Webinars

Regulatory Ask Us Anything: Medical Device submission strategy in China for imported devices

October 25, 2022

Regulatory Briefs

An overview of 21 CFR Part 820 - quality systems for medical device manufacturers

September 23, 2022

4 min read

What is 21 CFR Part 820?

21 CFR 820 is the FDA federal regulation that pertains to quality systems for medical device manufacturers, and it is part of the agency’s set of Current Good Manufacturing Practices (CGMP) for industry. Also referred to as the FDA’s quality system regulation (QSR), the regulation defines design controls and quality processes at all stages of device development in order to ensure that all medical devices marketed in the United States are safe and effective.

21 CFR 820 consists of 15 subparts, which define quality system requirements for each stage and function within the medical device manufacturing process. We define each subpart below.

Federal regulations are organized as Title → Chapter → Subchapter → Part, which means that 21 CFR 820 is short-hand for:

21 CFR Part 820

21 CFR 820 vs ISO 13485

ISO 13485 is the de facto international quality system standard for medical device manufacturers, but this is not currently the standard in the United States. While Part 820 and ISO 13485 are structured differently, they have no conflicting requirements. Therefore, companies that are marketing medical devices in the U.S. and in other markets will need to comply with both ISO 13485 and the FDA’s QSR, as defined in 21 CFR 820. 

However, the FDA is moving towards harmonizing these standards, and on February 23, 2022 issued a proposed rule to amend the QSR to align more closely with the international consensus standard for Quality Management Systems, primarily by incorporating reference to the ISO 13485 standard. The FDA has published FAQs about the proposed rule.

21 CFR Part 820 Requirements

Part 820: General Controls (subpart A)

The General Controls subpart contains three sections providing general information about the regulation, including the scope and applicability along with key definitions.

Scope

The regulation defines current good manufacturing practice (CGMP) requirements governing the methods, facilities, and controls used for the “design, manufacture, packaging, labeling, storage, installation, and servicing of all finished devices intended for human use." Specifically, this subpart defines:

  • Applicability:

The requirements of this regulation are intended to ensure the safety and efficacy of all finished medical devices intended for human use that are manufactured in or imported into the United States. Manufacturers that are involved in some, but not all, manufacturing operations should comply with those requirements that are applicable to the functions they are performing. 

Exceptions:

  • This regulation does not apply to manufacturers of medical device components, but such manufacturers are encouraged to use this regulation as guidance.
  • Class I medical devices are exempt from the Design Controls defined in this regulation, except for those listed in § 820.30(a)(2).
  • Manufacturers of blood and blood components are not subject to this regulation but are subject to Biologics good manufacturing practices as defined in Subchapter F, Part 606 of the regulation.

Definitions

This section of the regulation contains definitions for a number of terms used throughout the document. The following are the major definitions related to quality records:

  • Design history file (DHF): A compilation of records that describes the design history of a finished device.
  • Design input: The physical and performance requirements of a device that are used as a basis for device design.
  • Design output: The results of a design effort at each design phase and at the end of the total design effort. The finished design output is the basis for the device master record. The total finished design output consists of the device, its packaging and labeling, and the device master record.
  • Device history record (DHR): A compilation of records containing the production history of a finished device.
  • Device master record (DMR): A compilation of records containing the procedures and specifications for a finished device.

Quality System

This section of the regulation sets the basic requirement for a quality system by stating that “Each manufacturer shall establish and maintain a quality system that is appropriate for the specific medical device(s) designed or manufactured, and that meets the requirements of this part.”

The term “appropriate” is used throughout this regulation and can be open to interpretation. A manufacturer, however, should assume that all requirements are appropriate and applicable except in cases where non-implementation of the requirement can be shown to have no effect on the product's specified requirements or ability to carry out necessary corrective actions.

Quality system requirements (subpart B)

This section of the regulation defines the overall responsibilities and the resources required for the management of the quality system.

Management responsibilities

Executive management is responsible for establishing a quality policy and ensuring adequate resources to effectively maintain and manage the quality system. In addition, management is responsible for establishing a specific quality plan, consisting of relevant practices, resources, activities, and procedures.

Quality audit

Periodic audits of the quality system are required to be conducted by personnel not directly responsible for the activities being audited. The dates and results of each audit need to be documented. It is expected that corrective actions and, when necessary, reaudits be performed for any identified noncompliances.

Personnel

Manufacturers are responsible for assigning sufficient personnel with appropriate experience and training to perform all tasks required by the quality system plan.

Design controls (subpart C)

Manufacturers of all class II and class III medical devices, along with the specific class I devices listed in paragraph (a)(2) of this regulation, are required to establish design control procedures that ensure design requirements are met as specified. 

Design controls shall define:

  • Design and development planning - Plans that describe the design and development activities, and responsibilities for these activities and their implementation.
  • Design input - Procedures that ensure design requirements are appropriate and address the intended use of the device.
  • Design output - Procedures that document design output, including acceptance criteria, so that conformance to design input requirements can be adequately evaluated.
  • Design review - Formal and documented reviews of the design results that include participation from representatives of all.
  • Design verification - Procedures for verifying the device design that confirm that the design output meets the design input requirements.
  • Design validation - Procedures for validating the device design, ensuring that devices conform to defined user needs and intended uses, and including testing of production units under actual or simulated conditions.
  • Design transfer - Procedures to ensure that the device design is correctly translated into production specification.
  • Design changes - Procedures for identifying, documenting, validating, and managing the verification and approval process of all design changes before they are implemented.
  • Design history file - A design history file (DHF) is required for each type of device and should include or reference the records necessary to demonstrate that the design was developed in accordance with the approved design plan and device requirements.

Document controls (subpart D)

Medical device manufacturers are required to put in place document controls for all documents required in this regulation.

Document approval and distribution

One or more people must be assigned to review and approve documents prior to issuance. The approval must be documented, include a date and the signature of the approver, and be made available at all locations where applicable. Procedures must also be in place to ensure that obsolete documents are removed and/or prevented from being used.

Document changes

Similar to document approval procedures, changes to documents must be approved, reviewed, and documented. Records of all changes must be maintained.

Purchasing controls (subpart E)

To continue reading this Regulatory Brief, including a definition of the remaining subparts and a comparison of 21 CFR 820 to ISO 13485, please download the full brief.

Webinars

Actionable regulatory insights and process optimization for MDR/IVDR compliance

September 13, 2022

Webinars

Why a regulatory information strategy is critical for successful MDR/IVDR transitions

August 30, 2022

eBooks

CE marking guide for medical devices in the EU

July 28, 2022

4 min read

This article is an excerpt from the CE marking guide for medical devices in the European Union.

What is CE marking?

CE marking is a symbol that consists of “CE,” which is the abbreviation of the French phrase "Conformité Européenne", meaning "European Conformity". The term initially used to describe “CE” was "EC Mark", but it has officially been replaced by "CE marking" according to the EU Directive 93/68/EEC. CE marking is used in all EU official documents, although you will still see "EC Mark" being used in common language. If you are using EC Mark in your documentation, you should change that terminology to CE marking in the future.

The letters ‘CE’ appear on many products traded on the Single Market in all the member states of the European Union plus Iceland, Liechtenstein, Norway and Switzerland. Simply put, the CE mark is a mandatory compliance mark, informing the consumer that the product is compliant with all applicable EU directives and regulations where the CE mark is required.

The Single Market was established in 1993 and is still considered one of the most significant achievements of the European Union. The main goal was to ensure the movement of goods and services freely within all the member states and to establish high safety standards for consumers. The CE mark indicates that goods and services do not need to be verified when shipping into another member country. To further support this movement, in April 2011, the Single Market Act was established to boost growth and strengthen confidence in the economy even further.

Why is CE marking important?

CE marking is required for many types of products, not just medical devices. The CE symbol can be found on bicycle helmets, toys, laptop batteries, wheelchairs, construction equipment, gas appliances and cell phone chargers - to name a few. CE marking is required for products manufactured anywhere that are sold in the EU, and only for those products for which EU specifications exist and require CE marking. The CE marking signifies that the product has been found to meet the general safety and performance requirements (GSPRs) of the European health, safety and environmental protection legislation and allows the product to be sold in the EU. 

CE marking responsibilities

Manufacturer responsibilities for CE marking

Medical device manufacturers are responsible for properly and legally CE marking products before they leave the warehouse.

Most Class II and III medical devices, along with IVDs and some Class I devices, require a conformity assessment performed by a Notified Body to ensure that all legislative requirements are met before they can be placed on the market. Manufacturers of most Class I devices can self-assess conformity. This process needs to demonstrate that all the legislative requirements are met, including any testing and inspections, and that all necessary certifications are obtained.

The European Commission lists 6 steps that manufacturers should follow to affix a CE marking to their devices:

  1. Identify the applicable directive(s) and harmonized standards - see EU standards for Medical Devices, In Vitro Diagnostic (IVD) devices, and Implantable Medical Devices.
  2. Verify product specific requirements using the essential principles identified in the above standards.
  3. Identify whether an independent conformity assessment by a Notified Body is necessary. Notified bodies will be required to verify compliance with relevant Essential Requirements for most medical devices classified as IIa, IIb, or III - along with sterile class I devices. See the Notified and Designated Organization (NANDO) database for available notified bodies.
  4. Test the product and check its conformity.
  5. Create and keep available the required technical documentation.
  6. Affix the CE marking and create the EU Declaration of Conformity.

Importer responsibilities for CE marking

If you are importing medical devices into the EU, it is your responsibility to review all the technical documentation and maintain a copy, or to make sure that it’s available to you upon request. 

You should verify:

  • That the device has been CE marked and that the EU declaration of conformity has been completed.
  • That the manufacturer has designated and established an authorized representative.
  • That the device is labeled appropriately and contains instructions for use (IFU).
  • When applicable, that a UDI has been assigned to the product.
  • Whether or not the product is registered in EUDAMED (registration is currently voluntary).

Take action:

  • List your name and address on the device or packaging, in addition to the manufacturer’s information.
  • Keep records of complaints, non-conformities, recalls, etc. on file.
  • Report any noticed non-conformity or product complaints from end users to the manufacturer and authorized representative immediately.
  • Maintain a copy of the EU declaration of conformity and any other relevant certificates.

Distributor responsibilities for CE marking

If you are a distributor, you are responsible for reviewing the technical documentation provided to you so that you can verify the product is safe to put on the local market. You must also be sure the product is labeled correctly with the CE marking symbol clearly visible. The technical file documentation contains all of the information that is necessary to show conformity of the product to the applicable requirements.

You should verify:

  • That the device has been CE marked and that the EU declaration of conformity has been completed.
  • That the device includes all the appropriate labeling, including instructions for use.
  • That if imported, the importer has complied with all the EU regulations.
  • When applicable, that a UDI has been assigned to the product.

Take action:

  • Report any noticed non-conformity to the manufacturer, importer, and authorized representative immediately.
  • If a product appears to be out of compliance with the regulations and could pose a serious risk, the information should be reported to the Competent Authority, and to the manufacturer, importer and authorized representative.
  • Any complaints or reports from end users about the product should be reported to the manufacturer and, if necessary, to the importer and authorized representative.

Important note: If the importer or distributor markets the product under their own company name, then they become responsible for CE marking, and take over that role from the manufacturer.

What countries require or accept CE marking?

CE marking is mandatory when importing products into the European Union, which is part of the larger European Economic Area (EEA). The EEA Agreement, established in 1992 and made official in 1994, is an international agreement that enables the extension of the European Union’s single market to non-EU members. It consists of the 27 EU countries plus the four European Free Trade Association (EFTA) countries - Iceland, Liechtenstein, Norway and Switzerland. Today, the EFTA has 29 Free Trade Agreements (FTAs) with 40 countries and territories outside the EU. Because these countries operate in the single market, this allows free movement of goods and services across all of the EEA. 

Source: European Environment Agency (EEA).

Which medical devices require a CE mark?

All medical devices sold in the EU require a CE mark. While a CE mark is not required for items such as chemicals and pharmaceuticals, it can be required for combination devices and medical device software. For these two situations, how do you know if your product requires a CE mark?

To continue reading this ebook, including an overview of CE mark costs and the associated technical documentation/general safety and performance requirements (GSPRs) that manufacturers are required to maintain, please register to download the full version.

Webinars

Regulatory AMA - What do you want to know about UDI?

July 20, 2022

Blogs

FDA consensus standards

By

Wendy Levine

March 14, 2023

4 min read

FDA Standards and Conformity Assessment Program

The FDA Standards and Conformity Assessment Program (S-CAP) seeks to drive the “development, recognition, and appropriate use of voluntary consensus standards for medical devices, radiation-emitting products, and emerging technologies.” Conformity to relevant standards is voluntary, unless a standard is “incorporated by reference” directly into a regulation. However, demonstration of conformity with FDA-recognized standards in a premarket submission is encouraged by the agency and will streamline the review process.

According to the FDA, S-CAP is designed to:

  • Produce and implement clear policies to promote the appropriate use of standards in regulatory processes.
  • Anticipate the need for and lead the development of national and international consensus standards.
  • Advance initiatives to enhance confidence in conformity assessment activities.
  • Foster innovation and standardization in technologies that facilitate patient access to novel devices.
  • Provide leadership in standards quality and utilization through outreach and global harmonization.

What is a voluntary consensus standard?

The FDA recognizes standards that medical device manufacturers may use to demonstrate that they have met a relevant requirement of the FD&C Act. The FDA may recognize all or part of a standard established by an international Standards Development Organization (SDO). Not all standards recognized internationally are recognized by the FDA.

The most common SDO is the International Organization for Standardization (ISO), and some of the most recognized ISO standards for medical devices include:

  • ISO 14971 – Application of risk management to medical devices
  • ISO 10993 – Biological evaluation of medical devices
  • ISO 11137 – Sterilization of healthcare products

Note that ISO 13485 is not recognized by the FDA for use in standard market submissions, but it is recognized as a quality standard under the MDSAP program.

Some of the other recognized SDOs include:

  • ANSI – American National Standards Institute
  • ASQ – American Society for Quality
  • IEC – International Electrotechnical Commission

In some cases, FDA consensus standards have an identical U.S. adoption, such as IEC 60601-2-47 and ANSI/AAMI/IEC 60601-2-47. For a full list of recognized standards, see the FDA’s Recognized Consensus Standards database (the “Standards Organization” field lists all SDOs).

Using consensus standards in premarket submissions

Demonstrating conformity with FDA-recognized standards can facilitate the premarket review process for:

  • 510(k) submissions
  • De Novo requests
  • Investigational Device Exemption (IDE) applications
  • Premarket Approval (PMA) applications
  • Product Development Protocols (PDP)
  • Humanitarian Device Exemption (HDE) applications
  • Investigational New Drug (IND) applications
  • Biologics License Application (BLA) for devices that are regulated by CBER as biological products

It is important to recognize that conformance to a recognized standard often satisfies only a portion of the requirements of a premarket submission. When using an FDA-recognized consensus standard, a manufacturer should submit a Declaration of Conformity (DOC) to the standard and list it in the CDRH Premarket Review Submission Cover Sheet (form FDA 3514). Elements of a Declaration of Conformity include:

  1. Name and address of the applicant/sponsor responsible for the DOC.
  2. Product/device identification, including product codes, device marketing name, model number, and any other unique product identification data specific to the DOC in question.
  3. Statement of conformity.
  4. A list of standards for which the DOC applies including, for each standard, the options selected, if any.
  5. The FDA recognition number for each standard.
  6. The date and place of issuance of the DOC.
  7. Signature, printed name, and function of the sponsor responsible for the DOC.
  8. Any limitation on the validity of the DOC (ex: how long the declaration is valid, what was tested, or concessions made about the testing outcomes).

Supplemental documentation requirements in support of a DOC

Supplemental documentation in support of a DOC is often required. Adherence to a standard may not be sufficient for the FDA to make a regulatory decision. The example used in the FDA’s guidance document, Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices, is that of ISO 14971. ISO 14971, Application of risk management to medical devices, does not list all of the detailed acceptance criteria for necessary performance tests. According to this guidance, the following general principles should be followed when determining the need for supplemental documentation:

  • When the consensus standard includes both a test method or test procedure and a single set of predefined acceptance criteria, FDA should generally not request data relating to the specific consensus standard in the DOC.
  • When the consensus standard describes a test method or procedure, but does not include acceptance criteria, the submitter should provide an assessment of the results and how conformity was determined.
  • When the consensus standard includes choices related to, for example, what is to be tested, which test methods to use, or acceptance criteria to assess conformity, the submitter should include an explanation for the choices and selections made.

Managing standards updates

When a consensus standard is replaced by a newly recognized standard, the older version is withdrawn following a transition period. That transition period is provided to allow submitters time to prepare to use a new version of the standard. During the transition period, the submitter may continue to use the old version of the standard, though a justification for use of the older version should be provided in instances where adherence with a new version would require significant questions to be addressed.

Transition periods will vary based on the scope of the change to the standard and can be found in the standard’s supplemental information sheet (SIS). When a standard changes during an active review of a premarket submission, the FDA will continue to review the submission based on the previous version of the standard.  

Learn more about how Rimsys can help your regulatory team manage standards.

MedTech
Blogs

RIM for medtech vs. RIM for pharma

By

Wendy Levine

March 10, 2023

4 min read

Regulatory affairs professionals at large medical device companies must manage heavy submission workloads, registrations for products currently on the market, and ever-changing regulatory requirements. Regulatory information management (RIM) systems have been available for some time, but only in the pharmaceutical industry. This means that many regulatory professionals in the medical device industry continue to rely on paper documents, spreadsheets, and other outdated tools and methods to manage their work.  

Medtech RA teams who implement RIM systems built for the pharma industry do not have the functionality they need to manage the complex workflows associated with medical device submissions and registration maintenance. In fact, at Rimsys we have worked with a number of medical device manufacturers who moved away from their RIM pharma system without successfully implementing it.

What is RIM for the pharmaceutical industry?

RIM systems designed for the pharmaceutical industry (Pharma RIM) provide a centralized system for managing the drug approval process. Pharma RIM systems differ in their scope, but often handle processes from pre-registration through post-registration, including the creation and management of dossiers for Investigational New Drug (IND) and Clinical Trial Application (CTA) submissions.

Pharma RIM systems also provide content/document management capabilities, often tied to Master Data Management (MDM) functionality which provides for the storage, retrieval, and integration of the large amounts of data tracked by pharmaceutical companies. In addition, Pharma RIM systems can assist with electronic submissions of regulatory dossiers.

Why Pharma RIM doesn’t work for medical device manufacturers

On the surface, regulatory solutions for the pharmaceutical and medical device industries appear similar. Both industries are highly regulated, require controlled workflow and document management, and have complex market entrance requirements.

However, the regulatory requirements governing the development and marketing of a drug are very different from those governing a medical device in the following areas:

Harmonization of regulatory requirements

Global harmonization of pharmaceutical guidelines, through the International Conference for Harmonisation (ICH), is much more complete than in the medical device industry. Regulatory professionals working in the medical device industry must manage market-specific device classification rules, submission regulations, reporting requirements, and more.  

The harmonized requirements in the pharmaceutical industry mean that, while submissions need to be made to each market, they are largely the same.

Change management requirements

Medical devices typically have multiple versions, iterations, and packaging options that inherently make market submissions and registrations more difficult to manage than in the case of pharmaceuticals. In addition, a medical device may undergo changes as the result of a supplier change, software update, or a corrective action made to the manufacturing process or product (among other possible changes). In most markets, any change that has the potential to affect the safety or efficacy of a device must be reported. However, the reporting requirements, including timing and submission formats, vary with each market. RA professionals must understand and track every requirement in every market.

Updates to pharmaceutical products, such as labeling changes, are less common and the notification process is more streamlined because of globally harmonized processes.

Regulatory pathways and options

For many medical devices, the regulatory pathway is not always clear – leaving RA teams to determine the path most likely to succeed and, in some cases, most advantageous to obtaining clearance in additional markets. For example, a new device in the United States might achieve faster approval through the 510(k) process, but the manufacturer must reference a predicate device already on the market. Whether the FDA accepts the identified device as a predicate and whether a PMA process would provide the company a greater competitive advantage are strategic questions for the RA team to answer.

Devices are classified based on different criteria in different countries, making it necessary to analyze the device classification separately for each market as well. If the device is software or a combination device, the approval process may differ from the typical device approval pathway in some countries, but not others. In some cases, multiple options are available, such as participation in the MDSAP program.

Product complexity

From a regulatory data standpoint, medical devices are significantly more complex than drug products. In a pharma RIM system, a new drug is set up in the same manner as existing drugs. For a medical device, there are many more data points that need to be tracked and standards that need to be identified based on such things as whether the device is sold sterile, contains electronic equipment, or includes software.  

A medtech RIM system allows each device to be configured and tracked appropriately for each market.

What are medtech RIM systems?

Holistic RIM systems for medical device manufacturers enable users to create a single source of truth for all data associated with regulatory submissions and registration management. RIM systems are used by regulatory teams to digitize data and automate key processes across the organization.

Medtech RIM system functions are designed to support a range of regulatory activities across a product’s lifecycle. In addition to centralizing core regulatory data and managing regulatory registrations and certificates, RIM systems can also support:

  • Submission planning, authoring, and assembly
  • Market entrance requirements and pre-built submission templates
  • Collaborative content authoring and project management
  • UDI management
  • Standards management
  • Essential principles/GSPR management, including bulk updating

RIM systems are product-centric, structuring data around individual regulated products and their requirements, market by market. This means that RIM systems can track product-specific data and link standards with individual products to easily identify those affected by standards updates.

RIM for regulatory projects and processes

Digitization and automation of regulatory data are more critical as global regulations continue to change and become more complex. Getting a medical device to market is a difficult process, but RIM software cuts the time and costs associated with product registrations while providing tools essential for ensuring ongoing compliance. Choosing a RIM system designed specifically for the medtech industry will provide your RA team with the tools they need. To get your regulatory ducks in a row, only a RIM system will do!

To learn more about the Rimsys RIM system, talk to one of our experts today.

RIM
Blogs

The role of regulatory affairs teams throughout the product lifecycle

By

Karen Cohn

March 9, 2023

4 min read

The lifecycle of a medical device

The time from when a medical device enters the market to the time it leaves, and the business and regulatory processes associated with that journey, are referred to as a product lifecycle. Regulatory affairs (RA) professionals have responsibilities at each stage of the product lifecycle and will collaborate with most sections of the business on one or more activities. In this article, we discuss the regulatory responsibilities that are typical in a large, global medical device manufacturer.

Cross collaboration with RA across the globe

The Regulatory Affairs professional at the manufacturer often does not complete regulatory activities alone. Major medical manufacturers have RA employees stationed across the globe. The international RA employees or local distributor will provide insight into their country’s regulatory requirements and will often be the individuals that have direct contact with their country’s government agency.  

For example: When a manufacturer is working on a Registration in China, the Regulatory Affairs Engineer in the U.S. may be on an 8pm call coordinating with a Regulatory Affairs Professional in China.  

Manufacturing RA Responsibilities

  • Provide details and information on the medical device.
  • Assist in-country RA in providing manufacturing SME team support on governmental questions during submission review.
  • Provide appropriate documentation from the SME teams to help complete the regulatory submission.

In-country RA Responsibilities

  • Provide insight on the in-country medical device requirements.
  • Identify Standards particular to the country.
  • Manage in-country specific submission deliverables.
  • Identify devices that need to be provided for in-country testing (if applicable).

Each major lifecycle stage – pre-market, market placement, and post-market – is discussed below.

Pre-market

Research and development

A new medical device begins with an idea for a product and an R&D process that will eventually include the quality and regulatory departments. Once designed, these devices are heavily tested to industry standards that are applicable to the device. Higher risk devices must also go through clinical trials before being brought to market. Information on compliance with standards and results from testing are included in the submission documents used to obtain market access.  

Each department plays a role in ensuring that a device and all supporting information is ready to request market entrance.

Regulatory responsibilities  

  • Identify applicable standards that will apply to the new device.
  • Collaborate with R&D to understand the functions of the new device.
  • Identify the intended use of the device.
  • Classify the device for major markets.
  • Collaborate with in-country RA for any additional device testing.

R&D responsibilities

  • Test the new device to the standards identified by regulatory, or find a vendor to perform that testing.
  • Compile the testing reports.

Business role responsibilities

  • Approve the financials for the R&D work.
  • Have an initial scope of regions where the device would be sold.

Initial business case

In parallel to the R&D preparation, a business plan will be developed by the Sales and Marketing teams, along with the Product and Project Managers (“business” teams). The business plan will detail where a product will be distributed and sold. It is incredibly important for the regulatory team to have a full understanding of this plan as early as possible so that they can research regulatory requirements and develop a regulatory plan.

The initial business case is often a back-and-forth conversation between those developing the business plan and the manufacturing and regulatory teams. The business often asks and heavily relies on the regulatory professional to describe the submission processes per country, to note any particularly challenging country for registration, and to explain why there are more requirements in some markets.

Regulatory Responsibilities

  • Notify the business of the cost of the submissions for all markets that the business intends to sell in (Market Access Submissions cost money).
  • Notify the business of the cost of man-hours on a per-registration basis.
  • Notify the business of the labeling costs:
      • Translating the manual into multiple languages.
      • Applying country-specific labeling on the package or on the device.

Business Responsibilities

  • Make good financial decisions on go-to-market.
  • Approve staffing resources for the regulatory activity.
  • Create a priority for submission activity.

Regulatory Plan

The regulatory department creates a plan of how to gain market access based on the initial business case. For large expansive launches in many countries, a regulatory plan may need to consider over 100 country requirements, which often includes a phased approach to product launches.

Regulatory responsibilities are often split between the RA resources at the manufacturer and those that are in the country in which the device is being marketed. While they vary by company, responsibilities often look something like this:

Manufacturing RA responsibilities

  • Draft the regulatory plan.
  • Provide classification for country of origin and some major markets.
  • Provide appropriate documentation from the SME teams to complete the regulatory submission.

In-country RA responsibilities

  • Provide insight on the in-country medical device requirements.
  • Classify the device per country standards.
  • Identify in-country specific submission deliverables that need manufacturing SME support.
  • Identify devices that need to be provided for in-country testing (if applicable).
  • Provide timeline estimations for international submissions.

Initial pre-market submissions

In regulated markets, a company needs to “register” their device prior to shipping, selling or marketing a device in the country. These submissions often contain confidential business information and test reports that were identified as needed in the regulatory plan. Once the device is accepted, a certificate is given to the manufacturer allowing the product to be sold in that market.

Typically, manufacturers begin by registering in their country of origin and a small subset of highly marketable countries. This phase often includes the USA and EU. Once a majority of those submissions are completed, submissions to other markets are addressed in a phased approach. There can be multiple waves of these registrations, and the entire registration process can last for months. Registration projects also often overlap for the manufacturing regulatory professional.  

Manufacturing regulatory responsibilities

  • Provide appropriate documentation from the SME teams to complete the regulatory submission.
  • Notify SME teams when support is needed.
  • Coordinate and compile SME answers to governmental questions.
  • Update the business on the submission progress.
  • Notify the business when the submission is complete.

SME teams responsibilities

  • Provide adequate information about the device per the regulatory plan.
  • Notify the manufacturing regulatory team of any governmental questions and ask for support when needed.
  • Notify the manufacturing regulatory team of submission progress.
  • Provide SME support to develop the submission and answer governmental questions.

Business responsibilities

  • Provide funding for this activity.

Expansion to the rest of the globe

Once the initial launch is completed or near completion, submission activity now begins in every other market that the business approves to launch in. For large and expansive businesses, this launch can be over 100 countries, which can mean 100 regulatory product registrations.  

Manufacturing regulatory responsibilities

  • Provide appropriate device information to in-country RA for submission support.
  • Notify SME teams when support is needed.
  • Coordinate and compile SME answers to governmental questions.
  • Update the business on the submission progress.
  • Notify the business when any submissions are complete.

In-country RA responsibilities

  • Complete in-country submission deliverables.
  • Identify standards particular to the country.
  • Manage in-country specific submission deliverables.
  • Identify devices that need to be provided for in-country testing (if applicable).

SME teams responsibilities

  • Provide adequate information about the device per the regulatory plan.
  • Provide SME support to develop the submission and answer governmental questions.

Rimsys provides regulatory teams with the ability to manage requirements, content plans, documents, and tasks for new registrations.

Marketing the device

Once a device is fully registered in the regulated country, it can be marketed. However, any marketing material that is created often goes through an additional legal and regulatory review as any inaccuracy can lead to fines for mislabeling the device.  

Manufacturing regulatory responsibilities

  • Coordinate with clinical to ensure claims are aligned.
  • Review marketing content to ensure regulatory compliance.
  • Notify the business when approvals are received so marketing knows when they can begin marketing the device in that country.

Marketing responsibilities

  • Create drafted content which could be product sheets, social media posts, or presentations for conferences.
  • Accept regulatory review of the marketing materials.

Market placement

Change management

Businesses add features and change medical devices all the time. They may shift where the manufacturing facility is located, add an accessory, or change a motor. All of these changes need to be assessed, and a submission may need to be completed prior to market entry for those changes. These changes also need to be assessed on a global scale. The more countries that are involved, the more complex that process is.

For every change, a survey is often sent out to the in-country regulatory teams, and they are often responsible for completing that assessment for their country. These are typically called impact surveys. It is then up to the RA team at the manufacturer to compile those responses and to receive approval from the business to complete any additional submissions to governments that may be required.

R&D responsibilities

  • R&D and project teams determine a change is needed.
  • Notify the manufacturing regulatory team of the upcoming change.

Manufacturing regulatory responsibilities

  • Fully understand the change that is coming from R&D.

In-country regulatory responsibilities

  • In-country specialist completes the impact survey.
  • Notify the manufacturing regulatory team if additional submission activity is needed, along with the timeline for that activity and the deliverables/support required.

Business responsibilities

  • Approve the submission activity and finance it as needed.

Renewals

After the initial submission, most countries will require a renewal submission after a set number of years to keep the device in the market. It is critical that renewal dates are tracked and managed appropriately. Missed renewal dates may require several months to over a year of work to obtain market approval again. During that time, all sales of the product are stopped.  

Manufacturing regulatory responsibilities

  • Notify the business of upcoming renewals.
  • Coordinate with in-country RA to provide documents and assist in the submission for the renewal.
  • Coordinate SME support for governmental questions if needed.

In-country regulatory responsibilities

  • Notify manufacturing regulatory in a timely manner when renewals are needed.
  • Submit the renewal to the government authority.

Business responsibilities  

  • Approve the renewals.

Rimsys simplifies global submission management with integrated tools that provide complete control over submission authoring, assembly, and publishing.

Post-market

Audits

Governments and other regulatory bodies will often audit the medical device manufacturer to ensure that they are in compliance with current regulations.  

Manufacturing regulatory responsibilities

  • Gathering device marketing registration history and facility registration for a specific set of countries to be presented to the auditor.
  • Familiarizing yourself with the registrations and recent regulatory work that has occurred in the country to be prepared for the auditor's questions.
  • Responding to auditors' questions if you are on “Audit Duty”.

Quality department responsibilities  

  • Manage the facility tour.
  • Be responsible for the majority of the Quality Management System (QMS).

Research and development  

  • Provide the subject matter expert (SME) with explanations of how testing was developed for the product and the outcomes of said testing.

Post-market surveillance and reporting

Manufacturers must have ways of accepting customer complaints. In certain cases, when the complaints relate to health and safety concerns pertaining to the device, the manufacturer may need to report these complaints to their government or other countries where the device is sold.  

Correctional activities (recalls)

If a company finds a health and safety risk with their device, the company as a whole may need to gather all of the devices that are affected and either repair them or destroy them.

Obsolescence

Obsoleting a product is often a regulatory step and a submission step as well. There are many reasons to take a device out of a market, including low sales, new requirements causing additional work that is not financially feasible, or the availability of newer-generation devices that are safer for the user.

Business responsibilities

  • Notify manufacturing RA and in-country marketing of the obsolescence of the device in the market.

Manufacturing RA responsibilities  

  • Notify in-country RA of the obsolescence and expected date that the business will stop supporting the device in that market.

In-country RA responsibilities  

  • Submit obsolescence notification to the authority.

Learn more about how Rimsys supports the regulatory teams of some of the world’s leading Medtech companies.

MedTech
Blogs

RIM vs ERP software for medical device companies

By

Wendy Levine

March 2, 2023

4 min read

Regulatory affairs professionals at large medical device companies must manage heavy submission workloads, registrations for products currently on the market, and ever-changing regulatory requirements. Many RA teams are still relying on paper documents, spreadsheets, and other outdated tools and methods to complete this work, while others have taken steps toward digitization and automation of key processes.

Regulatory teams often struggle to find software tools designed specifically for their workflows. ERP (Enterprise Resource Planning) systems are sometimes used by RA teams to track product attributes, such as selling status and support/service history. ERP systems, however, are not designed to handle the complexities of regulatory workflows nor the type of data that needs to be securely managed within a medtech company.

What is ERP software?

Enterprise Resource Planning (ERP) software encompasses a wide range of systems that typically manage multiple sectors within an organization. Originally designed for manufacturers, ERP systems are now used by industries as varied as public utilities, wholesale distributors, service organizations, and retail companies.  

ERP systems manage the data and workflows associated with almost every sector within an organization, including:

  • Manufacturing  
  • Device identification/history
  • Purchasing and sourcing
  • Service delivery
  • Finance
  • Human resources
  • Engineering
  • Asset management
  • Supply chain
  • Customer management and sales

Modern ERP systems are designed to provide a single, integrated platform to manage the majority of functions within an organization. The trade-off, however, is that because functionality needs to meet the needs of a variety of organizations, it will often fall short in highly regulated industries that require very specific data, workflows, and controls.

What are RIM systems?

Regulatory information management (RIM) systems have been around for years in the pharmaceutical industry but are relatively new in the medical device industry. Holistic RIM systems enable users to create a single source of truth for all data associated with regulatory submissions and registration management. Think of a RIM system as an ERP system for regulatory teams that is used to digitize data and automate key processes across the organization.

Medtech RIM system functions are designed to support a range of regulatory activities across a product’s lifecycle. In addition to centralizing core regulatory data and managing regulatory registrations and certificates, RIM systems can also support:

  • Submission planning, authoring, and assembly
  • Collaborative content authoring and project management
  • UDI management
  • Standards management
  • Essential principles/GSPR management, including bulk updating

RIM systems are product-centric, structuring data around individual regulated products and their requirements, market by market. This means that RIM systems can track product-specific data, such as UDI records, and link standards with individual products to easily identify products affected by standards updates and assess their impact.

Integrating ERP and RIM systems

The most common point of integration between ERP and RIM systems is an “available to sell” setting at the product level. Product information in a RIM system will include registration status for each country and an indication of whether the product can currently be marketed and sold there. It is critical that the ERP system restrict distribution and/or sale of a product automatically based on the selling status set by the regulatory team.

ERP systems will also often be integrated with Product Lifecycle Management (PLM) systems used by product development and manufacturing teams to manage product information at every step of a product’s lifecycle, including product data, records, specifications, and configurations. ERP systems can also be integrated with eQMS (electronic quality management systems) and RIM systems to ensure coordination of risk management activities, product updates, and quality data between the regulatory, quality, development, and manufacturing teams. Ideally, your regulatory team is notified as early as possible of any planned updates or changes to a product that is in-market or pending market approval.

RIM for regulatory projects and processes

Digitization and automation of regulatory data are more critical as global regulations continue to change and become more complex. Getting a medical device to market is a difficult process, but RIM software cuts the time and costs associated with product registrations while providing tools essential for ensuring ongoing compliance. ERP systems are central to an organization’s operation, but their broad focus simply does not provide the detailed functionality needed by regulatory teams. Integrate your ERP system with a holistic RIM system to give your regulatory team the tools they need to bring your products to market successfully and to maintain compliance. To get your regulatory ducks in a row, only a RIM system will do!

To learn more about the Rimsys RIM system, talk to one of our experts today.

RIM
Blogs

IEC 62304: Standard for medical device software

By

Wendy Levine

February 24, 2023

4 min read

What is IEC 62304?

IEC 62304:2006 / AMD 1:2015 is the current version of the international standard that defines the software lifecycle processes for software used in medical devices. IEC 62304:2006 is considered a harmonized standard, meaning that it is recognized by the FDA and other regulatory agencies around the world.  

Note that this standard applies both to Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD).

How is IEC 62304:2006 organized?

There are 9 chapters in IEC 62304. The first 4 chapters define the scope of the standard as well as references, terms, and general requirements. The remaining 5 chapters are as follows:

  • Chapter 5 – Software Development Process. This chapter is the most important to fully understand because it defines the software development planning process, including requirements analysis, design, testing, and release processes.  
  • Chapter 6 – Software Maintenance. This chapter defines the need for a software maintenance plan, including implementation of a maintenance plan and issue analysis procedures.
  • Chapter 7 – Software Risk Management. Identification of hazardous situations, risk control, verification, and risk management procedures assume that an organization-level risk management plan is in place following the ISO 14971 standard.
  • Chapter 8 – Software Configuration Management. This includes change control and configuration status tracking.
  • Chapter 9 – Software Problem Resolution. This chapter addresses investigating and reporting on problems, change control processes, trend analysis, and resolution testing and verification.

IEC 62304:2006 software risk categories

IEC 62304:2006 defines three classes of risk for medical device software based on the risk of harm from a hazardous situation which the software could cause or to which it could contribute. As with risk management systems for other medical devices, the procedures, controls, and processes for medical device software should be appropriate for the level of risk posed by the software.

  • Class A – No injury or damage to health is possible.
  • Class B – Injury is possible, but not serious.
  • Class C – Death or serious injury is possible.

Software development and maintenance processes in IEC 62304

The software development process, as defined in Chapter 5 of this standard, lays out 8 process steps.  

  • Software development planning (5.1)
  • Software requirements analysis (5.2)
  • Software architectural design (5.3)
  • Software detailed design (5.4)
  • Software unit implementation and verification (5.5)
  • Software integration and integration testing (5.6)
  • Software system testing (5.7)
  • Software release (5.8)

IEC 62304 recommended documentation

In general, the following list of deliverables is typically needed to establish conformance with IEC 62304:2006:  

  • Software development plan - Define processes, deliverables, and development activities. The plan should include the Life Cycle Activities, Risk Management Plan, Documentation Plan, Configuration Management Plan, Change Control process, and Problem Resolution process.
  • Software verification plan - Describe the software test plan. Include all verification activities, such as code review, unit test and integration test plans, and the final system software verification test plan.
  • Software classification – Classify the software based on risk level as Class A, B, or C per definitions in the standard. Classification should also be established per market-specific requirements (i.e., FDA Class I, II, or III).
  • Software description – High-level description of the software function, intended use, and technology used.
  • Software requirement specifications - Include specifications for all requirements, including functional, performance, interface, and safety requirements.
  • Software architecture - Include diagrams of subsystems, major components, and the interfaces between them. This can provide segregation of software entities for risk control.
  • Software hazards analysis - The hazard analysis should identify potential hazards and the software components that could cause them. Include mitigations that feed back into the requirements. Be sure to include OTS and wireless QoS hazard analysis where applicable.
  • Cybersecurity plan - Document cybersecurity controls and features, threat model, hazard analysis, and penetration testing.
  • Detailed design descriptions - Include specifications detailing how the software is implemented.
  • Off-the-shelf software list – Identify any OTS software used, including detailed information regarding source, version, and licensing.
  • Code unit verification - Document the unit test and code review as performed to plan.
  • Integration tests - Document the integration, regression, and OTS software testing performed per the plan.
  • System software verification protocols - Document test protocols for final device software. Include requirements tracing and show coverage of requirements (using pass/fail criteria).
  • Summary test report - Create a summary of all software verification per the verification and validation plan.
  • Trace matrix - Link system requirements to software requirements to associated design specifications and test protocols in one document (typically a spreadsheet). Include software hazards with software mitigations.
  • Revision level history - Document major revisions and releases made during development, including descriptions of each.
  • Unresolved anomalies - Document any anomalies still present and their associated risk. Include justification for release.
  • Software problem resolution process - Describe how reported problems are evaluated and investigated, including how change requests and any necessary regression testing will be handled.

Complying with IEC 62304

More than most other standards, IEC 62304 requires an understanding of multiple disciplines to ensure compliance. Be sure to include team members with expertise in software development, risk management, and regulatory affairs when defining processes related to this standard.

Complying with IEC 62304 is only part of what is required for market clearance for software as a medical device. In the U.S., a 510(k) submission is typically required. Read our 510(k) guide here.

MedTech
Blogs

RIM vs PLM software for medical device manufacturers

By

Wendy Levine

February 2, 2023

4 min read

Regulatory affairs professionals at large medical device companies must manage heavy submission workloads, registrations for products currently on the market, and ever-changing regulatory requirements. Many RA teams are still relying on paper documents, spreadsheets, and other outdated tools and methods to complete this work, while others have taken steps toward digitization and automation of key processes.

Regulatory teams often struggle to find software tools designed specifically for them. Because the processes they manage are typically product-focused, RA teams may attempt to use software built for product design and engineering teams, including product lifecycle management (PLM) systems.

What is PLM software?

Product lifecycle management (PLM) applications provide a central system for managing everything from the design of a new product to testing and ongoing maintenance. PLM systems are typically used by multiple teams, including product design and engineering teams, to coordinate product-related processes. The core elements of a PLM system include:

  • Document management of design files and process documents
  • Product structure management (source of truth for bills of material)
  • Product component detail tracking and approvals (attribute management)
  • Workflow and project/task management for product-related processes
  • Product version control
  • Secure management and approval processes for engineering and product changes (ECNs, ECOs, etc.)
  • Integration with CAD and PDM (product data management) tools

PLM software can be considered both a data warehouse and a secure project system. PLM systems are used for storing and retrieving all product design-related information, including version-specific manufacturing (CAD) drawings, specifications, and supplier requirements. These systems also manage the workflows associated with each stage of a product’s lifecycle, from the design process to product maintenance to end-of-life activities. For medical device manufacturers, the PLM system is typically where design history files and device master records are maintained.

What are RIM systems?

Regulatory information management (RIM) systems have been around for years in the pharmaceutical industry but are relatively new in the medical device industry. Holistic RIM systems enable users to create a single source of truth for all data associated with regulatory submissions and registration management. RA teams are able to focus on critical tasks by using RIM systems to digitize data and automate key processes.  

RIM system functions are designed to support a range of regulatory activities across a product’s lifecycle. In addition to centralizing core regulatory data and managing regulatory registrations and certificates, RIM systems can also support:

  • Submission planning, authoring, and assembly
  • Market entrance requirements and pre-built submission templates
  • Collaborative content authoring and project management
  • UDI management
  • Standards management
  • Essential principles/GSPR management, including bulk updating

RIM systems also tend to be product-centric, structuring data around individual regulated products, but are focused on saleable products, components, and packages where PLM systems are focused on the manufactured items. This means that RIM systems can track product-specific data, such as sales status by country, and link standards with individual products to easily identify products affected by standards updates and assess their impact.

Integrating PLM and RIM systems

PLM systems will often be integrated with ERP systems to ensure the correct bills of material and other product details for the current version of the product are being used by the manufacturing system. PLM systems can also be integrated with eQMS (quality management systems) and RIM systems to ensure coordination of risk management activities, product updates, and quality data between the regulatory, quality, and product teams. Ideally, your regulatory team should be notified as early as possible of any planned updates or changes to a product that is in-market or pending market approval.

RIM for regulatory projects and processes

Digitization and automation of regulatory data are more critical as global regulations continue to change and become more complex. Getting a medical device to market is a difficult process, but RIM software cuts the time and costs associated with product registrations while providing tools essential for ensuring ongoing compliance. PLM systems are critical as well, but their focus on product design and other product details simply does not provide the functionality needed by regulatory teams. Integrate a strong PLM system with a holistic RIM system to give both your engineering and regulatory teams the tools they need to bring your products to market successfully and to maintain compliance. To get your regulatory ducks in a row, only a RIM system will do!

To learn more about the Rimsys RIM system, talk to one of our experts today.

RIM