Blog Series Part 3: Rules and Regulations of Medical Device Product Development
When I started working for companies that built medical devices, I was completely unaware of the legal and regulatory aspects of product development. I thought the values and principles of healthcare guided this process — empathy, ethics, and professionalism. But just like in any other industry, commercial interests can be quite dominant, and often take precedence over all other domains, opening room for significant errors and liabilities in the products placed onto the market.
In some industries, the consequences may not be so dramatic, but in healthcare, we can expose patients to significant harm when interacting with products and services we build or provide.
To prevent this from happening, this space is guided by two broad sets of regulations that every medical device manufacturer has to follow:
- Regulations on how to build a medical device — Whether it is hardware and/or software, every manufacturer must adhere to a wide range of regulations that cover the manufacturing process and its documentation, analysis of risk, etc. For all countries in the European Union, the famous “medical device regulations” (known as MDR), which will be implemented in May 2021 and will replace the old “medical device directive” (MDD), is one of the most important documents to read for all startups and companies that are aiming to sell their products in the EU. The FDA has its own set of regulations that govern medical device manufacturing and market approval in the US. China, Brazil, UAE, Australia, Canada, and perhaps a few other countries have their own rules and regulations that are more or less similar to those imposed in the EU or the US.
- Regulations on data privacy and security — By now, you have probably heard the word “GDPR” (standing for General Data Protection Regulation) at some point, denoting a set of regulations developed by the EU to ensure safety and security of data that is acquired from individuals. Health-related data are one of the most sensitive forms of personal information, and the list of companies who can profit from them is not short. For this reason, rigorous standards about ownership, archiving, storage, processing, and controlling the data must be met when building and selling medical devices.
Both sets of guidelines must be thoroughly reviewed before you actually start building your product, for several reasons:
- The intended use and level of associated risk (among other things) dictate the classification of your product. I will write a detailed article on what “intended use” is because it is the single most important thing your company and product have to define early in the process. More often than not, this is done late in the process, and its change (or absence) may cause irreversible damage to your strategy and timelines, sometimes ending in complete catastrophe.
- The countries in which you want to sell your device will dictate your entire regulatory strategy and the manufacturing process. The documentation you need to create throughout the process of development may significantly differ if you are trying to sell your product in the US, in Brazil, or in China. Ensuring compliance with any of the required processes and their documentation is impossible to do retrospectively, so there is little room for corrections in those last few weeks or months.
- Compliance with regulations will ensure the quality of your product (and company). Regulations are often considered barriers to innovation, something to tick off so you can just focus on the “important stuff” — these assumptions are simply wrong. The regulations are there to help companies ensure patient safety while solving their particular problems.
For both sets of guidelines to be appropriately followed and implemented, each medical device company must have:
- A regulatory consultant — in charge of steering the product development process and ensuring compliance with regulations.
- A data protection officer (DPO) — ensures proper setup of data infrastructure and legal documentation surrounding data security.
How does the world of regulations affect each of the areas I mentioned in my first article of the series?
Clinical — Depending on the classification of the device and its intended use, the clinicians have a task to generate evidence and prove that the device you are building is, among many things, safe to use and “does what it is supposed to do — fulfill its intended use” (again, the intended use comes up). This may range from simple in-house testing to a prospective clinical validation in a hospital setting with a full ethics committee and medical authority approval, such as the MHRA in the UK, or BfArM in Germany.
Commercial & Business — Timelines, delivery of the product, and funding required all depend on the regulatory requirements your product needs to comply with. Getting a medical device to market, particularly those that are higher up the classification ladder, is not something that can be done quickly. This has to be clearly and transparently laid out to upper management to ensure realistic expectations.
Company Relationships — It is safe to say that the work on regulatory compliance can be stressful at times — creating and signing off specifications, documenting all of the work, and adapting to client/market feedback are just some of the activities that various people from different teams have to participate in. Creating and maintaining a healthy relationship, both within a product team and horizontally with the manager/commercial teams, is as important as all the work that goes into the medical device development.
Technology — Whether it’s the materials used for creating a hardware device, or the cloud infrastructure for software as medical devices (known as SaMDs), they all have to abide by rules and regulations. The latter particularly focuses on the flow of data and access to it — this is where your DPO plays a massive role. Don’t even think about doing this yourself: there are significant legal liabilities involved in data misuse or breach. Penalties include up to 4% of all company revenue or up to 20 Million EUR! Plus, all of the work needs to be meticulously documented, and it is better to get acquainted with that early on — it might be subject to an audit!
Innovation — As we mentioned previously, regulations may seem like limitations to innovation and use of new technologies, particularly to commercial/executive teams. Quite the opposite. In my opinion, if read and interpreted properly, regulations can actually help you focus on the problems you are trying to solve and guide you to the best use of your technology. Ever since I started listening to Dr. James Somauroo’s “HS HealthTech” podcast, the recurring mantra of being “problem-led vs. solution-driven” helped me solidify the fact that the problem you are trying to solve will dictate how you will solve it, not the other way around.
Customer Feedback — According to regulations, you have to set up a plan on how you will obtain feedback and complaints from your users, but most importantly, how you will identify any potential misuse or deficient product behaviour. As one regulatory consultant said to me years ago: “It is fairly easy once the product is in the market. You just listen to your customers and users, and iterate based on their feedback.” This is so true, but setting up that process takes proactive effort.
Why is this important for clinicians to know? Because of our background, and the fact we inherently put patient safety first, the regulations surrounding medical devices will not come as a burden to clinicians and medical professionals in this space. It will come as a relief, as a confirmation that there are also other people who share the same values as us, which is why I think we often have the best relationships with our colleagues from the regulatory space. In fact, we will often be the (only) voice of support for reg consultants, and our job as clinicians is to be the bridge between the commercial goals and our regulatory activities. For DPOs, we must help them in ensuring our policies around data acquisition and use are in accordance with data privacy and security regulations — this too requires effort to be set up.
In most articles and podcasts, you will read or hear about companies who embrace regulations, and the ones who don’t — as clinicians, we must do everything we can to put our teammates and managers in a position to be the former.