DEVICE DEVELOPMENT – Mapping the Regulatory Strategy to Better Navigate Electronic Drug Delivery Device Development for Patient Safety & Security


Along with technology advancement in the medical industry, the behaviors and needs of different stakeholders also evolve. There is a clear interest in electronic drug delivery devices for a wide range of reasons. Patients need smart, interactive, and automated devices to help them administer their treatment on a regular basis in the home setting, without the need for other people’s assistance. Digital adoption by patients is strong, as they want to become more independent. Moreover, through drug delivery digitalization, patients may have the opportunity to significantly improve their treatment adherence, which has become one of the major issues in self-administration today. For instance, patients’ adherence in glaucoma treatment can be as low as 37% (1). Nevertheless, some studies show that digital reminders can multiply patient adherence by three (2). In addition, as the number of new molecules increases, there is an obvious need for advanced delivery systems to help patients administer their drugs in the most convenient way possible. Newly developed molecules, such as biologics and formulations with high viscosity, can require specific administration conditions. Consequently, electronics are increasingly used to achieve these conditions. Taking wearables as an example, these devices are developed to help patients inject viscous formulations that require time-consuming drug administration. This situation explains why industrial players continue innovating in digitalized health solutions.

Different Evolving Standards & FDA Guidance for Hardware
Different healthcare stakeholders will be able to benefit from the emerging trend of electronic drug delivery devices. Patients may improve their quality of life as they can better monitor their chronic diseases. In addition, both healthcare providers and caregivers may also have the possibility to check their patients’ adherence and compliance to optimize treatment efficacy. Researchers have a high interest in monitoring patient behavior to obtain more reliable data, particularly in the case of clinical trials. Lastly, the data generated by the electronic devices will give pharmaceutical companies and payers access to better-quality statistical analysis of patient behavior. Moreover, this may help them better adapt their solutions to the real needs of the patients.


Although electronic devices offer real added value and opportunities, adoption of this innovation trend is slower than expected due to various factors, one of them being the demanding and thorough regulatory requirements, which have to be interpreted correctly. In fact, the regulatory requirements for electronic device development can be split into three categories, namely mechanical, hardware, and software; human factors; and cybersecurity.


Regarding these aspects, the IEC 60601-1 series of standards – including Collateral Standards, Particular Standards, and National Deviations – has to be taken into account, as these may impact the development of the Medical Electrical Equipment (MEE). Indeed, the most important standard when developing an MEE is the General IEC 60601-1 for electrical safety and essential performance, published by the International Electrotechnical Commission.

Different Evolving Standards & FDA Guidance for Software

On the other hand, if the embedded software provides support for basic safety or essential performance, or if its failure may lead to an unacceptable risk, section 14 of the IEC 60601-1 about Programmable Electronic Medical Systems and the IEC 62304 will be needed to design the software in the MEE. The IEC 62304 covers the software lifecycle process, and it sets out the requirements as well as the necessary documentation for software development based on three safety classes. The second edition of this standard will normally be published in 2020. In addition, the FDA has provided several guidance documents that are highly recommended. For instance, we can list the guidance on General Principles of Software Validation (issued in January 2002), the guidance for the Content of Premarket Submissions for Software Contained in Medical Devices (issued in May 2005), and the guidance on Off-the-Shelf Software Use in Medical Devices (issued in September 2019).


As mentioned earlier, depending on the targeted markets, national deviations of the IEC 60601-1 standards may exist, which might lead to variation in the recognized standard version. Therefore, it is crucial to consider these country deviations in electronic device development and to conduct testing as early as possible to help reach the targeted markets. Nonetheless, most major markets, such as the US, Canada, and the European Union, recognize the general IEC standards. They may also have some modifications, removing or adding requirements, which are specifically related to their regulation or national standards. For example, the US recognizes the National Deviation of IEC 60601-1, which is known as the ANSI AAMI ES60601-1 (more information regarding the CDRH’s consensus standards can be found on the FDA website). Among the differences, the US version requires a different leakage current limit, a different flammability rating requirement for enclosure material, and different certification requirements for critical components, etc. To avoid bad surprises in product development and wasted time during the different dossier submissions, CB Scheme test reports are recommended. Developed by the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components, it is the world’s first international system for mutual acceptance of test reports and certificates dealing with the safety of electrical and electronic components, equipment, and products (more information regarding the CB Scheme can be found on the website). This will make sure the device conforms to the distinct targeted markets and their regulatory requirements.


To ensure the usability of an electronic device, human factors and usability studies have to be conducted according to different standards and applicable guidance. These studies highlight the interaction between the device and the users. There are a few evolving standards that must be taken into account for such studies, such as the IEC 62366-1 on the application of usability engineering to medical devices and the FDA guidance on Applying Human Factors and Usability Engineering to Medical Devices. Nonetheless, innovators often make typical mistakes. They might conduct Human Factors Validation Tests poorly by using test scenarios that are not linked to the critical tasks, or by collecting no subjective data related to the performance. In addition, the human factors validation tests (Summative) require at least 15 participants per user group, so an insufficient number of test participants may call into question the reliability and viability of the generated data. Most importantly, keep in mind that Human Factors Engineering (HFE) reports should be easy to find in the dossier submission, as the authority might challenge the submission and create hurdles when the materials are not structured in the right format.

Workflow for Human Factors/Usability Engineering Activities


Normally, the workflow for HFE and usability engineering (UE) activities consists of planning, research and design, tests, and ultimately reporting. The objective of these activities is to provide detailed results in an HFE/UE report, which is supposed to be compliant with the FDA requirement while also proving electro-medical device conformity to the technical standards. The most critical step is to list and carry out the research and design activities. There are six main axes that have to be considered to meet the regulatory prerequisites:

1. To ensure full understanding of the device users, the user profile analysis must be done based on the intended use and user characteristics provided in section 5.1 of the FDA guidance. It can list physical size, strength, literacy, and language skills, etc.

2. Furthermore, the use environment analysis will guarantee the understanding of the device usage environment, as the healthcare setting differs from the homecare environment. The device use environment characteristics are provided in section 5.2 of the FDA guidance; lighting level, noise level, etc. can be listed.

3. Also, by investigating logged incidents that put users at risk on comparable systems, known problem analysis leaves room to develop better risk mitigation and to better understand how to avoid problems in practical, concrete situations.

4. To analyze the consequences of use error, a Use-Related Hazard Analysis can be performed based on Fault Tree Analysis.

5. Also, to establish the device specification, the user interface (UI) analysis and specification must be carried out to assess the existing UI and standard.

6. Last but not least, the residual use-related risk should include the analysis of use errors, close calls, assistance, and any difficulties identified during formative and summative studies.

In the final analysis, these six axes become the essential elements to bringing patient-focused design solutions.


To ensure data security in developing electro-medical devices, there are some evolving standards and guidance documents that have to be integrated in the design process. Taking a step back to software development, the software lifecycle is regulated by IEC 62304, as mentioned earlier. Also, IEC 82304-1 plays a role in the validation of health software used on smartphones or computers (Stand-Alone Software). In light of this, the FDA guidance previously mentioned acts as a crucial and fundamental element for the design steps. Through risk management, we will have a clear understanding of the security risks and also identify hazardous situations that might affect the safety of the user and patient. Eventually, we may picture the mitigations of the identified risks for data security and ultimately perceive the impacts on patient/user safety. Most importantly, a highly secured device will be guaranteed by obtaining certifications of the software based on the recognized UL standards, such as UL 2900-1 for general requirements for software cybersecurity for network-connectable products and UL 2900-2-1 for particular requirements for network-connectable components of healthcare and wellness systems.

Speaking of cybersecurity guidelines, the FDA, Health Canada, TGA (Australia), ANSM (France), MDCG (Medical Device Coordination Group in Europe), and IMDRF (International Medical Device Regulators Forum) provide premarket and post-market guidance to help manufacturers address cybersecurity issues. In the pre-market phase, authorities have recognized more consensus standards for conformity and provide for the application of the standard TIR57 on Principles for medical device security Risk management, which reinforces the relation between safety and security risk management. They also share information on how to implement the National Institute of Standards and Technology (NIST) cybersecurity framework (identify, protect, detect, respond, and recover). In addition, regulators recommend device labeling and give further information on additional required documentation on cybersecurity. On the other hand, in the post-market phase, authorities focus more on the life cycle aspects, the core of which is to implement a proactive and comprehensive security risk management program. As an example, the FDA emphasizes NIST framework application, communication of vulnerabilities and limits, the post-market surveillance process, and deployment of software updates to avoid cybersecurity issues.

Based on this guidance and these standards, a general cybersecurity plan has to be elaborated according to the device being developed. First, there is a need to clarify the clinical context, such as the intended use of the device. Next, we have to define the cybersecurity activities during the device life cycle, be it in design, manufacturing, distribution, usage, or even withdrawal. After knowing all the activities, there is a need to define the cybersecurity study and security risk management around availability, integrity, and confidentiality. In addition to defining the verification strategy, there is a need to plan the tests for the identified mitigations, whose results can be explained in the cybersecurity report. This documentation will become a key element for certification. At the end of the day, through the post-market review and surveillance strategy, we will be able to identify the problems encountered and develop an improvement plan. Bear in mind the FDA welcomes possible modifications and changes in the post-market review and planning with the objective of improving cybersecurity for the patients.


Given the growing interest in the electronics in drug delivery devices, which offer real added value in comparison to mechanical devices, it is crucial to understand the regulatory requirements thoroughly from the beginning of product development. Patient safety has to be the priority, while patient security must be the key driver of the electro-medical devices’ development. That being said, innovators must anticipate the problems that may occur in the future by bearing in mind the entire set of regulatory requirements, starting from mechanical, hardware, and software, through human factors, and ultimately cybersecurity. To meet the regulatory requirements, it is important to de-risk through well-designed and meticulous steps of activities that may eventually prevent hurdles during dossier submission to authorities. In view of this, Nemera understands the significance of the regulatory requirements and respects the related standards and guidance to ensure a smooth product development and submission process.


  1. Yeaw J, Benner J, Walt J, Sian S, Smith D. Comparing Adherence and Persistence Across 6 Chronic Medication Classes. Journal of Managed Care Pharmacy. 2009;15(9):728-740.
  2. Helen L. Figge I. Electronic Tools to Measure and Enhance Medication Adherence. 2011.


Ahmed Mallek is a Regulatory and Compliance Project Manager at Nemera, responsible for the quality department to guarantee conformity and compliance of Nemera’s electronic projects. Prior to Nemera, he worked as a Regulatory Specialist in the medical device industry and Biomedical Technician in a hospital. After he graduated from Institut supérieur d’ingénieurs de Franche-Comté, he worked as a Quality and Regulatory Engineer for electro-medical device companies, including X-Ray tables, Infusion Pump Systems, and Cryogenic devices.

Hadrien Gremillet is a Senior Marketing Analyst at Nemera, responsible for the company’s electronic strategic project. Prior to Nemera, he spent 3 years as an entrepreneur in the mobile internet sector and 3 years as a consultant at McKinsey. He graduated from Ecole des Mines de Saint Etienne and ESSEC business school.


Audrey Chandra is a Global Category Manager at Nemera. She believes the ease of use of the device plays an important role toward patient quality of life. She is in charge of identifying the pain points and the unmet needs of patients, and also accompanying product development in parallel. She joined Nemera in 2019 and graduated from Faculty of Medicine in Indonesia. She pursued her Master studies in Strategy and Business Development in Toulouse School of Management, France.