Can medical device regulations keep pace with technological advancements?
Chris Occleshaw, international product recall consultant at Sedgwick brand protection, questions whether imminent medical device regulations, and those that follow, will be fit for purpose.
In the past several years, the European medical device industry has championed innovation as a driver of growth, supported by both private and public investments. Advancements in modern technology such as new software, the increasing connectivity of medical devices, and the use of artificial intelligence (AI) for healthcare applications have been key to helping move the industry forward.
While these advancements in medical device technology will ultimately be beneficial for patient health and safety, the rapid pace of innovation has posed a challenge for regulatory authorities. Many regulatory bodies are already working to modernise rules for a digitised medical device industry, but with technology moving so quickly, those revisions may be outdated before the ink has even dried on final approvals.
A significant number of new medical device regulations targeting modern issues like cybersecurity and AI were introduced in 2022. Both the European Commission and the UK’s Medicines and Healthcare products Regulatory Agency (MHRA) issued guidance and proposals for new legislation. However, as the first several months of 2023 have shown us, new technologies like natural language AI could have broad implications across industries that could render existing or proposed regulations inadequate.
Key regulatory developments
In the European Union, the Commission focused on cybersecurity, recognising the threat to patient safety should there be a breach of a connected medical device.
Adopted in November 2022, the Directive (EU) 2022/2555, commonly known as the NIS2 Directive, establishes measures for a high common level of cybersecurity across the EU. It builds on lessons learned from the original NIS Directive and sets out more specific rules, aiming to harmonise cybersecurity requirements and the implementation of cybersecurity measures across EU member states. The Directive establishes minimum rules for a member state’s regulatory framework and introduces a size-cap rule as the general guideline to identify which entities would be covered under the Directive. This means all medium- and large-sized entities in the relevant sectors will fall within the scope of NIS2.
A key change in the NIS2 Directive is its expanded scope, which now covers manufacturers of medical devices and in vitro diagnostic (IVD) medical devices. Most medical device manufacturers are classified as “important” entities, while manufacturers of a subset of devices that are considered “critical during a public health emergency” qualify as “essential” entities that are subject to stricter supervisory measures.
Any manufacturer that is deemed “important” or “essential” in any sector must adopt measures related to risk analysis, conduct regular risk assessments, and implement crisis management plans. These measures are highly recommended for any industry that manufactures products for the European market that may be subject to recall or remediation. However, the new obligations under NIS2 will require manufacturers to take this additional step instead of it being simply a best practice.
The Commission also introduced two proposals related to AI, the AI Act and the AI Liability Directive, which would apply to all industries. This may create confusion for the medical device industry due to overlap and conflict with the Regulation (EU) 2017/745 on medical devices (MDR) and the Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDR), which were both recently updated. Should the AI Act be approved, medical device manufacturers may find themselves having to undergo multiple certification procedures and to comply with slightly different post-market surveillance requirements to adhere to the rules of both the AI Act and the MDR or IVDR.
While the EU MDR and IVDR outline specific regulations for software as a medical device (SaMD) that will be applicable starting as soon as 2026, the UK has recently set out to establish its own regulatory framework for these devices. The MHRA released its guidance, “Software and AI as a Medical Device Change Programme – Roadmap”, in October 2022. The publication outlines several work packages and deliverables the MHRA will release to develop a future regulatory framework. The key changes as outlined in the Roadmap include defining what qualifies as SaMD, refining classification rules for SaMD, clarifying premarket requirements, strengthening post-market surveillance systems, improving cybersecurity of SaMD, ensuring the safety of AI as a medical device (AIaMD), and considering human interpretability for AIaMD.
The UK is expected to release the first formal legislation on SaMD and AIaMD in 2024, but the MHRA will be busy in the intervening period. As announced at the beginning of 2023, the UK will soon be releasing a legislative framework to establish its own modern medical devices regulation. After Brexit, the UK reverted to the Medical Devices Regulations 2002, which implemented 1990s EU legislation and is predictably outdated given modern technological advancements.
All of these proposed regulations will certainly move the EU and UK forward in terms of creating a modern regulatory regime for the medical device industry that aligns with current technology and the risks it poses. However, as we’ve already seen with the continued delays to the MDR transition period, drafting, approving, and implementing new regulatory frameworks of the scale needed to meet current innovations and technology is a multi-year process. This raises the concern of whether new regulations will be able to keep pace with the rapid technological advancements, or whether a new model of regulation is needed to address the constantly evolving market and the need for greater flexibility in regulating the industry.
Looking forward
The next several years will mark a period of change as regulators catch up with medical device innovations and manufacturers work to comply with a range of new rules and laws. Whether those regulations will be able to keep pace with new developments in medical device technology will be a question for the future. However, it is clear that technology will remain a top concern for manufacturers and regulators alike. For example, as reported in the Sedgwick brand protection 2022 State of the Nation European Recall Index report, software was the leading cause of recall activity in 2022, overtaking quality concerns, which had been the most common cause of recall for the previous two years. With devices becoming increasingly connected and regulations introducing new requirements for manufacturers, this increased focus on software is likely to continue.
Even as technology continues to quickly advance with new AI tools like ChatGPT and others, medical device companies should be wary about adopting an “early leader” mindset. While it is worth exploring how these technologies can be used in the medical device industry, companies should be slow to integrate them as regulatory authorities are still determining their shortcomings and the negative impact they may have on users – whatever their use may be.
These advances also bring new considerations from a recall and remediation perspective. Recalling a physical product is very different from handling the recall of a SaMD application that has been downloaded in multiple countries on users’ mobile devices.
While we want to encourage innovation, it is also important that medical device companies get their cybersecurity, information technology, and data privacy experts involved in the research and development process early on to help avoid issues down the road.
We have also already seen several countries and authorities act to prohibit the use of these advanced technologies. From a risk and compliance standpoint, medical device manufacturers are already busy aligning their operations with the many changes in the MDR and IVDR regulations. Adding more burdens to that with unproven AI technologies and other innovations can be tricky.