
Developing Safe Medical Devices Means Following These Principles

By Milton Yarberry

“What happens if ___ fails?”

As technology-powered medical devices gain widespread acceptance in clinical practice and device complexity and capability expands, device safety becomes more critical than ever. So too does the need to evolve these devices to ensure they become safer for a more diverse and less technically sophisticated range of users, including patients themselves.

Toward that end, the FDA and other regulatory bodies today have elevated safety expectations of medical device manufacturers through guidance, initiatives, and standards, such as IEC 14971 (risk management) and the recent recognition of IEC 62366 (human factors and user experience). As a result, safety systems in medical devices are moving from traditional piecemeal solutions to coherently conceived, self-reinforcing, multi-tiered systems.

Within these systems, there are a number of safety principles device makers should follow. These principles tend to be application agnostic and are implemented in hardware and software. Each should be carefully evaluated when designing a new medical device. 

Safety Principles

Here are six common safety principles, along with descriptions of how they might be applied.

1. Isolate Critical Functions

A critical function is typically whatever is closely tied to the therapy. For example, in an IV pump the critical function would be the delivery of a life-sustaining infusate. Challenges to making critical functions safe are isolating them in a (technology) box and applying appropriate care.

Applying the principle

Take critical functions that can cause harm and put them on a dedicated processor or processing core so they’re not affected by software failures in the rest of the system. Maintain minimal communication to critical functions and make them operationally independent. Isolation can also apply to poorly behaved functions, which usually involve real-time management of hardware (e.g., Wi-Fi, Ethernet, touchscreens). 

Hardware drivers can cause unpredictable gaps in processor operation that are undesirable when combined with critical, time-dependent functions. Isolating them on a single processor allows the rest of the system to operate seamlessly.

Relevant technology

Embedded computers typically packaged as a system on module (SoM) are about 4 in². They can contain two processing elements (cores) and an array of features for less than $50. They deliver PC-level power to medical devices through multi-touch screens, smooth and responsive graphics, advanced media and fast communications. Processors also bundle large/fast cores with small/simple processors to provide multiple tiers of capabilities.

2. Double-Check Inputs

If reliant on sensors to ensure patient safety, double down on reliability.

Applying the principle

Essential input sensors (heart rate, EEG, fluid flow) can require complex signal processing for precision measurement. A second processor can cross-compute a sanity check against the first measurement and catch misreadings due to algorithmic boundary conditions. Sensors that measure data in a different way can provide more robust measurement. Extreme cases call for completely redundant sensors, processors, and algorithms to compare with the primary measurement.

Relevant technology

Communication options include solutions with addressable serial inputs (CAN bus), a strategy that overcomes limits on the number of inputs on hardware. Advanced communications allow a high number of sensors with few physical inputs on the SoM.
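The cross-check described under "Applying the principle", as an added example that is not from the article: two independently derived IV-pump flow estimates (one from the motor's step count, one computed by a second core from a drop-counting sensor) are compared on every sample. The tolerance band, the debounce limit and the choice to trust the lower estimate during a transient disagreement are all constructed assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Cross-check of two independently derived IV-pump flow estimates.
 * Added example, not from the article. Both inputs are constructed:
 *   primary   - flow computed from the pump motor's step count
 *   secondary - flow computed by a second core from a drop-counting sensor
 * The two can disagree briefly at algorithmic boundary conditions (a drop
 * straddling a sample window), so a single mismatch is tolerated; only
 * MAX_CONSECUTIVE_MISMATCH mismatches in a row latch a fault. */

#define TOLERANCE_ML_PER_H       5.0   /* constructed acceptance band */
#define MAX_CONSECUTIVE_MISMATCH 3     /* constructed debounce limit */

struct crosscheck {
    int  mismatches;   /* consecutive disagreeing samples */
    bool faulted;      /* latched once the limit is reached */
};

/* Returns the flow value to act on, or -1.0 once the fault is latched.
 * While a transient disagreement persists, the lower of the two estimates
 * is used: under-delivery is the safer error for an infusion pump. */
double crosscheck_sample(struct crosscheck *cc, double primary, double secondary)
{
    if (cc->faulted)
        return -1.0;

    double diff = primary - secondary;
    if (diff < 0)
        diff = -diff;

    if (diff > TOLERANCE_ML_PER_H) {
        if (++cc->mismatches >= MAX_CONSECUTIVE_MISMATCH) {
            cc->faulted = true;
            /* Don't fail silently: this would also drive the device's alarm. */
            printf("ALARM: flow estimates disagree (%.1f vs %.1f mL/h)\n",
                   primary, secondary);
            return -1.0;
        }
        return primary < secondary ? primary : secondary;
    }

    cc->mismatches = 0;   /* agreement clears the debounce counter */
    return primary;
}
```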

3. Monitor Outputs

Outputs (motors, transducers) that apply therapy can cause patient harm, even if that harm is delayed therapy.

Applying the principle

When therapy is applied to a patient by a transducer, an external processor can monitor the transducer's modulation or output. Primum non nocere, akin to the physician’s Hippocratic Oath, “First, do no harm,” also applies to machines.

Relevant technology

Inexpensive sensors and sophisticated transducers, combined with multi-core SoMs that offer different tiers of cores for support functions, make this external monitoring practical.

4. Monitor Everything

Only the paranoid survive, so be sure to monitor all processors with another processor. Every processor has a virtual heartbeat that is continually checked, with contingencies readily available.

Applying the principle

Every processor that can cause a negative outcome should be monitored externally to ensure the processor hasn’t crashed or locked up. This strategy hedges against growing system complexity as designers stack technologies on other technologies.

Relevant technology

Communication channels and multi-core SoMs with different tiers of cores for support functions allow complete sub-systems that do nothing but ensure everything is running normally.

5. Fail Safely

If a component in a medical device fails in a non-recoverable way (motor, sensor burning out), the system should revert to a preferred (safe) state.

Applying the principle

Design failure mode effects analysis (dFMEA) uncovers the consequences of individual component failures. Where preventing failure is impractical, failing in a known state that balances the safety considerations is a good approach. The number of possible failures creates a combinatorial number of symptoms to handle. A monolithic response to most failures is a good solution to the combinatorial problem.

Have one to three modes that the system falls back to when a failure is detected. However, running to a safe state at the first sign of trouble might create its own risk, and sometimes insufficient therapy is better than no therapy.

Relevant technology

Low-cost, high-power computing platforms benefit this principle to some degree, but failing safely isn’t strongly reliant on a particular technology.
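Principles 4 and 5 together, as an added example that is not from the article: a dedicated supervisor core tracks a heartbeat from every other core and, when one goes quiet, drops the system to one of a small fixed set of fallback modes. The core names ("delivery", "ui", "comms"), their timeouts and the mode each failure maps to are constructed assumptions; in a real design those come out of the dFMEA.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Heartbeat supervisor for a multi-core medical device (added example, not
 * from the article). A dedicated supervisor core calls supervisor_tick() on a
 * fixed period; every monitored core calls heartbeat() from its main loop.
 * Core names, timeouts and fallback modes are constructed; in a real design
 * they fall out of the dFMEA. */

#define NUM_PROCS 3

/* Small fixed set of fallback modes; a larger value is the more conservative state. */
enum mode { MODE_NORMAL = 0, MODE_REDUCED_THERAPY = 1, MODE_SAFE_STOP = 2 };

struct proc_state {
    const char *name;
    uint32_t    last_beat_ms;  /* time of most recent heartbeat */
    uint32_t    timeout_ms;    /* longest silence tolerated */
    enum mode   on_failure;    /* mode the system drops to if this core dies */
    bool        failed;        /* latched: cleared only by an explicit reset */
};

static struct proc_state procs[NUM_PROCS] = {
    { "delivery", 0,  200, MODE_SAFE_STOP,       false },  /* infusate delivery */
    { "ui",       0, 1000, MODE_REDUCED_THERAPY, false },  /* touchscreen, graphics */
    { "comms",    0, 5000, MODE_NORMAL,          false },  /* Wi-Fi; alarm only */
};

void heartbeat(int idx, uint32_t now_ms) { procs[idx].last_beat_ms = now_ms; }

/* Returns the most conservative mode demanded by any failed core. A failure
 * stays latched even if the core resumes beating: a core that silently
 * rebooted must not resume therapy until a clinician acknowledges the alarm. */
enum mode supervisor_tick(uint32_t now_ms)
{
    enum mode worst = MODE_NORMAL;
    for (int i = 0; i < NUM_PROCS; i++) {
        /* unsigned subtraction stays correct when the millisecond clock wraps */
        if (!procs[i].failed && now_ms - procs[i].last_beat_ms > procs[i].timeout_ms) {
            procs[i].failed = true;
            printf("ALARM: %s core missed its heartbeat\n", procs[i].name);
        }
        if (procs[i].failed && procs[i].on_failure > worst)
            worst = procs[i].on_failure;
    }
    return worst;
}
```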

6. Don’t Fail Silently

When things fail, complain loudly.

Applying the principle

Clinicians must be able to respond to failures quickly. A second or third notification for users could include audible or visual notifications, such as buzzers or flashing lights, or wireless notifications, such as text messages or email. However, these should be used as backups, not primary interaction methods.

Relevant technology

Redundant, inexpensive speakers, LEDs, and displays are the primary drivers. Inexpensive Wi-Fi and mobile devices in the clinical space can provide backups.

Looking Ahead

The Moore’s-Law-esque advance of technology (microprocessors doubling in power every 18 months for the same cost) has provided designers and developers with myriad high-powered tools, from multi-core processors and novel transducers to redundant electronics and abundant communication connections. 

In this environment, it’s inevitable that users’ expectations will climb as technology grows more complex and capable. In turn, safety solutions will — must — evolve to become more comprehensive.