Medical Device Compliance | Sanbor Medical Blog

Written by Joe Pignotti | May 15, 2020 4:01:42 PM

It may not be the most exhilarating subject, but staying in compliance with medical device regulations is nonetheless crucial for medical device manufacturers. Not only does failing to comply with these regulations put you at risk for fines and supply chain disruptions, but it also ultimately means that a customer may be using a faulty product.

People rely on these devices for their health, making quality and medical device compliance a top-of-mind issue for medical device manufacturers. Here are some best practices to keep in mind when striving to make your manufacturing process compliant.

Familiarize yourself with the regulations

Medical device regulations present a lot of material to cover, but it’s important to have at least a cursory understanding of them. Of course, you already know that — that’s what brought you here.

If you only intend to sell your device in the US market, then you’ll need to become familiar with Title 21 Code of Federal Regulations (CFR) Part 820. ISO 13485, on the other hand, is a global standard that is quite similar to Part 820. Compliance with the ISO standard is particularly important for selling your devices in the European market.

However, both of these systems can be applied to your manufacturing process, and it is highly recommended that you apply both. That way, you will ensure that your devices are completely safe for your customers and available for sale in as broad a market as possible.

Title 21 CFR Part 820

There are 14 domains of medical device manufacturing that Title 21 offers regulatory guidance on:

  • Quality system requirements
  • Design controls
  • Document controls
  • Purchasing controls
  • Identification and traceability
  • Production and process controls
  • Acceptance activities
  • Nonconforming products
  • Corrective and preventive action
  • Labeling and packaging control
  • Handling, storage, distribution, and installation
  • Records
  • Servicing
  • Statistical techniques

Diving into each of these domains in depth is outside the scope of this article (you can review the full code yourself here), but we’ll want to pay special attention to three key documents that appear throughout the regulation, often called the three Ds.

The three Ds

In order to be in compliance with Part 820, you’ll need to focus on correctly developing and maintaining a design history file (DHF), device master record (DMR) and device history record (DHR).

A DHF documents the design and development processes of your medical device, such as user needs, risk assessments and verification and validation protocols, among other requirements. You’ll need to develop this prior to gaining FDA approval to manufacture your device.

A DMR builds off the DHF to document all the information needed to build, test, package and maintain your device.

A DHR contains the documentation related to the production history of your device. If you get audited, the auditor will likely compare the DHR to the DMR to see if the actual production matched the intended production.

ISO 13485

ISO 13485 broadly maps to the requirements laid out in Part 820, in part because the FDA worked with the ISO to develop the standard. For example, the standard doesn’t require the creation of a DHR, but does contain a clause relating to the “Planning of Product Realization,” which would effectively be satisfied by creating a DHR.

ISO 13485 provides guidance on the following aspects of medical device regulation:

  • Quality management systems
  • Management responsibilities
  • Resource management
  • Product realization
  • Measurement, analysis and improvement

By meeting the requirements of Part 820, you’ll meet many of the requirements of the ISO 13485 standard as well. Although it costs a small fee, getting a copy of the standard is highly recommended: you can do so here.

Get certified, or work with someone who is

Another important distinction between these two quality system frameworks is that Part 820 is a federal law, while ISO 13485 is an optional standard. That means that your facility or your manufacturer’s facility can get certified in the standard, and individuals at your organization can get certified as ISO 13485 auditors. To ensure compliance, getting certified under ISO 13485 is well worth your time.

But you’ll also want to consult with somebody who has experience with FDA audits. This could be a manufacturing consultant who has undergone an audit before, but ideally this would be a former FDA auditor.

Naturally, this can be a time-consuming and costly process. A more straightforward method would be to work with a contract manufacturer that has been audited before and has already received the ISO 13485 certification to avoid the costs associated with medical device regulation compliance.

If you choose to follow that route, you’ll want to make sure that you’re working with a reliable manufacturer. It can be difficult to trust a third party with manufacturing your devices, and any failed audits could disrupt your supply chain. Here are some questions you can use to vet a potential contract manufacturer.

Ask your contract manufacturer these questions

Ask to see their quality manual and quality procedures. Any compliant contract manufacturer will have their quality management policies documented in a quality manual as well as procedures for enforcing those policies. Review their manual and procedures to see if they meet medical device regulations.

What are the contents of their DHF, DMR and DHRs? As noted earlier, these documents are critical for remaining in compliance with FDA regulations. Being aware of the general contents of each will allow you to determine whether your contract manufacturer is adhering to the proper procedures. Since the actual documents for each customer are confidential, they will only be able to share general guidelines on what information they maintain.

Do they conduct process validations? How many steps are involved in their validation processes? Ask them to describe each step and provide one or two examples of their validation procedures. The results of process validation (or objectively confirming that your manufacturing processes meet your quality requirements) are based on medical device regulations. Solid procedures should allow you to gain confidence in their facility’s compliance.

Ask about their risk management approach. Your contract manufacturer should have adopted some risk management method. There are a variety of methods out there, but FMEA, or failure mode and effects analysis, is the preferred approach. In this method, an engineer reviews an entire system for the different ways it can fail (its failure modes) and their downstream effects. An FMEA should be conducted at regular intervals, such as every year, every time there is an engineering change order, every time a new machine is introduced and so on.

Are they familiar with CAPA? If so, what method do they use to analyze a non-conforming event? CAPA refers to corrective and preventive action, and establishing a CAPA process is required by the FDA. When a non-conforming event occurs, such as a faulty medical device, manufacturers should start their pre-determined CAPA process to determine the root cause and address the problem.

Have they passed an FDA audit? If so, how many nonconformities resulted? Since the FDA conducts random routine audits, not all manufacturers will have been audited. If they have been audited, ideally they will have passed the audit with zero nonconformities.

More than just red tape

Unfortunately, the real challenge of medical device regulations isn’t in understanding them — it’s in implementing them consistently, 100%, every time. People are going to rely on these devices for their health, and a faulty device can be extremely harmful. Ensuring that their devices work as intended is a serious responsibility for medical device manufacturers, a responsibility that regulatory bodies take equally seriously.

This means that the recommended processes need to be followed as intended. When conducting an internal audit, for instance, manufacturers can’t merely conduct the audit on paper in order to technically meet the requirements; they need to actually assess their operations and processes.

It’s also important to ensure that all manufacturing personnel are fully trained on the regulations and in full compliance. Operators on the line can’t decide that a process really only requires eight steps when the documented process calls for 10.

Medical device compliance requires personnel, time, money, training and practice, but doing it right benefits everybody involved. Having all the proper systems in place and managed by qualified staff makes for quality products and successful audits, both of which will ensure continued production, more innovation and devices that consistently meet your customers’ needs.