Often, the last thing first-time and even serial entrepreneurs think about is how the result of their passionate, innovative imagination is going to stand up to product testing and regulatory compliance requirements, such as efficacy and usability evaluations. Yet, it is impossible to introduce a medical product without such steps.

Fig. 1 – When launching an innovative new product, regulatory compliance should be considered at the early design stage. If not, it could become an obstacle, and your company’s incredible tool could be dead in the water.

As an American medical device startup, the issue you face is how to make your device not just effective at what it does, but also compliant with the myriad of local and international standards and regulations required in order to legally sell the product.

The compliance puzzle has many pieces. Above and beyond the stringent requirements for the medical function of the products, medical device manufacturers also have to deal with product safety, electromagnetic and/or radio frequency interference (EMI/RFI) issues, environmental regulations (WEEE/RoHS), cyber security and other requirements.

Pre-Compliance and You: Planning for Success

Suitability of components and materials, compliance with technical standards and fitness for use and manufacturability are just a few of the points that must be considered by the manufacturers during the design and development stages. Most start-up manufacturers lack their own testing capabilities, and few, if any, possess up-to-date knowledge of international regulations, yet they are still legally responsible for ensuring that their products comply with all legislation or import regulations.

Fortunately, start-up medical device manufacturers have a resource they can draw upon: independent testing laboratories, which should be engaged early in the product development process. (See Figure 1)

There are a number of very good reasons why a start-up medical device manufacturer should strongly consider pre-compliance engagement with a qualified testing laboratory. First is the dynamic, ever-changing nature of the regulatory environment. Keeping up with the changes and knowing their downstream implications is incredibly challenging for any organization other than a registrar, let alone a busy entrepreneur. Secondly, partnering with an independent laboratory means the results will be unbiased, and more akin to what the actual certification tests will be. Often such evaluations in the early design phase can identify and help eliminate non-compliance issues to provide significant cost and time savings.

The Riddle of Product Safety

Most of us take product safety as a given. We hardly ever consider that the cool new gadget in the office or kitchen might damage property, cause injury or even death. We are confident that our products are manufactured in such a way that they will not set fire to our homes or electrocute us as we brew coffee, blow-dry hair, or send an email. Why do we have such confidence? The answer lies in product safety standards.

For medical devices, the standards are even more stringent than consumer products. A medical device makes physical or electrical contact with a patient, transfers energy to or from the patient and/or detects such energy transfer to or from a patient. Because such a device is used for diagnosing or treating patients or monitoring patients, higher expectations are placed on its safety and operability. A medical device is expected to not only perform as intended, but it must be safe to patients, healthcare providers, medical personnel, and other device operators. (See Standard IEC 60601-1 for Medical Electrical Equipment, Part 1, below)

Whether in the US, Asia, or Europe, manufacturers must not only build their products to comply with the local or international safety regulations but must also have their products approved or certified by an independent third party laboratory.

To make this less cumbersome to all parties, the IECEE Certification Body (CB) Scheme was developed. The CB Scheme became the first truly international system for mutual acceptance of test reports and certificates dealing with the safety of electrical and electronic components, equipment, and products. It is a multilateral agreement among participating countries and certification organizations.

The FDA’s Role

While the CB Scheme may, at first glance, simplify the certification process—manufacturers only have to test and certify for electrical safety once to gain access to 65 countries—the evolving market has added new complications.

For example, the U.S. Food and Drug Administration (FDA) is responsible for protecting the public health by assuring the safety, efficacy, and security of medical devices. The scope of the FDA’s regulatory authority is very broad: it currently covers more than 1,700 distinct types of medical devices. Each of these devices is assigned to one of three regulatory classes based on the level of control necessary to assure the safety and effectiveness of the device.

Fig. 2 – Because cybersecurity threats are an ever-present and ongoing issue, the FDA has issued guidelines companies must follow to ensure a device stays secure throughout its lifespan.

For medical products there are additional requirements. According to Section 510(k) of the Food, Drug and Cosmetic Act in the United States, the FDA requires device manufacturers to notify them of their intent to market a medical device at least 90 days in advance. This is known as Premarket Notification, also called PMN or 510(k). Specifically, medical device manufacturers are required to submit a premarket notification if they intend to introduce a device into commercial distribution for the first time or reintroduce a device that will be significantly changed or modified to the extent that its safety or effectiveness could be affected. Such change or modification could relate to the design, material, chemical composition, energy source, manufacturing process, or intended use.

Today’s Devices and Cyber Security

The FDA has also weighed in on cybersecurity concerns in today’s medical devices. Because this is an ever-present and ongoing issue, a robust cybersecurity posture is necessarily part of a device’s initial market assessment and approval by the FDA. The FDA focuses distinctly on the steps that companies must take to ensure that their device not only delivers data securely, but that it stays secure throughout the product lifespan. (See Figure 2)

One security methodology emphasized by the FDA is the use of iterative threat modeling: the systematic assessment of risks, threats, and mitigations surrounding a device. Now, the FDA is promoting the concept of iterative and comprehensive threat modeling as a leading practice in its post-market assessment management guidelines.

Key to this process is the monitoring of external cybersecurity information sources for collaborative identification and detection of device vulnerabilities and risk.