreseeable simultaneous combinations of any/all of the above.

However, as I said earlier, we discovered in 2010 that neither IEC TS 61000-1-2 Ed.2:2008, nor the IET’s 2008 Guide provided a practical method of complying, so now it is time to describe the solution which the IET’s Working Group developed between 2010 and 2013.

Finally – A Practical Way To Comply

This final section introduces the first and so far the only practical method of complying with the requirements for risk managing electromagnetic disturbances according to the requirements of IEC 60601-1-2 Ed.3 2007 or its Ed.4:2014.

The approach adopted for risk-managing electromagnetic disturbances by IEC TS 61000-1-2 Ed.2:2008, the IETs 2008 Guide on it, and IEC 60601-1-2 Ed.4:2014 was based upon:

1. Specifying the likely electromagnetic environment(s) over the whole of the ESL, and
2. Designing, verifying and validating the device, equipment or system to ensure that it would be safe enough despite the very worst electromagnetic disturbances that could foreseeably occur; and
3. Taking into account foreseeable wear, aging, corrosion, misuse, failures, etc., etc.

However, by 2010 it was becoming abundantly clear that the industry experience of trying to apply [9] [10] or [12] was that:

1. There were too few EMC engineers willing to even try;
2. There were too few medical regulatory assessment bodies able to do any more than check whether EMC test reports were marked as pass or fail; and
3. There was no interest, in both academia and industry, in developing the necessary competencies.

As a result, in 2010 the IET’s Working Group on EMC for Functional Safety started developing alternative guidance that would be practical, and would not expect anyone to learn much more than they already knew. This new, practical guidance was published in August 2013 [15].

Unfortunately, although this new guidance was included in IEC 61000-1-2:2016 [16] (in its Annex B), it appeared too late for inclusion in 60601-1-2 Ed.4:2014, although it has been proposed for inclusion in Amendment 1 to IEC 60601-1-2 Ed.4:2014 which is due to be published in 2019.

The IET’s new practical guidance says either use the rugged, high-specification electromagnetic mitigation (i.e., shielding, filtering, surge/transient suppression, etc.) which we are familiar with from military projects (see Figure 2), or else use 61508-type T&Ms that provide sufficient “EMI Resilience.”

What is this new thing: EMI Resilience?

The IET’s Working Group determined which IEC 61508 T&Ms had benefits for protecting against the effects of electromagnetic disturbances, developed, updated and added to them, to achieve the following:

• EM mitigation plus appropriate design ensure that devices, equipment and systems are mostly unaffected by most electromagnetic disturbances over the ESL (in other words, most electromagnetic disturbances will not cause EMI during the lifecycle);
• Any EMI that occurs is reliably-enough detected by appropriate T&Ms, whether it is caused by unforeseen levels of electromagnetic disturbances; multiple simultaneous electromagnetic disturbances; wear; aging; corrosion; faults; misuse, etc., combinations of any/all of these, or anything else; and
• When EMI is detected, other T&Ms ensure that appropriate actions are taken to maintain safety risks at acceptable levels – for example by switching the system into a “safe state”; or by correcting for the effects of the EMI and continuing to operate as usual.

The result of all of the above bullets was dubbed “EMI Resilience” by the authors of the IET’s 2013 Guidance (see Figure 3).

61508 industry functional safety designers and assessors are very experienced in the use of suitable T&Ms in design, verification and validation to make systems, hardware and software more resilient to the effects of errors, malfunctions, faults, etc. [15] details which of these T&Ms are good for EMI Resilience, and how to modify them to make them more effective for EMI. This will not require them to learn very much more. Some brief examples of good T&Ms for EMI Resilience are:

• EMI Resilience T&Ms for system design:
  • Separating safety and non-safety functions in both hardware and software
  • Specification of system requirements and design approaches, including for e.g.,
    • redundancy and diversity
    • error detection and error correction
    • static and dynamic self-testing
  • Careful integration of subsystems, power supplies and communication links
  • Fault monitoring and recording (to help identify causes of malfunctions and improve future designs)
• EMI Resilience T&Ms for redundancy and diversity:
  • Multiple sensors sense the same parameters
  • Multiple copies of data are stored
  • Multiple communications carry the same data
  • Multiple processors process the same data
  • In each of the above cases, comparison (error detection) or voting, for example choosing any two that agree out of three (error correction) is used
  • All the above can use a wide range of diverse technologies/techniques to improve their effectiveness against the common-cause failures typically caused by EMI
• EMI Resilience T&Ms in error detection and correction:
  • Error detection coding (EDC) means knowing if data is corrupt, and is achieved by adding redundant data designed to make errors detectable
  • Error correction coding (ECC) means adding enough redundant data that data corruption is not only detected, but also restored to sufficient accuracy
• EMI Resilience T&Ms for static and dynamic self-testing:
  • Static testing checks the safety functions’ hardware and software before operation, preventing operation if necessary for safety
  • Dynamic testing checks the correct operation of the safety functions during operation, with critical aspects of data processing being checked as often as once per second, or less, if necessary

A number of T&Ms which are good for EMI Resilience will probably have been designed-in anyway for non-EMI reasons, and some of them may be modified to improve their EMI resilience (e.g., by using technological diversity).

Additional T&Ms might need to be added to achieve sufficient EMI Resilience overall.

In a system, some items of equipment may use “good T&Ms for EMI Resilience” while others might use the “rugged, high-specification electromagnetic mitigation” approach (e.g. Figure 2).

It is possible to rely solely on 61508-type T&Ms to create systems that are functionally safe despite any/all electromagnetic disturbances, faults, misuse, aging, etc., over the ESL, by switching them to a safe state whenever EMI is detected, and this has been done on at least one occasion.

The problem with this approach is that because they are frequently being switched to a safe state they can suffer too much downtime, potentially resulting in unacceptably low levels of functional availability.
Such unreliably-operating systems can be expected to be modified by users or owners to improve availability (usually by ripping out or otherwise disabling the protection measures). Any subsequent dangerous failures would be the manufacturer’s fault, because such misuse is reasonably foreseeable.

Adequate availability simply needs compliance with the normal EMC emissions/immunity test standards, both for the application and its EM environment(s). The EMC industry has great experience with doing exactly this, and the only new thing required for EMI Resilience is that this compliance should be maintained throughout the whole lifecycle, and not simply achieved when the device, equipment or system is brand-new. This will not require EMC experts to learn much more.

Using the IET’s 2013 guidance for medical devices, equipment and systems

The IET’s 2013 guidance is simply a selection of techniques and measures for designing, verifying and validating the EMI Resilience of systems, hardware and software. In itself, it provides no guidance regarding how to choose which T&Ms to apply, but its abbreviated version published in Annex B of IEC 61000-1-2:2016 does provide guidance on selecting T&Ms.

So, Annex B of [16] can be used to comply with the requirements to risk manage electromagnetic disturbances for medical devices, equipment and systems that are in IEC 60601-1-2 Ed.3:2007 and Ed.4:2014 ([4] and [12] respectively), with [15] providing additional details if required.

In early 2017, the IET’s Standards department will publish a Code of Practice on EMI Resilience [17]. This will be a paid-for publication which updates and improves on the T&Ms in [15], and which also includes complete guidance on choosing which T&Ms to apply depending on the acceptable level of safety risk. However, when it is published, all the IET’s free guidance (including [10] and [15]) will be removed from its website.

During late 2017 or early 2018 the IEEE Standards Association is planning to publish a new standard entitled “Techniques and Measures to Manage Risks with Regard to Electromagnetic Disturbances,” which will also be based upon the original 2013 IET guidance.

There are, however, a couple of difficulties standing in the way of applying this practical guidance on risk-managing electromagnetic disturbances, to medical devices, equipment and systems.

The first difficulty is that IEC 61000-1-2:2016, the IET’s 2013 guidance, and the forthcoming IET Code of Practice are all written using IEC 61508’s terminology – the worldwide language of functional safety engineering used by every industry except the medical industry. I don’t believe it will be necessary to translate all the IEC 61508 language in [16], [15] or [17] into ISO 14971-speak; mostly it is just a question of translating IEC 61508’s four SILs into the risk-graph approach used by ISO 14971.

Figures 4 and 5 are examples of (parts of) what the result might look like.

Note: In Figures 4 and 5, M means mandatory, HR means highly recommended, and R means recommended.

A technique or measure labelled as HR should always be applied unless the manufacturer provides an acceptable technically-detailed argument for why it was not – for example arguing that it is not applicable in this case, or that a different technique or measure was effective in creating the same risk-reduction.

The second and perhaps larger difficulty, is that most of the regulatory medical assessors worldwide do not appear to be at all familiar with the “well-proven T&Ms” approach used by IEC 61508 (and by the many functional safety standards based upon it). So they will probably not be comfortable when manufacturers try to apply this approach in the context of ISO 14971 compliance. If the medical industry had developed its own product-family risk-management standard based on IEC 61508 – like every other industry has had to – this difficulty would not exist.

(I have been told that IEC rules specifically do not allow the committee that writes a standard to tell those who will be required to assess/enforce it, anything at all about it. The assessors/enforcers have to purchase the standard, read it, and understand it, all on their own with no help from the committee that wrote it. Ed.3:2007 has proved that this approach doesn’t work.)

Most, if not all of the big safety assessment companies (UL, SGS, Intertek, the various TUVs, etc.) have departments dedicated to IEC 61508-type functional safety assessments, so one solution might be for regulatory medical assessors to sub-contract these functional safety T&M experts to assess the electromagnetic disturbance aspects of a Medical Risk Management File that was based on the IET’s practical approach first published in 2013.

Now, let’s get into even more detail: list all the normative risk management requirements in IEC 60601-1-2 Ed.4:2014 and see how they can be satisfied by EMI Resilience from [15] or [17].

• Clause 4.1: The overall requirement to apply ISO 14971-style risk management to electromagnetic disturbances.
• Clause 8.1: Assess the electromagnetic environment (EME) over the ESL, and apply other immunity tests if found to be necessary.
• Clause 8.9: Base the risk management and immunity testing on the predicted EME and on the use of electromagnetic mitigation, plus assess the reliability of the electromagnetic mitigation used.
• Clause 8.9, Table 4 (Enclosure port): Risk-assess whether to use different modulations in radiated immunity tests.
• Clause 8.9 Tables 5 (Power port); 6 (DC port); 7 (Patient port); and 8 (SIP/SOPs): Risk-assess whether to use different modulations in the conducted immunity tests.
• Clause 8.10: Assess new/other wireless communications services, plus the likelihood of close proximity of mobile transmitting devices, expanding the proximity field radiated immunity tests as appropriate.

Clauses 8.1, 8.9, and 8.10 assess the future electromagnetic environment(s), so that the immunity test methods and their levels are relevant. They also assess whether the medical device, equipment or system has any special electromagnetic susceptibilities, so that immunity tests can use the relevant modulations.

Clause 8.9’s risk management requirements also try to foresee the degradations in electromagnetic performance over the ESL, from faults, aging, wear, corrosion, etc. so that the risks that electromagnetic disturbances might cause EMI that causes a safety hazard can be kept low-enough by suitable design, testing and maintenance.

Unfortunately, we can’t perform these activities accurately-enough to ensure low-enough risks over the entire ESL, but the IETs EMI Resilience approach effectively says that we can comply with these requirements by:

• Assessing the existing and future electromagnetic environment, including the close proximity of mobile transmitters, etc., as best as we can;
• Then test accordingly to ensure no electromagnetic disturbances cause EMI in the medical device, equipment or system most of the time throughout its ESL;
• Plus, use hardware, software and system T&Ms to detect any/all occurrence of EMI in the medical device, equipment or system, whatever its cause; and
• Use hardware, software and system T&Ms that – in the event that EMI is detected – take appropriate actions to ensure that safety risks remain low-enough, thereby complying with the overall risk management requirement in Clause 4.1.

Appropriate actions include, for example:

• Switching the medical device, equipment or system into one of its safe states; or,
• Correcting the effects of the EMI (e.g., by error-correction T&Ms) so that its operation can continue safely-enough.

It is worth noting that all of these normative risk-management requirements can be satisfied by using the rugged high-specification electromagnetic mitigation approach. EM Resilience therefore tends to be most appropriate when this method is unsuitable, usually for reasons of cost, size, and/or weight, but sometimes just because of the difficult aesthetics of what is essentially just a big grey box.

The remaining normative risk-management requirements (in Clauses 4.2, 4.3.1, 8.5, 8.7, and Table 3 of Ed.4:2014) are just plain risk assessment issues, having nothing to do with electromagnetic disturbances as such, so the EMI Resilience approach does not affect them at all.

Conclusion

If you made it this far, well done! And if you understood everything above, you genuinely deserve a medal! (If you didn’t understand it all, treat it like a test standard: read it again and again until it makes some kind of sense.)

Like I said, it’s a very dry subject but I’m sure you will agree that the risk management of medical devices as regards EM disturbances is important and necessary. [15], Annex B of [16], and [17] will provide you with the necessary technical tools until Amendment 1 to IEC 60601-1-2 Ed.4:2014 is published.

References

1. “Why Do We Need an IEEE EMC Standard on Managing Risks?”, Keith Armstrong, 2016 IEEE Electromagnetic Compatibility Magazine – Volume 5 – Quarter 1, pages 80-84, http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7477140.
2. “Functional Safety of Electrical/Electronic/programmable Electronics Safety-Related Systems”, IEC 61508 Parts 1-7, Edition 1:2000, https://webstore.iec.ch.
3. “Medical devices — Application of risk management to medical devices”, ISO 14971 Edition 1:2000, www.iso.org/iso/home/store.htm.
4. “Medical electrical equipment – Part 1-2: General requirements for basic safety and essential performance – Collateral standard: Electromagnetic compatibility – Requirements and tests”, IEC 60601-1-2 Edition 3:2007, https://webstore.iec.ch.
5. List of standards notified under the Medical Devices Directive 93/42/EC: https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices/index_en.htm.
6. The U.S. FDA: The U.S. Food and Drug Administration, www.fda.gov.
7. “Medical Electronic Equipment – Part 1: General requirements for basic safety and essential performance”, IEC 60601-1 Edition 3:2005, https://webstore.iec.ch.
8. “Electromagnetic Compatibility (EMC) – Part 1-2: General – Methodology for the achievement of the functional safety of electrical and electronic equipment with regard to electromagnetic phenomena”, IEC TS 61000-1-2 Edition 1:2001, https://webstore.iec.ch.
9. “Electromagnetic compatibility (EMC) – Part 1-2: General – Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena”, IEC TS 61000-1-2 Edition 2:2008, https://webstore.iec.ch.
10. “IET 2008 Guide on EMC for Functional Safety”, the IET, 2008, free (for now!) from: www.theiet.org/factfiles/emc/emc-factfile.cfm.
11. “Why few (if any) medical devices comply with their EMC standard, and what can be done about it”, Keith Armstrong, 2014 IEEE International EMC Symposium, Raleigh, NC, Aug 3-8, 2014, ISBN (CD-ROM): 978-1-4799-5543-5, available from www.ieeexplore.ieee.org.
12. “Medical electrical equipment – Part 1-2: General requirements for basic safety and essential performance – Collateral standard: Electromagnetic disturbances – Requirements and tests”, IEC 60601-1-2 Edition 4:2014, https://webstore.iec.ch.
13. “Medical electrical equipment – Part 4-2: Guidance and interpretation – Electromagnetic immunity: performance of medical electrical equipment and medical electrical systems”, IEC TR 60601-4-2 Edition 1:2016, https://webstore.iec.ch.
14. European Union Medical Device Directive Notified Bodies. A list is available from http://ec.europa.eu/growth/tools-databases/nando/index.cfm?fuseaction=directive.main.
15. “Overview of techniques and measures related to EMC for Functional Safety”, The IET, London UK, August 2013, free (for now!) from: www.theiet.org/factfiles/emc/emc-overview.cfm.
16. “Electromagnetic Compatibility (EMC) – Part 1-2: General – Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena”, IEC 61000-1-2 Edition 1:2016, https://webstore.iec.ch.
17. “Code of Practice for Electromagnetic Resilience, supporting the functional safety of safety-related systems”, The IET, London, UK, to be published in early 2017, www.theiet.org.

Keith Armstrong is the founder and principal of Cherry Clough Consultants, a UK-based engineering firm that utilizes field-tested EMC engineering principles and practices to help companies achieve compliance for their products and reduce their potential risk. He is a fellow of the IET and a Senior Member of the IEEE, and holds an Honours Degree in Electrical Engineering from the Imperial College, London (UK). Armstrong can be reached at keith.armstrong@cherryclough.com.