Guideline IT Security
On November 21, the Johner Institute, together with TÜV SÜD, TÜV Nord, and with the support of Dr. Heidenreich (Siemens), published a guideline on IT security specifically for medical device manufacturers.
The “regulatory affairs” section comprises over 200 tasks that need to be completed during the development and approval of medical devices.
Here, you will find an overview of the most essential content so that you can get your device approved quickly.
Content
On this page, you will find articles on the following topics:
- What regulatory affairs is
- Regulatory requirements
- Authorization and documentation
- Authorities, institutions, and associations
- Further topics of regulatory affairs
1. What regulatory affairs is
Regulatory affairs comprises the processes and activities that ensure that medical devices meet the regulatory requirements of the countries where they are sold. This includes
- obtaining the necessary approvals from the regulatory authorities,
- compliance with applicable regulations and standards, and
- maintaining conformity throughout the entire product life cycle until decommissioning.
The tasks of regulatory affairs also include monitoring changes to regulations and standards and communicating these changes to stakeholders within the company to ensure continuous compliance.
Regulatory affairs thus plays a crucial role in ensuring that medical devices are safe, effective, and comply with legal requirements.
Further information
Refer also to the article on regulatory affairs managers’ tasks, competencies, and earning potential. This includes the task of developing a regulatory strategy.
2. Regulatory requirements
a) Germany
| Laws | Medical Devices Law (no longer valid)
Medical Devices Implementation Act MPDG |
| National regulations | Medical Device Operator Ordinance (Medizinprodukte-Betreiberverordnung – MPBetreibV)
Medical Device User Notification and Information Ordinance (Medizinprodukte-Anwendermelde- und Informationsverordnung – MPAMIV) |
b) Europe
| EU directives (only for existing devices) | Medical Device Directive (MDD, 93/42/EEC) and its essential requirements |
| EU regulations | Medical Device Regulation MDR
In-Vitro Diagnostics Regulation (IVDR) General Data Protection Regulation (GDPR) AI Regulation (planned) EU AI Act |
| EU guidelines | Overview of MDCG documents
Examples
|
| Harmonized standards | Overview of harmonized standards. You will find further articles on specific standards and their implementation (also) in these categories:
|
c) USA
| Laws | Food, Drug & Cosmetic Act (FD&C)
Administrative Laws (21 CFR)
|
| General information | Request for Information: How the FDA helps with classification
FDA eCopy Program FDA Warning Letters and FDA Form 483 (Form 483) Software Change: What the FDA expects from you |
| Approval procedure | FDA updates “Refuse to Accept Policy” for 510(k)
The FDA Pre-Submission Program The FDA Software Precertification (Pre-Cert) Pilot Program FDA’s De Novo Program Level of Concern: What the FDA wants to achieve with this program Special 510(k): When the FDA will allow this “shortcut” Breakthrough Devices Program of the FDA |
| Requirements | FDA Human Factors Guidances
The FDA QSIT: Quality System Inspection Technique The FDA Benefit-Risk Guidance Recognized Consensus Standards of the FDA Guidance ‘Interoperable Medical Devices’ |
d) Other markets
| see section 3.a) |
3. Approval and documentation
a) Approval
| Approval of medical devices (overview) Please also note the presentation describing the path to the CE mark as well as the articles “7 steps to a medical device” and “Approval of IVDs.“ |
| Conformity assessment procedure (assessing conformity with statutory requirements) |
| Approval in China |
| Approval China FDA / NMPA |
| Approval in Brazil |
| Approval in Japan |
| Approval Saudi Arabia (SFDA) |
| Approval South Korea |
Find more information on international approval
b) Qualification and classification (How should my device be classified?)
| Qualification as a medical device (medical device yes/no). This also includes the distinction between medicinal products and medical devices, as well as the special case of combination products. |
| Classification according to MDR Class I, IIa, IIb, III or IVDR Class A, B, C and D |
| Qualification and classification of software as a medical device |
| Classification of devices as accessories and as commodity/trade goods |
c) Technical documentation (What do I need to document for each device?)
| Technical documentation (overview) |
| Intended purpose (the foundation document) |
| Instructions for use |
| Clinical evaluation of medical devices according to MEDDEV 2.7/1 rev. 4 |
| Risk management files: risk policy, risk management plan, risk analysis, risk management report |
| Usability file |
| Software file, e.g., software requirements specification, software architecture, software tests, software release. Please also note the special features of medical apps (mobile medical apps). |
| Verification and validation of medical devices |
| Unique Device Identification |
d) Quality management (What should your company fulfill?)
Quality management is not usually the responsibility of regulatory affairs. Nevertheless, we have listed some important articles for you.
| Steps to a certified QM system |
| Audits (especially of quality management systems) |
| Systems for Post-Market Surveillance and PMCF (Post-Market Clinical Follow-up) and vigilance |
e) Regulatory Roles
There are several expert articles on regulatory roles:
- EU-Representative (EU-REP)
- Person responsible for regulatory compliance (PRRC)
- Quality management representative / deputy
- Regulatory Affairs manager
- Distributor
- Importer
4. Authorities, institutions, and associations
a) Germany
| Federal Institute for Drugs and Medical Devices (BfArM – Bundesamt für Arzneimittel und Medizinprodukte) |
| German Institute for Medical Informatics (DIMDI – Deutsches Institut für medizinische Informatik); has since been integrated into the BfArM |
| DAkkS, the German accreditation body |
| State authorities: Regional councils, trade supervisory offices, governments |
b) Europe
| Notified bodies |
| NBOG: Notified Body Operations Group |
| MDCG: Medical Device Coordination Group |
c) International
| IMDRF: International Medical Device Regulators Forum |
5. Regulatory affairs: Further topics
The tasks of Regulatory Affairs also include finding and eliminating deviations and non-conformities. The (emergency) elimination is called remediation.
Note the advantages and disadvantages of Regulatory Information Management Systems (RIMS) and their role in manufacturers’ digital transformation.
Part of the tasks of regulatory affairs is regulatory intelligence.
Do you still have questions, for example, about the approval of your devices? Then, take advantage of our free micro-consulting service.
If you would like support in developing and “approving” your medical devices in compliance with the law, contact us right away. The Johner Institute team will be happy to help!
Recognized consensus standards of the FDA
The FDA offers manufacturers the opportunity to use so-called recognized consensus standards for the approval of their devices. The US authority has published a “guidance” document on these consensus standards, presented in this article. It also describes the requirements for using the standards and the advantages for manufacturers, but also points out typical mistakes.
DetailsEU General Data Protection Regulation GDPR
The EU General Data Protection Regulation must be complied with starting at 25 May 2018, at the latest. Many companies, amongst them also medical device manufacturer and operators such as hospitals, are not adequately prepared. This article gives you a review of the main concepts and requirements of the General Data Protection Regulation and examines…
DetailsRetention periods
Medical device manufacturers are obliged to observe and comply with legal retention periods for documents and records. This article provides an overview of the regulatory requirements for the retention periods for the various document classes.
DetailsIVD software manufacturers take note
This article describes the requirements of the in vitro diagnostic medical device regulation (IVDR) for software development and documentation. The requirements apply to software that is part of an IVD (embedded software) and to software that is an IVD itself (“standalone” software). This article also compares the software requirements of the MDR and the IVDR.
DetailsUnannounced audits by notified bodies
Unannounced audits are random sampling checks of the quality management systems by notified bodies with the aim of Initial experience with unannounced audits is now available.
DetailsHealth Breach Notification Rule
The Health Breach Notification Rule defines when health records providers have to report which security issues to whom, within what time frame and in what form. This article provides a brief overview of the requirements of the US Federal Trace Commission (FTC).
Federal Trade Commission FTC: for medical device manufacturers?
The Federal Trade Commission (FTC) is an US agency that aims to ensure compliance with competition law and consumer protection. This article explains the circumstances that require you (e.g., as a medical device manufacturer) to comply with the FTC requirements and the specifics of these requirements. The case of Lumosity shows how radically the FTC…
DetailsFDA MAUDE database: Input for risk management
The FDA MAUDE database provides information on the “Manufacturer and User Facility Device Experience.” It thus corresponds roughly to the database used by the BfArM to publish manufacturer reports on risks.
Regulatory affairs: Service provider, company, individual – liability for mistakes
Many people ask about the liability of individuals, management, and the company. After all, it is not only the Medical Devices Regulations that impose fines and imprisonment. The question of liability also arises for development service providers.
