Monitoring recent medical device quality and regulatory reforms
by Kamala Kodihally Nanjundeshaiah
Never in the history of medical device quality and regulatory (Q&R) activities have so many changes happened at the same time. For example, consider the timeline in Figure 1, which shows the implementation of quality management system (QMS) ISO 13485:2016, European Union Medical Device Regulation (MDR)/In Vitro Diagnostic Regulation (IVDR) and the reinforcement of the Medical Device Single Audit Program (MDSAP)
The industry is going through much-needed reforms. Some organizations exploited the gaps and loopholes in standards and regulations to their benefits, which led to many high-profile adverse events like faulty breast implants and non-certified replacement hips. Hence, there was an urgent need for improvement in standards, processes and procedures.
The next three years are going to be crucial for medical device organizations. They must understand these proposed changes, implement them successfully and plan to sustain them. Canada is on the frontline in leading this transformation with the implementation of ISO 13485:2016 and MDSAP.
When organizations are investing a lot of resources and effort in meeting these requirements and being compliant, how are these reforms going to help the organizations—whether in terms of producing safe and quality products, streamlining activities or releasing products faster to the market? This article highlights the improvements in standards and regulations, which ultimately can shape a better world.
ISO 13485 specifies requirements for a QMS in which an organization must demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. ISO 13485 requirements apply to all organizations regardless of their size and type, and includes their suppliers. Just consider:
- Even though the ISO 13485:2016 QMS structure hasn’t changed (it’s still based on the ISO 9001:2008 structure), it includes all the major changes and improvements from ISO 9001:2015. For example:
- Risk-based thinking is at the core of the standard. The concepts of risk and opportunity are integrated throughout the QMS and product life cycle.
- It emphasizes regulatory requirements.
- It enhances customer satisfaction and continual improvements.
- One objective of the working group that developed the new standard was to ensure ISO 13485 would better support the global alignment of regulatory requirements for medical devices.
- The new revision is more flexible. There is an option to exclude clauses six through eight if they don’t apply to the organization.
- Special emphasis is given to ensure that outputs are suitable for manufacturing before they become official production specifications (similar to Part 21 Code of Federal Regulations Title 820, design history file and device master record requirements).
- There are additional requirements in design and development, consideration of usability, use of standards, verification and validation, traceability, storage and handling to strengthen the complete product life cycle.
- There are criteria for evaluation and selection of suppliers, including performance and risk. The extent of verification is based on risk and supplier evaluation, and linkage to change control. Records of supplier evaluation, selection and monitoring must be maintained.
- There are requirements to protect the user’s confidential health information.
- Post-market surveillance and complaint handling requirements are reinforced through feedback procedures, input to risk management and the improvement process.
- There is emphasis of management commitment to support and implement a robust and effective QMS.
- Implementation of unique device identification (UDI), based on international guidance, is mandatory, which provides better traceability throughout the product life cycle.
The European Union’s Medical Device Directive (MDD) 93/42/European Economic Community (EEC), 90/385/EEC (active implantable medical devices) and 98/79/EC (in vitro diagnostic devices) have been superseded and combined into two new regulations: MDR and IVDR.
The MDR combines the existing medical devices and active implantable medical devices directives. MDR is not just an improved version of directives, it’s also a stronger and larger set of regulatory requirements to obtain Conformité Européenne (CE) certification. The new MDR is set to establish a robust, transparent, predictable and sustainable regulatory framework for medical devices.
The EU has gone a step further from ensuring safety and efficacy of a device to maintaining state-of-the-art devices status. Using EU-recognized standards and common specifications, advanced design and manufacturing technologies are on par with competitors’ products. Among the highlights include:
- The classification of the device is based on duration of use—whether it’s invasive or an active device—and the criticality of the device, per MDR Annex VIII. For example, a device coming in contact with the heart, central circulatory system and central nervous system is classified as a Class III.
- MDR Annex I, which was earlier called “essential requirements,” is now “general safety and performance requirements.” Product should be designed to ensure safety, reliability and performance in line with its intended use. Requirements are enhanced to cover safety, risks, chemical, physical and biological properties, radiation, labelling, software, cyber security and data protection.
- Requirements of technical documentation for design, manufacturing, clinical and post-market surveillance are now covered in MDR Annexes II and III. These documents will be reviewed thoroughly by the auditor and should be presented in a clear, organized, readily searchable and unambiguous manner. The authorized representative should have access to these documents. The post-market surveillance technical documentation includes plans, serious incidents, safety corrective actions, relevant specialist or technical literature, periodic safety update report and more.
- The UDI system should significantly enhance the effectiveness of the post-market safety-related activities. It also should help to reduce medical errors and fight against falsified devices.
- The information for user provides greater transparency of information on the benefits for patients, residual risks, warnings and a thorough assessment of overall risk and benefit.
- The European Databank on Medical Devices (EUDAMED) is a new feature and essential for the functioning of the MDR. Registration of economic operators, device registration and UDI, certificate status, clinical investigations and performance studies, vigilance and post-market surveillance data will be uploaded into EUDAMED. The database will be accessible to the regulatory authority, auditor, manufacturer and general public. There will be greater transparency through EUDAMED.
- Conformity assessment to place a product in the market is based on the type of device. Depending on the type of device, QMS, technical documentation and clinical evidence, more will be assessed. For high-risk products (Class III and Class IIb devices), additional procedures must be followed and the notified bodies must consult the commission and expert panel known as the extra scrutiny pathway.
- The organization must employ a person responsible for regulatory compliance. If the organization is small, a consultant must be available permanently and continuously at the organization’s disposal.
- Requirements of clinical evaluation, post-market clinical follow-up and clinical investigation are strengthened. The MDR describes respective requirements in several articles and comprehensive annexes. Enforced standards for substantially equivalency are in three contexts: clinical, technical and biological. The manufacturer should have access to these data to claim equivalency.
- The timeframe for reporting serious incidents and field safety corrective actions has been tightened.
- The EU commission is entitled to release common specifications if it determines that existing standards are lacking or insufficient.
The MDSAP is a program that allows conducting and using a single regulatory audit of a medical device manufacturer’s QMS that satisfies the requirements of multiple regulatory jurisdictions. The MDSAP is an international coalition to improve medical device safety and oversight. It promotes more efficient and flexible use of regulatory resources through work-sharing and mutual acceptance among regulators, while respecting the sovereignty of each authority. It also will reduce the number of audits and inspections by regulatory authorities. Participating countries include:
- United States: U.S. Food and Drug Administration (FDA).
- Canada: Health Canada.
- Brazil: Agência Nacional de Vigilância Sanitária
- Australia: Therapeutic Goods Administration.
- Japan: Ministry of Health, Labor and Welfare.
There are some exceptions to MDSAP. For example, inspection conducted “for cause” or “compliance follow-up” by the FDA will not be affected by the MDSAP. Also, the MDSAP would not apply to preapproval or post-approval inspections for premarket approval (PMA) applications or to decisions under section 513 (f)(5) of Act (21 U.S.C 360c(f)(5)) concerning the classification of a device. Other observations include:
- MDSAP is an integrated and simplified audit approach to access the global market. It reduces the overall number of audits or inspections and optimizes the time and resources expended on audit activities.
- MDSAP is a structured and systematic audit approach. The flow of the audit can’t be changed or eliminate any section. It’s a holistic audit approach.
- The auditors have greater accountability and responsibility. There will be more frequent interactions between the audit office and manufacturer. The audit team must include technical and subject matter experts.
- Audit anomalies or nonconformances are graded using a well-defined nonconformity grading matrix. The grading range is from one to five (four or five is considered major, and one to three is considered minor). A nonconformity grading score is based on the QMS’s impact on the product (direct or indirect) and occurrences (first time or repeated). More than one or two major nonconformances can trigger an unannounced future audit.
- The timeline and cost for the audit is defined. Each process is divided into tasks. Each task is estimated to take an average of 30 minutes. The cost of an audit is expected to be 30% more than a traditional audit.
- The timeline for post-audit activity completion is defined. If there are major nonconformances, the auditors must inform the regulatory authorities within five days. The organization must submit the correction and corrective action plan within 15 days and implementation evidences within 30 days. If the audit goes as planned, the auditor is expected to provide an audit report within 45 days.
Process-based audit model
MDSAP is a process-based audit approach (see Figure 2). There are four primary processes: two supporting processes and a purchasing and risk management process. Every audit will commence and end with management participation. Following the conventional approach, a management representative is responsible for ensuring that the requirements of the QMS have been effectively defined, documented, implemented and maintained.
Change for the better
Change can be difficult, but in this case, it’s for the better. Thorough understanding of the new standards, an elaborate, strategic approach to tactical planning, and a systematic implementation under proper guidance will lead organizations to successful adoption of these reforms.
Kamala Kodihally Nanjundeshaiah is a quality and regulatory consultant based in Winnipeg, Manitoba. She holds a bachelor’s engineering degree with specialties in electronics and communication from the University Visvesvaraya College of Engineering in Bangalore, India. She is a senior ASQ member and an ASQ-certified quality engineer and quality auditor.