Development of medical software used in hospitals may seem tilted toward large technology firms, but that doesn’t mean smaller software developers have no chance in this market. A new guidance from the Medical Device Coordination Group (MDCG) clarifies that software as a medical device (SaMD) product can operate under a limited amount of regulatory oversight when deployed only in a single healthcare entity, which gives smaller developers an opportunity to gain a foothold in the European Union (EU) while they add to their to-market capabilities.
MDCG 2023-1 applies to devices regulated under the Medical Device Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR) and is responsive to Article 5(5) of both regulations. This part of the EU regulation states that with the exception of the relevant general safety and performance requirements, the regulation does not apply to these in-house devices and diagnostics so long as the product is not transferred to another legal entity. Several other stipulations also apply, including:
- That the device be manufactured/developed under an appropriate quality management system (QMS);
- That the health facility document that an equivalent device is not commercially available;
- That the facility document and make available to competent authorities (CAs) the justification for the manufacture, modification, and use of the device or diagnostic; and
- That the facility document the manufacturing process with sufficient detail to allow the CA to discern whether general safety and performance requirements are met.
The facility must also review experience gained from the clinical use of the device and take any necessary corrective actions, according to Article 5(5), but many of the general safety and performance requirements appear in Chapter II of Annex I of the MDR. This includes requirements for biocompatibility testing and a range of other requirements related to device hardware, which suggests that the path for SaMD is less onerous by a substantial margin.
Issues with Harmonization Drove Guidance Development
MDCG stated that the guidance was prompted by a need to harmonize the application of Article 5(5) by national CAs, although there is no elaboration on this point. We would advise our clients that custom-made devices are not within the scope of Article 5(5), which is the subject of an MDCG guidance that can be found here.
One of the essential features of MDCG 2023-1 is the description of the use of a device as an in-house device. Use within a single health institution can occur on the premises or be delivered remotely (electronically). The guidance lists several examples, such as when a health institution develops an in-house medical device software that is used onsite by healthcare professionals. However, the in-house exemption from the full requirements of the MDR (or the IVDR) is lost if that software can be accessed by patients for entry of data from outside that healthcare establishment when that information is used by healthcare professionals.
Another key element of the MDCG guidance is the discussion of the legal entity that makes use of the in-house exception. A single hospital can be a legal entity unto itself but can also house multiple legal entities. Conversely, a legal entity can be a hospital group comprised of several hospitals, so the contract developer must understand precisely how the client is legally organized. MDCG stated that the national CA may be a good resource for establishing how a legal entity is defined in that nation, a critical piece of information for developers.
Beware the Recently Updated ISO Standard
The MDCG guidance lists several features of a basic QMS system that is required under the in-hospital policy, including a publicly available declaration of conformance with the general safety and performance requirements of the MDR or the IVDR. While ISO 13485 may be the default QMS framework for any products thus developed under the MDR, the MDCG guidance highlights the potential for EN ISO 15189 for any in-house products developed under the IVDR. We would advise clients that this standard was updated last year after 10 years, and so there may be important new content in the updated edition, although each EU member nation may have requirements other than or in addition to ISO 15189.
Developers and hospitals must document that the needs of the target patient group(s) cannot be met at a given level of performance by an equivalent device that is already on the market. The guidance offers several examples of qualifications for an in-house device, including:
- A specific (unique) device type;
- A specific level of performance for the device;
- An IVD that serves the same function as an authorized IVD, but for a population that is not in the approved product labeling; and
- An IVD that combines the analyses of two or more legally marketed IVDs and does so to reduce the need for painful specimen collection for biopsies.
The healthcare institution should document its search to determine whether a commercially available alternative is on the market, as well as the justification for undertaking in-house development. That process of tracking commercially available products must continue and be documented, and in-house use may have to be forsaken in favor of the commercially available product should one become available.
Among the other questions of definitions in the MDCG guidance is the limitation on devices produced at an “industrial scale,” a term that is not defined in either the MDR or the IVDR. That term is not synonymous with the term “mass produced,” but problematically, the MDCG guidance suggests that there is considerable leeway as to how the term is interpreted. Among the factors to take into consideration are the volume of production, any related manufacturing processes, and “commercial aspects.” This aspect of in-house production/utilization should be tracked carefully in order to avoid conflict with a CA.