Solving the trade secret dilemma of the technical file submitted under MDR

On 21 May this year, the requirements regarding quality assurance of medical device software became more rigorous when the Medical Device Regulation (2017/745; MDR) entered into force. The conformity assessment procedure under the MDR requires manufacturers of medical device software to establish and share a technical file with the notified body performing the assessment. The file must contain a specification of the technical function of the software. Manufacturers have expressed concerns regarding how to best balance the requirement of including technical documentation in the technical file in order to get their product approved, against the risk to their competitive advantage arising through disclosure of trade secrets.

IP protection for medical device software
As digital innovations continue to transform healthcare, medical device software, whether stand-alone, embedded or as an accessory to other medical devices, has become an essential tool for physicians in many medical fields. Software can be employed for several medical purposes,  including electronic prescription, support for clinical decisions and medical image analysis. Strategically, it is often beneficial for developers of medical device software to manage their intellectual assets relating to the software as trade secrets, due to the risk of reverse engineering and uncertain patent eligibility.

Gaining market approval for medical device software
Notified bodies are competent organisations designated by an EU Member State to perform conformity assessment procedures of medical devices before allowing them on the market. Almost all medical devices require the involvement of a notified body, although the level of involvement is determined on the basis of the risk classification of the medical device. A few medical devices in the lowest classification require no involvement whatsoever, while the highest classification requires close collaboration with the notified body. The task of the notified body includes assessing the manufacturer’s quality management system and evaluating the clinical relevance and evidence of the device based on the technical file and the clinical data gathered. The main objective of performing the conformity assessment by the notified body is to assess whether a product’s medical benefits outweigh the risks associated with the use. For this assessment, the technical documentation in the technical file is essential.

The dilemma of the technical file
The technical file must include a device description and specification. Even though sharing of information between manufacturer and notified body is subject to confidentiality undertakings as set forth in Article 109 of MDR¹, this aspect may be uncomfortable for manufacturers from the perspective of protecting their trade secrets. Manufacturers also have to consider how the technical file is used post-approval, as they will need to make the technical file available to other actors in the value chain, such as contract manufacturers, distributors and/or authorised representatives,  who are also obliged to demonstrate compliance with the requirements of MDR. When sharing the technical file with other actors in the value chain, it is essential for the manufacturer to establish non-disclosure agreements that protect the intellectual assets disclosed in the technical file. These non-disclosure agreements must also include provision for when the recipient of the file is obliged to re-distribute it further in the value chain, without the involvement of the manufacturer.

What details, then, of the technology must be revealed? The device description and specification must, according to Section 1.1 in Annex II of MDR, include “a general description of key functional elements”. What such a “general” description entails is not clarified, but in the case of software there should be no need to include (parts of) the source code or algorithms. There should instead be a description of what the purpose and functions of the device are – its intended use, what it does and how this is achieved. When describing the purpose and functions, it may also be helpful to illustrate the data flows, including data inputs, i.e. what the software will be measuring or targeting, as well as data outputs, i.e. what the intended results are.

Another of the challenges arises through the fact that each notified body may examine the technical documentation differently. Depending on the risk associated with the medical use of the software, the notified body may be more likely to ask for more detailed descriptions.

Please contact us if you need further legal advice on IP-protection of your medical software and MDR-compliance.

^{1. This confidentiality undertaking covers any “commercially confidential information and trade secrets of a natural or legal person, including intellectual property rights; unless disclosure is in the public interest”, Article 109.1(b) MDR.}