Auditory Alarm Requirements in IEC 60601-1-8 and Risk Management Considerations
How do the requirements for risk management according to ISO 14971 affect collateral standard IEC 60601-1-8? The subject is addressed by Ken Dybdahl and ChanYo Won of Underwriters Laboratories, with particular consideration of how IEC 60601-1-8 applies to infusion pumps and patient monitoring equipment.
Alarm type recognised by IEC 60601-1-8
The second edition of IEC 60601-1-8, General requirements, tests and guidance for alarm systems in medical electrical equipment and medical electrical systems, published in 2006, covers alarm systems incorporated into medical equipment (ME). An alarm system is defined by the standard as “part of ME equipment or a ME system that detects alarm conditions and, as appropriate, generates alarm signals.” In the context of alarm signals, the standard refers to indicator lights for visual alarm signals (Clause 6.3.2) and melody (note 1) or optional verbal sounds for auditory alarm signals (Clause 6.3.3).
Looking into the standard, the difference in technical complexity between generating auditory alarm signals and generating visual alarm signals becomes apparent, and the intent of this article is to examine this complexity of auditory alarm systems. We will look at some of the considerations one must observe for auditory alarms and also at the influence risk management has on the integrity of the alarm system itself. Specifically, we will consider how the IEC 60601-1-8 standard applies to infusion pumps and patient monitoring equipment.
Definition of auditory alarms
IEC 60601-1-8, Clause 220.127.116.11 describes auditory alarms as “Melodies” and/or “Verbal Alarms.” The term “melody” is used to describe combinations of very few musical notes, while the term “verbal” is to be taken literally and is defined as human speech.
The psychoacoustic association
Many melodies have a meaning that exceeds the combination of the tones from which they are composed. Our history is filled with short melodies that carry a meaning and an association for many of us. One of the most well-known short melodies, the four tones of the BBC’s World War II broadcasters, taken from Ludwig van Beethoven’s Symphony No. 5, was used for propaganda purposes and means much more than just a melody for many people. The short-short-short-long tune is equivalent to the Morse code for “V”, and its association with the word “victory” can command the full attention of whole generations of people.
This relationship between the melody itself and its association is called the Psychoacoustic Association, and it is valuable when utilised in the right context.
In the medical care sector, melodies can be used to improve patient safety and, with advances in technology, tone generation and verbal messages can be used to optimise promptness of action.
IEC 60601-1-8, Tables 3, 4 and Annex F
The IEC 60601-1-8 standard provides sets of melodies consisting of three notes for medium priority alarms and five tones for high priority. The melodies were “composed” by musically trained experts from the IEC subcommittee 62A and ISO subcommittee SC3 (note 2). The Annex F.A1 Table contains eight melody sets. Each melody was created to be distinctly different from all the others, so that each is unique and can be remembered easily. The eight melodies relate to the cause of the ALARM state: General, Cardiac, Artificial Perfusion, Ventilation, Oxygen, Temp/Energy Delivery, Drug or Fluid Delivery, Equipment or Supply Failure. Equipment producing alarms must use one or more of the eight predefined alarms according to Annex F, based on the alarm category. If the equipment alarm falls outside the mentioned categories, the manufacturer may compose a new alarm melody following the guidelines of Tables 3 and 4 or follow Clause 18.104.22.168 (b) covering VERBAL alarms, which we will cover later in this article.
Technique behind the melody – Harmonic
IEC 60601-1-8 describes the melodies by the subcomponents “pulse” and “burst.” Tables 3 and 4 define all the timing aspects for these melodies, such as the number of pulses in a burst, pulse spacing, difference of amplitude between pulses and many other parameters. An interesting parameter is the number of harmonic components, which can have a great influence on volume at a given point. The following describes the difference between single sound waves and waves with harmonic components.
Single sound waves played in a free field have the following characteristic: if a point source in a free field produces a sound pressure level of 90 dB at a distance of one metre, the sound pressure level at two metres is 84 dB, at four metres is 78 dB, and so forth. If the same sound wave is played in a room, the walls cause some of the sound to reflect, producing an interference pattern. If the forward and reflected waves have the same phase, the two waves will produce higher or lower sound levels than the free field wave. Under worst-case situations it may be impossible to hear a single sound wave at certain locations. If the sound wave contains one or more harmonic signals, the risks associated with standing waves are reduced dramatically, which is why the standards prescribe a minimum of four harmonic components.
Increasing the number of harmonics also improves the “quality” of the sound, making it more pleasant to listen to.
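The standing-wave argument above, as an added example that is not part of the original article: a simplified two-path model (the direct wave plus one reflection) comparing a pure 440 Hz tone with the same tone plus four harmonics, alongside the free-field distance rule. The speed of sound, the equal component amplitudes and the single perfect reflection are assumptions made for illustration.

```python
import cmath
import math

SPEED_OF_SOUND = 343.0  # m/s in air at about 20 degrees C (assumed)

def free_field_spl(spl_at_1m_db, distance_m):
    """Point source in a free field: level falls 6 dB per doubling of distance."""
    return spl_at_1m_db - 20.0 * math.log10(distance_m)

def level_vs_free_field_db(freqs_hz, path_diff_m, reflection=1.0):
    """Level of direct + one reflected wave, relative to the direct wave alone.

    path_diff_m is how much farther the reflected wave travels. Components at
    different frequencies add in power; each has unit amplitude (assumed).
    """
    power = 0.0
    for f in freqs_hz:
        phase = 2.0 * math.pi * f * path_diff_m / SPEED_OF_SOUND
        power += abs(1.0 + reflection * cmath.exp(-1j * phase)) ** 2
    power = max(power / len(freqs_hz), 1e-12)  # floor avoids log10(0) at a perfect null
    return 10.0 * math.log10(power)

def worst_dip_db(freqs_hz, max_path_diff_m=2.0, step_m=0.001):
    """Lowest relative level found while sweeping the listener position."""
    steps = int(round(max_path_diff_m / step_m))
    return min(level_vs_free_field_db(freqs_hz, i * step_m) for i in range(steps + 1))

FUNDAMENTAL = 440.0                                       # pitch "a" used in the article
PURE_TONE = [FUNDAMENTAL]
WITH_HARMONICS = [FUNDAMENTAL * k for k in range(1, 6)]   # fundamental + 4 harmonics
NULL_POSITION = SPEED_OF_SOUND / (2.0 * FUNDAMENTAL)      # half a wavelength of extra path

if __name__ == "__main__":
    for d in (1, 2, 4):
        print(f"free field at {d} m: {free_field_spl(90, d):.0f} dB")
    print(f"pure tone at its null:     {level_vs_free_field_db(PURE_TONE, NULL_POSITION):7.1f} dB")
    print(f"with harmonics, same spot: {level_vs_free_field_db(WITH_HARMONICS, NULL_POSITION):7.1f} dB")
    print(f"worst dip, pure tone:      {worst_dip_db(PURE_TONE):7.1f} dB")
    print(f"worst dip, with harmonics: {worst_dip_db(WITH_HARMONICS):7.1f} dB")
```

At the position where the fundamental cancels, the second and fourth harmonics arrive in phase, so the five-component signal remains audible while the pure tone disappears.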
The intent of the eight-alarm set is to provide information on the nature of the given alarm. This requires that the medical personnel be trained to distinguish between each of the eight melodies from Annex F and any other melody or verbal alarms not following Annex F. How does each device manufacturer ensure that alarms generated by its equipment are not confused with other devices’ alarms of the same type? In Annex F the denoted keys (for example “c”, “f”) are not absolute frequencies, but can be varied.
Because the human ear has a fine resolution down to 1 Hz or better, each device manufacturer can allow programming of the keys within a certain range. This flexibility allows the responsible organisation (such as a hospital) to program a device to generate the same alarm category at a slightly different pitch. As an example, a device would be assigned 440 Hz for its pitch “a” while a different device would be assigned 444 Hz for the same key “a.” The responsible organisation shall verify the effectiveness of the overall alarm system when configured and it shall also ensure proper training of its personnel, so that each member of the health care team knows exactly which alarms are produced by which equipment.
As this example shows, the interaction between the device manufacturer and the responsible organisation is very important. The device manufacturer’s risk management file may indicate that the effectiveness of the device’s risk controls depends on effective adjustment of the equipment parameters.
Risk Management File and alarms
With all the variables involved in the design and effective use of alarms, there are many risks that must be considered. Some of these risks must be addressed as part of the standard’s requirements; other risks are the concerns of the regulatory bodies that approve medical devices.
In the following section we will look at an example of a Risk Management File (RMF) (note 3) for an infusion pump. This example is inspired by Defects on Alarm of Infusion Pump described on the FDA website, Examples of Reported Infusion Pump Problems. The issue was stated as follows:
The infusion pump fails to generate an audible alarm for a critical problem such as an occlusion (e.g., clamped tubing) or the presence of air in the infusion tubing.
In special cases, infusion of drugs is considered a critical infusion, meaning that the absence of a proper infusion is hazardous to the patient; hence the absence of an alarm is equally critical.
The RMF for this device considers a single entry for a particular hazard of pump tubing occlusion (air embolism) caused by air bubbles in the drug delivery system. The situation may arise during substitution of fluid bags, and in the real world this hazardous situation of air bubbles in delivery tubing does happen quite often. In this fictitious example, the manufacturer assumes the probability of occurrence (air in delivery tubing) to be 1 out of 100 operations, and considers the severity of harm to be serious to the patient. From the RMF table (see Table 1 below), before the manufacturer considers any risk control measures, the calculated risk, based on probability multiplied by severity, is “unacceptable.”
Risk control measures
Going back to the alarm system definition outlined in Clause 3.11, it describes the detection of ALARM CONDITIONS as well as the generation of alarm signals. In this example, both the detection of ALARM CONDITIONS and the generation of alarm signals are part of the hazard mitigation, which in risk management terminology is defined as a risk control measure, addressed by ISO 14971, Clause 6. In the example, the as low as reasonably practicable (ALARP) region for the particular risk is defined as Severity = “Serious injury” and the manufacturer defines the Probability as 1 out of 100,000. Because the severity is not affected by the level of risk, the manufacturer determines that compliance with ALARP can only be achieved by reducing the probability of occurrence from 1/100 to 1/100,000.
Effectiveness of risk control measures
The final task is to ensure effectiveness of the risk control measure as described in Clause 6.3 of ISO 14971, where compliance to IEC 60601-1-8 could help reduce the probability of occurrence.
Part of the effectiveness assessment could be to analyse how robust the risk control is. Because the risk control is the alarm system itself, it is also important to consider the following:
1. Is component failure detectable?
2. Is software failure detectable?
From this assessment, the manufacturer determines that the probability of occurrence influences the likelihood of failure for the risk control.
The following statement should be fulfilled:
Probability of failure for a Risk Control ≤ Probability of the Risk Control itself
In the example, the probability was lowered from 1/100 to 1/100,000 by the risk control measure. Hence, the failure rate for a risk control should then be 1/100,000 or better. In other words, the manufacturer must ensure that the Alarm System (Risk Control Measure) is very reliable (High Integrity).
Alarm melodies generated by Audio Codec and sampling files
The technical aspects of generating alarm signals according to IEC 60601-1-8 envisage solutions using computer technology.
For one moment imagine that a device manufacturer of infusion pumps wishes to upgrade an existing model to comply with IEC 60601-1-8 alarm requirements. The manufacturer has limited resources and the upgrade needs to be completed immediately. There are some approaches the manufacturer could take:
An Internet search for “IEC 60601-1-8 and sound” may be a solution because someone may already have produced the melodies within the specification of the IEC 60601-1-8, Tables 3, 4 and Annex F. The perceived easy solution is to purchase an Audio Codec to replay the sampling file each time there is a need for an Alarm. The question now is how reliable an off-the-shelf hardware/software combination really is.
Risk management considerations for software
Software (note 4) may also be considered as the source of failure in the hardware/software system. Because the alarm is considered a risk control, manufacturers must consider any new risk introduced by risk controls as specified in ISO 14971, Clause 6.6, Risk arising from risk control measures.
In the Audio Codec example, the manufacturer introduces new hardware and software that come with little or no information regarding design and little or no information according to ISO 14971. This kind of software is often referred to as COTS (commercial off-the-shelf software) and SOUP (software of unknown pedigree). COTS and SOUP are acronyms covered in software standards, and a description can be found in the Technical Information Report, AAMI TIR 32.
Software expert Steve McRoberts once said: “The probability of error in calculating the probability of failure is probably higher than the real probability of failure”.
What McRoberts’ comment implies is that it is virtually impossible to estimate the probability of failure for a piece of software, because the safety of software primarily comes from reliable software development processes. This of course makes the failure probability of SOUP very hard to estimate, and the manufacturer must therefore consider whether such a device is allowed to operate stand-alone or requires another independent safety device. In other words, because the software, and the process that developed the software, is of unknown origin, the probability of its failure must be considered 100%. The net effect is that the manufacturer should have a totally redundant and reliable (1/100,000) backup.
Alarms in patient monitoring equipment
Another area where alarms are critical is patient monitoring. The patient monitoring equipment used in the emergency room, ICU or other critical care facilities is always provided with an alarm function and thus is required to comply with IEC 60601-1-8:2006 and also with IEC 60601-2-49:2001, Particular requirements for the safety of multifunction patient monitoring equipment (note 5).
Together with defibrillation immunity and other clinical performances, the alarm function is one of the essential performances in patient monitoring equipment. IEC 60601-2-49: 2001 (First Edition) addresses the alarm requirements to be applied to multifunction patient monitoring equipment. Although this standard only specifies auditory and visual alarms, AAMI IEC 60601-1-8:2006 includes more types of alarms including verbal, vibratory and other means.
The IEC 60601-1-8:2006 standard is a collateral standard of IEC 60601-1:2005 and must be used in conjunction with other applicable standards to address the functional safety of devices that have alarms. IEC 60601-1:2005, Sub-Clause 12.3, states that the manufacturer shall address the need for alarm systems as a means of risk control, and the risks associated with operation or failure of the alarm system, in the risk management process. The prioritisation of the alarm signal needs to be determined during the risk management process.
Therefore, while the characteristics and prioritisation of the alarm signal are critical in patient monitoring equipment to ensure the alarm signal is perceived correctly by the operator, these requirements are not included in IEC 60601-2-49. The alarm signal is inactivated if the operator has recognised the alarm condition and, according to IEC 60601-2-49, the alarm signal can be disabled for the auditory alarm part only or for both the auditory alarm and visual alarm parts. See Table 2 for the major differences in terminology between the two standards.
In patient monitoring equipment, any technical or physiological alarm is provided for failure of the medical device or urgent condition of the physiological parameter, with both auditory alarm manifestation and visual manifestation together. Table 3 shows these requirements on the physiological alarm and the technical alarm, required by IEC 60601-2-49.
In addition to unique requirements from IEC 60601-1-8 such as auditory alarms, when applying for regulatory approvals, it is also important to provide basic information on how to apply IEC 60601-1-8 together with IEC 60601-2-49 to the patient monitoring equipment because this equipment can be a good example in application of the alarm
As seen in the examples provided for infusion pumps and patient monitoring equipment, auditory alarms play an important role in the safety of medical devices. While the standards define the types of alarms to be used, medical device manufacturers can also use risk management to determine if the alarm in itself mitigates the risk sufficiently for the foreseen and unforeseen hazards. As more devices rely on software and new technologies for safety, that may or may not be covered within the scopes of the existing standards, alarms will continue to remain a viable safety mitigation tool.
1. In the context of Annex F, the Standard uses the terminology “Melody” for each of the nine examples given in Table A.1 of this Annex F, even if one can hardly call the first melody, named “GENERAL” and consisting of ccc or ccc – cc, a true Melody.
This also means that a Single Tone is to be considered a Melody per the Standard.
The Standard allows the use of other Melodies, but the Standard does set rules for melodies to align with Annex F to avoid misunderstanding.
2. These sounds were originally "composed” by ISO TC 121 SC3 as part of ISO 9703-2, which was withdrawn when 60601-1-8 was published.
3. The RMF is the result of risk management activities executed according to the risk management standard used for medical equipment, ISO 14971.
4. Software shall comply with IEC 60601:2005, Clause 14 (and IEC 62304) when deemed critical for the application in the RMF.
5. The referenced standards are listed as harmonised standards in Europe for the Medical Device Directive, and are also published as national AAMI standards, but in the US only IEC 60601-1-8 is listed as an FDA recognised standard.
For more information or to contact the authors, write to:
Tara Kambeitz, Global Marketing Manager - Health Sciences, Underwriters Laboratories,