Case study
Defibrillator Capacitor Delivered Energy Shortfall Case Study
Biomedical engineering case study on defibrillator delivered-energy verification, capacitor aging, waveform integration, load impedance, uncertainty, risk controls, and release evidence.
A defibrillator can charge its high-voltage capacitor to the expected voltage and still deliver too little energy to the test load. Stored energy, delivered energy, waveform shape, load impedance, relay loss, cable loss, capacitance aging, and measurement uncertainty are not interchangeable. A release decision must be based on the energy actually delivered at the defined test boundary.
This case study follows a bench verification finding for a defibrillator energy-delivery subsystem. The example is simplified for engineering education. It is not clinical advice, a treatment recommendation, a regulatory test method, or a substitute for qualified medical-device review. The purpose is to show how biomedical and electronics engineers connect capacitor physics, waveform integration, risk controls, service evidence, and release criteria.
The central question is:
Does the device deliver the selected energy within the project-specific acceptance band when tested under the intended load conditions?
The answer cannot be taken from the displayed charge voltage alone.
Case Context
The device under review uses a high-voltage capacitor bank, switching network, output relay, patient-interface cable, and waveform-control firmware. During periodic verification, one unit passes its charge-voltage self-test but fails a bench delivered-energy test at the selected setting.
The internal verification criterion in this simplified case is:
| Item | Value |
|---|---|
| Selected energy setting | 150\ \text{J} |
| Internal delivered-energy acceptance band | 150\ \text{J}\pm15\% |
| Lower acceptance limit | 127.5\ \text{J} |
| Upper acceptance limit | 172.5\ \text{J} |
| Nominal capacitor value | 140\ \mu\text{F} |
| Measured aged capacitor value | 120\ \mu\text{F} |
| Charge voltage reported by high-voltage monitor | 1450\ \text{V} |
| Bench load used for this verification point | 50\ \Omega |
| Estimated delivery efficiency before correction | 90\% |
| Waveform integration standard uncertainty | 4\% |
| Capacitance measurement standard uncertainty | 3\% |
| High-voltage measurement standard uncertainty | 1\% |
The acceptance band is a project-specific example. A real device program must use the applicable intended use, waveform family, test loads, accessories, standards, regulatory requirements, risk management file, service procedure, calibration system, and release authority.
Stored Energy Estimate
The energy stored in an ideal capacitor is:
where:
- E_C is stored capacitor energy;
- C is capacitance;
- V is capacitor voltage.
If the nominal capacitor value is used, the stored energy appears close to the selected setting:
That number looks acceptable against a 150\ \text{J} setting, but it is not the delivered-energy result. It assumes nominal capacitance and does not account for switch loss, cable loss, waveform truncation, load interaction, or measurement uncertainty.
The service measurement finds that the capacitor has aged to:
The stored energy at the same voltage is therefore:
This is already below the lower delivered-energy limit before delivery losses are considered.
Engineering Comment
The failure is easy to miss if the self-test only checks charge voltage. For a capacitive energy source, a 14.3\% reduction in capacitance produces the same percentage reduction in stored energy at a fixed voltage. Voltage alone is not enough evidence for energy delivery.
Delivered Energy to the Load
Delivered energy must be measured at a defined electrical boundary. For a resistive test load:
and because:
the delivered energy can be computed from the measured voltage waveform:
For the failed unit, the captured waveform across the 50\ \Omega load gives:
Therefore:
The same conclusion follows from a first-pass delivery-efficiency estimate:
The measured delivered energy is below the lower acceptance limit:
Engineering Comment
Stored energy is a useful diagnostic, but the release decision should use waveform-integrated delivered energy at the required test boundary. If the load, cable, relay, waveform duration, sampling rate, or integration window is wrong, the energy result can be misleading even when the arithmetic is correct.
Measurement Uncertainty and Guard Band
The relative standard uncertainty combines capacitance, high-voltage, and waveform-integration contributions. Since stored energy depends on V^2, the voltage contribution is doubled:
The standard uncertainty on the failed delivered-energy result is:
Even the upper one-standard-uncertainty screening value remains below the lower limit:
An expanded-uncertainty interval is useful for reporting, but it does not convert a failed measured value into a pass. Under the internal guarded release rule used here, the device cannot be released unless the measured delivered energy and the uncertainty allowance support the acceptance decision.
Failure Mode Reconstruction
The engineering review identifies four interacting contributors:
| Contributor | Evidence | Engineering interpretation |
|---|---|---|
| Aged capacitor | Measured 120\ \mu\text{F} instead of 140\ \mu\text{F} | Lower capacitance reduces stored energy at the same charge voltage. |
| Voltage-only self-test | Charge monitor reaches 1450\ \text{V} | The self-test proves voltage, not capacitance or delivered energy. |
| Delivery path loss | Waveform integration matches about 90\% delivery efficiency | Relay resistance, cable loss, switching loss, and waveform truncation must be included. |
| Weak service screen | No periodic capacitance or delivered-energy check in the field procedure | Degradation can remain hidden until a bench verification is performed. |
The root cause is not one bad display value. It is an evidence gap: the device accepted a voltage condition as if it were equivalent to delivered therapeutic energy.
Corrective Action
The corrective action package includes:
- replace the high-voltage capacitor assembly on affected units;
- add capacitance and equivalent-series-resistance checks to service verification;
- require delivered-energy waveform integration at representative 25\ \Omega, 50\ \Omega, and 100\ \Omega loads;
- calibrate the high-voltage divider and waveform acquisition channel as part of the energy test chain;
- update firmware diagnostics so the self-test estimates available energy from measured voltage and capacitor-health evidence, not voltage alone;
- add a lockout or service flag when delivered-energy evidence is outside the acceptance band;
- update risk controls, service records, and field-feedback review criteria.
The engineering principle is direct: the control must measure or infer the safety-critical output, not only a convenient internal proxy.
Post-Correction Verification
After capacitor replacement, the measured capacitance and voltage are:
Stored energy becomes:
With a measured delivery efficiency of 96\%:
This is inside the acceptance band:
The corrected waveform integration gives consistent evidence:
Validation Matrix
The release review checks more than one nominal waveform.
| Verification item | Before correction | After correction | Acceptance interpretation |
|---|---|---|---|
| 50\ \Omega delivered energy at 150\ \text{J} setting | 113.6\ \text{J} | 144.4\ \text{J} | Corrected unit passes the main verification point. |
| 25\ \Omega delivered energy | not tested in service procedure | 143\ \text{J} | Low-impedance boundary is covered by added test. |
| 100\ \Omega delivered energy | not tested in service procedure | 141\ \text{J} | High-impedance boundary is covered by added test. |
| Charge-voltage monitor error | within local calibration limit | within local calibration limit | Voltage monitor remains necessary but insufficient. |
| Capacitor health screen | absent | capacitance and ESR recorded | Hidden energy-source degradation is now detectable. |
| Service release decision | blocked | released for the tested configuration | Release is tied to objective delivered-energy evidence. |
Engineering Comment
The 25\ \Omega and 100\ \Omega points do not represent every possible patient condition. They show that the corrected subsystem was tested across defined load boundaries instead of only at the easiest nominal condition. The actual verification envelope must match the device design, waveform family, accessories, and intended-use claims.
Risk Review
A simplified RPN screen is used to prioritize the corrective action. The hazardous situation is a device that appears ready but delivers materially less energy than the selected setting during the verified output condition.
Before the corrective action:
where severity is high, occurrence is credible because capacitor degradation is plausible, and detection is weak because the self-test checks voltage rather than delivered energy.
After the corrective action:
Severity remains high because the consequence of under-delivery has not changed. Occurrence and detection improve because capacitor health and delivered-energy evidence are now part of the controlled release process.
Engineering Comment
The RPN reduction is not the safety argument by itself. The safety argument is the combination of design correction, test-chain calibration, waveform-integrated delivered-energy evidence, service lockout behavior, updated maintenance controls, and traceability back to the risk file.
Lessons for Engineering Review
This case illustrates several transferable lessons:
- A proxy variable is not enough when the safety-critical claim is about output energy.
- Capacitor aging can reduce energy even when charge voltage appears normal.
- Delivered-energy testing must define load, waveform, integration window, sampling method, calibration chain, and acceptance band.
- Measurement uncertainty should influence release decisions, not be added after the decision is already made.
- Field service procedures need evidence that can detect the degradation mode being controlled.
- Biomedical engineering decisions often sit across electronics, firmware, calibration, usability, maintenance, and risk management.
The corrected design is stronger because it makes the relevant output observable. It does not rely on an internal voltage passing as a substitute for delivered energy.
Review Checklist
When reviewing a therapeutic energy-delivery subsystem, ask:
- Which energy boundary matters: capacitor, internal bus, output connector, cable end, test load, or delivered waveform?
- Is the acceptance criterion tied to the selected setting, load range, waveform family, accessories, and intended use?
- Does the self-test detect capacitance loss, leakage, relay degradation, cable loss, output-stage faults, and waveform truncation?
- Are voltage, current, load resistance, integration window, sampling rate, and calibration traceable?
- Does the service procedure block release when delivered-energy evidence is missing or out of tolerance?
- Are uncertainty, drift, aging, firmware version, and accessory configuration visible in the verification record?
Good medical-device verification does not ask whether a subsystem can charge. It asks whether the device can deliver the controlled output it claims, with evidence strong enough to support the release decision.