The U.S. FDA has been working for some time to harmonize its approach to quality management systems (QMS) regulation with that of other nations, and this was no trifling ambition even before the COVID-19 pandemic. A number of companies were undoubtedly up to speed on a converged ISO 13485/Part 820 approach by the end of 2019, but companies that have struggled with that task have a chance to make up ground while the FDA grapples with perhaps the largest and most critical public health threat in its history, the SARS-CoV-2 virus.
The FDA’s interest in harmonization dates back further than is perhaps commonly appreciated as a guidance document from March 1997 demonstrates. This guidance addresses the overlap between the 1994 edition of ISO 9001 and Part 820 of Title 21 of the Code of Federal Regulations. The question here was how these two standards were aligned for design controls, and the now-defunct Global Harmonization Task Force (GHTF) was a key contributor toward the effort. Interestingly, this document also briefly examined the question of risk management, which the International Standards Organization addressed separately the following year with the first edition of ISO 14971.
Aversion to 9001 Largely Due to Documentation
ISO 13485 was not the first non-FDA approach to quality management the agency had to consider. The FDA explained in a Q&A document why it decided against a wholesale adoption of ISO 9001. This was in part because:
- The ISO standard “requires less documentation” than the related elements of Part 820, an issue that would be addressed in ISO 13485;
- Questions about how an ISO standard might be handled in the U.S., given that ISO 9001 was copyrighted and thus could not be posted in the U.S. government’s Federal Register; and
- Concerns not enumerated in the FDA paper, such as whether future modifications to 13485 would be subject to the U.S. notice-and-comment process.
The formal unveiling of a programmatic adoption of ISO 13485 appeared in the spring 2018 regulatory agenda with a proposed date of April 2019 for the notification of proposed rulemaking (NPRM). The FDA noted that the change would reduce record-keeping and compliance costs for regulated industries, but it also acknowledged that any such change would require a modernization of the associated regulation.
The regulatory agenda for fall 2019 pushed that date back by a year, however, and in the meantime, the FDA had issued a paper that spelled out the benefits of adoption of ISO 13485, including the statement that in such a move, “we gain more than we lose.” The convergence with the ISO standard also allows stronger alignment with ISO 14971, the increasingly popular multilateral risk management framework. A common site inspection program that relied on ISO 13485 has since been overwritten by the Medical Device Single Audit Program (MDSAP), which is administered by the International Medical Device Regulators Forum (IMDRF).
Adoption of 13485 will force the FDA to revise its quality systems inspections technique (QSIT) model as well, which was itself a substantial operational lift for the Center for Devices and Radiological Health in 1999. In a related document, the FDA highlighted some of the functional aspects of the QSIT paradigm. For instance, this inspectional guidance indicated that a review of design controls should focus at first on a single project, and that a review of software validation should be undertaken for any devices that incorporate software.
The timeline for FDA’s adoption of 13485 had called for an advisory panel meeting and a collaborative effort with the Association for the Advancement of Medical Instrumentation to draft a “mapping” document that provided a highly detailed comparative analysis for the two standards. The timeline for this joint FDA/AAMI report was “early-mid 2019,” and although a draft emerged, there is no indication as to when the final edition of this paper will be published. Despite this, AAMI published a fairly detailed analysis in February 2017, with an update added a year later.
Part 820 Often Less Prescriptive
One example of the tensions encountered in the convergence between Part 820 and ISO 13485 is the question of design controls. The regulation for design controls was enabled by the Safe Medical Devices Act of 1990, which ushered in a regulatory liability that undoubtedly improved device safety, but which nonetheless imposed a substantial liability regarding documentation. There are some important functional differences between the two approaches to design controls, differences that must be addressed by any company that intends to broach multiple competent authorities.
The most recent edition of ISO 13485 spells out some of the expectations for design inputs in section 7.3.3, which itemizes some of the documentation requirements for design and development inputs. Among these are:
- Functional, performance, usability, and safety requirements per the device’s intended use;
- Information derived from previous similar designs; and
- Other requirements deemed essential for product design and development.
In contrast, Part 820.30(c) is much less prescriptive, starting out with a requirement that the manufacturer or developer establish and maintain procedures to ensure that design requirements reflect the needs of the user or patient. While this paragraph from Part 820 also points to a need to include a mechanism for addressing incomplete, conflicting or ambiguous requirements, the FDA leaves much to the sponsor/developer to determine what sort of standard operating procedures are needed to ensure that design controls are up to the task of keeping a faulty design off the market.
This difference in level of detail is not unmitigated, however, as neither standard is utterly prescriptive for considerations such as disposition of non-conforming product. Section 8.4 of ISO 13485 and Part 820.90(b) are both vague enough to give the manufacturer some leeway, although that regulatory flexibility at times becomes an inspectional liability. However, one possible source of vexation for developers of machine learning (ML) algorithms and other artificial intelligence (AI) products is whether the concept of change control will be part of any novel regulatory regime, whether provided by the FDA or by Congress.
Former FDA commissioner Scott Gottlieb briefly touched on that consideration in an April 2, 2019, press release accompanying the issuance of the agency’s AI discussion paper. Gottlieb said the FDA is “working to develop an appropriate framework” for the evolutionary nature of these algorithms, many of which are showing up in radiological suites. It has been argued by three members of the U.S. Senate that the FDA needs new statutory authorities to fully implement the pre-cert program for software as a medical device (SaMD), and the discussion draft for AI and ML explicitly nods to SaMD as a regulatory precursor. Should it be incumbent upon Congress to step in regarding regulation of AI and ML as well as SaMD, the statutory fix might not become available until passage of legislation required to enable the next device user fee schedule, legislation that won’t be necessary until 2022.
In the meantime, developers are left to wonder how the FDA might ultimately require them to monitor each licensed version of these algorithms, which may make their ways down different evolutionary paths thanks to the different patient inputs provided by each of the licensed clinical sites. Whatever the answer to that regulatory riddle might be, there is no guarantee it will bear a particularly strong resemblance to either Part 820 or ISO 13485.