When the 3rd edition of IEC 60601-1 was published, it marked the beginning of a new era. The standard now incorporates the concept and application of risk management in the design and production of devices. Implementation of risk management has implications for not only the end-product manufacturer, but component providers as well, and further cascades through the entire supply chain. All parties now face a series of choices and opportunities in determining how best to ensure, for the entire lifetime of a device, that basic safety and essential performance are preserved. This article explores some of those choices and their consequences.

1. Choices – IEC 60601-1 3rd Edition
and Component Selection

2. Choices – IEC 60601-1 3rd Edition and Component Selection
Choices – IEC 60601-1
3rd Edition and Component Selection
Abstract — When the 3rd edition of IEC 60601-1 was published, it marked the
beginning of a new era. The standard now incorporates the concept and application
of risk management in the design and production of devices. Implementation of
risk management has implications for not only the end-product manufacturer, but
component providers as well, and further cascades through the entire supply chain.
All parties now face a series of choices and opportunities in determining how best to
ensure, for the entire lifetime of a device, that basic safety and essential performance
are preserved. This article explores some of those choices and their consequences.
Background And in 21 CFR 820.30(g) - Design Validation:
The publication of the 3rd Edition “ … shall include software validation
of IEC 60601 sparked debate and and risk analysis (emphasis added) ... ”
discussion about the need to perform
In practice, some manufacturers have
a risk management assessment of
relied on third-party certification to
component power supplies that will be
ensure adequacy of design of supplied
used in medical electrical equipment.
components. With certain qualifiers,
In reality, this is not a new concern.
the FDA has acknowledged this approach.
Many regulators have long required
According to the preamble to the 1996
manufacturers to incorporate risk
quality systems regulation
management in the design and
(comment No. 103):
production of medical devices.
For example, the U.S. Food and Drug “… [FDA] cautions manufacturers against
Administration’s (FDA) quality system relying solely on certification by third
regulation (QSR) requires manufacturers parties as evidence that suppliers have
to, (as noted in 21 CFR 820.30(c) - the capability to provide quality products
Design Inputs) or services ... third party certification
“ … ensure that the design requirements should not be relied on exclusively
relating to a device are appropriate in initially evaluating a supplier. If a
and address the intended use of the device manufacturer has established
device, including the needs of the user confidence in the supplier's ability to
and patient … ” provide acceptable products or services,
page 2

3. Choices – IEC 60601-1 3rd Edition and Component Selection
certification with test data may in both normal and fault conditions. “…The MANUFACTURER of ME SYSTEMS
be acceptable.” This documentation shall be maintained in should make this determination on a
the risk management file.” system level. The MANUFACTURER should
The national and international standards
assess RISKS resulting from the fact that
used to certify these components have Therefore, if a manufacturer’s risk
individual system components have
also provided a solid foundation to ensure management process has identified
been integrated into one system. This
the safety of medical devices. a certain feature as critical to basic
assessment should include all aspects of
safety or essential performance, it is the
Going Forward manufacturer’s responsibility to ensure
the information exchanged between the
To ensure the safety and effectiveness system components…” (emphasis added)
that the feature is preserved through the
of the finished device after the design expected service life of a device. This latter statement makes it clear
phase, the finished device manufacturers that the risk assessment needs to
must control all contractors. In the past, In the past, if a feature was dependent
consider the intended function of a
end-product manufacturers have, to on a particular construction within an
device and how it may relate to a
some degree, relied on the certifications outsourced component, the end-product
device’s essential performance.
of off-the-shelf components to ensure manufacturer relied on compliance
of the component with national and The rationale continues:
safety. Because of the reliance on
certifications, original equipment international standards and their “…Even when these components are
manufacturers (OEM) may not have had certifications. Theoretically, if component non-me electrical components, the
detailed knowledge of design features manufacturers had risk management potential RISK related to the integration
at the component level. However, to processes in place, and if it were possible of these components into the ME
truly manage the risks involved in the for them to know the intended use and SYSTEM need to be considered. Further
application of a component within essential performance of the ultimate requirements for the integration of
an overall system additional analysis, end product, this approach could non-medical equipment into a ME SYSTEM
and knowledge of design details and continue. However, many component are described in clause 16. It gives the
construction features of the component, manufacturers are not familiar with requirements for an ME SYSTEM and how
may be needed. these risk management requirements RISKS associated with non-ME EQUIPMENT
and may never take the initiative to learn are addressed…”
According to clause 4.2 of ISO 14971
them. It is then an OEM’s responsibility
(Application of Risk Management to From 16.1 of IEC 60601-1:2005:
to follow through and ensure appropriate
Medical Devices): “…An ME SYSTEM shall provide:
risk-management measures are taken.
“ ... The manufacturer shall identify To see what this actually means, it is • within the PATIENT ENVIRONMENT,
and document those qualitative and necessary to dig deeper. the level of safety equivalent to ME
quantitative characteristics that could From the rationale to Sub clause 4.2 EQUIPMENT complying with this
affect the safety of the medical device and, of IEC 60601-1:2005: standard; and
where appropriate, their defined limits. • outside the PATIENT ENVIRONMENT,
“…The MANUFACTURER is responsible
This documentation shall be maintained the level of safety equivalent
for ensuring that the design and
in the risk management file.” to equipment complying with
construction of the ME EQUIPMENT
And according to clause 4.3 of ISO 14971: their respective IEC or ISO
renders it suitable for its INTENDED
“The manufacturer shall compile safety standards…”
PURPOSE and that any RISKS that are
documentation on known and foreseeable associated with its use are acceptable Additional details apply, but the net
hazards associated with the medical device when weighed against the benefits….” effect is that a manufacturer must pay
page 3

4. Choices – IEC 60601-1 3rd Edition and Component Selection
close attention to where and under what process, OEMs may also require With respect to challenges, the single
conditions a given component is to be some level of supplier control over a biggest hurdle may be implementation
employed. In some cases, compliance component to preserve basic safety and of an ISO 14971 process, or at the least,
with an applicable component safety essential performance. This may involve putting processes and procedures in place
standard alone may be sufficient. second-party audits by an OEM, which that support the information needs and
In other cases, a manufacturer must may also need to understand how a actions of an end-product manufacturer’s
identify associated hazards and estimate component manufacturer’s suppliers ISO 14971 process. Since many component
and evaluate the risks they carry. are controlled. The certification agency manufacturers have quality management
A manufacturer must take action to evaluating a finished device may also systems in place, there are resources that
control those risks and monitor the need access to such information. If can assist. The Global Harmonization Task
effectiveness of the controls. this same component is then sold to Force (GHTF) produced document GHTF/
other end-product medical device SG3/N15R8 titled “Implementation of risk
Business Implications
manufacturers for similar purposes, management principles and activities
Of course, there are business within a Quality Management System.”
suppliers may find themselves duplicating
implications associated with the
such assessments and information This document discusses and supports
selection of components, and they are
sharing processes. the implementation and integration
more extensive when risk management
of a risk management system within a
is required. This is true for both a From the OEM’s perspective, they must
medical device manufacturer’s quality
component supplier and OEM. With demonstrate compliance with clause 4.8
management system and provides
regard to risk management for medical of IEC 60601-1:2005, which states in part:
practical explanations and examples.
devices, there are two basic scenarios: “All components, including wiring,
either a component supplier elects to Another challenge, perhaps better
the failure of which could result in a
perform the risk management or not. stated as an additional requirement,
HAZARDOUS SITUATION shall be used in
is establishing and communicating
At least initially, most component accordance with their specified ratings
unless a specific exception is made the design intent of a component.
suppliers will probably not perform
in this standard or through the RISK Previously, a supplier could produce a
risk management. This means that, for
MANAGEMENT PROCESS…” component with certain features and
them, business will continue as usual
ratings, and it was up to the OEM to
with regard to design, development and With this information in hand, an OEM
determine whether the component
production processes. will need to determine whether any
was acceptable for the ultimate end
However if a component is purchased by supplemental actions or end-product
use. However, a foundational element
a medical device manufacturer and its design changes are needed to maintain
of risk management for any device is a
application requires risk management, an acceptable level of risk on an ongoing
clear statement of intended use and a
an OEM will need information about basis. OEMs may impose vendor
declaration of the essential performance.
the component beyond its ratings and requirements (such as supplier controls)
These establish the basis for design
certifications. This might include design on suppliers to maintain an acceptable
features, performance characteristics, and
details of the component construction, level of risk.
the identification of any limitations for
e.g. transformer bobbin construction As discussed previously, some suppliers a device. The risk management process
and material, creepage and clearance follow a risk management process when is then used to define, establish and
distances, and dielectric strength. developing components. This presents implement any necessary risk mitigation
To fulfill applicable regulatory obligations challenges to the component supplier, but to preserve the essential performance and
and follow their risk management also offers some distinct benefits. basic safety of the ultimate end-product.
page 4

5. Choices – IEC 60601-1 3rd Edition and Component Selection
The information that is developed in field issues, and greater profitability. There are additional potential benefits for
answer to the challenges provides the OEMs, including the following:
OEMs that work with suppliers that have
key benefits of implementing a risk
implemented a risk management process • Reduced effort to identify
management program—namely, a
will see distinct advantages beyond being component design features and
supplier’s ability to demonstrate due
able to demonstrate compliance with a characteristics that may have
diligence to a purchaser in the form of
safety standard. This begins with supplier an impact on basic safety and
objective evidence of compliance with
assessments. As noted in the FDA’s QSR, essential performance
the relevant parts of Clauses 4.2, 4.8
Sec. 820.50 on purchasing controls: • Clear identification of any features
and others of IEC 60601-1. Suppliers that
are able to provide a clear statement of “Each manufacturer shall establish or characteristics that may be
intended use and a definition of essential and maintain procedures to ensure candidates for some level of
performance for a component, as well as that all purchased or otherwise supplier control
details of the risk analysis and mitigation received product and services conform • Reduced overhead to maintain
actions performed, put OEMs in a much to specified requirements. the device risk management
better position to complete their risk • Evaluation of suppliers, file, due to the availability of
management processes. Because of this, contractors, and consultants. information regarding the
OEMs may prefer vendors that can offer Each manufacturer shall establish purchased component
such risk management documentation and maintain the requirements, In short, when both an OEM and a
because they can reduce the OEM’s including quality requirements, supplier have an ISO 14971 process in
burden in terms of cost and time. that must be met by suppliers, place, communication between the two
Suppliers may find additional intangible contractors, and consultants is greatly enhanced. Both parties will have
benefits to implementing a risk Each manufacturer shall: a more comprehensive understanding
management process. Specifically, of the design and production risks
• Evaluate and select potential
manufacturers that develop components associated with the finished device.
suppliers, contractors, and
with the aid of a risk management This offers the opportunity for reduced
consultants on the basis of
analysis will find a clear and duplication of effort, making the entire
their ability to meet specified
comprehensive understanding of the supply chain leaner, and focusing
requirements, including quality
actual risks associated with its declared activities on the preservation of basic
requirements. The evaluation
intended use. As a result, the risk controls safety and essential performance. This
shall be documented.” is in line with the imperative of
applied to product design features and
characteristics will be focused right where A supplier with an ISO 14971-compliant regulators around the world for good
they need to be — on preserving basic process could readily produce the manufacturing practices.
safety and essential performance. This, information and documentation needed
in turn, can result in a more efficient to support and simplify an OEM’s efforts
allocation of resources, a reduction in to evaluate and select suppliers.
page 5

6. Choices – IEC 60601-1 3rd Edition and Component Selection
Conclusion
Medical devices certified according to the 3rd edition of IEC 60601-1 must be developed
under a process compliant with ISO 14971. This is also true for critical outsourced
components. This presents an end-product manufacturer and a component provider
alike a choice: OEMs must decide if they are going to require outsourced components to
be developed under an ISO 14971 process. Similarly, component providers must decide if
they’re going to implement an ISO 14971 process.
Clearly these choices represent the potential for significant change in the industry,
and the options faced by OEMs and component providers must be weighed carefully.
However as history has demonstrated, change also brings opportunity; and with the 3rd
edition of IEC 60601-1, change is upon the industry.
For more information about the “Choices – IEC 60601-1 3rd Edition and Component
Selection” white paper, please contact Mark Leimbeck, Health Sciences Program
Manager at Mark.A.Leimbeck@ul.com.
UL and the UL logo are trademarks of UL LLC © 2012. No part of this document may be copied or distributed without the prior written
consent of UL LLC 2012.
page 6