The Impact of Regulations onMedical Device Design

Richard C. Fries, PE, CRE

Manager, Reliability Engineering

Datex-Ohmeda

Madison, Wisconsin

Extra Activities for Regulated Industries

Develop and maintain a Quality System Product Documentation

Design History File Technical File

Product submissions Testing certifications Extra time for:

Submissions Answer questions from regulators Re-submissions

Audits

The Typical Road to Market for a Non-Medical Device

Generate a new idea for a product Design the product Test the product Manufacture the product Ship the product

The Typical Road to Market for a Medical Device

Generate a new idea for a product Design the product Test the product Submit data to the regulatory agency Wait Manufacture the product Ship the product

Timing of Product Development

Establish a window of opportunity to sell the product Determine the amount of time to manufacture the

product Determine the amount of time for regulatory approval Determine the amount of time to test the product Determine the amount of time to design the product Determine the amount of time to specify the product Start the development cycle

Types of Regulations

Process ISO 9000 family Audits by Notified Bodies

Product Food and Drug Administration (FDA)

Medical Device Directive (MDD)

Individual country requirements (Canada, Australia, Japan, Russia)

City of Los Angeles

Other standards required for certain products

Environmental standards

Process Regulations

Basis for product regulations Requires the company to show an experienced

quality system in place ISO 9000 family used as the gold standard For companies with design capabilities, ISO

9001 is the foundation For medical device companies, ISO 13485 is

beginning to be accepted

ISO 9001

Management responsibility Quality system Contract review Design control Document and data control Purchasing Control of customer supplied product Product identification and traceability Process control Inspection and testing

ISO 9001

Control of inspection, measuring, and test equipment Inspection and test status

Control of non-conforming product Corrective and preventive action Handling, storage, packaging, preservation, and delivery Control of quality records Internal quality audits Training Servicing Statistical techniques

Design Control

Design and development planning Organizational and technical interfaces Design input Design output Design review Verification Validation Design changes

Product Regulations

United States FDA

Europe Medical Device Directive

Other Countries Australia Canada Japan Russia

Food and Drug Administration

Quality system Testing to prove the safety and efficacy of your

product Submission material dependent on the type of

product you are making Particular attention to software MDRs Recalls Audits

Food and Drug Administration

Safety and efficacy:

Requirement verification

Risk analysis

Environmental testing

Clinical testing

Food and Drug Administration

Submissions:

Class I Little regulation

Class II 510(k)

Class III PMA

FDA 2004 User Fees

Large business:

510(k) $ 3,480

PMA $206,811 180 day supplement $ 44,464 Real-time supplement $ 14,890

FDA 2004 User Fees

Small business:

510(k) $ 2,784

PMA $ 78,588 180 day supplement $ 16,896 Real-time supplement $ 5,658

Food and Drug Administration

Software: Based on an bad experience in

Canada FDA doesn’t understand it Therefore, they over-regulate it All current regulations are in draft form Software in a device is the same level as the device Excess documentation required Auditors free to regulate according to their own principles

Food and Drug Administration

MDRs and Recalls: MDR: a report sent to the FDA detailing the

circumstances of your device killing or causing serious injury to a patient The FDA also gets a report from the hospital or clinic

where the situation occurred

Recall: a detailed plan for making design changes in all your devices currently in the field

Food and Drug Administration

Audits:

General

Triggered by submissions

Triggered by field failures

Triggered by unsolicited information

Medical Device Directive

Required for selling a product in Europe Product must contain a CE mark Must have a quality system Product must meet a list of essential

requirements Certificates for all testing

Medical Device Directive Process

Analyze the device to determine which directive is applicable

Identify the applicable Essentials Requirements List

Identify any corresponding Harmonized standards

Confirm that the device meets the Essential requirements/Harmonized Standards and document the evidence

Classify the device

Medical Device Directive Process

Decide on the appropriate conformity assessment procedure

Identify and choose a notified body Obtain conformity certifications for the device Establish a Declaration of Conformity Apply for the CE mark

Medical Device Directive

Three directives:

Active Implantable Medical Devices Directive (AIMDD)

Medical Devices Directive (MDD)

In Vitro Diagnostic Medical Devices Directive (IVDMDD)

Essentials Requirements List

Essential Requirement A or N/a Standards Activity Test Clause Pass/Fail Document Location1. The device must be designedand manufactured in such a waythat when used under theconditions and for the purposesintended, they will notcompromise the clinicalcondition or the safety ofpatients, users, and whereapplicable, other persons. Therisks associated with devicesmust be reduced to an acceptablelevel compatible with a highlevel of protection for health andsafety.

A Internal Risk analysis

Safety review

Design History File

Design History File

2. The solutions adopted by themanufacturer for the design andconstruction of the devices mustcomply with safety principlesand also take into account thegenerally acknowledged state ofthe art.

A Internal Specificationreviews

Design reviews

Safety review

Design History File

Design History File

Design History File

Declaration of Conformance

Every device, other than a custom-made or clinical investigation device, must be covered by a declaration of conformity

Document that states you have met all the essential requirements for your device

Must include the serial numbers or batch numbers of the products it covers

Signed by a member of Senior Management

The CE Mark

XXXX

Difference Between FDA and MDD

FDA: A submission must be sent to the FDA for each

product to be marketed Must wait for approval

MDD: A company may qualify for self-certification to

MDD for their products. These are checked during scheduled audits.

Other Product Regulations

Countries Japan Australia China Russia

Type of Device Alarms Software

Environmental EMC Temperature/Humidity Shipping

Audits

1-4 people in your spaces for 3 days to several months

Audits

Will cover in detail your process and products Auditors will “dig-in” in they find the hint of a

problem Major discrepancies will shut you down until

they are fixed Legal and/or punitive steps may be taken

Newest of the Regulations

HIPAA

Health Insurance Portability and Accountability Act

Main components are Privacy and Security

Protected Health Information (PHI)

PHI is health Information that:

1) is created or received by a health care provider, health plan, employer, or health care clearinghouse, and

2) relates to the past, present, or future physical or mental health or condition of an individual, the provisions of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and i) that

identifies the individual or ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI)

Any health information that can be identified to a person

It includes information about treatment and care

PHI can include: Name Dates Record number Social security number Full face photo Any other unique identifying information

De-Identification

Patient information from which identifiers have been deleted, redacted, or blocked, so that remaining information cannot reasonably be used to identify a person. Identifiers to be deleted include:

Name Social security number Address Telephone number Birth date Admission date FAX numbers E-mail addresses Medical record numbers Health plan beneficiary numbers Account numbers Certification/license numbers Full face photos.

Civil Penalties for Non-Compliance

$100 for each violation

Total of $25,000 for all violations of an identical requirement in a calendar year

Criminal Penalties for Wrongful Obtainment/Disclosure of PHI

Not more than $50,000 and/or not more than 1 year impisonment

Not more than $100,000 and/or not more than 5 years imprisonment if the offense is “under false pretenses”

Not more than $250,000 and/or not more than 10 years imprisonment for the intent to sell, use for commercial advantage, personal gain, or malicious harm Protected Health Information

HIPAA Philosophy

What I see here,

What I hear here,

When I leave here,

Remains here!