by George C., Consultant on RegDesk

As a result of fraudulent medical devices entering the US market (such as orgone accumulators and other quack medical devices), an increase in the number of medical device recalls, and various medical devices causing death and/or serious injuries to patients (such as the Dalkon IUD Shield), the US FDA (Food and Drug Administration) initiated the medical device good manufacturing practice (GMP) in 1976 due to pressure from Congress. As such, medical devices were no longer indirectly regulated by the current GMP for pharmaceutical products (i.e. 21 CFR 210/211). At the same time, a similar industry standard ISO 13485 (medical device quality management system) came about from industry and foreign governmental requests (such as from Europe). Both the FDA GMP (21 CFR 820) and the ISO standard 13485 were developed from and were similar in concept to ISO 9001 (i.e. a general quality management system used by various industries including automotive, airline, and toy industries).

Europe wished to be a nation of peoples from different geographic areas (countries) that wanted to share a common market through the free movement of goods, services, jobs, and people. As a result, the European Union (EU) was formed. For the medical device industry, the EU issued three medical device directives (laws) associated with general medical devices, active implantable medical devices, and in-vitro medical devices. Under the governmental body, the EU decided for competent authorities (i.e. the regulatory bodies under the departments of health and welfare for its individual nations) to implement the three medical device directives (MDDs), regulate clinical research, appoint ethics committees and notified bodies, and approve the initiation of medical device trials. The notified bodies are independent, accredited bodies of experts (such as BSI and TÜV) that enforce the regulations (such as the medical device directives and various industrial standards, including ISO 13485), review clinical trial results, and inspect a manufacturer’s quality management system in application for certification, CE Marking, and approval for sale of a medical device.

Since the initiation of the 1976 medical device GMP, FDA noticed that over 45% of medical device recalls were design related. So what was the problem if US and foreign medical devices were following 21 CFR 820? It was two-fold. First of all, the 1976 GMP did not address product design and purchasing controls. Second, the basic scope of the 1976 GMP was product acceptance testing. This indirectly meant to test a product into compliance. As such, no total quality system concept was used by the US medical device industry.

After 20 years of recalls and various quality problems, FDA finally revised 21 CFR 820 in 1996 from the GMP approach to a quality system approach. The new 21 CFR 820 is known as the quality system regulation (QSR). The QSR (as depicted below) entwines and links seven subsystems: management controls, design controls, CAPA subsystem, production and process controls (P&PC), facility and equipment controls, material controls, and document and change controls.
Many companies are under a false impression after passing a notified body audit. They believe that they will automatically pass an FDA investigation.

Notice what I just said: the EU audits and the FDA investigates. Never forget this important fact!

First, I will briefly discuss the QSR v. ISO 13485.

Even though the QSR is similar to ISO 13485, there are slight differences. These differences (such as pertaining to training, design controls, complaint handling, document and change controls, and production and process controls) are what FDA concentrates on when visiting a medical device company. Also, FDA does not require a quality manual (unlike ISO 13485 & the MDDs). However, if the company wants to have a quality manual, make sure it jibes with the lower level procedures and the procedures jibe with the operations and documentation.

What is the basic premise of a good quality system? SAY WHAT YOU DO AND DO WHAT YOU SAY! Also, use the KISS approach when developing and implementing procedures and systems: KEEP IT SIMPLE, STUPID!

The other concern is the basic philosophy between the FDA and the European Union (EU).

Even though ISO 13485 is systematic in nature, it is a voluntary standard for companies outside of Europe. What this means is that the ‘paid’ medical device notified bodies performing the third party medical device audits are actually part of the medical device companies. Therefore, it is very rare for a notified body to decertify a medical device company’s quality system. Why? Simple! Decertifying against ISO 13485 and the MDD equates to another notified body getting chosen by the medical device industry. Additionally, ‘you get what you pay for’. Therefore, there are differing requirements for each notified body because there is no centralization between notified bodies throughout different European countries.

Now comes the FDA. The FDA’s philosophy is health and quality risk based, unlike the consistent process and customer base for the EU. Additionally, the FDA is a law enforcement government agency. If bad products are released, the FDA will be very concerned. The EU will not be concerned if the company has been shown to follow its procedures. Besides the difference in philosophies, FDA’s investigation approach is a top down systematic approach (i.e. QSIT). Each notified body has a different approach when conducting audits. FDA will look deeply into the information contained in each design history record, device history record, recall report, complaint record, CAPA documentation, nonconformance report, and other quality records and link each record with other records and the quality system. EU notified bodies normally do not dig deep, because 1) their audit approaches differ from FDA’s, and 2) they are actually performing a service for you (i.e. your ‘paid contractor’ to obtain CE marking).

Therefore, it is nobody’s fault but top management’s fault if the company fails an FDA QSR inspection. Why? Simply put … Poor quality equates to bad planning, inadequate resources, and taking short cuts to meet internal goals over quality. It takes patience to correct the barriers and costs of quality. In some cases, there are bad managers and leaders (i.e. unethical and immoral types) who will eventually be visited by FDA’s criminal investigations group. Good luck when this occurs!

So, why take the risk? You are fooling yourself if you keep on rolling the regulatory compliance dice, hoping not to be caught by the FDA. Eventually, the regulatory compliance dice will roll ‘snake-eyes’ and you will go ‘bust’! Remember, there is someone far worse than the FDA or a Notified Body … your customer’s attorney! Keep on rolling … Once you lose, it is costly!