

The ultimate guide to the EU MDR and IVDR general safety and performance requirements (GSPR)
This article is an excerpt from The ultimate guide to the EU MDR and IVDR general safety and performance requirements (GSPR) ebook.
Table of contents
- Overview
- Terminology
- EU MDR/IVDR Annex I
- EU MDR/IVDR Annex II
- Proactive Monitoring & Maintenance
- Comparison Table: EU MDR/IVDR Annex I GSPRs vs EU MDD/IVDD Annex I Essential Principles
With the initial rollout of the European Medical Device Regulation (MDR) complete, medical device companies are shifting focus to the sister In Vitro Diagnostic Regulation (IVDR), which has rolling effective dates starting in May 2022. Like the MDR, the IVDR also includes new General Safety and Performance Requirements (GSPR). The expanded 2nd edition of this ebook includes a detailed summary of the IVDR GSPR regulations in addition to those of the MDR. It provides you with practical guidance on how to meet the GSPR requirements for all types of medical technology products. This ebook, however, should not take the place of reviewing the actual regulations and consulting regulatory experts when needed.
Timeline
Submission under the EU MDR, which replaces the previous MDD directive, became mandatory on May 26, 2021, and the EU IVDR effective date is quickly approaching. In fact, all submissions for new devices under the new EU IVDR must be implemented no later than May 25, 2022. Below is a high-level overview of key dates for both regulations.

*Note that the timeline for compliance was extended in 2021. Class D (high-risk) devices have until 2025 to comply with IVDR, while Class C devices have until 2026. Class B and Class A sterile devices have until 2027 to comply with IVDR.

What’s the difference between Essential Requirements, General Safety and Performance Requirements (GSPR), and Essential Principles? In order to have a meaningful dialogue, let’s first discuss the three (3) main terms used in the industry.
#1 Essential requirements
The ‘Essential Requirements’ are the backbone for establishing conformity with the Medical Device Directive (MDD 93/42/EEC) and the Active Implantable Medical Device Directive (AIMDD 90/385/EEC). Detailed within Annex I of the MDD and AIMDD, the ‘Essential Requirements’ laid out the requirements that devices must meet in order to state compliance to the directives. With the implementation of the new EU Medical Device Regulation (MDR 2017/745), the ‘Essential Requirements’ will be superseded by the new EU MDR General Safety and Performance Requirements (GSPRs).
#2 Essential principles
The IMDRF laid out Essential Principles requirements in a document entitled Essential Principles of Safety and Performance of Medical Devices and IVD Medical Devices. From a high-level perspective, three basic tenets make up these ‘Essential Principles’:
- A device must be designed to be safe and perform effectively throughout its lifecycle.
- Device manufacturers must maintain all design characteristics.
- Devices must be used in a way that is consistent with how they were designed.
Many countries use the term ‘Essential Principles’ when compiling the documentation required to determine compliance to the law. For instance, the Australian Therapeutic Goods Administration (TGA) uses the term ‘Essential Principles Checklist’. Regardless of the term used, Essential Principles are of similar nature and overlap many of the Essential Requirements and new GSPRs.
#3 General safety and performance requirements (GSPR)
As of May 26, 2021, medical device manufacturers must start to comply with Annex I – General Safety and Performance Requirements (GSPRs) of the new EU Medical Device Regulation (MDR 2017/745). GSPRs are specific to the European MDR and IVDR. If you hear any other term (e.g. Essential Principles), it most likely means it is not referencing the European market.
Annex I of the EU MDR and IVDR details the specific requirements of the General Safety and Performance Requirements (GSPRs). The GSPRs are broken down into three (3) chapters in Annex I, MDR 2017/745 and IVDR 2017/746:
- Chapter 1 - General requirements
- Chapter 2 - Requirements regarding design and manufacture
- Chapter 3 - Requirements regarding the information supplied with the device
Chapter 1 - General requirements
Both the EU MDR and the EU IVDR outline General Safety and Performance Requirements (GSPRs) in great detail for medical device designers and manufacturers. The general requirements for each are almost identical and consist of the following:
- Devices must perform in a way that aligns with the intended design.
- They must not compromise the health or safety of a patient, user, or any other person associated with the device.
- Risks must be reduced as much as possible, but not so much that they negatively affect the risk-benefit ratio.
- Device manufacturers must implement and maintain a thorough, well-documented, and evaluative risk management system that continues to be updated throughout the life cycle of a device.
- Manufacturers and designers must include any necessary measures for protecting users in cases where risks cannot be completely eliminated.
- Manufacturers must provide users with information about any potential risks that remain. This information must be clear, easy to understand, and considerate of the users’ technical knowledge level, use environment, and any applicable medical conditions.
- Devices must withstand the stresses of normal use for the duration of their lifecycle. Devices must be designed, manufactured, and packaged in a way that protects them from damage during transport and storage.
- When it comes to risks and negative side effects that are known and foreseeable, designers and manufacturers must make every effort to minimize negative outcomes. They must also ensure that potential risks are acceptable when compared to the potential benefits of a device to its users.
Chapter 2 - Requirements regarding design and manufacture
The GSPRs also provide key details regarding specific information about the performance, design and manufacture of medical devices. As it relates to design inputs, the MDR and IVDR GSPRs provide highly detailed requirements relating to a device’s technical information. Further detail can be found in the comparison tables in Appendix A and Appendix B, where we have compared MDR to MDD and IVDR to IVDD.
Chapter 3 - Requirements regarding the information supplied with the device
The final key area of governance within the GSPRs relates to specific information a manufacturer must supply with a device. The general requirements for this information state that, “Each device shall be accompanied by the information needed to identify the device and its manufacturer, and by any safety and performance information relevant to the user, or any other person, as appropriate.” The requirements provide further detail as far as location-specific information that must be provided on the following:
- The device label includes its UDI.
- The user instructions.
- The packaging of a device that is intended to maintain its sterile condition.
Medical devices are subject to significant regulations and a full understanding of EU MDR and/or IVDR labeling as defined in Annex 1 Chapter 3.
In addition to the specific requirements identified within Annex I of the EU MDR and IVDR, Annex II, Technical Documentation, identifies additional requirements. Specifically, in both EU MDR and IVDR’s Section 4 – General Safety and Performance Requirements it states:
“the documentation shall contain information for the demonstration of conformity with the general safety and performance requirements set out in Annex I that are applicable to the device taking into account its intended purpose, and shall include a justification, validation and verification of the solutions adopted to meet those requirements. The demonstration of conformity shall include:
(a) the general safety and performance requirements that apply to the device and an explanation as to why others do not apply;
(b) the method or methods used to demonstrate conformity with each applicable general safety and performance requirement;
(c) the harmonised standards, CS or other solutions applied; and
(d) the precise identity of the controlled documents offering evidence of conformity with each harmonised standard, CS or other method applied to demonstrate conformity with the general safety and performance requirements. The information referred to under this point shall incorporate a cross reference to the location of such evidence within the full technical documentation and, if applicable, the summary technical documentation.”
Let’s break this down into each part.
Requirement
(a) the general safety and performance requirements that apply to the device and an explanation as to why others do not apply;
What needs to be documented for the requirements that apply or the requirements that do not apply?
Each and every section of the EU MDR GSPR or EU IVDR should be assessed in its own right as it pertains to your medical device. When a requirement applies, a simple statement may be made that this requirement applies to the device. In practice this is often achieved using a checklist or table, with a column for applicability and a Yes/No answer against each requirement. When a requirement applies, you can move on to the other parts of demonstrating conformity regarding methods used and standards applied.
When a requirement is not applicable, a statement must be made to that effect, i.e. a ‘No’ in the applicability column. Additionally, it must be fully and properly justified. Such a justification may be something like ‘The device is not powered and is therefore not an active device. This requirement does not apply.’ The justification should clearly state why the requirement has been deemed not to apply so that your notified body can understand your reasoning.
Requirement
(b) the method or methods used to demonstrate conformity with each applicable general safety and performance requirement;
What is meant by “method or methods used”?
This relates to the way you complied with that GSPR requirement. Historically, it would be listed as a standard or other documentation reference that you have applied to demonstrate compliance. However, the question of ‘method or methods used’ is new to the MDR, and it is expected that a verbal description be provided, such as:
i. Risk analysis weighed against clinical evaluation benefit
ii. Performance intended demonstrated by design requirements, verification and validation
Requirement
(c) the harmonized standards, common specifications (CS) or other solutions applied;
What are harmonized standards, common specifications (CS), and “other solutions”?
Harmonized standards
These are standards that have been specifically developed and assessed for compliance to a regulation or directive. They are published in the Official Journal of the European Union (sometimes just referred to as ‘the OJ’) and if you comply with these standards then there is a ‘presumption of conformity’ with that directive or regulation to which they have been harmonized. These harmonized standards can only be created by a recognized European Standard Organization (such as CEN or CENELEC). When a standard is harmonized, an annex is added that describes how the standard conforms to the directive or regulation. When using harmonized standards, you should make sure that you understand how the standard conforms so that you do not claim compliance when the standard either does not meet that requirement or only partially meets that requirement.
If a standard does not meet a certain requirement of the directive or regulation, or indeed only partially meets it, then you must employ additional mechanisms for compliance. If a harmonized standard meets part of a directive or regulation, then by complying with that standard you also fully meet the corresponding requirement(s). The list of harmonized standards continues to grow - refer to the “Healthcare Engineering” section of the European Commission’s Harmonized Standards page for current information. In this case, using an MDD harmonized standard and documenting a justification for doing so (i.e. how you believe the standard demonstrates compliance with the GSPRs) should provide sufficient evidence.
Common specifications
Common Specifications (CS) are a new concept in the MDR. They allow the European Union to add additional requirements that must be met in order to claim compliance where harmonized standards do not exist or where relevant standards are considered insufficient. The definition of a Common Specification is:
‘A set of technical and/or clinical requirements, other than a standard, that provides a means of complying with the legal obligations applicable to a device, process or system.’

Requirement
(d) the precise identity of the controlled documents offering evidence of conformity with each harmonized standard, CS or other method applied to demonstrate conformity with the general safety and performance requirements. The information referred to under this point shall incorporate a cross-reference to the location of such evidence within the full technical documentation and, if applicable, the summary technical documentation;
What is the expectation for incorporating a "cross-reference to the location of such evidence within the full technical documentation"?
This means that someone looking at the document should be able to identify exactly where in the technical documentation the compliance evidence can be found. For example, this may refer to test reports and their exact location, or it could even reference locations within a large document, depending on the GSPR and your particular documentation (e.g. if you have included usability risks as part of a larger risk assessment, you may need to say ‘See Technical File XXX, Section XX, Doc RMF001 rev 3 lines 65-78’). In other cases it could just mean the whole document reference, i.e. Have you done risk management? – then yes, it is RMF001 rev 3. What the specific reference actually is depends on how you have managed your technical documentation and how defined it is (i.e. separate reports or one big one). There should be no ambiguity as to where the document is located.
An example of a completed GSPR checklist could look something like this (applicable and nonapplicable examples are shown):
Specification developers and manufacturers must continually maintain their technical documentation to stay compliant. Part of this process is to ensure that they take into account the "generally acknowledged state of the art".
Proactive monitoring
'State of the art'
There is no formal definition of ‘state of the art’ within the EU MDR or IVDR, although it is mentioned many times. ‘State of the art’ is an ongoing debate; however, it generally means that it embodies what is currently and generally accepted as good practice in the medtech industry. The ‘state of the art’ does not necessarily imply the most technologically advanced solution.
One consensus on state of the art is being up to date and compliant with the current, in-effect standards that are applicable to your device. This means that if a standard that your medical device complies with is updated, you must evaluate that update to ensure that the device would still meet the EU MDR or EU IVDR ‘state of the art’ requirement. This is not a new requirement from the EU MDD, but it is spelled out more clearly in the EU MDR.
The specification developer or manufacturer is ultimately responsible for determining if the updated standard applies or does not apply to their device(s). Either way, the justification should be documented within a gap analysis.
Monitoring for changes
Of course, 'state of the art' only applies if you actually know that something changed. This is why you need to develop a process for monitoring the standards to which compliance is claimed. Every single standard that is associated with your technical documentation must be actively monitored, reviewed, and reported on.
If you have a product on the market and need a better way to monitor and maintain your General Safety and Performance Requirements (GSPR) or Essential Principles, Rimsys can help. Rimsys digitizes and automates GSPR and Essential Requirements so you can dynamically update and proactively monitor changing standards and evidence files.
When a standard or evidence file changes, you will automatically be notified and can update one GSPR or all of your GSPRs as applicable with a single click of a button. If additional information is needed, such as testing, it’s also invaluable to ensure that all devices are identified. What used to take weeks of manual, error-prone administrative tasks is now done in seconds within a fully validated, secure, maintenance-free, cloud-based solution.
Maintenance
Maintaining and updating your technical documentation is generally the hardest part of staying compliant. Robust processes must be established to ensure nothing slips through the cracks and shows up as a nonconformance during regulatory audits.
Gap analysis
In addition to meeting the ‘state of the art’ requirements and the continuous proactive monitoring of standards, once a change has been detected that affects the technical documentation, a proper and thorough gap analysis must be completed.
The gap analysis between the old versions and the new versions, or an evaluation of a brand new standard, must occur and be properly documented. The gap analysis should detail what is applicable and what is not applicable, with your supporting justification.
If something within the new or revised standard was applicable to your device, additional engineering testing, documentation, justification, and, in some instances, design changes may be needed to ensure compliance.
GSPR updates
Once the gap analysis has been properly documented, specification developers and manufacturers must update their GSPRs.
These updates include finding the withdrawn or superseded standard or evidence file throughout each row within your GSPR table, for every single device on the market on which this change is applicable. This could be one table or dozens of tables depending on the complexity of the products and your product mix.
Without a holistic RIM system to help you, this is an error-prone process, as it is tedious, administrative, and extremely easy to miss an inappropriately referenced standard or evidence file.
Extreme diligence on the regulatory or engineering team must occur to ensure these critical updates to the GSPRs are not missed and a gap analysis must be properly referenced throughout. Any justification for including or excluding a new standard or evidence file will be scrutinized by regulatory auditors, and without proper maintenance, may lead to additional review time.
To continue reading this eBook including Comparison Table of the EU MDR Annex I GSPR vs. the EU MDD Annex I Essential Requirements, please register to download the full version.
The beginner's guide to the FDA PMA submission process
This article is an excerpt from The beginner's guide to the FDA PMA submission process ebook.
Table of Contents
- Introduction
- PMA basics
- FDA interactions
- Contents of a traditional PMA submission
- PMA supplements and amendments
- PMA Quality Management System (QMS)
- Review process and timeline
If your organization is planning to market a new medical device in the United States, you first need to determine which regulatory class the device falls under. The vast majority of medical devices regulated by the FDA are either Class I or Class II medical devices, requiring a 510(k) premarket notification or a simple registration if exempt from 510(k) requirements. However, if your device sustains or supports life, is implanted, or presents a “potential unreasonable risk of illness or injury,” your device is likely a Class III device which will require Premarket Approval (PMA) from the FDA before it can be marketed in the United States. Novel devices, for which there are no existing substantially equivalent devices, are automatically classified as Class III as well. Novel devices with a lower risk profile, however, may qualify for the De Novo process instead of the PMA. Just 10% of devices regulated by the FDA are Class III devices.
This ebook provides an overview of the PMA process and its requirements, but it is not designed to be the only resource used in compiling a PMA submission. The FDA provides significant documentation on this process, starting with the regulation governing premarket approval that is located in Title 21 Code of Federal Regulations (CFR) Part 814.
FDA: Background and device oversight
Before we explain what a PMA is, let’s first talk generally about the Food and Drug Administration (FDA) and device oversight. The FDA is the U.S. governmental agency responsible for overseeing medical devices, drugs, food, and tobacco products. When it comes to medical devices, the FDA’s mission is to “protect the public health by ensuring the safety, efficacy, and security of...medical devices.” At the same time, the FDA also has an interest in “advancing public health by helping to speed innovations.” In other words, the FDA’s goal is to make sure devices are safe and effective for public use, while also ensuring that devices have a quick and efficient path to market.
In order to achieve this balance of safety and efficiency, the FDA has three different levels of oversight depending on the risk level of the device: (1) exempt from premarket notification, (2) Premarket Notification, also known as 510(k), and (3) Premarket Approval (PMA).

When is a PMA required?
The PMA process is the most stringent regulatory process for medical device approval under the FDA and applies to almost all Class III devices. To determine whether your device requires a PMA, you must first classify your device by searching the Product Classification Database. The database will provide you with similar devices, along with their name, classification, and a link to the Code of Federal Regulations (CFR) if applicable.
- If a substantial equivalent is found in the Product Classification Database with a submission type of 510(k), you should submit a 510(k), not a PMA.
- If the product classification database identifies your device as Class III and/or requiring a PMA - you should submit a PMA.
- If your device involves a new concept and does not have a classification regulation in the CFR, the database will list only the device type name and product code. In this case, the three-letter product code can be used to search the PMA database and the 510(k).
- If your device cannot be found in the product classification database because it is a new type of device and should be classified as a Class III device because of the level of risk it presents*.
*Class III devices support or sustain human life, are of substantial importance in preventing impairment of human health, or present a potential and unreasonable risk of illness or injury.
Note that if your device is a new concept without a substantial equivalent, but does not present the level of risk of a class III device, it may be eligible for the De Novo process as a class I or class II device.
PMA vs 510(k)
Not only are PMA and 510(k) processes applicable to different types of devices, they have different purposes.
510(k): A 510(k) is intended to demonstrate that the device for which approval is being sought is as safe and effective as a currently marketed device that does not require a PMA.
PMA: A PMA is intended to prove that a new device is safe and effective for the end user. A PMA is much more detailed and in-depth than a 510(k). Device manufacturers are typically required to present human clinical trial data, in addition to laboratory testing data.
The difference in complexity between a PMA and 510(k) also affects the time needed to process the submissions. The FDA typically accepts or rejects a 510(k) submission within 30-90 days, at which point the device is posted to the FDA’s 510(k) database. A PMA submission can take up to 180 days to be processed, at which point the FDA can approve or deny the application. The FDA may also issue an “approvable” or “not approvable” letter, which the applicant can choose to respond to, thereby adding time to the submission process.
PMA application methods
There are a number of types of PMA application methods. While most devices which require a PMA will follow the traditional process, be sure to verify that you are using the correct application process to maximize your chances for success and avoid unnecessary delays:
Traditional PMA
The most common method for attaining FDA clearance for Class III devices, the traditional PMA is the appropriate option for most devices that have completed clinical testing.
Modular PMA
The modular PMA is the appropriate application method for devices that have not yet completed clinical testing. Applicants complete individual “modules,” with final confirmation granted once all sections are completed. For additional information on specific requirements of a modular PMA, read the FDA’s Premarket Approval Application Modular Review.
Product Development Protocol
Use the Product Development Protocol (PDP) with medical devices that are based on well-established technology. The PDP process for gaining market approval merges the clinical evaluation and development of information, and involves an agreement between the manufacturer and the FDA. The process provides the advantage of early predictability for the manufacturer and allows early interaction that can identify FDA concerns as soon as possible in the development process. Because the PDP identifies the agreed-upon design and development details, a completed PDP is considered to have an approved PMA. For additional information, read more about the FDA’s PMA Application Methods.
Humanitarian Device Exemption
A Humanitarian Use Device (HUD) is specifically defined as a device intended to benefit patients that are affected by a disease or condition that affects less than 8,000 individuals in the U.S. per year. The Humanitarian Device Exemption (HDE) approval process is designed to encourage clinical activity around rare conditions, and does have certain restrictions, including:
- After receiving HDE approval, a HUD is eligible to be sold for profit only if the device is intended to address a disease or condition that occurs primarily in pediatric patients, or occurs in pediatric patients in small numbers.
- If an HDE is approved to be sold for profit, the FDA will determine an annual distribution number (ADN). Any devices sold beyond the ADN limit are required to be sold for no profit.
For more information see the FDA’s explanation of the Humanitarian Device Exemption.
CBER Submissions
There are two centers within the FDA responsible for evaluating medical devices. While the majority of devices will go through the Center for Devices and Radiological Health (CDRH), some will be managed by the Center for Biologics Evaluation and Research (CBER). CBER regulates medical devices related to blood and cellular products, including blood collection and processing procedures as well as cellular therapies. This ebook focuses on submissions made through the CDRH, but you can view CBER Regulatory Submissions – Electronic and Paper for more information on the CBER process.
To continue reading this eBook, including a walk through of the different types of required and optional FDA meetings and communications, a detailed list of the contents of a traditional PMA submission, and an overview of quality management system requirements, please register to download the full version.
An overview of 21 CFR Part 11 regulations for medical device companies
What is 21 CFR Part 11?
21 CFR Part 11 refers to the federal regulation that addresses electronic records and electronic signatures associated with FDA requirements. This single, relatively small part of the Code of Federal Regulations is extremely significant for companies with FDA-regulated products because it impacts every document signature, electronic file, and FDA submission. Codified in 1997, this FDA-issued regulation continues to be debated and re-evaluated as the technology supporting electronic records and signatures changes. In this article, we’ll discuss the regulation and generally accepted interpretations.
Note that discussions and statements in this document are our observations only and should not be taken as fact. You can refer directly to the regulation here.
Part 11: General Provisions
The General Provisions section of 21 CFR Part 11 addresses the scope of the regulation, when and how it should be implemented, and defines some of the key terms used. It states that the purpose of Part 11 is to define the criteria under which electronic records, electronic signatures, and handwritten signatures attached to electronic records are equivalent to, and as reliable as, handwritten signatures on paper documents.
Fundamentally, any record that is maintained, used, or submitted under any FDA records regulation is subject to Part 11, and the FDA will accept electronic records in lieu of paper records if an organization can prove that their records and systems meet the Part 11 requirements.
The General Provisions subpart also sets forth a number of definitions, and we’ve listed the ones that are most significant to our discussion here:
- Closed System: A computer system or software whose access is controlled by the same people who are responsible for the information stored in the system. Because the opposite of a closed system, an “open system,” is subject to additional scrutiny, be sure that you are able to thoroughly explain and provide documentation for a decision to classify your system as a “closed system.”
- Open System: A computer system or software whose access is not controlled by the same people who are responsible for the information stored in the system.
- Digital Signature: An electronic signature created in a manner that can be verified, ensures the identity of the signer, and maintains the integrity of the document and signature. This often involves the use of cryptography and/or biometric data.
- Electronic Signature: Symbols that represent a legally binding equivalent to an individual’s handwritten signature (as adopted and authorized by the signer).
Part 11: Electronic Records
The Electronic Records section sets forth the requirements for administration of closed and open electronic record-keeping systems, then discusses signature manifestations and requirements for establishing a link between signatures and records.
Part 11 defines a “closed system” as any computer system in which the users controlling access to the system are the same people who are responsible for the data in the system. Today, most systems can be classified as closed systems, but take special care to document control procedures around software that is hosted offsite or classified as a SaaS solution.
This section of the regulation deals with the controls that need to be in place for all applicable electronic record systems by defining:
- Procedures to ensure that all electronic records are authentic, have integrity, and can ensure confidentiality (where that is appropriate).
- Validation requirements for systems that maintain electronic records to ensure that all records are accurate, reliable, and that the system performs consistently according to regulatory requirements.
- Audit trail requirements for all regulated records to ensure a complete history of all changes to records are maintained.
- Controls around system access and document signatures.
Part 11: Electronic Signatures
The Electronic Signatures section defines the components of electronic signatures and the required controls and procedures necessary for using them.
In general, an organization must be able to demonstrate that electronic signatures:
- Are unique to each individual, and that the individual assigned an electronic signature has had their identity and level of authorization verified.
- Are based either on biometric data (such as fingerprints) or made up of two distinct pieces (i.e., a user ID and password).
- Require appropriate controls to ensure that they are verified periodically, cannot be used by someone other than the intended user, and are immediately deactivated if compromised in any way.
Practical application of 21 CFR Part 11 for regulatory affairs professionals
21 CFR Part 11 is a critical regulation, and one that can be open to interpretation. Below, we cover some of the key areas that should be of concern for RA professionals. This is an overview of key areas only, and should not be taken as complete instruction or guidance for 21 CFR Part 11 compliance.
System compliance and validation
Any system that you are using to store electronic records that fall under FDA regulations needs to be compliant with Part 11. This includes everything from spreadsheets to full-featured RIM and document management systems.
Software vendors will often document how their systems are developed to be compliant, and may even support system validation during implementation - but it is ultimately the responsibility of the user organization to ensure that their systems and processes are compliant with Part 11. System validation is the process of documenting that your system meets all of the Part 11 requirements. Software vendors can support this process by ensuring that their systems are built on a highly secured infrastructure that can be demonstrated and proven.
The Rimsys system was built from the ground up to meet the stringent requirements of not only 21 CFR Part 11, but other industry standards and good practices guidelines (GxP). We have put in place a rigorous validation program, built by industry experts and supported by a secure and well-documented infrastructure. For more information, visit the Rimsys Security and Privacy page.
Audit trails
Audit trails are the required system logs that track the who, when, and what of every change made to data that falls under Part 11. Audit trails should be generated and time-stamped by the system, with no ability for users to change that information. Audit trails serve two purposes under 21 CFR Part 11:
- To demonstrate that documented policies and procedures are being followed, including that only users with the appropriate authority are managing data.
- To prove that data retention policies are being adhered to (see below).
At any time, you should be able to view the history of any record, from a Design History File to a submission document, in order to determine what changes have been made, when they were made, and by whom.
Record retention
21 CFR Part 11 specifies that electronic records must be protected and readily available throughout the defined record retention period. Additionally, 21 CFR Part 820 specifies that records related to the quality, manufacturer, regulatory submissions, or any other data that falls under FDA regulation, should be maintained for the life of the medical device and for a minimum of two years from the date of first commercial distribution. This is often referred to as “cradle to grave” tracking.
This means that regulatory professionals need to not only be aware of their company’s record retention policy, but need to ensure that any system being used to track regulatory submissions or other data subject to audit meets Part 11 and Part 820 requirements. Note that record retention requirements apply also to paper records where they are the source document.
Electronic and digital signatures
An important piece of 21 CFR Part 11 is its definition of electronic and digital signatures. “Electronic signature” is used to define any set of symbols that are used in place of a handwritten signature, whereas a “digital signature” is an electronic signature based on methods that ensure the identity of the signer and allow the integrity of the data to be verified. A digital signature can be based on biometric data (such as fingerprints) or secure user IDs and passwords that are controlled to ensure only one authorized user can use the signature.
As a regulatory affairs professional, you should ensure that:
- Everyone on your team who needs to sign documents has their own unique digital signature and understands the importance of protecting it. Sharing of electronic credentials is a common FDA audit observation. Also ensure that users who are not required to sign documents have appropriate access to data to discourage other users from sharing login credentials with them.
- You are following your company’s policies concerning electronic signature audits so that passwords remain updated and strong and signatures are revoked when a user leaves or changes positions.
- You immediately report any possible loss, theft, or sharing of user credentials or devices that generate identification codes.
While 21 CFR Part 11 is usually considered more of a “quality regulation,” it is important that regulatory teams within medical device organizations fully understand this regulation and its compliance implications.
To build or to buy: evaluating options for Regulatory Information Management
Your regulatory team needs dedicated software to manage market entry activities, maintain regulatory integrity, and ensure post-market compliance. While small medtech companies often start out managing regulatory data in spreadsheets, this quickly becomes unwieldy.
Can you develop a system that tracks product information and registration expiration dates? Yes, absolutely – especially if your medical device company has internal software development capabilities as part of your IT team. However, a strong RIM system will also give you the ability to completely manage market entrance documents and regulatory workflows. And building a RIM system will also require significant input from your regulatory and quality teams, in addition to IT resources.
Admittedly, we are a bit biased here, but this is the reason we started Rimsys – to create regulatory order in the medtech community and help regulatory professionals automate processes and digitize information so that they can spend more time on activities that truly make a difference for their organizations.
Before you begin a project to build your own RIM system, or to modify an existing system to meet regulatory needs, consider the entire size and scope of the project. This article discusses the common areas where custom-built RIM projects can run into unanticipated costs or issues.
Meeting software regulatory requirements
RIM systems are the source of information used by your regulatory team to provide accurate and timely information to regulators and auditors to ensure that your organization is compliant with existing regulations. This means that the software system itself needs to meet certain requirements. To ensure a compliant and secure RIM system, you need the following:
- ISO 9001 certification
Your organization may already be ISO 9001 certified, but in developing your own software to manage internal data and processes, you are greatly expanding the scope of your ISO 9001 project.
- ISO/IEC 27001 certification
ISO/IEC 27001 is the global standard for information security management, including data protection and cyber security and resilience. You will need to obtain ISO/IEC 27001 certification for your RIM system.
- 21 CFR Part 11 compliance (US) and EU Annex 11 (EU)
21 CFR Part 11 is the portion of US federal regulation that addresses electronic records and electronic signatures as related to FDA processes and documents. The EU Annex 11 is the equivalent regulation in the EU. A good RIM system is designed with Part 11 and Annex 11 compliance in mind and can easily be validated to the regulations. You will need to demonstrate procedures that ensure all electronic records kept in the RIM system are controlled, authentic, and can be verified. Features such as data audit trails and specific electronic signature requirements need to be implemented.
- SOC 2 Type 2
SOC 2 Type 2 may be used in place of ISO/IEC 27001 to demonstrate suitable data security, particularly in cloud-based systems. SOC 2 Type 2 reports prove a company’s controls, but are not a certification provided by an independent registrar. SOC 2 Type 2 also requires an Information Security Management System (ISMS), which is the framework focused on risk management and risk mitigation.
- GDPR compliance (EU)
While often associated with email marketing activities, the EU General Data Protection Regulation requires companies that store any information about an EU citizen to have specific safeguards in place. In particular, if your RA team includes EU citizens then their personal data is subject to GDPR and, among other things, they have the right to request their data is deleted from the system if they leave the company. All personal data needs to be protected from outside access as well.
Reducing overall cost of ownership
Building a RIM system from scratch or building RIM features into a QMS or PLM system is not a one-time endeavor. Consider the following on-going activities that will be required:
- Addressing regulatory changes
Global medtech regulations are constantly changing. For example, Rimsys created an entirely new module to handle Unique Device Identifier (UDI) requirements as countries announced compliance dates related to UDI labeling and databases. In this example, and in others, each country has different requirements regarding the data that needs to be stored, the format of that data, and the ways in which it is to be reported.
A RIM system is not just a software development project. It requires the attention of regulatory professionals who can ensure that the system is properly handling the requirements of each country in which your device is marketed.
- Managing validation documentation
As with a medical device, a validated RIM system cannot be modified without following specific and documented procedures designed to ensure the system’s integrity. Any time a new feature is added, or a change is made to the system – whether it be a small bug fix or the addition of a major new function to address an updated regulation – the affected part of the system will need to be revalidated.
- System support
The cost of maintaining and supporting a system as complex as a RIM system is significant. Such costs include not only the development costs, but the cost to train and support users of the system on an ongoing basis. If you are using internal resources, as many companies do, it is important that you include the lost opportunity cost for your development team in cost calculations. What are your developers not working on while they build your RIM system?
Consider carefully whether your IT team is positioned to become a software development team in the long-term. An IT team that is advocating for an in-house solution should be able to provide a plan for how often new features will be provided, how the system will be supported, and how an ongoing product roadmap will be managed.
Reasons not to build a RIM system in-house
Considering the above information, the primary arguments you can make against building a RIM system in-house are:
- Building a RIM system is not just a software development project. We will need to stay on top of changing regulations and requirements and be prepared to update the system frequently. Note that this is the primary argument to be made when an IT team is pushing for an in-house solution (a situation we see frequently).
- A RIM system built with internal resources builds your existing regulatory process into the system. Are you sure that those processes can’t be improved upon? A RIM system that is used by many medtech companies not only includes built-in industry best practices but will evolve to support new workflows and processes as the industry changes. A custom-built RIM system will have none of those advantages.
- The system will need to be validated and certified according to several standards and regulations, like our medical devices. This has the potential to significantly increase the scope of our ISO-related processes and other internal procedures.
- Purchasing a dedicated RIM system from a company that is solely focused on providing up-to-date functionality for regulatory professionals is a safer and simpler choice.
We have worked with a number of companies that ultimately chose to implement Rimsys after attempting to build a RIM system in-house. Faced with the unexpected complexity of the development project, they ultimately chose to go with a packaged solution. Be sure to carefully evaluate all potential costs, including on-going costs, when making the build vs buy decision.
Post-market surveillance for medical devices in the European Union
This article is an excerpt from Post-market surveillance for medical devices in the European Union.
Table of Contents
- What is post-market surveillance?
- What classes of medical devices require post-market surveillance?
- Components of a successful post-market surveillance plan
- PMS data requirements
- Post-market surveillance system goals
- Required post-market surveillance reporting
- Embracing post-market surveillance as an integral part of your quality program
- Getting started with post-market surveillance
Post-market surveillance (PMS) is designed to monitor the performance of a marketed medical device by collecting and analyzing field use data. Article 10 of the EU MDR and IVDR requires all device manufacturers to have a post-market surveillance system in place. The main elements of the PMS are laid out in Article 83, and additional details for lower-risk and higher-risk devices are covered in Articles 84 and 85, respectively.
In general, a PMS system consists of both proactive activities and reactive, or vigilance, activities. While post-market surveillance and vigilance are sometimes used interchangeably, vigilance consists of separate activities that feed post-market surveillance programs.
Post-market surveillance systems are used to collect and analyze data not only about the manufacturer’s device but also about related competitors’ devices that are on the market. Data collected through PMS procedures is then used to identify trends that may lead to, among other things, quality improvements, updates to user training and instructions for use, and identification of manufacturing issues.
Note that “market surveillance” encompasses activities performed by a Competent Authority to verify MDR compliance, and should not be confused with the topic of this ebook, “post-market surveillance,” which is performed by the manufacturer.
All medical devices marketed in the EU require some level of post-market surveillance, and all medical device manufacturers must implement a post-market surveillance system (PMS). The requirements of the PMS, however, vary and should be “proportionate to the risk class and appropriate for the type of device” (MDR Chapter VII). In particular, the type and frequency of reporting vary based on a device’s risk class.
A post-market surveillance plan (PMS) is an integral part of a manufacturer’s quality management system and provides a system for compiling and analyzing data that is relevant to product quality, performance, and safety throughout the entire lifetime of a device. The PMS should also provide methods for determining the need for and implementing any preventative and corrective actions. A PMS system should include and define:
Surveillance data sources
With the increased focus on proactive risk identification in the MDR, it is important to design post-market surveillance systems that actively acquire knowledge and detect potential risks. It is not sufficient to rely solely on spontaneous reporting by healthcare providers, patients, and other stakeholders.

In addition to information coming from Clinical Evaluation Reports and complaint and adverse event reporting, typical sources of surveillance data include:
- Social media networks: Because many of your stakeholders may be communicating on social media networks, it is important to employ social listening techniques and/or tools to identify issues and concerning trends as they develop.
- Industry and academic literature: Any studies, academic papers, and other literature that addresses similar devices or the specific use cases for which your device is designed should be evaluated. In particular, risk factors and adverse events identified with similar devices should be closely examined. It is also important to identify newer technologies that may affect the benefit-risk ratio and establish a new definition of “state of the art” for the device type.
- EUDAMED: While the European Database on Medical Devices (EUDAMED) is not yet fully functional, it is intended to provide a living picture of the lifecycle of all medical devices marketed in the EU. Manufacturers should take special care to consider information for similar devices made available through the EUDAMED system in the future.
- Registries: Patient, disease, and device registries can provide information that informs the clinical evaluation process which provides input into the post-market surveillance system.
Data analysis methodology
A well-defined data analysis methodology will accurately identify trends and lead to defendable decisions in the application of post-market experience. Once the necessary information has been identified and collected, and potentially cleaned of incomplete or otherwise unusable data, the data needs to be analyzed.
The goal is to identify meaningful trends, correlations, variations, and patterns that can lead to improvements in the safety and efficacy of the device. There are many data analysis tools available that can assist with:
- Regression analysis that will identify correlations between data (e.g. the device location/geography correlates to battery life).
- Data visualization that can be useful in spotting trends in the data.
- Predictive analytics, which can be particularly useful with large data sets, to identify future trends based on historical data.
- Data mining, which is also normally used with large datasets, to organize data and identify data groups for further analysis.
Benefit-risk indicators and thresholds
The MDR requires that medical device manufacturers not only demonstrate the clinical benefit of their device but also quantify the benefit-risk ratio. The benefit of a device must be shown to clearly outweigh the risk for it to gain market approval. Article 2 (24) of the MDR defines the benefit-risk determination as “the analysis of all assessments of benefit and risk of possible relevance for the use of the device for the intended purpose when used in accordance with the intended purpose given by the manufacturer.”
A PMS system should clearly define benefit-risk calculations and the data used to support them. Post-market surveillance activities are critical in order to re-evaluate and maintain the benefit-risk calculations and determinations of a device throughout its life. Information that is gained through a PMS system can lead to:
- Identification of new risk factors.
- Adjustments to risk frequency and/or severity values based on actual use data.
- Adjustments to established risk calculations based on new “state of the art” technologies becoming available.
- Adjustments to established benefit calculations based on actual use data.
While complaint handling and other feedback tracking are more often described as part of post-market vigilance systems, they play a role in the more proactive post-market surveillance processes as well. A PMS system should define ...
Regulatory should be a revenue function
“Regulatory has a seat at the table.” This quote, while seeming innocuous, is actually quite meaningful. The context is a discussion about regulatory digital transformation. At RegUP Boston, one of our customers was discussing the organizational conditions that led to a large-scale digital transformation initiative across regulatory affairs for an enterprise medical device manufacturer. The change was precipitated by a clear awareness of the impact that regulatory affairs has on both the top and bottom lines of the business. As a result, the regulatory team was given a voice in business strategy, and an opportunity to invest in growth.
The challenges of ‘cost-center’ thinking
At some level, this would seem obvious. Of course regulatory affairs is strategic in a highly-regulated industry. Yet despite this, most RA teams are treated primarily as a cost center—a function that doesn’t directly contribute to revenue or profit. This means that the business is continually looking to minimize the cost incurred by regulatory activities, but more importantly, it leads to significant friction between teams. Rather than a go-to-market partner, regulatory is viewed as an operational impediment to revenue generation by sales and marketing teams.
Cost-center thinking also manifests itself in poor measurement and objectives for regulatory teams. Often regulatory teams are assessed by volume-based metrics: number of submissions completed, speed of submission completion, and percentage completed ‘on-time’. While these are decent measures of output, they don’t have a direct correlation with revenue. Submissions or renewals that can be completed quickly aren’t necessarily associated with the highest-value products or markets.
Staffing levels also aren’t well optimized in a cost-center mindset. Apart from attempting to minimize full-time regulatory staff, many companies allocate regulatory headcount based on device risk classes or number of markets served. Again, these are good benchmarks for ongoing work volume, but they don’t necessarily align with future go-to-market plans or revenue targets for different product lines. This approach can leave RA teams under-resourced, and force businesses to rely on consultants when regulatory staffing levels “unexpectedly” don’t match go-to-market needs.
Regulatory is a key contributor to revenue and profit
Treating regulatory affairs as a cost center misses an important reality: regulatory clearance is an essential aspect of revenue generation in the medtech industry. It’s a prerequisite for growth, as any new product or geographic expansion of an existing product requires a new market submission and approval from health authorities before it can be sold. Regulatory affairs also has direct responsibility for sustaining revenue. The regulatory lifecycle of a product doesn’t end after market clearance. RA teams ensure the continued revenue stream from a product by keeping track of license expirations, relevant regulatory and standards changes, and managing post-market surveillance activities.
Unlike (necessary and valuable) support functions like accounting or IT, there’s a direct line between regulatory activities and revenue for the business. This means that RA functions are obviously important, but also that alignment between sales, marketing, and regulatory affairs is necessary for go-to-market success.
An analogy: sales & marketing alignment
There is a similar dynamic at almost any B2B business between sales and marketing teams. Nobody would question that both sales and marketing have responsibility for revenue generation, but that doesn’t always mean they are closely aligned. If teams don’t have an agreed-upon revenue target (X% of sales should be driven by marketing activities), marketing teams can end up measuring themselves on things that have less direct business impact such as website traffic or re-shares of social media posts. This leads to conflict between teams as different activities are prioritized, and sales teams perceive that marketing isn’t an active, helpful partner.
It’s not that marketing teams aren’t executing in the outlined scenario, it’s that the measures and priorities aren’t aligned. When sales and marketing share a defined revenue goal, upstream measurements like new lead and pipeline generation guide marketing activity prioritization. Marketing reports on results that are relevant to sales goals, and sales teams have clarity into how marketing is contributing. The result is an aligned and productive, rather than adversarial, go-to-market motion.
What does revenue-aligned regulatory affairs look like?
Note that this is not an accounting discussion. Alignment here is not about how medtech companies should account for expenses associated with regulatory compliance. Rather it’s about how regulatory objectives and investments should be structured. Changing those structures to be revenue aligned produces two beneficial outcomes.
The first is in regulatory planning. When marketing activities are derived from revenue goals (like pipeline generation) the result is that activities that have the highest revenue impact are prioritized. If regulatory affairs teams carry a revenue target, the projects that are prioritized are those with the highest revenue impact. This simple criterion drives closer alignment between regulatory, marketing, and sales teams, and prevents priorities from being determined by the “loudest” voices in the room, or project length/complexity—which can happen when RA teams are measured on activity alone.
The second outcome is a shift in investment strategy. In a cost-center mindset, all investments are designed to minimize costs. In a revenue mindset, investments are driven based on expected returns. When regulatory projects are prioritized according to revenue impact, it’s easier to allocate headcount based on the anticipated workload as a return on each additional hire can be easily estimated. The same goes for investments in technology and tools. With a direct line between work product and revenue, it’s easier to make the business case for investment. In the same way that marketing campaigns require investment to generate sales opportunities, regulatory projects require investment to create revenue for the business.
Revenue alignment improves organization and focus for regulatory affairs teams. It allows them to effectively prioritize activities, and plan to adequately staff them. It reduces a focus on activity for activity’s sake and instead strengthens alignment across all go-to-market teams. It also makes it easier to justify investments in improving regulatory processes. From new tools to end-to-end digital transformation, regulatory affairs can be optimized to deliver on revenue projections.
Why give regulatory a “seat at the table”?
Medical device and in vitro diagnostic companies simply won’t have a choice. The current approach to managing regulatory affairs isn’t keeping up with the pace of change in the industry. The MDR and IVDR rollout in the EU is expected to leave 50% to 76% of the products currently on the market behind. RA teams that are measured on work volume (as much as possible) at the lowest possible cost aren’t effective in this environment, and the organizational friction between them and other go-to-market teams will only further hinder execution.
Companies that succeed in today’s environment are those that take a different approach to regulatory affairs. By treating regulatory as a revenue function and aligning regulatory activities to financial goals, companies can more strategically plan for regulatory workload. They can prioritize projects that have the largest impact on the business while reducing churn and repetitive administrative work within the team. They can justify investments in productivity and process improvement by tying them to expected return for the business. And they create tight alignment across marketing, sales, and regulatory affairs in an integrated go-to-market motion for the business.
Ask us Anything ... about China submissions!
Your submission questions answered for imported devices in China
Our latest “Ask us Anything” webinar this week focused on the topic of medical device submission strategies for China, specifically for devices being imported into China. Karen Cohn, Regulatory Specialist here at Rimsys, was on hand to answer everyone’s questions. Karen specializes in international submission strategies and was a subject-matter expert on NMPA submissions while at Philips.
In this article, we have included the most common questions we received and put them together with their answers, along with related links to additional information that was mentioned during the webinar.
Remember that you can always ask us a question by using #AskRimsys on Twitter or LinkedIn - or using our short survey. Your questions help us select topics for upcoming webinars, and every week we select one question to answer directly on our social media channels.
The following list provides direct links to relevant CMDE information (Center for Medical Device Evaluation of the NMPA). These sites are in Chinese, and we have found that Google Translate does a good job of providing English versions for purposes of researching regulations. Be sure, however, to obtain verified translations for documents and regulations that are important to your organization.
- CMDE Main Page
- CMDE QMS Guidance
- Class I CMDE Guidance (requirements and instructions are in the documents at the bottom of the page)
- Clinical Evaluation Guidance (following the guidance depends on which Sub-Category your device falls under)
- Guiding Principles
- Innovative Device Pathway
Karen’s answers are below.
Q: Do I need to have submission documentation translated into Cantonese or Mandarin?
Cantonese and Mandarin are spoken dialects of Chinese. What you are looking for is a Simplified Chinese Translation, which is the written language. There is also a written language called Traditional Chinese, but the NMPA only accepts translations into Simplified Chinese. You will also need to provide the original document as well.
Q: How do I find the NMPA standards that may be applicable to my device?
The CMDE (Center for Medical Device Evaluation) has information on its standards and guiding principles (see additional links at the top of this article).
Standards for China have differences from their ISO and other standard association counterparts. There may be different labeling, testing, and other requirements. I would highly suggest that you get verified translations of these standards and review them during the developmental period of your device.
Q: Could you elaborate on essential principles and using the EU GSPRs instead?
You can try to use EU GSPRs, but it is important that you do a gap analysis first and note that the EU GSPR will be using ISO and Harmonized Standards, whereas the NMPA essential principles will need to use NMPA standards. Note that the NMPA is very particular about the organization of their submission information, which includes essential principles.
Q: Is there a pathway for combination products, or is China similar to the EU in that the drug and the device need to be approved separately?
The short answer is that there is a combination pathway, which is closest to the pathway available with the FDA. You are required to submit to the CMDE and the CD (Center for Drugs) and they coordinate with each other and with you. I would highly recommend having a pre-submission meeting to determine which agency should be leading the process.
Q: How do I let leadership know of the personnel cost of registering in China?
It is important to align with your manager and director if you are a specialist, especially if they are not currently aware of the process of registering a device in China.
Q. How do I effectively work with my China counterparts to coordinate my submission activities?
I’ve been in situations where you are working with a China counterpart - sending them detailed information and documents mainly by email and SharePoint - but you don’t get the final documentation back to review and don’t see the final submission product. The actual submission can become a bit of a black hole, which is a compliance risk. Using a tool like Rimsys can help, because it allows you to create separate submission templates such as the NMPA PTR and the NMPA eRPS ToC. You can then use these templates to easily create the submission documents. You also can clearly assign owners and track progress for each section of the submission to clearly indicate who should be doing the work.
Q: Could you elaborate on QMS requirements?
QMS requirements have recently been updated, and the NMPA is now requiring QMS information in submission documentation. For a while, there was no guidance regarding QMS requirements, but guidance has recently been released for the inspection criteria.
Q: Could you elaborate on clinical evaluation requirements?
Clinical evaluation requirements depend on the device type. There are a number of pathways listed on the CMDE website and your clinical team will need to understand which one is applicable to your device(s).
Q: For large devices, such as MRIs, are there any unique steps or additional information we need to provide?
Building and installing a device can take 18+ months and special site requirements need to be met before clinical trials can start.
You can certainly include this information in your submission. Strongly consider sending someone from your organization with the device when it is time for type testing. It is up to the manufacturer to make sure that the type testing is done correctly, to your standard, and under conditions that are compliant with your requirements.
Q: Does NMPA have an abbreviated pathway if the device has been 510(k) cleared or EU CE marked?
China requires that the device be approved/cleared in its country of origin. This doesn’t provide an abbreviated pathway.
Q: What is a PTR?
PTR stands for Product Technical Requirements. It is a document that outlines the device specifications and testing methods based on the applicable Chinese standards. This is an important document used for the in-country testing required for registration in China and for the NMPA submission. Once approved, the NMPA testing center will stamp the PTR and send a testing summary. Both items are needed for the market access submission for Class II and III regulated products. Class I devices also need a PTR even though they do not go through type testing.
Q: Do medical device registrations expire?
Class II and Class III registrations expire 5 years after their certificate approval date. The renewal must be submitted six months prior to the expiration date.
If the mandatory standards for medical devices have been revised, you may need to submit a change notification. Note that a change notification and a renewal cannot be submitted in parallel, so be conscious of the requirements and leave yourself enough time to get through the submission process.
Q: Are pre-submission consultations available?
Yes, pre-submission consultations are available through the NMPA. Ensure that you document all meetings and discussions, as meeting notes must be included in market-entry submissions for Class II and Class III devices.
FDA databases
The FDA maintains many publicly accessible databases that are valuable to medical device manufacturers preparing product submissions, compiling post-market data, researching guidance documents, and more. We have listed some of the most commonly used databases below, along with a summary of information they provide and how they can be used.
FDA databases useful for new medical devices
Product Classification
This database contains medical device names along with the three-letter device product code and device classification. Manufacturers may use this database to properly classify a new device.
- Search the CDRH product classification database
- Read A primer of medical device classification (includes device classification information for multiple countries)
Pre-market Notifications - 510(k)
The 510(k) database includes all released 510(k) submissions and can be searched by 510(k) number, type, product code, device name, and more. To use the 510(k) pre-market notification process for a new device, an existing predicate device that also used the 510(k) process must be identified. Use this database to identify devices that are substantially equivalent to the new device and meet the requirements of a predicate device.
Pre-market Approvals (PMA)
The PMA database lists pre-market approvals, including supplements that have been approved. PMA data can be searched by PMA number, device name, decision date, supplement type, and more. A new device that is substantially equivalent to a PMA-approved device will require a PMA and be classified as a Class III device.
- Search the Pre-market Approval (PMA) database
- Read The beginner’s guide to the FDA PMA submission process
De Novo
The De Novo database includes all De Novo classification orders and can be searched by De Novo number, product code, 510(k) number, device name, and more. The De Novo process allows medical device manufacturers to request reclassification for novel devices with low- to moderate-risk profiles that would otherwise be automatically classified as Class III devices.
Devices@FDA
The Devices@FDA database provides a simple search of both the 510(k) database and the PMA database. While convenient for initial searches, it only allows searches by device name and approval date.
Standards and guidance documents
CFR Title 21
The FDA maintains a searchable online reference database for Title 21 that provides an organized table of contents and timelines of changes to the regulation.
FDA guidance documents
FDA guidance documents provide the FDA’s interpretation of regulatory policies, discuss the application of regulations to specific products, and also provide guidance for industry. Guidance documents can be searched for based on product, topic, issue date, FDA organization, and more. In addition, users may browse a list of guidance documents by topic.
FDA recognized consensus standards
The FDA provides a searchable database of voluntary consensus standards to which the agency will accept a declaration of conformity. Because these are standards developed by different organizations, this database can be searched by standards and organization, along with keywords, product codes, and more.
Unique Device Identifier - UDI
GUDID
AccessGUDID provides searchable access to the GUDID database of device information, including the device identifier, device name, company name, and more.
- Learn more about GUDID and searching the GUDID database
- If you are looking for information on submitting UDI information to the GUDID database, see the FDA’s GUDID submission page.
FDA post-market databases
522 Post-market surveillance studies program
This database allows users to search post-market surveillance studies by manufacturer or device. The 522 post-market surveillance studies program defines requirements for the design, tracking, oversight, and review of studies mandated under section 522 of the FD&C Act.
MedSun reports
The Medical Product Safety Network (MedSun) is an adverse event reporting program, launched in 2002, that is designed to allow the CDRH to work collaboratively with the clinical community to identify, understand, and solve problems related to the use of medical devices.
Post-approval studies (PAS)
The post-approval studies (PAS) database contains information about studies that manufacturers are required to complete as a condition of device approval. The PAS database can be searched by applicant or device information.
Medical device recalls
The medical device recall database contains recall information since November 1, 2002, and can be searched by product, recall class, product code, recall date, root cause, and more.
MedWatch
MedWatch is the FDA safety information and adverse event reporting system that is available to health professionals, patients, and consumers. Note that in addition to medical devices, MedWatch is available for reporting on medicines, biologics, cosmetics, and food.
Additional FDA databases
Establishment registration and device listing
The registration and listing database contains information on all establishments engaged in the manufacture, preparation, propagation, compounding, assembly, or processing of medical devices. It also includes listings of medical devices in commercial distribution by both domestic and foreign manufacturers. Establishment owners are generally required to register their facilities and devices with the FDA annually.
Total product lifecycle (TPLC)
The TPLC database includes both pre-market and post-market data about medical devices, including PMA and 510(k) approvals, adverse events, and recalls. The TPLC database can be searched by device name or product code and includes full reports by product line.
Do your research!
In many cases, the same information is contained in multiple databases, so take the time to understand which databases provide the right combination of data for your needs. This article references only a portion of the FDA databases. See the FDA’s Medical Device Databases listing for all of the available FDA databases.
IMDRF: International Medical Device Regulatory Forum
The medical device industry is vast and diverse, with each country or regional authority having its own regulatory body and requirements. For instance, medical devices are classified in ascending order of risk in the United States, with Class I devices being the lowest risk class. Devices that pose the highest risk to users or patients and require the most regulatory oversight (pacemakers, defibrillators, etc.) are Class III devices, and devices that pose a moderate risk, such as syringes and catheters, are Class II devices. While this is a logical way to categorize medical devices, not every country uses this model.
Medical device regulations will likely never be universally uniform. Still, there is a concerted effort on behalf of regulatory experts from some of the largest medical device markets in the world to harmonize regulations and regulatory best practices. The International Medical Device Regulatory Forum (IMDRF) is a body of medical device regulatory specialists from around the world working together to standardize regulations and “accelerate international medical device regulatory harmonization and convergence.” While the IMDRF isn’t a regulatory body, its guidelines are often adopted by its member countries and adapted to fit their regulations and initiatives. In this article, we’ll give you an overview of the IMDRF, including its history and how its work impacts the global medical device industry.
The IMDRF’s beginning
The IMDRF was conceived in 2011 when Australia, Brazil, Canada, China, the EU, Japan, the US, and the World Health Organization (WHO) met to discuss the formation of this forum. One of their main goals was to build on and expedite the work of the Global Harmonization Task Force (GHTF), the organization that laid the foundation for the IMDRF.
The idea for the GHTF came from a meeting between representatives from the US, EU, Canada, and Japan in 1992. They met to discuss the possibility of forming a “consultative body” of regulatory specialists with the goal of “harmonizing medical device regulatory practices” worldwide. The GHTF held its first meeting in January 1993, forming study groups to evaluate different aspects of regulatory processes, including each member nation's quality management and Good Manufacturing Practices (GMPs). Today, the IMDRF continues to build on the strong foundation laid by the GHTF.
IMDRF members
As mentioned, the IMDRF works to harmonize medical device regulatory best practices worldwide. This mission requires the cooperation of regulators from many countries, performing in-depth studies and publishing guidelines that shape the global regulatory landscape. The IMDRF comprises 11 members, listed here with their regulatory authorities:
- Australia - Therapeutic Goods Administration (TGA)
- Brazil - Brazilian Health Regulatory Agency (ANVISA)
- Canada - Health Canada
- China - National Medical Products Administration (NMPA)
- The European Union - European Commission (EC)
- Japan - Pharmaceuticals and Medical Devices Agency (PMDA)
- Russia - Russian Ministry of Health
- Singapore - Health Sciences Authority (HSA)
- South Korea - Ministry of Food and Drug Safety (MFDS)
- The United Kingdom - Medicines and Healthcare products Regulatory Agency (MHRA)
- The United States of America - US Food and Drug Administration (FDA)
IMDRF functions
The IMDRF is an international medical device regulatory forum that offers guidance rather than implementing binding regulations, i.e., they don’t have the authority to mandate directives. According to the FDA, they “develop internationally agreed upon documents related to a wide variety of topics affecting medical devices.” Its members develop these documents by conducting studies via working groups, which we discuss in the next section.
IMDRF working groups
The IMDRF working groups are like subcommittees that focus on specific regulatory issues pertaining to medical devices. They address new technology, trends, and areas where harmonization of standards and regulations would be most beneficial. Their working groups conduct studies and research with the aim of providing regulatory best practices and universally applicable guidelines. There are currently seven active working groups:
- Adverse Event Terminology
- Artificial Intelligence Medical Devices
- Good Regulatory Review Practices
- Medical Device Cybersecurity Guide
- Personalized Medical Devices (PMD)
- Regulated Product Submission
- Software as a Medical Device (SaMD)
There are various participants in every active working group, and these groups can also include regulatory bodies that aren’t IMDRF members. Through their sharing and collection of data, working groups gain valuable insights that enable them to create guidelines that IMDRF members can implement relatively easily around their existing medical device regulations. This helps to ensure the safety and efficacy of medical devices while promoting the harmonization of regulatory best practices and standards. The resulting documents serve to accelerate the convergence of medical device regulations around the globe; the working groups have produced 69 guidances to date.
The IMDRF might not be a regulatory body or have any binding authority, but they are well respected within the medical device community. Their guidance documents help to shape regulatory standards in the world’s largest medical device markets. Staying abreast of IMDRF developments is a regulatory intelligence best practice (much like having a holistic regulatory information management system that provides structure for the medical device industry). Shameless plug aside, understanding the current undertakings of IMDRF working groups is a great way to better understand what’s going on in the medical device regulatory world and what changes might be coming down the road.
To learn more about the IMDRF, visit their website at imdrf.org.
