Regulatory non-compliance can cost medical device companies millions in fines and fees in the event of a product recall or investigation. Specifically, to maintain regulatory compliance, medical device companies must keep device history records (DHR) — for example, as defined in ISO 13485 — alongside documentation about development and production.
For traceability purposes, medical device vendors are required to readily answer questions related to device usage. If they can answer these questions with immediacy (for example, the US Code of Federal Regulations, 21 CFR 821, requires 10 days), they will hopefully avoid regulatory punitive measures. They need to answer the following:
- WHICH version do/did they use?
- WHEN was the version installed, and when do/did they use it?
If a company cannot answer these questions within the required time frame, they will likely be deemed non-compliant.
However, there’s good news if the medical device is software-driven: A software entitlement management system (EMS) can be used to trace the data about which version and when it was used, and therefore play a significant role in providing the necessary information for the Device History Record.
Case Study
A longstanding public European medical device producer began selling their device with embedded software but didn’t have a means of tracking the complete history. Then came the unfortunate need for a product recall. This spelled trouble for this company. With an incomplete DHR, they were unable to reach out to users and alert them about the recall.
The consequence: $800M in fines and fees for the compliance investigation and compensation payouts. The company didn’t even know if some of the devices were still actively in use. If they had had a record-keeping mechanism in place, they would not have taken a $800M hit to their bottom line. Today, they are using their now-implemented Thales Sentinel Entitlement Management System to avoid such a loss in the future.
How an Entitlement Management System Helps MedTech Compliance
An Entitlement Management System (EMS) is used to provide licenses and entitle features and capabilities. For MedTech device software providers, an EMS can help avoid non-compliance fines in the following ways:
1. Encryption
A proven licensing and entitlement platform provides cryptographically secure, tamper-proof license keys which prevent malicious hacking of the medical device and its software. This helps to enforce the exact behavior of the device which is expected by the manufacturer.
2. Audit Trails of Maintenance
An EMS compiles a detailed audit trail about user roles and records who accessed or changed information and when. This data is crucial for investigations in case of a suspected breach and is a responsible way to demonstrate compliance efforts to regulatory agencies.
3. Product Cataloging
MedTech companies need to record information about device architecture, such as hardware or electrical components, assemblies, the kind of rubber tubes and so on. Should there be a need for a recall, or a fix, problematic products and devices can be identified by Unique Device Identifiers (UDIs), requested by both the European Union Medical Device Regulations (MDR) and the US FDA, which also provide databases for these UDIs.
Referencing the devices’ UDIs from the EMS entitlements or product catalog can be used to quickly identify the devices in question, notify the users, and mark them for CAPA (corrective or preventive action).
4. Enforcing Compliance-Specific Features
An EMS can also be configured to limit access to functionalities that might violate regulations. For example, an EMS in combination with a software licensing system can restrict access to features for marketing or data sharing that is non-compliant or manage feature sets by location to comply with regulations by region.
5. Version Control and Compliance Updates
An EMS can easily manage different software versions and ensure authorized users are only accessing compliant versions. This is especially helpful when updates are made to address security vulnerabilities or to incorporate changes required by evolving regulations.
Summary
An Entitlement Management System is a powerful tool for MedTech device regulatory compliance. It allows software providers to proactively manage access and feature functionalities and reduce the possibility of hefty financial penalties for non-compliance and resultant brand reputation damage. In conclusion, choosing the right EMS can help mitigate the risk of regulatory non-compliance for medical device software providers.