The Impact of Regulations on Medical Device Design

1
The Impact of Regulations onMedical Device Design

• Richard C. Fries, PE, CRE
• Manager, Reliability Engineering
• Datex-Ohmeda
• Madison, Wisconsin

2
Extra Activities for Regulated Industries

• Develop and maintain a Quality System
• Product Documentation
• Design History File
• Technical File
• Product submissions
• Testing certifications
• Extra time for
• Submissions
• Answer questions from regulators
• Re-submissions
• Audits

3
The Typical Road to Market for a Non-Medical
Device

• Generate a new idea for a product
• Design the product
• Test the product
• Manufacture the product
• Ship the product

4
The Typical Road to Market for a Medical Device

• Generate a new idea for a product
• Design the product
• Test the product
• Submit data to the regulatory agency
• Wait
• Manufacture the product
• Ship the product

5
Timing of Product Development

• Establish a window of opportunity to sell the
  product
• Determine the amount of time to manufacture the
  product
• Determine the amount of time for regulatory
  approval
• Determine the amount of time to test the product
• Determine the amount of time to design the
  product
• Determine the amount of time to specify the
  product
• Start the development cycle

6
Types of Regulations

• Process
• ISO 9000 family
• Audits by Notified Bodies
• Product
• Food and Drug Administration (FDA)
• Medical Device Directive (MDD)
• Individual country requirements (Canada,
  Australia, Japan, Russia)
• City of Los Angeles
• Other standards required for certain products
• Environmental standards

7
Process Regulations

• Basis for product regulations
• Requires the company to show an experienced
  quality system in place
• ISO 9000 family used as the gold standard
• For companies with design capabilities, ISO 9001
  is the foundation
• For medical device companies, ISO 13485 is
  beginning to be accepted

8
ISO 9001

• Management responsibility
• Quality system
• Contract review
• Design control
• Document and data control
• Purchasing
• Control of customer supplied product
• Product identification and traceability
• Process control
• Inspection and testing

9
ISO 9001

• Control of inspection, measuring, and test
  equipment Inspection and test status
• Control of non-conforming product
• Corrective and preventive action
• Handling, storage, packaging, preservation, and
  delivery
• Control of quality records
• Internal quality audits
• Training
• Servicing
• Statistical techniques

10
Design Control

• Design and development planning
• Organizational and technical interfaces
• Design input
• Design output
• Design review
• Verification
• Validation
• Design changes

11
Product Regulations

• United States
• FDA
• Europe
• Medical Device Directive
• Other Countries
• Australia
• Canada
• Japan
• Russia

12
Food and Drug Administration

• Quality system
• Testing to prove the safety and efficacy of your
  product
• Submission material dependent on the type of
  product you are making
• Particular attention to software
• MDRs
• Recalls
• Audits

13
Food and Drug Administration

• Safety and efficacy
• Requirement verification
• Risk analysis
• Environmental testing
• Clinical testing

14
Food and Drug Administration

• Submissions
• Class I Little regulation
• Class II 510(k)
• Class III PMA

15
FDA 2004 User Fees

• Large business
• 510(k) 3,480
• PMA 206,811
• 180 day supplement 44,464
• Real-time supplement 14,890

16
FDA 2004 User Fees

• Small business
• 510(k) 2,784
• PMA 78,588
• 180 day supplement 16,896
• Real-time supplement 5,658

17
Food and Drug Administration

• Software
• Based on an bad experience in
• Canada
• FDA doesnt understand it
• Therefore, they over-regulate it
• All current regulations are in draft form
• Software in a device is the same level as the
  device
• Excess documentation required
• Auditors free to regulate according to their own
  principles

18
Food and Drug Administration

• MDRs and Recalls
• MDR a report sent to the FDA detailing the
  circumstances of your device killing or causing
  serious injury to a patient
• The FDA also gets a report from the hospital or
  clinic where the situation occurred
• Recall a detailed plan for making design
  changes in all your devices currently in the
  field

19
Food and Drug Administration

• Audits
• General
• Triggered by submissions
• Triggered by field failures
• Triggered by unsolicited information

20
Medical Device Directive

• Required for selling a product in Europe
• Product must contain a CE mark
• Must have a quality system
• Product must meet a list of essential
  requirements
• Certificates for all testing

21
Medical Device Directive Process

• Analyze the device to determine which directive
  is applicable
• Identify the applicable Essentials Requirements
  List
• Identify any corresponding Harmonized standards
• Confirm that the device meets the Essential
  requirements/Harmonized Standards and document
  the evidence
• Classify the device

22
Medical Device Directive Process

• Decide on the appropriate conformity assessment
  procedure
• Identify and choose a notified body
• Obtain conformity certifications for the device
• Establish a Declaration of Conformity
• Apply for the CE mark

23
Medical Device Directive

• Three directives
• Active Implantable Medical Devices Directive
  (AIMDD)
• Medical Devices Directive (MDD)
• In Vitro Diagnostic Medical Devices Directive
  (IVDMDD)

24
Essentials Requirements List
25
Declaration of Conformance

• Every device, other than a custom-made or
  clinical investigation device, must be covered by
  a declaration of conformity
• Document that states you have met all the
  essential requirements for your device
• Must include the serial numbers or batch numbers
  of the products it covers
• Signed by a member of Senior Management

26
The CE Mark
XXXX
27
Difference Between FDA and MDD

• FDA
• A submission must be sent to the FDA for each
  product to be marketed
• Must wait for approval
• MDD
• A company may qualify for self-certification to
  MDD for their products. These are checked during
  scheduled audits.

28
Other Product Regulations

• Countries
• Japan
• Australia
• China
• Russia
• Type of Device
• Alarms
• Software
• Environmental
• EMC
• Temperature/Humidity
• Shipping

29
Audits

• 1-4 people in your spaces for 3 days to several
  months

30
Audits

• Will cover in detail your process and products
• Auditors will dig-in in they find the hint of a
  problem
• Major discrepancies will shut you down until they
  are fixed
• Legal and/or punitive steps may be taken

31
Newest of the Regulations

• HIPAA
• Health Insurance Portability and Accountability
  Act
• Main components are Privacy and Security

32
Protected Health Information (PHI)

• PHI is health Information that
• 1) is created or received by a health care
  provider, health plan, employer, or health care
  clearinghouse, and
• 2) relates to the past, present, or future
  physical or mental health or condition of an
  individual, the provisions of health care to an
  individual, or the past, present, or future
  payment for the provision of health care to an
  individual, and i) that identifies the
  individual or ii) with respect to which there is
  a reasonable basis to believe the information
  can be used to identify the individual.

33
Protected Health Information (PHI)

• Any health information that can be identified to
  a person
• It includes information about treatment and care
• PHI can include
• Name
• Dates
• Record number
• Social security number
• Full face photo
• Any other unique identifying information

34
De-Identification

• Patient information from which identifiers have
  been deleted, redacted, or blocked, so that
  remaining information cannot reasonably be used
  to identify a person. Identifiers to be deleted
  include
• Name
• Social security number
• Address
• Telephone number
• Birth date
• Admission date
• FAX numbers
• E-mail addresses
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certification/license numbers
• Full face photos.

35
Civil Penalties for Non-Compliance

• 100 for each violation
• Total of 25,000 for all violations of an
  identical requirement in a calendar year

36
Criminal Penalties for Wrongful
Obtainment/Disclosure of PHI

• Not more than 50,000 and/or not more than 1 year
  impisonment
• Not more than 100,000 and/or not more than 5
  years imprisonment if the offense is under false
  pretenses
• Not more than 250,000 and/or not more than 10
  years imprisonment for the intent to sell, use
  for commercial advantage, personal gain, or
  malicious harm Protected Health Information

37
HIPAA Philosophy

• What I see here,
• What I hear here,
• When I leave here,
• Remains here!