Ensuring life-sustaining power even in an emergency
The standards stipulate that a life-sustaining medical device must continue to emit an audible alarm for a defined period after a single (first) fault has occurred. ISO 80601-2-84 for emergency ventilators, for example, requires at least 120 seconds. Besides a redundant alarm system, this calls for a redundant power supply, usually in the form of a primary battery, rechargeable batteries or supercapacitors (EDLC). These power supply requirements must be built into the design from the outset to avoid expensive retrofitting. Uncertainty can already arise over what counts as redundancy: if the device is specified for mobile use, unplugging the mains supply is not a fault but normal use, so two independent internal power sources are required. If a battery may also be replaced during operation, the risk assessment may under certain circumstances even require three internal storage units.
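The 120 s alarm requirement translates directly into an energy budget for the backup store. The following Python module is an added worked example, not part of the article or of any standard: it sizes a supercapacitor bank for the alarm hold-up time, including the converter efficiency, the ESR voltage drop at the end of the discharge, and a derating so that the requirement is still met at end of life. Only the 120 s figure comes from the article; the alarm power, efficiency, voltage window, ESR and end-of-life factor are constructed assumptions to be replaced by the project's own numbers and the capacitor datasheet.

```python
"""Sizing a supercapacitor (EDLC) bank for the alarm hold-up time.

Added worked example, not from the article or any standard. The 120 s
hold-up comes from the article; every other number below is a constructed
design assumption (alarm power, converter efficiency, voltage window, ESR,
end-of-life derating) and must be replaced by the project's own figures.
"""

HOLD_TIME_S = 120.0            # from the article (ISO 80601-2-84, emergency ventilators)
ALARM_POWER_W = 0.5            # assumption: buzzer plus alarm controller
CONVERTER_EFFICIENCY = 0.85    # assumption: efficiency of the alarm-rail converter
V_START = 5.0                  # assumption: two 2.7 V cells in series, charged to 5.0 V
V_MIN_CONVERTER = 3.0          # assumption: lowest input the alarm converter still works at
ESR_OHM = 0.1                  # assumption: bank ESR at end of life
EOL_CAPACITANCE_FACTOR = 0.7   # assumption: 70 % of nominal C remains at end of life


def effective_min_voltage(v_min_converter, alarm_power_w, efficiency, esr_ohm):
    """Lowest open-circuit capacitor voltage that still keeps the converter
    input above v_min_converter. With constant power and falling voltage the
    discharge current is highest at the end, so the ESR drop at that point
    is added to the converter's minimum input voltage."""
    i_end = alarm_power_w / (efficiency * v_min_converter)
    return v_min_converter + i_end * esr_ohm


def required_capacitance(alarm_power_w=ALARM_POWER_W, hold_time_s=HOLD_TIME_S,
                         efficiency=CONVERTER_EFFICIENCY, v_start=V_START,
                         v_min_converter=V_MIN_CONVERTER, esr_ohm=ESR_OHM,
                         eol_factor=EOL_CAPACITANCE_FACTOR):
    """Return (C_end_of_life, C_nominal) in farads.

    The usable energy 0.5 * C * (V_start^2 - V_eff_min^2) must cover the
    alarm energy P * t / efficiency. C_nominal is the value to buy so that
    the derated end-of-life capacitance still meets the requirement."""
    energy_needed_j = alarm_power_w * hold_time_s / efficiency
    v_eff_min = effective_min_voltage(v_min_converter, alarm_power_w, efficiency, esr_ohm)
    if v_eff_min >= v_start:
        raise ValueError("voltage window too small for this load and ESR")
    c_eol = 2.0 * energy_needed_j / (v_start ** 2 - v_eff_min ** 2)
    return c_eol, c_eol / eol_factor


def hold_time(capacitance_f, alarm_power_w=ALARM_POWER_W, efficiency=CONVERTER_EFFICIENCY,
              v_start=V_START, v_min_converter=V_MIN_CONVERTER, esr_ohm=ESR_OHM):
    """Inverse check: seconds of alarm a given capacitance delivers."""
    v_eff_min = effective_min_voltage(v_min_converter, alarm_power_w, efficiency, esr_ohm)
    usable_energy_j = 0.5 * capacitance_f * (v_start ** 2 - v_eff_min ** 2)
    return usable_energy_j * efficiency / alarm_power_w


def meets_requirement(nominal_capacitance_f, eol_factor=EOL_CAPACITANCE_FACTOR,
                      hold_time_s=HOLD_TIME_S):
    """Compliance check against the derated (end-of-life) capacitance,
    not the value printed on a new part."""
    return hold_time(nominal_capacitance_f * eol_factor) >= hold_time_s


if __name__ == "__main__":
    c_eol, c_nom = required_capacitance()
    print(f"end-of-life capacitance needed: {c_eol:.1f} F, nominal value to buy: {c_nom:.1f} F")
    print(f"hold-up with a new {c_nom:.1f} F bank: {hold_time(c_nom):.0f} s")
    print(f"hold-up at end of life: {hold_time(c_nom * EOL_CAPACITANCE_FACTOR):.0f} s")
```

The point of `meets_requirement` is that the check is done against the derated capacitance: a bank that just meets 120 s when new will fall short once ageing and temperature have taken their toll, which is exactly the gap a later retrofit would have to close.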
Recognising and avoiding pitfalls during implementation
Having several independent energy sources is a necessary but by no means sufficient condition for keeping the alarm system powered in the event of a single fault. Backup systems in particular draw their energy from whatever source is available: mains power supply unit, battery or supercapacitor. If the sources are combined incorrectly, for example with simple OR-ing diodes, a short circuit in the backup system short-circuits all sources at once. Each path therefore needs its own current limiter so that the faulty branch is disconnected from the system and a total blackout is avoided. The current limiter must also react quickly enough to trip before secondary protections such as the battery's own protection circuit intervene and take that source offline as well.
Consider switching between energy sources
Other stumbling blocks are functions that are not used in normal operation and are therefore easily forgotten in the fault analysis. For example, the power manager should be able to switch the system off and restart it if the software stops responding and a regular shutdown via the touchscreen no longer works. The trick familiar from consumer products, holding the power button down for 10 seconds, is convenient and is already built into some power management ICs. In a life-sustaining medical device, however, it can be fatal: a defective button, buffer or IO pin is enough to reset the entire system, and depending on the implementation without any alarm. Use errors must be considered too. If the device is pushed against a wall, the button can be held down permanently without anyone noticing.
If an energy source fails unexpectedly, the power management system must switch over very quickly to prevent the system voltage from dropping too low. With a sub-optimal implementation, large capacitors are needed to bridge the gap. Capacitors in the millifarad range are not only expensive but also take up space that is often not planned for in the mechanical design, because the switchover behaviour can usually only be characterised on a running prototype, by which time the mechanical design is well advanced.
The capacitors also have to be recharged. If this happens too quickly, the current drawn briefly exceeds that of normal operation, which must be accounted for so that an overcurrent limit is not tripped. A hot swap, i.e. exchanging a battery during operation, generates large current steps, which in turn produce large voltage transients across long cables or filter inductances. Without a varistor or an equivalent clamping element, the maximum permissible supply voltage can be exceeded, with catastrophic consequences.
Reliability and resilience – well thought-out design helps
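The three effects just described (hold-up during switchover, recharge current, hot-swap transients) are each a one-line relation, but seeing them together shows why a slow switchover ends up in the millifarad range and why the recharge and the inductive spike then have to be checked against the current limit and the absolute maximum voltage rating. The Python module below is an added worked example, not from the article; the rail voltage, load current, switchover times, inductance and ratings are constructed assumptions for illustration only.

```python
"""Hold-up capacitance for source switchover, recharge current and hot-swap
transients.

Added worked example, not from the article. All numeric values are
constructed design assumptions for illustration.
"""


def holdup_capacitance(load_current_a, switchover_time_s, allowed_droop_v):
    """Bulk capacitance on the system rail that carries load_current_a for
    switchover_time_s while the rail droops by no more than allowed_droop_v.
    From Q = C * dV = I * dt:  C = I * dt / dV."""
    if allowed_droop_v <= 0:
        raise ValueError("allowed droop must be positive")
    return load_current_a * switchover_time_s / allowed_droop_v


def recharge_current(capacitance_f, delta_v, recharge_time_s):
    """Average current needed to recharge capacitance_f by delta_v within
    recharge_time_s (I = C * dV / dt); it comes on top of the load current."""
    return capacitance_f * delta_v / recharge_time_s


def min_safe_recharge_time(capacitance_f, delta_v, load_current_a, source_limit_a):
    """Shortest recharge time that keeps load current plus recharge current
    below the source's current limit, so the limiter is not tripped."""
    spare_a = source_limit_a - load_current_a
    if spare_a <= 0:
        raise ValueError("source cannot even carry the load")
    return capacitance_f * delta_v / spare_a


def inductive_transient(inductance_h, current_step_a, step_time_s):
    """Voltage transient V = L * dI/dt produced when a current step (e.g. a
    battery being hot-swapped in) hits a cable or filter inductance."""
    return inductance_h * current_step_a / step_time_s


def exceeds_abs_max(rail_v, transient_v, abs_max_v):
    """True if rail voltage plus transient exceeds the absolute maximum
    supply rating of the downstream parts, i.e. a clamp such as a varistor
    is needed."""
    return rail_v + transient_v > abs_max_v


if __name__ == "__main__":
    # Assumed 12 V rail, 2 A load, rail may droop 0.5 V before converters drop out.
    slow = holdup_capacitance(2.0, 2e-3, 0.5)     # 2 ms switchover
    fast = holdup_capacitance(2.0, 100e-6, 0.5)   # 100 us switchover
    print(f"slow switchover: {slow * 1e3:.1f} mF, fast switchover: {fast * 1e3:.2f} mF")
    print(f"recharging {slow * 1e3:.0f} mF by 0.5 V in 1 ms needs "
          f"{recharge_current(slow, 0.5, 1e-3):.1f} A on top of the load")
    print(f"with a 3 A source limit, recharge no faster than "
          f"{min_safe_recharge_time(slow, 0.5, 2.0, 3.0) * 1e3:.0f} ms")
    spike = inductive_transient(10e-6, 2.0, 1e-6)  # assumed 10 uH, 2 A step in 1 us
    print(f"hot-swap transient: {spike:.0f} V; exceeds 20 V abs max on 12 V rail: "
          f"{exceeds_abs_max(12.0, spike, 20.0)}")
```

With the assumed figures, a 2 ms switchover needs 8 mF whereas 100 µs needs 0.4 mF, a factor of twenty in capacitor volume; recharging the 8 mF in 1 ms would draw 4 A extra, so with a 3 A source limit and a 2 A load the recharge must be stretched to at least 4 ms; and a 2 A step in 1 µs through 10 µH produces a 20 V spike, which is why the article asks for a varistor or equivalent clamp.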
However, even a design that is ideal on paper is useless in everyday use if the circuit fails after only a few years. Components such as rechargeable batteries, supercapacitors and electrolytic capacitors have a limited service life that depends strongly on temperature; the service life of a supercapacitor, for example, halves for every 10 °C increase in temperature. A well-thought-out thermal design helps here: route cool ambient intake air directly over the critical components rather than the warm exhaust air from the processor or other power components.
In addition, electrolytic capacitors in particular should be placed as close as possible to their load, such as a DC/DC converter, for the sake of efficiency. If the DC/DC converter heats up in operation, it is thermally coupled to the capacitor through the PCB, so the capacitor's operating temperature can end up far above ambient.
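The "halves every 10 °C" rule above can be turned into a design check: what life does a placement give, and how hot may the capacitor get if a target life is to be reached? The Python module below is an added worked example, not from the article; the rule of thumb is the article's, while the rated life, intake-air temperature and self-heating rise next to the DC/DC converter are constructed assumptions that must come from the datasheet and from thermal measurements on the real hardware.

```python
"""Service life of a supercapacitor versus operating temperature.

Added worked example, not from the article. The 'halves every 10 C' rule
is the article's; the rated life, ambient temperature and self-heating
rise are constructed assumptions and must come from the datasheet and
thermal measurements on the real hardware.
"""

import math


def expected_life_h(rated_life_h, rated_temp_c, operating_temp_c, halving_step_c=10.0):
    """Life at operating_temp_c: halves for every halving_step_c above the
    rated temperature and doubles for every step below it."""
    return rated_life_h * 2.0 ** ((rated_temp_c - operating_temp_c) / halving_step_c)


def max_operating_temp_c(rated_life_h, rated_temp_c, target_life_h, halving_step_c=10.0):
    """Inverse: hottest capacitor temperature at which target_life_h is
    still reached."""
    return rated_temp_c - halving_step_c * math.log2(target_life_h / rated_life_h)


def capacitor_temp_c(ambient_c, neighbour_rise_c):
    """Capacitor temperature as ambient plus the rise caused by a heat
    source coupled through the PCB (zero when fed with cool intake air)."""
    return ambient_c + neighbour_rise_c


if __name__ == "__main__":
    HOURS_PER_YEAR = 8766
    rated_h, rated_c = 10 * HOURS_PER_YEAR, 25.0   # assumption: rated 10 years at 25 C
    in_airflow = capacitor_temp_c(30.0, 0.0)        # assumption: 30 C intake air, no extra rise
    next_to_dcdc = capacitor_temp_c(30.0, 25.0)     # assumption: +25 C from the converter
    for label, t in (("in intake airflow", in_airflow), ("next to DC/DC", next_to_dcdc)):
        years = expected_life_h(rated_h, rated_c, t) / HOURS_PER_YEAR
        print(f"{label}: {t:.0f} C -> {years:.1f} years")
    limit = max_operating_temp_c(rated_h, rated_c, 8 * HOURS_PER_YEAR)
    print(f"for an 8-year life keep the capacitor below {limit:.1f} C")
```

With these assumptions the same part lasts about 7 years in the intake airflow but only about 1.25 years when it sits 25 °C hotter beside the converter, and an 8-year target allows only about 28 °C at the capacitor, which is a thermal budget worth knowing before the mechanical layout is frozen.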
The design should also be as resilient as possible to use errors. It can happen, for example, that dirty filter mats are not cleaned or are simply removed. Dust and dirt then accumulate on the circuit board and, depending on the environment, may contain conductive particles or become conductive under high humidity. A conformal coating (protective varnish) over the critical areas provides a remedy here.
The principles outlined here are only a selective excerpt from the requirements of IEC 60601-1 and the product-specific particular standards. Depending on the device class and country, further requirements may apply or some may not. In any case, it is worth researching the applicable standards in detail before drawing up the power management concept.
Article from "medizin & technik", 14 February 2024. The text was machine-translated from the original language (DeepL API); translation errors cannot be ruled out.