Implementing an eIFU solution in your company has major implications on your QMS. Notified Bodies will review how you handled the process. This article explains what you can expect.
In Europe, manufacturers of certain categories of medical devices (MDs), such as implantable MDs, and in vitro diagnostics (IVDs) for professional laboratory use can replace the paper instructions for use (IFU) by an electronic version (eIFU). For MDs the conditions and requirements have been published in regulation 207/2012. For IVDs, a guidance document was published in MEDDEV 2.14/3 (2017).
eIFU embedded in software or built in an instrument are not in the scope of this article.
It is often crucial for safety that users have access to the correct IFU when they need it. Therefore, it is logical that eIFU solutions are subject to strict requirements. Consequently, Notified Bodies will verify how a manufacturer has designed and implemented their eIFU solution in agreement with the requirements.
To Notified Bodies the implementation of an eIFU solution is a significant change to the quality management system (QMS). Manufacturers must submit a change application and provide evidence of a correct implementation in the change application or during an audit.
The Notified body will look at the labelling, at the design, verification and validation of the website, and the changes to the QMS.
In a previous article in this series, I focused on the importance of defining user requirements, functional specifications, and the verification and validation of the web platform. The application of design control or software validation principles in ISO13485 or more specifically the design and software life cycle management according to EN/IEC 62304 is meaningful, if not necessary.
The Notified Body expect manufacturers to define user requirements and go through the process all the way to validation and document the different steps. The user requirements and functional specifications must clearly address the different requirements from regulation 207/2012 and MEDDEV 2.14/3 respectively.
I refer to the above-mentioned article as a reference where you can find more details on the design of an eIFU solution. However, risk management deserves special attention as an important source of input. Manufacturers must assess the risks caused by the absence of a paper copy in the packaging of the device. The Notified Body will definitely review the risk assessment, the mitigating actions, and the justification for the acceptability of risk. In addition, the Notified Body will verify whether post-market surveillance activities pay attention to risk associated with eIFU.
A system to provide a paper copy of the IFU to users without access to the internet or preferring to receive a paper copy for other reasons represents a risk mitigation. The regulations stipulate that this must be done within a timeframe determined in the risk assessment, but not later than 7 days, and free of charge. The availability of a Europe-wide or worldwide system of free telephone numbers is appropriate in this context, and in case of IVD it is even a requirement.
Ensuring that the user has access to the correct version of an eIFU is essential for a safe and effective eIFU solution. The Notified Bodies will verify how the manufacturer leads the user to the correct eIFU. The regulations themselves specify that this information must be available on the device or on its packaging, and the most efficient way to meet this regulation is to include a URL to the eIFU platform on the label in combination with a symbol.
A unique identifier for the IFU and, if relevant, for its version is a key element for the correct functioning of the eIFU solution. Manufacturers and providers of eIFU solutions have been using different identifiers. The European Commission (EC) recently invited feedback on a draft regulation, which will replace regulation 207/2012. It proposes the basic UDI-DI and UDI-DI as the unique identifiers. Although it looks like an obvious choice at first sight, further analysis demonstrates that they are not always suitable as sole unique identifiers for the IFU.
The Notified Body will verify whether all the labeling requirements are met. This includes not only the label and the IFU, but also the process that the manufacturer has established to communicate changes in the IFU to the users.
Careful analysis of the direct and indirect regulatory requirements for eIFU solutions is necessary to picture the complete impact of the implementation of eIFU on various QMS processes and procedures. The implementation of an eIFU solution will result in significant cost savings, but time and resources will initially have to be dedicated to a well-managed change project.
The Notified Body will verify the effectiveness of that change project. It will check changes to the procedures for the management of eIFU and label content, for inventory management of labeling, the packaging process, the logistical process, and the impact on the enterprise resource planning (ERP) system. It will also ensure that new procedures for the management of the web platform itself have been created and are effective. Last but not least, the Notified Body will assess the measures for ensuring the security of the web platform.
The implementation of an eIFU solution is a significant change to a QMS and subject to Notified Body approval. Notified Bodies will carefully review the change application and ensure that all the regulatory requirements are adequately addressed.
Preparing a compliant and effective eIFU solution involves a significant amount of work. The workload can be considerably reduced by choosing an outsourced compliant solution, designed by an ISO13485 certified supplier in agreement with EN62304 principles and hosted under an ISO27001 certified information security management system.