With the help of our members, this thought-leadership series explores the acceleration of “digitalization” due to COVID-19 on both sides of the Atlantic, and across various industries. Today, we present Judith L. O’Grady, Partner at TROUTMAN PEPPER in Washington, D.C., along with Elisa Stefanini, Counsel at PORTOLANO CAVALLO in Milan, Italy. They will address: “The Medical Device Regulation in the EU and the United States and its impact on software as a medical device”.
1. The new Medical Device Regulation in the EU
On May 26, 2021, the Medical Device Regulation 745/2017 (“MDR”) became fully applicable in the European Union, establishing a new regulatory framework for the internal market for medical devices and replacing relevant national legislation (resulting from the transposition of Directive 93/42/EEC, the “Directive”). In contrast to directives, regulations are directly applicable and do not need to be transposed into national law: this should significantly reduce the risks of regulatory discrepancies across the EU market.
As of the application date, a transitional regime applies that allows devices complying with the Directive still to be placed on the EU market under certain conditions until May 26, 2024, at the latest.
In general, the MDR maintains all the requirements of the Directive while adding some new requirements concerning, among other things, transparency and post-market surveillance, classification rules, obligations for operators in the distribution chain (importers, distributors, and authorized representatives), and the like.
1.1 The impact of the MDR on software as a medical device
Items that fall under software as a medical device (“SaMD”) are particularly impacted by the new regulatory framework, as the MDR generally assigns a higher class of risk to SaMD than the Directive did.
In fact, according to the new classification rules provided by the MDR (Rule 11), software intended to provide information used to make decisions for diagnostic or therapeutic purposes or to monitor physiological processes is generally placed in Class IIa. However, when the decisions or the monitoring activity may, in theory, impact the user’s life or cause serious or irreversible deterioration of their health, the risk class is higher (IIb or III). All other software is classified as Class I. Conversely, software for general purposes, even when used in a healthcare setting, or software intended for lifestyle and well-being purposes is not a medical device. The qualification of software, either as a device or an accessory, is independent of the software’s location or the type of interconnection between the software and a device.
Therefore, under the MDR, most SaMD probably falls into Class IIa or higher, while under the Directive most software was classified as low risk and fell into Class I. The change described above has significant impact on the regulatory path to be followed when placing SaMD on the EU market. Indeed, the assessment of the safety and security of Class I devices, for the purposes of the CE marking, is the sole responsibility of their manufacturers, which draw up a declaration of conformity. Conversely, for devices in higher classes, the CE marking process requires certification from a third party (notified body) and is therefore longer and more expensive.
However, thanks to a later amendment to the MDR, a Class I medical device under the Directive that falls into a higher class of risk under the MDR may benefit from the transitional regime mentioned above (while Class I devices were originally excluded), on the condition that: (i) the device’s declaration of compliance was drafted by the manufacturer prior to May 26, 2021; (ii) the device continues to comply with the Directive; and (iii) there are no significant changes to its design or intended purpose.
The above means that if SaMD undergoes significant changes in design and intended purpose during the transitional period, it becomes subject to the MDR. This provision may turn out to be particularly difficult to apply to SaMD based on AI or ML algorithms, which continuously change during their life cycle.
1.2 The new obligations and responsibilities for distribution chain operators
Another very important change under the MDR is that, for the first time, it introduces specific obligations and responsibilities on the part of importers, authorized representatives, and distributors, in addition to those already imposed on manufacturers.
For instance, importers of medical devices from outside the EU are responsible for ensuring that the devices they place on the market comply with the MDR and are registered in the dedicated EUDAMED database (not yet operational), and that the manufacturer has fulfilled its obligations. They also have the responsibility of informing manufacturers and authorized representatives in the event of complaints or reports of suspected incidents from healthcare professionals, patients, or users.
Authorized representatives in Europe—which must be appointed by each non-EU manufacturer—shall, inter alia, verify that the EU declaration of compliance and the relevant technical documentation have been drawn up and, where applicable, that an appropriate compliance assessment procedure has been carried out by the manufacturer. Interestingly, under the MDR an authorized representative is legally liable for defective devices jointly and severally with the manufacturer.
As for manufacturers, which are responsible for their devices once they are on the market, the MDR requires them, for the first time, to have systems in place to cover their financial liability for harm caused by defective devices. Moreover, each manufacturer must name a person responsible for regulatory compliance.
The concrete applicability of the rules above to SaMD shall be carefully assessed, to adapt them to the peculiarities of medical devices that have no physical components and, thus, may have different modalities of distribution (e.g., entirely online).
2. FDA SaMD Requirements compared to MDR
FDA’s SaMD regulatory requirements closely resemble those developed by the MDR, with a few key caveats. Much like the MDR, FDA employs a benefit/risk-based approach when determining the regulatory classification of an SaMD product. In doing so, like the MDR, FDA relies more on the products’ intended uses (as evidenced by labeling and marketing claims) than on the specific platform used. Namely, if a software function is intended for use in performing a medical device function (i.e., for diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease), it is a medical device, regardless of the platform on which it is run.
Depending on the product’s specifications and intended uses, software products can be classified as low, medium, or high risk for the end user. Depending on their regulatory risk, SaMD products, like any other medical device, may be classified in any of FDA’s three regulatory classes: class I (general controls), class II (special controls in addition to general controls), or class III (premarket approval). Each class implies an increasingly stringent regulatory framework. The following requirements apply to all medical devices, including SaMD products:
- Establishment registration, and Medical Device listing (21 CFR Part 807);
- Quality System (QS) regulation (21 CFR Part 820);
- Labeling Requirements (21 CFR Part 801);
- Medical Device Reporting Requirements (21 CFR Part 803);
- Premarket Notification Requirements (21 CFR Part 807); and
- Investigational Device Exemption (IDE) requirements for clinical studies of investigational devices (21 CFR Part 812).
With respect to SaMD products, however, the FDA provides one exception for low-risk and “general wellness” products. Namely, FDA will not enforce the above-mentioned requirements for SaMD products that are low-risk and that either help patients self-manage their conditions without providing specific treatment suggestions or automate simple tasks for health care providers. Regardless, FDA recommends that manufacturers of all medical software products that may meet the definition of a medical device follow FDA Quality System regulations in the design and development of their software products.
Similar to the new MDR requirements, initial importers of SaMD products must ensure that the devices they place on the market comply with FDA regulations, are registered and listed with the FDA, and that the manufacturer complies with basic regulatory requirements. Initial importers are also responsible for complying with registration, medical device tracking and reporting requirements. Additionally, foreign-based manufacturers must name a U.S. Agent when registering with the FDA. Much like Authorized Representatives in the MDR, U.S. Agents act as a nexus between the FDA and the foreign manufacturer, yet only have limited liability for any issues related to the devices imported by the manufacturer under their representation.
Despite its proactive efforts to keep regulations updated in the evolving healthcare technology space, FDA has recognized its regulatory view will need to be updated, particularly in terms of self-learning algorithms and A.I., as well as low-risk and general wellness devices.
- Judith L. O’Grady, Partner, TROUTMAN PEPPER | email@example.com
- Elisa Stefanini, Counsel, PORTOLANO CAVALLO | firstname.lastname@example.org
Stay tuned for more on this series! We hope you enjoy these Thought-Leadership pieces written by our members: Troutman Pepper LLP & Portolano Cavallo Studio Legale.