Featured
Rimsys Announces Rimsys AI to Eliminate Repetitive Tasks and Enhance Decision-Making for MedTech Regulatory Teams
Rimsys, the leading Regulatory Information Management (RIM) platform for the MedTech industry, today announced the launch of Rimsys AI, a suite of embedded artificial intelligence (AI) agents.
The beginner's guide to the FDA De Novo classification process
This article is an excerpt from The beginner's guide to the FDA De Novo classification process ebook.
Contents
- Introduction
- Chapter 1: What is an FDA De Novo request?
- Chapter 2: Contents of a De Novo request
- Chapter 3: Submitting a De Novo request
- Appendix A: Acceptance review checklist
Congratulations, you have successfully developed a new medical device! Now you need to take it to market. Normally in the United States this would mean completing a 510(k) submission. However, the 510(k) relies on “substantial equivalence”—a comparison to a similar device already on the market (also called a predicate device) to assess the risk profile of the new device. What if your device is totally new, and there isn’t a similar device to compare it to? Enter the FDA De Novo process. The De Novo process provides a pathway to market for novel devices with a low to medium risk profile.
What does De Novo mean?
According to the Merriman-Webster dictionary, de novo is a Latin word meaning “as if for the first time; or anew.” Perfectly fitting that the FDA uses this term “De Novo” to describe market approval requests for new medical devices or technology where there is no comparable predicate device on the market.
The Food and Drug Administration Modernization Act of 1996 provided the FDA with the authority to create the De Novo Classification Process. It's a process that uses a risk-based strategy for a new, novel kind of medical device, in vitro diagnostic, or medical software solution whose type has previously not been identified and/or classified. It’s a process by which a novel medical device can be classified as a Class I or Class II device, instead of being automatically classified as Class III, which may not be appropriate. Before the implementation of the De Novo process in 1997, all the “not substantially equivalent” (NSE) products were required to be initially classified as a Class III device. But for a lot of devices, this risk class didn’t really make sense. The De Novo process provides a pathway for more accurate classifications of novel, lower-risk devices.
October, 2021, the FDA released a final guidance document "De Novo Classification Process (Evaluation of Automatic Class III Designation)" to provide guidance to the requester (also known as the manufacturer) and the FDA on the process for the submission and review of a De Novo Classification Request under section 513(f)(2) of the Federal Food, Drug, and Cosmetic Act (the FD&C Act). This process provides a pathway to an initial Class I or Class II risk classification for medical devices for which general controls or general and special controls, provide a reasonable assurance of safety and effectiveness, but for which there is no legally marketed predicate device. This guidance document replaced the "New Section 513(f)(2) – Evaluation of Automatic Class III Designation, Guidance for Industry and CDRH Staff" document, dated February 19, 1998.
Consistent with the final rule, the FDA updated the guidance documents below to provide recommendations for submitting De Novo requests, as well as criteria and procedures for accepting, withdrawing, reviewing, and making decisions on De Novo requests, effective January 3, 2022.
- User Fees and Refunds for De Novo Classification Requests
- FDA and Industry Actions on De Novo Classification Requests: Effect on FDA Review clock and Goals
- Acceptance Review for De Novo Classification Requests
The 510(k) and the De Novo processes are similar in that they are both pathways to market for medical devices with low to moderate risk, which is Class I and Class II. The biggest difference between the two is that the 510(k) heavily relies on the concept of "substantial equivalence" to an existing medical device. You must prove this to get the clearance of your 510(k) submission. In the De Novo process, there isn’t a product currently on the market that is “substantially equivalent” to yours, so it’s like starting with a clean slate. For more on the 510(k) process, see our Beginner’s Guide to the 510(k) ebook.
A result of the De Novo process to be aware of is that a successful submission will lead to a new predicate device type that someone else can reference to bring their product to market through the 510(k) process. You’ve done all the work, so now it’s available for anyone to use to provide "substantial equivalence".
De Novo history/timeline
Preparing a De Novo request
1. Do your research! Be sure to complete all the necessary research prior to your submission. You want to be sure that your device is not substantially equivalent to an existing device. Resources to review include:
- The Center for Devices and Radiological Health (CDRH)
- U.S. FDA Device Classification Database
- Device Classification Under Section 513(f)(2)(De Novo)
2. A De Novo request can be submitted with or without a preceding 510(k). There are two options for when you can submit a De Novo request:
Option A: After receiving a not substantially equivalent (NSE) determination (that is, no predicate, new intended use, or different technological characteristics that raise different questions of safety and effectiveness) in response to a 510(k) submission.
Option B: If you’ve determined, after extensive research, that there is no legally marketed device on which to base a determination of substantial equivalence.
3. Be sure all fees are paid to the FDA in advance of submitting a De Novo request. The FDA’s fiscal year begins in October and runs through the following September. Fees have increased each year since they were introduced, but the FDA’s percentage of reviews completed within the 150-day window has increased as well.
A business that is qualified and certified as a “small business” is eligible for a substantial reduction in most of the FDA user fees, including De Novo. The CDRH is responsible for the Small Business Program that determines whether a business is qualified.
Medical Device User Fee Amendments (MDUFA) guidance documents can provide more detailed information about all FDA user fees.
4. The initial request process serves only to determine if the De Novo request is administratively acceptable based upon the Acceptance Checklist. The initial acceptance is followed by substantive review which will determine the final risk classification of your device.
5. A Pre-Submission (Pre-Sub) is a formal written request for feedback from the FDA that is provided in formal written form, and then followed by a meeting. Although a Pre-Sub is not required prior to a De Novo request, it can be extremely helpful to receive early feedback, especially for devices that have not previously been reviewed under a 510(k). If you think you would like to submit a pre-sub first, there are suggested guidelines for submission you should consider:
- Describe your rationale for a Class I or Class II classification for your device.
- Provide the search results of FDA public databases and other resources used to determine that no legally marketed device and no classification for the same device type exists.
- Provide a list of regulations and/or product codes that may be relevant.
- Provide a rationale for why the subject device does not fit within and/or is different from any identified classification regulations, based on available information.
- Identify each health risk associated with the device and the reason for each risk.
- Briefly describe any ongoing and/or planned protocols/studies that need to be completed in order to collect the necessary data to establish the device’s risk profile.
- Provide information regarding the safety and effectiveness of the device. Cite the types of valid scientific evidence you anticipate providing in your De Novo request, including types of data/studies relating to the device’s safety and effectiveness.
- Briefly describe any ongoing and/or planned protocols/studies that need to be completed to collect the necessary safety and effectiveness data.
- Provide protocols for non-clinical and clinical studies (if applicable), including how they will address the risks you anticipate and targeted performance levels that will demonstrate that general controls or general and special controls are sufficient to provide reasonable assurance of safety and effectiveness.
- Share any proposed mitigation measure(s)/control(s) for each risk, based on the best available information at the time of the submission. Highlight which mitigations are general controls and which are special controls and provide details on each.
- Include any other risks that may be applicable, in addition to those identified in the Pre-Sub, given the indications for use for the device.
- If applicable, provide any controls that should be considered to provide a reasonable assurance of safety and effectiveness for the device.
- Provide any non-clinical study protocols that are sufficient to allow the collection of data from which conclusions about device safety and/or effectiveness can be drawn. These protocols should address whether the identified level of concern is the appropriate level of concern for the device software, and if any additional biocompatibility and/or sterility testing is required.
- If clinical data is needed, provide information to show that the proposed study design and selected control groups are appropriate?
6. The FDA will attempt to review the De Novo request submission within 15 calendar days of receipt of the request to make a determination that the submission is declined or accepted for review. If they are unable to complete the review within the 15 days, your submission will automatically move to “accepted for review” status. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/de-novo-classification-process-evaluation-automatic-class-iii-designation
7. There are times when the FDA will refund your application fee. They have created a guidance document “User Fees and Refunds for De Novo Classification Requests” for the purpose of identifying:
- the types of De Novo requests subject to user fees
- exceptions to user fees
- the actions that may result in refunds of user fees that have been paid
When is a De Novo request subject to a user fee?
When will the FDA refund a De Novo user fee?
What fee must be paid for a new device submission following a De Novo “decline” determination?
To continue reading this eBook including a detailed walk-through of all the Traditional 510(k) components, submission requirements and timelines, and an overview of the other 510(k) forms including the Abbreviated 510(k) and the Special 510(k), please register to download the full version.
The ultimate guide to the medical device single audit program (MDSAP)
This article is an excerpt from The ultimate guide to the medical device single audit program (MDSAP) ebook.
Table of contents
- What is MDSAP?
- History of MDSAP
- Who is responsible for the MDSAP?
- How does an MDSAP audit work?
- Audit sequence
- You got a nonconformity – now what?
- What does an MDSAP audit cost?
- Why choose the MDSAP certification process?
- Potential disadvantages of the MDSAP
- Ready to participate? – Here’s how to get started
- Completing a successful MDSAP audit
The Medical Device Single Audit Program (MDSAP) was designed and developed to allow a single audit of a medical device manufacturer to be applied to all country markets whose regulatory authorities are members of the program. The MDSAP provides efficient and thorough coverage of the standard requirements for medical device manufacturer quality management systems, and requirements for regulatory purposes (ISO 13485:2016). In addition, there are specific requirements of each medical device regulatory authority participating in the MDSAP that must be met:
- Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3)
- Brazilian Good Manufacturing Practices (RDC ANVISA 16)
- Medical Device Regulations of Health Canada (ISO 13485:2003)
- Japan Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents (MHLW Ministerial Ordinance No 169)
- Quality System Regulation (21 CFR Part 820), and specific requirements of medical device regulatory authorities participating in the MDSAP program.
This means that a report from a single MDSAP audit of a medical device manufacturer would be accepted as a substitute for routine inspections by all the member Regulatory Authorities (RAs) across the world. There are currently five participating Regulatory Authorities (RA) representing the following countries: Australia, Brazil, Canada, Japan and the USA.
In April, 2021, the RAs released an “Audit Approach” document (MDSAP AU P0002.006) that combines the formerly separate MDSAP Audit Model and Process Companion documents into a single guidance document. It includes guidance for assessing the conformity of each process and includes an audit sequence, instructions for auditing each specific process, and identifies links that highlight the interactions between the processes.
In March 2012 the US FDA announced that they had approved a final pilot guidance document “Guidance for Industry, Third Parties and Food and Drug Administration Staff: Medical Device ISO 13485:2003 Voluntary Audit Report Submission Pilot Program.” This allowed the owner or operator of a medical device manufacturing facility to be removed from FDA’s routine inspection work plan for 1 year upon completing a ISO 13485:2003 audit. This guidance document went into effect in June 2012, and was intended as an interim measure while a single audit program was being developed.
This pilot program was not very successful and few companies signed up because they did not see any advantage in participating. The manufacturer had to pay for a third party to inspect their facilities, generate a report, and share the inspection results back to the FDA. Many companies were reluctant to contract “someone else” to perform their inspection when they could easily wait for the FDA to conduct an inspection for free.
During its inaugural meeting in Singapore in 2012, the International Medical Device Regulators Forum (IMDRF) appointed a working group to develop a set of documents for a harmonized third-party auditor system. Hence, the “Medical Device Single Audit Program” (MDSAP) was formed. The concept was similar to the FDA’s original idea of creating a third-party auditor to help reduce their workload of performing regulatory audits of medical device manufacturers’ quality management systems. This new approach would consist of a single audit that would review regulatory QMS compliance, conducted by a third-party, who would later be called an Auditing Organization (AO).
From January 2014 to December 2016, five countries participated in a Medical Device Single Audit Program Pilot. In June 2017, a report was generated summarizing the outcomes of prospective “proof- of-concept” criteria established to confirm the success of the program. The outcomes are documented in the final MDSAP Pilot Report and recommended that the program become fully active and open to any manufacturer who requested this type of audit.
The governing body of the MDSAP is the Regulatory Authority Council (RAC), which is composed of two senior managers (and a few other staff members) from each participating RA. They are responsible for executive planning, strategic priorities, setting policy, and making decisions on behalf of the MDSAP International Consortium. The RAC also reviews and approves documents, procedures, work instructions, and more. The mission of the MDSAP International Consortium is to jointly leverage regulatory resources to manage an efficient, effective, and sustainable single audit program focused on the oversight of medical device manufacturers on a global scale.
Other international partners that are involved in the MDSAP include:
MDSAP Observers:
- European Union (EU)
- United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA)
- The World Health Organization (WHO) Prequalification of In Vitro Diagnostics (IVDs) Program
MDSAP Affiliate Members:
- Argentina’s National Administration of Drugs, Foods and Medical Devices (ANMAT)
- Republic of Korea’s Ministry of Food and Drug Safety
- Singapore’s Health Sciences Authority (HSA)
The observers and affiliate members are not the same as the participating member RA’s. The observers simply observe and/or contribute to RAC activities. Affiliate members, on the other hand, are interested in engaging in the MDSAP program and are subject to certain rules. They are only given access to a certain level of information about the manufacturers, audit dates, and information in audit reports.
They are also invited to attend sessions that are open to members, observers, and affiliates only.
Audits can also be conducted by MDSAP participating RAs at any time and for various reasons including:
- "For Cause" due to information obtained by the regulatory authority
- as a follow up to findings from a previous audit
- to confirm the effective implementation of the MDSAP requirements
The purpose of audits conducted by the RAs is to ensure appropriate oversight of the AOs MDSAP auditing activities. The AOs are appointed by the RAs and a list of the currently approved AO’s is published on the FDA website. Most AOs offer a broad range of management system certification services, beyond just medical devices. Manufacturers should verify that prospective AOs are clearly trained and perform MDSAP audits of medical devices.
AOs have the final word as to whether a manufacturer has met the requirements for the MDSAP during the execution of the audit and generation of the associated reports summarizing the results. MSDAP RAC participating RAs have the final decision regarding all development, implementation, maintenance, and expansion activities associated with the program.
Although an unannounced visit by an AO is rare, it can happen in circumstances where high-grade nonconformities have been detected.
To continue reading this eBook including a detailed look at the MDSAP audit process and grading, pros and cons of the approach, and how to get started please register to download the full version.
IEC 62304: Standard for medical device software
What is IEC 62304?
IEC 62304:2006 / AMD 1:2015 is the current version of the international standard that defines the software lifecycle processes for software used in medical devices. IEC 62304:2006 is considered a harmonized standard, meaning that it is recognized by the FDA and other regulatory agencies around the world.
Note that this standard applies both to Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD).
How is IEC 62304:2006 organized?
There are 9 chapters in IEC 62304. The first 4 chapters define the scope of the standard as well as references, terms, and general requirements. The following 5 chapters are as follows:
- Chapter 5 – Software Development Process. This chapter is the most important to fully understand because it defines the software development planning process, including requirements analysis, design, testing, and release processes.
- Chapter 6 – Software Maintenance. This chapter defines the need for a software maintenance plan, including implementation of a maintenance plan and issue analysis procedures.
- Chapter 7 – Software Risk Management. Identification of hazardous situations, risk control, verification, and risk management procedures assume that an organization-level risk management plan is in place following the ISO 14971 standard.
- Chapter 8 – Software Configuration Management. This includes change control and configuration status tracking.
- Chapter 9 – Software Problem Resolution. This chapter addresses investigating and reporting on problems, change control processes, trend analysis, and resolution testing and verification.
IEC 62304:2006 software risk categories
IEC 62304:2006 defines three classes of risk for medical device software based on the risk of harm from a hazardous situation which the software could cause or to which it could contribute. As with risk management systems for other medical devices, the procedures, controls, and processes for medical device software should be appropriate for the level of risk posed by the software.
- Class A – No injury or damage to health is possible.
- Class B – Injury is possible, but not serious.
- Class C – Death or serious injury is possible.
Software development and maintenance processes in IEC 62304
The software development process, as defined in Chapter 5 of this standard, lays out 8 process steps.
- Software development planning (5.1)
- Software requirements analysis (5.2)
- Software architectural design (5.3)
- Software detailed design (5.4)
- Software unit implementation and verification (5.5)
- Software integration and integration testing (5.6)
- Software system testing (5.7)
- Software release (5.8)
IEC 62304 recommended documentation
In general, the following list of deliverables is typically needed to establish conformance with IEC 62304:2006:
- Software development plan - Define processes, deliverables, and development activities. The plan should include the Life Cycle Activities, Risk Management Plan, Documentation Plan, Configuration Management Plan, Change Control process, and Problem Resolution process.
- Software verification plan - Describe the software test plan. Include all verification activities, such as code review, unit test and integration test plans, and the final system software verification test plan.
- Software classification – Classify the software based on risk level as Class A, B, or C per definitions in the standard. Classification should also be established per market-specific requirements (ie: FDA Class I, II, or III).
- Software description – High-level description of the software function, intended use, and technology used.
- Software requirement specifications - Include specifications for all requirements, including functional, performance, interface, and safety requirements.
- Software architecture - Include diagrams of subsystems, major components, and the interfaces between them. This can provide segregation of software entities for risk control.
- Software hazards analysis - The hazard analysis should identify potential hazards and the software components that could cause them. Include mitigations that feed back into the requirements. Be sure to include OTS and wireless QoS hazard analysis where applicable.
- Cybersecurity plan - Document cybersecurity controls and features, threat model, hazard analysis, and penetration testing.
- Detailed design descriptions - Include specifications detailing how the software is implemented.
- Off-the-shelf software list – Identify any OTS software used, including detailed information regarding source, version, and licensing.
- Code unit verification - Document the unit test and code review as performed to plan.
- Integration tests - Document the integration, regression, and OTS software testing performed per the plan.
- System software verification protocols - Document test protocols for final device software. Include requirements tracing and show coverage of requirements (using pass/fail criteria).
- Summary test report - Create a summary of all software verification per the verification and validation plan.
- Trace matrix - Link system requirements to software requirements to associated design specifications and test protocols in one document (typically a spreadsheet). Include software hazards with software mitigations.
- Revision level history - Document major revisions and releases made during development, including descriptions of each.
- Unresolved anomalies - Document any anomalies still present and their associated risk. Include justification for release.
- Software problem resolution process - Describe how reported problems are evaluated and investigated, including how change requests and any necessary regression testing will be handled.
Complying with IEC 62304
More than most other standards, IEC 62304 requires an understanding of multiple disciplines to ensure compliance. Be sure to include team members with expertise in software development, risk management, and regulatory affairs when defining processes related to this standard.
Complying with IEC 62304 is only part of what is required for market clearance for software as a medical device. In the U.S., a 510(k) submission is typically required. Read our 510(k) guide here.
RIM vs PLM software for medical device manufacturers
Regulatory affairs professionals at large medical device companies must manage heavy submission workloads, registrations for products currently on the market, and ever-changing regulatory requirements. Many RA teams are still relying on paper documents, spreadsheets, and other outdated tools and methods to complete this work, while others have taken steps toward digitization and automation of key processes.
Regulatory teams often struggle to find software tools designed specifically for them. Because the processes they manage are typically product-focused, RA teams may attempt to use software built for product design and engineering teams, including product lifecycle management (PLM) systems.
What is PLM software?
Product lifecycle management (PLM) applications provide a central system for managing everything from the design of a new product to testing and ongoing maintenance. PLM systems are typically used by multiple teams, including product design and engineering teams, to coordinate product-related processes. The core elements of a PLM system include:
- Document management of design files and process documents
- Product structure management (source of truth for bills of material)
- Product component detail tracking and approvals (attribute management)
- Workflow and project/task management for product-related processes
- Product version control
- Secure management and approval processes for engineering and product changes (ECNs, ECOs, etc.)
- Integration with CAD and PDM (product data management) tools
PLM software can be considered both a data warehouse and a secure project system. PLM systems are used for storing and retrieving all product design-related information; including version-specific manufacturing (CAD) drawings, specifications, and supplier requirements. These systems also manage the workflows associated with each stage of a product’s lifecycle, from the design process to product maintenance to end of life activities. For medical device manufacturers, the PLM system is typically where design history files and device master records are maintained.
What are RIM systems?
Regulatory information management (RIM) systems have been around for years in the pharmaceutical industry but are relatively new in the medical device industry. Holistic RIM systems enable users to create a single source of truth for all data associated with regulatory submissions and registration management. RA teams are able to focus on critical tasks by using RIM systems to digitize data and automate key processes.
RIM system functions are designed to support a range of regulatory activities across a product’s lifecycle. In addition to centralizing core regulatory data and managing regulatory registrations and certificates, RIM systems can also support:
- Submission planning, authoring, and assembly
- Market entrance requirements and pre-built submission templates
- Collaborative content authoring and project management
- UDI management
- Standards management
- Essential principles/GSPR management, including bulk updating
RIM systems also tend to be product-centric, structuring data around individual regulated products, but are focused on saleable products, components, and packages where PLM systems are focused on the manufactured items. This means that RIM systems can track product-specific data, such as sales status by country, and link standards with individual products to easily identify products affected by standards updates and assess their impact.
Integrating PLM and RIM systems
PLM systems will often be integrated with ERP systems to ensure the correct bills of material and other product details for the current version of the product are being used by the manufacturing system. PLM systems can also be integrated with eQMS (quality management systems) and RIM systems to ensure coordination of risk management activities, product updates, and quality data between the regulatory, quality, and product teams. Ideally, your regulatory team should be notified as early as possible of any planned updates or changes to a product that is in-market or pending market approval.
RIM for regulatory projects and processes
Digitization and automation of regulatory data are more critical as global regulations continue to change and become more complex. Getting a medical device to market is a difficult process, but RIM software cuts the time and costs associated with product registrations while providing tools essential for ensuring ongoing compliance. PLM systems are critical as well, but their focus on product design and other product details simply does not provide the functionality needed by regulatory teams. Integrate a strong PLM system with a holistic RIM system to give both your engineering and regulatory teams the tools they need to bring your products to market successfully and to maintain compliance. To get your regulatory ducks in a row, only a RIM system will do!
To learn more about the Rimsys RIM system, talk to one of our experts today.
The state of regulatory performance in 2023
Today at Rimsys, we unveiled the 2023 MedTech Regulatory Performance Report, a new set of insights into the state of medtech regulatory affairs. Compiled based on interviews with 200 regulatory professionals and executives, the study provides a detailed look into how regulatory teams are staffed, their processes, the tools they use, and ultimately how they perform.
Why did we create this study? There were two driving factors behind the research. The first was a common theme that we heard from a number of our customers: Regulatory leaders don’t have clear data and benchmarks. They don’t necessarily know how long a new market submission should take, and how to plan for or assess the work of their teams. While other studies look at the medtech industry broadly or the state of the regulatory profession, this study tries to build a comprehensive resource for regulatory (and company) leaders.
The second factor was really for ourselves and the team at Rimsys. As a company building solutions specifically for medtech regulatory affairs, we wanted more insight into where companies were successful, where they struggled, and where we can add value.
What did we find? Regulatory teams perform a lot of hero work and rate themselves highly for their accomplishments. At the same time there is a lot of opportunity for process improvements, and companies that invest in digital transformation for regulatory affairs see better performance.
Regulatory professionals are superheroes
Regulatory teams are generally pretty small. Most companies have less than 10 full-time regulatory professionals. These small teams complete an enormous amount of work. Last year on average, RA teams completed 50 license renewals, 50 license updates, and 10 new market submissions. This is impressive output.
Digging a bit under the covers, we found that this output relied heavily on the support of external consultants. 90% of companies use consultants to keep pace with their regulatory workload. Front-line employees also struggle with burnout. They were much more likely to report feeling under-resourced than regulatory leaders.
But process problems persist
A lot of regulatory work remains extremely manual. 70% of regulatory teams spend half their time or more on repetitive administrative tasks. All of this manual work increases the frequency of errors and required rework. 61% of companies reported a major non-compliance incident in the past 2 years.
Manual work also makes it difficult to complete regulatory projects in a timely fashion. Teams completed a lot of projects, but each took a long time. Over half of all companies spend 4 months or more on license renewals, license updates, and new market submissions.
Moving regulatory affairs forward
As regulatory requirements become more complex, there’s a natural question about how teams will work moving forward. MDR & IVDR in Europe have significantly increased the regulatory workload required to bring and keep products on the market. Will organizations be able to keep pace with the same resources, tools, and processes?
No, and the performance report shows that medtech companies are investing to improve their regulatory capabilities. The majority of companies are planning to increase the sizes of their RA teams in 2023, and 40% expect to increase their investments in regulatory software. Companies are increasingly adopting specialized software to better support regulatory processes.
Dig into the survey results
The full survey results provide insights into more aspects of regulatory performance. They show that companies need to take a deeper look into their processes and how regulatory resources are allocated. There are two ways to learn more:
- Visit the survey page to see the full results (the survey whitepaper can be downloaded at no cost)
- Watch the recording of our webinar with PA Consulting. We discuss the survey results in more detail and share our regulatory predictions for 2023
RIM vs eQMS software for medical device manufacturers
Regulatory affairs professionals at large medical device companies must manage heavy submission workloads, registrations for products currently on the market, and ever-changing regulatory requirements. Many RA teams are still relying on paper documents, spreadsheets, and other outdated tools and methods to complete this work, while others have taken steps toward digitization and automation of key processes.
Regulatory teams often struggle to find software tools designed specifically to help manage their regulatory projects. As a result, some RA teams attempt to repurpose software developed for other functions, such as electronic quality management systems (eQMS). While eQMS systems can provide some functionality that RA teams need, regulatory information management (RIM) software delivers a holistic platform designed to reduce administrative work and manage global compliance activities. In this post, we’ll compare eQMS and RIM software as they relate to regulatory compliance.
What is eQMS software?
Electronic quality management systems (eQMS) are software programs that help quality teams centrally store, monitor, and manage quality and compliance processes. These platforms are usually provided via cloud technology as software-as-a-service (SaaS) solutions. They aim to provide digitization and automation of critical tasks that quality teams traditionally handle manually, such as quality, compliance, and design processes. For medical device companies, these requirements are defined by multiple standards, most notably ISO 13485:2016, FDA 21 CFR Part 820, and the EU MDR.
Digitization and automation are growing trends in most industries, including regulatory affairs and quality management. As you know, medical device manufacturers, especially their quality and RA teams, must manage a large volume of data, of which accuracy and consistency are of the utmost importance. eQMS systems typically handle data and processes in support of the following:
- Document management
- Non-conformance tracking
- Audit management
- Risk management
- Corrective and preventive action (CAPA) management
- Training management
This means that while eQMS software provides some functions and certainly have information that RA teams can use, they are designed around the processes that quality teams are responsible for. RIM software, on the other hand, is designed specifically to help regulatory specialists work more effectively and efficiently.
What are RIM systems, and what do they do?
Regulatory information management (RIM) systems have been around for years in the pharmaceutical industry, but are relatively new in the medical device industry. Comprehensive RIM systems enable users to create a single source of truth for all data associated with regulatory submissions and registration management. These systems lighten the burden on RA teams by digitizing data and automating key processes.
RIM system functions are designed to support a range of regulatory activities across a product’s lifecycle. In addition to centralizing core regulatory data and managing regulatory registrations and certificates, RIM systems can also support:
- Submission planning, authoring, and assembly
- Market entrance requirements and pre-built submission templates
- Collaborative content authoring and project management
- UDI management
- Standards management
- Essential principles/GSPR management, including bulk updating
RIM systems also tend to be product-centric, structuring data around individual regulated products, as opposed to the process-centric approach taken by most eQMS systems. This means that RIM systems can track product-specific data, such as sales status by country, and link standards with individual products to easily identify products affected by standards updates and assess their impact.
Integrating eQMS and RIM systems
While processes in an eQMS system are designed to support quality and risk management requirements, they contain a lot of information that is relevant to regulatory affairs teams. RIM systems such as Rimsys are designed to integrate to eQMS, PLM, and ERP systems in order to coordinate processes and synchronize data. In the case of RIM and eQMS integrations, the systems can synchronize product master data to ensure smoother regulatory submissions and identify the impact of changing documentation on global product registrations and submissions. And Performance and testing data can be linked to digital essential principles tables.
RIM for regulatory projects and processes
Digitization and automation of regulatory data are more critical as global regulations continue to change and become more complex. Getting a medical device to market is a difficult process, but RIM software cuts the time and costs associated with product registrations while providing tools essential for ensuring ongoing compliance. Quality systems are critical as well, but their focus on risk management and corrective and preventative activities simply does not provide the functionality needed by regulatory teams. Integrate a strong eQMS system with a holistic RIM system to give both your quality and regulatory teams the tools they need to bring your products to market successfully and to maintain compliance. To get your regulatory ducks in a row, only a RIM system will do!
To learn more about the Rimsys RIM system, talk to one of our experts today.
6 reasons medtech companies shouldn't delay MDR certification
The latest announcement from the European Commission (EC) recommending an extension to the MDR transition period has led to sighs of relief throughout the healthcare community in the EU, where providers and patients have been concerned about the ongoing availability of life-saving medical devices. Medical device manufacturers, however, have no time to waste in moving forward with MDR certifications for their devices.
On January 6th, the EC adopted the proposal recommended a month earlier to delay the full implementation of the Medical Device Regulation (MDR). The EU’s parliament and council now needs to issue final approval for the proposal, which will be processed through an “accelerated co-decision procedure.” While the proposed changes give medical device manufacturers some breathing room in recertifying existing devices, the changes do not apply to all devices or all situations and are not designed to allow manufacturers to delay the entire process of becoming compliant with MDR requirements.
Yes, if the proposal is approved by the European Commission as it is written today, your MDD-certified device may be able to remain in the EU market longer – the end of 2027 for high-risk devices and 2028 for medium- and low-risk devices. So, why do regulatory teams need to push forward as quickly as possible with MDR certification projects?
1. No extension for IVD devices
The proposed extensions to the transition periods apply only to medical devices covered under the MDR. The original deadlines for IVD devices as defined by the IVDR remain in place:
- May 26, 2025 - Class D IVD devices
- May 26, 2026 - Class C IVD devices
- May 26, 2027 - Class A sterile IVD devices and Class B IVD devices.
2. Lack of Notified Body resources
In April, 2022, a survey of MedTech Europe members revealed that MDR certificates had not yet been issued for more than 85% of the 500,000+ medical devices certified under MDD or AIMDD. Currently, certifications for lower classifications of devices take approximately 10 to 18 months; and for more complex products, the certification timeline can be two years or more. The number of Notified Bodies certified to review MDR applications remains low, and even if Notified Bodies are able to add resources in the coming years, review timelines will only become longer as companies rush to certify the hundreds of thousands of devices expected to remain on the market. The challenges will be even greater for smaller manufacturers and others that do not already have an established relationship with a Notified Body.
What does this mean for medical device manufacturers today? For those with higher-risk class devices, assume a 2-year certification period – which means starting the process with a Notified Body as early as possible, given the unknown availability of NB resources in the near future. At the latest, manufacturers need to have signed with a Notified Body by September 26, 2024 (Per Annex VII, Section 4.3 of the MDR). And prior to starting that process, of course, all required data, processes, and documentation should be in place. This means that any manufacturer who has not started this process needs to do so now.
3. Inability to update devices
The postponed MDR deadlines only apply to devices that do not present any unacceptable risk to health and safety and have not undergone significant changes in design or intended purpose. Any medical device certified under the MDD to which significant changes are made will need to recertify under the MDR before the updated device is placed on the market.
4. EUDAMED and UDI compliance deadlines remain the same
While the exact deadlines for EUDAMED compliance are based on the actual (future) release dates of all modules, The European Commission expects requirements around vigilance, clinical investigation and performance studies, and market surveillance modules to become mandatory by the end of 2024. The Commission is proposing a longer transition period for UDI/device registration and the notified body certificate modules, with a mandatory compliance date around the 2nd quarter of 2026.
Note that the expected EUDAMED compliance dates are prior to the extended MDR compliance deadlines. This means that information not previously tracked under MDD requirements will be mandatory within the next few years. This includes UDI and device information, including Basic UDI-DI (BUDI-DI). Post-market surveillance (PMS) and periodic safety update reports (PSUR), requirements of the vigilance and market surveillance module, also become required upon EDUAMED implementation.
5. MDR certification may affect registrations in non-EU countries
An increasing number of countries outside of the EU will accept CE certification as a path to accelerated market approval. In some countries, such as China, proof of certification in the device’s country of origin is required. It is unclear how these requirements will change in recognition of MDR requirements and deadlines. If your current regulatory strategy requires country of origin for the European Union, you may experience a more burdensome application process in other markets.
6. Opportunity to create a competitive advantage
Instead of looking at MDR as an obstacle to overcome, medical devices manufacturers would be well advised to take this as an opportunity to create a competitive advantage. Companies without the necessary resources to re-certify all existing devices are expected to remove products from the EU market in the coming years. In addition, those companies who wait will likely experience higher costs and longer delays in obtaining certification – creating additional opportunities for their competitors.
And don’t forget that the transition period extensions apply only to legacy devices - any new products entering the EU market will require certification under MDR before being placed on the market!
If your data and processes aren’t yet fully ready for MDR, implementing a Regulatory Information Management (RIM) system as part of the process can create additional advantages beyond streamlining the MDR submission process. RIM systems digitize, automate, and simplify the submission and tracking of regulatory documents. The use of a RIM system not only speeds time to market, but provides regulatory teams tools for ensuring continued compliance for all products in all markets.
Doing nothing now is not an option
It is important to note that the extensions apply only to manufacturers that already have MDR compliance activities underway and have made an effort to become compliant, including the implementation of a compliant quality management system. Per Annex VII, Section 4.3 of the MDR, manufacturers must submit a formal application for a conformity assessment by May 26, 2024. In addition, the manufacturer and Notified Body must have signed a written agreement no later than September 26, 2024. The intent of the extended transition period is primarily to allow manufacturers to access Notified Body resources, and the Commission appears to be making an effort to limit any incentives for manufacturers to delay MDR certification.
We expect to see leaders in the medical device industry embracing MDR compliance not only as a way to keep revenue-generating devices in market, but as a way to gain a competitive advantage and market share in the coming years.
Want to learn more? Watch a replay of our recent webinar - Impact of the MDR transition period extension.
ISO 10993: Standards for the biologic evaluation of medical devices
The International Organization for Standardization (ISO) is the largest body in the world publishing standards. In fact, it is a conglomeration of standards bodies from over 160 countries working together to harmonize standards. As such, ISO 10993 is the international standard that is practically used globally for testing and determining the biocompatibility of medical devices. So it’s critical for medical device manufacturers to understand all 23 parts of ISO 10993 for the success of 510(k), pre-market authorization (PMA), and other device submission projects for regulatory authorities worldwide. As an example, the FDA has issued guidance on the Use of International Standard ISO 10993-1.
What is biocompatibility?
According to ISO 10993-1:2018, the current version of part 1 of the standard, biocompatibility is the ability of a medical device or material to perform with an appropriate host response in a specific application. Any device that comes into direct or indirect contact with the skin must be tested for biocompatibility. A medical device that makes indirect contact with the skin is one that encounters a liquid, gas, or another medium, that makes direct contact with the patient or user.
Categorizations for medical devices according to ISO 10993
When testing the biocompatibility of a device, it is broken down into two categories; one based on its type of contact with humans, and the other based on the duration of contact.
The categorizations for types of contact are:
- Non-contacting medical devices: These are medical devices that do not make direct or indirect contact with patients. Examples include in-vitro diagnostics devices, blood collection tubes, and petri dishes.
- Surface-contacting devices: Surface-contacting medical devices are ones that touch the skin, in-tact mucous membranes, and breached or compromised surfaces. Examples of these devices are catheters, contact lenses, and bronchoscopes.
- Externally communicating devices: Externally communicating devices are those that are partially or wholly external and come into contact with bodily fluids. These devices are usually intended to deliver or draw fluids to or from the body and are attached to an external delivery or withdrawal system. Examples include dialyzers and dialysis tubing accessories, transfer and transfusion sets, and arthroscopes.
- Implantable devices: Implantable devices are the riskiest type for medical devices because they are embedded within human tissue. Pacemakers, artificial larynxes, and heart valves are all implantable devices.
The categorizations for times of duration are:
- Limited exposure – Medical devices whose cumulative sum of single, multiple, or repeated duration of contact is up to 24 hours.
- Prolonged exposure – Medical devices whose cumulative sum of single, multiple, or repeated contact time is likely to exceed 24 hours but does not exceed 30 days.
- Long-term exposure – Medical devices whose cumulative sum of single, multiple, or repeated contact time exceeds 30 days.
Determining biocompatibility
Medical devices are most commonly made of metals, plastics, and fabrics, which are composed of chemicals with varying properties. Manufacturers must gather physical and chemical information about the device, which is vital to its biological and material evaluation and characterization.
For devices with components that are made of or utilize novel chemicals or materials, or those known to cause adverse effects, ISO 10993 requires rigorous risk assessment and management according to the standards of ISO 14971. Furthermore, there are prescribed data endpoints that set the foundation for determining the biocompatibility of medical devices and their intended uses and components.
The main things manufacturers must consider when determining the biocompatibility of medical devices and their components are listed below:
- Complete chemical characterization – ISO 10993 requires manufacturers to describe the chemical and material makeup of the medical device and its components, as well as the use of chemicals in the manufacturing of the device. Sometimes, a test of extractable and leachable chemicals is required to determine the safety of the medical device.
- Toxicological assessment – Toxicological assessment serves to determine and mitigate the risk of medical devices when they come into contact with patients and users. There are four pillars of toxicology assessment: hazard identification, hazard characterization, exposure assessment, and risk characterization.
- Biocompatibility testing – Biocompatibility testing is the process of testing the local and systemic effects of a medical device on the tissues it comes into contact with. Oftentimes a favorable toxicological assessment by a qualified individual, based on the facts of the thorough chemical characterization, can rule out the possibility of adverse effects and the need for biocompatibility testing.
ISO 10993 compliance
Biocompatibility assessment is a vital part of risk management according to ISO 14971. Ensuring compliance with risk management and biocompatibility assessment standards requires buy-in from all departments, from marketing and design to quality assurance and regulatory affairs.
It is vital that you begin considering ISO 10993-1:2018 in the early stages of product design. Part 1 of the standard will refer to additional parts, as listed in the following section. Completing your complete chemical characterization and toxicology assessment early in the process will help ensure the biocompatibility of your medical device during the design phase and expedite your device registration and time to market.
Also, it’s important to note that many regulatory authorities around the world have their own variation of ISO 10993. While these varying standards have the same foundation and are similar in many ways, you must understand their nuances if you plan to offer your medical device internationally.
ISO 10993 sections
ISO 10993 is made up of 23 different sections or parts, each of which is maintained and updated separately. Previews of the standard can be viewed on the ISO website, but full versions of the standard need to be purchased.
- ISO 10993-1:2018 – Evaluation and testing within a risk management system
- ISO 10993-2:2022 – Animal welfare requirements
- ISO 10993-3:2014 – Tests for genotoxicity, carcinogenicity, and reproductive toxicity
- ISO 10993-4:2017 – Selection of tests for interactions with blood
- ISO 10993-5:2009 – Tests for in vitro cytotoxicity
- ISO 10993-6:2016 – Tests for local effects after implantation
- ISO 10993-7:2008 – Ethylene oxide sterilization residuals
- ISO 10993-8: - Withdrawn (Selection of reference materials for biologic tests)
- ISO 10993-9:2019 – Framework for identification and quantification of potential degradation products
- ISO 10993-10:2021 – Tests for skin sensitization
- ISO 10993-11:2017 – Tests for systemic toxicity
- ISO 10993-12:2021 – Sample preparation and reference materials
- ISO 10993-13:2010 – Identification and quantification of degradation products from polymeric medical devices
- ISO 10993-14:2001 – Identification and quantification of degradation products from ceramics
- ISO 10993-15:2019 – Identification and quantification of degradation products from metals and alloys
- ISO 10993-16:2017 – Toxicokinetic study design for degradation products and leachables
- ISO 10993-17:2002 – Establishment of allowable limits for leachable substances
- ISO 10993-18:2020 – Chemical characterization of medical device materials within a risk management process
- ISO 10993-19:2020 – Physico-chemical, morphological, and topographical characterization of materials
- ISO 10993-20:2006 – Principles and methods for immunotoxicology testing of medical devices
- ISO 10993-22:2017 – Guidance on nanomaterials
- ISO 10993-23:2021 – Tests for irritation
How can we help?
Many manufacturers endure longer and more costly paths to market than necessary because they do not have systems and tools designed specifically for their regulatory teams. Furthermore, a lack of visibility and collaboration from departments that see regulatory teams traditionally as the “department of saying no” leaves ample room for human error in regulatory, quality management, and even marketing processes and activities. Read more about why we believe regulatory teams need to be considered revenue functions, not cost centers.
The resulting inefficiencies lead to problems such as marketing products with expired certificates, missing certificates, inaccurate and/or incomplete submissions, and even non-compliance with current regulatory requirements. Having a holistic RIM system is central to staying in compliance with standards, regulations, and guidance in the many markets around the world. Rimsys is the only RIM system of its kind built specifically for the medtech industry.
To learn how Rimsys can help your company get its regulatory ducks in a row, click here to schedule a demo.
