Tuesday, April 28, 2020
Medical device manufacturers are required to carry out a regular “regulatory update.” Because as strange as it sounds, regulatory requirements oblige manufacturers to continuously monitor and evaluate changes to regulatory requirements and take any necessary measures.
Keeping track of thousands of regulatory requirements is a challenge. Manufacturers should have a clear understanding of the typical mistakes that they should avoid at all costs in order to, firstly, have certainty during audits and, secondly, to save themselves unnecessary time and effort on their “regulatory update.”
The regulatory map is as complex as it is extensive:
A further overview of regulations with the corresponding links can on the “Regulatory Affairs” page of our website.
The EU regulations require medical devices to meet the general safety and performance requirements of Annex I (MDR Article 5(2)). These general safety and performance requirements must comply with the “generally acknowledged state of the art” (MDR, Annex I, paragraphs 1 and 4).
This is because Article 8 allows manufacturers to use harmonized standards to demonstrate that devices comply with the state of the art. Therefore, manufacturers must also track these standards. The MDR even explicitly states that:
changes in the harmonized standards or CS by reference to which the conformity of a device is declared shall be adequately taken into account in a timely manner.
Conclusion: medical device manufacturers must actively track standards and common specifications (CS) to make sure that they know the state of the art and can demonstrate that their devices meet it.
As the harmonization of standards has come to a standstill, notified bodies generally expect manufacturers to follow the most recent versions of standards.
The MDR and IVDR have significantly increased the requirements for QM systems. As a result, the MDR requires:
Those procedures and techniques shall specifically cover:
— the strategy for regulatory compliance, including processes for identification of relevant legal requirements, qualification, classification, handling of equivalence, choice of and compliance with conformity assessment procedures
ISO 13485 also explicitly addresses the topic. It states:
“Top management shall ensure that customer requirements and applicable regulatory requirements are determined and met.”
DIN EN ISO 13485:2016, Section 5.2
Section 5.6 (“Management review”) makes clear how important this monitoring is for the standard. This management review must assess the “applicable new or revised regulatory requirements” as an input.
The output of this management review must define the “changes needed to respond to applicable new or revised regulatory requirements.”
In addition, ISO 13485 requires manufacturers to determine the stakeholder requirements for each device. This means, firstly, customer requirements. And secondly, regulatory requirements:
“The organization shall determine: [...] applicable regulatory requirements related to the product;”
ISO 13485 Section 7.2.1
But identifying these requirements is not enough:
“The organization shall review the requirements related to product. This review [...] shall ensure that [...] [the] applicable regulatory requirements are met; [and] the organization has the ability to meet the defined requirements.”
ISO 13485 Section 7.2.3
ISO 20416 considers the “regulatory update” part of the post-market surveillance. The standard explicitly states:
“Medical device organizations should monitor applicable regulatory requirements for any change to evaluate upcoming gaps, and plan for continued compliance. Standards, guidances and best practices are typically not mandatory requirements (see regulatory requirements) but describe the state of the art.
Changes in regulatory requirements, standards, guidances and best practices can suggest a change in the state of the art, impacting design and development inputs and potentially requiring design and development changes”
ISO 20416 (Draft)
The FDA does not state quite so explicitly that manufacturers have to identify the regulatory requirements and standards. But it does say that:
“Where process controls are needed they shall include: Compliance with specified reference standards or codes; “
That FDA inspectors assume that the manufacturers know and follow all the regulations should, however, go without saying.
It is common sense that manufacturers must know and comply with the regulatory requirements. But the challenges they face to do so are complex:
The Johner Institute frequently sees the following mistakes that can lead to unpleasant surprises during audits or authorization processes being made:
Regardless of whether a process or procedure is required for the regulatory update, it is always better to have one. A corresponding standard operating procedure might include the following steps:
Step 1: Defining the responsible roles
Determine the roles that are responsible for creating the initial list of regulatory requirements and its continuous monitoring. Typical roles include device manager, developer, regulatory affairs and quality managers, the legal department and regional office.
Step 2: Creating an initial list of regulatory requirements
Now assign (for each device) specific people to the roles. These people will create and monitor device-specific and company-specific lists of applicable regulations. Normally, several lists are created and then consolidated.
Step 3: Naming a contact person for each regulation
Next, for each regulation, designate the person who will review changes to the regulation and act as the responsible contact person. The designated person should also document the version status in the aforementioned list.
Step 4: Determining the monitoring date
It is now necessary to define when the regulations will be checked – either for each regulation individually or for all the regulations together.
Step 5: Performing the monitoring
The selected roles or persons monitor the identified regulations in accordance with these specifications at the specified frequency and document whether there have been any changes.
Step 6: Evaluating changes and initiating possible actions
If there are any changes, the roles from step 5 inform the contact partner and request:
Step 7: Sending the results
In each case, i.e., regardless of whether changes were identified or not, the results must be used as an input for other processes and be sent for use in these processes. This particularly includes processes such as the management review and post-market surveillance.
The “branching off into other processes” mentioned in step six can refer to, for example, the:
Sections three and four have already highlighted how challenging the regulatory update process is and described the typical mistakes made by manufacturers.
In order to avoid these errors and having to carry out repetitive activities, manufacturers should consider automating these activities. Computers can perform the process faster, with fewer errors and more cost-effectively.
For example, the Johner Institute uses crawlers to continuously monitor websites and databases and send changes to a monitoring team for analysis.
By the way, this team is responsible for monitoring regulations for a lot of manufacturers, which means that the manufacturers also benefit from economies of scale.
Manufacturers who do not use an automated service like the Johner Institute’s Regulatory Radar but prefer to automate the monitoring themselves should pay attention to the following:
Manufacturers must proactively monitor and evaluate changes to regulatory requirements. This is itself a regulatory requirement.
While it is true that manufacturers are not explicitly required to establish a procedure for doing this, we strongly recommend doing so. The MDR demands a “strategy” at the very least.
The growing number of regulations and the frequency with which they are updated means that manufacturers have to invest a lot of time and effort in monitoring and evaluation. Therefore, we recommend automating or outsourcing these activities as much as possible, like the pharmaceutical industry, for example, has already been doing for a while.
Anyone automating this monitoring process must validate their system.
Manufacturers must by no means limit their monitoring to regulatory requirements specific to medical devices. In fact, they must also research and comply with regulations on, for example, data protection, product safety, waste management and social law.
In addition, manufacturers should not see the regulatory update as an isolated process but as part of the post-market surveillance. This obliges manufacturers to collect, evaluate and respond to a much greater volume of information.
Find of more on the Regulatory Radar, the Johner Institute's regulatory update service, here.