Insights & Intelligence for Regulatory Leaders

What is EU MDR?

The EU regulation 2017/745 on medical devices, or EU MDR, was a major update to medical device regulations introduced in 2017. The MDR replaces the previous EU Medical Device Directive (MDD), and is designed to modernize the EU regulatory system to better address the current needs of the market and new technologies. Devices that received a CE mark under MDD are allowed to continue to market in the EU, but will need to be recertified under MDR by a Notified Body before 2024.

The main objective of the new regulation is to strengthen protection against risks posed by medical devices and to update regulations to properly account for new technologies. Major themes of the MDR include:

• Expanded focus on regulating the entire lifecycle of a medical device
• Greater emphasis on clinical data
• Increased oversight of notified bodies

Major differences between EU MDR and MDD

The MDR is four times the size of the MDD and has an increased focus on device safety (the word safety appears 290 times in the MDR, but only 40 times in the MDD). Medical device manufacturers have found that they need to update clinical data, technical documentation, and labeling for all devices; and medical devices above class I need to be recertified by a notified body under MDR. For these reasons, companies may re-evaluate their portfolios and remove older devices from the market that don’t have adequate clinical information or yield insufficient sales to justify recertification.

Labeling (UDI and EUDAMED)

The EU MDR represents a major overhaul of medical device labeling requirements. Under the MDR, device manufacturers need to place a unique device identifier (UDI) on all devices marketed in the EU. The UDI is comprised of a UDI device identifier (‘UDI-DI’) specific to a manufacturer and a device and a UDI production identifier (‘UDI-PI’) that identifies device production characteristics. Note that there are exceptions for custom and investigational devices. In addition, UDI information must be uploaded to the new European Database on Medical Devices (EUDAMED). Together, UDI and EUDAMED are designed to allow for greater traceability and transparency of marketed devices, including improved incident reporting, field safety corrective actions, and monitoring by competent authorities. The goal is to reduce medical errors and make it more difficult for falsified devices to reach the market. 

EUDAMED registration is not yet required, and changes to the specific data requirements of the database are expected. While manufacturers can enroll their device in the EUDAMED database, once that is done it must be maintained for the device. Some companies are choosing to wait until EUDAMED data requirements are finalized.

Classification rules

The MDR includes 22 classification rules, including four new rules and many updates to existing rules. Manufacturers need to verify classifications of existing devices under MDR, and may find that some devices need to be “up-classified,” resulting in more stringent regulatory requirements. Rule 11, in particular, requires the attention of any manufacturer with a device that includes software. Software that plays a part in decision-making or patient monitoring will move from a Class I to a Class IIa device. For additional information, read our recent post on Software as a Medical Device.

In addition, there are devices which were not in scope of the MDD, but are classified as medical devices under the MDR. These include products “without an intended medical purpose,” such as contact lenses.

General safety and performance requirements

MDD “Essential Requirements” have been replaced with “General Safety and Performance Requirements” in the MDR. There are 23 requirements, many of which are new, that device manufacturers will need to demonstrate conformance to. These rules place significant emphasis on risk management and “are a set of product characteristics, which are considered by the European authorities as being essential to ensuring that any new device will be safe and perform as intended throughout its life.”

Clinical evidence

New to the EU MDR is a requirement that every medical device must include sufficient clinical evidence to demonstrate compliance, dependent on the device class. This new requirement will have a significant impact on manufacturers selling existing devices without readily available clinical data. 

Post-market surveillance system

MDR establishes new requirements for a post-market surveillance (PMS) system to be an integral part of the manufacturer’s Quality Management System (QMS). Post-market surveillance programs should be designed to proactively monitor safety and performance of a device, and to report any defects or issues appropriately, with all serious incidents being reported within 15 days. In addition to the many new PMS outputs, manufacturers of class IIa, IIb, and III devices are required to prepare a Periodic Safety Update Report for each device.

Person responsible for regulatory compliance (PRRC)

Under the MDR, a manufacturer needs to assign a single, qualified individual to be responsible for ensuring conformity to regulatory requirements. In addition, each Authorized Representative has to have its own PRRC. 

Risk management and quality management systems

Risk management and quality controls should be in place throughout the lifecycle of the device. EN ISO 14971:2019 and EN ISO 13485:2016+A11:2021 are aligned with MDR requirements for risk management and QMS. Note that the QMS necessarily includes post-market surveillance and clinical evaluation plans.

Monitoring of notified bodies

The MDR introduced significant changes to the role and the oversight of notified bodies. The addition of post-market surveillance activities, technical documentation requirements  and increased clinical requirements have placed a larger burden on the notified bodies that perform conformity assessments, which include quality system audits and technical documentation reviews. There is currently a shortage of notified bodies accredited under MDR and the industry is carefully watching for any additional extensions of MDR deadlines.

EU MDR timeline and deadlines

The MDR was published on April 5, 2017. Medical devices can currently obtain certification under MDR, but not all devices will be required to be certified under MDR until May 25, 2024.

Becoming compliant with EU MDR

Compliance with the EU MDR, EU 2017/745, requires medical device manufacturers to demonstrate that their device is designed, manufactured, and tracked according to the regulation’s requirements. Manufacturers must focus on three overall components when pursuing approval to market a medical device in the EU.

• Quality management system: A medical device must be developed with an appropriate QMS in place to ensure that a device meets its intended purpose through proper controls around design, manufacturing, and post-market surveillance.
• Clinical evidence: MDR requirements for clinical evidence are higher for most devices than in the MDD. All medical devices must demonstrate safety and efficacy for the device’s intended purpose, along with benefit-risk analysis supported by appropriate clinical evidence.
• Regulatory systems and process: The EU MDR requires more extensive processes and documentation than the MDD around quality systems, post-market surveillance tracking, risk management, on-going clinical evaluation reports, technical documentation, and more.

For more information on the EU MDR and IVDR requirements, read our Ultimate guide to the EU MDR/IVDR unique device identifier (UDI) system and Ultimate guide to the EU MDR GSPR - general safety and performance requirements.

What is ISO 13485?

ISO 13485:2016 defines quality management system (QMS) requirements for organizations producing medical devices. Based on ISO 9001, the ISO 13485 standard is a stand-alone document with specific requirements for medical device manufacturers, including a greater focus on risk management and additional documentation requirements.  

Note that this standard is based on ISO 9001:2008, not the more recent ISO 9001:2015, because of the focus on customer satisfaction and continuous improvement in the newer ISO standard. 

Globally, ISO 13485 is the most common regulatory standard addressing quality management systems for medical devices. The standard is focused on QMS effectiveness and meeting regulatory and customer requirements. For a good source of additional information, and step-by-step implementation guidance, see ISO 13485:2016 – Medical devices – A practical guide, published by the committee that drafted the standard.

Where is ISO 13485 compliance required?

Compliance with ISO 13485 is required of most medical devices by all European Union members, UK, Canada, Japan, Australia, and many other countries. ISO 13485 is the quality standard accepted as the basis for CE marking in the EU.  Medical devices marketed in the United States, however, must meet the requirements of the FDA’s Quality System Regulation (QSR), which is sometimes referred to as Current Good Manufacturing Practice (CGMP).

An audit of an organization’s QMS by an independent certifying body or registrar is required to demonstrate compliance with the ISO 13485  standard.

ISO 13485 vs FDA QSR

While the QSR and ISO 13485 are structured differently, they have no conflicting requirements. Currently, companies who are marketing a medical device in the U.S. and in other markets, will need to comply with both ISO 13485 and the FDA’s QSR, as defined in 21 CFR 820. 

However, the FDA is moving towards harmonizing these standards and on February 23, 2022 issued a proposed rule to amend the QSR to align more closely with the international consensus standard for Quality Management Systems, primarily by incorporating reference to the ISO 13485 standard. The FDA has published FAQ’s about the proposed rule.

On September 9, 2021, the European standardization bodies CEN and CENELEC published the 2021 amendment, EN ISO 13485:2016+A11:2021, “Medical devices. Quality management systems . Requirements for regulatory purposes”, featuring new annexes ZA and ZB that link the requirements of the Medical Device Regulation (MDR, EU 2017/745) and the In Vitro Diagnostics Regulation (IVDR, EU 2017/746), respectively, to specific clauses of the standard. Note that  EN ISO 13485 is a parallel standard issued by the European Union, which is identical in its requirements to the ISO 13485 international standard, with the exception of the new annexes.

ISO 13485 requirements

ISO 13485 contains eight sections. This article focuses on the last five sections as the first three are introductory, and include scope, definitions, and other general information.

Quality Management System (Clause 4)

• General requirements: General requirements set forth the overarching requirements for the implementation of a quality management system, including an adherence to the standard and the commitment to having written procedures around documentation and risk management—along with the assurance that those procedures are being followed.
• Documentation requirements: ISO 13485 documentation requirements include the creation of a quality manual, or its equivalent. In addition, this clause specifies unique record requirements for medical device manufacturers, including; product specifications and guidance on intended use, a document control plan that ensures document integrity, and a record control plan that ensures the security and authenticity of the data in the system.

Management Responsibility (Clause 5)

ISO 13485 details specific responsibilities that must be demonstrated by the management team of the organization implementing this standard. In general, Management must ensure that the organization is committed to the quality policy by:

• Focusing on the end user and ensuring that they have the tools they need to adhere to the standard.
• Ensuring that all rules are followed during the manufacturing process.
• Communicating to employees the importance of quality policies and procedures, and affirming Management's commitment to the system.
• Delegating authority as necessary to ensure the implementation of and adherence to the quality plan.
• Performing periodic reviews of the quality system and implementing any necessary improvements (Management Review).

Resource Management (Clause 6)

An organization’s top management must provide the necessary resources to ensure compliance with ISO 13485. It is not enough to put a quality system in place, it must be supported throughout the organization. Management must allow the proper resources to be assigned to quality system activities by providing proper personnel, infrastructure, tools and equipment, succession planning, and risk aversion planning. 

Product Realization (Clause 7)

The process of developing a new product includes everything from the original conceptualization through design and implementation. This clause of ISO 13485 places importance on communication and processes throughout the entire product life cycle. An organization with a strong quality system in place will have processes that detail how they capture initial ideas and requirements, plan and develop the product, and monitor customer use.

Measurement, Analysis, and Improvement (Clause 8)

ISO 13485 also stresses the importance of following your product once it is released by tracking customer feedback and then monitoring and measuring product performance by:

• Managing complaints.
• Making appropriate notifications and reports to regulatory authorities.
• Identifying and addressing any nonconforming products.
• Continually monitoring product performance and working to improve processes.

The importance of ISO 13485

ISO 13485 is the international standard for quality management systems within the medical device industry. Implementing this standard is not only required for market entry in the EU and other countries, but provides a solid foundation for quality throughout your product’s full life cycle.

Additional information on Rimsys standards management can be found here.

‍

Prioritize the needs of your regulatory team

Regulatory affairs teams are responsible for highly critical components of a medtech company’s success, including:

• Market Entry: Meeting go-to-market goals by ensuring accurate, timely market registrations and approvals.
• Regulatory Integrity: Protecting a product’s market position by maintaining regulatory compliance within an ever-changing regulatory landscape.
• Post-market Compliance: Ensuring compliance with post-market surveillance and reporting requirements specific to each market and each device classification.
  

Your regulatory team should be focused on positioning your products for success in every market you enter.  But, did you know that regulatory professionals spend between 30% and  50% of their time looking for the data that they need to do their jobs?  This is because many regulatory teams are still using spreadsheets or manually pulling together data from eQMS, PLM, ERP, and other disjointed systems to track the information they need to ensure compliance across markets.

RIM systems compared to eQMS systems

Regulatory Information Management (RIM) systems provide a platform purpose-built for regulatory teams.  There are quality systems that provide some regulatory functionality, such as tracking  product registrations and even supporting the creation of submission documents.  However, these systems fall far-short of providing holistic regulatory management functionality.  While functionality can vary among eQMS and RIM systems, RIM systems tend to offer the following features above and beyond what you will find in eQMS modules:

Standards management

International standards play a critical role in regulatory affairs. Regulatory teams need to track which standards are relevant to their products, and link them to product records and/or technical documentation. Any changes to standards can be captured, and impacts to products can be identified automatically.  A good RIM system will flag regulatory changes, identify the affected products, and track updates and approvals as needed.

Essential principles management

As more countries and regions around the world adopt Essential principles or GSPR requirements, the regulatory burden of creating and maintaining complex technical files grows. In addition to tracking international standards, RIM systems can fully digitize essential principles/GSPR tables,  and allow users to link them to relevant standards and products.  This structure allows regulatory teams to easily author, and, more importantly, make automatic bulk updates to tables when standards or product details change. 

UDI management

Another growing regulatory burden is the proliferation of UDI requirements. UDI has traditionally been considered a labeling or supply chain concern, but the growing number of country requirements mean that UDI data management is a key component of getting any product to market. RIM systems can manage country-specific UDI data alongside products, registrations, certificates, and other regulatory documents, allowing regulatory teams to ensure that UDI information is correct and up to date. 

Regulatory Intelligence

One of the reasons that regulatory teams spend so much time looking for information is that it’s simply hard to find trustworthy regulatory intelligence. Some RIM systems provide a regulatory intelligence database along with their digitization and automation capabilities. This means that regulatory teams have access to quality (well-translated) information, and can use it directly within their processes.

RIM Integrations

RIM systems are also built to integrate with eQMS, PLM, and ERP systems providing a strong regulatory framework across the company, including:

• The ability to use product ‘selling status’ in the RIM system to control the ability to market and sell the product in the company’s ERP system (on a product-by-product and country-by-country basis).
• Ensuring consistent and up-to-date SKU lists between product submissions being created in RIM systems and product development being tracked in PLM systems.
• Triggering regulatory impact assessments when quality records are updated in the eQMS .
• Providing consistency in regulated data among manufacturing, engineering, and regulatory data.
  

Why you want best-of-breed software: The “all-in-one” myth

Much of the software developed today is designed with integration in mind, and API integrations make it possible to create direct, customized links between separate systems. The days when system integrations meant custom code, batch imports, and clumsy (sometimes unreliable) data synchronization are gone. 

This means that organizations can, and should, choose the right software for each task or team. The ability of your regulatory team to work effectively and efficiently is critical to the success of your product market launches, regulatory submissions, and the on-going management of each product in each market. Don’t make them settle for functionality in another team’s system - give them software designed specifically for their needs!

“Best-of-breed,” purpose-built software for each team not only gives everyone in your organization the tools they need to be most productive and successful, but minimizes the costs and risks associated with customizing systems to do something they were not meant to do.

To learn more about RIM tools, read the Rimsys Benefits data sheet.

What is 21 CFR Part 11?  

21 CFR Part 11 refers to the federal regulation that address electronic records and electronic signatures associated with FDA requirements. This single, relatively small, part of the Code of Federal Regulations is extremely significant for companies with FDA-regulated products because it impacts every document signature, electronic file, and FDA submission. Codified in 1997, interpretations of this FDA-issued regulation continue to be debated and re-evaluated as the technology supporting electronic records and signatures changes. In this article, we’ll discuss the regulation and generally accepted interpretations.

Note that discussions and statements in this document are our observations only and should not be taken as fact. You can refer directly to the regulation here.

Part 11: General Provisions

The General Provisions section of 21CFR11 addresses the scope of the regulation, when and how it should be implemented, and defines some of the key terms used. It states that the purpose of Part 11 is to define the criteria under which electronic records, electronic signatures, and handwritten signatures attached to electronic records are equivalent to, and as reliable as, handwritten signatures on paper documents.

Fundamentally, any record that is maintained, used, or submitted under any FDA records regulation is subject to Part 11, and the FDA will accept electronic records in lieu of paper records if an organization can prove that their records and systems meet the Part 11 requirements.

The General Provisions subpart also sets forth a number of definitions, and we’ve listed the ones that are most significant to our discussion here:

• Closed System: A computer system or software whose access is controlled by the same people who are responsible for the information stored in the system. Because the opposite of a closed system, and “open system,” is subject to additional scrutiny be sure that you are able to thoroughly explain and provide documentation for a decision to classify your system as a “closed system.”  
• Open System: A computer system or software whose access is not controlled by the same people who are responsible for the information stored in the system.
• Digital Signature: An electronic signature created in a manner that can be verified, ensures the identity of the signer, and maintains the integrity of the document and signature. This often involves the use of cryptography and/or biometric data.
• Electronic Signature: Symbols that represent a legally binding equivalent to an individual’s handwritten signature (as adopted and authorized by the signer).
  

Part 11: Electronic Records

The Electronic Records section sets forth the requirements for administration of closed and open electronic record-keeping systems, then discusses signature manifestations and requirements for establishing a link between signatures and records.

Part 11 defines a “closed system” as any computer system in which the users controlling access to the system are the same people who are responsible for the data in the system. Today, most systems can be classified as closed systems, but take special care to document control procedures around software that is hosted offsite or classified as a SaaS solution.  

This section of the regulation deals with the controls that need to be in place for all applicable electronic record systems by defining:

• Procedures to ensure that all electronic records are authentic, have integrity, and can ensure confidentiality (where that is appropriate).
• Validation requirements for systems that maintain electronic records to ensure that all records are accurate, reliable, and that the system performs consistently according to regulatory requirements.
• Audit trail requirements for all regulated records to ensure a complete history of all changes to records are maintained.
• Controls around system access and document signatures.
  

Part 11: Electronic Signatures

The Electronic Signatures section defines the components of electronic signatures and the required controls and procedures necessary for using them.

In general, an organization must be able to demonstrate that electronic signatures:

• Are unique to each individual, and that the individual assigned an electronic signature has had their identity and level of authorization verified.
• Must be based either on biometric data (such as fingerprints) or made up of two distinct pieces (ie: a User ID and password)
• Require appropriate controls to ensure that they are verified periodically, cannot be used by someone other than the intended user, and are immediately deactivated if compromised in any way.
  

Practical application of 21CFR Part 11 for regulatory affairs professionals

21 CFR Part 11 is a critical regulation, and one that can be open to interpretation. Below, we cover some of the key areas that should be of concern for RA professionals. This is an overview of key areas only, and should not be taken as complete instruction or guidance for 21CFR part 11 compliance.

System compliance and validation

Any system that you are using to store electronic records that fall under FDA regulations needs to be compliant with Part 11. This includes everything from spreadsheets to full-featured RIM and document management systems.  

Software vendors will often document how their systems are developed to be compliant, and may even support system validation during implementation - but it is ultimately the responsibility of the user organization to ensure that their systems and processes are compliant with Part 11.  System validation is the process of documenting that your system meets all of the Part 11 requirements.  Software vendors can support this process by ensuring that their systems are built on a highly secured infrastructure that can be demonstrated and proven.  

The Rimsys system was built from the ground up to meet the stringent requirements of not only 21 CFR Part 11, but other industry standards and good practices guidelines (GxP).  We have put in place a rigorous validation program, built by industry experts and supported by a secure and well-documented infrastructure. For more information, visit the Rimsys Security and Privacy page.

Audit trails

Audit trails are the required system logs that track the who, when, and what of every change made to data that falls under Part 11. Audit trails should be generated and time-stamped by the system, with no ability for users to change that information. Audit trails serve two purposes under 21 CFR Part 11:

• To demonstrate that documented policies and procedures are being followed, including that only users with the appropriate authority are managing data.
• To prove that data retention policies are being adhered to (see below).

At any time, you should be able to view the history of any record, from a Design History File to a submission document, in order to determine what changes have been made, when they were made, and by whom.

Record retention

21 CFR Part 11 specifies that electronic records must be protected and readily available throughout the defined record retention period. Additionally, 21 CFR Part 820 specifies that records related to the quality, manufacturer, regulatory submissions, or any other data that falls under FDA regulation, should be maintained for the life of the medical device and for a minimum of two years from the date of first commercial distribution.  This is often referred to as “cradle to grave” tracking.

This means that regulatory professionals need to not only be aware of their company’s record retention policy, but need to ensure that any system being used to track regulatory submissions or other data subject to audit meets Part 11 and Part 820 requirements. Note that record retention requirements apply also to paper records where they are the source document.

Electronic and digital signatures

An important piece of 21 CFR Part 11 is its definition of electronic and digital signatures. “Electronic signature” is used to define any set of symbols that are used in place of a handwritten signature, whereas a “digital signature” is an electronic signature based on methods that ensure the identity of the signer where the integrity of the data can be verified. A digital signature can be based on biometric data (such as fingerprints) or secure user IDs and passwords that are controlled to ensure only one authorized user can use the signature.  

As a regulatory affairs professional, you should ensure that:

• Everyone on your team who needs to sign documents has their own unique digital signature and understands the importance of protecting it. Sharing of electronic credentials is a common FDA audit observation. Also ensure that users who are not required to sign documents have appropriate access to data to discourage other users from sharing login credentials with them.
• You are following your company’s policies concerning electronic signature audits so that passwords remain updated and strong and signatures are revoked when a user leaves or changes positions.
• You immediately report any possible loss, theft, or sharing of user credentials or devices that generate identification codes.
  

While 21 CFR Part 11 is usually considered more of a “quality regulation,” it is important that regulatory teams within medical device organizations fully understand this regulation and its compliance implications.  To learn more about the regulations, click below to read our regulatory brief.

Medical device manufacturers around the world are facing an ever changing and increasingly demanding regulatory environment. This growing complexity is driving a renewed focus on digital transformation within the medtech industry, leading companies to reevaluate, expand, and update current systems.  Ensuring that your company has the right software in place to implement strong processes and controls around product development, product quality, and regulatory compliance is critical. Relying on an eQMS, PLM, or RIM system that isn’t purpose-built for your needs is likely to provide inconsistent levels of functionality across your organization, and also lead to potential compliance issues.  

For example, an ERP system with a configure-to-order or strong engineering focus may provide a core PLM functionality, but only a small quality module that was added late to the product. In this case, your quality and regulatory teams could be left to build custom functionality or work in spreadsheets outside of the system. To ensure that everyone in your company has the functionality they need, consider best-in-breed software for each team - including the engineering and product development, quality, and regulatory teams. Today’s technology is built with integration in mind, and there are strong reasons for integrating your PLM, eQMS, and RIM systems.

In this article, we will provide an overview of PLM, eQMS, and RIM systems - their core capabilities, strengths, and what to consider if your company is a medical device manufacturer looking to add or update software systems.

PLM for medical device manufacturers

Product Lifecycle Management (PLM) systems are typically used by product development and engineering teams to optimize resources, shorten product development time, and manage a product throughout all phases of its life. The primary functions of a PLM system include:

• Change management (ECN and ECO control)
• Product history and revision management
• Configuration management
  

A PLM system for a medical device manufacturer is used to mange each product’s design history file (DHF) and device master record (DMR). The PLM system will store bills of material for each revision of the product, and can therefore be integrated to a core ERP system to ensure that production adheres to the approved design.

PLM systems manage the workflow around product changes, typically including both Engineering Change Notices (ECN) and Engineering Change Orders (ECO). Change requests and execution, including reviews and approvals, can therefore be managed through one system. Medical device manufacturers may have issues, however, tracking product changes not related to the device components themselves, such as labeling changes. While it is certainly possible to track non-product changes within the BOMs of a product in PLM or ERP systems, many medical device manufacturers may move the ECN process to their eQMS system, and manage product-based ECO’s in the PLM system.

eQMS for medical device manufacturers

Quality Management Systems are built around strictly controlled workflows and closed-loop processes. Unlike a PLM system, an eQMS (Enterprise Quality Management System) system is not product-focused, it is process-focused.  Some of the items that an eQMS provides centralized control for, include:

• Document control
• Non-conformance tracking
• CAPA management
• Risk management
• Supplier quality control

A strong eQMS system allows medical device manufacturers to establish quality controls from supplier to customer, and is critical for meeting the requirements of 21CFR Part 11, 21CFR Part 820, and other quality and electronic records regulations.

According to Qualio, a leading provider of eQMS systems for the life sciences industry, there are 5 Indispensable Features of Enterprise Quality Management Software:

• Company-specific features unique to your requirements - that align with the needs of your team and your processes, so that you don’t need to spend significant effort customizing and configuring the system.
• Ability to integrate processes - in order to integrate with data and processes from other systems (such as PLM and RIM systems).
• Flexible and expandable - allowing the system to grow with your company as you need new features and functionality.
• In-depth reporting capabilities - to give your teams visibility into the data they need to make effective decisions every day.
• Meets compliance standards - to make audits and compliance as easy to manage as possible.
  

RIM systems for medical device manufacturers

Regulatory Information Management (RIM) systems facilitate and automate regulatory activities. Regulatory affairs professionals are responsible for managing increasingly complex regulatory requirements, often across many markets.  This means that RA professionals spend more than 50% of their time looking for data needed to complete regulatory submissions and ensure compliance with updated regulations. RIM systems centralize, organize, and manage all regulatory information, while automating and streamlining the regulatory processes around it.  It is also worth noting that the first RIM systems were designed for the pharmaceutical industry, and did not meet the needs of medical device RA teams.  RIM systems specific to the medical device industry have more recently come to market to address the needs of medtech RA teams and the increasingly complex devices and regulatory landscape they work with.

The key capabilities of a medical device RIM system:

• Product and registration management is the most central piece of functionality in any RIM system. RIM systems are product-focused (as are almost all RA activities) and enable detailed product information to be centralized and tracked, including registration and selling status by market.
• Regulatory submissions are an important and time-consuming responsibility for RA professionals. RIM systems can provide country-specific submission templates, integrate to product and quality information in PLM and eQMS systems, and allow you to manage the workflow around creating a submission document - not to mention the assembly of the final submission package.
• Regulatory intelligence is provided in some RIM systems, and solves a major challenge faced by RA teams.  Regulatory requirements not only differ across markets, but can change frequently.  A RIM system with a regulatory intelligence component delivers up-to-date, market-specific regulation information, along with monitoring to alert your RA team of changes.
• Essential principles and standards management supports the creation and maintenance of technical files, and GSPR/Essential principles checklists. This significantly reduces the time it takes RA teams to document when standards or product details change.
• UDI and label management may be handled separately from other regulatory activities in your organization, but integrating them within a single RIM system can simplify data collection and management, and electronic submissions to government databases.
• Project management capabilities are important in any RIM system, enabling the management of tasks, requests, and approvals around regulatory activities.  RIM systems provide the traceability that regulatory teams need by keeping a detailed history of every project task, update, and approval.
• Reports and dashboards available in a RIM system provide RA teams with the information they need to understand how long regulatory submission and other processes typically take, product and market-specific registration information, and other insights that pull from the large amount of data stored in your RIM system, allowing your RA team to function as efficiently as possible!
  

Do medical device manufacturers need PLM, eQMS, and RIM?

We might be a bit biased, but we feel strongly that the answer to this question is “Yes.” Why? Because product development teams are expected to release new products more quickly than ever, quality teams need to ensure company-wide process meet multiple quality standards, and regulatory teams are facing an increasingly complex and quickly changing regulatory landscape. Each of these teams needs functionality built specifically for them to ensure that they are as efficient and effective as possible. Delaying a product launch, failing a quality inspection, or missing a regulatory submission deadline are not acceptable outcomes. Combine this with the fact that today’s systems are truly built with integration in mind - so that information can be shared, not duplicated, across systems.  Learn more about the system that Rimsys integrates with.

If you are interested in learning more about RIM systems - read our RIM Buyer’s Guide for MedTech Companies.  ‍

And if you are interested in learning more about the Rimsys RIM system - schedule a personalized demo to see the product for yourself!

What is software as a medical device (SaMD)?

As the pace of technological innovation continues to increase, the definition of what constitutes a medical device also continues to evolve as countries update regulations.  In 2013, the International Medical Device Regulators Forum (IMDRF) created the Software as a Medical Device working group. Currently chaired by the U.S. FDA, the working group is chartered with developing guidance that encourages innovation while assuring safe and effective products. While SaMD is regulated differently in different countries, this article will focus on the many similarities, and some differences, between the FDA regulations in the U.S. and the MDR regulations in the EU.

In general, medical device software falls into 3 different categories:

• Software as a Medical Device (SaMD): The IMDRF defines SaMD as “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.” We list specific examples below, but typically the software classified as SaMD isdesigned to run on generally available hardware, such as Windows computers or mobile devices, or online in the “cloud”. While they may be utilizing data from another medical device, SaMD performs its function independently of any medical equipment or hardware.  
• Software in a Medical Device: Sometimes referred to as SiMD, Software in a medical device cannot operate separately from its device, or perform its primary function without the device. For example, the software used to program and run an MRI machine would be useless without the MRI machine. Software in this category is regulated together, and as part of, the whole device.
• Software as an Accessory to a Medical Device: Similarly to Software in a Medical Device, software in this category cannot fulfill a medical purpose on their own. In some cases, a manufacturer may be able to bundle or embed the software in the medical device (making it SiMD) and/or also sell the software separately, making it an accessory.
  

Similarly, in Europe, the European Commission’s Medical Device Group (MDCG) defines Medical Device Software (MDSW) as a having its own intended purpose. Software which controls a medical device or is otherwise part of a medical device and does not serve a separate medical purpose does not qualify as MDSW, but is regulated by the MDR.

Software in the SaMD category is both a medical device AND software - with relevant regulatory and quality considerations that are specific and unique to each category, yet which must work in tandem. For example, software development best-practices, referenced by the IMDRF SaMD working group, call for iterative feedback loops allowing for quick turnaround of feature requests and bug fixes. While the ability to provide the latest technology and features to the market is an important advantage with SaMD, it does not supersede applicable medical device regulations governing patient safety and efficacy.  

Examples of software as a medical device (SaMD)

Because SaMD software, by definition, is capable of running independently of any specific medical device or hardware, there is a relatively clear line between Software as a Medical Device and other medical software:

SaMD regulatory overview and framework

Why does SaMD have independent regulatory considerations?

Over the past decade, the IMDRF, FDA, and other regulatory bodies have worked to better align regulations with the quickly evolving capabilities and nature of digital devices. Software-only devices (SaMD) generate unique opportunities and considerations:

Because SaMD software typically runs on publicly available hardware:

• SaMD software must not only be designed to work on specific platforms (usually multiple), but must also be tested and updated frequently as new hardware and operating systems become available.  
• Agile software development methodologies can provide an environment in which fast product feedback loops are supported within the required regulatory framework.

Because SaMD software can be made readily available to the general public, or specific patient groups, using their own devices:

• SaMD software can generate faster user/patient feedback - both for medical professionals and for the device manufacturer. Given this environment, regulatory bodies generally want to enable the market to safely take advantage of new innovations as quickly as possible.
• Product testing needs to take into account the unique and varied environments in which the software may be used, potentially in environments the product is not intended for. The software developer cannot control updates to operating systems or internet browsers, other software that may be running on a user’s device, or the ability for the user to potentially share software or data with others.
• The advantages of quickly delivering product fixes and updates need to be measured against potentially introducing new, possibly misunderstood or unwanted features, to all users at once.  

SaMD and MDSW risk-based categories

As with all medical devices, the FDA and European MDR classify SaMD and MDSW, respectively, based on the potential impact to patient or public health. The SaMD categorization framework from the IMDRF is an effort “to introduce a foundational approach, harmonized vocabulary, and general and specific considerations, for manufacturers, regulators, and users alike to address the unique challenges associated with the use of SaMD...” This framework provides guidance only for today’s medical software developers, as well as regulatory bodies, such as the FDA. The chart below lists these risk categories by the state of the healthcare situation or condition and by the significance of the information provided by the SAMD:

SaMD categories

‍‍SaMD Category I:  

SaMD Category I software can provide information for both Serious and Non-Serious health conditions or diseases. Software dealing with serious conditions can be classified in Category I only if it is providing information to inform, not drive, clinical management and is of low impact. Otherwise, Category I SaMD software provides information related to non-serious diseases or health conditions.

Example: Software that collects exercise-related data, such as heart rate, number of steps, and distance walked. If the information is stored and/or transmitted for use by a qualified professional the software is considered to be in Category I, as long as the information is not used by the software to make treatment recommendations directly to the patient or healthcare provider.‍

SaMD Category II:‍

SaMD software in Category II may be used to provide information relevant to a non-serious, serious, or critical healthcare condition or disease, depending on the significance of the information it provides to the healthcare decision. Software that is used to treat or diagnose a health condition is only classified in Category II for non-serious health conditions. Software that provides information regarding serious or critical health conditions or diseases will be classified in Category II only if it provides information to drive or inform, respectively, clinical management decisions (as opposed to providing treatment or diagnosis recommendations directly).‍

Example: SaMD that monitors a diabetic patient’s carbohydrate intake and blood glucose level to calculate recommended insulin dose.‍

SaMD Category III:

SaMD software that provides information to treat or diagnose serious conditions - or which drives clinical management for a critical condition - is classified in Category III.‍

Example: SaMD that analyzes individual data from at-risk populations for a specific type of cancer, and is used to develop preventative intervention strategies. ‍

SaMD Category IV:

SaMD Category IV software provides information used to treat or diagnose a critical health condition and is considered to be very high impact.‍

Example: SaMD that evaluates images of skin lesions in order to determine malignancy.  ‍

For SaMD intended to be used in multiple healthcare situations, the software will be categorized at the highest category according to the SaMD definition statement. ‍

SaMD within the FDA and MDR regulatory framework

The graph below relates SaMD categories with FDA medical device classes, and further identifies where an independent review is recommended by the FDA. For additional information see Software as a Medical Device (SaMD): Clinical Evaluation.  Guidance for Industry and Food and Drug Administration Staff.‍

Note that FDA regulatory classifications more closely align with the IMDF’s SaMD categories than do those defined by under the European MDR. In the U.S., a device is classified by identifying similar, predicate devices. The simpler 510(k) pre-market submission can be used if a manufacturer can show that their device is substantially equivalent to a Class I or II device. With few exceptions, devices that are Class III are subject to the more rigorous Pre-Market Authorization (PMA) process.  Devices where no substantial equivalent can be shown are subject to to the PMA or De Novo regulatory submissions processes.  The De Novo process was implemented in 2010 to provide a pathway for novel devices with lower risk profiles.

Medical Device Software is classified by the European Commission’s Medical Device Coordination Group (MDCG) into Class I, II, or III. For devices falling under the IVDR, the MDR defines four classes using letters; A, B, C, and D.

In the EU, a rules-based framework is used to classify devices. MDSW classification is relatively complex, using a series of 22 “waterfalling” rules with yes/no questions that lead to a final classification of each device. While we won’t go into detail in this article on each of the rules, Rule 11 does deserve discussion. (You can read the Guidance on Classification of Software for MDR and IVDR here).

The MDR’s “rule 11” regarding MDSW classification was released in 2017. This rule  states, in part, that “Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes is classified as class IIa.” The rule then provides 2 exceptions that increase the MDSW classification in cases where the decisions could cause “a serious deterioration of a person’s state of health or a surgical intervention” (class IIb), or could cause “death or an irreversible deterioration of a person’s state of health” (class III).

As a result of this rule, very few MDSW products can be classified as Class I, meaning that the majority of MDSW is subject to conformity assessments by a Notified Body. Medical software manufacturers marketing their product in Europe should therefore not rely on previous product classifications as a guide.

The future of regulatory approval for software as a medical device (SaMD)

The FDA recently released a new draft guidance document addressing the Content of Premarket Submissions for Device Software Functions. This is a major update of the 2005 guidance on pre-market submissions for software in medical devices and is also long overdue, given the pace of change in the software industry (the FDA originally committed to delivering this update in their fiscal year 2019 as part of the MDUFA IV agreement). This guidance sets out requirements for all pre-market submissions, including 510(k), DeNovo, and PMA submissions.

The recent draft document provides additional guidance around the documentation required for premarket submissions. It defines an “enhanced” level of documentation required for software that is a Class III device, combination product, Blood Establishment Computer software, or when the failure of the software would present probable risk of death or serious injury.  

Staying on top of medical device classifications

Classifying a medical device and gaining regulatory clearance can be a complex process, especially if the device contains software or other emerging technology where some regulatory bodies may be further along than others in developing applicable regulations. For additional information about some of the common pathways to market for new products in the U.S., read our Beginner’s Guide to the FDA 510(k) and Beginner’s Guide to the FDA De Novo Classification Process.

Interested in learning how Rimsys can automate your submission process? Request a custom demo of our RIM platform.