Corrections, Corrective Actions, and Preventive Actions: Effectively Handling Nonconformances in Compliance with the EU MDR

EU MDR Supplier Quality Requirements: Convergence of Best Practice and Regulation

EU MDR Supplier Quality Requirements are examined in my latest contribution to MedTech Intelligence:

https://www.medtechintelligence.com/column/eu-mdr-supplier-quality-requirements-convergence-of-best-practice-and-regulation/

Beyond the Checkbox

Bryan has given the blog a short summer vacation!  Please see the link below for an article Bryan contributed to MedTech Intelligence.  More content and linked articles will follow soon!

https://www.medtechintelligence.com/column/beyond-the-checkbox/

Acquisitions and Investment: Quality and Regulatory Due Diligence

Two activities regularly follow an acquisition or investment with inadequate quality and regulatory due diligence or no due diligence at all: recalls and remediation.  Medical device manufacturing firms eager for investment or acquisition may be taxed for resources and eager to present a rosier picture than truly exists.  This can lead to quality and regulatory breakdowns with little or no visibility to the investor or buyer.  This article reviews three of the significant breakdowns I’ve observed and how these complications went unnoticed with inadequate quality and regulatory due diligence.

REGULATORY RISKS

In seeking to increase market share and win over key opinion leaders to champion their products, an implant manufacturing firm expanded several product lines.  Several of these product line extensions were outside of the scope of FDA clearance.  Letters to file were written to justify only some changes to products that were implemented without refiling.  In some cases, the changes were arguably within the scope of the original clearance but nonetheless challenging to defend in an FDA inspection.  Other product line extensions included significant dimensional and geometry changes well outside of the bounds cleared by the FDA in the 510(k) applications for the product lines.  Furthermore, these parameter changes resulted in new risks and exceeded parameters of other existing products marketed by other companies.  This oversight resulted in significant regulatory and legal liability for the new owners of the company.  The resulting recall of unapproved products impacted the company’s reputation and resulted in scrutiny by the Food and Drug Administration.

How did this happen?  The target company was careless in extending product lines and changes were made without the appropriate authorization from the company’s regulatory department.  The due diligence team of the buyer reviewed regulatory submissions and letters to file but did not review the product technical documentation for regulatory compliance.  Since no submission was filed and no letter to file was generated for the product family in question, the team did not identify this non-compliance.

PROCESS FAILURES

A company with a seemingly lucrative contract for OEM manufacturing was an appealing target for acquisition due to the high revenue generated in part by the contracted products.  The OEM products were all single-use, sterile surgical instruments.  The due diligence team evaluated samples of finished, packaged product provided by the acquiree and reviewed some technical documentation including product specifications.  The products and product packaging appeared appropriate and equivalent to similar, competing products.  However, multiple problems were identified after acquisition:

- Inappropriate packaging material selection resulting in packaging debris within some packages

- Improperly designed packaging systems resulting in packaging damage during shipping and thus non-sterile product

- Sterile packaging process errors resulting in non-sterile product

- Improper sterilization validations possibly resulting in inadequately sterilized product

- Erroneous labeling due to inadequate labeling controls

The cost of the resulting recall, redesign and testing of the packaging, labeling corrections, and sterilization validation resulted in a substantial loss immediately after acquisition.  The products were backordered for months during these product remediation activities.  Furthermore, the related quality system remediation significantly tied up internal human resources.  Lastly, the relationship with the own-branding company was damaged and the revenue calculated during due diligence decreased significantly.

How did this happen?  Egregious lack of basic quality management at the target company resulted in failures with process validation, process control, design control, and packaging validation.  The company maintained the required procedures for these activities, but employees did not follow them.  No employees had undergone training in these areas and there was absentee management across all quality and regulatory areas.  The due diligence team reviewed product documentation and high-level process documentation but did not probe records generated through these activities.  No assessment of training records or on-site evaluation of operations was performed by individuals with quality or operations experience. When product samples were requested, they were “cherry-picked” to provide the best-looking packaging.  An auditing approach to due diligence may have prevented this acquisition or, at least, resulted in a more appropriate valuation of the target.

PRODUCT PERFORMANCE & POST-MARKET SURVEILLANCE

During due diligence for an acquisition, the acquiring company requested complaint files and adverse event reports (both terms having specific definitions in the medical device world).  The target company provided records which demonstrated that few complaints were reported and very few adverse events had occurred during the use of the device. 

After acquisition and during integration of quality system processes into the parent company, the quality personnel discovered that numerous reports alleging product failures were received by the company but were not categorized as “complaints” or “reportable adverse events”.  Due to the use of informal and incorrect terminology, these events were categorized as:

- “pre-complaints” indicating that the information may constitute a complaint, but a final determination was not pursued

- “non-complaints” because the company erroneously determined the information did not constitute a complaint

- “non-events” because the company’s regulatory consultant falsely determined that the adverse event did not meet the criteria for reporting

Furthermore, most product failures were associated with one accessory – the top selling accessory used in each surgery.  Numerous adverse event reports were filed with the FDA by one user facility, prompting an investigation by the FDA into the reported events.  The following activities were required to rectify the situation:

- Retrospective reporting of adverse events to the Food and Drug Administration

- Customer advisory notice (classified as a recall) to prevent product failures during use of existing hospital inventory

- Quality system corrective and preventive actions with the resulting actions reported to the FDA per their mandate (including the revision of procedures and retraining of all employees)

- Redesign of the accessory to prevent failures

- Revisions to the instructions for use to prevent failures and adverse events

How did this happen? The target company was eager to stifle bad news about their products and was fearful of action by FDA in response to reporting product issues.  The company attempted to be creative with the regulatory definitions and requirements (not an altogether uncommon practice) to justify decisions and developed their own terminology to skirt requirements.  The due diligence team, blinded by optimism and eager to close the deal, did not delve further and trusted that the provided information was the totality of information regarding product failures.  The due diligence team specifically requested product complaint files and adverse event reports.  Since they inadvertently limited the scope of their request, not all information related to the performance of product in the field was divulged.  Auditing techniques that would have identified this information were not employed by the due diligence team.

RECOMMENDATIONS

As you can imagine, the case studies above do not represent the only problems in each target company.  However, these situations were chosen to succinctly highlight the importance of thorough due diligence using publicly available information to maintain confidentiality.  In performing due diligence for an acquisition or investment, I recommend the following:

- Hire a quality and regulatory consultant and auditor with experience working with numerous and varied companies to ensure adequate investigation and probing.  If you have had some exposure to quality and regulatory matters, don’t assume a basic understanding is adequate to identify risks like those described above.

- Ask open-ended and general questions to avoid receiving limited information; be mindful of any inadvertent restrictions in how you phrase requests.

- Use a top-down assessment of the Quality Management System in addition to product-specific reviews.  Quality processes can have a substantial impact on product.

- Perform a checklist and process-based assessment of the quality management system and regulatory files to ensure a thorough assessment.

- Don’t let the excitement of the acquisition or investment prevent you from investigating adequately.  Identifying compliance or liability issues won’t necessarily terminate the deal; it will allow a fair valuation.

If you would like expert quality and regulatory support for due diligence, contact Brosseau Consulting LLC by email to bryan@brosseauconsult.com or by telephone at 770-855-7372.  I can help prevent buyer’s remorse by providing experienced quality and regulatory support during due diligence.

Economic Operators: A Supplier Quality Approach for Manufacturers

While the existing Medical Devices Directive addresses requirements for authorized representatives, importers, and distributors, the new EU Medical Device Regulation contains additional requirements for these entities. The EU MDR introduces a new term, “economic operator”.  Economic operator means a manufacturer, authorized representative, importer, distributor, entity that combines products into systems or procedure packs, or entity that sterilizes systems or procedure packs for distribution.  Requirements for the organizations now termed “economic operators” have increased under the new EU MDR. While the requirements generally require entities to assess compliance upstream, I recommend that manufacturers also assess compliance of downstream economic operators (e.g. importers and distributors). If not before, these organizations are now providing services commensurate with what is typically considered from suppliers. Consider applying elements of supplier management best practices to ensure all organizations involved in the distribution of your products in the EU comply with the MDR.  In some cases, you may already be aware that some economic operators are struggling with the new requirements. By acting now, you ensure your business partners are prepared and reduce the risk of distribution interruption in the EU.

A manufacturer’s current agreements with importers, distributors, and authorized representatives should spell out all existing regulatory requirements.  This includes maintaining product traceability, proper storage of product (particularly those with specific storage conditions), reporting adverse events to the manufacturer, and assisting in the event of any field safety corrective actions (recalls).  This article describes additional requirements to be met by economic operators, how a manufacturer might verify or assist with their compliance, and manufacturers’ obligations regarding other economic operators.

GENERAL REQUIREMENTS

The MDR contains new and revised general requirements for economic operators.  The applicability of some previous requirements is expanded to include all economic operators (e.g. post-market surveillance). In other cases, completely new processes are introduced (e.g. Eudamed registration).

Communication and Post-Market

Requirements for the manufacturer’s quality management system now include procedures for handling communications with economic operators. Ensure that your procedures for handling complaints, feedback, and adverse event reports define economic operators and how such information received from them is handled in your organization. Verify that such procedures meet the new requirements for post-market surveillance.

The post-market surveillance plan required per Article 84 of the MDR must include methods and protocols to communicate effectively with competent authorities, notified bodies, economic operators and users. By definition in the regulation, “post-market surveillance” includes economic operators as participants. You must proactively engage economic operators to ensure adequate collection of post-market data for evaluating real-world device safety and performance.  Therefore, coordination with all economic operators is required in developing and executing your post-market surveillance plan. By relying on economic operators for this participation, their compliance is critical and should be verified.

Post-market surveillance is not the only area requiring communication with economic operators. Consider other areas where communications are received from economic operators and apply similar procedural and contractual requirements (processing of orders, patient confidentiality, user inputs for design and development, contracts, etc.).

Traceability

Upon request by a competent authority, economic operators must identify any organization to whom they have supplied a medical device or from whom they have received a medical device. Additionally, economic operators must keep and store the unique device identifier (UDI) of certain devices they have received or distributed.  This requirement for UDI records applies to Class III implantable devices as well as any group of devices determined by the EU commission in the future. As part of your ongoing regulatory intelligence strategy, ensure your organization is prepared to address this requirement when these devices are identified by the commission.

Verify each economic operator maintains detailed distribution records and can make such information available to the competent authorities upon request.  Ensure any systems used by you or an economic operator for inventory control and distribution meet these requirements. Also, don’t forget to assess any electronic systems for validation requirements.

Registration

Electronic registration (in Eudamed) of economic operators will be required and a single registration number (SRN) will be assigned to each.[1] Manufacturers will use their SRN to register devices by UDI and apply to the notified body for conformity assessment. Some economic operators will also reference the applicable UDIs in their registrations.

All economic operators must register in Eudamed prior to placing a device on the market and must update data in the system within one week of any change. Electronic registration is not limited to devices with certificates issued under the new regulation; you also must register devices with certificates issued under previous regulation (Directive 90/385/EEC or Directive 93/42/EEC). Section 1 of Part A of Annex VI outlines the specific information that must be entered in Eudamed for economic operators.

Ensure you have a plan for using Eudamed and for ensuring all economic operators are prepared. Notify downstream economic operators when you have entered information into Eudamed and confirm when they have done so.

Competent Authority Requests and Inspections

Economic operators must be prepared to provide the competent authorities with technical documentation or samples of devices free of charge. And, economic operators are subject to unannounced inspections by the competent authorities. Therefore, each economic operator should have documented procedures or policy to comply with these requirements.  Or, at a minimum, these requirements should be documented in your contracts or agreements with economic operators. For example, your agreement should include a requirement for the economic operator to notify you if a competent authority arrives for an unannounced inspection.

Economic operators must also cooperate with actions taken by the competent authorities when they believe a device does not comply with the regulations or presents an unacceptable risk to users, patients, other persons, or public health. The regulation apportions the responsibility for such corrective actions across all economic operators. Therefore, each economic operator in the supply chain must cooperate with the others in recalling devices or otherwise remedying a problem with distributed product. Where an economic operator fails to address non-compliance within the timeframe specified by the authorities, the applicable national government will intervene to ensure the affected product is no longer available on the market. This means it is preferable for all involved economic operators to handle such situations quickly and efficiently to avoid intervention by the member states.

These interrelated responsibilities must be clearly defined across your organization and all economic operators.  Your agreements with economic operators and your procedures are the best places to describe these general responsibilities and the specific requirements described in the following section. Verify that your procedures are consistent with your economic operators’ procedures or policies.

SPECIFIC REQUIREMENTS

Articles 11 through 14 identify obligations for the following specific economic operators: authorized representatives, importers, and distributors.

Authorized Representatives

Each manufacturer is required to designate an authorized representative in the European Union.  This is not a new general requirement and you should already have an authorized representative if you are placing devices on the market in the EU (or “putting them into service” as defined in the MDR). There may be only one authorized representative for each device or device family. An agreement (called a “mandate” in the MDR) between the manufacturer and authorized representative must be maintained which outlines the authorized representative’s new responsibilities and requires the authorized representative to:

- verify the manufacturer’s declaration of conformity, technical documentation, and correct conformity assessment for the devices covered by the agreement

- maintain the documentation in the bullet above as well as applicable certificates (record retention requirements outlined in the MDR apply)

- comply with the applicable requirements in the EU MDR

- provide information (directly) or samples (through request to the manufacturer) upon request from competent authorities and cooperate with competent authorities on corrective or preventive action to mitigate risks related to devices covered by the agreement

- forward reports of incidents associated with the devices to the manufacturer

- terminate the agreement with the manufacturer if the manufacturer does not comply with the EU MDR

Other responsibilities for the authorized representative include accepting liability for defective devices and reporting to the competent authority the termination of an agreement with a manufacturer. The agreement must also define arrangements for a change in the manufacturer’s authorized representative (see Article 12 for details). If desired, the manufacturer may identify other responsibilities for the authorized representative in the agreement.

As representation in the EU, the authorized representative is identified in numerous documents. The authorized representative must be identified in the declaration of conformity, product labeling, and the UDI record in the Eudamed database.  The authorized representative will also be identified on certificates issued by the notified body. You should already identify your authorized representative in your product labeling, but you will need to plan for Eudamed as described in the section titled ‘Registration’ above.

Like manufacturers, each authorized representative must have a “Person responsible for regulatory compliance”.  Refer to Article 15 for the detailed requirements associated with this role. I recommend documenting the required communication between the regulatory compliance personnel at your organization and the authorized representative.  This is particularly important for incident reporting requirements, post-market surveillance, and changes in technical documentation.

Importers

Importers may only place devices on the market in the EU after verifying compliance with the EU MDR. Importers must:

- verify the device is CE-marked, has a declaration of conformity, and has compliant labeling including the unique device identifier (UDI) and instructions for use

- verify the manufacturer has an authorized representative in the EU

- provide any requested information to the manufacturer, authorized representative and distributor for the investigation of complaints

- ensure devices are stored under the specified conditions

- maintain any relevant certificates and declarations of conformity generated by the manufacturer for the devices imported

- identify the importer’s name and address on product labeling without obscuring the manufacturer’s original information.

Article 13 also outlines requirements for an importer if they believe the device may be out of compliance with the regulation, to mitigate any risks posed by a device after it is placed on the market, or in the event of a falsified device. A falsified device is a device with a deliberately false presentation of its identity, source, CE marking certificates and/or documents relating to CE marking procedures.

Distributors

Like importers, distributors may only place devices on the market in the EU after verifying they comply with the EU MDR. Distributors must:

- verify the device is CE-marked and has a declaration of conformity

- verify that the importer for the device (if applicable) meets the requirements for importers

- verify that the manufacturer has provided the required information with the device and has assigned a UDI

- ensure devices are stored under the specified conditions

- maintain any relevant certificates and declarations of conformity generated by the manufacturer for the devices distributed

- provide information to the competent authority upon request to demonstrate conformity of the device (alternatively, the distributor may ensure that the manufacturer or authorized representative will provide this information upon request)

To ensure the devices meet these requirements, the distributor may sample devices for inspection. 

Article 14 also outlines requirements for distributors if they believe the device may be out of compliance with the regulation, to mitigate any risks posed by a device after it is placed on the market, or in the event of a falsified device.

Manufacturer Obligations Imposed on Economic Operators

If an economic operator “own-brands” a device, changes the intended purpose of the device, or modifies the device in certain matters, that economic operator assumes the regulatory obligations of a manufacturer.  Exceptions are provided for certain types of repackaging and relabeling where the device, its safety, and its intended use are not affected (e.g. translation of labeling). Assess any activities performed by your economic operators to verify that manufacturer obligations are met if required.

As a manufacturer, you will need to verify that responsibilities are clearly delineated between you and the other economic operators. And, you must verify that each economic operator is performing its duties as defined in the MDR and your agreement with them. The information presented in this article provides a summary of requirements and recommendations, but you should ultimately determine the method that best works for you and your economic operators. With varying resources and levels of experience, your economic operators will likely require varying levels of assistance in preparing for MDR.

RECOMMENDATIONS

To ensure business partners who meet the definition of economic operators are compliant with new requirements and to ensure uninterrupted operations in the European Union, I recommend the following:

1. Contact economic operators now to verify their awareness of new requirements and assess their plan for compliance.  Consider forwarding them this article to help them understand requirements.

2. Review Articles 11 to 14 in detail to determine requirements for economic operators associated with your devices.

3. Revise your contracts and agreements with economic operators to incorporate new requirements.

4. Plan to assess economic operators in some manner. If you haven’t already done so, consider adding economic operators to your supplier quality program. Also consider adding them to your audit schedule to assess compliance to the EU MDR.

5. As with other changes for EU MDR, revise your own policies and procedures for compliance with these new requirements.

While you are organizing for your own compliance to the EU MDR, assisting your economic operators with the transition may seem burdensome. Contact Brosseau Consulting LLC to assist your economic operators with the transition, perform assessments of their compliance, or to assist with your own transition to the EU MDR. I am available by email to bryan@brosseauconsult.com or by telephone at 770-855-7372.

 

[1] Of note, the regulation specifically identifies a contingency if Eudamed is not fully functional by May 26, 2020. Refer to Article 123, paragraph 3, subparagraph (d) of the MDR for details.

Preparing for an FDA Inspection or Unannounced Notified Body Audit

To begin, let me advise that there is no crystal ball for FDA inspections and unannounced Notified Body audits and no single tool to guarantee you a successful outcome. There are numerous variables that all contribute to the results of an FDA inspection or Notified Body audit of your organization (I will refer to both as “inspections” for simplicity). There are however measures you can take to improve your chances of a successful inspection.

Two recent FDA inspections in which I participated had very similar results on paper - each company received a 483 with one or two relatively minor observations. However, the companies were in different states of compliance - one with a robust quality management system employing best practices and the other with numerous non-compliance and quality issues resulting in multiple recalls. 483s are now issued quite frequently and your goal should be to minimize, if not eliminate, any observations. For the latter example, the results could have been much worse. However, sufficient planning and preparation were employed in advance of the inspection. And, the audit was “managed” by me and the staff in a manner to minimize the findings. The best way to prepare for an inspection is to ensure your quality system is effective, your staff is ready, and you have experienced guidance during the inspection.

QUALITY PLANNING

The first step in preparing for an inspection is to ready your quality management system. An effective quality management system (QMS) is a regulatory requirement and critical to the safety of your patients and the satisfaction of your customers.   Therefore, regardless of any upcoming inspection you should ensure your QMS is effective. You likely already have a good idea of any weaknesses in your QMS. My recommendation is to establish a documented plan for improving these areas to:

a) ensure that improvement efforts for weak areas are monitored and actively managed,

b) engage staff and promote quality at all levels of the organization, and

c) demonstrate to any inspectors that you recognize the need for improvement and are acting on this need.

I have extensive experience in the effectiveness of this strategy in remedying non-compliance and mitigating inspection risks. As you work through the plan, you may identify QMS process linkages that need to be strengthened or other areas that require improvement. Feel free to modify the plan at any time (using revision control of course) to add additional requirements. You may use your existing quality system monitoring and improvement methods to track progress of the action items.

Assign action items to responsible members of your company with authority for implementing changes and hold them accountable. I recommend weekly meetings to assess the progress and ensure the plan is completed in a timely manner, particularly if substantial remediation is required. If the team is progressing quickly through action items, recognize their accomplishments and give them additional time to work on their action items by reducing the frequency of the recurring meetings. Ultimately, their responsibilities and success in your organization are also affected in the event of an unsuccessful inspection. It is easier to prevent an FDA 483 or warning letter concurrently with existing workload than it is to remedy a 483 or warning letter concurrently with existing workload. However, executive management must also recognize the efforts required and assign resources appropriately. Consider a consultant, temporary staff, or reassigning qualified staff temporarily to address quality system improvement efforts.  Remember, regulators are increasingly focused on management responsibility for the quality management system and assignment of adequate resources!

MOCK INSPECTION

Organizing a mock regulatory inspection of your facility is my second recommendation in preparing for the inevitable inspection. A mock regulatory inspection should be conducted by an independent auditor with substantial regulatory audit experience. This fresh perspective and experience from actual regulatory audits is important in identifying weak areas in your organization prior to an inspection. While you should preserve the mock inspector’s independence, I do advise you notify them of the areas for improvement you’ve already recognized. This will allow them to see those areas from a new perspective while also probing other areas of your quality management system for potential weakness. The results from the mock regulatory inspection may feed into your quality plan for QMS improvement described in the previous section (again, changes to the plan must be managed with revision control). Such mock inspections are also useful in providing a general assessment of the health of your QMS. Therefore, even if you’re not expecting an FDA inspection or unannounced audit from your Notified Body, mock regulatory inspections are quite useful. Also, a mock inspection may be leveraged as an internal audit.

The mock regulatory inspection also provides your company an opportunity to iron out the logistics of hosting an FDA inspection or unannounced Notified Body audit. That is, you can arrange the appropriate resources (conference room, computer, communication methods, staff resources, etc.), assign roles and responsibilities for inspections, and document a plan to follow when the inspector arrives at your door.  Particularly when you engage an independent auditor for this activity, you can evaluate your staff’s interaction with inspectors and auditors. This allows you to identify the best audit leads in your company and provide constructive feedback on their handling of the mock inspection.

IMPLEMENTING CHANGE

After identifying areas for improvement and establishing a plan, your team will begin changes to processes, procedures, forms, work instructions, and other documentation. Again, recognizing the resources required for such activities is the responsibility of executive management. For each change, your team should evaluate its feasibility, efficiency, complexity, and effectiveness in addressing the challenge. I recommend frequent and regular reminders to the team that added process steps or complexity do not necessarily improve the process. You must attain a healthy balance between documented procedural steps and verifiable employee competence and training. One recurring example where this balance is essential is for adverse event regulatory reporting (MDRs and Vigilance reports). There is no algorithm, flowchart, or other tool that can capture the detail of every adverse event and the various nuances and permutations. As such, trained and competent staff are essential, as are clear and unambiguous procedures. The natural tendency to add detail to procedures and additional fields to forms is understandable, but additional complexity presents opportunities for additional breakdowns. In an inspection, your staff must be able to confidently explain and defend processes requiring a combination of procedural detail and staff competence and training. Again, a mock regulatory inspection is valuable in preparing your staff for such a scenario.

The two main criteria by which your staff should judge processes and process changes are effectiveness and compliance to applicable regulations. I recommend that you make no revisions without comparing the changes to the applicable regulations. That is, employees should compare procedures to 21 CFR 820, ISO 13485:2016, Health Canada Medical Device Regulations, Australian Regulatory Guidelines for Medical Devices, Japan Pharmaceuticals and Medical Devices Act, or other regulatory requirements as applicable. One should literally open the regulations and compare them line by line to the procedures they are authoring, assessing, or revising. Consider documenting this line-by-line analysis in the change record for the revision.

To assess the effectiveness of these process changes, I recommend following the revised procedures for fictional scenarios while probing for potential breakdowns. These effectiveness verifications should be performed by the employees who will complete the actual tasks and documented in the report used to close out the quality plan. Consider also using this activity as a way of demonstrating competence for these employees. By observing or “scoring” staff on the processes, you are evaluating both the process and the employee.

SUMMARY OF RECOMMENDATIONS

This approach allows you to engage your staff, demonstrate executive management’s commitment to an effective quality management system, and let everyone experience ownership of quality. This empowers your staff, promotes quality within your organization, and establishes cohesiveness among your team. The efforts of identifying weaknesses and addressing them demonstrate to auditors and inspectors that you are committed to the continued effectiveness of your quality management system (a regulatory requirement!). When the auditor or inspector is convinced of this commitment, the outcome of the inspection will be more favorable. In summary, I leave you with these recommendations:

-  Engage executive management to obtain the necessary resources to prepare for inspections

-  Perform a mock regulatory inspection to identify areas of improvement

-  Implement QMS improvements through a quality plan with inputs from the mock inspection

-  Verify the effectiveness of the QMS improvements and the competence of your staff

If you would like to arrange a mock regulatory inspection, a quality system improvement plan, a contract internal audit, or any other quality services, please contact Brosseau Consulting. Or, we can discuss other options to improve your odds in a regulatory inspection. You can contact me by email at bryan@brosseauconsult.com or by telephone at 770-855-7372.

Risk Management Under the New EU Medical Device Regulation

The new EU Medical Device Regulation (Regulation 2017/745) adopts a more universally risk-based approach compared to the EU Medical Device Directive (93/42/EEC, the “MDD”).  The new regulation also aligns requirements for medical devices more closely with the harmonized standard for risk management (EN ISO 14971:2012).  More explicit requirements for manufacturers are laid out regarding the maintenance of a risk management program and life-cycle risk management.  Responsibilities and authority for both Notified Bodies and member states are defined. For example, the standard requires that notified body auditors must have knowledge and experience in risk management as well as device-related standards and guidance.  And, Competent Authorities will perform market surveillance which will include risk assessment and management.  This surveillance may include a review of documentation, evaluation of device samples, or announced and unannounced inspections of economic operators (review this definition and the associated regulatory requirements in detail!).  With the increased scrutiny on Notified Bodies and their increased responsibilities, manufacturers will likely find that Notified Bodies are less lenient on compliance to the requirements as they relate to risk.  For these reasons and to ensure continued device performance and safety, compliance to the more detailed regulatory requirements for risk management is imperative. 

The general requirements for risk management in the new regulation are familiar from the MDD and ISO 14971 albeit more explicitly described than in the MDD.  As before, devices are required to achieve the performance intended and must be designed and manufactured to fulfill their intended purpose. The devices must not compromise safety and the individual and cumulative risks must be outweighed by the clinical benefit.  Risk management is emphasized in the regulation as an iterative process throughout the entire lifecycle of a device (a key input in developing the new regulation was to implement more of a lifecycle approach).  The following are required for each device:

-  a risk management plan for each device

-  identification and analysis of possible hazards associated with each device

-  estimation of risk associated with the intended use and misuse of the device

-  risk mitigation (reduction or elimination of risk)

-  assessment of production and post-market information on the documented risk assessment

-  changes to control measures (e.g. safety by design, alarms, safety information) when required based on the assessment of production and post-market information

The first four points are currently addressed in the risk management files maintained by most manufacturers for their devices. However, weak linkages between production and post-market information and the risk management file are common. Additionally, where a “checkbox approach” to risk management is employed, device design (specifically, control measures) may not be adequately evaluated in response to production and post-market information. Consider strengthening procedures around risk management and production and post-market information to comply with these requirements.  Also ensure that you are evaluating the device design in response to post-market information.

Per the regulation, the manufacturer must establish, document, implement and maintain a system for risk management as part of the quality system.  Therefore, thorough documentation of requirements and procedures for risk management is required.  In other words, your risk management and related procedures (clinical evaluation, post-market surveillance, etc.) must provide clear instructions that are consistent with the regulation and contain the applicable elements.  If you currently have very basic procedures and forms and must verbally describe how your risk activities are performed, you will need to update your risk program.  For example, if you use Failure Modes and Effects Analysis (FMEA) with a rating system based on the combination of severity, occurrence, and/or detection, you must describe in your procedure how this document is generated, define the scoring system, and state how this document is linked to other documents (e.g. design inputs/outputs, hazard/harm listing, and historical data for the device or similar devices). The technical file for each device must include the results of the risk management process including the benefit-risk analysis, the solutions adopted to address risks, and the updated PSUR (see section below titled CLINICAL EVALUATION AND POST-MARKET SURVEILLANCE for more information regarding the PSUR).  All risk documentation for each product must be maintained and readily available per record retention requirements.

RISK MANAGEMENT DURING DESIGN AND BEYOND

Annex I contains the most detailed information for manufacturers regarding risk management during design. A side note: reprocessors assume risk management responsibilities to ensure the device properties are not changed with reprocessing and to address the use of the reprocessed device (essentially, reprocessors are treated as manufacturers in this regard). Risk control measures must be state of the art and adopted in the following order of priority:

1. Eliminate or reduce risks as far as possible through safe design and manufacture

2. Adequate protection measures for risks that cannot be eliminated (e.g. alarms)

3. Provide information or user training for safety and disclose any residual risks

Item 3, above, diverges slightly from the requirement of EN ISO 14971:2012 which allows the manufacturer to determine which residual risks are to be disclosed (for residual risks deemed acceptable).  The EU MDR simply states that the manufacturer “shall inform users of any residual risks” (refer to the section below titled RESIDUAL RISK for more information regarding this requirement).

As with the MDD, Annex I of the MDR provides general requirements for medical devices such as sterilization, material characteristics, performance requirements, etc. All risks associated with device characteristics must be eliminated or mitigated, and individual and cumulative risks must be acceptable when weighed against the benefit of the device. Each applicable technical aspect addressed in Annex I should be represented in the risk management file for your device. For example, if your device is provided sterile, you should consult areas addressing sterility in Annex I when assessing risks for your device. Of note, the regulation specifies that risk be evaluated for the device when used under the conditions and for the purposes intended. One does not need to wildly imagine scenarios where the device may cause risks when used in a manner that is grossly inconsistent with the labeled indication and instructions; however, for reasonably foreseeable misuse, those risks should be evaluated.

RESIDUAL RISK

Earlier, I mentioned the disclosure of risks to users as it relates to the current requirements in ISO 14971. The new regulation specifically prohibits manufacturers from “failing to inform the user or the patient of a likely risk associated with the use of the device in line with its intended purpose”. The regulation also allows manufacturers to use a pictogram following the CE Mark to identify any special risk.  I recommend defining the symbol in the labeling, especially if it is not defined in the harmonized standard ISO 15223-1. The use of risk mitigation is also applied to distributed devices as the regulation discusses corrective action taken for devices that have already been placed on the market. Therefore, residual risks must be addressed at every stage of the device lifecycle, including when those risks are identified after distribution.

CLINICAL EVALUATION AND POST-MARKET SURVEILLANCE

Risk management and clinical evaluation are interdependent and thus must be cross-referenced and updated concurrently and regularly. Clinical risks must be identified in the risk management file and addressed as part of clinical investigations, the clinical evaluation, and post-market clinical follow-up (PMCF). During the post-market phase, manufacturers must systematically and actively gather post-market information and update the technical documentation relating to risk assessment and clinical evaluation. The clinical evaluation must be performed according to a plan and include an assessment of nonclinical testing, clinical investigation results, and post-market information. Post-market information includes but is not limited to feedback, complaints, field corrective actions, recalls, etc. The PMCF plan should expand on these inputs to also include proactive solicitation of post-market information: consider clinical trials, clinical registries, or detailed and thorough solicitation of feedback from frequent users (for example, user surveys where you may account for the overall experience with your device at one or more specified facilities). Like the clinical evaluation plan, the PMCF plan must also be linked to the risk management processes. You must specify methods and procedures for identifying and analyzing emergent risks based on post-market evidence and referencing the risk management activities/documents for the device.

Data gathered through post-market surveillance must be used to update the benefit-risk determination and improve risk management. Further to an increase in serious adverse events, any statistically significant increase in the frequency or severity of any incidents (incidents that are not serious or expected side-effects) that could lead to unacceptable risks or an unacceptable benefit-risk profile should be acted upon and reported to the Competent Authorities. This increased occurrence is established in comparison to the foreseeable frequency and severity as specified in the technical file (this likely refers to the clinical history for similar devices leading to the estimated frequency and severity in the risk file). If you do not already identify risk thresholds and tie your post-market surveillance back to those limits, now is the time to start.

In addition to the requirement for a PMCF, manufacturers of class IIa, class IIb and class III devices must also prepare a periodic safety update report (PSUR) for each device (and groups of devices where relevant). The PSUR includes the results and conclusions of the post-market surveillance analysis, any corrective or preventive action taken, and the updated benefit-risk determination. The PSUR must also include the “denominator” for the data in the form of sales volume or estimated usage of the device. The PSUR must be updated periodically (timeframe is based on device risk class), and each update must take risk activities into consideration.

Another new requirement specifically for implantable and Class III devices is the Summary of safety and clinical performance.  Residual risks, undesirable effects, warnings and precautions must all be included in the Summary of safety and clinical performance which is submitted to the Notified Body (NB) during conformity assessment and uploaded by the NB to EUDAMED.

CE marking without clinical evidence for your device or an equivalent device will no longer be possible for many devices. Where clinical data is not used to demonstrate safety and performance, the notified body will be rigorously inspecting your risk management file to ensure that risks are adequately characterized and mitigated without clinical data. There must be adequate linkages between clinical evaluation and risk management to ensure that the clinical evaluation includes an assessment of risk. To ensure that risk is adequately assessed as part of the clinical evaluation, your clinical evaluation plan must identify the parameters used to evaluate risks and the benefit-risk ratio, assessment against the state-of-the-art (refer to MEDDEV 2.7/1 Rev. 4 for more information), and an evaluation of specific risks related to medicinal, animal-origin, or human-origin materials incorporated in your device. Additionally, procedures for clinical evaluation must clearly describe risk management activities as they relate to the clinical evaluation.

In summary, your risk management, clinical evaluation, PMCF, and PSUR procedures and plans must all be synchronized, and each resulting report must consider the data and results of the others.

CLINICAL INVESTIGATIONS

As you may now realize, clinical investigations will be required for more medical devices under the new medical device regulation. The regulation specifically identifies the use of clinical investigations as a method of assessing the benefit-risk ratio of medical devices.   Additionally, risk assessment must be used in justifying any foreseeable risks to trial subjects when weighed against the benefits. A robust evaluation of the risks to subjects and the benefits must be documented in the clinical investigation plan. The plan must also include an ongoing monitoring strategy for the risks and the benefit-risk ratio. The new regulation also requires that subjects are notified of risks by way of the informed consent and outlines requirements for possible risks to incapacitated and minor subjects. Investigators must also be notified of the benefit-risk analysis and summary of risk management in the investigator’s brochure. Specific risks must be identified in the investigator’s brochure including those related to medicinal, human-derived, or animal-derived substances incorporated in the device.  For clinical trial applications, member states are required to assess the minimization of risks and the risks compared to the clinical benefits of the device. 

COMMON SPECIFICATIONS AND HARMONIZED STANDARDS

The transition to the new medical device regulation also comes with the potential for additional requirements for your devices after you have demonstrated compliance to the MDR.  In addition to the continued use of harmonized standards, the regulation introduces a new regulatory concept for medical devices: Common Specifications. Common Specifications will be implemented by the European Union Commission and will address requirements for both products and quality system management. That is, there will be Common Specifications for safety and performance requirements for devices (specifically, high-risk devices such as implantable and class III devices) and quality system requirements (for technical documentation and risk management, among other areas). You will need to ensure that you search for Common Specifications when you perform your periodic review of new or revised regulatory requirements.  This review is typically performed at least once a year (and preferably more often) to identify new or revised regulations applicable to your devices or QMS.  When a Common Specification is implemented for risk management, you will want to ensure that your risk management processes and documentation are compliant.

RECOMMENDATIONS

The new requirements described in this document represent a small portion of the work needed to comply with the EU MDR. While the task of becoming compliant may seem daunting, I recommend the following simple steps to get you started:

-  Review the EU MDR and highlight new requirements and differences between the new regulation and the existing regulations and standards with which you comply.

-  Develop a general plan for revising your procedures and other documented Quality Management System requirements. This plan should include assignments for responsible parties within your organization.

-  Hold regular meetings with the involved parties to verify activities are performed to schedule.

-  If you haven’t already discussed the transition with your Notified Body, do so now.

-  Attend any training opportunities you can regarding the EU MDR.

Of course, Brosseau Consulting is available to assist you with the transition.  Hiring an expert may very well be your quickest and most sure path to compliance.