Title: Standards White Paper
Series: Regulatory Standards within the Medical Device Industry
Author: Tim Carroll
Federal standards governing the safety and efficacy of medical products have been overseen in the United States by the FDA since the original 1906 Food and Drugs Act. The approach to medical product safety on the federal level has evolved over the years, and it was not until 1976 that the Medical Device Amendments were passed to ensure the safety and efficacy of medical devices. Today, many countries in addition to the U.S. have regulations governing the sale of medical devices within their borders. Compliance with these regulations is mandatory, and non-compliance has far-reaching consequences, including fines, forced cessation of manufacture, import bans, and even criminal prosecution.
Because of the importance of regulatory compliance in the design and manufacture of medical devices, a wide array of standards and guidances has been developed by different governing and consulting bodies. Each standard is intended to meet the requirements of a particular regulation or group of regulations, or to provide further clarification on how a regulation is to be met. Because of the regulatory complexity of the international market for medical devices, certain standards are also intended to harmonize the regulations of different countries. Though the standards landscape can appear complex—there are at least 1,102 medical device standards recognized in the world today—a systematic approach to understanding which standards apply in a given setting is possible. This paper will focus on U.S. regulations, with mention given to a few of the standards outside of U.S. jurisdiction.
To begin, there are multiple organizations that have produced standards or guidances. It is helpful to understand the difference between these organizations, in order to fully grasp the applicability of the standards produced by them. These include:
- International Medical Device Regulators Forum (IMDRF)—This is a voluntary group of medical device regulators from around the world whose goal is to promote international harmonization of medical device regulations among participating countries. These countries include Japan, the U.S., Russia, Canada, Australia, China, Brazil, and the EU. The IMDRF supersedes but builds on the similar work of the Global Harmonization Task Force (GHTF).
- International Standards Organization (ISO)—As it relates to medical devices, ISO has produced a number of standards (ISO 13485, ISO 14971, etc.) that are meant to guide medical device manufacturers towards regulatory compliance. Compliance with ISO standards is usually voluntary, as this organization has no official oversight of medical device manufacture in any country. However, many device manufacturers seek certification to an ISO standard, especially 13485, as an indication that they are compliant with the regulatory standards of their country.
- International Electrotechnical Commission (IEC)—This organization prepares and publishes international standards for all electrical, electronic, and related devices, not limited to medical devices. It is made up of member countries, each of which has a vote in what goes into an IEC standard. Specific to medical devices, IEC standards include IEC 60601, IEC 62304, IEC 62366, IEC 80001, and others.
- United States Food and Drug Administration (FDA)—The FDA has legally binding oversight of medical device design, approval, manufacture, and sale in the U.S. The specific branch of the FDA in charge of medical devices is the Center for Devices and Radiological Health (CDRH). Together, applicable medical device standards include CRF 21 Part 820, which is legally binding on device manufacturers, and numerous CDRH guidances, which expound on what compliance with Part 820 means. FDA controls the medical device industry in the US through several processes: 1) review and audit of a company’s quality management system; 2) review and approval/rejection of new devices; 3) control of labelling to ensure labelling matches intended use; and 4) gathering of post-market device-related incidents. It is important to note that Part 820 applies to all medical devices marketed in the United States, even if it is manufactured in another country. The FDA conducts inspections and issues citations of non-compliance to manufacturers outside of the U.S. if they import their device to the U.S.
- Other international regulatory bodies—Each country is governed by its own set of medical device regulations. Of note, the European Union countries have collaborated to produce a set of non-binding guidances that are meant to cover member-country regulations. These are named according to the convention Year/#/EEC. One such guidance is 92/42/EEC. Other IMDRF members recognize many standards in common, including IMDRF, GHTF, ISO, and IEC standards, but in the end each country regulates the medical device industry with its own regulations, so that Part 820 has no bearing on medical devices outside of the U.S., and EEC guidances are irrelevant to a device sold only in the U.S., and so on.
Once the organizations that create and publish medical device standards are understood, it is more manageable to understand which specific standards apply to a particular medical device manufacturer. In the U.S., the best starting point is an understanding of CFR 21 Part 820.
Regulations in the United States
CFR Part 820, often referred to as simply Part 820, delineates the requirements for a quality management system that must govern the design and manufacture of any device sold in the United States. Part 820 consists of 224 “shalls”, which are each legally binding. The FDA is in charge of assuring that a device manufacturer’s quality system has implemented all 224 “shalls” in the code and that compliance with each one in documented in a clear way. If a medical device is produced in non-compliance with Part 820, it is labelled “adulterated” by the FDA. Discovery of adulterated devices results in the issuance of a FDA 483 warning letter to the manufacturer of record, indicating the points of non-compliance and requiring a response to the FDA. Depending on the severity of the violation, further repercussions may also occur, including forced cessation of manufacture, recalls, import bans, or fines, or criminal prosecution.
Simply stated, a quality management system (QMS) is a set, documented, repeatable process that is intended to produce uniform results when followed; in the case of a medical device, the result is a device that is safe and efficacious. The quality system requirements in Part 820 are wide-reaching. Some of its components include:
- Documentation requirements
- Training of employees
- Control of the design process
- Risk management
- Manufacturing requirements, including special circumstances such a sterile devices or active implantable devices
- Corrective and Preventive Action (CAPA), or how to respond when issues occur
- Ongoing surveillance of quality system efficacy
Typically, a medical device manufacturer will have staff dedicated solely to the creation and oversight of a quality system that is compliant with Part 820. However, it is important for medical device companies of all sizes to understand that Part 820 is not just the concern of the “quality department”. All employees need to understand the importance of compliance with Part 820. Though a single employee might be involved in only a very small component of Part 820 adherence, each part is crucial to the system operating to produce medical devices that are marketable (i.e., will be approved by the FDA), are safe, and do what they claim to do. Companies should work to help employees understand that quality system processes are not just random rules for “the way we do things” but are part of an important big-picture framework. In the end, executive management is responsible for ensuring that their company’s QMS is effective for regulatory compliance of their device(s).
How is Compliance Ensured?
All medical devices in the U.S. must be approved by the FDA before they can be legally marketed. The FDA defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar related article… intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease….” Of recent note, there has been clarification by a number of regulatory entities, including the FDA, that software alone can, under certain circumstances, be considered a medical device.
Device approval by the FDA can be achieve in two ways: the 510(k) process, in which the manufacturer must provide evidence that the device they intend to market is “substantially equivalent” to a device already approved by the FDA; and the pre-market approval (PMA) process, which is required for all devices that cannot be approved under the 510(k) process.
Once a device is approved, its manufacture, marketing, post-market surveillance, and control of design changes is also regulated by the FDA, according to the statues in Part 820. Post-approval requirements include constant surveillance of the efficacy of the quality management system, surveillance and reporting of adverse events, and adequate response to any problems that do occur.
While the FDA has jurisdiction over device pre-market approval and ongoing compliance after a device is on the market, it is not positioned to provide much consultation on whether or not a company is “doing well” leading up to application for approval or between post-market inspections. In other words, as it relates to the FDA, a company is essentially in a perpetual pass/fail situation with FDA regulators. FDA employees do not provide feedback until very late in the process of submission of a device for approval, and post-market inspectors are concerned primarily with looking for any places, however small, that might result in a device being designated “adulterated”.
This limited capacity of the FDA to provide consultation leaves medical device manufacturers vulnerable in terms of knowing if their systems are adequate to pass regulatory requirements. The cost and delay of submitting a device for approval, only to find that your systems are inadequate, is enormous. Similarly, learning during an FDA inspection that a device is adulterated not only causes financial set-back, but is a safety concern for end-users and patients. This company vulnerability explains the importance of other standards, such as ISO, and consulting organizations.
One of the most prominent examples of a supplementary standard is ISO 13485, a standard that outlines the necessary requirements for a medical device quality management system. Note that this is the same purview as Part 820: medical device QMS. But from a legal point of view, compliance with ISO 13485 is completely voluntary, while with Part 820 it is required. The key to understanding how ISO 13485 and Part 820 relate is in the ability of a company to become certified in ISO 13485. Certifying bodies for ISO 13485 offer the consultation and feedback on how a company is doing that the FDA cannot provide. After the initial inspection and certification of a company’s QMS, certifying bodies also require annual audits in order for a company to keep certification, as a means to ensure ongoing compliance. So while the FDA gives no notice whatsoever to whether a device manufacturer is ISO 13485 certified, this certification gives a company feedback on whether or not the FDA is likely to discover problems in the company’s application for pre-market approval or a site inspection.
Other FDA guidances, authored by CDRH, are also intended to provide an indication on whether or not a company is meeting FDA regulatory requirements, but once again the FDA does not consult on actual compliance between inspections. There is also no available certification for CDRH guidances; it is the responsibility of each individual company to understand and accurately apply such guidances.
Digging Deeper: How to be Compliant
As mentioned previously, the components of Part 820 are wide-reaching. As a result, the code needs further elaboration to allow a medical device company to know what “compliance” means. Two of the most important areas this applies are in risk management and, for software-related devices, control of software life-cycle.
Risk management is the process of identifying potential hazards in a medical device, determining the likelihood and severity of each hazard, and mitigating each hazard to an acceptable level of risk or removing it altogether. It is the process by which the safety of a potential device is thoroughly analyzed, with all potential sources of device-failure being accounted for. Lack of adequate risk management, depending on the type of device, would result in anything from minor harm to severe disability to death.
In order to provide further clarification on risk management, ISO developed ISO 14971, and the FDA has issued a CDHR guidance on the topic. There is no certification available for ISO 14971, but compliance with 14971 is necessary to gain certification in ISO 13485. Risk management, especially with design and manufacture of devices that have high potential risk, almost always requires experts in the applicable fields of electronics, software, medicine, and risk management itself. However, ISO 14971 and the CDHR guidance enable to company to develop a process that ensures the right people are involved in risk management and that it stays forefront throughout the device development process.
In terms of software-related devices, a new standard has emerged from the increasing scrutiny given to the specific risks attendant with software design. Notably, many software-related medical device failures have stemmed from product upgrades, in which inadequate software process control resulted in product failure. The regulatory industry has responded with IEC 62304 on software life-cycle process. This standard underscores that software must undergo a careful development process, which includes ongoing risk management, among other things. Software for a medical device cannot be developed in relative isolation from the wider development effort, and it must also be developed in such a way that future product upgrades will still meet all safety and regulatory requirements.
Understanding medical standards begins with sorting through the jurisdictions and relationships of the various governing and certifying bodies. Once the relevant governing bodies are identified, the standards coming from each body are seen more clearly and can be accurately applied. While there are many approaches to medical standards, a helpful process first identifies the core, legally binding regulatory standard of a given country, and then uses supplementary standards as a mean of ensuring compliance.