Another great couple of questions Julie about CMOs and 510(k)s.
We definitely have an interesting puzzle on our hands when grappling with FDA's statements that design control includes the design of a device and the associated manufacturing processes, and that the development of production processes is a design rather than a manufacturing activity. FDA also gave additional guidance in its Device Advice website guidance where the agency stated, "…all of that [referring to device processing and the manufacturing process] needs to be considered during your design and development…" Similarly, when Kim Trautman was still with FDA, she stated that, '…we were teaching that design and development covered the product, its processes, its testing and everything – it was a point that you could see from the comments was sometimes not well understood…" I'm confident she still maintains this position.
Be aware that FDA is intent on enforcing design controls in accordance with certain explanations cited in such guidance. In fact, a couple years ago a new client came to me whose PMA review had been put on hold, due specifically to insufficient design inputs. In that case, FDA quoted directly from its guidance document in asserting the agency's terms and requirements for lifting the hold.
Another indication of FDA's position that I've mentioned before to the Forum pertains to 21 CFR 820.70(b) (manufacturing process change control) and the requirement therein to verify or validate such changes. FDA has reminded us that this needs to be done according to 820.30 design controls and is really just a redundant reiteration of the design control requirement.
A few other parties that have reiterated how design inputs need to include prescription for the development of the manufacturing process are, for example, AdvaMed (in its Points to Consider document) and Vern Geckler in his book covering design controls.
Also of note is that the aforesaid PMA sponsor was in fact a "virtual" firm (a Specification Developer) who outsourced the entire manufacturing process, yet the PMA hold letter nonetheless included citations against the manufacturing process (process validation specifically). Therefore, take care not to decouple a Specification Developer's ultimate responsibility for the development of the manufacturing process, even when that development is outsourced.
ISO/TC 210 gives similar hints about the relationship between the manufacturing process and the design and development process in its ISO 13485:2016 practical guide where it reiterates the aforementioned FDA concurrent engineering principles, stating that, "…This addition [ISO 13485:2016] highlights the need to consider manufacturability in the design and development process…the manufacturing process should be capable and stable to consistently produce product that is safe and performs as intended…", moreover showing that process design inputs are needed for in-house and outsourced manufacturing alike.
I remember a case a few years ago where, prior to my involvement, a client (also a Specification Developer) launched a new implantable product into the market. Though implantable, the product had a very "simple" design with an "easy" manufacturing process that was well understood by the expert well known CMO. With that mindset and an incomplete understanding of the regulatory requirement for including process development in the design control process, the firm launched with full-scale manufacturing without first proving the capability of the manufacturing process. All of the resulting product, hundreds of thousands of units, turned out to be nonconforming. This resulted in a very costly and embarrassing market entry. That could have been avoided with proper manufacturing process design inputs and corresponding verification and validation. Accordingly, this isn't just a regulatory requirement, it seems to make critical business sense.
Therefore, a key lesson learned is to assure not to end up with orphaned design outputs (e.g., manufacturing process specifications and methods) that can't objectively be linked back to corresponding design inputs, and forward to corresponding design verification and validation.
In my opinion, this actually doesn't need to be a big undertaking, and many organizations are probably already doing much of what is required to meet this requirement. As an example of how to implement this, consider the most basic manufacturing design input, which is whether the product will be manufactured in-house or by a CMO. Then consider things like how capable the process (whether in-house or outsourced) needs to be. For example, some may find it valuable to have a manufacturing design input stating that the process needs to achieve a Cpk of 1.33 or better (by the way, I'm no process capability expert, so don't let me leave you with that impression). That approach gives more objective credence to the acceptance criteria later written into the process qualification/validation studies. Another very common example of a manufacturing process design input is the usual specification related to sterile products that many organizations already state in their design inputs, namely that the sterilization process must achieve a specified SAL.
Regarding how the FDA section 510(k) process fits into this equation, it is indeed true that 510(k)s can and do get cleared even if the manufacturing process has yet to be developed. In fact, I've gotten 510(k) clearances even before the device design efforts are finished. The reason for this is that there is a unique statutory/regulatory purpose for a section 510(k) Notification. Namely, that purpose is to show substantial equivalence to another legally marketed device. In other words, a 510(k) is, at its statutory heart, supposed to be just a comparative effort. A 510(k) is not intended to prove device safety, efficacy, or full compliance with design controls [though FDA in my opinion pushes that envelope with the Special 510(k) paradigm, and also even in traditional 510(k)s where, again in my opinion, FDA seems often to exceed the boundary of the substantial equivalence concept, delving into requests that are more akin to proofs of safety and effectiveness. But that pet peeve is another discussion entirely, so I'll get back to the question at hand]. Indeed, certain design outputs, verification, and validation are often needed to justify a 510(k) substantial equivalence claim. But I recommend that we don't let that muddy the waters between the intent of 21 CFR 820.30 vs. Part 807. Most, if not all, of the supporting data in a 510(k) are in fact deliverables from the design control process, but not all design control deliverables are needed to support a substantial equivalence claim.
© Copyright 2019 by ComplianceAcuity, Inc. All rights reserved.
------------------------------
Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
Principal Consultant
ComplianceAcuity, Inc.
Golden, CO
United States
www.complianceacuity.com© Copyright 2019 by ComplianceAcuity, Inc. All rights reserved.
------------------------------
Original Message:
Sent: 20-Nov-2019 13:10
From: Julie Omohundro
Subject: ISO 13485 Exclusions
Sorry, overlooked your further response here, now just have time to skim, but my initial response is:
"The one-and-only-way ISO and FDA requirements have for us to create any design output (whether manufacturing processes or otherwise) is via the design control process."
I am leaving ISO out of it, but it sounds to me more like the architects of Part 820 mostly overlooked the need to develop a manufacturing process, then someone pointed that out, and they tried to awkwardly backfill them in a way that doesn't exactly leap out at anyone. For example, while the term may be perfectly appropriate, I have never heard anyone in manufacturing talk about "designing" a manufacturing process. They always say "developing." For that reason alone, no one would naturally go looking to "Design Controls" for anything related to manufacturing, I don't think. (ISO 13485 does better, with 7.0 titled Design and Development, which evokes actual processes, rather than ways to control a process.)
Certainly long-standing practice in much of the industry has been that a product design team (in no way qualified to design a manufacturing process) works in isolation from both manufacturing and quality, and then, when they have their output, "throws it over the fence" to manufacturing, sometimes in-house and sometimes contract, and moves on, leaving manufacturing to figure out a process.
Now if someone will just list all the different ways "specification" is used along the way, and tell me the difference among them, I might actually be starting to understand something here, lol. (I googled "product specifications" and "medical devices" and got three different definitions on the first page of listings alone, lol.)
------------------------------
Julie Omohundro, ex-RAC (US, GS), still an MBA
Principal Consultant
Class Three, LLC
Mebane, North Carolina, USA
919-544-3366 (T)
434-964-1614 (C)
julie@class3devices.com
Original Message:
Sent: 19-Nov-2019 16:13
From: Kevin Randall
Subject: ISO 13485 Exclusions
OP,
No apologies are needed for how you phrased your questions; this Forum exists in my opinion to help all participants regardless of their location on the learning-curve journey.
Further to my reply to Julie's question, since ISO 13485 clause 7.3.3(e) specifically demands design inputs for the manufacturing process (and thereby integration of production process design into the design and development process), then it would be clear grounds for an ISO audit Nonconformity if an organization can't show corresponding production process design and development inputs (and consequently, corresponding production design outputs, verification, and where needed, validation) in the design and development file. Any ISO auditor who overlooked this would not, in my opinion, be auditing in full alignment with sub-clause 7.3.3(e).
Regarding ISO 13485 clause 7.5 vs. 7.3, my recommendation for products not excluded from clause 7.3 is to view clause 7.5 (and FDA's analog, 21 CFR 820.70) as more of a production control litmus list. For example, sub-clause 7.5.1 (like 820.70) reminds us of the particular types of production controls that may be appropriate. But it is the clause 7.3 / 21 CFR 820.30 process where each organization is required to systematically and methodically work this out on the way to deriving the particular production controls that are necessary, whatever those may be. Remember (per my reply to Julie) that the production process is fundamentally considered to be a design output. The one-and-only-way ISO and FDA requirements have for us to create any design output (whether manufacturing processes or otherwise) is via the design control process. Only the design control process contains the particular requirements to be met for the general derivation and control of design outputs. Consequently, if we in this context instead assert that clause 7.5 / 820.70 are for controlling the development of the production process design outputs, then it would improperly decouple that development from the required developmental controls demanded by sub-clause 7.3.4 / 21 CFR 820.30(d) and the related controls demanded by the surrounding clause 7.3 / 820.30 sections.
Now finally, on the other hand, when tackling how to approach production process development for products that are excluded from clause 7.3, then a more sustainable assertion can be made for deploying such development under the scope of sub-clause 7.5.1, yet only then in combination with corresponding clause 7.1 product realization planning. In that approach (remember, speaking only for products excluded from clause 7.3), the clause 7.1 product realization plan functions in an analogous way to the sub-clause 7.3.2 planning applicable to products not excluded from clause 7.3.
------------------------------
Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
Principal Consultant
ComplianceAcuity, Inc.
Golden, CO
United States
www.complianceacuity.com
© Copyright 2019 by ComplianceAcuity, Inc. All rights reserved.
Original Message:
Sent: 18-Nov-2019 16:50
From: Anonymous Member
Subject: ISO 13485 Exclusions
This message was posted by a user wishing to remain anonymous
Hi Kevin,
I am the OP. I appreciate your input and I apologize for the imprecision of my initial question. I see where I could have added more info to make it more clear and will take this as a learning experience for next time.
Regarding point #4: the device is class II and not exempt from design controls according to FDA, so there is no regulatory justification to exclude 7.3.
Regarding point #2: I intend to include this issue as a finding - I am concerned that their ISO auditor has not done them any favors by being too lenient on this topic in the past.
I still have a question about point #1 - this is actually what my original question was meant to ask. I was proposing that the company was interpreting clause 7.3 too narrowly, because they were only considering design of the device and not considering design and development of process. In my opinion, the company is in the Design Transfer phase (7.3.8); they received a prototype, engineering drawings, BOM, etc from their D&D vendor. I observed that they are now in the process of developing production jigs and fixtures, developing QC test tools, methods and specifications, and other tasks that seem to me to be "development". However, some other posters argued that the manufacturing development falls under 7.5. What is the boundary between when work is development of a process under 7.3 or when it falls under 7.5?
@Dan O'Leary
Original Message:
Sent: 15-Nov-2019 11:38
From: Kevin Randall
Subject: ISO 13485 Exclusions
Looks to me like the discussion got right on target once the necessary background information was provided. I've often found as a Forum respondent that when we as posters ask for more details before responding, then oftentimes more information is not forthcoming, and it just delays getting needed information to the requester. So I've generally made it a practice to do the best I can to respond with the information provided, yet by explaining the presumptions (or inferences as Dan likes to say) on which my response is contingent.
Anyhow, a few more quick points that reinforce the general consensus reached here:
1. ISO 13485 'Design and development' and FDA design controls fundamentally and specifically demand that the responsible organization not only design the product, but also the manufacturing process. Therefore, design inputs, outputs, verification, validation, etc., are required for both the product and the process.
2. If FDA were to inspect this firm (i.e., the responsible organization), the agency would demand that the firm produce a full Design History File for the subject device. Likewise, a proper ISO auditor would also demand the same. Ultimately this means that if the responsible organization's DHF is currently lacking, then it would receive a corresponding FDA 483 Observation and/or ISO audit Nonconformity (perhaps even categorized as a Major depending on the extent of the deficiency). Therefore, an internal audit should categorize these findings accordingly.
3. I believe that the organization could support an argument that the bulk of the written design control process operating procedures for the device are to be established by the contract designer. In this setup, the responsible organization's written design control procedures could be commensurately limited in scope. Specifically, detailed operating procedures for the various product design phases could be left to the quality management system of the contract designer, with only basic explanation of this approach being stated in the responsible organization's quality management system. The viability of this arrangement would be contingent on the responsible organization assuring, under ISO 13485 clause 4.1.5 and 21 CFR 820.50, that proper design control operating procedures are in place at the contract designer. As part of this, the responsible organization's design control operating procedure would need to carefully explain that the responsible organization would be appropriately involved with the design effort when the contract designer executes the project. For example (not exhaustive), the responsible organization would need to be deeply involved with the derivation of the design plan and the design inputs; yet those steps could be moderated/orchestrated/executed under the covering of the contract designer's quality management system with copies of the deliverables from these steps (i.e., the final approved design plan and design inputs) needing to be filed in the responsible organization's DHF. Note that this scenario is not a clear candidate for ISO 13485 clause 1 "non-application" of design controls [21 CFR 820.1(a)] because the responsible organization described in this scenario would in my opinion still need to have corresponding design control procedures in place to be sure each party's responsibilities and the related logistics are clearly established.
4. Finally, as other respondents have stated, ISO 13485 clause 1 "exclusion" is not applicable in any event unless there is an applicable regulatory exclusion such as the 21 CFR 820.30(a) exclusion for certain FDA class I devices.
------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
ComplianceAcuity, Inc.
Golden, CO
United States
www.complianceacuity.com
© Copyright 2019 by ComplianceAcuity, Inc. All rights reserved.
Original Message:
Sent: 13-Nov-2019 10:13
From: Anonymous Member
Subject: ISO 13485 Exclusions
This message was posted by a user wishing to remain anonymous
Hello,
I am doing an audit of a medical device company with a scope of 21 CFR part 820 and ISO 13485:2016.
I came across this sentence in their Quality Manual:
"Exclusion: ISO 13485:2016, Section 7.3, Design and Development (including all subsections)Justification: COMPANY does not design or develop products. All principal product characteristics are specified by the customers or their consultants. Our engineering activities are limited to developing methods and means of production, assemble, repair, or installation."
I want to get the communities thoughts on this exclusion: my hot take is that this is not a valid exclusion, as they have engineers who are developing production, assembly, repair and installation. I think this company has interpreted the meaning of clause 7.3 too narrowly, but I would like to get some outside input before I write this up as a nonconformance.
Some references that support my position:
7.3.3 (b) inputs include applicable regulatory requirements (and in this case, the company claims 21 CFR part 820, which includes service and installation)
7.3.3 (e) inputs include other requirements essential for the design and development of the product and processes.
7.3.8 Design and development transfer
7.3.9 Control of design and development changes
4.2.3 Medical Device File
4.2.3(c) specifications for procedures for manufacturing, packaging, storage, handling, and distribution.
4.2.3(e-f) installation and servicing.
Your opinions are appreciated.