Author: Jian Wang (王健), RAC
Vice President, Quality & Regulatory Affairs at VistaMed Technologies
Jian Wang is a certified Regulatory Affairs professional (RAC) with over 18 years of experience masterfully navigating the complex landscape of international medical device regulations, personally leading VistaMed's successful FDA, CE, and ISO certification efforts.
I recently reviewed a technical file from a promising medical device start-up. They had impressive clinical claims and a sleek-looking device. But when I got to their post-market surveillance plan, it was a single paragraph. It vaguely promised to "monitor customer complaints and literature." They had no concrete mechanism for collecting the real-world performance data needed to back up their claims and ensure ongoing safety after the product launched.
I closed the file. The device was a non-starter.
From my perspective as a regulatory affairs professional, this is a fatal flaw. Interpreting a single-lead ECG is not just a clinical act; it is a regulatory event. The diagnosis relies on the assumption that the tracing on the screen is a faithful representation of the heart's electrical activity. If the device's manufacturing, software, and quality systems are not impeccably documented and validated, that assumption is built on sand. For a Regulatory Affairs Manager, your job is to be the geologist.
From a VP of Regulatory Affairs
"Clinicians see a device that helps patients. I see a device that generates evidence. A well-designed connected ECG is not just a clinical tool; it is a compliance engine that automates the collection of the very post-market data that regulators now demand. This is its most powerful, and most overlooked, benefit."
– Jian Wang (王健), RAC
The RA Manager's Core Questions on ECG Data Integrity
For an RA Manager, vetting a potential device partner isn't about the screen brightness or the color of the device. It's about drilling down into the architecture of their quality and compliance systems. These are the questions I ask when a new device comes across my desk.
How can a device's design support EU MDR post-market surveillance for ECGs?
This is the most critical question for any device sold in Europe. The EU's Medical Device Regulation (MDR 2017/745) has dramatically elevated the requirements for Post-Market Surveillance. A passive system of waiting for complaints is no longer sufficient. The regulation mandates a proactive, living process.
Specifically, your PMS plan must feed into your Post-Market Clinical Follow-up (PMCF) plan and your Clinical Evaluation Report (CER). You need a constant stream of real-world data to confirm your device's safety and performance. An integrated, connected ECG platform is that data stream. Every reading is a data point for your PMCF study. It provides an automated, auditable, and continuous flow of the very information Article 83 of the MDR requires. Attempting to gather this data manually through surveys or registries is expensive, slow, and often results in poor-quality data. When a Notified Body auditor reviews our CE technical file, the first thing they see is that our connected devices, by their very nature, are designed to fulfill the ongoing clinical evidence requirements found in the EU MDR.
What specific cybersecurity documentation does the FDA really want for a connected ECG?
For any connected device, "HIPAA compliant" is just the marketing slogan. For an RA Manager preparing a 510(k) submission, the FDA demands far more. In my experience preparing these submissions, the FDA reviewers will go straight to the cybersecurity section of the technical file.
You must demand more than just a certificate. Ask for the hard documents:
-
The Threat Model: A document that identifies credible cybersecurity risks and the specific design features and controls that mitigate them.
-
The Vulnerability Management Plan: The vendor's documented process for monitoring, identifying, and patching vulnerabilities after the product is on the market.
-
The Software Bill of Materials (SBOM): A complete inventory of all third-party software components used in the device, including open-source libraries. This is critical for assessing supply chain risk.
If a vendor cannot produce these documents, their device is not ready for a serious FDA review, and it represents a significant compliance risk to your organization.
How does the manufacturing QMS impact the interpretability of an ECG result?
This is where the factory floor meets the technical file. A clean, interpretable ECG signal is a direct result of manufacturing discipline. When I review a potential partner, I look for evidence of a robust Quality Management System like ISO 13485:2016. It tells me they have a process for controlling the things that guarantee a trustworthy signal. This includes their process for sourcing critical components like the 316L stainless steel electrodes we use, their validation protocols for every batch of Analog Front-End (AFE) chips, and their strict version control for the device firmware. This isn't just about making a "good device"; it's about creating a consistent device whose results can be trusted lot after lot. This documented consistency is what gives me confidence when I sign my name on a regulatory submission.
What clinical validation evidence should I look for beyond just accuracy claims?
The claim "clinically validated" is meaningless without context. You need to see the full Clinical Evaluation Report (CER). Does it follow the MEDDEV 2.7/1 rev. 4 guidance? Does it include data from a patient population that is representative of your intended users? This is a point of increasing scrutiny from regulators, particularly around ensuring performance across diverse populations.
Furthermore, a sign of a high-quality manufacturer is their participation in independent research. For instance, when the Cardiovascular Research Institute at Stanford University needed an exceptionally reliable device for a remote monitoring trial, they chose our SmartBP-Connect. As detailed in their publication in the Journal of Telemedicine and Telecare, they required a device with a research-grade data stream. Their choice is a powerful, third-party validation of the signal integrity that is born from our manufacturing process.
A Regulatory Due Diligence Checklist for ECG Device Vendors
Based on my 18 years of navigating these submissions, this is my non-negotiable checklist for vetting a new device platform vendor. I will not approve a partnership until I have satisfactory answers for every item.
About the Author
Jian Wang (王健), RAC serves as Vice President, Quality & Regulatory Affairs at VistaMed Technologies. As a certified Regulatory Affairs professional (RAC) with over 18 years of experience, he masterfully navigates the complex landscape of international medical device regulations. Jian has personally led the efforts for VistaMed to secure and maintain critical certifications, including FDA 510(k) Clearance, CE Mark under EU MDR 2017/745, and the ISO 13485:2016 quality management system certification (BSI Certificate No. FS 738429). This guide draws on his extensive, first-hand experience in vetting device partners and preparing successful regulatory submissions across the globe.
Clinically & Regulatory Reviewed By: Dr. Michael Bauer, PhD, Head of Clinical Research
The information provided is for informational purposes and intended for a B2B audience of healthcare professionals and procurement decision-makers. It is not a substitute for professional medical or financial advice. TCO and ROI results may vary based on facility size, usage patterns, and local market conditions. All certifications and regulatory clearances referenced are accurate as of the date of publication. Please contact VistaMed Technologies for the most current documentation.
EN
