The 100-foot Wave of Regulation is Already Making Landfall
The past five years of regulatory changes in the medical device industry arguably represent more change than the industry has witnessed in the last 20. Between ISO 13485:2016, the European Union’s (EU’s) Medical Device Regulation (MDR) and complications from Brexit, medical device companies seeking compliance across all markets have their work cut out for them.
Large multinational medical device manufacturers more than likely have the necessary resources to navigate these regulatory changes and maintain compliance. However, the small device makers that make up 80% of the market will likely struggle and be forced to make difficult decisions on the future of their products.
In an effort to help make these issues easier to manage, let’s take a look at some of the most significant changes facing the industry today.
ISO 13485:2016 and the Push for Global Harmonization of Quality Management Standards
ISO 13485:2016 created a long-overdue shift in industry mentality by introducing a risk-based approach to a company’s quality management system (QMS) in order to produce safe and effective medical devices. The regulatory standard also introduced the idea that medical device regulations should be globally harmonized and less regionally governed.
The angst that ISO 13485:2016 created within the industry was primarily a result of the time that elapsed from the previous version of the standard, which was published in 2003. The world changed a great deal from 2003 to 2016, especially changes that impacted the medical device industry. Many regarded the updates presented in ISO 13485:2016 as mostly “catch up” to align with best practices and current regulatory expectations.
It’s important to note that, while the 2016 version of the standard was updated more than a dozen years after the previous version was released, future updates to ISO 13485 won’t take nearly as long. In fact, ISO Working Groups, an assembled team of experts responsible for preparing working drafts of the standard, are already planning to initiate discussions before the end of this year on the next version of the standard, and to outline the future path of ISO 13485.
Medical device manufacturers would be well served to retain the lessons learned and the agility required to streamline future implementations of regulatory changes in this area. Engineering and quality teams should identify industry partners and subject matter experts now to avoid falling prey to “corporate amnesia” during future regulatory transitions.
Another related note on the topic of ISO 13485 is that the U.S. Food and Drug Administration (FDA) has been very clear throughout 2018 and 2019 that they intend to adopt ISO 13485 in lieu of 21 CFR Part 820. While there are plenty of nuances and details that have yet to be ironed out, FDA claims
to be on board with the global harmonization theme for QMS.
The Storm Brewing in the European Union
If you are anything like me, you have the date of May 26, 2020 cemented in your mind. It’s the final deadline for the transition to the EU’s MDR (2017/745). By that date, medical device manufacturers actively marketing products in the EU must be fully compliant with these new regulations or cease all related marketing activities until they are.
As a quick reminder, the MDR was created to replace the EU’s former Medical Device Directive (MDD) over a 3-year transition period. European officials decided the MDD needed to be updated for several reasons. One main reason was that, when the directive became law in 1992, medical devices were still predominantly hardware-based, and the idea of software as a medical device (SaMD) did not yet exist. Additionally, demographics have significantly changed throughout Europe since 1992; the population is growing older and, with it, a growing need for medical devices. With this increased need, there is an increased push for transparency of medical device technical information to be made available to the general public.
Compared with its predecessor, the EU MDR is less focused on the pre-approval stage of medical device manufacturing. Instead, the regulations promote policies and procedures that elevate the manufacturer’s responsibilities throughout the lifecycle of their products. Securing a CE Mark, a symbol that indicates conformity with health, safety and environmental protection standards for products sold in the EU, is no longer an end-state.
Where the storm begins to brew is in two key areas: 1) the scarcity of approved Notified Bodies to handle the bandwidth of medical device companies requiring audits and CE Marks in advance of the transition date; and 2) the cost of compliance.
Notified Bodies, organizations who assess and audit conformity with EU regulations, are feeling a similar pinch. As a result of new regulations, the process around receiving and maintaining certification as a Notified Body is significantly more stringent than it was under MDD.
To date, only three organizations have secured its license to act as a Notifying Body under the new regulations, whereas, under the MDD, there were less than 90 Notifying Bodies. In fact, more common in the news lately have been reports for the Notified Bodies deciding not to pursue EU MDR accreditation. This is significant because as of the date of this writing, May 2020 is less than a year away and the current Notified Bodies accredited will not be able to handle the entire EU market demand. Yes, there are rumors that we should expect 10 – 20 Notified Bodies by year-end. Even if this happens, going from nearly 90 down to 20 entities is going to be a significant bottleneck and challenge for companies with EU market presence.
One of the systems most impacted by the MDR is a device maker’s QMS. While ISO 13485:2016 certification still holds weight, the MDR introduces additional QMS requirements. These new requirements include post-market surveillance systems, periodic safety update reporting (PSUR), incidents and field safety corrective actions (FSCA) reporting, and resource and supply chain management. Also complicating matters are new requirements applicable to unique device identifiers (UDIs), labeling, regulatory compliance, document management and retention, general safety and performance requirements, implantable devices, clinical evidence, economic operators and the European database on medical devices (EUDAMED).
Due to the significant amount of new regulations that companies will be expected to follow, many smaller-scale device makers will have to make difficult decisions as to whether the cost of compliance in the European market makes fiscal sense.
Brexit and the EU MDR
Adding further difficulty to the changes associated with EU MDR is the United Kingdom’s potential exit from the EU and the entire European Single Market.
Further delays on the decision of whether the UK will “stay” or “leave” –and under what conditions– is creating further uncertainty for medical device manufacturers. As of this writing (August 2019) the deadline for a Brexit decision is October 31, 2019, leaving UK-based manufacturers little time to decide whether they will keep their devices on the European market, the second-largest economy in the world.
This tight timeline is further complicated by the lack of Notified Bodies to handle the volume of applications and audits necessary to secure a CE Mark. In fact, one of the four currently approved EU Notified Bodies under the MDR is headquartered in the UK. Whatever happens, there will surely be an impact of some magnitude on all parties.
Taking Risks with Risk Management
Plain and simple, ISO 14971 defines the international standards of risk management for medical devices. If transitioning to compliance with ISO 13485:2016 wasn’t enough of a whirlwind for companies, the latest revision to ISO 14971 will be published later this year.
Working Groups are still finalizing edits to the risk management standard. But, based on insights provided by Working Group members, we can expect to see further clarifications on “benefits” and “risk” written into the guidelines. The concept of risk has been well-defined in previous versions of the standard; however, benefits have not, and it’s well overdue.
We are currently seeing the repercussions from falling behind on compliance with the transition to ISO 13485:2016, including the failure to meet regulatory requirements to remain on the market. These repercussions should serve as a cautionary tale for falling behind on compliance with ISO 14971 as well. Device makers need to quickly identify internal and external “owners” of risk management and ensure they are compliant before the new standard is published.
Further Moves Toward Harmonization
In 2012, the International Medical Device Regulators Forum (IMDRF) met in Singapore and one of the outcomes of the meeting was the identification of a working group that would develop a framework for advancing a Medical Device Single Audit Program (MDSAP), a global program for medical device quality system compliance.
Under the MDSAP program, medical device companies may choose to undergo a single audit of their QMS conducted by a recognized Auditing Organization to qualify them for selling their medical device in five major participating markets around the world. Companies that choose to go this route can avoid the high cost and effort associated with multiple market regulatory inspections and audits for their company, each with varying sets of requirements to follow.
MDSAP is an extremely progressive push toward global harmonization and has the potential to reduce the regulatory costs of audits and compliance for both device makers and regulators. The initial coalition for the MDSAP pilot program consisted of Australia, Brazil, the U.S., Canada, Japan and Europe (prior to the adoption of MDR, which now removes them from this list). After the close of the pilot program, both Canada and Australia fully adopted the MDSAP program as their primary audit system.
After the close of the pilot program, Canada made MDSAP compulsory and Australia adopted MDSAP alongside a CE Mark or Japanese QMS certificate as a path into the Australian market.
Adding a further complication to the matter is the fact that the MDSAP is based on guidelines from the 2003 version of ISO 13485. This issue is what ultimately led the EU to pass on further participation in the MDSAP program. However, with an update to the current 2016 version of ISO 13485 coming in the near future, I do not foresee the MDSAP lagging behind for long.
One thing should be clear. The trends happening in the medical device industry for the past few years are that significant regulatory changes are likely to continue. Yes, many of these changes are in the spirit towards global harmonization. And achieving this requires major updates throughout many regulatory markets in order to achieve this objective.
Many companies have been struggling to keep up with these profound changes, largely because there have not been dedicated resources and internal initiatives to stay current with this tsunami of regulatory changes proactively. Those who are struggling most are reacting. They tend to delay, assuming there will be plenty of time to adopt the new changes. As an outcome, the results are, unfortunately and all too often, slipshod and not thorough and well thought out for effective implementation.
The companies who will thrive in this “new” era of medical device regulations realize that changes are likely to be the theme for the foreseeable future. The companies who will thrive recognize that their QMS and internal business practices must constantly evolve to align with the latest regulatory interpretation and industry best practices and, of course, what is best for patients using their products.