Featured
Rimsys Announces Rimsys AI to Eliminate Repetitive Tasks and Enhance Decision-Making for MedTech Regulatory Teams
Rimsys, the leading Regulatory Information Management (RIM) platform for the MedTech industry, today announced the launch of Rimsys AI, a suite of embedded artificial intelligence (AI) agents.
The ultimate guide to the medical device single audit program (MDSAP)
This article is an excerpt from The ultimate guide to the medical device single audit program (MDSAP) ebook.
Table of contents
- What is MDSAP?
- History of MDSAP
- Who is responsible for the MDSAP?
- How does an MDSAP audit work?
- Audit sequence
- You got a nonconformity – now what?
- What does an MDSAP audit cost?
- Why choose the MDSAP certification process?
- Potential disadvantages of the MDSAP
- Ready to participate? – Here’s how to get started
- Completing a successful MDSAP audit
The Medical Device Single Audit Program (MDSAP) was designed and developed to allow a single audit of a medical device manufacturer to be applied to all country markets whose regulatory authorities are members of the program. The MDSAP provides efficient and thorough coverage of the standard requirements for medical device manufacturer quality management systems, and requirements for regulatory purposes (ISO 13485:2016). In addition, there are specific requirements of each medical device regulatory authority participating in the MDSAP that must be met:
- Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3)
- Brazilian Good Manufacturing Practices (RDC ANVISA 16)
- Medical Device Regulations of Health Canada (ISO 13485:2003)
- Japan Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents (MHLW Ministerial Ordinance No 169)
- Quality System Regulation (21 CFR Part 820), and specific requirements of medical device regulatory authorities participating in the MDSAP program.
This means that a report from a single MDSAP audit of a medical device manufacturer would be accepted as a substitute for routine inspections by all the member Regulatory Authorities (RAs) across the world. There are currently five participating Regulatory Authorities (RA) representing the following countries: Australia, Brazil, Canada, Japan and the USA.
In April, 2021, the RAs released an “Audit Approach” document (MDSAP AU P0002.006) that combines the formerly separate MDSAP Audit Model and Process Companion documents into a single guidance document. It includes guidance for assessing the conformity of each process and includes an audit sequence, instructions for auditing each specific process, and identifies links that highlight the interactions between the processes.
In March 2012 the US FDA announced that they had approved a final pilot guidance document “Guidance for Industry, Third Parties and Food and Drug Administration Staff: Medical Device ISO 13485:2003 Voluntary Audit Report Submission Pilot Program.” This allowed the owner or operator of a medical device manufacturing facility to be removed from FDA’s routine inspection work plan for 1 year upon completing a ISO 13485:2003 audit. This guidance document went into effect in June 2012, and was intended as an interim measure while a single audit program was being developed.
This pilot program was not very successful and few companies signed up because they did not see any advantage in participating. The manufacturer had to pay for a third party to inspect their facilities, generate a report, and share the inspection results back to the FDA. Many companies were reluctant to contract “someone else” to perform their inspection when they could easily wait for the FDA to conduct an inspection for free.
During its inaugural meeting in Singapore in 2012, the International Medical Device Regulators Forum (IMDRF) appointed a working group to develop a set of documents for a harmonized third-party auditor system. Hence, the “Medical Device Single Audit Program” (MDSAP) was formed. The concept was similar to the FDA’s original idea of creating a third-party auditor to help reduce their workload of performing regulatory audits of medical device manufacturers’ quality management systems. This new approach would consist of a single audit that would review regulatory QMS compliance, conducted by a third-party, who would later be called an Auditing Organization (AO).
From January 2014 to December 2016, five countries participated in a Medical Device Single Audit Program Pilot. In June 2017, a report was generated summarizing the outcomes of prospective “proof- of-concept” criteria established to confirm the success of the program. The outcomes are documented in the final MDSAP Pilot Report and recommended that the program become fully active and open to any manufacturer who requested this type of audit.
The governing body of the MDSAP is the Regulatory Authority Council (RAC), which is composed of two senior managers (and a few other staff members) from each participating RA. They are responsible for executive planning, strategic priorities, setting policy, and making decisions on behalf of the MDSAP International Consortium. The RAC also reviews and approves documents, procedures, work instructions, and more. The mission of the MDSAP International Consortium is to jointly leverage regulatory resources to manage an efficient, effective, and sustainable single audit program focused on the oversight of medical device manufacturers on a global scale.
Other international partners that are involved in the MDSAP include:
MDSAP Observers:
- European Union (EU)
- United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA)
- The World Health Organization (WHO) Prequalification of In Vitro Diagnostics (IVDs) Program
MDSAP Affiliate Members:
- Argentina’s National Administration of Drugs, Foods and Medical Devices (ANMAT)
- Republic of Korea’s Ministry of Food and Drug Safety
- Singapore’s Health Sciences Authority (HSA)
The observers and affiliate members are not the same as the participating member RA’s. The observers simply observe and/or contribute to RAC activities. Affiliate members, on the other hand, are interested in engaging in the MDSAP program and are subject to certain rules. They are only given access to a certain level of information about the manufacturers, audit dates, and information in audit reports.
They are also invited to attend sessions that are open to members, observers, and affiliates only.
Audits can also be conducted by MDSAP participating RAs at any time and for various reasons including:
- "For Cause" due to information obtained by the regulatory authority
- as a follow up to findings from a previous audit
- to confirm the effective implementation of the MDSAP requirements
The purpose of audits conducted by the RAs is to ensure appropriate oversight of the AOs MDSAP auditing activities. The AOs are appointed by the RAs and a list of the currently approved AO’s is published on the FDA website. Most AOs offer a broad range of management system certification services, beyond just medical devices. Manufacturers should verify that prospective AOs are clearly trained and perform MDSAP audits of medical devices.
AOs have the final word as to whether a manufacturer has met the requirements for the MDSAP during the execution of the audit and generation of the associated reports summarizing the results. MSDAP RAC participating RAs have the final decision regarding all development, implementation, maintenance, and expansion activities associated with the program.
Although an unannounced visit by an AO is rare, it can happen in circumstances where high-grade nonconformities have been detected.
To continue reading this eBook including a detailed look at the MDSAP audit process and grading, pros and cons of the approach, and how to get started please register to download the full version.
The beginner's guide to the FDA 510(k)
This article is an excerpt from The beginner's guide to the 510(k) ebook.
Table of Contents
- Introduction
- 510(k) basics
- Contents of a Traditional 510(k)
- 510(k) submission and timelines
- Other 510(k) forms
Congratulations! You have successfully developed a new medical device. Now you need to take it to market. In the United States, this often means submitting a 510(k). A 510(k) is a structured package of information about your device and its performance and safety that you submit to the Food and Drug Administration (FDA) for “clearance” before you can sell your device in the U.S. In order to receive clearance from the FDA, your 510(k) will need to demonstrate that your medical device is substantially equivalent to another legally marketed device (called a predicate device). The substantial equivalence approval process is a simple equation that looks something like this:
The 510(k) is generally the most efficient route to market clearance in the U.S. because you show your device is safe and effective based on this substantial equivalence standard, instead of needing to present more extensive clinical trial data.
There are three types of 510(k): Traditional, Abbreviated, and Special. This eBook will begin with a general overview of the 510(k) process, including its purpose and benefits. Next, we will explore the Traditional 510(k) and the sections and components required in depth. Finally, we will look at the Special and Abbreviated 510(k).
FDA: background and device oversight
Before we explain what a 510(k) is let’s first talk generally about the FDA and device oversight. The FDA is the U.S. governmental agency responsible for overseeing medical devices, drugs, food, and tobacco products. When it comes to medical devices, the FDA’s mission is to “protect the public health by ensuring the safety, efficacy, and security of…medical devices.” At the same time, the FDA also has an interest in “advancing public health by helping to speed innovations.” In other words, the FDA’s goal is to make sure devices are safe and effective for public use, while also ensuring that devices have a quick and efficient path to market.
In order to achieve this balance of safety and efficiency, the FDA has three different levels of oversight depending on the risk level of the device: (1) exempt from premarket submission, (2) Premarket Notification, also known as 510(k), and (3) Premarket Approval (PMA).
When is a 510(k) required?
A 510(k) is required for medium risk devices that have a predicate on the market which can be used to demonstrate the safety and effectiveness of the new device. Meanwhile, a PMA is required for high-risk or novel devices which require a higher level of scrutiny to be confirmed safe and effective.
A 510(k) is not only required for new devices, but also for devices that have been modified in a way that could impact safety or effectiveness. This could include changes to the:
- Design
- Components
- Materials
- Chemical composition
- Energy source
- Manufacturing process
- Intended use
You must submit your 510(k) at least 90 days before marketing the device.
What Exactly is Substantial Equivalence?
Now that we know what a 510(k) is, let’s talk about the substantial equivalence standard. You’ll recall from the introduction that your 510(k) must show that the new (or modified) device is substantially equivalent to at least one other legally marketed device, called a predicate device. Substantial equivalence looks at the intended use and the technological characteristics of the two devices.
More specifically, you must show:
- that the new device has the same intended use as the predicate, and
- the differences between the two devices do not raise questions about the safety and effectiveness of the new device.
Now let’s take a closer look at intended use and technological characteristics.
Intended use
Intended use means the general purpose or function of the device. The FDA will look at your proposed labelling and your Indications of Use section of the 510(k) to determine the intended use of your device (this is covered in Chapter 2). Intended use includes:
Technological characteristics
Once the FDA has determined that a predicate device exists and that the new device and the predicate device have the same intended use, it will move on to compare the technological characteristics. Technological characteristics include:
- Materials
- Design
- Energy source
- Other device features
The two devices do not have to be identical, and in fact they almost never are. The key here is to demonstrate that any differences do not have a significant impact on safety or effectiveness. Here’s what to cover when you compare your device’s technological characteristics with that of the predicate device:
Overall description of the device design
- Engineering drawings or diagrams to explain the device and component parts.
- List of component parts and explanation of how each component contributes to the overall use and function of the device.
- Physical specifications: dimensions, weight, temperature, tolerances, etc.
Materials
- Detailed chemical formulation used in all materials of constructions (especially those that come into contact with a patient).
- Any additives, coatings, paint, or surface modifications.
- How materials have been processed and what state they’re in.
Energy Sources
- Use of batteries, electricity, etc.
Other technological features
- Software/hardware
- Features
- Density
- Porosity
- Degradation characteristics
- Nature of reagents
- Principle of the assay method
In deciding whether the differences in technological characteristics impact safety or effectiveness, the FDA will typically rely on descriptive information about the technological characteristics as well as non-clinical and clinical performance data.
Let’s look at an example: A manufacturer submits a 510(k) for a new type of contact lens. Both the new device and the predicate device are indicated for daily wear for the treatment of astigmatism. The predicate device is only available in a clear lens, but the new device comes in a line of colors, including purple tinted lenses.
Who is responsible for submitting a 510(k)?
The following four types of organizations may be responsible for submitting a 510(k):
Manufacturers
- End-of-line device manufacturers who will be placing a device on the U.S. market.
- Note: Does not apply to component part manufacturers unless components will be marketed independently.
Specification developers
- Companies that develop the specifications for a finished device which has been manufactured elsewhere
Repackers or relabelers
- Required to submit a 510(k) if they significantly alter the labeling or condition of the device, including modification of manuals, changing the intended use, deleting or adding warnings, contraindications, sterilization status.
- Note: This is rare. The manufacturer, not the repackager or labeler, is typically responsible for the 510(k) submission.
Importers
- Importers that introduce a new device to the U.S. market may need to submit a 510(k), if it hasn’t already been submitted by the manufacturer.
Now that we’ve covered the basics, let’s explore what actually goes into your 510(k).
A Traditional 510(k) should contain all the following components in the list below. In some cases, a particular section may not apply to your device. When that happens, it’s a good idea to include the section anyway and just state “This section does not apply” or “N/A” under that heading.
To continue reading this eBook including a detailed walk-through of all the Traditional 510(k) components, submission requirements and timelines, and an overview of the other 510(k) forms including the Abbreviated 510(k) and the Special 510(k), please register to download the full version
The ultimate guide to the China UDI system and database
This article is an excerpt from The ultimate guide to the China NMPA UDI system and database ebook.
Table of Contents
- Overview
- UDI basics and benefits
- UDI format requirements and issuing entities
- UDI database and submission requirements
- Implementation of UDI and the UDI database in China
The current Chinese medical device regulatory regime kicked-off in 2014 with the Regulation on Supervision and Administration of Medical Devices. This core set of registration requirements, modeled after the United States and European Union systems, established a set of device classifications (class I, II, and III) based on risk and procedures for obtaining market clearance for each type of device.
Medical devices in China are regulated by the National Medical Products Administration (NMPA). Class I devices, such as clinical laboratory equipment or non-invasive skin dressings, require only notification to the NMPA for marketing authorization, and that authorization does not expire. Class II and III devices such as implantable devices or devices with a measuring function require full registration and a formal review before market clearance can be obtained.
These initial regulations have been expanded since their introduction, adding accelerated pathways to market for certain products in certain regions, easing acceptance of clinical data from overseas, and more specific roles and responsibilities for local agents of international manufacturers. In addition, in 2019, the regulations added a provision that medical devices carry a unique device identification (UDI). China’s UDI requirements are similar to those in the US and European Union. They establish specific device ID and labeling requirements, as well as a central, state-administered database of devices.
This eBook walks through the basics of medical device UDIs, the specifics of China’s implementation, and how MedTech companies who market their devices in China can prepare for the full rollout of these regulations in the coming years.
A UDI is a unique alphanumeric code that is designed to identify medical devices sold in a particular country/region from manufacturing, through distribution, to use by a patient. Like other aspects of the medical device regulatory regime, the UDI system in China follows the approach taken by the United States FDA and European Commission, and is based on the guidance from the International Medical Device Regulators Forum (IMDRF). Generally, UDI systems are designed to improve patient safety and optimize care by:
- Increasing the traceability of medical devices, including field safety corrective actions
- Providing an unambiguous identification method for medical devices throughout distribution and use
- Making adverse event reports more accessible
- Reducing medical errors by providing detailed information related to the device
- Simplifying medical device documentation and making it more consistent
There are three components to the UDI system in China:
- UDI code: The actual UDI code can be assigned by one of three (3) issuing agencies and contains information about the product, it’s expiration date, and the manufacturing batch/lot it’s associated with.
- UDI labeling: Put simply, medical devices must carry the UDI code on them. The regulations stipulate how devices and their packaging must be labeled for compliance.
- UDI database: In addition to labeling, all device UDIs must be submitted to a central database that is administered by the NMPA.
The following sections explore each of these components in more detail.
The UDI code
The first element of the UDI system is the code itself. The UDI code is the alphanumeric identifier that is associated with a specific medical device. UDI codes have two (2) elements to them, the UDI device identifier (UDI-DI) or static portion, and the UDI production identifier (UDI-PI) or dynamic portion. You can see the two components in the UDI diagram below:
The UDI-DI contains information about the issuing entity—the organization that is authorized to assign UDI codes. In China, this can be one of three entities: GS1, an international barcode and electronic data interchange standards organization, and two domestic organizations: the Zhongguancun Industry & Information Research Institute (ZIIOT), and AliHealth. Additional details about the issuing agencies are covered in Chapter 2. In addition, the UDI-DI contains information about the manufacturer and the specific model or version of the device.
The UDI-PI contains information about the manufacturing and production of the device. This typically includes information about the lot or batch number in which the device was manufactured, the manufacturing date and expiration date for the device (if applicable), and the specific serial number for the device. Here you can see all of the components marked up using the same UDI example:
Note that each packaging permutation and level for a given device will need to be assigned its own UDI. So for example, let’s say that a company manufactures 5ml enteral (oral) syringes in two packaging options: 1 – packaged individually and 2 – packaged in a box of 5. Each packaging option would need its own UDI, despite the fact that the underlying product is the same.
Now looking at packaging levels, let’s assume that the manufacturer packages the single syringe offering into boxes of 6, and again into larger containers of 24. Each of those packaging options needs its own UDI as well.
Labeling
In addition to obtaining UDI code for each device as outlined in the previous section, medical device manufacturers are required to ensure that devices are appropriately labeled with the assigned UDI. This label is called the UDI Carrier. The UDI is represented in two forms on the UDI Carrier: a machine-readable form and a human-readable form.
The machine-readable form or automatic identification data capture (AIDC) is a barcode or some other technology that can be used to automatically capture UDI information. The NMPA regulations support 3 types of machine-readable formats: 1-dimensional barcode, 2-dimensional barcode, and radio-frequency identification (RFID).
The regulations note that “use of advanced automatic identification and data collection technologies is encouraged”—prompting manufacturers to use more modern 2D and RFID machine-readable carriers where possible. Note, however, that if a device uses RFID, the UDI Carrier must also include the UDI in barcode format.
The human-readable form or human-readable interpretation (HRI) is the numeric or alphanumeric code for the UDI that can be read and manually entered into systems.
The UDI Carrier should be included on the device and on all levels of packaging. The UDI Carrier must be clear and readable during the operation and use of devices. If there isn’t room on the device for both the human and machine-readable forms of the UDI, then manufacturers should prioritize the machine-readable form.
UDI database
The third component of the NMPA UDI system is the UDI database. This is a centralized database of UDI and product information, administered by the NMPA. Manufacturers are required to submit UDI information into the database within 60 days after a product is approved (for sale in China) and before it is commercialized. The database contains a more detailed product record than what is included in the UDI itself, and it is the responsibility of the manufacturer (and/or their in-country representative) to submit the information correctly, and ensure that it’s kept up to date.
Chapter 3 of this eBook goes into detail about the specific fields and data requirements for UDI database submissions.
To continue reading this eBook including information about UDI format requirements and issuing entities, implementation timelines, and affected device types, please register to download the full version.
RIM - Master data management for RA teams
Large medtech companies often have data stored in multiple ERP, PLM, and eQMS systems due to mergers, acquisitions, and siloed growth within product teams and departments. While segmented data can cause issues for everyone, it provides particularly concerning obstacles for regulatory affairs teams. RA teams in large organizations typically manage multiple product lines with various levels of classification across many global markets. When product and registration data is not centralized, regulatory teams will not only encounter significantly more complex processes related to managing and controlling data properly, but will also struggle to find and organize the data needed for submissions, license renewals, and other standard RA activities.
Regulatory data management issues without RIM
- Maintaining validation records for multiple systems: In the highly regulated world of medical technology, manufacturers are required to fully validate any system used to design, develop, or manufacture a medical device. Among other things, manufacturers must be able to demonstrate that only the current, approved version of a device can be manufactured. System updates and other changes trigger a re-validation process, which becomes increasingly complex as the number of systems increases. Not only does the system that is being changed need to be validated again, but any other system and process that is using data from the updated/changed system may need to be validated again as well. Issues with data integration between systems is a common finding during quality and regulatory audits.
- Ensuring data accuracy: As mentioned above, validating systems becomes exponentially more complex as the number of systems increases. In cases where the same data is stored in more than one system, the possibility exists that the data is not synchronized in real-time. Whether data is automatically transferred between systems or requires manual data entry or integration steps, each integration point is a possible point of failure. Regulatory and quality teams need to ensure that they identify the “source of truth” for each piece of data that is duplicated and that they can demonstrate the processes that ensure data integrity is being maintained.
- Managing user access: Managing user permissions in large systems, such as ERP solutions, often involves setting specific permission levels for a large number of detailed system functions. Users with access to information in one system may not have access to the same information in another system, causing auditing issues and creating difficulty in administering user credentials. For example, does a user have access to add regulatory documentation, such as EU MDR technical files or medical device certificates, into the system? If not, many companies end up circumventing their own systems by also using SharePoint or other shared drives to store updated files – where they may get lost or overlooked.
- Establishing system-related processes: Establishing and maintaining processes for system issues, downtime, updates, and other regular maintenance is impacted by the number of systems and the ways in which they are integrated. Regulatory teams won’t control these processes for non-regulatory systems, but may require access to data in these systems for time-critical tasks.
Regulatory workflow issues without RIM
Regulatory affairs professionals are familiar with the massive, color-coded spreadsheets that are often central to maintaining medical device registration information. While those spreadsheets work in some situations, without a centralized RIM system RA teams face two large challenges:
Software solutions not built for regulatory teams
- Spreadsheets are not the answer: While those large spreadsheets can be sufficient in smaller companies with a few products in a few markets, they quickly become unwieldy. Regulatory teams managing multiple submissions projects across global markets are compiling large amounts of information into specifically formatted portfolios for each country – a process that is difficult, at best, to manage with spreadsheets and pdf documents.
- Non-compliance risks: Regulatory teams that are managing data without a centralized RIM solution also run the risk of identifying changes and expiration dates too late, leading to higher consultant costs and the risk of non-compliant products.
- Missed opportunities: Most regulatory teams do an amazing job keeping multiple projects on track, products in compliance across the globe, and their company prepared for audits and inspections. What if, however, regulatory teams had access to a centralized regulatory system that could provide them with the information, and the time, to contribute to strategic product marketing and staffing decisions? We believe that an organization with a revenue-aligned, strategic regulatory team has a competitive advantage in the marketplace. Read more in our ebook, Regulatory Strategy as a Competitive Advantage.
Regulatory data in multiple systems
We know that 70% of regulatory teams spend at least half of their time on repetitive administrative tasks. Much of this is because the data they need is stored in multiple systems across the organization, with the same data often being stored in multiple places. This leads to an increased chance of outdated information being used, required data being missed, and difficulties in proving that the data management processes in place are sufficient for ensuring accuracy.
The information required by regulatory teams comes from teams throughout an organization, including product data from the engineering team, production and supplier information from the manufacturing team, quality records from the QA team, clinical trial data from the clinical team, and more. This is all in addition to the regulatory submissions, changes, and agency communications managed by the RA team themselves. Without a centralized system to record and reference all of this data, regulatory teams are left to a lot of research, searching, and duplication of efforts across the team.
Data warehouses as an option
In cases where there are multiple, enterprise-level systems sharing the same data, a data warehouse is often used. Data warehouses provide a centralized system in which to store data and maintain that single “source of truth” that all systems can pull data from. However, these systems can be extremely expensive and complex to set up and maintain. They normally require a team of consultants or internal staff to manage the setup and maintenance of the warehouse, including complex ETL (extract, transform, and load) workflows. These workflows are required because data stored in multiple systems will almost never be in the same format and will need to be “transformed” before being loaded into the data warehoused.
In addition, data warehouses are not typically updated in real-time and require that data cleaning and verification procedures run before data is uploaded. This makes a data warehouse a poor option for data that is needed for daily workflows and processes, such as UDI data management.
Regulatory Information Management (RIM) systems as a better option for master regulatory data management
Regulatory Information Management (RIM) systems, such as Rimsys, are designed to be the central source of truth for regulatory information. Purpose-built for regulatory teams, RIM solutions are powerful because they provide:
Centralized, product-centric, regulatory data
Information and data that is specific to regulatory activities can be stored and accessed directly in the RIM solution. This includes information such as submission documents, registration certificates, product references to standards and essential principles, and regulatory authority communications. The RIM solution is the original “source of truth” for this information.
As a result, RIM solutions provide regulatory teams with control over critical data, such as “available to sell” flags at a product version and country or market level. This ensures that the regulatory team is managing a product’s availability to be sold, market-by-market, based on its regulatory status in each market.
Integrated data
Regulatory teams require data from across the organization to manage submissions and other regulatory activities. A strong RIM solution will provide for integration with PLM, eQMS, eDMS, ERP, and other solutions that typically house information used by regulatory teams. For example, the design and engineering teams will likely utilize a PLM system to manage product details and revisions. While that data is needed by the regulatory team, it is owned by the design and engineering teams and belongs in their PLM system.
Rimsys provides secure API endpoints that simplify integration with nearly any system with a REST API.
Rimsys also simplifies compliance with 21CFR part 11 and other regulations by providing complete and easy-to-read activity logs for all actions taken within the software.
To learn more about how Rimsys can be your master data management system, schedule a time with one of our product experts to see Rimsys in action.
EU country-specific medical device registration requirements
There are 27 member states that belong to the European Union (EU), along with additional countries that participate in the European Economic Area (EEA) and the EU’s single market. One of the benefits of belonging to the EU is the unification of regulations for medical devices and in-vitro diagnostics. As you know, registering medtech devices (ultimately known as applying the CE Mark) is a complex process. Applying the CE Mark allows your devices to easily be imported and sold throughout Europe.
Some of the member states and those participating in the single market require additional registration steps beyond those required by the EU for class IIa, class IIb, and class III medical devices. In general, a medical device manufacturer is required to submit a registration form and/or enter information in the online database before placing the product on the market. Typically, this notification includes the upload of a localized label, instructions for use, Declaration of Conformity, and the CE certificate.
The additional registration requirements apply to manufacturers outside of the EU who wish to market devices in an EU member country. Most markets will also have additional or different registration requirements for local Authorized Representatives and Manufacturers. Once EUDAMED is fully implemented, the assumption is that most of these country-specific registration requirements will be removed.
The table below lists all 27 EU member states, along with additional countries that participate in the EU single market. This table is for reference only – Regulatory professionals are urged to consult country Competent Authority websites for country-specific requirements.
* Countries not in the EU
+ Devices supported by Finnish distributors to hospitals and retailers require notification.
++ Registration may be required if an importer, authorized representative, or manufacturer located in Germany is placing the product on the market for the first time.
Note: Specific requirements for local economic operators are not included here and may include both additional entity and device registration requirements.
FDA transition plans for Covid-19-related medical devices
New guidance
The FDA has issued two final guidance documents intended to assist with transition plans for medical devices that are currently being distributed under emergency use authorizations (EUAs) or that fall under specific policies issued to support the response to the COVID-19 pandemic. The agency states that they recognize that it will take time for manufacturers and others to adjust to “normal operations” as policies adopted during the pandemic come to an end. However, they are recommending that organizations move quickly to plan their regulatory strategy and engage with the agency where necessary.
The two guidance documents are:
- Transition Plan for Medical Devices Issued Emergency Use Authorizations (EUAs) Related to Coronavirus Disease 2019 (COVID-19) Guidance
- Transition Plan for Medical Devices that Fall Within Enforcement Policies Issued During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency
Transition periods
Advance notices will be published in the Federal Register for each EUA declaration 180 days prior to the termination of the EUA.
For devices that fall within enforcement policies issued during the COVID-19 public health emergency (PHE), a 180-day transition period is also available and will begin following the expiration of the section 319 PHE declaration. Manufacturers should refer to the following “list 1” COVID-19 public health emergency enforcement policies for more detail:
- Digital pathology devices
- Imaging systems
- Non-invasive fetal and maternal monitoring devices
- Telethermographic systems
- Treating psychiatric disorders
- Extracorporeal membrane oxygenation and cardiopulmonary bypass devices
The FDA’s stated intent with this guidance is to, among other things, “help avoid disruption in device supply and help facilitate compliance with applicable FD&C act requirements after the termination of the relevant EUA declaration…”
Guiding principles
The following guiding principles are taken directly from the guidance documents listed at the beginning of this article, and they are the same in both documents.
- This guidance is intended to help facilitate continued patient, consumer, and healthcare provider access to devices needed in the prevention, treatment, and diagnosis of COVID19.
- FDA believes the policies and recommendations in this guidance will help to ensure an orderly and transparent transition for devices that fall within the scope of this guidance. FDA’s policies and recommendations in this guidance are consistent with the Agency’s statutory mission to both protect and promote the public health.
- FDA’s policies and recommendations follow, among other things, a risk-based approach with consideration of differences in the intended use and regulatory history of devices, including whether the device is life-supporting or life-sustaining, capital or reusable equipment, a single-use device, and whether another version of the device is FDA cleared or -approved.
- As always, FDA will make case-by-case decisions regarding the enforcement of legal requirements in response to particular circumstances and questions that arise regarding a specific device or device type. This may include FDA revising or revoking an EUA,29 requesting a firm initiate a recall (see 21 CFR 7.45), or taking other actions, including an enforcement action. Moreover, FDA may revise the enforcement policies and recommendations in the guidance, as appropriate.
Do not wait to submit marketing submissions
Manufacturers who intend to seek market authorization for devices currently under COVID-19-related EUAs should begin working on their market submission and transition implementation plan as soon as possible. The CDRH is encouraging organizations that want to continue marketing their device, and need a marketing submission, to take advantage of the full transition period, including submitting a pre-submission if needed. The pre-submission process allows for early interactions with the CDRH.
Nonconformance reporting for medical device manufacturers
Defining nonconformance
Very simply, a nonconformance occurs when a specification is not met. The FDA defines a specification in 21 CFR 820.3 as “any requirement with which a product, process, service, or other activity must conform,” and ISO 13485:2016 as a “need or expectation that is stated, generally implied, or obligatory.”
While managing nonconformance starts with fully defining specifications; it is the identification, tracking, and resolution of nonconformance that is a focus of medtech quality and regulatory teams and a requirement of both ISO 13485:2016 and the FDA’s 21 CFR Part 820 quality system regulation.
Identifying nonconformance occurrences
As part of a compliant quality system, medical device manufacturers should implement procedures to identify and address both major and minor non-conformances. Nonconformances may be identified through processes found in multiple subsystems that are part of an overall quality management system within the organization.
The systems and subsystems in which nonconformances are identified typically include:
- ERP
- Regulatory information management (RIM)
- Product lifecycle management (PLM)
- Document management
- Customer service / customer management
- Complaint handling
- Device history records
- Audit management
- CAPA
- Training/learning management
- Calibration/preventative maintenance
- Development change management
Evaluating nonconformance
Once a nonconformance is identified, it should be evaluated in a timely manner, and a determination made as to the disposition of any affected products. Requirements for additional investigation and reporting should also be identified. Based on the severity of the nonconformance and its effect on the safety and efficacy of devices being manufactured or already in the market, a CAPA (corrective/preventative action) record may need to be created. In the U.S., this is defined in the quality regulation 21 CFR Part 820.100.
To disposition a nonconformance, consider the following:
- Will the existing system detect the nonconformance if it recurs in time for remediation?
- How likely is it that this issue will recur?
- What is the impact of the non-conformance (i.e., could it affect patient health)?
Issues that are more severe or are more likely to recur should trigger a more immediate and comprehensive response.
Nonconformances that are escalated and handled under CAPA are based on risk and can include those that have or could have an impact on a product or process that is:
- Not easily corrected
- Recurring
- Severe
In addition, nonconformances that rise to the level of a CAPA require significant resources and typically result in a full project to identify root cause(s), containment, and corrective actions, and monitoring for effectiveness.
Nonconformances that don’t require a CAPA have simpler resolutions that include documenting actions taken to correct the issue (or justification for no action). If the issue is not recurring, there may be no other action required. For example, a nonconforming material received from a vendor may be a singular issue that was easily identified through existing inspection procedures and is not expected to recur. In this case, the material is returned to the vendor and no additional action is required.
Processes that are out of conformance are often resolved through improved documentation and/or additional user training. However, be sure that the true root cause of the nonconformance is identified as procedural nonconformances can signal additional issues.
Documenting nonconformances
An important part of nonconformance procedures is the nonconformance report (NCR) or other documentation procedures. Nonconformances are typically documented within the subsystem in which they were identified. Some organizations will have a nonconforming system in which issues originating from all subsystems are documented. Centralized nonconformance systems allow for trending and other analysis across all subsystems, the results of which may generate CAPAs.
The requirements for documenting a nonconformance may vary by subsystem. In general, however, nonconformance documentation records:
- The requirement/specification that was not met.
- The objective evidence supporting the determination.
- The action that is being taken to address the nonconformity.
Nonconformances are a common point of focus during quality audits by regulatory bodies, including the FDA, and should follow a well-documented process. Auditors will often try to determine if the quality system is functioning effectively by looking at self-identified nonconformances and comparing them to externally reported nonconformances. This is to ensure that nonconforming products were not released, or that the appropriate actions were taken to resolve issues in the field.
The importance of nonconformance reports
Nonconformances related to distributed products of higher risk result in nonconformance reports issued to government authorities through vigilance reporting, medical device reporting, and field action/recall reports. For example, the FDA requires that a medical device report be submitted within 30 days of a serious adverse event (see 21 CFR Part 803 Subpart E). Strong reporting procedures for nonconformances of all types are important in identifying trends, addressing issues before they become critical, and as part of a complete quality management system.
A nonconformance reporting procedure is only part of a strong quality system. Read An overview of 21 CFR part 820 and ISO 13485 overview for more information on establishing quality systems for medtech companies.
Regulatory strategy as a competitive advantage
This article is an excerpt from the Regulatory strategy as a competitive advantage ebook.
Table of Contents
- The regulatory revenue opportunity
- Regulatory responsibilities
- Limitations of the "cost-center" approach to regulatory affairs
- Regulatory as a revenue function
- Competitive advantage #1: Faster time to market
- Competitive advantage #2: Cost avoidance
- Competitive advantage #3: Out-pacing competitors
- Why invest in regulatory/revenue alignment?
- Getting started - 3 steps to move towards a revenue-aligned RA team
It is well known that medical technology (medtech) companies are highly regulated, given the potential risks their products present. Understanding and complying with the complex regulations in each country is, therefore, a necessary part of marketing and selling medical devices. To realize any revenue from a medical device, it must not only demonstrate compliance with all applicable regulations, it must also receive and maintain market clearance from each country in which it is to be sold. No market clearance means no revenue. Given the key role regulatory compliance plays in revenue attainment, regulatory teams, tools, and processes present a significant opportunity for differentiation for organizations willing to invest in them.
For the majority of medtech companies, however, regulatory departments have traditionally been treated as operational cost centers, with departmental improvements focused on cost reduction and efficiency improvements. Limited investment in people and tools, and limited interest in digital transformation, have left regulatory teams across the medtech industry underfunded and under-resourced.
This has led to great resourcefulness within the RA community, where most members can point to heroes within their team who worked long hours to meet a submission deadline, headed off a disaster by uncovering a pending expiration, created ad-hoc systems to organize information and streamline communication between the RA and QA teams for smoother audits, or have otherwise gone above and beyond their typical responsibilities.
Regulatory teams, however, have the potential to be a revenue-driving competitive weapon for companies that are willing to look at them a little differently and invest in regulatory performance above regulatory cost-effectiveness. Well-supported regulatory teams can provide a true competitive advantage by providing the resources and direction to:
- Capture market share by being first to market with novel devices.
- Avoid lost revenue by effectively tracking and planning for registration renewals/updates.
- Out-pace competitors and grow market share by adapting to regulatory changes more quickly and taking advantage of competitors’ non-compliance or inability to enter a new market.
We believe we are entering a new era for regulatory affairs within the medtech industry. One in which RA teams have a seat at the table when go-to-market, competitive positioning, and strategic decisions are being made.
In the medtech industry, regulatory affairs (RA) teams have a broad range of responsibilities across the product lifecycle:
Premarket regulatory strategy
Obtaining market clearance for a new medical device is the primary activity typically attributed to RA teams. It is not unusual for a regulatory team to be given market entrance projects with little warning, but ideally, the RA team would be brought in as early as possible to contribute to go-to-market discussions.
Premarket regulatory strategy, at a minimum, involves:
- Determining the most appropriate pathway to market approval. For example, a 510(k) or PMA submission in the U.S.
- Working with quality, product, and other teams to gather information needed for market submission.
- Establishing communication with applicable regulatory bodies and third-party approved auditors.
- Compiling and submitting required documentation for market approval. This includes managing follow-up activities, questions, and requests for additional information throughout the approval process.
Forward-thinking organizations often look to bring in RA teams even earlier in the process. As regulatory experts, RA professionals can provide unique insight into product development plans. In consultation with R&D teams, can help to refine product strategies, and steer development in areas that will reduce regulatory hurdles when new products are ready to be commercialized.
Maintaining regulatory compliance for existing products
While the primary focus of regulatory teams is often considered to be new market submissions, the majority of their time is actually spent on maintaining compliance for products that are already in-market. Even in situations where market registrations do not expire, constant vigilance is required to ensure that devices remain compliant with current regulations. These efforts take a considerable time for a typical RA team because information is often spread across disparate systems, where it can be difficult to find and confirm.
Maintaining regulatory compliance for approved devices includes:
- Staying on top of changing standards and making changes as required to existing technical files and other documentation.
- Submitting appropriate documentation updates when there is a change made that could potentially affect the efficacy or safety of the product, such as a material switch or facility change.
- Understanding pending regulatory changes and proactively addressing any that have an impact on devices currently in-market.
- Tracking registration expirations and preparing for timely re-submissions to ensure there is no lapse in market clearance.
Post-market activity
Post-market surveillance and vigilance activities are required by most countries and should involve the cooperation of the quality and regulatory teams. Ensuring that changing post-market reporting requirements are understood and complied with is an important regulatory responsibility.
Regulatory teams typically play a role in:
- Post-market surveillance of adverse events, complaints, and any issues associated with a device in the field.
- Assembling and submitting any required periodic safety reports to country/regional health authorities.
- Post-market vigilance and reporting of serious events to the appropriate regulatory agencies.
- Any required communication with regulatory authorities regarding adverse events or concerning trends in product quality.
Ask any RA professional, and they are likely to tell you that they work long hours and are often scrambling to meet looming deadlines...
To continue reading this ebook, download the full version.
Essential principles
What are Essential Principles?
Essential Principles (EPs) are requirements established by a country’s health agency. Medical device manufacturers need to prove that they comply with these requirements in order to sell their device in each country where they are required. This is often tracked in a burdensome table in which each requirement is explained by applicable standards and other items used to demonstrate compliance with each requirement. The manufacturer will link their evidence files to prove that they meet the requirement or provide an explanation as to why it is not applicable in their situation.
Think of this like cliff-notes for the submission and related documents. Submission documents, their locations, and explanations can all vary depending on the device type, manufacturer, and their processes.
What countries require Essential Principles?
Not every country requires EPs for their submissions. Some of the main countries that do require them include:
- The European Union – where they are called General Safety and Performance Requirements (GSPR)
- Australia
- Malaysia
- Singapore (accepts EU documentation in most cases)
- China
What do Essential Principles look like?
GSPR (General Safety and Performance Requirements) in the European Union are an example of Essential Principles requirements. The language in the GSPR comes directly from Annex 1 of the EU MDR of 745/2017 for medical devices and EU IVDR 2017/746 for in-vitro diagnostic devices. Medical device manufacturers are taking the text of this regulation, numbering and all, and documenting whether they apply to it, the standards that they apply to, and then providing their evidence.
Let’s look at an example that directly comes from EU MDR 2017/745, Regulatory text, Annex I, 7th requirement:
“Devices shall be designed, manufactured and packaged in such a way that their characteristics and performance during their intended use are not adversely affected during transport and storage, for example, through fluctuations of temperature and humidity, taking account of the instructions and information provided by the manufacturer.”
The validation of the Essential Principles for this particular requirement would be displayed in a table like the one below. Note that the description column in the table and in the EU MDR regulatory requirement are identical to each other.
These tables change constantly, and it is a large administrative burden on the regulatory professional to quickly identify changes, perform a gap analysis (check for changes and do testing if needed), and update the tables when required. In addition, we have seen the following issues caused by changing standards:
- Large companies can have hundreds to thousands of Essential Principles tables. Without a bulk upload, this can take an incredibly long time to process all of those documents.
- Errors can occur with standards updates by missing a product that is associated to a standard.
- If a gap analysis is done too late and testing a product to a revised or new standard is required - your product might need to be blocked from a market for months, which could mean massive revenue loss.
- Accidentally missing a reference to new testing data because only the standard was updated.
Rimsys allows regulatory professionals to be notified of standard changes and even do bulk additions and deletions of documents, standards and certificates to your Essential Principles Tables, which can save regulatory professionals countless hours in administrative work. For more information on how one of our customers benefited from our Essential Principles tool, reducing their EP and GSPR maintenance by 99%, read our Bisco case study.
