Hello, everyone and welcome back to another week of MedTech Compliance Chronicles! We have come quite a long way, in fact, we have achieved our original goal of placing a medical device on the market in the United States. At this point full production will begin and things will happen, lessons will be learned, methods thought of or invented that weren’t there before or the regulations or standards themselves may even change. In any case, it is always the case that changes will need to be made, either to your procedures, your processes, your QMS or even the device itself. For this reason, FDA has built in change control requirements into 21 CFR part 820.
If you have been reading thus far, you know that essentially the entire point of FDA regulation is to ensure that medical devices distributed into the United States are safe and effective. This involves two primary parts; design controls, to ensure that the device is designed adequately and according to the state of the art, and production and process controls, to ensure that all devices are manufactured according to the specifications and processes (DMR) that prove the device is safe and effective. An effective change control system in an organization ensures that these two things remain true throughout the implementation of a change. There are many types of changes that could occur and many ways to carry them out. In general, you must review and approve all changes in a similar manner to how the original document/specification, etc, was reviewed and approved, which may necessitate redoing several quality activities.
Regulatory Context
Change control is often referred to as its own part of the quality management system in industry, with its own SOPs and sometimes even dedicated employees. Despite that, it does not have its own designated part of the regulation or standard (ISO 9001 or 13485). Instead, the FDA mentions in four specific areas, that changes in those areas must be controlled. Those areas are design, documentation, production processes and purchasing information. FDA also specifies that the status of process validations and sampling plans should be evaluated when conduction changes. Other than that, the FDA does not really mention much about changes, specifically in the regulations.
The important thing to consider, and where simple requirements can turn into a long process, is that the production of the medical device must remain in a state of proven suitability throughout the implementation of, and after the change. This means all of the same work that would have initially been required (if you were originally designing the product/process) must be evaluated and, based on the results of the evaluation, may need to be repeated. Usually, only a subset of activities will actually need to be repeated due to a change, but this is not always the case. For example, change in process control limits may require revalidation of certain aspects of the process, but likely would require redoing installation activities, unless moving around equipment and even in that case the installation activities from moving equipment around the same facility may be abbreviated compared to the original installation activities. As always, it all depends on risk.
Change Control Process
The change control process itself is quite simple. All changes within the QMS must be reviewed and approved. That simple statement masks a process that can encompass every part of the quality systems regulation. The key part here is the review. The change must be reviewed by the same person(s) or at least same functional roles as what originally reviewed the item affected by the change, unless specifically designated otherwise (for instance, an R & D engineer might have approved the original design where as a product manager might be designated to review changes to the same product). The approval of a change is essentially an attestation that the change does not affect the safety, efficacy or regulatory compliance of the device or organization. Another note on approvals, the review responsibilities should be laid out in the change control procedure and not all functional areas should be reviewing the same thing. For example, if the change is to a process, then a process engineer may be a reviewer and would be designated to review aspects related to their function (i.e. process revalidations, tooling changes, method changes, etc.). A process engineer would not be reviewing a change for quality management activities or might not need to review the change at all if no manufacturing processes are affected by the change. The functional roles to review changes and when their review is required along with what they are required to review should all be pre-established in the procedure.
The change control process has its way of triggering all other regulations, depending on what exactly is being changed. A critical mistake is focusing only on the part of the QMS that is changing, ALL parts of the QMS must remain compliant subsequent to the change. This requires the review of changes to be quite extensive. Part of the review of every change should be a risk assessment. In addition to assessing the risk of the change itself, this risk assessment should identify all possible parts of the QMS that could be affected by the change. The change control process must capture all of this and any activities required, including any additional changes. For instance, process changes usually always include updates (changes) to multiple documents, at least the specific document for performing that process. A design change may trigger all of the above by requiring the process to be changed and then requiring document updates. If any of these processes are validated, revalidation should be considered and justified, if not performed. Likewise, changes to your ERP system may affect all of your documentation and various business processes, while leaving the design of the device and manufacturing processes alone.
The requirement to evaluate changes does not just stop within your organization. Medical device manufacturers are required to have their suppliers notify them of changes so that the organization may evaluate them in the same manner they would an internal change. Of course, this is not always possible and not all suppliers will and that needs to be considered in the supplier selection process, along with the risk of the particular supplied product.
Conclusions
Overall, the change control process itself is quite simple. The devil is in the details. The change process must identify the risks of the change and any additional changes (risk controls, etc.) needed to implement the change and then do these activities. The review of the change is both looking for the completeness of these activities, ensuring they encompass every affected area and the adequacy of these activities. Approval is a representation that the approving individual has reviewed the change for their pertinent area of expertise and found it to be complete and adequate.
Commentaires