Bringing a regulated AI medical device to market — the 5 common compliance pitfalls that impede development


By Vanessa Lucien, Manager, Quality Assurance & Regulatory Affairs at Imagia


When you consider the wealth of data that exists in healthcare (from imagery to insurance claims to test results to clinical experiments, and everything in between), the industry seems overdue for artificial intelligence solutions. Reams of essentially pre-labelled data exist on which you could train models that would revolutionize our approach to patient care by accelerating discoveries and diagnoses, personalizing treatment plans, and generally improving patient outcomes.

However, developing an AI solution for a clinical setting introduces significant constraints on the product development process in the form of regulatory frameworks. Regulatory compliance exists to ensure a device is safe and performs well: the patient’s wellbeing and safety are its only concern.

No matter how noble your intentions, no matter the quality of your algorithms: if your product and its development do not meet the stringent requirements of regulatory compliance, you will simply not be able to offer your device in clinical settings. Note that algorithms are treated as Software as a Medical Device, a category that is folded into Regulated Medical Devices.

After more than 10 years in quality assurance and regulatory affairs, I’ve identified the five most common mistakes I’ve observed when organizations attempt to develop what’s known as a regulated medical device. If you can avoid these, you’ll be well on your way towards regulatory compliance.

1. Failing to define ‘intended use’ early and precisely

As you flesh out your brand new idea, you should put considerable thought into defining what is known as ‘intended use’.

When developing healthcare devices, ‘intended use’ is what you claim the device you plan to develop will do. Broadly speaking, anything that purports to diagnose, prevent or treat a disease or medical condition, or support a clinician in doing so, will be considered a regulated medical device.

Once you’ve determined that the algorithm you will be developing does indeed constitute a regulated medical device, the nuances, wording and specificity of your intended use are pivotal: they determine what kind of regulated medical device you’re designing and, therefore, the regulatory framework you will have to adhere to.

In a healthcare setting, your device’s regulatory framework has an impact on how you will develop your solution starting on Day 0. The regulatory framework will determine the quality management system (QMS), the processes, and the best practices you must adhere to throughout the product’s entire life cycle, from discovery to postmarket surveillance.

You might promise your investors that your algorithm can do everything, but for the purposes of regulatory compliance, you want to be as exacting as possible.

Too often, organizations start designing their products before setting their intended use in stone. Defining intended use too late — or adjusting it midcourse — will engender significant delays, extra costs, and increased man hours as you attempt to retroactively apply the proper regulatory framework.

2. Failing to identify geographical markets early and precisely

Similarly, during your discovery phase, you should put considerable thought into determining where you ultimately hope to market your device.

Countries and regions have differing standards for compliance certification that are evaluated by local regulators. Selecting myriad markets will have a considerable impact on how you can develop your solution. And, as we saw earlier, since regulatory frameworks must be implemented at the start of product development, you should identify your target markets early.

One way to cover a lot of international ground is to become ISO 13485 certified, to operate your QMS at that standard, or to outsource your QMS to an ISO 13485-certified supplier. And note that while ISO 13485 is similar to ISO 9001 quality management certification, they are not interchangeable; ISO 9001 certification is insufficient for devices that will be used in clinical settings.

Still, being ISO certified is no guarantee that your device will be recognized as compliant in all geographical markets. It’s your responsibility to research requirements in all geographies and ensure they are adhered to, and documented, from Day 0.

Identifying a new market down the road is a mistake that will lead to production delays and increased costs. And, on the other hand, developing within the regulatory frameworks of markets you won’t tap into will constrain production without adding value.

3. Neglecting risk management activities

Regulatory compliance is about protecting patients from harm. It makes sense then that, to achieve compliance, you absolutely must identify every single risk your regulated medical device might pose to a patient’s health and safety.

A successful Risk Management Program should be drawn up early, be rigorously detailed, and be revised frequently throughout a regulated medical device’s life cycle. Done properly, the assessment will reduce development iterations, as well as broaden your understanding of the solution you are developing.

An excellent starting point in your analysis is the combination of ISO 14971 (Medical devices – Application of risk management to medical devices) and its companion document, ISO/TR 24971. Taken together, they will guide you in identifying and mitigating the device’s possible hazardous consequences while you are still in development. You must also determine the probability and severity of each hazard, as well as show that you are mitigating those risks throughout the product’s life cycle.

A thorough understanding of ISO 14971 could become a project’s lifeline; risk management should be at the heart of any regulated medical device’s design, development, documentation, and compliance submission.

One of the most devastating mistakes you can commit on your road to compliance is cutting corners when you conduct your Medical Device Risk Assessment, or leaving it to the end of development when you are producing your compliance application.

4. Underestimating QMS and documentation maintenance

Maintaining your quality management system (QMS) and producing technical documentation absolutely do not end once your regulated medical device is finally on the market.

You will have set yourself up for success if you conceived and designed your QMS and documentation properly from Day 0, of course; it will be easier to ensure that the device’s file is accurate, up to date and up to present-day standards. This will be a boon when auditors come knocking.

Not only are your ISO certifications, if you hold them, subject to recertification every three years, and not only can those certifications be audited at any time, but regulatory agencies in any market you serve can certainly conduct unannounced audits throughout the device life cycle.

Auditors might, for instance, want evidence that you are tracking your device’s use, and that it continues to match its stated intended use — which could be of particular interest for manufacturers who need to push software updates. See point 1 above about reflecting deeply on your device’s intended use.

Then again, auditors might want to verify that you are not only recording customer complaints, but following up on them with appropriate testing and, if applicable, applying revisions to your risk assessment, and updates to your technical documentation. See point 3 above about being rigorous and thorough in your risk assessment.

And still, auditors might want to make sure that you are staying current in their market. As a very real example, legislation introduced by the European Commission in 2017 (new MDR) became applicable to all regulated medical devices in the European Union in May 2021. It is incumbent on manufacturers to be aware of the new regulations, prepare for them, and ensure their devices remain demonstrably compliant lest they lose their certification. See point 2 above about thoughtfully selecting your markets.

These are just some examples of post-market surveillance you should be conducting and integrating into your QMS and documentation.

While meeting regulatory compliance requirements is a significant achievement, it by no means signals the end of your efforts. If you fail to maintain your quality management system and your supporting documentation — if you fail to remain compliant in your market — you not only risk losing your certification, you could put patients’ health at risk.

5. Overlooking internal and external areas of expertise

When you’re designing a regulated medical device — and perhaps in particular when it involves new technology — you are doing yourself a grave disservice if you do not solicit the input of experts from just about every function you can consider.

You’ll obviously want to be in close contact with the people who will be using your device, for instance clinicians or researchers. They will be standing between the device and the patient; they’ll be able to give their on-the-ground feedback about how they work, what they see, how their patients behave, and any number of other factors that might highlight risks and uses you hadn’t considered.

Your key opinion leaders and subject matter experts will give you insight into the disease or medical condition you seek to diagnose, prevent or treat. They’ll be able to help you define the problem and give you feedback on expected outcomes.

They can highlight issues specific to training models and building software solutions: details about software interoperability, data governance, patient privacy, and more will be pivotal in your risk management activities, for instance.

Even your internal business development and marketing teams can help you determine if your intended use actually addresses a real need and, if so, in which markets. The competitive landscapes they’ll draw could help you determine the regulatory pathways you should follow. They’ll also be the ones who’ll be able to confirm whether this is an avenue worth pursuing from a strategic standpoint.

And in some cases, you’ll have to reach out to third parties, which is where you’re at risk of making the secondary mistake of selecting the wrong supplier. In “regular” product development, choosing the wrong supplier can slow you down or compromise the quality in the development of your product. In regulated medical device development, choosing the wrong supplier could also cost you your compliance: when you submit for approval, you’ll have to include the qualifications of your suppliers since you are responsible for the product once it is approved to market. A good starting point is seeking third parties that are ISO 13485 compliant.

Successfully developing a regulated medical device does not boil down to hiring a compliance engineer, QA (quality assurance) and RA (regulatory affairs) manager. Their proficiency is essential, but insufficient to reflect the full breadth of the insights and consequences of new technologies. If you leave out the wrong stakeholder, you jeopardize your product’s development, outcomes and compliance.

Imagia is your trusted, qualified partner

At Imagia, we offer services, solutions and expertise at every step of the design and development of an AI-backed, regulated medical device.

When you work with us, you get access to our remarkable base of subject matter experts, key opinion leaders, devs and engineers, whose knowledge and insights will broaden your understanding of your device and regulatory compliance, as well as anticipate challenges that only our experience can safeguard against.

Our wholly owned subsidiary Imagia Healthcare has been ISO 13485 certified since 2009, which means that you can trust us to supply you with solutions and expertise that will allow you to pursue your regulatory compliance, while staying focused on what matters: improving patient outcomes.
