Posts Tagged Regulatory

Risk management requirements for post-market surveillance for medical devices
Medical Device Regulation: what is it about?

The EU’s Medical Device Regulation (MDR) has been a hot topic in healthcare and a major concern for companies since 2017. It was officially published on 5 May 2017 and came into effect on 25 May 2017. The MDR replaces the current EU documents, the Medical Device Directive (93/42/EEC) and the Directive on active implantable medical devices (90/385/EEC).

Manufacturers of currently approved medical devices are given a transitional period of 3 years, until 26 May 2020, during which they have to reorganize their operations to meet the requirements of the MDR. However, certain devices that meet special requirements can be granted an extension of the transition period until 26 May 2024.

Post-market surveillance: what’s new

Articles 82 through 86 and Annex III of the EU MDR describe the requirements for a post-market surveillance (PMS) system and make PMS mandatory; manufacturers who want to remain in compliance with the new MDR are obliged to reorganize their PMS system and Vigilance System to follow the new requirements.

The PMS process is the collection and analysis of data coming from the various sources listed in Annex III, and it is carried out according to a PMS plan for each product. This data can be used for various purposes, such as:

  • Update of the benefit-risk determination and improvement of the risk management;
  • Update of the design and manufacturing information, the instructions for use and the labeling;
  • Update of the clinical evaluation;
  • Update of the summary of safety and clinical performance;
  • Identification of needs for preventive, corrective or field safety corrective action;
  • Identification of options to improve the usability, performance and safety of the device;
  • Contribution to the post-market surveillance of other devices (when relevant);
  • Detection and reporting of trends.

Risk management requirements for post-market surveillance for medical devices

With PMS becoming a duty for medical device manufacturers, an effective risk management system becomes a priority as well, being one of the three basic elements that ensure compliance and safety, alongside PMS and clinical evaluation (see Image 1).

According to the MDR, manufacturers are expected to provide evidence of a risk management plan created for the whole lifecycle of their products. Such plans should be used for tracking and reducing any potential hazards and for ensuring the safety of the devices.

The MDR refers to the following key risk-related notions:

  • Risk is defined in Article 2 as “the combination of the probability of occurrence of harm and the severity of that harm”;
  • Benefit-Risk Determination is defined in Article 2 as “the analysis of all assessments of benefit and risk of possible relevance for the use of the device for the intended purpose, when used in accordance with the intended purpose given by the manufacturer”;
  • General obligations are defined in Article 10 in the following way: “Manufacturers shall establish, document, implement and maintain a system for risk management as described in Section 3 of Annex I”;
  • The Quality Management System shall address the following matter: “risk management as set out in Section 3 of Annex I”.[1]

Risk Management for Medical Devices

The following MDR requirements should be addressed in order to ensure compliance and correct benefit-risk management:

  • establish and document a risk management plan for each device;
  • identify and analyse the known and foreseeable hazards associated with each device;
  • estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse;
  • eliminate or control the risks referred to in point (c) (the third point above) in accordance with the requirements of Section 4;
  • evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability;
  • amend control measures if necessary.

What else is there to keep in mind?

In 2019, a new ISO 14155:2018 draft will be published containing changes on pre- and post-market clinical investigations for medical devices. The new, third revision is expected to contain more explicit and thorough indications on risk management. Additionally, it will be closely tied to the risk management requirements outlined in ISO 14971.

Other significant changes in the new ISO 14155:2018 draft include:

  • Guidance on clinical quality management, clinical investigation audits and ethics committees
  • Risk-based monitoring requirements
  • Registration of clinical investigations in publicly accessible databases
  • Clarifications on how ISO 14155 requirements apply to each stage of clinical development
  • Annexes relating ISO 14155 to the European Medical Devices Regulation, and to the Medical Devices Directive (MDD) and Active Implantable Medical Devices Directive (AIMDD).

Useful Medical Device Regulation terminology

  • MDR – Medical Device Regulation
  • PMS – Post Market Surveillance
  • PIP – Poly Implant Prosthesis
  • MDD – Medical Device Directive
  • FDA – Food and Drug Administration
  • PMCF – Post Market Clinical Follow-up
  • CER – Clinical Evaluation Report
  • RM – Risk Management
  • PSUR – Periodic Safety Update Report
  • PMSR – Post Market Surveillance Report
  • SSCP – Summary of Safety and Clinical Performance
  • SAE – Serious Adverse Event
  • IFU – Instructions for Use

Are you looking for technological solutions to facilitate clinical trials and adverse event management for your Medical Device products? Arithmos offers solutions such as Symphony, a flexible and easy-to-set-up EDC system, and Argus BluePrint, a pre-validated and pre-configured version of Oracle Argus Safety, which ensure the compliance and security of processes for Medical Device companies. Arithmos, alongside its sister company seQure Life Sciences, can also support companies in a consultative way by making sense of the MDR and analyzing a company’s needs in terms of quality assurance and regulatory compliance. We can support you with an initial gap analysis and risk assessment regarding the MDR.

Contact us to learn more about our Medical Device solutions.

[1] BSI: MDR – Risk and Clinical Requirements

It’s Data Protection Day!

Data protection Day 2019

Did you know that January 28th is Data Protection Day? The Council of Europe launched this commemorative day in 2007, and two years later, the USA joined the initiative. We fully support this initiative, and as a technology company that operates in the Life Sciences sector, we recognize this important day by sharing six facts about data privacy in the healthcare sector.

Fact #1

The most significant recent data privacy law is probably the EU General Data Protection Regulation, better known as the GDPR. It is a text of more than 250 pages approved by the European Parliament, the Council of the European Union and the European Commission. The GDPR has replaced the previous Data Protection Directive 95/46/EC from 1995 and has introduced cohesive rules for ensuring that the EU population is aware of how their personal data is handled.

Fact #2

With regard to health data, the GDPR defines three types of data that require special protection: data concerning health, genetic data, and biometric data.[1]

Fact #3

Back in 2017, 54% of healthcare professionals thought that the responsibility for getting medical records from one healthcare facility to another lay with healthcare professionals/facilities. However, the responsibility should lie with both patients and professionals/facilities (57%).[2] We wonder: how has the situation changed in the last year and a half?

Fact #4

In the USA, the privacy and security of health data are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. They set limits on how health information can be used and shared with others and require that it be kept secure with administrative, technical, and physical safeguards.

Fact #5

Speaking of American legislation, in 2018 the US Congress attempted to enact a bill that would align the standards of 42 CFR Part 2 with HIPAA. The draft legislation would have permitted providers to share information about patients subject to 42 CFR Part 2 for the purposes of treatment, payment, and operations.

Fact #6

Even though the notion of data privacy is often linked to the notion of security, security is not always sufficient to ensure privacy. Privacy can be defined as the ability to protect personally identifiable health care information, while security can be described as protection against unauthorized access, with some definitions explicitly including integrity and availability.[3]

There are many ways to ensure the security of health data, and one of them is opting for a partner that has implemented best practices in this area, including internationally recognized certifications such as ISO 27001. ISO 27001 is the best-known standard in its family, providing requirements for an information security management system (ISMS). It guarantees that a company maintains the confidentiality, integrity, and availability of personal health and patient data and information.

If you want to learn more about the importance of ISO 27001 in the healthcare sector, we invite you to have a look at this material.

We at Arithmos take great pride in honoring data privacy and security, and we ensure that all our products and internal processes are compliant. We are also ISO 27001 certified, and we are thrilled to say that we confirmed this status with a re-certification in December 2018.

Want to know more about privacy and security in the healthcare sector? Send us your questions!

[1] General Data Protection Regulation

[2] Future Health Index 2017

[3] Karim Abouelmehdi, Abderrahim Beni-Hessane, Hayat Khaloufi: Big healthcare data: preserving security and privacy

[EVENT] Arithmos @PhV Day | Rome | 7 November

PhV Day 2018 Rome

As technological experts in Pharmacovigilance and Drug Safety, we are market leaders in understanding the global challenges of pharmacovigilance operations and adapting them to local market needs and regulations. This means, of course, attending the main industry events, such as PhV Day. Arithmos is excited to confirm its presence at the Italian edition of PhV Day on 7 November in Rome!

This event brings together safety experts from the pharmaceutical and healthcare industries, so we are looking forward to meeting professionals from pharma and medical devices companies, biotech, Regulatory Authorities, and academic research centers.

This is a year of changes, with Brexit, GDPR and technological advances continuously revolutionizing the pharmacovigilance field and the choice and implementation of a safety system. PhV Day will embrace these hot topics with the following agenda:

  • Brexit;
  • Reduced functionality of RNF;
  • EU General Data Protection Regulation (GDPR);
  • Regulation (EU) No 536/2014 on clinical trials on medicinal products for human use;
  • Evolution in the digital era;
  • Global quality system aimed at patient security;
  • Product quality and data integrity.

Technology and Pharmacovigilance

At PhV Day, Arithmos will showcase its key pharmacovigilance solution, Argus Blueprint. Argus Blueprint is a pre-configured and fully validated solution for fast deployment of Oracle Argus Safety that allows companies to implement or change Pharmacovigilance systems in the most accurate, timely and cost-effective manner. An up-to-date Pharmacovigilance system is extremely important now in light of the GDPR and patient security requirements, which aim to ensure a certain level of security in data management. It is also part of the larger process of digital transformation happening in Pharmacovigilance today.

Are you running a discontinued or outdated Pharmacovigilance system? Companies in Life Sciences risk security breaches and non-compliance issues if they do not migrate to more up-to-date Pharmacovigilance systems, so make sure you stop by our stand at PhV Day to discuss how you can enhance your security and migrate to a safer system.

Do you want to meet us and talk about choosing the right pharmacovigilance system and the safety of your data? Our Business Development Manager Anna Bottura will represent Arithmos at PhV Day in Rome, so make sure you book an appointment with her by sending us a meeting request.

See you in Rome!

Why Should Pharma Companies Include Clinical Trial Oversight in Their Strategy?

The ICH-GCP update that came into effect on June 14, 2017 had “Clinical Trial Oversight” among its main elements.
The E6 (R2) revision reminds principal investigators of their crucial role in 3 activities performed at their clinical sites: delegation, conduct and oversight. The latter now plays a larger role: sponsors are responsible for far more thorough oversight, covering each and every duty performed by the external companies included in their outsourcing strategy. Furthermore, a more comprehensive risk-based approach is required, with the aim of preventing systematic errors rather than correcting issues that have already occurred.

Since clinical trial oversight is gaining relevance every day in the global life sciences environment, pharmaceutical companies are slowly understanding its value and looking for different strategies to successfully adopt a clinical trial oversight solution.

In the following infographic, Arithmos Life Sciences IT experts have summarized why pharma companies should include a clinical trial oversight strategy, analyzing both internal and external needs, and provided a 3-step guide for a successful Clinical Trial Oversight implementation.

To download the Infographic click here.

Are you ICH GCP E6 R2 compliant?

Have a chat with our experts to learn how we can support you throughout the whole clinical trial oversight requirements identification and implementation process.

ICH GCP E6 (R2) – Are pharma companies ready to ensure Clinical Trial Oversight?

It has been more than a year since the ICH GCP E6(R2) addendum became effective. The reasons that led the Authorities to update the ICH GCP regulation are clear: on one side, the increasing complexity, scale and overall costs of clinical trials; on the other, the strong shift from a paper-based clinical trial process to electronic data capture and management. Among the phases mentioned in the addendum (clinical trial design, conduct, oversight, recording and reporting), oversight is gaining more relevance each day:

  • Are projects performing as planned?
  • Are partners respecting the quality agreement?
  • Are the documents produced by partners sufficient and effective?

Pharmaceutical and Biotech companies are required to implement a more structured and comprehensive monitoring of their projects. In particular, the addendum focuses on the relationship between sponsors and CROs, as stated in the addendum to article 5.2.2:

“The sponsor should ensure oversight of any trial-related duties and functions carried out on its behalf, including trial-related duties and functions that are subcontracted to another party by the sponsor’s contracted CRO(s)”.

What is Clinical Trial Oversight?

A set of processes put in place by the Sponsor and the CRO, aimed at providing the former with a constantly updated overview of the CRO’s performance, deliverables and results.

What is the Objective of Clinical Trial Oversight?

To enable more transparent and efficient communication about project status, timelines and results between Sponsors and CROs, ensuring global alignment.

But, if for Sponsors the oversight of CROs is considered a #1 priority, it is also true that most companies find it extremely difficult to design and implement a shared and efficient set of processes to reach this goal. As the GCP states, digital transformation in the Life Sciences industry has led to enormous changes, representing at the same time a great opportunity and a challenging reorganization. Thanks to IT innovations, information, data and documents can now be collected, organized and shared in a more efficient and cost-effective way. The other side of the coin is that these disruptive changes are often not included in a comprehensive digital strategy, leading to a lack of integration among the different applications used by the company’s departments. What does this mean?

  • Resources devoted to downloading and uploading data from one application to another;
  • Compliance issues related to the Computer System Validation (CSV) of the different platforms;
  • A great increase in the risk of human error due to data manipulation;
  • Risk of outdated reports for the management team;
  • Delays in activities with a significant impact on the study budget.

As has been widely discussed in recent months, the ICH GCP E6 (R2) puts the need for a Risk-Based Quality Management System under the spotlight. In fact, addendum 5.0 states:

“The sponsor should implement a system to manage quality throughout all stages of the trial process. […] The methods used to assure and control the quality of the trial should be proportionate to the risks inherent in the trial and the importance of the information collected.”

Companies are therefore required to implement a risk-based QMS to support each phase of the whole trial. The adoption of a Clinical Trial Oversight system allows real-time monitoring of specific compliance and process KPIs identified during the risk analysis phase. This embraces the philosophy introduced by the ICH E6 addendum, which encourages the use of improved and more efficient approaches and tools for clinical trial oversight in order to avoid unnecessary complexity, procedures, and data collection.

It is clear: clinical trial oversight is a mandatory requirement both from a regulatory perspective and from a strategic management point of view. The path towards the successful implementation of such a widespread improvement cannot be considered easy, but 3 main steps that every Sponsor should follow in order to ease the process have been identified:

  1. Requirements Analysis

    As a first step, it is fundamental to create a detailed map of the stakeholders (internal or external) involved in every activity, their responsibilities, tasks, the data they produce and, of course, the IT applications they use. This analysis will help in identifying the Sponsor’s specific requirements;

  2. Oversight Model Evaluation

    With a clear overview of the requirements, it is now time to evaluate the multiple ways an Oversight process, and consequently a system, can be designed and implemented. Is it better to introduce a horizontal global application? Would a central, integrated project management and control cockpit be the best choice? In this phase these questions will find an answer;

  3. Oversight System Implementation

    Requirements have been identified, alternatives evaluated and the best solution found. Sponsor and CROs now approach the final phase: the pragmatic creation of a more connected and integrated environment where the Sponsor can examine data, monitor activities and have a real-time overview of the CRO’s performance.

As stated in the previous paragraphs, these 3 macro phases involve several actors performing multiple processes; for this reason, the role played by the Quality Assurance Department is crucial. Ensuring a streamlined risk-based QA Management system (Standard Operating Procedures, Quality Manuals, Policies…) throughout all stages of the trial process allows Sponsors to meet regulatory requirements while avoiding compliance pitfalls.


Is your company compliant with Clinical Trial Oversight GCP?

We at Arithmos have developed a comprehensive approach to Clinical Trial Oversight Management: from requirements analysis to vendor selection and implementation of the solution. In collaboration with its strategic partners, Arithmos also provides complete support in the reorganization of Quality Systems using the Risk-Based Approach. Would you like more information on this topic? Just send us an email!

GDPR, what it is, what does it change and what do you risk if you are not compliant

Less than 3 months separate us from the moment the GDPR becomes effective. It is therefore fundamental for companies to better understand what the GDPR actually is and what consequences it will have for their daily routine, especially in Life Sciences, an industry characterized by an incredible amount of sensitive data.

What Actually is EU General Data Protection Regulation (EU GDPR)?

The EU General Data Protection Regulation is a text of more than 250 pages approved by the European Parliament, the Council of the European Union and the European Commission. The GDPR will replace the previous Data Protection Directive 95/46/EC from 1995. Given the technological innovation and the huge shift to a data-driven approach, it is easy to understand why an update was more than necessary.

If you are asking yourself why you should be interested in the GDPR, consider that it brings a much greater incentive for compliance: fines of up to €20M or 4% of global turnover.

What are the GDPR main objectives?

As stated on the homepage of the website, “The EU General Data Protection Regulation (GDPR) […] was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

The GDPR objectives are therefore 3:

  1. Increase the homogeneity of data privacy laws in the Euro area; this is directed especially at those organizations working in multiple countries;
  2. Ensure that the EU population is conscious of the data organizations obtain about them and how it will be used;
  3. Deeply reorganize the way companies collect, manage, analyze and share data.

Despite the different actors involved, it is easy to spot the comprehensive pattern that lies beneath the New Privacy Regulation: these pages concern the rights of individuals over their personal data, explaining how such data can be obtained, what can or cannot be done with it, and how the organization must guarantee its protection.

What is Personal Data?

Article 4 provides a wide definition of Personal Data, which includes:

  • Name, address and unique identifying numbers (IP address, cookie strings…);
  • Demographics: age, gender, income…;
  • Behavioral data: web search history, purchase history…;
  • Social data: your friends’ list, emails, messages…;
  • Sensor data: biometrics, health tracking devices…;
  • User-generated content: videos, photos, blogs or comments.

The GDPR concerns only personal data and does not cover anonymized data. There is, however, a big BUT: if data, even anonymized data, can somehow lead back to an individual (for example by combining different data sources), then this information is considered personal.

The actors involved in the GDPR

Who is or What constitutes a Data Subject?

The GDPR defines the data subject as a natural person, who could therefore be your customer, your employee or, in the context of clinical trials, your patient.

Who is or What constitutes a Data Controller?

The Data Controller is a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” It is therefore the company at the beginning of the data request workflow.

In the Life Sciences industry it can be identified with the sponsor, the Academic Institution or the Contract Research Organization (CRO).

Who is or What constitutes a Data Processor?

The Data Processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” These are the entities that actually handle the personal data under the mandate of the controller, for example IT companies that manage or administer a client’s database.

The Geography of the GDPR: Which Controllers and Processors Are Involved?

One of the biggest changes introduced by the GDPR is the extension of its regulatory jurisdiction. In fact, if any one of the following 3 conditions is met, then the entity must be GDPR compliant:

  • The data controller is based in the EU (regardless of whether the processing takes place in the Union or not);
  • The data processor is based in the EU (regardless of whether the processing takes place in the Union or not);
  • The data subject is based in the European Union.

In other words, if you or any link in the chain is in, or passes through, the European Union, then GDPR compliance is required (sponsors, CROs and patients participating in the trials are all involved).

Why is Consent the Key to the GDPR?

As stated on, the conditions for consent have been greatly strengthened in order to prevent companies from using “long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form”, including the purpose for data processing attached to that consent.

Consent is only valid when actively given; this means no pre-ticked checkboxes are accepted. The subject must also be able to withdraw consent at any time.

How Does the GDPR Empower EU Citizens?

As stated in the previous paragraphs, the Regulation introduces a brand new set of rights for data subjects to enhance information management. These include:

  • Access & modification: subjects must be able to access their data and modify it.
  • Right to erasure: subjects can request the deletion of their data when it is no longer necessary for its original purpose.
  • Portability: subjects must be able to request and obtain from controllers all the personal data held about them, in a portable format.

What Do You Risk If You Are Not GDPR Compliant?

The GDPR penalty section is extremely clear; paragraph 6 of Article 83 states: “Non-compliance […] shall, […], be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover […], whichever is higher”. This is the maximum fine that can be imposed, and it applies to the most serious infringements: lack of sufficient customer consent to process data or violation of the core Privacy by Design concepts.

Concerning compliance, a few words must be spent on the controversial breach notification: the GDPR requires companies to notify the Data Protection Supervisor within 72 hours of the event if a breach has occurred, which, as stated by Richard Stiennon on Forbes, means that you have 3 days to:

  1. Determine what happened.
  2. Put in controls to stop it from happening again.
  3. Figure out how to communicate it.

Of course, the path to compliance is no easy duty: a comprehensive plan involving many different departments must be put in place in order to ensure an efficient deployment before May 25th. Life Sciences companies, be they pharmaceutical companies, biotech, CROs or research centers, must include in their strategy all possible means to prevent personal data from being used in the wrong way, especially where their patients’ identity is concerned.
