New SDK Release: Build secure medical apps faster with our tools for EHRs, devices, and patient-doctor solutions. Explore CardinalSDK

Back to blog

A Beginner`s Guide to EU Medical Device Regulation

post illustration

Introduction

The European Union (EU) Medical Device Regulation (MDR) is a comprehensive regulatory framework that governs the development, manufacturing, and distribution of medical devices within the EU market.

For developers and manufacturers of medical devices, compliance with the MDR is crucial to ensure safety, efficacy, and market access. This guide aims to provide developers with a clear understanding of the EU MDR and practical steps to navigate its complexities.

Understanding the EU MDR

Background

When exploring the EU MDR, it’s imperative to trace its origins and the compelling motivations that led to its implementation.

The transition from the long-standing Medical Device Directive (MDD) to the MDR represents a significant paradigm shift in European medical device regulation. The MDD, which was first introduced in the 1990s, governed the medical device industry for several decades.

However, as technology advanced and new challenges emerged in the healthcare sector, it became apparent that an updated and more rigorous regulatory framework was necessary to ensure patient safety, enhance product transparency, and adapt to the evolving landscape of medical technology.

The EU MDR, born out of these imperatives, serves as a crucial milestone in harmonizing and strengthening medical device regulations across the European Union.

Scope

The scope of the EU MDR is broad and encompasses a wide range of medical devices and in vitro diagnostic devices (IVDs). Understanding this scope is essential to determine whether a specific product falls under its jurisdiction.

Medical devices regulated by the MDR encompass instruments, apparatus, appliances, software, materials, or other articles intended to be used for medical purposes. These can range from simple devices like thermometers to complex equipment like MRI machines.

On the other hand, in vitro diagnostic devices (IVDs) are products used to examine specimens derived from the human body, such as blood or tissue, for diagnostic or monitoring purposes. This distinction is vital because IVDs have their own set of specific regulations under the MDR.

Key Definitions

In order to navigate the intricate landscape of the EU MDR effectively, it’s crucial to acquaint oneself with a set of pivotal definitions integral to the regulation’s framework:

  • Manufacturer: The entity responsible for designing, producing, and placing a medical device or IVD on the market. This can be a company or an individual.
  • Authorized Representative: An entity appointed by a manufacturer who takes on certain responsibilities on their behalf, especially for manufacturers located outside the EU.
  • Notified Body: An independent organization designated by EU member states to assess the conformity of medical devices with the MDR. They play a crucial role in the certification process.
  • Unique Device Identifier (UDI): A unique alphanumeric code assigned to each medical device to ensure traceability and facilitate the monitoring of devices throughout their lifecycle. This system enhances post-market surveillance and recalls, contributing to greater patient safety.

In summary, a thorough grasp of the EU MDR necessitates not only an understanding of its historical context but also a keen awareness of its scope and key definitions.

This knowledge equips stakeholders, including manufacturers, regulatory authorities, and healthcare professionals, to navigate the regulatory landscape effectively, ensuring the safe and effective use of medical devices within the European Union.

Classification and Conformity Assessment

Classify Your Device

One of the initial and pivotal steps in the regulatory journey of medical devices within the European Union under the Medical Device Regulation (MDR) involves classifying your device accurately.

This classification process, defined in Annex VIII of the MDR, is integral to ensuring that each device is subject to the appropriate level of scrutiny and conformity assessment. The classification hinges on the potential risks associated with the device and its intended use.

Essentially, the MDR classifies medical devices into four main classes: Class I, Class IIa, Class IIb, and Class III, with Class III devices representing the highest level of risk.

Classifying your device correctly is a task that requires a deep understanding of its intended purpose, characteristics, and potential impacts on patients and users. It entails considering factors such as invasiveness, duration of contact with the human body, and the nature of the device’s technology.

Once you’ve successfully determined the appropriate class for your device, you’ll be able to proceed with the subsequent steps in the regulatory process.

Conformity Assessment Route

Following the device classification, the next critical milestone is identifying the appropriate conformity assessment route outlined in the MDR. The conformity assessment process serves as a means to evaluate the device’s compliance with the regulatory requirements, ensuring its safety and efficacy.

The EU MDR offers different conformity assessment routes, primarily detailed in Annexes II, III, and IV, which vary in terms of rigor and complexity. The choice of route is directly linked to the device’s classification and the level of risk it poses to patients and users.

Here’s a simplified breakdown:

  • Annex II (Full Quality Assurance): Devices in higher-risk classes, such as Class III or certain Class IIb devices, typically follow this route. It involves a comprehensive assessment of the manufacturer’s quality management system and may require the involvement of a Notified Body.
  • Annex III (Production Quality Assurance): Devices of lower risk classes, like Class IIa, may undergo this route. Manufacturers need to maintain a quality management system and ensure compliance with essential requirements, often with the involvement of a Notified Body.
  • Annex IV (Product Quality Assurance): Devices in the lowest risk class, Class I, or those with a sufficiently low level of risk, can typically opt for this route. Manufacturers self-certify their compliance with essential requirements and do not usually require Notified Body involvement.

Selecting the correct conformity assessment route is crucial as it influences the depth of scrutiny and the resources needed to attain regulatory compliance. Navigating these complexities demands a comprehensive understanding of your device’s classification and the regulatory landscape, ensuring that you follow the most appropriate path toward bringing your medical device to market in the European Union.

Ultimately, proper classification and conformity assessment are vital steps to ensure patient safety and the successful entry of your device into this important market.

Quality Management Systems

Implement ISO 13485

With medical device regulation and manufacturing, adherence to high-quality standards is paramount to safeguarding both the patient and the reputation of the manufacturer. ISO 13485, an internationally recognized standard for quality management systems specifically tailored for the medical device industry, is the main framework that helps achieve this objective.

Compliance with ISO 13485 signifies a commitment to a comprehensive set of quality management principles encompassing every aspect of medical device development, production, and distribution.

This standard emphasizes a meticulous focus on risk management, traceability, documentation, and process control. Implementing ISO 13485 requirements involves establishing and maintaining a quality management system that not only meets regulatory expectations but also fosters a culture of continuous improvement.

Under ISO 13485, manufacturers are guided through the creation of a quality management system that covers design and development, production, installation, and servicing. This holistic approach ensures that quality is not just an end goal but a foundational element woven into every stage of the product lifecycle.

Adhering to ISO 13485 facilitates compliance with European regulations and serves as a global passport, opening doors to international markets by demonstrating a commitment to the highest quality and safety standards.

Post-Market Surveillance

Beyond the initial stages of device development and regulatory clearance, the responsibility for ensuring a device’s safety and efficacy extends into its entire lifecycle. Post-market surveillance (PMS) is the cornerstone of this ongoing commitment to monitoring and improving device performance in real-world settings.

A robust PMS system involves collecting, analyzing, and evaluating data on how the device performs once it’s in the hands of healthcare professionals and patients. This process serves several critical purposes:

  • Identifying Safety Concerns: PMS helps in the early detection of potential safety issues or adverse events associated with the device, allowing manufacturers to take prompt corrective actions.
  • Evaluating Device Effectiveness: By gathering data on the device’s clinical performance, manufacturers can assess whether it meets its intended purpose and if any improvements are needed.
  • Continuous Improvement: The insights gained from PMS data can inform product enhancements, updates, and innovations, contributing to the evolution of safer and more effective devices.
  • Regulatory Compliance: A robust PMS system is a regulatory requirement under the EU MDR and is crucial for demonstrating ongoing compliance with safety and performance standards.

To establish an effective PMS system, manufacturers should define clear processes for data collection, reporting, and analysis.

Additionally, they should maintain open lines of communication with healthcare providers and end-users to gather valuable feedback. By integrating PMS into their quality management systems, manufacturers can ensure that their devices not only meet initial regulatory requirements but continue to meet safety and performance expectations throughout their lifecycle, ultimately enhancing patient safety and trust in their products.

Clinical Evaluation and Evidence

Clinical Evaluation

Clinical evaluation of a medical device is a process that forms the backbone of demonstrating its safety and performance. This process involves systematically assessing clinical data derived from various sources, like clinical trials, post-market surveillance, and scientific literature. It is needed to establish the device’s conformity with regulatory requirements and its ability to deliver the intended clinical benefits.

A thorough clinical evaluation serves several key purposes:

  • Risk Assessment: It helps identify and evaluate potential risks associated with the device and assess whether the benefits outweigh these risks, a fundamental consideration for regulatory compliance.
  • Performance Assessment: Clinical data is used to evaluate the device’s performance, including its clinical efficacy, accuracy, and reliability in diagnosing, treating, or monitoring medical conditions.
  • Documentation of Clinical Evidence: The findings from the clinical evaluation must be documented and made available for regulatory scrutiny. This documentation forms a crucial part of the Technical Documentation required under the EU MDR.
  • Continuous Monitoring: Clinical evaluation is not a one-time process. It should be ongoing, with periodic updates to reflect new data, emerging safety concerns, and evolving clinical practices.

Ensuring the success of a clinical evaluation requires a well-defined and scientifically sound methodology, rigorous data analysis, and expert input. To execute this process effectively, it’s important to assemble a multidisciplinary team, including clinicians, statisticians, regulatory affairs professionals, and medical writers.

Clinical Investigations

Clinical investigations, often referred to as clinical trials, are an integral component of the clinical evaluation process and are typically required for certain medical devices. These investigations involve the deliberate and systematic study of a device’s safety and performance in human subjects under controlled conditions.

Clinical investigations are typically mandated for higher-risk medical devices or those with novel technologies, where clinical data from similar devices is insufficient to establish safety and performance. The decision to conduct clinical investigations depends on various factors, such as the device classification, intended use, and potential risks.

Planning and conducting clinical investigations requires adherence to rigorous scientific and ethical principles:

  • Protocol Development: A well-defined study protocol outlining the objectives, methods, patient population, endpoints, and statistical analyses is crucial. This protocol should align with regulatory requirements and ethical standards.
  • Ethical Considerations: It is crucial to obtain informed consent from study participants and ensure their rights and safety are protected. Ethical review boards play a vital role in this process.
  • Data Collection and Analysis: Rigorous data collection, monitoring, and statistical analysis are essential to generate robust clinical evidence.
  • Regulatory Reporting: Regulatory authorities must be informed of the progress and outcomes of clinical investigations in accordance with their requirements.
  • Post-Investigation Analysis: The results of clinical investigations inform the clinical evaluation and should be integrated into the overall evidence package.

This way, clinical evaluation and evidence generation are integral components of ensuring the safety and efficacy of medical devices. A well-executed clinical evaluation, supported by clinical investigations when necessary, not only demonstrates compliance with regulatory requirements but also fosters confidence among healthcare professionals, regulatory authorities, and patients in the device’s performance and safety.

Technical Documentation

Technical Documentation Preparation

Technical documentation is the cornerstone of medical device regulatory compliance. It provides a comprehensive record of your device’s design, development, performance, and safety. Preparing this documentation requires attention to detail and adherence to regulatory standards.

The technical file or design dossier serves as a repository of information that demonstrates the conformity of your device with the requirements of the European Medical Device Regulation (MDR). It should encompass a wide array of data and documents, including:

  • Device Description
  • Risk Assessment
  • Design and Manufacturing Information
  • Clinical Data
  • Labeling and Instructions for Use
  • Quality Management System
  • Notified Body Certificates (if applicable)

The process of preparing technical documentation requires interdisciplinary collaboration between engineers, regulatory experts, quality assurance professionals, and clinical specialists. It should be approached as a dynamic and living document that evolves as the device matures, incorporating updated information and addressing any changes or improvements made over time.

Essential Requirements

Meeting the essential requirements outlined in Annex I of the MDR is a must for medical device manufacturers. These requirements set the fundamental safety and performance criteria the devices must meet to be placed on the European market.

Annex I covers a wide range of aspects, including but not limited to:

  • Biological Safety: Ensuring the device is biocompatible and will not cause harm when in contact with the human body.
  • Clinical Performance: Demonstrating that the device performs its intended purpose effectively and accurately.
  • Electromagnetic Compatibility: Ensuring that the device does not interfere with other devices or systems and is not susceptible to interference.
  • Software Validation: Validating the software used in the device to ensure it operates correctly and safely.
  • Sterilization and Microbial Control: If applicable, it can demonstrate the device is appropriately sterilized and maintained free from harmful microorganisms.
  • Materials and Chemical Composition: Detailing the materials used in the device and ensuring they are safe for their intended use.

Adhering to these essential requirements requires testing, risk assessment, and documentation. Manufacturers should also be prepared for ongoing assessment and verification of their devices’ compliance throughout their lifecycle.

This way, technical documentation and adherence to essential requirements are crucial in the regulatory journey of medical devices in the EU. The documentation not only helps manufacturers achieve regulatory compliance but also instills confidence in the safety and performance of their devices among healthcare professionals, regulatory authorities, and patients.

Notified Bodies

Select a Notified Body

One of the pivotal steps in navigating the regulatory landscape for medical devices in the European Union is the selection of a Notified Body. Notified Bodies are independent organizations designated and authorized by EU member states to assess the conformity of medical devices with the European Medical Device Regulation (MDR). Their role is to ensure that devices meet the safety and performance standards required for market entry within the EU.

The choice of a Notified Body should be considered, as it significantly impacts the regulatory journey and the success of your device in the European market.

Key factors to consider when selecting a Notified Body include:

  • Expertise and Experience: Ensure the Notified Body has experience in assessing devices similar to yours in terms of classification and technology. Their expertise in your device’s specific domain is crucial.
  • Accreditation and Designation: Verify that the Notified Body is accredited and designated by the relevant national authority. This ensures their competence and authority to perform conformity assessments.
  • Capacity and Resources: Consider the Notified Body’s capacity to handle your assessment within the required timeframes. Overburdened Notified Bodies may cause delays in the regulatory process.
  • Communication and Collaboration: Assess their communication practices and willingness to collaborate with your team. Clear communication is essential for a smooth conformity assessment process.

Interaction with Notified Bodies

Notified Bodies are critical in assessing your device’s compliance with the MDR and ensuring its safety and performance. Their responsibilities include:

  • Conformity Assessment: Notified Bodies conduct the required conformity assessments based on the risk classification of your device. This may involve reviewing technical documentation, conducting on-site audits, and assessing the quality management system.
  • Certification: If your device meets the MDR’s requirements, the Notified Body issues a certificate attesting to its conformity. This certificate, often referred to as a CE certificate, is a key milestone in the regulatory process.
  • Ongoing Surveillance: Notified Bodies maintain surveillance over certified devices, ensuring they continue to meet regulatory requirements throughout their lifecycle.
  • Post-Market Surveillance: They monitor the performance of devices on the market, including investigating adverse events and ensuring timely corrective actions if issues arise.

Manufacturers should be prepared to provide comprehensive technical documentation, respond to inquiries, and facilitate any necessary assessments or audits. Collaborating closely with the Notified Body can streamline the regulatory process and help ensure a successful path to market entry in the European Union.

Unique Device Identification (UDI)

UDI Requirements

The Unique Device Identification (UDI) system is a critical component of modern medical device regulation aimed at improving device traceability, post-market surveillance, and overall patient safety. Complying with UDI requirements is not only a regulatory necessity but also a means to bolster transparency and accountability within the medical device industry.

UDI Requirements encompass several key components:

  • UDI Issuing Agency: Manufacturers must obtain a UDI from an authorized UDI Issuing Agency responsible for issuing and managing UDI codes. These agencies are often designated by regulatory authorities.
  • Device Identifier (DI): The DI is a unique code specific to each version or model of a device. It distinguishes one device from another and allows for precise identification.
  • Production Identifier (PI): The PI provides information about the device’s manufacturing lot, serial number, and expiration date, if applicable. It aids in tracking the device’s production history and traceability.
  • UDI Database Submission: Manufacturers are typically required to submit UDI information to a central database, which is accessible to regulatory authorities, healthcare providers, and other stakeholders. This database plays a pivotal role in post-market surveillance, recalls, and monitoring device performance.

Compliance with UDI requirements ensures that devices can be traced back to their source, making it easier to identify and address safety concerns or quality issues promptly. It also facilitates more efficient recalls, reducing the potential impact on patients and healthcare providers.

Labeling and Packaging

Correctly displaying UDI information on your device’s labeling and packaging is critical to compliance with UDI requirements. The labeling and packaging of medical devices serve as the primary means for communicating essential information to healthcare professionals and end-users.

Ensuring compliance includes:

  • Label Design: Design labels that prominently display the UDI, including the DI and PI, in a clear, legible, and standardized format. This information should be easily accessible and understandable to users.
  • Label Placement: Ensure the UDI is placed on the device in a location that is easily visible and won’t degrade or become unreadable during use or storage.
  • Packaging Integration: Integrate UDI information on the device’s packaging, if applicable, to enhance traceability even before the package is opened.
  • Barcoding: Many UDIs are represented as barcodes for quick and accurate scanning. Ensure that barcodes conform to recognized standards to facilitate data capture.
  • Language and Symbols: Consider international language and symbol standards to accommodate a global audience.

Proper UDI labeling and packaging not only contribute to regulatory compliance but also support safe and effective device use. It enables healthcare professionals to quickly identify and access critical device information, reducing the risk of errors and ensuring the device is used as intended.

Post-Market Obligations

Vigilance and Reporting

Post-market obligations are designed to detect and address any issues or adverse events that may arise during real-world use. Comprehending your responsibilities in this regard is crucial for regulatory compliance and patient safety.

Adverse Event Reporting: Manufacturers are typically required to establish a robust system for collecting, documenting, and analyzing adverse events associated with their devices. This includes any unexpected or undesirable events or incidents that occur during device use and may harm patients or users. Timely and accurate reporting of adverse events is essential and often mandated by regulatory authorities.

Incident Reporting: In addition to adverse events, incidents related to device malfunction, labeling errors, or other issues must be documented and reported. Incidents may not always result in patient harm but still warrant investigation and corrective actions to prevent recurrence.

Understanding the specific reporting requirements and timelines in your region and adhering to them diligently is crucial. Failure to report adverse events or incidents can have serious consequences, including regulatory penalties and damage to your device’s reputation.

Market Surveillance

Market surveillance is an ongoing process of monitoring a device’s performance once it’s in the hands of healthcare professionals and patients. It involves gathering and analyzing data on how the device is being used, its clinical outcomes, and any trends or patterns related to its safety and effectiveness.

It includes:

  • Data Collection and Analysis: Establish mechanisms for collecting and analyzing data from various sources, including post-market clinical studies, user feedback, complaint databases, and adverse event reports.
  • Trend Analysis: Conduct trend analysis to detect patterns or anomalies in device performance or safety. Monitoring trends can provide early warning signs of issues that require further investigation.
  • Corrective and Preventive Actions: If market surveillance identifies safety or performance issues, take swift corrective actions. This may involve issuing recalls, updating labeling or instructions, and implementing design changes.
  • Communication: Maintain open and transparent communication with regulatory authorities, healthcare professionals, and end users. Timely reporting and information sharing foster trust and demonstrate a commitment to patient safety.

Post-market obligations are essential for safeguarding patients and users of medical devices. It allows manufacturers to adapt and improve devices based on real-world data, ultimately enhancing their safety and performance and fostering trust among stakeholders.

Transition from MDD to MDR

Timelines and Deadlines

The transition from the Medical Device Directive (MDD) to the Medical Device Regulation (MDR) represents a significant shift in the regulatory landscape for medical devices in the European Union. Manufacturers, regulatory affairs professionals, and stakeholders must be well-versed in the transition timelines and adhere to critical deadlines to ensure regulatory compliance and market access.

Transition Timelines: The MDR officially came into force on May 26, 2021, replacing the MDD. However, the transition period allowed for a gradual shift, during which devices could still be placed on the market under MDD provisions. Recently, the EU extended the EU MDR transition periods for devices transitioning to the EU MDR from 26 May 2024 to:

  • 26 May 2026 for class III implantable custom-made devices
  • 31 December 2027 for class III and implantable class IIb devices
  • 31 December 2028 for non-implantable class IIb and lower-risk devices
  • 31 December 2028 for class I devices that are a higher class under the MDR.

Planning: Manufacturers must establish clear timelines for updating technical documentation, conducting necessary assessments, and engaging with Notified Bodies or competent authorities as required.

Impact Assessment: A thorough impact assessment is necessary to identify how the MDR’s requirements differ from the MDD and how these changes will affect your devices. This assessment should encompass aspects such as clinical data requirements, labeling and UDI, risk classification, and conformity assessment routes. It may reveal the need for additional clinical studies, updated quality management systems, or changes in labeling and packaging.

Legacy Devices

Legacy devices, those that were placed on the market under the MDD prior to the MDR’s full application, pose a unique set of challenges during the transition.

Documentation Update: Manufacturers of legacy devices must review and update their technical documentation to align with MDR requirements. This includes addressing changes in risk classification, conformity assessment routes, and clinical data expectations.

Considerations for Legacy Devices: Manufacturers should carefully consider the classification of their legacy devices under the MDR, as this may impact the level of scrutiny and the conformity assessment route required. Some legacy devices may need to undergo additional assessments, while others may benefit from transitional provisions.

Post-Market Surveillance: Manufacturers should also establish robust post-market surveillance systems for legacy devices to monitor their performance and safety in accordance with MDR requirements.

All in all, the transition from MDD to MDR demands meticulous planning, compliance with timelines, and a thorough understanding of the regulatory changes. Manufacturers must be proactive in updating technical documentation and ensuring the ongoing regulatory compliance of both new and legacy devices. A smooth transition ensures continued access to the European market and maintains patient safety and trust in medical devices.

Involvement of Authorized Representatives and Importers

Roles and Responsibilities

Authorized Representatives (ARs): Authorized Representatives play a crucial role in the regulatory landscape of medical devices in the European Union, particularly for manufacturers based outside the EU. Understanding their roles and responsibilities is vital for a seamless and compliant market entry.

Key Responsibilities of ARs are:

  • Legal Presence: ARs serve as the legal presence of non-EU manufacturers within the EU. They are responsible for ensuring that the manufacturer’s devices meet EU regulatory requirements
  • Communication: ARs facilitate communication between the manufacturer and regulatory authorities, including reporting adverse events and providing information upon request.
  • Technical Documentation: They must have access to the technical documentation of the devices they represent and be prepared to provide it to authorities if required.
  • Registration: ARs are often responsible for registering devices with relevant authorities, which is a prerequisite for market access.
  • Post-Market Surveillance: ARs may be involved in post-market surveillance activities, including reporting and addressing safety concerns.

Importers

Importers also play a critical role in ensuring the safety and compliance of medical devices entering the EU market. Their responsibilities extend beyond merely bringing products into the EU.

Key Responsibilities of Importers:

  • Verification of Compliance: Importers must ensure that the devices they import conform to EU regulations, including labeling, documentation, and conformity assessment.
  • Record Keeping: They are required to maintain records of devices they import and the associated documentation. These records should be accessible to authorities upon request.
  • Notifying Incidents: Importers are obligated to notify authorities and the manufacturer if they believe a device they’ve imported poses a risk to patients or users. This is a crucial aspect of post-market surveillance.
  • Cooperation with Authorities: Importers must cooperate with competent authorities during market surveillance activities and investigations.
  • Labeling and UDI: Ensuring that devices bear the correct labeling, including the Unique Device Identifier (UDI), and that this information is accurately transferred to the EU label and packaging.

The involvement of Authorized Representatives and Importers is instrumental in navigating the complex regulatory landscape of the EU for medical devices. It’s important to note that the roles and responsibilities of Authorized Representatives and Importers can vary depending on the specific device, its classification, and the regulatory framework of the EU member state in which they operate. Manufacturers, ARs, and Importers should establish clear agreements and communication channels to ensure a harmonized approach to regulatory compliance.

Digital Health and Software as Medical Devices

The advent of digital health technologies and the recognition of software as medical devices are revolutionizing the healthcare landscape. Understanding and adapting to these trends is essential for both manufacturers and regulators.

Digital Health Ecosystem: Digital health encompasses a broad spectrum of technologies, including mobile health apps, wearable devices, telemedicine platforms, and remote monitoring systems. Manufacturers are increasingly developing and integrating these technologies into medical devices to enhance patient care and monitoring.

Regulatory Framework: Regulatory agencies, such as the European Medicines Agency (EMA) in the EU and the FDA in the United States, have been actively evolving to accommodate the unique challenges posed by digital health and software as medical devices.

Data Privacy and Security: As digital health devices collect and transmit sensitive patient data, stringent data protection and cybersecurity measures are paramount. Ensuring the confidentiality, integrity, and availability of patient information is an ongoing challenge that manufacturers and regulators must address.

Artificial Intelligence and Machine Learning

Artificial intelligence (AI) and machine learning (ML) are poised to transform healthcare by enhancing diagnostics, treatment planning, and predictive analytics. However, they introduce novel regulatory complexities.

Complex Algorithms: AI and ML algorithms can be highly complex and may “learn” and adapt over time. This dynamic nature poses challenges in terms of pre-market assessment and ongoing monitoring.

Data Integrity: The quality and diversity of training data are critical for AI and ML model performance. Ensuring data integrity and representativeness is challenging, especially in healthcare, where data privacy is paramount.

Regulatory Adaptation: Regulatory authorities are actively working on adapting guidelines and frameworks to accommodate AI and ML technologies. Manufacturers need to stay informed about evolving regulatory requirements.

Ethical Considerations: AI in healthcare also brings ethical questions, including issues related to bias in algorithms, transparency, and accountability.

Cybersecurity and Data Protection

With the increasing connectivity of medical devices, cybersecurity and data protection have emerged as major concerns. Ensuring the security of patient data and device functionality is a top priority.

Vulnerabilities: Medical devices are susceptible to cyberattacks that can compromise patient safety and privacy. Manufacturers must implement robust cybersecurity measures to protect against such threats.

Regulatory Expectations: Regulatory agencies are increasingly focusing on cybersecurity requirements for medical devices. Manufacturers must incorporate cybersecurity into their design and development processes to meet these expectations.

Interoperability: As healthcare systems become more interconnected, ensuring the interoperability of devices while maintaining security is a challenge. Standardization efforts are underway to address this issue.

Patient Trust: Maintaining patient trust is essential. Data breaches or device vulnerabilities can erode confidence in medical devices and digital health technologies. Manufacturers must be proactive in addressing cybersecurity concerns.

Of course, these trends bring new challenges regarding regulation, data security, and ethical considerations. Manufacturers, regulators, and healthcare stakeholders must work collaboratively to harness the potential of these technologies while safeguarding patient safety and privacy.

Conclusion

This Beginner’s Guide to EU Medical Device Regulation is a vital and all-encompassing resource crafted with the specific purpose of empowering developers, manufacturers, and all stakeholders operating within the dynamic realm of the medical device industry. It equips its readers with the knowledge and tools they require to not only meet but also master the intricacies of EU Medical Device Regulation.

At its core, this guide is a compass, helping you navigate the maze of regulatory landscape of the European Union. With this guide in hand, you are poised not only to meet the challenges of the EU MDR but to thrive in an environment where safety, efficacy, and innovation converge if you’re dedicated to contributing to the continuous improvement of healthcare and making a lasting impact on the lives of patients across Europe.

Looking to launch your medical device prototype? Try iCure for free.

Back

En savoir plus?

ou passez sur notre instagram icon ou linkedin icon pour nous dire bonjour =)

Conditions d'utilisation du site iCure

www.iCure.com

1. PRÉAMBULE

ICure SA est incorporée à Genève, Suisse, avec un bureau enregistré à Rue de la Fontaine 7, 1211 Genève, Suisse, inscrite au registre du commerce sous le numéro CHE-270.492.477 ('iCure').

Ces Conditions d'Utilisation du Site iCure (“Conditions”) constituent un accord légalement contraignant conclu entre vous, que ce soit à titre personnel ou pour le compte d'une entité ('vous') et iCure SA ('nous', 'notre'), concernant votre accès et utilisation du site web https://www.icure.com ainsi que toute autre forme de média, canal médiatique, site web mobile ou application mobile associée, liée ou autrement connectée à celui-ci (collectivement, le 'Site Web').

Lorsque vous acceptez, ces Conditions forment un accord légalement contraignant entre vous et iCure. Si vous concluez ces Conditions au nom d'une entité, comme votre employeur ou l'entreprise pour laquelle vous travaillez, vous déclarez que vous avez l'autorité légale pour lier cette entité.

VEUILLEZ LIRE ATTENTIVEMENT CES CONDITIONS. EN VOUS INSCRIVANT, ACCÉDANT, NAVIGANT ET/OU UTILISANT AUTREMENT L'ICURE, VOUS RECONNAISSEZ QUE VOUS AVEZ LU, COMPRIS ET ACCEPTEZ D'ÊTRE LIÉ PAR CES CONDITIONS. SI VOUS N'ACCEPTEZ PAS D'ÊTRE LIÉ PAR CES CONDITIONS, N'ACCÉDEZ PAS, NE NAVIGUEZ PAS ET N'UTILISEZ PAS AUTREMENT LE SITE WEB ICURE.

iCure peut, à sa seule discrétion, choisir de suspendre ou de mettre fin à l'accès à, ou à l'utilisation de l'iCure à quiconque viole ces Conditions.

Tous les utilisateurs qui sont mineurs dans la juridiction où ils résident (généralement âgés de moins de 18 ans) doivent avoir la permission de, et être directement supervisés par, leur parent ou tuteur pour utiliser le Site Web. Si vous êtes mineur, vous devez faire lire et accepter ces Conditions d'Utilisation à votre parent ou tuteur avant d'utiliser le Site Web.

La langue originale de ces Conditions d'utilisation est l'anglais. En cas d'autres traductions fournies par iCure, la version anglaise prévaudra.

2. DROITS DE PROPRIÉTÉ INTELLECTUELLE

Le contenu de la documentation indiquée sur ce site Web nous appartient. Toutes les marques, contenus concernant iCure ne peuvent pas être copiés, reproduits, agrégés, republiés, téléchargés, postés, affichés publiquement, encodés, traduits, transmis, distribués, vendus, licenciés, ou autrement exploités à des fins commerciales quelconques, sans notre autorisation écrite préalable expresse.

Pourvu que vous soyez éligible pour utiliser le Site Web, vous êtes accordé une licence limitée pour accéder et utiliser le Site Web et pour télécharger ou imprimer une copie de toute portion du Contenu auquel vous avez correctement accédé uniquement pour votre usage personnel, non commercial. Nous réservons tous les droits non expressément accordés à vous dans et pour le Site Web, le Contenu et les Marques.

3. REPRÉSENTATIONS DE L'UTILISATEUR

En utilisant le Site Web, vous déclarez et garantissez que:

  1. Toutes les informations d'inscription que vous soumettez seront vraies, exactes, actuelles et complètes ; vous maintiendrez l'exactitude de ces informations et mettrez à jour rapidement ces informations d'inscription si nécessaire.
  2. Vous avez la capacité légale, et vous acceptez de vous conformer à ces Conditions d'Utilisation.
  3. Vous n'avez pas moins de 13 ans.
  4. Vous n'êtes pas mineur dans la juridiction où vous résidez, ou si mineur, vous avez reçu l'autorisation parentale pour utiliser le Site Web.
  5. Vous n'accéderez pas au Site Web par des moyens automatisés ou non humains, que ce soit par un robot, un script ou autrement.
  6. Vous n'utiliserez pas le Site Web à des fins illégales ou non autorisées.
  7. Votre utilisation du Site Web ne violera aucune loi ou réglementation applicable.

4. ACTIVITÉS INTERDITES

Vous ne pouvez pas accéder ou utiliser le Site Web à d'autres fins que celles pour lesquelles nous rendons le Site Web disponible. Le Site Web ne peut pas être utilisé en lien avec des entreprises commerciales sauf celles qui sont spécifiquement endossées ou approuvées entre vous et iCure.

En tant qu'utilisateur du Site Web, vous acceptez de ne pas:

  1. Publier du matériel du Site Web dans d'autres médias.
  2. Vendre, sous-licencier et/ou commercialiser autrement tout matériel du Site Web.
  3. Effectuer publiquement et/ou montrer tout matériel du Site Web.
  4. Utiliser ce Site Web de manière à être ou devenir préjudiciable à ce Site Web.
  5. Utiliser ce Site Web de manière à impacter l'accès des utilisateurs à ce Site Web.
  6. Utiliser ce Site Web contrairement aux lois et réglementations applicables, ou de manière à causer un dommage au Site Web, ou à toute personne ou entité commerciale.
  7. Engager dans tout minage de données, collecte de données, extraction de données, ou toute autre activité similaire en relation avec ce Site Web.
  8. Utiliser ce Site Web pour engager dans toute publicité ou marketing.

5. AUCUNE GARANTIE

Ce Site Web est fourni 'tel quel', avec tous ses défauts, et iCure n'exprime aucune représentation ou garantie, de quelque nature que ce soit liée à ce Site Web ou aux matériels contenus sur ce Site Web. De plus, rien de ce qui est contenu sur ce Site Web ne doit être interprété comme un conseil.

6. LIMITATION DE RESPONSABILITÉ

En aucun cas, iCure, ni aucun de ses dirigeants, directeurs et employés, ne seront tenus responsables de quoi que ce soit découlant de ou de quelque manière que ce soit lié à votre utilisation de ce Site Web, que cette responsabilité soit dans le cadre de ce contrat. iCure, y compris ses dirigeants, directeurs et employés ne seront pas tenus responsables pour toute responsabilité indirecte, conséquente ou spéciale découlant de ou de quelque manière que ce soit liée à votre utilisation de ce Site Web.

7. INDEMNISATION

Vous indemnisez pleinement iCure contre toutes responsabilités, coûts, demandes, causes d'action, dommages et dépenses survenant de quelque manière que ce soit liée à votre violation de l'une des dispositions de ces Conditions.

8. DIVISIBILITÉ

Si une disposition de ces Conditions est jugée invalide en vertu de toute loi applicable, ces dispositions seront supprimées sans affecter les dispositions restantes.

9. VARIATION DES TERMES

iCure est autorisé à réviser ces Conditions à tout moment comme il le juge bon, et en utilisant ce Site Web, vous êtes censé revoir ces Conditions régulièrement.

10. CESSION

iCure est autorisé à céder, transférer et sous-traiter ses droits et/ou obligations sous ces Conditions sans aucune notification. Cependant, vous n'êtes pas autorisé à céder, transférer ou sous-traiter aucun de vos droits et/ou obligations sous ces Conditions.

11. ACCORD COMPLET

Ces Conditions constituent l'accord complet entre iCure et vous concernant votre utilisation de ce Site Web et supplantent tous les accords et comprendements antérieurs.

12. DROIT APPLICABLE & JURIDICTION

Ces Conditions seront régies et interprétées conformément aux lois de la Suisse, sans tenir compte de ses dispositions sur les conflits de lois.

Les parties tenteront de résoudre le problème à l'amiable lors de négociations mutuelles. En cas de règlement non amiable trouvé entre les parties, le Tribunal de Genève sera compétent.

13. CONFIDENTIALITÉ

Veuillez vous référer à notre Politique de Confidentialité et Avis sur les Cookies pour les données que nous avons collectées à partir du formulaire de contact et du cookie Matomo.

ATTRIBUTION D'IMAGE

Dans le développement de notre site web, nous avons intégré diverses icônes pour améliorer l'attrait visuel et transmettre efficacement les informations. Nous exprimons notre sincère gratitude aux designers talentueux et contributeurs qui ont généreusement partagé leur travail avec la communauté. Ci-dessous une reconnaissance des ressources que nous avons utilisées:

SVG Repo: Un dépôt d'icônes SVG. Nous avons intégré leurs icônes dans notre site web. Spécifiquement:

  1. Travail de l'auteur vmware, Key Badged SVG Vector sous Licence MIT
  2. Travail de l'auteur Twitter, Cloud SVG Vector sous Licence MIT
  3. Travail de l'auteur Garuda Technology, Node Js SVG Vector et React SVG Vector sous Licence MIT

Merci aux auteurs qui ont contribué au: SVGRepo, Unsplash, communauté Maxipanels.

iCure présente des logos de divers produits, bibliothèques, technologies et cadres avec lesquels notre projet interagit. Il est important de noter que iCure ne détient aucun droit propriétaire sur ces logos ou les produits qu'ils représentent.

iCure SA

Contact: contact@icure.com

Dernière mise à jour: 20 février 2024.

Politique en matière de sécurité de l'information

www.iCure.com

1. Introduction

L'univers iCure est construit sur la confiance. Garantir la confidentialité des données qui nous sont confiées est notre priorité absolue.

La Politique de Sécurité de l'Information d'iCure résume le concept de sécurité qui imprègne chaque activité et respecte les exigences de la norme ISO 27001:2013 pour la sécurité de l'information, afin que nous assurions la sécurité des données que iCure et ses clients gèrent.

Chaque employé, contractant, consultant, fournisseur et client d'iCure est lié par notre Politique de Sécurité de l'Information.

2. Notre Politique

iCure s'engage à protéger la confidentialité, l'intégrité et la disponibilité du service qu'elle fournit et des données qu'elle gère. iCure considère également comme un aspect fondamental de la sécurité la protection de la vie privée de ses employés, partenaires, fournisseurs, clients et de leurs clients.

iCure respecte toutes les lois et réglementations applicables concernant la protection des actifs d'information et s'engage volontairement à respecter les dispositions de la norme ISO 27001:2013.

3. Définitions de la Sécurité de l'Information

La confidentialité fait référence à la capacité d'iCure de protéger les informations contre la divulgation. Les attaques, telles que la reconnaissance réseau, les violations de bases de données ou les écoutes électroniques ou la divulgation involontaire d'informations due à de mauvaises pratiques.

L'intégrité concerne la garantie que les informations ne sont pas altérées pendant ou après leur soumission. L'intégrité des données peut être compromise accidentellement ou intentionnellement, en évitant la détection d'intrusion ou en modifiant les configurations de fichiers pour permettre un accès non désiré.

La disponibilité exige que les organisations disposent de systèmes, de réseaux et d'applications opérationnels pour garantir l'accès des utilisateurs autorisés aux informations sans aucune interruption ou attente. La nature des données qui nous sont confiées nécessite une disponibilité supérieure à la moyenne.

La vie privée est le droit des individus de contrôler la collecte, l'utilisation et la divulgation de leurs informations personnelles. Nos politiques de confidentialité sont basées sur le RGPD (https://gdpr-info.eu/) et peuvent être renforcées par des exigences supplémentaires de clients spécifiques ou de domaines juridiques.

4. Évaluation des Risques

Les principales menaces auxquelles iCure est confrontée en tant qu'entreprise sont :

  1. Vol de données ;
  2. Suppression de données ;
  3. Attaques par déni de service ;
  4. Logiciels malveillants ;
  5. Chantage et extorsion.

En tant que fournisseurs d'une solution utilisée par des développeurs actifs dans le domaine de la santé, nous devons également anticiper les risques de :

  1. Attaques sur les données de nos clients, qui pourraient entraîner des dommages sociaux importants et une perte de confiance dans notre solution ;
  2. Abus de notre solution par des clients mal intentionnés, pouvant affecter la qualité du service fourni au reste de nos clients.

La motivation des attaquants dans ces derniers cas peut aller du gain financier aux motivations politiques ou idéologiques.

Un dernier risque est lié à la nature des données de santé que nous traitons. Nous devons nous assurer que les données que nous gérons ne sont pas utilisées à des fins autres que celles pour lesquelles elles ont été collectées :

Une donnée collectée auprès d'un patient dans le cadre d'une consultation médicale ne doit pas être accessible à des tiers, même pas à une agence gouvernementale.

5. Gestion des Risques

Les principaux principes que nous appliquons pour gérer les risques auxquels nous sommes confrontés sont :

  1. Confidentialité par conception : Toutes les données sensibles sont chiffrées de bout en bout avant d'être stockées dans nos bases de données. Nous n'avons aucun accès aux données que nous stockons. Seuls les clients de nos clients peuvent déchiffrer les données que nous stockons.
  2. Anonymisation par conception : Les informations de santé qui doivent être stockées non chiffrées sont toujours anonymisées en utilisant un schéma de chiffrement de bout en bout. Cela signifie que le lien entre les informations de santé et les informations administratives doit être chiffré.

Ces deux principes nous permettent de minimiser les risques de vol de données, de chantage, d'extorsion et de contrainte par une agence gouvernementale.

  1. Réplicas en temps réel multiples, avec basculement automatique : Nous utilisons une architecture de base de données distribuée pour garantir que nos données sont disponibles en tout temps. Nous utilisons une architecture maître-maître, chaque donnée est répliquée au moins 3 fois. Des instantanés sont pris chaque jour pour garantir que nous pouvons restaurer les données en cas d'événement de suppression malveillante.
  2. Rotations automatiques de mots de passe : aucun mot de passe ne peut être utilisé pendant plus de 48 heures. Les mots de passe sont automatiquement changés toutes les 24 heures. En cas de fuite de mot de passe, nous pouvons limiter la fenêtre d'opportunité pour une attaque.

Ces deux principes nous permettent de minimiser les risques de suppression de données, d'attaques par déni de service et de logiciels malveillants.

  1. Minimisation de la surface d'attaque : nous déployons nos systèmes de la manière la plus minimale possible. Nous exposons uniquement les services réseau strictement nécessaires.
  2. Gestion stricte des dépendances : nous utilisons uniquement des logiciels open-source qui sont régulièrement mis à jour et audités par la communauté. Nous privilégions les logiciels et fournisseurs de gestion des dépendances qui minimisent le risque d'empoisonnement de la chaîne d'approvisionnement.

Ces deux principes permettent à iCure de minimiser les risques d'intrusion par exploitation de vulnérabilité ou attaques de la chaîne d'approvisionnement, deux risques qui pourraient conduire au vol ou à la suppression de données.

6. Informations Complémentaires

Cette politique est valide à partir du 10 novembre 2022. Pour plus d'informations, veuillez nous contacter à privacy@icure.com

Mentions légales

iCure SA

Place de la Bourse-aux-Fleurs 2, Case postale 45, 1022 Chavannes-près-Renenss, Suisse

CHE-270.492.477

cookie

Ce site utilise des cookies

Nous utilisons uniquement une application de cookie à des fins de recherche interne visant à améliorer notre service pour tous les utilisateurs. Cette application s'appelle Matomo (conseillée par les institutions européennes et la CNIL), elle stocke les informations en Europe, de manière anonymisée et pour une durée limitée. Pour plus de détails, veuillez consulter notre Politique sur les Données Personnelles et .

Politique en matière de qualité

www.iCure.com

Chez iCure SA, nous nous engageons à l'excellence dans tous les aspects de notre travail. Notre politique de qualité est conçue pour fournir un cadre permettant de mesurer et d'améliorer nos performances au sein du SMQ.

1. Objectif de l'Organisation

L'objectif du SMQ est d'assurer une qualité constante dans la conception, le développement, la production, l'installation et la livraison de solutions de traitement des données, de sécurité, d'archivage, de support technique et de protection pour les logiciels de dispositifs médicaux, tout en s'assurant de répondre aux exigences des clients et réglementaires. Ce document s'applique à toute la documentation et aux activités au sein du SMQ. Les utilisateurs de ce document sont les membres de l'équipe de direction d'iCure impliqués dans les processus couverts par le périmètre.

2. Conformité et Efficacité

Nous nous engageons à respecter toutes les exigences réglementaires et légales applicables, y compris les normes ISO 13485: 2016 et ISO 27001:2013. Nous nous efforçons de maintenir et d'améliorer continuellement l'efficacité de notre système de gestion de la qualité.

3. Objectifs de Qualité

Nos objectifs de qualité sont définis dans le cadre de cette politique et tels que définis par notre cycle de vie de développement logiciel et sont régulièrement révisés pour s'assurer qu'ils sont alignés avec nos objectifs commerciaux. Ces objectifs servent de repères pour mesurer nos performances et guider nos processus décisionnels.

4. Communication

Nous assurons que notre politique de qualité est communiquée et comprise à tous les niveaux de l'organisation. Nous encourageons chaque membre de notre équipe à respecter ces normes dans leur travail quotidien, qu'ils soient employés, contractants, consultants, fournisseurs, clients ou toute autre personne impliquée dans la construction de notre logiciel de gestion de données médicales.

5. Pertinence Continue

Nous révisons régulièrement notre politique de qualité pour nous assurer qu'elle reste adaptée à notre organisation. Cela inclut la prise en compte des nouvelles exigences réglementaires, des retours des clients et des changements dans notre environnement commercial. En adhérant à cette politique, nous visons à améliorer la satisfaction client, à améliorer nos performances et à contribuer à l'avancement de la technologie médicale.

iCure SA

Contact : contact@icure.com

Dernière mise à jour : 17 avril 2024