Author: Carrie Hetrick | Date: February 18, 2021
With the EU’s new medical device software (MDSW) requirements, the guidance related to qualification, classification, clinical evaluation and cybersecurity present challenges for software as a medical device (SaMD) manufacturers. Approaches to MDSW under the EU Medical Device Regulation (MDR) 2017/745 and In Vitro Diagnostic Regulation (IVDR) 2017/746 are much stricter than other regulations and require a deeper dive.
The Regulatory Affairs Professionals Society details these changes in Medical Device Software Under the EU MDR. Here is a synopsis of their findings to help you navigate the process.
Qualification is the activity that determines whether the MDSW is covered under the MDR. To that end, MDCG 2019-11 offers a qualification workflow that takes manufacturers through the following questions:
Classification determines the risk class of a medical device. Software under the MDR is an active device and must follow active device classification rules. The final classification will be determined by the highest classification of the MSDW after all classification rules are applied.
To avoid being assigned a classification that is too high, follow MDR Annex VIII Rule 3.3 and MDCG 2019-11 guidance, which is based on International Medical Device Regulators Forum (IMDRF) recommendations. For example, according to this guidance, because most software has an indirect influence on treatment or diagnosis, the classification should be lower. And any software that drives a medical device or influences its use should be assigned the same risk class as the device itself.
The most recent clinical evaluation guidance (MEDDEV 2.7.1 rev 4) was not written with MDSW in mind. Yet governing bodies expect clinical evaluations to follow the guidance, using the Clinical Evaluation Assessment Report (CEAR) template for the review. Therefore, manufacturers should have solid understanding of the CEAR, keeping in mind the following omissions from MEDDEV which create critical gaps for MDR requirements:
According to the MDR, clinical evidence is based on a very strict definition of clinical data from an original or equivalent device, with clinical data coming mainly from clinical investigations (and not from post-market surveillance clinical data). To help MSDW manufacturers navigate the regulation, the Medical Device Coordination Group (MDCG) created a suite of documents that offer guidance specific to:
Note, both MDR and MDSW clinical evaluations are required.
With the recent prevalence of ransomware attacks on hospitals around the world, MDCG 2019-16 guidance on cybersecurity was developed to protect MDSW—and updated guidance is expected soon. The guidance also requires that manufacturers inform the hospital asset owner and system integrator on how the MDSW can be protected.
Manufacturers are strongly encouraged to carefully study the MDCG guidance for the MDR, as it contains solutions for common problems, plus additional requirements for acquiring the MDR CE mark. If you have any questions or are looking for additional information about the new EU medical device software requirements, contact our regulatory team.
October 7, 2013
February 18, 2021
November 23, 2020