Basic safety and essential performance are the two organising concepts of EN 60601-1:2006+A1+A12+A2+A13:2024. Basic safety is freedom from unacceptable risk caused directly by physical hazards when the device is used under normal and single-fault conditions. Essential performance is the performance of a clinical function, other than that related to basic safety, where loss or degradation beyond specified limits would result in unacceptable risk. Both concepts are defined against a live ISO 14971 risk management file, and both map to specific provisions in MDR Annex I — Sections 14, 17, and 18. The MDR states the safety outcome. The standard provides the vocabulary and the method. Founders who do not define essential performance in writing before the test lab visit cannot pass the test campaign, because the lab has no acceptance criteria to check against.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • Basic safety is freedom from unacceptable risk caused directly by physical hazards — electric shock, burns, mechanical injury, excess radiation — when the device is used under normal and single-fault conditions.
  • Essential performance is the performance of a clinical function, other than that related to basic safety, whose loss or degradation beyond specified limits would result in unacceptable risk to the patient, operator, or other persons.
  • Both concepts are risk-based. They only exist inside a live ISO 14971 risk management file. Without one, the two terms have nothing to measure against.
  • EN 60601-1:2006+A1+A12+A2+A13:2024 uses basic safety and essential performance as the pass/fail yardstick for every test in its scope, and for every collateral and particular standard built on top of it.
  • Basic safety and essential performance map to MDR Annex I Sections 14, 17, and 18. The standard is the tool that proves the obligation; the Regulation is the obligation itself.

Why these two concepts are the organising spine of the entire 60601 family

Open EN 60601-1:2006+A1+A12+A2+A13:2024 at any clause that describes a test, and you will find the same two phrases in the pass/fail language: basic safety, essential performance. The concepts are not ornamental. They are the pair of ideas that tie every electrical, mechanical, thermal, and radiation test back to a single question: did the device stay safe, and did it keep doing what it is clinically meant to do?

Without these two concepts, the standard would be a catalogue of measurements with no interpretation. A leakage current of 85 microamps is not inherently pass or fail — it is pass or fail only against a limit whose job is to keep a patient-contact part from delivering unacceptable risk. A firmware reset during radiated RF exposure is not inherently a failure — it is a failure only if it crosses the essential performance line the manufacturer has defined. The two concepts turn raw measurements into compliance decisions.

The consequence for a startup is simple and often painful. If you show up at a test lab without a written definition of essential performance for your device, the lab cannot tell you whether you passed or failed immunity testing. They can run the tests. They can record the results. They cannot conclude anything, because they do not know what "still working" means for your device. We have watched test campaigns stop in the first hour for exactly this reason.

What basic safety means

Basic safety is defined in EN 60601-1:2006+A1+A12+A2+A13:2024 as freedom from unacceptable risk directly caused by physical hazards when the device is used under normal condition and single-fault condition.

Three parts of that sentence carry weight.

"Directly caused by physical hazards" points at the hazard families the standard covers — electric shock, excessive leakage, dielectric breakdown, mechanical injury from moving parts or falling equipment, burns from hot surfaces, fire, non-ionising radiation overexposure, and the other concrete physical effects a device can produce on a human body. These are hazards that the device itself, as an object, can inflict on a patient or operator.

"Unacceptable risk" is the risk-management hook. The word "unacceptable" only has meaning inside a risk management file that defines acceptance criteria. EN ISO 14971:2019+A11:2021 is the standard that supplies those criteria, and EN 60601-1 is built on top of it. A hazard with a probability of 10 to the minus 6 and a severity of "minor inconvenience" may be acceptable. The same probability paired with a severity of "death" is not. Basic safety asks whether the residual risk from physical hazards stays on the acceptable side of those lines.

"Normal condition and single-fault condition" is the test architecture. The standard requires the device to be safe in two states. Normal condition means the device, its power supply, its environment, and its use are all as intended — nothing is broken, nothing is abused. Single-fault condition means one thing has gone wrong — one insulation barrier has failed, one protective earth has opened, one cable has become disconnected, one component has shorted. The device has to remain basically safe in either state. Two faults at once are not part of basic safety; the rationale is that a single fault is reasonably foreseeable, while two unrelated simultaneous faults are rare enough to handle through other risk controls.

In practice, basic safety is what most founders mean when they say "electrical safety." Leakage, insulation, earth integrity, touch temperature, enclosure strength, applied-part classification, mechanical stability — all of these live in the basic safety half of the standard. The hub post on MDR electrical safety walks through the hazard families in more detail.

What essential performance means

Essential performance is defined as the performance of a clinical function, other than that related to basic safety, where loss or degradation beyond limits specified by the manufacturer would result in an unacceptable risk.

Three parts again matter.

"Clinical function" anchors the concept in what the device does for the patient, not in what the device does as an object. A patient monitor's clinical function is to display accurate vital signs. An infusion pump's clinical function is to deliver a specified volume over a specified time. A defibrillator's clinical function is to deliver a shock of the specified energy when triggered. Each of these is a clinical outcome the device is meant to produce. Essential performance is about the integrity of that outcome.

"Other than that related to basic safety" draws the line between the two concepts. If the device electrocutes the patient, that is a basic safety failure, not an essential performance failure. Essential performance deals with the clinical output of the device — accuracy, timing, dosing, signal integrity, alarm behaviour — not the physical hazards the device itself produces. In some devices the line is sharp. In others it blurs, and the manufacturer must draw it deliberately in the risk file.

"Limits specified by the manufacturer" is where the manufacturer's homework shows up. Essential performance is not a list the standard gives you. It is a list you have to write, specific to your device, and specific enough that a test lab can verify it. For a patient monitor, essential performance might read: "The displayed heart rate shall remain within plus or minus 5 beats per minute of the true rate for signal-to-noise ratios above X, the alarm shall sound within Y seconds of the threshold being crossed, and the display shall not freeze for longer than Z seconds." For an infusion pump, it might read: "The delivered volume shall stay within the accuracy specified in the IFU under all single-fault conditions." The numbers and the phrasing are yours. The defence of those numbers comes from the risk management file.

Essential performance is not optional. Every device in the scope of EN 60601-1:2006+A1+A12+A2+A13:2024 must have essential performance defined — or, if after analysis the manufacturer concludes the device has no essential performance, that conclusion must be documented with justification. "No essential performance" is a legitimate outcome for some devices, but it is a conclusion that requires a written argument. Silent absence is not acceptable.

How to define basic safety and essential performance for a specific device

The definition work runs in four steps, and it runs inside the ISO 14971 risk management file, not alongside it.

Step 1 — Identify the hazards. Start from the intended use, the intended environment, and the foreseeable misuse. Work through the hazards the device can cause — electrical, mechanical, thermal, radiation, from the device to the patient or operator. This list feeds basic safety.

Step 2 — Identify the clinical functions. List what the device does for the patient. For each clinical function, ask: if this function were lost or degraded, would that produce harm? If yes, that function is a candidate for essential performance. If no, it is not.

Step 3 — Set the limits. For each candidate essential performance function, define the threshold beyond which loss or degradation becomes unacceptable. This is where risk management and clinical judgment meet. The threshold has to be defensible: specific, measurable, tied to patient harm, and justified against the risk acceptance criteria.

Step 4 — Write the acceptance criteria for testing. Turn the basic safety hazards and the essential performance limits into pass/fail criteria a test lab can apply. For basic safety, the criteria are typically the numerical limits in EN 60601-1:2006+A1+A12+A2+A13:2024 clauses (leakage currents, dielectric strengths, touch temperatures). For essential performance, the criteria are the ones the manufacturer wrote in Step 3. Together, they form the test plan that the lab will execute.

These four steps produce the artefacts the Notified Body and the test lab both need. Skip any of them and the campaign stalls.

How IEC 60601-1 tests basic safety and essential performance

The test structure in EN 60601-1:2006+A1+A12+A2+A13:2024 is organised by hazard, and each test has the same shape: subject the device to a defined condition, observe what happens, compare against the acceptance criteria.

For basic safety, the criteria are mostly numerical and mostly specified by the standard. Leakage current limits for different applied-part types (B, BF, CF), dielectric strength test voltages based on the Means of Protection required, temperature limits for patient-contact and operator-contact surfaces, creepage and clearance distances based on working voltage and pollution degree. The lab measures; the standard specifies the limit; pass or fail is numerical.

For essential performance, the criteria come from the manufacturer's definition. The lab subjects the device to the condition — for example, an immunity exposure under EN 60601-1-2:2015+A1:2021, a single-fault condition under EN 60601-1:2006+A1+A12+A2+A13:2024, a mechanical shock or drop — and then observes whether the clinical function stays inside the manufacturer-defined limits. If the display freezes for longer than the specified time, fail. If the alarm fails to trigger when the threshold is crossed, fail. If the dosing accuracy degrades beyond the specified tolerance, fail.

Both halves of the test use the same "normal and single-fault condition" architecture. The device must keep basic safety and essential performance in normal condition. It must also keep basic safety — and, where applicable, essential performance — under each single-fault condition that the standard or the risk file identifies.

The test report is the output. It records the measured values, the observed behaviour, and the pass/fail decision against each criterion. The report then feeds the technical file as evidence against the MDR Annex I provisions that the test addresses.

How basic safety and essential performance map to MDR Annex I

The mapping is where the standard earns its role under MDR Article 8 and the principle of presumption of conformity. EN 60601-1:2006+A1+A12+A2+A13:2024, when applied correctly, provides presumption of conformity with specific provisions in MDR Annex I — the general safety and performance requirements for medical devices.

Three Annex I sections carry most of the weight.

Annex I Section 14 — Construction of devices and interaction with their environment. Section 14 requires that devices be designed and manufactured so they can be used safely under normal conditions and in single-fault conditions, and so they remove or reduce as far as possible the risks linked to the use of energy sources and the environment. Basic safety is the standard's answer to Section 14's physical-hazard requirements — electrical, mechanical, thermal, radiation. The test evidence produced under the basic safety clauses of the standard maps directly against Section 14 obligations.

Annex I Section 17 — Electronic programmable systems. Section 17 requires that devices incorporating electronic programmable systems be designed to ensure repeatability, reliability, and performance in line with their intended use. Essential performance is the standard's answer to Section 17's reliability requirement. A programmable device that resets in the presence of a foreseeable electromagnetic disturbance, or that produces incorrect clinical output under a single-fault condition, is not reliable in line with its intended use. Essential performance defined in writing, and verified under the standard's test conditions, is the evidence that Section 17.1 is met.

Annex I Section 18 — Active devices and devices connected to them. Section 18 covers the specific risks of active devices, including mains isolation, protection against unauthorised access, alarms, and energy delivery. Both basic safety (for the hazards) and essential performance (for the delivered energy or substance) contribute evidence against Section 18 obligations.

The technical file must show this mapping explicitly. For each basic safety test and each essential performance test in the report, the file states which MDR Annex I provision the test addresses. The Notified Body reviewer uses this mapping to confirm that the harmonised standard evidence actually covers the GSPRs it claims to cover. Missing the mapping is one of the most common Notified Body findings for startups that treated 60601 as a standalone compliance target.

Common misunderstandings

A short list of the confusions we see most often.

  • Confusing essential performance with product specifications. The product specification sheet has every parameter the device can measure or control. Essential performance is the subset of those parameters whose loss or degradation would cause unacceptable harm. The two are different lists, and the essential performance list is usually shorter.
  • Assuming the standard defines essential performance for you. It does not. The standard defines the concept and the test architecture. The specific essential performance content for your device is your job to write, and no template substitutes for the risk analysis behind it.
  • Treating "no essential performance" as the default. For some devices, after proper analysis, there is genuinely no essential performance. But this has to be concluded, not assumed. A documented argument is required.
  • Thinking basic safety and essential performance are the same thing. They are deliberately separated. Basic safety concerns the physical hazards the device inflicts. Essential performance concerns the clinical output the device produces. Mixing them produces acceptance criteria that are too vague to apply.
  • Writing essential performance in marketing language. "The device shall be accurate and reliable" is not a verifiable acceptance criterion. "The delivered volume shall remain within plus or minus 5 percent under single-fault conditions" is. A test lab cannot verify the first; it can verify the second.
  • Leaving the definitions until the test lab week. By the time the device is at the lab, the definitions should have been stable for months, because they drive the design. Late definitions produce late redesigns.

The Subtract to Ship angle on basic safety and essential performance

The Subtract to Ship move here is not to cut corners on safety. It is to be precise about what the device actually has to keep intact, and then to design against that precise target instead of against a vague "make everything safe and reliable" instinct.

Precision in the essential performance definition is subtraction. The tighter and more specific the list, the less speculative testing the device needs. A device with three clear essential performance functions and numerical limits for each is cheaper to test, cheaper to defend, and cheaper to iterate on than a device whose essential performance is undefined and whose test plan therefore has to cover everything.

Precision in the basic safety scoping is also subtraction. If the device has no battery, no radiated emitter, no high-temperature surface, and no moving parts, the basic safety hazards are narrower and the test plan can be scoped narrower. Every hazard the device genuinely does not present is a hazard you can argue out of scope in the risk file and remove from the test plan — with documented justification. The goal is not to test less than the Regulation requires. The goal is to test exactly what the device actually needs to prove, no more and no less.

The obligation remains the MDR. Annex I Sections 14, 17, and 18 define the outcome. Basic safety and essential performance under EN 60601-1:2006+A1+A12+A2+A13:2024 are the tools that let you prove the outcome efficiently. Keep the direction clear between the two, and the work becomes tractable.

Reality Check — Where do you stand?

  1. Do you have a written definition of essential performance for your device, specific enough that a test lab could verify it without asking questions?
  2. If your conclusion is that the device has no essential performance, have you written down the analysis and the justification for that conclusion?
  3. Is your risk management file under EN ISO 14971:2019+A11:2021 open and live, and does it feed the basic safety and essential performance definitions?
  4. Have you identified the normal conditions and the single-fault conditions that the device must survive, both for basic safety and for essential performance?
  5. For each essential performance limit you have written, can you defend it against the risk acceptance criteria in your risk file?
  6. Have you mapped each planned basic safety test and each planned essential performance test back to a specific section of MDR Annex I — 14, 17, or 18?
  7. When does your team first walk the design against basic safety and essential performance — before schematic freeze, or at the test lab?

Frequently Asked Questions

What is the difference between basic safety and essential performance? Basic safety is freedom from unacceptable risk directly caused by physical hazards the device produces — electric shock, burns, mechanical injury, excess radiation — under normal and single-fault conditions. Essential performance is the performance of a clinical function, other than basic safety, whose loss or degradation beyond specified limits would result in unacceptable risk. Basic safety concerns what the device does to the body as an object. Essential performance concerns whether the device still delivers its clinical function correctly.

Can a medical electrical device have no essential performance? Yes, in principle. After analysis, some devices reach the conclusion that no clinical function exists whose loss or degradation would cause unacceptable harm beyond what basic safety already covers. This conclusion has to be documented with justification in the risk management file. Silent absence of essential performance is not acceptable. A written "no essential performance identified, because..." is.

Who defines essential performance — the standard or the manufacturer? The manufacturer. EN 60601-1:2006+A1+A12+A2+A13:2024 defines the concept, the method, and the role essential performance plays in the test architecture, but the specific clinical functions, limits, and acceptance criteria are the manufacturer's responsibility to write, defend against the risk management file, and include in the technical file.

How does essential performance relate to the immunity tests in EN 60601-1-2? EN 60601-1-2:2015+A1:2021 uses the manufacturer-defined essential performance as the pass/fail yardstick for immunity testing. When the device is exposed to a radiated RF field or a conducted disturbance, the question the test asks is whether basic safety and essential performance remain within the specified limits. Without a written essential performance definition, immunity testing cannot produce a valid pass/fail decision.

Does basic safety cover cybersecurity? Not directly. Basic safety covers physical hazards — electric shock, burns, mechanical injury, radiation. Cybersecurity risks are addressed in MDR Annex I Section 17.2 and Section 17.4, and in the cybersecurity-specific standard EN IEC 81001-5-1:2022 and MDCG 2019-16 guidance. A cybersecurity failure can of course produce a safety failure downstream, and the risk management file is where that connection is made. But the basic safety clauses of EN 60601-1:2006+A1+A12+A2+A13:2024 are not the cybersecurity layer.

What happens if I change essential performance after the test report is issued? A change to the essential performance definition typically invalidates the parts of the test report that depended on the old definition. The change has to run through the QMS change control process, risk management has to be updated, and the affected tests have to be re-run against the new acceptance criteria. This is another reason to set essential performance early and stabilise it before tape-out.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Annex I Chapter II, Section 14 (construction of devices and interaction with their environment), Section 17 (electronic programmable systems), Section 18 (active devices and devices connected to them). Official Journal L 117, 5.5.2017.
  2. EN 60601-1:2006+A1+A12+A2+A13:2024 — Medical electrical equipment — Part 1: General requirements for basic safety and essential performance.
  3. EN ISO 14971:2019+A11:2021 — Medical devices — Application of risk management to medical devices.

This post is part of the Electrical Safety & Systems Engineering Under MDR series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. The MDR is the North Star. Basic safety and essential performance under EN 60601-1:2006+A1+A12+A2+A13:2024 are the two concepts that turn raw measurements into compliance decisions — useful, powerful, and only ever in service of the Regulation itself.