myBrain Technologies’s eye on Medical Device Regulation.
With Sophie Colliot,
Chief Quality Director at myBrain Technologies.
Nowadays, everyone is aware of the importance of new technologies in all sectors of society,
and particularly AI systems. If there is one
sector in which AI systems are creating a major upheaval, it is the health and Medical Devices (MD) sector.
Although AI-based systems are growing considerably, they are still relatively new and their functioning is still not well known by users, hence a certain scepticism about the performance and safety of these devices.
The role of regulations, which have recently evolved, is to ensure the safety of users in
order to reassure them and thus facilitate the adoption of these technologies. The difficulties faced by manufacturers to bring their Medical Devices to market, while complying with the
new regulatory requirements, can legitimately worry these players. However, there are strategies that can help them acquire the necessary certification to bring their products
Indeed, with the aim of reinforcing health safety and harmonizing the application of the rules within the European Union, an in-depth revision of the regulations led to the publication in the Official Journal of the European Union, on May 5, 2017, of a new regulation specific to medical devices (MDR 2017/745).
This regulation has been in application since
May 26, 2021, the date having been postponed by one year by decision of the European Parliament in the context of the COVID-19
The implementation of MDR 2017/745 results
in the invalidity of certificates issued under
the Directives as of May 27, 2024 and the end
of placing in service or making available of MD placed on the market under these directives.
To understand the difficulties of its application
by manufacturers and to find solutions, we interviewed Sophie Colliot, Chief Quality Officer at myBrain Technologies.
Interviewer (I): To begin, can you tell us who is affected by the arrival of AI systems in the Medical Devices sector?
Sophie Colliot (SC): Hello. Three categories of users are affected by this upheaval.
- Healthcare professionals, who are increasingly using new solutions to improve the management of their patients.
- Patients, who are looking for more innovative solutions that are effective, without side effects and at a lower cost.
- Healthy individuals, who are increasingly concerned about their health status and seek continuous improvement of their physical or cognitive performance in an increasingly competitive environment.
I: What is new in the Medical Device Regulation (MDR) 2017/745 compared to the previous directive?
Recall that the MDR 2017/745 aims to harmonize the legislation of EU Member States and strengthen certain requirements, with the purpose of providing patients with safer and better performing MDs. It replaces the European Directive 93/42/EEC.
Among the major changes, we can mention, without being exhaustive:
- The missions of the PRRC (Person Responsible for Regulatory Compliance).
- Clinical evaluation, and in particular clinical investigations and the concept of equivalence.
- The EUDAMED database.
- The Unique Device Identification (UDI).
- The rules for classifying MDs, which are evolving and becoming stricter.
- A list of non-medical MDs in the annex to the regulation.
- Reinforcement of vigilance and post-market surveillance.
I: How did you react to the European Parliament’s decision to postpone the implementation of the MDR 2017/745 by one year?
SC: In essence, this decision is welcome, but it was taken at the last moment: one month before the initially planned date of application.
This delay was essential in order not to endanger the Medical Device sector in Europe. It would have been better to anticipate it more.
As far as our company is concerned, this delay had no impact on the development of our MDs, because at that time we had no MDs on the market certified according to the European directive. The transitional period did not apply to us. At that point, our MDs were still in the development phase. We focused on the certification of our company to ISO 13485: 2016, which we successfully achieved.
I: What is your observation today of the implementation of the MDR 2017/745?
SC: Unfortunately, MD stakeholders are now making the sad observation that this postponement is not sufficient and has not had the positive impact that was expected, namely a better preparation of manufacturers and Notified Bodies (NBs).
Faced with new and more stringent regulatory requirements and structural flaws in the implementation of the MDR 2017/745, there is still a significant risk that some manufacturers will be forced to withdraw their MD from the market. This could have deleterious effects on patient care. Difficulties can also be expected for manufacturers who have not yet placed their MD on the market, as the certification period is an extremely long process. Finally, they may also decide to target other markets, more accessible than Europe.
Therefore, there will probably be specific issues with the MDR 2017/745 that will at some point lead to end-of-development, or end-of-life, decisions to discontinue MDs. This could result in unavailability of MDs to hospitals, practitioners, and therefore patients.
In our case, our market access strategy has enabled us to overcome these difficulties.
I: What are the difficulties encountered in the implementation of MDR 2017/745 and how did you overcome them?
SC: First difficulty. The high demand from MD manufacturers to obtain a CE mark contract has created an ever-growing queue at the NBs’ door. Indeed, the new classification rules and the extension of the definition of MDs are causing a considerable increase in the number of MDs of class higher than I awaiting evaluation by a NB. As a result, NBs find themselves overburdened and unable to respond to manufacturers in a timely manner, even refusing CE mark applications. Finally, it should be noted that the notification of Notified Bodies had to be brought in line with the MDR 2017/745, which in itself created an additional bottleneck.
To overcome this first difficulty, we chose to first certify our QMS, according to ISO 13485, by an already Notified Body to then have more chances to be prioritized for CE marking by this same NB. I think we have a much better control of our certification schedule than other manufacturers.
Second difficulty. The Medical Device Coordination Group (MDCG) guides are not all published during the application of MDR 2017/745, despite the fact that a publication schedule is regularly updated.
We have therefore set up a reinforced normative and regulatory watch procedure, with a PRRC appointment in the first actions, in order to be always up to date with regulatory news.
Third difficulty. The list of harmonized standards according to MDR 2017/745 is far from being finalized.
We have chosen to develop our MDs according to the most recent state of the art. The choice of whether or not to use a standard is up to us as manufacturers, except when the regulations explicitly require it. This is the case, for example, for the symbols, colors and structure of the UDI. MDCG 2021-5 is reassuring that the use of standards is and remains voluntary, and that it is not possible to impose the use of a specific standard in the conformity assessment of a product.
Fourth difficulty. The amendments to the Public Health Code to adapt to the MDR 2017/745 regulation.
We have been particularly attentive to the draft ordinances of the CSP, especially on vigilance and clinical investigations. European countries have until the summer of 2022 to bring their national laws into line with the European regulations (i.e. MDR, drugs and IVDR – In-Vitro Diagnostic Regulation). Pending these updates, the MDR 2017/745 governs clinical studies of Medical Devices.
In addition to these difficulties, there are those specific to the health crisis and the crisis in Ukraine. Like most manufacturers, we had to control the purchase of our raw materials, which were out of stock, and adapt to the sharp rise in prices without ever compromising the safety and performance of our MDs.
The entire Medical Device industry is overcoming these major challenges. MedTech Europe and many European medical technology associations have called for proper implementation of the MDR. Indeed, they warn of the major risks of supply disruptions for patients and the disappearance of companies.
In response to this call on the difficulties faced by manufacturers and NBs, the European Commission published on June 13, 2022 a position paper: Notice to manufacturers to ensure timely compliance with MDR requirements (MDCG 11-2022). The MDCG reminds manufacturers that their devices must be MDR compliant from the end of the transition period and that from that date onwards, Medical Devices that are not MDR certified will no longer have access to the EU market. Manufacturers should also take into account that notified bodies designated under the regulation may not be able to assess all relevant dossiers in the early months of 2024. The guide, which has been heavily criticized by industry stakeholders since its publication, concludes that it is essential that all manufacturers adjust their systems and finalize the transition to the MDR. This is done by addressing a Notified Body and submitting complete and compliant applications as soon as possible and well before the end of the transition period to ensure timely compliance with the MDR.
I: If you were to make changes to the regulation of MDs to ensure the continued marketing of MDs in Europe, what would they be?
SC: Class I software devices, according to the European directive, become class IIa in the vast majority of cases. The clinical evaluation for these MDs is an indispensable but very cumbersome process. It would therefore make more sense to do the following.
On the one hand, lighten the clinical evaluation procedure by extending the scope of application of section 61, paragraph 10, of the MDR to all low-risk software.
On the other hand, revise the classification rule for software systems, based on:
- The risk levels of AI systems, according to the European Commission’s AI Regulation proposal.
- The classification of software, according to ISO 62304.
- The Food and Drug Administration’s (FDA) FDA’s Level of Concern software classification rules.
This would allow software manufacturers to self-certify their product rather than having to have their MD evaluated by NBs. Finally, this would allow for a smoother marketing of MDs in Europe, whether it be:
- For low risk AI systems.
- For class A or Low Level of Concern software.
- For software whose function is indirectly related to diagnostic assistance, treatment assistance, and/or for software whose function is surveillance related to low risk use cases.
I: What advice would you give to all manufacturers affected by MDR 2017/745?
SC: To anticipate the CE marking budget upstream and to overestimate it in case of additional unplanned audits. Also, to think about the scope of CE marking of their MD (modular or global system) and to anticipate the risks in relation to regulatory changes. And this before initiating the certification process and engaging in discussions with the NB to finalize and confirm the CE marking strategy.
Indeed, during the long marking procedure (between 18 and 24 months), it is very difficult to make changes/optimizations to MDs without impacting the current contract and the marking deadline. Nevertheless, a notification of change during a marking process is possible.
It is then better to perform a QMS audit according to ISO 13485: 2016 before the evaluation of the technical file to be prepared for all eventualities. I would also advise manufacturers to develop certain innovations and approve them on other markets before integrating them into CE marked Medical Devices, following a notification of change. The technical documentation for MDs covered by the initial MDR certification should be ready and available at the beginning of the certification process.
I: Why and how did you become a data protection officer?
SC: There are several reasons. First of all, data protection is a core concern for myBrain Technologies. Secondly, although the appointment of a Data Protection Officer (DPO) is recommended by the authorities, it is sometimes mandatory, which is our case. Indeed, our core activities require the collection of sensitive data (i.e. EEG data). In addition, I had been monitoring regulatory developments in my business for several years.
My role as a Chief Quality Officer also has many points in common with that of a DPO: these are cross-functional support jobs with missions of management, support, advice, listening, traceability and control. As a volunteer, I was naturally appointed DPO. A mission letter was drawn up to avoid any conflict of interest with the other missions entrusted to me, and a declaration to the CNIL was made to formalize my new status.
Thus, through my role as DPO, I ensure daily compliance of data processing and processing projects implemented by the company myBrain Technologies.
I: What are the workstreams you have put in place to ensure compliance with the regulatory requirements for personal data?
SC: There are 6 main steps recommended by the CNIL to comply with the GDPR. We have implemented them step by step: the appointment of a DPO, the mapping of processing, the prioritization of actions, risk management, the organization of procedures and processes, and finally, documentation.
The quality approach has helped us a lot to comply with the requirements of the GDPR. myBrain Technologies maintains and continuously improves a certified QMS according to the technical and organizational standard ISO 13485. This guarantees the safety and performance of the MDs to access the medical market in 2023. I think that there is a real added value in integrating the personal data compliance approach with the quality approach in health, which have many points in common in their operation. myBrain Technologies centralizes and pools resources by creating a management system that aims to take into account, in a coherent and global way, the requirements on the following themes: quality in health (safety, performance), security of the information system, protection of personal data. The QMS is based on tools, a method, an organization and a policy. It provides confidence as well as proof of continuous monitoring of regulatory compliance, within recognized and certified practices.
So, in a non-exhaustive way, the compliance actions implemented within the framework of the QMS in order to meet the requirements of the regulations, and in particular of the GDPR are the following:
- Keeping a register of personal data processing.
- Contractualization of the obligations of subcontractors.
- Implementation of technical and organizational security measures.
- Management of requests for the rights of individuals under Articles 12 to 22 of the GDPR.
- Implementation of procedures for notifying the CNIL in the event of a personal data breach.
- Carrying out impact analyses for all personal data processing likely to infringe on the rights and freedoms of individuals or meeting the criteria set out by the CNIL.
- Implementation of the concept of Privacy by Design through compliance management for each project.
I: Finally, how do you feel about the future of the Medical Device industry?
SC: I think that the difficulties we are facing could cause, in a few years, a real break in the European regulatory system to revitalise the MD market in Europe, and could get closer to the American model and its 510k equivalence system.
But I remain optimistic about the future of this sector. I have always had an interest in innovative Medical Devices and the associated regulatory and normative context. The market developments, the technological prowess and the benefits brought by these technologies in recent years only reinforce this.
Get in touch
We are glad you are interested in reaching out to us. Whether you have a question about our products or want to give us feedback, we are here to help.