In this work, it was found that regulatory conformance has highlighted significance in medical technology, the safety and effectiveness of which affect patients directly. To reach safety and effectiveness goals, the quality and product management systems of manufacturers are strongly regulated. In EU, the essential regulations are MDR and IVDR and in USA, 21 CFR. The most important standards related to medical software product management include ISO 16142-1, IEC 62304, IEC 62366-1, IEC 82304-1, ISO 14971, IEC/TR 80002-1 and ISO 13485, and to quality management, ISO 13485, FDA QSR and ISO 14971. It was concluded that the size and organization of the company, target markets as well as the product or products that the company manufactures affect how quality and product management should be organized in companies.
From a business strategic perspective, it was found that regulation affects market ac-cess, the choice of sales and distribution strategies and the efficiency of R&D processes, and thus, the competitiveness of companies. Regarding financing, the regulatory status, such as existing marketing authorizations and product risk class, and the regulatory com-petence of the team are reviewed closely by potential investors, making regulation rele-vant to financing of especially start-up companies.
In the empirical part, 22 proposals of improvement for the processes of the case com-pany were identified. Further, three larger themes were detected from the proposals: the need for more structure and consistency, the need for training and education on regula-tory and other requirements and processes, and the need for continuous optimization and improvement of processes. In addition to the individual proposals, these themes should be regarded in the company on a general level. Also other processes than the ones in this study should be considered from the viewpoint of these themes.
The themes should be considered in also other companies with similar characteristics or a similar situation. They may be worthwhile for example when evaluating and updating processes. Similarly, the discovered linkages between strategy and regulation are rele-vant to start-up and also more established companies. For other operators in the Finnish medical technology sector, such as interest organizations, regulatory authorities and even customers, it can be recommended to take the themes and the strategic linkages into account by supporting companies through for example organizing training and edu-cation. Researching the sector, it is beneficial per se to understand that these kinds of themes affect the performance of companies.
REFERENCES
AAMI (2020) Standards and Technical Documents. Available (accessed on 26.11.2020):
https://www.aami.org/standards/what-are-standards
ANVISA (2020a) Brazilian Health Regulatory Agency (Anvisa). Available (accessed on 6.11.2020): https://www.gov.br/anvisa/pt-br/english
ANVISA (2020b) Regulation of products. Available (accessed on 6.11.2020):
https://www.gov.br/anvisa/pt-br/english/regulation-of-products
ANVISA (2020c) Medical devices. Available (accessed on 6.11.2020):
https://www.gov.br/anvisa/pt-br/english/regulation-of-products/medical-devices
ANSI (2020a) Webstore: AAMI TIR57:2016. Available (accessed on 26.11.2020):
https://webstore.ansi.org/Standards/AAMI/AAMITIR572016
ANSI (2020b) Webstore: AAMI TIR45:2012 (R2018). Available (accessed on 26.11.2020): https://webstore.ansi.org/Standards/AAMI/AAMITIR452012R2018
Baird, P. & Cobbaert, K. (2020) Medical Device White Paper Series. Software as a med-ical device – A comparison of the EU’s approach with the US’s approach. BSI.
Cheng, M. (2003) Medical device regulations global overview and guiding principles.
World Health Organization. Available (accessed on 12.10.2020): https://ebookcen-tral.proquest.com/lib/tampere/reader.action?docID=284726
Clinical investigation of medical devices for human subjects — Good clinical practice.
(2020) International Organization for Standardization. ISO 14155:2020. Available (ac-cessed on 4.12.2020): https://www.iso.org/standard/71690.html
Commission Implementing Decision (EU) 2020/437 of 24 March 2020 on the harmonised standards for medical devices drafted in support of Council Directive 93/42/EEC. (2020) Official Journal of the European Union, OJ L 901, pp. 1-24. Available (accessed on 23.4.2021): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uris-erv:OJ.LI.2020.090.01.0001.01.ENG&toc=OJ:L:2020:090I:TOC#document1
De Maria, C., Di Pietro, L., Díaz Lantada, A. Madete, J., Makobore, P.N., Mridha, M., Ravizza, A., Torop, J., Ahluwalia, A. (2018) Safe innovation: On medical device legisla-tion in Europe and Africa. Health policy and technology. 7 (2), 156–165. Available (ac-cessed on 10.11.2020): https://doi.org/10.1016/j.hlpt.2018.01.012
Disior (2020) Disior – Diagnosis and treatment through true 3D vision. Available (ac-cessed on 24.3.2021): https://www.disior.com
Erkkilä, J., Clinical and Product Management Director, Planmed Oy (2021) Interview on 25.1.2021
European Commission (2020a) Medical Devices - Sector: New Regulations. Available (accessed on 15.10.2020): https://ec.europa.eu/health/md_sector/new_regulations_en European Commission (2020b) Internal Market, Industry, Entrepreneurship and SMEs – Single market and standards: Notified bodies. Available (accessed on 20.10.2020):
https://ec.europa.eu/growth/single-market/goods/building-blocks/notified-bodies_en European Commission (2021a) Medical Devices - Sector: Overview. Available (ac-cessed on 20.4.2021): https://ec.europa.eu/health/md_sector/overview_en
FDA (2016) Postmarket Management of Cybersecurity in Medical Devices – Guidance for Industry and Food and Drug Administration Staff. Available (accessed on 10.12.2020): https://www.fda.gov/media/95862/download
FDA (2017) What are examples of Software as a Medical Device? Available (accessed on 26.3.2021): https://www.fda.gov/medical-devices/software-medical-device-samd/what-are-examples-software-medical-device
FDA (2018a) How to Register and List. Available (accessed on 4.11.2020):
https://www.fda.gov/medical-devices/device-registration-and-listing/how-register-and-list
FDA (2018b) Postmarket Requirements (Devices). Available (accessed on 4.11.2020):
https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assis-tance/postmarket-requirements-devices
FDA (2019a) Premarket Approval (PMA). Available (accessed on 30.10.2020):
https://www.fda.gov/medical-devices/premarket-submissions/premarket-approval-pma FDA (2019b) Investigational Device Exemption (IDE). Available (accessed on 3.11.2020): https://www.fda.gov/medical-devices/how-study-and-market-your-device/in-vestigational-device-exemption-ide
FDA (2019c) Requests for Feedback and Meetings for Medical Device Submissions: The Q-Submission Program – Guidance for Industry and Food and Drug Administration Staff.
Available (accessed on 3.11.2020): https://www.fda.gov/media/114034/download FDA (2019d) Content of a 510(k). Available (accessed on 4.11.2020):
https://www.fda.gov/medical-devices/premarket-notification-510k/content-510k
FDA (2020a) Digital Health Software Precertification (Pre-Cert) Program. Available (ac-cessed on 27.10.2020): https://www.fda.gov/medical-devices/digital-health-center-ex-cellence/digital-health-software-precertification-pre-cert-program
FDA (2020b) Premarket Notification 510(k). Available (accessed on 30.10.2020):
https://www.fda.gov/medical-devices/premarket-submissions/premarket-notification-510k
FDA (2020c) PMA Application Contents. Available (accessed on 4.11.2020):
https://www.fda.gov/medical-devices/premarket-approval-pma/pma-application-con-tents
FDA (2020d) Cybersecurity. Available (accessed on 10.12.2020):
https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity FDA (2020e) Medical Device Single Audit Program. Available (accessed on 15.12.2020):
https://www.fda.gov/medical-devices/cdrh-international-programs/medical-device-sin-gle-audit-program-mdsap
FDA CDRH (2020) CDRH Offices. Available (accessed on 28.10.2020):
https://www.fda.gov/about-fda/center-devices-and-radiological-health/cdrh-offices Fiedler, B. A. (2017) Managing medical devices within a regulatory framework. Amster-dam, Netherlands: Elsevier. Available (accessed on 24.11.2020): https://app-knovel- com.libproxy.tuni.fi/web/toc.v/cid:kpMMDRF003/viewerType:toc//root_slug:managing-medical-devices/url_slug:reframing-product-life?issue_id=kpMMDRF003&hierarchy=
Fimea (2020) Lääkinnälliset laitteet. Available (accessed on 20.10.2020):
https://www.fimea.fi/laakinnalliset_laitteet
Food and Drugs. Code of Federal Regulations Title 21. (2020) Available (accessed on
2.12.2020):
https://www.ecfr.gov/cgi-bin/text- idx?SID=991e9bf47949aee3c94aac85f908b1e6&mc=true&tpl=/ecfrbrowse/Ti-tle21/21tab_02.tpl
Green, C. H. (2012) Get financing now: How to navigate through bankers, investors, and alternative sources for the capital your business needs. 1st edition. New York: McGraw-Hill. Available (accessed on 21.4.2021): https://learning.oreilly.com/library/view/get-fi-nancing-now/9780071780315/
Grönlund M., Raitoharju, R., Ranti, T., Seppälä, K. & Ståhlberg, T. (2017) Suomen terveysteknologia-alan nykytila ja haasteet. Tekes. Available (accessed 3.12.2020):
https://www.businessfinland.fi/globalassets/julkaisut/suomen_terveysteknologia-alan_nykytila_ja_haasteet.pdf
Health software and health IT systems safety, effectiveness and security — Part 5-1:
Security — Activities in the product life cycle. (2021) International Electrotechnical Com-mission. IEC/DIS 81001-5-1. Available (accessed on 21.4.2021):
https://www.iso.org/obp/ui/#!iso:std:76097:en
Health software — Part 1: General requirements for product safety. (2016) International Electrotechnical Commission. IEC 82304-1:2016. Available (accessed on 25.11.2020):
https://www.iso.org/obp/ui/#iso:std:iec:82304:-1:ed-1:v1:en
Healthtech Finland (2018) Terveyttä ja kasvua teknologialla – Terveysteknologian vuosi 2018. Available (accessed on 26.3.2021): https://healthtech.teknolo-giateollisuus.fi/sites/healthtech/files/terveysteknologian_vuosi_2018.pdf
Hrgarek, N. (2012) Certification and regulatory challenges in medical device software development. Proceedings of the 4th International Workshop on Software Engineering in Health Care. 4 June 2012 IEEE Press. pp. 40–43. Available (accessed on 27.11.2020): https://ieeexplore-ieee-org.libproxy.tuni.fi/document/6227011
IMDRF (2020a) About IMDRF. Available (accessed on 11.11.2020): http://www.im-drf.org/about/about.asp
IMDRF (2020b) Work items. Available (accessed on 11.11.2020): http://www.im-drf.org/workitems/work.asp
Johnson, G., Scholes, K., Whittington, R. (2008) Exploring corporate strategy: text &
cases. 8th edition. Harlow: Prentice Hall. Available (accessed on 11.3.2021):
https://ebookcentral.proquest.com/lib/tampere/detail.action?docID=5139483
Karsikas, J., Investment Director, Suomen Teollisuussijoitus Oy (2020) Interview on 11.12.2020
Kittlaus, H., Clough, P.N. (2009) Software Product Management and Pricing: Key Suc-cess Factors for Software Organizations. Berlin, Heidelberg: Springer Berlin / Heidel-berg. Available (accessed on 24.11.2020): https://link-springer-com.lib-proxy.tuni.fi/book/10.1007%2F978-3-540-76987-3#toc
Linders, P. (2020) Setting Standards: ISO 13485: Challenges in Achieving High-Level Structure Compliance. Biomedical instrumentation & technology. 54 (1), 68–70. Availa-ble (accessed on 17.11.2020): http://dx.doi.org.libproxy.tuni.fi/10.2345/0899-8205-54.1.68
Mas, J. & Hsueh, B. (2017) An Investor Perspective on Forming and Funding your Med-ical Device Start-Up. Techniques in vascular and interventional radiology. 20 (2), 101–
108. Available (accessed on 11.12.2020): https://www-sciencedirect-com.lib-proxy.tuni.fi/science/article/pii/S1089251617300148?via%3Dihub
MDCG (2019) MDCG 2019-16 Guidance on Cybersecurity for medical devices. Available (accessed on 10.12.2020): https://ec.europa.eu/health/sites/health/files/md_sec-tor/docs/md_cybersecurity_en.pdf
Medical devices – Application of risk management to medical devices. (2019) Interna-tional Organization for Standardization. ISO 14971:2019. Available (accessed on 20.11.2020): https://www.iso.org/obp/ui/#iso:std:iso:14971:ed-3:v1:en
Medical devices — Part 1: Application of usability engineering to medical devices. (2015) International Electrotechnical Commission. IEC 62366-1:2015. Available (accessed on 25.11.2020): https://www.iso.org/obp/ui/#iso:std:iec:62366:-1:ed-1:v1:en
Medical devices — Quality management systems — Guidance on the application of ISO 13485:2003. (2004) International Organization for Standardization. ISO/TR 14969:2004.
Available (accessed on 1.12.2020): https://www.iso.org/obp/ui/#iso:std:iso:tr:14969:ed-1:v1:en
Medical devices – Quality management systems – Requirements for regulatory pur-poses. (2016) International Organization for Standardization. ISO 13485:2016. Available (accessed on 17.11.2020): https://www.iso.org/obp/ui#iso:std:iso:13485:ed-3:v1:en Medical devices — Recognized essential principles of safety and performance of medi-cal devices — Part 1: General essential principles and additional specific essential prin-ciples for all non-IVD medical devices and guidance on the selection of standards. (2016) International Organization for Standardization. ISO 16142-1:2016. Available (accessed on 26.11.2020): https://www.iso.org/obp/ui/#iso:std:iso:16142:-1:ed-1:v1:en
Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software. (2009) International Electrotechnical Commission. IEC/TR
80002-1:2009. Available (accessed on 26.11.2020):
https://www.iso.org/obp/ui/#iso:std:iec:tr:80002:-1:ed-1:v1:en
Medical device software — Software life cycle processes. (2006) International Electro-technical Commission. IEC 62304:2006. Available (accessed on 25.11.2020):
https://www.iso.org/obp/ui/#iso:std:iec:62304:ed-1:v1:en
Medical device software — Software life cycle processes — Amendment 1. (2015) Inter-national Electrotechnical Commission. IEC 62304:2006/AMD 1:2015. Available (ac-cessed on 21.4.2021): https://www.iso.org/obp/ui/#iso:std:iec:62304:ed-1:v1:amd:1:v2:en,fr
MedTech Europe (2020) MedTech Europe’s Facts and Figures 2020. Available (ac-cessed on 3.12.2020): https://www.medtecheurope.org/wp-content/up-loads/2020/05/The-European-Medical-Technology-Industry-in-figures-2020.pdf
Mäkelä, J., Chief Investment Analyst, Springvest Oy (2021) Interview on 8.3.2021 NMPA (2019) Main Responsibilities of the National Medical Products Administration.
Available (accessed on 5.11.2020): http://english.nmpa.gov.cn/2019-07/18/c_377587.htm
Owens, B. (2016) Stronger rules needed for medical device cybersecurity. The Lancet (British edition). 387 (10026), 1364–1364. Available (accessed on 10.12.2020):
https://www-sciencedirect-com.libproxy.tuni.fi/science/arti-cle/pii/S0140673616301209?via%3Dihub
Pommelin, P. (2017) The survival guide to EU medical device regulations. Helsinki, Fin-land: BoD - Books on Demand
Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC. Official Journal of the European Union, L 117, 5 May 2017, Available (ac-cessed on 2.12.2020): https://eur-lex.europa.eu/legal-con-tent/EN/TXT/?uri=OJ:L:2017:117:TOC
SAHPRA (2020) Medical devices. Available (accessed on 10.11.2020): https://www.sa-hpra.org.za/medical-devices/
Salmi, J., Chief Executive Officer, Sontek Ventures Oy (2020) Interview on 11.12.2020 SFS (2016) Terveydenhuollon tuotteiden laadunhallintajärjestelmän vaatimukset kuvaava standardi on uudistettu. Available (accessed on 16.11.2020):
https://sales.sfs.fi/fi/index/tuoteuutiset/terveydenhuollonlaitteidenlaatustandardiesitel-laan6.6.2016.html.stx
Sower, V. (2010) Essentials of Quality with Cases and Experiential Exercises.
Chichester: Wiley. pp. 4–11
Ståhlberg, T. (2015) Terveydenhuollon laitteiden lakisääteiset määräykset kansainvälisillä markkinoilla – Suomi ja EU fokuksessa. Tekes. Available (accessed on 12.10.2020): https://www.businessfinland.fi/globalassets/julkaisut/terveydenhu-ollon_laitteiden_lakisaateiset_maaraykset_opas.pdf
TGA (2020) Who we are & what we do. Available (accessed on 6.11.2020):
https://www.tga.gov.au/who-we-are-what-we-do
Thomas, J. (2016) Strategic Management. 1st edition. Pearson Education India. Availa-ble (accessed on 3.12.2020): https://learning.oreilly.com/library/view/strategic-manage-ment/9789389588064/xhtml/08_Chapter01.xhtml#ch1
Tukes (2020a) CE marking. Available (accessed on 19.10.2020): https://tukes.fi/en/prod-ucts-and-services/ce-marking
Tukes (2020b) EU Declaration of Conformity. Available (accessed on 22.10.2020):
https://tukes.fi/en/products-and-services/products-compliance-with-requirements/eu-declaration-of-conformity
Valvira (2019) Lääkinnällisten laitteiden valvonta siirtyy Valvirasta Fimeaan. Available (accessed on 20.10.2020): https://www.valvira.fi/-/laakinnallisten-laitteiden-valvonta-si-irtyy-valvirasta-fimeaan
White, W. I. (2018) Excellence beyond compliance: establishing a medical device quality system. 1st edition. Boca Raton: Taylor & Francis. Available (accessed on 30.11.2020):
https://learning.oreilly.com/library/view/excellence-beyond-compli-ance/9781351032568/
WHO (2017a) Global atlas of medical devices. World Health Organization. pp. 10-37.
Available (accessed on 12.10.2020): https://www.who.int/medical_devices/publica-tions/global_atlas_meddev2017/en/
WHO (2017b) WHO Global Model Regulatory Framework for Medical Devices including in vitro diagnostic medical devices. World Health Organization. pp. 5-7 Available (ac-cessed on 14.10.2020): https://www.who.int/medical_devices/publica-tions/global_model_regulatory_framework_meddev/en/
WHO (2020) World health statistics 2020 – Monitoring health for the sustainable devel-opment goals. World Health Organization. pp. vii. Available (accessed on 25.3.2021):
https://apps.who.int/iris/bitstream/handle/10665/332070/9789240005105-eng.pdf Zhang, W., Liu, R., Chatwin, C. (2016) Marketing authorization of medical devices in China. Journal of commercial biotechnology. 22 (1). Available (accessed on 6.11.2020):
http://dx.doi.org.libproxy.tuni.fi/10.5912/jcb720
APPENDIX A
Process description summaries
SW = software SRS = software requirements specification IFU = instructions for use SVD = software version description
RMG = risk management SOUP = software of unknown provenance OTS = off-the-shelf software GUI = graphical user interface
mgmt = management CRM = customer relationship management UDI = unique device identification QMS = quality management system
Software development process
Process stage Key activities Required documentation Development
planning
Defining
Processes used in the develop-ment
analysis Defining SW requirements
Risk analysis and existing SW and system requirements
de-sign Requirements transformed into
a SW architecture SW architecture document Detailed design SW architecture refined into
SW units SW design description
Unit acceptance criteria defined
Unit verification process
Units integrated into SW and verified
Integrated SW tested with doc-umented testing content
Integration test procedures veri-fied
Regression tests conducted
Integration and system test report
System testing Set of tests established, tests performed
Integration and system test report
Anomalies entered into SW res-olution process
Regression testing after changes
Software system testing verified SW release Labeling, IFU
re-views Done throughout design devel-opment
Design review report Development
transfer Commercial release reviewed and approved
Process stage Key activities Required documentation Software
mainte-nance plan Defining
Criteria for determining if feed-back indicates a problem
Use of SW risk management, configuration management and problem resolution processes
Procedures to evaluate and im-plement upgrades etc.
im-plementation Software development and problem resolution processes used for modifications
According to SW develop-ment process
Software risk management process
Process stage Key activities Required documentation General
require-ments for RMG system
Management: policy for risk ac-ceptability, generally accepted state of the art and known stakeholder concerns, reviews
Appropriate personnel qualifica-tion records maintained
RMG plan covering the whole software life cycle established Risk analysis Risks analyzed for each identi-fied hazard and hazardous
Risk evaluation Risks evaluated based on prob-ability of occurrence and sever-ity of harm
Risk management file
Risk control Risk control measures ana-lyzed and implemented
Risk control measure effective-ness verified
Residual risk evaluated based on RMG plan criteria
Benefit-risk analysis for non-ac-ceptable residual risks
Management of risks arising from risk control measures
Overall residual risk evaluated compared to benefits, against criteria for acceptability of over-all residual risk
Contributions of all risks to-gether considered
Risk management report
Risk
manage-ment review Review of risk management process
Checking that overall residual risk is acceptable
Checking that methods to col-lect production and
Collected data reviewed for rel-evance to safety, to reanalyze risks
RMG file reviewed, need for re-assessment of risks determined
SW (including SOUP and OTS if applicable) analyzed for con-tributions to hazardous situa-tions
Risk control measures for each potential cause of SW contrib-uting to a hazardous situation
These risk control measures verified, evaluated for new sources of hazardous situations
Traceability of SW hazards documented
After SW changes, modification analyzed for potential causes
OTS(/SOUP) SW residual risk analysis
Probability and severity of haz-ard leading to harm evaluated
Threats and vulnerabilities identified
Assets of the product identified and loss of each asset exam-ined for adverse impacts
Security risks evaluated for the need of security risk reduction
No reduction required -> ra-tionale with a re-evaluation trig-ger documented
Security risk controls are veri-fied, in place and to be imple-mented for future unknown se-curity risks
Residual risk re-evaluated
Benefit-risk analysis
Effects of security risk control measures evaluated for new threats, vulnerabilities and com-promised assets, hazards and hazardous situations
Before commercial release, a security risk management
risks and control measures reevaluated if needed Product realization process
Process stage Key activities Required documentation Planning of
CEO, sales team review pro-posal requests: notice in 48 hrs, written proposal in 5 working days, follow-up until proposal closed
-> Agreement approved by mgmt sent to the client
CFO responsible for storing agreements, invoicing
de-velopment SW lifecycle model: SW devel-opment process – Purchasing COO responsible for
purchas-ing procedures, records of plier performance, seeking sup-pliers, supplier evaluation
Monitoring and reevaluation of suppliers
Relevant purchasing docu-ments and records maintained for traceability (COO)
Purchase recipient verifies that the purchase complies with
Documented as part of product documentation
Installation staff verify that products to be installed con-form to labelling requirements
Customer training to all users
Records maintained data recorded in CRM by sales and applications manager
Number of active licenses re-viewed in mgmt review meet-ings
Property belonging to custom-ers/external provides
Mixing between different SW versions controlled
Limited access to executable files of core algorithms
Customers informed about in-stallation environment changes Validation of processes for produc-tion and service provision
Availability of service monitored
Installation, verification of
Mgmt ensures installations and their verifications, support activ-ities & customer training are performed by qualified person-nel
Corrective action if planned production and service results are not achieved
SW used in production and ser-vice provision validated
QMS processes monitoring and measurement
Control of moni-toring and meas-urement equip-ment
Parameters to be monitored and measured defined when operational procedures become established and measurable data is available in useful quan-tities
Automatic SW testing system under development
Measuring equipment verified, adjusted and readjusted (rec-orded) and safeguarded from result-invalidating adjustments
QMS SW validation for these SW
Records of control of moni-toring and measuring equipment