The FDA draft guidance for distinguishing between medical device servicing and remanufacturing recommends that these third parties document the rationale for determining whether their work constitutes remanufacturing. The draft guidance states that this information would be helpful during FDA inspections, but there is a question as to whether the agency can conduct an inspection prior to determining whether the third party has engaged in remanufacturing activities.
The scope of the remanufacturing draft guidance, which the FDA released concurrently with the discussion paper for serviced device cybersecurity, includes software and electronic products as well as class I, II and III devices. The FDA emphasized that the draft does not create any new regulatory liabilities, but instead is an attempt to clarify standing policy. Reprocessing of single-use devices is outside the scope of the draft.
As we highlighted in our blog regarding cybersecurity in serviced devices, third-party servicing of medical devices has been controversial for some time. Up to now, the FDA has not indicated it would require third parties to deploy a quality management systems (QMS) despite those controversies, and this new draft guidance does not explicitly state that this will be required going forward even in the absence of remanufacturing practices. Much of the content of this draft guidance was anticipated by a white paper released by the FDA in 2018.
Under the terms of the draft, third-party servicing entities would be required to make a formal determination about their activities and the cumulative effects of multiple servicing activities on a device. The third party would have to document the decision-making process and the basis for the determination as to whether a given set of activities constituted remanufacturing.
This documentation should be prepared to allow the FDA or an outside entity to understand the changes imposed by the third party and the rationale for concluding that the activities did not constitute remanufacturing. The agency’s explanation for the need to record these activities and decisions is that it would prove useful in the event that the FDA conducts an inspection, or when this information is requested by another outside entity.
Whether the FDA is statutorily authorized to conduct inspections of these third parties and other independent servicing organizations (ISOs) is not discussed in the draft. It might be safely assumed that a third party or ISO is subject to both inspections and the Quality System Regulation (QSR) once it is determined that this entity has engaged in remanufacturing. In the absence of such a determination – or a clear indication of a problem identified in postmarket surveillance, necessitating a for-cause inspection – a third party’s premises and records might not be subject to an FDA inspection or a formal compliance requirement.
The tension between the FDA’s interest in preemptively regulating these organizations and the seeming absence of the explicit authority to do so is hinted at in a February 2021 statement by the Medical Imaging & Technology Alliance (MITA), which states that these organizations operate in “a regulatory gray area.” MITA’s position is that these third parties are currently subject to nothing more than voluntary standards, but should be required to register with the FDA and to comply with Part 820.
Results, not Intent, the Key for FDA
The draft guidance and the 2018 white paper were prompted by complaints and adverse event reports attributed to inadequate servicing, but the FDA is of the view that the majority of these reports were in fact due to remanufacturing activities. The FDA defines remanufacturing as any activity that significantly changes the finished device’s performance, safety specifications, or intended use. Among the activities that could lead to a determination of remanufacturing are those that can be defined as processing, conditioning, repackaging, or restoration activities.
Servicing is generally any activity intended to restore the device to the safety and performance specifications established by the original equipment manufacturer (OEM). This includes repairs as well as preventive and routine maintenance. The draft provides definitions for a number of other terms, such as third-party servicers and ISOs, but the FDA said the emphasis is not on how organizations identify themselves, but on the types of activity they undertake.
One of the more informative sections of the draft is Section V, which lists six guiding principles, one of which is the impact of the third party’s activities on the safety and/or performance of the device. Among the issues listed in this section is whether the activities individually or cumulatively affect device safety or performance.
The agency emphasizes that the key question is not whether the third party’s activities are intended to alter safety and performance characteristics, but whether those activities have had a significant effect on those parameters, intended or not. Device makers would do well to take note of the fact that the draft states that any changes that inadvertently or deliberately improve the device’s safety or performance may be deemed remanufacturing.
Those with some experience in FDA regulation may recognize the question of the impact of cumulative effects, which has arisen in connection with the phenomenon of predicate drift for 510(k) devices. The agency’s attention to detail on the question of cumulative changes has apparently not ebbed, which also plays into the draft’s discussion of whether any of these servicing/remanufacturing activities incur a degree of change sufficient to require a new marketing submission.
The content of Section V of the draft describes the activities that could trigger a need to deploy a QMS. The reference to ISO 14971 makes several points worthy of note, including that servicing activities:
- May introduce a new risk;
- May modify the probability or severity of a known risk; and
- May constitute remanufacturing when that activity creates new risks or modifies the probability or severity of a known risk.
The documentation associated with these risk determinations should not merely provide sufficient detail to make clear how the third party determined that remanufacturing did not take place, but also provide supporting verification and validation data. Any servicing activities performed on different devices of the same model and version need not be accompanied by a fresh risk analysis, assuming the performed servicing activities were also identical. This section includes the reference to the utility of such documentation in the event of an FDA inspection.
Broadly speaking, there are three general types of activities the agency believes could affect safety or performance. These are:
- Changes to sterilization methods;
- Changes to instructions for reprocessing (of multiple-use devices); and
- Changes to a device’s control mechanism, operating principle, or energy type.
Consistent with the FDA’s traditional view of changes that might require a new regulatory filing, any changes to a device by a third party that would change the intended use would constitute remanufacturing. Another example is a change in the material used on patient-contacting surfaces, which might constitute remanufacturing if that new material affected the OEM’s validated reprocessing instructions.
However, a change to materials that do not directly contact the patient might suffice to lead to a determination of remanufacturing if that materials change affects biocompatibility or validated reprocessing instructions. If a replacement component bears different physical dimensions than the original component, this might constitute remanufacturing even in the absence of direct or indirect patient contact, although a risk analysis may render a determination of servicing rather than remanufacturing activity if safety and performance specifications are unaffected.
Much of the content of the draft is inapplicable to software, changes to which would not constitute remanufacturing if the change is limited to updates and upgrades provided by the OEM. Other routine software maintenance activities also fall outside the definition of remanufacturing, but software changes that exert an effect on architecture or unresolved anomalies would fall into the category of remanufacturing.
As is seen in the discussion of hardware changes, the draft cites cumulative changes as a determinant of whether software remanufacturing has occurred. Another example of a software change that would constitute remanufacturing is when a device is connected to a network running on a different operating system than was assumed during software design. The FDA is accepting comment on this draft through Aug. 23, 2021, but the agency has scheduled a July 27 webinar to review the draft and the associated cybersecurity discussion paper.