How to do business under MDR? A 12-step guide to preparing your company for the new regulations


The requirements brought in by the Medical Device Regulation have posed a serious challenge for many companies operating in the medical device industry. Adapting to the new legal reality requires a significant amount of time and effort. We have prepared a short guide for the transition process based on the EU recommendations to give you a clearer view of the situation.

The Medical Device Regulation (MDR) has been legally binding since May 26, 2021. In many aspects, the new regulations are considered an improvement on the Medical Devices Directive (MDD), which had been in force for almost 30 years. However, the MDR imposes stricter rules and applies also to products and issues that were not covered by the MDD. As a result, it poses a challenge to many medical companies as well as some businesses operating in the cosmetics industry.

It is worth stressing that the new regulations affect not only manufacturers but also three other groups of stakeholders identified in the MDR, namely: authorized representatives, importers and distributors, referred to as Economic Operators. Understanding the implications of the MDR is essential for many companies, so that they are able to comply with the new legal framework and stay competitive on the medical device market.

There is still some time left to fully adapt to the new business environment. The EU offers four transition periods for medical companies with regard to UDI implementation and dealing with certificates issued under the MDD. This in no way means that lingering is acceptable. A well-structured and determined approach to compliance is a must for companies that want to evolve in the new reality.

Implementing the MDR requirements in 12 steps

In order to help you successfully implement the MDR requirements, we have drafted a step-by-step guide for the transition process based on the EU recommendations. The process consists of 12 steps which – if performed properly – should safely guide you through the legal and practical intricacies of the new regulation. Let’s take a look at them.

1. Pre-assessment

Essentially, pre-assessment means becoming aware of the legal and business implications of the MDR, so that you can make proper decisions and introduce the necessary changes. It is crucial that you inform your management about the importance of compliance with the new regulations and make sure everyone in charge clearly understands the influence of the MDR on your business, budgeting, management and other operational issues.

2. Gap analysis

As soon as the decision makers in your company are fully aware of the MDR requirements, you may start to prepare the gap analysis. It is advisable to begin with assessing the impact of the new regulations on the company’s current products, internal resources and the budget. Among other measures, this involves:

– checking the new classification rules, as some of the products may fall into different classes or subclasses under MDR,

– confirming the validity of your conformity assessment roles,

– determining the sufficiency of all the data collected so far in the new legal reality,

– reviewing the existing technical documentation based on the new requirements as well as crucial processes, such as post-market surveillance (PMS), vigilance, risk management (RM), to be able to handle documentation in accordance with the MDR.

3. Quality Management System (QMS)

In general terms, it is essential to verify which of the standards, procedures and SOPs currently employed by the company require updating in accordance with the new regulations. To comply with the MDR it may also be necessary to create new procedures from scratch and incorporate them into your QMS. Another important obligation imposed by the new regulation is to designate a person responsible for regulatory compliance. Basically, you have three options:

– to nominate a skilled expert from within the organization,

– to train an employee,

– to hire an expert.

The sooner you act, the better, as your expert will be involved in most of the activities during the implementation of the MDR requirements.

4. Legal entities

Although registration requirements for manufacturers haven’t changed a lot, the new policy – as opposed to the previous one – clearly specifies the rules for authorized representatives, importers and distributors. Consequently, you need to verify the companies in your supply chain with regard to their compliance with the MDR. Keep in mind that the new liability regulations may prompt some businesses to terminate particular activities in the medical device industry.

5. Portfolio verification

The cost of the transition from the MDD to the MDR environment is a crucial factor to consider. New standards and requirements regarding product classification, conformity assessment, PMS, technical documentation and so on impose additional expenses. Thus, an extensive review of your portfolio combined with a cost-benefit analysis should be an obvious step on your way to implementing the new requirements. It may result in a decision to limit the offer and stick only to selected products, ensuring their full compliance with the MDR. Keep in mind that the portfolio review should include the verification of other parties involved in the supply chain that are liable according to the MDR rules.

6. Master implementation plan

Once you have completed the above steps, it is time to draft the master implementation plan. Basically, it is a road map comprising several subprojects, focused on critical compliance issues, such as clinical trials, documentation, PMS, and others. When planning, you should keep in mind the expiry dates of your certificates and focus on the products with the nearest expiry date.

7. Notified bodies

Another crucial step on the way to MDR compliance is arranging the collaboration with the notified bodies. Their limited availability has for some time been an issue for medical device companies. So, it is strongly recommended that you contact the preferred institutions and check their capacity as well as determine the time necessary for performing the assessment. Only then will you be able to correctly plan all your activities.

8. Regulatory training

Adapting your business to the MDR standards requires training your staff and making them fully aware of the current regulations. It is best to conduct regulatory training gradually during the new requirements implementation process, so that at the final stage everyone involved is ready to perform their duties in accordance with the MDR norms.

9. Execution of the master implementation plan

The successful execution of the master implementation plan relies on the proper implementation of particular subprojects relating to clinical evaluation, technical documentation, PMS, vigilance, UDIs, labeling, supply chain and IT-related issues. The number and variety of subprojects depend on the specific circumstances. In any case, it is highly advisable to appoint a cross-functional project management team with clearly defined responsibilities. The team should be able to handle an overview of all the activities in all the (sub)projects covered by the master implementation plan. The purpose of this is to make sure that all the projects are consistent with one another, properly managed and effectively implemented.

10. Review of efficiency and effectiveness

During the whole implementation process you should hold regular meetings to discuss the current project status, progress, issues, challenges and potential risks. Apart from the regular meetings, it is recommended to hold extra meetings with the decision makers to keep them up to date on the development of the project. Of course, the specific approach to the review depends on the applied methodology.

11. Notified body submission

If you haven’t been able to discuss all the necessary arrangements with the notified bodies, this is the last call to do that. To avoid issues with the certification and CE conformity, make sure you are provided with detailed requirements regarding submission of the documentation, such as deadlines, terms, scope and type of data, and so on.

12. Ongoing monitoring

Apart from the monitoring applied as a part of PMS, vigilance and other standard processes, it is necessary to keep track of all the additional MDR-related updates and guidelines provided by the EU authorities. You need to make sure you properly understand all the regulations and you are following the best practices. This obligation should primarily fall on the person responsible for the MDR compliance. Last but not least, keep in mind that notified bodies are bound to perform both announced and unannounced audits. It is in your best interest to always be prepared for such an inspection.

If you have any doubts regarding MDR implementation and applying the correct procedures, don’t hesitate to contact us for consultation: info@luzernbaar.ch

Data integrity – order and security


Modern IT solutions and industry automation are changing the world, and in many areas are contributing to the dynamic development of various sectors, including the pharmaceutical industry. In addition to the obvious benefits stemming from the digitization and automation of processes, the progressive computerization of the pharmaceutical industry also has a second, slightly less-beneficial side. Together with the increasing amount of digital data and electronic records, we’re seeing more and more data integrity breaches. The FDA (Food and Drug Agency), among others, is highlighting this in its publication “Data Integrity and Compliance with CGMP Guidance for Industry” published in 2016. The US FDA is not alone in its assessment, because the British MHRA (Medicines and Healthcare Products Regulatory Agency) and other global regulatory bodies are paying increasingly more attention to maintaining the accuracy and reliability of stored data to ensure an adequate level of safety and quality of drugs.

In response to the emerging problem with maintaining the integrity of data, a range of guides has been created to define and unify the rules of conduct in the data management process. These include:

  • MHRA: “GMP Data Integrity Definitions and Guidance for Industry” (March 2018);
  • WHO: “Guidance on Good Data and Record Management Practices” (2016);
  • FDA: “Data Integrity and Compliance with CGMP – Questions and Answers, Guidance for Industry” (December 2018);
  • PIC/S 041-1 “Good Practices for Data Management and Integrity in regulated GMP/GDP Environments” (July 2021);
  • EMA: “Questions and answers: Good Manufacturing Practice” (April 2016).

So what is “data integrity”? According to the MHRA, it’s a process that’s responsible for the completeness, accuracy and reliability of generated data throughout their entire life cycle (Data Life Cycle – DLC). DLC includes all phases in the life of data – from generation and recording, to processing, use, retention, archiving and destruction. Data integrity also includes data consistency, which ensures that data are not deliberately or inadvertently modified, falsified, distorted, deleted or amended in an unauthorized manner. This applies to both data recorded in electronic format and data in paper form.

According to the MHRA guidelines, data that have integrity should be “ALCOA”, meaning they should have five basic attributes:

  • A- Attributable – attributed to the person generating the data;
  • L- Legible – readable;
  • C- Contemporaneous – recorded in real time;
  • O- Original;
  • A- Accurate.

Data integrity is also associated with a range of terms and tools used in the process of maintaining data management, such as:

  • Metadata;
  • Audit Trail;
  • Backup Data;
  • Static vs. Dynamic Records;
  • System Validation.

According to the definition included in the MHRA document, metadata are data that describe the attributes of other data, such as their structure, inter-relationships and other characteristics of data e.g. author’s details, date of issue/creation, version, disk access path, etc.

The audit trail is a type of metadata: a record of information that’s important from the point of view of GMP (Good Manufacturing Practice). It enables the re-creation of the history of the creation, deletion, supplementation or amendment of data, without impacting the original records. It’s a chronological record of user operations and actions containing who changed or modified what, when, and why.
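An added example, not taken from the article or from any of the cited guidance: a minimal audit trail review in Python that checks each entry records who, what, when and why, that entries are chronological, and that every change starts from the value the previous change left, so the history can be re-created. The field names and the sample entries are constructed for illustration.

```python
from datetime import datetime

# Constructed sample trail (illustrative only). Field names are assumptions:
# who / what / when / why, plus old and new values for each change.
SAMPLE_TRAIL = [
    {"who": "asmith", "what": "batch-0001/assay", "when": "2024-03-01T09:15:00",
     "why": "initial entry", "old": None, "new": "98.7"},
    {"who": "asmith", "what": "batch-0001/assay", "when": "2024-03-01T10:02:00",
     "why": "", "old": "98.7", "new": "99.1"},          # no reason recorded
    {"who": "", "what": "batch-0001/assay", "when": "2024-03-01T09:40:00",
     "why": "transcription error", "old": "99.1", "new": "99.4"},  # no user, earlier time
    {"who": "bjones", "what": "batch-0001/assay", "when": "2024-03-01T11:30:00",
     "why": "re-integration", "old": "98.0", "new": "99.0"},  # old value not in history
]

REQUIRED = ("who", "what", "when", "why")


def review_audit_trail(entries):
    """Return (index, finding) tuples for entries that fail the review."""
    findings = []
    last_time = None   # latest timestamp seen so far
    current = {}       # record id -> value after the last logged change
    for i, entry in enumerate(entries):
        # Every entry must say who changed what, when, and why.
        for field in REQUIRED:
            if not str(entry.get(field) or "").strip():
                findings.append((i, f"missing {field}"))
        # The trail is a chronological record: timestamps must not go backwards.
        when = str(entry.get("when") or "").strip()
        if when:
            try:
                ts = datetime.fromisoformat(when)
            except ValueError:
                findings.append((i, "unparseable when"))
            else:
                if last_time is not None and ts < last_time:
                    findings.append((i, "out of chronological order"))
                else:
                    last_time = ts
        # Each change must start from the value the previous change left behind,
        # otherwise the history of the record cannot be re-created.
        what = entry.get("what")
        if what in current and entry.get("old") != current[what]:
            findings.append((i, "old value breaks change history"))
        current[what] = entry.get("new")
    return findings


if __name__ == "__main__":
    for index, finding in review_audit_trail(SAMPLE_TRAIL):
        print(f"entry {index}: {finding}")
```
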

Backup is simply a copy of original data, e.g. metadata, configuration settings, measurement data, etc. that is then secured and stored appropriately for a specific period. Data contained in the backup copy must be recorded in the original format or in a format that matches the original.

A static record is a fixed data document created in paper or non-editable electronic format that cannot be amended. The dynamic recording format enables interaction between the user and the record content, e.g. tracking trends or reprocessing.

A validated system comprises computer equipment, software, procedures, training and, of course, the validation process.

The collection and creation of data that are precise, exact and generated in a timely manner are important for researchers for assessing the credibility and reliability of research. Errors in data collection or damage to data result in a range of potential consequences, such as misleading other researchers, the need to repeat falsified research several times, or increased use of resources necessary to perform the studies. Therefore, data integrity is an essential element in research. However, in the healthcare sector it has much more importance. Incorrect, inadequate or falsified data may pose a threat to the health and life of patients if they are the basis for product launches, qualitative research or the development of medicinal products for humans and animals. In the case of integrity breaches of data related to the quality of medicinal products, there can be serious consequences leading to health complications among patients taking the given drug.

Why is this so? What is the reason for the lack of data integrity? It can be caused by the absence of appropriate procedures, training and, increasingly, adequate supervision of computerized systems used in the pharmaceutical industry. For many years, computerized systems have been replacing traditional processes, and paper forms of documents are being replaced by electronic data. However, we need to remember that the introduction of computer systems into various processes must not decrease the quality of these processes or increase risk. Some manufacturers and analytical laboratories are of the opinion that if they go back to paper documentation, data integrity requirements will no longer apply to them. They couldn’t be more wrong. As mentioned above, integrity applies not only to electronic data, but to paper data as well!

What happens in the absence of data integrity? What are the potential consequences? Despite the fact that data integrity has long been a topic described in legal regulations, its importance has increased significantly in recent times. This is because audits and inspections revealed many errors related to data integrity. This is why the FDA issued numerous warning letters.

So what should you do to avoid data inconsistencies? The most important aspect is for the pharmaceutical company to ensure the originality, accuracy, correctness and consistency of data generated during the broadly understood creation process. For this purpose, it would be good to introduce a coherent policy for conduct that allows assessment and analysis of data risk, control and management of data, and continuous data monitoring.

In order to avoid problems related to data integrity during audits, a three-tier system is recommended:

1. Monitoring and maintaining a culture of quality at the organization – the absence of data integrity is not just the result of deliberate fraud, but often of bad practice, organizational behavior or inadequate quality systems that create opportunities for data manipulation. That’s why companies should consider improving the organization of work by taking procedural, technical and behavioral actions.

2. Control tools – the following tools, among others, allow you to maintain data integrity throughout the entire system life cycle:

  • Computerized system validation
  • Regular Audit Trail record reviews
  • Introduction of a Data Risk Management approach
  • Staff training
  • Service supplier audits
  • Introduction of document management procedures
  • Defining rules for data migration and storage
  • Data security audits

3. Training – to create the right level of awareness among employees, internal auditors should become a focus. Experienced consultants and internal auditors introducing a fresh approach to the organization also contribute to the improvement of data integrity programs.

Given the numerous recorded data integrity deficiencies, their verification is a priority for the FDA and EMA (European Medicines Agency) during pharmaceutical inspections. When the main stakeholders – patients – take a given drug, they believe that the documents and data containing the decisions related to the production, research and launch of drugs are credible and reliable, and that the quality of the medicinal product is not at risk. Emerging problems that manufacturers face in terms of ensuring data integrity may lead to the imposition of huge fines, the suspension of drug production, import and distribution, and first and foremost, threaten patient safety, which is of course the most important aspect.