- How should combination product companies monitor impacts of product, process or regulatory changes?
- What technical documentation and supporting processes should be in place for effective post market product management?
- How are post market issues such as Corrective and Preventive Actions (CAPAs), Complaints and Change Controls managed? Who is responsible for evaluation of these systems and how does this get managed with multiple suppliers?
This article is targeted for companies that have existing combination products on the market or are prepping their quality management systems to be compliant with FDA Final Rule 21 CFR Part 4. If you have a product under development, aside from meeting all requirements of 21 CFR Part 4, the FDA will want to see a post market maintenance plan for the product after it is launched, especially when there are multiple contract suppliers involved. This article will serve as support for products at both stages. Combination products, which is a combination of a drug or biologic with a device delivery constituent part, are typically designed, developed and maintained under a robust contract manufacturing process. It is quite difficult to do an “all-in-one” combination product that is made by a single organization. For example, it is not uncommon for combination product companies to have the following types of contract suppliers:
- A Contract Development Organization (CDO) is responsible to design and develop the device constituent parts and is typically responsible to build the Design History File (DHF). In some cases, these organizations are also contracted to maintain the DHF for the lifetime of the product.
- A Drug Supplier (DS) is responsible to supply the bulk drug to the CMO (as defined below).
- A Contract Manufacturing Organization (CMO) is responsible to receive design transfer requirements from the CDO and receive the drug substance from the DS to manufacture the combination product. A CMO can also be an affiliated company within the Product Owner’s global organization.
- A Human Factors (HF) organization is contracted to perform Human Factors activities under Design Validation.
- A Lab Supplier (LS) organization is contracted to perform product testing. The services can be for raw material, in-process and final product testing. A LS can also be an affiliated company within the Product Owner’s global organization.
It is important to note that the Product Owner, not the CMO, is responsible for the overall quality of the product. The FDA holds the Product Owner responsible for any issues that occur in the field and during operations. This is why it is important to set up a robust quality management system that evaluates, qualifies and monitors contract supplier performance. So now, let’s walk through the device centric 21 CFR Part 4 requirements applicable to supplier performance and control.
21 CFR Part 820.20 Management Responsibilities
Quality Objectives must be set by the Product Owner under this element. It’s a good practice to include measurable quality objectives for these suppliers to ensure they are being monitored. Quality Metrics are set based on the organization’s quality objectives. Management Reviews must be set to review the progress and effectiveness of the quality management system which includes contract suppliers managed under that system. Here are some tips to consider:
- Track contract supplier effectiveness via metrics reviewed during management review.
- Quality Metrics should include key performance indicators specific to product performance and supplier related objectives.
- Supplier CAPAs should be monitored and evaluated for trends and timeliness of closure.
- Assign resources to be aware of regulatory changes which may affect the product and suppliers. Review these changes during management review.
- It is recommended to have Management Reviews at least twice per year with dedicated resource to track progress of open items and supplier performance.
Regarding Quality Planning, how will the suppliers collaborate for Complaint investigations, CAPA investigations, and Change Control updates post product launch? When the product is on the market, the Product Owner needs to ensure the right subject matter experts are evaluating and reviewing these documents. Quality Planning encourages product safety and efficacy by having supplier relations set in place to ensure all parties are aware of their responsibilities. Here are some tips to consider:
- Create a shared Post Market Quality Planning Document with the critical contract suppliers that explains the manufacturing process. The plan will indicate who manufactures, who tests, who maintains the DHF, etc. for product post market surveillance.
- The Product Owner and critical suppliers (e.g. CMO) should sign off on the Quality Planning Document.
- The Quality Planning Document is an expanded document of the Quality Agreement. If the Quality Agreement is a shared agreement between suppliers, it can be used in place of the Quality Planning Document provided it is sufficient enough to cover all quality planning activities stated above.
- If your product includes software, explain high level software integration and product lifecycle management in the Quality Planning Document.
21 CFR Part 820.30 Design Control
There are a number of items that need to be in place for product post market maintenance. Design Controls is the only element in the medical device quality system regulations that links product development to commercialization. The DHF that is released at the final design review prior to product launch continues to be a living file throughout the lifetime of the product. This also includes the product Risk Management File. The DHF requirements must be referenced for all major and critical CAPAs, Complaint Investigations, Deviations, Change Controls and any other product related events. Below are some items that should be considered:
- Who is maintaining the DHF for product lifecycle? Is the CDO contracted for this or does the Product Owner have an internal subject matter expert?
- Updates to procedures, drawings, specifications, test methods, etc. must be tracked and in the same version between Product Owner, DHF holder, and CMO.
- Is there an expert on risk management assigned to product lifecycle management? Risk documents must be maintained and can only be done by subject matter experts.
- Software Lifecycle Management:
-Configuration management must be established and connected to the Change Control system of the overall product and maintained throughout product lifecycle;
-DHF is required for the combination product of the device AND the associated connected software as part of that system;
-Software requirements should be established at the design inputs high level requirements (top down) and then cascaded down into the software requirements;
-Major/critical software changes must be evaluated for impact to the DHF. A subject matter expert will need to be in place for this (contract supplier organization or internal employee); and
-Software Risk Management Planning must serve as an input to the overall Product Risk Management Planning during product development and provides continual feedback for post market maintenance.
21 CFR Part 820.50 Purchasing Controls
The Product Owner is responsible to select, evaluate, qualify and monitor all suppliers. The monitoring system should be risk based. For example, it is expected for critical suppliers to have the most stringent controls requiring audits and other means of continuous monitoring. This element of the regulations stresses that suppliers must not implement any changes without knowledge of the Product Owner and that these changes must be evaluated for potential impact to the product. In fact, changes must be verified or validated prior to implementation to ensure the change had no impact to the safety or efficacy of the product. This rule prevents Product Owners from completely relying on their suppliers without monitoring them. The following are also factors that should be considered under this element:
- Quality Agreements must be established with major and critical suppliers and they must address post market maintenance of the product (e.g. managing of CAPAs, Complaints, Changes, Deviations, etc.)
- How will Deviations and CAPAs be investigated?
- How will Complaints be managed and investigated?
- Determine the extent of control of 21 CFR Part 4 and ensure that your suppliers’ quality management systems are in compliance.
- As stated under the Design Control discussion above, the purchase order system should be designed to prevent building with components with incorrect versions.
21 CFR Part 820.100 Corrective and Preventive Action (and discussion on Complaints)
Managing CAPAs can get complicated when there are multiple suppliers that have input into product distribution. Purchasing Controls are a very important system that will help manage the CAPA process that includes a thread of suppliers. Verification and/or validation of executed CAPA plans must be performed. Companies can leverage the quality metrics process to help monitor suppliers for continuous improvement and CAPA verification. Here are some tips on CAPAs and Complaints:
- Post market risk assessment must be established to receive, investigate and mitigate investigations, CAPAs and Complaints between suppliers.
- All quality system indicators (failures, audit findings, complaints, etc.) should connect to the Product Owner’s CAPA system for major or critical issues determined by the Risk Management Process.
- As stated above, outline responsibilities in the Quality Technical Agreement and Quality Planning Document that is shared between suppliers.
- Remember, for combination products, all CAPAs MUST be verified or validated for effectiveness. FDA has issued 483s to combination product sites that fell short on this requirement.
- Ensure the right subject matter experts are assigned to determine root cause. Ineffective root causes lead to repeat issues in the field.
- It is recommended that Software, Design and Product Residual Risks identified during the development phase should be added as potential complaint errors to monitor in the field.
- Which agency receives the complaint? The root cause directs you to which agency needs to be notified (sometimes both).
- Complaints/Recall Facilitator must be familiar with current FDA Guidance on Postmarket Safety Reporting for Combination Products.
- Remember that the Product Owner (not the Supplier) is responsible to notify the FDA for safety reporting.
However, the Post Market Quality Plan should only include suppliers contracted for commercial operations. For companies getting ready to launch their product, this document should be developed during the Design transfer phase as it will be an excellent aide during the FDA PAI. For companies with legacy products, the plan will help in routine FDA inspections.
In sum, post market surveillance of combination products that are managed under multiple contract suppliers can be maintained with the right systems in place provided that the Product Owner is fully aware of what is required. Subject matter experts must be in place to ensure the product is properly maintained throughout the lifetime of the product. Follow the tips above and you will be on your way to a successful state of compliance.
Lori-Ann Woodard CBA, CQE, CSQE
Lachman Consultant Services
Lori-Ann Woodard, is Director of Medical Devices in the Compliance Practice at Lachman Consultants. With more than 20 years of experience, Ms. Woodard delivers expertise in the creation and implementation of Quality Management Systems for Medical Devices including Software as a Medical Device (SaMD), and for Combination Products. She is an expert with extensive knowledge and application of the Code of Federal Regulations and International Standards in the Medical Device, Combination Product, and Pharmaceutical industries.