Industry professionals who spoke with Medical Product Outsourcing about the broad topics of regulatory requirements and validation emphatically stressed the importance of complete, well-written documentation of the procedures and processes they have in place to assure compliance with the requirements of not only regulatory agencies such as the U.S. Food and Drug Administration (FDA), but also of their OEM customers.
“The general rule of thumb is, if it wasn’t documented it never happened. The focus has always been on records, but even more so now,” according to Josh Monesmith, quality manager for Micropulse Inc., a Columbia City, Ind.-based contract manufacturer focused almost exclusively on orthopedics.
Caitríona Conneely, quality assurance and regulatory affairs manager at Proxy Biomedical Limited in Galway, Ireland, said her company’s systems and procedures are centered on a design control process that is “applied to all product design/development and manufacturing process development in compliance with 21 CFR Part 820 and ISO 13485.” She said the design and development process, which is dictated by established quality system procedures, “is key to our ODM (original design manufacturer) and OEM service.”
Joel Gorski, Ph.D., director of R&D and validation services in the Northwood, Ohio, offices of NAMSA, a global medical research organization, said it works best to include the various subject-matter experts from the outset of a project because “you’re defining the project and developing the outline for what it is that you hope to accomplish in terms of developing your specific medical product, including the various departments and disciplines—regulatory, quality, manufacturing, etc. A well-laid-out plan from the beginning serves one well throughout the development process.”
Applying Systems & Procedures
Asked about systems and procedures used to help document the design and/or manufacturing history, Gorski said, “The first thoughts that come to mind, of course, are the requirements to follow Quality System Regulations (QSRs), as defined in the code of federal regulations. That’ll be a requirement for U.S. manufacturers, and also for companies elsewhere around the world that want to submit to the FDA for clearance to bring products to the U.S. marketplace.
In combination with following the QSRs, it’s very common for companies also to be ISO 13485-compliant for the design and manufacture of medical products, as this is a requirement for some other regulators around the world, such as Europe.
He added that design controls provide the umbrella for the various steps that a medical device manufacturer should consider when developing a product, including the documentation in and the maintenance of a design history file.
“So at the end of a development process you have this design history file that provides the paper trail of the complete development effort,” Gorski said. “It’s best to start with as good an outline as you can at the outset of your development effort, envisioning all the needs you’ll have to bring your device to market, and of course, the devil is in the details—the more sophisticated your device, the more detail you’re going to have from the outset.”
Monesmith said Micropulse uses an enterprise resource planning system that allows the company to create job-specific routing, creating a plan for each part.
“We gather cross-functional teams so they can collaboratively agree on the most efficient, effective and appropriate methods to manufacture the product, focused on meeting the customer’s requirements,” he said.
Monesmith described a process the company calls “job travelers,” which accompany each order throughout the entire product realization process and ultimately become part of the device history record. “That way, we have evidence that we followed the approved path and can show that to regulators as they ask about device master records in that regard,” he said.
Conneely said Proxy’s design control process is modeled on the Stage-Gate System, a conceptual and operational roadmap for moving a new product project from idea to launch.
“It follows six stages that are conceptually sequential, but are, in real life, highly iterative and sometimes concurrent,” she explained. “With quality system procedures pointing the way, all inputs and outputs are documented and approved through the quality system change control process and a record of all activity at each stage is recorded and collected in a design history file.”
Mike Gosmeyer, chief compliance officer at Pierceton, Ind.-based Paragon Medical Inc., noted that because Paragon primarily is a contract manufacturer, “from a design standpoint, design controls and the requirements around design controls typically reside with our clients. While we do have procedures that apply when needed, that is an area typically held by our customers. Our procedures focus on the manufacturing side. We develop our own procedures and processes, and those are documented to control the manufacturing processes.”
Cranking Up Requirements
Asked what the FDA and other regulatory agencies are looking for and how that has changed in recent years, Micropulse’s Monesmith said, “The focus has always been on records, but even more so now. Records are going to be your defense as regulators determine whether you’re compliant or not compliant with the regulations. I will say that over the past several years I’ve noticed an increase in the scrutiny on CAPA (corrective and preventive action) processes, complaint handling, and also
validation processes and procedures.”
Monesmith said that one of the proof points that the agency has really stepped up its emphasis on documentation efforts overall is that in 2012, “lack of/inadequate CAPA procedures were the most common citation by the FDA for medical devices.”
Conneely said two key areas where Proxy Biomedical has observed changes in recent years are risk management and, more recently, clinical research.
“Risk management has developed into a central activity in the development of medical devices. FDA and other regulatory agencies now expect risk management to be applied at all stages of the product life cycle, from development, manufacturing and through to post-market surveillance,” she said. “Risk management was once considered a marginal activity, mostly done toward the start of product development. We see regulatory authorities moving away from a reliance on compliance with risk management standards such as ISO 14971 alone and toward product acceptance criteria that are based on the level of risk that the device poses to the patient/end-user.”
According to Gorski, “There’s an expectation to have thorough documentation covering the important aspects of your device. If you have a surface-contact device, the documentation does not have to be as thorough as when you have an implantable device that’s going to be in the patient the rest of his or her lifetime. Everything follows from the level of sophistication of your device.” He noted sophisticated devices will receive “a lot more” scrutiny and have more biocompatibility testing necessary than the less-sophisticated devices.
“That level of sophistication is reflected in the documentation that you’ll have,” he said. “ISO 13485, for example, provides guidance on a comprehensive management system for the design and manufacture of medical devices.”
Gorski noted that there needs to be appropriate review and approval steps at various points along the development path.
“You’ll want to have that identified and in place before you start,” he said. “If you’re a startup and you don’t have it, what do you do? Well, then you’ll want to consider hiring an expert to help you get that in place so you have a framework to follow as you develop your new device.”
Conneely said Proxy Biomedical has seen more focus on clinical data requirements in recent years for Class II devices from FDA and other regulatory agencies such as Health Canada and with Notified Bodies in Europe.
“With a global increase of adverse events for different types and classes of devices and heightened public and media awareness regarding device recalls, it seems that demonstrating substantial equivalence and clinical literature reviews may no longer be sufficient to gain approval for what were traditionally low- to medium-class devices,” she said, adding that a “very big” change in the European Union and elsewhere in recent years has been in the attention paid to materials safety.
“We’re also seeing the same requirements from Canada, and California also has some requirements that are unique to that state,” she explained. “There’s a big focus in Europe on having material hazards assessments completed on all elements of the product, including packaging and secondary packaging as well as the device itself. We’re almost having to demonstrate the same level of environmental safety for the packaging as we do the product. So as well as patient hazards, environmental hazards have to be considered now. It’s very much a big change in that regard.”
“There is something specific that is changing in the way FDA is enforcing things now, and it does go along the lines of supplier controls,” said Gosmeyer. “The agency has released new changes in the law, regulating what contract manufacturers and contract sterilizers have to do. In the past, if you were strictly a contract manufacturer, you were not required to register your facility with the FDA, but that has changed now, so contract manufacturers now must register yearly with the FDA, and they also must list all the products they produce for their OEMs. That’s a big change for the industry.”
He noted that from the regulatory standpoint it seems as if the industry is moving toward a reality where there isn’t much distinction between a contract manufacturer and an OEM.
“That registration piece is one example of that, where regulatory requirements are not unique to an OEM,” he said. “The obligation and cost that goes with managing your contract manufacturing organization is just as strict as it is with an OEM. We’re increasing our regulatory requirements while still being expected to provide cost savings and leaning out our processes. That can be a difficult equation for us.”
Focus on Management, Validation Systems
Contract manufacturers are getting a constant earful from their customers when it comes to risk management and validation matters, experts noted.
“They’re definitely looking to see more formally documented risk management records, and they want to see clearly established action and mitigation limits,” said Monesmith. “Some of the more common requirements include PFMEA (Process Failure Mode Effects Analysis), control plans, MSA (measurement systems analysis) studies and capability studies. Those are becoming more frequently required and requested. In addition, there are validation requirements which are becoming much more extensive as related to what the industry would call special processes and also software and manufacturing equipment. The validation requirements extend to our subcontractors as well. It doesn’t just stop with us.”
Conneely noted that expectations from her company’s customers have “ramped up.”
“Customers no longer want to know if you have a risk management system. They want to know how effective your risk management is,” she said. “They want to see risk management driving both an effective and efficient verification/validation process—be it design and/or process qualification. Customers want to see risk management and validation inherently linked so that ‘risk’ determines validation requirements, levels of testing and sample plans.”
From the contract manufacturer perspective, Gorski said, there is a trend toward using more risk assessment today than in the past.
“I think the regulatory agencies are more open to this approach,” he said. “For example, the U.S. FDA doesn’t require chemical material characterization; however, other regulators around the world expect that (ISO 10993-18), as that’s where you analyze your device and its components to determine what their composition is and then, based on the composition, you can perform risk assessments. You can assess the risk of those components becoming bioavailable such as in an implant placed into the patient for the rest of his or her life. What’s the risk to the patient? Toxicological risk assessment is being used more widely these days—call it ‘paper toxicology.’ You might be able to avoid doing some animal studies if appropriate risk assessments have been performed. The risk assessments are submitted with the rest of your documentation to the regulatory agency to support your position.”
There’s also the ISO 14971 application of risk management standard, which is best considered early on in the process, according to Gorski. “This risk analysis should be dependent upon what your device is, where it is used, how long it’s used, etc.,” he said. “Some risk analysis can be done fairly easily and quickly, and some risk analysis on, say, devices that are controlled with software, can be very complicated.”
He added that they “are very dependent upon which regulator you get reviewing your submission as to the level of scrutiny they’re giving your analysis and assessments, and the level of detail that they expect to see in support of the safety and efficacy of a given device that you want to bring to market.
You like to think that there is sound, scientific logic being applied in submissions, but sometimes it’s the luck of the draw, because not every person—be it a regulator or a person within a device company—is going to approach an issue the same way, and whether they have the necessary subject-matter expertise is a critical issue to ensure that the safety and efficacy of a given device has been addressed satisfactorily.”
Gosmeyer said that as a contract manufacturer, the company has less exposure to the FDA, but that doesn’t mean it is free from exposure completely.
“Based on what our clients are asking, the FDA has a lot more focus on validation activities from what I’m seeing in what our clients are looking for from us as a supplier to them,” Gosmeyer said. “The FDA is making it very clear to the OEMs that they’re responsible for their supply chain. That’s always been the case, but how they enforce things now is probably much tighter around the supply chain than previously. It may have been that the OEMs once thought there was a little buffer for them if there was an issue in the supply chain, but that no longer is the case. The FDA now fully expects that anything related to the supply chain is the full responsibility of the OEM.”
Procedures Support Processes
MPO asked Monesmith about the procedures that support Micropulse’s risk management and validation processes and whether there are tricks of the trade that make validation adherence work more smoothly across the board.
“It’s a given that you have to have approved procedures and processes for both of those activities, validation and risk management,” he said. “But a clear advantage is to have orderly documentation. Having good, clear, concise, orderly, well-written documentation makes the whole process of determining compliance much easier on regulators and customers’ audits—and on internal audits as well. A well-written, systematic protocol provides an easy-to-follow roadmap of the required validation phases. And you have to have well-written instructions to maintain validated states as well.”
The risk management part is dynamic, Monesmith said.
“It’s required that your risk management processes and documentation are updated as you move through the product realization process,” he said. “That’s a big one right now. You don’t just set that up at the beginning and forget about it. Risk management needs to be updated as risks occur, and then we also look at it on the backside, after the job is done. When we’re doing our post-production analysis, we’re looking for what kind of risks that were not identified up-front actually came to fruition, as well as, which ones did we mitigate? So that’s a big part of the risk management process as well.”
Conneely said Proxy Biomedical has an established set of procedures for risk management (product and process), plus a comprehensive suite of design qualification and process validation procedures.
“As an OEM, we work closely with our customers to develop risk documents—such as FMEAs—for each component or device and process. Their input into the risk analysis is key, as often it is the design owner that can dictate the clinical end effect of a failure mode. Validation protocols are developed based on the risk outcome and in accordance with the governing procedures.”
She noted that for some projects, “customers have requested that we apply their risk management process and develop protocols/reports to their procedures; and this we can accommodate once we complete the necessary training to their procedures.”
“There always are novel new technologies coming out, so something that has been tried and testing in the past might be a basis for consideration, but sometimes what has been used in the past does not work with something new, so then you have to be creative,” Gorski said. “I guess one could argue in either direction—tried and tested can be useful, or tried and tested might not be appropriate, based on new features and benefits of a different device. But certainly you need a basis to start from and you need to determine if what you’ve done in the past is going to be useful with the current and future projects you’re going to be working on.”
Gosmeyer said that both risk management and validation are growing in importance. “We’re hearing that quite a bit from our customers,” he said. “When we get audited by our customers and just through our normal interactions with them, validation is a common area that we’re hearing about from all our customers right now. They want to look at our processes and make sure that the processes that we use mirror what the customers’ validation processes are, so that’s an area we hear about quite a bit.” He said his company has “very clear” documented procedures outlining the validation process and procedures used.
Gosmeyer said one of the things Paragon does that is not required but helps the company to manage the process is to create validation steering committees at each manufacturing site, to help review policy and make sure procedures and policies are meeting all the requirements, not only of the regulatory bodies but also of customers. “We have a wide variety of customers, and each has its own take on validation, so you have to balance your procedures among all your customers to make sure you’re compliant not only with the requirements but also with each customer’s unique applications of those requirements,” he said. “The steering committees help us do that, as well as help
set priorities.”
Conneely said she doesn’t think of her company’s processes and procedures in terms of “tricks of the trade.” She said it’s more a matter of “smarter and leaner thinking.”
Jim Stommen, retired editor of industry publication Medical Device Daily, is a freelance writer focusing on the medical product sector.