Medical devices include a wide range of products varying in complexity and application. Examples include tongue depressors, medical thermometers, and blood sugar meters.
The global market for medical devices reached roughly 209 billion US dollars in 2006 and is expected to grow at an average annual rate of 6–9% through 2010.
European Union legal framework and definition
Based on the “New Approach”, rules relating to the safety and performance of medical devices were harmonised in the EU in the 1990s. The “New Approach”, defined in a European Council Resolution of May 1985, represents an innovative way of technical harmonisation. It aims to remove technical barriers to trade and dispel the consequent uncertainty for economic operators, allowing for the free movement of goods inside the EU.
The core legal framework consists of 3 directives:
- Directive 90/385/EEC regarding active implantable medical devices;
- Directive 93/42/EEC regarding medical devices;
- Directive 98/79/EC regarding in vitro diagnostic medical devices.
Directive 2007/47/EC defines a medical device as: “any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings.” Devices are to be used for the purpose of:
- Diagnosis, prevention, monitoring, treatment or alleviation of disease.
- Diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap.
- Investigation, replacement or modification of the anatomy or of a physiological process
- Control of conception
The government of each Member State is required to appoint a Competent Authority responsible for medical devices. The Competent Authority (CA) is a body with authority to act on behalf of the government of the Member State to ensure that the requirements of the Medical Device Directives are transposed into National Law and are applied. The Competent Authority reports to the Minister of Health in the Member State. The Competent Authority in one Member State does not have jurisdiction in any other Member State, but they do exchange information and try to reach common positions.
In the UK, the Medicines and Healthcare products Regulatory Agency (MHRA) acts as a CA; in Italy it is the Ministero Salute (Ministry of Health).
Medical devices must not be confused with medicinal products. In the EU, all medical devices must be identified with the CE mark.
Definition in USA by the Food and Drug Administration
Medical machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory that is:
- recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
- intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease, in man or other animals, or
- intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.
Definition in Canada by the Food and Drugs Act
The term medical devices, as defined in the Food and Drugs Act, covers a wide range of health or medical instruments used in the treatment, mitigation, diagnosis or prevention of a disease or abnormal physical condition. Health Canada reviews medical devices to assess their safety, effectiveness and quality before being authorized for sale in Canada.
The regulatory authorities recognize different classes of medical devices, based on their design complexity, their use characteristics, and their potential for harm if misused. Each country or region defines these categories in different ways. The authorities also recognize that some devices are provided in combination with drugs, and regulation of these combination products takes this factor into consideration.
The Medical Devices Bureau of Health Canada has recognized four classes of medical devices based on the level of control necessary to assure the safety and effectiveness of the device. Class I devices present the lowest potential risk and do not require a licence. Class II devices require the manufacturer’s declaration of device safety and effectiveness, whereas Class III and IV devices present a greater potential risk and are subject to in-depth scrutiny. A guidance document for device classification is published by Health Canada.
Canadian classes of medical devices generally correspond to the European Council Directive 93/42/EEC (MDD) devices as follows: Class IV (Canada) generally corresponds to Class III (ECD), Class III (Canada) generally corresponds to Class IIb (ECD), Class II (Canada) generally corresponds to Class IIa (ECD), and Class I (Canada) generally corresponds to Class I (ECD). Examples are surgical instruments (Class I); contact lenses, ultrasound scanners (Class II); orthopedic implants, hemodialysis machines (Class III); and cardiac pacemakers (Class IV).
The Food and Drug Administration has recognized three classes of medical devices based on the level of control necessary to assure the safety and effectiveness of the device. The classification procedures are described in the Code of Federal Regulations, Title 21, part 860 (usually known as 21 CFR 860).
Class I: General controls
Class I devices are subject to the least regulatory control. Class I devices are subject to “General Controls” as are Class II and Class III devices. General controls include provisions that relate to adulteration; misbranding; device registration and listing; premarket notification; banned devices; notification, including repair, replacement, or refund; records and reports; restricted devices; and good manufacturing practices. Class I devices are not intended for use in supporting or sustaining life or to be of substantial importance in preventing impairment to human health, and they may not present a potential unreasonable risk of illness or injury. Most Class I devices are exempt from the premarket notification and/or good manufacturing practices regulation. Examples of Class I devices include elastic bandages, examination gloves, and hand-held surgical instruments.
Class II: General controls with special controls
Class II devices are those for which general controls alone are insufficient to assure safety and effectiveness, and existing methods are available to provide such assurances. In addition to complying with general controls, Class II devices are also subject to special controls. A few Class II devices are exempt from the premarket notification. Special controls may include special labeling requirements, mandatory performance standards and postmarket surveillance. Devices in Class II are held to a higher level of assurance than Class I devices, and are designed to perform as indicated without causing injury or harm to patient or user. Examples of Class II devices include powered wheelchairs, infusion pumps, and surgical drapes.
Class III: General controls and premarket approval
A Class III device is one for which insufficient information exists to assure safety and effectiveness solely through the general or special controls sufficient for Class I or Class II devices. Such a device needs premarket approval, a scientific review to ensure the device’s safety and effectiveness, in addition to the general controls of Class I. Class III devices are usually those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury. Examples of Class III devices which currently require a premarket notification include implantable pacemaker, pulse generators, HIV diagnostic tests, automated external defibrillators, and endosseous implants.
European Union (EU) and European Free Trade Association (EFTA)
The classification of medical devices in the European Union is outlined in Annex IX of the Council Directive 93/42/EEC. There are basically four classes, ranging from low risk to high risk.
- Class I (including Is & Im)
- Class IIa
- Class IIb
- Class III
The European classification depends on rules that involve the medical device’s duration of body contact, its invasive character, its use of an energy source, its effect on the central circulation or nervous system, its diagnostic impact or its incorporation of a medicinal product.
Certified medical devices should have the CE mark on the packaging, insert leaflets, etc. These packagings should also show harmonised pictograms and EN standardised logos to indicate essential features such as instructions for use, expiry date, manufacturer, sterile, don’t reuse, etc.
The classification of medical devices in Australia is outlined in section 41BD of the Therapeutic Goods Act 1989 and Regulation 3.2 of the Therapeutic Goods Regulations 2002, under control of the Therapeutic Goods Administration. Similarly to the EU classification, they rank in several categories, by order of increasing risk and associated required level of control; various rules exist in the regulation which allow for the device’s category to be identified.
Medical Devices Categories in Australia
| Classification | Level of Risk |
|---|---|
| Class I – measuring or Class I – supplied sterile or class IIa | Low – medium |
| Class IIb | Medium – high |
| Active implantable medical devices (AIMD) | High |
Medical devices incorporating RFID
In 2004, the FDA authorized marketing of two different types of medical devices that incorporate radio-frequency identification, or RFID. The first type is the SurgiChip tag, an external surgical marker that is intended to minimize the likelihood of wrong-site, wrong-procedure and wrong-patient surgeries. The tag consists of a label with passive transponder, along with a printer, an encoder and an RFID reader. The tag is labeled and encoded with the patient’s name and the details of the planned surgery, and then placed in the patient’s chart. On the day of surgery, the adhesive-backed tag is placed on the patient’s body near the surgical site. In the operating room the tag is scanned and the information is verified with the patient’s chart. Just before surgery, the tag is removed and placed back in the chart.
The second type of RFID medical device is the implantable radiofrequency transponder system for patient identification and health information. One example of this type of medical device is the VeriChip, which includes a passive implanted transponder, inserter and scanner. The chip stores a unique electronic identification code that can be used to access patient identification and corresponding health information in a database. The chip itself does not store health information or a patient’s name.
Practical and information security considerations
Companies developing RFID-containing medical devices must consider product development issues common to other medical devices that come into contact with the body, are implanted in the body, or use computer software. For example, as part of product development, a company must implement controls and conduct testing on issues such as product performance, sterility, adverse tissue reactions, migration of the implanted transponder, electromagnetic interference, and software validation.
Medical devices that use RFID technology to store, access, and/or transfer patient information also raise significant issues regarding information security. The FDA defines “information security” as the process of preventing the modification, misuse or denial of use, or the unauthorized use of that information. At its core, this means ensuring the privacy of patient information.
Four components of information security
The FDA has recommended that a company’s specifications for implantable RFID-containing medical devices address the following four components of information security: confidentiality, integrity, availability and accountability (CIAA).
- Confidentiality means data and information are disclosed only to authorized persons, entities and processes at authorized times and in the authorized manner. This ensures that no unauthorized users have access to the information.
- Integrity means data and information are accurate and complete, and the accuracy and completeness are preserved. This ensures that the information is correct and has not been improperly modified.
- Availability means data, information and information systems are accessible and usable on a timely basis in the required manner. This ensures that the information will be available when needed.
- Accountability is the application of identification and authentication to ensure that the prescribed access process is followed by an authorized user.
Medical devices and technological security issues
Medical devices such as pacemakers, insulin pumps, operating room monitors, defibrillators, and surgical instruments, including deep-brain stimulators, are being made with the ability to transmit vital health information from a patient’s body to doctors and other professionals. Some of these devices can be remotely controlled by medical professionals. There has been concern about privacy and security issues around human error and technical glitches with this technology. While only a few studies have been done on the susceptibility of medical devices to hacking, there is a risk. In 2008, computer scientists proved that pacemakers and defibrillators can be hacked wirelessly through the use of radio hardware, an antenna and a personal computer. These researchers showed that they could shut down a combination heart defibrillator and pacemaker and reprogram it to deliver potentially lethal shocks or run out its battery. Jay Radcliffe, a security researcher interested in the security of medical devices, raises fears about the safety of these devices. He shared his concerns at the Black Hat security conference. Radcliffe fears that the devices are vulnerable and has found that a lethal attack is possible against those with insulin pumps and glucose monitors. Some medical device makers downplay the threat from such attacks and argue that the demonstrated attacks have been performed by skilled security researchers and are unlikely to occur in the real world. At the same time, other makers have asked software security experts to investigate the safety of their devices. As recently as June 2011, security experts showed that by using readily available hardware and a user manual, a scientist could tap into the information on the system of a wireless insulin pump in combination with a glucose monitor. With a PIN access code of the device, the scientist could wirelessly control the dosage of the insulin.
Anand Raghunathan, a researcher in this study, explains that medical devices are getting smaller and lighter so that they can be easily worn. The downside is that additional security features would put an extra strain on the battery and size and drive up prices. Dr. William Maisel offered some thoughts on the motivation to engage in this activity. Motivations for such hacking might include acquisition of private information for financial gain or competitive advantage; damage to a device manufacturer’s reputation; sabotage; intent to inflict financial or personal injury; or simply satisfaction for the attacker. Researchers suggest a few safeguards. One would be to use rolling codes. Another solution is to use a technology called “body-coupled communication” that uses the human skin as a wave guide for wireless communication.
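The rolling-code safeguard mentioned above can be sketched as follows. This is an added example, not code from any device or study cited here: the HMAC-SHA256 construction, the 8-byte code length, the 16-step look-ahead window, and the `Programmer`/`Device` class names and command strings are all assumptions made for illustration. It shows the receiver rejecting a replayed code and a code reused with an altered command, while still recovering after missed transmissions.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead: missed transmissions the receiver tolerates


def rolling_code(key: bytes, counter: int, command: bytes) -> bytes:
    """One-time code: HMAC over counter and command, truncated to 8 bytes."""
    msg = struct.pack(">Q", counter) + command
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Programmer:
    """Sender side, e.g. a clinician's programmer (hypothetical class)."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def send(self, command: bytes):
        self.counter += 1  # a counter value is never reused
        return command, rolling_code(self.key, self.counter, command)


class Device:
    """Receiver side: a code is valid once, and only inside the window."""

    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0
        self.audit = []  # every decision is recorded for accountability

    def receive(self, command: bytes, code: bytes) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + WINDOW):
            if hmac.compare_digest(code, rolling_code(self.key, c, command)):
                self.last_counter = c  # counters up to c are now spent
                self.audit.append(("accepted", c, command))
                return True
        self.audit.append(("rejected", None, command))
        return False


def demo() -> dict:
    key = bytes(range(32))  # constructed demo key, not a real secret
    prog, dev = Programmer(key), Device(key)
    out = {}
    first = prog.send(b"READ_STATUS")
    out["fresh"] = dev.receive(*first)
    out["replayed"] = dev.receive(*first)  # same code a second time
    cmd, code = prog.send(b"READ_STATUS")
    out["altered"] = dev.receive(b"SET_RATE 9", code)  # code is bound to cmd
    out["unaltered"] = dev.receive(cmd, code)
    for _ in range(3):
        prog.send(b"READ_STATUS")  # transmissions the device never hears
    out["resynced"] = dev.receive(*prog.send(b"READ_STATUS"))
    for _ in range(WINDOW + 4):
        prog.send(b"READ_STATUS")
    out["out_of_window"] = dev.receive(*prog.send(b"READ_STATUS"))
    return out


if __name__ == "__main__":
    print(demo())
```

The window size is the trade-off the paragraph hints at: a larger window tolerates more lost transmissions but costs the device more HMAC computations per received message, which matters on a battery-constrained implant.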
Standardization and regulatory concerns
The ISO standards for medical devices are covered by ICS 11.100.20 and 11.040.01. Quality and risk management for regulatory purposes is addressed by ISO 13485 and ISO 14971. ISO 13485:2003 is applicable to all providers and manufacturers of medical devices, components, contract services and distributors of medical devices. The standard is the basis for regulatory compliance in local markets, and most export markets. Further standards are IEC 60601-1, for electrical devices (mains-powered as well as battery powered) and IEC 62304 for medical software. The US FDA also published a series of guidances for industry regarding this topic against 21 CFR 820 Subchapter H—Medical Devices.
Starting in the late 1980s, the FDA increased its involvement in reviewing the development of medical device software. The precipitant for change was a radiation therapy device (Therac-25) that overdosed patients because of software coding errors. The FDA is now focused on regulatory oversight of the medical device software development process and system-level testing.
A 2011 study by Dr. Diana Zuckerman and Paul Brown of the National Research Center for Women and Families, and Dr. Steven Nissen of the Cleveland Clinic, published in the Archives of Internal Medicine, showed that most medical devices recalled in the last five years for “serious health problems or death” had been previously approved by the FDA using the less stringent, and cheaper, 510(k) process. In a few cases the devices had been deemed so low-risk that they did not need FDA regulation. Of the 113 devices recalled, 35 were for cardiovascular issues. This may lead to a reevaluation of FDA procedures and better oversight.
Medical device packaging is highly regulated. Often medical devices and products are sterilized in the package. The sterility must be maintained throughout distribution to allow immediate use by physicians. A series of special packaging tests is used to measure the ability of the package to maintain sterility. Relevant standards include: ASTM D1585 – Guide for Integrity Testing of Porous Medical Packages, ASTM F2097 – Standard Guide for Design and Evaluation of Primary Flexible Packaging for Medical Products, EN 868 Packaging materials and systems for medical devices which are to be sterilized. General requirements and test methods, ISO 11607 Packaging for terminally sterilized medical devices, and others.
Package testing needs to be conducted and documented to ensure that packages meet regulations and all end-use requirements. Manufacturing processes need to be controlled and validated to ensure consistent performance.
The cleanliness of medical devices has come under greater scrutiny since 2000, when Sulzer Orthopedics recalled several thousand metal hip implants that contained a manufacturing residue. Based on this event, ASTM established a new task group (F04.15.17) to establish test methods, guidance documents, and other standards to address cleanliness of medical devices. This task group has issued two standards for permanent implants to date:
- ASTM F2459: Standard test method for extracting residue from metallic medical components and quantifying via gravimetric analysis
- ASTM F2847: Standard Practice for Reporting and Assessment of Residues on Single Use Implants
In addition, the cleanliness of re-usable devices has led to a series of standards, including the following:
- ASTM E2314: Standard Test Method for Determination of Effectiveness of Cleaning Processes for Reusable Medical Instruments Using a Microbiologic Method (Simulated Use Test)
- ASTM D7225: Standard Guide for Blood Cleaning Efficiency of Detergents and Washer-Disinfectors
The ASTM F04.15.17 task group is working on several new standards involving designing implants for cleaning, validation of cleanliness, and recipes for test soils to establish cleaning efficacy. Additionally, the FDA is establishing new guidelines for reprocessing reusable medical devices, such as arthroscopic shavers, endoscopes, and suction tubes.
- Medical & Biological Engineering & Computing
- Expert Review of Medical Devices
- Journal of Clinical Engineering 
A number of specialist University-based research institutes have been established such as the Medical Devices Center (MDC) at the University of Minnesota in the US, the Strathclyde Institute Of Medical Devices (SIMD) at the University of Strathclyde in Scotland and the Medical Device Research Institute (MDRI) at Flinders University in Australia.
Source ~ Wikipedia