Regulatory Authorities are challenged to keep their markets open and to ensure that patients have proper access to devices while at the same time keeping non-compliant, possibly dangerous devices away from their populations. To achieve this they need to use risk control strategies. Authorities that are rethinking their approaches to risk management could consider a three-tier system:
- A 100% check on all devices for a limited number of items per device;
- A more extensive routine check on issues that emerge from the first check;
- In-depth analysis of the few devices or dossiers that give rise to further questions from this second check.
Emergo has recently acquired specific expertise in this field. Now several Regulatory Authorities have requested assistance in developing efficient supervision strategies. This article will profile in general terms this type of risk management system.
This article is not intended to help non-compliant companies evade regulatory compliance--although it will help regulatory authorities detect dangerous or non-compliant devices. But there is no quick fix. Getting this right will still demand a lot of hard work from all involved.
Challenge for regulators
Regulators worldwide must balance the need to maintain open and competitive markets with the obligation to protect public health. The most thorough way to prevent non-compliant products from entering the market is by doing an in-depth check on all devices. This is not practical, as there are so many devices and by far most of them will be found compliant, with acceptable risks. Checking all devices before granting market access would therefore lead to very high costs, with minimal improvement in safety. So regulators should use sampling methods based on certain risk models.
The most opportune situations to check compliance of a device are:
- Market access: a manufacturer or importer wants to introduce a new device to the population.
- Market entry: a device that has been allowed market access is physically entering the market.
- Ad hoc cases: for example when an accident happens in which the device is involved.
In each of these instances, a Regulatory Authority could use a three-tier system for checking compliance of the device:
- In the first tier, all devices or dossiers are checked on easily identifiable points.
- Devices that score an elevated risk on those points will get a more thorough check.
- If the device is still not clearly identified as compliant, it can be investigated in detail. This may include dossier examination or product testing.
The moment a newly developed device enters the market for the first time, that device should undergo some kind of market access approval. This market access approval process should be capable of handling two types of situations. This first is the situation where a local manufacturer wants to enter the market with his product using local (domestic) legislation; the second is that a manufacturer wants to enter the market with a device that has already been approved in another market under different market access legislation.
The situation of locally manufactured devices under local legislation can be handled by referring to procedures under national law. Manufacturers based somewhere else may refer to the same procedures as local manufacturers, for example when a manufacturer based outside of Europe uses a Notified Body for CE-marking. But often those devices are manufactured under foreign legislation. Sometimes there are mutual recognition agreements that enable market access for devices manufactured under different legislation, but that is not always the case.
Then authorities face a challenge. On one hand, devices should be compliant to their own legislation and requirements. On the other hand, there is an assumption of some level of quality and safety if a device is placed on another market.
But whatever the route of a device to the national market, authorities can try to make use of documents provided by other authorities, notified bodies or other accredited organisations to make market access an efficient and effective process. The first tier activities performed to grant market access will mainly be split into two groups:
- Check the conformity of the device. This will be done based on documents and can be a relatively simple check. Authorities have various options for organising this check, but the approach should focus on documents only. Examples of this are:
- Certificates handed out by recognised authorities stating that the device is legally placed on the market elsewhere;
- Documents demonstrating a successful compliance assessment procedure;
- Certificates demonstrating the manufacturer uses a recognised quality system, combined with evidence of successful testing of the device;
- Register the device. The device’s applicable certificates, manufacturer information and (if applicable) importer information can be put into a database for analysis and later use.
An obvious design for the first tier would be to have the manufacturer, the company's representative or the importer enter data through a website. In that way the company will remain responsible for the quality of the data and it will reduce workload for the authorities. Once these data have been entered they can be checked. If designed well, part can even be done automatically. This check may result in uncertainty regarding the compliance of the device or the companies involved. In such a case, the file will be escalated to a higher level.
This next step (second tier) will involve the Regulatory Authority requesting more information from the companies involved, as well as research into other sources of data. For example, if it is not clear a product is a medical device this may be evaluated more in detail. A product status specialist may assess claims on the label or in the instructions for use, for example.
If those steps are still inconclusive, a specialist may examine the manufacturer’s technical file and request additional information (third tier). This may result in a specific decision by the Regulatory Authority regarding this particular device or company.
It is obvious that each tier demands a higher level of expertise, but that will be focused on a smaller amount of devices. Each authority will have to develop a risk model to filter these devices for the next level of scrutiny.
Once a device has been granted market access, a manufacturer can physically place that device on the market. Imported devices usually have limited points of entry like airports and harbours. Customs checkpoints provide a good opportunity for verifying that imported devices are allowed into a particular market. Details on the label and in accompanying documents need to match those in the database. The main question is whether this device has been granted market access:
- Is it possible to identify this product as a device that has been positively assessed for market access?
- Does the information accompanying this device match with information that is already in the system?
In case this check leads to questions, there should preferably be a quick help line available to assist Customs with clearing these devices. Staff at the help desk may have access to further details in the database and have more in depth knowledge about the subject.
Should this not lead to a clear conclusion, further investigation, e.g. product testing may be necessary. That will demand more time for the whole process and there may be substantial costs involved.
Again the three tiers can be identified: from a simple 100% check to a limited check that requires high levels of expertise. All this needs to be organised well, and a central database plays a vital part.
Ad hoc cases
A vigilance case, a serious complaint, a document that is not compliant—all these are examples of special situations where an ad hoc case can occur. Regulatory Authorities often have procedures in place for these kinds of cases.
In such situations the three-tier system is also applicable. For example, there may be a vigilance procedure for situations where a medical device has been involved in accidents. The first tier would comprise the registration of the incident. The fact that a manufacturer notifies a Regulatory Authority about a reportable incident at least sends a clear signal that the firm understands this specific part of the legislation. The notification of the incident also provides a good opportunity to use a simple risk assessment tool to make a first selection of low risk cases. Of course, a first step would be to look in the database and see if this device has been granted market access, and to check other related information. More senior and experienced Regulatory Authority staff can examine high-risk cases as well as those in which it is not possible to clearly assess risk (second tier).
If a case leads to questions about the compliance of the device it may become necessary to go to the third tier and to have the technical file or other information assessed by senior staff.
Three-tier system training
The three-tier system involves several levels of expertise and often several organisations working together on a national level. Data collection, data storage and data sharing should be developed carefully. But organisations that want to start using the three-tier system should first make sure they fully understand it. Emergo Group is capable of providing this training and help with developing the systems behind the three-tier approach. By helping authorities to understand all the aspects of this approach, it becomes possible for them to develop their own dedicated systems and procedures. Training for the three-tier system will not lead to a finished system, but is a good start toward developing one.
Ronald Boumans is Senior Global Regulatory Consultant at Emergo Group and formerly a senior inspector with the Dutch Healthcare Inspectorate. He has been involved in developing risk models for supervision of medical devices.
Read the original posts on Emergo's blog here and here.