In early 2019, we saw more and more pharmaceutical companies approaching us, wanting to use our platform for Digital Therapeutics. We decided to expand our medical device capabilities and implement an ISO 13485-compliant Quality Management System (QMS), which was certified earlier this year.

Since embarking on the DTx journey, our (and my) view of ISO certification has drastically changed. In this post, I want to share why we no longer view ISO 13485 as a formality or a purely regulatory requirement, but rather as a tactical framework for putting patient safety first. Secondly, I want to share the learnings that make me believe that entering digital therapeutics without ISO 13485 certification means an unacceptable business risk. But let’s start with a brief recap.

Recap: Digital Therapeutics Definitions and Regulation

A. What are Digital Therapeutics?

Digital Therapeutics (DTx) are patient-facing software applications that help patients treat, prevent, or manage a disease and that have a proven clinical benefit. For example, Digital Therapeutics can support patients in self-managing symptoms and thereby improve their quality of life and other clinical endpoints.

‘Standalone Digital Therapeutics’ deliver their impact for a specific group of patients irrespective of other treatments. ‘Around-the-pill Digital Therapeutics’ deliver a superior clinical benefit compared to standalone use of a particular medication.

B. Are Digital Therapeutics Medical Device Software?

By definition, Digital Therapeutics have an intended purpose of being therapeutic. Thereby, under Chapter 1 / Article 2 of Europe’s Medical Device Regulation, they classify as Medical Devices:

While there may be borderline cases, overall Digital Therapeutics clearly qualify as Medical Device Software. Accordingly, DTx manufacturers are (rightly) obliged to actively manage patient safety along the entire lifecycle of a DTx.

Learnings from implementing a QMS for the sake of DTx patient safety, not regulation

At smartpatient, we believe that meeting Medical Device Regulation standards is not about overhead or ticking boxes, but all about patient safety. From this angle, key concepts baked into any medical device regulation are almost common-sense:

• Risk Management: Systematically assess potential safety risks during product design and post-launch and mitigate with adequate measures
• Quality Management: Ensure that quality is controlled and documented along the product’s lifecycle, e.g. that standards are followed, personnel is qualified, and maintenance activities are planned
• Post-Market Surveillance: After launch, systematically identify and keep track of known risks to patient safety, and identify and report potential new ones

A Quality Management System provides the framework and the processes for baking these concepts into the everyday routines of product development, operations, and maintenance. The QMS defines the standards to be followed and requires rigid documentation and record-keeping.

If applied, sub-optimal processes are frustrating and waste resources. If not applied, the QMS is non-compliant.

Key objectives for our QMS were compliance with ISO 13485, minimum overhead for our agile processes, 100% digital documentation and signature processes, and modularity to easily support regulatory environment beyond Europe’s MDR and American FDA requirements (our initial geographic scope).

Out of many learnings from our QMS implementation, two are standing out:
(1) It takes time and resources to get QMS processes right to, in particular, minimize overhead and interruption of proven processes.
(2) It takes always more time than you think until everyone understands the link between the QMS and the overarching goal of patient safety.

Without ISO certification, a QMS may not be worth a dime

In the digital health space, there are quite some companies operating Class 1 medical devices, most of them not being ISO 13485 certified. What may sound like a good starting point for DTx development can easily be the exact opposite. Let me explain.

The arrival of MDR, which postponed by a year to spring 2021 because of COVID-19, changes the classification of medical device software: Almost any software that is Class 1 under today’s regulation, will be Class 2a or higher under MDR. This brings about two challenges for companies operating Class 1 devices:

1. The certification challenge: Any medical device needs a declaration of conformity with regulatory requirements. For Class 1 devices, this is a self-assessment by the manufacturer. For Class 2+ devices, a notified body needs to review the medical device’s technical documentation and declare conformity. Simply speaking, ISO 13485 certification is a pre-requisite for a notified body even looking at the technical documentation.
2. The legacy challenge: ISO 13485 is not device-specific, but applies to all medical devices of a given manufacturer. For companies operating Class 1 devices today, this means that during their ISO audit, their legacy products will be audited, too. They essentially have to retrofit 13485-compliant documentation standards to their existing devices. From experience, this seems challenging: If you have not documented your risk assessment or the qualification of team members in a standards-compliant way, how would you do this ex-post? The alternative is to entirely abandon existing devices and to rebuild from scratch.

The upshot may seem counterintuitive at first:

An existing Class 1 device by no means indicates that a manufacturer has the capabilities for bringing a DTx to market under MDR.

On the contrary, existing Class 1 devices may rather be a liability than an asset when it comes to getting certified for ISO 13485.

Don’t embark on DTx development without ISO 13485

Delivering to the promise of ‘digital medicines’, Digital Therapeutics are one of the hottest areas in digital health. The analogy to medicines also brings about a similarly high importance of patient safety and quality management. From a business perspective, ISO 13485 not being in place seems like an unacceptable risk for embarking on DTx development:

1. ISO 13485 is effectively required for getting a device to market under MDR
2. Implementing ISO 13485 takes time, resource, expertise, and diligence to not create ‘debt’ in terms of documentation and overhead in later phases of a DTx’s lifecycle
3. As large parts of a medical device’s technical documentation are written before actual software development, processes and standards need to be clear from the start to avoid the effort and risk of a potential later retrofitting.

At smartpatient, we operate MyTherapy, the Operating System for Digital Therapeutics. We combine the user acceptance of the world’s fastest-growing disease management app with the possibility to run medical-device-grade partner modules, developed and controlled under our ISO 13485-certified Quality Management System. If you also want to benefit from our engagement, regulatory compliance, and time-to-market, don’t hesitate to reach out.