Category: IVD & MDR NEWS

Wellness vs IVD medical device – Navigating the blurred line between these sectors

In recent years there has been a surge in companies providing biological wellness data to health and fitness enthusiasts eager to improve their health and performance. These can range from wearable devices such as smart watches measuring heart rates to mail-order kits analysing biological samples.

Advances in technology mean larger and more complex data streams can be analysed and presented in a user-friendly way which means more companies have become interested in this space. But the distinction between the wellness and IVD medical device is becoming increasingly blurred. Products are sometimes unintentionally entering the medical and in-vitro diagnostic space, opening them up to the demands of the applicable regulatory requirements. 

So, how can the line between a wellness device and an IVD medical device be defined?

As a manufacturer, the first step in classifying your product is to determine a clear intended purpose and user. If it has a medical purpose, then your product is a medical device. 

The EU In-Vitro Diagnostic Regulation (IVDR) ((EU) 2017/746) defines IVD medical devices as devices used to examine specimens derived from the human body to provide information on one or more of the following:

a) concerning a physiological or pathological process or state, 

b) concerning congenital physical or mental impairments, 

c) concerning the predisposition to a medical condition or a disease, 

d) to determine the safety and compatibility with potential recipients, 

e) to predict treatment response or reactions,

f)  to define or monitoring therapeutic measures

The device can be a reagent, reagent product, calibrator, control material, kit, instrument, apparatus, piece of equipment, software or system and used alone or in combination with other medical devices.

---

It is important that as a manufacturer you highly consider your intended purpose and ensure that you do not stray into an area that could be considered to have a medical purpose if you want to remain within the wellness area. It is not sufficient to write disclaimers such as ‘this product is not a medical device’ to diminish any regulatory responsibilities if the device is in fact a medical device as per the definition.

The FDA have published guidance on its definition of a general wellness product. It states that a general wellness product has to have:

1) an intended use that relates to maintaining or encouraging a general state of health or a healthy activity, or

2) an intended use that relates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition.

The examples that it shares can show that the same device can be considered wellness or a medical device depending on what you determine the intended purpose to be. If the manufacturer claims their product “promotes or maintain a healthy weight, encourage healthy eating, or assist with weight loss goals” this could be considered wellness, however if the manufacturer claims that a product “will treat or diagnose obesity” then it has a medical purpose and would fall under the medical device regulations.

Therefore, it is important to ensure that any information supplied with your product, or any marketing, does not contradict your intended purpose. Article 7 of the IVDR states that you cannot make any claims in any of your labelling or advertising that may mislead your user or patient. So it is worth carefully considering the language used on your website, avoiding the use of common medical terminology when describing your product and making sure that you do not make any statements implying a medical purpose if you want to remain in the wellness area.

With specific reference to software, the US Federal Food, Drug & Cosmetic Act specifically excludes ‘Software that is intended for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention or treatment of disease is not a medical device.’

A few software examples:

1) If the software is just presenting data from an existing IVD system that is already regulated, the software is managing IVD data, but it is not an IVD medical device. For example, presenting data from an IVD device that takes a measurement and says you have cancer.

2) If that software then has an additional capability to alter the data with extra information and say, for example, the patient has breast cancer, then the software is now a medical device.

Ultimately, the classification decision making process is a risk-based one. Is the information provided by the device provided simply to encourage people to lead healthier lives or is the information guiding a clinician to make medical decisions? The patient and their clinician are trusting the information to be correct and therefore the device will need to comply with regulatory requirements. You can find more info here regarding regulatory requirements including individual rules for specific country registration

It is also helpful to look at any competitor devices/similar devices to see how they’ve been classified. If a notified body has deemed them to be a medical device, then yours is also likely to be a medical device. There is a MDCG guidance Manual on borderline and classification for medical devices under Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices which is being updated as these decisions are being made and is therefore worth consulting regularly.

---

Of course, this does not mean that best practices can’t be or shouldn’t be followed by manufacturers of wellness devices, but the level of regulatory scrutiny is lower. Manufacturers of wellness products still have responsibilities to ensure that their products are safe for their customers.

If you are developing a tool or product that you would like to determine as a wellness product, or worried about the product falling under Medical regulations, or if you are just not sure either way, you can book a call with the IVDeology team and we’d happily discuss your product, its intended use, and with pathway to go with your product, and support you through that process – click here to put some time into our diary with a friendly team member

The MHRA announced yesterday 19th September 2023 some fantastic news for medical device and diagnostics manufacturers; the IDAP program. The Innovative Devices Access Pathway (IDAP) program is designed to accelerate the development of medical devices and their integration that are both cost effective and safe for patients and end users. 

This initiative is to bring new technologies and solutions to the National Health Service (NHS) to help with medical needs that are not currently being met. Not only that, but this would improve and increase patient access to innovative and transformative medical devices by providing an integrated and enhanced regulatory and access pathway to developers. 

---

Successful applicants will receive non-financial support from a team of experts to develop a product specific Target Development Profile (TDP) roadmap. The TDP roadmap will define Regulatory and Access touchpoints across the product development, which could include;

– Quality management system (QMS) support

– System navigation

– Fast track clinical investigation

– Advice with scientific partners

– Product realisation and adoption from the HTA (Health technology assessments)

– NHS adoption

– Exceptional use authorisations from the MHRA where applicable 

---

The IDAP is open to UK and international commercial and non-commercial developers with new health technology solutions and will choose 8 products to proceed. All size companies that fit the below applicant list can take part: 

– Product must be a medical device and/or diagnostic tool

– Must have legal entity to market their product in the UK (IVDeology can help with becoming your UKRP – click here for more info)

– Early stage companies must demonstrate proof of concept evidenced by data from a near final prototype of the product 

– Applicants must have the intention to market their product in the UK and obtain regulatory authorisation (IVDeology can support on this – click here)

– Applicants must have UK clinical investigations sites lined up

– Applicants must commit to working with IDAP to create target developments profiles

– The technologies must be able to demonstrate evidence of ISO13485 certification (IVDeology can support with QMS implementation – find out more here)

---

Pilot launch: 19th September
Pilot outcomes: December 2023
Profile engagements: Jan 2024

Follow the link here to start your application process – and we wish you all the best of luck!

Recently we have seen updates from the MHRA (medicines and healthcare regulations authority) appointing new notified bodies for the MDR (medical device regulation), supporting faster certification of safe and effective medical devices for healthcare professionals and the public.

These include:

– TÜV SÜD

– Intertek 

– TÜV Rheinland 

TÜV Rheinland UK has also been designated to assess and certify general medical devices as well as in-vitro diagnostics (IVD’s).

This almost doubles the number of notified bodies meaning more availability for appointments of bodies for product registrations.

TÜV SÜD becoming a UKAB (UK approved body) also means they can simultaneously provide UKCA and CE marking certifications for medical device manufacturers, this can and will reduce the time it takes to market across Europe and hopefully also save money. 

If you are looking to get in a position where your devices are compliant and ready for submission from a regulatory and/or Quality standpoint, you can see our Regulatory Submission Support page here, which includes UKCA marking, and our Quality management systems support page here 

You can see the full publication on the UK GOV website here 

Long awaited news from the #MHRA regarding #CE marking for Medical devices – previously it was communicated that there would be an indefinite recognition of CE marking. The update was lacking on clarity for which specific products this was relevant to.

However, (yesterday) on the 1st August, confirmation that this does NOT apply to Medical Devices or IVD’s

A quick refresher:
– Medical devices with a CE mark under the #MDD can be placed on the UK market until June 30th 2028 or until certification expires
– Medical devices with a CE mark under the #MDR can be placed on the UK market until June 30th 2030 or until the expiratory on the certificate

-IVD Medical Devices compliant with the EU IVD devices directive (EU IVDD) can be placed on the UK market June 30th 2030 or until the expiratory of the certificate

This is a refreshing and long awaited update for the clarity of the CE marking for those manufacturing devices. If you’d like to discuss CE marking and/or UKCA marking, please get in touch and our friendly team will respond.

The new Draft Statutory Instrument for Medical Devices (Post Market Surveillance) has been published on the WTO website this afternoon (SI/SR Template (wto.org)).

Our first initial review for IVDs from a quick read this afternoon is the following:

• Post market surveillance is required for the whole of the “PMS period” – this is the time from the device first being placed on market, until the end of life of the last device placed on market.
• The Vigilance reporting timelines are the same as IVDR – 15 days for serious incident, 2 days for serious public health threats & 10 days for death or unanticipated serious deterioration in a person’s state of health.
• Field Safety Notices, where required, have to be provided to all known users of the device and published on the manufacturer’s website
• Post market surveillance plans are required
• Post market surveillance reports are required every 3 years for General IVDs (or Class A or B devices under IVDR)
• Periodic Safety Update Reports are required every year for Annex II IVDs (or Class C or D devices under IVDR) and have to be provided to approved bodies for review.
• PMS documentation has similar requirements to the IVDR and has to be retained for the “PMS period” or 10 years whichever is longer.

Overall, our first impression is that this is very similar to the requirements in the IVDR which is very welcome news for the industry.

The world of IVDeology can be all consuming some times, with so much change, opportunity for growth and learning new things it can be hard to find the time to recharge the batteries. 

Since the creation of the company by myself and Nancy in 2018,  it has always been difficult to fully get away from the day to day running of the business, and the work phone is never too far from your hand (I am sure all small business owners often face this same dilemma). However we have build a truly awesome team around us, bringing positivity, togetherness and excellent IVD knowledge to run, organise and manage the running of the company, So last week I had a full week off, sailing in my Dinghy at the Wilsonian Sailing Club on the river Medway in the South East of the UK where I live.

During the week we, had the benefit of a great coach, some super safety boats keeping watch and keeping us safe, and some lovely weather to help us enjoy the week. 

Having an old wooden boat, I did have some complications, bits and bobs fell off or snapped during the week and I had to make some running repairs – check out my previous blog on boat maintenance and boat repairs, and how this can be related to a Quality Management System.

(See the above patch up job fixing a hole in the rear of my boat (the transom port without the flap… which fell off, when the mainsheet snapped!))

I have only been sailing for a year, and I still have enormous fear and anxiety whenever I step in the boat. It is much easier for me not to try, or find excuses why I can’t go out it in. But similar to running a business, if you never try, you never learn something new, and you never succeed.

And I had a truly great time!

So on reflection of the week, I am hugely grateful for the folk at the sailing club for supporting me, teaching me new things about sailing – but also for my great IVDeology family who I can trust to run the company smoothly in my absence.

5 key learning points:

• Be positive and you can achieve great things 
• Trust your team, they are better than you can ever believe they can be
• Take some time out for yourself
• Preventative boat maintenance is key
• Gorilla Tape fixes everything – including holes in a hull of a boat

Happy Sailing all!

Last month the TGA, the competent authority in Australis has issued an update on the  Transition to new manufacturer evidence for IVD medical devices (tga.gov.au). This document explains the new requirements for manufacturers to demonstrate that they meet the requirements for IVD in Australia.

Typically, the use of CE marking has been used to demonstrate compliance to the TGA requirements, and the EU declaration of Conformity, along with an ISO 13485 certificate. However, with the transition to the IVDR, the TGA are requiring new evidence to be provided.  

For new devices, an alternative to an ISO 13485 certificate is required, namely an MDSAP certificate covering ISO 13485 requirements. They will also be accepting IVDD certificates with existing ISO 13485 certificates during, and aligned to the IVDR transition dates.

Summary of TGA cut-off dates

The annual MedTech Summit was held this year in Brussels. The IVD stream provides 2 days of focused content relevent to the IVD Industry, strongly focusing on the EU IVDR. I was fortunate to present a session on Intended Purpose under the IVDR, something that is very critical to the transition to IVDR. Anyone who has listened to me present previously knows that I strongly recommend a good, early understanding of the Intended Purpose of the device.

In an attempt to summarise the discussions over the last 2 days, I have three main take away messages:

---

See IVDR as a positive opportunity

Since the IVDR was first published, the industry had widespread concern with the problems the industry would face to get ready for the higher compliance. Delays in infrastructure, including a slower update of Notified Bodies to support the process, resulted in additional transitional timelines for class B, C and D devices. 

Feedback from a number of Notified Bodies now suggest that they are all open for new applications, and they have the resource to support manufacturers for conformity assessments. It is the manufacturers themselves who are not ready for the application process. While it is understandable that external political, economic and practical factors are delaying manufacturers readiness to IVDR, there is no better time to push forward with the process. While some elements still need to be addressed (EUDAMED, EURLs), on the whole, the industry has enough knowledge, guidance and resource to successfully implement IVDR. 

So if you haven’t started, don’t delay, start the process! You can get through it. NBs have the time and capacity (for now) to support you through the process. We know that this capacity will be taken up from 2024 as we get nearer the deadlines: so get ahead of the crowd – there is no better time to make a start!

---

Make the best effort you can on your technical documentation

All devices will need to have an new or updated series of technical documentation to be ready for IVDR, irrespective of class. From the discussions, the message is clear. Closely follow Annex I, II, III and guidance provided by the NBs as best you can. Really take on board the principles of Clear, Organised, Unambiguous, and Readily Searchable when building your documents. 

There is a correlation between the time and effort building your technical documentation, including your analytical and clinical data, and the successful outcome and time taken for the conformity assessment. The better you prepare the higher a chance of success.

---

Make UKCA work for your business goals

Hopefully you will have seen the update from the MHRA on the timelines for UKCA marking. More will be coming in the months ahead as we gear up to the new MDR2002 (UKCA). However, up until June 2025, manufacturers placing new devices on the UK market can benefit from the existing MDR requirements based on the IVDD. The majority of devices remain self-declared (except high risk devices, and self-tests), so while you still need to meet the safety and performance requirements of the UK regulation, this remains a quicker and cheaper route to market compared to the EU, FDA (and UK beyond 2025). Once your devices are placed on market, you will have 5 years to build up your QMS and Technical Documentation to meet the new UKCA requirements.

For SMEs especially, this would allow devices to be on market, producing revenue quicker, and in an important market, while you continue to develop and grow your regulatory compliance. But you don’t have long, now is the time to start this process!

---

Overall, being at events like MedTech Summit, it reminds me how great our industry is. The effort, positivity and willingness to make a better healthcare system for patients is truly remarkable, keep up the great work people, we can and will overcome!!

For further information or further insights on UKCA or IVDR, or how IVDeology can help you with your regulatory goals, please contact [email protected] to book a call with me.

The MHRA have provided a further update to the implementation of the future regulation of IVDs in Great Britain on the 16th June 2023. This follows on from earlier updates pushing back the timelines for UKCA marking for IVDs.

Here are the key timelines for placing IVDs on market in Great Britain:

---

When using CE marking

• In Vitro Diagnostic Medical devices (IVDs) compliant with the EU in vitro diagnostic medical devices directive (EU IVDD) can be placed on the Great Britain market up until the expiry of certificate, or 30 June 2030. This is only applicable for devices where a declaration of conformity has been drawn up prior to 26 May 2022
• IVDs compliant with the EU in vitro diagnostic medical devices regulation (EU IVDR) can be placed on the Great Britain market up until the 30 June 2030.

For devices continuing to utilise the IVD Directive certification (IVDD List A, List B or Self-test devices): while in practise, the 30 June 2030 offers a long lead-time, in reality this is dependent on the expiry of your CE certification. Article 110 of the IVDR states that IVDD CE certificates can be used up to their expiry or until 27 May 2025. Beyond that date, devices which have an IVDD Certificate can not be placed on market in either the UK or EU.

General IVDs under the IVD Directive, for which the conformity assessment did not require a notified body, can only be placed on the Great Britain market if the involvement of a notified body would be required under the IVDR (Class A Sterile, B, C, D) up until 30 June 2030, taking into account the IVDR transition dates applicable for each device class.

What are the deadlines for EU IVDR (2017/746/EU)?

The transition dates are as follows:

26 May 2022 – Class A, New devices

26 May 2025 – Class D devices

26 May 2026 – Class C devices

26 May 2027 – Class B, Class C Sterile

This has been explained in an info graphic by the MHRA.

---

When using UKCA Marking

Devices can now be placed on the UK market under a UKCA. Currently, this can be completed under the existing MDR2002 (similar to the EU IVD Directive). From the 26 May 2025, all new devices placed on market under UKCA will be required to meet the new regulatory framework, which is due to be published later this year.

It is expected that devices placed on market under the UKCA before 25 May 2025, must comply with the new regulatory framework from 30 June 2030.

The transition process above gives the industry an opportunity to benefit from the use of the existing UK MDR (IVDD) framework, where general devices can continue to use self-declaration before the deadline (707 days to go!!) While progress can be made on compliance to EU IVDR.

---

Further Updates

Further information will be provided regarding Post Market Surveillance requirements (expected in the next 3-6 months) and the full draft regulation at the end of 2023 – early 2024.

We encourage IVD manufacturers to review their device portfolios, classification and certification against the timelines above, and start preparing for the transitional process. IVDeology are currently supporting a number of international companies through the IVDR and UKCA transition. For more information on how we can support you, book a call with Casey or e-mail [email protected].

Information Security and Quality Management Systems (ISO 27001 and ISO 13485) : How can they be integrated? 

---

By Fiona Beardwell, Regulatory Specialist and Linda Garrod, QMS specialist

ISO 27001 details the requirements for establishing, implementing and maintaining an information security management system (ISMS) for managing and protecting company information including personally identifiable information. Those medical device companies seeking to work with government organisations, like the NHS, quickly discover the expectation for some form of Information Management and Cyber security system. ISO 27001 certification is one way to fulfil these expectations, and the principles covered by ISO 27001 are closely aligned with the NHS digital toolkit/data security requirements. 

As many medical devices now include a software element or are software-only devices (known as SaMD – software as a medical device), information security has become increasingly important to manufacturers. Furthermore, tightened privacy laws across the globe place additional responsibilities on manufacturers to protect patient data and prevent cyber-attacks which could result in patient harm. Rather than having separate and disjointed management systems for information security (ISO 27001) and Quality Management System for medical devices (ISO 13485), having one holistic system established within the organisation, ideally during the Design and Development, will support creation of safe and secure medical devices and supporting systems. Both standards apply a risk based approach to the Management System.

ISO 13485 applies risk in the context of risk to safety and performance of the medical device. For ISO 27001, risk and opportunities are key inputs into the planning of the Management system from a prospective of achieving ISMS intended outcomes, reducing undesired effects and aiding determination of the Annex A controls to be applied. Therefore, I would recommend approaching information security risks and medical device risk management separately. Where the information security risks relate to an SaMD or onboard software of a physical medical device, relevant elements of the information security risks shall become an input to the ISO 14971 risk assessment process. ISO 27001 and ISO 13485 apply the same core management system principles of Plan, Do, Check, Act and following this approach aids designing standardised approaches to processes.. 

So, for those looking to start your ISMS & QMS journey, the first key steps falls within the Plan phase, where you;

• Identify all the applicable industry standards and regulatory requirements relevant to your device, systems and the information involved.

• Identify your interested parties including patients, users, customers, suppliers and regulators and their requirements/expectations. 

• Identifying your existing business systems, resources, organisational competencies and infrastructure needs 

Pulling all these elements together and identifying any conflicting requirements allows you to devise a clear plan for creation of your managements system, as well as your quality and information security objectives, which will drive your future activities. Commented [LG1]: Might be worth including global privacy laws as another reason for info security and an increase in cyber attacks

The ‘Do’ phase can be the longest and most intense part of any management system implementation as you create meaningful policies and procedures, designed with the user in mind, guiding your team through the processes needed to consistently generate the desired output, support production of safe devices, securely manage data and utilise a risk based approach to all activities. While it may be optimal to create a holistic management system from the start that doesn’t mean, if you already have an established ISO 13485 QMS, that incorporating the requirements of ISO 27001 is impossible. In fact in many areas the requirements can be built into your existing ISO 13485 procedures and simply complemented with additional policies and procedures where appropriate. 

Where your management system contains requirements from multiple sources, your ISO 13485 mandated Quality Manual is an excellent place to explain the applicable regulations and the interactions of the processes. I would recommend providing an overview in the opening sections of the manual, including where possible a visual depiction of the interacting QMS and ISMS processes, and then providing additional detail on the specifics of the Information Security Management System at the end of the manual. This structure will help to provide top level clarity of the interacting processes with easy access to further information where required. This can be particularly useful in certification audits to easily explain the elements relevant to each standard. The ‘Check’ and ‘Act’ phases of both standards ensure security of processes and data, safety of devices and continual improvement of the management system. Internal audits are a feature of both standards and allow for reflection on the processes implemented and potential opportunities to improve. A good management system is never done; it should always grow and adapt as the risks and requirements within the field in which it operates evolve. Elements such as change control, management review, nonconformity and corrective action can drive continual improvement, which is crucial to all Management Systems.

ISO 27001 confers a number of benefits to your organisation:

1) Compliance – provides a framework to comply with regulations regarding data protection, privacy and IT governance and contractual obligations. 

2) Gives you a marketing edge to differentiate your company from competitors. 

3) Reduces expenses cause by incidents. Preventing incidents in the first place saves money in the long run. 

4) Strengthens your organisation by defining responsibilities and processes. 

So If you need any help with integrating ISO 27001 into your company, or even want to begin implementing your QMS as a starting point, then please contact us here and Casey will point you in the right direction