Remediation: What Challenges Do Device Companies Face?

Remediation of a quality system is a complex, time-consuming task that requires expertise and clear understanding of procedures and risk management. In March, MedTech Intelligence is hosting a conference to help medical device manufacturers with this process. Leading up to the event, Mark Leimbeck, program manager, medical regulatory advisory services at UL, LLC sat down with us to explain some of the issues device companies experience along the way, key considerations during the remediation process, and risk priorities in a three-part series on remediation.

Mark Leimbeck, UL

MedTech Intelligence: Remediation: What documentation and other challenges do device companies face?

Mark Leimbeck:

Compliance mandates

One of the challenges we have seen manufacturers struggle with is planning for pending regulatory changes, and then acting on them, far enough in advance to avoid last minute heroics. Specifically, when standards and regulations are updated, manufacturers are typically reluctant to allocate resources until the dates are imminent.

Case in point, we see trouble brewing with the new in vitro diagnostic (IVD) Regulation in Europe, which presents a perfect opportunity for lack of planning and action. Under this new regulation, about 80% of the IVD devices on the market today will be in scope; this is to be contrasted with the current IVD Directive where only about 20% of IVD devices on the market are in scope.  To put it mildly, that’s a significant expansion; and from a planning perspective, we hope that manufacturers take a long hard look at the number of products they produce, and the gaps that may exist in their documentation for support of regulatory compliance.

In addition to simply adding more products under regulatory control, the new regulations in Europe will add additional requirements that apply to every product and quality management system.  For example, the expectation of what needs to be covered going into clinical trials, will be more demanding.

There are also increased expectations for Notified Body staff with respect to training and qualifications.  Couple this with a lack of qualified people in the market to perform the required work, a longer and more complex process to train and qualify new staff, and there are fewer and fewer people available to perform the work involved.

And to top it off, a number of notified bodies need to be re-certified. There are fewer notified bodies out there to do the work, so it’s easy to see how companies could find themselves in a situation pretty quickly where schedules are already booked and you just can’t meet the deadline that’s been dictated by the regulatory mandates.  That’s a pretty big challenge a lot of different manufacturers will face, specifically with respect to the in vitro diagnostics regulation.

Sponsored Content

Regardless of industry or business size—the common denominator is risk. What can companies do to not just reduce risks, but prevent them from occurring in the first place? Download this comprehensive guidebook to learn some of the best tools and techniques to ensure an effective risk management process.

Limited documentation with legacy devices

Another challenge we have seen manufacturers struggle with is legacy devices. Often companies go back to their documentation in an attempt to provide the documentation necessary to support regulatory compliance, only to find that the information simply doesn’t exist.  Many times, I have worked with customers that describe verbally what they have done, and how it supports compliance with the regulations; however, it’s not documented.  Even with the best intentions, if it’s not documented, from a regulatory perspective, it wasn’t done.  This typically results in a massive effort where companies are forced to create new information.

Process maturity

One of the challenges encountered by manufacturers facing remediation as a result of new regulations is that fact that, for some, their processes are not designed to provide the evolving level of sophistication expected. Historically, we have seen that some manufacturers focus strictly on compliance, a check-the-box exercise, if you will. This may have been found to be compliant in the past; however, the newer regulations are increasingly expecting a sophisticated level of interaction of what was, heretofore, organizational functions and processes that tended to operate as stand-alone entities.

The practice of reviewing production and post-production data is one example of a process that can, and should, provide information to a variety of areas where feedback will result in improved products, processes and services.  As risk management becomes more pervasive and mature, the expectation is that companies will look at the data and try to improve the product safety and effectiveness, taking appropriate actions.  Because many manufacturers are not there yet, there’s a lot of infrastructure-related work to get the systems generating production and post-production data and disseminating it to facilitate proactive risk management, rather than strictly compliance.   Consequently, some companies find themselves having to retrospectively create new structures and processes.

Staff competence and involvement

Many employees are not fully versed and competent on risk management. I use the word “competent” because it’s one of the expectations of the new ISO 13485 (published earlier in 2016)—it’s now a requirement not just for training but also for competence.  It has been our experience that staff has had little or no formal training in risk management, and now the expectation is even higher. The question then becomes, how does one validate that staff members are in fact competent to perform the risk management activities that they are responsible for?

Related to the competence question, if you’re retrospectively looking at your devices and what information can be compiled to generate a risk management file, the first problem you’re likely to encounter is the fact that the original team that generated the information is no longer at the company.  In most of the remediation cases I’ve seen for legacy devices, a company has purchased another company, and the people who originally generated the information are long gone. You’re looking for a needle in a haystack of documentation.  There’s no one around to even ask who might have been involved.  Further, it is virtually impossible that the processes the original team followed and the training they received was compliant with the new requirements, simply because the requirements didn’t exist at the time.

On the point of staff involvement during risk management and risk assessment, it’s important to identify the applicable disciplines that should be involved to get a true picture of the risks that may be involved. Best-in-class companies have true subject matter experts who can readily identify the risks related to their area of subject matter expertise. One example is clinical input: frequently I see files where a clinician and/or actual user was not engaged in identifying or reviewing the risks that may be associated with a device – that information is simply missing, resulting in a “blind spot” in the risk assessment.

Logistics constraints

In situations where regulatory mandates having a broad, sweeping scope are introduced, such as the new IVD regulation, project management and planning are critical to overcome the triple constraint of cost, time and resources.  A great deal of work must be accomplished to generate the necessary information, and many normally separate functions must be brought together to achieve the goals. Who has the resources and what’s in it for them? It is no surprise that the politics and agendas of those involved must be considered and balanced to result in the best possible outcome.

Communication

It’s critical to understand if all stakeholders are on the same page.  One common thing I see when I start working with clients to remediate their files is that everyone has their own perception based on what they’ve done before. Establishing expectations, defining a clear project plan and getting agreement from people is critical.  Once this is established, communicate, communicate, communicate, until the project is complete.  Also, it’s not a bad idea to debrief at the end for lessons learned.

Related Articles

About The Author

Exit mobile version