Breast implants scandal: does the CE Mark malfunction?
Breast implants are technically far from software and one may say they don’t have anything in common. Yes, they do, when software is part of a medical device, they are both subject to the regulation of the 93/42 CE directive.
Is it possible to have a massive injury of people with software, like the one we discovered with the breast implants scandal?
To understand how this happened, let us begin with a brief history of the CE mark.
The CE mark stems from the construction of the European Union in the middle of the 80’s. The main idea at that time was to harmonize the regulations and the technical standards recognized by the members of the EU. The European Commission, a kind of government of the EU, decided what it called the « New Approach ». This perfect technocratic euro-jargon stands for :
- the integration of the unified market of the EU,
- the generalization of safety rules for the products placed on the market,
- the creation of agencies to verify the compliance of manufacturers / distributors to the safety rules.
Whereas the integration of the market was done at the political level, the generalization of safety rules was operated at a more technical level. The safety rules were declined in each industrial sector in the famously named “essential requirements”. It was an immense work. Safety rules were defined for almost all sectors in 20 directives: toys, electrical devices, gas devices, leisure boats …
The European Commission decided that private agencies would have the role to give the certification to any company of a member state and asked each member state to create these agencies at the national level. It gave birth to the “notified bodies”, which are officially delegated by the member states to give the certifications to the industrials. There are a few hundreds of notified bodies in the European Union.
The CE mark was invented to prove that industrial products passed the certification and to let them freely cross the borders inside the unified European market. Any product with the CE mark can be sold anywhere in the European Union.
In the sector of medical devices, these political choices were carved in 1993 in the marble of the famous 93/42 CE directive. There were a few amendments since then, the most important being the 2007/47 directive. But the three big principles enumerated above are still intact. Yet, there are national regulations agencies in each countries but their power really decreased and is constrained by the framework of the European directive.
From the point of view of medical devices manufacturers, this political will brought immense benefits. Instead of adhering to the regulations of each country like before the 80’s, one has now to adhere “only” to one harmonized regulation, the 93/42 CE directive and has the right to choose any notified body it wishes, to audit its products. For instance, a French company designs and sells a medical device. It may choose a German notified body to get the certification. Once it has the CE mark, it is authorized to sell its products in any EU country, from Finland to Malta.
In the case of the breast implants, manufactured and sold by the French company PIP (Poly Implant Protheses), it seems that it passed the certification audits. Or if it didn’t pass it, it continued all the same to sell its fraudulent products. One could conclude that all the process and the organization set up by the European Union to post the CE mark on products is not safe enough. One weakness of the process is that notified bodies don’t have enough power to inspect the manufacturers. Audits are often limited to the inspection of design documentation, production processes, reports of any types. This kind of audit is not strict enough, when you have dishonest people in front of you.
I don’t want to argue more about this case. It is now in the court and I don’t have any more relevant information to write anything more about it. The court will determine the responsibilities. Yet, with no doubt this scandal discredits the CE mark.
Software, so what?
In the light of my own experience of CE mark in the field of software, I think that the present situation is not strict enough. Whereas there are no less that five guidances about software on the FDA website (list at the bottom), this is the nothingness in the field of the CE mark That’s why I prefer to rely on FDA guidances, when I want to have information about what I should do to prove that software is safe.
I exaggerate; there are a few documents about CE mark for software (see here). The main source of information is the IEC 62304 standard, which has a version harmonized by the EU. If one adheres to this standard, then it is a priori assumed that its software design is compliant with the essential requirements of the 93/42 directive.
However, in my own opinion, the IEC 62304 is not strict enough, especially with software of class A. According to this standard, it is not mandatory to document the design and tests about software, which belongs to this class. See §5.4, §5.6 and §5.7 of the standard. Amazing, isn’t it? That’s why I think it is necessary to do a little more than what is in the requirements of this standard. Your software belongs to class A? Do tests with high-level scenarios even if they’re not required. It belongs to class B? Do a detailed design, even if it’s not required. It belongs to class C? Do static analysis, monte carlo simulations, stress tests, even if they’re not required. You could argue that I could interpret the standard more strictly. Well, it’s not explicitly written. So …. Of course, it’s not mandatory to do everything I mentioned. There is an optimal point, where the safety is good (the overall residual risk is acceptable) and the cost to reach this level is acceptable too. The limit will always be set by the trade-off between safety and the cost of the device.
The role of the notified bodies
Okay, we are tough; we do everything that could be done about software development and maintenance to reach the optimal point of safety – cost ratio. This is the role of the notified body to verify that we actually have reached that point. Alas, I can bet that almost notified bodies don’t have the time to assess correctly the level of safety of software. An audit is a complex and expensive task. In my own experience, auditors focus primarily on processes of the company, design of manufactured products is left on a secondary plan. That’s “normal”, the same principles are applied from one company to another. It is possible to assess the various processes defined by various companies, to verify if they adhere to the standards or regulations. But it’s not possible to assess the design of the products of every company. An auditor may be specialized in software and have the skills to assess the design of software. But I think he doesn’t have enough time to verify every step of the development of software. Moreover, if software is embedded in a device, the auditor may focus its attention on electric hardware, sterilization, biocompatibility and risk assessment of the whole device. He may have a quick look at software design documentation but he will never verify if a static analysis or a code review report is correct.
Changing the process?
I don’t incriminate the notified bodies. They do the job, which they are mandated for. I just want to point out the weaknesses of the actual process of certification in the EU. Fortunately, 99,99% of medical devices manufacturers adhere to the regulations and do their job correctly. The process should to be changed for the 0,01%. Reacting to the scandal, politicians assert that it is urgent. Wait and see.
Here are the five FDA guidances about software I mentioned in this article. I don't post the links as the FDA may change their location on its website,
- General Principles of Software Validation; Final Guidance for Industry and FDA Staff aka GPSV, Document issued on: January 11, 2002
- Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices, Document issued on: September 9, 1999
- Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, Document issued on: January 14, 2005
- Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices, Document issued on: May 11, 2005
- Draft Guidance for Industry and Food and Drug Administration Staff - Mobile Medical Applications, Document issued on: July 21, 2011