Tag: Product Life Cycle

Click now to hear from Jordan Elder, RCA’s Director of Regulatory Affairs, regarding the latest info on Quality System Regulation (QSR) regulations and FDA harmonization efforts:

 

 

When developing a quality management system (QMS), it is important to understand any pitfalls that could arise as well as understand what each notified body looks for in a compliant quality system. Recently, one of the US Food and Drug Administration’s (FDA’s) top medical device regulators said harmonizing the agency’s current Quality System Regulation with the International Organization for Standardization (ISO) 13485:2016 is a “high priority”.

 




 

QMS Harmonization

 

Currently, the US Food and Drug Administration (FDA) does not enforce the ISO 13485:2016 standard for quality management systems. Instead, it uses its own Quality System Regulation (QSR), which includes parts of the 13485 standard. But this is set to change for the better. The FDA has recently proposed plans to align its quality system requirements with ISO 13485:2016, creating a new regulation dubbed the Quality Management System Regulation (QMSR). This shift came four years after the agency first proposed the regulatory alignment.

 

Quality Management System

 

Manufacturers who already conform to the ISO standard should not see much change, and this move should help create efficiencies for them in the long run. The FDA proposed the alignment by incorporating the 2016 edition of ISO 13485, the international standard specific to medical device quality management systems. Through this rulemaking, the FDA is also proposing additional requirements that help connect and align ISO 13485 with existing requirements in the FD&C Act and its implementing regulations. This will include making conforming edits to 21 CFR Part 4 to clarify the device CGMP requirements for combination products as well.

 

Risk Management

 

The most noticeable difference between the current quality systems regulation and ISO13485 is that the risk management requirements are integrated throughout the aspects of the quality management system in ISO13485. This differs from 21 CFR 820, in that the only risk-specific requirement in the QS regulation is listed in §820.30(g), as it relates to risk analysis as a part of design validation.

 

These revisions are intended to supplant the existing ISO13485 requirements with the specifications of an international consensus standard for medical device manufacturers. The revisions are expected to reduce device manufacturers’ burdens, specifically aspects of compliance and recordkeeping through the harmonization of domestic and international requirements.

 

ISO Standard

 

With a membership of 168 national standards bodies, ISO is an independent, non-governmental international organization that brings together experts from around the world to share knowledge and develop voluntary, consensus-based, market-relevant International Standards that support innovation and provide solutions to global challenges.

 

Although the standards set by ISO are recognized by organizations around the world, ISO compliance itself isn’t a legal requirement. The standards nevertheless align naturally with different regulations across industries. ISO compliance means using ISO standards as guidelines for aligning your policies, processes, and operating procedures to adhere to the standard.

 

ISO 13485:2016

 

ISO 13485:2016 specifies requirements for medical device quality management systems where an organization needs to demonstrate its ability to consistently meet customer and applicable regulatory requirements. This includes one or more stages of the product life cycle, including:

 

  • Design controls and development
  • Production and manufacturing
  • Storage and distribution
  • Installation
  • Servicing a medical device
  • Technical support

 

ISO13485:2016 can also be used by suppliers or external parties that provide products, including quality management system-related services to such organizations.

 

 

To begin the Regulatory Compliance Associates® scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. 

 

As artificial intelligence (AI) continues to grow, the health care industry is beginning to explore the benefits it can bring, with the potential to advance medical product development, improve patient care, and augment the capabilities of health care practitioners. The US Food and Drug Administration’s (FDA’s) Center for Biologics Evaluation and Research (CBER), Center for Drug Evaluation and Research (CDER), Center for Devices and Radiological Health (CDRH), and Office of Combination Products (OCP) are jointly collaborating to safeguard public health while fostering responsible and ethical innovation in medical devices and pharmaceuticals.

 

AI management requires a risk-based regulatory framework built on robust principles, standards, and best practices. With the use of state-of-the-art regulatory science tools, the risk-based framework can be applied across AI applications and be tailored to the relevant medical product. Due to the complex and dynamic processes involved in the development, deployment, use, and maintenance of AI technologies, they benefit from careful end-to-end management of AI applications throughout the product life cycle. The process starts from ideation and design and progresses through data acquisition; preparation; model development and evaluation; deployment; monitoring; and maintenance. This approach can help address ongoing model performance, risk management, and regulatory compliance of AI systems in real-world applications.

 

The US FDA CBER, CDER, CDRH, and OCP divisions have identified four areas of focus regarding the development and use of AI across the product life cycle to help meet the FDA GMP guidelines that are already established.

 

The Focus Areas

  1. Foster Collaboration to Safeguard Public Health – Cultivate a patient-centered regulatory approach that emphasizes collaboration and health equity.
    • Collect input from interested parties to consider critical aspects such as transparency, governance, bias, cybersecurity, and quality assurance.
    • Promote the development of educational initiatives to support regulatory bodies, health care professionals, patients, and researchers to ensure safe and responsible use of AI in medical product development.
    • Work closely with global collaborators to promote international cooperation on standards, guidelines, and best practices to encourage global consistency.
  2. Advance the Development of Regulatory Approaches That Support Innovation – FDA intends to develop policies that provide regulatory predictability and clarity for the use of AI.
    • Monitor and evaluate trends and emerging issues to detect potential knowledge gaps and opportunities in the current FDA guidelines.
    • Support efforts for evaluating AI algorithms for robustness and resilience against current FDA regulations.
    • Build upon existing initiatives for the evaluation and regulation of AI use in medical product development, including in manufacturing.
    • Issue guidance regarding the use of AI in medical product development and in medical products.
  3. Promote the Development of Standards, Guidelines, Best Practices, and Tools for the Medical Product Life Cycle – Uphold safety and effectiveness standards across AI-enabled medical products and build on the Good Machine Learning Practice Guiding Principles.
    • Refine and develop considerations for evaluating the safe, responsible, and ethical use of AI in the medical product life cycle.
    • Identify and promote best practices for long-term safety and real-world performance monitoring.
    • Best practices for documenting and ensuring that data used to train and test AI models are fit for use.
    • Develop a framework and strategy for quality assurance of AI-enabled tools or systems.
  4. Support Research Related to the Evaluation and Monitoring of AI Performance – Gain valuable insights into AI’s impact on medical product safety and effectiveness.
    • Identify projects that highlight different points where bias can be introduced in the AI development life cycle and how it can be addressed.
    • Support projects that consider health inequities associated with the use of AI to promote equity and ensure data representativeness, leveraging ongoing diversity, equity, and inclusion efforts.
    • Support the ongoing monitoring of AI tools in medical product development within demonstration projects to ensure adherence to standards and maintain performance and reliability.

 

CBER, CDER, CDRH and OCP plan to tailor their regulatory approaches for the use of AI in medical products to protect patients and health care workers and ensure the cybersecurity of medical products in a manner that promotes innovation.

 

 


 

The International Medical Device Regulation Forum (IMDRF) recently published updated cybersecurity guidance for the medical device industry. The medical device cybersecurity working groups at IMDRF have been busy lately, publishing multiple final documents about medical devices & software as a medical device (SaMD).

 

Regulatory Compliance

 

IMDRF’s medical device guidance provides steering assumptions for both regulatory compliance & medical device cybersecurity, which are appropriate for sponsors developing medical devices. Further, a primary objective of the guidance is simultaneously increasing patient safety & reducing external threats for providers and HCPs.

 

Global Harmonization

 

The guidance begins with harmonization concepts that could affect multiple departments inside a medical device manufacturer. Additionally, key areas for harmonization programs highlighted by the cybersecurity guidance include:

 

  • Product design
  • Risk management activities
  • Device labelling
  • Regulatory submission
  • Information sharing
  • Post-market activities

 

Product Life Cycle (PLC)

 

IMDRF’s cybersecurity guidance continues with a deeper evaluation of the risks that arise across the product life cycle. It recommends that potential vulnerabilities be considered at every product life cycle stage, especially for legacy devices that may be vulnerable to strategic risk.

 

 

Product Design

 

Product design considerations begin with the initial phases of medical device development and continue until the end of support (EOS) once a product is discontinued. The cybersecurity guidance refers to four product design stages across the total product life cycle:

 

  • Development Stage
  • Support Stage
  • Limited Support Stage
  • End of Support

 

Development Stage (Stage 1)

 

The Development Stage occurs during the pre-commercialization phase before a medical device is approved by a regulatory body. This is when medical device manufacturers begin to incorporate security into the product concepts being designed. Design controls are critical in this stage for medical device manufacturers to leverage when considering how to mitigate risks.

 

Finally, an important deliverable of the Development Stage is product-related security documentation. The documentation is designed to help unfamiliar users to understand how to securely operate the medical device. 

 

Support Stage (Stage 2)

 

The Support stage occurs during the initial post-launch phase and may continue for many years. Medical devices in this stage are:

 

  • Currently used for providing patient care
  • Available for purchase on the open market
  • Contain major software, firmware, or programmable hardware components
  • Support for software, firmware or components is provided by the medical device manufacturer

 

Additionally, medical devices in the Support stage should receive full cybersecurity support. This support often includes software patches, software updates, hardware updates, and incremental support the manufacturer considers appropriate.

 

Limited Support Stage (Stage 3)

 

Medical device manufacturers continue to provide cybersecurity support during Stage 3. However, as product development transitions to a more current medical device design, different constraints are involved with the transition. Medical devices in Stage 3 often require additional network controls compared to medical devices in Stage 2:

 

  • Third-party components or software may be used more frequently than internally developed updates or patches
  • Cybersecurity best practices integration is often governed by the ease of following support practices outlined in Stage 2
  • Medical device manufacturers must explain to users the existing limitations that are now recognized in the devices and services affected
  • Healthcare providers using the medical device should begin to take more of an active role in unmitigated features of security defense.

 

End of Support Stage (Stage 4)

 

Medical devices in Stage 4 are considered more vulnerable than those in any of the other stages. They may still be in use for providing patient care, but they have been publicly identified as no longer being supported by the medical device manufacturer. Each of these scenarios results in a medical device that cannot be consistently defended against modern cybersecurity dangers.

 

Critical facets healthcare information technology departments should look for include:

 

  • Medical devices that have been declared EOS by the medical device manufacturer
  • Medical devices that are not actively marketed or sold by the medical device manufacturer
  • Medical devices that contain software, firmware, or programmable hardware components no longer supported by software developers
  • Medical devices with known risks to device safety and effectiveness that are unmitigated

 

Risk Management

 

Further, the guidance calls for a risk management approach to product lifecycle management featuring:

 

  • Security risk analysis
  • Security risk evaluation
  • Security risk control
  • Security risk acceptability

 

The cybersecurity guidance expands on product design and how security is incorporated and maintained through the product life cycle. This can be accomplished through using risk control and a secure development framework.

 

Risk mitigation recommendations for medical device manufacturers include:

 

  • Security design and controls based on intended use of the medical device
  • Security risk assessments across the risk management process
  • Threat modelling to help determine operational risk

 

Security testing and communication for medical device manufacturers include:

 

  • Customer facing product security documentation & communication
  • Post-market monitoring of cybersecurity vulnerabilities
  • Identification of vulnerabilities in third party risk management
  • Vulnerability risk identification based on the device security design, controls, and mitigations

 

Ensuring availability of security patches & mitigations based on device risk:

 

  • Coordinated and clear communication to all affected users
  • Description related to the vulnerability and its corresponding mitigations
  • Identification of other mitigation options when a security patch is unavailable

 

Data Integrity

 

One of the core principles the guidance stresses is cybersecurity information, data integrity and the importance of information sharing. IMDRF encourages medical device industry stakeholders to implement a proactive pre- and post-market approach to cybersecurity information sharing.

 

Moreover, timely information can help the industry recognize threats, evaluate associated risks, and react quickly as needed. An increase in industry transparency could directly benefit healthcare providers, medical device users and medical device companies.

 

Security Updates

 

An important section of the medical device cybersecurity guidance details stakeholder responsibilities related to communications, risk management, and transfer of responsibility. Specifically, it is important that medical device manufacturer communications are comprehensive & identify the types of documentation needed and when the medical device user may need it.

 

Product Security Documentation

 

Medical device manufacturers should ideally provide PLC documentation about security or support changes early in the Support stage. This helps HCP risk management during both the procurement & deployment of medical devices. Types of life cycle support for product security documentation include:

 

  • Manufacturer disclosure statement for medical device security
  • Software Bill of Materials (SBOM)
  • Security test report summaries
  • Third-party security certifications
  • Customer security documentation

 

Product Life Cycle Documentation

 

Medical device companies should communicate the strategic life cycle milestones to their customers. Further, these interactions would include cybersecurity EOL and EOS dates if available. This helps to support HCPs during both the procurement & installation process.

 

Additionally, medical device manufacturers should provide this information as far in advance as possible. The goal is at least 2 years in advance to best support healthcare professionals with the following information:

 

  • Affected medical devices
  • Medical device operating system(s)
  • Version of medical device deployed
  • Medical device software components
  • Expected date of medical device service changes
  • Extent of medical device maintenance after a service change occurs
  • Additional design controls that help all involved parties

 

Vulnerability & Patching Information

 

If a vulnerability is uncovered, medical device companies should provide related vulnerability information. Further, the guidance specifically mentions the importance of the appropriate mitigation or available software patch. Additionally, the guidance stresses that an elevated priority be placed on high-risk vulnerabilities where timely communication is required. This communication is designed to help prevent patient injury or device interruption.

 

Finally, the mitigation method and implementation instructions should be provided to the medical device operators. These security updates include an over-the-air update or the deployment of service personnel to help install the remedy.

 

Proactive Communications for Third-Party Components

 

Medical device software and other digital components within a medical device will reach EOL/EOS before the product itself does. In these cases, risk can increase based on the lack of support for these elements. To help compensate for these security risks, the cybersecurity guidance suggests medical device companies should:

 

  • Validate the list of third-party components used in medical devices
  • Track support status updates of third-party components used within their device
  • Assess the risks that exist when third-party components become unsupported
  • Communicate new risks and available risk mitigations to healthcare providers

 


 

About RCA’s Quality Assurance Services

In the life science industry, quality assurance (QA) is more than merely ensuring the quality of a finished product. You need the tools to monitor and regulate every process from the design of a new product to continued quality compliance as the device or drug is sent to market. At Regulatory Compliance Associates (RCA), we offer you the quality assurance services you need to monitor these quality processes and ensure quality compliance every step of the way.

 

RCA’s quality assurance services include quality system assessments, strategy, implementations, and identification of quality metrics. Our quality consultant projects are designed to ensure continuous improvement and align with your business needs & goals. Our quality consultants are quality experts with experience spanning major corporations and start-ups. Our quality management consultant team knows firsthand how to achieve, maintain, and improve quality, and we excel in transferring this knowledge to your organization.

 


 

 
