Tag: Risk Management

The International Medical Device Regulation Forum (IMDRF) recently published updated cybersecurity guidance for the medical device industry. The medical device cybersecurity working groups at IMDRF have been busy lately, publishing multiple final documents about medical devices & software as a medical device (SaMD).

 

Regulatory Compliance

 

IMDRF’s medical device guidance provides steering assumptions for both regulatory compliance & medical device cybersecurity, which are appropriate for sponsors developing medical devices. Further, a primary objective of the guidance is simultaneously increasing patient safety & reducing external threats for providers and HCPs.

 

Global Harmonization

 

The guidance begins with harmonization concepts that could affect multiple departments inside a medical device manufacturer. Additionally, key areas for harmonization programs highlighted by the cybersecurity guidance include:

 

  • Product design
  • Risk management activities
  • Device labelling
  • Regulatory submission
  • Information sharing
  • Post-market activities

 

Product Life Cycle (PLC)

 

IMDRF’s cybersecurity guidance continues with a deeper evaluation of risks across the product life cycle. It recommends that potential vulnerabilities be considered at every product life cycle stage, especially for legacy devices that may be vulnerable to strategic risk.

 

 

Product Design

 

Product design considerations begin with the initial phases of medical device development and continue until the end of support (EOS) once a product is discontinued. The cybersecurity guidance refers to four product design stages across the total product life cycle:

 

  • Development Stage
  • Support Stage
  • Limited Support Stage
  • End of Support

 

Development Stage (Stage 1)

 

The Development Stage occurs during the pre-commercialization phase before a medical device is approved by a regulatory body. This is when medical device manufacturers begin to incorporate security into the product concepts being designed. Design controls are critical in this stage for medical device manufacturers to leverage when considering how to mitigate risks.

 

Finally, an important deliverable of the Development Stage is product-related security documentation. The documentation is designed to help unfamiliar users to understand how to securely operate the medical device. 

 

Support Stage (Stage 2)

 

The Support Stage occurs during the initial post-launch phase and may continue for many years. Medical devices in this stage:

  • Are currently used for providing patient care
  • Are available for purchase on the open market
  • Contain major software, firmware, or programmable hardware components
  • Receive support for software, firmware or components from the medical device manufacturer

 

Additionally, medical devices in the Support stage should receive full cybersecurity support. This support often includes software patches, software updates, hardware updates, and incremental support the manufacturer considers appropriate.

 

Limited Support Stage (Stage 3)

 

Medical device manufacturers continue to provide cybersecurity support during Stage 3. However, as product development transitions to a more current medical device design, different constraints are involved with the transition. Medical devices in Stage 3 often require additional network controls compared to medical devices in Stage 2:

 

  • Third-party components or software may be used more frequently than internally developed updates or patches
  • Cybersecurity best practices integration is often governed by the ease of following support practices outlined in Stage 2
  • Medical device manufacturers must explain to users the existing limitations that are now recognized in the devices and services affected
  • Healthcare providers using the medical device should begin to take more of an active role in unmitigated features of security defense.

 

End of Support Stage (Stage 4)

 

Medical devices in Stage 4 are considered more vulnerable than those in any of the other stages. They may still be in use for providing patient care, but they have been publicly identified as no longer being supported by the medical device manufacturer. Each of these scenarios results in a medical device that cannot be consistently defended against modern cybersecurity dangers.

 

Critical facets healthcare information technology departments should look for include:

 

  • Medical devices that have been declared EOS by the medical device manufacturer
  • Medical devices that are not actively marketed or sold by the medical device manufacturer
  • Medical devices that contain software, firmware, or programmable hardware components no longer supported by software developers
  • Medical devices with known risks to device safety and effectiveness that are unmitigated

 

Risk Management

 

Further, the guidance calls for a risk management approach to product lifecycle management featuring:

 

  • Security risk analysis
  • Security risk evaluation
  • Security risk control
  • Security risk acceptability

 

The cybersecurity guidance expands on product design and how security is incorporated and maintained through the product life cycle. This can be accomplished through using risk control and a secure development framework.

 

Risk mitigation recommendations for medical device manufacturers include:

 

  • Security design and controls based on intended use of the medical device
  • Security risk assessments across the risk management process
  • Threat modelling to help determine operational risk

 

Security testing and communication for medical device manufacturers include:

 

  • Customer facing product security documentation & communication
  • Post-market monitoring of cybersecurity vulnerabilities
  • Identification of vulnerabilities in third party risk management
  • Vulnerability risk identification based on the device security design, controls, and mitigations

 

Ensuring availability of security patches & mitigations based on device risk:

 

  • Coordinated and clear communication to all affected users
  • Description related to the vulnerability and its corresponding mitigations
  • Identification of other mitigation options when a security patch is unavailable

 

Data Integrity

 

One of the core principles the guidance stresses is cybersecurity information, data integrity and the importance of information sharing. IMDRF encourages medical device industry stakeholders to implement a proactive pre- and post-market approach to cybersecurity information sharing.

 

Moreover, timely information can help the industry recognize threats, evaluate associated risks, and react quickly as needed. An increase in industry transparency could directly benefit healthcare providers, medical device users and medical device companies.

 

Security Updates

 

An important section of the medical device cybersecurity guidance details stakeholder responsibilities related to communications, risk management, and transfer of responsibility. Specifically, it is important that medical device manufacturer communications are comprehensive & identify the types of documentation needed and when the medical device user may need it.

 

Product Security Documentation

 

Medical device manufacturers should ideally provide PLC documentation about security or support changes early in the Support stage. This helps HCP risk management during both the procurement & deployment of medical devices. Types of life cycle support for product security documentation include:

 

  • Manufacturer disclosure statement for medical device security
  • Software Bill of Materials (SBOM)
  • Security test report summaries
  • Third-party security certifications
  • Customer security documentation

 

Product Life Cycle Documentation

 

Medical device companies should communicate the strategic life cycle milestones to their customers. Further, these interactions would include cybersecurity EOL and EOS dates if available. This helps to support HCPs during both the procurement & installation process.

 

Additionally, medical device manufacturers should provide this information as far in advance as possible. The goal is at least 2 years in advance to best support healthcare professionals with the following information:

 

  • Affected medical devices
  • Medical device operating system(s)
  • Version of medical device deployed
  • Medical device software components
  • Expected date of medical device service changes
  • Extent of medical device maintenance after a service change occurs
  • Additional design controls that help all involved parties

 

Vulnerability & Patching Information

 

If a vulnerability is uncovered, medical device companies should provide related vulnerability information. Further, the guidance specifically mentions the importance of providing the appropriate mitigation or available software patch. Additionally, the guidance stresses that an elevated priority be placed on high-risk vulnerabilities where timely communication is required. This communication is designed to help prevent both patient injury and device interruption.

 

Finally, the mitigation method and implementation instructions should be provided to the medical device operators. These security updates may be delivered through either an over-the-air update or the deployment of service personnel to help install the remedy.

 

Proactive Communications for Third-Party Components

 

Medical device software and other digital components within a medical device will reach EOL/EOS before the product itself does. In these cases, risk can increase based on the lack of support for these elements. To help compensate for these security risks, the cybersecurity guidance suggests medical device companies should:

 

  • Validate the list of third-party components used in medical devices
  • Track support status updates of third-party components used within their device
  • Assess the risks that exist when third-party components become unsupported
  • Communicate new risks and available risk mitigations to healthcare providers

 


 

Data integrity is the reliability, consistency, and accuracy of data at rest and in transit. Quality data adheres to several standards, beginning with integrity, confidentiality and availability.

 

Data integrity is a process to ensure consistent and accurate data over its life cycle. Requirements specify that data records need to be attributable, legible, contemporaneous, original, and accurate (ALCOA). In addition to ALCOA, there is ALCOA+, which also requires data to be complete, consistent, enduring, and available.

 

Good Practices for Data Management and Integrity

 

Compromised data can lead to poor business decisions. Any decisions based on inaccurate data are suspect during inspections. To ensure the integrity of your company’s data:

 

  • Implement access controls. Locking and securing sensitive records and restricting unauthorized users from accessing data can reduce loss and corruption. 
  • Make backups. Once lost, raw data is irreplaceable. Backups must include the original, raw data and create a duplicate in an alternate location.
  • Validate the data. Automate digital validation by organizing and filtering data using scripts. Validation checks that the data is secure, meaningful and correct.
  • Have a quality system in place. Having a quality system in place and ensuring procedures can be completed on- or off-site will help solve any issues. 
  • Think through changes. If you’re going to change processes to adapt to a more virtual environment where employees work from home, think about all necessary steps or procedures.
  • Organize files and systems. Systemically arranging your files helps you easily pass off or explain data to others such as auditors and inspectors.
  • Validate input. You can use input validation to block cyberattacks such as structured query language (SQL) injection. Checking input at the time it is recorded is crucial.

 




 

New Guidance From the Food and Drug Administration (FDA)

 

The best way to maintain a supply of safe and effective products and prevent a drug shortage is to comply with data integrity concepts to prevent batch rejection or recall, monitor sites, and stay up to date on FDA guidelines. You can do this by:

 

  • Reviewing the staff manual guide. This guide covers FDA internal procedures for requesting records in advance of or in place of a drug inspection. 
  • Ensuring your company has a quality culture. Complications during the COVID-19 pandemic have only made processes more complicated, so establishing procedures around quality culture can help deter issues. 
  • Building quality into your operations. Make sure you have a strong training program and that its importance to the organization and the product is understood.
  • Having a solid risk management plan. A solid risk management strategy can save you money, time, and unnecessary manufacturing disruptions and establish a process to deal with potential risks that may arise.

 

About RCA’s Pharmaceutical Consulting Services 

 

Regulatory Compliance Associates (RCA) has helped thousands of pharmaceutical companies meet regulatory, compliance, quality assurance, and remediation challenges. With more than 20 years of experience with FDA, Health Canada, EU and global regulatory agencies worldwide, Regulatory Compliance Associates® offers leading pharmaceutical consultants. We’re one of the few pharma consulting companies that can help you navigate the challenges associated with industry regulations.

 

Our pharmaceutical consulting firm includes over 500 seasoned FDA, Health Canada & EU compliance consultants and regulatory affairs experts who understand industry complexities. It’s a pharma consultancy founded by regulatory compliance executives from the pharmaceutical industry. Every pharmaceutical industry consultant on the Regulatory Compliance Associates team knows the unique inner workings of the regulatory process. 

 

Client Solutions

 

Whether you’re in the product planning, development or pharmaceutical lifecycle management stage or need a remediation strategy for a compliance crisis, Regulatory Compliance Associates will guide you through every pharmaceutical consulting step of the regulatory process. Our pharmaceutical consulting Experts will create a customized approach depending on your product and company’s individual needs. Our regulatory compliance clients include:

 

  • Companies new to FDA, Health Canada or EU regulations and regulatory compliance
  • Start-up organizations with novel submissions to 510(k) submissions from multi-national corporations
  • Investment firms seeking private equity due diligence for pre-acquisition and post-deal research
  • Law firms seeking pharmaceutical consulting firm expertise in the remediation of warning letters, consent decrees, 483’s or import bans

 

Regulatory Affairs

 

Regulatory affairs is Regulatory Compliance Associates’ backbone. We exceed other pharma consulting companies with industry experts experienced in the complexities of the pharmaceutical and biopharmaceutical industries. Our pharma consulting expertise spans all facets and levels of Regulatory Affairs. Additionally, we specialize in Regulatory Support for New Products to Life Cycle Management, Outsourced Regulatory Affairs, Submissions, Training, and more.

 

As your partner, we can negotiate the potential assessment minefield of regulatory compliance services with insight, hindsight, and the clear advantage of our breadth and depth of knowledge and regulatory compliance consulting. We offer the following pharma consulting regulatory affairs services for pharmaceutical companies.

 

  • New Product Support
  • Product Lifecycle
  • Other Regulatory Services
  • Combination Products

 

Compliance Assurance

 

The regulations process surrounding pharmaceutical companies can be tricky for even the most experienced industry veteran to understand. Just one misstep could mean significant and lasting consequences for your business. At Regulatory Compliance Associates, we offer the pharma consulting experience and pharma consultants necessary to guide you through the quality compliance process.

 

  • Assessments
  • Audits
  • Regulatory Agency Response
  • Preparation and Training
  • Inspection Readiness
  • Data Integrity

 

Quality Assurance

 

Regulatory Compliance Associates Quality consulting includes assessments, strategy, implementations, staff augmentations, and identification of quality metrics to ensure continuous improvement. Our pharma consultants understand the strategic thinking needed to align your business needs and goals. Regulatory Compliance Associates quality assurance services include quality experts with experience spanning major corporations and start-ups. Our pharmaceutical consulting firm knows firsthand how to achieve, maintain, and improve quality. Finally, our regulatory compliance services team excels in transferring continuous improvement knowledge to your organization.

 

  • 21 CFR Part 11
  • Data Integrity
  • Manufacturing Support
  • Facility Support
  • Quality Metrics

 

Remediation Services 

 

Regulatory Compliance Associates has a proven remediation services approach to managing FDA Warning Letters, Consent Decrees, Remediation and other serious regulatory situations. Our pharma consultants know how to partner with executive, legal, and communication teams. Each RCA pharma consulting Expert will develop a response that will be accepted by the regulatory agency and be realistic to execute.

 

Regulatory Compliance Associates pharma regulatory consultants will develop a comprehensive proof book of documented evidence demonstrating the corrective action taken to remediate non-compliant issues. In addition, each Regulatory Compliance Associates pharma consulting Expert understands compliance enforcement. We’ll prepare a comprehensive pharma consulting strategy to assist in your remediation efforts, drive continuous improvement, and maintain regulatory compliance with the regulations.

 

  • Regulatory Action
  • Regulatory Compliance
  • Regulatory Enforcement
  • Warning Letter
  • 483 Observation
  • Oversight Services
  • Risk Management Plan

 

About Regulatory Compliance Associates

 

Regulatory Compliance Associates® (RCA) provides pharmaceutical consulting to the following industries for resolution of life science challenges:

 

 

We understand the complexities of running a life science business and possess areas of expertise that include every facet of R&D, operations, regulatory affairs, quality, and manufacturing. We are used to working on the front lines and thriving in the scrutiny of FDA, Health Canada, MHRA and globally-regulated companies.

 

As your partners, Regulatory Compliance Associates can negotiate the potential minefield of regulatory compliance and regulatory due diligence with insight, hindsight, and the clear advantage of our unique expertise and experience.

 

  • Founded in 2000
  • Headquartered in Wisconsin (USA)
  • Expertise backed by over 500 industry subject matter experts
  • Acquired by Sotera Health in 2021

 

About Sotera Health

 

The name Sotera Health was inspired by Soteria, the Greek goddess of safety, and reflects the Company’s unwavering commitment to its mission, Safeguarding Global Health®.

 

Sotera Health Company, along with its three best-in-class businesses – Sterigenics®, Nordion® and Nelson Labs®, is a leading global provider of mission-critical end-to-end sterilization solutions and lab testing and advisory services for the healthcare industry. With a combined tenure across our businesses of nearly 200 years and our industry-recognized scientific and technological expertise, we help to ensure the safety of over 190 million patients and healthcare practitioners around the world every year.

 

We are a trusted partner to 5,800+ customers in over 50 countries, including 40 of the top 50 medical device companies and 9 of the top 10 pharmaceutical companies.

 

Commitment to Quality

 

Our Certificate of Registration demonstrates that our Quality Management System meets the requirements of ISO 9001:2015, an internationally recognized standard of quality.

 


The US Food and Drug Administration (FDA) recently issued final guidance for Biologics industry executives to help define modifications to existing products and update submission procedures.  The primary focus of the guidance is to help biologics industry employees responsible for reporting understand which type of risk category is appropriate for updated variations in chemistry, manufacturing, and controls (CMC).

 

The guidance is applicable to CMC products with an existing biologics license application (BLA) currently approved by the FDA. It’s a critical update since any Biologics company or regulatory partners must notify the FDA about every change to an approved BLA under the Code of Federal Regulations (21 CFR 601.12).




FDA submission data

 

FDA Guidance

The final FDA guidance goes into detail about each post-approval change in the product, including production process, quality controls, equipment and facilities, responsible employees, and established labeling. Expanded submission data will potentially provide greater detail about the risk profile related to the changes, and how revised changes impact the intended safety or efficacy of the product.

 

Assessing and implementing manufacturing changes is laid out in great detail in the FDA guidance. Comparability data will be used to show variations of the product pre- and post- changes. The comparability analysis is necessary to help gauge possible effects of the product changes. Data from the analysis will be represented through a variety of sources, including a combination of testing, validation studies, and non-clinical or clinical studies.

 

FDA submission procedure

 

More importantly, the guidance provides a greater amount of detail about the updated FDA submission procedure. A significant focus of the guidance acknowledges the opportunity for adverse effects and how to measure and minimize them based on data about the revised formulation. The biologic submission must show reference information that considers the new identity, strength of the product, quality of the product, and purity or potency of the product.

 

The three unique types of Biologics reporting include a Prior Approval Supplement, Changes Being Effected in 30 Days/Changes Being Effected (CBE30/CBE) and an Annual Report:

 

Prior Approval Supplement (PAS)

  • This includes changes that have significant potential for an adverse effect on product quality. The PAS must be approved by the FDA before a Biologics company can distribute any updated BLA approved product to the market involving the changes.

 

Guidance Changes Being Effected in 30 Days/Changes Being Effected (CBE30/CBE)

  • This includes changes that have a moderate potential to have an adverse effect on product quality. The CBE30/CBE requires an applicant to report the change to the FDA in a supplement at least 30 days before distribution of the product to the market.

 

Annual Report (AR)

  • This includes changes that have a minimal potential to have an adverse effect on product quality.

 

FDA process validation

 

Assessing the impact of the change on product quality is critically important in the reporting submission.  Reporting data should include prior knowledge and findings from product development activity. Documentation surrounding process validation activities and manufacturing expertise of the approved BLA product are also requested.

 

Quality risk management activities or pre-commercial studies that provide expanded awareness of the effects of the changes can also be very valuable for FDA decision makers. Finally, a cumulative impact assessment of multiple changes on the updated BLA product can help ensure post-market surveillance activities are aligned between the FDA and Biologics company.

 

Quality Management System

 

References to a robust quality culture appear throughout the guidance, including the development of robust manufacturing processes and process controls. Innovative process validation techniques and analytical testing are listed as critical drivers Biologics companies should practice to help mitigate risks associated with manufacturing changes.

 

Having an effective quality risk management system allows Biologics industry executives to make knowledgeable choices regarding manufacturing variations. The quality system data increases confidence in product quality and process consistency for both executives and the FDA. Formal and informal risk assessments in support of post-approval manufacturing changes increase the accuracy and effectiveness of the assessment of the change, which can increase the speed of the FDA’s decision.

 

About RCA’s Biologics & Biotech Consulting Services

Regulatory Compliance Associates® can assist you in ensuring the quality of your biologics or biosimilar product during its entire lifecycle. From pre-market to post-market reviews, inspection, and compliance, our Biotech consulting experts can shepherd your biologics through design, labeling, promotion, production, and testing. Our Biologics consultants & consulting services include:

 

Regulatory Affairs

 

Regulatory affairs is the backbone of Regulatory Compliance Associates®, and we fully understand the complexities of the biologics industry. Our biotech consulting expertise spans all facets and levels of Regulatory Affairs, from early phase & bioanalytical sciences through late phase and post approval.

 

  • Preclinical & CMC Consulting
    • FDA Meetings & Briefing Package Assistance
    • Clinical Trial Applications
    • Marketing Applications
    • Medical Writing
  • Lifecycle Management
  • Submission Planning & Strategic Support
    • eCTD Publishing & Submissions
  • Strategic Consulting & Intelligence
  • US Agent
  • Project Management Support
  • Clinical Development Support
    • Clinical Research Organization (CRO) Sourcing
  • Analytical Development Support
    • Bioassay Design & Validation
    • Immunoassay Support
    • Statistical Analysis & Specification Setting

 

Compliance Assurance

 

Increasingly, life science companies are feeling the pressure of greater scrutiny by regulators, and responding by developing sustainable compliance strategies. Whether it’s biologics consultants preparing for an audit, developing a response to an FDA finding, or remediation to an adverse event, Regulatory Compliance Associates® biotech consulting global team can help.

 

  • Assessments
    • Current Good Manufacturing Practice (cGMP)
    • Corrective & Preventive Action (CAPA), Investigations & Deviations
    • Facility & Maintenance 
    • Data Integrity
    • Quality System Gap Assessment
  • Audits
    • Supplier Audits
    • CRO Audits
    • cGMP Compliance Audits: Manufacturing, Pilot Plant, Laboratory
    • cGLP Audits
    • Good Clinical Practices
  • Preparation, Training & Inspection Readiness
    • cGMP Fundamentals (Annual Training Required by Regulations)
    • Quality System Regulation
    • Risk Management
    • Investigations, Deviations & CAPA & Root Cause Analysis
    • Validation & Technology Transfer
    • Purchasing Controls & Supplier Management
    • Document Management & Change Control
    • Audit Readiness
    • Quality Culture & Management Responsibility
    • Data Integrity & Good Documentation Practices (GDP) Centered on How the Data is Recorded, How to Correct an Error, and How to Document the Reason(s) for the Error

 

Quality Assurance

 

Regulatory Compliance Associates® Quality consulting services include assessments, strategy, implementations, staff augmentations, and identification of quality metrics. Our biologics consultants’ goal is to ensure continuous improvement, aligning with your business needs and goals. Our biotech consulting subject matter experts have experience spanning major corporations and start-ups.

 

We know firsthand how to achieve, maintain, and improve quality, and we excel in transferring this knowledge to your organization.

 

  • Quality Management System Implementation
  • SOP Development
  • Document Control Systems
  • Change Control
  • Laboratory Operations & Control

 

Remediation Services

 

Regulatory Compliance Associates® is widely recognized within the life science industry and global regulatory agencies for its ability to help companies successfully resolve complex remediation services challenges. With a proven track record of success, Regulatory Compliance Associates® biologics consultants have significant experience with the development of responses to 483 Observations, Warning Letters, Untitled Letters and Consent Decrees.

 

  • Regulatory Action
    • 483 Response & Remediation
    • Warning Letter Response & Remediation
    • Consent Decree Response & Remediation
    • Oversight Services
  • Consulting
    • Comprehensive Audits
    • Remediation Plan Development & Implementation
  • Manufacturing Support
    • Re-validation of Existing Equipment & Processes
    • Remediation of System Deficiencies Related to Manufacturing Process, Equipment, or Facility
    • Facility Improvements (Aging Facilities) 

 

Strategic Consulting

 

Whether it’s a corporate needs analysis, corporate growth / transformation strategy or due diligence / acquisition, Regulatory Compliance Associates®  worldwide biotech consulting experience can help ensure a successful mix of top-notch advice and people so your engagement is on time, on budget, and you’re never embroiled in a costly mistake.

 

  • Portfolio Management
  • Mergers & Acquisitions / Due Diligence
  • Staffing Support

 

About RCA

 

Regulatory Compliance Associates® (RCA) provides biologics consulting & biotech consulting to the following industries for resolution of life science challenges:

 

 


Click now to watch Regulatory Compliance Associates® Dr. Stephen Coulter explain how design controls and risk management play an intricate role in the Waterfall methodology:

 

 

The Waterfall methodology incorporates the usage of FDA design controls into the medical device design process. It serves as the primary connection between quality system requirements (QSR) and current good manufacturing practices (CGMP).

 

Waterfall Method

 

Conceptually, the FDA Waterfall model is designed to provide engineers with the flexibility to mitigate product risk, meet regulatory compliance and satisfy customer needs. It is a sequential process based on the quality assurance and medical device engineering principles listed in 21 CFR 820. The methodology itself is conceptualized in the image below from the Medical Device Bureau of Health Canada. 

 

Waterfall Development

 

To increase risk mitigation during the Waterfall methodology, both risk management & design controls are considered. They often become integrated processes during Waterfall product development. Many unique tools that medical device engineers use to define requirements & meet user needs are shared across these processes, even though each is based on a separate standard.

 

While design controls for FDA approval are referred to in 21 CFR 820, medical device risk management is internationally associated with ISO 14971. Three critical elements of risk mitigation strategies clearly focus on avoiding risk during product development:

 

  • Evaluating an associated risk
  • Controlling an evaluated risk
  • Monitoring risk control effectiveness overall

 

Input Requirements

 

The success of the Waterfall development method depends on early research & assessments conducted about input requirements that include strategic risk. Further, spending time documenting the inputs of user interface, user stories and product epics can help increase positive outcomes and reduce requirement risk overall.  Finally, any inconsistencies during the waterfall methodology between the proposed design & input requirements can be corrected across stages. This aligns with one of the primary motivations behind FDA originally developing 21 CFR 820 (e.g. helping medical device manufacturers find design deficiencies earlier in the process).

 

Risk Management

 

By starting the Waterfall process with this end state in mind, design inputs are more likely to pass failure testing & become a manufacturing output. This risk management strategy during a Waterfall project can begin with identifying the publicly known risks of competitive products. Second, the team is challenged to investigate if similar hazards could be associated with your medical device. When working with a Regulatory Compliance Associates risk management consultant, our clients are reassured that Waterfall development should detail how hazards can impact user needs & potential customers.

 

For example, design inputs should consider current regulations and global standards early in the waterfall process. This helps incorporate a risk management perspective even before verification and validation testing begins. Intended uses should consider predicate devices and whether any causes for recalls are related to design, materials, or software.

 

Waterfall Approach

 

So, does this mean risk management & design controls are connected in the waterfall approach? And if they are, how important is one over the other when leading to marketing approval or regulatory compliance? This process is often measured against a combination of factors, including:

 

  • Regulations & standards for clinical approval
  • Risk class of medical device being manufactured
  • Regulatory body reviewing the marketing submission

 

Enterprise risk management would consider all three of these factors individually and in combination when considering how to eliminate systemic risk. The Waterfall project management team can also use various tools and techniques while developing the risk management plan. These risk identification tools include conducting a risk analysis, performing an FMEA, and charting risk tolerance. 

 

Risk Analysis

 

Existing regulations & standards offer various types of risk tools that can be incorporated into design controls. This can include identifying risk levels and creating severity charts during the user needs & design inputs stages. Additionally, each new product will have different hazards and risk tolerance levels associated with the target patient. Being able to analyze the problem, control the problem, and mitigate the risk is essential to define in your risk analysis. Challenge yourself to reduce and identify hazards by analyzing the known data as much as possible.

 

FMEA

 

Failure Mode and Effects Analysis (FMEA) is a controlled technique for detecting and concentrating on emerging problems. Each failure is commonly assigned a rating based on the negative effect it may cause. The Waterfall process would then take each rating and project how the marketplace, healthcare systems, or patients can be impacted. FMEA is one of many risk mitigation tools that can help your team identify the hazards for your severity chart. Each charted hazard is established based on the severity of the hazard to the user and the project requirements for design control.

 

Risk Tolerance

 

Further, after the severity is defined, all known or projected hazards can be developed into a risk tolerance chart. The risk tolerance chart can then be shared cross-functionally across the team to help everyone understand which design steps can increase user risk. One of the benefits of a risk tolerance chart is that it presents the data visually. The design team should consider how design controls and user needs can reduce the hazard’s impact. Finally, a waterfall chart could also project the negative consequences of adverse events and what the estimated cumulative impact might be during a product crisis scenario.

 

Risk Management Summary

 

Finally, once your team has evaluated the risks and decided on precautions, a risk management summary is developed. It may involve multiple failure mode analysis types (e.g. product, process, etc.) and risk ratings. These initial ratings are typically based on the types of failures and the severity of the failure itself. Ranges can also be given to determine the risk management strategy and the acceptable level of product risk (e.g. high, medium, low).

 
