
The beginner's guide to the FDA De Novo classification process
This article is an excerpt from The beginner's guide to the FDA De Novo classification process ebook.
Contents
- Introduction
- Chapter 1: What is an FDA De Novo request?
- Chapter 2: Contents of a De Novo request
- Chapter 3: Submitting a De Novo request
- Appendix A: Acceptance review checklist
Congratulations, you have successfully developed a new medical device! Now you need to take it to market. Normally in the United States this would mean completing a 510(k) submission. However, the 510(k) relies on “substantial equivalence”—a comparison to a similar device already on the market (also called a predicate device) to assess the risk profile of the new device. What if your device is totally new, and there isn’t a similar device to compare it to? Enter the FDA De Novo process. The De Novo process provides a pathway to market for novel devices with a low to medium risk profile.
What does De Novo mean?
According to the Merriam-Webster dictionary, de novo is a Latin word meaning “as if for the first time; or anew.” It is fitting that the FDA uses the term “De Novo” to describe market approval requests for new medical devices or technology where there is no comparable predicate device on the market.
The Food and Drug Administration Modernization Act of 1996 provided the FDA with the authority to create the De Novo Classification Process. It's a process that uses a risk-based strategy for a new, novel kind of medical device, in vitro diagnostic, or medical software solution whose type has previously not been identified and/or classified. It’s a process by which a novel medical device can be classified as a Class I or Class II device, instead of being automatically classified as Class III, which may not be appropriate. Before the implementation of the De Novo process in 1997, all the “not substantially equivalent” (NSE) products were required to be initially classified as a Class III device. But for a lot of devices, this risk class didn’t really make sense. The De Novo process provides a pathway for more accurate classifications of novel, lower-risk devices.
In October 2021, the FDA released a final guidance document "De Novo Classification Process (Evaluation of Automatic Class III Designation)" to provide guidance to the requester (also known as the manufacturer) and the FDA on the process for the submission and review of a De Novo Classification Request under section 513(f)(2) of the Federal Food, Drug, and Cosmetic Act (the FD&C Act). This process provides a pathway to an initial Class I or Class II risk classification for medical devices for which general controls, or general and special controls, provide a reasonable assurance of safety and effectiveness, but for which there is no legally marketed predicate device. This guidance document replaced the "New Section 513(f)(2) – Evaluation of Automatic Class III Designation, Guidance for Industry and CDRH Staff" document, dated February 19, 1998.
Consistent with the final rule, the FDA updated the guidance documents below to provide recommendations for submitting De Novo requests, as well as criteria and procedures for accepting, withdrawing, reviewing, and making decisions on De Novo requests, effective January 3, 2022.
- User Fees and Refunds for De Novo Classification Requests
- FDA and Industry Actions on De Novo Classification Requests: Effect on FDA Review clock and Goals
- Acceptance Review for De Novo Classification Requests
The 510(k) and the De Novo processes are similar in that they are both pathways to market for medical devices with low to moderate risk, which is Class I and Class II. The biggest difference between the two is that the 510(k) heavily relies on the concept of "substantial equivalence" to an existing medical device. You must prove this to get the clearance of your 510(k) submission. In the De Novo process, there isn’t a product currently on the market that is “substantially equivalent” to yours, so it’s like starting with a clean slate. For more on the 510(k) process, see our Beginner’s Guide to the 510(k) ebook.

A result of the De Novo process to be aware of is that a successful submission will lead to a new predicate device type that someone else can reference to bring their product to market through the 510(k) process. You’ve done all the work, so now it’s available for anyone to use to demonstrate "substantial equivalence".
De Novo history/timeline

Preparing a De Novo request
1. Do your research! Be sure to complete all the necessary research prior to your submission. You want to be sure that your device is not substantially equivalent to an existing device. Resources to review include:
- The Center for Devices and Radiological Health (CDRH)
- U.S. FDA Device Classification Database
- Device Classification Under Section 513(f)(2) (De Novo)
2. A De Novo request can be submitted with or without a preceding 510(k). There are two options for when you can submit a De Novo request:
Option A: After receiving a not substantially equivalent (NSE) determination (that is, no predicate, new intended use, or different technological characteristics that raise different questions of safety and effectiveness) in response to a 510(k) submission.
Option B: If you’ve determined, after extensive research, that there is no legally marketed device on which to base a determination of substantial equivalence.
3. Be sure all fees are paid to the FDA in advance of submitting a De Novo request. The FDA’s fiscal year begins in October and runs through the following September. Fees have increased each year since they were introduced, but the FDA’s percentage of reviews completed within the 150-day window has increased as well.
A business that is qualified and certified as a “small business” is eligible for a substantial reduction in most of the FDA user fees, including De Novo. The CDRH is responsible for the Small Business Program that determines whether a business is qualified.
Medical Device User Fee Amendments (MDUFA) guidance documents can provide more detailed information about all FDA user fees.
4. The initial request process serves only to determine if the De Novo request is administratively acceptable based upon the Acceptance Checklist. The initial acceptance is followed by substantive review which will determine the final risk classification of your device.
5. A Pre-Submission (Pre-Sub) is a formal written request for feedback from the FDA; the feedback is provided in formal written form and then followed by a meeting. Although a Pre-Sub is not required prior to a De Novo request, it can be extremely helpful to receive early feedback, especially for devices that have not previously been reviewed under a 510(k). If you think you would like to submit a Pre-Sub first, there are suggested guidelines for submission you should consider:
- Describe your rationale for a Class I or Class II classification for your device.
- Provide the search results of FDA public databases and other resources used to determine that no legally marketed device and no classification for the same device type exists.
- Provide a list of regulations and/or product codes that may be relevant.
- Provide a rationale for why the subject device does not fit within and/or is different from any identified classification regulations, based on available information.
- Identify each health risk associated with the device and the reason for each risk.
- Briefly describe any ongoing and/or planned protocols/studies that need to be completed in order to collect the necessary data to establish the device’s risk profile.
- Provide information regarding the safety and effectiveness of the device. Cite the types of valid scientific evidence you anticipate providing in your De Novo request, including types of data/studies relating to the device’s safety and effectiveness.
- Briefly describe any ongoing and/or planned protocols/studies that need to be completed to collect the necessary safety and effectiveness data.
- Provide protocols for non-clinical and clinical studies (if applicable), including how they will address the risks you anticipate and targeted performance levels that will demonstrate that general controls or general and special controls are sufficient to provide reasonable assurance of safety and effectiveness.
- Share any proposed mitigation measure(s)/control(s) for each risk, based on the best available information at the time of the submission. Highlight which mitigations are general controls and which are special controls and provide details on each.
- Include any other risks that may be applicable, in addition to those identified in the Pre-Sub, given the indications for use for the device.
- If applicable, provide any controls that should be considered to provide a reasonable assurance of safety and effectiveness for the device.
- Provide any non-clinical study protocols that are sufficient to allow the collection of data from which conclusions about device safety and/or effectiveness can be drawn. These protocols should address whether the identified level of concern is the appropriate level of concern for the device software, and if any additional biocompatibility and/or sterility testing is required.
- If clinical data is needed, provide information to show that the proposed study design and selected control groups are appropriate.
6. The FDA will attempt to review the De Novo request submission within 15 calendar days of receipt of the request to make a determination that the submission is declined or accepted for review. If they are unable to complete the review within the 15 days, your submission will automatically move to “accepted for review” status. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/de-novo-classification-process-evaluation-automatic-class-iii-designation
7. There are times when the FDA will refund your application fee. They have created a guidance document “User Fees and Refunds for De Novo Classification Requests” for the purpose of identifying:
- the types of De Novo requests subject to user fees
- exceptions to user fees
- the actions that may result in refunds of user fees that have been paid
When is a De Novo request subject to a user fee?
When will the FDA refund a De Novo user fee?
What fee must be paid for a new device submission following a De Novo “decline” determination?
The ultimate guide to the medical device single audit program (MDSAP)
This article is an excerpt from The ultimate guide to the medical device single audit program (MDSAP) ebook.
Table of contents
- What is MDSAP?
- History of MDSAP
- Who is responsible for the MDSAP?
- How does an MDSAP audit work?
- Audit sequence
- You got a nonconformity – now what?
- What does an MDSAP audit cost?
- Why choose the MDSAP certification process?
- Potential disadvantages of the MDSAP
- Ready to participate? – Here’s how to get started
- Completing a successful MDSAP audit
The Medical Device Single Audit Program (MDSAP) was designed and developed to allow a single audit of a medical device manufacturer to be applied to all country markets whose regulatory authorities are members of the program. The MDSAP provides efficient and thorough coverage of the standard requirements for medical device manufacturer quality management systems, and requirements for regulatory purposes (ISO 13485:2016). In addition, there are specific requirements of each medical device regulatory authority participating in the MDSAP that must be met:
- Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3)
- Brazilian Good Manufacturing Practices (RDC ANVISA 16)
- Medical Device Regulations of Health Canada (ISO 13485:2003)
- Japan Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents (MHLW Ministerial Ordinance No 169)
- Quality System Regulation (21 CFR Part 820), and specific requirements of medical device regulatory authorities participating in the MDSAP program.
This means that a report from a single MDSAP audit of a medical device manufacturer would be accepted as a substitute for routine inspections by all the member Regulatory Authorities (RAs) across the world. There are currently five participating RAs representing the following countries: Australia, Brazil, Canada, Japan and the USA.

In April 2021, the RAs released an “Audit Approach” document (MDSAP AU P0002.006) that combines the formerly separate MDSAP Audit Model and Process Companion documents into a single guidance document. It provides guidance for assessing the conformity of each process, an audit sequence, and instructions for auditing each specific process, and it identifies links that highlight the interactions between the processes.
In March 2012 the US FDA announced that they had approved a final pilot guidance document “Guidance for Industry, Third Parties and Food and Drug Administration Staff: Medical Device ISO 13485:2003 Voluntary Audit Report Submission Pilot Program.” This allowed the owner or operator of a medical device manufacturing facility to be removed from FDA’s routine inspection work plan for 1 year upon completing an ISO 13485:2003 audit. This guidance document went into effect in June 2012, and was intended as an interim measure while a single audit program was being developed.
This pilot program was not very successful and few companies signed up because they did not see any advantage in participating. The manufacturer had to pay for a third party to inspect their facilities, generate a report, and share the inspection results back to the FDA. Many companies were reluctant to contract “someone else” to perform their inspection when they could easily wait for the FDA to conduct an inspection for free.
During its inaugural meeting in Singapore in 2012, the International Medical Device Regulators Forum (IMDRF) appointed a working group to develop a set of documents for a harmonized third-party auditor system. Hence, the “Medical Device Single Audit Program” (MDSAP) was formed. The concept was similar to the FDA’s original idea of creating a third-party auditor to help reduce their workload of performing regulatory audits of medical device manufacturers’ quality management systems. This new approach would consist of a single audit that would review regulatory QMS compliance, conducted by a third-party, who would later be called an Auditing Organization (AO).
From January 2014 to December 2016, five countries participated in a Medical Device Single Audit Program Pilot. In June 2017, a report was generated summarizing the outcomes of prospective “proof-of-concept” criteria established to confirm the success of the program. The outcomes are documented in the final MDSAP Pilot Report, which recommended that the program become fully active and open to any manufacturer who requested this type of audit.
The governing body of the MDSAP is the Regulatory Authority Council (RAC), which is composed of two senior managers (and a few other staff members) from each participating RA. They are responsible for executive planning, strategic priorities, setting policy, and making decisions on behalf of the MDSAP International Consortium. The RAC also reviews and approves documents, procedures, work instructions, and more. The mission of the MDSAP International Consortium is to jointly leverage regulatory resources to manage an efficient, effective, and sustainable single audit program focused on the oversight of medical device manufacturers on a global scale.
Other international partners that are involved in the MDSAP include:
MDSAP Observers:
- European Union (EU)
- United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA)
- The World Health Organization (WHO) Prequalification of In Vitro Diagnostics (IVDs) Program
MDSAP Affiliate Members:
- Argentina’s National Administration of Drugs, Foods and Medical Devices (ANMAT)
- Republic of Korea’s Ministry of Food and Drug Safety
- Singapore’s Health Sciences Authority (HSA)
The observers and affiliate members are not the same as the participating member RAs. The observers simply observe and/or contribute to RAC activities. Affiliate members, on the other hand, are interested in engaging in the MDSAP program and are subject to certain rules. They are only given access to a certain level of information about the manufacturers, audit dates, and information in audit reports.
They are also invited to attend sessions that are open to members, observers, and affiliates only.
Audits can also be conducted by MDSAP participating RAs at any time and for various reasons including:
- "For Cause" due to information obtained by the regulatory authority
- as a follow up to findings from a previous audit
- to confirm the effective implementation of the MDSAP requirements
The purpose of audits conducted by the RAs is to ensure appropriate oversight of the AOs’ MDSAP auditing activities. The AOs are appointed by the RAs and a list of the currently approved AOs is published on the FDA website. Most AOs offer a broad range of management system certification services, beyond just medical devices. Manufacturers should verify that prospective AOs are clearly trained for, and perform, MDSAP audits of medical devices.
AOs have the final word as to whether a manufacturer has met the requirements for the MDSAP during the execution of the audit and generation of the associated reports summarizing the results. MDSAP RAC participating RAs have the final decision regarding all development, implementation, maintenance, and expansion activities associated with the program.
Although an unannounced visit by an AO is rare, it can happen in circumstances where high-grade nonconformities have been detected.
Medical device audits - preparation and responses
The word “audit” can strike panic in poorly prepared medtech companies. However, audits serve an important purpose in ensuring a compliant and effective quality system and production of safe and effective medical devices. And organizations can limit the stress and risk around audits through proper preparation.
The key to a positive audit is to ensure that your organization’s focus is on building and implementing quality processes and procedures that cover the entire product life cycle and are continuously evaluated and improved upon. Not only is it the right thing to do, but focusing too closely on simply passing an inspection or audit may leave gaps in your processes and present a false sense of compliance. This article covers audit basics, how to prepare for them, and what to do when you receive an audit finding.
What is an audit?
Per ISO 19011, an audit is a systematic, documented, and independent process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. Audits can be internally conducted, externally conducted by interested parties (i.e., customers/suppliers), and externally conducted by government agencies and notified bodies to ensure that product design, manufacturing, safety, and documentation requirements are being met. Audits will verify compliance with regulatory and quality system/GxP (Good Manufacturing Practices, Good Distribution Practices, etc.) requirements. GxP standards are dictated by the US FDA, European Medicines Agency (EMA), the UK Medicines and Healthcare Products Regulatory Agency (MHRA), and other regulatory bodies which rely on country-specific regulations as well as standards developed by the International Organization for Standardization (ISO).
Audits are required regardless of device class, but audit requirements in the EU and US, along with most other markets, can be dependent on the device classification. For most medium to high-risk devices in the US and EU, the following audits take place:
- Audits by EU Notified Bodies: Audits by EU Notified Bodies focus on compliance with MDR 2017/745 or IVDR 2017/746. Notified Bodies are also responsible for certifying quality management systems (QMS) against the requirements of ISO 13485:2016. Periodic “surveillance audits” will also be performed, based on the classification of the medical device(s).
- FDA Inspections: The FDA will conduct inspections to ensure compliance with the quality system regulation, 21 CFR 820, and to confirm that a facility is capable of manufacturing the medical device. The FDA will conduct pre-approval inspections to verify data included in a market submission, along with periodic routine inspections, following the Quality System Inspection Technique (QSIT) as required by regulation (currently every two years for Class II and Class III USA-based device manufacturers and every five years for international device manufacturers).
- Unannounced and “for cause” inspections: Manufacturers in the US and EU, and many other markets, are subject to different types of inspections triggered by consumer complaints, reported non-conformities, or other issues. These “for cause” inspections may be scheduled or unannounced.
How to prepare for an inspection
Audit preparation is a continuous process that should be built into your quality system and regulatory processes. Some items to consider:
Internal Quality audits
The best way to prepare for an upcoming audit or inspection is to use the internal audit program to your benefit. The FDA QSR, FDA 21 CFR 820, calls for medical device manufacturers to perform regular internal audits of their systems and to provide evidence of these audits and their effectiveness. When possible, conduct internal audits as if you’re the regulatory body and take them seriously. Internal audits should find the issues before the regulators do. Issue nonconformances and address them in a timely manner.
Performing “mock” audits is another great way to prepare for external inspections/audits from the FDA, notified bodies, and other regulatory authorities. Mock audits are a rehearsal for your team to prepare them for the real thing. They can act as try-outs to determine who is equipped to handle being audited and those that are too nervous or offer too much information when asked a question, requiring additional training. Mock audits are typically separate from the internal audit program since they are conducted based on different objectives and for training purposes.
It’s common to contract an independent third party to perform mock audits. Consider conducting unannounced mock audits to get the truest picture of your company’s preparedness. In short, the tougher medical device manufacturers are on themselves while preparing for the audit, the less stressful the actual audit will be.
Self-identify issues as they appear and do not wait for the internal audit. If an issue is identified during the audit preparation or mock audit, implement corrective and preventive actions (CAPA) to address the issue. This is vital to demonstrate that you are aware of an issue and have begun remediation or corrective actions if and when those issues are uncovered during the real inspection or audit.
Choose the right audit host
When you have an upcoming audit or inspection, you must choose the right company representative to host the auditor(s). The person you choose will represent your company, so be deliberate about selecting those who know the company, its quality management system, and its products well. It should also be someone you’re confident can perform well under pressure and remain mission-focused in managing the audit and not necessarily answering every question immediately. The audit host can significantly impact the audit for the better or worse, so be certain that you have the right person in place who will be able to represent the organization’s values and facilitate an efficient audit.
While the person or people working directly with the auditor(s) are often from your quality team, they will need to be supported by subject matter experts (SMEs) from other functions for the duration of the audit – this will include the regulatory, engineering, operations, and marketing teams – who can answer specific questions and gather requested documents. These SMEs must be pre-identified along with alternates as part of the audit preparation. They should be comfortable facing an auditor and answering the auditor’s questions.
Gather all the necessary documents
As part of the audit process, the auditor(s) will expect access to information that they need to determine your organization’s compliance with all quality system and regulatory requirements. Based on the requirements, audit guidance, and previous audits, commonly requested documents should be known. This documentation should be pre-identified, compliant, and available before the start of an audit. This can be in the form of hard copies or electronically through files or links. The goal is to have documents readily available to avoid audit delays.
"If it takes too long to get documents to the auditor when they ask for them, you’re not making a good overall impression that everything is under control, making things more difficult for the auditor(s). Auditors have schedules to meet and follow certain audit trails. The last thing you want is your auditor getting agitated because they are spending a lot of time waiting for information." - Bruce McKean, Rimsys Director of Regulatory Affairs
It is critical that all regulatory information related to your products is readily available during an audit, such as registration status, certificates, regulatory impact assessments, and essential principles, along with submission content and post-market data. A central RIM system that stores all regulatory data and links to (or references) the current versions of records from other systems, such as PLM, eQMS, and ERP systems, can smooth the audit process significantly.
During an audit
As an organization, you will want to manage as much of the audit process as possible. Your audit host will greet the auditor(s) and give them a brief overview or presentation of your company, and most likely conduct a facility tour. After this, while the auditor(s) will direct the process, the more your host can assist and guide them, the better.
In the case of unannounced inspections/audits, there must be a procedure in place that defines how to receive and handle these types of audits. This will include who is the primary contact during such an inspection (often a Quality Management team member or representative), as well as Executive Management, and alternates when those people are not available.
Ideally, you should have more than one company representative with the auditor(s) during the audit and auditors should not be left alone at any point. Most companies have a team in the “front room” with the auditor(s) led by the audit host. The main job of this team is to transcribe every question, answer, and activity that occurs during the audit. The “front room” team will communicate with other team members in the “back room” in real-time (often via instant messaging), relaying to them any open questions, requested documents, or queuing up SMEs the auditor(s) need to speak with.
Best practices for sharing information with auditors
During an audit, employees should be cooperative and helpful, but should only share information that is specifically requested by the auditor. If information is requested that seems outside the scope of the audit, such as corporate strategic or financial documents, employees should notify the appropriate executive before providing such information.
Auditor(s) should be given access to requested information through photocopies or limited computer system access. Original documents can be presented if requested, but should never be kept by the auditor(s). All information provided should be prepared, verified, and recorded in the “back room” and then passed through to the audit host so that it can be controlled. The “back room” should mark the copies “Confidential” or “Proprietary,” as appropriate. They should also make an extra copy for the audit file, so the exact documentation given to the auditor(s) is known for future reference.
Addressing missing or incorrect information
Ideally, any potential issues with the existing quality system and related procedures are identified before an audit and corrective actions are identified and put in place. Even in cases where an issue has not been fully resolved, being able to point to awareness and appropriate actions is important.
Some findings may be able to be corrected during the audit. These findings are typically isolated issues (one-offs) that do not pose significant risks, for instance a missing revision number, missing signature, or outdated reference. If corrected during the audit, it may negate a finding, but the auditor may want to understand why the issue occurred and what actions you have taken, or will be taking, to ensure that it does not recur.
In cases where you are unable to produce the information requested by an auditor, or when there are questions about the validity or accuracy of the information, your internal team should acknowledge the issue but should not immediately speculate on the cause or the effect of the missing or inaccurate information. A discussion of appropriate actions under the existing quality system may be appropriate.
What to do in case of a finding
Be prepared to receive findings from any inspection. Ideally, the auditors should be working to ensure that you are compliant with regulatory requirements and that your records accurately state what you do. However, “By the nature of the beast,” says Bruce McKean, “they’re there to find instances of noncompliance.” This means that auditors will be focused on documentation that can prove or disprove adherence to your stated procedures and policies.
All findings should be disclosed before the audit closing meeting. There should be no surprises. Ensure that the findings are understood by both parties. If they are not clear, perhaps the auditor misunderstood or did not see specific objective evidence; discuss or review the issue with the auditor, as this may negate a finding. Be sure to debrief upper management before the closing meeting. At the audit closing meeting, there should be no debate over findings. Any finding, whether major or minor, should be addressed diligently.
Audit findings or observations will result in the regulatory body in charge of the audit issuing a document that lists those findings. In most cases, you will have limited time to respond with a satisfactory plan for correcting and preventing the recurrence of the identified issues.
In the case of the FDA, multiple enforcement actions are available to the agency, ranging from warning letters to criminal prosecution. Note that many regulatory agencies will not respond further to your actions if they agree with the actions you prescribe for addressing audit observations. However, additional actions may be triggered if your response is not found to be satisfactory.
Rimsys is a holistic regulatory information management system designed for and by regulatory affairs professionals. Rimsys makes it easier to create and track submissions, keep up with product registrations and certificates, and even share pertinent data across ERP, PLM, and eQMS software platforms to ensure data integrity. Learn more about how Rimsys can help you face audits with the confidence that you have all of your regulatory ducks in a row.
Australian Essential Principles
The Therapeutic Goods Administration (TGA), under the Australian Department of Health and Aged Care, is responsible for evaluating, assessing, and monitoring products that are defined as therapeutic goods. They regulate medicines, medical devices, and biologicals to help Australians stay healthy and safe.
Manufacturers are responsible for generating, collating, assessing, and maintaining scientific and engineering evidence that shows that their devices comply with the Essential Principles. The evidence must be relevant to the device's intended purpose and must be objective, sufficient, and robust. Manufacturers manage this by having a solid quality management system (QMS).
An ‘Essential Principle’ is fulfilled during the design and manufacturing of medical devices and IVD medical devices, to ensure that they are safe and perform as intended. A global adoption of a common set of fundamental ‘essential’ design and manufacturing requirements for medical devices provides significant benefits to, among others, manufacturers, users, patients/consumers, and to regulatory authorities. From a high-level perspective, three basic points make up ‘Essential Principles’:
- A device must be designed to be safe and perform effectively throughout its lifecycle.
- Device manufacturers must maintain all design characteristics.
- A device must be used in a way that is consistent with how it was designed.
Many countries use the term ‘Essential Principles’ (EPs) in regulations and guidance documents. ‘Essential Requirements’ is the terminology used in the EU MDD 93/42/EEC and AIMD 90/385/EEC. With the release of the MDR/IVDR, they are now referred to as GSPRs (general safety and performance requirements). Regardless of the terms used, Essential Principles are similar in nature and overlap many of the Essential Requirements in the new GSPRs.
Demonstrating Compliance
It is the manufacturer’s responsibility to demonstrate that their medical device is compliant. The TGA’s regulatory process does not necessarily dictate “how” a manufacturer must demonstrate compliance with the Essential Principles. However, a range of data points is suggested as objective evidence that your device complies with the Essential Principles. Listed below are some examples of the data you would want to track and list in your Essential Principles documentation, commonly referred to as the Essential Principles Checklist or GSPRs.
Details of design and construction:
- a general description of the medical device and its intended purpose
- specifications, protocols, procedures, and details of design and development methods, and technologies used for manufacturing, packaging, storage, handling and distribution
- procedures for measuring and monitoring the safety, performance, and quality of your device
- procedures for servicing (if appropriate)
- procedures for assuring your medical device is sterile (if appropriate)
Risk management reports:
- risk analysis
- risk evaluation
- identification of residual risks
- controls of known and foreseeable risks
Demonstrate compliance with relevant, generally acknowledged state-of-the-art and best-practices:
- technical standards, guidelines, or other validated methods
- codes of practice
- monographs
Characterization studies:
- Verification and validation activities, including protocols, testing and analysis.
- Records of qualitative or quantitative information obtained through observations, measurements, and tests.
Clinical evidence:
- literature reviews that include information about the hazards and associated risks from the use and potential misuse of the device.
- information about the performance of the devices you are manufacturing, including a description of the techniques used to examine whether devices of that kind achieve their intended purpose or not.
- Collation and analysis of post-market data including complaints, adverse-event reports, vigilance reports, registry data and recalls/field corrections/advisory notices.
Additional information:
- Copies of labels, packaging, patient information, and instructions for use.
- Critical evaluation written report, by an expert in the relevant field, of data (including outcomes from literature reviews) about your device.
Essential Principles checklist
The checklist is a form template that the TGA created for medical device manufacturers. It lists all the necessary requirements that must be met, as part of the technical file, to demonstrate regulatory compliance. It’s structured in a table format with each general principle clearly stated with instructions on how to complete the form (Fig 1).

The TGA follows the guidelines of the International Medical Device Regulators Forum (IMDRF). It was one of the founding members of the IMDRF, which was established in 2011, building off the groundwork of the Global Harmonization Task Force (GHTF). Today there are 11 countries that participate in accelerating international medical device regulatory harmonization. This group of regulators provides input to policies, offers guidance on strategies, and creates clear directions, all in an effort to help build a strong foundation for the safety of the medical device industry.
For additional information on Australian medical device regulations and links to resources, see our Australia Regulatory Market Profile. For information on the use of essential principles in the EU, see The ultimate guide to the EU MDR and IVDR general safety and performance requirements (GSPR).
RIM - Master data management for RA teams
Large medtech companies often have data stored in multiple ERP, PLM, and eQMS systems due to mergers, acquisitions, and siloed growth within product teams and departments. While segmented data can cause issues for everyone, it provides particularly concerning obstacles for regulatory affairs teams. RA teams in large organizations typically manage multiple product lines with various levels of classification across many global markets. When product and registration data is not centralized, regulatory teams will not only encounter significantly more complex processes related to managing and controlling data properly, but will also struggle to find and organize the data needed for submissions, license renewals, and other standard RA activities.
Regulatory data management issues without RIM
- Maintaining validation records for multiple systems: In the highly regulated world of medical technology, manufacturers are required to fully validate any system used to design, develop, or manufacture a medical device. Among other things, manufacturers must be able to demonstrate that only the current, approved version of a device can be manufactured. System updates and other changes trigger a re-validation process, which becomes increasingly complex as the number of systems increases. Not only does the system that is being changed need to be validated again, but any other system and process that is using data from the updated/changed system may need to be validated again as well. Issues with data integration between systems are a common finding during quality and regulatory audits.
- Ensuring data accuracy: As mentioned above, validating systems becomes exponentially more complex as the number of systems increases. In cases where the same data is stored in more than one system, the possibility exists that the data is not synchronized in real-time. Whether data is automatically transferred between systems or requires manual data entry or integration steps, each integration point is a possible point of failure. Regulatory and quality teams need to ensure that they identify the “source of truth” for each piece of data that is duplicated and that they can demonstrate the processes that ensure data integrity is being maintained.
- Managing user access: Managing user permissions in large systems, such as ERP solutions, often involves setting specific permission levels for a large number of detailed system functions. Users with access to information in one system may not have access to the same information in another system, causing auditing issues and creating difficulty in administering user credentials. For example, does a user have access to add regulatory documentation, such as EU MDR technical files or medical device certificates, into the system? If not, many companies end up circumventing their own systems by also using SharePoint or other shared drives to store updated files – where they may get lost or overlooked.
- Establishing system-related processes: Establishing and maintaining processes for system issues, downtime, updates, and other regular maintenance is impacted by the number of systems and the ways in which they are integrated. Regulatory teams won’t control these processes for non-regulatory systems, but may require access to data in these systems for time-critical tasks.
Regulatory workflow issues without RIM
Regulatory affairs professionals are familiar with the massive, color-coded spreadsheets that are often central to maintaining medical device registration information. While those spreadsheets work in some situations, without a centralized RIM system RA teams face two large challenges:
Software solutions not built for regulatory teams
- Spreadsheets are not the answer: While those large spreadsheets can be sufficient in smaller companies with a few products in a few markets, they quickly become unwieldy. Regulatory teams managing multiple submission projects across global markets are compiling large amounts of information into specifically formatted portfolios for each country – a process that is difficult, at best, to manage with spreadsheets and PDF documents.
- Non-compliance risks: Regulatory teams that are managing data without a centralized RIM solution also run the risk of identifying changes and expiration dates too late, leading to higher consultant costs and the risk of non-compliant products.
- Missed opportunities: Most regulatory teams do an amazing job keeping multiple projects on track, products in compliance across the globe, and their company prepared for audits and inspections. What if, however, regulatory teams had access to a centralized regulatory system that could provide them with the information, and the time, to contribute to strategic product marketing and staffing decisions? We believe that an organization with a revenue-aligned, strategic regulatory team has a competitive advantage in the marketplace. Read more in our ebook, Regulatory Strategy as a Competitive Advantage.
Regulatory data in multiple systems
We know that 70% of regulatory teams spend at least half of their time on repetitive administrative tasks. Much of this is because the data they need is stored in multiple systems across the organization, with the same data often being stored in multiple places. This leads to an increased chance of outdated information being used, required data being missed, and difficulties in proving that the data management processes in place are sufficient for ensuring accuracy.
The information required by regulatory teams comes from teams throughout an organization, including product data from the engineering team, production and supplier information from the manufacturing team, quality records from the QA team, clinical trial data from the clinical team, and more. This is all in addition to the regulatory submissions, changes, and agency communications managed by the RA team themselves. Without a centralized system to record and reference all of this data, regulatory teams are left to a lot of research, searching, and duplication of efforts across the team.
Data warehouses as an option
In cases where there are multiple, enterprise-level systems sharing the same data, a data warehouse is often used. Data warehouses provide a centralized system in which to store data and maintain that single “source of truth” that all systems can pull data from. However, these systems can be extremely expensive and complex to set up and maintain. They normally require a team of consultants or internal staff to manage the setup and maintenance of the warehouse, including complex ETL (extract, transform, and load) workflows. These workflows are required because data stored in multiple systems will almost never be in the same format and will need to be “transformed” before being loaded into the data warehouse.
In addition, data warehouses are not typically updated in real-time and require that data cleaning and verification procedures run before data is uploaded. This makes a data warehouse a poor option for data that is needed for daily workflows and processes, such as UDI data management.
Regulatory Information Management (RIM) systems as a better option for master regulatory data management
Regulatory Information Management (RIM) systems, such as Rimsys, are designed to be the central source of truth for regulatory information. Purpose-built for regulatory teams, RIM solutions are powerful because they provide:
Centralized, product-centric, regulatory data
Information and data that is specific to regulatory activities can be stored and accessed directly in the RIM solution. This includes information such as submission documents, registration certificates, product references to standards and essential principles, and regulatory authority communications. The RIM solution is the original “source of truth” for this information.
As a result, RIM solutions provide regulatory teams with control over critical data, such as “available to sell” flags at a product version and country or market level. This ensures that the regulatory team is managing a product’s availability to be sold, market-by-market, based on its regulatory status in each market.
Integrated data
Regulatory teams require data from across the organization to manage submissions and other regulatory activities. A strong RIM solution will provide for integration with PLM, eQMS, eDMS, ERP, and other solutions that typically house information used by regulatory teams. For example, the design and engineering teams will likely utilize a PLM system to manage product details and revisions. While that data is needed by the regulatory team, it is owned by the design and engineering teams and belongs in their PLM system.
Rimsys provides secure API endpoints that simplify integration with nearly any system with a REST API.
Rimsys also simplifies compliance with 21 CFR Part 11 and other regulations by providing complete and easy-to-read activity logs for all actions taken within the software.
To learn more about how Rimsys can be your master data management system, schedule a time with one of our product experts to see Rimsys in action.
EU country-specific medical device registration requirements
There are 27 member states that belong to the European Union (EU), along with additional countries that participate in the European Economic Area (EEA) and the EU’s single market. One of the benefits of belonging to the EU is the unification of regulations for medical devices and in-vitro diagnostics. As you know, registering medtech devices (ultimately known as applying the CE Mark) is a complex process. Applying the CE Mark allows your devices to easily be imported and sold throughout Europe.
Some of the member states and those participating in the single market require additional registration steps beyond those required by the EU for class IIa, class IIb, and class III medical devices. In general, a medical device manufacturer is required to submit a registration form and/or enter information in the online database before placing the product on the market. Typically, this notification includes the upload of a localized label, instructions for use, Declaration of Conformity, and the CE certificate.
The additional registration requirements apply to manufacturers outside of the EU who wish to market devices in an EU member country. Most markets will also have additional or different registration requirements for local Authorized Representatives and Manufacturers. Once EUDAMED is fully implemented, the assumption is that most of these country-specific registration requirements will be removed.
The table below lists all 27 EU member states, along with additional countries that participate in the EU single market. This table is for reference only – Regulatory professionals are urged to consult country Competent Authority websites for country-specific requirements.
* Countries not in the EU
+ Devices supported by Finnish distributors to hospitals and retailers require notification.
++ Registration may be required if an importer, authorized representative, or manufacturer located in Germany is placing the product on the market for the first time.
Note: Specific requirements for local economic operators are not included here and may include both additional entity and device registration requirements.
FDA transition plans for Covid-19-related medical devices
New guidance
The FDA has issued two final guidance documents intended to assist with transition plans for medical devices that are currently being distributed under emergency use authorizations (EUAs) or that fall under specific policies issued to support the response to the COVID-19 pandemic. The agency states that they recognize that it will take time for manufacturers and others to adjust to “normal operations” as policies adopted during the pandemic come to an end. However, they are recommending that organizations move quickly to plan their regulatory strategy and engage with the agency where necessary.
The two guidance documents are:
- Transition Plan for Medical Devices Issued Emergency Use Authorizations (EUAs) Related to Coronavirus Disease 2019 (COVID-19) Guidance
- Transition Plan for Medical Devices that Fall Within Enforcement Policies Issued During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency
Transition periods
Advance notices will be published in the Federal Register for each EUA declaration 180 days prior to the termination of the EUA.
For devices that fall within enforcement policies issued during the COVID-19 public health emergency (PHE), a 180-day transition period is also available and will begin following the expiration of the section 319 PHE declaration. Manufacturers should refer to the following “list 1” COVID-19 public health emergency enforcement policies for more detail:
- Digital pathology devices
- Imaging systems
- Non-invasive fetal and maternal monitoring devices
- Telethermographic systems
- Treating psychiatric disorders
- Extracorporeal membrane oxygenation and cardiopulmonary bypass devices
The FDA’s stated intent with this guidance is to, among other things, “help avoid disruption in device supply and help facilitate compliance with applicable FD&C act requirements after the termination of the relevant EUA declaration…”
Guiding principles
The following guiding principles are taken directly from the guidance documents listed at the beginning of this article, and they are the same in both documents.
- This guidance is intended to help facilitate continued patient, consumer, and healthcare provider access to devices needed in the prevention, treatment, and diagnosis of COVID-19.
- FDA believes the policies and recommendations in this guidance will help to ensure an orderly and transparent transition for devices that fall within the scope of this guidance. FDA’s policies and recommendations in this guidance are consistent with the Agency’s statutory mission to both protect and promote the public health.
- FDA’s policies and recommendations follow, among other things, a risk-based approach with consideration of differences in the intended use and regulatory history of devices, including whether the device is life-supporting or life-sustaining, capital or reusable equipment, a single-use device, and whether another version of the device is FDA-cleared or -approved.
- As always, FDA will make case-by-case decisions regarding the enforcement of legal requirements in response to particular circumstances and questions that arise regarding a specific device or device type. This may include FDA revising or revoking an EUA, requesting a firm initiate a recall (see 21 CFR 7.45), or taking other actions, including an enforcement action. Moreover, FDA may revise the enforcement policies and recommendations in the guidance, as appropriate.
Do not wait to submit marketing submissions
Manufacturers who intend to seek market authorization for devices currently under COVID-19-related EUAs should begin working on their market submission and transition implementation plan as soon as possible. The CDRH is encouraging organizations that want to continue marketing their device, and need a marketing submission, to take advantage of the full transition period, including submitting a pre-submission if needed. The pre-submission process allows for early interactions with the CDRH.
Nonconformance reporting for medical device manufacturers
Defining nonconformance
Very simply, a nonconformance occurs when a specification is not met. The FDA defines a specification in 21 CFR 820.3 as “any requirement with which a product, process, service, or other activity must conform,” while ISO 13485:2016 defines it as a “need or expectation that is stated, generally implied, or obligatory.”
While managing nonconformance starts with fully defining specifications, it is the identification, tracking, and resolution of nonconformance that is a focus of medtech quality and regulatory teams and a requirement of both ISO 13485:2016 and the FDA’s 21 CFR Part 820 quality system regulation.
Identifying nonconformance occurrences
As part of a compliant quality system, medical device manufacturers should implement procedures to identify and address both major and minor non-conformances. Nonconformances may be identified through processes found in multiple subsystems that are part of an overall quality management system within the organization.
The systems and subsystems in which nonconformances are identified typically include:
- ERP
- Regulatory information management (RIM)
- Product lifecycle management (PLM)
- Document management
- Customer service / customer management
- Complaint handling
- Device history records
- Audit management
- CAPA
- Training/learning management
- Calibration/preventative maintenance
- Development change management
Evaluating nonconformance
Once a nonconformance is identified, it should be evaluated in a timely manner, and a determination made as to the disposition of any affected products. Requirements for additional investigation and reporting should also be identified. Based on the severity of the nonconformance and its effect on the safety and efficacy of devices being manufactured or already in the market, a CAPA (corrective/preventative action) record may need to be created. In the U.S., this is defined in the quality regulation 21 CFR Part 820.100.
To disposition a nonconformance, consider the following:
- If the nonconformance recurs, will the existing system detect it in time for remediation?
- How likely is it that this issue will recur?
- What is the impact of the non-conformance (i.e., could it affect patient health)?
Issues that are more severe or are more likely to recur should trigger a more immediate and comprehensive response.
Nonconformances that are escalated and handled under CAPA are based on risk and can include those that have or could have an impact on a product or process that is:
- Not easily corrected
- Recurring
- Severe
In addition, nonconformances that rise to the level of a CAPA require significant resources and typically result in a full project covering identification of root cause(s), containment, corrective actions, and monitoring for effectiveness.
Nonconformances that don’t require a CAPA have simpler resolutions that include documenting actions taken to correct the issue (or justification for no action). If the issue is not recurring, there may be no other action required. For example, a nonconforming material received from a vendor may be a singular issue that was easily identified through existing inspection procedures and is not expected to recur. In this case, the material is returned to the vendor and no additional action is required.
Processes that are out of conformance are often resolved through improved documentation and/or additional user training. However, be sure that the true root cause of the nonconformance is identified, as procedural nonconformances can signal additional issues.
Documenting nonconformances
An important part of nonconformance procedures is the nonconformance report (NCR) or other documentation procedures. Nonconformances are typically documented within the subsystem in which they were identified. Some organizations will have a nonconformance system in which issues originating from all subsystems are documented. Centralized nonconformance systems allow for trending and other analysis across all subsystems, the results of which may generate CAPAs.
The requirements for documenting a nonconformance may vary by subsystem. In general, however, nonconformance documentation records:
- The requirement/specification that was not met.
- The objective evidence supporting the determination.
- The action that is being taken to address the nonconformity.
Nonconformances are a common point of focus during quality audits by regulatory bodies, including the FDA, and should follow a well-documented process. Auditors will often try to determine if the quality system is functioning effectively by looking at self-identified nonconformances and comparing them to externally reported nonconformances. This is to ensure that nonconforming products were not released, or that the appropriate actions were taken to resolve issues in the field.
The importance of nonconformance reports
Nonconformances related to distributed products of higher risk result in nonconformance reports issued to government authorities through vigilance reporting, medical device reporting, and field action/recall reports. For example, the FDA requires that a medical device report be submitted within 30 days of a serious adverse event (see 21 CFR Part 803 Subpart E). Strong reporting procedures for nonconformances of all types are important in identifying trends, addressing issues before they become critical, and as part of a complete quality management system.
A nonconformance reporting procedure is only part of a strong quality system. Read An overview of 21 CFR part 820 and ISO 13485 overview for more information on establishing quality systems for medtech companies.

