The Medical Device Innovation Consortium (MDIC) has existed since 2012 as a way for the US Food and Drug Administration (FDA) and medical device industry to collaborate on improving the development, assessment and review of new technologies. MDIC members include the National Institutes of Health and the Centers for Disease Control and Prevention, alongside medical conglomerates like Johnson & Johnson and Boston Scientific.
Since MDIC’s inception, its quality pilot initiative, Case for Quality Voluntary Improvement Program (CFQ VIP), has aimed to improve quality of products, manufacturing and processes at medical device firms.
It does so by appraising them against its Capability Maturity Model Integration (CMMI) framework. CMMI frameworks apply to numerous industries, including automotives, defence and aerospace, and aim to improve the capability of an organisation to deliver its objectives and collaborate with partner firms. When it comes to medical devices, CMMI helps ensure the industry at large is producing high-quality devices while focusing on patient safety and continuous improvement.
Until now, the CFQ VIP has only been available to medical device companies with clean compliance records. If a company is found to have violated the rules and regulations of the FDA, it won’t be able to take part.
The FDA has now awarded MDIC $2.8m to develop a pilot programme which mirrors CFQ VIP for non-compliant firms. Currently known colloquially as the Non-compliant manufacturing site participation in the CFQ VIP (NCS VIP), the programme will use CFQ VIP’s appraisal model to try to improve the performance of manufacturers that have been struggling to meet regulatory requirements.
NCS VIP will be used to evaluate whether the execution of a CMMI-style framework will result in faster improvement at a non-compliant company, rather than a direct focus on improving compliance results alone. It will mirror CFQ VIP, modifying the process so it is more suited to quality system issues.
MDIC compliance explained: what does this mean for non-compliant firms?
The NCS VIP pilot will begin evaluation with up to ten voluntary participants, although MDIC estimated that the pilot study will most likely include between two and four. If successful, the pilot will be incorporated into CFQ VIP programme as an additional offering for advancing quality and patient safety at non-compliant firms.
The non-compliant firms which will be subject to NCS VIP will not be treated in exactly the same way as the firms subject to CFQ VIP. Non-compliant participants in the NCS VIP pilot will not receive any of the regulatory incentives offered to compliant companies under CFS VIP, for example.
The perks include streamlined and accelerated options for 30-day notices, site-transfer changes and premarket submissions. CFQ VIP firms also avoid regular facility inspections and pre-approval audits are waived.
MDIC’s October 2019 statement on the matter states that the programme “will apply the systemic improvement focus of the quality maturity appraisal used by the CFQ VIP, product safety metrics, and incorporate regulatory compliance perspective using the ISO 13485 standard.”
ISO 13485 is an internationally recognised quality system used by device firms to ensure their products are compliant with the regulations of a variety of different countries, including Canada, Australia, Japan and the EU member states. The FDA is currently in the process of harmonising its own internal quality regulation with ISO 13485.
Compliant firms that submit themselves to CFQ VIP can be removed from routine FDA inspection and have their performance independently monitored by the MDIC. Should they complete a quality maturity assessment, the FDA may adjust their engagement activities and premarket approval (PMA) submission requirements, and MDIC has suggested that this process could eventually become an alternative to FDA inspections altogether.
Expanding to cybersecurity
Alongside the NCS VIP programme, part of the $2.8m funding will go towards a ‘cybersecurity bootcamp’, which will give manufacturers the opportunity to work on threat modelling for cybersecurity of medical devices.
An MDIC spokesperson says: “MDIC will work together with FDA and subject matter experts from medical device industry, other industries, academia and non-profit organizations to design, develop and implement boot camps on Threat Modelling for medical device stakeholders.
“The bootcamp series will focus on hands-on training on threat modelling techniques and best practices for accurately conveying the severity of the risks as applied to the total product life cycle of a medical device.”
MDIC maintains that a systematic approach to threat modelling could enable manufacturers to effectively address system level risks. These include risks related to design, production and deployment of a product, alongside the overall supply chain, with the aim of strengthening cybersecurity protections throughout the entire lifecycle of a medical device.
The FDA and MDIC clearly have big ambitions for the $2.8m grant. With the pilot timetabled to begin in September 2020, non-compliant device manufacturers will have an opportunity to receive support from an industry body as they attempt to come back into line with regulation. It remains to be seen what the exact form of the programme will be, but seeing a regulator step in to assist struggling firms instead of merely penalising them is an undeniably positive development.