The changing regulatory environment has become one of the biggest challenges for the medical devices industry. What’s driving the increase in new regulations?
Regulation of the medical device industry is on the rise, due to a demand for better and safer products by end users and industry stakeholders. As a result, QA/RA professionals and senior managers now cite “changing regulatory environment” as one of their greatest challenges, as the regulatory approval process becomes more difficult in developed markets like the U.S. and European Union as well as emerging markets.
In the past, product quality was centered on compliance with regulatory standards prior to launch. The FDA evaluated manufacturers’ quality, and approved products for launch on the basis of compliance with the regulations governing those products.
Due to highly publicized product recalls, regulatory bodies are now concerned about safety and effectiveness throughout a product’s lifecycle and not simply compliance with standards at the time of approval. As a result, they are scrutinizing quality systems including design controls, risk management plans and traceability, which has had a direct impact on the amount of time and resources invested in getting product approvals.
Unique device identification number now required
Legislation mandating a Unique Device Identification (UDI) number for most medical devices marketed in the U.S. is one example of a change introduced by the FDA. To comply with the UDI regulation, manufacturers must now assign each a device a unique identifier that can be read by machines as well as people. In addition, manufacturers now have to populate a database called the Global Unique Device Identification Database (GUDID) with device attribute data.
Manufacturers are also expected to reference the UDI when reporting adverse events or product recalls, according to compliance deadlines that have been determined based on device classifications. The UDI ensures that the devices are identifiable and secure at all points in the supply chain, and also offers protection against counterfeiting. Patients and providers welcome the introduction of the UDI, as it provides a means of proper identification and selection of a device, which could otherwise have life-threatening consequences.
Unfortunately for device manufacturers, compliance deadlines have meant increased work and expense. Part of the effort and cost is in creating a new label for the device, which provides the UDI in either a barcode or on a RFID tag. The UDI has to identify the specific device model as well as capture other details like production batch or lot, serial number and date of manufacture. Reporting device attributes in the GUDID database adds another layer of complexity and cost, as does the need for manufacturers to update policies, procedures and IT systems to demonstrate effective use of the UDI in their reports and documentation.
Device connectivity leads to cybersecurity risks
Technology convergence allows medical devices to connect to the Internet, hospital networks and to other medical devices, which makes them vulnerable to cybersecurity threats that could potentially impact the device’s safety and effectiveness. While these innovative technologies improve quality of care and enhance the ability of health care providers to treat patients, there is a need to balance patient safety and use of technology.
The FDA has now issued guidelines to device manufacturers and health care providers to address cybersecurity threats. The FDA is recommending that medical device manufacturers and health care facilities take steps to ensure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to medical devices and hospital networks.
The FDA has released a guidance document on how manufacturers should address cybersecurity in their pre-market submissions as well as how they should address cybersecurity issues related to products that use off-the-shelf software. Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. Manufacturers and health care providers are expected to comply with the Medical Device Reporting (MDR) regulations by filing a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program, in the event of a cybersecurity event.
European oversight becomes more aggressive
On the international front, the European Commission is introducing sweeping changes to medical device regulations in place since the 1990s. Notified Bodies, organizations that can review technical files and grant the CE (European Compliance) mark for medical devices, will now be subject to increased scrutiny for competence. The new directive will include stricter norms for presenting clinical performance data for evaluation of the device. Manufacturers of high-risk devices, which would previously get CE mark approval based on similarity to a predicate device and by presenting existing clinical data, will now have to invest resources in conducting separate clinical trials for their devices.
An oversight group will be allowed to have a second look at the technical file reviewed by a Notified Body, prior to CE marking approval. For high-risk devices, the group can ask for additional information and clinical testing results, potentially delaying the submission and approval process.
Notified Bodies also can undertake unannounced audits of device manufacturers, which could mean even higher costs for manufacturers. Manufacturers of in-vitro devices (IVDs), will experience the most significant changes as nearly 80 percent of these products will have Notified Body involvement in the approval process, as compared to 20 percent in the past.
Reclassifications now necessitate additional review and approval
A few devices are now likely to be reclassified to a different category, requiring review and approval of all design changes. This was not the case earlier, when only major design changes required review and approval. Manufacturers will also be required to update device technical files, declarations of conformity and labeling. The new format for labeling will include UDI, leading to significant changes in device labeling for all classifications. Another major change is the emphasis on conducting clinical evaluation throughout the lifecycle of the medical device; development phase, initial CE marking phase and post-market phase.
These changes are expected to increase costs and delay device introductions in the EU markets, which has previously experienced faster approval times compared to the rest of the world.
Safer, better products on the horizon
It is clear that the changing regulatory landscape will affect manufacturers' profit margins and may lead to an increase in average selling prices. Product launch times will most certainly get extended. The EU market, which often provided a faster route to market for newer technologies, will not remain as attractive due to the tightened norms. At the same time, though, these changes will lead to safer and better quality products eventually protecting manufacturers from large-scale losses due to device recalls or manufacturing changes. Increased post-marketing surveillance data will also allow monitoring of the effectiveness of a product in its approved clinical setting and enable efficient adoption of health technologies in the future.