The regulatory landscape is changing, and a little gap was just plugged. Blink and you probably missed it.
Just last year we posted a blog article about the sin of CE Marking a digital health product as a Class I Medical Device without actually doing any of the underlying assurance work. Well, it turns out things have moved on a little since then.
The Medical Device Directive (and forthcoming Regulation) is the piece of EU Law which has historically governed Medical Devices certification. It calls for Manufacturers to adjust the extent of their assurance activities according to the level of risk the product presents. For those devices contributing the least risk of harm (Class I), a self-certification process is in place. And this (at least currently) covers the vast majority of software-based medical devices.
Procedurally, a CE Mark can be affixed by completing a simple online form and making a payment of around £100. This straightforward application process might lead one to believe that Medical Device compliance is entirely trivial. But hear this: when you affix the CE Mark you are legally declaring that you have met all of the relevant requirements of the Directive – and this is no small task. For many Manufacturers, actually undertaking the compliance work and building the required Technical File can take 3-12 months of hard labour.
Interestingly, if your digital health product is CE Marked, you are not routinely obliged to share any of your assurance work with your customers – or anyone else for that matter. Hold that thought. Suffice it to say that there are plenty of digital health suppliers out there whose Technical Files would be unlikely to stand up to the rigour of an audit or an inspection by a court. But given how often this happens, many are tempted to take that risk.
All of this changed in June 2018. An Information Standard Notice was issued by NHS Digital formally stating that Medical Devices must also now comply with DCB 0129. Now, one might argue that the change is no big deal: the Medical Device Risk Management Standard (ISO 14971) and DCB 0129 are so closely aligned that if you’ve done one, you’ve pretty much done the other. But here’s the rub: DCB 0129 requires that you share the output of that work with your customers. Digital health suppliers can no longer hide behind a CE Mark – from a risk management perspective, it’s full disclosure.
Every healthcare organisation implementing a CE Marked digital health system is now essentially put in the position of a regulator – they have a fundamental right to see the risk management file. Those suppliers who take clinical risk management seriously have an opportunity to shine and show the world the good work they’ve been doing. Those who have put risk management on a back burner will need to formalise things and be sure that they are truly DCB 0129 compliant.
So, what should you do?