Your company is developing an innovative product, and you want to get it to market as soon as possible. Most products, whether they are drugs, medical devices or diagnostics, need some form of approval (or clearance) from the FDA or your region’s regulatory body. As part of your submission, you must show compliance of both your product and your company’s internal business processes to all applicable FDA or your region’s requirements.

This guide provides an overview of how to get started with a Quality Management System. Our other guides will provide an overview of the FDA and EU regulations and product classifications.

A Quality Management System (QMS) is a formalized system that documents business and product processes, procedures, and employee responsibilities toward achieving the company quality policy and objectives. A QMS helps coordinate and direct an organization’s activities to meet market and regulatory requirements and improve its effectiveness and efficiency on a continuous basis.

The core processes of the QMS should be established once your company has developed a prototype.

Manufacturers must establish and follow defined quality system requirements to help ensure products consistently meet applicable regulatory requirements and product performance, safety and efficacy claims. A quality management system is necessary to achieve company goals. The quality systems for FDA-regulated products (food, drugs, biologics, and devices) are significant components of overall Current Good Manufacturing Practices (CGMP’s).

“The key advantage regarding quality systems is that they represent a preventive approach to assuring medical device quality versus the previous reactive approach by inspection and rejection at the end of the manufacturing line. Prevention has been proven to be more efficient and cost effective in controlling manufacturing processes and maintaining medical device quality.”

- Medical Device Regulations: Global overview and guiding principles; World Health Organization; 2003

Establishing a QMS early in your first product life cycle, aids in organizing documentation and ensuring appropriate processes are being followed. Ensuring that the process is implemented (written, approved, released, trained to, and being followed correctly) helps your company produce a consistent product and prevent and mitigate mistakes, thereby reducing cost and getting your product to market faster.  

Setting up the QMS early can help your company, especially startups, gain credibility with FDA (or your country’s equivalent), customers, and potential acquirers.

Also, establishing a QMS early will help you avoid high consultant fees during the submission process. The QMS includes a system of organizing your documentation such that a consultant is not needed to piece information together.

“FDA recognizes: that a small manufacturer may not need the same amount of documentation that a large manufacturer does in order to achieve a state-of-control; and, that some of records maintained to fulfill the GMP requirements for written procedures may not be as long and complex for a small manufacturer.”

- Medical Device Quality Systems Manual: A Small Entity Compliance Guide; FDA Center for Devices and Radiological Health (CDRH)

Keep in mind, launching your first product without a QMS in place is illegal, and can lead to failing your first audit. With the FDA, failing an audit results in significant extra work to avoid receiving further sanctions including and up to the seizure of your product.

In the US, FDA is responsible for ensuring the safety and efficacy of products. While the core concepts of the regulation are the same for all medical products, there are specific rules for some types of products. Medical device and in vitro diagnostic devices are overseen by the Center for Devices and Radiological Health (CDRH). Current Good Manufacturing Practices (CGMPs) requirements for devices 21 CFR Part 820 is the primary minimum standard applicable to medical device companies that market and sell products in the US.

CDRH defines a “medical device” as “any healthcare product that does not achieve its principal intended purposes by chemical action or by being metabolized.” Devices are therefore everything from tongue depressors, to pacemakers, to MRIs and digital (app) therapeutics.

To market a product outside the United States (‘OUS’), there are several agencies to which you will need to submit depending on your desired marketing geography.    

‍CE marking is a certification mark which indicates that your device conforms to the health, safety and protection standards outlined by the European Economic Area (EEA) and is granted by one of numerous possible authorized Notified Body agencies. Your company contracts with one of these Notified Bodies to complete ISO certification audits such ISO13485 Quality Management Systems for Medical Devices and ISO 14971 Risk Management for Medical Devices as well as to review and approve your device submission all prior to marketing your device in an EU state.

Health Canada is the regulatory body that ensures the safety of drugs and devices available in Canada. The China Food and Drug Administration (CFDA) is responsible for supervising the safety of food, cosmetics, drugs, and devices in mainland China. Many other countries have specific agencies for themselves as well.

All regulatory organizations have guidance documents available on their websites. Read our FDA and Notified Body 101 Guide to learn more.

If your company markets a product OUS, you will also have to follow the local regulations as well as applicable ISO standards. Compliance with applicable ISO standards is often seen as the first step in achieving compliance with European regulatory requirements. One of the regulations, ISO 13485 is a globally accepted standard (recognized by FDA) and provides a way to comply with general quality management system requirements.

FDA also recognizes many such standards which then can aid you in designing and developing your product for the US market as well. Demonstrating compliance to an applicable international standard aids FDA in evaluating whether your product was designed and developed according to current best practices.

The FDA and the international governmental agencies want companies to demonstrate the safety and efficacy of their product.

The FDA and Notified Bodies conduct inspections, here are a few examples:

• FDA inspects manufacturers or processors of FDA-regulated products to verify that they comply with relevant regulations.
• Foreign manufacturing and processing sites for FDA-regulated products that are sold in the United States

The also evaluate Device Approvals, Denials and Clearances

• Premarket Notification [510(k)]
• Premarket Approval (PMA) decisions

FDA has explicit requirements for various types of regulatory submissions prior to commercializing a product as well as the various business processes that comprise your QMS.

Device classification depends on the intended use of the device and also upon its indications for use. Devices are classified based on their level of risk and categorized as Class I, Class IIa, Class IIb or Class III, each with increasing risk, requirements and scrutiny. The device classification determines the type of submission required to market and sell it. Read our Product Risk Classification Guide to learn more about how products are classified.

Regardless of the device classification, all medical devices/diagnostics are required to have a QMS (21 CFR Part 820) at the time of submission.

The QMS of a startup is comprised of over a dozen sub-parts which can be implemented the first time at various stages of initial product development. For your company’s second and all future products, the QMS will already fully be in place.

Ideally it’s best to start establishing a QMS once you are in the design and development phase, minimally once you achieve design “freeze” (or frost).

During each phase, primary subparts are what you will be using the most, and the secondary  subparts should be established for use as needed.

Let’s take a closer look at some selected subparts. View the full regulation.

Document Controls [21 CFR 820.40]

Document Control focuses on document distribution, changes, and approvals.

Through Document Control, companies establish procedures and processes to store documents and records and record changes/revisions and approvals; this system can be either paper-based or electronic. It stores the “single source of truth” of regulated documentation - and the history of that documentation; this is accessed and used by nearly all employees.

Before submission, companies must demonstrate that their Document Control process is in place.

Training [21 CFR 820.25(b)]

The goal of the Training is to ensure that all employees in the company are trained on their responsibilities and the applicable QMS elements and procedural requirements prior to conducting activities within the QMS (being trained to do work before they do the work).

In addition, manufacturers must provide procedures for identifying training needs and making sure that employees are trained accordingly.

Design Control [21 CFR 820.30]
‍

The goal of Design Control is to ensure that the product development process produces products that meet user needs, company-defined specifications, and fulfills the designed intended uses.

Design control begins with early prototype development and documenting user needs and requirements, and continues through final design information and throughout all design testing. Design control does not end with the transfer of a design to production. Design control applies to all changes to the device, including those occurring long after a device has been introduced to the market.

Design control is the single most misunderstood aspect of medical device regulation. Startups can streamline the design control process by matching it to the needs of their company. Regulations are written loosely enough such that a variety of agile and waterfall workflows are acceptable to follow; there are basic documentation requirements that are easy to follow.

You must establish and maintain procedures necessary for the implementation of design controls for your product. Here are some of the aspects that need to be implemented:

1. Document design and development planning activities
2. Gather and document all the user needs and design inputs ranging from  engineering/business/regulatory requirements
3. Integrate risk management and Human factors into the design control process
4. Document the design outputs
5. Conduct design reviews
6. Verify that design output meets the design inputs
7. Validate that your final product meets the user needs under the intended use conditions.
8. At completion of your activities, conduct a design transfer
9. Update the design history file
10. Continuously document the design change process
    

As part of the FDA submission, you have to demonstrate that your Design Control process is in place.

‍
Risk Management

Risk Management is an important part of an effective QMS. It enables the identification of sources of risk and assesses those risks to prioritize efforts to control and mitigate them.

"While the requirement for the conduct of risk analysis appears in Section 820.30(g) Design Validation, a firm should not wait until they are performing design validation to begin risk analysis. Risk analysis should be addressed in the design plan and risk should be considered throughout the design process. Risk analysis must be completed in design validation."
Guide to Inspections of Quality Systems: Quality Systems Inspections Techniques [QSIT]; FDA

Therefore, Risk Management begins when you start establishing your user needs and requirements. As your design evolves, you can identify new risks and the controls to mitigate them. As a result, unacceptable risks can be identified and mitigated early in the design process and help reduce rework and cost.

‍

Risk Management is an ongoing process that is tied into various other subparts of the QMS, most importantly the product design, development and manufacturing processes.

Management Responsibility [21 CFR 820.20]

Management Responsibility is an important element of the QMS for senior leadership. Company management is ultimately responsible for establishing policies, objectives and an organizational structure. They must ensure adequate, trained, resources are made available to implement and maintain the QMS.

Management’s responsibility is to:

1. Establish and maintain the company’s quality policy
2. Maintain adequate organizational structure
3. Establish a QMS and regularly review its effectiveness, history of nonconformances (NCs) and Corrective and Preventive Actions (CAPAs), and results of recent audits
4. Assign at least one Quality Management Representative who ensures the QMS is working effectively and that management swiftly acts on any deficiencies
5. Ensure that employees have the adequate education, background, and training to complete their jobs  
   

Read the FDA’s guidelines for more details. When you submit to the FDA, they evaluate if management has all the documentation and processes in place to implement the QMS.

Production and Process Control

Production and Process Control ensures that the products your company manufactures consistently meet specifications, and are validated as outlined in your documentation.

Companies must be able to demonstrate:

1. Production processes consistently conform to specifications
2. Equipment used in production and testing is qualified and maintained
3. Processes are monitored and evaluated for whether they remain in a state of control
4. Statistical techniques are used to validate the process and ensure they are adequate
   

Production and Process Controls must be in place before you submit to the FDA.

Corrective and Preventive Action (CAPA)

The purpose of a CAPA process is to detail how your company deals with product and process quality issues, preventing their recurrence/occurrence.

Through CAPA, regulatory organizations view company documentation on:

1. How you analyze a problem (determine root cause)
2. Develop an action plan and verify and validate the solution
3. Implement the solution and document the changes
4. Verify the effectiveness of those actions
5. Communicate the changes to management and those affected
   

CAPA must be established before your company submits to your regulatory organization. Also, CAPA is an auditor’s main insight into your company’s internal processes. Every single audit (except maybe your first) will involve a review of your CAPAs.  

In 2014, most of the warning letters (which are made public) that FDA issued were due to poorly implemented or executed CAPAs/CAPA systems.

The use of software medical devices is increasing and extends beyond traditional hardware and software.

"SaMD is defined as software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device."
- IMDRF

Software medical devices (and mobile apps) are identified as SaMD products if they meet the definition of a medical device including whether they are:

1. Software-only-based in-vitro diagnostic devices
2. Software capable of running on non-medical computing platforms
3. Software that does not require hardware to reach its intended medical purpose
4. Software that can be used in conjunction with hardware to reach its intended medical purpose
   

In order to develop SaMD that are safe, you have to identify risks, establish measures/features to control and mitigate those risks, and demonstrate confidence that the residual risks are acceptable. Simply testing the software is not enough; risk management principles should be built into the software to assure its safety. You must also establish a design and development process, post market surveillance and change control; in other words, SaMD products are treated the same as traditional medical devices throughout the product life cycle.

SaMD products follow the same medical device product classification system. For details, refer to the section 'How are products classified?'

FDA is evaluating alternative approaches to regulating SaMD products, including basic quality system regulations as well as submission requirements under a new program called Digital Health Software Precertification (Pre-Cert) Program.

Contact info@enzyme.com for more information.