On 22 May 2023, Irdeto and QBD Group sat down to discuss developments in the medical device regulatory landscape. This is the transcribed interview, detailing the answers given by both parties when questioned by a single facilitator.
Pieter, Ozlem, thank you for joining us today. Could you please introduce yourselves and your company?
Pieter: Certainly. I’m Pieter Smits, project manager at QBD Group. We are a one-stop shop for life science companies supporting them throughout the life cycle of their products from initial idea to reaching the patient. Our services include the creation and maintenance of quality management systems, process and equipment validations, IT system implementations, software validation, quality control testing in our lab, regulatory support, and more.
Ozlem: Hello, I’m Ozlem Budakli. I hold the position of Irdeto’s Connected Health Quality Manager. My background is in biomedical engineering, and before joining Irdeto, I worked as a medical device auditor in a notified body. Irdeto, a leader in digital platform cybersecurity, initially gained momentum in the entertainment industry, protecting video content. It has diversified into the Internet of Things (IoT) space and our know-how and technology portfolio allow us to offer a wide range of solutions for Medical Device Manufacturers (MDMs) to build secure devices. My role involves overseeing our quality management system and ensuring compliance of our solutions with current regulatory requirements.
To set the context, at what point and for what reasons do your clients usually reach out to you?
Pieter: Clients usually approach us during the pre-submission phase, although we engage with them at various stages. This could involve new device development, expansion to new markets, Medical Device Regulation (MDR) resubmission for previously certified devices, or addressing issues from initial certifications. We also receive post-market inquiries, such as creating post-market surveillance reports and analyzing collected data.
Ozlem: Irdeto specializes in cybersecurity, and clients often seek our expertise when they are preparing submissions or receiving feedback from regulators on cybersecurity deficiencies. Their needs vary. Some clients need assistance in understanding requirements, others in designing cybersecurity procedures and implementing specialized security controls. We increasingly see MedTechs asking for full gap assessments to fully understand where they missed the mark. In the pre-market stage, we are often asked for advisory services such as pen testing, threat modeling, and software architecture reviews.
What recommendations do you have for MDMs to navigate the regulations? Where should they begin?
Ozlem: When I started, the sheer volume of regulations seemed overwhelming. However, I found that there are commonalities and overlaps among the requirements. I suggest that MDMs find subject matter experts, read primary guidance documents, and conduct gap analyses.
Pieter: I agree. Seeking expert guidance and allocating resources effectively are crucial steps. MDMs can focus on device development and manufacturing while relying on regulatory experts to ensure compliance.
Are there specific guidelines or documents you recommend to clients for insights?
Pieter: Certainly. ISO 13485 and IEC 62304 are fundamental documents. However, beyond regulations, understanding the concept of ‘state-of-the-art’ mentioned in the MDR can be challenging. Notified Bodies’ interpretations can vary due to the evolving nature of the concept itself.
Ozlem: In the realm of cybersecurity, starting with the foundational guidance documents published by the Medical Device Coordination Group (MDCG), under MDR in Europe, and the Federal Drug Administration (FDA) in the US, is the first important step. Among all the documentation standards that MDR and FDA refer to, I find the International Medical Device Regulators Forum’s (IMDRF) guidance particularly helpful, as they offer a clear perspective and often a hands-on approach to how each requirement can be put into practice.
Could you elaborate on the concept of state-of-the-art, required under MDR, and how clients interpret it?
Pieter: In my view, the concept of state-of-the-art is both a blessing and a curse. It is dynamic by itself, allowing requirements to evolve over time. To take an example, 21 new guidance documents were issued by the MDCG last year. All of these, as much as any others published by reference working groups around the globe, should be considered by MDMs to follow the state-of-the-art approach.
Ozlem: Regulators introduced the state-of-the-art concept to keep up with rapid changes in technology. Although the terminology of most guidance documents is not clear on whether to take their recommendations as “shall” or “should” statements, I advise MDMs to comply as closely as possible, as regulators have all the legitimacy to enforce them during the conformity assessment process.
How have regulators evolved in handling cybersecurity compliance? What does this mean for manufacturers?
Ozlem: In the past, cybersecurity was often considered a ‘nice to have’ feature. However, it has now become a necessity. Manufacturers often receive nonconformities related to cybersecurity during the certification of their conformity assessment process. The recent FDA guidance includes a checklist for Refuse to Accept submissions, indicating increased scrutiny. Additionally, financial sanctions for non-compliance are being introduced, such as in the Network Information Security (NIS2) Directive, an EU-wide legislation aimed at protecting against cyber threats.
Pieter: Indeed, the focus on cybersecurity and risk management has increased due to the transition from the Medical Device Directive (MDD) to MDR. Under MDR Rule 11, a new software-specific classification rule, almost all Software as a Medical Device (SaMD) has been pushed into risk class IIa or IIb. This means that a lot more software came into the scope of notified bodies, which wasn’t the case before. There is new scrutiny, more specifically, regarding Software of Unknown Provenance (SOUP).
It’s a bit of a side note, but could you clarify which devices fall under the category requiring cybersecurity monitoring/documentation?
Ozlem: Certainly, it’s a crucial point to clarify because there’s often confusion about this topic. While regulations still vary from one region to the next, it is clear that regulators intend to consider all active devices as subject to cybersecurity compliance, regardless of their connectivity interfaces.
Let’s shift to the topic of post-market activities, as we see increasing regulations on this side of the Total Product Life Cycle (TPLC). What emerging topics do you observe here?
Ozlem: Post-market activities are really significant for cybersecurity. Especially with the release of the NIS2 Directive, information sharing between stakeholders became much more important. MDMs are responsible for maintaining device security throughout their presence in the market. This involves tracking vulnerabilities through published Common Vulnerabilities and Exposures (CVEs), assessing them against their devices, adopting coordinated vulnerability disclosure plans, ensuring regular patching, and sharing security information with stakeholders.
Pieter: The keyword when it comes to post-market activities is anticipation. Our role at QBD is to ensure that manufacturers are well-anticipated during the pre-market stage. We help clients define the activities thoroughly in their Quality Management System (QMS) and establish processes for data recording. Effective post-market activities involve proactive planning.
Thank you both for your insights. To conclude, what trends and new topics do you anticipate?
Pieter: Besides cybersecurity, I’m not going to surprise anyone by saying that another major development on the horizon is the Artificial Intelligence (AI) Act, expected to come into effect soon. This regulation will impact the CE marking of SaMDs incorporating AI, resulting in additional requirements for those specific devices to comply with.
Ozlem: Absolutely. AI is gaining prominence in medical devices. Additionally, protecting AI-based software against cybersecurity threats will become crucial. There is a lack of understanding and a lack of solutions on this topic. I expect to see a lot of evolutions here.