The European Commission published a proposal for new European medical device regulations in September 2012. The regulations have been moving through the legislative process ever since, and most observers expect them to be published in late 2015.
While the final text of the regulation is still being massaged, there are some key aspects that will have a profound impact on medical device manufacturers, as well as their suppliers, doing business in the European Union, the second largest medtech market in the world. Those elements include the requirement to hire a Qualified Person, the institutionalization of unannounced audits, and the establishment of a scrutiny procedure, which could cause delays in bringing products to market.
What is a Qualified Person, and why do I need one?
As it stands, the proposed medical device regulation requires all medical device manufacturers to employ a person with at least five years of regulatory experience on site. This will not be a burden for large companies, which typically have people with this expertise on staff, but it could cause considerable hardship for small to mid-size manufacturers.
"The Qualified Person requirement can be a big problem for small companies that have used consultants to fulfill this role in the past," says Christopher J. Devine, PhD, President of Devine Guidance International, which provides consultancy services related to quality management and regulatory compliance. "Smaller companies don't necessarily have the resources to hire a full-time Qualified Person. And, frankly, if this measure is approved—and it's not at all sure that it will pass as currently worded—I don't think you will find enough people with the appropriate qualifications to meet demand."
Surprise! It's time for your audit
Public outrage over the Pip breast implant scandal—as you may recall, French manufacturer Poly Implant Prothèse (Pip) used industrial-grade silicone instead of medical-grade silicone in breast implants and was able to hide the practice for many years—forced authorities to jump into action and find ways to prevent this from happening again, which brings us to unannounced audits.
Under this new rule, which is currently in effect but has not been widely implemented, Notified Bodies are required to perform unannounced visits to manufacturers or their critical subcontractors at least once every third year—more frequently under some circumstances. The thinking is that this will make it more difficult to commit outright fraud, as was the case with Pip, where the vats of industrial silicone would be hidden when auditors were scheduled to drop by.
|The Medical Design & Manufacturing (MD&M) East Conference in New York, NY, in June will feature several sessions devoted to regulatory affairs, including in-depth presentations of the new EU medical device regulations. For a full conference schedule and additional event information, go to the MD&M East conference website.|
While industry has largely accepted this measure, it does raise some issues. "What if the individual who is best positioned to answer the auditor's questions is not present when the unannounced visit occurs?" asks Devine. "He or she may be ill or on vacation. Again, this can be a real problem for small manufacturers that don't have the resources of the big guys."
In some cases, subcontractors to medical device OEMs may be targeted for an unannounced audit, as well. A recommendation from the European Commission states the following:
"Notified bodies may, instead of or in addition to visiting the manufacturer, visit one of the premises of the manufacturer's critical subcontractors or crucial suppliers if this is likely to ensure more efficient control. This applies in particular if the main part of the design development, manufacturing, testing or another crucial process is located with the subcontractor or supplier."
The sticking point here is that the critical subcontractor is not strictly defined in the regulation, says Mark Leimbeck, Program Manager, Medical Regulatory Advisory Services, UL.
"The critical subcontractor could be an injection molder or circuitry supplier or software developer. It all depends," says Leimbeck. "The manufacturer must identify what is being outsourced and consider which features are critical for the safe and effective use of the medical device. If the clinical function is dependent on the outsourced component, then the supplier could well be considered a critical subcontractor," says Leimbeck.
The trouble with scrutiny
Article 44, the so-called scrutiny procedure, has been hotly debated by industry, as it has the potential to significantly delay time to market. The regulation calls for the formation of an expert committee called the Medical Device Coordination Group (MDCG), made up of members appointed by EU member states and chaired by the European Commission. The MDCG would have the authority to take a second look at innovative, high-risk devices that already have been assessed by a Notified Body. By some estimates, the process could delay time to market by six months or more, and put a serious dent into the benefit of launching products in Europe first.
So, what should I do now?
Given the prospect of unannounced audits and fundamental regulatory changes, the first thing to do, says Devine, is to stay in constant contact with your Notified Body. "Don't forget that you're paying your Notified Body, they work for you," says Devine.
Review your risk management process, recommends Leimbeck. "Historically, OEMs have treated components as a black box—they look at the ratings, price, delivery times. This is not sufficient when it comes to critical parts," he says.
Leimbeck also advises adopting a tiered approach to supplier controls. "Ramp up controls to match the criticality of the part, and identify areas where components are out of spec." Suppliers may change specifications without informing their customer because, from their perspective, the variance won't affect functionality. "They don't realize the impact it can have on a medical device," says Leimbeck.
Finally, if you claim to have a robust incoming inspection process, as you should, and are not reporting any component variations, you might want to reboot. "You need to spec well and do incoming inspections," says Leimbeck. "If you're not seeing any variances, that goes against the law of probability and will be a red flag to auditors."