QMS Development Question- Small Medical Device Manufacturer

[Gish]

It was concluded back then that the MDD was not up to scratch anymore and the game needed to be lifted (which I tended to agree with at the time). The problem is that they overdid it.

In my view the way they 'overdid it' was to not have the MDR itself be truly risk-based (a QMS requirement for manufacturers under 13485:2016). They have, more or less, 'thrown the book at' the entire medical device industry. The only risk-based distinctions in the regulation are by product class (I, Is/r/m, IIa, IIb, III). They do not account for market performance. Class I and IIa devices with decent nonconformance track records should not be subject to updating a CER or SSCP, unless there is a serious event or a very bad audit (and loss of certificate). Class IIb devices should be eligible for reduced scrutiny once they achieve a patient safety track record.
But they put the enforcement cart before the data-driven horse, so to speak. Basically, a backwards implementation.
In order to avoid a public health crisis (from device shortages) things are now moving towards over-correction in the other direction. The European Parliament created a motion for reform last October. In December the EU Health Commissioner added his weight to the motion Health Commissioner touts swifter reform of EU medical devices rules than expected.
Small or new companies should hold off on EU market applications until the dust settles, probably something like two years from now, IMHO.

 

[Ronen E]

... be truly risk-based (a QMS requirement for manufacturers under 13485:2016).

IMO this is a common misinterpretation. The "risk-based" element in 13485:2016 is quite limited in scope (the risk of processes not achieving their defined goals) and not as all-encompassing as people would like to think. I wrote about it at length here at some point, so won't repeat myself.

Class I and IIa devices with decent nonconformance track records should not be subject to updating a CER or SSCP, unless there is a serious event or a very bad audit (and loss of certificate). Class IIb devices should be eligible for reduced scrutiny once they achieve a patient safety track record.

This is a bit cyclic in my opinion. If you don't update regularly, how would you know that there are no serious (or non-serious) events/issues? Additionally, the current paradigm is implying the acceptability of clinical benefit-risk balance is relative, i.e. where your device is in relation to alternatives currently available. A mediocre clinical performance might be acceptable if your device is one of a kind; not necessarily once the landscape changes and there are more devices around and more experience in general.

 

[Gish]

This is the purpose of the Vigilance reporting requirements under Articles 87-90. The MIR vigilance reporting form requires the manufacturer to assess the level of Harm and other risk factors associated with the event. Whichever Competent Authority receives the report is tasked with reviewing the report and looking at the history of the company and of the device (this is part of the purpose of requiring and registering the device's UDI). Every device maker is required to perform post-market surveillance, either through a PMSR or PSUR. With all this information, requiring low- and mid-risk devices to additionally report repeated cycles of clinical evaluation or safety and clinical performance is not risk-based and it is overkill.
I am not alone in this opinion; the EU Parliament is becoming aware of the medical device shortages that are accumulating, the propulsion for the EU Health Minister to grant the interview cited above.

 

[Swimming In The Soup]

I do NOT recommend going the purchase a template route. That's likely just to confuse matters.

I agree. The QMS software platforms are too rigid and expensive for small companies. Being part of one, I did the research and ultimately chose Cognidox as a compliant document server. It does not dictate process but allows all the meta data functions for traceability, revision control, and approvals. Not very hard to make a functioning QMS with it. I have passed FDA audits with it. Pretty inexpensive also.

 

[d_addams]

This, imo, is clearly a consultant activity. Here is why. Building a QMS is different than managing a QMS. You'll want someone with 20+ yrs experience to build the QMS. But once its built, you don't need that level of expertise to maintain it, thus someone with 10yrs experience would be sufficient long term. Presumably money is tight and there isn't a clear pathway to viable equity compensation necessary to attract a 20+ yrs experience person as a Full-Time employee. Going with a consultant also allows you to switch from someone with specialty in one area or another.

If you go with a full-time employee I'd temper the expectations about the type of talent you could attract and that 'it will be good' the first time. If there is tolerance for continuous improvement and a few bumps along the road, there is a lot of value if the person who builds it turns into a long term employee.

Difficult choices with no obvious 'correct' path. Good luck

 

[Ronen E]

This is the purpose of the Vigilance reporting requirements under Articles 87-90. The MIR vigilance reporting form requires the manufacturer to assess the level of Harm and other risk factors associated with the event. Whichever Competent Authority receives the report is tasked with reviewing the report and looking at the history of the company and of the device (this is part of the purpose of requiring and registering the device's UDI). Every device maker is required to perform post-market surveillance, either through a PMSR or PSUR. With all this information, requiring low- and mid-risk devices to additionally report repeated cycles of clinical evaluation or safety and clinical performance is not risk-based and it is overkill.

If we lived in a perfect world and the Vigilance system worked perfectly as-designed and as-intended, and all device makers were following their obligations fully, that would indeed have been an overkill. Sadly, we all know this is not the case. I acknowledge there is a redundancy in the expectations but this is safety-factoring, accounting for reality.

I am not alone in this opinion; the EU Parliament is becoming aware of the medical device shortages that are accumulating, the propulsion for the EU Health Minister to grant the interview cited above.

Sorry for the cynicism, but the EU Parliament (as any parliament) is a political body. Since when are politicians pressure-free and impartial?... At the end of the day, most device shortages are the result of economical decision-making, subject to enterprise / shareholders profit. Ongoing post market follow up is not impossible; it just takes resources. I wouldn't be surprised to learn that politicians care little to fully understand the intricate economical and regulatory workings of the entire device supply chain.

 

[Tidge]

I don't think it is cynical (or requiring absolution) for pointing out the political motivations of the EU Parliament. Yes, there was a health crisis caused by a device that was designed with malice (intentionally or otherwise), and it was a no-cost (in the political accounting sense) to "do something"... and are we surprised that the "something" turned out to be aligned with the interests of lawyers?

I don't have a great answer for the OP... I feel like an experienced consultant is needed to review the current system, review the previously identified gaps, explain a couple different ways to close the gaps (without re-inventing things that work). The consultant shouldn't be a software salesperson, but it is likely that one or more software solutions can be presented... presumably for the gap areas first and again not as an effort to bolt something new onto something old.

As an example... if the device is only just getting into the market, a software solution that only (or primarily) handles "complaint" data an interfaces with regulatory databases may be worthwhile (in terms of cost and complexity) without having to be part of a "one stop solution" for all your QMS needs.

 

[RegRookie]

How important is it to implement QMS for MDR before 26th MAY? Do the NC check the timelines?