Medical Devices are regulated worldwide, this is to ensure that they meet the minimum safety requirements specified by regions or nations in terms of patient safety. In the USA Medica Devices are regulated in laws provided within the CFR Title 21 (Code of Federal Regulations), these are checked and governed by the FDA (Food and Drug Administration). Within the European Union these laws are provided within the Medical Device Regulation EU 2017/745 for medical devices and In Vitro Diagnostic Regulation EU 2017/746 for In Vitro Diagnostic devices, each member state of the European Union has its own regulatory authority (similar to the FDA in the USA) who are responsible for governing medical devices within their jurisdiction. Other countries such as the UK (MHRA) and Japan (PMDA) also have their own laws and governing authorities who oversee the conformity of medical devices within their nations.
Due to there being multiple regulations and authorities involved in what is determined to be minimum safety requirements for medical devices international forums and groups have been set up for many years to try and harmonise medical device regulation worldwide so that manufacturers work to a common set of requirements and proof of safety that meets the requirements of all countries and systems.
The GHTF (Global Harmonised Task Force) was conceived in 1992 and was an informal grouping that was formed to respond to the growing need for the international harmonisation of regulations in medical devices. The members of the GHTF include government and industry officials from the European Union, Japan, Canada, Australia, and the United States. These representatives working with medical device manufacturers and other organisations related to medical devices try to harmonise global approaches to the safety, efficacy, clinical performance, and quality of medical devices with the goal of protecting public health, promoting innovation, and facilitating international trade. The GHTF was replaced with the International Medical Device Regulators Forum (IMDRF) which continues the work of the GHTF.
One way harmonisation of safety has been developed is through the use and acceptance of international standards. The use of standards ensures that medical devices meet agreed minimum levels of safety which are accepted within the regulations of the major medical device markets in the world. Here are some examples of medical device related standards that are accepted internationally.
Standards required to be used for all medical device types:
- ISO 14971 - Medical devices. Application of risk management to medical devices
- ISO 20417 - Medical devices. Information to be supplied by the manufacturer
- ISO 15223 - Medical devices. Symbols to be used with information to be supplied by the manufacturer - General requirements
- ISO 13485 – Medical devices. Quality management systems. Requirements for regulatory purposes
- ISO 62366 - Medical devices - Application of usability engineering to medical devices
Standards which cover medical devices containing software or software as a standalone medical device:
- ISO 62304 – Medical device software. Software life-cycle processes
ISO 60601-1 series – Medical electrical equipment. General requirements for safety - Collateral standard. Safety requirements for medical electrical systems
- ISO 60601-2 series - Medical electrical equipment - Particular requirements for the basic safety and essential performance of magnetic resonance equipment for medical diagnosis
Biological Evaluation for patient contacting devices:
ISO 10993 series – Biological evaluation of medical devices - Evaluation and testing within a risk management process
Sterilised medical devices:
ISO 11135 - Sterilization of health care products. Ethylene oxide - Requirements for development, validation and routine control of a sterilization process for medical devices
- ISO 11137 - Sterilization of health care products - Radiation - Requirements for development, validation and routine control of a sterilization process for medical devices
- ISO 17665 - Sterilization of health care products - Moist heat - Requirements for the development, validation and routine control of a sterilization process for medical devices
- ISO 11607-1 - Packaging for terminally sterilized medical devices - Requirements for materials, sterile barrier systems and packaging systems
- ISO 11607-2 - Packaging for terminally sterilized medical devices - Validation requirements for forming, sealing and assembly processes
Specific Standards for Specific Equipment:
- ISO 60601-2-24 - Medical electrical equipment - Particular requirements for the basic safety and essential performance of infusion pumps and controllers
- ISO 3826-4 - Plastics collapsible containers for human blood and blood components - Aphaeresis blood bag systems with integrated features
There are hundreds of different standards which apply to different groups or to specific medical devices.
Definition of a medical device
When a product is being developed it is important to identify if it could fall under the definition of a medical device based on the claims that are being made about the product, and/or its intended use, application, environment of use etc.
This is the critical first step a developer of a medical device must evaluate. Within the regulations that govern medical devices there is usually a definition of what a medical device is. For example, in the EU Medical Device Regulation EU 2017/745 defines a medical device as follows:
‘medical device’ means any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes:
- diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease,
- diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or disability,
- investigation, replacement or modification of the anatomy or of a physiological or pathological process or state,
- providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations,
and which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means. The following products shall also be deemed to be medical devices:
- devices for the control or support of conception;
- products specifically intended for the cleaning, disinfection or sterilisation of devices as referred to in Article 1(4) and of those referred to in the first paragraph of this point.
The IVDR 2017/746 also has a definition of what an IVD device is defined as. Within the UK these are determined by the UK Medical Device regulations 2002.
Classification of a medical device
Medical device classification determines the regulatory process a medical device must go down to be able to be sold within the marketplaces of the relevant applicable regulated jurisdictions.
Medical Devices are classed based on the risk they pose to patient safety. Classification falls within three classification numbers; class I, class II or class III. Class I devices are considered to be of low risk, class II devices as medium risk and class III as the highest risk devices.
Classification determines the amount of regulatory scrutiny there is to review all of the performance and safety data generated by the developers and manufactures of medical devices.
In the USA there is a classification database which is used to identify definitions of currently approved or exempt medical devices to determine whether the product being developed based on its intended use would fall under that device classification, following the requirements for those devices such as a 510(k) submission or would need to be submitted as a new medical device for review by the FDA as a PMA submission.
Many class I devices in the USA are exempt from a formal submission to the FDA, these devices can usually be placed on the USA market providing they are registered, and the correct technical documentation provided.
Some class I and nearly all class II and class III devices are required to submit what is called a 510(k), the 510(k) process is the regulatory approval process where the FDA examines all the technical data required for medical devices to demonstrate compliance to a similar device already placed on the USA market. Once the FDA has approved that the device meets all the safety requirements of that type of device the device may be placed on the USA market and the manufacturer registered as a medical device manufacture in the USA.
New Medical Devices which do not fit within the classification of a previously approved medical device must undergo submission via a PMA (Pre-Market Approval) submission programme.
In Europe once the device has been determined as a medical device, the device needs to classified. Within the European and UK medical device classification system there are Class I devices, Class Is (sterile), class Im (measuring), class Ir (reusable), class IIa, class IIb and class III devices, again like within the USA system these are based on the level of risk, with class I being lower risk and class III being the highest risk.
Within the MDR 2017/745 there are 21 classification rules. Devices based on their clinical intended use must be fitted within one of the classification rules. If multiple rules apply, the rule with the highest classification will apply to the medical device.
Device classification will determine which regulatory pathway for being able to place the device on the market must be taken. For class I medical devices the manufacturer must conform to all of the regulatory requirements set out within Annex I, II and III of the regulations and draw up a signed declaration of conformity, place the CE mark on the medical device and its associated packaging and instructions for use/labelling. They must register with a member states regulatory authority as a medical device manufacturer and also register the devices on the EUDAMED system.
Manufacturers of Class Is, Im, IIa, IIb and class III medical devices must engage with a Notified Body (competent authority approved agencies/organisations that issue CE mark certificates or in the case of the UK, UKCA mark certificates which allow medical device manufacturers to place their devices on the market). Manufacturers of medical devices other than class I devices must also register with a member states regulatory authority as a medical device manufacturer and also register the devices on the EUDAMED system.
General Safety and Performance Requirements
Within the USA system the CFR title 21 (Code of Federal Regulations) will identify which standards and requirements are needed to demonstrate conformity for a particular medical device. Unless it is a new medical device undergoing a PMA in which case the manufacturer will need to identify which standards maybe applicable with guidance sort from the FDA if necessary.
In the EU system within the regulation under Annex I of both the MDR and IVDR are a list of regulatory requirements which are needed to demonstrate conformity for medical devices. The manufacturer/developer must go through each clause of Annex I to identify which are applicable to the medical device and which are not, with a justification of why non-applicable once have been identified as such.
For each applicable clause the manufacturer must demonstrate how conformity will be achieved, this is mostly in the form of using harmonised or consensus standards, as discussed within the standards section of this blog.
Design and Development Plan
Planning for the design and development of a medical device is a requirement of regulatory systems. All manufacturers of Medical Devices are required to maintain a Quality Management System, in the USA this is determined under the CFR Title 21 part 820. Within the European Union it is placed within demonstrating certificated compliance with international standard EN ISO 13485. The USA has recently indicated that they will also use the ISO 13485 standard for the requirements of manufacturers being compliant for QMS purposes.
Within the QMS requirements of the standard, manufacturers are to perform Design and Development inline with the requirements set out within the standard. Design and Development planning should cover as a minimum the following:
- the design and development stages;
- the review(s) needed at each design and development stage;
- the verification, validation, and design transfer activities that are appropriate at each design and development stage;
- the responsibilities and authorities for design and development;
- the methods to ensure traceability of design and development outputs to design and development inputs;
- the resources needed, including necessary competence of personnel.
Design and Development Process
Design processes are indicated within ISO 13485 and as a minimum should cover the following:
- functional, performance, usability and safety requirements, according to the intended use;
- applicable regulatory requirements and standards;
- applicable output(s) of risk management;
- as appropriate, information derived from previous similar designs;
- other requirements essential for design and development of the product and processes.
- meet the input requirements for design and development;
- provide appropriate information for purchasing, production and service provision;
- contain or reference product acceptance criteria;
- specify the characteristics of the product that are essential for its safe and proper use.
Design and Development Review:
At suitable stages, systematic reviews of design and development shall be performed in accordance
with planned and documented arrangements to:
- evaluate the ability of the results of design and development to meet requirements;
- identify and propose necessary actions.
Participants in such reviews shall include representatives of functions concerned with the design and development stage being reviewed, as well as other specialist personnel.
Design and Development Verification:
Design and development verification shall be performed in accordance with planned and documented arrangements to ensure that the design and development outputs have met the design and development input requirements.
The organization shall document verification plans that include methods, acceptance criteria and, as
appropriate, statistical techniques with rationale for sample size.
If the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), verification shall include confirmation that the design outputs meet design inputs when so connected or interfaced.
Design and development validation shall be performed in accordance with planned and documented arrangements to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use.
The organization shall document validation plans that include methods, acceptance criteria and, as appropriate, statistical techniques with rationale for sample size.
Design validation shall be conducted on representative product. Representative product includes initial production units, batches or their equivalents. The rationale for the choice of product used for validation shall be recorded.
As part of design and development validation, the organization shall perform clinical evaluations or performance evaluations of the medical device in accordance with applicable regulatory requirements. A medical device used for clinical evaluation or performance evaluation is not considered to be released for use to the customer.
If the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), validation shall include confirmation that the requirements for the specified application or intended use have been met when so connected or interfaced.
Validation shall be completed prior to release for use of the product to the customer.
Design and Development Transfer:
The organization shall document procedures for transfer of design and development outputs to manufacturing. These procedures shall ensure that design and development outputs are verified as suitable for manufacturing before becoming final production specifications and that production capability can meet product requirements.
Control of Design and Development changes:
The organization shall document procedures to control design and development changes. The organization shall determine the significance of the change to function, performance, usability, safety and applicable regulatory requirements for the medical device and its intended use.
Design and development changes shall be identified. Before implementation, the changes shall be:
- validated, as appropriate;
The review of design and development changes shall include evaluation of the effect of the changes on constituent parts and product in process or already delivered, inputs or outputs of risk management and product realization processes.
Risk Management is the overriding factor in the development of medical devices. Risk management should be applied as per international standard ISO 14971. Risk should be evaluated at every phase of the design and development of a medical device and then continue throughout the life cycle of the medical device via post market surveillance and obsolescence, with the data being captured within the risk management file.
Risk Management Plan
Risk management activities are required to be planned in accordance with ISO 14971. Each medical device should have its own risk management plan in accordance with the risk management process. The plan should sit within the risk management file.
As a minimum the risk management plan should consider the following:
- the scope of the planned risk management activities, identifying and describing the medical device and the life cycle phases for which each element of the plan is applicable;
- assignment of responsibilities and authorities;
- requirements for review of risk management activities;
- criteria for risk acceptability, based on the manufacturer’s policy for determining acceptable risk, including criteria for accepting risks when the probability of occurrence of harm cannot be estimated;
- a method to evaluate the overall residual risk, and criteria for acceptability of the overall residual risk based on the manufacturer’s policy for determining acceptable risk;
- activities for verification of the implementation and effectiveness of risk control measures; and
- activities related to collection and review of relevant production and post-production information.
Risk Identification should occur at the beginning of the design and development process and at each stage of the design and development process thereafter. The purpose of risk identification is to understand all of the possible known risks and foreseeable risks associated with the device and its use, these should also include all possible user error risks or device misuse risks.
These should be analysed for their likely frequency of happening and the likely severity should they happen. This is usually done by giving each identified risk a risk score, such as 1-5 for likelihood of occurrence and 1-5 for severity (with 1 being low and 5 being high), these scores are then multiplied to give the risk score.
The group leading the risk management should establish what is considered to be an acceptable risk score (green), what is a moderate risk score (amber) and what is a high risk score (red).
Identified risks need to be mitigated to as “low as practically possible” according to the requirements of ISO 14971. Risk control measures should ensure that they have either fully mitigated and therefore removed the risk, reduced the risk to an acceptable level or be considered to be a residual risk where no mitigation is possible, residual risks are usually unavoidable risks which are highlighted to the user via warnings on the labelling and/or the instructions for use.
Mitigation controls can include the use of standards. For example, a device which has patient contact and has been sterilised using ethylene oxide. The risk would be that ethylene oxide residuals maybe left on the device post sterilisation and packaging, which could come into contact with the user. Ethylene Oxide is known to cause irritation, organ damage, mutagenicity and carcinogenicity in human and animals, and reproductive effects in animals.
The risk control measure would be to ensure that the ethylene oxide sterilisation process has been followed in accordance with ISO 11135 - Sterilization of health care products, and that testing has been carried out on the final finished post sterilised device in accordance with ISO 10993-7 - Biological evaluation of medical devices - Ethylene oxide sterilization residuals, and the test results evaluated as part of the Biological Evaluation Report by an expert toxicologist inline with the requirements of ISO 10993-1 Biological evaluation of medical devices - Evaluation and testing within a risk management process.
The risk should then be scored again based on the control measure.
All of the risks then be evaluated to ensure that the risk control measure has reduced the risk to an acceptable level or an acceptable residual risk.
Once all risks have been evaluated, they should be reviewed overall to establish if the benefit of using the medical device outweighs the consequences of the risks that the device could cause.
Proof of concept
Proof of concept testing or feasibility testing is used to demonstrate that critical design features of a developed concept will function as intended. This is early design testing or testing of prototype models. This is not part of clinical evaluation or clinical studies.
A full and detailed record of design and development must be kept as part of the design history. This should be kept with the device technical documentation and sit within the QMS.