We’re going through changes: Major upcoming regulatory changes for manufacturers explained

Jon Speer, founder and VP of QA/RA for software company Greenlight Guru, explains the major regulatory changes which are coming soon for manufacturers of medical devices.

Between the transition to ISO 13485:2016, the EU MDR and political instability, the past five years of regulatory changes in the medical device industry arguably represent more change than the industry has seen in 20 years.

While large, multinational manufacturers have the resources necessary to navigate these changes, small device makers - which make up 80% of the market, will likely be forced to make difficult decisions on the future commercialisation of their products in certain markets.

Let’s take a look at four of the largest changes facing the industry today:

ISO 13485:2016 and the push for global harmonisation of Quality Management System (QMS) standards

ISO 13485:2016 introduced a long overdue shift in industry mentality towards quality management systems, shifting focus towards a risk-based approach to produce safe and effective medical devices. The standard also introduced the idea that medical device requirements should be less regionally governed and more globally harmonised.

While the 2016 version of the standard took more than a dozen years to update, don’t expect future updates to ISO 13485 to take nearly as long. Working groups of the standard will initiate discussions in the latter half of 2019 to outline the next generation of the ISO 13485 standard.

The transition to the 2016 version of ISO13485 was painful for some organisations, as it required significant changes in culture and systems, and engineering and quality teams would be well served to retain the lessons learned in the transition to avoid falling prey to “corporate amnesia” during future transition periods.

The EU MDR compliance date is looming

If you are anything like me, you have May 26^th, 2020 circled in red ink on your calendar. This is the deadline for full implementation of the European Union’s Medical Device Regulations (MDR 2017/745), upon which manufacturers actively marketing products in the EU must be fully compliant with these new regulations or cease operations until they are.

Compared to its predecessor, the Medical Device Directive (MDD), the EU MDR is less focused on the pre-approval stage of medical device manufacturing. Instead, the new regulations promote policies and procedures that elevate the manufacturer responsibilities throughout the lifecycle of their products. Securing a CE Mark, a symbol that indicates conformity with health, safety, and environmental protection standards for products sold in Europe, is no longer an end-state for device makers.

There are two key aspects worth noting:

1. The scarcity of Notified Bodies actively certified to serve the bandwidth from medical device companies requiring conformity assessments of products to receive CE Mark certifications
2. The cost of compliance: To date, only three organisations have secured licenses to act as a Notified Body under the new regulations, whereas under the MDD there were nearly 2,500 Notified Bodies. This is significant because as of the date of writing this, the current number of designated Notified Bodies will not have the capacity to address the entire EU market demand. Going from 2,500 down to 20 entities is going to be a significant bottleneck for medical device companies seeking EU market presence.

One of the systems most impacted by the MDR is a device maker’s QMS. While ISO 13485:2016 certification still holds weight in the eyes of regulators, the MDR introduces additional QMS requirements including post-market surveillance, Periodic Safety Update Report (PSUR), incidents and Field Safety Corrective Actions (FSCA), and a dozen or so other items.

Due to the significant amount of new regulations that companies are expected to follow, many smaller-scale device makers will have to make difficult decisions as to whether the cost of compliance in the European market makes fiscal sense.

Taking risks with risk management

Plain and simple, ISO 14971 defines the international standards of risk management for medical devices. If the transition to ISO 13485:2016 wasn’t enough of a whirlwind for companies, the latest revision to ISO 14971:2012 is expected to be released in late 2019, bringing with it a new wave of changes for device makers to implement.

Working groups are still finalising edits to the standard, but based on insights provided from group members, we can expect to see further clarifications on benefits and risk written into the guidelines. Risk has been well-defined in previous versions, however, benefits have not and it’s well overdue.

Unfortunately, some companies are experiencing the repercussions of falling behind on compliance, for example the transition to ISO 13485:2016. This should serve as a cautionary tale for others to avoid falling behind on transitioning to the new ISO 14971 as soon as they are able. Device makers need to assign internal and external owners of risk management who will be responsible for implementing the necessary changes once the new version of ISO 14971 is released.

Medical Device Single Audit Program (MDSAP) moves toward further harmonisation

In 2012, the International Medical Device Regulators Forum (IMDRF) introduced a working group that would develop a framework for the MDSAP - a global standard for medical device quality system compliance.

Under MDSAP, medical device companies may elect to undergo a single audit conducted by a recognised auditing organisation to qualify for selling their medical device in the program’s participating regions around the world, which includes Australia, Brazil, the United States, Canada, and Japan. Companies that choose to go via this route can avoid the high cost and effort associated with multiple market regulatory submissions and inspections or audits for their company.

MDSAP is a progressive push toward global harmonisation and has the potential to reduce the regulatory costs of audits and compliance for both device makers and regulators. After the close of the pilot program, both Canada and Australia have fully adopted the MDSAP program as their primary audit system.

However, MDSAP is based on the outdated guidelines from ISO 13485:2003, leading the European Union to pass on further participation in the MDSAP program. With an expected update to the current 2016 version of ISO 13485 coming in the near future, I do not foresee MDSAP lagging behind for long.

Summary

As consumer awareness of the medical device industry continues to increase and the demands for higher product quality grow louder, medical device manufacturers should expect regulatory changes to continue. The days of ten years or more passing between major updates to regulations are likely a thing of the past.

Furthermore, the move towards regulatory global harmonisation will continue at a rapid pace as established best-practices become codified in law. In the past half-decade alone, we have witnessed many companies struggle to keep up with regulatory changes, which is likely due to a lack of dedicated initiatives within those organisations to proactively implement changes. As the pace of regulatory change shows no signs of slowing, and with many signs that it will likely increase, reactivity will no longer be an acceptable strategy.

The companies that will thrive in the coming decades will be the ones that recognise that their internal regulatory governance and QMS must be agile and patient-centric and make the necessary changes now to prepare for the regulations of the future.