The long-awaited Medical Device Regulation (MDR) date of application became a reality on 26th May. The transformation from the former medical devices directives creates major changes for many manufacturers – especially those whose products are stand-alone software or contain a software component.
In addition to many minor updates and additions, one of the most significant changes regarding software is the new MDR classification Rule 11. Among other details, Rule 11 states that software intended to provide information used to make decisions with diagnosis or therapeutic purposes is classified as class IIa. As a result, even those low-risk software devices are now lifted to at least class IIa, or even higher, depending on the potential impact they may cause.
The main practical consequence of the up-classification is that the software products (above class I) require a conformity assessment performed by a third party, i.e., a notified body. For many software manufacturers, this is the first time they have had to co-operate with external regulatory authorities. The manufacturer’s quality system is audited during the certification process, and the product’s technical documentation is reviewed. It is essential to note that the added scrutiny of the certification process requires additional resources and time.
A significant change in the device or processes – a threat or a possibility?
To smooth the transition to MDR, the grace period allows specific medical devices to be placed on the market or put into service after the date of application of the MDR, under certain conditions, until 26th May 2024. The concept of significant change must be well understood to utilise the grace period efficiently. Manufacturers are not allowed to make significant changes to the devices or related processes during the period without an MDR certificate. As a result, it is essential that the QMS's change management process takes this into account and can identify potential changes that would meet the criteria for a significant change.
The worst thing manufacturers can do – assuming that they have plans to introduce new features into their products at some point in time – is to use this grace period to ignore or forget the MDR requirements. Therefore, it is crucial to keep working on MDR implementation to avoid unpleasant situations in the future. It is also essential to note that several new MDR requirements apply even if the MDR certification process has not started.
Focus on the things you can influence
There has been quite a lot of public discussion about notified body resources, and indeed some are struggling with the new requirements and increased resource needs. Unfortunately, as a result, we have already experienced some delays in their answers to new certification project queries. Nevertheless, the best thing manufacturers can do now is to focus on what they can best influence.
Working towards meeting all the MDR requirements shortens the process for certification and enables product sales to start faster. However, the new requirements are also new for notified bodies, and co-operation processes between them and manufacturers might not yet be streamlined to be as smooth as possible. As a result, iterations can take a lot of time. While all the minimum MDR requirements should have been implemented by the date of application, now it is time for manufacturers to work even harder. One concrete tip – if not yet done – is to get ISO 13485 certified. Getting early feedback about QMS processes can be extremely valuable before meeting a notified body for the first time.
Trending: artificial intelligence and cybersecurity
AI is a hot topic for medical software manufacturers. However, unlike the new and concrete requirements related to, for example, post-market surveillance and vigilance activities, AI-related requirements are not explicitly spelled out in the MDR. Therefore, manufacturers must build their AI compliance around the concept of state-of-the-art. As Solita’s medical device, Oravizio, utilises AI, we have been working hard with this challenge. It has been a tricky road, as there are no direct or easy answers.
The other trending topic is cybersecurity. While risk management has traditionally focused on safety-related risks, more emphasis is now required on security risks. One good starting point is to read the whitepaper that we wrote earlier this year. Another concrete action to take is to get familiar with the current MDCG guidance on cybersecurity for medical devices (MDCG 2019-16) and the forthcoming standard IEC 81001-5-1. We expect that the standard will become an essential part of a manufacturer’s toolbox because it is included in the EU Commission’s harmonisation plans.
At Solita, we have been busy adopting RegOps with the new Regulation. Ensuring agile software development together with the tightening legislation is a challenging combination. This work never ends, but with a few iterations already completed, we are getting continually closer to the goal of automating everything we can in a regulated software development environment. Our experts are happy to harness our know-how to help others reach the next level of RegOps in their daily life.