
About the single-fault safety / functional safety requirement in ISO 80601-2-12:2020: enterprise self-check table

Requirements                                   Information provided by enterprises
1) The requirements of the standard are as follows

ISO 80601-2-12

201.13.2.103 * Independence of ventilation control function and related risk control measures
a) A single fault condition shall not cause the simultaneous failure of:
   1) a ventilation control function; and
   2) the corresponding protection device.
b) A single fault condition shall not cause either:
   1) a ventilation control function and the corresponding monitoring equipment; or
   2) a ventilation control function and the corresponding alarm system
   to fail in such a way that the loss of the ventilation control function is not detected.
Check conformity by inspection and functional testing.
2) Provide a schematic diagram of the gas path, briefly describing the pressure range of each part, indicating which components are used as safety protection, and giving the limit value of the pressure protection.

Here is an example of a simple gas path diagram:

The parts circled in red in the figure are the control elements; the protection action is to switch off the power supply to these control elements.
Inherent safety: because of the characteristics of the turbine itself, the ultimate pressure cannot exceed 100 cmH2O, far below the pressure limit of 125 cmH2O.
See Appendix 1 for a detailed description of the protection system and control system.

3) In the risk management report in the CE technical file, mark on the report the numbers of the listed risks and of the corresponding risk control and verification documents.
The risk items that must be listed include:
- Pressure too high; tidal volume outside the set range (too high or too low); wrong oxygen concentration
Other risk items related to system functions, including but not limited to:
- Unexpected start or stop
- Tubing accidentally disconnected or blocked
- Flow control valve failure
- Continuous positive pressure output exceeding the set value
- Parameter input error
- Input setting parameters incorrectly modified inside the device and then output
- Pressure too low
- Failure of the external or internal power supply
- Supply voltage of key vital parts too high or too low
- Clock error
- Communication error between CPUs, or CPU failure caused by communication
- Alarm unit failure
Risks of other units, such as humidifiers, negative pressure devices, etc.
4) According to the functional safety requirements, describe the FTT and the MFOT:
• FTT (fault tolerance time, defined as the time between the occurrence of a failure and harm to the patient or operator)
• MFOT (multiple fault occurrence time, defined as the time after a first failure within which the probability of a second independent failure is sufficiently low)

5) Provide the circuit diagram (schematic diagram, official document, drawing number, version, date, etc.). For example, the specific values of resistors and capacitors, IC models, etc. may be removed, but the component labels must be correct and must match the actual circuit board.

6) Describe the checks performed during the power-on self-test and during regular maintenance:
- Which components (sensors, ADC, RAM, ROM, calculations, valves, etc.) are self-checked, and how is each check implemented? How is an alarm triggered when an error occurs?
- Does the above self-test include a self-test of the protection part? How is it achieved? How is an alarm triggered when an error occurs? Are there scheduled inspections of the safety valves? How long is the test period?
In particular, it is important to describe, following the description of the "protection system" given earlier, the related components of the entire "protection system" (or the self-test of the entire "protection system"), and to provide a verification report.
7) List the common cause failures considered (whether or not they are included in the listed risk items). How are they controlled (only for common cause failures not described in 6)? E.g.:
- Do the two CPUs have overvoltage/undervoltage protection?
Appendix 1

Note:
1) The connections in the figure only show that the signal of each analog sensor reaches both the DSP and the protection MCU. The DSP acquires each analog sensor signal through the external ADC, and the protection MCU acquires it through its internal ADC.
2) UART communication between the DSP and the MCU transfers data for comparison; at the same time, each judges the operating status of the other.
The functional safety architecture of this product combines a control system with an independent protection system. The protection system has its own independent processing unit and outputs, can monitor sensors shared with the control system or its own independent sensors, and ensures that the product remains safe when the control system fails. The protection action is to switch off the power to these control parts; this switching is controlled by the protection MCU.
1. Airway pressure safety
Inherent safety: because of the characteristics of the turbine itself, the ultimate pressure cannot exceed 100 cmH2O, which is far below the pressure limit of 125 cmH2O.
A: Protection architecture:
Control system + protection system (cp) + self-test.
B: Implementation description:
This system has two airway pressure sensors. The control DSP and the protection MCU simultaneously and independently acquire both sensor signals: the DSP uses the external ADC and the MCU uses its internal ADC. The two processors then compare their readings with each other over the UART link to confirm whether each pressure sensor is working properly, and an alarm is raised when the pressure is abnormal. When the pressure exceeds the safe range, the protection MCU can cut off the power supply of the oxygen valve through a MOSFET, cut off the turbine power supply through the NMOS/PMOS turbine power switch, and raise an alarm on the display screen.
C: Self-test description:
The protection and control system performs a self-test of the oxygen valve and of the oxygen valve power switch at power-on, and the sensor can perform a periodic self-test.
The protection and control system performs a self-test of the turbine and of the turbine power switch at power-on, and the sensor can perform a real-time self-test.
2. Oxygen concentration safety
A: Protection architecture:
Control system + protection system (cp) + self-test.
B: Implementation description:
Both the control DSP and the protection MCU simultaneously and independently acquire the oxygen flow rate sensor, the inhalation flow rate sensor, the flow rate value and the oxygen sensor value. From the ratio of the two flow rates, the expected (reasonable) oxygen concentration value can be calculated, which makes it possible to infer whether there is a problem with the oxygen concentration control, and to act on it. If the protection MCU judges that the oxygen concentration is outside the safe range, the oxygen valve power can be cut off through a MOSFET, the turbine power can be cut off through the NMOS/PMOS turbine power switch if necessary, and an alarm can be raised on the display screen.
C: Self-test description:
The protection and control system performs a self-test of the oxygen valve and of the oxygen valve power switch at power-on, and the sensor can perform a periodic self-test.
The protection and control system performs a self-test of the turbine and of the turbine power switch at power-on, and the sensor can perform a real-time self-test.

The control DSP and the protection MCU are independently powered. The control DSP is powered by an LDO from 6.8 V, and the protection MCU by a separate LDO from 12 V, so there is no common cause failure of the supply voltage.
Although the sensors are powered by the same supply (the control system supply), the protection MCU monitors the sensor supply rail A5V to confirm that its voltage stays within the normal range.
In other abnormal circumstances, such as a power failure or the failure of either processor to communicate, protection and alarm can be triggered.
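The decision logic that sections 1 and 2 and the power-supply paragraph describe for the protection MCU (independent pressure readings cross-checked against the DSP over UART, a 125 cmH2O pressure limit, an oxygen concentration inferred from the flow ratio and compared with the oxygen sensor, the A5V rail check, and a fault on loss of DSP communication) is shown below as one protection cycle. This is an added illustration, not firmware from the product described in the appendix: the sensor tolerance, FiO2 tolerance, A5V window, lost-frame count, the FiO2-from-flow formula (oxygen line at 100 % O2, the rest of the inspiratory flow air at 21 %), the choice to judge over-pressure on the higher of the two sensors, and the choice to cut drive power when the sensors disagree are all assumptions made for the example. Sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* P_LIMIT_CMH2O is the limit quoted in Appendix 1; every other threshold is an assumed example value. */
#define P_LIMIT_CMH2O        125.0f
#define P_XCHECK_TOL_CMH2O     5.0f   /* assumed: max allowed MCU/DSP disagreement per sensor */
#define FIO2_TOL               0.10f  /* assumed: max allowed inferred-vs-measured FiO2 gap */
#define A5V_MIN                4.75f  /* assumed: acceptable window for the A5V sensor rail */
#define A5V_MAX                5.25f
#define MAX_LOST_FRAMES        3      /* assumed: consecutive lost UART frames before a fault */

typedef struct {
    float p1_mcu, p2_mcu;     /* two airway pressure sensors via the MCU's internal ADC (cmH2O) */
    float p1_dsp, p2_dsp;     /* the same sensors as reported by the control DSP (external ADC) */
    bool  dsp_frame_ok;       /* a valid UART frame from the DSP arrived this cycle */
    float o2_flow, insp_flow; /* oxygen line flow and inspiratory flow (L/min) */
    float fio2_measured;      /* oxygen sensor reading, fraction 0..1 */
    float a5v;                /* sensor supply rail monitored by the protection MCU (V) */
} mcu_inputs_t;

typedef struct {
    bool cut_o2_valve;   /* switch the oxygen valve supply MOSFET off */
    bool cut_turbine;    /* switch the NMOS/PMOS turbine power switch off */
    bool alarm;          /* raise the alarm on the display */
    const char *reason;
} protect_action_t;

static float absf(float x) { return x < 0.0f ? -x : x; }

/* Expected FiO2 from the flow ratio (assumed model: O2 line is pure O2, remainder is air at 21 %).
   Returns -1 when there is no inspiratory flow to infer from. */
float expected_fio2(float o2_flow, float insp_flow)
{
    if (insp_flow <= 0.0f) return -1.0f;
    if (o2_flow > insp_flow) o2_flow = insp_flow;
    return (o2_flow + (insp_flow - o2_flow) * 0.21f) / insp_flow;
}

static protect_action_t act(bool o2, bool turb, const char *why)
{
    protect_action_t a = { o2, turb, o2 || turb, why };
    return a;
}

/* One protection-MCU cycle; `lost_frames` persists between cycles. Checks are ordered so that a
   fault in the measurement chain (rail, DSP link, sensor agreement) is caught before the
   measurements themselves are trusted. */
protect_action_t protection_cycle(const mcu_inputs_t *in, unsigned *lost_frames)
{
    /* 1. Shared sensor supply rail: a common-cause risk for every sensor, so it is checked first. */
    if (in->a5v < A5V_MIN || in->a5v > A5V_MAX)
        return act(true, true, "A5V sensor supply out of range");

    /* 2. DSP link and cross-check. A single lost frame is tolerated; a run of them is a fault. */
    if (!in->dsp_frame_ok) {
        if (++*lost_frames >= MAX_LOST_FRAMES)
            return act(true, true, "control DSP not communicating");
    } else {
        *lost_frames = 0;
        if (absf(in->p1_mcu - in->p1_dsp) > P_XCHECK_TOL_CMH2O ||
            absf(in->p2_mcu - in->p2_dsp) > P_XCHECK_TOL_CMH2O)
            return act(true, true, "pressure sensor / ADC channel disagreement");
    }

    /* 3. Over-pressure, judged on the higher of the two readings (worst case). */
    float p = in->p1_mcu > in->p2_mcu ? in->p1_mcu : in->p2_mcu;
    if (p > P_LIMIT_CMH2O)
        return act(true, true, "airway pressure above limit");

    /* 4. Oxygen concentration: inferred value versus the oxygen sensor; only the O2 valve is cut. */
    float fe = expected_fio2(in->o2_flow, in->insp_flow);
    if (fe >= 0.0f && absf(fe - in->fio2_measured) > FIO2_TOL)
        return act(true, false, "oxygen concentration disagrees with flow ratio");

    return act(false, false, "ok");
}

/* Constructed inputs for a healthy ventilator, plus single-fault variants of it. */
mcu_inputs_t nominal_inputs(void)
{
    mcu_inputs_t in = { 20.0f, 20.5f, 20.2f, 20.4f, true, 5.0f, 20.0f, 0.40f, 5.0f };
    return in;
}
mcu_inputs_t overpressure_inputs(void) { mcu_inputs_t in = nominal_inputs(); in.p1_mcu = 130.0f; in.p1_dsp = 129.0f; return in; }
mcu_inputs_t wrong_fio2_inputs(void)   { mcu_inputs_t in = nominal_inputs(); in.fio2_measured = 0.80f; return in; }
mcu_inputs_t sensor_split_inputs(void) { mcu_inputs_t in = nominal_inputs(); in.p1_dsp = 40.0f; return in; }
mcu_inputs_t bad_rail_inputs(void)     { mcu_inputs_t in = nominal_inputs(); in.a5v = 4.0f; return in; }

/* Evaluate one cycle starting from a clean lost-frame counter. */
protect_action_t evaluate_once(mcu_inputs_t in)
{
    unsigned lost = 0;
    return protection_cycle(&in, &lost);
}

/* Action after `n` consecutive cycles without a valid DSP frame. */
protect_action_t after_lost_frames(unsigned n)
{
    mcu_inputs_t in = nominal_inputs();
    in.dsp_frame_ok = false;
    unsigned lost = 0;
    protect_action_t a = act(false, false, "ok");
    for (unsigned i = 0; i < n; i++) a = protection_cycle(&in, &lost);
    return a;
}

int main(void)
{
    protect_action_t a = evaluate_once(overpressure_inputs());
    printf("turbine=%d o2=%d alarm=%d reason=%s\n", a.cut_turbine, a.cut_o2_valve, a.alarm, a.reason);
    return 0;
}
```

The ordering matters for the "independence" requirement of 201.13.2.103: the rail and link checks let the protection MCU react to a fault that would otherwise blind both it and the control DSP at the same time, which is exactly the case the clause forbids going undetected.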
