When the Backup Was the Operator: The Draeger Atlan A350 Anesthesia Workstation Correction

A mechanical ventilator on an anesthetized patient has exactly one job, and an anesthesia workstation has exactly one job: do not drop the airway. So when the manufacturer's stated workaround for a piston-drive defect is "use the device under permanent supervision until we can come replace the motor," the interesting question is never "what was wrong with the motor." It's who decided that permanent human supervision was an acceptable residual-risk control, and against which clause of which standard they checked.

The Draeger Atlan story is being reported as a manufacturing defect that nobody got hurt by — yet. The defect is real. So is the "yet." But the engineering lesson is not the impurity in the motor. It is that a Class IIb life-supporting device was placed in a posture where the only remaining barrier between a deep-sag motor and a hypoxic patient is the anesthesia provider physically standing next to the bag-valve, and that posture is being held for as long as it takes a service technician to drive to every hospital and swap a ventilator motor assembly.

This is a medical device story, so the automotive vocabulary stays in its box. The lenses that matter are ISO 80601-2-13 (the particular standard for anesthesia workstations), the umbrella IEC 60601-1 with its alarm collateral IEC 60601-1-8, ISO 14971 for risk management, and the U.S. quality-system rule at 21 CFR 820 — because the root cause is a production-process control failure, not a software defect.


1. The public record

On May 18, 2026, the U.S. Food and Drug Administration published an Early Alert identifying an expansion of Draeger Inc.'s October 15, 2024 Urgent Medical Device Correction on the Atlan A350 and Atlan A350 XL anesthesia workstations. The Early Alert is the FDA's accelerated-notice mechanism for situations where the agency expects the resulting recall to be classified as high risk; the expansion adds new units that share the same defect population from the original correction (FDA, Early Alert: Anesthesia Machine Issue from Draeger, Inc., May 18, 2026).

The originating event is described by Draeger and by FDA in matter-of-fact terms. A manufacturing process used to assemble the ventilator drive introduced impurities for a defined time window. Units built during that window can suffer piston-ventilator motor failure. The failure presents in one of two ways. If the impurity-induced defect manifests before a case — in standby or during the workstation's power-on system test — the workstation cannot start mechanical ventilation. If it manifests during a case, the ventilator stops and the unit displays the operator-facing message "Ventilator error!!!" (FDA, Anesthesia Machine Correction: Draeger, Inc., Issues Correction for Atlan A350 and A350 XL, October 15, 2024).

The patient-harm enumeration in the FDA notice is unusually plain for a device-correction page: hypoxia, loss of lung recruitment, bradycardia, cardiac arrest, and death. As of the May 6, 2026 cutoff cited in the Early Alert, no injuries and no deaths have been reported to FDA in association with this issue (FDA Early Alert, May 18, 2026). That is good news, and it is the only piece of good news here.

Draeger's mitigation is two-fold. First, every affected workstation receives a ventilator-motor-assembly replacement on a schedule arranged by the local service representative. Second, until the replacement happens, customers are instructed to use the workstation under permanent supervision — and the device's "manual ventilation or spontaneous breathing remains possible" path is being relied on as the in-period control. In effect, the provider is the backup ventilator (MedTech-trade reporting summarising the May 7, 2026 Draeger Dear-Customer letter, Respiratory Therapy, May 21, 2026; Healthcare Purchasing News, May 2026).

The Atlan A350 is indicated for adults, children, and neonates during surgical or diagnostic procedures. That is its entire patient base. There is no operating context in which this workstation is not on someone who needs ventilation. That matters for what the standards expect.


2. The standards lens

A precision note first, because the regulatory categories cluster. "Class 2 recall" is an FDA enforcement classification — situations where use of the product may cause temporary or medically reversible adverse health consequences, with remote probability of serious adverse consequences. The original 2024 Atlan correction is recorded in the FDA Recalls database as Class 2 (FDA accessdata record ID 204697). The May 18 Early Alert flags that the expansion may be reclassified upward; FDA uses Early Alerts when it believes a recall is likely to be more serious than initially scored.

That FDA enforcement class is not the IEC 62304 software safety class, not the IEC 60601-1 device classification, and not the EU MDR risk class. The Atlan family is a Class IIb device under EU MDR Rule 11 and, as an anesthesia gas machine under 21 CFR 868.5160, a Class II device under U.S. law. Conflating those scales is a small but reliable indicator that the speaker has not read the underlying documents.

2.1 ISO 80601-2-13 — essential performance of the anesthesia workstation

ISO 80601-2-13:2022 Medical electrical equipment — Part 2-13: Particular requirements for basic safety and essential performance of an anaesthetic workstation is the standard that defines the essential performance of an Atlan-class device. The standard's essential-performance clause requires, among other things, the delivery of inspiratory and expiratory tidal volumes within stated tolerances, the maintenance of a chosen ventilation pattern in continuous mode, and timely detection and annunciation of conditions that compromise either of those.

The Draeger failure mode is the textbook essential-performance loss described by that clause. The piston ventilator stops, tidal volume goes to zero, and the maintained ventilation pattern is no longer maintained. The standard does not say loss of essential performance is forbidden; it says it must be detected, annunciated at an appropriate priority, and not produce an unacceptable residual risk after risk-control measures.

The detection part is there — the device throws "Ventilator error!!!" The annunciation part is where the design choice is worth a second look. A status text on the workstation display is one thing; an IEC 60601-1-8 high-priority audible-and-visual alarm signal is a different thing. High-priority alarms have specified frequency content, pulse cadence, and acknowledgement requirements precisely because in an operating room the human in the loop is wearing a mask, looking at a surgical field, and counting on the alarm system to redirect their attention away from where they are presently focused. A textual error code on a screen is acceptable as a technical alarm indicator; it is not, on its own, acceptable as the sole annunciation of loss of essential performance on a life-supporting device.

2.2 IEC 60601-1 §4.7 — single-fault tolerance is not human supervision

IEC 60601-1 §4.7 requires that medical electrical equipment be single-fault safe — any single failure in the device shall not produce an unacceptable risk. The relevant question is what counts as "the device" and what counts as "an external risk-control measure."

The Atlan failure is, by Draeger's own description, a single fault: one motor assembly, one impurity, one failure mode. The risk being controlled — unacceptable patient harm from lost ventilation — is being held off by the anesthesia provider performing manual bag ventilation. That is a human, external to the device, executing a risk control. ISO 14971 §3.5 explicitly allows for risk controls implemented by information for safety, by procedural means, or by training; what it does not allow is for that control to be invoked silently as a workaround in lieu of fixing the device's own single-fault tolerance.

The dispositive language is in ISO 14971 §6.6 and §7: residual risk after risk controls must be evaluated against the acceptability criteria, and the use of human-mediated controls in this evaluation must explicitly address whether the user can be expected to perform the control reliably under the conditions of use. "Provider takes over manual ventilation immediately on a textual ventilator-error message during a case where the provider was simultaneously titrating an anesthetic and watching the surgical field" is a perfectly legitimate residual-risk argument — but it has to be written down, and the alarm system has to be designed to make it work. Otherwise the standard's "user can be expected to perform reliably" condition is not met.

2.3 21 CFR 820.70(i) and 820.250 — production process control

The defect is not a design defect in the conventional sense. It is a production-process defect — Draeger has stated publicly that impurities were introduced during a bounded time window in the assembly of the ventilator drive. That falls squarely under U.S. 21 CFR 820.70(a) (general production controls), 820.70(i) (automated processes — software used as part of production or quality system must be validated), and 820.250 (statistical techniques for verification of process capability).

Two things should have caught this before any unit shipped to a hospital. First, end-of-line functional test of the assembled workstation must exercise the ventilator over an envelope that includes the failure mode the impurity produces. If the impurity causes intermittent stalling at certain torques or temperatures, the EOL test envelope did not include those conditions. Second, incoming inspection at the motor-assembly stage should have detected impurity-induced metallurgical or electrical signatures. Either the inspection plan did not require those signatures, or it required them and they were not detected. Both are 21 CFR 820 quality-system findings, and both apply equally under ISO 13485:2016 §7.5.6 (validation of processes for production and service provision).

2.4 IEC 60601-1-8 — alarm priority for loss of essential performance

The U.S. Standard for alarm systems in medical electrical equipment, IEC 60601-1-8:2006+A2:2020, lays out the matrix that converts an abnormal condition + onset time + potential for harm into a required alarm priority. Loss of mechanical ventilation in an anesthetized patient is a high-priority condition under any reasonable mapping of that matrix — onset of harm in seconds to tens of seconds, severity catastrophic, intervention required in seconds. The required alarm-signal characteristics for high priority are specified at the clause level: defined audible burst, defined visual flash rate, defined acknowledgement behavior, and explicit prohibition on a degraded or paused state without a remaining visual indicator.

A "Ventilator error!!!" text message on the workstation screen is not, on its face, a high-priority IEC 60601-1-8 alarm signal. If the Atlan's full annunciation chain includes the high-priority audible burst and the visual flash, the device complies; if the annunciation is text-only, the device does not. Field reports during the supervision-period mitigation will reveal which it is in practice. The point for design teams reading this: an alarm system designed to a clause is not the same thing as a screen line of red text that you assumed clinicians would notice.


3. A worked snippet

ISO 14971 risk-evaluation row — the entry that should already exist

Severity scale below: Negligible / Minor / Serious / Critical / Catastrophic. Probability decomposed into P1 (hazardous situation occurs) and P2 (hazardous situation leads to harm given the deployed risk-control measures).

| ID | Hazard | Foreseeable sequence | Hazardous situation | Harm | Severity | P1 × P2 | Residual risk |
|---|---|---|---|---|---|---|---|
| RM-VENT-01 | Loss of mechanical ventilation mid-case | Ventilator drive motor stalls due to manufacturing impurity; piston ventilator stops; workstation posts "Ventilator error!!!" | Anesthetized patient is apneic with no machine ventilation while provider attends to surgical field, anesthetic titration, or peripheral monitor | Hypoxia, bradycardia, cardiac arrest, death | Catastrophic | Occasional × Occasional | Unacceptable without enhanced annunciation |
| RM-VENT-02 | Loss of mechanical ventilation pre-case (standby / POST) | Same motor defect; workstation refuses to enter mechanical ventilation | Case delay; substitute workstation required; anesthetic plan disturbed | Procedural delay; risk of substitute device unfamiliarity | Serious | Occasional × Remote | Acceptable with workaround |
| RM-VENT-03 | Reliance on manual ventilation as in-period risk control | Provider must initiate bag ventilation within seconds of "Ventilator error!!!" notification | Single-task overload during a moment when the provider is also titrating, communicating with the surgical team, and monitoring hemodynamics | Delayed manual ventilation; transient hypoxia | Critical | Occasional × Probable | Undesirable |

RM-VENT-01 is the engineering story. The standard expects a row that says, plainly: in the operating context of an anesthetized adult/pediatric/neonatal patient, loss of mechanical ventilation is a catastrophic harm with onset measured in seconds, and the residual-risk control cannot be a screen line of red text and an assumption that the provider will pivot instantly.

Fault tree — top event: undetected loss of mechanical ventilation under anesthesia

Top: Undetected loss of mechanical ventilation in an anesthetized patient
        OR
        ├── A. Workstation stops ventilation and provider does not pivot in time
        │       AND
        │       ├── A1. Piston-drive motor stalls (manufacturing impurity)
        │       ├── A2. Detection annunciation does not redirect provider
        │       │        attention in seconds (text alert only; no
        │       │        IEC 60601-1-8 high-priority audible burst)
        │       └── A3. Provider is task-loaded (titration, surgical field,
        │                hemodynamic monitor) at moment of failure
        ├── B. Manual ventilation path itself fails
        │       OR
        │       ├── B1. Bag-valve circuit disconnected or mis-set
        │       ├── B2. APL valve in mechanical-ventilation position
        │       └── B3. Fresh-gas flow inadequate for spontaneous /
        │                manual ventilation
        └── C. Pre-case detection misses defective unit
                AND
                ├── C1. EOL functional test envelope omits the failure mode
                ├── C2. Daily/system test does not exercise sustained
                │        ventilation under load
                └── C3. Anesthesia-tech check-out procedure does not
                         include a sustained-ventilation period before
                         the case begins

Gate A's AND structure is doing the work. A1 is the manufacturing defect — genuinely a metallurgy and production-control problem. A2 and A3 are design and human-factors problems that the manufacturer controls today and that, once specified, remove gate A as a contributor. A2 is one IEC 60601-1-8 clause-level alarm-priority requirement. A3 is one usability-engineering requirement under IEC 62366-1 that obligates the device to annunciate in a modality the provider cannot miss while task-loaded.
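The gate logic can be checked mechanically. The following is an added example, not part of the original article: it encodes the fault tree exactly as drawn (leaf IDs A1 to C3), enumerates its minimal cut sets, and shows which cut sets disappear when a single leaf such as A2 is eliminated by a design control. The tuple encoding and the function names are illustrative choices, not anything the article or the manufacturer defines.

```python
from itertools import product

# The article's fault tree, encoded as (gate, children). Leaves are the
# article's leaf IDs; the tuple encoding itself is this example's choice.
TREE = ("OR", [
    ("AND", ["A1", "A2", "A3"]),   # A: ventilation stops, provider not redirected
    ("OR",  ["B1", "B2", "B3"]),   # B: manual ventilation path itself fails
    ("AND", ["C1", "C2", "C3"]),   # C: pre-case detection misses defective unit
])


def cut_sets(node, eliminated=frozenset()):
    """Return every cut set (frozenset of leaf IDs) that triggers `node`.

    Leaves listed in `eliminated` are treated as events that can no longer
    occur, e.g. because a design requirement has closed them off.
    """
    if isinstance(node, str):
        return set() if node in eliminated else {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child, eliminated) for child in children]
    if gate == "OR":
        # Any single child's cut set is enough to trigger an OR gate.
        return set().union(*child_sets)
    # AND gate: every child must occur, so one impossible child kills the gate.
    if any(not cs for cs in child_sets):
        return set()
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(eliminated=()):
    """Cut sets of the top event with strict supersets of other sets removed."""
    sets = cut_sets(TREE, frozenset(eliminated))
    return {s for s in sets if not any(other < s for other in sets)}


def removed_by(leaf):
    """Minimal cut sets that vanish when `leaf` alone is eliminated."""
    return minimal_cut_sets() - minimal_cut_sets({leaf})


if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(), key=lambda s: (len(s), sorted(s))):
        print(sorted(cs))
    print("Eliminating A2 removes:", [sorted(cs) for cs in removed_by("A2")])
```

Because gate A is an AND, eliminating A2 alone deletes its only cut set, while the leaves under gate B each remain a one-event cut set in the tree as drawn.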

Process-FMEA — incoming and end-of-line controls (S/O/D, 1–5 scale)

| Step | Failure mode | Effect | S | O | D | Risk |
|---|---|---|---|---|---|---|
| Incoming inspection — ventilator-drive motor sub-assembly | Impurity present in motor materials passes inspection because incoming acceptance plan does not require chemistry / metallurgical signature | Defective sub-assembly enters production | 5 | 3 | 5 | High |
| End-of-line functional test — assembled workstation | Sustained-ventilation soak under load not part of EOL test envelope; intermittent stall does not present during short test | Defective workstation passes EOL and ships | 5 | 3 | 5 | High |
| Daily / power-on system test in clinical use | POST exercises ventilator briefly; not under sustained load nor at full duty-cycle | Defective unit clears POST but fails mid-case | 5 | 2 | 4 | High |

Every one of the three rows is a process-control or test-envelope decision. The metallurgy is hard; the test envelope is not.


4. Derived requirements (excerpt)

Every ID above traces to a row in §3. SR-VENT-001 attacks leaf A2 and RM-VENT-01. SR-VENT-002 and SR-VENT-003 attack leaves C1 and the incoming/EOL rows of the process FMEA. SR-VENT-004 attacks leaf A3 and RM-VENT-03. SR-VENT-005 is a correction-period requirement that did not exist because nobody anticipated that an Urgent Medical Device Correction would be in effect on a life-supporting device for the months it takes to replace motor assemblies in the field.


5. What the headline really tells us

The headline is "FDA Early Alert on anesthesia workstations — no injuries reported." The engineering story is smaller and more uncomfortable than that.

The manufacturing defect is real. A defined-window impurity in a motor sub-assembly is a credible production-control finding, and Draeger is doing the right thing by replacing the motors fleet-wide rather than re-flashing a parameter and hoping. But the defect is not what is holding the residual risk at acceptable. What is holding it at acceptable, until every motor is swapped, is a sentence in the customer letter that says use the device under permanent supervision. That sentence is a risk control that ISO 14971 §6.6 demands a documented, evidence-backed argument for. It is not a policy; it is an engineering claim about a human in the loop.

The missing artifacts here are two rows and one alarm clause. A residual-risk row that names the operating context in plain language — provider task-loaded, anesthetic titration in progress, surgical field in view — and demonstrates that the annunciation of mechanical-ventilation loss penetrates that context. A process-control row that says the end-of-line test envelope shall include a sustained-ventilation soak long enough to surface intermittent motor stalls. And the IEC 60601-1-8 alarm clause that converts a screen line of red text into a high-priority signal designed to redirect attention by audible and visual modalities at the same time.

If you build life-supporting equipment and your residual-risk arguments do not name the task-loaded provider explicitly, that gap is the actionable item — not the recall notice. A workaround that requires the operator to be the backup ventilator is fine when the standard's evidence requirements have been met. It is not fine when the evidence is "we wrote it in the customer letter." The fastest way to reach me to walk through how that row gets built is the contact link on the main site.

Jherrod Thomas, The Lion of Functional Safety™