Often, the last thing first-time and even serial entrepreneurs think about is how the result of their passionate, innovative imagination is going to stand up to product testing and regulatory compliance requirements, such as efficacy and usability evaluations. Yet, it is impossible to introduce a medical product without such steps.
As an American medical device startup, the issue you face is how is to make your device not just effective at what it does, but also compliant with the myriad of local and international standards and regulations required in order to legally sell the product.
The compliance puzzle has many pieces. Above and beyond the stringent requirements for the medical function of the products, medical device manufactures also have to deal with product safety, electromagnetic and/or radio frequency interference (EMI/RFI) issues, environmental regulations (WEEE/RoHS), cyber security and other requirements.
Pre-Compliance and You: Planning for Success
Suitability of components and materials, compliance with technical standards and fitness for use and manufacturability are just a few of the points that must be considered by the manufacturers during the design and development stages. Most start-up manufacturers lack their own testing capabilities, and few, if any, possess up-to-date knowledge of international regulations, yet they are still legally responsible for ensuring that their products comply with all legislation or import regulations.
Fortunately, start-up medical device manufacturers have a resource they can draw upon: independent testing laboratories, which should be engaged early in the product development process. (See Figure 1)
There are a number of very good reasons why a start-up medical device manufacturer should strongly consider precompliance engagement with a qualified testing laboratory. First is the dynamic, ever-changing nature of the regulatory environment. Keeping up with the changes and knowing their downstream implications incredibly challenging for any organization other than a registrar, let alone a busy entrepreneur. Secondly, partnering with an independent laboratory means the results will be unbiased, and more akin to what the actual certification tests will be. Often such evaluations in the early design phase can identify and help eliminate non-compliances issues to provide significant cost and time savings.
The Riddle of Product Safety
Most of us take product safety as a given. We hardly ever consider that the cool new gadget in the office or kitchen might damage property, cause injury or even death. We are confident that our products are manufactured in such a way that they will not set fire to our homes or electrocute us as we brew coffee, blow-dry hair, or send an email. Why do we have such confidence? The answer lies in product safety standards.
For medical devices, the standards are even more stringent than consumer products. A medical device makes physical or electrical contact with a patient, transfers energy to or from the patient and/or detects such energy transfer to or from a patient. Because such a device is used for diagnosing or treating patients or monitoring patients, higher expectations are placed on its safety and operability. A medical device is expected to not only perform as intended, but it must be safe to patients, healthcare providers, medical personnel, and other device operators. (See Standard IEC 60601-1 for Medical Electrical Equipment, Part 1, below)
Whether in the US, Asia, or Europe, manufacturers must not only build their products to comply with the local or international safety regulations but must also have their products approved or certified by an independent third party laboratory.
To make this less cumbersome to all parties, the IECEE Certification Body (CB) Scheme was developed. The CB Scheme became the first truly international system for mutual acceptance of test reports and certificates dealing with the safety of electrical and electronic components, equipment, and products. It is a multilateral agreement among participating countries and certification organizations.
The FDA’s Role
While the CB Scheme may, at first glance, simplify the certification process—manufacturers only have to test and certify for electrical safety once to gain access to 65 countries—the evolving market has added new complications.
For example, the U.S. Food and Drug Administration (FDA) is responsible for protecting the public health by assuring the safety, efficacy, and security of medical devices. The scope of the FDA’s regulatory authority is very broad: it currently covers more than 1,700 distinct types of medical devices. Each of these devices is assigned to one of three regulatory classes based on the level of control necessary to assure the safety and effectiveness of the device.
For medical products there are additional requirements. According to Section 510(k) of the Food, Drug and Cosmetic Act in the United States, the FDA requires device manufacturers to notify them of their intent to market a medical device at least 90 days in advance. This is known as Premarket Notification, also called PMN or 510(k). Specifically, medical device manufacturers are required to submit a premarket notification if they intend to introduce a device into commercial distribution for the first time or reintroduce a device that will be significantly changed or modified to the extent that its safety or effectiveness could be affected. Such change or modification could relate to the design, material, chemical composition, energy source, manufacturing process, or intended use.
Today’s Devices and Cyber Security
The FDA has also weighed in on cybersecurity concerns in today’s medical devices. Because this is an ever present and ongoing issue, a robust cybersecurity posture is necessarily part of a device’s initial market assessment and approval by the FDA. The FDA focuses distinctly on the steps that companies must take to ensure that their device not only delivers data securely, but that it stays secure throughout the product lifespan. (See Figure 2)
One security methodology emphasized by the FDA is the use of iterative threat modeling: the systematic assessment of risks, threats, and mitigations surrounding a device. Now, the FDA is promoting the concept of iterative and comprehensive threat modeling as a leading practice in its post-market assessment management guidelines.
Key to this process is the monitoring of external cybersecurity information sources for collaborative identification and detection of device vulnerabilities and risk.
In conjunction with the Premarket guidelines released in October of 2014, the FDA is covering the complete gamut of product development and maintenance. It is not enough to simply assess the medical device itself for security vulnerabilities prior to its launch. Iterative threat modeling, vulnerability assessment and sharing, and internal control processes become key parts of the cybersecurity framework around medical devices—both before and after their market launch. Actionable Threat Intelligence and coordination around data sharing models are valuable components of the exercise.
Speaking of threats and risks, there are two ways to think about risk management in regards to product manufacturing: one can look at it as a business concern, or as a product concern.
Examining risk management as a business concern means all responsible parties within your company need to know where the buck ultimately stops, who has responsibility if something goes wrong, and, in most cases, this rests firmly at the top. This means that the CEO must make risk management a priority, and then give everyone the right and the directive to point out where risks lie, whether it is in the supply chain, the manufacturing processes, or management. Another way to think about this would be to answer the question, “Who is responsible if X, Y, or Z fails, and why?”
One can also look at risk management from a product standpoint. In this case, you must be proactive instead of reactive. You know how your device is supposed to operate under optimal conditions. Product risk analysis will look at what could potentially happen in worst-case scenarios in order to build preventive failsafes into the product before any such scenario could happen.
Both methods of examining risk in order to minimize undesirable effects require a verification review or quality system assessment by a qualified auditor/expert. Self-reporting product risk management is not accepted as legitimate. A company cannot just self-declare their risk is appropriate and start to market their devices. Rather, in order to gain certification, the risk management (of both management and product- related aspects) needs to be assessed under the quality management system principles—such as ISO 13485—by professionals. (See Figure 3)
Putting All the Compliance Pieces Together
When launching a new product, everyone on the startup team strives to do so on time and on budget. If regulatory compliance is not considered at the early design stage, it could become an obstacle instead of a means to assure quality and safety. Too often, compliance matters are an afterthought, only considered when a product is complete or near-complete, and it may or may not have been designed to the regulations of a target market. Considering compliance and involving a regulatory service provider during the R&D phase will help avoid costly compliance oversights.
If a new product fails safety tests at the laboratory because of regulatory oversight, the startup team may need to redesign the product partially or completely. A manufacturer is not going to know if their product fails or passes until the lab performs the test. If the product fails, it will either need a jury-rigged solution paired with hopes that it will not compromise the product’s performance, safety, or cost aspects, or it will need to go back to the drawing board for a redesign. This scenario can be disastrous for a start-up company trying to get a product off the ground on a limited budget.
However, if the product design takes the above areas of concern into consideration, either through pre-tests or consultations with a lab, a startup will not only have a well-designed product for its target market(s), but will also be confident that the compliance step of the product development cycle will not throw a wrench into the launch schedule and budget.
The evolving market, technological, regulatory, and ecological drivers make the overall certification process rather complicated. In order to successfully navigate the complex regulatory environment, today’s medical device startups are strongly advised to enlist the services of an accredited Nationally Recognized Testing Laboratory (NRTL) in the earliest possible stages of product development. These certifying bodies have the skills and experience needed to ensure the finished product will be allowed on the open market, and will bear certification marks attesting to this fact.
There are many certification marks out there and they can certify any number of things: from the region of origin to materials of construction. Certifications verified by an independent third party carry more credibility with both regulators and consumers. These products are allowed to bear the marks of the particular certification body that tested the product, inspected the factory where the final assembly of the product takes place, and performed random sample tests and surveillance to assure ongoing compliance.
This article was written by Uwe Meyer, Business Field Manager - Medical Test, at TÜV Rheinland, Newtown, CT. for more information, Click Here .
Standard IEC 60601-1 for Medical Electrical Equipment, Part 1
The Standard IEC 60601-1 for Medical Electrical Equipment, Part 1: General Requirements for Basic Safety And Essential Performance addresses the following hazards that may result in a noncompliance rating for a product if it is properly applied:
- Electric shock: Does your product have sufficient protection or isolation not to cause an electric shock hazard to an ordinary user, service person or to a patient?
- Excessive (Energy) Output Hazard: Are there sufficient precautions to reduce exposure caused by inaccuracy of operating data or the accidental high setting of an output?
- Mechanical hazards: Is your product designed to avoid the contact with sharp edges, rotating parts, or pinch points if not specifically used for its intended application?
- Excessive temperatures: Are components getting too hot to create a hazard?
- Radiation Hazards: Is your product designed to reduce the risk of X-radiation, microwave radiation, laser-, LED-, IR-, UV radiation, or other visible electromagnetic radiation?
- Fire and Other Hazards: Is there exposure to excessive temperatures, liquid spillage, or pressure vessels; are human errors and other potential hazards properly covered?
For safety evaluations, all safety-relevant components are evaluated for suitability of electrical rating, construction requirements and other necessary approvals. The choice of a suitable standard or combination of standards depends on the type of equipment and is determined on a case by case basis. For medical products there are many collateral and Part-2 standards of the IEC60601-series to choose from. If a product is strictly intended for laboratory use without any patient contact, then IEC 61010-1 may need to be considered.