EU Medical Device Regulation - Changes for software
We've seen in the previous article the revolution in the regulatory classification brought by the new rule 10a for standalone software.
Let's see now the other changes. These changes are relevant for all software: standalone, embedded, device or accessory.
They're not as big as the new rule 10a, but they will deserve a significant amount of man-hours and documentation.
Edit November 2019: rule 10a is named rule 11 in the final version of the MDR.
Unique Device Identification
The new MDR contains requirements on the UDI. Put simply, these requirements are aligned with those already applicable in the USA. Likewise, they add some specific requirements for software.
The optimistic view is to consider that both regulations agree on the content of the UDI. But this is only the optimistic view.
We have to take the UDI for what it is: an information system. Inevitably, there will be discrepancies between the EU and the USA: in specifications (the regulations), in implementation (the EUDAMED database), and in support (if we can talk about support).
There will be bugs in UDI.
The essential requirements are updated for software. Requirement #14.2 is the successor of requirement #12.1.bis of the directive. New criteria are introduced on:
- IT environment in #11.2,
- Interoperability in #11.5,
- Cybersecurity in #14.2,
- Mobile platforms in #14.3, and
- IT network and IT security in #14.3a.
While the software validation requirement in #14.2 has seen minor changes compared to the directive, the other requirements are brand new and are there to cover subjects which were not anticipated in the directive, even in its last update of 2007. These requirements are a regulatory catch-up, compared to the FDA's early oversight of these subjects.
If we look at the harmonized standards as methods of conformity to these requirements, IEC 62304 will be the most relevant standard. For 14.2, 14.3, 14.3a, and 11.2, IEC 62304 only has a requirement in section 5.2, to include software requirements on these subjects.
IEC 62366 is also a method of conformity for requirement 14.3.
IEC 82304-1 is still in draft. If it is harmonized, it will bring new requirements on the environment, interoperability, and validation. It will help achieve compliance with 11.5, 14.3a and 14.2 for the validation.
The few words included in 11.5, 14.1 and 14.3 add a lot: nowhere before could such requirements be found in the EU MD regulations.
There is no harmonized standard for cybersecurity. There are standards on IT security for hospital networks and medical communication, such as the IEC 80001-x series and other FDA-recognized standards. But there is no standard covering the lifecycle of software medical devices.
The only way to be compliant with the cybersecurity requirements is to rely on the existing FDA guidances on cybersecurity during design and during post-market surveillance.
The new essential requirements on software require new evidence of conformity, which the current harmonized standards don't cover entirely. We can therefore expect IEC 82304-1 to be harmonized. It is less likely that we will see a new standard dealing exclusively with cybersecurity in medical devices: there is no such project in the standardization committees.
Another solution could be that the EU creates Common Technical Specifications on cybersecurity, as set out in article 7 of the MDR. But we have no visibility on this process, which has been used solely for IVDs up to now and is extended to all MDs.
Edit November 2019: see also the interpretation of rule 11 by the MDCG (Medical Device Coordination Group) in the final version of the MDR.