In a field as highly regulated as medical devices, one would think that the information you must keep track of would be pretty standard. However, there is a huge amount of variability from product to product, depending on the nature of the device and the risks involved in its use. In this article, we explore what information about your electronics manufacturing process needs to be retained in your medical device records.
The original equipment manufacturer of a medical device (the legal “sponsor”) has an obligation to keep production records for up to 15 years in what is known as the Device History Record (DHR).
The DHR must demonstrate that the product is manufactured according to the agreed plan (Device Master Record - DMR) approved by regulatory authorities. The regulatory requirements set out some bare minimum information such as the dates, quantities and unique identifiers of each device. However, it also includes a requirement to retain “acceptance records”, which very much depends on the individual product.
What tests need to be performed and why? It turns out the range of acceptance records depends on a whole range of factors arising from risk and regulatory compliance reasons.
Risk analysis starts with design. A good product developer will aim to design out the probability or impact of possible hazards, but there will always be inherent risks remaining that need to be tested during manufacturing.
For example, it is sensible to design a product that minimises the risk of electrocution by including batteries sealed inside an insulating plastic casing, using a contactless charging system. However, where this is not possible and components are required across the isolation barrier, a high potential test may be specified and the test results are then required in the DHR.
In the case of PCBs, electrical and functional tests can be specified by the designer. The final assembled product may also have tests to confirm the device’s efficacy. So, these test results are the primary acceptance records.
However, even a perfectly designed product can be faulty or dangerous if assembled incorrectly. For example, it may be critical that particular components are installed in a particular orientation or labelled correctly. The risk analysis of the manufacturing process will identify the highest risk process steps (probability/impact) and if checks (and records) on these steps are needed in the DHF.
The manufacturing process for any given product will generate a huge number of data points and not all of these are needed in the DHR.
Data generation starts even before components arrive in the factory, as components are delivered with their own information. For most components, there is no need to include the information in the DHR but sometimes it is necessary to confirm that critical components have the right certificates of approval and these may be included in the DHR. It is also common to have sub-assemblies manufactured by sub-contractors with their own DHR which must be incorporated into the system-level DHR.
Beyond risk factors, there is a lot of information required by various regulatory standards, most notable the ISO 13458 quality management system standard. For example, the standard requires the manufacturer to trace the history, distribution, location, and application of products, including parts and materials, and to maintain records of this.
It is not specified that this traceability information should be included in the DHR, just that processes and procedures for properly managing the information are in place. Who manages this kind of information thus becomes a matter of commercial negotiation between the product developer and their contract manufacturer(s).
There is a spectrum of risk-sharing arrangements. In the case of larger companies, the product developer may take on all the risk not requiring any information from the contract manufacturer at all. In this case, the product owner conducts all their own tests and periodically audits any suppliers to validate the quality of their supply chain. However, this arrangement is rare for smaller and medium-sized companies as it places a great burden on the product developer, essentially duplicating quality systems and processes already in place at the contractor manufacturer.
At the other end of the spectrum, a contract manufacturer will sometimes take on 100% of the risk. In this case, the contractor conducts all the tests, issues a certificate of conformance and releases the product for sale, shipping the product directly to distributors or customers. Circuitwise provides this service for a small number of customers for which it does the entire box build of the product. A DHR is generated for every single device shipped and this is handed over to the product owner.
By far the most common arrangement is shared risk. In this case, the product developer takes responsibility for the key high-risk elements and trusts the contractor to manage the vast majority of the routine risks and regulatory requirements such as traceability. Under this arrangement, Circuitwise takes responsibility for managing its information for the required period and the product owner manages its information.
Who is responsible for what is encapsulated in a Quality Agreement (and a commercial Supply Agreement). A critical element of this arrangement is the role of ISO 13485. The optimal arrangement is that every company in the supply chain is certified to ISO 13485, or at least for all the critical components. Responsibilities can then be delegated down the supply chain and regulatory authorities will accept that these certified suppliers have trusted systems and processes in place. Under this scenario, the product owner does not need to show all of the information in its DHR, as the companies down the supply chain will each maintain their own DHR on whatever information they are responsible for, as set out in the Quality Agreement.
What information is goes into the DHR is ultimately a matter of collaboration and negotiation from both a quality and commercial perspective, depending on the nature of the information and the tests involved. The key is to have a trusted relationship with your supplier that results in a win-win arrangement.
NOTE: The terms used in this article vary from country to country but the principles generally remain the same. We have taken the most common terms used in Australia and globally. Before applying this in the particular jurisdictions you are targeting, check the correct terminology for the regulatory framework in that location.