Software as a Medical Device through the regulation and standards lenses


Software, hard as it is to imagine, is a relatively young industry. It may look as if it has been with us forever, but in reality we are just starting to use it to solve the problems that count the most. Don’t get me wrong: ERP, banking, insurance, military, space, aviation, CAD and similar software is essential. It does aid us in day-to-day, real-life activities, but treating software as a medical device is a different stretch. Saving lives, boosting the quality of life and lowering healthcare costs are goals on a different scale.

Back in the 80s, we sadly became fully aware of the consequences software in the medical field can have. The Therac-25 disaster, in which patients were killed by radiation overdoses, was a loud wake-up call for the authorities and the medical software industry. Lousy software design, poor development practices and inadequate quality control were the smoking guns. Eventually, everybody involved learned a lot, and measures to prevent the risks arising from the use of software medical devices were implemented around the world. The FDA, EU Commission, MHRA, TGA, BfArM and other authorities established governance over software medical devices. Standards organisations, backed by industry leaders, gathered best practices into a set of standards and guidance. Standards for the software development lifecycle, risk management, quality management systems, usability and accessibility guidelines now complete the backbone for safe medical software development and maintenance.

In this post, I will cast some light on the evolution of regulatory requirements and underlying standards in the European Union market.

 

MDD – First step to requirements harmonisation

In the 90s, the European Commission delivered legislative acts that needed harmonisation within all member states. The 90/385/EEC – Active Implantable Medical Devices (AIMD), 93/42/EEC – Medical Device Directive (MDD) and 98/79/EEC – In Vitro Diagnostic Devices Directive (IVDD) became valid in the EU one after another. For the sake of simplicity, I will limit today’s discussion to the MDD, because it is the one that mentions software after all.

The MDD had just one main goal: allowing medical devices to be marketed only when manufacturers had proved that the medical benefits of using the device outweigh the risks associated with using it. MDD and associated guidelines such as MEDDEV, NB-MED, GMDSV and Borderline manuals have done an excellent job for non-software medical devices. Specifying which concerns needed to be addressed helped all stakeholders. Known problematic areas such as sterilisation, electrical safety, magnetic interference, packaging, labelling, operations manuals, safety manuals, etc. were adequately covered.

The manufacturer has to answer the following questions:

  • Does the device meet the definition of a medical device or an accessory?
  • What is the intended purpose of the device?
  • What is the risk classification?
  • Does the device meet the general safety requirements?
  • Does the benefit of using the device outweigh the risk of using it, before it is placed on the market?

Gravity does not apply to software. It is different from a hardware device; it is hard to verify and validate invisible work.

 

The Technical File is the product; the device is just a side effect

Yes, it sounds like nonsense at first; however, if you follow the line of thought of the authorities and industry leaders, it makes perfect sense. Manufacturers have to invest a lot of effort into proving that the medical gains for the patient exceed the risks associated with using the medical device. This is possible only with a thick pile of paper proving that the device, which will be manufactured at a later stage, indeed brings positive medical outcomes and low risk to the patient. The Technical File is at the centre of all certification and assessment procedures and contains all the information needed to demonstrate that the product meets all essential MDD requirements. The Technical File has to answer all the questions asked above.

To help manufacturers and auditors, industry leaders distilled their good and bad experiences into a set of standards. These standards need to be adopted to guarantee that all activities performed before putting the device on the market were done with that know-how in mind. By using standards, we aim to prevent the recurrence of past mistakes that led to hazards for patients.

Some of the most important standards and recommended guidelines to be followed are:

  • ISO 13485 – Medical devices – Quality management system,
  • IEC 62304 – Medical device software – Software life cycle processes,
  • ISO/TS 25238 – Health informatics – Classification of safety risks from health software,
  • ISO 14971 – Medical devices – Application of risk management to medical devices,
  • IEC 62366 – Medical devices – Application of usability engineering to medical devices and
  • IEC 60601 – Medical electrical equipment – Safety and essential performance of medical electrical equipment.

It is not the aim of this post to go into the details of every standard mentioned above. However, if you plan to enter the medical software field, it is strongly suggested that you go through them several times, and please get a consultant as well. Some well-spent consultancy hours can save you a lot of money and stress down the line.

 

The “darker” sides of MDD

It may sound as if MDD was tremendous and there was no need for any updates. All is well defined, the standards are there, the authorities as well, the regulation is clear, and roles and duties are understood.

However, there were some issues with MDD that required intervention. Because MDD was already a big snowball rolling downhill, the EU Commission decided that a new act was needed. The lessons learned led to the approval of the Medical Device Regulation in 2017, which will be explained later. OK, so what exactly was the problem?

MDR is a lengthy regulatory act that tried to address the following pain areas of MDD and the connected guidelines:

  • Lack of consensus between EU members; a lot of requirements were interpreted in different ways among EU members
  • Poor oversight by Notified Bodies (NB); less of an industry partner, more an extension of authorities; tighter requirements for NB
  • Technical File structure and relevance; it was possible to have a 20-page Technical File for a Class III medical device; the exact composition was not prescribed, and it was a nightmare for NB
  • Transparency and traceability of medical devices; the end to end quality was hard to prove and maintain
  • Clinical Evaluation was too often not scientific or just based on literature research of other “similar” medical devices
  • Post Market Safety; relaxed vigilance procedures are possible, no real system for post-market surveillance is needed
  • Globalisation; too relaxed rules about cross-continent collaboration

 

Welcome MDR – MDD on steroids

MDR was approved on the 26th of May 2017, and we are now in the transition period that will end on the 26th of May this year. Please note that devices certified according to MDD, IVD and AIMD can still be placed on the market until the 27th of May 2024. Now the dates are clear. From the 26th of May, it will be impossible to start and finish any certification process according to the MDD, IVD and AIMD regulations; only MDR will be valid.

Notified Bodies & Manufacturers Honeymoon

Let’s move forward now and see how MDR addressed the MDD pain points mentioned above. The solution for the shared view on the subject was simple. The EU Commission didn’t produce just another directive but a new regulation. And a regulation must be 100% adopted by all EU members. Simple!

Notified Bodies (NB) were found guilty of being too relaxed when evaluating manufacturers’ technical files; the clinical evaluation part in particular was, at times, absurd. There was no trace of any scientific argument to prove the medical benefits for the stated intended purpose.

Also, risk management was weak, and companies failed to show a positive benefit/risk ratio. Because of this, the EU Commission requested that all Notified Bodies go through a detailed audit to prove that they are MDR compliant. The result? Bad news for everybody.

Almost all NBs lost the right to assist manufacturers in their MDR efforts. At this moment there are fewer than 10 NBs for the entire EU, and 2 of them are in the UK (we all know Brexit, right?). So the pressure on NBs is overwhelming, and this means that the elapsed time for certification is now between 2 and 4 years. The Commission also introduced new classification rules, with the effect that more devices have now fallen into a higher risk classification and thus need NB assistance. Well, this is no good for the waiting queues. And yes, medical device software was one of those cases. Now a lot of devices that under MDD would not have been a medical device, or would have been a Class I medical device, are suddenly moderate-risk medical devices in Class II.

Chaos was the law of nature; Order was the dream of mankind

The technical file was a mess before. Every NB had its own preferred structure, and manufacturers tended just to give the NB all they had. Paperwork, digital documents, etc. were given to the NBs, and it was their duty to figure out whether the device met the requirements. This situation was terrible for transparency and efficiency, so MDR introduced a shared, exact Technical File structure that is mandatory across the EU. For increased transparency, a central register of medical devices, manufacturers, importers, distributors, complaints and vigilance reports – EUDAMED – has also been established. It will replace the EU members’ registers.

If the facts don’t fit the theory, change the facts

Clinical Evaluation at first sight didn’t change too much from the MDD era. Nonetheless, this is just the first impression. The demonstration of device equivalence is more complicated, even impossible between market players. It is extremely hard to find companies willing to share 100% of the technical file with a competitor so that the competitor can prove equivalence. Clinical trials must now follow an ISO standard. Literature research can now be conducted only by an expert who meets the MEDDEV 2.7/1 rev. 4 requirements.

The Loop

MDR introduces novelties into MDD Post Market Surveillance (PMS), including the strengthening of post-marketing surveillance requirements. The newest regulations state that manufacturers must play an active role during the post-marketing phase. They are required to implement processes to actively and systematically collect, record and analyse data on the safety, quality and performance of the device throughout its expected lifetime.

Furthermore, as part of this process, some medical device manufacturers will need to conduct post-market clinical follow-up (PMCF) studies. The PMCF study design and methodology should be described in a clinical investigation plan (CIP). The CIP should include a description of the rationale, objectives, endpoints, statistical methods and clinical processes, which must be appropriate for addressing the stated objectives. A statistical analysis plan (SAP), giving a detailed description of the statistical methods, is also required.

There are two additional significant changes. Manufacturers are now required to prepare Medical Device Periodic Safety Update Reports (PSUR) and Post Market Surveillance Reports (PMSR).

The PMSR needs to summarise the results and conclusions of the PMS data, along with a rationale and description of any corrective measures taken for a device used on the market. This report must be an integral part of the Technical File.

The PSUR is essentially an extension of a PMSR containing information for higher-risk devices. It is clear now that the requirements are far more demanding and costly for the manufacturers.

Globalisation felt like a runaway train, out of control

Globalisation is a fact, and MDD didn’t consider it back in 1993. The word “importer” appears only three times in the entire MDD, and the word “distributor” appears just once. The EU MDR, however, raises the importance of all economic operators; “importer” and “distributor” appear dozens of times in the regulation. That should tell us something about how EU regulators now view the importance of the supply chain through the entire life cycle of the medical device. The most significant change is that the MDR requires the importer and distributor to verify that the manufacturer and device meet the requirements before the device is imported or sold into the EU.

This fact now legally binds both parties to follow MDR, boosting transparency and end-to-end compliance with MDR. Importers and distributors must now be registered in the EUDAMED register and must appear on the labels as well. Both must hold the Declaration of Conformity of the device even ten years after the device was on the market. And, finally, importers and distributors are responsible for tracking and reporting complaints.

 

Wrap-up

If a device has a medical benefit, then it is a medical device and must follow MDD or MDR; otherwise, it should not be on the market. Manufacturers, Notified Bodies, distributors, importers, suppliers and other involved parties who participate in the design, development, production, distribution and maintenance of medical devices in the EU will have a lot of work in the upcoming years, and this is all for a crucial reason.

The safety of the patient must never be neglected as it was back in the 80s. The device on the market must fulfil what it promised in terms of benefits and intended purpose, with reasonable risk for the patient.

Standards are there to help, not to keep you from success. The regulatory horizon is vast, and getting a consultant is a wise move.

Don’t forget: the pile of papers is the output; the device is just a side effect.

 

I have tried to keep things simple, and I hope I had decent success with it.

 

Miloš Cigoj, Head of Quality and Compliance

Views are my own and do not necessarily reflect the official policy or position of any other agency, organization, employer or company.

 

 
