By Scott Thiel and Alexandros Charitou, Navigant
With a global digital health market — comprising health technology, mobile devices, software applications, and analytics — projected to swell from $71.4B in 2017 to $379B by 2024, a range of startup and long-established medtech, pharmaceutical, and IT companies are vying for market share. The United States (US) commanded $30.5B worth of the global market in 2017, while Germany was the European Union’s (EU) leading digital health market.
Innovators targeting these two regions must not only have differentiating technologies, they must understand the regulatory “rules of the road” — including, among other things, clarity on whether their product is considered a regulated medical device, diagnostic, or combination product, an understanding of the requirements for wireless capability, and the sense to avoid common mistakes. Namely, they must keep pace with changing regulatory expectations in the same way they do with technology changes, exercising diligence in creating and following a prudent and effective regulatory strategy, while anticipating the potential need to shift course as industry drivers change.
Current Digital Health Regulation In The EU and US
Contrary to long-held belief, the US is not necessarily the more difficult path to market for some medical technologies, particularly digital health technologies. The EU may now present more obstacles for certain digital health technologies, because the United States is further ahead in defining and clarifying a regulatory approach to Software as a Medical Device (SaMD). Additionally, in recent years, the US has taken legislative and administrative action to reduce regulatory stringency for certain digital health technologies. These actions include:
- Reclassifying Medical Device Data Systems (MDDS) from Class III (subject to premarket approval) to Class I (subject to general controls) in 2011.
- Breaking the unofficial “accessory rule” chain for connected medical devices which, historically, were automatically assigned the same classification as the “parent” device. The rule change stipulates that, in a chain of interconnected devices, each device no longer is necessarily subject to the highest device classification in the chain — an untenable approach for interoperable systems.
- Applying enforcement discretion for certain types of software devices the FDA considered to have a low risk profile, which effectively reduced regulation of these products for the foreseeable future. For example, the FDA used enforcement discretion in its Mobile Medical App guidance in 2013 to reduce regulation on certain types of mobile medical software. The FDA provided documentary evidence separating the underlying smartphone platform from the app, and regulated only the app. Then, in 2015, the FDA used enforcement discretion to further reduce regulation on medical device data systems (MDDS), as well as some software involved with medical images to indicate these software devices were no longer actively regulated. Note: The changes in 2015 also led to an update to the Mobile Medical App guidance.
- Passing the 21st Century Cures Act which, under U.S. code §3060, removed certain SaMD from the official definition of a medical device, thus removing it from FDA jurisdiction.
Meanwhile, EU governing bodies have made it generally more difficult for certain digital medical technologies to gain market approval. Some of this heightened oversight came as a result of public furor in reaction to two cases of faulty medical technologies — one involving what became known as “rupture-prone” breast implants, made with industrial-grade silicone rather than medical-grade silicone, and the other involving metal-on-metal hip replacement implants alleged to have caused some patients to require additional surgeries.
In part, as a result of public outrage, the 28 EU Member States increased efforts to approve the Medical Device Regulation (MDR), as well as the In-Vitro Diagnostic Regulation (IVDR). The MDR and IVDR replace the Medical Device Directive (MDD) and In-Vitro Diagnostic Directive (IVDD), respectively.
On the plus side, the regulations bring additional consistency, because the various EU member countries have less flexibility in their adoption than they did under the directives. On the minus side, many software products regulated with a light touch under the MDD (e.g., Class I) could become more tightly regulated under the MDR (e.g., Class IIa, IIb, or even III).
Furthermore, the MDR enters fully into force in 2020, at which time all applicable products sold — or being developed for use — in the EU must comply. That means manufacturers must assess new and existing product changes against the regulation, update any testing, find a qualified Notified Body (a certification organization authorized to review the submissions on behalf of the European Commission through designation by their member country), and obtain approval to sell within the European Union (and thus the European Economic Area, which generally follows the European Union).
Compounding the complex EU process is the fact that the training and qualifications required to be a Notified Body entity have become more rigorous, which has resulted in fewer Notified Bodies serving the region. In other words, little time, guidance, or access to regulators exist for companies with new or existing technologies to apply and comply with the MDR.
Creating A Regulatory Strategy
No matter which global region a digital health company elects to launch in, they must be careful not to underestimate the expertise or rigor required to seek and gain approval to market their product. Digital health companies should avoid making common mistakes preparing for or responding to regulatory challenges, including:
- Lack of investment in resources toward regulatory strategy, especially a quality management system
- Lack of awareness, understanding, or knowledge of regulatory requirements
- Lack of commitment and attention to fulfilling regulatory requirements early, and as part of the product development process, especially from the technical team
- Trying to meet regulatory requirements after the fact, thereby being forced to backfill documentation and processes
It’s best for digital health companies to begin planning their regulatory strategy during product design concepting, and to allow at least eight to 10 months — ideally, 12-18 months — to build a quality management system, and to generate objective evidence showing a design meets regulatory expectations. Companies that begin addressing quality management system needs earlier are more likely to meet product launch and commercialization goals. They also gain several program advantages — including cost efficiencies, improved team collaboration and output, and more thorough, accurate, and relevant data — all while creating a strong foundation for a repeatable process for future innovations. Companies that start later will have additional costs in gap assessment and remediation efforts; in the worst cases, they’ll be forced to make design changes or perform significant re-testing.
While meeting regulatory requirements is never a one-size-fits-all process, due to variations in company make-up and regional jurisdictions, companies can anticipate several areas of overlap and be proactive in bolstering:
- Design specification requirements — Companies need a written record of design specifications that is traceable and testable, proving how the product was built, and that it is working as intended. Capturing changes to design specifications is especially challenging for SaMD when compared to traditional medical devices. Companies developing SaMD inevitably need to incorporate tools to aid them in capturing, monitoring, and tracing SaMD requirements from concept through testing. Tools already used to support agile software development often can be leveraged to meet the regulatory expectations, thus minimizing the impact to how a company already develops software.
- A risk-based program for postmarket reporting — Risk management is an ongoing process that supports the entire quality management system, not a “one and done” activity. The program should include, but not be limited to, vigilance, monitoring, and reporting to health authorities (e.g., the FDA and Notified Bodies). The program must flag and elevate for investigation any adverse events that caused, or potentially caused, injury or death to a patient involving the regulated product. Each regulatory oversight body has different reportability criteria, as well as specific formal processes, but each generally will require root cause analysis to find out why the adverse event happened, how it happened, and what can be done to prevent additional events.
For example, undergirding is a risk-management program to help identify and mitigate potential user or patient harm. This type of risk management tends to challenge companies new to medical device regulation, and especially those new to SaMD, because software developers generally are not responsible for — or are unaccustomed to — identifying these kinds of potential hazards. Applying ISO 14971 also is challenging for newcomers, even with the help of the technical report IEC/TR 80002-1.
- Evidence — Companies need to generate clinical performance and safety evidence validating claims about their technology, as well as a program to provide ongoing proof. For example, if a company claims its SaMD is the easiest piece of software for a particular age group to use, the company needs to provide evidence that the software has been tested within that age group, and is defensibly the easiest for that age group to use. Note: In general, superlative claims like “easiest” should be avoided. The moment a new competitor product hits the market, the claim may no longer be supportable through previous testing, and re-testing will be needed.
Hardcopies — or, more specifically, static information sets — for a given version of a SaMD design are needed to share information with a health authority. However, the information can be held electronically until the point where the sharing is needed; if there is an audit at the company, the information can be shown to the auditor via the electronic system. One note of caution: any electronic system must be proven capable of supporting the need (i.e., validated), and have appropriate authorization and authentication controls in place.
- Cybersecurity and data privacy — Most regulatory bodies are building in concepts of, and thus requirements for, privacy and security by design. Digital health technology manufacturers need to consider these patient protections and design them into their products in the same way as other product features. Further, manufacturers must create a monitoring and triage process, including action and documentation plans, to promptly address (and shut down) any events in which a threat is realized. Realized and potential cybersecurity threats are part of the reason regulators are showing interest in and building requirements around designing protection into medical devices, including SaMD. For example, in 2017, several pacemaker models were voluntarily recalled due to a hacking threat.
Companies pursuing digital health technologies need to navigate complex and changing regulatory schemas across the United States and European Union, as well as the rest of the world. By addressing the four areas of common requirement, companies will be in a stronger position to secure authorization and maintain products on market.
Looking ahead, digital health companies eyeing these markets should anticipate continued changes in regulatory requirements as regulatory bodies react to changes in technologies and their application. As the flow of information continues to quicken, companies should anticipate more frequent regulatory changes, especially in reaction to any adverse events or in the wake of political and philosophical power shifts.
The best bet is to plan ahead: seek advice early in the design and commercial process from regulatory specialists; assess potential gaps and opportunities in relation to current legislation; put robust processes into place; and build a regulatory strategy in line with long-term business goals.
About The Authors
Scott Thiel, MBA, MT (ASCP), RAC, is a Director at Navigant, where he leads the digital health center of excellence in the life sciences group. Scott has over 30 years of experience in the medical device industry, with expertise including product development, software, and connectivity related to medical devices, regulatory affairs, compliance, and quality system creation and remediation. Scott has been trained as an ISO 13485 Lead Auditor and in the Medical Device Single Audit Program. Scott holds roles in a variety of industry organizations, including the Personal Connected Health Alliance.
Alexandros Charitou, MD FRCS MBA MTOPRA, Associate Director, is an experienced clinician and chest surgeon. He has 20+ years’ experience in healthcare and life sciences, in clinical roles, commercial, and regulatory strategic consulting. Alexandros provides advisory support in strategic commercial opportunity assessments, clinical advisory, medical affairs and regulatory strategy support for both medical technology and pharmaceutical companies. Alex is a subject matter expert on the EU MDR as it relates to medical software, as well as European Medical Device Commercial Strategy, Regulatory Affairs, Clinical Development, Medical Technology and Pharmaceutical Products Due Diligence. Alexandros is also an ISO13485 Lead Auditor.