Author: Brandon Miller

For medical device manufacturers, technology can be a double-edged sword. The innovative technologies that elevate the quality of life for patients can also be used to potentially undermine the organization using the device. The consequences can affect the device itself if we do not implement good IoT cybersecurity and FDA cybersecurity protocols. At Regulatory Compliance Associates®, we offer a wide variety of services for medical device security to help ensure that your product is protected from cyber-attacks.

 

With a well-planned design, along with full visibility of product development and the supply chain, RCA can help strengthen your device’s cybersecurity posture throughout. We partner with medical device companies for the entire life cycle, from the development of your product to the regulatory submission to your notified body.

 

Cybersecurity Medical Device Services

 

  • Supporting cybersecurity aspects of design control using secure design principles for the entire Product Lifecycle.
  • Performing gap analyses on your device’s current cyber resilience.
  • Utilizing threat risk modeling to identify potential vulnerabilities or the absence of appropriate safeguards for future threats.
  • Generating regulatory submission documentation per the FDA’s cybersecurity guidance, as well as the EU MDR MDCG 2019-16 cybersecurity guidance.
  • Performing a cyber risk analysis to manage confidentiality, integrity, and availability and reduce attack surface area.
  • Creating a software bill of materials for purchased components of the product to better manage vulnerabilities.
  • Independent 3rd party validation of cybersecurity requirements.
  • Analysis and evaluation of current ISO 14971 risk management procedures.

 

Trustworthy Medical Device Cybersecurity

 

  • Contains hardware, software, and/or programmable logic that is based on FDA cybersecurity guidance and regulatory standards.
  • Provides a reasonable level of availability, reliability, and correct operation.
  • Is reasonably suited to performing its intended functions.
  • Adheres to generally accepted security procedures.

 

Cybersecurity Medical Device Best Practices

 

  • Identify assets, threats, and vulnerabilities.
  • Assess the impact of threats and vulnerabilities on the device’s safety and performance.
  • Assess the likelihood of a threat as well as the likelihood of a vulnerability being exploited.
  • Determine security risk levels and suitable mitigation strategies.
  • Evaluate residual security risk and risk acceptance criteria.

 

To begin the Regulatory Compliance Associates scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. You may also email us at [email protected].

Medical Device Regulations Changes coming with Brexit.

Listen to this highlight from RCA Radio where Seyed Khorashahi breaks down the UK’s Medical Device Regulations resulting from Brexit and choosing not to join the EU MDR.

 

 

Listen to the entire episode where we go over Brexit and all of the important things happening in the Medical Device industry here.




Changes with Brexit

The UK will not be transitioning to the EU MDR or IVDR and will be staying with the MDD, AIMDD, and IVDD. They plan on making changes in the future as necessary for the UK market.

 

CE Marking

The MHRA will recognize the CE Mark for devices until June 30th, 2023.

  • This applies to products CE marked under the MDD, IVDD, and AIMDD, as well as the MDR and IVDR.
  • Class I and General IVD manufacturers can continue to self declare.

 

Conformity Assessment Marking (UK CA)

  • UK Notified Bodies will become UK approved bodies starting January 1st, 2021
  • Device manufacturers can use UK approved bodies for UK CA marking starting on January 1st, 2021
  • UK CA marking will be mandatory on July 1st, 2023

 

MHRA Registration Requirement Dates

 

  • May 1st, 2021
    • Class III medical devices & IVD list A devices
    • Class II b implantable devices
  • September 1st, 2021
    • Class II b non-implantable and II a & IVD list b products
  • September 1st, 2022
    • Class I medical devices and general IVDs

 

UK Responsible Person

Manufacturers without a presence in the UK will need a UK responsible person, which can be an individual or company, similar to an EU authorized representative.

 

 


 

The application date of May 26, 2022, for the EU In-Vitro Diagnostic Medical Devices Regulation (2017/746) (IVDR) has created a huge challenge for IVD medical device firms planning to introduce or continue to market their IVD products to any of the European Union Member States. 

 

One of the biggest changes from IVDD to IVDR is the move from list-based IVD device classifications to a rule-based IVD medical device classification resulting in 4 new device classes: class A (lowest risk) to class D (highest risk), where class B, C, and D would require Notified Body involvement.

 




 

“The combination of major changes to the IVDR device classification resulting in a 3-fold increase in IVD medical devices requiring notified body involvement and lack of adequate IVDR designated notified bodies has created a huge bottleneck to getting ready for the EU IVDR by the application date of the EU IVDR,” says Seyed Khorashahi, Executive Vice President of Medical Device and CTO of Regulatory Compliance Associates Inc.® (“RCA”).

 

This change alone would result in a huge number of medical devices requiring Notified Body involvement. It is estimated this quantity of medical device products will increase from 20% under MDD to approximately 80% under IVDR.  As of this writing, there are only 4 IVDR designated Notified Bodies, which visibly increases the number of goods our clients must submit. 

 

 “Right now, we’re partnering with global clients that have both a small and sizable product portfolio of In-Vitro Diagnostic Devices, and they are at different stages in their IVDR implementation efforts,” says Lisa Michels, General Counsel for Regulatory Compliance Associates® Inc. (RCA). “Proactive strategic planning and effective resource allocation are critical for the timely execution and implementation of a comprehensive IVDR Implementation Plan. IVDR manufacturers must consider and prepare for potential delays such as scheduling bottlenecks for Notified Body Conformity Assessment activities, which may directly or indirectly impact their planned commercialization efforts for existing and/or new IVDR products. IVDR manufacturers must establish contingency plans to mitigate some of these potential challenges in this new regulatory environment under the EU IVDR since all IVDR manufacturers are facing the same task.”

 

Additional nuances from IVDD to IVDR are based on a medical device lifecycle approach and include:

 

  • Requirements for medical device manufacturers to establish and demonstrate effective quality management systems (QMS)
  • More stringent requirements for clinical evidence demonstrating conformity.
  • New requirements for post-market performance monitoring and reporting
  • Greater supply chain oversight and device traceability, including giving the notified bodies discretionary authority to supplier audits and subcontractor compliance.

 

The transition from IVDD to IVDR can be a time-consuming process, and many companies are still in the process of regulatory transition. 

 

“It’s time-sensitive because our clients are learning how to deal with their current notified body, and if they are still the correct partner to work with,” continued Khorashahi. “We initially start with a strategic approach to plan their regulatory strategy of current IVD medical devices in the field and their IVDD certificate expiration date to prioritize the products that need immediate attention. Each of the IVD medical devices has to be reclassified according to the new IVDR device classification rules.”

 

If you are a small to medium size company and have not already started your transition, now may be the opportune time to engage with a strategic partner like RCA to prepare for the IVDR deadline.

 

“Timely compliance to the IVDR requires a dedicated team of subject matter experts to properly implement and execute the compliance deliverables as laid out in your IVDR Implementation Plan” continued Michels. “These deliverables may require extensive updates to a manufacturer’s existing Quality Management System (QMS), technical documentation, and/or establishing or enhancing a manufacturer’s body of objective evidence of clinical performance validation with a defined blueprint to address the product lifecycle.”

 

Your organization has a better chance of a successful transition by engaging subject matter experts like RCA who have an intimate familiarity with the planning and implementation of IVDR.

 

“Our experts can help you identify the intended purpose and the inherent risks associated with your devices, determine the device classification, and help create technical documentation in compliance with IVD regulation 2017/746,” Khorashahi divulges.

 

More robust procedures for post-market surveillance and post-market performance follow up must be put in place to successfully transition.

 

“RCA has the subject matter expertise, experience, and dedicated resources available to assist our clients with the seemingly daunting task of ensuring timely IVDR compliance prior to the fast-approaching deadline. Our proven capability is what clients find to be of most value in the selection and utilization of a regulatory compliance consulting firm like RCA.” replied Michels.

 


The FDA Center for Devices and Radiological Health (CDRH) recently published new guidance for medical device priorities in 2023. The FDA CDRH guidance looks to evolve away from the COVID-19 pandemic and transition toward digital health, medical device software and regulated software as a medical device (SaMD).

 

Cybersecurity for Medical Devices

 

Among topics the FDA guidance considers “A-List” priorities is cybersecurity for medical devices. Two initial priorities of the FDA guidance will include a deeper study of quality system (QMS) considerations and premarket submission (PMA) content.

 

Additional FDA software guidance was published earlier this year (September 2022) that described how software functions meet the definition of a medical device and risks to the public. The change that industry should keep an eye on is FDA product-specific guidance that applies to regulating software development that impacts risk to patient safety.

 

Quality Management System

 

Quality management system regulation currently falls under 21 CFR 820, so it will be interesting to see how new updates are developed based on discussion with industry. Every medical device manufacturer is required to have a compliant QMS system that includes the necessary QMS documentation for regulatory approval.

 

As digital healthcare integrates the physician-patient relationship, FDA continues to scrutinize device software functions and healthcare mobile apps. Lastly, these insights may provide additional feedback on software functions not subject to FDA regulatory requirements relevant to a QMS audit.

 

Remanufacturing Medical Devices

 

FDA is taking a deeper look at reusable medical devices and how preventive maintenance increases the life of a medical device. Currently, there are separate regulations for both industry manufacturers and 3rd party service companies. FDA will look to clarify the differences between “servicing” and “remanufacturing”, and the impact on medical device safety for either. This will likely impact the regulatory responsibilities of companies who perform these activities for health care providers.

 

Premarket Authorization (PMA)

 

Software as a medical device continues to grow across the health care industry. Updated premarket authorization guidance will focus on software devices with consideration to how the software is delivered to the end user. This can include factory-installed healthcare software or platforms installed by a third-party vendor.

 

Equally important, new information is anticipated for different types of firmware and software-based control of medical devices. Industry employees should also anticipate greater clarity for stand-alone software applications and general purpose computers. Leadership at FDA has included subtle hints that accessories to medical devices that include software may also be included in future FDA guidance for industry.

 

COVID-19 Emergency Use Authorization (EUA)

 

There has been discussion around the 180-day timeline proposed for notice of ending a medical device EUA due to COVID-19. Final guidance should be available in 2023 that provides more detail about the appropriate transition period. FDA is considering industry recommendations that avoid disruptions to product shortage and supply chain.

 

Further, consideration is also being given to medical device manufacturers and healthcare providers to adjust from policies adopted during the public health emergency (PHE). For example, an EUA issued under section 564 of the FD&C Act will remain in effect. Primary changes will be based on whether FDA chooses to revoke the EUA because the criteria for issuance are no longer met.

 

Voluntary Improvement Program

 

FDA and the Medical Device Innovation Consortium (MDIC) continue to advance their pilot program launched in 2018. Select medical device manufacturing sites were chosen to review key business processes using a series of integrated best practices. The Capability Maturity Model Integration (CMMI) Institute certified a select team to conduct and review quality system maturity of these sites.

 

Additionally, 2023 will likely bring even more data surrounding the MDIC program. This could include public info for industry about continuous improvement through quarterly check-in progress with participating medical device companies. The program is designed to report industry baseline metrics after the check-in and monitor operational excellence.

 

Breakthrough Devices Program

 

New information from FDA will arrive in 2023 for updates to the Breakthrough Devices Program. Early updates suggest the guidance will clarify how the program may be more applicable to certain devices than others. FDA breakthrough designation often benefits populations that are more likely to be impacted by health care disparities. New clarity may include breakthrough therapy designations and how medical device companies can educate sponsors to submit for proposed indications of use.

 

Finally, an important facet of the breakthrough devices program is the type of evidence needed for FDA approval. Clarity should help to determine whether a device is reasonably expected to increase the treatment or diagnosis efficacy. Moreover, early indications suggest that the intended use of the device, technology and features, and the available standard of care alternatives will all play a role.

 


While audits are not being conducted in the same way they were before the global pandemic, they continue to take place. New procedures adopted to deal with the coronavirus outbreak may have the unintended consequence of creating compliance gaps. An audit will identify these gaps so that you can address the issue. Understanding how the audit process has changed and what you may need to do differently can help your company navigate more smoothly.

 

Internal Control: What Processes Will Change?

 

Advance planning and proactive execution of your plan will put your company on track to conduct and complete internal, supplier and due diligence audits. Many of the processes you’re used to will change. Here’s how to prepare.

 

Auditboard: Did you Complete Advance Work?

 

You can complete some tasks off-site and in advance, such as reviewing standard operating procedures and the auditboard. You can also conduct teleconferences in advance to discuss any questions that will come up, or email ahead of time to find answers.

 

Certified Internal Auditor: Did you Hire an Expert?

 

Apply social distancing to the audit process by using video to substitute for certified internal auditor in-person visits when you can. Live streaming allows the certified internal auditor to view a facility instead of going there and possibly introducing new germs into the environment. Whenever possible, avoid walking around your employees during this process.

 

Acknowledge that the situation is not ideal. Giving auditors firsthand experience in your plant is preferable, but for the time being, it’s not always practical. Discuss what will happen to the tapes after the audit is over too so that your management team stays on the same page regarding disposal or preservation.

 

Audit Office: Are you Prepared for Virtual Interviews?

 

Interviews play a critical role in the audit process, and they will continue to serve auditors’ interests. Migrate audit office interviews to a virtual platform, and use teleconferencing apps to schedule and conduct them.

 

Audit Report: Increase the Transparency

 

The world has changed in a very short time due to the pandemic. This has led companies like yours to adopt new policies to curb the potential spread of COVID-19 or other infectious conditions. An audit offers the perfect opportunity to reexamine the audit report and increase the transparency of results. More departments and individuals should receive leeway to report deviations they see in the production process. Clarify your expectations for reporting in all aspects of production, including:

 

  • Manufacturing operations
  • Quality control
  • Compliance assurance
  • Supplier quality

 

Internal Control: Are you Building Trust?

 

Building trust with employees within a new internal control structure will put you on the path toward solving any audit issues uncovered. The goal of giving the public a reliable supply of needed products will become an achievable aim as a result. Continuing the audit process and running it smoothly is critical to public health. Companies must continue to uphold the supply chain for essential resources so that people receive the provisions they need.

 


 

In this soundbite from RCA Radio, Dr. Helin Raagel and Dr. Matthew Jorgensen from Nelson Labs explain biocompatibility testing. This includes the risk-based biocompatibility evaluation that medical devices go through before they receive regulatory approval.

 

This biocompatibility risk-based approach evaluates the risk of the device through consideration of the device’s cytotoxicity, irritation, and sensitization. 

  • Cytotoxicity – Will the device kill or harm the cells it comes in contact with?
  • Irritation – Will the device make contact with the patient and cause skin irritation? (Redness and/or Swelling)
  • Sensitization – Will the device cause an allergic reaction?

 


Listen to the full episode “Intro to Pre-Clinical Testing and Biocompatibility” now!


 
