[12 December] Connected devices and SaMD are transforming MedTech, but with innovation comes responsibility. Cybersecurity isn’t simply a checkbox, but your products lifeline.
In readiness for the application of the new Article 10a requirements under the EU MDR and IVDR (Regulation 2024/1860), and following on from the recently published Q&A document, MDCG have now published the associated reporting form (with an optional annex for reporting multiple devices in one report). The report form follows a similar style to the vigilance report templates. Where the report is to be sent to is a matter for each member state/competent authority. Whether there will be a single reference list like with vigilance, it is unclear at this stage. The report also suffers from a few design glitches, multiple choice fields when it should be single choice and vice versa.
Reduction of administrative obligations of stakeholders;
Centralisation of system management functions to the EMA;
Foreseeable and balanced certification procedures;
Taking into account specific needs for medical devices intended for specific patient populations;
Assuring a special pathway for innovations.
During the broadcasted session, speakers from France, the Commission, Germany, Belgium, Greece, the Czech Republic, Denmark, Portugal and Sweden all voiced their views on the need for reform. Whilst none of the speakers opposed the need to reform, there were concerns raised about the rush for knee-jerk reactions without properly taking stock of the current implementation issues to ensure that the same mistakes are not repeated. Similarly there appeared to be agreement on the need to improve the oversight and governance of the regulatory framework (e.g. improving the consistency and predictability across notified bodies) but opinions were split on whether that responsibility should be given in totality to the EMA or any other centralized organization. What does it all mean? That some form of change is coming but when and what is still to be decided. We can probably expect some specific actions in the short to near-term during 2025 (e.g. definitive pathways for novel technologies perhaps).
MedTech Europe were quick to respond to the EPSCO meeting, publishing yet another statement on the necessary reforms of MDR/IVDR. In the statement, MedTech Europe repeat their position that they fully support the call for reform, and are advocating for measures that reduce bureaucracy, increase efficiency, support innovation, and ensure effective governance. Specifically they are urging the European Commission and Member States to act swiftly, and implement solutions with sufficient legal weight to:
— Significantly reduce certification time and costs;
— Streamline assessment processes for device updates and innovations;
— Create an accelerated pathway for breakthrough technologies;
— Remove the limited validity of certificates and adopt a lifecycle approach;
— Deliver on the goals of MDCG 2022-14 (structured dialogue, leveraging evidence, reduce technical documentation sampling burden…);
— Promote digital solutions like electronic Instructions for Use (eIFU);
— Support global regulatory convergence, such as through the Medical Device Single Audit Program (MDSAP).
The European Union Agency for Cybersecurity (ENISA) published their 2024 Report on the State of the Cybersecurity in the Union. The report makes various recommendations including the strengthening of the cybersecurity workforce, harmonizing EU frameworks and policies for cybersecurity, and the recognition of sector specific requirements.
The FDA have published the 2024 report on Risks and Benefits to health of non-device software functions. Reports from previous years can be found here. These reports are published every 2 years and review the risks and benefits associated with software functions that are excluded from the Federal Food, Drug and Cosmetic Act. These functions are summarised by the FDA as:
— administrative support of a health care facility;
— maintaining or encouraging a healthy lifestyle and unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition;
— serving as electronic patient records when not intended to interpret or analyze patient records;
— transferring, storing, converting formats, or displaying data; or (unless interpreting or analyzing a clinical test or other device data, providing certain types of limited clinical decision support to a health care provider.
The FDA have published the November 2024 GUDID trends to summarise the rate of new GUDID accounts, the types of devices registered and the locations of the ‘labelers’.
The FDA have published the final guidance to provide recommendations for predetermined change control plans (PCCPs) tailored to artificial intelligence (AI)-enabled devices. The recommendations in this guidance are intended to support iterative improvement through modifications to AI-enabled devices while continuing to provide a reasonable assurance of device safety and effectiveness. This guidance recommends that a PCCP describe the planned device modifications, the associated methodology to develop, validate, and implement those modifications, and an assessment of the impact of those modifications. FDA reviews the PCCP as part of a marketing submission for an AI-enabled device to ensure the continued safety and effectiveness of the device without necessitating additional marketing submissions for implementing each modification described in the PCCP. The recommendations in this guidance apply to AI-enabled devices, including the device constituent part of device-led combination products, reviewed through the 510(k), De Novo, and PMA pathways. Changes of note from the draft version of the guidance include advice on how to manage the iterative nature of the PCCP and inclusion of examples in the appendices. The FDA are holding a webinar on 14th January 2025 to answer questions about the final guidance.
Rest of World
ISO TC 210/WG 1 have published a paper, "ISO 13485-2016 Users survey - White paper on the results", outlining some of the results from the global survey that ran from late 2023 up to January 2024. There were over 1600 responses to the survey, with approximately ⅔ of the respondents coming from organizations identifying as the legal manufacturer. The survey allowed the respondents to provide feedback on ISO 13485:2016 either by selecting predefined choices, or using free text fields. Some of the key highlights from the survey were:
— ~90% of users were very, or somewhat, satisfied with the content and use of ISO 13485:2016
— Users of ISO 13485:2016 are able to comply and align with other management system standards (e.g. ISO 9001, ISO 14001)
— The stability of ISO 13485:2016 and its compatibility to global regulatory for medical devices
Independent of their answers on how satisfied they were with the standard, respondents were also able to provide specific comments on each clause of the standard. Over 600 comments were submitted, which ISO TC 210/WG1 have reviewed to determine whether there is a need for technical changes to ISO 13485:2016. There were many requests for ISO 13485 to be updated to reflect the specific requirements of specific national or regional legislation (e.g. the EU MDR), but this is out of the scope for an ISO management system standard. There were a lot of requests for more specific requirements for certain technologies (e.g. software as a medical device) or certain organization types (e.g. those with virtual offices), as well as calls for further guidance on how to implement the existing requirements. It was clear from the responses that awareness of the existing guidance on the implementation of ISO 13485:2016 was low (see ISO 13485:2016 - Medical devices - A practical guide), in part due to it not being a typical ISO standard format. ISO TC210/WG1 recognised that further guidance on specific areas would be beneficial and in a format that should be more visible and accessible for organisations. Therefore a New Work Item Proposal (NWIP) is underway, which if/when approved will eventually lead to updated guidance in an ISO standard format (e.g. TS or TR).
The WHO published their 2024 report on infection prevention and control. Whilst not aimed specifically at medical device manufacturers, the report highlights the burden of health care-associated infections (HAIs) and antimicrobial resistance (AMR) and the related harm to both patients and health care workers in care settings. The report also presents an updated global situation analysis of the implementation of infection prevention and control programmes at national and local levels.
— ISO 13404-1:2024 Prosthetics and orthotics — External orthoses and orthotic components — Part 1: Uses, functions, classification and description of lower limb orthoses;
— ISO 7944:2024 Optics and photonics — Reference wavelengths;
— ISO/TR 11797:2024 Ophthalmic optics – Spectacle lenses – Power and prism measurements;
— ISO 12870:2024 Ophthalmic optics — Spectacle frames — Requirements and test methods;
— ISO 16971-1:2024 Ophthalmic instruments — Optical coherence tomographs — Part 1: Optical coherence tomographs for the posterior segment of the human eye;
— ISO 19045-2:2024 Ophthalmic optics — Contact lens care products — Part 2: Method for evaluating disinfecting efficacy by contact lens care products using trophozoites of Acanthamoeba species as the challenge organisms;
— ISO 13695:2024 Optics and photonics — Lasers and laser-related equipment — Test methods for the spectral characteristics of lasers;
— ISO 14880-2:2024 Optics and photonics — Microlens arrays — Part 2: Test methods for wavefront aberrations;
— ISO 14880-3:2024 Optics and photonics — Microlens arrays — Part 3: Test methods for optical properties other than wavefront aberrations;
— ISO 14880-4:2024 Optics and photonics — Microlens arrays — Part 4: Test methods for geometrical properties;
— ISO 11199- 2:2021/Amd 1:2024 Assistive products for walking manipulated by both arms — Requirements and test methods — Part 2: Rollators — Amendment 1: Removal of brake requirements;
— ISO 15883-2:2024 Washer-disinfectors — Part 2: Requirements and tests for washer-disinfectors employing thermal disinfection for critical and semi-critical medical devices;
— ISO 15883-3:2024 Washer-disinfectors — Part 3: Requirements and tests for washer-disinfectors employing thermal disinfection for human waste containers;
— ISO 80369-20:2024 Small-bore connectors for liquids and gases in healthcare applications — Part 20: Common test methods;
— ISO 5649:2024 Medical laboratories — Concepts and specifications for the design, development, implementation and use of laboratory-developed tests;
— ISO/TS 7552-1:2024 Molecular in vitro diagnostic examinations — Specifications for pre-examination processes for circulating tumour cells (CTCs) in venous whole blood — Part 1: Isolated RNA;
— ISO/TS 7552-2:2024 Molecular in vitro diagnostic examinations — Specifications for pre-examination processes for circulating tumour cells (CTCs) in venous whole blood — Part 2: Isolated DNA
— ISO/TS 7552-3:2024 Molecular in vitro diagnostic examinations — Specifications for pre-examination processes for circulating tumour cells (CTCs) in venous whole blood — Part 3: Preparations for analytical CTC staining;
— ISO/TS 16766:2024 Manufacturers’ considerations for in vitro diagnostic medical devices in a public health emergency;
— ISO 21474-3:2024 In vitro diagnostic medical devices — Multiplex molecular testing for nucleic acids — Part 3: Interpretation and reports;
— ISO 4962:2024 Nanotechnologies — In vitro acute nanoparticle phototoxicity assay;
— ISO 24480:2024 Biotechnology — Validation of database used for nucleotide sequence evaluation.
