Are you equipped to meet medical device regulatory needs today, and adjust for the changes of tomorrow?

FDA medical device regulation can be quite complex — and for good reason. There are many different laws, rules, and best practices that may affect your cloud-connected medical device today, and in the future. EU medical device regulation (MDR) adds another layer of complexity. Regulations across jurisdictions are likely to change as governments and other organizations expand their oversight. Additionally, as your medical device matures you may be impacted by existing rules that may not have previously applied.

Medical device regulation

The innate purpose of medical devices is to improve the quality of life of their users, and in some cases they can even mean the difference between life and death.

For example, a connected medical device like an Automated External Defibrillator (AED) machine that sends live signals to medical professionals must comply with strict medical device regulatory requirements because, in the event the device malfunctions, it could result in the death of an individual who did not receive the medical attention needed during an emergency.

Regulation within the medical device industry also plays an important role in ensuring medical devices can legally be sold within the United States, or on a global scale. These regulatory needs can vary from country to country, so having a thorough, broad understanding can shape your pre-market regulatory strategy, assist with regulatory submissions, and ensure post-market compliance.

Regulatory considerations for Class II and III medical devices

It is important to research the type of regulatory requirements you will need to comply with for your medical device. 

For example, if you are building a Class II medical device with connectivity and are only using extracted data for historical purposes, with no medical decisions being made based on the data, your device may qualify as a Medical Device Data System (MDDS). 

Contrast that with a Class III medical device, such as a pacemaker, which must meet very stringent system verification and validation controls for the device’s connectivity and use, since the data output is critical for life-saving decisions.

Under U.S. and European law, collecting raw data and using that data to assist physicians with diagnosis or therapy decisions is considered Clinical Decision Support (CDS) and meets the definition of a medical device. The requirements become far more stringent for how you collect data and the processes you need to have in place to do so.

It is beneficial for your medical device company to be familiar with the standards in other markets that you may want to enter as well. Just because a cloud infrastructure passes FDA rigor does not necessarily mean it can be marketed globally! This concern becomes more important when considering the security of the cloud platform (the actual application providing connectivity) hosted by the underlying infrastructure.

Connected medical device regulatory standards

As it relates to medical device cloud connectivity, the chart below summarizes a handful of the most significant and relevant standards today.

Understanding and documenting your pathway at an early stage is ideal. After that, simply be on the lookout for new rules that may apply to you. Your device’s cloud connectivity solution should be developed by an organization that has a deep understanding of, and practical experience with, these standards.

ISO Medical device standards

| Standard | Title | Description |
| --- | --- | --- |
| ISO 13485 | Medical Devices – Quality Management Systems | Defines how to operate your Quality Management System |
| 21 CFR 820.30 | FDA Quality System Regulation | U.S. federal law; governs device design and development |
| IEC 62304 | Medical Device Software – Software Lifecycle Processes | Defines how to perform all aspects of device software development |
| ISO 14971 | Application of Risk Management to Medical Devices | Describes how to manage risk to ensure patient safety |
| ISO 27001 | Information Security Management | Outlines the management of data/information security |

ISO 13485 – Quality Management Systems

This set of requirements defines what is to be captured in your Quality Management System (QMS). These requirements set the rules by which you will need to document, store, and maintain many facets of your processes, including design controls, verification and validation, change logs, corrective actions, and more. 

Your QMS will play a central part within your company from the device’s initial design until its end of life. There are now several providers of online quality management systems that can significantly ease the burden of creating and maintaining your QMS.

21 CFR part 820 – FDA Quality System Regulation

This is the FDA’s design control mandate. Of all the standards listed here, this is the only one that is U.S. federal law; it is mandatory that a company adheres to 21 CFR 820.30. This law governs most Class II and Class III medical devices — and some Class I devices as well.

To summarize its intention, these laws define how to document the design of your device, how it will be tested, how the design will be refined, and the roles and responsibilities of everyone involved during the design effort. Adhering to this regulation will be a core part of your life as a medical device company.

IEC 62304 – Medical Device Software Lifecycle Processes

This standard is focused on the software development process and is applicable in both the U.S. and the EU. Essentially, it is a detailed implementation of the high-level objectives (laws) of 21 CFR 820.30. This standard defines how you will document the creation of your software including capturing requirements, architecture and design, verification testing, and commercial release. 

Before you begin writing a single line of code, it is important to be very familiar with this set of guidelines, because ignoring it can mean a lengthy and costly process down the road.

ISO 14971 – Application of Risk Management to Medical Devices

This standard provides the outline of the application of risk management for your medical device. In other words, it defines the safety methodologies related to the device and how you have ensured safety as your device interacts with a patient. It is applied to the mechanical, electrical, and software components of your device. This includes documenting how safety is ensured both in design as well as in production, and how the device will be maintained throughout its useful life.

There are various methods of risk analysis implementation; it is important to select one method and apply it to your device. The exercise of anticipating how your device will fail in the field and designing the device in ways to minimize those failure conditions will result in a better medical device and goes a long way to ensure patient safety.

ISO 27001 – Information Security Management

This standard defines your cybersecurity infrastructure, maintenance, and documentation from a managerial perspective. Cybersecurity threats to connected medical device companies can be very serious.

Medical device manufacturers must have well-defined and forward-looking practices in place to protect their patients’ data and their aggregated protected health information, as well as their device’s data, intellectual property, and financial data.

Connecting your medical device to a cloud

There are several important considerations on the path to connecting your medical device to the cloud. Hardware, software, security, and important regulatory considerations need to be taken into account as you plan your connected device infrastructure development. 

Building, operating, and maintaining a compliant medical device connectivity infrastructure can be very costly and time consuming. It is often more cost-effective to leverage a pre-existing platform (like the Galen Cloud™) than to try to address these ever-evolving regulatory requirements on your own.

The Galen Cloud™ has accelerated the time-to-market for dozens of medical device companies by providing the compliant solution needed for FDA approval. The Galen Data team is equipped with decades of experience in software and regulatory compliance, and is committed to device connectivity.

Galen Data’s platform allows companies to wirelessly collect, store, share, and quickly analyze patient data. Dashboards and alerts for the manufacturer, medical team, and patients are also provided within the platform. The software platform is compliant with FDA, HIPAA, and CE Mark standards, and is ISO 13485:2016 certified.