128 104 14MB
English Pages [671]
Reference Series in Biomedical Engineering Tissue Engineering and Regeneration Series Editor: Heinz Redl
Christian Baumgartner · Johann Harer Jörg Schröttner Editors
Medical Devices and In Vitro Diagnostics Requirements in Europe
Reference Series in Biomedical Engineering
Tissue Engineering and Regeneration Series Editor Heinz Redl, Ludwig Boltzmann Institute for Traumatology in coop. with AUVA, Austrian Cluster for Tissue Regeneration, Vienna, Austria
This series Tissue Engineering and Regeneration consists of comprehensive reference texts encompassing the biological basis of tissue regeneration, basic principles of tissue engineering and the current state-of-the-art in tissue engineering of specific tissues and organs. Each volume combines established fundamentals and the latest developments, thus forming an invaluable collection for both experienced researchers as well as practitioners from other areas of expertise. The spectrum of topics ranges from the use of cells for tissue regeneration and tissue engineering, growth factors and biological molecules affecting tissue development and regeneration, to the specific roles of biophysical factors in tissue development and regeneration. Tissue engineering lies at the crossroads of medicine, life sciences and engineering. The field has developed extensively over the last two decades, addressing the requirements of tissue and organ replacement as well as regeneration in a variety of congenital, traumatic, disease and aging-related conditions, including some of the most critical unmet challenges in modern medicine. Both our increased understanding of the biological basis of tissue engineering as well as significant technological advances mean that engineering design principles can now be used for the de novo construction of functional tissue replacements that meet the requirements of research and clinical applications.
Christian Baumgartner • Johann Harer • Jo¨rg Schro¨ttner Editors
Medical Devices and In Vitro Diagnostics Requirements in Europe
With 165 Figures and 50 Tables
Editors Christian Baumgartner Institute of Health Care Engineering with European Testing Center of Medical Devices Graz University of Technology Graz, Austria
Johann Harer QMD Services GmbH Wien, Austria
Jörg Schröttner Institute of Health Care Engineering with European Testing Center of Medical Devices Graz University of Technology Graz, Austria
ISSN 2731-0493 ISSN 2731-0507 (electronic) Reference Series in Biomedical Engineering ISSN 2731-0558 ISSN 2731-0566 (electronic) Tissue Engineering and Regeneration ISBN 978-3-031-22090-6 ISBN 978-3-031-22091-3 (eBook) https://doi.org/10.1007/978-3-031-22091-3 Translation and extension of the German language edition: „Anforderungen an Medizinprodukte: Praxisleitfaden für Hersteller und Zulieferer“, © Carl Hanser Verlag GmbH & Co. KG 2018. Published by Carl Hanser Verlag GmbH & Co. KG. All Rights Reserved. © Springer Nature Switzerland AG 2023 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland Paper in this product is recyclable.
To all medical device and in vitro diagnostics companies that are not deterred by major financial and regulatory challenges from developing and bringing to market innovative products that improve the diagnosis, treatment, and prevention of disease, and especially to our beloved families
Preface
The market for medical devices in Europe is very interesting for both manufacturers and suppliers due to its size, growth rates, and still attractive profit margins. However, medical device manufacturers have to comply with increasing regulatory requirements in all major international markets, which proves to be a high barrier to entry, especially for market newcomers. Those who do not meet all the requirements for European market approval, that is, the relevant European regulations, national laws, such as the medical devices act, and international standards, are denied access to the European market. In particular, the two EU regulations for medical devices (MDR 2017/745) and in vitro diagnostics medical devices (IVDR 2017/746) as well as EN ISO 13485:2016 (requirements for a quality management system), EN ISO 14971 (application of risk management to medical devices), and several others are essential requirements for manufacturers of such products. With its 20 chapters, this book offers a comprehensive guide on how medical device manufacturers, suppliers, and all involved parties comply with the specified regulatory framework throughout the entire life cycle, that is, from product planning, development, approval, manufacture, installation and support, and the post-market phase up to withdrawal of the product from the market with a balanced mix of expert knowledge, empirical values, and proven methods. As a result, the contributions not only provide an overview of the most important requirements in the medical device sector but also show concrete and proven ways of implementing these requirements in practice. The book is aimed both at people from non-European markets, such as the USA, Canada, Australia, Latin America, Asia, or Africa, who are planning a successful market entry in Europe, and at people from Europe who want to enter the medical device industry for the first time or are already active manufacturers and suppliers who want to expand and deepen their knowledge of the most important regulatory dos and don’ts. In particular, it is aimed at all persons in development, production, quality assurance, complaints processing, purchasing and engineering, as well as in quality management at a company who want to gain an in-depth overview of specific issues. It is also recommended for scientists and researchers as well as students from technical and medical disciplines who want to familiarize themselves with this topic and pursue possible product ideas, for example, in the context of a start-up.
vii
viii
Preface
Particularly in view of the increased requirements for suppliers, such as increased documentation requirements or unannounced audits by authorities and notified bodies, it is also advisable for all suppliers of critical parts, services, and products to familiarize themselves with what their customers, the manufacturers of medical devices, expect from them and what requirements they face. In the course of qualifying suppliers, it is often found that while they have excellent technical skills and efficient production processes and facilities, in many cases they also have significant deficits in mastering the areas that are important for compliance, that is, they are not proficient in the legally compliant design of medical devices or their components. SMEs in particular often have problems understanding the specific regulatory requirements for medical device manufacturers, such as process validation, computer validation, traceability, clinical trials, retention samples, post-market surveillance, as well as the extensive documentation and recording obligations, and subsequently implementing them in compliance with the regulations. It requires extensive knowledge and a great deal of experience to find the right balance between ensuring product quality and minimizing safety risks on the one hand and reasonable costs and effort on the other, when making demands on suppliers and service providers. The knowledge and experience gained in this process are also conveyed in this book. Despite the challenging topic, we wish the readers an exciting read and hope that the communication of the regulatory environment as well as the illustrative examples will contribute to a better understanding of the regulatory requirements for medical devices in Europe. Ultimately, the newly acquired knowledge should enable you to bring your medical devices to market quickly, efficiently, and in compliance with the law on the basis of the new regulations. Graz, Austria Wien, Austria Graz, Austria September 2023
Christian Baumgartner Johann Harer Jörg Schröttner
Acknowledgments
We would like to thank all the authors of this comprehensive work for contributing their knowledge and many years of experience from their fields of expertise to this book and for elaborating those issues that are essential for understanding the respective subject area. We also thank Hanser-Verlag for allowing us to adopt parts of the book “Anforderungen an Medizinprodukte” for this edition.
ix
Contents
Regulatory Framework for Medical Devices and IVDs in Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Christian Baumgartner, Jörg Schröttner, and Peter S. Müllner
1
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jörg Schröttner and Christian Baumgartner
39
Quality Management Requirements in Compliance with European Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Johann Harer and Jörg Schröttner
63
Risk Management for Medical Devices in Compliance with EN ISO 14971 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Brigitte Gübitz and Udo Klinger
89
Medical Device Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Peter S. Müllner and Udo Klinger Safety Requirements for Medical Devices in Compliance with European Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Robert Neubauer, Jörg Schröttner, and Christian Baumgartner Software as Medical Device in Europe . . . . . . . . . . . . . . . . . . . . . . . . . . Sara Stoppacher and Peter S. Müllner
121
157 187
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wolfgang Ecker
217
Performance Evaluation and Performance Studies of in Vitro Diagnostic Medical Devices Under the IVDR . . . . . . . . . . . . . . . . . . . . Wolfgang Ecker
251
xi
xii
Contents
Validation of Methods and Analytical Processes for In Vitro Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Karin Schwenoha and Johann Harer Medical Products: Packing and Labeling Requirements . . . . . . . . . . . . Elizma Parry
273 291
GMP-Compliant Design for Plants Manufacturing Medical Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Marie-Astrid Haibl and Clemens Borkenstein
319
Integrated Qualification of Manufacturing Systems for Medical Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Clemens Borkenstein, Marie-Astrid Haibl, and Johann Harer
357
How to Implement a Risk-Based and Life-Cycle Approach for Commissioning and Qualification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Brigitte Gübitz
413
Management for Critical Medical Device and IVD Suppliers . . . . . . . . Johann Harer
449
Process Validation for Medical Device Manufacturing . . . . . . . . . . . . . Johann Harer
475
Manufacturing and Quality Assurance in Compliance with the MDR and IVDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Johann Harer
505
Mastering Quality System Audits and Inspections for Medical Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Andrej Smogavc Cestar and Johann Harer
543
Post-Market Surveillance and Vigilance on the European Market . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Johann Harer
585
A Regulatory Guide for Medical Device Start-Ups in Europe: Challenges and Pitfalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tibor Zajki-Zechmeister
625
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
651
About the Editors
Univ.-Prof. Dipl.-Ing. Dr. Christian Baumgartner, PhD, is Professor and Head of the Institute of Health Care Engineering with European Testing Center of Medical Devices at Graz University of Technology, Austria. He received his M.Sc. (1994) and Ph.D. degrees (1998) from Graz University of Technology, Austria; Habilitation in Biomedical Engineering from UMIT Tirol, Austria (2006); Diploma in organ and conducting (1998) from the Conservatory of Graz, Austria. From 1998 to 2002, Dr. Baumgartner held an R&D position at Tecan.com. From 2007 to 2008, he joined the Barnett Institute of Chemical and Biological Analysis at Northeastern University and Harvard Medical School, Boston, MA, where Dr. Baumgartner worked in bioinformatics for biomarker discovery. In 2009, he was appointed Professor and Director of the Institute of Electrical and Biomedical Engineering at UMIT Tirol. Since 2015, he has been Head of the Institute of Health Care Engineering with European Testing Center of Medical Devices at Graz University of Technology, Austria. Dr. Baumgartner is the author of more than 200 publications in refereed journals, books, and conference proceedings, as well as patents, and is a reviewer for more than 40 scientific journals. He has served as deputy editor of the Journal of Clinical Bioinformatics, is associate editor of Frontiers in Physiology (Computational Physiology and Medicine section), section editor of Sensors (Biomedical Sensors section), co-section editor of the IMIA Yearbook of Medical Informatics (Sensors, Signals and Imaging informatics section), and a member of the editorial boards of Cell Biology and Toxicology and Methods of Information in
xiii
xiv
About the Editors
Medicine. His main research interests include cellular electrophysiology, biomedical sensors and signal processing, biomedical modeling and simulation, clinical bioinformatics and computational biology, and medical device development, safety, and regulatory affairs. Dipl.-Ing. Dr. Johann Harer is currently a project manager and senior technical expert at QMD Services GmbH, a notified body for medical products and in vitro diagnostic medical products according to EU 2017/745 and 2017/746. He holds a master degree in Electrical Engineering from Graz University of Technology and a doctorate in Law from the Karl-Franzens University in Graz. In 1980 he had his first industrial experience as developer and project manager for medical instruments. From 1986 to 1990 he was employed at an international company in the field of telecontrol systems and industrial automation in Germany. From 1990 to 2001 at AVL Medical Systems, he was responsible for business development and various additional functions, including global system support and product management. From 2001 to 2014, he was global Head of Quality Management for the Near Patient Testing business unit and Head of QM, QA, and Regulatory Affairs at Roche Diagnostics Graz. From 2014 to 2022 he was Managing Director at Human.technology Styria GmbH, a private-publicpartnership organization to support MedTech and biotech companies and research organizations in Austria. He has conducted regular trainings and lectures as well as audit activities and company assessments within the framework of EN ISO 13485 and the EFQM Business Excellence Model. Assoc.-Prof. Dipl.-Ing. Dr. Jörg Schröttner is currently an Associate Professor at the Institute of Health Care Engineering with European Testing Center of Medical Devices at Graz University of Technology, Austria. He received his M.Sc. (2000), Ph.D. degree (2003), and habilitation in Health Care Engineering (2008) from Graz University of Technology, Austria. From 2000 to 2003 Dr. Schröttner held a research and teaching assistant position at the Institute of Biomedical Engineering at Graz University of Technology, Austria. From 2003 to 2008 he was Deputy Head of the Institute
About the Editors
xv
of Clinical Engineering with European Notified Body (PMG), where he developed the conformity assessment procedures of quality management systems for active medical devices according to the medical device regulations. Since 2008 he is the Deputy Head of the Institute of Health Care Engineering, and in 2014 he became the Head of the European Testing Center of Medical Devices, formerly European Notified Body. In view of current sociodemographic developments, Dr. Schröttner’s scientific work deals with methodological, technical, organizational, economic, and quality assuring aspects of intra- and extramural healthcare, with a special focus on patient safety. The goal is to help patients cure or alleviate their illness efficiently, economically, without adverse events, and in a qualityassured manner. He is the author of more than 100 publications in reviewed journals, books and conference proceedings, and patents. Dr. Schröttner has also been active in the field of medical device approval at the stateaccredited Testing and Certification Body for Medical Devices PMG for over 20 years. He is an expert in the development, manufacturing, and testing of active medical devices and is lead auditor for quality management systems according to EN ISO 13485 and EN ISO 9001.
Contributors
Christian Baumgartner Institute of Health Care Engineering with European Testing Center of Medical Devices, Graz University of Technology, Graz, Austria Clemens Borkenstein ZETA GmbH, Wien, Austria Wolfgang Ecker University of Applied Sciences Upper Austria for Medical Technology, Linz, Austria Brigitte Gübitz VTU Engineering GmbH, Raaba-Grambach, Austria Marie-Astrid Haibl ZETA GmbH, Wien, Austria Johann Harer QMD Services GmbH, Wien, Austria Udo Klinger Graz, Austria Peter S. Müllner Wien, Austria Robert Neubauer Institute of Health Care Engineering with European Testing Center of Medical Devices, Graz University of Technology, Graz, Austria Elizma Parry Regulatory Affairs, QMD Services GmbH, Wien, Austria Jörg Schröttner Institute of Health Care Engineering with European Testing Center of Medical Devices, Graz University of Technology, Graz, Austria Karin Schwenoha QMD Services GmbH, Wien, Austria Andrej Smogavc Cestar Faculty of Economics and Business, University of Maribor, Maribor, Slovenia Sara Stoppacher Dedalus HealthCare GesmbH, Graz, Austria Tibor Zajki-Zechmeister CommuModo GmbH, Graz, Austria
xvii
Regulatory Framework for Medical Devices and IVDs in Europe Christian Baumgartner, Jo¨rg Schro¨ttner, and Peter S. Mu¨llner
Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Certification of Medical Devices in Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 Successful Market Access Through Fulfillment of General Requirements . . . . . . . . . . . 3 Approval of Medical Devices in Non-European Markets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 USA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 China . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.4 Japan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.5 Brazil . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Patents and Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 3 3 20 20 25 26 29 31 32 33 33
Abstract
The publication of the new Medical Device Regulation MDR 2017/745 and the In Vitro Diagnostics Regulation IVDR 2017/746 in April 2017 ushered in a new era for the approval of medical devices in Europe. These regulations repealed the European Council Directives 90/385/EEC, 93/42/EEC, and 98/79/EC and are now legally binding, requiring manufacturers and distributors to make special efforts to successfully enter the European market with their medical products. In this chapter, we address the legal environment and the additional requirements for medical device certification imposed by the new regulations. We go into detail on the definitions of what is a medical device and who is a C. Baumgartner (*) · J. Schröttner Institute of Health Care Engineering with European Testing Center of Medical Devices, Graz University of Technology, Graz, Austria e-mail: [email protected]; [email protected] P. S. Müllner Wien, Austria e-mail: [email protected] © Springer Nature Switzerland AG 2023 C. Baumgartner et al. (eds.), Medical Devices and In Vitro Diagnostics, Reference Series in Biomedical Engineering, https://doi.org/10.1007/978-3-031-22091-3_11
1
2
C. Baumgartner et al.
manufacturer or economic operator for the purposes of the regulations. We also highlight changes in conformity assessment procedures and extensions in the technical documentation, particularly for the clinical and performance evaluation and the post-market procedures. The chapter also introduces and discusses the most important European standards for medical devices. Finally, we provide a brief overview of the international situation regarding the approval of medical devices with a focus on the USA, Canada, China, Japan, and Brazil, as this overview may help to identify differences and peculiarities in the approval strategies of these markets compared to Europe. This introductory chapter of the book outlines the framework of a challenging journey through the European medical device certification process and highlights the necessary requirements for a successful European market entry with a short view to the non-European medical device approval situation.
1
Introduction
If companies are active in the field of medical devices or their accessories, they will quickly realize that this is a highly regulated environment. Terms such as EU regulations, EU directives, general safety and performance requirements, countryspecific medical device laws, harmonized standards, common specifications, medical device registration, but also risk management, usability, patents, reimbursement, cybersecurity, vigilance, and many, many more accompany them throughout the life cycle of such a product. This chapter is intended to provide an overview of these different terms and their interrelationships, and to provide a guide through the challenging world of European medical device approval. Questions such as whether the product is a medical device or an accessory, which contexts of use are to be covered, or which target markets and countries are to be reached should already be answered or decided after the idea for a new medical product has been generated, but at the latest during the subsequent conception phase. The legal environment is essentially determined by European regulations and directives, but also by country-specific requirements such as laws and other ordinances and regulations. These are elicited in advance and analyzed in detail to enable successful and rapid market access and a safe product for patients and users. However, not only administrative law (e.g., market access and operating regulations) has to be taken into account, but also legal regulations in contract law, tort law, and product liability law have to be considered as well as entrepreneurial risks when planning a market entry. The latter in particular are crucial in the context of liability cases and are critical for legal certainty. These provide essential input for understanding the liability sums and penalties that sometime reach horrendous proportions, depending on the country, that can result from errors or wrongful acts in the course of a product life cycle. Accordingly, risk minimizing measures such as sufficient coverage of insurable risks as well as a complete quality management that supports proof of defect-free
Regulatory Framework for Medical Devices and IVDs in Europe
3
design, manufacture, instruction, and market surveillance with appropriate documentation should be comprehensively implemented. In addition, it is advisable to deal with the respective country-specific social security legislation in the countries of distribution in order to address the issue of reimbursement, reimbursement options, and market opportunities from the outset and, if necessary, to include requirements for design and/or necessary clinical trials and efficacy studies. However, the main focus of this chapter is on successful market access by addressing the legal requirements for medical device certification through the new regulations MDR 2017/745 and IVDR 2017/746.
2
Certification of Medical Devices in Europe
2.1
Successful Market Access Through Fulfillment of General Requirements
For a successful market entry, it is necessary to familiarize oneself with the applicable regulatory requirements and country-specific features already before or at the latest during the conception and development phase of the medical product. The most important prerequisites here are the defined intended purpose of the product and the determination of the targeted countries. These can then be used to draw up an initial approval strategy. Although numerous harmonization efforts are taking place or have taken place, it is still necessary to familiarize oneself very intensively with the approval details of the targeted countries and their “cultural” differences. Costs and time to approval should also be considered, as it is often not uncommon for approval times to exceed 1 year or more. Until the introduction of the MDR 2017/ 745 and the IVDR 2017/746, many manufacturers in Europe found it convenient to have an initial launch of their products in Europe. However, the shortage of notified bodies and increased requirements may change this strategy. In the following sections, the requirements for the European market and some selected international markets are presented in more detail.
2.1.1 The European Union and Associated Countries The efforts of the European Union to standardize access requirements for the European market and to reduce trade barriers have made life easier for manufacturers in recent years. In order to be placed on the European market, medical devices must, on the one hand, comply with the “general safety and performance requirements” of the applicable EU regulation (formerly directive) and, on the other hand, the manufacturer must prove the effectiveness of its post-market surveillance (PMS) system as part of the so-called conformity assessment procedure. Based on the documents proving these essential requirements, which confirm the safety and performance as well as the effectiveness of the product for the intended use, with
4
C. Baumgartner et al.
clinical evaluation playing a central role, the manufacturer declares in the form of the Declaration of Conformity DoC (involving a notified body, except in the case of risk class 1 or class A devices) that the product is in compliance with the requirements of the EU regulations and affixes the CE mark to the product. The respective national or country-specific market surveillance authority has the right to inspect and verify this evidence. However, the first fundamental question that must be clarified even before development starts, and in which the defined purpose (intended use) of the product plays a central role must be: “Is my product a medical device or similar to a medical device?” Other questions that immediately follow: “Am I a manufacturer or one of the other economic operators (distributor or importer) in the sense of a regulation?” and “What does placing on the market mean?” If the questions regarding medical device and manufacturer can be answered with a clear “yes,” the next step is to clarify under which of the two regulations, the Medical Device Regulation MDR 2017/745 or the In Vitro Diagnostics Regulation IVDR 2017/746, or both, the product is to be classified. With the enactment of these new European regulations in spring 2017, the regulatory foreground landscape has fundamentally changed. The familiar three EU directives AIMD 90/385/EEC, MDD 93/42/EEC, and IVD 98/79/EC were replaced by the two new, directly applicable EU regulations with numerous accompanying necessary legal adjustments. According to the new EU regulations (as of 05/2017), there are now the following two options: Regulation (EU) 2017/745 of the European Parliament and of the Council on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009, and repealing Council Directives 90/385/EEC and 93/42/EEC (European Parliament and European Council 2017a). Regulation (EU) 2017/746 of the European Parliament and of the Council on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (European Parliament and European Council 2017b). It should be mentioned that if no valid “directive” certificate is available during an appropriately defined transition period, solely the new regulations MDR 2017/745 and IVDR 2017/746 apply. The EU regulations are freely accessible on the corresponding page of the European Commission (EUR-Lex). Practice shows that manufacturers repeatedly encounter difficulties in defining medical devices. Note that the exact definition of the products covered can be found in the respective definitions of the regulations (MDCG 2020-16 and MDCG 202124; European Commission 2020, 2021). The following three questions are crucial for the manufacturer: (a) Does the product meet the definition of a medical device? (b) Is the intended purpose/use such that the product can be considered a medical device? (c) How is the principal intended action achieved?
Regulatory Framework for Medical Devices and IVDs in Europe
5
Regarding a): The most important criterion here is that the product is intended for human use. Veterinary medical products – in contrast to pharmaceuticals – are not subject to the definition of medical products. In principle, all physical products for human beings, i.e., instruments, apparatus, devices, implants, reagents, and substances, but also software can be included in the definition. In part, cosmetic products and products without an intended medical purpose (Annex XVI, MDR 2017/745) are equated with medical devices by the new EU regulations and thus covered by the legislation. These include: 1. Contact lenses or other items intended to be introduced into or onto the eye. 2. Products intended to be totally or partially introduced into the human body through surgically invasive means for the purpose of modifying the anatomy or fixation of body parts with the exception of tattooing products and piercings. 3. Substances, combinations of substances, or items intended to be used for facial or other dermal or mucous membrane filling by subcutaneous, submucous, or intradermal injection or other introduction, excluding those for tattooing. 4. Equipment intended to be used to reduce, remove, or destroy adipose tissue, such as equipment for liposuction, lipolysis, or lipoplasty. 5. High-intensity electromagnetic radiation (e.g., infrared, visible light, and ultraviolet) emitting equipment intended for use on the human body, including coherent and noncoherent sources, monochromatic and broad spectrum, such as lasers and intense pulsed light equipment, for skin resurfacing, tattoo, or hair removal or other skin treatment. 6. Equipment intended for brain stimulation that apply electrical currents or magnetic or electromagnetic fields that penetrate the cranium to modify neuronal activity in the brain. According to the IVDR 2017/746, in vitro diagnostic medical devices are reagents, reagent products, calibrators, control materials, kits, instruments, apparatus, pieces of equipment, software, or systems, intended by the manufacturer to be used in vitro for the examination of specimens, including blood and tissue donations, derived from the human body. There is no additional Annex under the IVDR 2017/746 available also not for products without an intended medical purpose. Regarding b): The device must have a medical purpose or fall within the scope of the regulations accordingly. It must be intended for at least one of the purposes specified in the definition: • For example, diagnosis, prevention, monitoring, prediction, prognosis, treatment, and alleviation of, or compensation for, an injury or disability, investigation,
6
C. Baumgartner et al.
replacement, or modification of the anatomy or of a physiological or pathological process or state, devices for the control or support of conception, or products specifically intended for the cleaning, disinfection, or sterilization of devices. • Providing information by means of in vitro examination of specimens derived from the human body, including organ, blood, and tissue donations concerning a physiological or pathological process or state, congenital physical or mental impairments, predisposition to a medical condition or a disease, to determine the safety and compatibility with potential recipients, to predict treatment response or reactions, and to define or monitoring therapeutic measures. The prevention (!) of injury or disability is, by definition, reserved for personal protective equipment as defined in the PPE Regulation (EU) 2016/425 (European Parliament and European Council 2016) and therefore not covered by the MDR/IVDR regulations. Regarding c): The definitions for a medical device in a) and b) are largely identical to the definition of a medicinal product within the meaning of the medicinal product directive (Directive 2001/83/EC, European Parliament and European Council 2001). However, the main criterion for distinguishing between medicinal products and medical devices is the principal intended action. Of particular importance is the description of how the mechanism of action is achieved in or on the human body. The manufacturer must prove that the principal effect is not achieved by pharmacological, immunological, or metabolic means. The description of the delineation must take into account the pharmacological, metabolic, and immunological definitions – these terms have been defined in the guidance document MDCG 2022–5 “Guidance on borderline between medical devices and medicinal products under Regulation (EU) 2017/745 on medical devices” (European Commission 2022c) and, due to their importance, are briefly summarized. Pharmacological means is understood as an interaction typically at a molecular level between a substance or its metabolites and a constituent of the human body (e.g. cells and their constituents, components of extracellular matrix, components of blood and components of body fluids) which results in initiation, enhancement, reduction or blockade of physiological functions or pathological processes.
The definition of the term “pharmacological” must be considered in the light of the current case law of the European Court of Justice. In a recent judgment (European Court of Justice 2012), the Court of Justice ruled that a pharmacological effect is not exclusively restricted to human cells. It is already a sufficient criterion for the existence of a pharmacological effect that such an effect also occurs in the human body on nonhuman cells (e.g., bacterial cells).
Regulatory Framework for Medical Devices and IVDs in Europe
7
Immunological means is understood as an action initiated by a substance or its metabolites on the human body and mediated or exerted (i.e. stimulation, modulation, blocking, replacement) by cells or molecules involved in the functioning of the immune system (e.g. lymphocytes, toll-like receptors, complement factors, cytokines, antibodies). Metabolic means is understood as an action of a substance or its metabolites which involves an alteration, including stopping, starting or changing the rate, extent or nature of a biochemical process, whether physiological or pathological, participating in, and available for, function of the human body (MDCG 2022-5).
Note that the description of an effect being achieved “purely physically” is not a sufficient criterion for the delimitation as a medical device, since every process – also processes in the human body – can be described by means of physical or quantum mechanical methods! The documentation for the delineation of a medical device must take into account the current scientific evidence. For the selection of criteria that can be evaluated against this scientific evidence or literature, the recommendations made for the clinical evaluation (see chapter ▶ “Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR”) should be used. The manufacturer must also consider whether additional EU regulations or directives are applicable to the product in parallel with the MDR 2017/745 and IVDR 2017/746. EU directives represent a superordinate set of rules which, after an appropriately defined transitional period, must be incorporated into the respective national legislation, so that the legally binding basis continues to be national law. EU regulations, on the other hand, are legally effective directly and immediately after publication in the Official Journal of the European Union (European Union law, Official Journal). Often, assignments to a corresponding EU regulation or directive are not always clear, so that the European Commission and other organizations offer additional assistance in the form of guidance documents (see MDCG and IMDRF guidelines). After successful assignment to one of the medical device regulations, the next step is the risk-based classification of the device, which is regulated separately in the respective regulation. MDR 2017/745 and IVDR 2017/746 classify according to Annex VIII using 22 rules for medical devices and 7 rules for IVDs, respectively. Depending on the risk-based classification of the product, this may have consequences for product market access path, such as the mandatory involvement of a notified body, which the manufacturer is free to choose in the European Union. It should be explicitly pointed out here that only one notified body can be selected and a change can usually only be achieved with great effort (see chapter ▶ “The Notified Body: The Conformity Assessment Body for Medical Devices in Europe”). Considerations such as recognition and combination of certificates, level of awareness in market countries outside the EU, expertise in the product concerned, accessibility and availability, and average turnaround times for product testing should be taken into account in the selection process of a notified body. A complete
8
C. Baumgartner et al.
overview corresponding to each regulation is available on the corresponding website of the European Commission (European Commission, NANDO).
2.1.2 MDR 2017/745 and IVDR 2017/746: The “New” EU Regulations Due to various incidents and scandals, the European Commission has decided to further adapt and harmonize the regulations for medical devices, which have brought significant changes and implications for all those working in this highly regulated environment. The main central feature of these changes was that the rank within the legislature was changed. Once introduced as directives and transposed into national laws, it was now decided to have two European regulations that are directly valid and applicable. According to the current state of knowledge, national laws will be amended to the extent that they are in line with the European regulations and where necessary, further additions may be regulated. After the final agreement between Commission, Council, and Parliament, the regulations were published in the Official Journal of the European Union on May 5, 2017. Twenty days later, these regulations entered into force, so that medical devices with the original plan for May 26, 2020 and in vitro diagnostics on May 26, 2022 will have to comply with the new regulations after the end of the transition period. For existing directive certificates, there was also the option to extend these transition periods again by 4 years for MDR 2017/745 and 2 years for IVDR 2017/746. The global corona pandemic (2020) postponed the initial timeline for the end of the transition period from May 2020 to May 26, 2021 for the MDR and to May 26, 2022 for the IVDR for all new devices (note that there are extended transition periods for IVD products already placed on the market). It should be noted here that although the regulations have already entered into force (May 2017), some additions may still be added in accordance with the “delegating act” and the “implementing act” by the EU Commission under the Lisbon Treaty. Therefore, it is necessary to carefully follow any development of the applicable regulation. The changes in EU legislation were extremely far-reaching both in scope and depth. The three directives became two regulations – AIMD 90/385/EEC and MDD 93/42/EEC together became MDR 2017/745 and IVD 98/79/EC became IVDR 2017/746, respectively. In addition, it can be noted that the scope of application was significantly expanded. In the MDD 93/42/EEC, 23 articles were sufficient to define the rules and requirements, whereas 123 articles were required in the MDR 2017/745, and instead of the 24 articles of the IVD 98/79/EC, 113 articles were required in the IVDR 2017/746. According to Article 120, MDR 2017/745, products that were placed on the market for the first time under the MDD 93/42/EEC may be made available for the market or put into service until May 2025 at the latest. After this date, conformity according to MDD 93/42/EEC is no longer permissible and goods in stock will become worthless accordingly. In overview, the following selected requirements have been changed or expanded:
Regulatory Framework for Medical Devices and IVDs in Europe
9
In order to comprehensively increase transparency, as well as improve traceability and the information flow of all parties involved (economic actors, notified bodies, EU Commission, member states, etc.), all relevant information is to end up in the EUDAMED database (European Commission, EUDAMED). The registration of the products takes place via a unique UDI (unique device identification) code. For the acting economic actors – manufacturers, suppliers, importers, distributors, and authorized representatives in the European Community – new or more precise requirements were defined. The supply chain in particular should also be subject to increased transparency. Requirements for risk management, vigilance, and post-market surveillance are seen as an integral part of quality management, which, in contrast to EN ISO 13485 (CEN/CENELEC 2016), should also be continuously improved for manufacturers in accordance with Article 10(9) of the EU regulation. Systematic analyses and regular reporting documentation as well as the updating of technical documentation are of particular importance. The MDR 2017/745 itself also extends its scope to products with a “nonmedical” purpose (Annex XVI) and products that are similar to medical devices in their functionality and risk profile. Persons acting as a “person responsible for regulatory compliance (PRRC)” (Article 15) have a much broader range of tasks and more responsibility than the role of the security officer, which is familiar in the Germany-Austria-Switzerland region. The classification rules and also the underlying definitions have been revised, mostly also clarified or supplemented. In some cases, this is associated with a higher classification of the products and thus also a necessary higher documentation and testing effort and, if necessary, also the involvement of a notified body. Classification rule 11 under the MDR 2017/745 in particular and the associated classification for software (specifically stand-alone software, see MDCG 2021–24) continue to be the subject of numerous discussions among experts, especially for AI-based software applications. Substances of human origin and nanomaterials have been updated in the regulations, but again further findings from the EU Commission specifically on nanomaterials are expected. Theoretically, any plastic tube or catheter that comes into contact with the patient could release nanomaterials. For high-risk products, the involvement of the Medical Device Coordination Group (MDCG), the EU Commission itself, expert panels, and reference laboratories is envisaged (scrutiny procedure). The MDCG also publishes numerous guidance documents on its website (European Commission, MDCG), which further specify the text of the regulation and must be taken into account. The IVDR 2017/746 defined and introduced four risk classes (classes A–D) for which higher-risk devices (classes As-D) require the involvement of a notified body (see also MDCG 2020–16 [European Commission 2020]). In general, the concept of “common specifications (CS)” (see Article 9) was introduced, thus circumventing the very slow harmonization process for standards. It should be noted that, according to the EU Commission, the “acknowledged” state of
10
C. Baumgartner et al.
the art should also be taken into account. In addition, the common specifications are mandatory in the Declaration of Conformity (DoC). Additional safety and performance aspects were added to the general safety and performance requirements (Annex I of the two regulations). Persons entrusted with clinical evaluations must be able to demonstrate a sufficiently high level of expertise. Greater emphasis is generally placed on benefit-risk assessment and comprehensive risk management. Emphasis was also placed on post-market surveillance activities (see chapter ▶ “Post-Market Surveillance and Vigilance on the European Market”) – (active) market monitoring has become significantly more important and requires additional solutions in the reporting system of the manufacturers. In this regard, it should also be noted that the notification period for serious incidents under Article 87 (MDR 2017/745) and Article 82 (IVDR 2017/746) was shortened to 15 days (previously 30 days), which could force some organizations to make an initial notification to the competent authorities as a precaution. The already known unannounced audits have now been directly included in the text of the regulation and oblige the notified body to perform an unannounced audit at least once in 5 years. Samples may also be taken during an audit, which will be compared with the regulatory requirements. The designation procedure for notified bodies has been regulated in more detail and tightened up, and the qualification requirements for personnel (technical experts/ auditors) have been increased. Adjustments and changes have also been made to the conformity procedures.
2.1.3
Conformity Assessment Procedures Under the MDR 2017/745 and IVDR 2017/746 According to Article 52, MDR 2017/745 and Article 48, IVDR 2017/746, prior to placing a device on the market or putting a device into service that is not placed on the market, manufacturers must undertake an assessment of the conformity of the device, in accordance with the applicable conformity assessment procedures set out in Annex IX (quality management system), Annex X (EU-type examination), or Annex XI (Part A – production quality assurance or Part B – product verification under the MDR or production quality assurance under the IVDR), respectively. For detailed information, see chapter ▶ “The Notified Body: The Conformity Assessment Body for Medical Devices in Europe.” The biggest difference is in the conformity assessment procedures between IVDR 2017/746 and the repealed Directive IVD 98/79/EC. While in the past about 15% of the IVDs required a notified body, after the introduction of the new regulation it is probably about 85%. This reversal definitely leads to a bottleneck for the notified bodies, as they also have to create corresponding resources and capacities, and on the other hand the manufacturers will now have to disclose their technical documentation extensively to a notified body for the first time. This already indicates that market entry will be delayed for manufacturers and that costs are expected to increase significantly.
Regulatory Framework for Medical Devices and IVDs in Europe
11
2.1.4 Change in the Technical Documentation In addition to the revision and renaming of the “essential requirements” to “general safety and performance requirements” (Annex I), Annex II and III (technical documentation) provide mandatory content for the technical documentation. This format, which closely follows the Summary Technical Documentation STED (GHTF/ IMDRF, Global Harmonization Task Force 2011), includes, for example, the general description of the product including the intended patient population as well as inclusion and exclusion criteria, risk classification, and product history; it also includes the product’s labeling and instructions for use. In addition, the exact steps and locations of product realization – from development to manufacturing to final inspection – must be outlined in the documentation. The general safety and performance requirements (formerly essential requirements) must be justified, and the safety of the product must be proven based on a benefit-risk analysis and risk management. In addition, unique identification should be possible for each product. For this purpose, the unique device identification (UDI) system is made mandatory. With the help of the UDI, a product can be clearly traced back from the manufacturer to the treating physician or patient. This is intended to improve the transparency of the system and make it more difficult to counterfeit products (see also chapters ▶ “Medical Products: Packing and Labeling Requirements” and ▶ “Manufacturing and Quality Assurance in Compliance with the MDR and IVDR”). The UDI system will be introduced gradually, starting with high-risk products, in particular class III medical devices such as active implants and soft tissue implants, cardiac catheters, or implantable infusion pumps. Note that the introduction of a unique device identification does not only apply to Europe, the USA has also issued clear rules on this! However, not only the products are affected by the registration and unique identification, but also the economic operators. These also require a corresponding uniform registration number (SRN). This number must also be provided to the notified body by the manufacturer as part of the application for assessment. Another section of the technical documentation is devoted to product verification and validation. Particular attention is paid here to preclinical and clinical data. In particular, the manufacturer’s obligation to conduct a clinical evaluation and to establish a post-market clinical follow-up (PMCF) is explicitly mentioned. Annex III – technical documentation on post-market surveillance essentially reflects the defined requirements for the post-market surveillance system (PMS). The manufacturer shall establish appropriate procedures for handling customer feedback so that patient safety is ensured throughout the intended life cycle of the product. In order to emphasize the responsibility for regulatory compliance more clearly, the appointment of a qualified person (person responsible for regulatory compliance, PRRC), comparable to the safety officer for medical devices with a significantly expanded scope of tasks and responsibilities, is to be mandatory for manufacturers and European authorized representatives. In general, some significant increases in requirements or effort in the pre- and post-marketing phase are to be expected (e.g., in the case of an upgrade, annual postmarket reports on safety and performance) with the greatest impact on IVDs coming
12
C. Baumgartner et al.
from the introduction of risk classification and the associated impact on conformity assessment procedures (involvement of a notified body from class As), or, in the case of high-risk class III products, with the scrutiny procedure. However, the effort required for the transition, especially in the IVDR area (the end of the transition period for the MDR has already been reached in 2021), should not be underestimated, as manufacturers must carry out new conformity assessments for each of their products in accordance with the new rules and standards. Many older products whose technical documentation has grown historically have to be brought up to date in terms of documentation or have already done so. In particular, manufacturers who have not had to involve a notified body to date and who cannot take advantage of an extension of the transition period through existing certificates must act quickly, as the transition period ends in 2022 for all new devices.
2.1.5 Harmonized Standards/Common Specifications The definition of harmonized standards according to the European Commission Guide is: Harmonized standards are European standards prepared by European standards organizations on the basis of a mandate issued by the Commission after consultation of the member states, in accordance with the general guidelines agreed between the Commission and the European standards organizations (European Commission 2018). The European standards organizations responsible for the publication of harmonized standards, marked with the prefix EN, are the Comité Européen de Normalisation (CEN) for general standards or the Comité Européen de Normalisation Electrotechnique (CENELEC) for electrotechnical standards. However, international standards such as ISO (International Organization for Standardization) or IEC (International Electrotechnical Commission) are often adopted in their wording by the abovementioned bodies and only provided with a corresponding preface. Corresponding standards are then also adopted by national standards bodies such as the Austrian Standards Institute (ÖNORM), the German Institute for Standardization (DIN), or the Association française de normalisation (NF), with the organizations again prefixing their corresponding prefix (e.g., ÖNORM EN ISO 13485, DIN EN ISO 13485, NF EN ISO 13485). Harmonized standards which can be used to meet the general safety and performance requirements and which confer a presumption of conformity are published regularly in the Official Journal of the European Commission. The journal is available on the relevant EU website (European Union law, Official Journal). The associated harmonized standards under the regulations MDR 2017/745 and IVDR 2017/746 can be found on the respective websites (European Commission 2022a, b). The European Commission is expected to further expand the lists of harmonized standards in support of the MDR 2017/745 and IVDR 2017/746 in the coming months and years. In addition to the harmonized standards, the new regulations also introduce common specifications (CS). This will enable the EU Commission, in consultation with the Medical Devices Coordination Group, to issue CSs within the framework of implementing acts if no harmonized standards exist or if the relevant harmonized
Regulatory Framework for Medical Devices and IVDs in Europe
13
standards are insufficient or if these no longer take account of public health and safety concerns. This would allow the Commission to circumvent long-standing disputes over harmonization progress. However, this also means that the discussion about the topicality of the (harmonized) standards used/applied is gaining in importance again. If there are already new valid standards from older harmonized predecessors, or even new ones, and if these bring new insights into safety and/or performance aspects, then these are to be preferred to the older harmonized standards and applied (the regulations speak here of “(acknowledged) state of the art”). In this regard, it is also worth taking a look at the Product Liability Act, which takes into account the state of the art in science and technology when placing a product on the market. Compliance with standards, and thus also with harmonized standards, is in principle voluntary (Note: state of the art will be assessed by the notified body). In the case of harmonized standards, however, the presumption of conformity means that the level of protection described therein must be taken into account in the design of the products and may not be undercut. However, it must also be checked whether the “state of the art” already provides for a higher level of protection! As is well known, standards represent a generally applicable set of rules and merely define the minimum requirements for a system, a product, or a process. In this context, the following verbal forms have special significance in interpretation: • “Shall” indicates a requirement. This specification is mandatory to implement and leaves no room for discussion. • “Should” indicates a recommendation. A requirement is recommended for compliance with the standard, but is not mandatory. However, practice shows that it requires a valid justification to notified bodies or authorities not to comply with it. • “May” indicates a permission; “can” a possibility or a capability, indicating a possibility to comply with the standard specification.
2.1.6
The Most Important European Standards in the Field of Medical Devices The following standards are of central importance for systems, processes, and the product. Harmonization of the first standards has already been carried out for the new regulations. • EN ISO 13485 – “Medical devices – Quality management systems – Requirements for regulatory purposes” (CEN/CENELEC 2016). This standard specifies requirements for a quality management system where an organization (manufacturer, distributor, and supplier) needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Points such as documentation requirements, management responsibility, management of resources, product realization, procurement, production, measurement, analysis, and improvement are explicitly addressed in this standard.
14
C. Baumgartner et al.
• EN ISO 14971 – “Medical devices – Application of risk management to medical devices” (CEN/CENELEC 2019). This standard specifies terminology, principles, and a process for risk management of medical devices, including software as a medical device and in vitro diagnostic medical devices. With the introduction of this life cycle standard and its referencing in most medical device-specific standards, a process has been defined to identify the hazards associated with the product for patients, users, and third parties, and to assess and manage the associated risks. The operation of product risk management in all life cycle phases of the product is one of the most important obligations of the manufacturer (see also chapter “Risk Management for Medical Devices in Compliance with EN ISO 14971”). • EN 62366–1 – “Medical devices – Application of usability engineering to medical devices” (CEN/CENELEC 2015). This standard specifies a process for a manufacturer to analyze, specify, develop, and evaluate the usability of a medical device as it relates to safety. This applicable standard is the further development of IEC 60601-1-6, which sets requirements for analysis, specification, development, and verification and validation of usability. The importance of the requirement for this fulfillment of usability is evident in many evaluations of “incidents.” Many incidents can be traced back to a lack of usability, so that notified bodies and authorities are also paying increasing attention to compliance to this area. • EN 62304 – “Medical devices software – Software life cycle processes” (CEN/CENELEC 2006). This standard defines the life cycle requirements for medical device software. The set of processes, activities, and tasks described in this standard establishes a common framework for medical device software life cycle processes. It applies both to software as a stand-alone product and as part of a medical device. Here too, as in EN 62366-1, the link to risk management is of central importance. • EN ISO 14155 Clinical investigation of medical devices for human subjects – Good clinical practice (CEN/CENELEC 2020). This standard addresses good clinical practice for the design, conduct, recording, and reporting of clinical investigations carried out in human subjects to assess the clinical performance or effectiveness and safety of medical devices. It is also related to Annex XV of MDR 2017/745 and Annex XIV of IVDR 2017/746, respectively. In product-specific terms, the safety-relevant standards are essentially worth mentioning in this overview. The EN IEC 60601 and EN ISO 10993 series of standards is particularly relevant for the MDR 2017/745, and the EN IEC 61010 and EN ISO 10993 series of standards as well as the EN ISO 17664-1 (CEN/CENELEC 2021a) and EN ISO 20916 (CEN/CENELEC 2021b) for the IVDR 2017/746. The basic structure of the series of standards is identical. The basic standard specifies the general requirements for safety and the essential performance characteristics. Supplementary parts define additional requirements for safety and performance characteristics. In addition, there may be specific requirements in the area of safety (special requirements) and/or performance characteristics.
Regulatory Framework for Medical Devices and IVDs in Europe
15
Corresponding standards are to be taken from the list of harmonized standards as a reference and checked for corresponding applicability (European Commission 2022a, b). For safety and performance standards, objective evidence in the form of CB certificates and test reports is often required for international registration purposes. CB stands for certification bodies, which perform specific tests according to the CB scheme in accordance with the applicable standard and issue a corresponding certificate after a positive test result. For more information, visit the relevant IECEE website (International Commission on the Rules for the Approval of Electrical Equipment, IECEE). In addition to these internationally recognized procedures, the testing and certification bodies themselves also offer their own test marks (e.g., for Germany the GS mark [tested safety] from TÜV, Dekra, KEMA, BSI, SGS, UL, and many more testing bodies), which are very often also used to prove the safety requirements for the corresponding country and to mark them accordingly. In addition to product-specific standards, standards and guidelines on the subject of cyber security have recently come into focus as a result of advancing digitalization. These include the ISO/IEC 27034 series, IEC 80001-5-1, AAMI TIR 57, and guidance documents such as MDCG 2019-16, the FDA Guide to Cybersecurity, and the MHRA Guide. In practice, an additional “quality standard list” has proved useful for each product, providing an overview of the applicable standards for the product and serving as a basis for conformity assessment. If standards are only partially applied, it must be argued how the required protection goals can be achieved otherwise. The so-called “Z” annexes of the standards can also provide support in this respect.
2.1.7 Important Steps for a Successful Market Entry in Europe Once the procedural route has been defined, the part of the preparation of the technical documentation required for the conformity assessment procedure also begins at the same time as the development of the product. It has also proven advisable to involve the notified body at an early stage, if necessary, in order to save costs and time accordingly. A major hurdle for involving a notified body is the complete availability of the technical documentation prior to testing at the notified body and commissioning. Some notified bodies allow a maximum of three supplements to the technical documentation. If these applications are negative, they reject the commissioning and must also store this rejection in the EUDAMED database in accordance with the regulation! 2.1.8 Clinical Evaluation In both EU regulations one is obliged to perform a clinical/performance evaluation as part of the conformity assessment procedure. According to the MDR 2017/45, the performance requirements for the intended use of a medical device must be demonstrated by a clinical evaluation. Similarly, the evaluation of adverse effects and an assessment of the acceptability of the benefit-risk ratio must be performed. This can be done, as specified in the
16
C. Baumgartner et al.
European MedDev Guideline 2.7-1 (Clinical Evaluation: A Guide for Manufacturers and Notified Bodies, European Commission 2016), using current data from the available scientific literature on safety, performance, design characteristics, and intended use, as well as data from clinical experience reports and clinical trial results, although the pathways are somewhat different for clinical investigations (medical devices) and clinical performance studies (IVDs) (see chapters ▶ “Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR” and ▶ “Performance Evaluation and Performance Studies of in Vitro Diagnostic Medical Devices Under the IVDR”). Evidence of clinical suitability and safety, as well as performance aspects, can in principle be based both exclusively on scientific literature and in combination with clinical experience and the results of clinical trials – however, there are certain restrictions on the sole use of individual sources, and the path via a pure literature approach has been made significantly more difficult in the regulations due to the equivalence consideration of the products. In addition, many proofs of safety can be substantiated based on in vitro studies or on animal models (preclinical) without endangering test subjects in the context of an application in humans. Scientific Literature Scientific literature is the most common source of clinical data in daily practice. Based on such data, evidence of clinical safety and clinical performance of equivalent medical devices can be provided. However, it must be proven that the results in the literature are valid for the medical device under consideration. Particular attention must be paid to comparability with respect to the devices under consideration, areas of application, indications, and also patient groups. Data from scientific literature must be subjected to critical appraisal and evaluation. In particular, the source of the data must be taken into account. The scientific literature should primarily be peer reviewed by experts in the field. The following literature databases are recommended to be primarily used as sources for such literature: • Scientific databases such as Medline/PubMed, Embase, or Medion database. • Systematic review databases such as the Cochrane Collaboration. • Clinical trial directories such as CENTRAL database (Cochrane Central Register of Controlled Trials) and incident databases such as Maude database (Manufacturer and User Facility Device Experience) of the US FDA. (For websites of databases, see References) Clinical Experience Clinical experience and follow-up studies are an important part of demonstrating the safety of medical devices in clinical use. They are obtained during post-market surveillance and are therefore important sources for clinical safety, especially during the lifetime of the medical device. Clinical experience reports as the sole source for an initial clinical evaluation prior to first market access are generally not sufficient.
Regulatory Framework for Medical Devices and IVDs in Europe
17
The data must have been legally generated – pro forma CE marking to circumvent clinical testing violates the requirements of the national Medical Devices Acts. When evaluating clinical experience reports – just as when evaluating scientific literature – the transferability of the data to the medical device under consideration must be demonstrated, especially if they were not obtained with the actual product but with a comparator product. In addition, it should be noted that clinical experience data are only suitable for estimating complaint statistics to a limited extent, since the handling of incident reports varies in different countries, sometimes considerably. Clinical Investigation The clinical investigation represents the demonstration of clinical safety and performance within the framework of a defined experimental set-up with human subjects. However, it should be noted that, for ethical reasons, only information that cannot be obtained by other means may be collected in the context of a clinical trial. For example, evidence of biocompatibility, electrical or functional safety, or clinical usability must be available prior to the start of a clinical trial. It often turns out that the technical validation of medical devices is very well mastered by the manufacturers. This applies in particular to the proof of the design and dimensioning of the products, the selection of materials, and the design of surfaces. In particular, technical tests, e.g., electrical safety or in vitro proof of biocompatibility, are available for almost all medical devices. However, clinical data is often only incompletely recorded. This is particularly problematic in direct interaction with biological systems – such as the human body. Technical modeling only incompletely captures the real conditions in this highly complex system. In particular, if the clinical evaluation was based on scientific literature or clinical trials, clinical feedback must be collected and evaluated in practice. Within the scope of this post-market clinical follow-up according to the MDR 2017/745, Annex XIV or IVDR 2017/746, Annex XIII (post-market clinical follow-up, PMCF), information on additional safety aspects can be obtained and thus complement the existing clinical data. Based on this evaluation, the existing residual risk and thus also the benefit-risk ratio must be reassessed. It can thus be seen that it is precisely clinical experience that is of particular importance in clinical evaluation. Clinical evaluation is closely linked to the conformity assessment of the medical device under consideration via risk management. The three systems – clinical evaluation, risk management, and conformity assessment – can therefore not be considered in isolation, but have a multitude of interfaces. A clinical investigation with medical devices may only be conducted if safety for the patient and user is guaranteed. For in vitro diagnostic devices, the evidence of technical and functional safety must be available prior to the start of the trial. The basic requirements for conducting clinical trials in humans are defined in the harmonized standard EN ISO 14155 (CEN/CENELEC 2020). This standard defines in particular requirements for the protocol or the clinical investigator’s manual, but also the responsibilities of the sponsor, the monitor, and the clinical investigator.
18
C. Baumgartner et al.
2.1.9 Clinical Evaluation of IVDs: Performance Evaluation The clinical evaluation for in vitro diagnostic devices is referred to as performance evaluation and represents the corresponding equivalent. The manufacturer has to prove that the product can provide the specified performance data – in particular sensitivity and specificity, repeatability, but also precision. A distinction is made between the diagnostic and therapeutic relevance and informative value of a diagnostic product. As part of the conformity assessment procedure, the manufacturer must, on the one hand, demonstrate that the product is technically capable of meeting these performance parameters. However, evidence must also be provided that these parameters have clinical significance and relevance for a diagnosis or a further therapeutic decision. The requirements for performance evaluation testing are defined in the harmonized standard EN 13612 (CEN/CENELEC 2002). In addition, EN ISO 20916 (CEN/CENELEC 2021b) or CLSI documents are further valuable sources of information. The effort required for clinical evaluation, especially if a clinical trial is to be conducted, should not be underestimated. Not only the corresponding regulatory deadlines and activities have to be planned for, but also legal contractual aspects with the respective partners (e.g., physicians, hospitals, third-party investigators, etc.) cost the manufacturer a lot of time and money. However, the introduction and establishment of appropriate standardized processes can help the manufacturer to minimize the corresponding effort in case of recurrence and to avoid nasty surprises. External service providers can also provide support in this activity. 2.1.10 Declaration of Conformity and the CE Marking of the Product Before placing the product on the market for the first time and after successful completion of the conformity assessment procedure, the manufacturer must issue a Declaration of Conformity (DoC), either on his own responsibility or in cooperation with the notified body depending on the procedural route, stating that he has complied with all the regulations and provisions applicable to the product. The EU regulations provide in Annex IV a compilation of the information to be included in the Declaration of Conformity. Finally, the product can be marked with the CE mark. 2.1.11
Registration of the Manufacturer, Economic Operators, and the Product Anyone wishing to place the product on the market as the “person responsible for placing it on the market for the first time in the European Economic Area,” i.e., the manufacturer, the authorized representative or the importer must notify the authorities in accordance with national legislation or be registered before commencing activities. National registrations have been gradually replaced by registration in the EUDAMED database. It is very important to clarify the roles of all economic operators (distributor, importer, etc.) to ensure legal certainty. This includes not only registration aspects or identification of all economic operators within the supply chain but also handling communication and especially market surveillance activities. In case of
Regulatory Framework for Medical Devices and IVDs in Europe
19
nonconformities, all relevant economic operators shall cooperate with the competent authorities, e.g., they have to ensure that all appropriate corrective actions are taken for all the devices concerned they have made available on the European market. To support an international exchange of information, efforts are also being made to establish a uniform nomenclature for medical devices. Currently, the Universal Medical Device Nomenclature System (UMDNS) is used for medical devices and the European Diagnostic Market Statistics (EDMS) for in vitro diagnostic devices. UMDNS and EDMS are to be replaced by the European Medical Device Nomenclature (EMDN), which uses the Italian CND Code (Classificazione Nazionale dei Dispositivi medicini) as its basis. This in turn, along with the UDI, is the basis for registration in EUDAMED. In the harmonization efforts, one also recognizes the increased willingness of the authorities to cooperate internationally. Particularly in the area of patient safety and the exchange of information in the event of incidents (vigilance – incident reporting), the mandatory approaches are clearly evident (e.g., through the mandatory application of the IMDRF codes in the context of incident reports).
2.1.12 Placing on the Market Once the registration activities and the issuance of the Declaration of Conformity as well as the affixing of the CE mark have been successfully completed, the product can be freely marketed and traded on the European domestic market. Here, too, it should be noted that national legal requirements, such as the relevant national language for the instructions for use, or national registrations, as in Italy, must be met before the product can be launched on the market. However, the manufacturer’s obligations do not end when the product is placed on the market. As stated in the regulations, the manufacturer is responsible for taking care of his product throughout its life cycle. For this purpose, market surveillance must be carried out.
2.1.13
Market Surveillance and Information on Post-marketing Incidents This obligation to monitor derives, on the one hand, from the regulations and implemented laws and, on the other hand, from harmonized standards such as the risk management, software life cycle, or quality management standard (EN ISO 14971, EN 62304, EN ISO 13485). Here, the manufacturer has to evaluate feedback from the market and, if necessary, derive appropriate measures and actions. From the point of view of the supervisory authorities and the notified bodies, the manufacturer must also proactively monitor the market. According to European legislation, EU member states must operate national incident or near-incident reporting systems, which are to be harmonized in the next few years, in which manufacturers, operators, and patients can report their incidents. Manufacturers can also use these to derive useful information for their own product in terms of market surveillance.
20
C. Baumgartner et al.
2.1.14
Monitoring of the Manufacturer by the Authorities and Notified Bodies The authorities and notified bodies are also obliged to monitor manufacturers for compliance with the regulations. This usually takes the form of inspections and audits, during which products, documents, and processes are examined, depending on the conformity assessment procedure. In the meantime, the authorities cooperate and inform each other about incidents so that corresponding reporting deadlines should not be overlooked. Notified bodies also cooperate with each other, at the European level in the European Association of Notified Bodies for Medical Devices (Team NB), with the aim of having more weight vis-à-vis the authorities and industry in matters of safety and ethical standards and to reach consensus on certain problems.
3
Approval of Medical Devices in Non-European Markets
3.1
USA
Next to the European single market, the US market is the second most important market for many European manufacturers. The following section therefore examines the approval situation on the US market, also looking at specific differences between the approval procedures of the two markets.
3.1.1 The Legal Situation Medical devices in the USA are legally subject to the Federal Food, Drug, and Cosmetic Act (FD&C Act), which, like the Constitution (Bill of Rights), is enacted by Congress. This regulation, more precisely for medical devices, Chap. V – Drugs and Devices, forms the legal framework within which the FDA (Food and Drug Administration) must operate. This in turn, in accordance with the Administrative Procedure Act, other Federal Laws, and involvement of the public, known as notice and comment rulemaking, fleshes out its rules and requirements for compliance with the FD&C Act. For medical devices, this has been implemented in the twenty-first title of the Code of Federal Regulation, more specifically in CFR Title 21 – Food and Drugs: Parts 800 to 1299 (FDA, CFR). In addition to the legal requirements, which are reviewed by the FDA, i.e., by the regulatory authority, there are also guidance documents issued by the FDA, which are intended to serve as interpretation aids for FDA personal and manufacturers. Unlike the statutory regulations, these are not legally binding, but are of great importance for successful market approval. In addition, similar to the harmonized standards in Europe, there are the Recognized Consensus Standards, which can be used to meet regulatory requirements. These, as well as many other useful documents, are published on the websites of the respective agency. As for the European market, the first question to ask is: “Does the product fall within the definition of a ‘Medical Device’?”
Regulatory Framework for Medical Devices and IVDs in Europe
21
Under FD&C Sec 201(h) one finds, “A Medical Device is [. . .] an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: • recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, • intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or, • intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.” Once this is clearly established, the second question is: “In which of the three classes (class I, II, III) could the FDA classify the product?” The first difference to the European system is that only the FDA itself makes the final classification for the respective product. The manufacturer must therefore estimate the device class himself at the beginning, as the further procedure largely depends on this. The classes are divided according to risk – class I low risk, class III highest risk. Accordingly, different requirements are placed on the products. Generally according to FD&C Sec 513: • Class I: general controls with/without exemptions (example: examination gloves and wheelchairs). • Class II: general controls + special controls with/without exemptions (example: ultrasound diagnostic devices and blood gas analyzers). • Class III: general controls + premarket approval (example: active implants and markers for HIV). Specifically, the FDA has classified about 1700 general product types according to this scheme. The main difference with the European system is that there are no different regulations for medical devices and IVDs, but only these three classes into which all systems are classified. To find the classification of the product and to find out if there are exceptions, there are two ways: first, the direct way via the classification database (FDA, Product Classification), where you can search for a part of the device name (e.g., thermometer and glucose). Or second, if you know which device panel the device falls under, you can find the classification there. A list of panels can be found on the Internet (FDA, Device Classification Panels). With the classification, the further procedure up to market approval is almost fixed. Essentially, there are two procedures for new products, based primarily on classification:
22
C. Baumgartner et al.
• The simplified approval procedure according to FD&C Sec 510(k). • PMA (premarket approval) usually preceded by IDE (investigational device exemption) to conduct clinical trials.
3.1.2 510(K) Approval Process The requirements for 510(k) clearance for class I or II products are: • The existence of a comparator product already approved in the US market with which the comparison is intended to be substantially equivalent in safety and effectiveness. • Clinical studies are not required. A traditional 510(k) clearance consists of 21 sections that must be completed with supporting evidence for the medical device. For each of these sections, the FDA usually provides a more or less detailed description or even guidance, e.g., for software (Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices) on its website (FDA, Guidance Document). To speed up the review process, the authorities have introduced two important innovations. Firstly, the file must now also be made available electronically (see the guideline “eCopy Program for Medical Device Submissions”) and, secondly, the FDA has introduced a type of incoming inspection at the Document Control Center (DMC) (see the “Refuse to Accept Policy for 510(k)s”). Using an internal FDA checklist, the basic requirements are checked before the DMC accepts the submission. Upon completion of the process (under regulations, the FDA has 90 days to complete the review), the FDA issues a notice stating whether or not the respected product is substantially equivalent to a product already on the market. If the review is positive, the product is allowed to be launched on the market, and the requirements to be met, such as annual registration, GMP requirements, listing, and obligations for medical device reporting, are listed. In addition, a so-called 510(k) Decision Summary is provided in accordance with 21 CFR 807.92, which can also be viewed by anyone in the 510(k) database and is a more or less a brief summary of the submitted data. Note that the 90 days listed only apply if the FDA has no queries or requests additional documents. If data are subsequently requested, the time is paused until the relevant data are subsequently submitted. If relevant data are not submitted within the agreed time, consideration should be given to withdrawing the application.
3.1.3 Premarket Approval (PMA) The second procedure applies to class III products – high-risk products: • All class I and II devices not covered by the 510(k) process. • Devices that require clinical studies to be conducted (an investigational device exemption [IDE] application must be submitted prior to conducting the clinical studies (FDA, Investigational Device Exemption)).
Regulatory Framework for Medical Devices and IVDs in Europe
23
The PMA is the most stringent process for FDA marketing approval (FDA, Premarket Approval). Here, the FDA examines whether there is sufficient scientific evidence that the product is safe and effective for the intended purpose. If approval is successful, the submitting party (usually the manufacturer) receives a license to enter the market. The time frame provided by the FDA for a review is 180 days. In reality, due to queries and subsequent submissions, the timeframe is many times this, and not infrequently may even have a duration of several years. Before the FDA accepts or rejects a PMA, the relevant FDA advisory board may discuss the facts with the applicant in a public hearing or involve scientific reviewers, and only then make a recommendation to the FDA to accept or reject the PMA. Acceptance or rejection is again communicated to the submitting party through a public, reasoned decision. “Interested parties” then have the opportunity to appeal the decision within 30 days. The most common procedure today is the Modular PMA, in which the overall requirements are divided into modules, each of which is reviewed and evaluated separately. For details, see FDA guidance document “Premarket Approval Application Modular Review” (FDA, Guidance Document). An IDE application must be submitted to collect clinical data, demonstrating the safety and effectiveness of a PMA or 510(k) as part of a clinical trial.
3.1.4 Investigational Device Exemption (IDE) With few exceptions, all clinical trials must have an IDE before the trial can begin. In most cases, the following requirements must be met: • • • • • •
FDA informed consent for an IDE. A positive vote by the ethics committee (Institutional Review Board [IRB]). Informed consent from the patients. Labeling for investigational use only. The monitoring procedure for the study. Required records and reports.
Prior to the IDE, a so-called pre-IDE should be carried out. This is an agreement between the “sponsor” (¼ submitter) and the Office of Device Evaluation (ODE) of the FDA on the procedure for the actual IDE. However, it must be accepted that these are generally nonbinding statements on the part of the agency.
3.1.5 FDA Programs In addition to the classic approval procedures, the FDA also has special programs, which are essentially intended to accelerate the procedures listed above. These include, for example: • • • •
Breakthrough Devices Program (FDA, Breakthrough Devices Program). Safer Technology Program (STeP) (FDA, Safer Technology Program). Digital Health Precertification (Pre-Cert) Program (FDA, Pre-Cert). Q-Submission Program (FDA, Q-Submission Program).
24
C. Baumgartner et al.
3.1.6 Premarket Requirements: Labeling, Registration, and Listing Before approval is granted, it must be ensured that the labeling (¼ any written presentation of information) complies with FDA labeling regulations (FDA, Device Labeling). In addition, the following companies must register in accordance with 21 CFR 807 (Establishment Registration): • • • • • • • •
Medical device manufacturers. Distributors. Companies that package or change labeling. Developers for products/specifications. OEM manufacturers. Contract sterilization companies. Accessory/Component manufacturers for direct distribution to the USA. Non-US manufacturers.
This is largely done electronically in the FDA’s Unified Registration and Listing System (FURLS) (FDA, How to Register and List). Foreign establishments must designate a US agent to serve as a contact person to the FDA who physically resides or has a business address in the USA (i.e., not a post office box) and can be reached by telephone during normal office hours – 21 CFR 807.3 (r). In addition to registration, the following companies are required to have a device listing under 21 CFR 807: • • • • •
Medical device manufacturers. Companies that package or change labeling. Developers for products/specifications. Accessory/Component manufacturers for direct distribution to the USA. Non-US manufacturers or exporters or their US sole distributors.
There are also post-market requirements that must be met by the manufacturer in addition to premarket requirements. Manufacturers must establish and maintain a quality management system to ensure that their products comply with applicable requirements and specifications. The quality management systems for FDA-regulated products are known as cGMP (current Good Manufacturing Practice) and are specifically addressed for instruments, devices, etc. in 21 CFR 820, which is constantly being expanded to include the latest knowledge (influenced by IMDRF [GHTF] and ISO 13485, e.g., 61 FR 52602). In addition to the requirements for a quality management system, the FD&C Act also requires medical device reporting in Sec 519(a). Thus, in the event of a fatal incident or serious injury, every manufacturer is subject to the obligation to report this to the authority within a certain period of time, similar to the situation in Europe.
Regulatory Framework for Medical Devices and IVDs in Europe
25
For occupational safety and health reasons, the Occupational Safety and Health Administration (OSHA, Website) requires product testing in accordance with applicable protective regulations, in particular compliance with current safety standards. Evidence can also be provided in the form of test reports and certificates from nationally recognized testing laboratories (NRTLs), which, with good planning, can be carried out at the same time as the tests for the CB report.
3.2
Canada
Marketing authorization in Canada is set out in the Food and Drug Act and regulated by the Medical Device Regulation via Statutory Orders and Regulations 98-282 (SOR 98-282). These can be viewed publicly in the Canada Gazette, the official Canadian government journal (Government of Canada, Canada Gazette). It can be seen that approaches from Europe and the USA have been incorporated. Product licensing in Canada depends largely on the product risk class requirements for the quality management system and on the registration of the manufacturing and distribution companies, and requires proof of safety and effectiveness for the product. Products are classified into four classes according to “Schedule 1” of SOR 98-282, with class I being the lowest risk class and class IV being the highest. IVDs are also classified into these four risk classes. Note that in Canada, advertising for class II, III, and IV products is only permitted in the presence of a valid marketing license, and for high-risk class III and IV products, advertising (which falls under labeling) must be submitted as part of the approval process. For classes II, III, and IV, a Medical Device License must be applied for and a form must be completed for the respective product and the corresponding risk classes (Health Canada, medical device application and report forms, and Health Canada, guidance document, For websites see References). Table 1 shows typical representative products according to the classification rules. In addition to an individual medical device, there are additional possibilities for registration: • “Medical device family”: Means a group of medical devices that are made by the same manufacturer, that differ only in shape, color, flavor, or size, that have the same design and manufacturing process, and that have the same intended use. • “Medical device group”: Means a medical device comprising a collection of medical devices, such as a procedure pack or tray, that is sold under a single name. Table 1 Risk classes
I II III IV
Wheelchairs and surgical instruments Diagnostic ultrasound and contact lenses Dialysis machines and orthopedic implants Cardiac pacemaker
26
C. Baumgartner et al.
• “Medical device group family”: Means a collection of medical device groups that are made by the same manufacturer, that have the same generic name specifying their intended use, and that differ only in the number and combination of products that comprise each group. • “System”: A system is a medical device comprising a number of components or parts intended to be used together to fulfill some or all of the device’s intended functions, and that is sold under a single name. • “Test Kit”: Means an in vitro diagnostic device that consists of reagents or articles, or any combination of these, and that is intended to be used to conduct a specific test (Department of Justice Canada, Medical Devices Relegations). Approved class II through IV products are registered in the MDALL public database (Health Canada, MDALL); only then may marketing of these products begin. A Medical Device License is not required to apply for class I, but companies that do not have a distributor in Canada and distribute their products directly will need a Medical Device Establishment License. Another requirement of the medical devices regulation, which must be met even before the product is registered, is certification of the quality management system in accordance with CMDCAS rules (Canadian Medical Device Conformity Assessment System). The underlying basis is ISO 13485, which has been expanded to include corresponding requirements from the medical device regulation. This certification must be performed by a Health Canada accredited body. Accredited bodies can be found at the cited websites (Standards Council of Canada, CMDCAS, Health Canada, Quality Systems ISO 13485). However, as of 2019, Canada is discontinuing the CMDCAS program and is mandatorily transitioning to the MDSAP (Medical Single Audit Program) (Health Canada, MDALL). Note that changes in the QM system must be reported to the certifying body and Health Canada according to provided deadlines (30 days). There are also requirements for subcontractors! It is also mandatory in Canada for a medical device reporting system to be implemented for adverse events. This requires reporting of incidents in Canada (system failures, effectiveness failures, and labeling inadequacies that resulted or could have resulted in death or serious injury) or incidents outside of Canada if the product is sold in Canada and has been reported to the appropriate authority. Note: There are also statutory time limits (10/30 days). In addition, Canada is increasing obligations on manufacturers under post-market surveillance (Canada Gazette, Part II, Vol. 154, No. 26).
3.3
China
China has been one of the fastest growing markets in the world, also in the health care and medical device sector. Many companies are thus striving to register their products on the Chinese market, despite the fact that these registrations can be very
Regulatory Framework for Medical Devices and IVDs in Europe
27
lengthy and labor intensive. Essential information on regulations and requirements is often only available locally and in the local language. In addition, registration must be carried out in English and Mandarin. The competent authority is the NMPA (National Medical Products Administration, NMPA), which has taken over the approval and supervision of drugs and medical devices. Structurally, this central authority is organized similarly to the FDA. In a first step, one must ask how a medical device is defined in China. The Regulations for the Supervision and Administration of Medical Devices (State Council Decree No. 680) show that there are hardly any deviations from the European or American regulations (State Council of the People’s Republic of China, State Council Decree No. 680). After any clarification of the product’s classification as a medical device, a classification must be carried out. Chinese regulations provide for classification into three medical device classes according to risk and duration of use by the NMPA (State Council of the People’s Republic of China, Decree No.15): • Class I: “Medical Devices are those for which safety and effectiveness can be ensured through routine administration.” • Class II: “Medical Devices are those for which further control is required to ensure their safety and effectiveness.” • Class III: “Medical Devices are those which are implanted into the human body, or used for life support or sustenance, or pose potential risk to the human body and thus must be strictly controlled in respect to safety and effectiveness.” The classification, regulated by Provisions for Medical Device Classification (Decree No. 15), also provides for a Medical Device Classification Catalog (4- to 6-digit code), which can be used for one’s own product, where a wide variety of medical devices are already subdivided according to duration of use, invasiveness, and site of use (National Medical Products Administration, The Catalog of Medical Device Classification). A further requirement from the agency that must now be followed before the actual registration can begin. The NMPA requires all medical device, IVD, and pharmaceutical manufacturers that do not have a branch office in China to have a locally registered legal representative and customer service representative. This person is responsible for serving as: • Interface between manufacturer and NMPA (e.g., be available for registration queries, arrange inspection appointments, in-country testing, etc.) • Initial contact person for all Chinese authorities. • Vigilance reporter. • Assistance with the five-yearly reregistration process. It must also be clarified whether China Compulsory Certification (CCC) is not required for the product in question (e.g., X-ray equipment, ECGs, pacemakers,
28
C. Baumgartner et al.
heart-lung machines, dialysis equipment, etc.). This is usually done at a China Quality Certification Center (CQC), where a CB test report according to applicable standards is already very helpful. However, there are also agreements with some renowned European testing bodies (e.g., TÜV SÜD PS, UL, and ITL), so that on-site testing is no longer necessarily required in China. Class II or III devices classified in China may also require a clinical trial. This is always the case for long-term implantable devices. For all others, it depends on whether clinical data from studies outside China are already available or whether the devices have recognized approvals/registrations such as in the USA or Canada. For class II and III products, there are also requirements for the QM system, unless the certificate is recognized by the authorities. In this case, for class III products, the QM manual must be submitted, and NMPA subsequently performs a corresponding audit at the manufacturer’s premises. For class II, a self-audit must be performed and the authority decides whether or not an additional audit is necessary after the result has been submitted. For classes II and III, test reports in accordance with Chinese product requirements/technical safety standards must also be submitted. This can usually be provided by an internationally valid CB test report and is generally also recognized. However, the authorities reserve the right to check again according to their requirements. In overview, the following documents must thus be available for a submission: • Application form for the registration. • Qualification certificate(s) (business license etc.) of the applicant (manufacturer). • Copy of business license of the application agent and the authorization letter written by the applicant to the agent. • Marketing authorization certificate issued by a foreign competent authority to allow the product to be marketed in that country (or region) as a medical device. • Adapted product standard. • Instruction manual of the device (in Mandarin). • Product testing report issued by a NMPA-recognized testing lab (applicable for class II and III products). • Clinical test report or clinical data (according to specific product). • Product quality guarantee letter of the applicant. • Authorization letter written by the applicant to a representing agent in China, letter of promise written by the representing agent, and business license or the organization registration certificate of the agent. • Authorization letter written by the applicant to a responsible post-marketing service agent in China, letter of promise written by the agent, and qualification certificate of the agent. • Self-declaration for the authenticity of all submitted items. Meanwhile, China also allows electronic registration at https://erps.cmde.org.cn similar to the eCopy procedures of the US FDA. However, in order to be able to do
Regulatory Framework for Medical Devices and IVDs in Europe
29
this at all, a so-called “Certificate Authority” must be applied for and collected in person within 30 days. This is the only way to gain access to the system. The submission documents must then be uploaded to the system in accordance with the IMDRF Table of Content (ToC). In the future, it should also be possible to communicate directly with the reviewer via the system and to submit any missing documents (International Medical Device Regulators Forum, IMDRF). As can be seen from this explanatory introduction, the agent is of particular importance, and should therefore be chosen carefully. After successful registration, one then receives a certificate that is valid for 5 years, after which it must be renewed. The reregistration is carried out with similar specifications, also taking into account the product history of the last 5 years (vigilance reporting). If you are planning to “conquer” the Chinese market despite all its complexities, you will need to keep up to date with the latest legislation. In China, the designations, documents, and templates, as well as the laws themselves, are constantly changing. It is a very dynamic country and a large market. Therefore, it is highly recommended to have a trusted local representative who has the appropriate knowledge and skills.
3.4
Japan
In Japan, medical devices, pharmaceuticals, in vitro reagents, cosmetic products, and medical supplies are regulated by the Pharmaceutical and Medical Devices Act (PMD Act) (Ministry of Health, Labor and Welfare, MHLW). This law, in turn, can be expanded by regulations such as governmental ordinances and ministerial ordinances, as well as administrative notices (Ministry of Health, Labor, and Welfare) and their announcements. The central competent authority remains the Pharmaceuticals and Medicals Devices Agency (PMDA) (Website see References), a subgrouping of the Ministry of Health, Labor, and Welfare (MHLW). In Japan, there are two key elements for market entry: the license (“Kyoka”) and a product approval per corresponding risk class (“Todokede,” “Ninsho,” and “Shonin”). A license (“Kyoka”) is required by the Marketing Authorization Holder (MAH – manufacturer, preparer, and distributor), with the MAH playing the most important role for a manufacturer outside Japan. The MAH, resident and contactable in Japan, is the official applicant to the authority, thus is the official holder of the product approval and has three roles to fulfill with the authority: • General marketing supervisor. • Quality manager. • Safety manager. The license can be divided into three different classes:
30
C. Baumgartner et al.
First class: responsible for all risk classes. Second class: for risk class I and II. Third class: only risk class I. For manufacturers outside Japan, a Foreign Manufacturer Accreditation must also be applied for using Form 63-5. All applications must be submitted in Japanese. Furthermore, for a JGMP (Japan Good Manufacturing Practice) inspection, which is required at least every 3 years, the following points, among others, are important for the manufacturer and the MAH: • Retention periods according to legal requirements. • Infrastructural requirements (pest control, access restrictions, clothing, etc.) • Risk management. In addition, the following individuals shall be designated at the MHLW: • A domestic warehouse manager. • A person responsible for sales and distribution. • A person responsible for repairs. Medical devices in Japan are classified into four classes, risk based and according to JMDN (Japan Medical Device Nomenclature). According to their class, there are also requirements for the quality management system: • Class I: General Medical Device: “Todokede” – e.g., X-ray films. Class I products receive a marketing notification “Todokede” if the MAH and manufacturing site licenses, respectively, and the Kijun Tekigo Sho (QMS Conformity Attestation) are available. • Class II: Designated Controlled Medical Device and Specially Controlled Medical Devices: “Ninsho” – e.g., endoscopes. Devices in this class are certified by a recognized certification body (RCB). The RCB has a similar function as a notified body in the European Union. On the one hand, it performs product certification, and, on the other hand, it has to perform a quality management audit according to the JGMP (MHLW Ordinance No. 169). Since Japan also participates in the MDSAP program, this could be another way to bundle costs. Reputable notified bodies have accreditation of PMDA as RCB. This would also have the advantage that the MAH could possibly engage the same notified body for the audit in the country outside Japan and save associated costs. A license for MAH and manufacturing as well as Kijun Tekigo Sho is also assumed again. • Class III (e.g., balloon catheter) and class IV (e.g., pacemaker): “Shonin.” These higher classes already require an approval (“Shonin”) directly by the PMDA.
Regulatory Framework for Medical Devices and IVDs in Europe
31
Note that classification is not rule based as in Europe. Therefore, the term cannot be equated on a one-to-one basis. Application dossier is required for a successful product approval. This is usually the application form plus the STED documentation according to IMDRF (formerly GHTF) plus proof that the device data comply with the GHTF Essential Principles (Japan has adopted the GHTF documents into law). If the licenses and the results of a positive JGMP inspection are also available, nothing more stands in the way of marketing the product.
3.5
Brazil
Brazil is one of the fastest growing markets for medical devices. Brazil, a member of the Southern Common Market (Mercosur – along with Argentina, Paraguay, Uruguay, and Venezuela) has introduced and strengthened its medical device regulations over the last decade. Medical devices are regulated under Brazilian Law No. 6360/1976 and Decree 8077/2013. Resolutions RDC-185/2001, RDC 423/2020 for medical devices, and RDC-36/2015 for IVDs, as well as RDC 270/2019 describe the necessary documents and registration steps for the respective products. The competent authority is the Agência Nacional de Vigilância Sanitária (Brazilian Health Regulatory Agency, ANVISA). The classification, which is regulated in the respective annexes of the RDCs, is divided into four subgroups. In order to be able to place a product on the Brazilian market, one needs either a branch office in the country or a distributor approved by the authorities and an “Autorização de Funcionamento” (according to national regulation IN 01/94), a kind of work permit, before one can even start the registration process. In the narrower sense of the authority, both are the Brazilian Registration Holder, i.e., that representative for ANVISA inquiries and information. Electrically operated medical devices must additionally be tested and certified in a testing laboratory accredited by INMETRO before registration. These certificates are valid for a maximum of 5 years and must always be renewed. In addition, medical devices that have a radio module require an ANATEL certificate. ANATEL is the national telecommunications authority that only recognizes national product tests. For some medical devices, an Economic Information Report according to RE n 3385/2006 is also required. This includes questions on price comparisons with other countries, patient population, promotional materials, etc. For high-risk products and new products with innovative technology, Brazilian authorities may require a study. Early communication with ANVISA is advisable. Another hurdle in the process is demonstrating compliance with Brazilian Good Manufacturing Practice (BGMP) as per RDC-183/2017, which is required for many class II devices and for all class III and class IV devices. Recognition of MDSAP
32
C. Baumgartner et al.
audits as well as audits from IMDRF Recognized Bodies enables a shortening in the approval process. Note devices are classified into four classes based on risk (class I-IV). ANVISA’s classification system is based on the classification rules in Annex IX of the European Medical Devices Directive MDD 93/42/EEC. As such, classifications are often consistent between Europe and Brazil. For example, a class IIa/IIb device in Europe is usually a class II/III device in Brazil. ANVISA or commissioned accredited bodies shall inspect compliance with the requirements every 2 years, whereby each production site must have its own certificate. The costs for these inspections are to be borne by the manufacturer. For the registration itself, the documents specified in the relevant RDCs and their annexes must be prepared, including the proposed marking of the devices (labeling) and the instructions for use. In some cases, the manufacturer must also submit a Free Sales Certificate from the country of origin. The authorities assume that everything required must be done in the national language. If the verification by ANVISA is finally successful, ANVISA publishes the registration number in the Diário Oficial da União (DOU). The registration itself is then valid for 5 years and must then be renewed. As in many other countries, manufacturer responsibility does not end with registration, but also requires post-market surveillance and a vigilance reporting system. Accordingly, certain deadlines for notifications must be met.
4
Patents and Licenses
In addition to all country-specific legal requirements, other legal aspects must also be taken into account. Patent and licensing law peculiarities are significant in this respect. A patent is a sovereignly granted industrial property right for an invention (World Intellectual Property Organization, WIPO). On the one hand, it can be used to protect one’s own innovation from use and imitation for a specific period of time; on the other hand, care must be taken in the course of development to ensure that the relevant property rights are not infringed against, to ensure that in a worst case, this is not followed by many years of legal disputes or court-ordered sales bans that could threaten the existence of the company. Under certain circumstances, however, it is possible to acquire defined rights of use to such an industrial property (IP) right in the form of a license. Various licensing models may be available for this purpose or are already established. Discussing these patent and licensing aspects would extend beyond the scope of the information provided here, as each situation can be very different and varied and there is no general recipe for how to proceed. Nevertheless, these aspects must be regularly and completely reviewed during development or when product changes are made.
Regulatory Framework for Medical Devices and IVDs in Europe
5
33
Conclusions
This chapter provides an overview of the basic requirements for European certification of medical devices as well as the most common approval procedures and their requirements in some non-European markets. Specific information, also due to the ever-occurring changes, has to be compiled by oneself on the basis of the respective current legal situation or purchased through the appropriate involvement of global service providers. These not only help with translations and questions of interpretation, since they usually maintain offices in the respective countries, but also make their knowledge available for the search for a distributor or market authorization holder. In summary, it is possible to recognize a systematic in the process of each approval/registration: • • • • • •
Familiarization with the legal situation of the respective country. Classification of the product. Necessity of a registration holder, agent etc. Need for an import license or manufacturer license. Quality management system requirements. Additional requirements for safety and effectiveness of the product (e.g., safety engineering tests and clinical trials). • Vigilance activities. • Reregistration requirements. Approval activities always require forward-looking, continuous monitoring of country-specific legislation, regulations, applicable country-specific standards or supplements to standards, etc. It must therefore be determined at an early stage in a development process in which countries’ respective product is to be marketed. Subsequent country-specific adaptations will involve a great deal of effort, or may even be altogether impracticable. Efforts toward global harmonization should also be supported so that the variety of necessary documents can be standardized and also that at times bizarre proliferation of the documents required can be further reduced. Patent and licensing issues must also be clarified clearly and completely as part of the development process.
References Brazilian Health Regulatory Agency/Agência Nacional de Vigilância Sanitária (ANVISA). Retrieved from: https://www.gov.br/anvisa/pt-br/english Cochrane Library. Retrieved from: https://www.cochranelibrary.com Department of Justice Canada. Medical Devices Relegations, SOR/98-282. Retrieved from: https:// laws-lois.justice.gc.ca/eng/regulations/sor-98-282/fulltext.html Embase. Retrieved from: https://www.embase.com
34
C. Baumgartner et al.
European Commission (2016) MedDev 2.7/1 Guidelines on Medical Devices. Clinical Evaluation: A Guide for Manufacturers and Notified Bodies under Directives 93/42/EEC and 90/385/EEC European Commission (2018) Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee. Harmonised standards: Enhancing transparency and legal certainty for a fully functioning Single Market. Retrieved from: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri¼CELEX:52018DC0764&from¼EN European Commission (2019) Manual on Borderline and Classification in the community regulatory framework for medical devices. Retrieved from: https://ec.europa.eu/health/sites/health/ files/md_topics-interest/docs/md_borderline_manual_05_2019_en.pdf European Commission (2020) MDCG 2020-16 Guidance on Classification Rules for in vitro Diagnostic Medical Devices under Regulation (EU) 2017/746. Retrieved from: https://ec. europa.eu/health/system/files/2022-01/md_mdcg_2020_guidance_classification_ivd-md_ en.pdf European Commission (2021) MDCG 2021-24 Guidance on classification of medical devices. Retrieved from: https://health.ec.europa.eu/system/files/2021-10/mdcg_2021-24_en_0.pdf European Commission (2022a) Commission Implementing Decision (EU) 2022/6 of 4 January 2022 amending Implementing Decision (EU) 2021/1182 as regards harmonised standards for biological evaluation of medical devices, sterilisation of health care products, aseptic processing of health care products, quality management systems, symbols to be used with information to be supplied by the manufacturer, processing of health care products and home light therapy equipment. Off J Eur Union. L 1, 11–13. Retrieved from: https://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri¼CELEX:32022D0006&from¼EN European Commission (2022b) Commission Implementing Decision (EU) 2022/15 of 6 January 2022 amending Implementing Decision (EU) 2021/1195 as regards harmonised standards for sterilization of health care products, aseptic processing of health care products, quality management systems, symbols to be used with information to be supplied by the manufacturer and requirements for establishing metrological traceability of values assigned to calibrators, trueness control materials and human samples. Off J Eur Union. L 4, 16–18. Retrieved from: https://eurlex.europa.eu/legal-content/EN/TXT/PDF/?uri¼CELEX:32022D0015&from¼EN European Commission (2022c) MDCG 2022-5 Guidance on borderline between medical devices and medicinal products under Regulation (EU) 2017/745 on medical devices. Retrieved from: https://ec.europa.eu/health/latest-updates/mdcg-2022-5-guidance-borderline-between-medicaldevices-and-medicinal-products-under-regulation-eu-2022-04-26_en European Commission. Guidance – MDCG endorsed documents and other guidance. Retrieved from: https://ec.europa.eu/health/md_sector/new_regulations/guidance_en European Commission. NANDO (New Approach Notified and Designated Organisations) Information System, Retrieved from: https://ec.europa.eu/growth/tools-databases/nando European Commission. EUDAMED – European Database on Medical Devices, Retrieved from: https://ec.europa.eu/tools/eudamed/#/screen/home European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2002) EN 13612:2002 Performance evaluation of in vitro diagnostic medical devices European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2006) EN 62304:2006 – Medical device software – Software life cycle processes European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2015) EN 62366–1:2015 + A1:2020 Medical devices – Part 1: Application of usability engineering to medical devices European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2016) EN ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes
Regulatory Framework for Medical Devices and IVDs in Europe
35
European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2019) EN ISO 14971:2019 Medical devices – Application of risk management to medical devices European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2020) EN ISO 14155:2020 Clinical investigation of medical devices for human subjects – Good clinical practice European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2021a) EN ISO 17664-1:2021 Processing of health care products – Information to be provided by the medical device manufacturer for the processing of medical devices – Part 1: Critical and semi-critical medical devices European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2021b) prEN ISO 20916:2021 In vitro diagnostic medical devices – Clinical performance studies using specimens from human subjects – Good study practice European Court of Justice (2012) Judgment of the Court (Fifth Chamber) 6 September 2012 Chemische Fabrik Kreussler & Co. GmbH v Sunstar Deutschland GmbH, formerly John O. Butler GmbH. Reference for a preliminary ruling from the Oberlandesgericht Frankfurt am Main. Directive 2001/83/EC — Medicinal products for human use — Article 1(2)(b) — Meaning of ‘medicinal product by function’ — Definition of the term ‘pharmacological action. In Case C-308/11. Retrieved from: https://eur-lex.europa.eu/legal-content/EN/ALL/? uri¼CELEX%3A62011CJ0308 European Parliament and European Council (2001) Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the Community code relating to medicinal products for human use European Parliament and European Council (2016) Regulation (EU) 2016/425 of the European Parliament and of the Council of 9 March 2016 on personal protective equipment and repealing Council Directive 89/686/EEC. Off J Eur Union. L 81, 51–98 European Parliament and European Council (2017a) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 concerning medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 98/385/EEC and 93/42/EEC. Off J Eur Union. L 117, 1–175. Retrieved from: https://ec.europa.eu/growth/single-market/european-standards/harmonised-stan dards/medical-devices_en European Parliament and European Council (2017b) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. Off J Eur Union. L 117, 176–332. Retrieved from: https://ec.europa.eu/growth/single-market/european-standards/ harmonised-standards/iv-diagnostic-medical-devices_en European Union law (EUR-Lex). About EUR-Lex. Retrieved from: https://eur-lex.europa.eu/ content/welcome/about.html European Union law (EUR-Lex). Access to the Official Journal. Retrieved from: https://eur-lex. europa.eu/oj/direct-access.html Global Harmonization Task Force (2011) Summary Technical Documentation (STED) for Demonstrating Conformity to the Essential Principles of Safety and Performance of In Vitro Diagnostic Medical Devices Government of Canada. Canada Gazette. Retrieved from: https://gazette.gc.ca/accueil-home-eng. html Health Canada. Medical device application and report forms. Retrieved from: https://www.canada. ca/en/health-canada/services/drugs-health-products/medical-devices/application-information/ forms.html Health Canada. Guidance document. How to Complete the Application for a New Medical Device License. Retrieved from: https://www.canada.ca/content/dam/hc-sc/migration/hc-sc/dhp-mps/ alt_formats/pdf/md-im/applic-demande/guide-ld/md_gd_licapp_im_ld_demhom-eng.pdf
36
C. Baumgartner et al.
Health Canada. Medical Devices Active Licence Listing (MDALL) – Your reference tool for licensed medical devices in Canada. Retrieved from: https://health-products.canada.ca/mdalllimh Health Canada. Quality Systems ISO 13485. Retrieved from: https://www.canada.ca/en/healthcanada/services/drugs-health-products/medical-devices/quality-systems-13485.html International Commission on the Rules for the Approval of Electrical Equipment (IECEE). Retrieved from: https://www.iecee.org International Medical Device Regulators Forum (IMDRF). Retrieved from: https://www.imdrf.org/ documents Medion Database. Retrieved from: http://urlm.nl/www.mediondatabase.nl Ministry of Health, Labor and Welfare (MHLW). Retrieved from: https://www.mhlw.go.jp/english National Medical Products Administration (NMPA). Retrieved from: http://english.nmpa.gov.cn National Medical Products Administration (NMPA). The Catalog of Medical Device Classification. Retrieved from: http://www.nmpa-classification.com Occupational Safety and Health Administration (OSHA). Retrieved from: https://www.osha.gov/ dts/otpca/nrtl/index.html Pharmaceuticals and Medical Devices Agency (PMDA). Retrieved from: https://www.pmda.go.jp/ english PubMed Retrieved from: https://pubmed.ncbi.nlm.nih.gov Standards Council of Canada. CMDCAS-recognized certification bodies. Retrieved from: https:// www.scc.ca/en/accreditation/management-systems/cmdcas/cmdcas-recognized-certificationbodies State Council of the People’s Republic of China. Rules for Classification of Medical Devices (Decree No.15). Retrieved from: http://english.nmpa.gov.cn/2019-10/11/c_415411.htm State Council of the People’s Republic of China. Regulations on the Supervision and Administration of Medical Devices (State Council Decree No. 680). Retrieved from: http://en.osmundacn. com/shows/10/20.html Trials Central. Retrieved from: https://www.trialscentral.com U.S. Food and Drug Administration (FDA). Maude – Manufacturer and User Facility Device Experience. Retrieved from: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/ search.cfm U.S. Food and Drug Administration (FDA). CFR Title 21 – Food and Drugs: Parts 800 to 1299. Retrieved from: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm? CFRPartFrom¼800&CFRPartTo¼1299 U.S. Food and Drug Administration (FDA). Product Classification. Retrieved from: https://www. accessdata.fda.gov/scripts/cdrh/cfdocs/cfpcd/classification.cfm U.S. Food and Drug Administration (FDA). Device Classification Panels. Retrieved from: https:// www.fda.gov/medical-devices/classify-your-medical-device/device-classification-panels U.S. Food and Drug Administration (FDA). Guidance Document. Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices. Retrieved from: https:// www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-pre market-submissions-software-contained-medical-devices U.S. Food and Drug Administration (FDA). Investigational Device Exemption (IDE). Retrieved from: https://www.fda.gov/medical-devices/how-study-and-market-your-device/ investigational-device-exemption-ide U.S. Food and Drug Administration (FDA). Premarket Approval (PMA). Retrieved from: https:// www.fda.gov/medical-devices/premarket-submissions/premarket-approval-pma U.S. Food and Drug Administration (FDA). Guidance Document. Premarket Approval Application Modular Review. Retrieved from: https://www.fda.gov/regulatory-information/search-fdaguidance-documents/premarket-approval-application-modular-review U.S. Food and Drug Administration (FDA). Breakthrough Devices Program. Retrieved from: https://www.fda.gov/medical-devices/how-study-and-market-your-device/breakthroughdevices-program
Regulatory Framework for Medical Devices and IVDs in Europe
37
U.S. Food and Drug Administration (FDA). Safer Technologies Program (SteP) for Medical Devices. Retrieved from: https://www.fda.gov/medical-devices/how-study-and-market-yourdevice/safer-technologies-program-step-medical-devices U.S. Food and Drug Administration (FDA). Digital Health Software Precertification (Pre-Cert) Program. Retrieved from: https://www.fda.gov/medical-devices/digital-health-center-excel lence/digital-health-software-precertification-pre-cert-program U.S. Food and Drug Administration (FDA). Guidance Document. The Q-Submission Program. Retrieved from: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/ requests-feedback-and-meetings-medical-device-submissions-q-submission-program U.S. Food and Drug Administration (FDA). Device Labeling. Retrieved from: https://www.fda.gov/ medical-devices/overview-device-regulation/device-labeling U.S. Food and Drug Administration (FDA). How to Register and List. Retrieved from: https://www. fda.gov/medical-devices/device-registration-and-listing/how-register-and-list World Intellectual Property Organization (WIPO). Retrieved from: https://www.wipo.int/patents/en
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe Jo¨rg Schro¨ttner and Christian Baumgartner
Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Definition of a Notified Body . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Requirements for Notified Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 Organizational and General Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Quality Management Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 Resource Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.4 Process Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.5 Notified Body and EUDAMED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Situational Need for a Notified Body . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Tasks of a Notified Body in Conformity Assessment Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1 Audit of the Quality Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Product Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.3 Preclinical/Clinical Evaluation and Performance Evaluation Assessment . . . . . . . . . . . . 5.4 Specific Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.5 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.6 Recertification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.7 Mechanism for Scrutiny of Conformity Assessments of Certain Class III and Class IIb Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.8 Certificates of Conformity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.9 Voluntary Change of Notified Body . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Experiences from a Notified Body . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1 Most Common Objections During Quality Management System Audits . . . . . . . . . . . . . 6.2 Most Common Objections During Product Testing and Verification . . . . . . . . . . . . . . . . . 6.3 Most Common Objections During Clinical or Performance Evaluation . . . . . . . . . . . . . . 7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40 41 42 43 43 43 45 46 46 51 51 52 53 55 55 55 56 57 57 57 58 58 59 59 60
J. Schröttner (*) · C. Baumgartner Institute of Health Care Engineering with European Testing Center of Medical Devices, Graz University of Technology, Graz, Austria e-mail: [email protected]; [email protected] © Springer Nature Switzerland AG 2023 C. Baumgartner et al. (eds.), Medical Devices and In Vitro Diagnostics, Reference Series in Biomedical Engineering, https://doi.org/10.1007/978-3-031-22091-3_1
39
J. Schro¨ttner and C. Baumgartner
40
Abstract
A Notified Body (NB) is a conformity assessment body designated under the Medical Device Regulation (MDR 2017/745) or the In Vitro Diagnostic Regulation (IVDR 2017/746) that assesses the conformity of medical devices for CE marking before they enter the European market. The European member state in which a Notified Body is to be located is responsible for enforcing the organization, quality management, resources and procedural requirements for the Notified Body specified in these regulations. Once a Notified Body is designated, it carries out the conformity assessment activities according to the requirements of a chosen conformity assessment procedure that includes quality management system auditing, product testing, review of technical documentation, preclinical and clinical evaluation assessment, IVD performance evaluation assessment, and special procedures, if applicable. In this chapter, we present in detail what a Notified Body is in the sense of the aforementioned regulations and what special requirements are placed on designated notified bodies. We describe when a Notified Body is required for CE marking and what the main tasks of a Notified Body are in the conformity assessment procedure chosen by the manufacturer. Finally, challenges and pitfalls from the perspective of a Notified Body are summarized and discussed to ensure that manufacturers and distributers of medical devices entering the European market are optimally prepared for CE-marking approval.
1
Introduction
Since the 1990s, regulation of medical devices in Europe has remained relatively unchanged. However, new regulations passed and published by the European Parliament and European Council in 2017 have changed this situation and ushered in a new era in this highly regulated area (Clemens 2018; Melvin and Torre 2019). As a medical device manufacturer, distributor, or importer, it is crucial to have a good understanding of the new regulations which have dramatically changed the activities of the manufacturers and distributors, and even impacted the composition of their existing and future product portfolios (Kaule et al. 2020; Ben-Menahem et al. 2020). Medical devices in the European Union (EU) and associated countries such as Norway, Iceland, Switzerland, or Turkey must pass a strict conformity assessment according to the new Medical Device Regulation MDR 2017/745 (European Parliament and European Council 2017a) and/or the In Vitro Diagnostic Regulation IVDR 2017/746 (European Parliament and European Council 2017b), in order to demonstrate that they meet all legal requirements and ensure they are safe for the intended use (Migliore 2017; Martelli et al. 2019). For the approval of medicinal products that are not part of these regulations, however, different procedures with different requirements, classifications, and deadlines are applied either in a centralized
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
41
procedure performed by the European Medicines Agency (EMA) or in a decentralized procedure with a competent authority of a member state (Marshall et al. 2021). A Notified Body (NB) plays a central role in the conformity assessment procedure of most of medical devices and in vitro diagnostic devices. The term refers to an accredited body that assesses the conformity of a product with the respective regulation before it can enter the European market and ensures that all requirements are met for as long as the product is on the market. The Notified Body performs the tasks related to the conformity assessment procedures under MDR 2017/745 and/or IVDR 2017/746, when a third party is required, especially for higher risk class devices. The designation and surveillance of a Notified Body are the responsibility of the respective EU member state, which may designate notified bodies for the entire European market to carry out conformity assessments for the approval of medical devices in order to receive a CE marking (Vincini 2004). In this chapter, we address the following: • • • • •
2
Definition of a Notified Body Requirements for notified bodies Situational need for a Notified Body Tasks of a Notified Body in conformity assessment procedures Experiences from a Notified Body
Definition of a Notified Body
Notified bodies are government-appointed and government-audited bodies responsible for carrying out the conformity assessment of manufacturers and products of various types. One of the key principles of the European Union is the free movement of goods, so long as the respective products meet the requirements of European directives or regulations. MDR 2017/745 or IVDR 2017/746 are especially relevant for medical devices, where a high level of health protection for patients and users must be ensured. The requirements and scope of a Notified Body are defined in the respective regulations. Such notified bodies must be impartial and independent (usually privately organized and operated) to verify and ensure the high requirements and standards regarding the quality and safety of medical devices, and be authorized by an authority of the respective European member state to which these regulations apply. Paragraphs 54 and 55 in the introduction of the MDR 2017/745 states: “The Member State in which a Notified Body is established should be responsible for enforcing the requirements of this Regulation with regard to that Notified Body. In view, in particular, of the responsibility of Member States for the organisation and delivery of health services and medical care, they should be allowed to lay down additional requirements on notified bodies designated for the conformity assessment of devices and established on their territory as far as issues that are not regulated in
J. Schro¨ttner and C. Baumgartner
42
this Regulation are concerned. Any such additional requirements laid down should not affect more specific horizontal Union legislation on notified bodies and equal treatment of notified bodies.” The term “conformity assessment body” is used synonymously for a Notified Body. In MDR 2017/745 and IVDR 2017/746, this term refers to a body that carries out conformity assessment activities, including quality management audits, calibrations, testing, inspections, and certifications, and thus acts as an independent third party. Conformity assessment itself is the procedure of determining whether a product meets the requirements of a European directive or regulation. Conformity assessment bodies can submit an application for designation to the competent authority responsible for notified bodies which review the application and supporting documentation in accordance with a clearly defined procedure. The authority, together with a joint assessment team of experts, conducts an on-site assessment of the applicant conformity assessment body. Only after positive completion of the procedure and taking into account possibilities of objection and the publication of the notification (database of notified bodies, NANDO), does the designation of a Notified Body become valid. The published notification states the scope of the conformity assessment activity of the Notified Body. Each Notified Body receives a four-digit identification number for unique identification and traceability (MDR 2017/745 and IVDR 2017/746, Chap. IV, Notified bodies). The European Commission provides a list of the bodies notified under the regulations MDR 2017/745 and IVDR 2017/746, including the identification numbers assigned to them and the conformity assessment activities as defined in the respective regulation and the types of devices and products for which they have been notified. The list is available to the public in NANDO (see identification number and list of notified bodies, Article 43, MDR 2017/745 and Article 39, IVDR 2017/746). The authorities responsible for notified bodies are obligated to monitor the notified bodies, their subsidiaries and subcontractors to ensure ongoing compliance with the requirements and the fulfillment of its obligations as set out in the regulation.
3
Requirements for Notified Bodies
Each Notified Body must meet the requirements assigned to it by the relevant regulation. For this purpose, organizational requirements, requirements for quality assurance, resources, and processes must be fulfilled. In MDR 2017/745 and IVDR 2017/746, these requirements are outlined in a separate Annex (Annex VII). In detail, the requirements for notified bodies can be subdivided into four key areas: • • • •
Organizational and general requirements Quality management requirements Resource requirements Process requirements
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
3.1
43
Organizational and General Requirements
In addition to the complete documentation of the legal entity and legal status of the Notified Body, the allocation of responsibilities along with reporting lines and operation of the Notified Body must be clearly defined in order to ensure confidence in the performance of the Notified Body and in the results of the conformity assessment activities it conducts. One of the most essential requirements is the independence and impartiality of the body. In any case, it must be a third party that has no business connections (not even involvement in consultancy services) with the manufacturer of the device for which it performs conformity assessment activities. As such, any potential conflicts of interest must be reviewed to ensure impartiality. Notified bodies are also bound by confidentiality of information when conducting conformity assessment activities. Note that there are exceptions when disclosure of information received from a Notified Body is required by law.
3.2
Quality Management Requirements
The Notified Body must establish, document, implement, maintain, and operate a quality management (QM) system that is appropriate for the conformity assessment activities and is capable of demonstrating the consistent fulfillment of such requirements. The QM system must address all basic elements such as organizational structure and responsibilities, assessment and decision-making processes, control of documents, management reviews, internal audits, corrective and preventing action handling, training, etc.
3.3
Resource Requirements
All tasks of a Notified Body must be carried out with the highest degree of professional integrity and the requisite competence in the field. The personnel required for this purpose ranges from adequate administrative to technical and scientific staff. Such personnel must be able to meet appropriate qualification criteria (knowledge, experience, and other competence required) in the field of the products and technologies concerned. Basically, qualification criteria can be grouped into various functions within the conformity assessment process, including productrelated testing, technical documentation review, quality management system auditing, as well as the assessment of devices and technologies, such as biocompatibility, sterilization, tissues and cells of human and animal origin, or clinical evaluation. Proven knowledge and experience of any personnel must be demonstrated in the following areas, for example (excerpt from MDR 2017/45 and IVDR 2017/746):
J. Schro¨ttner and C. Baumgartner
44
• Successful completion of a college or university degree • Four years of professional experience in the field of healthcare products and experience in conformity assessment procedures • Appropriate knowledge and experience of any legislation relevant to the respective device as well as related harmonized standards, specifications, and guidelines • Appropriate knowledge and experience of quality management, risk management, and clinical or performance evaluation In addition, specific qualification criteria are defined for the assessment of: • • • • • • • •
Preclinical evaluation Clinical evaluation Tissues and cells of human and animal origin Functional safety Software Packaging Products that integrate as an integral part a medicinal product Products that are composed of substances or of combinations of substances that are absorbed by or locally dispersed in the human body • Different types of sterilization processes For in vitro diagnostic devices in particular, specific qualification criteria are defined for the assessment of: • • • • • • • • •
Biological safety Performance evaluation Products for self and near patient testing Self-administration and near-patient testing Companion diagnostics (CDx) Functional safety Software Packaging Different types of sterilization processes
In addition, notified bodies must have permanent availability of personnel with relevant clinical experience who are an active part in the Notified Body’s assessment and decision-making process. Personnel with overall responsibility for final reviews and decision-making on certification must in any case be employed by the Notified Body itself and must therefore not be external experts or subcontractors. Qualification and fulfillment of the qualification criteria must be comprehensively documented. It should be noted that the requirements for notified bodies have increased considerably in recent years and are strictly reviewed by the authority responsible for notified bodies (see Article 35, MDR 2017/745 and Article 31, IVDR 2017/746). This of course also concerns the monitoring of the procedures to be applied by the
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
45
manufacturer. Consequently, the requirements for the manufacturer during conformity assessment are increasing in order to ensure complete documentation as evidence for the Notified Body.
3.4
Process Requirements
Process requirements specify that the Notified Body has in place documented processes and sufficiently detailed procedures for the conduction of conformity assessment activities for which it is designated (from the application to decisionmaking and monitoring). If applicable, special characteristics of the products (e.g., sterile conditions) must be taken into account. The relevant procedure including these steps is shown in simplified form in Fig. 1. After a formal application signed by the manufacturer, the Notified Body begins the review process for the application. It should be noted that the contract between a Notified Body and a manufacturer must take the form of a written agreement signed by both parties, which clearly outlines the business conditions as well as the obligations and rights of both parties. It is only possible to contract with one Notified Fig. 1 Simplified workflow of the activities of a Notified Body from application to ongoing monitoring activities
J. Schro¨ttner and C. Baumgartner
46
Body. After internal resource allocation by the Notified Body for each assessment task, the relevant conformity assessment activities (e.g., product verification, quality management system audit, clinical or performance evaluation assessment) can start. Detailed information can be found in the section “Tasks of a Notified Body in Conformity Assessment Procedures.” Upon completion of the conformity assessment, the Notified Body must draw up a report that includes the results of the assessment, a clear conclusion from the verification of the manufacturer’s conformity with the requirements of the regulation, and a recommendation for the forthcoming final review and final decision to be taken. This report must in any case be made available to the manufacturer. Based on the assessment documentation and additional available information, the decision must be made by appropriately authorized personnel who were not involved in the conformity assessment activities. Finally, if there are no nonconformities, the procedure for decision-making and subsequent approval steps can be initiated. However, this step is not the end of the assessment procedure: Based on the contractual agreement between the Notified Body and the manufacturer, changes and modifications to the approved design of a device or the quality management system, for example, must be reported and assessed again. After certification, ongoing surveillance activities and post-certification monitoring activities must be conducted at least once a year (even if no changes are made to the product or the QM system). Monitoring activities may also include unannounced audits of the manufacturer or/and subcontractors and suppliers. The conditions for unannounced audits must be specified in the contract between the Notified Body and the manufacturer.
3.5
Notified Body and EUDAMED
According to the MDR 2017/745 and IVDR 2017/746, notified bodies should register in EUDAMED (European Commission) any information regarding certificates issued (including amendments and supplements), suspended, reinstated, withdrawn or refused, and other restrictions imposed on these certificates. This information is accessible to the public.
4
Situational Need for a Notified Body
Before a manufacturer can place a CE-marked product on the European market, a conformity assessment procedure must be carried out. Table 1 provides an overview of the corresponding Annexes of the possible conformity assessment procedures under the Medical Devices Regulation MDR 2017/745 and the In Vitro Diagnostic Regulation IVDR 2017/746. Depending on the risk class of the medical device, the manufacturer may either choose one of the conformity assessment procedures or a combination thereof.
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
47
Table 1 Annexes of the conformity assessment procedures: comparison between the Medical Devices Regulation MDR 2017/745 and the In Vitro Diagnostics Regulation IVDR 2017/746 Procedure Quality management system EU type examination Production quality assurance Product verification
MDR 2017/745 IX X XI – Part A XI – Part Ba
IVDR 2017/746 IX X XI n/a
n/a not applicable Every device must be examined and tested
a
Table 2 Annexes of the conformity assessment procedures under the Medical Devices Regulation MDR 2017/745 for the MP risk classes I to III
MP class III IIb IIa Is, Im, Irsa I
MDR 2017/745 II and III and IX or X+XI II and III and IX or X+XI II and III and IX or XI II and III and IX or XI (Part A only) II and III
a
Note that all special procedures (e.g., sterile conditions, measurement function) must be verified by a Notified Body
Table 3 Annexes of the conformity assessment procedures under the In Vitro Diagnostic Regulation IVDR 2017/746 for the IVD risk classes A to D IVD class D C B As A
IVDR 2017/746 II and III and IX or X+XI II and III and IX or X+XI II and III and IX or XI II and III and IX or XI (manufacture and sterile conditions only) II and III
Table 2 provides an overview of the procedures that may be selected or combined under MDR 2017/745, while Table 3 lists the possible procedures under IVDR 2017/ 746. In Tables 2 and 3, Annexes II and III concern the requirements of the technical documentation which need to be met for all risk classes. The risk class of a medical device or an in vitro diagnostic medical device need to be defined by the manufacturer according to Annex VIII (Chap. III, Classification rules) of the regulations. The application of the classification rules (22 rules under MDR 2017/745 and 7 rules under IVDR 2017/746) must be governed by the intended purpose of the devices (see also MDCG 2021–24 Guidance on classification of medical devices). In case of borderline products –where it is not clear from the outset whether a given product is a medical device or an in vitro diagnostic medical device – guidance documents are provided to manufacturers to assist them in classifying their new products (European Commission 2019). Essentially, the involvement or the scope of activities of the Notified Body results from the combination of the defined risk class of the product and the conformity
48
J. Schro¨ttner and C. Baumgartner
assessment procedure chosen by the manufacturer. From the risk class Is, Im, Irs (MDR 2017/745) or class As (IVDR 2017/746), the involvement of a Notified Body is required in any case. Only products of risk class I (MDR 2017/745) or class A (IVDR 2017/746) can be placed on the market without the involvement of a Notified Body. The manufacturer declares the conformity of their product on their own responsibility by issuing an EU Declaration of Conformity (DoC). It should be noted that the manufacturer is obliged to complete the technical documentation of their product in accordance with the requirements of the regulation (Annex II and Annex III), keep it updated, and make it available to the market surveillance authority at any time. For class I medical devices, additional consideration must be given to whether products are placed on the market in a sterile condition (Is), the product has a measuring function (Im), or it is a reusable surgical instrument (Irs). In this case, the manufacturer has to apply the procedures set out in Chaps. I and III of Annex IX, or in Part A of Annex XI under the MDR 2017/745. However, the involvement of the Notified Body in those procedures is limited to the following aspects: • Aspects relating to the establishment, assurance, and maintenance of sterile conditions (for Is products) • Aspects relating to the evaluation of metrological requirements (for Im products) • Aspects relating to the reuse of the device (for Irs products), e.g., cleaning, disinfection, maintenance, functional testing, etc. For class A IVD products, additional consideration must be given to whether products are placed on the market in a sterile condition (S). In this case, the manufacturer has to apply the procedures set out in Chaps. I and III of Annex IX under the IVDR 2017/746. However, the involvement of the Notified Body in those procedures is limited to the aspects of manufacture concerned with securing and maintaining sterile conditions. If software is considered a medical device (SaMD, software as medical device) by definition, it must be classified as an active medical device according to classification rule no. 11 under MDR 2017/745 (Annex VIII): “Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes is classified as class IIa, except if such decisions have an impact that may cause: death or an irreversible deterioration of a person’s state of health, it is classified as class III; or – a serious deterioration of a person’s state of health or a surgical intervention, in which case it is classified as class IIb. Software intended to monitor and control physiological processes is classified to class IIa, except if it is intended for monitoring of vital physiological parameters, where the nature of variations of those parameters is such that it could result in immediate danger to the patient, in which case it is classified as class IIb. All other software is classified as class I.” Note that software that controls a device or affects its use is classified in the same class as the device. If the software is independent of a device, it is classified as a separate product. Similarly, this classification also applies to in vitro diagnostic
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
49
Fig. 2 Conformity assessment procedures for medical devices under MDR 2017/745. For risk class I, no Notified Body (NB) is required for CE marking
devices (IVDs). However, there is no separate classification rule for software under IVDR 2017/746. Further information on SaMD is available in the chapter ▶ “Software as Medical Device in Europe”. Figures 2 and 3 illustrate and summarize the conformity assessment procedures based on the risk classes under the MDR 2017/745 and the IVDR 2017/746. Both regulations allow multiple routes for the conformity assessment procedures or
50
J. Schro¨ttner and C. Baumgartner
Fig. 3 Conformity assessment procedures for in vitro diagnostic devices under IVDR 2017/746. For risk class A, no Notified Body (NB) is required for CE marking
combinations thereof. Note that the MDR 2017/745 and IVDR 2017/746 always require a quality management system, but its certification by a Notified Body is not mandatory for class I and class A devices, respectively.
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
5
51
Tasks of a Notified Body in Conformity Assessment Procedures
The Notified Body carries out the conformity assessment activities according to the requirements of the chosen conformity assessment procedure (cf. Annexes IX to XI of MDR 2017/745 and IVDR 2017/746, respectively). This includes the quality management system auditing, product testing, review of technical documentation, preclinical or preanalytical evaluation assessment, clinical or performance evaluation assessment, and special procedures, if applicable. Good compliance with the requirements of MDR 2017/745 or IVDR 2017/746 for quality management systems is ensured by applying EN ISO 13485 (CEN/CENELEC 2016a). This standard may be used as a basis for compliance with both regulations.
5.1
Audit of the Quality Management System
The Notified Body audits the quality management system to determine whether it meets the requirements. Prior to the actual audit, all documents submitted to the Notified Body in accordance with the selected Annex that are relevant for the conformity assessment are reviewed as part of the quality management system assessment. An audit program must be established to demonstrate that the QM system meets the requirements of the respective regulation. Any responsibilities and links between, and allocation of responsibilities among, to different manufacturing sites, as well as the provisions for suppliers and/or subcontractors of the manufacturer must be taken into account. Note that at this stage, it is decided whether a specific audit is required for suppliers or subcontractors or both. This is the case when the conformity of the product is significantly affected by the activities of the suppliers and, in particular, when the manufacturer cannot demonstrate sufficient control over its suppliers and the subcontracted activities (see MDR 2017/745 or IVDR 2017/746, Annex VII). The detailed objectives, criteria, and scope of the audit must be defined in a so-called audit plan so that the specific requirements for the products, technologies, and processes concerned are taken into account. In addition, for class IIa and IIb or class B and C products, a sampling plan for the assessment of the technical documentation must be drawn up so that the manufacturer’s entire product range is covered. The plan ensures that all devices covered by the certificate are sampled over the period of validity of the certificate. Once appropriately authorized personnel are selected and assigned, and the respective roles, responsibilities, and authorities of the team members are clearly defined and documented, the audits can begin. The Notified Body is responsible for the following:
J. Schro¨ttner and C. Baumgartner
52
• Audit of the manufacturer’s quality management system in order to verify that the QM system and thus the products covered are in conformance with the relevant provisions of the regulation (from product design through final quality control to ongoing surveillance) • Review and audit of the manufacturer’s processes and subsystems based on the relevant technical documentation, in particular for: – Design and development of the product – Production and process controls – Product documentation – Purchasing control including verification of purchased products – Corrective and preventive actions for post-market surveillance (PMS) – Post-market clinical follow-up (PMCF) • Verification of compliance with the general safety and performance requirements as specified in Annex I of the MDR 2017/745 and the IVDR 2017/746, respectively The documentation must be sampled to reflect the risks associated with the intended use of the product, the complexity of the manufacturing technologies, the range and classes of products, and any available post-market surveillance information.
5.2
Product Testing
5.2.1 Assessment of the Technical Documentation The focus of this assessment is to verify the conformity of the design of the product with the regulation. That assessment includes the examination of the implementation of incoming, in-process, and final checks by manufacturers and the results thereof. If further tests or other evidence is required, the Notified Body may also carry out physical checks or laboratory tests in relation to the device or request the manufacturer to perform such checks or tests. It may also include the assessment of the clinical evaluation or performance evaluation, and special procedures if required. 5.2.2 Type Examinations The Notified Body must have – depending on the class of the medical or in vitro diagnostic device – documented procedures, sufficient expertise and facilities for the type examination of devices in accordance with Annex X. This involves the examination and assessment of the technical documentation and the verification that the type has been manufactured in conformity with that documentation. A test plan must be drawn up which must contain all relevant and critical parameters (including documentation of its rationale for the selection of those parameters) which need to be tested by the Notified Body. In any case, the Notified Body has to carry out the appropriate examinations and tests to verify that the solutions adopted by the manufacturer meet the general safety and performance requirements set out in Annex I (MDR 2017/745, IVDR 2017/746). The examinations and inspections
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
53
include all tests necessary to verify that the manufacturer has in fact applied the relevant standards it has opted to use. Note that the required tests do not have to be carried out directly by the Notified Body. However, test reports submitted by the manufacturer will only be considered by the Notified Body if they were provided by a competent conformity assessment body acting independently of the manufacturer (e.g., by an accredited testing laboratory).
5.2.3
Verification by Examination and Testing of Every Product or Every Product Batch Depending on the chosen conformity assessment procedure, verification by examination and testing of every product is a possible procedure under MDR 2017/745 (Part B of Annex XI) and of a product batch under the IVDR 2017/46 (Annexes IX and XI, risk class D), respectively. Here, too, a test plan must be established to verify the conformity of every product with the type described in the EU type examination certificate for class IIb products or verify the conformity with the technical documentation for class IIa products (Annexes II and III). The requirements of the regulation, of course, applicable to these products, must be confirmed by the Notified Body. Again, if it is not necessary that the tests be carried out by the Notified Body, test reports submitted in agreement with the manufacturer will only be taken into account if they have been prepared by a competent conformity assessment body that is independent of the manufacturer.
5.3
Preclinical/Clinical Evaluation and Performance Evaluation Assessment
The Notified Body reviews the manufacturer’s procedures and documentation relating to the evaluation of preclinical/clinical requirements of the product under MDR 2017/745 or the performance requirements of the product under IVDR 2017/746 (Ivanovska et al. 2019; Zenner and Božić 2019). In particular, the following needs be considered in relation to the evaluation of preclinical aspects: • The planning, conduct, assessment, reporting, and where appropriate, updating of the preclinical evaluation using data from preclinical literature search and preclinical testing (e.g., laboratory testing, simulated use testing, computer modeling, the use of animal models) • The nature and duration of the body contact and specific associated biological risks • The interface with the risk management process • The appraisal and analysis of the available preclinical data and its relevance with regard to demonstrating conformity with the general safety and performance requirements (Annex I)
54
J. Schro¨ttner and C. Baumgartner
The Notified Body’s assessment of preclinical evaluation procedures and documentation must address the results of literature searches and all validation, verification, and testing performed and conclusions drawn, and must typically include considering the use of alternative materials and substances and taking account of the packaging, stability, and shelf life of the finished device. Where no new testing has been undertaken by a manufacturer or where there are deviations from procedures, the Notified Body in question must critically examine the justification presented by the manufacturer (see Annex VII, Section 4). The review of the clinical evaluation or the performance evaluation has to assess the following aspects in detail: • The planning, conduct, assessment, reporting, and updating of the clinical evaluation according to Annex XIV of the MDR 2017/745 and the performance evaluation according to Annex XIII of the IVDR 2017/746 • The interface with the risk management process • The post-market surveillance and clinical or performance follow-up after placing the product on the market • The appraisal and analysis of the available clinical data or performance and its relevance with regard to demonstrating conformity with the general safety and performance requirements (Annex I) • The conclusions drawn with regard to the clinical evidence and the drawing up of the clinical evaluation or performance report These procedures must take into consideration available common specification (CS), guidance, and best practice documents. The Notified Body’s assessment of clinical evaluations as referred to in Annex XIV of MDR 2017/745 and of performance evaluation as referred to in Annex XIII of IVDR 2017/746 cover the following aspects: • The intended use specified by the manufacturer and claims for the device defined by it • The planning of the clinical or performance evaluation • The methodology for the literature search • Relevant documentation from the literature search • The clinical investigation or performance studies • Validity of equivalence claimed in relation to other devices, the demonstration of equivalence, and the suitability and conclusions data from equivalent and similar devices • Post-market surveillance and clinical or performance follow-up • The clinical evaluation report • Justifications in relation to non-performance of clinical investigations or PMCF More details of the assessment of the clinical evaluations or performance evaluations by the Notified Body according to Annex XIV of MDR 2017/745 or Annex XIII of IVDR 2017/746, respectively, are comprehensively described in the chapters
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
55
▶ “Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR” and ▶ “Performance Evaluation and Performance Studies of in Vitro Diagnostic Medical Devices Under the IVDR”.
5.4
Specific Procedures
Depending on the particular characteristics of certain products, it may be necessary for the Notified Body to consider specific procedures (see Sections 5 and 6 of Annex IX, Section 6 of Annex X, and Section 16 of Annex XI for MDR 2017/745; and Section 5 of Annex IX for IVDR 2017/746). Examples include: • Class III devices intended to introduce a medicinal product into and/or remove it from the body • Products of which a medicinal product is an integral part • Tissues or cells of human or animal origin or their derivatives • Products consisting of substances that are absorbed by the human body or distributed locally in the body • Companion diagnostic products (CDx) Manufacturers wishing to place on the market products for which “specific procedures” may be required should contact the Notified Body to find out exactly how to proceed and what deadlines must be met.
5.5
Reporting
All steps of the conformity assessment must be documented by notified bodies so that the conclusions of the assessment are clear and demonstrate compliance with the requirements of the regulation and can represent objective evidence of such compliance to persons that are not themselves involved in the assessment (e.g., personnel in designating authorities). The report of the Notified Body must clearly document the outcome of the assessment, draw clear conclusions from the verification of the manufacturer’s conformity with the requirements, and make a recommendation for a final review and for a final decision to be taken by the Notified Body (see Annex VII, Section 4 of MDR 2017/745 or IVDR 2017/746).
5.6
Recertification
As shown in Fig. 1, the entire process is not yet complete when the conformity assessment activities and subsequent steps to certification are successfully completed. Recertification reviews and the renewal of certificates must take place at least every 5 years (e.g., recertification of approved quality management system, EU type examination certificates). As part of these procedures, the manufacturer must
J. Schro¨ttner and C. Baumgartner
56
submit a summary of changes and scientific findings for the product (see Annex VII, Section 11 of MDR 2017/745 or IVDR 2017/746). This includes: • • • • • • • • •
All changes to the originally approved product, including changes not yet notified Experience gained from post-market surveillance Experience from risk management Experience gained from updating the proof of compliance with the general safety and performance requirements set out in Annex I of the respective regulation Experience from reviews of the clinical evaluation, including the results of any clinical investigations and post-market clinical follow-up (for products under the MDR 2017/745) Experience from reviews of the performance evaluation reviews, including the results of any performance studies and post-market performance follow-up (for products under the IVDR 2017/746) Changes to the requirements, to components of the device, or to the scientific or regulatory environment Changes to applied or new harmonized standards, common specifications (CS), or equivalent documents Changes to the medical, scientific, or technical state of knowledge Changes in medical, scientific, or technical knowledge may include:
• New treatments • Changes in test methods • New scientific findings on materials and components, including findings on their biocompatibility • Experience from studies on comparable products • Data from registers and registries • Experience from clinical investigations or performance studies with comparable products
5.7
Mechanism for Scrutiny of Conformity Assessments of Certain Class III and Class IIb Devices
In accordance with Article 55 (MDR 2017/745) and Article 51 (IVDR 2017/746), a mechanism for scrutiny of conformity assessments of certain class III and class IIb devices and class D devices, respectively, has been established. A Notified Body must notify the competent authorities of the certificates it has granted to devices for which the conformity assessment has been performed pursuant to Article 54 (1), including class III implantable devices, and class IIb active devices intended to administer and/or remove a medicinal product, and to Article 50, including class D devices. Such notification must include the summary of safety and clinical
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
57
performance, the assessment report by the Notified Body, the instructions for use, and, where applicable, the scientific opinion of an expert panel. In the case of divergent views between the Notified Body and the expert panel, a full justification must also be included.
5.8
Certificates of Conformity
According to Article 56, MDR 2017/745 and Article 51, IVDR 2017/746 certificates issued by the Notified Body in accordance with Annexes IX, X and XI must be in an official EU language and are valid for the period they indicate, not exceeding 5 years. Where a Notified Body finds that the requirements of the regulation are no longer met by the manufacturer, the Notified Body has the right to suspend or withdraw the certificate issued, or impose any restrictions on it unless compliance with such requirements is ensured, giving the reasons for its decision. This compliance may be restored through appropriate corrective action taken by the manufacturer within an appropriate deadline set by the Notified Body.
5.9
Voluntary Change of Notified Body
In cases where a manufacturer terminates their contract with a Notified Body and enters into a contract with another Notified Body with respect to the conformity assessment of the same device, the detailed arrangements for the change of Notified Body must be clearly defined in an agreement between the manufacturer, the incoming Notified Body, and, where practicable, the outgoing Notified Body (Article 58, MDR 2017/745, or Article 53, IVDR 2017/746).
6
Experiences from a Notified Body
In this section, we summarize collected observations and experiences from conformity assessment activities of a former Notified Body. The European Testing Center for Medical Devices (PMG) at Graz University of Technology, which is headed by the authors of this chapter, is a state-accredited testing and certification body for medical devices that has also acted as a Notified Body for more than 20 years. The most frequent complaints are differentiated according to the conformity assessment activities described in the Sect. 5. Note that the observations and complaints summarized below are to be considered examples and are by no means complete. Further examples can be found in Akra (2020).
58
6.1
J. Schro¨ttner and C. Baumgartner
Most Common Objections During Quality Management System Audits
• Responsibilities and authorizations are inadequately defined. • The document review (reference to templates, approval procedures, etc.) is inadequate. • The review and monitoring of external documents, such as standards or IMDRF guidance documents (documents are not available or search is too spaced out) is inadequate. • Employees release documents even though they are not authorized to do so. • Clear job descriptions of the quality management representative or safety specialists are missing. • Employee training is often neglected. • Unqualified personnel is involved (e.g., in risk management or even internal audits). • Management reviews rarely address regulatory requirements. • Product design and development related to regulatory requirements are neglected. • Product development assessments during the engineering process are often not carried out. • The terms and activities associated with verification and validation are often misunderstood. • Classification of suppliers into critical and noncritical suppliers often causes difficulties. • Quality criteria for suppliers are not clearly defined. • Measurement and testing equipment is monitored poorly. • The scope of internal audits is inadequate (e.g., no audit criteria in accordance with the regulation). • Faulty or deficient process monitoring methods are used. • Corrective actions are not documented or monitored in a traceable manner. • The obligation to report changes is underestimated. • Processes and procedures are defined but are not consistently implemented.
6.2
Most Common Objections During Product Testing and Verification
• The medical device file is not up to date (e.g., incorporation of annual updates is not documented). • Test documentation is inadequate. • Standards applicable to the product are not taken into account. • Compliance with general requirements is not sufficiently documented (traceability!). • External test reports cannot be accepted or are not available (no accredited testing body has been commissioned). • The technical documentation is not kept up to date.
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
59
• Changes in technical specifications (e.g., current standards) are not taken into account. • The link between risk management with other normative specifications (e.g., EN 60601-1 (CEN/CENELEC 2013) or EN 62304 (CEN/CENELEC 2016)) is not documented in a comprehensible way. • The risk management file is not updated. • Feedback from the market or from customers is not incorporated into the risk management process.
6.3
Most Common Objections During Clinical or Performance Evaluation
• Clinical evaluation procedures were not established according to the specifications (MDR 2017/745, MDCG 2020-5, and IVDR 2017/746). • The qualifications of personnel for literature research and evaluation as well as for the final evaluation are inadequate. • The scope of the literature review is insufficient. • The scientific evaluation of the literature is poorly done and not documented in a comprehensible manner. • The clinical or performance evaluation is not kept up to date. • The post-market clinical follow-up process or its results are not included in the clinical or performance evaluation.
7
Conclusions
A CE marking on any medical product, its packaging, or its commercial documentation represents the end of a lengthy conformity assessment process. All products under MDR 2017/745 or IVDR 2017/746, except for risk classes 1 (medical devices) and A (in vitro diagnostic devices), require the active involvement of a Notified Body for medical device approval. In this chapter, we presented the requirements for notified bodies from the perspective of the European authorities and provided an overview of the tasks of a Notified Body in close cooperation with the manufacturer. A former Notified Body gave examples of commonly observed problems and pitfalls during the conformity assessment process that could be helpful to the manufacturer and distributers in preparing for the CE marking. We believe that this chapter will provide basic information to a growing number of academic institutions working with proven evidence to translate new methods and technologies into clinical applications, including manufacturers from non-European countries and markets, in order to understand how procedures for medical device approval work. Moreover, it is essential to know what should be considered from a regulatory point of view when wishing to venture into the European market with a certified and CE-marked medical product (Kedwani et al. 2019; Fraser et al. 2020; Letourneur et al. 2021).
60
J. Schro¨ttner and C. Baumgartner
References Akra B (2020) Inspection and examination: experiences of a notified body. In: Lanzerath D, Kielmansegg S, Hasford J (eds) The development of medical devices: ethical, legal and methodological impacts of the EU Medical Device Regulation, LIT- Verlag, Münster pp 43–56 Ben-Menahem SM, Nistor-Gallo R, Macia G, von Krogh G, Goldhahn J (2020) How the new European regulation on medical devices will affect innovation. Nat Biomed Eng 4(6):585–590 Clemens N (2018) The European Medical Device Regulation 2017/745/EU: changes and impact on stakeholders. J Clin Res Best Pract 14(9):1–7 European Commission. EUDAMED (European database on medical devices). Retrieved from: https://ec.europa.eu/tools/eudamed/#/screen/home European Commission. MDCG 2020-5 Clinical evaluation – equivalence: a guide for manufacturers and notified bodies. Retrieved from: https://ec.europa.eu/docsroom/documents/40903? locale¼en European Commission. MDCG 2021-24 Guidance on classification of medical devices. Retrieved from: https://ec.europa.eu/health/system/files/2021-10/mdcg_2021-24_en_0.pdf European Commission. NANDO (New Approach Notified and Designated Organisations) Information System. Retrieved from: https://ec.europa.eu/growth/tools-databases/nando European Commission. Manual on borderline and classification in the community regulatory framework for medical devices, Version 1.22 (05-2019). Retrieved from: https://ec.europa.eu/ health/system/files/2020-08/md_borderline_manual_05_2019_en_0.pdf European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2013) EN 60601–1: 2006+A1:2013 Medical electrical equipment, Part 1: General requirements for basic safety and essential performance European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2016a) EN ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2016b) EN 62304:2016 – Medical device software – Software life cycle processes European Parliament and European Council (2017a) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 concerning medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 9s0/385/EEC and 93/42/EEC. Official Journal of the European Union. L 117, 1–175 European Parliament and European Council (2017b) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. Official Journal of the European Union. L 117, 176–332 Fraser AG, Byrne RA, Kautzner J, Butchart EG, Szymański P, Leggeri I, de Boer RA, Caiani EG, Van de Werf F, Vardas PE, Badimon L (2020) Implementing the new European Regulations on medical devices-clinical responsibilities for evidence-based practice: a report from the Regulatory Affairs Committee of the European Society of Cardiology. Eur Heart J 41(27):2589–2596 IMDRF. International Medical Device Regulators Forum, Retrieved from: http://www.imdrf.org/ documents/documents.asp Ivanovska E, Ribarska JT, Lazova J, Popstefanova N, Jovanoska MD, Jolevska ST (2019) Providing clinical evidence under the MDR 2017/745–new challenges for manufacturers in medical device industry. Arch Farmaciju 69(1):39–49 Kaule S, Bock A, Dierke A, Siewert S, Schmitz K, Stiehm M, Klar E, Leuchter M, Lenarz T, Zygmunt M, Schmidt W, Grabow N (2020) Medical Device Regulation and current challenges for the implementation of new technologies. Curr Dir Biomed Eng 6(3):334–337
The Notified Body: The Conformity Assessment Body for Medical Devices in Europe
61
Kedwani M, Schröttner J, Baumgartner C (2019) Analysis of regulatory requirements of medical devices and in-vitro diagnostics worldwide for the development of an efficient procedure of registration for manufacturers of medical products. Curr Dir Biomed Eng 5(1):609–612 Letourneur D, Joyce K, Chauvierre C, Bayon Y, Pandit A (2021) Enabling MedTech translation in academia: redefining value proposition with updated regulations. Adv Healthc Mater 10(1): e2001237 Marshall J, Morrill K, Gobbe M, Blanchard L (2021) The difference between approval processes for medicinal products and medical devices in Europe. Ophthalmologica 244(5):368–378 Martelli N, Eskenazy D, Déan C, Pineau J, Prognon P, Chatellier G, Sapoval M, Pellerin O (2019) New European Regulation for medical devices: what is changing? Cardiovasc Intervent Radiol 42(9):1272–1278 Melvin T, Torre M (2019) New medical device regulations: the regulator’s view. EFORT Open Rev 4(6):351–356 Migliore A (2017) On the new regulation of medical devices in Europe. Expert Rev Med Devices 14(12):921–923 Vincini GA (2004) The challenge of CE marking. Commun Dis Public Health 7(3):231–233 Zenner HP, Božić M (2019) Clinical evaluation of medical devices in Europe. In: BodirogaVukobrat N, Rukavina D, Pavelić K, Sander G (eds) Personalized medicine in healthcare systems. Europeanization and globalization, vol 5. Springer, Cham
Quality Management Requirements in Compliance with European Regulations Johann Harer and Jo¨rg Schro¨ttner
Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Quality Management Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 Regulatory Requirements and EN ISO 13485 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 The Essential Requirements of EN ISO 13485 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Document Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
64 66 66 71 79 85 86
Abstract
Quality management is a central requirement in the area of medical and in vitro diagnostics devices. Based on the new European regulations, it is mandatory for all manufacturers, regardless of the risk class of the products, to introduce, document, apply, maintain, keep up to date, and continuously improve a quality management system. In addition to the requirements in the regulations, the international standard EN ISO 13485 is the central source of defining the requirements for organizations involved in the life cycle of a medical or in vitro diagnostic medical device. The basis of this standard is the process-oriented approach to quality management systems, which means that identifying and managing the interrelated activities within an organization and with respect to its external stakeholders becomes a necessity.
J. Harer (*) QMD Services GmbH, Wien, Austria e-mail: [email protected] J. Schröttner Institute of Health Care Engineering with European Testing Center of Medical Devices, Graz University of Technology, Graz, Austria e-mail: [email protected] © Springer Nature Switzerland AG 2023 C. Baumgartner et al. (eds.), Medical Devices and In Vitro Diagnostics, Reference Series in Biomedical Engineering, https://doi.org/10.1007/978-3-031-22091-3_12
63
J. Harer and J. Schro¨ttner
64
This chapter describes the essential requirements for the quality management system of medical device and in vitro diagnostic manufacturers. The extent to which the EN ISO 13485 meets the requirements of the new EU regulations for medical devices and in vitro diagnostics is discussed. The basics of a quality management system, the responsibility of the management, resource management and options of continuous improvement are presented. Special emphasis is put on document management, as this is a prerequisite for an efficient and compliant quality management system and starting point for external audits and inspections. For those who consider a migration from EN ISO 9001 to EN ISO 13485, the conceptual differences between these two standards are described and in particular, the following requirements are introduced: management responsibility, risk management, documentation, control of working environment, and Post Market Surveillance (PMS). In addition, solutions for meeting these requirements are presented.
1
Introduction
In a quality management system (QM system), an organization specifies its organizational structures, procedures, processes, and resources as well as the requirements for its products and services aiming at obtaining reproducible results, i.e., maintaining and improving the quality of its products and services in accordance with customer requirements. In addition, a functioning QM system should ensure that, in the event of deficiencies, these are identified at an early stage and managed in a comprehensible manner. For medical device manufacturers following the new regulations – MDR 2017/ 745 and IVDR 2017/746 (European Parliament and European Council, 2017) – QM systems should focus on two main points – reproducible product and service performance and guided troubleshooting mechanisms – because the malfunction of a product may not only affect the user but may also have a direct or indirect healththreatening impact on the patient or even the society. Based on this potential hazard situation, it is understandable that high expectations regarding safety and compliance with performance characteristics exist for the development, manufacture, and marketing of medical devices. This has led to medical devices and in vitro diagnostics being heavily regulated and high demands are made on the manufacturer’s QM system. Thus, both regulations (MDR 2017/745 and IVDR 2017/746) require the following as stated in Art. 10 (9): “Manufacturers of devices . . ., shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with this Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device.” In sub-items (a) through (m) of this article (Article 10, MDR 2017/745 and IVDR 2017/746), the following minimum requirements for the QM system are demanded:
Quality Management Requirements in Compliance with European Regulations
a) b) c) d) e) f) g) h) i) j) k) l) m)
65
A strategy for regulatory compliance Identification of applicable general safety and performance requirements Responsibility of the management Resource management, including selection and control of suppliers and sub-contractors Risk management Clinical evaluation, including Post-Market Clinical Follow-up (PMCF) Specifications regarding product realization A Unique Device Identifier (UDI)-System A Post-Market Surveillance (PMS)-System Handling communication with competent authorities, notified bodies, etc. Processes for reporting of serious incidents and field safety corrective actions in the context of vigilance Management of corrective and preventive actions and verification of their effectiveness Processes for monitoring and measurement of output, data analysis, and product improvement.
Many of the above requirements are not found in the most widely used QM system in the world, EN ISO 9001 (CEN/CENELEC 2015a). In contrast to the “traditional” ISO 9001 QM system, however, the two above-mentioned regulations do not contain any requirements with regard to “business excellence” (e.g., increasing the efficiency of procedures and processes, knowledge and opportunity management, customer satisfaction, ...) because the adjustments of an organization in the medical device market for improving business results must end where a risk to users or patients due to product or process changes cannot be excluded with a high degree of probability. The QM system relevant in the field of medical technology is therefore EN ISO 13485 (CEN/CENELEC 2016a). It contains specific requirements, which give the highest priority to product safety. A central role is assigned to risk management. The establishment and implementation of a risk-based approach is explicitly required at all points, when product functionality or patient safety could be compromised. The requirements of EN ISO 13485 are supplemented by many national and international laws, norms, and standards. Only within the context of the entire “regulatory hierarchy” the requirements for medical device manufacturers may be fully understood and implemented in a “suitable” QM system. For the US market, 21 CFR 820, also abbreviated as QSR or cGMP, forms the legal basis for medical device manufacturers. It is largely coordinated with EN ISO 13485 in essential points, in particular via the “interpretation rules” of the FDA or international bodies such as the Global Harmonization Task Force (GHTF), International Medical Device Regulators Forum (IMDRF), or the International Council for Harmonization (ICH). For this reason, no special consideration of the QSR will be given in the following explanations in this chapter, unless relevant differences between these two QM systems have to be described.
J. Harer and J. Schro¨ttner
66
2
Quality Management Systems
2.1
Regulatory Requirements and EN ISO 13485
Medical devices and in vitro diagnostics must successfully demonstrate their conformity with the EU Regulations (MDR 2017/745 and IVDR 2017/746) in a conformity assessment procedure before they can be placed on the market in the European Union. In this context, EN ISO 13485 certification can be seen as a first, but not sufficient, step toward achieving conformity with the European regulations. This standard is also closely connected to a lot of further standards, which are essential for MDR and IVDR manufacturers, like the EN ISO 14971 (CEN/CENELEC 2019) or the EN 62304 (CENELEC 2016b). For example, process related standards require a quality management system and standards used for product development affect the product realization process defined in the quality management system, which vice versa requires a risk management system (see Fig. 1). The overview in Table 1 shows that a QM system according to EN ISO 13485: 2016 no longer means “automatic conformity and compliance” with the requirements of the MDR or IVDR. Every manufacturer is required to check whether the new EU regulations contain additional requirements, but the EN ISO 13485:2016 can still be applied very well as a basis and starting point for a medical device/in vitro diagnostics compliant QM system.
European regulations, directives, national laws, etc.
Risk management EN ISO 14971
requires
requires requires
Quality management system EN ISO 13485 Product development (Hardware, Software)
Process-standards e.g. EN 62304
product standards e.g. EN 60601-1 EN 60601-2-X, etc.
influences
influences
Fig. 1 Relationships of EN ISO 13485 with other standards and regulations
Quality Management Requirements in Compliance with European Regulations
67
Table 1 Examples of requirements of the MDR and IVDR not covered in EN ISO 13485:2016 MDR / IVDR Art. 10, Par. 9 a) A strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for management of modifications to the devices b) Identification of applicable general safety and performance requirements and exploration of options to address those requirements f) Clinical evaluation in accordance with Article 61 and Annex XIV, including PMCF h) Verification of the UDI assignments made in accordance with Article 27(3) i) Post-market surveillance system, in accordance with Article 83 j) Handling communication with competent authorities, notified bodies, other economic operators, customers and/or other stakeholders k) Processes for reporting of serious incidents and field safety corrective actions in the context of vigilance
EN ISO 13485:2016 Partly covered, a documented concept for compliance is not present
Partly covered, the general safety and performance requirements or harmonized standards are not mentioned Not covered, no details from Article 61 are specified Not covered, details are missing from Article 27 and 29 Partly covered, a system for monitoring is required, but no details according to Article 83 Partly covered, the terms competent authority and Notified Body are not explicitly mentioned Partly covered, details for vigilance reporting and appointments are missing
Depending on the criticality of a device, proof of compliance of the QM system with the requirements of the specified EU regulations can either be provided by a self-declaration of the manufacturer or it requires an additional confirmation by a so-called Notified Body. Only after a positive assessment that a QM system compliant with the EU regulations is implemented, authorization is granted to label the products with the CE marking, which at the same time includes permission to market a medical device or in vitro diagnostic medical device, after registration with a national competent authority, throughout the European Union. In addition, some countries outside the EU have special national requirements for the QM system, such as Canada or Japan, which must be considered in the certification if marketing is planned in these countries. For details, see chapter ▶ “Regulatory Framework for Medical Devices and IVDs in Europe”). A clear distinction must be made between medical device manufacturers on the one hand and suppliers on the other. The former must maintain a QM system compliant with the laws (MDR 2017/745 and IVDR 2017/746), while for the latter a certified QM system is not an absolute necessity. However, medical device manufacturers increasingly demand certification according to an international standard when selecting their suppliers, or they stipulate the applicable requirements of the MDR or IVDR as contractual components within the framework of a quality assurance agreement, e.g., as an addendum to the supplier’s existing EN ISO 9001 QM system (see also chapter ▶ “Management for Critical Medical Device and IVD Suppliers”). Relevant suppliers of medical device manufacturers without a certified QM system will hardly be accepted nowadays. Suppliers of product-critical materials and services are also encouraged to be certified according to EN ISO 13485 in
68
J. Harer and J. Schro¨ttner
the long run. Suppliers named as “critical” by the manufacturer must also expect unannounced audits by authorities or Notified Bodies at any time according to Annex VII (4.5.2) of the new EU regulations (MDR 2017/745 and IVDR 2017/746). In this context, also note the requirements for authorized representatives, importers and distributors according to Art. 11 to 16 MDR and IVDR. An authorized representative performs tasks that have been agreed upon in writing between him/her and the manufacturer in a mandate. Some obligations of the manufacturer cannot be transferred to the authorized representative. Another important aspect is a clear agreement if there will be a change of the authorized representative. Importers must verify that the product complies with the regulations before it can be placed on the European market. This includes, e.g., checks of CE-marking, declaration of conformity, product labelling, or UDI assignment. Regarding the quality management system of importers, it is essential to have documented processes to comply with the storage and transport conditions, to keep a register of complaints and co-operate with the manufacturer and competent authorities to ensure necessary corrective actions. Also, distributors of medical devices or in vitro diagnostics have to perform verification activities (CE-marking, declaration of conformity, product information, etc.). The main tasks in quality management are compliance with storage and transport conditions, cooperation if corrective actions are necessary and complaint handling. Without becoming a manufacturer, it is allowed for importers and distributors to provide and translate the product information and to change the outer packaging of a device. The latter may be done only under special conditions. Both mentioned procedures must be implemented into the quality management system of the importer or distributor.
2.1.1 The New Revisions of EN ISO 9001 and EN ISO 13485 ISO 9001 is the most widely used QM system standard in the world. It was first introduced in 1994 and then further developed in a total of three major revisions, in 2000, 2008, and 2015. In particular, the aging ISO 9001:2008 underwent a complete revision in 2015 to incorporate necessary enhancements and improve alignment with other management system standards. The fundamental change in the chapter structure becomes immediately obvious. Instead of the previous eight chapters, the 2015 edition is divided into ten chapters – “Scope,” “Normative references,” “Terms and definitions,” “Context of the organization,” “Leadership,” “Planning,” “Support,” “Operations,” “Performance evaluation,” and “Improvement.” The new chapter structure is now more closely aligned with the requirements rather than the goals and processes of the organization. The context of the organization was also revised significantly. This expands from a pure customer orientation to stakeholder management according to the European Foundation for Quality Management (EFQM)/Business Excellence Model (EFQM 2021). It is deemed important to identify all parties relevant to the organization and to reflect their expectations appropriately in the QM system. This also applies to requirements of a legal and regulatory nature. In the new revision of ISO 9001, the topic of risk management was also given greater emphasis and now runs through the entire standard, addressing not only the risks but also the
Quality Management Requirements in Compliance with European Regulations
69
opportunities, with respect to the continuous improvement process. Planning, execution, and evaluation of performance were separated and thus became more transparently assignable. Topics such as communication and competence were given greater emphasis, and knowledge and the management of knowledge were explicitly required for the first time. By September 2018 at the latest, all ISO 9001 certified organizations had to have converted their QM system to the 2015 revision. Internationally, EN ISO 13485 represents the normative basis for the requirements of a QM system for medical device manufacturers. This standard describes an overall management system for the design, manufacture, and distribution of medical devices. EN ISO 13485 was first published in 2003 and replaced previously valid documents, such as ISO 46001 and ISO 46002 (both from 1997) and ISO 13488 (from 1996). This first edition was slightly modified in 2007, 2009, and 2012 before being extensively revised in 2016 to align with the IMDRF/GHTF International Guidelines and CFR 21 Part 820. EN ISO 13485:2016 has retained its chapter structure of eight chapters for the time being and has thus moved even further away from the ISO 9001 family than before. The distance between the two standards has also increased in terms of content. While the new EN ISO 9001:2015 is moving increasingly in the direction of the business excellence model, EN ISO 13485:2016 continues to focus primarily on product safety and performance. This is expressed, among other things, in the numerous requirements for comprehensive risk management. For example, the chapter “Product realization” of EN ISO 13485:2016 alone calls for adequate consideration of “associated risk” eight times. A risk-based approach is required, for example, in the validation and revalidation of computer software (Chap. 7.5.6 of the EN ISO 13485) and in the procurement process (Chap. 7.4.1 of the EN ISO 13485) too. Greater emphasis than before is placed on the risk of the procured device in connection with the finished product. Both the (initial) selection of suppliers and measures with the supplier due to the non-fulfillment of procurement requirements must be carried out in relation to the risk and in compliance with the applicable legal provisions. In this context, it is important to mention that in EN ISO 13485:2016, the references to “regulatory requirements” (laws, rules, regulations, ordinances) have increased from previously seven to now 36 compared to the 2012 edition. For example, the scope of traceability must comply with regulatory requirements and, if required by regulation, it becomes necessary to include a documented system for unique device identification (Chap. 7.5.8 of the EN ISO 13485). Since a Unique Device Identifier (UDI) is required in the MDR and IVDR, this is therefore automatically a requirement of the QM system. To protect the device from modification, contamination or damage under the expected conditions during processing, storage, handling and distribution, suitable packaging, and transport containers must be designed and constructed (Chap. 7.5.11 of the EN ISO 13485). Chapter 8.2.2 requires a documented complaint handling process with the following requirements: • Receiving and recording feedback • Assessment of whether the feedback is a complaint • Investigating the complaint (documented reason if not investigated)
70
J. Harer and J. Schro¨ttner
• Determining whether a report to the authority is required • Handling of the devices which are the subject of the complaint • Determining if corrective and preventive action is required A new feature of corrective and preventive actions is that an explicit post-market surveillance (PMS) process is required and that corrective actions must be verified to ensure that no undesirable side effects occur (see Chaps. 8.4 and 8.5 of the EN ISO 13485, among others). Due to the numerous additional requirements, including references to regulatory requirements and risk management, additional requirements for validation, outsourced processes, supplier management, customer feedback, and specifications and records, the QM system according to the new EN ISO 13485:2016 has entailed an increase in workload compared to the past. The now large systemic difference between EN ISO 9001:2015 and EN ISO 13485:2016 and the additional workload to be expected, will force many manufacturers to decide whether they want to maintain both certifications in the future or whether they are satisfied with the mere EN ISO 13485 certification. The original approach of starting with the general ISO 9001 and then continuing with specialization will have to be reconsidered due to the different chapter structure and divergent requirements. However, it may well be justified for companies who not only manufacture medical devices but also supply other markets to continue to maintain both QM systems. However, this must be evaluated on a case-by-case basis.
2.1.2
Differences Between ISO 9001:2015 and ISO 13485:2016 in Detail In the past, EN ISO 13485 was aligned with EN ISO 9001 in many areas. However, as explained in the previous chapter, the systemic and content-related differences have increased significantly in the latest editions of the two standards. EN ISO 13485:2016 (CEN/CENELEC 2016a) differs in short from EN ISO 9001:2015 (CEN/CENELEC 2015a) primarily concerning the following points: • Focus on product safety and performance, whereas business excellence is not an area of interest • High number (33) of required documented procedures • Specific requirements for the creation, approval, modification, and archiving of specification and verification documents • Multiple references to observing and complying with regulatory requirements • Stakeholder management limited to customer and regulatory requirements • Management responsibility with respect to regulatory requirements and assessment of deviations and corrective actions • Specified activities and evidence during product development, in particular specific requirements for the Design History File (DHF) • Qualification and validation evidence for infrastructure, equipment, computers, and processes
Quality Management Requirements in Compliance with European Regulations
71
• Control of the working environment, in particular, hygiene and clothing regulations • “Competences and knowledge” only required in a limited form (competence determination, training requirements, and evidence) • End-to-end risk management process over the entire life cycle of a device, with the respective precautions and measures depending on the potential impact on product safety and functionality • Risk-based qualification and evaluation of suppliers • Specific requirements in product manufacturing, especially regarding records (e.g., clear product labeling) • Specific requirements to verify the effectiveness of corrective and preventive actions • Requirement for a PMS process and reporting of serious incidents and safety risks to authorities • Specific requirements for “special devices” such as transplantable parts or sterile devices • No explicit requirement for a continuous improvement process, specified processes must be revalidated after each major change.
2.2
The Essential Requirements of EN ISO 13485
2.2.1 General Requirements For medical devices and in vitro diagnostics manufacturers, it is mandatory to establish, document, implement, maintain, keep up to date and continuously improve a quality management system. In order to fulfill this, the required processes must be defined in terms of the process-oriented approach. The sequence and interaction of these processes must be determined, and a risk-based approach is needed to control the appropriate processes. The organization shall manage these quality management system processes in accordance with applicable regulatory requirements (MDR 2017/745 or/and IVDR 2017/746). High attention is paid to so-called outsourced processes. The organization must keep its responsibility regarding conformity with the requirements for these outsourced processes. Among other things, written quality agreements are required for this purpose (see also chapter ▶ “Management for Critical Medical Device and IVD Suppliers”). Another general requirement of the EN ISO 13485 is a document management system (for details see paragraph 1.3.3 Sect. 2.3 of this chapter). The documentation of the quality management system shall include a quality manual, the quality policy and quality objectives, required procedures, documents and records to ensure the effective planning, operation and control of the processes and finally any other documentation based on regulatory requirements. It is also specified which kind of information has to be part of the quality manual. It shall include the scope of the quality management system and exclusions of requirements, if justified. Also, documented procedures or at least references to the procedures are required as
72
J. Harer and J. Schro¨ttner
well as a description of the interaction of all processes and the structure of the used documentation. In adaptation to the European regulations, also a medical device file is required for each type or model of the manufacturer’s products. The minimum content of the file is specified in the standard, but it does not correspond to the requirements of the technical documentation according to MDR or IVDR. It is therefore very important to create one single medical device file for each type or model, which contains all required information acc. to Annex II of the regulations.
2.2.2 Management Responsibility It is the responsibility of the management to establish the quality policy and the quality objectives to ensure the availability of resources and to conduct management reviews. Another important topic is the focus on regulatory requirements as well as costumer wishes. The management has to communicate the importance of meeting costumers’ and regulatory requirements within the organization. This must be done in a comprehensible manner, like regularly documented meetings focusing on this topic. Such internal communication procedures must be established and specified in the form of a process description. Responsibility and authority must not only be defined and communicated within the organization but also documented. It is important to know the mutual relationships of all persons who manage, perform, and evaluate work that affects the quality of products. One person within the organization must take over the role of the “management representative.” The responsibility and authority of this person includes the supervision of all processes needed for the quality management system, reports to the management concerning performance of the quality management system and need for improvements as well as promotion of awareness of regulatory and costumer requirements. The management must ensure their independency and authority. The management has to check the quality management system at regular intervals in so-called management reviews. EN ISO 13485 defines the minimally required inputs and necessary outputs. Examples for inputs are results from audits, customer feedback, complaints or process performance. The output of the review shall comprise necessary improvements for the products and the quality management system, changes based on new regulatory requirements or needs for resources. In this regular management review, also the item “applicable new or revised regulatory requirements” must be addressed to ensure that the organization complies with the applicable regulatory requirements. This could be national legislation such as the Act on Medical Devices, technical standards such as “electrical safety standards” (e.g., EN 60601-1:2006 + A1:2013 or EN 61010-1:2010 + A1:2019), or special standards such as risk management according to EN ISO 14971:2019. The underlying idea is that, due to the existing hazard potential, the performance data of medical devices must be specially safeguarded, and the management must bear the ultimate responsibility for this. In many inspections, especially by the FDA, deviations in the management responsibility area are found. To avoid such office actions, management is expected to be regularly informed in particular about complaints and
Quality Management Requirements in Compliance with European Regulations
73
deviations and to actively support all necessary corrective and preventive measures (by means of suitable processes, sufficient resources, trained employees, and specification and follow-up of suitable targets). In addition, management must ensure through regular internal audits that all specifications of the QM system are implemented effectively and sustainably.
2.2.3
Management of Human Resources and Infrastructure
Human Resources Personnel performing work influencing product quality must be competent. The competence of these persons must be demonstrated via appropriate education, additional trainings (internal or external) and experience. What competence for what job position is necessary has to be documented in the competence management system. For this reason, the organization provides adequate trainings, evaluates the effectiveness of these trainings and keeps records as evidence. Finally, maybe most important, the organization has to ensure that its personnel are aware of the relevance and importance of their activities. Qualification of Infrastructure, Facilities, Computers, and Processes All quality-relevant rooms, supply facilities (water, gas, air, heating), production and testing equipment, and IT systems (infrastructure, hardware, and software) must be qualified before they are used for the first time in development and/or series production (for details, see chapter ▶ “Integrated Qualification of Manufacturing Systems for Medical Devices”). In this context, “quality-relevant” refers to all those facilities and systems whose malfunction could lead to an impairment of the finished product or to a hazard for the user or patient. If, for example, a malfunction cannot be detected with 100 % certainty by subsequent checks or tests, then qualification or validation of these plants and systems is mandatory. However, qualification or validation may also be appropriate for economic reasons instead of a 100 % verification in subsequent process steps. Testing and approval methods, as well as production processes, must also be validated (for details, see chapter ▶ “Process Validation for Medical Device Manufacturing”). The final development validation, as well as clinical studies, must be carried out with series or at least “near-series” parts and devices (see also EN ISO 13485:2016 Chap. 7.4.3). Maintenance plans must be available for quality-relevant equipment, and the performance of the prescribed maintenance activities must be documented. The personnel must be trained in a correspondingly documented manner. Control of the Working Environment, Hygiene, and Clothing Regulations Since many medical devices are used in aseptic areas (e.g., operating rooms) or come into direct contact with the patient, “hygiene” is an important requirement for many medical device manufacturers. EN ISO 13485 takes this into account with special specifications for sterile products. However, even devices that do not have to be sterile per se (such as in vitro diagnostics) can have their specified performance compromised by uncontrolled environmental conditions (air particles, humidity,
74
J. Harer and J. Schro¨ttner
Correct use of protecve clothing needs to be trained • Put gloves over your shirt-sleeves • Cover your hair, beard, ears and nose completely
Fig. 2 Work clothing – Examples of dos and don’ts in a clean room environment
room temperature, bacterial contamination) or utilities (water, gases). This can lead to anything from a reduction in storage time to incorrect readings. Therefore, to eliminate contamination of devices as much as possible, EN ISO 13485 and other regulations require that the company establish documented requirements for hygiene, working environment, and cleanliness of devices if the working environment and the people acting in it can directly or indirectly influence the quality of the product. This applies to: • Training, health, cleanliness, and work clothing of the personnel; for example, in a clean room, a detailed clothing regulation is mandatory (see Fig. 2) • The working environment, e.g., particle count, temperature, humidity, . . . . • Personnel who have to work under special environmental conditions.
2.2.4 Product Realization The organization must have a documented plan for the product realization. This includes defining the necessary processes, records and implementing a risk management system. In detail, the organization has to consider the requirements of the product, product-specific resources, necessary documents and records, required
Quality Management Requirements in Compliance with European Regulations
75
verification, validation, monitoring, inspection and test activities specific to the product as well as the criteria for the final product acceptance. Customer Satisfaction and Continuous Improvement The topics of customer satisfaction and continuous improvement of the management system have been replaced in EN ISO 13485 by the fulfillment of legal and customer requirements as well as the maintenance of the effectiveness of implemented measures. The legislator obviously assigns a higher value to a “safe” device than to an “improved” device, probably also due to the experience that each change of a device or process leads to a potential risk of product defects, and that this could result in a risk to users or patients. Another cause is that, before being introduced to the market, devices must undergo very extensive and costly verification and validation steps or approval procedures to prove that they meet their specified performance characteristics and are “safe.” Any major change now means that some or even all of these steps and approvals have to be repeated. In many cases, this effort cannot be justified by the expected additional benefit. In any case, the manufacturers must determine the requirements of their products. This includes not only requirements specified by the customer, but also requirements necessary, however not stated by the customer, as well as regulatory requirements related to the product. As an example, requirements for safety aspects of medical devices or in vitro diagnostics can be found in product related standards (see chapter ▶ “Safety Requirements for Medical Devices in Compliance with European Standards”). Once the requirements have been identified, they must be evaluated and in consequence, it must be determined whether the organization is capable of meeting those requirements. This decision and further measures must be recorded. This step of evaluation is especially important when there are changes in the product requirements. Product Development EN ISO 13485 requires that a defined procedure is documented for design and development. This procedure must include evaluation, verification, and validation of the design for each development phase. The development input shall include functional, performance, and safety requirements, according to the intended use, applicable regulatory requirements and standards, results from risk management, and other information, e.g., from previous designs. These inputs must be evaluated and approved. This step is necessary for verification of the development results against the approved inputs. The organization is completely free to define the development phases but must conduct development assessments at appropriate stages. Verifications must be performed to ensure that development deliverables meet the requirements for development inputs. Validations must be performed to ensure that the resulting product can fulfill its intended use. Validation must be completed before the product is released for use by the customer. Additionally, documented specifications for the transfer of development results to production and for the control of design and development changes are required. In principle, records must be kept of all design
76
J. Harer and J. Schro¨ttner
and development results (Design History File). For more details, see chapter ▶ “Medical Device Development.” Risk Management MDR and IVDR require in Art. 10(2) that the manufacturer must describe, document, apply, and maintain a risk management system. As stated in Annex I, Section 3 of the Regulations, the company must maintain a continuous iterative risk management process throughout the life cycle of a device (from development through production, delivery, putting into service, and usage to decommissioning). This means, the “risk management file” must be reviewed and, if necessary, updated at all important milestones during product development and subsequently at regular intervals, but especially in the event of changes or after the occurrence of extraordinary events (e.g., frequent failures in production, customer complaints, product recalls, information from literature, etc.). Traceable records must be kept of the risk management process itself as well as the identified risks and the measures taken to reduce the identified risks. The results of the risk management process should also be incorporated as requirements in new development projects. For details, see also chapter ▶ “Risk Management for Medical Devices in Compliance with EN ISO 14971.” In the medical device and in vitro diagnostics sectors, EN ISO 14971 has established itself as the standard for the risk management process. This standard defines the terminology, principles, and processes for risk management. The requirements are largely aligned with the MDR and IVDR and can be used, with minor additions, as a guideline for “state-of-the-art” implementation. Guidance on the application of EN ISO 14971:2019, including information on the relationship between the EU directives on medical devices and in vitro diagnostic medical devices, can be found in the ISO/TR 24971:2020 guide (ISO 2020). Qualification of Suppliers For suppliers (including subcontractors), the company must define a documented procedure of how suppliers are qualified, selected, and their performance is monitored on an ongoing basis. This can include procedural instructions which define the criticality of purchased parts and services, as well as supplier selection including initial sample approval and incoming goods inspection. The main objective of the procurement process is to ensure that the products procured comply with the specifications. The selection of suppliers must consider both the criticality of the purchased parts and services and the testability/detectability of any device deficiencies. A quality assurance agreement between the manufacturer and the supplier shall be signed before the first order is placed to ensure both the quality of the devices supplied and the supplier’s capability to be a reliable partner in the long term. This agreement shall further include obligations of the supplier, such as maintaining a QM system, performing inspections of incoming goods and in-process controls, keeping records, allowing inspections, notifying changes, and implementing a clear communication matrix (who is to be informed when and for which event). EN ISO 13485 requires a
Quality Management Requirements in Compliance with European Regulations
77
verification of the procured products whose extent is based on the evaluations of the suppliers and the risk of the procured product. It has to be mentioned that, according to MDR and IVDR, a Notified Body is allowed to audit manufacturers, suppliers or sub-contractors, if the manufacturer cannot demonstrate sufficient control of their suppliers. The outcome of all inspections and decisions must be documented accordingly. For details, see chapter ▶ “Management for Critical Medical Device and IVD Suppliers.” Requirements in Product Manufacturing and Traceability For production or service provision, EN ISO 13485 requires the organization to determine how the specified state of a device is maintained throughout the manufacturing process and how it can be protected from modification, contamination, or damage under the expected conditions of processing, storage, handling, and distribution. This is especially valid for devices with a limited shelf life. The handling of measuring equipment must be regulated in a separate specification document (see paragraph 1.3.2.4.6 “Control and Monitoring of Measurement Equipment” in this chapter). According to Annex II, Chap. 3 of MDR and IVDR, the manufacturer must provide complete information and specifications in the Technical Documentation, which will create an understanding of all design phases that the device goes through, including manufacturing processes and their validation, excipients used, ongoing monitoring and testing of the final product. Defined work procedures must be described regarding packaging and labeling. Computer software used in critical manufacturing processes must be validated. When organizations manufacture devices with special requirements, for example sterile devices, there must be a described procedure for this. In such cases strict adherence to validation procedures and thorough recording of the sterilization process parameters for each sterilization batch are mandatory. Validation is also required for all production processes, if it is not possible to verify the results of these processes via monitoring or measurement activities. For details, see chapter ▶ “Process Validation for Medical Device Manufacturing.” Defective devices must undergo an approval process before use, release, or special release. It must be evident who is authorized to issue these approvals and who actually carried them out, what type of defects were involved and what measures were taken to rectify these defects. A reworked part/product must be retested and approved to prove conformity. Such product approvals generally require a “4-eyes principle” control. If a product test or approval could not be passed successfully, an attempt must first be made to determine the root cause. Suitable corrective measures must then be taken before the tests can be repeated. Testing into compliance is a serious violation of the requirements of the QM system. Example: Release of a batch of 1000 bottles of calibration solution in the final QC department. Specified filling volume is 100 [ml]. For a positive decision the mean filling volume (sample size 20 bottles) must be > ¼ 98.0 [ml] and < ¼ 102.0 [ml]. The actual mean value is 97.8 [ml]. You must correctly analyze why the minimal filling volume was not achieved and decide, after analysis and corrective actions, how to proceed with this batch (scrap, rework,
78
J. Harer and J. Schro¨ttner
special release). You must not take another 20 bottles of the same batch without any analysis and/or corrective action, rerun the test and hope that the mean filling volume will be >98 [ml] this time. An important topic of EN ISO 13485 is the identification and traceability of devices. During the entire product manufacturing process and throughout its entire service life, the company must ensure that the device is clearly identifiable. Therefore, a documented procedure is required, which clearly describes the required records and their handling. On the one hand, traceability should ensure that no defective devices reach the market; on the other hand, it must be possible to quickly identify defective products in the market and, if necessary, to implement any recalls from the market without unnecessary delays. There are special requirements in this regard in connection with implantable products. As far as traceability is concerned, records of components, materials, and conditions of the working environment used must be presented, if the medical device does not meet its specified safety and performance requirements. EN ISO 13485 also demands comprehensive cooperation within the complete distribution chain. Rapid traceability and unique device identifiability (UDI) of defective devices in the market are also required in the new EU regulations (MDR 2017/745 and IVDR 2017/746), as they have been for some time in other international requirements (FDA, Unique Device Identification 2013) and guidelines (IMDRF, UDI guidance 2013). The requirement of EN ISO 13485, according to which a company must measure whether customer requirements are met, must also be seen in this context. This is associated with the mandatory requirement that a feedback system (vigilance system as well as PMS) is in place to provide early warning of quality problems in the market. The procedures and methods for this purpose must be defined and described. Control and Monitoring of Measurement Equipment For the aspect of verification, it could be necessary to carry out monitoring and measurement activities. The required monitoring and measuring equipment for proving the conformity of the product must be available for this purpose. To meet the requirements of a complete quality assurance system, it is therefore necessary to implement a measuring equipment management system. The minimum requirements of the EN ISO 13485 comprise the following: • Measuring equipment must be identifiable • Metrological traceability of the equipment (calibration and or verification) at specified intervals or before use, using measurement standards, if needed, performing adjustments and re-adjustments • Equipment must be secured against adjustments that would invalidate the measurement results • Equipment must be protected against damage and deterioration during handling, maintenance, and storage. In this context, it is necessary to establish procedures, comply with them, and keep the calibration/verification results of metrological traceability.
Quality Management Requirements in Compliance with European Regulations
79
2.2.5 Analysis and Improvement Each quality management system requires implementation of monitoring, analysis, and improvement processes. EN ISO 13485 also requires this, with the aim to ensure conformity of the realized product and of the quality management system and maintain the effectiveness of the quality management system. Aspects are customer/market feedback, complaint processing, performing internal audits, as well as analysis of results from process and product monitoring. Internal audits must be performed at scheduled intervals, usually at least once a year. The procedure for conducting audits, the necessary recording and reporting of audit results must be described. Within the audit program, the criticality of the processes and area to be audited, as well as the results of previous audits have to be taken into account. Also, criteria, scope, frequency and methods of the audit must be defined and recorded, which is usually content of the audit plan. Selected auditors must ensure objectivity and impartiality; auditors may never audit their own activities. It is clearly stated that any necessary corrective actions are taken without unjustifiable delay to eliminate non-conformities and their causes (for further information see Chap. 8.2.4 of the EN ISO 13485 and chapter ▶ “Mastering Quality System Audits and Inspections for Medical Devices”). Improvements are a basic principle of any quality management system. EN ISO 13485 requires that all changes necessary for the effectiveness of the quality management system and for the safety and performance of the medical device must be identified and implemented. As usual, corrective action and preventive action procedures must be documented and implemented for this purpose (for detailed information with regard to the requirements see Chap. 8 of the EN ISO 13485 and chapter ▶ “Post-Market Surveillance and Vigilance on the European Market”).
2.3
Document Management
One of the main requirements of EN ISO 13485, but also of 21 CFR 820, is that all specifications (standard operating procedures, test plans. . .) as well as all evidence data (test records, machine data, batch records. . .) must be documented. For this reason, principle of the FDA, which is now generally accepted among medical device manufacturers, is: “What is not documented is not existent.” This principle can be explained in accordance with the two requirements for repeatability and traceability. Repeatability as a prerequisite for a stable process and consequently reproducible results and “safe” products; traceability as a prerequisite for the clear identification of defective devices and the associated rapid initiation of appropriate corrective actions. A well described, implemented, and above all actively lived document management is therefore one of the main pillars of a functioning QM system for medical device manufacturers. The requirements for documentation have increased significantly in the EU regulations (MDR 2017/745 and IVDR 2017/746) compared to the previous directives (European Parliament and European Commission: 90/385 AIMD and 93/42
80
J. Harer and J. Schro¨ttner
MDD and 98/79 IVDD). It is likely that in the future more objections in this area are to be expected from the Notified Bodies, especially concerning the technical documentation according to Annex II of the MDR and IVDR. Also, in the FDA warning letters, serious violations of the document management regulations are found in a high percentage of all inspection reports (FDA Data Dashboard, 2022). Either written procedures are not provided, or the document change management shows serious deficiencies. However, errors in document retention, failure to conduct periodic reviews, as well as inadequate communication and training on documents are also main subjects of objection. Documents can basically be divided into specification and verification documents. Specification documents are binding documents that describe responsibilities, processes, product requirements, workflows, tools, etc. They include, for example, the process manual, procedural instructions, execution documents (e.g., work instructions, development specifications, manufacturing documents, test instructions, sales and service documents). Specification documents must not be created, checked, and released by one and the same person, but require at least the signature of two different persons. Newly created specification documents must be marked with document number, revision, and date. Specification documents must be continuously checked and revised in order to be up to date with the latest knowledge, experience, and the applicable regulations and standards. A procedure has to be in place which ensures that the specifications are always up-to-date, and the latest document version is available at the points of use. It has proven successful that the respective department or process manager is responsible for the creation and management of specification documents. The results of quality-relevant activities (e.g., development, test, inspection, assembly, maintenance, monitoring, registration, audit . . .) must be recorded. These verification documents shall prove the quality of the devices and processes as well as the functioning of the management system to customers and authorities. Evidence documents (and/or raw data) testify the execution or the results of the work or document a specific fact. Meeting minutes, such as minutes of management or project team meetings, must only be managed according to strict documentation procedures if facts or decisions that are the object or result of the meeting could have an influence on the functionality or safety of the devices or processes and those decisions are only documented in these minutes. In the following, the most important requirements, but also best practice experiences on the topic of documentation in the GxP-environment, are summarized (see also EN ISO 13485:2016 Chaps. 4.2.4 and 4.2.5).
2.3.1 Basic Rules for Documentation in the GxP Environment A fully described and strictly executed document management system is a central requirement for every medical device manufacturer (see Fig. 3). Documents may only be created and approved by technically competent and organizationally responsible persons. After a document has been approved, the personnel must be trained,
Quality Management Requirements in Compliance with European Regulations
81
Fig. 3 Document management workflow
before the document can be distributed to the point of use and come into effect. All employees must be demonstrably trained in the basic principles of document management, and in all regulations relevant to their area of work. Training records must be kept. A document change should be managed, evaluated, and approved only by those persons who signed the original version. If individual persons are no longer available, persons from the corresponding functional unit or persons with appropriate expertise must replace them.
2.3.2 Creation, Review, and Approval of Documents • Creation: The creation and control of quality-relevant specification documents must be described in a standard operating procedure (SOP). • Review and approval: Documents must be reviewed and approved before they are used. Typical roles in the creation and release of documents are: • The creator is a specialist/person (in exceptional cases, there may also be several persons) from the department concerned (e.g., R&D, production, purchasing, HR, QA . . .) or from a project team. The creator is responsible for the content and the scope of the document. • Usually, the reviewers of the document come from the affected areas and departments. They check the document for feasibility and correctness of content as well as for compliance with the applicable regulations for the area of activity for which they are responsible. The reviewer from the quality
J. Harer and J. Schro¨ttner
82
department checks the document for compliance with all regulations. Furthermore, he/she ensures the following points: • Are the approvers and investigators of the document correctly chosen? • Is the scope correctly defined? • Is a version history available? • Are the references to other standard documents correct? • Are terms and abbreviations correct? • Is the general plausibility of the document present? • Is system conformity provided? • The approver validates the document with his/her signature and puts it into effect. Normally the approver is a department or project manager. For very small companies, it is often difficult to assign the tasks related to document control to different persons. However, the minimum requirement is the “4 eyes principle,” which must be observed in any case. This means that at least the creator and the approver are different persons or, if they are identical, the reviewer has to be a second and independent person. If an employee is absent, his/her officially designated representative signs in accordance with the documented regulations. The name of the original person must be crossed out by the representative, and the name of the person representing must be added in plain writing (Fig. 4). • Modification of documents: Changes in documents must also be reviewed and approved by the same person(s) (responsibilities/functions) who reviewed and approved the previous version(s), or by person(s) having the required background. The modifications made must be traceable, typically described in the first chapter of the document. All approved versions of a document must be retained in accordance with archiving guidelines. Default documents that are product-related are subject to the product change process. Verification documents may only be changed if they are incorrect or incomplete. • Identification: Documents must be uniquely identifiable. To ensure this, each page of a document should contain a document number (or other unique identifier), the version or date, and the designation “page X of Y.” Modifications in a document result in a new version of the document. It is to be ensured that the date
Fig. 4 Correct procedure if alternative person is signing a document
Quality Management Requirements in Compliance with European Regulations
83
format is clearly assignable. Ideally, the format dd-mmm-yyyy (e.g., 01-Oct-2022) is used to avoid any confusion between day, month, and year. • Referencing: References between documents must be unique and present on all documents concerned. Unambiguous assignment between referenced documents can be achieved by specifying the title, document ID, or other unique characteristic features of the document, the version number (if necessary), or the release date and filing location (if useful and not apparent from other information). An unambiguous assignment between the main document and referenced documents can be achieved by specifying a unique feature of the enclosure in the main document, e.g., version number for software tests, serial number of the device, etc. The completeness of referenced documents should be easily verifiable. • Templates: If a document is based on a quality-relevant template, the identification (e.g., document number) of this particular version, which includes the template, must be visible on the document (Fig. 5). • Archiving and retention: Archiving and retention periods must be defined for all controlled documents (especially verification documents). As a basic rule for the minimum retention period of a document, the following rule of thumb can be assumed: minimum retention period ¼ defined service life of the device/product + two years (for possible complaint processing and inspection evidence). If, e.g., a diagnostic test kit is marketed for eight years and the maximum period of use is three years from production, then this results in the following minimum retention period for: a) Development documents: Time to product release 8 + 3 + 2 ¼ 13 years from product release/start of serial production. b) Production records test kits: 3 + 2 ¼ 5 years. c) Complaint reports: 2 years (Complaint statistics and trends are usually subject to much longer retention periods). In reality, retention periods of ten years have become established, a period, which can also be significantly extended for various reasons (e.g., protection of intellectual property). All documents must be protected from destruction or modification within the retention period. Therefore, quality-relevant paper documents and records are to be stored in fire-, water- and burglar-proof cabinets or rooms. Suitable backup Document-Nr.
Created by:
Risk Management Review
RM-42-01-00-07 Version-Nr.
John Halmo Approval date:
7.0
01.Jan.2022
RM-42-01-00-07 Risk Management Review © 2020 Medical device Corp. Ltd. - Graz - Austria
Fig. 5 Correct layout of a QM-controlled template
Page 1 of 3
84
J. Harer and J. Schro¨ttner
procedures must be provided for electronic data. Electronic data should only be stored on storage media, which are suitable for the intended storage period. Commercially available CDs/DVDs, for example, are not suitable for storage periods of more than ten years. In the case of electronic data, ensure that it can also be read on a future hardware and software platform. Otherwise, the corresponding IT systems must be archived as well. It has to be guaranteed that all quality-relevant documents and data may be accessed within reasonably short periods (so-called inspection submission period). Considering possible cyber-attacks and protection of personal data have to be integral part of a safe and compliant document management system (ISO/IEC 27001:2013, Information security management systems; EU 2016/679, General Data Protection Regulation, April 2016). With the introduction of the new EU regulations, extended minimum retention periods of relevant documents of ten years and, in the case of implantable devices, of 15 years become applicable (see, among others, MDR 2017/745 Annex IX Section 8 and IVDR 2017/746 Annex IX Section 7).
2.3.3 Original and Copy The original document is the file that bears the original signature. This is the manual signature in the case of paper documents or the electronic signature in a validated electronic document management system (see also chapter ▶ “Integrated Qualification of Manufacturing Systems for Medical Devices”). In a GxP-relevant environment, copies should only be used as specification documents for quality-relevant processes or as a basis for quality-relevant decisions, if it was ensured that they match the currently valid original. This could be guaranteed by appropriate automatic imprinting (e.g., provided with print date and the note “only valid on the day of printing” or with a stamp “valid copy”). It is also possible to link the original file and the output medium accordingly (e.g., file is stored on a “read-only” and access-protected storage medium and can only be accessed via a controlled web-based tool.). If an electronic copy instead of the original paper document (e.g., batch records) should be archived, it must be specified in advance, how exactly this is to be done. (Not only the scan-process but also checks, which have to be performed, need to be defined.) At least a random comparison of the paper/electronic document must be carried out by an appropriately trained person, so that the electronic document may be recognized as equivalent by an authority. After the original document was scanned and archived electronically, it should be destroyed. 2.3.4 Dealing with Corrections in Documents As a general rule, all documents must be protected against manipulation and destruction and all changes must be clearly traceable. Therefore, it is important to note the following: • Paper and ink must be of resistant material. Thermal paper, for example, is not a resistant material. It is recommended to make a copy of critical documents (e.g., printouts of measurement results on thermal transfer paper).
Quality Management Requirements in Compliance with European Regulations
85
Fig. 6 Change of records – example for “Dos and Don’ts”
• Blank fields in templates must either be filled in or crossed out so that no subsequent entries are possible. • For handwritten entries or signatures, a writing instrument with durable writing must be used (e.g., ballpoint pen, but no pencil or pen with water-soluble ink). It is best to use the font color blue so that originals can be easily distinguished from copies. • Errors (e.g., misspellings) should be crossed out on the paper document so that they remain legible. Tippex, erasing, pasting over, overwriting, and the like are prohibited. • All entries must be marked with visa (abbreviation) and date; if necessary, the reason for the correction should also be noted (Fig. 6).
2.3.5 Control of External Documents The procedure for the control of documents must also include the proceeding with external documents. Documents of external origin are defined as necessary for the organization for planning and operating the quality management system. They are called external documents because persons outside the organization determine their actuality or release. Typical examples are laws, regulations, guidelines, standards, but also data sheets of components used or specifications from suppliers. It must be ensured that these documents are clearly identified, and their distribution is managed.
3
Conclusions
A quality management system is mandatory for all medical device manufacturers under MDR 2017/745 and IVDR 2017/746. A quality management system should focus on reproducible product and service performance and guided troubleshooting mechanisms. A basis for the implementation of a QM system is the standard EN ISO 13485:2016. This standard describes an overall management system for the design, manufacture, and distribution of medical devices. Not all, but a large number of the requirements of the regulations are reflected in this standard. Apart from management responsibilities, management of human resources and infrastructure, especially product realization and document management, must be considered. In the development phase of a product, actions should focus on evaluation, verification, and validation of the product design. In addition, risk management plays an important role. The MDR 2017/745 and IVDR 2017/746, as well as the EN ISO 13485 require a risk management process according to the EN ISO 14971 standard. The requirements for documentation have increased significantly in the EU regulations. In the
86
J. Harer and J. Schro¨ttner
future, more objections in this area are to be expected from the Notified Bodies, especially concerning technical documentation. Finally, it has to be mentioned that compliance with the EN ISO 13485 standard requirements does not automatically result in compliance with all requirements of the MDR 2017/745 and IVDR 2017/ 746. Differences between the requirements in ISO 13485 and the EU regulations must be identified and thoroughly analyzed, just as appropriate measures have to be taken to fill the relevant gaps.
References European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2013) EN 60601–1:2006+A1:2013 Medical electrical equipment, Part 1: General requirements for basic safety and essential performance European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2015a) EN ISO 9001:2015 Quality management systems – Requirements European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2015b) EN 61010-1:2010+A1:2019 Safety requirements for electrical equipment for measurement, control, and laboratory use Part 1: General requirements European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2016a) EN ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2016b) EN 62304:2016 – medical device software – software life cycle processes European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2019) EN ISO 14971:2019 Medical devices – application of risk management to medical devices European Foundation for Quality Management (EFQM) (2021) The EFQM excellence model retrieved from 26 Aug 2022: https://www.efqm.org/efqm-model/ European Parliament and European Council (1990) Council directive 90/385/EEC of 20 July 1990 concerning active implantable medical devices. Off J Eur Communities. L189 European Parliament and European Council (1993) Council directive 93/42/EEC of 14 June 1993 concerning medical devices. Off J Eur Communities L169:1–43 European Parliament and European Council (1998) Council directive 98/79/EC of 27 Oct. 1998 concerning in vitro diagnostic medical devices. Off J Eur Communities L331 European Parliament and European Council (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Retrieved from 26 Aug 2022: https://eur-lex.europa.eu/legal-content/de/TXT/?uri¼CELEX%3A32016R0679 European Parliament and European Council (2017a) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 concerning medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 9s0/385/EEC and 93/42/EEC. Off Eur Union L117:1–175. Retrieved from 26 Aug 2022: https://ec.europa.eu/growth/single-market/european-standards/harmonised-stan dards/medical-devices_en European Parliament and European Council (2017b) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. Off Eur Union L117:
Quality Management Requirements in Compliance with European Regulations
87
176–332. Retrieved from 26 Aug 2022: https://ec.europa.eu/growth/single-market/europeanstandards/harmonised-standards/iv-diagnostic-medical-devices_en IMDRF (2013) UDI guidance – Unique Device Identification (UDI) of medical devices, IMDRF/ WG/N7FINAL:2013, December 2013. Retrieved from 26 Aug 2022: https://www.imdrf.org/ sites/default/files/docs/imdrf/final/technical/imdrf-tech-131209-udi-guidance-140901.pdf International Organization for Standardization (ISO) (2013) ISO/IEC 27001:2013, Information technology – security techniques – information security management systems – requirements. Retrieved from 26 Aug 2022: https://www.iso.org/standard/54534.html International Organization for Standardization (ISO) (2020) ISO/TR 24971:2020, Medical devices – guidance on the application of ISO 14971, 2020-06. Available from 26 Aug 2022: https://www. iso.org/standard/74437.html U.S. Food and Drug Administration (FDA) (2013) Unique Device Identification, Doc. 2013– 23059, 24.09.2013. Retrieved from 26 Aug 2022: http://www.fda.gov/udi/ U.S. Food and Drug Administration (FDA) (2022a) FDA data dashboard. Retrieved from 10 Aug 2022: https://datadashboard.fda.gov/ora/index.htm U.S. Food and Drug Administration (FDA) (2022b) Code of Federal Regulation 21 CFR Part 820 quality system regulation. Retrieved from 26 Aug 2022: https://www.accessdata.fda.gov/ scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart¼820
Risk Management for Medical Devices in Compliance with EN ISO 14971 Brigitte Gu¨bitz and Udo Klinger
Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Risk Management Process for Medical Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 Fundamentals and Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Risk Management Process According to EN ISO 14971 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Risk Management Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4 Knowledge-Based Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5 Risk Management Software Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
90 91 91 92 104 117 118 118 119
Abstract
As a medical device manufacturer, one is often confronted with questions regarding the correct application of risk management for medical devices. For example, it is important to know from the outset which regulations or legal bases apply to risk management. For the implementation of the risk management process, it is important to know which phases it has to go through and which methods and tools are helpful in the implementation. And, of course, it is also important to know which documents have to be created and which prerequisites have to be fulfilled in order to be able to perform a risk assessment, for example. To answer these questions, this chapter highlights the relevant regulations and laws for risk management in the development and manufacturing of medical devices. Furthermore, the risk management process in the life cycle of a medical device is presented, and the procedure for its implementation is outlined. In addition, the individual elements of the risk management process are described B. Gübitz (*) VTU Engineering GmbH, Raaba-Grambach, Austria e-mail: [email protected] U. Klinger Graz, Austria © Springer Nature Switzerland AG 2023 C. Baumgartner et al. (eds.), Medical Devices and In Vitro Diagnostics, Reference Series in Biomedical Engineering, https://doi.org/10.1007/978-3-031-22091-3_6
89
B. Gu¨bitz and U. Klinger
90
and discussed in detail. All documents that are considered as evidence of the establishment of a complete risk management process are presented, and their necessary content is shown. The most commonly used risk management methods, such as fault tree analysis, Ishikawa diagram, and failure mode and effects analysis, are described, and the strengths and weaknesses of these methods are discussed. Finally, the use of knowledge-based software systems for risk management is discussed, as these software systems are increasingly coming into focus to enable knowledge management in risk management. Abbreviations
AIMDD ALARP CEN/CENELEC
EN EU FDA FMEA FMECA FTA GHTF GMP HACCP HAZOP ICH IEC ISO IVDD IVDR MDD MDR RA REXS RM RPN
1
Active Implantable Medical Device Directive As low as reasonably practicable European Committee for Standardization (CEN) and European Committee for Electrotechnical Standardization (CENELEC) European norm European Union Food and Drug Administration Failure mode and effects analysis Failure modes, effects, and criticality analysis Fault tree analysis Global Harmonization Task Force Good manufacturing practice Hazard analysis and critical control points Hazard and operability study International Conference on Harmonisation International Electrotechnical Commission International Organization for Standardization In Vitro Diagnostic Medical Device Directive In Vitro Diagnostic Medical Device Regulation Medical Devices Directive Medical Device Regulation Risk assessment Risk expert system Risk management Risk priority number
Introduction
Risk management is a central tool in the realization of medical devices, on the one hand to ensure the quality of the developed and manufactured devices and on the other hand to guarantee conformity with regulatory requirements.
Risk Management for Medical Devices in Compliance with EN ISO 14971
91
The systematic handling of risks passes through various phases in the life cycle of a medical device – risk management is therefore a life cycle concept (Rempe 2021). Therefore, the aim of risk management is to evaluate devices and processes with regard to their criticality over the product life cycle and, based on this, to develop appropriate measures for risk control and risk minimization. In this way, the quality of the devices and processes can be increased. In addition, only the measures that are really necessary for risk control are identified, which can lead to a reduction in costs or resources in the case of corrective and preventive measures, for example. The following chapter describes the legal basis and the requirements for the risk management process for medical devices. The individual phases of the risk management process and the documents to be created are explained in general terms. Furthermore, possible methods for implementing the risk management process are presented.
2
Risk Management Process for Medical Devices
2.1
Fundamentals and Regulations
For medical device manufacturers, the establishment of a risk management process is required in the national medical device laws as well as in the European regulations (MDR 2017/745 for medical devices and IVDR 2017/746 for in vitro diagnostic devices), which have come into effect since 2017. These new regulations replace the previously applicable directives of the Council of the European Communities (MDD 93/42/EEC, AIMDD 90/385/ECC, and IVDD 98/79/EC) and address the topic of risk management in more detail than the previous regulations. The essential part of both regulations is the “general safety and performance requirements” set out in Annex I, which manufacturers and distributors of medical devices must fulfil. The general safety and performance requirements also emphasize patient safety and user safety, as defined, for example, in Requirement 1 in Annex I (from MDR 2017/745 and IVDR 2017/746): “Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose. They shall be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons, provided that any risks which may be associated with their use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety, taking into account the generally acknowledged state of the art.” EU regulations and national medical device laws require the application of risk management as an essential part in the development and manufacturing phase of medical devices. EN ISO 13485 (CEN/CENELEC 2016) explicitly requires a documented risk management process in Chap. 7, “Product Realization”:
92
B. Gu¨bitz and U. Klinger
• 7.1 Product realization planning: “The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained . . . Further information can be found in EN ISO 14971” (CEN/CENELEC 2016). • 7.3.3 Design and development inputs: “Inputs relating to product requirements shall be determined and records maintained. These inputs shall include ... (c) applicable output(s) of risk management ...” (CEN/CENELEC 2016). The international standard EN ISO 14971 “Application of Risk Management to Medical Devices” (CEN/CENELEC 2019) is a harmonized standard under the mentioned EU directives and under the EU regulations. Therefore, this standard is considered as a recognized standard for medical device manufacturers for the correct application of risk management. The EN ISO 14971 standard describes the procedure for implementing a risk management process for medical device manufacturers. All phases of the product life cycle have to be considered. The implementation of risk management for medical devices is also described in more detail in further guidelines and guidance documents, for example, the international accepted guideline from the Global Harmonization Task Force (GHTF) on risk management (GHTF 2005). Risk management processes from related areas – e.g., the pharmaceutical sector – can also provide valuable supplements to the EN ISO 14971 standard. For example, the harmonized GMP guideline ICH Q9 Quality Risk Management describes implementation options that can be applied specifically to the manufacture of medical devices (ICH 2023). The EN ISO 14971 is current valid in the version EN ISO 14971:2019. Compared to the most recent version EN ISO 14971:2012, the annexes have been restructured. Many of these annexes have now been moved to the new standard ISO/TR 24971: 2020 (CEN/CENELEC 2020), which is currently available as a Technical Report. The ISO/TR 24971 is recommended as a practicable guide for the implementation of the risk management process.
2.2
Risk Management Process According to EN ISO 14971
The use of medical devices always involves certain risks for patients and users. For this reason, medical devices must be developed, manufactured, and used in such a way that the residual risk for the patient or user is minimized or the benefits of use outweigh the risks. Only a high level of product safety and product quality can ensure a high level of patient or user safety. For this reason, a medical device manufacturer is obliged to establish a risk management process throughout the entire product life cycle. Risk assessments for medical devices generally consider the suitability of the device to be placed on the market for its intended purpose, focusing on safety for
Risk Management for Medical Devices in Compliance with EN ISO 14971
93
patients, users, and third parties but also addressing effects on the environment or property. In order to establish a risk management process, it is necessary, on the one hand, to know the legal basis and requirements for the risk management process and, on the other hand, to implement the requirements in a practical manner. The EN ISO 14971 standard describes a risk management process with the following elements: • • • • •
Risk analysis. Risk assessment. Risk control. Evaluation of residual risk. Evaluation of information from production and postproduction phases (e.g., transport, storage, installation, use of the device, maintenance, repair, modifications to the device, decommissioning and disposal).
Figure 1 shows a schematic representation of the risk management process according to EN ISO 14971. The individual elements of the risk management process are considered in more detail in the following chapters. Since the risk management process in EN ISO 14971 is primarily focused on development, any requirements for the implementation of the risk management process in the further phases of the product life cycle are described in more detail in the corresponding chapters of this book.
1. Risk Analysis • Intended use and identification of characteristics related to safety • Identification of hazards • Estimation of risks
4. Production and postproduction information
Risk Assessment
2. Risk Evaluation
3. Risk Control 4. Evaluation of acceptance of overall residual risk
• Measures for risk reduction • Residual risk evaluation • Risk-benefit analysis
Risk Management Report
Fig. 1 Presentation of the risk management process according to EN ISO 14971
94
B. Gu¨bitz and U. Klinger
2.2.1 Risk Analysis A risk analysis (RA) for medical devices is defined as the systematic use of available information to identify hazards and assess risks. This includes the investigation of different effects of events that may cause hazardous situations and damage (CEN/CENELEC 2019). This definition already shows that it is necessary to explain the different terms used in the risk analysis process in more detail, as confusion of the terminology could often lead to incorrect analyses or misinterpretation: • Harm: Physical injury or damage to human health or damage to property or the environment. • Hazard: Potential source of harm. • Hazardous situation: Circumstances in which people, properties, or the environment is exposed to one or more hazard(s). • Risk: Combination of the probability of occurrence of a harm and the severity of that harm, where severity is defined as the measure of the potential impact of a hazard. Intended Purpose and Identification of Security Features The process of risk analysis defines that in the first step the intended purpose and all qualitative and quantitative characteristics of the medical device as well as the context of use that may be related to the safety of the medical device are determined and analyzed. For this purpose, the standard ISO/TR 24971 (CEN/CENELEC 2020) provides assistance in Annexes A and H. Identification of Hazards The second step of risk analysis involves the structured identification of hazards that could lead to harm to patients, users, or other persons. Hazards are to be identified under both normal and foreseeable misuse of the medical device. Good assistance is given in Table C.1 in Annex C of EN ISO 14971. This table contains examples of hazards that fall into the groups of: • Energetic hazards. • Biological and chemical hazards. • Performance-related hazards. In addition, various methods of risk management or failure analysis serve as sources of information to identify potential hazards (e.g., FMEA or FTA, see Sects 2.3.2).
Risk Management for Medical Devices in Compliance with EN ISO 14971
Root cause
Further causes
Hazard
Hazardous situation
95
Harm
Fig. 2 Chain of events until damage. (Johner et al. 2011)
When identifying hazards, the differentiation of hazard and hazardous situation is essential for the assessment of risks associated with the use of the device. Figure 2 (Johner et al. 2011) provides a good understanding of this. “The hazard situation results from a chain of events (chain of causes), where the last cause before the hazardous situation is the hazard” (Johner et al. 2011, p. 68). Especially for the assessment of risks, it is important to assess the hazardous situation that can lead to harm, not just the hazards themselves. The following two definitions serve as an explanation: “Medical devices only cause harm if a sequence of events occurs that results in a hazardous situation which then causes or leads to harm. Sequences of events can include a chronological series of causes and effects, as well as combinations of concurrent events. A hazardous situation occurs when people, property or the environment are exposed to one or more hazards” (ISO/TR 24971 (CEN/CENELEC 2020), Sect. 5.4.2). “Understanding how hazards progress to hazardous situations is critical for estimating the probability of occurrence and severity of harm that could result. An objective of the process is to compile a comprehensive set of hazardous situations. [. . .] The manufacturer must determine what constitutes a hazard in order to comply with the particular analysis” (EN ISO 14971 (CEN/CENELEC 2019), Annex C). Assessment of Risks for Each Hazardous Situation In order to assess a risk based on a hazard or the resulting hazardous situation, the severity associated with the harm and the probability of the harm occurring for patients, users, and third parties must be determined or estimated. The ISO 14971 standard defines the combination of the probability and severity of harm as risk. The probability of the occurrence of harm is obtained by combining the probability that a hazardous situation will result from a hazard with the probability that a harm will result from the hazardous situation. In risk analyses, it is often discussed that the probability of occurrence of a failure is high, and therefore the probability rating is also set high. However, it is not considered that the hazard situation must also be taken into account and the overall assessment must be based on the probability of the occurrence of the harm. Figure 3 shows this relationship: the probability P1 must be combined with the probability P2 to determine the probability of the occurrence of harm (from EN ISO 14971:2012 (CEN/CENELEC 2012)). For the assessment of harms, first of all, it should be considered, “What are possible maximum and minimum relevant harms?,” in order to get a reasonable classification and gradation of severity. Possible harms are, for example:
B. Gu¨bitz and U. Klinger
96
Hazard
P1
Sequence of events
Hazardous situation
P2
Harm
Severity of harm
Probability of occurence of harm
Risk
P1 x P2
Fig. 3 Relationship between hazard, hazardous situation, harm, and risk (CEN/CENELEC 2012)
• • • • •
Death. Permanent disability. Reduction in life expectancy. Impairment of a body function. Inconvenience/discomfort.
In addition, characteristics such as “reversible damage,” “irreversible damage,” “medical intervention required,” etc. should also be considered for the classification of severity into different categories. Binary decision criteria facilitate the classification in the analysis. It is important to note that the manufacturer is responsible for the definition of possible harm and the categorization into different severity categories and must do this according to the intended purpose of the medical device. For the categorization of severity and probability of occurrence of harm, the classification tables are given as an example (see Tables 1 and 2). The number of levels should not be too high, since the classification of qualitative level descriptions is often not clearly assignable or cannot be reproduced. A gradation between three and five seems to be target-oriented and sufficient. It is also important that classification criteria are formulated in a meaningful way. For
Risk Management for Medical Devices in Compliance with EN ISO 14971
97
Table 1 Rating table for the severity of harms S S1 S2 S3 S4 S5
Severity of harm (Qualitative measure) Negligible Inconvenience or temporary discomfort Low Results in temporary injury or disability that does not require medical intervention Serious Results in injury or disability that requires medical intervention Critical Results in permanent disability or life-threatening injury Catastrophic Leads to death of the patient or user
Table 2 Evaluation table for the probability of occurrence of the harm P P1
P2 P3 P4 P5
Probability of occurrence of the harm (Qualitative measure) Unlikely, theoretically conceivable Theoretically conceivable, practically basically impossible, similar cases have not been observed in practice in the past Rare, hardly imaginable Has been observed in the past with similar devices, but deems as an exception Occasional, conceivable Could occur at irregular intervals, no longer deem exceptional Probable Will occur under certain circumstances, but not systematically Frequent Will occur at regular intervals, systematic occurrence
example, for the probability of occurrence, the qualitative criterion “Unlikely” can be described quantitatively as follows: Unlikely ¼ “the damage occurs less frequently than once a year” or somewhat weaker “the damage has never occurred with comparable devices.”
2.2.2 Risk Assessment Risk assessment is defined by the EN ISO 14971 standard as “the process of comparing the assessed risk with given risk criteria to determine the acceptability of the risk.” Since a risk is to be considered as a combination of the extent of harm and probability, a matrix is well suited as a form of representation. It should be possible to assign each combination of the two factors to a specific risk rating. The division into two areas is prescribed in the standard, i.e., a distinction must be made between acceptable and unacceptable risks: • Acceptable risk ¼ low risk. • Unacceptable risk ¼ high risk.
B. Gu¨bitz and U. Klinger
98
Nevertheless, risk mitigation measures must be introduced on a mandatory basis for unacceptable and acceptable risks. In some cases, one also uses a third classification, i.e., a further subdivision of the acceptable range into two groups: Risks that nearly exceed the acceptability criterion should be treated separately, and therefore risk mitigation measures should be applied to reduce these risks to the lowest achievable level, considering the state of the art, the benefits of acceptability of the risk, and the practicality of further mitigation. This third level of risk assessment is often referred to as medium risk. Medium risks fall into the so-called ALARP (as low as reasonably practicable) range. “This means setting measures to reduce a risk so that the remaining residual risk is not unacceptably high and the cost of any further risk reduction measure is disproportionate to the further reduction in risk achieved” (Preis 2009), p. 74). This passage was originally present in the EN ISO 14971:2000 standard, but was removed because this had led to misunderstandings in practical application and contradicted the directives requiring reduction to as far as possible. Figure 4 shows an example of a risk assessment matrix in three areas. Based on this matrix, it can be seen that the assessment of risks is distributed asymmetrically – to the extent that the severity of harm has a higher weighting than the probability. For example, the combination of the highest severity and the lowest probability is classified as a medium risk, whereas in the opposite case this is only classified as a low risk. This classification appears to make sense for medical devices, since more emphasis is to be placed on the impact of hazards and the associated potential harm than for devices of other types of use. What seems surprising here is the example of a risk assessment matrix shown in EN ISO 14971:2012 (Annex D, p. 49) (see Fig. 5) – this is essentially how it has been adopted in ISO/TR 24971:2020, Fig. C.1: Catastrophic harm that is unlikely to occur is seen as an acceptable risk, and in comparison, negligible harm that is likely to occur is classified as an unacceptable risk. This classification is difficult to understand.
2.2.3
Risk Control
Risk Control Options The manufacturer shall define one or more risk control measures suitable to mitigate the risk(s) to an acceptable level. The following hierarchy of measures is defined for risk mitigation: 1. Constructive measures (integrated safety through design adaptation). 2. Protective measures (in the device itself or in the manufacturing process). 3. Information for safety (directly on the medical device or in the accompanying documentation). Hierarchy of measures means that mitigation measures must be implemented in exactly this order. First, the manufacturer must try to implement design adjustments
Risk Management for Medical Devices in Compliance with EN ISO 14971
99
Probability of occurrence of harm
Frequent
Probable
Occasional
Remote
Catastrophic
Critical
Serious
Minor
Negligible
Improbable
Severity level
Legend:
unacceptable risk
investigate further risk reduction
insignificant risk Fig. 4 Example of a five-by-five risk assessment matrix (EN ISO 14971:2012 (CEN/CENELEC 2012), Annex D)
to the device. Only if these adjustments cannot contribute sufficiently to risk reduction, protective measures in the device, such as sensors for monitoring, or testing measures in the manufacturing process must be implemented. For the weakest measure deems a written warning on the device (labelling) or in the instructions for use. It is important not to mix up the terms “information for safety” and “disclosure of residual risks.” The former has the aim of minimizing the risks by giving instructions to the users (changing a behavior), and the latter has the aim of raising awareness of existing risks (see ISO/TR 24971 (CEN/CENELEC 2020)).
B. Gu¨bitz and U. Klinger
100
Qualitative Severity levels Negligible
Minor
R1
R2
Serious
Critical
Catastrophic
R5
R6
Semi-quant itati ve probabili ty l evels
Frequent
Probable
Occasional
R4
Remote R3
Improbable
Legend
Unacceptable risk
Negligible risk
Fig. 5 Example of a semiquantitative matrix for risk assessment (ISO/TR 24971:2020 (CEN/CENELEC 2020), Fig. C.1
Constructive measures can either eliminate particular hazards, reduce the probability of the occurrence of hazards, or reduce the severity of a hazard. Protective measures or information can ultimately only reduce the probability of the occurrence of hazards. Examples of measures in all three categories are given in Table 6 of ISO/TR 24971 (CEN/CENELEC 2020) and are intended to provide guidance to manufacturers on how risk mitigation measures should be defined. It is helpful to prepare predefined risk mitigation measures for specific devices or device groups with similar intended use and make them available to the risk analysis teams. These contain information on typical hazards and the appropriate mitigation measures (already successfully implemented for similar devices) that should be defined and implemented. Implementation of Risk Control Measures The defined risk control measures must be implemented accordingly, e.g., as part of product development. It is useful to integrate these measures into the requirements management process (see also chapter ▶ “Medical Device Development”), so that corresponding requirements or specifications are derived from the control measures. This ensures that the risk management process is not carried out separately from the
Risk Management for Medical Devices in Compliance with EN ISO 14971
101
requirements management and design and development process, but that these processes interact via well-defined interfaces. After the implementation of the risk control measures, each individual measure implementation must be verified, i.e., confirmation must be provided that the measures have been successfully implemented according to their definition. Furthermore, the effectiveness of each measure must subsequently also be verified, i.e., confirmation that the measure definitely reduces the risk. The evidence can be given with application of the product itself, or a preliminary product (prototype), or also by data evaluations, simulations, etc. In general, it should be noted that after each definition of control measures, it must be assessed whether new hazards and risks could arise as a result of these measures. If so, they must be included in the risk management process, and it must be proceed as described above. Residual Risk Evaluation After successful implementation of the risk control measures, a new risk assessment must be carried out in accordance with Sect. 2.2.2. If it turns out that the risk is still not acceptable, further measures must be taken, and the risk must be reassessed until the remaining residual risk is acceptable. For residual risks that have been assessed as acceptable, the manufacturer must decide which residual risks are to be disclosed and which information is to be included in the customer documentation. Risk-Benefit Analysis There are some cases where the risk associated with a medical device exceeds the manufacturer’s criteria for acceptable risk. If the residual risk is assessed as unacceptable using the established evaluation criteria and further risk control measures are not feasible, the manufacturer may collect and evaluate data and literature to determine whether the medical benefits of the intended purpose outweigh the residual risk. If this evidence does not support the conclusion that the medical benefit outweighs the residual risk, the risk remains as unacceptable. If the medical benefit outweighs the residual risk, the manufacturer is able to place his medical device on the market (CEN/CENELEC 2019). However, it is important for users to be appropriately informed of significant residual risks and the benefits resulting from the device.
2.2.4 Evaluation of the Overall Residual Risk After a manufacturer has identified and assessed all conceivable risks as part of the risk management process, implemented and verified appropriate mitigation measures, and assessed their residual risks, it is necessary to examine all residual risks again and carry out an overall risk assessment. This involves deciding whether the combined effects of all the individual residual risks are acceptable and whether the device can be placed on the market. It is nevertheless possible that the overall residual risk exceeds the manufacturer’s criteria for acceptability of the risk, although the individual residual risks do not.
102
B. Gu¨bitz and U. Klinger
Chapter 8 of ISO/TR 24971 (CEN/CENELEC 2019) provides useful assistance on how to assess the overall residual risk. Possible approaches include the consideration of the benefits in relation to the intended use of the medical device or the comparison to similar medical devices. It should also be assessed whether several individual risks are close to the acceptability limit and may need to be examined further. Furthermore, the instructions for use should be assessed comprehensively, whether the information relating to hazards is easy to find and the information is consistent, or whether the instructions for use are too difficult to read. Further information can be obtained from usability tests or clinical studies that have been carried out, as to whether hazardous situations could have arisen during these studies, or whether users or patients have been exposed to hazards. The decision to release the product is again based on a risk-benefit assessment and must finally be documented accordingly and communicated to the customer with the information provided with the product.
2.2.5 Product Monitoring After the device has been released for manufacturing and placing on the market, the so-called product monitoring phase begins. The EN ISO 14971 standard refers to the collection of “Information from production and post-production phases.” In the course of risk assessment, it can happen that risks have been incorrectly assessed or measures are not having the desired effect. Therefore, monitoring the effectiveness of risk measures takes an important role in the risk management process. The medical device manufacturer must establish a procedure for evaluating information from production and postproduction phases (market monitoring). The following should be considered: • Are there new hazards that have not yet been identified? • Have any hazards arisen as a result of failures that have occurred in the practice? In order to decide whether • The original assessments are still valid. • The overall risks are still acceptable. In the event of new hazards or a change in the risk assessment, the risk management process must generally be reviewed and, if necessary, revised. Usually, devices are adapted during the marketing phase, i.e., improvements are incorporated, or product enhancements take place. When changes are introduced, it is necessary to check whether new risk aspects need to be considered that had not previously been considered or whether any problems have now become known but were originally assessed differently. Furthermore, it must be determined whether new potential hazards or hazardous situations could arise as a result of the introduction of new features or functions of the device.
Risk Management for Medical Devices in Compliance with EN ISO 14971
103
This means that the risk management process must be maintained throughout the entire life cycle. The process steps of risk analysis, risk assessment, risk control, and risk acceptance must be carried out again and again in repetitive cycles in order to continuously ensure safety for patients, users, and third parties.
2.2.6 Documents of the Risk Management Process Medical device manufacturers are obliged to document the entire risk management process in accordance with the requirements of international regulations and national laws. For all process steps, the EN ISO 14971 standard specifies requirements what has to be documented. In the following, the documents are listed, which are considered as evidence of an established risk management process. Risk Management File The so-called risk management file contains all documents required and generated in the risk management process. The term “file” is used here to refer to the sum of all individual documents, which are actually understood as a bundled unit. This means that the documents should not exist in distributed filing or documentation management systems, but are available in bundled form. However, this risk management file may also include references to other files of the manufacturers’ documentation that have the required risk management documents made available in a reasonable amount of time. The risk management file essentially includes a risk management plan, the sum of diverse risk analysis records, all risk assessments, evidence of the implementation of risk mitigation measures, verification of these, and assessments of the acceptability of the overall residual risk in a corresponding risk management report. Risk Management Plan The risk management plan is a comprehensive document (or collection of documents) that must include all risk management activities. The plan must include the following minimum requirements: • Description of the medical device and the life cycle phases that this device goes through to clarify the scope of risk management. The life cycle phases are typically the design and development phase, manufacturing, distribution, operation of the device according to its intended use, through to decommissioning at the end of the device’s life time. • Establishing responsibilities and authorization of personnel involved. This typically includes the designation of a risk manager, specialists, and experts who will be involved in the analysis and assessment activities, persons who will conduct reviews, and also personnel who will be in charge of verification and effectiveness testing of mitigation measures. • Criteria for the acceptance of risks, based on the manufacturer’s quality policy for defining acceptable risks. This means that criteria for the acceptance of risks must be established by defining corresponding ranges for acceptable and non-acceptable risks in a risk matrix (combination of severity and likelihood)
B. Gu¨bitz and U. Klinger
104
(see Sect. 2.2.2). If similar devices or similar categories of medical devices are developed again and again, it makes sense to establish the criteria for accepting risks as part of the quality management system, e.g., in a risk management standard operating procedure. This ensures that the standardized criteria are applied to every development project. • Verification activities. This includes all activities to confirm the successful implementation of the risk mitigation measures and also to confirm the effectiveness of the implemented measures. The risk management plan must describe how these activities will be performed. • Product monitoring procedures: Obtaining information from the manufacturing process and postproduction phases generally involves evaluations of defects or customer feedback. These evaluations are generally to be carried out in accordance with established procedures, so reference can also be made to these standard operating procedures in the risk management plan. Risk Analysis Records All risk analyses performed must be documented; this includes the identified characteristics related to the safety of the product, the hazards and hazardous situations identified, and the assessment of risks for each hazardous situation. The risk assessments (acceptable and unacceptable risks) resulting from the assessment of severity and probability, as well as the determination of mitigation measures, are usually also part of this documentation. Usually, templates in the form of tables or proprietary risk management tools (software tools) are used that enable the complete documentation of risk analysis, assessment, definition and verification of mitigation measures, and final evaluation to be mapped. Risk Management Report The risk management report is a final summary of risk management prior to the launch of the device. This report includes information on the full implementation of the activities defined in the risk management plan (up to the time of product launch) as well as an overall risk acceptance and confirmation that appropriate methods and procedures exist to obtain relevant information from production and postproduction phases. The overall risk acceptance describes the sum of all identified risks; the individual risk assessments and, if applicable, the risk-benefit analysis; and the associated strategy for how the residual risk information must be communicated to the users of the device.
2.3
Risk Management Methods
Before describing the individual risk management (RM) methods in more detail, it should be noted that there is not only one method for all areas of risk management (e.g., risk identification, risk assessment, risk control). Some risk management methods focus on the identification of risks – such as the fault tree analysis [FTA]
Risk Management for Medical Devices in Compliance with EN ISO 14971
105
(see also Sect. 2.3.2). With other methods, additionally a risk assessment can be performed (e.g., failure mode and effects analysis [FMEA]; see also Sect. 2.3.2). For the implementation of a risk management process, the medical device manufacturer is generally free to choose which risk management methods to use. Nevertheless, it makes sense to specify and/or restrict the risk management methods to be used in a company, in order to make the results from the risk management process comparable and to reduce training efforts. In many cases, it also makes sense to combine the individual methods (see also Sect. 2.3.2). In the following, the most commonly used methods for risk management are described and discussed specifically for use in the medical device sector.
2.3.1 Prerequisites Before Implementation In order to successfully implement a risk management method, the following prerequisites have to be fulfilled: • • • •
Definition of the risk management team. Definition of the scope of a risk analysis. Determination of the acceptance criteria. Acquisition of necessary knowledge.
Definition of the Risk Management Team Risk analyses/assessments should generally be performed by an interdisciplinary team (International Electrotechnical Commission (IEC) 2018). This risk management team should be composed of experts from all areas that may have an influence on the quality and safety of the medical device as well as the compliance of the device with regulatory requirements. It is also helpful if the risk management team includes persons with experience in performing risk analyses or if the risk analysis is led by a moderator. The moderator should generally not be part of the project/area for which the risk analysis is being conducted, so that objectivity is ensured. However, it is helpful if the moderator has expertise in the analyzed areas in addition to knowledge of the risk analysis methodology. Before conducting the risk analysis, all members of the risk management team – including external team members like suppliers – should be trained on the risk management methodology used. This can be recorded either in the risk analysis itself or in appropriate training protocols. Risk analyses must be checked and approved by previously defined people. For this purpose, the risk analysis team – creator, reviewer(s), approver, etc. – should be predefined and also documented in the risk analysis document. Furthermore, all participants in a risk analysis should also be documented. In order to speed up risk analysis, it is helpful to define the following responsibilities in advance:
106
B. Gu¨bitz and U. Klinger
• Who is responsible for the definition of the probabilities of occurrence of a failure/cause. • Who is responsible for the assessment of the severity of a damage. For example, the assessment of the severity of a damage could be defined by the “development,” while the definition of probability of occurrence is the responsibility of “engineering.” In order to ensure the implementation of risk-reducing measures, the person responsible for implementation and for monitoring implementation should be named in the risk analysis for each measure. Definition of the Scope of a Risk Analysis Before performing the risk analyses, the areas, devices, processes, and/or production facilities to be analyzed should be clearly defined, including their boundaries/ interfaces. Technical drawings – e.g., process flow diagrams or piping and instrumentation diagrams – showing these boundaries/interfaces should be available during the risk analyses for the whole team, to help the team to get a better overview. Determination of Acceptance Criteria Before performing a risk analysis, it should be clearly defined which criteria are to be used for the acceptance of risk. Acceptance criteria are not specified in regulations (see Sect. 2.1) and have to be defined by the company/institution in charge of the risk analysis. Section 2.2.1. Assessment of Risks for Each Hazardous Situation provides examples for the categorizing of the severity of damage and the probability of occurrence of a failure/cause. In Sect. 2.2.2. the risk assessment matrix is discussed as an assessment tool for risk acceptance. In the failure mode and effects analysis (see Sect. 2.3.2), the risk priority number (RPN) is described for risk acceptance. Acquisition of Necessary Knowledge In order to be able to carry out a risk analysis/assessment correctly, the necessary knowledge of the facts and the regulatory area must be available. On the one hand, this can be done by experienced members of the risk analysis team; on the other hand, it often makes sense to check whether risk analyses/assessments of similar problems are already available. For example, results from research and development (R&D) risk assessments should be considered in subsequent project phases (e.g., in risk analyses for production facilities). Literature searches can also provide important insights. Since risk knowledge must be available over the entire life cycle of a medical device – from development through production to product monitoring – the use of knowledge-based risk management software systems is increasingly coming into focus. The advantages and disadvantages of these systems are discussed in more detail in Sect. 2.5.
Risk Management for Medical Devices in Compliance with EN ISO 14971
107
Fig. 6 Process mapping Initiation
Action 1
Action 2
Decision
NO
Action 3
YES Result
Another way of obtaining appropriate knowledge about a process is to use process mapping (International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH 2006)). In a process map, the entire process and its substeps are represented graphically, e.g., as a flowchart (Fig. 6). This simple representation allows connections between activities, interfaces, feedback loops, or alternative paths to be clearly shown. Process maps can thus help to understand and analyze complex processes in order to identify existing risks.
2.3.2 Commonly Used Risk Management Methods The literature describes a variety of methods that can be used in risk management (International Electrotechnical Commission (IEC 2018; Maier 2021; IEC 2006)). The most commonly used methods in the medical device sector are described below: • Failure mode and effects analysis (FMEA). • Fault tree analysis (FTA). • Ishikawa diagram (fishbone diagram, cause-and-effect diagram). Other methods are, for example: • The HACCP method (hazard analysis and critical control points), which is widely used in the food sector in particular (FDA 2004). • The HAZOP method (hazard and operability study), which is widely used for safety analyses (IEC 2001).
B. Gu¨bitz and U. Klinger
108 Table 3 Classification of risk management methods Graphical methods
Tabular methods
Examples: Ishikawa diagram Fault tree analysis Examples: FMEA (failure mode and effect analysis) HACCP (hazard analysis and critical control points) HAZOP (hazard and operability study)
In general, risk management methods can be divided into graphical or tabular methods (see Table 3). Graphical methods are well suited for the analysis of simple processes and for retrospective failure analysis. However, they can quickly become confusing for complex processes. They are easy to learn and simple to perform and are used to quickly find failures, causes, and their consequences. However, graphical methods generally do not include the risk assessment and risk control step. Therefore, for a comprehensive implementation of a risk management process, they must be combined with other risk management methods. Tabular methods are used, among other things, for identifying and analyzing potential risks, evaluating them, and defining preventing risk measures. In the case of complex processes, these methods can be extended as required, and additional information can be added. For example, by inserting an additional column for the user requirements in the FMEA table, a continuous traceability of the requirements through the risk analysis to the mitigating action can be easily implemented. In practice, especially during the first step in the risk management process – the risk identification – it has proven useful to combine graphical and tabular methods. By using, e.g., the Ishikawa diagram, failures, causes, and their resulting consequences can be identified more quickly an extensively, which are then transferred to an FMEA. The risk assessment and the definition of risk reduction measures are then carried out there. Failure Mode and Effects Analysis The failure mode and effects analysis (FMEA) provides a systematic method for identifying failure modes together with their causes and effects on the item or process. The goal of the FMEA is to identify how items or processes might fail to perform their function, so that any required measures could be identified. In an FMEA failure modes can be prioritized to support decisions for further actions. When the risk assessment includes at least the severity of the consequences, the FMEA is defined as failure modes, effects, and criticality analysis (FMECA) (IEC 2018). In practice, the term FMECA is rarely used. In most cases, the term FMEA is used instead, which will be also the case in the following text. Figure 7 shows the difference between the definitions from Sect. 2.2.1 and the FMEA terminology.
Risk Management for Medical Devices in Compliance with EN ISO 14971
109
The FMEA is used for preventive avoidance of failures and can be used over the complete life cycle of a medical device. Therefore, in the medical device sector, it is probably the most frequently used method in risk management, as it covers the process steps of risk identification, risk assessment, risk evaluation, and risk control. The FMEA can be used, for example, in the following areas: • • • •
In the development of medical devices and their production facilities. In the qualification of production facilities or validation of processes. For safety risk analyses. For change control processes.
FMEA uses structured tables to handle and document the following phases in the risk management process (see Fig. 8):
Risk analyses in general: Cause Chain
Hazard
Hazard situation
Harm
Failure
Effect
FMEA: Cause
Fig. 7 Difference between risk analysis terminology and FMEA terminology
Effect
Severity (S)
Failure
Cause(s)
Occurrence probability (O)
Detectability (D)
Calculation of Risk Priority Number: RPN = O x S x D
RPN £ Limit
Fig. 8 FMEA process
No
Determination of Mitigating Measures
B. Gu¨bitz and U. Klinger
110
• • • •
Phase 1: Risk identification. Phase 2: Risk Assessment. Phase 3: Risk Evaluation. Phase 4: Risk control by determination of measures for risk reduction.
The FMEA process is shown in Fig. 8. Further details to the FMEA process can be found in chapter ▶ “How to Implement a Risk-Based and Life-Cycle Approach for Commissioning and Qualification.” In the first step of the FMEA – the risk identification – all possible risks that could have a negative impact on the safety and quality of a medical device should be identified. The goal of the risk identification step is therefore to systematically identify possible failure modes, their causes, and possible effects. So this step is about the questions: “What could go wrong?” “What are the causes?” “What could be the consequences/effects?” In order to focus clearly on safety and product quality in this step, it makes sense to start with the effect rather than the failure when identifying risks. In this way, only the failures and causes that can have a negative impact on product quality and safety are identified. On the one hand, this increases efficiency in this step, and on the other hand, the desired focus of the FMEA on quality and safety is easily achieved. It should also be mentioned here that it is not always expedient to identify all causes and sub-causes – i.e., the entire chain of causes. Here is an example for risk identification: • The following risk was identified in the FMEA: Failure: “The temperature to be maintained in a system cannot be measured with the built-in sensor.” Cause: “The sensor is defective.” Effect: “The product cannot be manufactured in the desired quality.” In this case, it is not necessarily important to know why the sensor is defective – therefore, it is not necessary to determine further sub-causes. In the second step of the FMEA – the risk assessment – failure, cause, and effect are liked with the following factors: • The occurrence probability (O) of a failure due to its causes. • The severity of the effect (S) related to the product quality to be manufactured. • The detection probability (or detectability) (D) of the failure/cause in the equipment/system. Since FMEA is a quantitative risk analysis, numerical values are assigned to calculate the RPN in the next step of the FMEA – the risk evaluation: RPN ¼ O S D:
Risk Management for Medical Devices in Compliance with EN ISO 14971
111
It is the responsibility of the manufacturer to establish the numerical values for S, O, and D and the limits for RPN to quantify the acceptable risk. The number of possible values for O, D, and S should not be too high – it has proven useful to use up to five levels for this (see Fig. 9). It is also important to note that O and D have opposite value scales: • The higher the detectability, the lower the numerical value for D. • The higher the probability of occurrence, the higher the numerical value for O. The limit/threshold of the RPN can be defined as the maximum value of the RPN that can be reached and at which a risk is still considered acceptable. The result of the risk evaluation step is thus a quantitative estimation of a risk – the risk priority number (RPN). The RPN offers an intuitive approach to risk classification: the higher the RPN value, the higher the risk. However, the use of thresholds for risk evaluation has a clear disadvantage: risks can have the same RPN number but not the same impact on the product quality and thus not the same risk level. To better take this into account, the matrix position (as displayed in Fig. 9) is often used to determine the risk level. Furthermore, the RPN is also a characteristic of the acceptable residual risk. If a risk is classified as too high, i.e., if the RPN is above a predefined limit, control measures must be taken to reduce the residual risk to an acceptable level in the next step of the FMEA – the risk control step. Here is an example for risk assessment, evaluation, and control: • Severity of the effect, “The product cannot be manufactured in the desired quality,” is rated as: S ¼ 3. • Occurrence probability of the cause, “The sensor is defective,” is rated as: O ¼ 4. • Detection probability of the failure, “The temperature to be maintained in a system cannot be measured with the built-in sensor,” is rated as: D ¼ 2. • RPN ¼24 (limit was defined as 8). The calculated RPN is therefore above the predefined limit of the RPN as well as in the red sector of the matrix position according to Fig. 9. For this reason mitigating measures have to be taken.
Fig. 9 Example of the matrix position. (©VTU/REXS)
112
B. Gu¨bitz and U. Klinger
As a measure, regular maintenance of the sensor can be defined here, for example, to reduce the probability of occurrence. To increase the detectability, an alarm can be defined, e.g., when the sensor fails. After the definition of the measures: • On the one hand, a new assessment and evaluation of the risk must be carried out, taking into account the new measures. If the risk could be sufficiently reduced by the measures (RPN < limit; matrix position in the green range), no further measures need to be taken, and the residual risk is considered to be sufficiently controlled. • On the other hand, new risks that could arise from the new measures must be identified. As shown above, the FMEA has as advantage, that is, the phases risk identification, risk assessment, risk evaluation, and risk control can be carried out in one method. Therefore, it is also a widely used method in the field of medical devices. For further details on the application of the FMEA, see chapter ▶ “How to Implement a Risk-Based and Life-Cycle Approach for Commissioning and Qualification.” Other tabular methods are the HACCP method and the HAZOP method. Both methods are generally rarely used in the medical device sector but will be briefly described here. HACCP This method is mainly use in the food industry. The FDA defines HACCP as “a management system in which food safety is addressed through the analysis and control of biological, chemical, and physical hazards from raw material production, procurement and handling, to manufacturing, distribution and consumption of the finished product” (FDA 1997). Nevertheless, HACCP can also be used in the GMP-regulated pharma and medical device industry. An example of the HAACP concept can be found, e.g., in the ICHQ9 briefing pack of the International Conference on Harmonisation (ICH 2006). There, HACCP is described as “a systematic, proactive, and preventive method for assuring product quality, reliability, and safety.” Before performing an HACCP, the risk management team must be defined and trained (see also Sect. 3.2.1). In addition, the process itself must be known to the risk management team. Therefore, e.g., a process flow diagram should be available, to provide overview of the individual steps of the process. The HACCP method is mainly used to determine the “critical control points” of a process/of an equipment and to define measures to control them. An example of an HACCP used for evaluating a tablet manufacturing process is shown in Fig. 10. The HACCP table shown in Fig. 10 should only be considered as an example and can be supplemented by additional columns – e.g., for the justification of the hazard. However, the structure of the HACCP method must be defined, e.g., in a standard operating procedure for risk management, and the RA team must be trained in the HACCP method before it is implemented.
Risk Management for Medical Devices in Compliance with EN ISO 14971
No.
1
Process Step / Equipment
Tableting / tablet press
113
CCP Potential Hazard
Monitoring system
Corrective Actions
Documentation
In process control of tablet weight
Discard tablets (100% weight control)
Documentation of analytical data in batch records
(Yes / No)
Composition of the tablets do not meet the specification
Yes
Fig. 10 Example of an HACCP table
As shown in Fig. 10, the first step of an HACCP is the hazard analysis. In this step all possible hazards that may occur in a process step for the product to be manufactured are identified, and appropriate countermeasures to avoid these hazards are determined. According to the FDA, the “purpose of the hazard analysis is to develop a list of hazards which are of such significance that they are reasonably likely to cause injury or illness if not effectively controlled” (FDA 1997). The next step is to determine the critical control points (CCPs). For example, a control point is considered critical if it poses a risk to the consumer of the product (e.g., the patient). Decision trees are often used for this evaluation step – examples can be found in Appendices E and F of the FDA’s “HACCP Principles & Application Guidelines” (FDA 1997). Finally, a monitoring system must be defined for all CCPs and limits must be set. Additional corrective actions must be defined in the event that these limits are exceeded. Finally, it must be determined where the results of the monitoring activities or the corrective actions must be documented. In the GMP-regulated pharmaceutical and medical device industries, the HACCP concept focuses on analyzing hazards that affect product quality. To identify safety hazards, the HAZOP method is used in many cases. HAZOP The HAZOP is widely used in the chemical process industry to assess and evaluate safety risks and to define preventive measures to control them. In this method, so-called guide words (e.g., more, too high, too low) are used to evaluate the risks in a structured way. The guide words are applied, for example, to all process parameters in order to determine the possible failure modes (hazards). An example of an HAZOP is shown in Fig. 11. Fault Tree Analysis Fault tree analysis (FTA) is a graphical and simple method for systematically determining all possible causes of a failure, starting with the failure itself. It is mainly used when complex interrelationships are to be investigated and presented. FTA can be applied prospectively and retrospectively wherever the causes of a defect have to be searched for in a structured and documented manner. This is, for example: • In case of deviations. • In the event of complaints. • For the development of control strategies or monitoring programs.
B. Gu¨bitz and U. Klinger
114
The FTA is a top-down method. Starting from a top event (failure), the possible causes are determined and graphically displayed. A typical fault tree diagram is shown in Fig. 12. Typical causes are, for example: • Technical misconduct. • Human error. • External influences. Starting with the top event, causes are defined until no new causes can be found. The fault tree diagram knows two main groups of symbols:
Fig. 11 Example of an HAZOP table. (©VTU/REXS)
Failure
Operator gets into the machine with his hand
why?
OR
AND
Roller gap too large
Missing protection grid
OR
because
why?
Rollers not moved together
Permissible gap not complied with
Fig. 12 Example of a fault tree analysis
OR
because
Risk Management for Medical Devices in Compliance with EN ISO 14971
115
• Events. • Logical connections (gates). All determined causes are graphically displayed in a fault tree diagram as “events” and can be linked with the logical operators: • AND [&]. • OR [ 1]). As shown in Fig. 12, the top event is normally represented in the form of a rectangle. A rectangle also indicates that there are other causes for an overlying event (cause). If no underlying causes can be found, this is displayed in the form of a circle. Causes represented in the form of diamonds have not yet been examined in detail. Since FTA is a graphical method, connections and interfaces can also be easily represented. In combination with the FMEA, the FTA can be used to easily identify all associated causes to a failure. Subsequently, the FMEA is used to analyze the corresponding effects, to evaluate the risks, and to define the necessary mitigation actions to reduce the risk. In principle, fault trees can also be evaluated numerically and thus used for risk assessment. To do this, however, the probabilities of occurrence of the individual events must be known. Ishikawa Diagram The Ishikawa diagram is also called cause-effect diagram or fishbone diagram. Like the FTA, it is a graphical and simple method to systematically determine all possible causes starting from a problem (failure mode). The classical cause-effect diagram is used to identify and clearly present causes that can lead to a specific failure (as shown in Fig. 13). Causes Cause categories
Problem
man
Cause 1 Cause 2
machine
Cause 3 Sub-Cause 1
Causes / cause-chains
Cause categories
failure
material
method
Fig. 13 Example of a classical Ishikawa diagram
milieu (environment)
B. Gu¨bitz and U. Klinger
116
To create a classical Ishikawa diagram, the first step is to enter the “problem” responsible for the failure at the tip of the horizontal arrow. Then, the main influencing variables (cause categories) have to be defined. Frequently used cause categories are, for example, the following “8 Ms”: material, machine, method, man, management, milieu, measurement, and money. In order to be able to identify the influence on product quality, at least the following “5 Ms” should be defined in the GMP-relevant area: material, machine, method, man, and milieu (environment). In some cases – e.g., when using an Ishikawa diagram for a risk assessment as part of the qualification of a plant – “measurement” should also be included. The reason is that in this case, in-process and end-process controls are in place to mitigate the risk to the final product. Based on the problem shown at the right end of the “fishbone,” the possible causes are then determined using the specified “Ms.” If further sub-causes are present, these can be represented in further branches, resulting in ever finer branching. When using Ishikawa diagrams for risk assessments to ensure the “quality” of medical devices (GMP focus), the following should be considered: • The entire risk chain consists of the failure, the cause(s), and the resulting effect (as shown in Fig. 7). For this reason, Ishikawa diagrams must be extended to include the effect in this case (as shown in Fig. 14). • In order to control a risk, it is usually not necessary to identify all sub-causes. • In the GMP area, only the quality-relevant effects are the focus of the risk assessments. If one adds the “effect” to the classic Ishikawa diagram (as shown in Fig. 14), this extended Ishikawa diagram is a good method for determining GMP risk, since the whole risk can be represented by using this graphical method. Then, the Ishikawa Causes Cause categories
Problem
man
Cause 1 Cause 2
machine
Cause 3 Sub-Cause 1
Causes / cause-chains
Cause categories
failure
material
Consequence
method
milieu (environment)
Ishikawa (classic) Ishikawa (extended) for combination with FMEA
Fig. 14 Example of an extended Ishikawa diagram. (©VTU/REXS)
effect
Risk Management for Medical Devices in Compliance with EN ISO 14971
117
diagram is well suited to be used in combination with other risk management methods, like the FMEA.
2.4
Knowledge-Based Risk Management
For medical devices, the implementation of a quality risk management process over the entire product life cycle – from development to application – is required by law (Fig. 15). As shown schematically in Fig. 15, numerous risk assessments have to be carried out in the life cycle of a medical device, depending on the life cycle phases. Risk analyses in a company often show strong similarities. The knowledge or experience available in “former risk analyses” could be used to perform risk analyses much more efficiently, quickly, and cost-effectively. But who still knows where the old risk analyses were stored and whether their contents are sufficient for the new problem? Therefore, the topic of automated risk management is becoming increasingly important. However, simple software tools are mostly used to create risk analyses, e.g., MS Word/Excel or simple databases. From a knowledge management perspective, these tools are implicit. This means that they make it very difficult to reuse, analyze, and share risk knowledge that has been painstakingly developed. For this reason, it is also necessary in the medical device sector to consider how risk knowledge can be made available quickly and comprehensively throughout the entire life cycle of a medical device. For this reason, the use of knowledge-based risk management software systems is increasingly coming into focus. RA Transport
RA Maintenance
RA monitoring
RA Validation RA …
RA ….. RA Comm. & Qualification
RA Design
RA …..
RA Process
RA Toxicology RA Safety RA Control strategy RA …..
RA Transfer
Fig. 15 Risk analyses over the life cycle of a medical device. (©VTU)
B. Gu¨bitz and U. Klinger
118
2.5
Risk Management Software Systems
Modern risk management software systems must not only make it possible to create risk analyses, but they must also above all support the automatic transfer of knowledge between the risk experts in the company over the complete life cycle of a medical device, so that it is avoided that risks are simply forgotten or incorrectly assessed. By using risk management software systems, risk experts should be supported by the system with automatic suggestions when creating risk analyses. If, for example, the creator of a risk analysis wants to know which quality-relevant risks he must consider for a medical device in development, an innovative risk management software system must be able to show the expert, for example, all failures/consequences/causes for the medical device or similar medical devices that have already been entered into the system in other risk analyses. Also in risk assessment, evaluation, and control, the risk expert should be able to query suggestions based on data already in the system, so that the quality and uniformity of risk analyses can be increased, which of course brings advantages during audits and inspections. Since the FMEA and Ishikawa diagram methods have established themselves as standard methods in the medical device sector, software systems for risk management should at least support these methods. However, since the regulatory basis regarding risk management does not specify FMEA structure and contents (e.g., defined forms) and companies implement these methods differently, it is imperative that software tools are flexible enough to add, for example, user-defined columns in FMEA input screens. One of the main requirements for risk management software systems in the GMP area is certainly also that the risk analyses created can be either printed out in the appropriate form or signed electronically. Interfaces to other systems – e.g., document management systems – should be supported by the system, and an audit trail should at least be implemented for document release process. The use of innovative risk management software systems can prevent risk knowledge that has already been identified from being lost. Innovative risk management software systems can make risk knowledge about the life cycle of a medical device available throughout the company, in a well-structured way and at any time. One disadvantage of risk management software systems is certainly the additional time required to implement and maintain such systems. However, if one compares this disadvantage with the advantages, it can be made up for within a few months in most companies by the time saved in creating risk analyses alone.
3
Conclusions
Risk management is a mandatory activity for medical device manufacturers in Europe and is required in the European regulations MDR 2017/745 for medical devices and IVDR 2017/746 for in vitro diagnostic devices or in corresponding national laws.
Risk Management for Medical Devices in Compliance with EN ISO 14971
119
To assist, the international standard EN ISO 14971 has been developed to provide manufacturers with good guidance on how to establish risk management within the company. The fundamental phases of the risk management process according to EN ISO 14971 are risk analysis, risk assessment, risk control, and product monitoring. All these phases do not end with the release of the device on the market, but have to be run through again and again in a cycle over the entire life of the product. For the comprehensible proof about an established risk management process towards authorities, corresponding documents have to be created, which have to be collected in the risk management file. These are the risk management plan, the risk analysis records including the risk assessments, the evidence of the implementation of the risk mitigation measures, and their verification. The final step is the risk management report, which includes a summary of the activities performed and an acceptance of the overall residual risk of the medical device. Widely used methods for performing risk analysis or supporting risk management include failure mode and effect analysis, fault tree analysis, and the Ishikawa diagram. These methods provide a structured approach while offering an efficient way to create the required risk management documents.
References CEN/CENELEC (2012) European Committee for Standardization and European Committee for Electrotechnical Standardization (CEN/CENELEC): EN ISO 14971:2012 medical devices – application of risk management to medical devices CEN/CENELEC (2016) European Committee for Standardization and European Committee for Electrotechnical Standardization (CEN/CENELEC): EN ISO 13485:2016 medical devices – quality management systems – requirements for regulatory purposes CEN/CENELEC (2019) European Committee for Standardization and European Committee for Electrotechnical Standardization (CEN/CENELEC): EN ISO 14971:2019 medical devices – application of risk management to medical devices CEN/CENELEC (2020) European Committee for Standardization and European Committee for Electrotechnical Standardization (CEN/CENELEC): CEN ISO/TR 24971:2020 medical devices – guidance on the application of ISO 14971 European Parliament and of the Council: Council Directive 90/385/EEC relating to active implantable medical devices – AI-MDD, Official Journal L 189, P. 0017–0036 from 20.07.1990. Retrieved on September 01, 2022a., from EUR-Lex – 31990L0385 – EN – EUR-Lex (europa.eu) European Parliament and of the Council: Council Directive 93/42/EEC concerning medical devices – MDD, Official Journal L 169, P. 0001–0043 from 12.07.1993. Retrieved on September 01, 2022b, from EUR-Lex – 31993L0042 – EN – EUR-Lex (europa.eu) European Parliament and of the Council: Directive 98/79/EC on in vitro diagnostic medical devices – IVDD, Official Journal L 331, P. 0001–0037 from 07.12.1998. Retrieved on September 01, 2022c., from EUR-Lex – 31998L0079 – EN – EUR-Lex (europa.eu) European Parliament and of the Council: Regulation (EU) 2017/745: Regulation on medical devices – MDR, Version from 05.04.2017. Retrieved on September 01, 2022 from EUR-Lex – 32017R0745 – EN – EUR-Lex (europa.eu) European Parliament and of the Council: Regulation (EU) 2017/746: Regulation on in vitro diagnostic medical devices – IVDR, Version from 05.04.2017. Retrieved on September 01, 2022 from, EUR-Lex – 32017R0746 – EN – EUR-Lex (europa.eu)
120
B. Gu¨bitz and U. Klinger
Global Harmonization Task Force (GHTF): Implementation of risk management principles and activities within a Quality Management System (SG3/N15R8/2005) (2005) Retrieved on September 01, 2022, from http://www.imdrf.org/docs/ghtf/final/sg3/technical-docs/ghtf-sg3n15r8-risk-management-principles-qms-050520.pdf International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH): ICH Harmonised guideline – quality risk management Q9 (R1) – final version adopted on 18 January (2023) Retrieved on February 14, 2023, from https://database.ich.org/ sites/default/files/ICH_Q9%28R1%29_Guideline_Step4_2023_0126_0.pdf International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH): ICHQ9 briefing pack (2006) Retrieved on February 15, 2023 from https://ich.org/ page/q9-briefing-pack International Electrotechnical Commission (IEC): International Standard 61882, first edition: Hazard and operability studies (HAZOP studies) – application guide (2001) International Electrotechnical Commission (IEC): International Standard 61025, second edition: Fault tree analysis (FTA) (2006) International Electrotechnical Commission (IEC): International Standard IEC 60812:2018 Failure modes and effects analysis (FMEA and FMECA) (2018) Johner C, Hölzer-Klüpfel M, Wittorf S (2011) Basiswissen Medizinische Software. dpunkt Maier M (2021) Methoden und Instrumente des Qualitätsrisikomanagements. In: GMP-Berater (AL60), Kapitel 19.D.6; GMP Verlag Maas & Peithner Preis R (2009) Methoden der Risikoanalyse in der Technik. TÜV Austria Akademie Rempe P (2021) Anforderungen an Qualitätsrisikomanagement aus Behördensicht. In: GMP-Berater (AL59), Kapitel 19.A; GMP Verlag Maas & Peithner U. S. Food and Drug Administration (FDA): National Advisory Committee on Microbiological Criteria for Foods; HACCP Principles & Application Guidelines (1997) Retrieved on February 02, 2023 from https://www.fda.gov/food/hazard-analysis-critical-control-point-haccp/haccpprinciples-application-guidelines U. S. Food and Drug Administration (FDA): Guidance for Industry: Juice Hazard Analysis Critical Control Point Hazards and Controls Guidance, First Edition (2004). Retrieved on September 01 2022 https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guid ance-industry-juice-hazard-analysis-critical-control-point-hazards-and-controls-guidance-first
Medical Device Development Peter S. Mu¨llner and Udo Klinger
Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Regulatory Requirements for Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 EU Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Design Control According to the FDA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Key Points of Product Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 Start of Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Design and Development Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 Design Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.4 Design Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.5 Design Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.6 Approval for Commercialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Development Phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1 Procedure According to a Development Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Design and Development Phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Processes for Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1 Project Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Quality Assurance in the Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.3 Subprocesses in the Development Process and Their Connections . . . . . . . . . . . . . . . . . . 5.4 Supporting Development Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
122 123 123 123 123 125 125 126 126 127 128 128 128 129 138 138 143 144 152 155 155
Abstract
This chapter gives you an overview of essential points to be considered during the development phase in the life cycle of a medical device. The chapter begins with an introduction of regulatory requirements from a European and US P. S. Müllner (*) Wien, Austria e-mail: [email protected] U. Klinger Graz, Austria © Springer Nature Switzerland AG 2023 C. Baumgartner et al. (eds.), Medical Devices and In Vitro Diagnostics, Reference Series in Biomedical Engineering, https://doi.org/10.1007/978-3-031-22091-3_13
121
P. S. Mu¨llner and U. Klinger
122
perspective, covering the relevant international requirements during development. This is followed by a conceptional development model with user needs, design input, design output, and verification and validation through to the finished device, accompanied by project management and quality assurance. The reader will find not only some basic thoughts for the most common development models, but also some notes highlighting essential points in each phase. In addition, the reader will also find some considerations on processes in the development phase as well as on effort allocation of resources during the development. Some supporting processes to the development process are also mentioned to give a holistic picture of what to consider when developing a medical device.
1
Introduction
Why do development projects always take longer than planned – or desired? Have actual customer needs and requirements been misunderstood? Is it due to unclear formulations or objectives, are different interests to be reconciled? Did the project managers plan too optimistically or would they not get their project budget approved if they make honest statements about the true effort? Was the planning too superficial, so that the coordination of the involved and affected team members does not work? Were vacations, training, absences, or illnesses forgotten in the planning? Was an incorrect schedule not corrected in a timely manner, or were changes communicated unclearly? Have you ever calculated the cost of delay? All these questions arise during the product development process and must be carefully addressed. Usually, it is not a single reason, but a combination of the aforementioned reasons and causes that are responsible for schedule delays and budget overruns and often lead to undesirable repetitions of development phases. But how can accurate measures be created to prevent delays, in order to guarantee ideal development progress? This chapter attempts to find a satisfactory answer to this question. An important prerequisite for a goal-oriented development process is the early definition of the intended use of the medical device in order to consistently pursue the product requirements derived from it. This is because the more goal-oriented the development process is, the less the project runs the risk of being delayed. The development strategy shall be aligned with this. Quality requirements for the device to be developed must be considered from the very beginning in order to avoid expensive rework or reengineering, thus saving trouble for customers and the entire organization. This can also minimize the overall development costs. The effort required for development, preparation for manufacturing, and marketing must be carefully planned for all those involved in a development project. And this planning can only be realistic if all requirements – from customers and all other stakeholders – have been clearly elicited and defined. The project management ensures this.
Medical Device Development
123
One of these requirements is the definition of the target markets. The legal requirements for the device to be developed are derived from the definition of the markets. This also results in requirements for processes and procedures that must be observed during product development and design transfer. This chapter therefore first describes these prerequisites before going into the detailed development processes.
2
Regulatory Requirements for Development
2.1
EU Regulations
The General Safety and Performance Requirements (GSPR) according to the regulations MDR 2017/745 (2017a) and IVDR 2017/746 (2017b) represent the primary product-specific requirements. They have to be examined and analyzed in detail for each individual case at the beginning of development. In addition, if you are using harmonized standards for the evidence of the GSPR then you should take a look also at the Annex Z of the corresponding applicable standard. Keep also in mind that additional EU regulations might be applicable to your device. Therefore, a careful assessment must be performed to determine whether other directives or regulations, such as RoHS (Restriction of Hazardous Substances in Electrical and Electronic Equipment), WEEE (Waste Electrical and Electronic Equipment), ECO-Design Directive, Machinery Directive, or RED (Radio Equipment Directive), are applicable to the device in addition to the relevant medical device regulation.
2.2
Design Control According to the FDA
Although the FDA’s Design Control regulation (FDA 2012) is only about two “DIN – A4” pages long and the requirements therein can be considered as clear and understandable, full compliance with it is difficult in practice, as proven by the frequent complaints during audits or even worse in the resulting of getting warning letters. The reason for this is likely to be the generic descriptive nature of the Anglo-American legislation, which can be sometime interpreted in a wide way. The focus is on the intended use of the device, its safety and performance, the absence of defects, and the fulfillment of patient and user needs.
3
Key Points of Product Development
If milestones and development phases in a development project are designed in accordance with the design control requirements of the FDA (FDA 2012), then you gain two advantages: On the one hand, you automatically follow the legal
P. S. Mu¨llner and U. Klinger
124
requirements for the process; on the other hand, you follow best practices. They are logically comprehensible in their basic elements. The European Regulations (MDR 2017/745 and IVDR 2017/746) require almost equivalent deliverables in their General Safety and Performance Requirements. In contrast to the process orientation required in the USA, the focus in Europe is on compliance with GSPR supported by applicable harmonized standards and, where appropriate, other “Common Specifications.” By adopting the FDA’s nomenclature for the essential key points of development in the project and process descriptions, project management cannot go far wrong, provided that the individual regulations are interpreted and executed correctly and completely. It must be taken into account that, according to the FDA, process descriptions for product development shall be made available in writing (i.e., documented procedures) and exactly be followed. In any case, avoid deviations between described and practiced processes. It is advisable, if necessary, to adapt the process descriptions to the actual practice and to justify changes. Not only the primary development process must be described with development phases, checkpoints, and reviews, but also seemingly insignificant aspects such as the handling of ambiguous, conflicting, or incomplete requirements must be defined. It should be mentioned that the quality management standard for medical devices (CENELEC 2016) provides equivalent requirements for the key points of product development and further harmonization is already in prospect. The development process with its key points and phases is shown in simplified form in Fig. 1. In practice, a feasibility phase usually has to be included in the initial phase; especially for complex system projects, individual phases can be divided into subphases. During development, the risk management or usability process must be followed (see chapter “Risk Management for Medical Devices in Compliance with EN ISO 14971”).
Product Idea, Basic Requirements
Project Start
Requirement Analysis Detail Elaboration Design Concepts Project Planning
Design Input
Realization Design Verification
Design Output
Risk Management Usability
Fig. 1 Simplified development process
Design Transfer Design Valididation
Product Release
Medical Device Development
3.1
125
Start of Project
Even if the term project start is not used in the FDA nomenclature, it makes sense to carry out such an official start for a project. After all, the responsible must provide a project budget and designate a project manager for the development project. When selecting an individual for project management, emphasis should be placed on the personal qualities required for this leadership role. The project manager must possess not only leadership qualities, technical knowledge, and/or experience in at least one of the fields needed in the project, but also overview knowledge in the other fields involved. The more basic or specialized technical knowledge is available, the less expertise needs to be sourced externally for plan development or other tasks. The expertise of the project members must be included in any case. In most cases, a smaller budget for detailed project planning, preliminary clarifications, and feasibility studies is approved first, and the total budget for the project is approved only after positive feasibility assessments. The aim of this preliminary clarification phase is to concretize the objectives and requirements, which are initially often only roughly defined, to describe the boundary conditions to these requirements, to check the technical feasibility of the device with its product specifications, and to assess it as achievable. Even in this preliminary phase, documentation of the results obtained from feasibility studies is essential if unnecessary redundant work is to be prevented in the later course of the project. It is therefore very important that the questions for feasibility studies are carefully chosen and that expected boundary conditions are already taken into account in this phase. The higher the degree of innovation of the device to be developed, the more useful it is to further subdivide the project process in the initial phase and to schedule additional checkpoints with reviews and describe their goals. The feasibility analysis in particular will require a longer period of time in such a project because no realistic project plan can be created without a clear realization concept. It is often observed that in projects and in organizations the boundary between research and development (the actual start of design control) is not exactly defined, but development starts definitely at that moment when a systematic approach with commercial interest is chosen.
3.2
Design and Development Planning
A detailed plan of the individual development activities with the associated responsibilities must be prepared, considering interfaces and dependencies, if these are relevant for the design input and the subsequent development process. As required by the FDA for all plans, the project and development plan must also be verifiably reviewed by a competent person, then approved and, if necessary, updated as the project progresses. The revised plan must again be reviewed and approved.
P. S. Mu¨llner and U. Klinger
126
After each phase of development, the plan for subsequent phases shall be reviewed and updated. The content itself must be in accordance with the standards and regulations, which is pretty clear. But you also need to think about the interconnections between the plan and already existing standardized predefinitions in your development work procedures. You should not overregulate yourself.
3.3
Design Input
Design input can be described by the following phrase: “We know exactly what needs to be developed, how to realize the device, and at what date the device will be ready for commercialization.” Therefore, with design input, the following outcomes must be present and confirmed by an expert review: • A project plan leading up to the release of the device is available that allows a resource and budget estimate over the entire project to be sufficiently accurate (+/ 10%). At least the following project phase is planned precisely. • The intended purpose of the device is elaborated – i.e., the essence of the sum of customer requirements – is fully supported by target specifications, clear and testable product requirements with acceptance criteria are described, which contain the requirements and needs of the customers, the standards and laws to be complied with, the organization (marketing, sales, service, and production), and quality requirements. Contradictions between individual originally formulated requirements and ambiguities are eliminated and manageable. • An implementation concept is available which, in the opinion of external experts, makes the product requirements highly likely to be realized and the product risks are acceptable. • A process description for change management is available: How do you handle changes to requirements and specifications, plans, design concepts, realization descriptions, verification and validation documents, etc., how are they communicated, documented, reviewed, and approved, and when do risk assessments need to be performed for the changes?
3.4
Design Output
For design output, the specifications actually achieved with the finished device are compared with the requirements and specifications desired for design input, taking into account the previously defined acceptance criteria and boundary conditions. Deviations are evaluated and either accepted by the stakeholders or declined if specifications or properties essential for the intended use are not achieved. The procedure including the deliverables and responsibilities for the release of this milestone is to be defined in advance as part of the development process.
Medical Device Development
127
One important outcome of the design output is the evidence that requirements from design input are met demonstrated by test reports and other verification documents. In addition to the detailed test results, the test reports should contain a summary of the individual tests performed and a final evaluation of results. The review of the design output and its approval shall be documented and be part of the Design History File (DHF). Tests for design output must be carried out on prototypes or final devices that have already been produced with defined and (at least preliminary) approved manufacturing processes. The test plans shall specify in advance how many products are to be subjected to each test, and the decision for selection shall be documented and justified (established statistical procedures shall be used). The methods used in the tests must be selected in such a way that the test results are relevant to the specific properties and cannot be falsified by other influences such as environmental conditions. The validation of the device, that means the acceptance and evaluation of performance and usability by the user or customer, is usually performed after the design output. However, it can be helpful to include individual properties that are particularly important for the functioning of the device in the tests for the design output. In the US regulations, there is also the term: “Essential Design Output” defined (FDA 2012). This is a bundle of Design Output documents which are “essential” for the fulfillment of the proper device functioning (FDA 2012) and can include a wide variety of document types. For faster retrieval during an inspection, the attribute “EDO” could be added to the respective documents.
3.5
Design Reviews
Design reviews (acc. Design and development review in EN ISO 13485 (CEN/CENELEC 2016)), of the results of the individual development stages by independent external experts, should be carried out recommending at least at “Design Input,” “Design Output,” and “Design Transfer,” and for the final stage “Launch decision.” In complex projects, such reviews can be held at additional defined project stages during the development process. The entire review process must be defined in process descriptions. When involving experts for reviews, consideration must be given to the areas of expertise that are to be assessed. Criteria for a successfully completed review are the achievement of the objectives of the respective project stage, the existence of the associated documentation, and the acceptance of these by reviewers and stakeholders in the case of deviations. The resolution of minor deviations can be tracked in an action list for further rework in the upcoming design phase. Major issues shall be promptly addressed and corrected. The Design History File must contain the scope of the review, the project stage, selection of experts, reviewed documents, results of the review, and reviewers (with date and signature).
P. S. Mu¨llner and U. Klinger
128
3.6
Approval for Commercialization
After positive completion of design verification, that means the confirmation that all product specifications including the standards to be complied with are met, the design validation of the device can be started. This confirms and provides evidence that the requirements and needs from the customer and user’s point of view are fulfilled under the conditions for the intended purpose of the device. Once the validation of the device, the production equipment, and the manufacturing processes have been completed, the finalized documentation must be checked and approved. The Design History File, which includes the entire development history with project plans, product requirements, explanation of the operation, description and justification of design choices, all test plans, test reports, all review results, validation results, and proof of conformity, shall be reviewed and prepared for inspection by the authorities. The Device Master Record (DMR), which contains all manufacturing documents, needs to be reviewed and approved. User and service manuals and marketing documentation must be completed and released. All of these items are dependent on the specific organization. Project management should be aware that these activities must also be included in their planning. Particularly in the case after development of new products, it is useful to conduct an additional review after a period of 6 to 12 month after product launch where customer experience with the device is available. Problems, errors, and suggestions for improvement can be analyzed in the sense of continuous improvement for further product maintenance.
4
Development Phases
4.1
Procedure According to a Development Model
Most development models such as the waterfall model (Fig. 2) or the V-model (Fig. 3) have their origins in software development. The individual elements represent phases or key points in the development process. The results of one phase mostly represent binding specifications for the following phase. Such models can also be applied well to system development, i.e., when there are several fields of expertise to be coordinated, but they must be extended and supplemented by the dependencies of the individual development parts on each other. If, in the case of fundamental new developments, the requirements for the device and the use cases are not fully described at the start of development and final requirements can only be defined with the aid of development patterns in several runs, it makes sense to proceed according to the spiral model (Boehm 1988), at least until the system description is complete (Fig. 4). This model was designed by Boehm as early as 1986 for the development of complex software systems. Simpler projects,
Medical Device Development
129
Review
User Needs
Design Input
Design Process
Verification
Design Output
Medical Device
Validation Fig. 2 Waterfall model of the FDA
such as the development of successor products or updates, are better planned according to the V-model or the waterfall model. There is no clear recommendation to use a certain type of model according to the standards or regulations, but it makes sense to state the approach clearly and how the chosen terminology and deliverables fit to the corresponding regulatory requirements. There should be a clear trace within the Design History File. In any case, the project management and the team should agree on a model as part of the development strategy and follow it consistently. Mixed forms can be useful after precise limitation and description. But also, agile methods, like Scrum or Kanban or other scaled agile frameworks which are used mainly within software developments, are increasingly being used in hardware or system engineering. See also the chapter “Software as a Medical Device in Europe.”
4.2
Design and Development Phases
In the literature, there are hardly any descriptions of how to develop a new device, apart from the description of individual processes. It is often left to the creativity of the development team to create a successful new device based on a few requirements or even representations of how they envision a device (from a comparison with a
P. S. Mu¨llner and U. Klinger
130
Product Requirements
Design Validation
Product Specifcations
Design Verification
System Component Specifications
Sub System Specification
Unit Specification
Produkt/ System
System Components
Design Verification
Subsystem Verification
Unit Verification
Sub Systems
Units
Realization, Implementation
Fig. 3 V-model with the example of software
competitor). Experienced development teams can deal with this problem, often write requirements and functional specifications themselves, use solutions and parts generated for a previously developed device, and thus have approaches for realization. But what if the experience is not available or a completely new device has to be developed? In the following sections, an attempt is made to find an answer to this question.
4.2.1 Analysis Phase In the first phase of product development, the product idea from the technical and economic point of view should be proven for feasibility. Once the product idea/ vision is available, the associated customer requirements with their corresponding use cases are to be elaborated. These requirement specifications shall be defined including their boundary conditions, if applicable. They can be further detailed if necessary. The following categories of requirements shall be considered: • • • •
Customers and user needs (these can be different). Regulatory requirements (depending on individual markets). Business requirements (marketing aspects). Organizational requirements.
Medical Device Development
131
Costs
1. Goals, Alternatives and Boundaries (Functional Analysis)
2. Evaluation of alternatives, Risk Analysis, Risk Mititgation
Release of next Cycle Refinement and Improvement of Solutions
1. Requirement plan
Design
Coding
4. PlanIng of next Cycle
Integration
Test Release
3. Design, Implementation and Test of Prototypes (last cycle corresponds to the waterfall model)
Fig. 4 Boehm spiral model
• Technical requirements. • Manufacturing and logistics input. • Quality goals. The feasibility must be ensured by means of a project risk analysis over the entire product life cycle with regard to • Technical feasibility with the achievement of the required specifications through the elaborated concept for the system architecture. • Economic success and marketing considering the recognition of favorable opportunities. • Acceptance of product risk, considering the design concept (with a product risk analysis, risks potentially associated with the use of the device must be identified, in addition to risks that could arise from the chosen design). • Manufacturing technologies (and availability of purchased components). With the final planning phase, it must be verified whether the device can be made available by the development in the desired time frame. The prerequisite for this is the given technical feasibility with the help of a draft for the system architecture.
P. S. Mu¨llner and U. Klinger
132
4.2.2 Design and System Architecture The first step in creating the design (deriving the design concept and system architecture) is to derive all the necessary functions from requirements and use cases that the planned device has to fulfill. In a next step, these functions are assigned to functional units. In this process, a functional unit can provide one specific or several functions, or only a partial function, as shown schematically in Fig. 5. Upon completion of this step, it is checked that the functions can be completely and adequately fulfilled with the selected allocation. This is followed by a check to ensure that all the requirements and desired specifications of the future device can be met and that they are suitable for the intended applications. The principle of design input – defining the requirements and specifications for the device – must also be applied to system components and modules, if necessary. Specifications and subspecifications must also be described for these so that the design output for all components and parts can be demonstrated in the later course of development. With the aid of suitable methods (e.g., the FMEA method; for details, see chapter “Risk Management for Medical Devices in Compliance with EN ISO 14971”), it must be checked whether the selected allocation of functions into functional units has undesirable side effects that could lead to an obstructive overall function (see Fig. 6, arrow e). It is likely that several design runs are required before a promising concept is achieved. Where appropriate, it may be useful to carry out physical feasibility studies to make the best choice. In any case, further development steps should not be started until the concept has been approved unconditionally by all involved disciplines. Finally, the design for the individual functional units can be prepared.
Function A Functional Unit I Function B
Function C Functional Unit II Function D
Function E
Functional Unit III Function F Fig. 5 Allocation of individual functions to functional units
Medical Device Development
133
Stakeholder und Customer Requirements /Needs a
Priliminary Product Requirements
b
Product Requirement Spezifications
Acceptance Test (Validation)
j
System Test (Verification)
h
System c Tests
FMEAs e
Sub System Spezifications
g
Integration/ Modul-Test
f
d Unit Spezifications
Unit Test
Design Functional Unit 1
Functional Unit 2 Functional Unit 3
Fig. 6 Extended V-model with a representation of multiple functional units
Note that the individual concepts, together with their advantages and disadvantages, shall be carefully documented. On the one hand, the concept description is a (regulatory required) part of the basic documentation, and on the other hand, in the event of problems and resulting concept changes, the elaborated knowledge can be referred to, thus avoiding redundant work. Usually, the top-down strategy is used to develop the design of the system architecture via the functionalities and thus to conceptualize the design of the individual functional units. If the realization of a specific function has to go to the limit of feasibility for reasons of limited technology availability, it is recommended to focus the development strategy on this specific function. In such a case, the boundary conditions for this function dominate the overall design, and the other functional units must take these boundary conditions into account as far as possible. However, the original intended purpose and the customer and user’s need for the device must not be disregarded under any circumstances.
134
P. S. Mu¨llner and U. Klinger
A continuous review of the chain requirements – specifications – subspecifications up to the final design has to ensure the complete achievement of the specifications and requirements in this phase. This approach is clearly illustrated in the extended V-Modell by the feedback to the previous level (see Fig. 6, arrows a to d). The goal of this phase is a precise description of the functional units, considering the interfaces and mutual requirements on the part of the corresponding functional units. FMEAs or other analysis methods are used to determine the mutual dependencies and constraints between the modules/functional units (see Fig. 6, arrow e). Example: Software and sensor technology. Biosensors often exhibit non-ideal characteristics such as drift or memory effects. In an analyzer for the measurement of biosignals, such effects often prevent the direct achievement of specifications with regard to accuracy and correctness. Software can be used to correct such errors by, for example, continuously recording the signal waveform and considering the previous waveform of the sensor signal. With such measures, accuracy and reproducibility can be improved to the desired specifications, even though the algorithm of such a correction function requires careful validation. In the software, however, the continuous storage of the sensor signal waveform must be considered as an additional requirement. Another example is the temperature sensitivity of pressure sensors. An additional temperature sensor with sufficient accuracy allows compensation of this non-ideal property, but it requires consideration of this “additional function” in the entire system on the part of the hardware, the design, and the software. These examples demonstrate how important it is to capture and consider the mutual requirements of functional units in the concept phase. If it turns out only at a later stage of development, e.g., after system verification, that the acceptable tolerance for correctness/accuracy has not been reached, this means a long series of changes and thus delays in the completion of the project.
4.2.3 Detail Design Detail design refers to the conversion of the concepts assigned to the individual functional units and overall system requirements into a detailed concept. This is where the functional analysis of all components and parts that are to be used in the realization takes place. What other functions and properties do they have, are there any undesirable properties that need to be compensated or eliminated? If there is a risk that the detailed design of a module will bring “surprises,” i.e., new prerequisites/requirements for other modules, work should not continue on the realization phase until these questions have been clarified. Only when the detailed design has been determined can the overall design be confirmed and regarded as a binding specification for the further development steps. At the same time, this step
Medical Device Development
135
defines the allocation of all requirements/specifications and subspecifications to the individual functional units and thus the definition of responsibilities.
4.2.4 Realization Phase If the design has been carefully prepared and described, the realization can be left to the specialists; after all, the detailed requirements are clear specification documents for the functional units and modules. Usually, the developers of a module also have to test the fulfillment of the detailed specifications by appropriate functional or unit tests. The testing of those detailed requirements that were provided by other subjects and can only be verified together with them must be left to the subsequent system test for verification. However, it makes sense to check these in advance by means of a simulation. If problems arise during implementation in achieving subspecifications, the entire team is to be informed and an alternative solution is to be sought jointly. 4.2.5 Design Verification Design verification means the review of the specifications of a device or system defined for design input, considering the defined boundary and environmental conditions, by means of suitable tests and measurement methods according to a predefined test plan. The choice of a suitable measurement method must ensure that the individual specifications and properties can be specifically determined without falsification by undesirable parameters or effects. When selecting the test specimens, care must be taken to exclude influences due to manufacturing-related tolerances. For design verification, the process descriptions for design output verification must be available and must govern the selection of test methods, including the selection of the number of test items, and the content of test plans and test records. The unit tests are usually performed by the respective development group as white-box tests (identification of error-causing components); the subspecifications are mostly checked with black-box tests (function-oriented testing) (see Fig. 6, arrow g). Attention must also be paid to the tests for the interaction of the individual functional units with the mutual dependencies and specifications (see Fig. 6, tests f). Verification of the system specifications cannot begin until the system has been assembled from all system components, i.e., until it has been demonstrated that all individual system components meet their detailed specifications. These tests also include confirmation of conformity to standards, i.e., the tests for electrical and mechanical safety and for transport and storage (see Fig. 6, arrow h). If the testing of a specification of the overall system is conclusive by testing one or a few assembled modules (e.g., hardware and software), it may be used as verification, and the justification for this should be documented. Start creating the test plans and the design of the test cases as soon as the product specifications are available. This enables the clear definition of the specifications and, above all, their testability to be checked at an early stage and, if necessary, the formulation of the requirements to be corrected.
136
P. S. Mu¨llner and U. Klinger
The verification team can start work (planning, test concept creation, test plan creation, test tool development, test method etc.) as soon as system architecture and the requirements specifications are available. After changes to the device, all tests would have to be repeated, as the changes could have an influence on the specifications. If it can be proven that a modification is highly unlikely to have an influence on the test result, the original test result can still be considered valid. This must be documented. In most cases, certain relevant tests are repeated after each modification, similar to how this is handled for software with regression tests.
4.2.6 Design Transfer Design Transfer means that the design is translated to production specifications, i.e., creating and designing manufacturing methods for stable serial production processes, which shall be suitable for the expected production quantities. Depending on the type and planned quantity of the device, Design Transfer may require a longer period of time. In most cases (exceptions could be made for electronic modules), testing and design verification shall be repeated with the serial produced parts, so these are also part of the Design Transfer. The Design Transfer including the development of serial production equipment, tools, auxiliaries, and manufacturing documentation can start when the prototypes created in development can be shown to meet the specifications described during design input. Therefore, it can often be useful to start feasibility studies for production processes earlier. The FDA and also the EN ISO 13485 demand a process description for the Design Transfer. These must ensure that the design of the device is correctly transferred to serial production. Project- or product-specific instructions are preferred over generic Design Transfer descriptions. Design Transfer also includes the production of pilot series to prove mastery of the production process for the intended production quantity or batch size. These specimens from these pilot series should be used to perform design validation of the device. The Design Transfer is concluded with a review in which the operational responsibility confirms the production processes under the desired and agreed boundary conditions (quantity, yield, and quality criteria). Therefore, during this review, attention should be paid to: • Completeness and adequacy of production instructions (FDA uses the term production specifications) • Compliance of pilot series with design input requirements specifications • Approval of all production and manufacturing instructions • Release of production tools and auxiliaries (including validation of these) Remark: The development of a production plant or a tool for serial production mostly represents a separate project. The procedure is similar to product
Medical Device Development
137
development and starts with the definition of the requirements. After analysis, design, and realization, the specifications must therefore be tested and the usability of the plant must be validated by testing the requirements (see also chapter “GMP-Compliant Design for Medical Device Manufacturing Plant”).
4.2.7 Design Validation Design validation is understood to be the validation by testing that a device is suitable for the specified intended purpose in practice. In a narrower sense, usability and customer needs in the real ambient environment under conditions that are likely to occur during use are to be validated by suitable methods. These methods shall be selected in such a way that correctness and accuracy of the parameters can be determined as well as the usability, safety, and performance are ensured by the elimination of possible uncertainties and acquisition errors. In most cases, the level of education, training, and experience of future users must also be considered. Possible misuse and incorrect operation shall therefore also be taken into account in the design validation tests, especially if residual risks (from the product risk analysis) could not be sufficiently reduced by design measures (CEN/CENELEC 2015). In the V-Modell, design validation is represented by the uppermost horizontal arrow between requirements and acceptance test (see Fig. 6, arrow j). A process description shall also be available for design validation. For this validation, product samples from released production lots shall be used. A sufficient number of product samples shall be used so that fluctuations due to manufacturing tolerances are covered and negligible. Design validation is performed according to a predefined validation plan and can only be performed with the finished device (or equivalent) after design verification has been completed successfully. During design validation, it is important to ensure that the whole system is covered, including additional software, designated accessories, and the instructions manual. After changes to the device or one of its system components, the entire validation might be performed again. Only if it can be proven that a given change – such as the elimination of errors – cannot have a negative impact on further functions of the device, the new design validation can be omitted in whole or in part. In most cases, however, a basic test will have to be performed. This has also to be documented.
4.2.8 Design History Not only the FDA but also the European regulations require the recording of the development history and the development results. While the FDA requires a Design History File – the recording of the path to the development results – the European regulations describe practically equivalent documentation requirements in the General Safety and Performance Requirements (GSPR) or also in the EN ISO 13485: 2016, Chap. 4.2.3 (CEN/CENELEC 2016) – Medical Device File. Specifically, documentation is required on:
P. S. Mu¨llner and U. Klinger
138
• • • • • • • • • •
•
• • • • • •
Intended use of the device (description of the intended use/purpose) Requirements and their detailing with specifications and subspecifications Development and project plan (with responsibilities) Realization concepts Design description and functionality Design drawings, calculations, calculation basis, schematics, and source codes Manufacturing descriptions (process descriptions) Test plans for design verification and design validation Evidence of compliance with all product specifications and characteristics, under consideration of the expected, defined conditions of use, environmental influences, and the life span/consumption period (including transport and storage) For devices with measurement function(s), evidence of stability, reproducibility, and adequate accuracy, also under the influence of standardized environmental conditions (such as temperature, pressure, electromagnetic compatibility, etc.) and after transport Evidence that the device with accessories and consumables is safe for patients, users, and third parties (product risk analysis and evidence of elimination or reduction of potential risks, considering transport, storage, cleaning, decontamination, and disposal) Evidence of safety for users, patients, and third parties against electrical, mechanical, thermal threats and radiation and after the occurrence of conceivable failures and consequential failures Results on design validation List of norms/standards to be complied with and the verification documents for them Environmental compatibility of the device, materials used, including packaging and accessories Proof of suitability for disinfection/sterilization, biocompatibility (if relevant) Label and description of the device with accessories and consumables
Changes (to the documents and/or concepts listed) must be traceable and justified. The valid documentation status must be clearly recognizable for each system part; see also chapter “Quality Management Requirements in Compliance with European Regulations.”
5
Processes for Development
5.1
Project Management
In a development project, project management plays the role of the subordinate and comprehensive framework process. The purpose of project management is to record, define, coordinate, and monitor all activities, tasks, and resources for product development under given requirements and boundary conditions.
Medical Device Development
139
In the literature, one can find a lot about project management methods (Gottesdiener 2005; IMPA 2022; Rational 2011; PMI 2022), and furthermore, one can find valuable information in the Internet, among others, from the PMI and IMPA (Project Management Institute, International Project Management Association), about models, structures, and techniques for project management. The most detailed descriptions, instructions, and methods for project management are probably available for software projects (Rational 2011; IPMA 2022; PMI 2022; Scrum 2022). In contrast, the literature for system projects, i.e., multidisciplinary projects, is sparse. The most likely place to find suggestions for approaches is in certain standards, such as in ISO/IEC 15504 (ISO/IEC 2004), although this standard is also primarily focused on software development. In addition, also a Medical SPICE model was derived and can be found in VDI 5702 Blatt 1 (MedSpice 2017). Therefore, only the essential elements for development projects, which are indispensable for the approval of medical devices and ensure an efficient development process, will be discussed here. Software is a subdiscipline in this context. In the beginning, there is the product idea, which is usually picked up by a stakeholder or by marketing. A project manager, a person responsible, must then be defined to initiate the next steps. The following step is the concretization of the intended use/intended purpose and the definition of the boundary conditions under which the device will be applied, operated, and should function. This important step involves the formulation of the objective for the project. The requirements are then detailed as part of the requirements of management process.
5.1.1 Project Management As a Superordinate Process Project management is responsible for the entire organization of a development project, from picking up the product idea to releasing the device for marketing. The activities required for the successful development of a device (or service) must be coordinated. Therefore, the project management process can be considered as the overall main process (ISO/IEC 2004). The responsibility of project management starts with the appointment of the project lead and ends (at the earliest) with the release of the device for marketing and the discharge of the project lead. The first process to be initiated is requirements management, i.e., the detailed description of the desired characteristics of the device together with the intended use. For this purpose, all needs and wishes must be collected and detailed with additional explanations and constraints. Subsequently, the collected needs and wishes shall be analyzed and scrutinized with the help of specialists and supplemented with business objectives, quality objectives, and general requirements such as regulations and standards. Only after a collection of rough requirements is available, the necessary resources can be compiled and initial implementation concepts can be developed with them. In an iterative process, inconsistencies and conflicts of requirements shall be eliminated and the description of requirements shall be improved. Therefore, the next task of the project management is the composition of the team: Which and how many capacities from different areas of expertise are
140
P. S. Mu¨llner and U. Klinger
required in the individual project phases to ensure the realization of the project in the desired, agreed time? (DPM 2022). Considering existing boundary conditions and circumstances within the organization, all further activities are to be identified, listed, and initiated at the appropriate times. These activities include planning, requirements and risk management, design for system architecture, detailed design, engineering, verification of system components and the overall system, design validation, and transfer to production. Planning of documentation for the entire development and change and configuration management are further prerequisites for careful project execution. Particular attention must be paid to any feasibility analyses that may be required; they could stand in the way of rapid project progress or even prevent it. The progress of the work, together with the resources used, is to be monitored and compared with the established plan, and in the event of deviations, appropriate corrective measures are to be initiated and checked for their effectiveness. The level of detail for planning depends on the type and complexity of the project and can be supported by an open project risk analysis: For example, in a new development project, the requirements analysis will be much more extensive and will usually run in multiple cycles. In a “successor” project, on the other hand, the new, additional requirements will predominantly have to be examined with regard to potential conflicts with existing requirements.
5.1.2 Tasks of the Project Lead The tasks of the project lead are to be derived from the subprocesses. The following results must be ensured over the course of the project: • The scope and nature of all work to be done are defined, and the necessary resources are derived from this. • Definition of the development strategy (e.g., development model, procedural strategy, and a concept for the sequence of work). • The achievement of the project goals under the given boundary conditions and constraints are evaluated, and potential risks in the project process are assessed. The risks are classified as acceptable together with the clients. • The interfaces and dependencies (in terms of time and content) between the project sections and the subprocesses are described. If applicable, the interfaces to other projects and organizational units are also described and monitored. • Project plan: Plans for the execution and processing of the work to be done have been developed, considering the interdependencies of results, agreed with the project team, and put into effect. • Responsibilities for all occurring activities, coordination functions, and processes (see Sec. 2) are defined, and these works are also integrated into the project plan. • Work progress is continuously monitored by comparison with the plan and reported to the clients in an agreed manner. Activities to correct deviations from the plan are initiated. The causes of deviations are identified, and measures are initiated against a repeated occurrence of such problems if there is a threat that project goals cannot be achieved.
Medical Device Development
141
• Cooperation and communication within the project team are ensured; potential conflicts have been eliminated.
5.1.3 Feasibility Evaluation of the Project Boundary conditions that are part of evaluating the feasibility of a project include: • Available time for development, taking into account the total time to market. • Available budget resources. • Human resources: existing competence, i.e., education, experience, training, knowledge, and the number of existing project employees with their availability at the desired time in the project process; competence that must be recruited or built up through training and further education; and competence that must be obtained externally by purchasing development services. • The infrastructure: Development tools, including a documentation and project communication platform, the spatial situation must also be considered, e.g., the availability of a project room. • Communication within the team. • Are all stakeholders aware of their interests in the project and future devices, have all decision-makers given their clear commitment to the project, and are there any conflicting opinions that could delay or even prevent the project?. • Review the legal possibilities for market approval in the intended target markets. • Ultimately, it must be possible to assess all medium to higher project risks as low risks after implementing appropriate mitigation measures. A diligent project lead reviews and updates the project risk analysis as the project environment changes, at least for major checkpoints. Stakeholders must be involved in any modifications that could jeopardize project progress. Note that during the project risk analysis, all project team members should take the opportunity to express their concerns about the successful course of the project from their point of view. The project lead should be an attentive listener and not ignore the critical voices.
5.1.4 The Project Plan The task for the creation of a project plan could be formulated in a simplified way as follows: “Who does what when, and how are these tasks interdependent?” Each responsible project team member must also be clear about the “how” of the realization before they give their approval to the project plan, which means that there must be an underlying concept for each work item in the plan. The plan must contain a detailed allocation of personnel resources to the individual activities; it is also important to additionally anchor responsibilities to the individual tasks. For the linking of the individual tasks, necessary preliminary work and the existence of results or interim results, which can usually only be worked out during the course of the project, must be considered. The limited availability of project participants must not be forgotten – they too must be able to take vacation once in a while; further education and training must be
142
P. S. Mu¨llner and U. Klinger
scheduled. Absences due to illness cannot be planned, but a planned additional week of “unavailability” per year seems realistic. The timely delivery of results from external development partners and suppliers can be well anchored in the project plan with the help of checkpoints so that the progress of work with external parties can be well monitored. A project plan can only be considered binding and realistic if the full commitment and approval of all participants and stakeholders to the plan are confirmed.
5.1.5 Review and Control of Project Progress The easiest way to do this is to make a consistent comparison of the target and actual state with the plan. At the same time, it can be used to assess whether the plan is coherent and realistic. In the case of inconsistencies, it should be reviewed or revised if it turns out that fundamental assumptions do not apply or no longer apply. Closely related are the progress report to the client(s), stakeholders, and the project team, which are distributed at regular intervals (1–3 months, depending on the overall project duration). Results or partial results must be highlighted accordingly. However, nonachievements should also be openly communicated, but at the same time, it is recommended to elaborate remedial, mitigating, or corrective actions taken and communicate them to all stakeholders. Cost control shall not be missing from the project progress report; it is also part of the continuous monitoring of the achievement of the project objectives. Project reviews after completion of major project sections and checkpoints need to be scheduled (also by the authorities). 5.1.6 Project Completion Review After the project is completed, a review should be conducted with the goal of “What did we learn from the project, what do we need to do better in future projects, and how can we do it better?” (as known as Lessons Learned). This allows experiences gained in the project to be shared with other project teams. Established processes (e.g., not only communication platforms, documentation systems, but also plans and forms) can be reused – often with only minor adjustments. At the same time, process descriptions and work instructions shall be improved and updated if necessary. Such reviews are mandatory from the perspective of a QM system as well as according to the quality standard (CEN/CENELEC 2016) in terms of the continuous improvement process. Remark: Avoid assigning blame during the project completion review. If conflicts need to be resolved, the help of an external mediator is recommended. An additional review may be conducted after field experience is available, particularly for new products, to define further product improvements.
Medical Device Development
5.2
143
Quality Assurance in the Development
Quality shall be developed alongside the device (see also Quality by Design in GMP); quality control over just a few parameters before delivery to the customer is not sufficient to achieve acceptable product quality. The prerequisite for achieving the expected product quality is the clear description and documentation of the product properties. It can be assumed that every product developer is interested in a well-functioning device. Nevertheless, there is sometimes an apparent conflict between the employees in the quality department and the development department. This probably results from the different objectives of the two units. Quality management is processoriented and has to insist on rules and regulations, development has to be creative, and some developers feel restricted by rules. Therefore, tact is required when selecting the person or persons who will assume the role of quality assurance during the development of a device. Establishing quality assurance during product development must be a primary goal for the project lead and stakeholders if rework of the finished device or documentation is to be avoided. Quality assurance shall ensure that potential inspections by authorities can be completed with positive results. The tasks of (design) quality assurance in a project include: • Comparison of the actual processes with the existing process descriptions and initiation of the necessary updates in case of deviations • Ensuring compliance with the defined processes through reviews • Advising development and assisting in the creation of process descriptions and work instructions When creating work instructions and process descriptions, it is important to find a compromise between generic instructions and precise descriptions. The former is easier to comply with, but carry the threat of an insufficiently regulated process. Precise descriptions, on the other hand, carry the threat that they cannot always be complied with or that maintenance is very costly. In practice, generic descriptions supplemented by project-specific instructions have proven their worth. • Ensuring that project documentation is kept up-to-date throughout the entire course of the project • Conducting reviews of the project documentation with regard to comprehensibility, clarity, traceability, and compliance with documentation rules • Ensuring that reviews are carried out at the planned project stages (milestones) and on an occasion-related basis, preparing milestone reports on the status of quality assurance • Advising the project team on the definition of quality objectives in the project (e.g., frequency of change) and assisting in meeting these objectives
144
P. S. Mu¨llner and U. Klinger
• Ensuring the definition of quality objectives for the device and monitoring the verification of these • Performing audits and formal reviews of the Design History File (DHF)/Medical Device File and the Device Master Record (DMR) • Interface with production quality assurance and test planning to ensure the use of statistical methods in subsequent production testing using trending Example: Quality property “product shelf-life” of a device. The individual parts must be calculated with regard to their lifetime and the design must be suitable for the defined lifetime. Among other things, high temperatures must be avoided for electronic power elements.
5.3
Subprocesses in the Development Process and Their Connections
Tasks are to be derived from the individual subprocesses, which are to be considered in the project planning. Depending on the type and size of the project, the individual processes must be considered in varying depths, which determines the amount of work required. Project management and the team must define the associated tasks in detail. As an example of the relationships between the individual processes, Fig. 7 shows the relationships between requirements management and other subprocesses. In the same way, the relationships can be illustrated for other subprocesses.
5.3.1 Overview and Timing Effects Figure 8 depicts the subprocesses to be considered with their work priorities over the course of the project similar to (Rational 2011). The project phases are shown in the graphic as having the same length; in reality, the length of the individual phases will depend on the complexity and size of the project. 5.3.2 Requirements Management Requirements management describes the acquisition, collection, and documentation of product requirements with the associated boundary conditions. The result of this process is the description of the objective for the project with the formulation of the product vision. From the needs and requirements of the customers and users, clear, unambiguous, measurable, and testable requirements shall then be described, which are subject to different weightings. The source, weighting, and selection of the individual product requirements shall be adequately documented. The next step is the refinement and derivation of functional and nonfunctional requirements into subspecifications. Then the analysis of mutual dependencies of specifications and subspecifications shall be performed. The handling of changes and the regulation of conflicts between individual requirements/specifications are part of the requirements management process and shall be described.
Medical Device Development
145
Product Risk Management
Process Development and Design Transfer
Project Documentation Partner Management
Configuration Management
User / Costumer Interface
Project Management
Quality Assurance
Requirements Management
Change Management
Project Risk Management
Requirements Management
System Validation
Design System Architecture
System Verification
System Integration Test
Design Control
Electronic Design Mechanical Design Software Development
Sensor Actuator System Engineering
}
{
Electronic Test Mechanical Test Software Test Test Sensor Actuator Unit Test
Modul Test
Modul Design
System Detailed Design
Fig. 7 Example of connection between requirements management and other development subprocesses
The further detailing of the requirements down to the subspecifications and further represents the objective for the work of the project team. Therefore, the consistent operation of this process is of great importance for future project success with targeted development. The project management shall define responsibilities for this process and verify the results of the process using reviews or other appropriate means. The focus of work for requirements management is at the beginning of the project in the preliminary clarification and analysis phase (see Fig. 8). After that, updates, reviews, and perhaps approvals are required. When collecting product requirements/specifications, the following shall be considered: • Product-specific requirements and intended use/purpose • Legal requirements (standards, common specifications, safety, and performance requirements . . .) • Environmental requirements • Stakeholder requirements (e.g., quantities, profit expectation)
P. S. Mu¨llner and U. Klinger
146
Pre Analysis
Design Analysis
Realisation
Design Verification
Design Transfer
Design Validation
Requirement Management
Risk Management
Requirement Analysis
Design Concept System Arch.
Modul Design
Implementation
System Integration
Verification
Design Transfer
Validation
Change & Configuration Management
Documentation Effort
Training & Knowledge Generation
Fig. 8 Resource requirements of various subprocesses during the entire development process
• Quality requirements • Requirements of production, sales, and service
Medical Device Development
147
To ensure the necessary results of the process, the following boundary conditions must be guaranteed: • Communication with the customers/persons who defined the customer requirements shall be maintained for the necessary period of time to be able to clear up ambiguities or conflicts and/or consider changed customer requirements or needs. • Change management for the requirements is established. • Monitoring for changes in customer requirements is established. • Monitoring for the availability of new technologies that could change customer requirements is established. For project management, development management, and financial control, there will be requirements regarding orderly, clear, and verifiable project progress. These have nothing to do with requirements management but should not be forgotten as part of project management. These include, for example, the reusability of results or cost tracking. There is also extensive literature on the subject of requirements management (Rational 2011).
5.3.3 Risk Management This process is dealt with in detail in the chapter “Risk Management for Medical Devices in Compliance with EN ISO 14971,” so only the link to requirements management is mentioned here. This process describes the identification, analysis, processing, and ongoing monitoring of product risks. The aim of risk management is to ensure the safety and performance of the device in its intended use for patients, users, and third parties (e.g., cleaning personnel, service, and disposal). For the development of a medical device, it is mandatory to perform a product risk analysis according to the standard EN ISO 14971 (CEN/CENELEC 2019). However, this process is also useful for the development of other devices in order to minimize potential errors during use – also considering foreseeable misuse. A considerable part of risks is already covered by testing according to safety standards (e.g., EN 60601-1, EN IEC 61010-1) and in other applicable standards. The product-specific risks that could arise from the design or during use shall in any case be recorded by means of separate risk analysis and subsequently minimized primarily by improvements to the design. The remaining residual risks must be communicated; in the case of a medical device, the benefits of use must outweigh the risks. Risks can also be dealt with in requirements management in the same way as product requirements. For this purpose, the points should be reformulated “positively.” This simplifies implementation, but the reference to the risk analysis must be retained. The focus of the work for risk management (see Fig. 8) is in the analysis phase. But also in the realization phase, work has to be performed with FMEAs or other risk analysis methods (see chapter “Risk Management for Medical Devices in Compliance with EN ISO 14971” and EN ISO 14971 (CEN/CENELEC 2019)), which are
148
P. S. Mu¨llner and U. Klinger
part of risk management. During the later phases, reviews and documentation updates are required as necessary. Another essential part of risk management is project risk analysis. All impediments that could prevent project success should be recorded, evaluated, mitigation measures must be taken, and their effectiveness should be verified. Project risks shall be pursued for economic reasons; they are not a legal requirement. Not only product risks, but also project risks can change during the project, so it is insufficient to perform a project risk analysis only at the beginning of the project. If, for example, many test cases are assessed negatively during the testing of prototypes, this can mean that the selected realization concept is unsuitable and thus the success of the project is at risk.
5.3.4 Requirements Analysis The first step after a catalog of customer needs and stakeholder requirements and product risks is available; it is the transformation of these into technical system requirements that enable a design of the planned system. This step is often described as transformation from customer needs (customer requirements) to requirements specifications. During this process, the existing requirements are reviewed, evaluated, prioritized, and analyzed for their impact on costs and their technical feasibility with respect to the intended use in the real environment. Interrelationships between individual requirements shall be established and conflicts between them be eliminated. The result of this work is often a list of functional and nonfunctional technical specifications and properties of the system to be realized. These shall be testable and, if possible, defined numerically already with tolerance fields. Reference and dependencies of the system specifications to the original requirements shall be documented. When analyzing customer requirements, it can happen that individual requirements are seen as utopian or unrealistic. Maybe these are exactly the requirements that can distinguish a new device from its competitor on the market. This balance must be found during the analysis. When incorporating product risks into the list of requirements, a rating scale should be used that considers the view of what is technically feasible (for its mastery) versus the benefits that the device will bring for its intended purpose. During the preparation of the system specifications, one or more possible realization concepts and/or a future system architecture are considered. For this purpose, conducting of feasibility studies can be helpful. The focus of work starts after the product requirement specifications are available (see Fig. 8). 5.3.5 Conceptual System Design Section 4.2.2 describes the procedure for creating the design and system architecture. The result of this subprocess shall be an overall concept that ensures that all system specifications and their tolerance limits are achieved. The specifications and
Medical Device Development
149
properties were divided among individual system components, and their interfaces, interaction, and mutual dependencies were considered and mastered. Several possible solutions are evaluated with regard to their advantages and disadvantages after defining appropriate selection criteria, and the most suitable variant is selected. The production of experimental samples (design models) or even prototypes for performing test series are often useful to confirm the selection of a specific design variant. But the following points must be clarified beforehand: • The system architecture is selected from various solution approaches on a wellfounded basis after evaluation of the defined selection criteria. • The system is divided into individual components so that a technically sensible, feasible, and cost-optimized overall solution is available. • The system (requirements) specifications are fully assigned to the individual system components (modules) or to the overall system. • Interfaces to each other and requirements of the individual system components (e.g., hardware to software and vice versa) are considered and described in such a way that a module test can be performed individually, and as completely as possible and reasonable. • System and module specifications are documented, communicated, and approved by all affected areas; a controlled change process is established together with a suitable communication method. The focus of the work is the finalizing of the requirements and specifications (see Fig. 8).
5.3.6 Module Design Module design refers to the transformation of the specifications defined by the system architecture into the module level. The following results are available: • An implementation concept has been worked out for the individual system components/modules that ensures complete fulfillment of the module specifications and the interface specifications to the other modules. • A test concept for checking the module and interface specifications has been prepared. • The relationships and dependencies of the individual module specifications on the agreed customer requirements/needs have been comprehensibly established. • Module and interface specifications have been mutually verified and approved. • Risks for the implementation of individual specifications have been defined, and improvement measures are initiated – if necessary also through other modules. The focus of the work is on creating the system architecture (see Fig. 8).
5.3.7 Implementation Implementation means the realization of the specifications into the technical solutions. All concepts, principles, and calculations of biosensors, reagents, calculations
150
P. S. Mu¨llner and U. Klinger
for dimensioning mechanical or electronic hardware with worst-case or statistical methods, load calculations, software concepts, measurement technology concepts, etc. shall be documented, and in case of changes, the affected documents must be updated. During development, it often happens that assumptions have to be made for further detailed specifications of modules in order to be able to achieve specifications for the overall system/product. These assumptions can only be confirmed by tests after realization. The reasons for these assumptions should be documented. Example: The specification of an IVD Device for the accuracy or also the permissible standard deviation of a measured value for a parameter is defined in the requirements, e.g. 2% of the value. At the beginning of the design phase, it is difficult to predict how the proportions of this permissible total error are distributed among the sensor, its drift, the calibration and measurement method, the signal conditioning, and other influencing system components. Initially, only assumptions can be made about this and the actual error proportions can only be determined after the completed individual components have been checked in detail. Test concepts for the verification of module specifications must be available at this time at the latest, and tests of functional modules must be successfully completed before interconnection during system integration. If a design error is detected during the initial review of a module and shall be corrected by a design change, this should not be done without review and approval by other module developers who may be affected. It is part of the culture of open communication that errors are not considered as such, but as problems that need to be solved.
5.3.8 System Integration The purpose of system integration is to assemble the individual system components to prove that the specifications and requirements for the overall system are met. The prerequisite is the successful completed verification of the system components with proof that the requirement specifications for the individual system components are met. First of all, a strategy for integration and interconnection must be created with the goal that the system components and their interfaces can be tested in terms of the system design/architecture. A regression test strategy shall be created for changes to any of the system components. Work priorities (see Fig. 8) for system integration are the creation of their own verifiable system components and modules, and during the analysis phase, interfaces between the system components and modules and the division of tasks among them must be coordinated. At the end of the realization phase, the focus on system interconnection and complete system testing begins.
Medical Device Development
151
5.3.9 Verification Process descriptions are required for carrying out the verification. These must regulate: • Responsibilities for verification and the preparation of test plans, protocols, reports, and corresponding approvals • Contents of verification plans, test plans, and test procedures with the description of boundary conditions and acceptance criteria • Use of various verification strategies (e.g., testing, code review, measurement, observation, and simulation) • Documentation of observations and/or deviations during test execution • Criteria for the repetition of test series • Conditions for repetition of individual test steps after introduction of corrections of previously detected deviations from expected test results • Description of test methods and, if necessary, their method validation • Use of testing – or measuring equipment or utilities • Rules for test coverage (when is a single test sufficient to prove a specification and when are multiple tests required?) • Validity rules for the acceptance of test results of system components for the overall system Test plans and procedures shall be prepared and available before tests are carried out. This is the only way to ensure that the tests are processed consistently and efficiently. Traceability from the requirements and requirement specifications to the test cases with the test results must be ensured, as also the completeness of the testing of all specifications. This also includes the evidence for the usability and the stability and quality properties of the device or system. Verification activities can start with the creation of test plans and test strategies when the specifications have been derived from the requirements. This has the advantage that inconsistencies in the formulation can be eliminated at an early stage and the testability of the specifications is assured (see also the activity shown in Fig. 8 at the end of the preliminary clarification phase up to the analysis phase). A successfully completed verification for the entire device or system is a prerequisite for starting product validation activities.
5.3.10 Design Transfer Process Objective and principle of the Design Transfer are described in Sect. 4.2.6, so only the planning and the relationship to the other processes are discussed here. The prerequisite for a reasonable start of the Design Transfer is the positive result and conclusion of the verification of the development prototype. This shall be already considered when planning the Design Transfer to avoid expensive changes of production machines and systems. However, it can also be useful to carry out feasibility studies for production processes in advance in order to develop suitable
P. S. Mu¨llner and U. Klinger
152
and stable processes for the planned number of units. These are represented by the activity area in Fig. 8 at the end of the predesign phase. The planning shall consider: • • • • •
Development of the production processes Development of production equipment, production tools, and other tools Preparation of production documentation (production specifications) Production of the pilot series(es) Validation of the production equipment, production tools, utilities, and production processes • Verification of the product specifications with the pilot series • Final review and any further reviews of products and processes that may be required Product design validation shall be performed with specimens from the pilot series.
5.3.11 Design Validation Process The purpose and principle of design validation have already been described in Sect. 4.2.7, so only the planning and the relationship to the other processes are discussed here. Design validation is the last step to be performed before the device is released for commercialization. When planning the design validation, the customer requirements shall be analyzed and the questions for the tests for validation formulated on this basis (see also the activities in the preclarification phase shown in Fig. 8). The analysis of customer requirements should always be carried out at a very early stage of the project; after all, the customer requirements are defined from the very beginning. For perfect usability, it is recommended to conduct preliminary tests with potential customers using prototypes or parts of prototypes (e.g., the user interface) and to use the feedback to gather early feedback and to optimize the design (EN 62366-1, CEN/CENELEC 2015). The final design validation tests can be at least partially combined with the clinical studies at the user site. Early involvement with clarification of the availability of (potential) customers and users should be planned. Stakeholder requirements from the organization (i.e., management, marketing, and finance) are often only verifiable in the course of the commercialization phase.
5.4
Supporting Development Processes
5.4.1 Change and Configuration Management Changes during the course of a project cannot be avoided; they may be necessary for a wide variety of reasons: new requirements from marketing, replacement or modification of materials, parts or components, and software changes due to, for example, the introduction of a new operating system or an update. But also changes within the manufacturing process, or changes to process specifications if problems occur during implementation can trigger a change. Therefor a documented update is
Medical Device Development
153
essential in any case. A traceable identification system is required to show which part was changed, when, how, and why, and which tests were performed with which hardware revision or software version. Furthermore, for traceable proof of system requirement specifications, it is necessary that all components and system parts are interconnected in a controlled manner with their status labeled. In order to be able to detect negative effects of the modification of components on the overall function or a specification of the system, it shall therefore be ensured that all tests of system specifications are performed on clearly identified versions of system components. It shall be ensured that • The individual system parts and components specified by the system architecture are identified and named. • The status and change status of all system parts and components are clearly labeled and documented, and each change and the change history are traceable. • Tested combinations of system parts or components are clearly identifiable, and their test status is documented. • Reasons for changes to individual versions of system parts or components are documented. • Changes to components are traceable and clearly described by their documentation status. In individual cases, it must be decided – with justification – which tests of properties or specifications shall be repeated after a change or modification of several components. The focus for these activities (Fig. 8) starts in the analysis phase and lasts until the completion of verification.
5.4.2 Documentation and Document Management For development staff, documentation is often an unpopular activity. Work on plans, concepts, and their updates are often postponed, especially if the effect of a change cannot yet be foreseen. It must therefore be the highest priority for project and development management to raise awareness that every activity and every result shall be documented. Unsuccessful implementations should also be described, to avoid that unsuccessful concept will be repeated – perhaps with new employees. However, it can also happen that a former unsuccessful concept appears in a different light as a result of new findings, new materials, or manufacturing technologies. In this case in particular, it is extremely valuable to have detailed documentation of the original path including all boundary conditions. However, it shall also be understood that for subsequent product maintenance, e.g., taking a material or component out of service, changes can only be made quickly and efficiently if its properties, specifications, and conditions of use are known and described. Keeping documentation up to date is therefore a prerequisite for the feasibility of product maintenance, and this viewpoint is also held by the authorities. For example, the FDA deems “What is not documented does not exist” and considers undocumented changes to be a serious violation of regulations. It also requires process
154
P. S. Mu¨llner and U. Klinger
descriptions or work instructions for handling documents, as also shown in chapter “Quality Management Requirements in Compliance with European Regulations.” Note that development documentation must be sufficiently detailed to enable external technical personnel to understand the documentation in a reasonable amount of time without further explanation and to be able to make changes to correct problems. Quality assurance shall therefore pay particular attention to the correct handling of documentation. The use of a document management system suitable for the organization and the project size is recommended; such systems are available on the market. Within a development project, documentation requirements shall be agreed upon between the project lead and the team. The requirements for the documentation and communication platform shall also be defined (responsibilities are shown in italics): • Availability of a document management system (organization) • Availability of a communication platform compatible with the document management system (project lead) • Definition of types and hierarchies of (development) documentation (project lead) • Definition of responsibilities for creation, labeling, review, approval, and distribution for each type and level of documents (project lead) • Documentation of development results and filing in the document management system (team) • Updating documents in case of changes as agreed in the team and announcing them after implementation via the communication platform (team) The elements of development and project documentation are the Design History File and the Device Master Record.
5.4.3 Training and Knowledge Management “Not always reinventing the wheel” is the motivation for training and knowledge management. Usable documentation from previous development projects is a prerequisite if the acquired knowledge is to be used repeatedly and thus save expensive development time. Another argument is the protection of the acquired knowledge by patents. After all, the development documentation is the clear proof of novel inventions. Conversely, however, patent searches must not be forgotten in order to avoid infringement of third-party patents. On the one hand, the effort for training and further education has to be planned for the availability of the team members for the actual project work; on the other hand, they are an important instrument to prepare newly available employees for their tasks in the team. Especially in the early project phase and during the transitions from one project phase to the next, the training of the project team on the planned tools such as
Medical Device Development
155
project, test and document management, etc. must be done consistently. Therefore, the focus for training is usually at the beginning of the project and during transitions to new project phases (see Fig. 8).
6
Conclusion
The diverse and complex legal requirements for medical devices demand careful and structured planning and procedures by project management when developing a complex system. The central thread for a system product development is presented on the basis of project phases: Starting with the product idea with the intended use/intended purpose, from which the requirements and specifications are formulated and detailed, realization concepts are to be worked out; these are selected with the help of feasibility studies. The development steps that finally lead to the elaboration of the solution are explained. After realization, the specifications are to be checked and the suitability for use is to be proven. High demands are placed for the project lead: The technical coordination of a team usually composed of different technical disciplines requires leadership ability. In addition, the ability to plan ahead, appropriately assess and consider project risks, and observe the tasks from the subprocesses are prerequisites for successful project management. The subprocesses to be observed for efficient development progress and the tasks derived from them are explained and supplemented with lists or examples. The importance of careful and complete documentation of the entire development history is illustrated, not only for compliance with legal requirements but also for orderly Design Transfer to production and subsequent efficient product maintenance.
References Boehm BW (1988) A spiral model for software development and enhancement. In: ACM SIGSOFT software engineering notes, vol 21. IEEE DPM – The digital project manager (2022) Website. Retrieved from https://thedigitalpro jectmanager.com/what-is-resource-planning-why-is-it-necessary/ European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2015) EN 62366-1:2015 Medical devices Part 1: Application of usability engineering to medical devices European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2016) EN ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes European Committee for Standardization (CEN), European Committee for Electro technical Standardization (CENELEC) (2019) EN ISO 14971:2019 Medical devices – Application of risk management to medical devices European Parliament and European Council (2017a) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 concerning medical devices, amending Directive
156
P. S. Mu¨llner and U. Klinger
2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 9s0/385/EEC and 93/42/EEC. Off J Eur Union L 117:1–175 European Parliament and European Council (2017b) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. Off J Eur Union L 117: 176–332 Gottesdiener E (2005) The software requirements memory Jogger: a pocket guide to help software and business teams develop and manage requirements (Memory Jogger). GOAL/QPC, Methuen IPMA International Project Management Association IPMA (2022) Website. Retrieved from https://www.ipma.world/ International Organization for Standardization (ISO), International Electrotechnical Commission (IEC) (2004) ISO/IEC 15504:2004 – Information technology – Process assessment Medical device software – Medical SPICE Process assessment model (2017) Website. Retrieved from https://www.vdi.de/en/home/vdi-standards/details/vdi-5702-blatt-1-medizinprodukte-soft ware-medical-spice-prozessassessmentmodell Project Management Institute (PMI) (2022) Website. Retrieved from https://www.pmi.org/ Rational (2011) Rational Software White Paper TP026B, Rational Unified Process Best Practices for Software Development Teams Scrum.org (2022) Website. Retrieved from https://www.scrum.org/resources/what-is-scrum U.S. Food and Drug Administration (FDA) (2012) Code of Federal Regulations Title 21, Volume 1, 820.30, Subpart C. Retrieved from: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/ cfrsearch.cfm?fr¼820.30
Safety Requirements for Medical Devices in Compliance with European Standards Robert Neubauer, Jo¨rg Schro¨ttner, and Christian Baumgartner
Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Aspects of the Safety Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Parameters Deviating from Basic Safety Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 Development and Production Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Scope of Safety Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 Reaching the “State of the Art” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.4 Safety Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.5 Influence on the Accompanying Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.6 Influence on the Mechanical Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.7 Influence on the Electrical Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Technical Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1 Safety Influence Due to Aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Materials Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3 Safety Requirements for IVD Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4 Safety Aspects Under Normal Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5 Safety Aspects Under Single Fault Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.6 Normative Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Technical Safety Inspections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1 Design Testing to Clarify Fundamental Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Special Tests and Basic Safety Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.3 Type Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.4 Research of Safety Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.5 Structure and Requirements of EN 60601-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
158 160 160 160 162 163 163 165 165 165 166 167 168 170 172 175 176 179 179 180 180 180 182 184 185
R. Neubauer (*) · J. Schröttner · C. Baumgartner Institute of Health Care Engineering with European Testing Center of Medical Devices, Graz University of Technology, Graz, Austria e-mail: [email protected]; [email protected]; [email protected] © Springer Nature Switzerland AG 2023 C. Baumgartner et al. (eds.), Medical Devices and In Vitro Diagnostics, Reference Series in Biomedical Engineering, https://doi.org/10.1007/978-3-031-22091-3_4
157
158
R. Neubauer et al.
Abstract
Medical and laboratory devices are developed to support physicians and specialists in daily clinical routine or emergency situations. The safety aspect of medical devices is usually not perceived by the user, but it is just as important as the application aspect. This fact is taken into account by the Medical Device and In Vitro Diagnostic Regulations MDR 2017/745 and IVDR 2017/746, and European standards, which require the development of medical equipment according to the state of the art in the safety concept of the devices. For developers of medical and laboratory devices and instruments, it is a challenge to find a good compromise between the requirements of the applicable standards, the user requirements, and the increasing price pressure of the market. This chapter addresses basic questions from manufacturers and developers, such as what level of safety must be implemented in devices to comply with the state of the art and how it can be achieved. It also provides a brief overview of the safety requirements of the medical device regulations, with a focus on single fault conditions and the philosophy of integrated safety, together with an attempt to identify possible ways of proving conformity with these requirements. Selected examples from applicable product standards for medical electrical and laboratory equipment are used to provide a better understanding of how these requirements can be implemented in practice.
1
Introduction
In the early days of medical technology, the main focus was on the development and manufacture of medical devices. The primary concern in this was the functionality of the devices. As a result of incidents in daily practice, however, it quickly became clear that the safety of patients and users is equally important and had to be considered accordingly. Awareness of the importance of regulating safety measures as well as the performance parameters of a device through standards has gradually grown in past decades. The EN 60601-1 (CEN/CENELEC 2013), the main standard for safety requirements for medical electrical equipment, is a good example for this development. While the first two editions (edition 1 published in 1977, and edition 2 published in 1990) focused mainly on electrical and mechanical safety aspects, the requirements in the third edition were expanded to include aspects such as biocompatibility, usability, programmable electrical systems, and the integration of a risk management system. These additions are also reflected in the number of pages of the standard. In 1977, the first edition comprised about 100 pages. Since then, the page count has increased to 430 pages. This process is still ongoing; topics that have not played a role in recent years such as cyber security, environmental protection, resource consumption (e.g., power consumption of a laboratory or
Safety Requirements for Medical Devices in Compliance with European Standards
159
Fig. 1 Historical development of the topics covered in EN 60601-1. EMC stands for electromagnetic compatibility
medical electrical device), or artificial intelligence have become increasingly important (Fig. 1). In Europe, safety technology has now been a part of everyday life for some 40 years. Safety aspects must be taken into account at every stage in a device life cycle. They must be incorporated into the product design during prototype development, series production, or as user feedback from the post market surveillance phase. However, the reality in companies is often quite different. Young companies and start-ups developing medical devices for the first time in particular tend to neglect critical safety aspects and focus primarily on the performance and design of the product. This can subsequently lead to serious problems during the product testing (type testing, type-examination) required for approval of the medical device. An example would be a incompatibility with the required air clearances and creepage distances on the motherboard, which usually results in redesign of the entire device. Another example would be an enclosure that fails to withstand mechanical strength tests, which may require reworking of the injection mold of the enclosure (Fig. 2).
160
R. Neubauer et al.
Fig. 2 A power supply enclosure that does not comply with the requirements of EN 60601-1 (mechanical safety requirement: ball pressure test)
2
Aspects of the Safety Concept
From the safety perspective, bringing medical devices to market that are 100% safe for the patient and user would be desirable. However, this goal of perfection belongs more to theory than practice, since the intended use of high-risk medical devices alone, as well as special indications or performance parameters of the devices, such as current flowing through the patient’s body, the intensity of the infrared radiation, or the delivery rate of an infusion pump, inevitably bring a risk potential that can at best be reduced but not eliminated. This problem can be illustrated by the example of a surgical laser. Laser radiation is the greatest risk here, especially from the power density. Reducing the output power to harmless levels would reduce the risk of injury from reflections or accidental contact with the laser beam. This would also impair the function to such an extent that the device would no longer be suitable for the intended surgical use.
3
Parameters Deviating from Basic Safety Requirements
3.1
Development and Production Costs
Proving conformity with the required safety standards is an intensive and demanding process that can increase development and production costs significantly, as safetyrelated components and modules in a device are a significant cost factor. A typical example is the medical multiple socket outlet with protection against unauthorized plugging and unplugging. While commercially available power strips are offered cheaply in hardware stores, medical multiple socket outlets are significantly more expensive, depending on the design (see Fig. 3). In order to meet the requirements of
Safety Requirements for Medical Devices in Compliance with European Standards
161
Fig. 3 A medical multiple socket outlet with protection against unauthorized plugging and unplugging compared with a commercially available power strip
the applicable standards, there are many other reasons that lead to higher development and production costs, such as lower production quantities or the use of higherquality components. Apart from higher development and production cost, other areas are also affected by the following safety requirements:
3.1.1 Device Design and Dimensions The device design and its dimensions are influenced by safety-related aspects, as the additional components require space. Warning lights, warning signs and labels, and control elements (e.g., emergency stop buttons) must be mounted on the device so that they are clearly visible and accessible. Device dimensions increase because safety distances between different circuits (e.g., between the voltage power supply circuit and the patient circuit) must be taken into account. In addition, the weight of the device may also increase, e.g., due to the use of an isolating transformer so that the permissible leakage currents are not exceeded. The resulting increase in user and patient safety may, in turn, have an adverse effect on the usability and design of the device. 3.1.2 Usability The use of key switches, security checks, double confirmations, access restrictions, protection wear, and similar demand time and patience from the users. Special care should be taken to ensure that the equipment remains user-friendly despite safety measures. In this case, user training plays an essential role. It should convey to the operator the need for and benefits of the safety measures, otherwise the user will not perceive them as meaningful protection against the hazards posed by the device and may not use them.
162
3.2
R. Neubauer et al.
Scope of Safety Measures
As mentioned earlier, safety technology is a balancing act. Device function, usability, patient safety and user safety, and development costs should be balanced. Achieving this is challenge (see Fig. 4), as a compromise in the effort-safety ratio must be found based on the device type and its risk potential. Regulations and standards are a reliable source to help the developer achieve an acceptable level of safety. The Medical Device Directive 93/42/EEC (European Parliament and European Council 1993), which was repealed in 2021, first provided guidance on the safety requirements for medical devices. When this document was introduced, it was already required that the devices must take into account the state of the art and practice at the time of design to meet the essential requirements. The Medical Device Regulation MDR 2017/745 (European Parliament and European Council 2017a), which replaced the Medical Device Directive 93/42/EEC, formulates similar, but more precise, requirements. Item 1 in Annex I, Chap. I of the MDR 2017/745 reads verbatim: “Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose. They shall be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons,
Fig. 4 Consensus on the effort-safety relationship
Safety Requirements for Medical Devices in Compliance with European Standards
163
provided that any risks which may be associated with their use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety, taking into account the generally acknowledged state of the art.”
3.3
Reaching the “State of the Art”
What “state of the art” means for a medical device is not easy to define. This can best be answered by reference to some additional information from the Medical Device Regulation 2017/745. Article 8 “Use of harmonized standards” states that “devices that are in conformity with the relevant harmonised standards shall be presumed to be in conformity with the requirements of this Regulation” and is an accepted approach of showing that the device or equipment is state of the art. This proof can be provided, for example, by a technical safety test, a so-called type test at an accredited testing body. Such independent testing bodies or other experts can assist the manufacturer in selecting the standards applicable to its product and confirm conformity with the standards specified by the manufacturer. An updated list of harmonized standards can be found on the website of the European Commission (European Commission). See also “Commission Implementing Decision (EU) 2021/1182 of 16 July 2021 on the harmonised standards for medical devices drafted in support of Regulation (EU) 2017/745 of the European Parliament and of the Council,” (European Parliament and European Council, 2021b). In addition, a comparison with similar products on the market can support the evidence that the device complies with the state of the art.
3.4
Safety Principles
Additional safety-related principles are defined in Annex I, Chap. I, Items 2–9 General Safety and Performance Requirements, General Requirements of the Medical Device Regulation MDR 2017/745 (European Parliament and European Council 2017a), and Items 2–8 for the IVDR 2017/746 (European Parliament and European Council 2017b) which are summarized here in abbreviated form: • The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio (the risk for patients, users, or third parties, arising from the intended purpose of a device must be acceptable in comparison to the benefit resulting from the application). • Manufacturers shall establish, implement, document, and maintain a risk management system (see chapter “Risk Management for Medical Devices in Compliance with EN ISO 14971”). • Risk control measures adopted by manufacturers for the design and manufacture of the devices shall conform to safety principles, taking account of the generally
164
R. Neubauer et al.
acknowledged state of the art. To reduce risks, manufacturers shall manage risks so that the residual risk associated with each hazard as well as the overall residual risk is judged acceptable (the design must comply with the principle of integrated safety). • The characteristics and performance of a device shall not be adversely affected to such a degree that the health or safety of the patient or the user and, where applicable, of other persons are compromised during the lifetime of the device, as indicated by the manufacturer, when the device is subjected to the stresses which can occur during normal conditions of use and has been properly maintained in accordance with the manufacturer’s instructions. • Devices shall be designed, manufactured, and packaged in such a way that their characteristics and performance during their intended use are not adversely affected during transport and storage, for example, through temperature and humidity fluctuations, taking account of the instructions and information provided by the manufacturer. • All known and foreseeable risks, and any undesirable side-effects, shall be minimized and be acceptable when weighed against the evaluated benefits to the patient and/or user arising from the performance of the device as achieved during normal conditions of use. The requirement for an acceptable benefit-risk ratio requires the manufacturer to compare the risk to the patient and operator resulting from the use of the device with the resulting benefit to the patient. For example, in appendectomy, the surgical procedure results in a scar caused by the surgical instrument. This damage to the skin is considered acceptable because of the benefit to the patient. If the same scar would be caused by a procedure to determine a physiological parameter that can also be measured noninvasively, the benefit-risk assessment would be negative. This fundamental requirement of an acceptable benefit-risk ratio is met by the manufacturer’s introduction of a risk management system in accordance with the EN ISO 14971 (CEN/CENELEC 2019). Its essential component is the benefit-risk determinations with regard to the specific, residual, and overall risk. Another aspect of the general safety and performance requirements addresses the risk posed by the user of the medical device, as many accidents involving medical devices are due to operator error. For example, according to a study by the Medicines and Healthcare products Regulatory Agency (MHRA) (MHRA 2013), 21% of reported incidents involving infusion pumps are due to user errors. These user errors are partly the result of poor device usability. The EN 60601-1-6 (CEN/CENELEC 2015b), which refers to EN 62366-1 (CEN/CENELEC 2015d) in several areas, provides valuable guidance for assessing the usability of a device and for creating the so-called usability file required by EN 60601-1. Safety standards, such as the EN 60601-1, go a step further and require that not only user errors, but also reasonably foreseeable misuse must be taken into account.
Safety Requirements for Medical Devices in Compliance with European Standards
165
This does not mean that the manufacturer must consider all conceivable and unintended uses of his product. The manufacturer is obligated, however, to consider realistic situations of misuse of its product and in no case to encourage them. The user (lay person, professional, etc.) and the patient population considered in the usability file thus have a direct influence on the electrical and mechanical design of the device, as well as on the content of the accompanying documentation and instructions for use.
3.5
Influence on the Accompanying Documentation
This issue is also addressed in standards when the expected user group differs from the educated and adequately trained medical personnel, and is taken into account by the design and language of the instructions for use. For example, a lay person is assumed to have a level of knowledge equivalent to 8 years of education (see EN 60601-1-11 (CEN/CENELEC 2015a)). The instructions for use must thus be written in a form and language that allows this person to easily follow and understand them. Furthermore, the active use of supporting graphics and avoidance of any foreign words are strongly recommended.
3.6
Influence on the Mechanical Design
An implemented mechanical protection measure may be entirely sufficient for one user group, but altogether ineffective for another. In the EN 60601-1 standards series, a test finger corresponding to the dimensions of an average adult finger is used to test accessibility to hazardous parts. However, in the EN 60601-1-11 (CEN/CENELEC 2015a), the replica of a child’s finger is used because the presence of unattended children is to be expected in a home environment. This anatomical adaption of the test instrument means a significant reduction in the permissible gap and slot sizes (e.g., ventilation slots) on the enclosure of the device (Fig. 5). The purpose of this reduction in size is to make hazardous parts inside the device (e.g., mains voltage, mechanically moving parts) inaccessible from the outside, even for little fingers of small children.
3.7
Influence on the Electrical Design
For electro-medical devices with applied parts, the electrical design depends on whether the user or the patient or both can touch the applied part through which a leakage current can flow. The EN 60601-1 distinguishes between patient and operator safety. In previous editions of the standard, this separation was not made and the same safety measures for patient and operator were considered; the third
166
R. Neubauer et al.
Fig. 5 Size comparison between a “normal” test finger and that of a “child” test finger
edition of the EN 60601-1 accepts operator safety concepts that, for example, meet the requirements of the IEC 62368-1 (Audio/video, information and communication technology equipment – Part 1: Safety requirements) (IEC 2018a). The safety level for the patient, on the other hand, is even higher. This is because patients may have impaired responsiveness, be unconscious, or have a reduced body impedance. These considerations are reflected in the standards that specify the test equipment for measuring leakage currents. In the EN 61010-1 (CEN/CENELEC 2015c), the measurement device (see Annex A, Fig. A.1 to A.3) includes a 2 kΩ resistor to mimic the total body impedance for a hand-to-hand current path that is not exceeded by 95% of the adult population (see table 1 in IEC 60479-1, Effects of current on human beings and livestock – Part 1: General aspects) (IEC 2018b). This body impedance resistor is reduced to 1 kΩ in the device used in the EN 60601-1 (Fig. 6) to account for the fact that the patient may have a reduced or no skin impedance (e.g., during surgery). This reduction leads to higher leakage currents in the measurement device according to the EN 60601-1 and to an earlier exceeding of the permitted leakage currents at the same voltage drop, resulting in higher insulation requirements for patient circuits.
4
Technical Requirements
In addition to these fundamental requirements, the new MDR 2017/745 and IVDR 2017/746 set out a number of further rules. These concern the technical design of the products with regard to user and patient safety. Some of these important requirements are discussed in more detail below.
Safety Requirements for Medical Devices in Compliance with European Standards
167
Fig. 6 A leakage current-measuring device with adjusted body impedance (Left: EN 60601 R2 ¼ 1 kΩ; Right: EN 61010-1 R1 + R2 ¼ 2 kΩ)
4.1
Safety Influence Due to Aging
In general, medical devices must be designed in such a way that there is no change in the level of safety throughout the device lifetime. This requirement refers to the fact that laboratory and medical device properties and safety concepts can be changed or affected by specific factors. The first step in addressing this risk is to determine the expected lifetime of the device. This determination is also a mandatory requirement of the EN 60601-1 (see Item 4.4) and should be stated in the risk management file of the device. For sterile products, it is possible to specify an expiration date. Note that sterility can only be guaranteed over a limited period of time. Nonreusable products, on the other hand, must be labeled for single-use only. Abrasion and aging of the devices are also factors that should not to be underestimated when ensuring a lifetime safety concept; moving parts in particular are subject to natural wear. This includes, for example, a V-belt drive for a motor, the control knob for selecting a dispensing quantity or the membrane keypad, which can break due to constant mechanical stress caused by frequent finger pressure. The leakage of rubber seals and the breakage of vibration dampers for engines and drives are good examples for the need to consider the aging of materials in this context. Figure 7 shows typical wear cases that can be attributed to material aging and mechanical stress. Changes to the dimensions of wear parts can delay the occurrence of the problem but cannot permanently eliminate it. One way of maintaining safety over the expected lifetime of a device is to carry out periodic safety checks, starting with the daily visual inspection by the user before the device is put into operation and continuing with technical safety and metrological checks at regular intervals. The
168
R. Neubauer et al.
Fig. 7 Application parts damaged by wear (suction electrode, membrane keypad)
responsibility for carrying out these inspections lies with the operating organization. The scope and minimal inspection interval are regulated, for example, in the national Medical Devices Act and in the corresponding Medical Device Operator Ordinance, and are primarily based on the potential risk posed by the product. The manufacturer alone has full knowledge about his product and therefore bears the essential responsibility in this case. He must provide precise information on the scope of the periodic inspection, which must be specified in the instructions for use or in the technical manual. These specifications are an essential source of information for the service technician who must perform the safety inspection. They must contain information on the inspection interval, the inspection and replacement of wear parts, and the performance of measurements of safety-relevant parameters and their permissible limit values. The exact contents of this information can be found in the applicable device standards, e.g., the EN 60601-1 and the EN 62353 (CEN/CENELEC 2014).
4.2
Materials Used
The materials used in medical devices must meet special requirements. According to the Medical Device Regulation MDR 2017/745, toxicity and flammability must be evaluated by the manufacturer when selecting materials for equipment and accessories.
4.2.1 Toxicity and Biocompatibility Information on the toxicity of materials can be obtained directly from the data sheets provided by the manufacturer of these materials. The only way to prove conformity with this requirement is through toxicological testing in an accredited laboratory, if it is not possible to obtain the necessary information, or if the material used is a combination of several raw materials where it is unclear whether the combination of these materials will result in toxic effects. A good example of a mixture of
Safety Requirements for Medical Devices in Compliance with European Standards
169
materials with possible toxic effects is the substance resulting from the fusion of plastic granulate used for molded equipment enclosures and the additive used to achieve the desired color of the housing. When selecting materials, biocompatibility also plays an important role, in addition to toxicity, as proof of biocompatibility is required by several standards (e.g., EN 60601-1, Item 11.7). Biocompatibility assessments are required if the material is to come into contact with the patient or user during its intended use. The biocompatibility requirement applies primarily not only to materials of implantable devices and applied parts, but also to patient leads, hand-held actuators, or protective devices such as laser safety eye wear. Important factors to consider here include estimating the extent of potential expected biological effects and determining the scope of the biocompatibility assessment, the average duration of use, the type of application, and the degree of invasiveness are. Suitable proof of biocompatibility is provided not only by test reports in accordance with the ISO 10993 series (ISO 2009), but also, for example, Oeko-Tex certificates or extensive market research without contradictions provided proof that the material is already in medical technology use for similar applications.
4.2.2 Flammability To assess the flammability of the material used, it must be demonstrated that its ignition temperature is sufficiently high compared to the temperatures to which the material is exposed during its intended use or inside the device. These temperatures can be determined by taking measurements with temperature sensors placed at the identified “hot spots.” These points of interest can be detected during overview measurements using an infrared camera (see Fig. 8). The consideration of single fault cases is often disregarded when calculating the maximum temperature to which the assessed material is exposed. In particular, power-consuming components and motors can reach extremely high temperatures in the event of a single fault (e.g., short cut or overload). This heat source can, in turn, easily cause ignition inside the device. The main standards EN 60601-1 (Items 11,13) and EN 61010-1 (Item 9) offer different approaches for preventing ignition inside a device. The most common approach is to simulate single faults and implement corrective actions to prevent the spread of a fire. Limiting the energy used in electric circuits and containing the fire are other ways to deal with this source of hazard (see Fig. 9). The accumulation of fire-promoting substances such as disinfectants or oxygen is another aspect that must be taken into account when minimizing ignition possibilities in a device. Foams used to dampen vibrations or engine noise can also be a cause of fire. Flammable substances such as gases (e.g., oxygen) or liquids (e.g., disinfectants) can accumulate in the voids of the foam and may cause ignition if the concentration of these substances reaches a critical level. In this case, there is a higher risk for laboratory devices than for medical devices, as they are designed for operation without constant monitoring, e.g., at weekends, so that a possible ignition is only detected at a late stage.
170
R. Neubauer et al.
Fig. 8 Infrared image to identify heat sources (“hot spots”) in the device
4.3
Safety Requirements for IVD Devices
The EN 61010-2-101 specifies in particular the safety requirements for IVD devices, including IVD self-tests. The focus is on the risks associated with exposure to hazardous chemicals, aerosol vapors, radiation, and flammable liquids, which are addressed by specific design, labeling, and documentation requirements. A risk assessment must be performed and documented according to the requirements of EN ISO 14971 for hazards not covered by the general and specific standards of the EN 61010 series. Relevant information for manufacturers is provided by the ISO 16142-2 “Medical devices – Recognized essential principles of safety and performance of medical devices – Part 2: General essential principles and additional specific essential principles for all IVD medical devices and guidance on the selection of standards” which identifies and describes the general essential principles of safety and performance that apply to all medical devices, including IVD medical devices, as well as the additional essential principles of safety and performance which need to be considered especially during the design and manufacturing process of IVD medical devices. Examples of relevant standards include EN ISO 11137, EN ISO 11138, EN ISO 11140 (sterilization of health care products – radiation, biological indicators, and chemical indicators), EN ISO 11737 (sterilization of medical devices – microbiological methods), EN ISO 11607 (packaging for terminally sterilized medical devices), EN ISO 18113 (in vitro diagnostic medical devices – information supplied by the manufacturer (labeling)), EN ISO 23640 (in vitro diagnostic medical devices – evaluation of stability of in vitro diagnostic reagents), and EN ISO 14644
Safety Requirements for Medical Devices in Compliance with European Standards
171
Fig. 9 Flow chart of different methods for preventing the spread of fire based on Fig. 11 in EN 61010-1
(cleanrooms and associated controlled environments) if required (see also European Parliament and European Council 2021c).
4.3.1
Protection of Persons from Exposure to Biological Agents When Working with IVDs The protection of persons against risks to their health and safety, arising from exposure to biological agents at work, is the subject of the EU directive 2000/54/ EC (European Parliament and European Council 2000). According to Article 3, the nature, extent, and duration of persons’ exposure must be determined for each activity in which there may be a risk of exposure to biological agents, in order to enable an assessment to be made of the risk to persons’ health or safety on the basis of the hazards posed by all hazardous biological agents and to determine the measures to be taken. An assessment must be conducted on the basis of all available information including:
172
R. Neubauer et al.
(a) Classification of biological agents which are or may be a hazard to human health (b) Recommendations from a competent authority which indicate that the biological agent should be controlled (c) Information on diseases which may be contracted as a result of the work of the personnel (d) Potential allergenic or toxigenic effects as a result of the work of the persons (e) Knowledge of a disease from which a person is found to be suffering and which has a direct connection with his work The assessment must be renewed periodically and, in any case, whenever there is a change in the conditions that may affect persons’ exposure to biological agents. As a consequence, the risk of exposure must be reduced to as low a level as necessary in order to protect adequately the health and safety of the personnel concerned according to a list of measures summarized in Article 6. More detailed information can be found in the directive.
4.4
Safety Aspects Under Normal Conditions
Medical devices must be safe for their intended purpose under normal conditions. The requirements of the MDR 2017/45 and IVDR 2017/746 that products on the market and used for their intended purpose can be considered fundamentally safe, when their intended purpose is not associated with a hazard, must be a matter of course for the user of medical devices. In principle, hazards can be accepted if these result from the required function of the medical device, as in the case of a highfrequency surgical device. These hazards are unacceptable, however, if the user is endangered as a result of insufficient insulation. Various approaches are possible to minimize identified safety risks (resulting from performed risk analysis, standard requirements, etc.). These corrective measures are associated with varying levels of effort and cost. The MDR 2017/745 and IVDR 2017/746 (Annex I, Chap. I, Item 4) call for a rigorous and consistent approach to the solution processes for risk minimization, in line with the principles of integrated safety. The integrated safety principle offers three risk minimization methods (Fig. 10). The basic principle for the choice of solution stated in the regulations is as follows: direct safety before indirect safety before indicative safety!
4.4.1 Direct Safety Measures This term refers to all measures (mostly constructive measures, see Fig. 11) that act independently of each other and serve to eliminate or minimize the identified risks. Properly implemented, these corrective measures exhibit the greatest efficiency. They protect without the involvement of users, patients, or third parties and are therefore considered the preferred protective measure. A major advantage of these protective measures is that their effectiveness can be verified and, if necessary, modified during the product development phase. Once installed, they work almost reliably. In software-based applications, this concept can be implemented by
Safety Requirements for Medical Devices in Compliance with European Standards
173
Fig. 10 Principles of integrated safety
Fig. 11 Examples of constructive safety measures (insulation, isolating modules on PCBs)
so-called checksum control algorithms. Factors that can lead to a loss of the protective function in constructive measures are abrasion, aging, or simply defects in components. The loss of this protective effect can be detected at an early stage by regularly performed safety checks. Constructive solutions, however, can also entail disadvantages for the device design. The use of additional components (e.g., isolating modules that separate the patient circuit from the mains circuit), thicker insulation, stronger mechanically resistant housings, or strain relief for power supply cords, to name a few examples, increase the manufacturing effort and also frequently the device dimensions, since these measures require additional space.
174
R. Neubauer et al.
If the need for a constructive measure is identified after the development process has been completed, the subsequent implementation can quickly become costintensive. If such measures affect the design of the housing, mechanical parts, or the PCBs, a design change to the product is usually unavoidable. For this reason, it is of utmost importance that safety aspects are considered and integrated at every stage of the product development process and not applied only to a finished product. Direct safety measures are the best way to prevent hazards, but they are not always applicable. Hazards often result from physical requirements that are absolutely necessary for the intended use of the device such as radiation in X-ray devices, mechanical forces occurring in therapy devices, or high therapy currents in stimulation equipment. In these cases, there must be possibilities other than constructive safety measures to reduce the risk.
4.4.2 Indirect Safety Measures If a hazard cannot be eliminated by design for the reasons stated in section “Direct safety measures,” indirect safety provides an alternative. This principle covers all protective measures that do not reduce the risk posed by the device itself, but attempt to protect patients, users, and third parties from this hazard by additional means. These measures include, for example, protective equipment (safety goggles, protective suits), access restrictions (key switches, passwords, and ID cards), and monitoring devices (light barriers, emergency STOP buttons) (Fig. 12). The great advantage of these measures is that if necessary, they can usually be implemented with relative ease even after the development process has been completed. Their effectiveness, however, is highly dependent on the user. An emergency STOP button implemented in the device circuit can only fulfill its function if it is actuated at the critical moment. Only its installation in the device does not constitute a protective function. The same applies to protective equipment. If the user, for example, does not wear the correct laser safety goggles (depending on the wavelength, laser power, etc.), eye damage may result. User information and training are critical factors in increasing the effectiveness of this principle. The manufacturer has the responsibility to inform the user about risks and the correct application of safety measures. This can be done through the
Fig. 12 Examples of indirect safety measures (protective eye wear, emergency switch)
Safety Requirements for Medical Devices in Compliance with European Standards
175
Fig. 13 Examples of indicative safety measures (warning sign)
instructions for use, but also, depending on the complexity of the device, through user training. In this context, the medical devices operator organization also plays an essential role. The organization must identify and instruct all persons who need to be trained, and must also ensure that new employees receive follow-up training. Only when this is done can the indirect safety measures be effective and lead to risk minimization.
4.4.3 Indicative Safety Measures Indicative safety is the weakest safety measures form. To achieve a higher level of safety, it should be used in combination with direct or indirect safety measures (e.g., a warning sign for dangerous laser radiation in combination with protective eyewear). Indicative safety is provided by instructions in the user manual and often by warning signs and notices that can be attached to the device (Fig. 13). Care should be taken to use internationally standardized symbols (e.g., from ISO 7010 (ISO 2020)). The relevant standards for devices contain illustrations of the required warning symbols. Warning labels and signs must meet special requirements for their legibility and durability. According to the EN 60601-1/2006+A1/2013, Item 7.1.2, the labels and signs must still be legible from a distance of 1 meter for users with normal vision. Durability tests usually ensure that the markings remain legible after treatment with various substances. Treatments with solvents or alcohol, for example, simulate disinfection processes on the device. When examining the usability, do not forget to check the enclosed safety instructions for their usefulness. Too many warnings on the device can have a negative effect; the overstrained user may ignore them. Warning signs that cannot be recognized from the user’ position are also unsuitable for minimizing risks.
4.5
Safety Aspects Under Single Fault Condition
Medical devices must have the same safety level in the event of a single fault as under normal conditions. A single fault must not lead to a risk for the patient, the
176
R. Neubauer et al.
user, or third parties. The question “When does a risk or a hazardous situation occur?” is thus of great importance. For example, if a motor reaches excessive winding temperatures under normal conditions, which represents a fire hazard that should not be underestimated. A builtin power control can help prevent these excessive temperatures. However, there must be a second, independent method of controlling the single fault condition if this power control fails, such as using a thermal fuse. If the hazardous situation is reached only under a fault condition, when an excessive device current is drawn, this situation can be controlled by a single measure using a fuse. The simultaneous occurrence of two independent fault conditions need not be considered. For example, the failure of a basic insulated wire touching a metallic enclosure and the interruption of the protective conductor connection of this enclosure part at the same time need not be considered in risk management. The problem is that the single faults must be detected before the occurrence of another single fault cancels the safety measure. Single faults that lead to loss of function or trigger a safety measure (e.g., residual current circuit breakers, circuit breakers) are quickly detected and removed. The breakage of a double insulation layer, on the other hand, is only detected by visual inspection if the outer insulation layer is affected. Other deviations in the insulation quality are only detected during safety testing if the measured values exceed the specified limit values. When controlling the single fault condition, special attention must be paid to subsequent faults. The reconstruction of these fault situations initially gives the impression that they are caused by the occurrence of two independent faults. On closer inspection, these situations often turn out to be consequential faults. They result from inadequate fault protection, e.g., when a monitor falls to the floor despite a wall mount and catch chain (the catch chain is installed as a single fault protection in case the wall mount fails). However, if the catch chain is not sized for the mass of the monitor, it would break and cannot prevent the single fault condition. The breakage of the catch chain due to undersizing thus cannot be considered as a second independent fault but is considered as a consequential fault. Figure 14 shows a design example of how single fault cases can be handled. All essential functions for safety-relevant features are controlled here by two processors, so that if the main processor fails, the control processor continues to work and takes over safety-relevant functions and vice versa.
4.6
Normative Requirements
The safety requirements specified in the regulations are very general, as the preceding examples show. In the product standards for medical devices harmonized with the MDR 2017/45, these requirements are specified in more detail and adapted to the functions and hazards of the individual medical devices. These specific standards (the so-called collateral standards, Part 2 of EN-60601-1) also specify important
Safety Requirements for Medical Devices in Compliance with European Standards
177
Fig. 14 Block diagram of an infusion pump: two processors (main and control processor) are used for safety-relevant tasks to compensate single fault cases
device-related risk classifications. Special requirements are derived from these device-related risks, such as additional information in the instructions for use not specified in the EN 60601-1 or certain types of permissible applied parts for patient circuit separation (e.g., only applied parts of type BF or CF are permissible for ECG-devices). In many collateral standards, risk combinations that are generally considered single fault conditions in the EN 60601-1 are classified as normal conditions because they can occur during normal use of the devices. Typical examples would be the spillage of liquids when using water-sponge electrodes of an electrical stimulator or short-circuiting of patient connections such as adhesive electrodes of an automated external defibrillator during the resuscitation process. When risks are classified as a “normal condition” or a “single fault condition,” however, this has a significant impact on product development. While the single fault condition must be controlled by a single protective measure, the risk that is considered a “normal condition” must be controlled by two independent measures. Researching the standards applicable to the device is therefore important preliminary work for the development process, since important product-specific requirements can be derived from the collateral standards. The following principles, derived from the EN 60601 and EN 61010 series of standards and the EN ISO 14971, apply generally to all medical and laboratory (IVD) equipment. Therefore, they should be taken into account during development: 1. 2. 3. 4.
All possible single fault cases can occur. All identified risks must be evaluated. Everything that is accessible without the use of a tool is considered touchable. Insufficient insulation, protective conductors, or insufficient air clearances and creepage distances are considered not to be present.
178
R. Neubauer et al.
5. Patients and operators are considered to be well-grounded to earth. 6. Patients are not protected according to their skin resistance (applies not for IVDs). Item 1: The determination of the probability of occurrence is a permissible and useful way within the risk management process and is recommended by the EN ISO 14971 standard. Complete neglect of an identified risk because it is assumed that it can never occur or has occurred in the past in the intended use is not permissible. Item 2: If a potential hazard is identified in the risk analysis or if a risk constellation according to the standard exists for the device, it must be minimized using the integrated safety method. For the definition of integrated safety, see Sect. 4.5. Item 3: The question arises as to what is to be considered a tool. The definition of terms in the EN 60601-1 provides clarity: “Any object that can be used to tighten or untighten fastening appliances or to make adjustments.” This means that a coin (e.g., to open the battery compartment lock) is considered a tool; a human body part such as a finger nail is not. If a battery compartment (fuse holder, junction box, etc.) can be opened by hand without a tool, anything in that compartment or area is considered touchable. This can be a problem if the battery is connected directly to the patient circuit, which is designed as a BF or CF applied part, and thus inadvertently comes into contact with parts that are considered to be connected to ground (Fig. 15). Item 4: Insufficient insulation not dimensioned to withstand the electrical strength test for the expected operating voltage, excessively short air or creepage distances, or
Fig. 15 Accidental grounding of the patient circuit (see position of test finger), as the battery compartment can be opened without the use of a tool
Safety Requirements for Medical Devices in Compliance with European Standards
179
protective conductors that cannot carry the expected short-circuit current in single fault conditions are considered to be nonexistent. If the dimensioning of a protective component does not comply with the standard requirements, it is considered ineffective and must be disregarded in a safety-related consideration. There is no such thing as “partial” protection. The evaluation of the safety measure is a binary decision (yes/no) on the requirements of the applicable standards. Item 5: This safety assumption results in the need to take into account an electrical current flowing through the patient or operator from any circuit connected to ground when the operator comes into contact with the circuit. For this reason, most patient circuits that make an electrical connection to the patient must be isolated from ground (applied type BF, CF). Item 6: The consequences arising from this requirement are discussed in the section “Aspects of the safety concept.” Note that for laboratory equipment, skin resistance is taken into account for leakage current measurements.
5
Technical Safety Inspections
Demonstrating conformity with the essential safety requirements means that the manufacturer must prove that his device meets the requirements of the applicable harmonized standards. This is usually done in the technical documentation of the medical equipment, which is required by the MDR 2017/745 as one of the main issues for conformity assessment (see Annex II, Chap. 4). “Offering evidence of conformity with each harmonised standard, CS or other method applied to demonstrate conformity with the general safety and performance requirements,” required by the regulation, can be done in different ways. The manufacturer can prove the effectiveness of safety concepts or solutions by conformity to a harmonized standard by authorizing a testing laboratory to perform a safety-related test of the developed product. Different levels of product testing are distinguished, which can be selected by the manufacturer.
5.1
Design Testing to Clarify Fundamental Questions
In order to enable design changes in good time, use of accompanying tests/checks from the device design start phase is highly advisable. Basic questions must be clarified, such as “can protection class II be used if functional ground connection is required for EMC reasons” or “is the separation between primary and secondary
180
R. Neubauer et al.
circuit sufficient if the manufacturer of the power supply can only provide a test report according to the EN 62368-1?”
5.2
Special Tests and Basic Safety Testing
More detailed aspects can be investigated after the proof-of-concept phase has been successfully passed and a functional prototype has been built. At this stage of development, the manufacturers must evaluate the medical use of their device – usually for high-risk devices – with clinical trials. The manufacturer must demonstrate that the device does not pose a risk to the operator or study participants to gain approval for clinical trials by an ethics committee. At this stage, however, the device would not pass a regular type testing because it is still a prototype under development. One option is thus to perform a basic safety test in a testing laboratory to confirm that the basic safety requirements for the applicable standards have been met for leakage currents, separation requirements, creepage distances, and air clearances. Other aspects, such as the completeness of the instructions for use or the usability file, which are also referred to in these standards, are not usually examined, as these issues may change with the outcome of the clinical trial.
5.3
Type Testing
Finally, type testing should be performed at the end of the development process to ensure that all applicable standard requirements for the device are fulfilled in detail. The main focus should be on commissioning an accredited testing laboratory to carry out the necessary tests, as only accredited reports or certificates are accepted by notified bodies and authorities. However, before the test sample including the technical documentation can be submitted to the accredited testing laboratory, certain steps are necessary to avoid a major setback in device development during this safety-related testing. These tasks are described in the following section using examples, with a focus on the safetyrelated development process.
5.4
Research of Safety Requirements
The first step is to identify the relevant European regulations and directives. These documents can be found on the EU law website and downloaded free of charge. Documents for medical devices include the MDR 2017/745, for laboratory and IVD devices the IVDR 2017/746, in particular the Directive 2014/35 “Related to electrical equipment designed for use within certain voltage limits” (European Parliament and European Council 2014a).
Safety Requirements for Medical Devices in Compliance with European Standards
181
In addition, it should be noted that other directives may also apply to the product. An example is the Machinery Directive 2006/42/EC (European Parliament and European Council 2006), which applies to medical devices with mechanically driven parts according to Article 1(12) of the MDR 2017/745. Other directives that may also apply are: Directive 2014/53/EU for the supply of radio equipment on the market when wireless data transmission components are used in the medical device (European Parliament and European Council 2014b), Directive 2011/65/EU for the restriction of the use of certain hazardous substances in electrical and electronic equipment (RoHS) (European Parliament and European Council 2011). In addition, EU regulations (e.g., Regulation (EU) 2021/2226 on electronic user instructions for medical devices) or national regulations can provide important guidance (European Parliament and European Council 2021a). Once the applicable regulations, directives, guidelines, and national laws have been determined, the real work begins in determining which parts of the requirements are applicable to the device. For this proof, the research of the applicable harmonized standards is mandatory. For each regulation or directive, there is a list of harmonized standards that can be downloaded from the website of the European Commission (European Commission). One standard that must always be applied to electrical medical devices is the EN 60601-1. Part 1 represents the main standard, which concerns fundamental requirements that all devices must meet. In addition, it must be checked whether a specific standard (Parts 2 of the EN 60601) exists for the device. This search can be conducted on the websites of the national standards committees. In addition, if the device contains safety-relevant software, the EN 62304 (CEN/CENELEC 2016) and the EN ISO 14971 for the required risk management must be taken into account. Whether the identified standards are applicable to the device being developed can be found in the “Scope” chapter, which usually follows the introductory chapter of the standard. Attention should be paid to ensuring that the latest edition of the standard is used for development. Certainty is usually provided by the cover sheet of the standard, on which the chronological reference of the present edition of the standard to the IEC edition is established. An important date the manufacturer must observe is included in the foreword to the standard. The date of withdrawal (DOW) indicates the date from which the new standard alone is valid. The previous version is still valid until this date. Experience shows that the DOW is usually set 3 years after the date of publication (DOP) of the new version of the standard. This transition period was chosen to give manufacturers sufficient time to adapt the product to the new requirements. Figure 16 gives an overview of possible sources for requirements of medical electrical equipment
182
R. Neubauer et al.
Fig. 16 Overview of possible sources for medical electrical equipment requirements
5.5
Structure and Requirements of EN 60601-1
To get a better understanding of which aspects are required, the contents and test criteria of the EN 60601-1 are examined in more detail (see summary in Table 1). The first relevant chapter (Chap. 4, General requirements for safety) deals with additional requirements for the risk management, which should comply with EN ISO 14971. In risk assessment, the EN 60601 series distinguishes between identified and not identified hazards. Unidentified hazards must be addressed in the risk management process of the device, and the residual risks must be evaluated to determine whether they are acceptable or not. For risks identified in the standard with specified acceptance criteria, proof of compliance with these requirements suggests a reduction of the hazard to an acceptable level. Alternative risk control measures to those required by the standard are also permitted, but the manufacturer must demonstrate that the results of these measures are equivalent. This chapter also requires the definition of the essential performance of the medical device. These essential performances are clinical functions that are necessary for the intended use or safety and are not related to essential safety requirements, but the absence of which would result in an unacceptable risk. Finally, this chapter also addresses requirements for single fault conditions and the acceptability of components (e.g., components with high integrity features). The test specifications essential for type tests, such as number of samples, supply voltages, or humidity preconditioning are described in Chap. 5. This preconditioning should simulate the most unfavorable environmental conditions before leakage current and dielectric strength tests are performed. The test sample is stored for 48 h or 168 h, depending on the IP-classification, in a climate chamber containing air with a relative humidity of 93% and a temperature in the range of 20–30 C. In this part, the determination of accessible parts that may pose a hazard is also carried out using test fingers and hooks with specified test forces up to 30 N.
Safety Requirements for Medical Devices in Compliance with European Standards Table 1 Summary of the contents of EN 60601-1
EN 60601-1 Chapter 4 5 6 7 8 9 10–13 14 15 16
183
Contents Risk management, essential performances Test specifications for type tests, accessible parts Classification Labeling, instructions for use Protection against electrical hazards Mechanical hazards Single fault conditions, spread of fire Programmable electrical medical systems Special requirements Medical systems
Chapter 6 deals with the device classification in connection with safety classes, whereby only devices of safety class I and II and devices with internal powered equipment are permitted. The protection against harmful ingress of water or particulate matter and the operating mode are also part of this chapter. Chapter 7 is dedicated to the requirements for labeling and instructions for use and contains requirements for the usability process, such as the legibility of inscriptions under the intended conditions of use or the durability of the labels with regard to the disinfection process. The most relevant tests for protection against electrical hazards are summarized in Chap. 8, such as leakage current measurements, dielectric strength testing, and determination of creepage distances and air clearances, including permissible limits. The subject of mechanical hazards is addressed in Chap. 9, where requirements for trapping zones or emergency stop devices are denoted. The following chapters (10–13) deal with output and performance parameters and the evaluation of single fault conditions such as spread of fire or hazards due to motor overload. Additional requirements for programmable electrical medical systems can be found in Chap. 14. These complement the requirements according to the EN 62304 in topics such as risk management or verification and validation of the software. Special components such as batteries or transformers for mains-power separation and mechanical stability of enclosures are selectively addressed in Chap. 15. The final Chap. 16 deals with the special requirements for medical systems. Particular attention is paid to the leakage currents resulting from the combination of several devices and to the hazards arising from the use of multiple socket outlets. Although the topics of the accuracy of initial values, hazardous situations, and fault conditions (single faults) are only briefly addressed in the EN 60601-1, more detailed requirements can be found in the corresponding Parts 2, specific to the device under test. The following is a brief overview of commonly used standards (excerpt) that may be useful in determining which standards apply to the equipment being developed:
184
R. Neubauer et al.
EN 60601-1 EN 60601-2-X EN 60601-1-2 EN 60601-1-6 EN 60601-1-8 EN 60601-1-9 EN 60601-1-10 EN 60601-1-11 EN 60601-1-12 EN 61010-1 EN 61010-2-X EN 61326-2EN ISO 14971 EN 62304 ISO 10993 EN ISO 15223-1 EN 62353
6
Medical electrical equipment (general) Medical electrical equipment (type-specific) Electromagnetic compatibility (EMC) Usability (EN 62366) Alarm systems Environmentally conscious design Development of physiologic closed-loop controllers Home healthcare environment Use in the emergency medical services environment Safety requirements for electrical equipment for measurement, control, and laboratory use Laboratory electrical equipment (type-specific) EMC requirements for in vitro diagnostic (IVD) medical equipment Risk management for medical devices Medical device software Evaluation of the biocompatibility of medical devices to manage biological risk (series) Symbols and markings for medical devices Recurrent test
Conclusion
The development of medical and laboratory equipment is a demanding process, which results in a product with a high safety standard when correctly carried out. The advantages for the manufacturer lie in a well-structured and traceable technical documentation and in legal certainty in the event of an incident. Patients and operators can rely on both the safety of the device, even in the event of single fault condition, and also on a proven clinical benefit. This chapter discussed the basic safety principles and concepts and solutions for their implementation, supplemented by illustrative examples that guide the manufacturer through the design and development process of a medical device. The concept of integrated safety provides risk mitigation opportunities that play a key role in this process. One important standard that must be applied to electrical medical devices is the EN 60601-1, or the EN 61010-1 for laboratory equipment, which addresses fundamental requirements that all devices must meet. To prove conformity with the required standards and regulations, special tests and basic safety testing are required, which should be carried out by accredited testing bodies. Over the next decade, the requirements for medical device and IVD developers will continue to increase as various topics, such as cyber security, are incorporated into the relevant regulations and standards to take medical device safety to the next level. A continuous review of the current standards and guidelines is therefore
Safety Requirements for Medical Devices in Compliance with European Standards
185
essential to be well-prepared for the constantly increasing safety requirements in the future.
References European Commission. Harmonised standards. Retrieved from https://ec.europa.eu/growth/singlemarket/european-standards/harmonised-standards_en European Committee for Electrotechnical Standardization (CENELEC), International Organization for Standardization (ISO) (2020) EN ISO 7010-1:2020 Graphical symbols – safety colours and safety signs – registered safety signs European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2013) EN 60601-1:2006+A1:2013 Medical electrical equipment, Part 1: general requirements for basic safety and essential performance European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2014) EN 62353:2014 Medical electrical equipment – recurrent test and test after repair of medical electrical equipment European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2015a) EN 60601-1-11:2015 Medical electrical equipment. Part 1-11: general requirements for basic safety and essential performance – collateral standard: requirements for medical electrical equipment and medical electrical systems used in the home healthcare environment European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2015b) EN 60601-1-6:2010+A1:2015 Medical electrical equipment. Part 1–6: general requirements for basic safety and essential performance – collateral standard: usability European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2015c) EN 61010-1:2010+A1:2019 Safety requirements for electrical equipment for measurement, control, and laboratory use Part 1: general requirements European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2015d) EN 62366-1:2015 Medical devices Part 1: application of usability engineering to medical devices European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2016) EN 62304:2016 – medical device software – software life cycle processes European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) (2019) EN ISO 14971:2019 Medical devices – application of risk management to medical devices European Parliament and European Council (1993) Council Directive 93/42/EEC of 14 June 1993 concerning medical devices. Official Journal of the European Communities. L 169:1–43 European Parliament and European Council (2000) Directive 2000/54/EC of the European Parliament and of the Council of 18 September 2000 on the protection of workers from risks related to exposure to biological agents at work (seventh individual directive within the meaning of Article 16(1) of Directive 89/391/EEC). Official Journal of the European Communities. L 262:21–45 European Parliament and European Council (2006) Directive 2006/42/EC on machinery, and amending Directive 95/16/EC. Official Journal of the European Union. L 157:24–86 European Parliament and European Council (2011) Directive 2011/65/EU on the restriction of the use of certain hazardous substances in electrical and electronic equipment. Official Journal of the European Union. L 174:88–110 European Parliament and European Council (2014a) Directive 2014/35/EU on the harmonisation of the laws of the Member States relating to the making available on the market of electrical
186
R. Neubauer et al.
equipment designed for use within certain voltage limits. Official Journal of the European Union. L 96:357–374 European Parliament and European Council (2014b) Directive 2014/53/EU on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC. Official Journal of the European Union. L 153:62–106 European Parliament and European Council (2017a) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 concerning medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 9s0/385/EEC and 93/42/EEC. Official Journal of the European Union. L 117:1–175 European Parliament and European Council (2017b) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. Official Journal of the European Union. L 117:176–332 European Parliament and European Council (2021a) Commission Implementing Regulation (EU) 2021/2226 laying down rules for the application of Regulation (EU) 2017/745 of the European Parliament and of the Council as regards electronic instructions for use of medical devices. Official Journal of the European Union. L 448:32–38 European Parliament and European Council (2021b) Commission Implementing Decision (EU) 2021/1182 of 16 July 2021 on the harmonised standards for medical devices drafted in support of Regulation (EU) 2017/745 of the European Parliament and of the Council. Official Journal of the European Union. L 256:100–102 European Parliament and European Council (2021c) Commission Implementing Decision (EU) 2021/1195 of 19 July 2021 on the harmonised standards for in vitro diagnostic medical devices drafted in support of Regulation (EU) 2017/746 of the European Parliament and of the Council. Official Journal of the European Union. L 258:50–52 International Electrical Commission (IEC) (2018a) IEC 62368-1:2018 Audio/video, information and communication technology equipment – part 1: safety requirements International Electrical Commission (IEC) (2018b) IEC 60479-1:2018 Effects of current on human beings and livestock – part 1: general aspects International Organization for Standardization (ISO) (2009) ISO 10993-1:2009 Biological evaluation of medical devices – part 1: evaluation and testing within a risk management process International Organization for Standardization (ISO) (2017) ISO 16142-2:2017 Medical devices – recognized essential principles of safety and performance of medical devices – part 2: general essential principles and additional specific essential principles for all IVD medical devices and guidance on the selection of standards Medicines and Healthcare products Regulatory Agency (MHRA) (2013) Infusion systems
Software as Medical Device in Europe Sara Stoppacher and Peter S. Mu¨llner
Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1 Classification of Medical Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Safety Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Main Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 Risk Management in Software Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Tool Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Principles in Software Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4 Software Development Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5 Analysis of the Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.6 Software Architectural Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.7 Detail Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.8 Implementation and Verification of the Software Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.9 Software Integration and Integration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.10 Testing and Release of the Software System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.11 Software Maintenance Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.12 Software Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.13 Problem Solving Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.14 Agility in Software Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.15 IT Security for Software in Medical Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.16 IT Security Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.17 General Data Protection Regulation (GDPR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.18 AI and Machine Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.19 Approaches from the FDA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.20 Digital Health Application (DiGa) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
188 190 192 193 193 195 196 197 197 198 198 199 199 199 200 200 202 202 204 206 207 207 209 210
S. Stoppacher (*) Dedalus HealthCare GesmbH, Graz, Austria e-mail: [email protected] P. S. Müllner (*) Wien, Austria e-mail: [email protected] © Springer Nature Switzerland AG 2023 C. Baumgartner et al. (eds.), Medical Devices and In Vitro Diagnostics, Reference Series in Biomedical Engineering, https://doi.org/10.1007/978-3-031-22091-3_2
187
S. Stoppacher and P. S. Mu¨llner
188
3 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 4 Cross-References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Abstract
Software as a medical device (SaMD) has attracted enormous attention in recent years as safety requirements have dramatically increased due to the MDR 2017/ 745 (2017a) and the IVDR 2017/746 (2017b), as well as other standards relevant to the approval process. This chapter firstly provides an overview of well-known challenges in the approval process of software as a medical device, and secondly suggests methods to meet all requirements. Topics such as the software lifecycle, the continuously growing importance related to IT security, and hot topics such as agile software development, artificial intelligence, and machine learning are addressed, and recommendations are given on how to meet the regulatory requirements. In addition to relevant documentation requirements, this survey provides guidance on the most important future developments of IT standards in Europe. Finally, further relevant topics are addressed, such as the European Data Protection Regulation or digital health applications on prescription and how, perhaps, the European approach could benefit from FDA approaches. This chapter provides a comprehensive overview on relevant requirements for software as a medical device and includes valuable practical tips as well as references to guidelines and relevant standards to be considered, thus guiding the reader smoothly through the approval process.
1
Introduction
Nowadays, almost all medical devices include software components, making software essentially the heart of the matter, and that is exactly why we should pay more attention to this topic. Increasingly sophisticated and intelligent algorithms not only increase innovativeness but also generate a high efficiency level. Since the Medical Device Regulation (MDR 2017/745) (2017a) and In-vitro-Diagnostic Regulation (IVDR 2017/746) (2017b) were published, software manufacturers in particular have been challenged to pursue approval in Europe. In addition to an expanded definition of software as a medical device, Classification Rule 11 made life more difficult for many small and medium-sized enterprises (SMEs). Software and applications (apps) rarely fall into class I, since almost all medical software is intended to provide information used to make decisions for diagnostic or therapeutic purposes, resulting in a correspondingly high regulatory burden. However, topics such as agile software development in accordance with the requirements of the MDR or the US Design Controls are becoming increasingly important, as it is the growing desire for clarity on topics such as artificial intelligence and machine learning, including digital health applications in the field of telemedicine. Software must be designed in accordance with Regulation (EU) 2017/745 MDR (2017a) and Regulation (EU) 2017/746 IVDR (2017b) to ensure repeatability, reliability, and performance according to the intended use assigned according to
Software as Medical Device in Europe
189
Medical Device Coordination Group (MDCG) 2019-11 (MDCG 2019). Proof of safety and security and proof of performance ((MDR 2017/745 2017a, Annex I, Chap. 2, Sections 17.1 and 17.2) are required for software and must be developed in accordance with state-of-the-art technology, whereby the following principles shall apply: • • • •
Software lifecycle Risk management IT security Verification and validation
The regulatory basis for the development of software as an integral part of a medical device or as a stand-alone medical device (SaMD – Software as Medical Device) is the EN 62304 (CEN/CENELEC 2006) standard based on the IEC 62304 (the EN 62304 standard is based on AAMI SW68 [2001], which is derived from IEC 12207 [1995]): “Medical devices – Software – Software life cycle processes.” This is a minimum requirement description of the essential development and maintenance process and their supporting processes such as risk management, configuration management, and software problem resolution process. The main idea and justification for the standard is that the more carefully software development and maintenance processes are perceived, the lower the probability of errors and defects will be. However, standards rarely come alone, because while risk management is an essential part of EN 62304 and imposes traceability provisions and various test specifications on software and systems, EN 62304 also contains references to EN ISO 14971 (CEN/CENELEC 2019a), which is specifically dedicated to risk management. Traceability is another key issue in EN ISO 14971. Furthermore, EN 62304 requires a QM system and recommends EN ISO 13485 (CEN/CENELEC 2016). Doing so means that validation procedures must be defined for the software used within the QM system. Any software tools used in the QM system or in the development process need to be validated according to the risk-based approach as well. The normative and regulatory requirements for medical software are, therefore, in line with the interaction between the MDR 2017/745 (2017a), IVDR 2017/746,
MDR 2017/745 IVDR 2017/746 aim: IT security
Software Life Cycle EN 62304
QM Systems EN ISO 13485 requires
requires
Fig. 1 Interaction among normative software requirements
Risk Management EN ISO 14971 requires
S. Stoppacher and P. S. Mu¨llner
190
(2017b), EN 62304, EN ISO 14971 as well as EN ISO 13485, see Fig. 1. Note that all regulatory requirements for medical devices, such as technical documentation, essential safety and performance requirements, or management of a UDI, pertain to software as defined. This chapter focuses on the principles relating to software previously listed. In addition to the general requirements for the software life cycle, the following sections will provide an overview on the regulatory documentation requirements defined in EN 62304. In this chapter, we also address the approach of artificial intelligence and machine learning. The regulatory requirements are often very difficult to implement, especially for AI/ML-based software, as no concrete specifications are yet available by the legislature. It is therefore important to establish transparency, as this innovative and efficient approach is becoming increasingly important in almost all areas of medicine. In addition, we further address typical issues in the field of IT security along with a glimpse of how regulatory requirements in the field of medical software will develop in the future.
1.1
Classification of Medical Software
As mentioned in the introduction, the MDR classification guidelines for medical software have certainly not made life any easier for entrepreneurs. Rule 11 in Chap. III within Annex VIII of the MDR 2017/745 (2017a) leads to almost all medical software being classified in a higher risk class than before. The decisive basis for a correct classification is the intended purpose. The decision tree in Fig. 2 is Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes is classified as class IIa, except if such decisions have an impact that may cause:
YES
NO
death or an irreversible deterioration of a person's state of health
YES
Risk Class III
serious deterioration of a person's state of health or a surgical intervention
NO
Risk Class IIb
YES
Software for controlling vital parameters: Do parameter changes lead to immediate danger for the patient?
NO
Risk Class IIa
YES
Fig. 2 Risk classification of medical software
Is the software intended for the control of physiological processes?
NO
Risk Class I
Software as Medical Device in Europe
191
supposed to assist in classifying software into risk classes. Furthermore, we highly recommend to follow the flow-chart guide provided by the European Commission to check if a manufacturer’s software counts a medical device according to an MDCG guidance document (MDCG 2021). Software that is used purely for documentation purposes and for general well-being, rather than serving as a decision-making basis for further therapy and medication, does not count as a medical device. This includes, for example, lifestyle and wellness software. The focus of this chapter is to describe software as a medical device under the MDR. However, software can of course also count as an in vitro diagnostic medical device as it is intended to provide information about in vitro investigations involving specimens derived from the human body, including blood and tissue donations, or information about physiological, pathological processes or related procedures that affect the human health condition. In this context, we recommend the non-binding guidelines of the International Medical Device Regulators Forum (IMDRF), which assist manufacturers in placing their medical devices on the market. For software, for example, the IMDRF offers the following guidelines: • “Software as a Medical Device (SaMD): Clinical Evaluation” (IMDRF 2014b) • “Software as a Medical Device (SaMD): Application of Quality Management System” (IMDRF 2014c) • “Software as a Medical Device (SaMD): Possible Framework for Risk Categorization and Corresponding Considerations” (IMDRF 2014a) • “Software as a Medical Device (SaMD): Key Definitions” (IMDRF 2014d) The following section briefly presents the basic considerations for SaMD risk categorization according to the IMDRF framework, without going into too much detail. The classification scheme here is based on the guidance for “Possible Framework for Risk Categorization and Corresponding Considerations” (IMDRF 2014a). This guideline is intended to support manufacturers in the risk classification of their software. The framework distinguishes between four different levels of risk, with Level IV software having the greatest impact on patients and health, while Level I represents the smallest impact. Categorization has to be risk-based according to Table 1. In comparison to the MDR 2017/745 (2017a), the major difference is that the IMDRF framework is based on the patient’s current state of health, whereas the MDR 2017/745 (2017a) focuses on the severity of (consequential) damage caused. In conclusion, it should be noted that SaMDs need to be re-categorized after each change. In addition, we would like to point out a number of classification examples in both the MDCG 2019-11 Guidance on Qualification and Classification of Software in the EU Regulations MDR 2017/745 (2017a) and IVDR 2017/746 (2017b), and the IMDRF (IMDRF 2014) Guideline on categorizing the risk of software. MDR risk class I for medical device software does not fall into the IMDRF risk categories and therefore is not listed in Table 1. Note that while the IMDRF framework facilitates assignment to various risk classes, classification in MDR risk class I is rarely possible with current regulation.
S. Stoppacher and P. S. Mu¨llner
192 Table 1 Risk categorization according to IMDRF guideline
Health condition or the patient’s condition Critical Serious NonCritical
Importance of information provided by SaMD for healthcare decisions High Means Low The information provided The information The information by the software is used to provided by the provided by the make a diagnosis or software does not software is used to take determine further trigger immediate or an immediate action. treatment measures. timely actions IV (MDR III) III (MDR IIb) II (MDR IIa) III (MDR IIb) II (MDR IIa) I (MDR IIa) II (MDR IIa) I (MDR IIa) I (MDR IIa)
Fig. 3 Possible implementation of a software system with its software items and units
1.2
Software System Software Item
Software Item
Software Unit
Software Unit
Software Unit
Software Unit
Software Item
Software Item
Software Unit
Software Unit
Software Unit
Software Unit
Safety Classification
A key element within the EN 62304 standard is the safety classification for the software system and elements into three classes: • A: No injury or damage to health possible • B: No serious injury possible • C: Death or serious injury possible
1.2.1 Segmentation into Units Manufacturers are required to describe the software architecture before running through the software safety classification. Therefore, initially the device has to be divided into software items based on the system architecture until the level of detail of a so-called “unit” is reached, see Fig. 3. The term unit, which is used by default for an item that cannot be further subdivided, as no definition of an item being “further
Software as Medical Device in Europe
193
subdividable” exists, may not always be unambiguous. A “breaking down” to the individual units is not only required for the description of the system architecture, but also necessary for the unit verification for classes B and C (according to par. 5.5.5 of EN 62304). Note that different companies use different levels of detail. These units are to be classified according to the definition given above, assuming the worst case in terms of severity. If we follow the architecture back to the starting point, always considering the highest severity level, we finally obtain a system-level classification. It is reasonable to use the identified aspects such as severity, hazards, causes, or chains of causes to perform the risk analysis as well (according to EN ISO 14971 (CEN/CENELEC 2019a)). Finally, the software items and systems can be assigned to a security class. Example: An analyzer determines vital parameters to be monitored. The diagnostic results are then used by physicians as a basis for decision-making. After analyzing the architecture, several software systems are found to interact with each other, but, for example, those systems and parts of the software of the mentioned analyzer that contribute to the preparation and measurement of the (critical) parameters are to be classified as C. However, not all parts of the software will be classified in this highest class. If the device would measure other parameters not providing vital additional information, those software parts could be classified as A or B. A method commonly used in practice to reduce documentary effort is to consider non-safety-critical systems separately from safety-critical systems, e.g., by splitting them into subsystems – as far as the standard specifications allow (e.g., by implementing them separately on different systems). In theory, subsystems could then be categorized into different safety classes. Medical applications, on the other hand, are usually considered as a holistic unit. Therefore, the same security classification holds true for the entire system.
2
Main Requirements
2.1
Risk Management in Software Development
The risk management required by EN 62304 focuses on the severity and potential damage a software could cause. Therefore, the standard introduced the software (items) classification into security classes. To determine the safety class, the probability assumption of 100% applies. EN 62304 stipulates that any probabilities of malfunctions leading to hazards need to be assumed as 100%. For manufacturers, this means that they should expect failures to occur. Prior to 2015, the standard requirements caused much uncertainty among manufacturers since a 100% probability had to be assumed for the occurrence of hazards there as well. However, this has changed in the subsequent edition. For example, risk assessments according to EN ISO 14971 can be assumed with more realistic error probabilities than has been
S. Stoppacher and P. S. Mu¨llner
194
Cause
Sequence of events
Hazard
Fig. 4 Software as a causative agent leading to one or more hazardous situations via a sequence of events
the case for a long time. In summary, it is no longer just the classification into safety classes that is decisive, but also a realistic risk assessment. As already shown in Fig. 1, risk management plays a central role within the MDR 2017/745 (2017a) and IVDR 2017/746 (2017b). Conformity of risk management can be achieved, for example, through the harmonized standard EN ISO 14971. For a holistic overview on EN ISO 14971 requirements, we refer to the chapter ▶ “Risk Management for Medical Devices in Compliance with EN ISO 14971.” Hence, we dedicate this subchapter to the well-known obstacles associated with risk management in software development, such as risk assessment and the definition of “probabilities of occurrence.” In addition, we would like to address software testing. The various procedures that can be used to identify hazards are covered in the ▶ “Risk Management for Medical Devices in Compliance with EN ISO 14971” chapter as well. Estimating Probabilities of occurrence. Manufacturers tend to assume that software per se counts as a hazard in risk management, which is not the case. Software itself does not represent the actual hazard, but is merely connected via a chain of events, which ultimately leads to damage, see Fig. 4. Example: While the software imports a patient dataset, incorrect parameters are loaded into the software. This causes the physician to make an incorrect diagnosis based on the loaded patient dataset, and, as a result, to recommend an unsuitable therapy. Because there are always difficulties in estimating probabilities and severities in software risk analysis, EN ISO 14971 recommends relying on existing and relevant data collected from the field, if accessible and/or already available, which usually also provides the most realistic assumptions. Further possibilities for estimating the actual error probabilities are: • Testing for error conditions and/or • Literature research – e.g., what is the average number of errors per x lines of program code? For the complete testing of software, the FDA Guide General Principles of Software Validation (FDA 2022) recommends the use of Code Coverage. Code coverage can include a wide variety of measures, such as function coverage, statement coverage, branch coverage, decision coverage, condition coverage, state coverage, or parameter value coverage. Using these metrics will make it much easier for manufacturers to estimate probabilities. Likewise, it is a way to reduce the error probability of software to a very manageable level per use case.
Software as Medical Device in Europe
195
To cover a spectrum as broad as possible in the risk analysis, we recommend involving medical expertise in the risk analysis in addition to risk managers, development teams, and the test personnel involved. Developers alone cannot guarantee safe use on patients and the intended use by third parties. If a hazard leads to multiple risks, all cases must be included in the risk analysis documentation. Another possibility for estimating fault probabilities is the fault tree analysis (FTA) approach, in which causal chains are traced backwards: It is therefore possible to infer the probability of the software error (cause) from hazard probabilities. Finally, it is worth mentioning that manufacturers may consider adjusting the acceptance criteria. However, this is only recommended if it does not compromise safety. For practical purposes, the acceptance criteria are usually set very high. The aim of every manufacturer is to achieve low error probabilities in software. To minimize these probabilities, manufacturers need to ensure that their software is tested intensively and that any errors that occur are subsequently eliminated. Even highly estimated error probabilities can best be disproved in audits with meaningful test results. A reference to EN 61508-3 (CEN/CENELEC 2010) should be noted here as well, which is dedicated to the “Safety Level“of well-developed software. It should also be remembered that error lists must also be checked and evaluated for software of unknown provenance (SOUPs) that is used.
2.1.1 Documentation Requirements • Software risk management plan • Software risk analysis • Software risk classification • References to measures taken and implemented
2.2
Tool Validation
In addition to the risk-based approach for medical device software, we would like to explicitly point out that tools used both in the quality management (QM) system and in the development process, such as the development environment, need to be validated using a risk-based approach. For a holistic overview of the requirements for a QM system, we refer to the chapter ▶ “Quality Management Requirements in Compliance with European Regulations.” Since there are no specific requirements for tool validation in EN ISO 13485, the non-harmonized standard ISO/TR 80002-2 (ISO 2017) or Good Automated Manufacturing Practice GAMP 5 (ISPE 2008) can be used as guidelines and best practices. In addition, we recommend keeping a sitespecific summary list of software in use and its validation needs, as well as the status of validation, and keeping it updated on a daily basis.
2.2.1 Documentation Requirements Appropriate evidence per development or test tool. Mostly in the form of User Requirements Document (URS), Installation Qualification (IQ), Operational Qualification (OQ), Performance Qualification (PQ) documents.
S. Stoppacher and P. S. Mu¨llner
196
2.3
Principles in Software Development
The EN 62304 standard describes requirements for the software lifecycle process of medical devices. In addition to specifications on how processes and activities in the lifecycle must be implemented, the standard furthermore pays attention to how software should be developed and maintained. An increasingly important moment for the software life cycle are general quality properties for the system and the software, as described in ISO/IEC 25010:2011 (ISO/IEC 2011) for software quality model. Thus, for the system’s quality of use, it is necessary to define quality properties along with their attributes, which are crucial for the appliance: • • • • •
Effectiveness in use Suitability for the intended use Satisfaction (e.g. ease of use) Safety and risk avoidance Flexibility in use
Furthermore, depending on the use case, properties depending on the product quality are to be described and evaluated with attributes: • Suitability for use (completeness of the given functions for the intended use of the device and the correct execution) • Performance (e.g., response times, resource utilization) • Compatibility (e.g., compatibility with an operating system or other software) • Usability (e.g., availability, avoidance of user errors, understandability of a user interface) • Reliability (e.g., maturity or frequency of errors, availability, reusability after errors, fault tolerance) • Security • Maintainability (e.g., modularity, changeability, testability) • Portability (e.g., interchangeability) All applicable quality properties shall be defined as nonfunctional properties, as far as possible, in terms of value, and shall be tested or otherwise evaluated during design validation. Example: A numerical definition of effectiveness in use would be, for example, the number of keystrokes to invoke a frequently used function. A numerical definition of reliability might be that nine out of ten incorrect inputs must be recognized as errors and result in an error indication. A must in any development process is the assignment of safety classes already discussed in section “Safety Classification.” The higher the safety class rating, the more detailed the development and maintenance processes must be followed and documented, e.g. for: • Software development planning • Software requirements analysis
Software as Medical Device in Europe
197
• • • • • • •
Software architecture design Detail design Implementation and verification of software units Software integration and integration testing Testing of the software system Software releases Software maintenance planning – Analysis of problems and changes – Implementation of changes – Software risk analysis and risk management for changes – Risk control measures and verification of these • Software Configuration Management • Problem resolution process
2.4
Software Development Planning
A requirement for the implementation of medical software is the software development plan. This plan describes the implementation of a software and how it will be achieved. The aim is to consider the regulatory requirements at the beginning of a project within this plan and to minimize risks that could be caused by software. Again, the level of detail should be determined according to the risk. The software development plan not only supports structured implementation but also serves as a guide and communication tool for the development team. Note that it is not unusual to adapt these plans throughout the software development process. Hence, we are talking about a living document in this case. It is important that adaptations are appropriately argued and approved. The software development plan enables the project to be carried out in a controlled manner. Not only at the end of the project do the planned specifications need to be checked to ensure compliance but also during the project itself. Note that verification steps can be roughly mapped in the software development plan prior to their later specification in the respective test plans.
2.4.1 Documentation Requirements Software development plan
2.5
Analysis of the Software Requirements
No matter which security class a software has been classified in, manufacturers need to define software requirements related to the holistic software system (see Chap. 5.2 EN 62304). This documentation includes both functional and nonfunctional requirements: • Functionality and performance • Inputs and outputs of the software system
S. Stoppacher and P. S. Mu¨llner
198
• • • • • • • • • •
Interfaces between the software system and other systems Software controlled alarms, warnings, and user messages Data security Usability Data definition and database requirements Requirements for installation and acceptance of medical device software at the point of use and maintenance Methods of operation and maintenance User documentation Requirements for maintenance by the operator Regulatory requirements
2.5.1 Documentation Requirements Software requirements
2.6
Software Architectural Design
In contrast to the previous subchapter, the standard only requires documentation of the software architecture requirements for security classes B and C. This has to be done before implementation and relates to not only a description of the individual units but also a description of the interfaces. It should be noted that manufacturers must also specify performance and functional requirements for SOUPs. These can be lists, which are defined by dependencies, in which it is also recorded whether and how these are to be checked. Here, the level of detail of the requirements description depends on the security class. In the end, verification must ensure that the software architecture meets the documented requirements. We recommend using graphical Unified Modeling Language (UML) class diagrams within the software architectural requirements.
2.6.1 Documentation Requirements Software architecture
2.7
Detail Design
A detailed design description is provided at the level of the software units already described. It should be noted that the standard defines different requirements depending on the safety classification (see Section 5.4 of EN 62304). A possible subdivision of a holistic software system into its components and units is shown in Fig. 3. The detailed design must reveal the relationships of all interfaces between the units and external components as well as between the individual units. The development of a detailed design should enable correct implementation.
Software as Medical Device in Europe
199
2.7.1 Documentation Requirements Detail design description
2.8
Implementation and Verification of the Software Unit
According to the standard, verification is required for safety class B and C software units. This involves establishing a verification process, including methods and strategies, to be defined by the manufacturer. Conformance to the acceptance criteria defined by the manufacturer for software units needs to be ensured before integrating them into the higher-level software component. For example, with regard to the software component, one such criterion could be whether specified coding guidelines are met. Other acceptance criteria addressing mostly safety class C software units such as sequencing, boundary conditions, data flow, and the like are often required as well. Note, that acceptance criteria relating to the coding standard, for example, can be checked using code analysis tools.
2.8.1 Documentation Requirements • Verification of software units and results. • Verification of integrated software and results.
2.9
Software Integration and Integration Testing
Software systems together with all associated items and units must be integrated into the overall system in accordance with the documented integration plan. However, this must then be verified by appropriate unit tests and integration tests. The aim is to ensure the proper functioning of all interfaces. As required for Class B and C, regression tests are required to demonstrate that no standard deviations have been introduced into the integrated software. Documentary records shall allow for reproducibility of the tests. Any deviations detected in relation to the standard must subsequently follow the problem-solving process.
2.9.1 Documentation Requirements • Integration plan. • Integration tests. • Integration results. • pass/fail, • List of standard deviations.
2.10
Testing and Release of the Software System
Since verification only ascertains whether items were inserted as planned, a series of tests must ensure that the defined software requirements are also met. A series of
S. Stoppacher and P. S. Mu¨llner
200
tests are performed to ensure that all integrated items work properly. In addition to functionality testing of all interfaces, the tests involve abnormal conditions. All tests are aimed at ensuring that the specified inputs also provide the expected outputs. Once the software has been successfully verified, it can finally be released. The manufacturer must document both the released version and various deviations from standards. Any combination of tests consisting of the integration test (section Software Integration and Integration Testing) and the software system test is permissible. The same applies to combination tests that include multiple items.
2.10.1 Documentation Requirements • System tests. • System test results. • Release documentation.
2.11
Software Maintenance Planning
The standard further stipulates that a separate software maintenance plan must be developed for software maintenance. The aim of this plan is to define the software maintenance process in a similar way to the software development plan. The plan describes precisely how changes need to be addressed once releasing the software is complete. Essentially, every change has to pass the risk management process again. This includes checking for additional threats. Prior to any changes being made (Release process), a release is required. In special cases, both the authorities and the customers must be informed about various changes. We recommend automated regression testing to avoid accidentally creating new bugs when solving the actual problem. In addition, automation saves time and manpower. Note that a risk-based strategy is required here as well. Most commonly, two classes of changes are introduced as part of software maintenance. One class addresses the immediate rollout of hotfixes for safety-critical problems, the other class focuses on planned non-critical problem fixes in the software, usually quite comprehensive ones. In addition, it is necessary to consider any dependency on third-party vendors (e.g., for operating systems) and their software maintenance strategies present in SOUP.
2.11.1 Documentation Requirements • Maintenance plan. • Documentation of known errors. • Documentation of feedback. • Documentation of possible causes and consideration in the risk management file.
2.12
Software Configuration Management
Another aspect to be considered in the software development plan is software configuration management. Besides providing a software composition description,
Software as Medical Device in Europe
201
that plan contains details about items to be controlled and how. In particular, this relates to controlled documents. Furthermore, information on how changes and releases must be controlled and documented is included. In addition to the software, other items such as compiler versions and certain settings of the development environment might be controlled. Whenever multiple software versions are available, each of them must be identified by a unique label. For this purpose, we recommend using version numbers. To ensure that changes are documented and traceable, we recommend versioning tools for documenting changes and software releases (including SOUPs) as well as using document management systems. Finally, note that files need to be labeled with version number and file path. Example: Version numbers form the basis of a version management system. The following example shows a classic structure of such a version number, which is usually composed as shown in Fig. 5. Software of unknown provenance, so-called SOUPs, must be identified and methodically documented. Another important aspect of configuration management is the risk management of software changes. Such changes require a controlled approach: • Change requests. • Approval of change requests. • Implement changes. Generally, a change request does not have to be submitted until the development stage is completed. Prior to this, changes can usually be made without a request – as long as it was considered in the configuration management documentation. Strict compliance with change management is essential if the software has already been officially released. A sequential number is used to clearly identify change requests. Each request must clearly indicate which changes are involved. Post implementation, it is necessary to ensure the quality by testing the software. In particular, those parts that are directly or even indirectly affected from the change should be tested. Note that after every change it is necessary to reapply risk management in order to identify new potential risks and, if necessary, to adjust the safety class.
2.12.1 Documentation Requirements • Include software configuration management in software development plan. • Identification of SOUPs. 1.
2.
3.
-
0001 build number: Incremented for the last build of each revision. patch level: These are mostly bug fixes. minor release: Usually are functional extensions. major release: Are usually significant changes to the program.
Fig. 5 Software versioning
S. Stoppacher and P. S. Mu¨llner
202
2.13
Problem Solving Process
Problems identified during regression testing, for example, must be addressed by utilizing a problem-solving process developed by the manufacturer. However, part of this process is to determine causes by investigating the problems in more detail. Independently of the security class, authorities and customers might additionally be informed concerning the problem. With a final review, it is important to ensure that problems are effectively solved.
2.13.1 Documentation Requirements • Problem reports. • Audit documents.
2.14
Agility in Software Development
Agile software development has become extremely popular nowadays. This approach was originally established in order to facilitate enhanced software development. Therefore, frustration increases when medical device manufacturers try to reconcile the agile approach with the requirements of EN 62304. In this section, we outline a possibility to combine the normative documentation requirements and the SCRUM development approach. There are numerous advantages to agile software development; however, they are particularly convincing due to their incremental and cooperative character. By means of short cycles, so-called sprints, it is possible to immediately respond to errors. Lessons learned can be immediately incorporated into the subsequent sprint. Software functionality and efficiency grows with each completed sprint. Another very positive effect of the agile approach is that the focus is on communication both within the team and with the potential customer. Based on experience, it has an absolutely positive effect on the delivered software and documentation artifacts. Depending on the organizational structure and a company’s capabilities, various agile methodologies and implementations exist, along with a range of different terms for an identical artifact. Below, we will simply describe the theoretical construct based on scrum, without going into too much detail. Regarding artifact designations, we refer to the terms provided in the AAMI TIR 45 (AAMI 2012). The product requirements defined at the beginning of a project are usually sketchy and incomplete. Product owners are responsible for the corresponding specifications, which are then further refined in the so-called project backlog together with the potential customer, considering the framework conditions required for the medical device. Initial features and architectural approaches are then created in Release Planning, prior to detailed planning and implementation of increments and stories. At the bottom level, the backlog tasks to be implemented are then listed. Nowadays, a common practice is the assignment of EN 62304 activities to the individual artifacts specified in TIR 45 (AAMI 2012). Accordingly, all requirements
Software as Medical Device in Europe
203
Backlog Tasks
Product Backlog
Fig. 6 Agile software cycle according to scrum approach daily
Sprint
Product
from the standards chapter 5.1 to 5.7 need to be implemented for each story, the requirements from 5.1, 5.6, 5.7 for the increment, and the additional necessary software release for the releases. However, we will not go into detail because TIR 45 explicitly discusses it as a possible way of proceeding. In corresponding sprint cycles (typically 2 to 4 weeks long), the selected backlog tasks are tackled by development and test teams. Sprint backlogs should ideally be discussed in daily Scrum meetings. Appropriate dailies (short for daily stand-up meetings) ensure internal coordination during a sprint. The agile cycle is completed by sprint reviews or retrospectives, where performance characteristics of the final product are presented and discussions about experiences, problems, and optimization possibilities may take place. The basic sequence of such an agile software cycle is shown in Fig. 6. However, when it comes to practical application, the theoretical approach described above constantly faces difficulties. The reason for this usually lies in the interaction and assignment of artifacts between the V-model known from the standards and the documentation and review requirements known from EN 62304, as well as in the often ambiguously formulated “Definition of Done“in the agile world. The V model may serve as a documentation model under certain circumstances. Organizations historically grown or highly focused on hardware development tend to have a different understanding of artifact or documentation approvals. However, teams frequently become bogged down by a disproportionate number of signatures on documents without adding any value to the content. Additional non-electronic documents and their releases significantly delay projects. For this reason, we highly recommend keeping your signature releases on documents as lean as possible. Clarify with the document’s target addressees whether the content is suitable for their purposes. Ensure that the necessary content is included in the requirements of design reviews during retrospectives, even though the reviews are to be carried out at the completion of increments and releases. Try to create smart, fully digital, but validated solutions with high user acceptance! Finally, we recommend starting an agile project under the expert guidance of an agile coach. The organization usually needs to be very dynamic and adaptable.
204
2.15
S. Stoppacher and P. S. Mu¨llner
IT Security for Software in Medical Devices
The importance of security is emphasized in all areas of medical technology. No surprise in this respect, then, that IT security has also gained enormous importance in recent years, not just because of the growing number of cyberattacks in the healthcare sector. Today, many medical devices contain software in an increasingly complex form, and most of them even have bidirectional interfaces to forward results automatically in a targeted manner on the one hand, and to facilitate maintenance, service, and fault diagnosis on the other. However, realizing these features technically entails major risks which are not always fully considered during the design phase. Moreover, risk management plays an essential role in software development. The regulation imposes stricter requirements on network-capable devices. For example, manufacturers need to define minimum requirements for the IT infrastructure, as described in Annex I, Section 17.4 of the MDR 2017/745 (2017a). This covers hardware, IT network characteristics, IT security measures, and protection against unauthorized access. Among other things, a fundamental basis for IT security is represented by the General Data Protection Regulation (GDPR), aiming to protect personal data. Detailed information on the General Data Protection Regulation is discussed in Section General Data Protection Regulation (GDPR). In addition to the standards mentioned in the introduction, specifications for IT security can also be found in national regulations with which manufacturers need to comply. The FDA, for example, specifies IT security requirements in several guidance documents. Usually, the focus is on compliance with IT security objectives to be achieved when using medical, network-capable devices. The following CIA triad formulated by the German Federal Office for Information Security is widely used to describe compliance with IT security objectives (see also (U. S. Department for Health 2021), CIA triad according to Federal Office for Information Security (Federal Office for Information Security 2021; International Organization for Standardization 2021): • Confidentiality: protection and confidentiality of medical information (patient data) against unauthorized access, modification or destruction/deletion. • Integrity: integrity of data (completeness, accuracy, validity). • Availability: continuous availability of medical information at the intended, authorized locations (only at these). The CIA triad mentioned above not only refers to medical devices but to associated or affected system components such as accessories and consumables, as well as to the IT network incorporating the device. Therefore, early consideration must be given to the potential application environment in a device’s design phase. The product requirements need to include these exigencies. Any foreseeable misuse needs to be considered in addition, including intentional hacking into a network. However, measures against defects, blackouts, and other potential catastrophes need to be taken as well. As a result, the STRIDE approach (Microsoft Cooperation 2009) may assist in developing appropriate measures to protect medical devices from possible attacks from various sources.
Software as Medical Device in Europe
205
To ensure IT security throughout the entire product lifecycle, manufacturers need to integrate security measures during the development process. The aim is to achieve the greatest possible protection level against attacks. This approach is known as “security by design.“Regular testing procedures or protected authentication methods, for example, represent potential approaches. Either way, manufacturers should systematically proceed toward threat modeling procedures. Finding vulnerabilities and performing penetration testing in accordance with MDCG 2019-16 Section 3.7 should always remain the primary goal. Both vulnerability assessment and penetration testing are required in consideration of the MDR. With respect to product requirements, the specifications derived and detailed requirements will vary depending on the product. During the design phase, conditions need to be created to ensure IT security and data protection in consideration of all potential interfaces. As a result, the application of risk management is required (see chapter ▶ “Risk Management for Medical Devices in Compliance with EN ISO 14971”). Interaction between the software and the IT network causes cyber risks. Thus, whenever a device is integrated within an IT network, the entire network environment, including data transmission, needs to be addressed within the risk management process (see IEC 80001-x series). In fact, a network represents a constantly changing dynamic structure. Continuous risk management therefore requires the involvement of all parties (IT support, device manufacturer, and user organization) in reviewing the device to determine potential impact of any changes. The following interfaces must be taken into account: • • • •
User, local, and remote control. Service, affected organization, and manufacturer (e.g., firmware update). IT administrator. Other connected appliances or software such as laboratory information system (LIS)/hospital information system (HIS). • External storage devices are particularly critical in view of the risk that data could easily be copied and accessed in an uncontrolled manner, meaning any data access should be logged. Finding the right balance between patient safety and IT security is the manufacturer’s responsibility. Safety and security are pillars upon which the IT security construct is built. As described in the MDCG 2019-16 (MDCG 2019) guidance on cybersecurity for medical devices, safety and security cannot be separated. We recommend following the guidelines, since auditors are also known to refer to it. However, this is no surprise, considering that the MDCG frequently advises the European Commission. The IMDRF guideline “Principles and Practices for Medical Device Cybersecurity“(IMDRF 2020) should be mentioned at this point, as it is intended to facilitate the international harmonization of cybersecurity regulations for medical devices. It conveys important basic principles and best practices. The 2021 edition of IEC/TR 60601-4-5 (IEC 2021a) has emerged as a handful of standards specifying safety levels to meet medical device safety objectives (equivalent to the industry standard EN IEC 62443 (CEN/CENELEC 2019b)). This
S. Stoppacher and P. S. Mu¨llner
206
standard can further be used as a tool to define suitable measures for safety levels defined in risk management. The standard’s key elements consist of different types of security levels which can be classified as follows: • SL-T (Security Level – Target). • SL-C (Security Level – Capability). • SL-A (Security Level – Achieved). The security levels define the degree of resilience to cyber-attacks. The target security level (SL-T) is the security level that manufacturers wish to achieve for an IT network. A risk assessment needs to be performed to determine specified SL-T levels of the individual zones of a medical IT network. The SL-C level indicates whether the SL-T target can be met without compensating countermeasures if the appliance, component, or whatever, was properly installed. The SL-A security level represents the level actually achieved. The SL-A level achievement can be measured after a draft exists or even when the IT network is commissioned. Based on the assessment, a conclusion on how many of the initially set SL-T goals could actually be achieved might be obtained. The standard recommends using the level model shown in Fig. 7 for each of the defined levels. The greater the impact on (patient) safety, the higher the security level must be classified. The classification ranges from SL 0: No special requirements, up to SL 4: Protection against deliberate attacks using sophisticated means and high motivation. The focus is on risk management at all times. We recommend first determining which policies and guidelines are most appropriate for a manufacturer’s software, since comprehensive IT security requirements are challenging when deciding where to start.
2.16
IT Security Guidelines
In addition to the central guide MDCG 2019-16 and IEC 60601-4-5 published in 2021, we further recommend taking a look at the IEC 81000-5-1 standard (IEC Security level high
low
SL 0 low
SL 1
SL 2
SL 3
SL 4
high
Fig. 7 Level model of safety levels according to IEC 60601-4-5
Impact on (patient) safety
Software as Medical Device in Europe
207
2021b), which is currently still in the development stage. It deals with issues related to IT security principles, including definitions for health software and IT health systems and aspects of security and effectiveness standards. IEC 81000-5-1 and IEC/TR 60601-4-5 are likely to be the most important IT security standards at European level in the future. In addition, the Johner Institute, together with TÜV Süd, has developed a guideline on IT security (Johner 2021), with a focus on patient safety. This guideline is often used in a modified form by notified bodies (mainly in Germany).
2.17
General Data Protection Regulation (GDPR)
In Europe, the General Data Protection Regulation (GDPR) is the legal basis for ensuring the protection of personal data. The MDR 2017/745 (2017a) (Art. 110) also references the European General Data Protection Regulation and requires the protection of personal data. It contains numerous regulations that affect manufacturers and operators of medical devices (Johner 2021). Data protection is also one of the protection goals in IT security. Similar to the CIA triad formulated by the Federal Office for Information Security, the GDPR further defines requirements for confidentiality, integrity, and availability. In addition, EN ISO 13485 stipulates compliance with legal requirements on data security. Applicable measures are required to ensure adequate data protection such as Access controls, firewalls, antivirus programs, pseudonymization, and encryption. Various methods are available for pseudonymization, e.g., cryptographic methods (hashing, encryption, etc.). Here, pseudonyms are derived from the source data. Both manually and randomly generated pseudonyms, including a combination of both, can be found in practice. Once generated, the values are stored in a table (Johner 2021). Manufacturers have to ensure data safety and traceability of data processing. Therefore, compliance with the requirements of the General Data Protection Regulation needs to be integrated into the risk management system. Nevertheless, in the end, electronic data processing requires permission from the data subjects themselves
2.18
AI and Machine Learning
As previously mentioned in the introduction, artificial intelligence (AI) with a machine learning (ML) approach is gaining tremendous popularity, especially in medical device software. Manufacturers are constantly striving to innovate their software and create improvements in the healthcare sector. AI holds significance for the future of medical software and is likely to be found in almost all areas of medicine. For example, it is already being used successfully for diagnostic imaging and to predict the course of disease. However, there is a legitimate question as to
208
S. Stoppacher and P. S. Mu¨llner
whether AI-based software can even be approved as medical devices in accordance with the regulations. However, while conventional software is implemented throughout the development process ensuring their deterministic functionality to be well verified and validated at the end, artificial intelligence/machine learning (AI/ML) based software faces difficulties. In addition to first-failure safety, the requirements mentioned at the beginning, such as repeatability, reliability, and performance, still apply. However, those requirements are difficult to implement in practice for a simple reason: AI with a machine learning approach is based on completely different principles and procedural models (Eckhard et al. 2020). Within the development process, machine learning is used to develop an AI model based on inputs and outputs capable of probabilistic predictions using incoming data. Both the quality of the underlying data and the amount of data available for model development play an important role. Basically, two areas are distinguished today, namely classification (prediction of a category) and regression (prediction of a numerical value). Accordingly, AI/ML methods such as Support Vector Machine, Neural Networks, Decision Trees, Nearest Neighbor, or Linear and Logistic Regression are typically used in the medical device sector. As already indicated, model adaptation is characterized by continuous learning, further development over time, and the statistical quality criteria. Controversy may arise when comparing with the traditional standard-compliant software development according to EN 62304. Especially the use of identical terms with different meanings, such as verification and validation, both in the medical device community and in the AI environment is a continual source of confusion, essentially revolving around the meaning of “validation of machine learning algorithms.” Moreover, validating SOUP tools and ML libraries, which pose significant challenges in the approval and development phase, must not be underestimated. Such challenges continue throughout the entire product life cycle, whereby it is necessary to consider the corresponding release notes, bug fixes, or anomalies. Clinical evaluation and risk management pose an additional challenge which involves taking the risk-benefit ratio into account. The benefit is not an absolute value, but is rather based on the best available alternative, as defined accordingly. They are often referred to as the “state-of-the-art” method or the gold standard. Nevertheless, the comparison plus an absolute ratio measure is a non-trivial task. In order to better understand machine learning models and their algorithms, and to strengthen the certainty of results, the following levels prioritize questions contributing to increasing the interpretability of both the results and the model: 1. Technical level: validation of data quality, ML algorithm, and prediction quality. 2. Human level: Traceability and plausibility. This interpretability, in which a wide variety of stakeholders such as users, manufacturers, auditors, and reviewers have interests, especially during approval, is composed of explicability and transparency. Depending on the focus, a distinction is made between two types:Whereas in traditional AI algorithms the so-called white box approach applies, which is based on a transparent approach revealing both the
Software as Medical Device in Europe
209
underlying decision structures or logical structures as well as the data used, in AI/ML algorithms we often find the so-called black box approach. A fundamental problem associated with the black box approach is to backtrack delivered results to their roots in an explainable way (e.g., the characteristic that led to a certain decision by the model might not be clear). However, the model’s sophistication and complexity quickly overwhelm the human three-dimensional imagination. For more information on interpretability, we recommend referring to Chris Molnar: Interpretable Machine Learning (Molnar 2020). The entire industry at all levels is interested in the novelty and high dynamics of this topic. Correspondingly, the regulatory requirements are affected as well. We recommend reading Prof. Dr. Christian Johner’s blog, who has summarized a comprehensive overview (Johner 2021). Certification processes also require regulators to find new ways of dealing with these issues. In the USA in particular, this issue was addressed in advance.
2.19
Approaches from the FDA
While the European Union is still busy establishing regulatory requirements for the approval of AI/ML-based software, the Food and Drug Administration (FDA) has already anticipated and published early approaches and guidance documents to ensure safe and effective software features that improve the quality of patient care. The “Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan” (FDA 2021), as an overarching framework document, addresses the following five major components: 1. Tailored regulatory framework. • incl. guidance for SaMD that “learn” over time, 2. Support for good machine learning practices. 3. Patient-centric approach: transparency for users. 4. Methods for improving the performance and evaluation of AI/ML algorithms. 5. Establishment of pilot programs for real-world performance monitoring. In addition, the FDA has also recognized that their regulatory pathways need to be reconsidered with respect to AI/ML and potential changes of any kind in this context. Accordingly, this is addressed in the FDA’s discussion paper on artificial intelligence and machine learning (FDA 2019). There are no concrete guidelines available yet, which can often only be clarified in a direct exchange with the regulatory authorities. The Johner Institute provides valuable suggestions with its guidelines for the application of artificial intelligence (AI) to medical devices in Europe. The guide is accessible on the institute’s homepage (Johner 2021). Due to the highly dynamic nature of this topic, there is currently considerable regulatory uncertainty on all sides. Every manufacturer needs to keep up to date with the current regulatory framework and follow all the actions of interest groups and authorities carefully. Standardized procedures and methods will only become established over time as experience is gained.
S. Stoppacher and P. S. Mu¨llner
210
2.20
Digital Health Application (DiGa)
While in many parts of Europe “healthapps by prescription“are still future dreams, in Germany, digital health apps (DiGA) have already been established as a basis for the medical care process in 2020. The Digital Healthcare Act, launched in 2019, is the first law in Europe to provide a dedicated pathway for national reimbursement of digital apps. The Federal Ministry of Health has established regulatory requirements here with the implementation of the Digital Health Care Act (DVG) and the Digital Health Applications Ordinance (DIGAV). In order to count as a DiGa according to the DVG, in addition to a CE labeling of a medical device, the following characteristics need to be fulfilled (Johner 2021). The Digital Health Application... • ... is risk class I or IIa according to MDR 2017/745 (2017a) • ... is based on digital technologies, whereby the medical purpose is essentially achieved through the digital main function • ...supports the detection/monitoring/treatment/alleviation of disease/injury/ disability • ... is shared by the patient or the healthcare provider and patient. DiGa’s approval enables physicians and psychotherapists to prescribe digital health applications on a reimbursable basis. DiGas are listed in a publicly accessible directory, signifying transparency in particular. Telemedicine applications can be part of a Digital Health Application as well, if the core function is mainly based on digital technologies. The requirements for IT security and data protection are not neglected here either. While addressing health conditions and investing in strong healthcare systems, the pandemic highlighted the need for coordination among European countries to protect people’s health. Hence, the European Health Union aims to further improve human health measures at the EU level. One possible step in the right direction could be the EU4Health program. It is the EU’s health policy response to the COVID 19 pandemic. With EU4Health, the EU is investing a large amount of money in actions bringing added value at the EU level. One of these key objectives is to strengthen health systems, their resilience and resource efficiency by enhancing health data, digital tools, and services.
3
Conclusions
The European Regulation has caused quite a sensation among medical device manufacturers in recent years. In particular, manufacturers of medical device software are contending with the less dynamic requirements of the regulation and a series of recommended guidelines. Keeping track is difficult, although one obvious
Software as Medical Device in Europe
211
reason for the increasingly stringent regulations is that safety requirements are constantly emerging. By definition, software must be designed to ensure repeatability, reliability, and performance. State-of-the-art implementation needs to be carried out in compliance with the principles of the software life cycle, risk management, IT security, and, finally, verification and validation. Hence, it is no wonder that regulations and standards are mutually dependent and reliant on each other. For example, in addition to the fundamental goal of safety, the MDR 2017/745 (2017a) also specifically targets IT security. It requires a QM system and refers to EN ISO 13485, as well as EN 62304 for software lifecycle compliance and EN ISO 14971 for risk management. Likewise, the new regulation caused excitement when it came to classification. Hardly any software is classified as Class 1 according to the current wording, which is a major challenge, especially for SMEs. Intended purpose still forms the basis for classification, but rules on when a device belongs in particular risk classes have been tightened up considerably. The IMDRF’s “Framework for Risk Characterization” can be a great support to manufacturers in risk characterization. Note, however, that there is still a difference between the requirements of the MDR 2017/745 (2017a) and the IMDRF, namely that the IMDRF is based on the patient’s state of health, while the MDR 2017/745 (2017a) focuses on the severity of the damage caused. It is obvious that the higher the security classification, the higher the requirements for the level of detail and documentation will be. Moreover, tool validation used in QM/IT systems simply cannot be dispensed with. Here, it is worth referring to the non-harmonized ISO/TR 80002-2 standard or the GAMP 5 guide for support. Risk management is essential for the software development process. Another challenge for manufacturers involves estimating error probabilities when classifying the risks of software. For a long time, the probability of malfunctions leading to hazards had to be assumed to be 100%. Fortunately, this requirement has been relaxed somewhat since 2015. By substantiating the “more realistic” probabilities assumed by the manufacturer with meaningful test results, assumptions can be quickly substantiated in audits. Furthermore, data from the field, literature, and calculations can also be used to better estimate probabilities of occurrence. For testing, it is recommended to use code coverage with its various measures. Currently, the focus is also on IEC 81000-5-1 and IEC/TR 60601-4-5, which together will probably form the most important IT security standards at the European level in the future and are probably even capable of displacing directives of their kind immediately. EN 62304 represents the core when it comes to the principles to be implemented in software development. It specifies how processes and activities in the software lifecycle need to be implemented and how to go about developing and maintaining software. Throughout, we highlighted the normative documentation requirements in each phase and the tools available across the software development phases. These include, for example, the use of UML class diagrams in the design phase or the use of versioning tools in software configuration management is worthwhile. Agility has become an indispensable topic in software development. Considering all the requirements imposed on medical devices, software developers frequently
212
S. Stoppacher and P. S. Mu¨llner
reach their limits. Is it even possible to integrate agility approaches into the software development process? The answer is yes, but with limitations. The AAMI TIR 45 guide provides direction for software developers to integrate the agility approach into their software development. The V model, for example, favored by medical device manufacturers, could serve as a documentation model. Thus, applying the agile approach to software development of medical devices is not impossible, but it is often difficult to implement, especially in the start-up phase. It is therefore worth consulting an expert, especially at the beginning. Due to the continuous increase in cyberattacks, the requirements for IT security have also gained enormous importance in recent years. Security-by-design is the keyword, but again, risk management as it applies to IT security is essential. In order to achieve the IT security protection goals, such as confidentiality, integrity, and availability (CIA triad, Federal Office for Information Security), risk management should be given early consideration in the design development. For additional support on IT security, also check out the MDCG guide on cybersecurity and the IMDRF guide on “Principles and Practices for Medical Device Cybersecurity.” Furthermore, the latest edition of the IEC 60601-4-5 standard supports manufacturers in achieving safety and security protection goals, particularly by applying the defined security levels in order to achieve the protection goals. In the field of IT security, considerable importance is attached to ensuring the protection of patient data, so it is no surprise that this is linked to the requirements of the General Data Protection Regulation. Requirements relating to data protection cover all aspects of a medical device. In addition to IT security, the protection of personal data is playing an increasing role in areas of artificial intelligence and machine learning. Ultimately, any further data processing always requires permission from those affected, in addition to the anonymization of the data. Transparent algorithms, compliance with the General Data Protection Regulation, and efficiency achieved by the AI/ML approach are often difficult or even impossible to reconcile with the legal requirements for medical devices. Nevertheless, innovative solutions have become essential in many areas of medical devices, such as diagnostic imaging. The FDA presents a strong example, having released a draft guideline, an approach that allows both AI/ML approaches to be used in medical device development, while still meeting normative requirements. Similarly, the European Union needs to find a way to establish legal compliancy while also integrating innovative and efficient AI/ML approaches into medical devices. Unfortunately, some rigid legal requirements and increasingly dynamic software approaches in development are not always in line. In conclusion, however, the impossible only appears impossible at first glance. With the right roadmap, manufacturers will be able to integrate both innovative approaches such as agile software development and AI/ML-based approaches while still meeting regulatory requirements. Questions that some countries have already implemented, such as draft legislation in the field of artificial intelligence as well as health applications on prescription, will eventually become reality in other countries as well. Indeed, all the topics mentioned have become part of our everyday life. Legislators are challenged to work at full speed on corresponding specifications to avoid
Software as Medical Device in Europe
213
impeding motivated manufacturers any longer, because after all, it is the 2017a that requires medical devices to be developed in accordance with state-of-the-art technology.
4
Cross-References
▶ Quality Management Requirements in Compliance with European Regulations ▶ Risk Management for Medical Devices in Compliance with EN ISO 14971
References Association for the Advancement of Medical Instrumentation (AAMI) (2012) AAMI TIR45:2012 (R2018). Guidance on the use of AGILE practices in the development of medical device software Eckhard G, Vater C, Zimmer-Merkle S (2020) Black Boxes – Versiegelungskontexte und Öffnungsversuche: Interdisziplinäre Perspektiven De Gruyter. ISBN: 9783110701319 European Committee for Standardization (CEN/CENELEC 2010), European Committee for Electrotechnical Standardization (CENELEC) (2010) EN 61508–3:2010. Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements European Committee for Standardization (CEN/CENELEC 2016), European Committee for Electrotechnical Standardization (CENELEC) (2016) EN ISO 13485:2016 Medical devices quality management systems – requirements for regulatory purposes European Committee for Standardization (CEN/CENELEC 2019a), European Committee for Electrotechnical Standardization (CENELEC) (2019a) EN ISO 14971:2019 Medical devices – application of risk management to medical devices European Parliament and European Council (MDR 2017/745). (2017a) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 concerning medical devices, amending Directive 2001/83/EC, regulation (EC) No 178/2002 and Regulation (EC) No 1223/ 2009 and repealing Council Directives 9s0/385/EEC and 93/42/EEC. Official Journal of the European Union. L 117, 1–175 European Parliament and European Council (IVDR 2017/746). (2017b) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing directive 98/79/EC and commission decision 2010/227/EU. Official Journal of the European Union. L 117, 176–332 European Committee for Standardization (CEN/CENELEC 2006), European Committee for Electrotechnical Standardization (CENELEC) (2006) EN 62304:2006 – Medical device software – Software life cycle processes European Committee for Standardization (CEN/CENELEC 2011), European Committee for Electrotechnical Standardization (CENELEC) (2011) (2010) EN 80001–1:2011 – application of risk management for IT-networks incorporating medical devices European Committee for Standardization (CEN/CENELEC 2019b), European Committee for Electrotechnical Standardization (CENELEC) (2019b) EN IEC 62443-3-3:2019. Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels Federal Office for Information Security (2021) IT-Grundschutz-Kompendium. Retrieved from: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_ gs_comp_2021.pdf?__blob¼publicationFile&v¼4
214
S. Stoppacher and P. S. Mu¨llner
General Data Protection Regulation (GDPR) (2016) Security of processing. Retrieved from: https:// gdpr-info.eu/art-32-gdpr/ International Electrotechnical Commission (IEC) (2021a) IEC/TR 60601-4-5:2021 Medical electrical equipment; Part 4-5 Guidance and interpretation; Safety related technical security specifications for medical devices International Electrotechnical Commission (IEC) (2021b) IEC 81001-5-1:2021 Health software and health IT systems safety, effectiveness and security — Part 5-1: Security — Activities in the product life cycle International Medical Device Regulators Forum (IMDRF) (2014a) Software as a medical device: possible framework for risk categorization and corresponding considerations. Retrieved from: http://www.imdrf.org/docs/imdrf/final/technical/imdrf-tech-140918-samd-framework-risk-cate gorization-141013.pdf International Medical Device Regulators Forum (IMDRF) (2014b) Software as a Medical Device (SaMD): clinical evaluation. Retrieved from: https://www.imdrf.org/sites/default/files/docs/ imdrf/final/technical/ imdrf-tech-170921-samd-n41-clinical-evaluation_1.pdf International Medical Device Regulators Forum (IMDRF) (2014c) Software as a Medical Device (SaMD): application of quality management system. Retrieved from: https://www.imdrf.org/ sites/default/files/docs/imdrf/final/technical/imdrf-tech-151002-samd-qms.pdf International Medical Device Regulators Forum (IMDRF) (2014d) Software as a Medical Device (SaMD): key definitions. Retrieved from: https://www.imdrf.org/sites/default/files/docs/imdrf/ final/technical/imdrf-tech-131209-samd-key-definitions-140901.pdf International Medical Device Regulators Forum (IMDRF) (2020) Principles and practices for medical device cybersecurity. Retrieved from: http://www.imdrf.org/docs/imdrf/final/techni cal/imdrf-tech-200318-pp-mdc-n60.pdf International Organization for Standardization (2021) ISO 81001-1:2021. Health software and health IT systems safety, effectiveness and security – Part 5-1: security – activities in the product life cycle International Organization for Standardization (ISO) (2017) ISO/TR 80002-2:2017-. Medical device software - part 2: validation of software for medical device quality systems International Organization for Standardization (ISO), International Electrotechnical Commission (IEC) (2011) ISO/IEC 25010:2011 – systems and software engineering – systems and software quality requirements and evaluation (SQuaRE) – system and software quality models International Society for Pharmaceutical Engineering (ISPE) (2008) GAMP 5 guide: compliant GxP computerized systems Johner Institut GmbH (2021). Retrieved from: https://www.johner-institute.com Medical Device Coordination Group (MDCG) (2019) Guidance on qualification and classification of Software in Regulation (EU) 2017/745 – MDR and Regulation (EU) 2017/746 – IVDR. Retrieved from: https://ec.europa.eu/docsroom/documents/37581 Medical Device Coordination Group (MDCG) (2021) Is your software a medical device? Retrieved from: https://ec.europa.eu/health/system/files/2021-03/md_mdcg_2021_mdsw_en_ 0.pdf Microsoft Cooperation (2009). Retrieved from: https://docs.microsoft.com/en-us/previousversions/commerce-server/ee823878(v¼cs.20) Molnar C (2020) Interpretable machine learning. A Guide for Making Black Box Models Explainable. ISBN 9780244768522 U. S. Department for Health @Human Services (2021) HIPAA & Code of Federal Regulations Title 45, Part 160, 162, 164. Retrieved from: https://www.hhs.gov/hipaa/for-professionals/index.html U.S. Food and Drug Administration (FDA) (2019) Proposed regulatory framework for modifications to Artificial Intelligence/Machine Learning (AI/ML) – Based Software as a Medical Device (SaMD). Retrieved from: https://www.fda.gov/media/122535/download U.S. Food and Drug Administration (FDA) (2021) Artificial Intelligence and Machine Learning (AI/ML) Software as a Medical Device Action Plan. 2021. Retrieved from: https://www.fda.
Software as Medical Device in Europe
215
gov/medicaldevices/software-medical-device-samd/artificial-intelligence-and-machine-learn ing-software-medicaldevice U.S. Food and Drug Administration (FDA) (2022) General principles of software validation; Final Guidance for Industry and FDA Staff. Retrieved from: https://www.fda.gov/files/medical% 20devices/published/General-Principles-of-Software-Validation%2D%2D-Final-Guidance-forIndustry-and-FDA-Staff.pdf
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR Wolfgang Ecker
Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Clinical Evaluation of Medical Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 Significance, Background, and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Clinical Benefit/Risk Determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 The Stages of the Clinical Evaluation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4 Special Situations and Scenarios in the Clinical Evaluation Process . . . . . . . . . . . . . . . . 2.5 Scientific Advice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.6 Qualification and Selection of Clinical Evaluators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.7 Summary of Safety and Clinical Performance (SSCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.8 The (NB) Clinical Evaluation Assessment Report (CEAR) . . . . . . . . . . . . . . . . . . . . . . . . . 3 Clinical Investigation of Medical Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 Background, Definitions, and Scope Within MDR 2017/745 . . . . . . . . . . . . . . . . . . . . . . . 3.2 Essential Aspects of Clinical Investigations Under the MDR 2017/745 . . . . . . . . . . . . 4 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
218 218 218 221 222 230 234 234 235 236 236 236 238 246 248
Abstract
EU-regulators had perceived significant deficits of important stakeholders, like notified bodies (NB) and manufacturers, in clinical evaluation of medical devices (MDs) in the field. This concerned a lack of clear-cut processes, including planning and reporting, and even a lack of sufficient clinical data based on clinical investigation of high-risk MDs, and also the long-term clinical assessment of high-risk devices, like implants needed specific regulatory attention. Regulators also saw a necessity of providing enhanced clinical infrastructure, like clinical device panels to the European scenery. The preceding Clinical trial regulation for pharmaceuticals (Regulation (EU) 2014/534) (CTR 2014) offered a possibility to harmonize the clinical W. Ecker (*) University of Applied Sciences Upper Austria for Medical Technology, Linz, Austria e-mail: [email protected] © Springer Nature Switzerland AG 2023 C. Baumgartner et al. (eds.), Medical Devices and In Vitro Diagnostics, Reference Series in Biomedical Engineering, https://doi.org/10.1007/978-3-031-22091-3_8
217
218
W. Ecker
research landscape in Europe and put clinical investigations of MDs under a similar regulatory regime as pharmaceuticals. The aim was to optimize administrative procedures for manufacturers, competent authorities, and ethics committees and to make combination studies easier. Apart from the regulatory changes, the new Medical Device Coordination Group (MDCG) would support the mere legal texts with useful, formally non-legally binding interpretative guidance which can hardly be ignored. Aside from the legal changes and the new interpretative documents, the European and Global standard EN ISO 14155 (CEN 2020; ISO 2020) will be a stable anchor to go into details of clinical investigations of MDs and especially to drafting the important documents required. Please note that all these documents are a living system and may be further developed and changes will have to be monitored.
1
Introduction
Under the General Safety and Performance Requirements (GSPR) of Annex I of MDR 2017/745, medical devices (MD) have to be safe and effective, must have a positive benefit/risk ratio, have to be state of the art, and any remaining residual risks and unintended side effects will have to be acceptable against the benefits achieved. Compliance with these requirements will have to be demonstrated by the manufacturer and clinical evaluation is an essential part of that demonstration. MDR 2017/ 745 therefore puts enormous weight on proper clinical evaluation of MDs. Clinical evaluation has to provide a proper clinical benefit/risk determination for any MD and is clearly seen as a central life-cycle process to be performed under the manufacturer’s obligatory QMS. This means clear objectives, stages, and documentation for a clear-cut life-cycle process and enhanced scrutiny by notified body and competent authorities throughout the life cycle of any MD. Clinical investigations aside from literature search and Post Market Clinical Follow-up (PMCF) will be the major source of valid clinical data to provide the necessary clinical evidence. MDR 2017/745 has now put these clinical investigations on a higher and more homogeneous level in Europe.
2
Clinical Evaluation of Medical Devices
2.1
Significance, Background, and Definitions
Improving clinical evaluation of MDs has been one of the main targets of MDR 2017/745 and is explicitly placed by it in Art. 10 as an active, planned, systematic life cycle process under the mandatory QMS of the manufacturer. Clinical evaluation is to be seen as a final validation of the medical device, after risk-managementguided technical and preclinical evaluation. It is also a mandatory part of the
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
219
Table 1 Specification of clinical benefit/risk determination of MDs, under MDR 2017/745 and MEDDEV 2.7/1. rev 4 (COM 2016) Qualitative/quantitative determination of clinical benefit(s) and clinical safety differentiated for: Clinical Kind/type of effects Clinical safety benefit(s) (incl. rest-risks and Extent, magnitude undesirable side-effects) Duration Frequency/probability in exactly defined target group(s)/indications In clinical evaluation of MDs, clinical benefit(s), and clinical safety will have to be determined at least qualitatively, but as far as possible quantitatively with regard to kind, extent, duration, and frequency of positive and negative effects in the intended target group
demonstration of compliance with the applicable general safety and performance requirements (GSPR) for MDs according to Annex I of MDR 2017/745. The MDR 2017/745 has been built on major achievements of the MEDDEV 2.7.1 rev. 4 (COM 2016), the European Commission (COM) guideline developed for the previous Medical Device Directive 93/42/EEC (MDD) and Directive 90/385/EEC on active implantable medical devices (AIMDD), see below. The increased emphasis on clinical aspects in the MDR is also reflected in the creation of an improved clinical infrastructure of the regulatory system with (clinical) expert panels and the preparation of product group-specific clinical guidelines as “Device Specific Guidances” (DSG) or in the form of implementing acts of the COM as Common Specifications (CS) for clinical investigation a/o clinical evaluation a/o PMCF of certain high-risk types or groups of MDs (Ecker et al. 2020). In terms of content, the MDR 2017/745 in the clinical area has benefited largely from the overlapping development of COM guidance MEDDEV 2.7/1 rev. 4: “Clinical Evaluation of Medical Devices” for the Medical Device Directives (COM 2016), thereby incorporating its essential viewpoints into the new regulation, in particular, its: • clear specification of the clinical benefit/risk determination (see Table 1) • sequence of (6) steps within the clinical evaluation process (see Fig. 1) Definitions (MDR 2017/745: Art. 2) “Clinical evaluation” means a systematic and planned process to continuously generate, collect, analyse and assess the clinical data pertaining to a device in order to verify the safety and performance, including clinical benefits, of the device when used as intended by the manufacturer. “Benefit-risk determination” means the analysis of all assessments of benefit and risk of possible relevance for the use of the device for the intended purpose, when used in accordance with the intended purpose given by the manufacturer. “Clinical evidence” means clinical data and clinical evaluation results pertaining to a device of a sufficient amount and quality to allow a qualified assessment of
220
W. Ecker
Stages of Clinical Evaluaon of MDs under MDR and MEDDEV 2.7.1 rev. 4
Clinical Evaluaon Plan [CEP]
Clinical Data
PMCF
Idenficaon + Generaon
Clinical Evaluaon Report [CER]
Appraisal
Analysis
Fig. 1 Clinical evaluation is a life-cycle process, to be performed in six defined stages/steps according to MDR 2017/745 and MEDDEV 2.7/1 rev.4 (COM 2016), beginning with the clinical evaluation plan, leading to a clinical evaluation report (CER) as the central document, to be updated over the life-cycle of the MD by Post Market Clinical Follow-up (PMCF)
whether the device is safe and achieves the intended clinical benefit(s), when used as intended by the manufacturer. “Clinical performance” means the ability of a device, resulting from any direct or indirect medical effects which stem from its technical or functional characteristics, including diagnostic characteristics, to achieve its intended purpose as claimed by the manufacturer, thereby leading to a clinical benefit for patients, when used as intended by the manufacturer. “Clinical benefit” means the positive impact of a device on the health of an individual, expressed in terms of a meaningful, measurable, patient-relevant clinical outcome(s), including outcome(s) related to diagnosis, or a positive impact on patient management or public health. “Clinical data” means information concerning safety or performance that is generated from the use of a device and is sourced from the following: • clinical investigation(s) of the device concerned, • clinical investigation(s) or other studies reported in scientific literature, of a device for which equivalence to the device in question can be demonstrated,
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
221
• reports published in peer-reviewed scientific literature on other clinical experience of either the device in question or a device for which equivalence to the device in question can be demonstrated, • clinically relevant information coming from post-market surveillance, in particular the post-market clinical follow-up.
2.2
Clinical Benefit/Risk Determination
Within the framework of the abovementioned clinical benefit/risk determination, the clinical benefits and clinical safety (including the clinical rest-risks and the undesirable side effects) must be specified and determined at least qualitatively and, as far as possible, quantitatively according to kind/type, extent/magnitude, duration, and probability/frequency of positive and negative effects in the target population(s). Likewise, the areas of application of the MD are to be precisely specified to target patient groups, indications, including diseases differentiated as far as possible according to type, severity, stages, courses, phases, symptoms, etc., and, if necessary, contraindications. The manufacturer must, on the basis of the intended purpose of the medical device as stated by him, in order to comply with the General Safety and Performance Requirements (GSPR) of Annex I of the MDR 2017/745, make his related claims explicit and demonstrate by sufficient clinical evidence for the medical device (MD) at any time: • Its safety and effectiveness, with the details necessary for the proper clinical benefit/risk determination, as mentioned above. • Acceptability of the clinical benefit/risk ratio compared to the currently recognized state of the art. • A high level of health protection and safety and that the MD does not jeopardize the clinical condition and safety of patients or the safety and health of users and, where applicable, third parties. • Any known and foreseeable risks and any undesirable side effects have been minimized and are acceptable when weighed against the achieved benefits of the MD. • Other requirements of Annex I may also be “candidates” for assessment by specific clinical data, e.g., the added value of ancillary pharmaceutical or (non-viable) biological components. The clinical evaluation must be thorough and objective (considers positive and negative results/clinical data). The depth and scope must be proportionate and appropriate to the MD (in relation to the type, class, intended use, characteristics and risks of the MD, and the manufacturer’s claims).
222
W. Ecker
Table 2 Stages 0–5 of clinical evaluation: corresponding sources within MDR 2017/745 and MEDDEV 2.7/1 rev. 4 (COM 2016) Corresponding sources within MDR 2017/745 and MEDDEV 2.7/1 rev. 4 (COM 2016) for the stages 0–5 of clinical evaluation MEDDEV 2.7/1 rev. Stage of clinical evaluation MDR 2017/745 4 (COM 2016) 0. Scoping and clinical Annex XIV.A.1. (a) Section 7 evaluation plan (CEP) 1. Identification and generation Art. 61 (4)–(6); Annex XIV. Section 8; App. A4; A5; of clinical data A.1. (b) and (d) 2. Appraisal Annex XIV.A.1. (c) Section 9; App. A6; 3. Analysis Annex XIV.A.1 (e) Section 10; App. A7; A8 4. Clinical Evaluation Report Art. 61 (12); Annex XIV.A.4 Section 11; App. A9–11 (CER) 5. PMCF Art. 61 (11); Annex XIV.B Section 6.2.3
2.3
The Stages of the Clinical Evaluation Process
MDR 2017/745 largely follows Revision 4 of the MEDDEV 2.7.1. (COM 2016) in the step-wise approach to clinical evaluation; however, it should be noted that in the MDR in the first step (stage 0 of the MEDDEV) the clinical evaluation plan and the clinical development plan are more clearly emphasized. Also more clearly presented in the MDR 2017/745 is the Post-Market Clinical Follow-up (PMCF) as a separate entity and work step, so that for the following presentation, in “organic” combination of MDR and MEDDEV, now the following six stages 0–5 of the clinical evaluation result (see Fig. 1). The references to the work stages 0–5 are presented for both the MDR and the MEDDEV in correspondence Table 2; the presentation of the contents in the MEDDEV is altogether much more detailed and thus particularly well suited for practical application, until updated guidance by the EU’s Medical Device Coordination Group (MDCG) on clinical evaluation will be available. New findings can lead to the fact that one must take up an earlier work stage again or that a complete rerun must be started again of clinical evaluation
2.3.1 Stage 0: Scoping and Clinical Evaluation Plan Here, the manufacturer must define the framework of the clinical evaluation in “scoping,” with its product- and application-related prerequisites, on which the clinical evaluation plan can then be built. Important elements of initial scoping are: • A clear description of the MD, its intended purpose, areas and settings of application and claims, including references to required accessories or combinations with other MDs or with other products; • The results of the risk management with regard to remaining clinical residual risks and any possible undesirable side effects (in each case after risk minimization);
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
223
• The presentation of any planned appeal to equivalence with a similar, sufficiently characterized MD (predicate device) from technical, biological, clinical, and data access points of view (see below). On this basis, the manufacturer sets up the clinical evaluation plan (CEP) with the following elements: • He determines the basic requirements for safety and performance according to Annex I, which are to be substantiated with relevant clinical data (see above). • On this basis, he makes an utmost clinical specification and operationalization of his clinical claims – in line with the above-mentioned clinical benefit/risk determination, to direct his literature search and his clinical investigations: – Parameters for clinical benefit(s), effectiveness, clinical performance(s), including the corresponding measurable, patient-relevant outcomes for determination of the kind, extent/magnitude, duration, and frequency of clinical benefits within the well-defined target groups. – Qualitative and quantitative parameters for the assessment of clinical safety, including residual risks and undesirable side effects, again for determination of kind, extent, duration, and frequency within the well-defined target groups. – The exact target groups and the precise scope of application, including indications and contraindications of the MD or an MD demonstrated as equivalent. • Criteria/outcomes for assessing the acceptability of the benefit/risk ratio of the MD compared to the medical state of the art in the field of application. • A Clinical Development Plan for the planned “escalation” of clinical investigations, from exploratory studies (such as first-in-man-; early and traditional feasibility-; pilot-; proof-of-concept studies) to confirmatory studies (pivotal studies) and PMCF studies, especially for complex, novel product developments. • A Post-Market Clinical Follow-up plan (PMCF plan) is also required here and needs to be prepared with particular care (see details below under stage 5, below). To search for measurable, patient-relevant outcomes on safety and effectiveness for literature searches and clinical investigation planning, look for: • Clinical investigation databases, where similar MDs or medical fields are already covered (also useful for possible benchmark with state of the art!): – www.clinicaltrials.gov US clinical trials database – http://apps.who.int/trialsearch/ WHO clinical trials platform • HTA or EbM (Health Technology Assessment and Evidence-based Medicine) databases: – http://onlinelibrary.wiley.com/cochranelibrary/search?searchRow. searchOptions.searchProducts¼clinicalTrialsDoi Cochrane library – https://www.crd.york.ac.uk/CRDWeb/ Center for Reviews and Dissemination of the University of York
224
W. Ecker
– h t t p s : / / e p r i n t s . a i h t a . a t / c g i / s e a r c h / s i m p l e ? s c r e e n ¼P u b li c % 3 A % 3AEPrintSearch&_action_search¼Suchen&q_merge¼ALL&q¼decision +support&order¼-date%2Fcreators_name%2Ftitle&_action_search¼Search Decision Support Documents of the Austrian Institute for HTA; very useful for medical devices as examples for literature search according to the PICO scheme, see below, – https://www.iqwig.de/de/projekte-ergebnisse/publikationen/iqwig-berichte. 1071.html Project reports of the German IQWIG, with many assessments on drugs but also medical devices, very useful as examples for literature search according to the PICO scheme; • For the search for validated surrogate endpoints see also: BEST (Biomarkers, EndpointS, and other Tools), a resource from FDA and NIH: https://www.ncbi. nlm.nih.gov/books/n/biomarkers/pdf/
2.3.2
Stage 1: Identification and Generation of Relevant Clinical Data Through Literature Searches and Manufacturer’s Own Clinical Data, Such as Clinical Investigations or PMCF/PMS Results According to the definition of “clinical data,” this is any safety or performance information obtained in the course of using a medical device and derived from the sources indicated therein. Important considerations for/elements of literature search would be: a) Literature search protocol (plan): Describes the concrete planning of the literature search with background, objectives, and methodology with justifications: Objectives • Questions arising from the clinical evaluation plan (level 0) • (clinical) questions arising from risk management A structured questioning technique for literature searches recognized in Health Technology Assessment (HTA) and Evidence-based Medicine (EbM) is based on the PICO scheme: • P Population(s) characterized by disease(s) or condition(s). • I Intervention(s) • C Comparator group(s)/control(s) • O Outcome(s)/endpoint(s) Methodology: Based on the concrete questions regarding the MD and its field of application or the current state of the art in the medical field of application, it has to be defined WHAT, WHERE (in which data sources and other sources (internet and others), HOW (e.g., with which search terms, time window, selection criteria for inclusion and exclusion, quality control during data extraction) to search and select clinical data for the MD transparently. Key sources are cited in the MEDDEV (like PubMed, Embase, Cochrane, etc.). The literature searches concern:
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
225
• The MD in question, or the MD demonstrated to be equivalent (see below) • The currently accepted state of the art in the relevant medical field as a benchmark. This comparison should enable a well-founded test of the acceptance of the benefit/risk ratio of MDs against the current state of the art. State of the art also includes: • Relevant clinical requirements for the MD and its application in harmonized standards, DSGs, CS • Systematic reviews, meta-analyses, HTA and EbM-assessments, epidemiological studies, reports on registry evaluations in the relevant medical field • Relevant current guidelines, consensus statements, treatment pathways, etc. of European, international, or national professional societies of high methodological quality • Benefit/risk profile of benchmark medical devices (with justification for their selection) b) Literature Search Report(s) This/these report(s) describe(s) in a completely comprehensible way the concrete execution of the literature search, especially how the abovementioned methodology was implemented, with possible deviations (including justification), in- and exclusions of data transparently executed and the results of the literature search. c) The full texts of the relevant studies/literature references are to be annexed. Any gaps provide important indications as to where further clinical investigations may have to be performed in accordance with the clinical evaluation plan or the clinical development plan or the PMCF plan.
2.3.3 Stage 2: Appraisal (Assessment/evaluation/weighting of the available clinical data) On the basis of the clinical data collected in stage 1, the following questions are primarily addressed here: • To what extent are the individual clinical data (studies, etc.) relevant for the MD (or equivalent MD) in question and its intended field of application? – Its effectiveness, clinical performance, and clinical benefit – Its clinical safety, clinically detectable residual risks, and undesirable side effects – The intended clinical indications (including target groups, indications, and contraindications)? • To what extent are the clinical data relevant to the medical state of the art in the field of application, so that the benefit/risk ratio of the MD can be compared with that of the current state of the art in the field of application and checked for acceptability? • What about the methodological and scientific quality of the individual clinical data? The aim here is to assess, on the basis of defined criteria, the extent to which reported outcomes on clinical benefit/performance or clinical safety
226
W. Ecker
could be attributable to the medical intervention with the MD or to confounders, bias, random error, inadequate reporting, etc. This includes the classic criteria for assessing the methodological and scientific quality of the individual clinical data, especially those criteria important for the assessment of clinical investigations, as mentioned in Annex XV of the MDR 2017/745 and in the harmonized standard EN ISO 14155 (EN 2020, ISO 2020). Here details of the clinical investigation plan (CIP) will be the target of scrutiny: e.g., sample size, power calculation, clinical relevance of endpoints, validity of surrogate endpoints, methodology of measurement of endpoints, adequacy of control groups, distribution of prognostic factors, blinding, randomization, adequacy of time spans of follow-up, etc. • Using the above criteria, how should each relevant clinical data be weighted according to its contribution to the clinical evaluation and evidence of the MD for effectiveness and safety? The value of the individual clinical data, both from the manufacturer’s own data and from the literature search, is to be determined – according to an appraisal plan that defines criteria for each of the above questions – these questions and their contributions to the clinical evidence for clinical performance/benefit as well as clinical safety of the MD are to be weighted. The highest weight is usually given to pivotal data based on well-conducted randomized controlled clinical trials (RCT’s) of the MD in the intended area of use. The MEDDEV recognizes (COM 2016) that for some MDs RCTs may not be practical and that other study designs or other sources of clinical data may be acceptable and arguable. It is also noted that especially for long-established technologies or low-risk products, qualitative (descriptive) rather than quantitative appraisal may be acceptable, but this should be justified in any case. Other clinical data must be evaluated and weighted to determine the current medical state of the art, to identify previously unknown hazards or adverse effects, or to determine the validity of surrogate endpoints.
2.3.4 Stage 3: Analysis of Clinical Data The clinical data evaluated and weighted in stage 2 must now be subjected to a comprehensive structured analysis of whether and to what extent the MD fulfills the relevant general safety and performance requirements of Annex I of the MDR 2017/ 745 when used as intended. These are first of all the general requirements in Annex I Part I for safety and effectiveness of the MD and the acceptance of the benefit/risk ratio compared to the recognized state of the art. Clinical benefit (clinical performance) and residual clinical risks (including undesirable side effects, in each case after minimization in terms of risk management) of the MD are in each case specified and determined according to • Nature/kind • Extent/magnitude
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
227
• Duration • Probability (probability/frequency in the target group) of positive or negative effects, and the benefit/risk ratio compared with the recognized state of the art for acceptance. Available clinical data must also be analyzed for consistency within the overall results of the clinical evaluation. Also to be included in the analysis stage: • The draft Summary of Safety and Clinical Performance (SSCP; according to MDR 2017/745: Art. 32, see below) • If applicable, implant information (MDR 2017/745: Art. 18) • Documentation for custom-made devices according to MDR 2017/745: Annex XIII.2 • The technical documentation (especially clinical part, MDR 2017/745: Annex II.6 and Annex III) • Submitted planned promotional materials (including homepages) In any case, the analysis should be performed against the background of the clinical data collected, evaluated, and weighted in stages 1 and 2 on the recognized state of clinical knowledge in the field of application. As a benchmark, it is also essential to take into account any relevant DSGs and CSs as well as harmonized standards with clinical requirements. The analysis will be based on qualitative and quantitative methods; for some long-established technologies and low-risk products, it may be necessary to rely primarily on qualitative (descriptive) methods; this must be justified in any case. In most cases, appropriate quantitative methods should be used as far as possible. Methodologically weak data (such as reports on individual patients) are normally not considered conclusive for safety and effectiveness. The analysis will primarily rely on pivotal clinical data, especially if these data are concordant, which supports their strength of evidence. In the case of discordant pivotal data, the weighting from stage 2 is particularly needed. The causes of discrepancies must be clarified. In the analysis, it must be kept in mind which MD (including its models, sizes, variants) and which different intended areas of use (purposes, target groups, and indications, if necessary including severity, stages, courses, etc. of diseases) must be covered in each case by the clinical evaluation and whether there are still evidence gaps (gap analysis)! The gaps indicate where there may still be a need for additional clinical investigations or special activities in the PMCF.
2.3.5 Stage 4: The Clinical Evaluation Report (CER) The Clinical Evaluation Report documents the clinical evaluation process with its work steps/stages and results and thus constitutes the clinical evidence for the MD and its intended purpose in a transparent, comprehensible manner.
228
W. Ecker
The MDR 2017/745 and the Medical Device Directives 93/42/EEC (MDD) and 90/385/EEC (AIMDD) as amended by Directive 2007/47/EG stipulate in principle that a CER is to be created; the details on structure and composition can be found in the MEDDEV 2.7/1 rev. 4 (COM 2016). The CER is subject to continuous updating by PMCF and is an essential part of the technical documentation according to MDR 2017/745: Annex II and III (PMCF). A possible structure of the CER is recommended in MEDDEV 2.7/1. rev. 4 (COM 2016), see Table 3 below.
2.3.6
Stage 5: Post-Market Clinical Follow-Up (PMCF) Including PMCF Plan and PMCF Evaluation Reports Active and systematic collection of clinical data must continue after the start of marketing in the continuous process of Post-Market Clinical Follow-up (PMCF) in order to be able to substantiate the clinical safety and effectiveness of medical devices with clinical evidence also in the long term over the lifetime of the MD. New results and findings from the broad clinical use of the MD – across a wide variety of different, often multimorbid patients, different users and different settings (e.g., use under a QMS) – need to be incorporated into an update of the clinical evaluation of the MD. PMCF should keep the clinical evaluation up-to-date over the life cycle of the medical device. PMCF is an essential part of the clinical evaluation and post market surveillance (PMS) and must be performed under the manufacturer’s mandatory QMS. Part B of Annex XIV of the MDR 2017/745 deals in detail with the PMCF, which must be based on a PMCF plan. Table 3 Possible structure of clinical evaluation report (CER) acc. to MEDDEV 2.7/1. rev. 4 (COM 2016) Possible structure of Clinical Evaluation Report (CER) acc. to MEDDEV 2.7/1. rev. 4 (COM 2016) 1. Executive summary 2. Scope and clinical evaluation plan (summary) 3. Clinical background; current knowledge; state of the art in medical field of application 4. Clinical data search/generation for MD and state of the art with justification); results of appraisal + analysis 5. Conclusions 6a. PMCF plan 6b. next milestones for clinical evaluation and PMCF reports 7. date and signatures of clinical evaluator(s) and manufacturer 8. Qualifications of clinical evaluator(s) 9. References: In general, all clinical data, results, and conclusions should be clearly referenced to appropriate sources, references, or reports, documents, etc. 10. Annexed documents (literature searches+full texts; clinical investigations docs; PMCF evaluation reports)
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
229
The PMCF Plan Objectives of the PMCF plan: i) Ongoing review of clinical safety and clinical benefits/performance over the life cycle of the MD ii) Identify previously unknown side effects and emergent risks, and monitor those side effects, risks, and contraindications already identified iii) Checking whether the benefit/risk ratio is still acceptable (also: possibly emergence of superior alternatives?) iv) Recognition of systematic and/or serious off-label use, in order to be able to initiate appropriate corrective and/or protective measures Minimum contents of the PMCF plan: • General methods of PMCF: Further pro-active collection of clinical experience, feedback from users and patients; further literature research, other sources, e.g., also from the field of vigilance systems with incident reports or safety measures in the product area in question. • Specific PMCF methods: PMCF studies, either as “continuation” of pre-CE studies or as PMCF studies with CE-marked MP on representative patient collectives. Systematic registry evaluations for implants (e.g., coronary stents, hip and knee implants) or medical procedures (e.g., laser procedures on the eye; interventional procedures) or specific diseases. Member States and the COM are obliged according to MDR 2017/745: Art. 108 to support the establishment and joint evaluation of such registries and databases in the interest of assessing the long-term performance and safety of MDs and traceability. Registry evaluations are also being pursued at the global level through the IMDRF. • For the various general and specific PMCF methods applied, a rationale should be provided in each case, also with regard to the specific objectives. • Reference to relevant DSG or CS for PMCF or relevant sections from harmonized standards. IMPORTANT: The Medical Device Coordination Group has provided its own guidance for the preparation of the PMCF plan: MDCG 2020-7: Guidance on PMCF plan template (MDCG 2020c). Post-market Clinical Follow-Up Evaluation Report (PMCF Evaluation Report) The proactive collection, assessment, analysis, and conclusions of PMCF data are each recorded in a PMCF Evaluation Report. The report with its analyses and conclusions will be used to update the CER, the risk management, and PMS. The report thus also becomes part of the Technical Documentation according to Annex II and III of the MDR 2017/745. The manufacturer must implement the conclusions of
230
W. Ecker
the PMCF Evaluation Report into preventive and/or corrective actions (CAPAs), if necessary. With regard to the frequency of the evaluation reports, an annual preparation is required for implants and class III MDs. Important: The EU Medical Device Coordination Group (MDCG) has provided a guidance on the PMCF Evaluation Reports: MDCG 2020-8: Guidance on PMCF evaluation report template (MDCG 2020d). The alleged non-applicability of PMCF to an MD would need proper justification by the manufacturer and acceptance by the NB. A justified, detailed schedule of PMCF activities will be necessary: (esp. analysis of PMCF data and preparation of PMCF Evaluation Reports). MDR 2017/745: Art. 61 (11) requires at least an annual update of the PMCF Evaluation Report for implants and Class III MDs; the MEDDEV requires at least an annual update if the MD has a significant risk or if it does not correspond to a wellestablished technology. Unless these conditions are met, an interval of 2–5 years is recommended in the MEDDEV, in each case with justification and in consultation with the NB.
2.4
Special Situations and Scenarios in the Clinical Evaluation Process
2.4.1 Demonstration of Equivalence to a Predicate Device MDR and MEDDEV are clearly limiting possibilities to claim equivalencies to a predicate device in order to assure proper clinical evaluation and especially clinical investigations of the MD in question. Three kinds of equivalence and data access to the predicate device have to be demonstrated simultaneously (MDR 2017/745, Annex XIV, Part A): • Technical equivalence: the device is of similar design; is used under similar conditions of use; has similar specifications and properties including physicochemical properties such as intensity of energy, tensile strength, viscosity, surface characteristics, wavelength, and software algorithms; uses similar deployment methods, where relevant; has similar principles of operation and critical performance requirements. • Biological equivalence: the device uses the same materials or substances in contact with the same human tissues or body fluids for a similar kind and duration of contact and similar release characteristics of substances, including degradation products and leachables. • Clinical equivalence: the device is used for the same clinical condition or purpose, including similar severity and stage of disease, at the same site in the body, in a similar population, including as regards age, anatomy, and physiology; has the same kind of user; has similar relevant critical performance in view of the expected clinical effect for a specific intended purpose. • Data access: It shall be clearly demonstrated that the manufacturer of the MD in question has sufficient levels of access to the data relating to the predicate device
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
231
with which it is claiming equivalence in order to justify their claims of equivalence. The characteristics listed above shall be similar to the extent that there would be no clinically significant difference in the safety and clinical performance of the device. Considerations of equivalence shall be based on proper scientific justification. MDCG has addressed equivalence in its guidance (MDCG 2020a). MDCG 20205: Guidance on clinical evaluation – Equivalence.
2.4.2 Well-Established Technologies (of Low Risk; WET) (Think of simple syringes, needles, infusion sets, tracheal tubes, etc.) Here one will often find all safety and performance aspects of this MD addressed in the associated (harmonized) standards. Based on the technical and preclinical evaluation, one can often work off these virtually complete safety and performance parameters as validated surrogate endpoints for clinical benefit and safety. Clinical data from the use of these products will mostly only be available on the basis of often decades of specific clinical experience in the context of a valid PMS/PMCF of the manufacturer for such products (see here Chap. VII.1 and Annex III or Annex XIV.B of the MDR 2017/745). These reliable PMS/PMCF data should also show that the low-risk product in question is still state of the art and by no means – for example, due to superior alternatives or other considerations – medically obsolete in the area of use or has a worse benefit/risk ratio in relation to the comparator products. Sufficient evidence of the clinical performance, benefit, and clinical safety of these low-risk products based on well-established low-risk technologies alone through technical and preclinical evaluation (and PMS/PMCF data) must in any case be provided on a case-by-case basis, be justified and accepted by the NB. For higher risk MDs, especially implants and class III products, the EU legislator has made it clear that clinical data based on clinical investigations are practically always required for the specific product, see below.
2.4.3 Class III and Implantable MDs Regardless of the results of the gap analysis, it should be noted that the MDR for implantable MDs and class III MDs mandatorily requires the performance of appropriate clinical investigations. Exceptions to this are strictly limited and only possible under the provisions given in MDR 2017/745: Art. 61 (4)–(7): (4). [MD demonstrated equivalent to other MD, designed by same manufacturer]: • The device has been designed by modifications of a device already marketed by the same manufacturer. • The modified device has been demonstrated by the manufacturer to be equivalent to the marketed device, in accordance with Section 3 of Annex XIV and this demonstration has been endorsed by the notified body.
232
W. Ecker
• The clinical evaluation of the marketed device is sufficient to demonstrate conformity of the modified device with the relevant safety and performance requirements. • In this case, the notified body shall check that the PMCF plan is appropriate and includes post market studies to demonstrate the safety and performance of the device. • In addition, clinical investigations need not be performed in the cases referred to in paragraph 6. (5). [MD demonstrated to be equivalent to an already marketed device not manufactured by same manufacturer], may also not have to perform a clinical investigation provided that the following conditions are fulfilled in addition to what is required above: • The two manufacturers have a contract in place that explicitly allows the manufacturer of the second device full access to the technical documentation on an ongoing basis. • The original clinical evaluation has been performed in compliance with the requirements of this Regulation [¼MDR 2017/745]. • The manufacturer of the second device provides clear evidence thereof to the notified body. (6). [The requirement to perform clinical investigations pursuant to paragraph 4 shall not apply to implantable devices and class III devices]: (a) which have been lawfully placed on the market or put into service in accordance with Directive 90/385/EEC or Directive 93/42/EEC and for which the clinical evaluation: • is based on sufficient clinical data, and • is in compliance with the relevant product-specific CS for the clinical evaluation of that kind of device, where such a CS is available; or (b) that are sutures, staples, dental fillings, dental braces, tooth crowns, screws, wedges, plates, wires, pins, clips or connectors for which the clinical evaluation is based on sufficient clinical data and is in compliance with the relevant product-specific CS, where such a CS is available. (7). Cases in which paragraph 4 is not applied by virtue of paragraph 6 shall be justified in the clinical evaluation report [CER] by the manufacturer and in the clinical evaluation assessment report [CEAR] by the notified body. The COM may amend the list of exceptions in 6.b) by delegated acts.
2.4.4 Breakthrough-Devices and Unmet Medical Needs In exceptional situations, where breakthrough-devices are expected to lead to a breakthrough in the treatment of serious diseases or the avoidance of deaths, which are without alternative under benefit/risk assessment, limited clinical data may be sufficient for a positive benefit/risk assessment under strict conditions. These cases must be adequately justified in the Clinical Evaluation Report (CER) and, in consultation with the NB, must have commitments and conditions that ensure a rapid gain of relevant clinical data through a stringent PMCF plan and allow for a rapid
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
233
update of the clinical evaluation towards “normality” of the clinical data situation. For such higher-risk products or for such MDs for rare diseases, the MEDDEV 2.7/ 1st Rev. 4 (COM 2016) recommends including all patients in PMCF studies. For follow-on products or me-too’s of these breakthrough products, the clinical knowledge base has already grown so that greater uncertainties in benefit/risk would hardly be justified.
2.4.5 Exceptions to the Need for Clinical Data The manufacturer may claim exceptions to the need for clinical data to meet the General Safety and Performance Requirements (GSPR) only with sufficient justification. This justification must be derived from the risk management and the detailed description of the biological interaction of the MD with the human body, the mode of operation of the MD and the specific claims for clinical performance and must demonstrate that nonclinical, technical, and preclinical evaluations are sufficient in the specific individual case to demonstrate compliance with the applicable GSPR without clinical data. However, this is intended by the EU legislator only as an absolute exception. This situation must be justified by the manufacturer in the CER, by the NB in its CEAR. 2.4.6 Clinical Evaluation of Software as a Medical Device (MDSW) A special feature is the clinical evaluation of Medical Device Software (MDSW) with its often diagnostic, predictive, and prognostic functions. Corresponding preliminary work had been done by the IMDRF with the guideline “Software as a Medical Device (SaMD) Clinical Evaluation.” MDCG guidance (MDCG 2020g) MDCG 2020-1 follows partly this global guideline; but it also remains responsive to the step-by-step approach of clinical evaluation outlined in MEDDEV 2.7.1 rev.4 (COM 2016) , with the sequence of Clinical Evaluation Plan, identification of relevant clinical data (through literature review, clinical investigations and other sources of valid clinical data, including PMCF data), assessment and analysis of these data, the Clinical Evaluation Report and subsequent PMCF for updates. The scientific methodology, just like its IMDRF predecessor cited above, however follows the concept of performance evaluation for IVDs with the important components: • Valid clinical association/scientific validity • Analytical/technical performance • Clinical performance: Valid clinical association/scientific validity would provide the (scientific) rationale why a particular output (based on defined inputs and algorithms of the MDSW) would serve a particular clinical benefit, to be specified. Usually this is based on basic research as a starting point and possibly on preliminary results of, e.g., (mainly) exploratory clinical investigations, expert opinions of medical societies, and scientific literature reviews. The analytical performance will have to address two main issues:
234
W. Ecker
1. Demonstrate the ability of the MDSW to accurately, reliably, reproducibly, and precisely generate the intended output from the input data. 2. The MDSW reliably, accurately, and consistently fulfills the intended purpose in real-world use under the conditions of usability, IT safety, and IT security in the contexts of the intended use environments and the intended users and target groups. Under point (1), important parameters of analytical performance will be those also used in the IVDR 2017/746: Annex I.II.9.1.(a): such as analytical sensitivity and specificity, accuracy, etc. Under point (2), parameters such as fitness for purpose in the intended use scenarios, generalizability, availability, confidentiality, integrity, reliability, and absence of cybersecurity vulnerabilities would apply. Clinical performance must demonstrate that users can consistently achieve clinically relevant benefits from the outcomes of MDSWs, based on predictable and reliable use of MDSWs in the intended target populations, operating conditions and conditions of use, including indications, contraindications, limitations, and warnings. Clinical performance must be specified according to the parameters, some of which are again specified in the IVDR 2017/746: Annex I.II.1.(b) for clinical performance like Clinical/diagnostic sensitivity and specificity, etc., complemented by usability aspects.
2.5
Scientific Advice
MDR 2017/745: Art. 61 (2) In the MDR, similar to the pharmaceutical sector, the possibility of “scientific advice“prior to conformity assessment has now been created. For MDs of class III and for active MDs of class IIb subject to the procedure according to Art. 54, the manufacturer may submit its clinical development plan and its proposals for clinical investigations to a consultation by an expert panel according to MDR 2017/745: Art. 106 (probably subject to a fee). The manufacturer must then take due account of the panel’s opinion and document this in the CER. On the other hand, however, no rights can be derived from scientific advice in the forthcoming conformity assessment procedure.
2.6
Qualification and Selection of Clinical Evaluators
MEDDEV 2.7/1.rev. 4 (COM 2016) specifies requirements for the professional qualifications, knowledge, and declarations of interest of clinical evaluators
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
235
(individuals or teams) to ensure an independent and competent clinical evaluation. The manufacturer must formulate requirements for clinical evaluators based on the nature, intended use, clinical benefits, and risks of the MD and its intended purpose, select its clinical evaluator(s) accordingly, and justify the selection in the CER toward the requirements below. Required knowledge and qualifications include: • General scientific knowledge (research methodology, specifically in clinical scientific information management and experience in literature search; experience in medical scientific writing and regulatory background) • Knowledge of the MD under evaluation and its medical application (technology and clinical application; diagnosis and management of clinical application situations; knowledge of medical alternatives and relevant treatment standards; medical specialty) • Professional qualification, training, and experience – Relevant academic degree+ > ¼ 5 years of documented professional experience. – 10 years of documented professional experience if no academic degree is required for area of assignment. Deviations should be documented and justified in each case. Clinical evaluators provide Declarations of Interest (DoI) to demonstrate their independence, which declare relevant financial and other interests of the evaluator and close family members for defined periods of time that could influence the outcome of the clinical evaluation. Typical contents of the DoI are: relevant employment relationships, intellectual property, or pediatric interests. Employment, Intellectual Property or Patents, Stocks, Scholarships, Grants, Participation in clinical investigations or preclinical evaluations, Funding for Travel and Accommodation; Lecture Fees; etc. The manufacturer should annex the DoI signed and dated by the manufacturer and the evaluator to the CER.
2.7
Summary of Safety and Clinical Performance (SSCP)
The MDR 2017/745 requires the manufacturer to provide a publicly available Summary of Safety and Clinical Performance (SSCP) for all implantable MDs and for Class III MDs that must be understandable to users and, if applicable, patients. The draft of this SSCP has to be submitted to the NB during the conformity assessment procedure. The NB validates the draft and uploads it to the EUDAMED database. The Instructions for Use of the MD must contain a link to this document in its current form. The summary report shall contain at least the following elements: • MD and manufacturer identification, including base UDI-DI and SRN • Intended purpose and indications, contraindications, and target groups
236
• • • • • •
W. Ecker
MD product description Possible diagnostic or therapeutic alternatives Reference to all harmonized standards and applied CS Summary of clinical evaluation and pertinent PMCF information Profile and training of intended users Potential residual risks and adverse effects, warnings, and precautions
IMPORTANT: The Medical Device Coordinating Group (MDCG) has provided guidance for the preparation of the SSCP: (MDCG 2019) MDCG-2019-9 Rev1: Summary of safety and clinical performance.
2.8
The (NB) Clinical Evaluation Assessment Report (CEAR)
It has been important to the EU legislator to raise the quality of assessments of the manufacturers’ clinical evaluation in the context of the conformity assessment to a high and homogeneous level and to make their results transparent. In addition to the relevant requirements in Chap. IV and Annex VII of the MDR 2017/745 on clinical assessment by the NBs, both conformity assessment modules Annex IX and Annex X now contain explicit requirements for the preparation of an NB’s Clinical Evaluation Assessment Report (CEAR). The MDCG has issued guidance on this topic: (MDCG 2020f) MDCG 2020-13: Clinical evaluation assessment report template.
3
Clinical Investigation of Medical Devices
3.1
Background, Definitions, and Scope Within MDR 2017/745
Clinical investigations, along with literature searches, are the primary source of reliable clinical data for manufacturers to establish clinical evidence for their MD. The need for and specificity of any clinical investigations must be guided by the manufacturer’s clinical evaluation, specifically their clinical evaluation plan and in turn their clinical development plan for the MD (see sub-chapter above); in addition, for high-risk products, regulatory obligations to conduct clinical investigations must also be considered. Depending on the stage of development and novelty of the MD or its technology, exploratory studies (e.g., first-in-man, pilot, proof of concept, or early and traditional feasibility studies) may be indicated in the clinical development plan to cautiously collect initial clinical data on safety and effectiveness; followed by confirmatory studies (e.g., pivotal studies) to generate decisive clinical data on safety and effectiveness of the MD for conformity assessment. Finally, as part of the PMCF, there are PMCF studies to evaluate long-term safety and effectiveness within then broader real-world use populations with perhaps more diverse co-morbidities or genetic constellations and associated side effect potentials.
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
237
The MDR primarily targets clinical investigations (exploratory or confirmatory studies, PMCF studies) that serve to generate clinical data for clinical evaluation in the context of conformity assessment, in order (MDR 2017/745, Art. 62): • to establish and verify that, under normal conditions of use, a device is designed, manufactured, and packaged in such a way that it is suitable for one or more of the specific purposes of the MD, and achieves the performance intended as specified by its manufacturer; • to establish and verify the clinical benefits of a device as specified by its manufacturer; • to establish and verify the clinical safety of the device and to determine any undesirable side effects, under normal conditions of use of the device, and assess whether they constitute acceptable risks when weighed against the benefits to be achieved by the device. The requirements of Articles 62 to 81 and Annex XV apply to these clinical investigations. According to Art. 82, certain parts of the requirements of Chap. VI also apply to clinical investigations of MDs that would not serve conformity assessment purposes, e.g. in academic studies. These concern especially the requirements for the protection of the trial subjects according to Art. 63–69, the mandatory consultation of the ethics committee, compliance with the applicable requirements of Annex I, and data protection. The Member State is required to lay down additional requirements (e.g., also risk-differentiated approval or non-rejection procedures for these clinical trials, specifically to ensure ethical, safety and scientific principles and to protect the trial subjects). See here always the corresponding national regulations! Definitions (MDR 2017/745, Art. 2) “Clinical investigation” means any systematic investigation involving one or more human subjects, undertaken to assess the safety or performance of a device; “Investigational device” means a device that is assessed in a clinical investigation; “Clinical investigation plan” means a document that describes the rationale, objectives, design, methodology, monitoring, statistical considerations, organization and conduct of a clinical investigation; “Sponsor” means any individual, company, institution or organisation which takes responsibility for the initiation, for the management and setting up of the financing of the clinical investigation; “Subject” means an individual who participates in a clinical investigation; “investigator” means an individual responsible for the conduct of a clinical investigation at a clinical investigation site; “Informed consent” means a subject’s free and voluntary expression of his or her willingness to participate in a particular clinical investigation, after having been informed of all aspects of the clinical investigation that are relevant to the subject’s decision to participate or, in the case of minors and of incapacitated subjects, an
238
W. Ecker
authorization or agreement from their legally designated representative to include them in the clinical investigation; “Ethics committee” means an independent body established in a Member State in accordance with the law of that Member State and empowered to give opinions for the purposes of this Regulation, taking into account the views of laypersons, in particular patients or patients’ organizations; “Adverse event” means any untoward medical occurrence, unintended disease or injury or any untoward clinical signs, including an abnormal laboratory finding, in subjects, users or other persons, in the context of a clinical investigation, whether or not related to the investigational device; “Serious adverse event” means any adverse event that led to any of the following: (i) death, (ii) serious deterioration in the health of the subject, that resulted in any of the following: (a) life-threatening illness or injury, (b) permanent impairment of a body structure or a body function, (c) hospitalization or prolongation of patient hospitalization, (d) medical or surgical intervention to prevent life-threatening illness or injury or permanent impairment to a body structure or a body function, (e) chronic disease, (iii) fetal distress, fetal death or a congenital physical or mental impairment or birth defect; “Device deficiency” means any inadequacy in the identity, quality, durability, reliability, safety or performance of an investigational device, including malfunction, use errors or inadequacy in information supplied by the manufacturer.
3.2 3.2.1
Essential Aspects of Clinical Investigations Under the MDR 2017/745
Investigational Medical Devices (IMDs) Must Meet the Applicable General Safety and Performance Requirements (GSPR); the Investigator’s Brochure (IB) Investigational Medical Devices (IMDs) must meet the applicable General Safety and Performance Requirements (GSPR) as specified in Annex I of MDR 2017/745. Where aspects of these are still subject to the clinical investigation in question, all precautions shall be taken to protect the health and safety of subjects, users, and others, under risk management with regard to these aspects. Relevant harmonized standards (see their Annexes Z) and common specifications (CS) with corresponding presumptions of conformity or suitable alternative solutions (e.g., state-of-the-art standards of ISO or IEC) will/may be the tools of choice to demonstrate necessary compliance with GSPR. The presentation of applicable GSPR and of compliance with these will best be done in a GSPR-matrix, e.g., the one presented in the Annex
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
239
of guidance MDCG 2021-8 (MDCG 2021b). This GSPR-matrix may also be used to prepare the technical documentation according to Annex II.4 of MDR 2017/745 and is also part of the investigator’s brochure (Annex XV.II.2.7.), see below. The Investigator’s Brochure (IB) will cover these above aspects of the clinical investigation, especially the data on the technical and preclinical evaluation and the clinical data available prior to the clinical investigation. The IB will also contain the exact description of the MD, its design, technology, history and manufacture, its intended purpose, use, necessary accessories, special components, storage, maintenance, servicing, hygiene measures, benefit-risk analysis, risk management, indications, possible undesirable side effects, contraindications, warnings, etc. Its structure is presented in the MDR 2017/745: Annex XV.II.2 and detailed in the (harmonized) standard EN ISO 14155 (CEN 2020; ISO 2020). The IB thus documents, that the investigational device is expected to be safe and effective according to Annex I of the MDR 2017/745 and that it is “ready” for this phase of experimental application to human subjects. Updates and new information to the IB must be promptly provided to the clinical investigator by the sponsor.
3.2.2
The Scientific Basis of the Clinical Investigation; the Clinical Investigation Plan (CIP) The scientific rationale for the clinical investigation is provided in the Clinical Investigation Plan (CIP). The “clinical investigation plan” means a document describing the rationale, objectives, design, methodology, monitoring, statistical considerations, organization, and conduct of a clinical trial. The structure of the CIP is described in the MDR 2017/745: Annex XV.II.3; the CIP is defined in detail in the (harmonized) standard EN ISO 14155 (CEN 2020; ISO 2020), which also represents the Good Clinical Practice (GCP) for the medical device sector. Among other things, the CIP is intended to demonstrate, from a scientific and statistical point of view, that the explicitly formulated, medically meaningful (test) hypotheses can be confirmed or refuted in a scientifically sound manner by the design of the specific clinical investigation. Core elements are the choice (and justification) of patient relevant, measurable outcomes/endpoints for clinical benefits and clinical safety (including clinical rest-risks and undesirable side effects) to be derived from the clinical evaluation plan. These outcomes will have to reflect kind, strength/magnitude, duration of positive and negative effects, and their probability within well-defined and representative target groups of the MD. Also included will be a description of the design type of clinical investigation to be performed (e.g., randomized, blinded or open-label, parallel groups or crossover, multicenter, international), the control group, or the comparator with rationale and justification for the choice. Other items on the scientific “menu” will be a description of the measures to be taken to minimize or avoid bias, such as randomization, concealment of allocation, blinding/masking, and management of potential confounding factors and the rationale and details of statistical design and analysis.
240
W. Ecker
Each clinical investigation includes, at the time points defined in the CIP (before, during, and after use of the investigational medical device [IMD]) cross-sectional assessments of the relevant clinical safety and clinical performance endpoints/outcomes of the study subjects and relevant data on the condition of the IMD. The collection forms for these are found in the Case Report Forms (CRF), often as part of the CIP.
3.2.3 Ethics, Organization, Documentation, Finance In addition, the CIP makes essential contributions to the ethical (e.g., information of subjects and consent; protection of trial subjects and, in particular, vulnerable groups) and organizational (e.g., role descriptions of clinical investigator, sponsor, and monitor; safety reporting; financing) design of the clinical trial and to its documentation (see below). The European legislator has taken advantage of the timely adoption of the regulations on clinical trials of medicinal products (CTR 2014), medical devices, and in vitro diagnostics to harmonize the regulatory clinical research landscape in Europe, which will also facilitate combination studies. This also applies to the basic ethical requirements (see specifically Articles 63 to 69 of the MDR 2017/745, such as the provisions and information materials for informed consent and the protection of vulnerable groups (incapacitated persons; minors; pregnant or breastfeeding women; clinical trials in emergencies), the compensation of damages, but also the mandatory consultation of an ethics committee, whose negative vote is binding for the member state in the procedure. In terms of objectives and content, this largely corresponds to the requirements of the Declaration of Helsinki of the World Medical Association. The sponsor documents compliance with ethical requirements, including informed consent materials in the CIP. Similarly, the role requirements for clinical investigator, sponsor, and monitor are clarified in the CIP. The structure of the CIP is defined in the MDR 2017/745: Annex XV.II.3; closer details can be found in the EN ISO 14155 (CEN 2020; ISO 2020) standard (Annex A), which also provides a clear overview of the required documentation for/about the clinical study, including the assignment of responsibilities. MDCG Guidance MDCG 2021-8: “Clinical investigation application/notification documents” (MDCG 2021b) may provide further assistance. Article 69 of the MDR 2017/745 contains basic regulations for compensation in clinical investigations, whereby the Member States are responsible for the detailed design and the sponsor is for the implementation of the relevant EU and national regulations. 3.2.4 Administrative Procedures for Clinical Investigations The MDR 2017/745 necessitates notification of the clinical investigation to EUDAMED (application with the documents according to MDR 2017/745, Annex XV.II.; the clinical investigation will receive a Union-wide unique single identification number, CIV-ID, see MDCG 2021-20 (MDCG 2021c); documents for application are detailed in MDCG 2021-8 [MDCG 2021b]). Public scrutiny of applications will be done jointly on work sharing between ethics committee and competent
Clinical Evaluation and Clinical Investigations of Medical Devices Under the MDR
241
authority according to the provision of the MS. Five administrative procedures will be possible (see Table 4 a) to e)): (a) The “classical” one-MS-procedure for high-risk-MDs; the application is assessed by each MS separately. (b) The “classical” one-MS-procedure for low-risk-MDs; the application is assessed by each MS separately. (c) The coordinated procedure (multi-state procedure) is initially voluntary (until May 27, 2027) for Member States, then mandatory at the sponsor’s request. Here the application will be validated and assessed under the lead of a coordinating MS (proposed by the sponsor, but finally determined by the concerned MSs); concerned MSs have an opt-out possibility against the (positive) decision proposed by the coordinating MS. (d) Substantial modification of a clinical investigation (see also MDCG 2021d) (e) Clinical investigation of CE-marked MDs. These procedures under the new MDR 2017/745 are presented in detail in Table 4 a) to e). However, always observe the corresponding national regulations! Clinical investigations initiated under the old directives prior to the date of application of MDR 2017/745 (prior to May 26, 2021) may continue under the directives, except for the reporting of serious adverse events and device deficiencies, which must be performed as of May 26, 2021, according to Art. 80 of the MDR 2017/745 (see below).
3.2.5
Treatment of Adverse Events in the Context of Clinical Investigations (MDR 2017/745: Art. 80) The sponsor must fully record: i) Adverse events (AEs) identified in the CIP as critical to the evaluation of the results of the clinical trial. ii) All serious adverse events (SAEs). iii) Any device deficiency (DD) that could have led to serious adverse events. iv) Any new findings related to the above events. In addition, the sponsor shall report through EUDAMED to all MS involved: i) Any serious adverse event that has a possible causal relationship with test product, comparator, or test method. ii) Any product defect that could have led to serious adverse events. iii) Any new findings related to the above two events. This covers not only events in the MS involved but also in third countries where this clinical investigation takes place according to the same CIP. In coordinated trials,
242
W. Ecker
Table 4 a) to e): Administrative procedures for clinical investigations, acc. to MDR 2017/745, Chap. VI a) to e): Procedures for clinical investigations acc. to MDR 2017/745, Chap. VI: (MS: Member State; IMD: investigational medical device; d: days; ext: may be extended by x d; CA Competent Authority of MS) a) Single-MS-procedure for high-risk IMDs (invasive IMDs of class IIa or IIb and IMDs of class III): each MS assesses and decides application alone. Procedure step Time limits in d days Description 1) Application by sponsor via Documentation acc. to Annex EUDAMED XV.II of MDR. Application generates Union-wide single identification number (CIV-ID), which must be used for all relevant communication concerning this clinical investigation 2) Validation of application