What challenges medical device designers face, and how EDA helps.
Medical devices are adopting, and increasingly adapting, a variety of semiconductor technologies to provide new functions and capabilities in smaller form factors. In doing so, they are leveraging increasing processing capabilities, lower power, and new types of sensors to propel health care forward.
Many different chip types have been used in medical devices for years, many of them developed at older nodes. They are now being combined with, or supplanted by new chips, many including some level of AI or machine learning.
But developing chips for medical applications is different than for other markets. In addition to a huge variety of devices, developers face a flood of issues involving power and power spikes, security, privacy, and especially reliability. They still require the same EDA tools and many of the same components that are used in other markets, but from inception to inclusion in a device may take years, and by that point the entire market may have shifted.
“Time and risk associated with bringing connected medical devices to market is a significant and growing challenge,” said Peter Ferguson, director of health care technologies at Arm. “Within Arm, we recognize that technology cannot stand alone, but should be integrated into solutions.”
In some ways, the chip industry experiences fewer constraints in medical than in automotive, another safety-critical application. Medical chip designers are not responsible for winning regulatory approval of chips, as the regulators look at the device as whole, not the parts. That burden falls on the medical OEM, which commissioned the device. But no chip designer would ignore their customers’ needs, and some are showing compliance or even helping the OEM get the approvals.
“The majority of Infineon devices used in medical applications are tailored to our customers’ requirements,” said Ralf Leuchter, segment head for customized solutions at Infineon Technologies. “Quality requirements are aligned with the customers to fit their exact requirements to ensure highly reliable devices are chosen for the application. The qualification requirements can go beyond automotive requirements, if needed,”
Medical chips also are not targeted for super-harsh environments that automotive and aerospace chips may face. But the emphasis on reliability is just as important, even though simulation of medical ICs is more a matter of coverage than complexity.
“The devices are not that complex,” said Aveek Sarkar, vice president of engineering for Synopsys’ Custom Design Group. “You’re not talking about a 100-million element device. But what you’re talking about is what kind of coverage do you have, what kind of confidence, even though it may be 500,000 elements. All 500,000 elements really need to work across a wide range of operating conditions and not fail, because if they fail, I have no way to replace that particular device without doing something drastic.”
Medical electronics have a much smaller room for error. “The over-arching concern in all this is that you really cannot make any mistakes in terms of failure, or you have to at least reduce them to an absolute minimum,” said Frank Schirrmeister, senior group director for solutions and ecosystems at Cadence. “The elements of safety, the elements of security, the elements of design for low power are pushed to extreme levels.”
Fig. 01: The U.S. Food and Drug Administration classifies medical devices by risk. The flowchart above shows the steps in the approval process by classification. Source: FDA.
Design challenges in medical — reliability
Designers of in-body medical devices have to deal with the saline environment of the human body. When compared with other harsh environments, the human body can almost seem welcoming.
“Here’s the good news,” said Andrew Kelly, director of applications engineering in the integrated circuit development team at Cirtec Medical, a company that designs medical devices. “For the semiconductor industry — think of automotive, aerospace, and commercials — most of the reliability failure modes of an actual chip are accelerated by voltage and temperature. There’s this idea of meantime before failure. These chips are inside our body, so they are largely at 37°C (98.6°F), plus or minus a few degrees. An automotive chip might have to be 150°C (302°F). And so when you do all the physics equations and all the stuff that says what’s the equivalent lifetime of an implant compared with a device on a car’s engine block, for example, it’s trivial.”
It’s rare to have true semiconductor failure modes come out, said Kelly. “Now, when I say rare, it can’t be zero, because it’s all statistical, but it’s rare. So we don’t have much of a concern on that aging thing where it says, ‘Okay, the device has been in your chest for 20 years,’ because our duty cycles are really low. Most of the devices are hardly doing anything. Most of the time, the voltages are moderate, and the temperature is low and quite well controlled. So it’s not nearly the concern that the other parts of the industry have.”
Simulations for ICs bound for medical devices borrow heavily from work done first for PCs, and then automotive. “Typically 10 years ago, a microprocessor design team would probably be the only people who would worry about electromigration analysis, because a microprocessor will be put in a PC or a server rack and you’re expecting it to run for 10 years, and every day of its life,” said Synopsys’ Sarkar. “So we built all these technologies — the fault model. We created those analyses and this framework for automotive applications to meet some of the functional safety requirements. Now we didn’t necessarily do them for biomedical application, but the biomedical application kind of intersects all these different needs simultaneously. So we are able to leverage these technologies that we have already built for others, and provide them in an integrated framework so that when you’re creating this device for these mission-critical requirements, you can tick mark and validate across all these different requirements in one environment.”
All the analyses that run during simulation stages are important to fit to the medical chip’s requirements. “Because here we’re not simulating a large-scale SOC, we’re not simulating like your DRAM, for example, but a very specialized application, it has to be simulated in a way we can comprehend all these different conditions that this chip will go through,” Sarkar said. “And how do we model these varying operating conditions, varying situations that you can go through? That kind of a coverage analysis, that kind of a reliably analysis, aging analysis, fault analysis, all of those become really important.”
Other challenges include power, thermal effects, electromagnetic effects, security, and safety.
Power concerns
Changing the batteries on an implanted device such as pacemakers requires surgery. The medical device therefore has to be a frugal power user and have batteries that can last 15 years. “In medical, power is important,” said Dana McCarty, vice president of sales and marketing at Flex Logix.
Implanted devices are often ultra-low power. “You have to have low power, because in most cases the devices are either operating on very small batteries or energy harvesting, or some other source,” said Synopsys’ Sarkar.
The complexity comes in the power tradeoffs. “In terms of basic needs, we continue to see demand for performance increases to satisfy better/more features in edge appliances, to make devices and packaging smaller, lower power dissipation, more AI capabilities at the same time, and consistent support for safety and security features,” said Subh Bhattacharya, Healthcare & Sciences lead at Xilinx. “There is always a tough set of ask in terms of performance/power or cost/performance that is challenging, but we are staying ahead of the game.”
Thermal, electromagnetic effects
Heat is a big problem in devices next to or inside the body. Even momentary spikes can cause problems, and long-term it can cause premature aging in chips.
“There’s a lot of importance put on our system tools, so looking at things like the thermal effects and how do I impact the thermal effects within the package are important,” said Cadence’s Schirrmeister. “There’s a lot of discussion on the electromagnetic effects because you have to be especially careful if you have a pacemaker, like how does that actually behave when you are within a field from the outside. So there’s a lot of simulation going on in that domain.
Security and privacy
Regulations exist for privacy of medical data, such as the U.S.’s Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, and Europe’s GDPR (General Data Protection Regulation). Japan has the Act on Protection of Personal Information (APPI), which is still to be solidified.
Connection to the internet is both a blessing and curse. “Most new medical devices come with wireless interfaces that enable the device to connect to mobile phones or directly to the internet,” said Arm’s Ferguson. “This connectivity aids security by offering easy and secure update mechanisms, and the possibility of monitoring devices in the field for correct operation. However, as with any device, adding connectivity also opens up an opportunity for remote attacks on-device. Hardware and software exist to protect the device and cloud components, but the challenge medical device manufacturers face is making sure that the systems connect flawlessly end-to-end. Security should not be an afterthought and should be designed as part of the device from the ground-up, as well as maintained and monitored throughout the life of a device.”
This is the basic idea behind the Platform Security Architecture (PSA) framework. Arm played a critical role in the development of PSA Certified, an architecture-agnostic framework intended to simplify IoT security and align the ecosystem under a common security framework. The certification uses lab tests to ensure a system or chip has the installed security it purports to have.
Synopsys participated in the forming of FDA’s “Medical Device Safety Action Plan,” published in April 2018 with updated cybersecurity guidance. ANSI UL 2900-1, released from the same year, has pre-market standards for device cybersecurity, and UL has a certification, the Cybersecurity Assurance (CAP) Certification, based on the standard.
Safety
Sometimes security, privacy, safety, and reliability all mesh together in safety-critical devices, such as automotive and medical. In the medical industry, regulations are mostly made to protect patient safety. The United States Food & Drug Administration (FDA) requires pre-marketing approval on devices, depending on their relation — or not — to existing devices on the market. Devices are classified into Class I, II, III classifications. Class I and II are generally less dangerous devices to use than a Class III device. Also, if a device is related to an already-approved device, the regulatory approvals are much easier. Once approved, the device is deemed safe enough to sell to the U.S. market.
For the FDA, a device is anything “from simple tongue depressors and hospital gowns to complex programmable pacemakers and robotic surgical systems,” according to an FDA web page.
The safety standards carry over into EDA tools, as well. “Some of the IP needs to conform to certain standards, as does the development methodology,” said Cadence’s Schirrmeister. “Just like in the domain of functional safety for automotive, you have similar standards in the health domain that need to be observed. So you need to make sure your tools cannot introduce any bugs and that you look into the safety aspects properly, which include things like verification tools — simulation, emulation, prototyping, all of which are used to run verification of those devices.”
With disposable devices a new safety issue crops up — counterfeiting. Some medical devices are used for a period of time and then disposed of, which means the device could be re-purposed, the data stolen, or the system cloned. “The space that we looked at most fully was the opportunity for our anti-counterfeiting line of products, and its applicability towards medical IoT devices,” said Scott Best, director of anti-tamper technologies at Rambus. “The critical aspect to medical devices is patient safety. What you’re trying to prevent is when a medical device has been end-of-lifed, that it is permanently end of life and it cannot just be easily reprogrammed to come back to life, refurbished, re-sold, and then dangerously re-used on another patient.”
Customers were also concerned about revenue protection and brand protection, he said.
Does hardware design affect regulatory approvals?
Although the medical device industry is regulated in the U.S., medical device OEMs carry the regulatory burden of approvals. Regulatory agencies look at the device as a whole, which puts the OEM in the hotseat to manage regulatory issues. Although the semiconductor suppliers are not seeking approvals on actual chips, it makes good business sense to anticipate and ease the burdens of OEMs.
“As ASIC devices are tailored to customers’ specifications, there are normally no surprises during the certification,” said Infineon’s Leuchter. “Hardware (ICs) can have a huge impact on passing regulatory, but when they are designed together with the entire system, this risk is nearly eliminated.”
Fig. 02: Mobile medical applications (MMAs) intersect medical devices, software, and mobile apps. The regulatory scrutiny of the MMA depends on its function — whether it affects patent care and how risky it is to use. The FDA updated its guidance document on MMAs in 2019. Source: FDA (‘Is My Product a Medical Device?’ presentation, by CDR Kimberly Piermatteo, MHA, Consumer Safety Officer, Division of Industry and Consumer Education, Office of Communication and Education, Center for Devices and Radiological Health, U.S. Food and Drug Administration.)
In some ways, medical customers are much less demanding. “They’re not worried about the certifications. They just want the processing power,” said Flex Logix’ McCarty. “In automotive, the certification and the timelines are very different. The automotive companies are saying, ‘You have to have this certification.’ In medical it’s more about, ‘How fast can you run?’ They’re more worried about performance and how fast can they deploy and what our environment looks like — more product-based discussions earlier in our engagement.”
Others report similar experiences. “Since the medical equipment and the health care industry have more rudimentary regulatory processes, there are no certification requirements directly for any semiconductor suppliers,” said Xilinx’ Bhattacharya. “The only certification that is required by the FDA is on the end medical equipment, so the onus on selection of hardware and software and suppliers is on the medical OEM.”
But there are still plenty of rules. “There are specific IEC guidelines they need to follow like IEC60601 for electrical design, or IEC62304 for software life cycle processes,” Bhattacharya said. “And then as they go through the validation/verification, as well as risk management, there are some ISO certifications required in, for example, the manufacturing plant. Typically, most common medical equipment goes through a standard 510(k) process submission and approval at the FDA, and as long as these types of equipment have been marketed in the industry for a while it’s not hard to get the certification, just the normal timeline. Sometimes recall, etc. can cause a classification change, and that creates lots of problems in the regulatory process. A totally new concept with no predicate may create a PMA (premarket approval) or De-Novo process. Class III equipment always has to follow a long PMA process, though typically we are not involved.”
The importance of EDA tools for medical
Designing chips that go into medical devices still relies on many of the same tools as other chips. There are existing IP blocks and sub-systems, and there is complex packaging that can vary greatly depending upon the end application.
“We are seeing growing innovation in the medical space and a broad range of Arm-based healthcare devices and applications that utilize low power, embedded ML, and endpoint intelligence to provide improved insights and outcomes,” said Arm’s Ferguson.
As with other safety-critical markets, simulation is both imperative and more thorough than for many other types of chips. “This is where we start to see a lot of innovation from our customers in which, when they put these things together, we work with them to understand how do they simulate this,” said Synopsys’ Sarkar. “You can manufacture this device and then you can validate it, but it’s just way too expensive a proposition where if something is wrong, you have to go remask and remanufacture. You have to simulate it. You have to create the layout, you have to create the model extraction and all of that and use a SPICE simulation. This is where we get a lot of feedback and input from our customers about, ‘How do we simulate it?’”
The best tools are the best bet, said Cirtec Medical’s Kelly, who was part of Cactus Semiconductor, a medical IC company that was acquired by Cirtec Medical in 2019. “When we started as Cactus Semiconductor 15-ish years ago, we were pretty small and didn’t have many resources. So we used some of the PC-based design tools, and they’re much, much less expensive and completely manageable and quite good, but the difference between quite good and excellent cost us dearly. There were a handful of projects where we kind of felt like we did everything right, and the tools — the conglomeration of various tools from different places that were let’s call them ‘budget tools’ — had gaps. All it takes is one error, and boy, it’s costly, because you spend engineering hours trying to figure out what went wrong.”
Conclusion
While medical device standards may not be labeled as such, there are plenty of standards already used in and plugged into analysis models.
“In the grand scheme, these devices — a lot of it is essentially similar to IoT, but it gets amplified because you have the direct connection to the human being, so potential to negatively impact life needs to be avoided by as many means as you have,” said Schirrmeister.
The tools will continue to get better, but improvements may not always be specific to medical industry.
Medical chips fit into the existing semiconductor environment. “We largely over-test medical chips and we largely over-design out of practicality,” said Kelly. “If we could develop an entire semiconductor industry infrastructure that was geared toward the type of chips we did, all this stuff would be much better. But you’re not selling enough chips to justify it, so we have to piggyback on the rest of the industry.”
Related
Rising Fortunes For ICs In Health Care
Despite an initially slow adoption curve, designs are picking up for chips used in a wide variety of devices.
Leave a Reply