In December 2005, the International Electrotechnical Commission (IEC) released a new standard for medical devices, IEC 60601-1:2005, Medical electrical equipment—Part 1: General requirements for basic safety and essential performance, Third Edition. This edition is a major redirection as it is much less prescriptive and now relies on risk management as the tool to assure that a medical device is safe. In fact, the standard requires manufacturers to use a risk management system that complies with ISO 14971:2000, Medical devices—Application of risk management to medical devices.
In the complex world of standards, the update process for a single standard is difficult enough to monitor, but now we have a new second edition of International Organization for Standardization (ISO) 14971 expected to be released by the end of 2006. Fortunately for this discussion, we find that ISO 14971 Second Edition will not be a major redesign as was IEC 60601-1 Third Edition. Note: The American National Standard versions of these documents are ANSI/AAMI/IEC ES60601-1:2005 and ANSI/AAMI/ISO 14971:2000, respectively.
For the medical device manufacturer, there is also a series of collateral and particular standards that may apply to their device. Each of these standards is a part of the 60601 family, and because the parent, 60601-1, has been extensively revised, each of the collateral and particular standards must also be revised to mesh with the new parent. The manufacturer must also determine if other standards may apply to their product, such as those covering biocompatibility and sterilization.
For our discussion, we will concentrate on the relationship between 60601-1 and 14971, or how to use risk management to comply with the general safety standard. We will pick a specific set of examples to illustrate how to use these two standards together. We will also incorporate the use of the ANSI/AAMI/ISO 10993 biocompatibility standards and the sterilization family of standards in our examples.
60601-1 Requirements for Sterilization, Cleaning, and Disinfection
In clause 11.6.1, the general requirement for protection against hazards, the standard states that the manufacturer shall “…ensure a sufficient degree of protection against HAZARDS caused by…cleaning, disinfection, and sterilization as well as compatibility with substances used…”
Clause 11.6.6 allows manufacturers to define cleaning and disinfection procedures, but an analysis must be performed to ensure that these procedures will not result in unacceptable risks. Here is where the risk management process is applied. The manufacturer is required to place documents in the risk management file addressing the effects of multiple processing over the service lifetime of the product, and this documentation is inspected by the product certifying body (and possibly regulatory agencies) to ensure compliance.
In order to meet this requirement, the manufacturer must not only apply risk management, but also establish the service lifetime of the product. If the product is intended for single use, the manufacturer is not required to place instructions for the processing in documents accompanying the device. But if the device is intended for multiple use, then the instructions for processing must be available to the user.
In clause 11.6.7, the standard requires that products that are intended to be sterilized shall meet the assessment and documentation requirements of ANSI/AAMI/ISO 11134 covering moist heat sterilization, ANSI/AAMI/ISO 11135 for ethylene oxide sterilization, or ANSI/AAMI/ISO 11137 for radiation sterilization as appropriate to the sterilization process recommended for the device. So, once again, the new 60601-1 standard includes requirements that the manufacturer use other standards to achieve compliance.
Additionally, clause 11.6.7 of the new 60601-1 standard, Sterilization of equipment and systems, requires the manufacturer to demonstrate that the device shows no signs of deterioration as a result of following the recommended sterilization process. The manufacturer does this by recording the results of dielectric strength and leakage current testing performed after conducting the sterilization process recommended by the manufacturer.
In addressing the adequate treatment and documentation of these complex requirements, the question arises, how does the manufacturer demonstrate compliance in the risk management file? We can refer to an international document for some guidance on documenting compliance. The Global Harmonization Task Force (GHTF) released a Study Group 3 document entitled Implementation of risk management principles and activities within a quality management system in 2005 that provided an example “risk management summary table.” By adapting this table to the manufacturer's product, the manufacturer may demonstrate compliance with the risk management requirements of 60601-1. As an example, in Table 1 compliance is demonstrated by documenting the results of testing for insulation deterioration after sterilization processing. Our summary table refers to the actual documents used in supporting our position regarding the risk of the product. Additional hazards related to sterilization processes may be required to be documented in the same table.
Note: The assignment of identification (i.e. paragraph numbering) to the various documents is determined by the manufacturer and can be any convenient system.
To complete Table 1, the following steps were taken:
A hazard was identified and evaluation of the risk for the hazard was completed.
When the risk level exceeded the manufacturer's threshold for risk acceptability, a risk control measure (mitigation) was developed and a new risk evaluation for the mitigated hazard was completed.
A specification for the mitigation was determined and entered into the device engineering requirements.
When the specification was identified, it was made part of the verification plan so that verification testing could determine that the mitigation was implemented and effective.
When the testing was performed, it was documented in the test report including the results of the test performed.
If the test results met the requirements of the standard (and any other requirements set by the manufacturer) then the result indicates a “pass.”
Requirements for Biocompatibility
For issues of biocompatibility, 60601-1 takes a slightly different direction. The standard states that devices “…intended to come into direct or indirect contact with biological tissues, cells, or body fluids shall be assessed and documented according to the guidance and principles given in the 10993 series of standards.”
Again, we find some standards issues, as ANSI/AAMI/ISO 10993-1, Biological evaluation of medical devices—Part 1: Evaluation and testing, currently is in the third edition. A fourth edition is under development, with an effort to include 14971 requirements within this standard as well. Until the release of the fourth edition, we have to interpret these various standards to document the efforts to ensure the manufacturer's device complies with the risk management requirements of 60601-1, and the requirements of 10993. We can develop a table similar to Table 1 to summarize the development and compliance effort. In Table 2 above, one hazard identified in 10993-1 for a device with skin contact was “sensitization.” The manufacturer prepared specifications for the material and testing of the material as guided by ANSI/AAMI BE78:2002, Biological evaluation of medical devices—Part 10: Tests for irritation and delayed-type hypersensitivity (the U.S. version of ISO 10993-10). (Note that this standard is also in the revision cycle.)
Risk Management Documentation
Each of the steps in the previous two tables is documented in a report, and these reports are part of the design history file and also a part of the risk management file for the device. The risk management file may include the summary table above, and also a document that has pointers to the location of each of the risk management documents created to support the release of the electro-medical device. This would be similar in nature to the pointer document created to meet FDA requirements for the device master record. It is not necessary that the risk management file be in a single physical file.
As a part of device certification to 60601-1, the certifying body will inspect the risk management file for the device. This file will also be required to support the technical file for the product under the Medical Device Directive (MDD), necessary for CE marking.
With the examples above we have demonstrated for our selected topics that our device meets the risk management requirements of 60601-1. An expansion of the tables to include all of the risk management requirements would be useful to identify how the manufacturer has met all of the risk management requirements of the standard.
By setting up a file system under the manufacturer's quality system that meets the requirements of the 14971 risk management standard, the manufacturer will be able to effectively demonstrate compliance with a number of applicable standards, including 60601-1, and also be able to demonstrate the device meets FDA product safety requirements. The file system would also be useful in creating the technical file for the MDD.
A risk management summary table similar to the one recommended by the GHTF will assist the manufacturer in tracking the documentation required to support this effort. A list of the hazards identified for the product is contained in the summary table and the summary table will also aid in determining if all of the required steps in the risk management process have been completed for each hazard. This table will become an important record in the risk management file.
Edwin Bills is the principal consultant at Bilanx Consulting LLC and specializes in risk management. As a member of AAMI/QM/WG01, Application of quality systems to medical devices, and AAMI/QM/WG04, Application of risk management to medical devices, Bills participated in the development of IEC 60601-1 Third Edition and also in the development of ISO 14971 First Edition Amendment 1 and in the upcoming Second Edition. He may be contacted at: email@example.com.