James A. Dunning, Principal, QPC Services LLC11.26.18
Time seems to have passed more quickly for me this year than at any other period in my life. I’m still not sure why, but one contributing factor could be the volume and gravity of regulatory changes that have been looming on the horizon. This is the time of year when I like to take a step back to focus—or refocus, rather—on what lies ahead. Some of the specific regulatory changes that have significantly impacted many medical device companies already or will affect them in the near future include the European Medical Device Regulations (MDR)—(EU) 2017/745; the In Vitro Device Regulation (IVDR); the Medical Device Single Audit Program (MDSAP); and ISO 13485:2016 revision.
Medical Device Regulation
Regulatory requirements for medical devices in the European Union have remained fairly constant since the mid 1990s, but this is no longer the case. The MDR is the new rule that replaces the European Union’s Medical Device Directive (MDD). Healthcare companies have until the end of May 2020 to transition to this new decree. The new MDR is significantly different than its predecessor. Compliance with the MDR will be much more difficult than it has been in the past—since there is no “grandfathering” for existing products, all manufacturers will need to review their current devices against the regulation’s requirements. Manufacturers that want an assessment against the new MDR will need to apply to a Notified Body for the evaluation. Though it might seem like a long way off, organizations should start preparing now for the MDR.
Key changes included in the new MDR are:
Like the MDR, the new In Vitro Device Regulation (IVDR) transition period ends in May 2022 as well. The changes in the IVDR are significant, because the existing In Vitro Device Directive was written for a relatively young industry. The new Regulation addresses some of the challenges posed by the Directive, including a new rule-based classification system for products, superseding the current list-based approach. This makes the Regulation more practical by allowing it to remain relevant to an innovative and growing industry. However, it also will require a far larger number of IVD manufacturers to seek notified body certification for their products because classification rules will now be applied to all in vitro diagnostics, as opposed to those restricted to exclusive lists. Under the IVD Directive, 90 percent of the industry could self-certify, but with the Regulation, up to 90 percent of the industry will require Notified Body certification. The IVDR places a much greater focus on clinical evaluation, and increased control over the wider supply chain.
The Medical Device Single Audit Program
The International Medical Device Regulators Forum has created a harmonized approach to auditing and monitoring medical device manufacturing. This new approach is designed to improve the safety and oversight of medical device manufacturing on an international scale. As a result, the Medical Device Single Audit Program (MDSAP), was established. The MDSAP has a sequential approach. The audit sequence contains four primary processes (Management; Measurement, Analysis, and Improvement; Design and Development; and Production and Service Controls), an enabling process (Purchasing), and two supporting processes (Device Marketing Authorization and Facility Registration, and Medical Device Adverse Events and Advisory Notice Reporting). The primary processes are built on a foundation of risk management requirements. Each MDSAP process area includes audit objectives and a series of tasks that auditors use to determine ISO 13485 compliance (the current 13485:2003 standard expires on March 1, 2019, at which time the 2016 revision becomes effective) and the applicable regulatory requirements of the countries participating in the program—Australia, Brazil, Canada, Japan, and the United States. Official MDSAP observers are the World Health Organization, the Medicines and Healthcare Products Regulatory Agency, and the Health Products Regulatory Authority; these agencies’ participation give a hint of the MDSAP’s potential growth.
The MDSAP’s initial pilot phase began in January 2014. The pilot phase is over, and the program’s implementation is now occurring. Health Canada, for instance, is requiring medtech manufacturers to transition to the MDSAP in order to maintain compliance with the quality management system (QMS) requirements of the Canadian Medical Devices Regulations. As of Jan. 1, 2019, only MDSAP certificates will be accepted in Canada. Also, the U.S. Food and Drug Administration (FDA) has confirmed that it will accept the MDSAP audit report as a substitute for routine agency inspections. Reviews conducted “For Cause” or “Compliance Follow-up” by FDA will not be affected by this program; the MDSAP will not apply to any necessary pre-approval or post-approval inspections for FDA premarket approval applications. (Editor’s Note: For more details on the MDSAP and ISO 13485:2016 certification deadlines, read MPO’s Year in Review feature on page 42).
ISO 13485:2016
Medtech companies that have not yet been certified to the new ISO 13485:2016 standard may not receive their accreditation by the March 1, 2019, deadline because demand is exceeding supply. Simply stated: There are not enough registrars to provide certification services. I expect to be contacted momentarily by companies that are in serious jeopardy of missing the certification deadline, and quite frankly, I’m not sure how I’ll advise them. I have never witnessed a situation like this before, though procrastination is partly at fault here (companies have had three years to get certified to the updated standard). Nevertheless, the dilemma sometimes keeps me up at night. Companies that hope to achieve ISO 13485:2016 certification by the deadline must act immediately and make arrangements (if possible) with a registrar. Finding a registrar with the bandwidth to certify an application by the deadline will be challenging, however.
Since I don’t want to end this section on a sour note, I’d like to highlight some of the good things about ISO 13485:2016. This list is not intended to be comprehensive, but it does focus on some of the most significant changes in the revised standard. Those changes include:
Risk
The ISO 13485:2016 standard expects companies to apply a “risk based approach” to its QMS processes. ISO 13485:2003 expected firms to think about risk, but only during product realization (in section 7). But now, organizations are expected to apply risk management methods and techniques to all QMS processes, including outsourced practices. For example, for purchased products, ISO 13485:2016 requires companies to consider the risk associated with a purchased product, formulate an action plan for unanticipated product changes, and determine whether the changes affect the medical device or the product realization process.
Medical Device File
While both ISO 13485:2003 and ISO 13485:2016 expect companies to establish a special file for each type of medical device, the 2016 revision clarifies exactly what this means. Organizations are now expected to include a description of each medical device or family of devices and to include all associated specifications, procedures, and records.
Training
While the 13485:2003 standard focused on the need to identify product requirements specified by customers and regulatory bodies, ISO 13485:2016 requires companies to also think about product safety and performance; it also commands manufacturers to consider the associated training needs of product users and to verify that regulatory requirements will be met and user training will be available before products are supplied to customers.
Servicing
The servicing section in ISO 13485:2016 has also changed. Besides documenting its servicing procedures and reference materials, companies also are now expected to analyze servicing records in order to identify servicing complaints and improvement opportunities.
There is so much more to these regulations that I have left out (it’s impossible to comprehensively summarize all the changes in 1,600 words). My intent was not to cover all of the upcoming changes, but rather to highlight those I believe are the most important. I attended the 2018 MPO Summit, where the near-term regulatory changes were described as a perfect storm. This is a very good and accurate description of what the medtech industry is currently facing. I hope companies are fully prepared for these changes, but if not, perhaps this column can help them initiate the necessary actions to get ready as quickly as possible. The train is racing down the track. We can stop it; we all just have to get on board.
James A. “Jim” Dunning’s consulting career began in 2001. He has provided quality and regulatory consulting services for various companies ranging from Fortune 500 medical device firms to startups. Dunning’s passion, however, lies with startups and small companies, especially those in regulatory distress. He has amassed significant experience in preparing 510(k) applications, developing complete Quality Management Systems, providing Quality System Training, and advising on quality, business, and leadership issues. Dunning is a senior member of the American Society for Quality (ASQ) and a member of the Regulatory Affairs Professional Society (RAPS). He can be reached at jdunning@qpcservices.com.
Medical Device Regulation
Regulatory requirements for medical devices in the European Union have remained fairly constant since the mid 1990s, but this is no longer the case. The MDR is the new rule that replaces the European Union’s Medical Device Directive (MDD). Healthcare companies have until the end of May 2020 to transition to this new decree. The new MDR is significantly different than its predecessor. Compliance with the MDR will be much more difficult than it has been in the past—since there is no “grandfathering” for existing products, all manufacturers will need to review their current devices against the regulation’s requirements. Manufacturers that want an assessment against the new MDR will need to apply to a Notified Body for the evaluation. Though it might seem like a long way off, organizations should start preparing now for the MDR.
Key changes included in the new MDR are:
- A wider scope of regulated medical devices
- At least one person responsible for regulatory compliance
- Definition of common specifications
- More stringent clinical evidence and documentation
- Increased focus on identification and traceability
- Unannounced factory audits
- Increased Notified Body authority and/or involvement
- More rigorous vigilance and market surveillance
Like the MDR, the new In Vitro Device Regulation (IVDR) transition period ends in May 2022 as well. The changes in the IVDR are significant, because the existing In Vitro Device Directive was written for a relatively young industry. The new Regulation addresses some of the challenges posed by the Directive, including a new rule-based classification system for products, superseding the current list-based approach. This makes the Regulation more practical by allowing it to remain relevant to an innovative and growing industry. However, it also will require a far larger number of IVD manufacturers to seek notified body certification for their products because classification rules will now be applied to all in vitro diagnostics, as opposed to those restricted to exclusive lists. Under the IVD Directive, 90 percent of the industry could self-certify, but with the Regulation, up to 90 percent of the industry will require Notified Body certification. The IVDR places a much greater focus on clinical evaluation, and increased control over the wider supply chain.
The Medical Device Single Audit Program
The International Medical Device Regulators Forum has created a harmonized approach to auditing and monitoring medical device manufacturing. This new approach is designed to improve the safety and oversight of medical device manufacturing on an international scale. As a result, the Medical Device Single Audit Program (MDSAP), was established. The MDSAP has a sequential approach. The audit sequence contains four primary processes (Management; Measurement, Analysis, and Improvement; Design and Development; and Production and Service Controls), an enabling process (Purchasing), and two supporting processes (Device Marketing Authorization and Facility Registration, and Medical Device Adverse Events and Advisory Notice Reporting). The primary processes are built on a foundation of risk management requirements. Each MDSAP process area includes audit objectives and a series of tasks that auditors use to determine ISO 13485 compliance (the current 13485:2003 standard expires on March 1, 2019, at which time the 2016 revision becomes effective) and the applicable regulatory requirements of the countries participating in the program—Australia, Brazil, Canada, Japan, and the United States. Official MDSAP observers are the World Health Organization, the Medicines and Healthcare Products Regulatory Agency, and the Health Products Regulatory Authority; these agencies’ participation give a hint of the MDSAP’s potential growth.
The MDSAP’s initial pilot phase began in January 2014. The pilot phase is over, and the program’s implementation is now occurring. Health Canada, for instance, is requiring medtech manufacturers to transition to the MDSAP in order to maintain compliance with the quality management system (QMS) requirements of the Canadian Medical Devices Regulations. As of Jan. 1, 2019, only MDSAP certificates will be accepted in Canada. Also, the U.S. Food and Drug Administration (FDA) has confirmed that it will accept the MDSAP audit report as a substitute for routine agency inspections. Reviews conducted “For Cause” or “Compliance Follow-up” by FDA will not be affected by this program; the MDSAP will not apply to any necessary pre-approval or post-approval inspections for FDA premarket approval applications. (Editor’s Note: For more details on the MDSAP and ISO 13485:2016 certification deadlines, read MPO’s Year in Review feature on page 42).
ISO 13485:2016
Medtech companies that have not yet been certified to the new ISO 13485:2016 standard may not receive their accreditation by the March 1, 2019, deadline because demand is exceeding supply. Simply stated: There are not enough registrars to provide certification services. I expect to be contacted momentarily by companies that are in serious jeopardy of missing the certification deadline, and quite frankly, I’m not sure how I’ll advise them. I have never witnessed a situation like this before, though procrastination is partly at fault here (companies have had three years to get certified to the updated standard). Nevertheless, the dilemma sometimes keeps me up at night. Companies that hope to achieve ISO 13485:2016 certification by the deadline must act immediately and make arrangements (if possible) with a registrar. Finding a registrar with the bandwidth to certify an application by the deadline will be challenging, however.
Since I don’t want to end this section on a sour note, I’d like to highlight some of the good things about ISO 13485:2016. This list is not intended to be comprehensive, but it does focus on some of the most significant changes in the revised standard. Those changes include:
Risk
The ISO 13485:2016 standard expects companies to apply a “risk based approach” to its QMS processes. ISO 13485:2003 expected firms to think about risk, but only during product realization (in section 7). But now, organizations are expected to apply risk management methods and techniques to all QMS processes, including outsourced practices. For example, for purchased products, ISO 13485:2016 requires companies to consider the risk associated with a purchased product, formulate an action plan for unanticipated product changes, and determine whether the changes affect the medical device or the product realization process.
Medical Device File
While both ISO 13485:2003 and ISO 13485:2016 expect companies to establish a special file for each type of medical device, the 2016 revision clarifies exactly what this means. Organizations are now expected to include a description of each medical device or family of devices and to include all associated specifications, procedures, and records.
Training
While the 13485:2003 standard focused on the need to identify product requirements specified by customers and regulatory bodies, ISO 13485:2016 requires companies to also think about product safety and performance; it also commands manufacturers to consider the associated training needs of product users and to verify that regulatory requirements will be met and user training will be available before products are supplied to customers.
Servicing
The servicing section in ISO 13485:2016 has also changed. Besides documenting its servicing procedures and reference materials, companies also are now expected to analyze servicing records in order to identify servicing complaints and improvement opportunities.
There is so much more to these regulations that I have left out (it’s impossible to comprehensively summarize all the changes in 1,600 words). My intent was not to cover all of the upcoming changes, but rather to highlight those I believe are the most important. I attended the 2018 MPO Summit, where the near-term regulatory changes were described as a perfect storm. This is a very good and accurate description of what the medtech industry is currently facing. I hope companies are fully prepared for these changes, but if not, perhaps this column can help them initiate the necessary actions to get ready as quickly as possible. The train is racing down the track. We can stop it; we all just have to get on board.
James A. “Jim” Dunning’s consulting career began in 2001. He has provided quality and regulatory consulting services for various companies ranging from Fortune 500 medical device firms to startups. Dunning’s passion, however, lies with startups and small companies, especially those in regulatory distress. He has amassed significant experience in preparing 510(k) applications, developing complete Quality Management Systems, providing Quality System Training, and advising on quality, business, and leadership issues. Dunning is a senior member of the American Society for Quality (ASQ) and a member of the Regulatory Affairs Professional Society (RAPS). He can be reached at jdunning@qpcservices.com.