Agile Helps With Regulatory Compliance

Medical Device Development

In a nutshell, regulations around medical device development focus on patient safety and ensuring that the device works according to its intended use. In the article "10 Myths About Agile & the FDA", the authors cite IEC 62304, FDA 21 CFR 820 (Quality Systems Regulations), and ISO 14971 to gradually debunk the idea that these regulations mandate a waterfall lifecycle. Instead, a growing coalition of nations is harmonizing its medical device regulations to acknowledge that designs need to evolve throughout a project (and use an emergent, iterative, or similar product development lifecycle). For example, while the IMDRF's guidance on Software as a Medical Device (SaMD): Application of Quality Management System states it is process-agnostic, it refers to iterations, a product backlog, automated builds, and the importance of product development staff having a thorough understanding of a patient's (customer's) needs. These are all concepts made popular by Agile methodologies. By adopting and tailoring your Agile practices, you can have frictionless mapping between your process and the breadcrumbs required to show you're following the Quality Management System and CGMP (Current Good Manufacturing Practices) regulations and standards. If you'd like help tailoring your practices, let us know!

Here are some key resources on learning and interpreting the medical device regulations:

FDA 21 CFR 820, Quality System Regulation

AAMI TIR 44 ($) (officially recognized by the FDA as of 1/15/2013)

International Medical Device Regulators Forum Documents -- includes cross-references to regulations from Australia, Brazil, Canada, China, the European Union, Japan, Russia, Singapore, South Korea, and the US.

Here are other documents you may find useful:

ISO (International Standards Organization) / IEC (International Electrotechnical Commission) / ICH (International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use)

ISO 13485 ($) Quality Management Systems
ISO 14971 ($), Medical devices--Application of risk management in medical devices
IEC 62304 ($), Medical Device software--Software lifecycle processes
IEC TR 80002-1 ($), Technical Report--Medical device software--Part 1: Guidance on the application of ISO 14971 to medical device software
ICH E6: Good Clinical Practices

North America

Canadian Medical Device Requirements (CMDR)
Canadian Current Good Manufacturing Practices (CGMP)
FDA Current Good Manufacturing Practices (CGMP)
FDA Guidance for the content of premarket submissions for software contained in medical devices
FDA General principles of software validation: Final guidance for industry and FDA staff
FDA Guidance for industry, FDA reviewers and compliance on off-the-shelf software use in medical devices
FDA Guidance for industry and FDA premarket and design control reviewers: Medical device use-safety: Incorporating human factors engineering into risk management
FDA Applying human factors and usability engineering to optimize medical device design
FDA Design Control Guidance for Medical Device Manufacturers
FDA 21 CFR Part 11/Annex 11 Electronic Records: Electronic Signatures


EU Eudralex CGMP
EU Medical Device Directive (93/42/EEC)
EU COMMISSION DIRECTIVE 2003/94/EC of 8 October 2003
Active Implantable Medical Device Directive (90/385/EEC)
German Medical Device Act


PMDL Requirements (Japan)
Australia CGMP

Drug Supply Chain Security Act (DSCSA)

In a nutshell, this regulation sets up an audit trail to show who handled pharmaceutical drugs at each step of the supply chain on the way to the patient, and requires inspection of tamper-safety features along the way. Manufacturers, repackagers, wholesale distributors, and dispensers all have notification requirements in the event they suspect tampering with a drug, and are subject to 1- or 2-day response times any time the FDA requests inspection information (DSCSA overview).

From an Agile perspective, this regulation will impact the Acceptance Criteria, Definition of Ready, and Definition of Done for your tailored process. Use of these documents will be triggered by your company's CGMP (FDA 21 CFR 210, 211, 225, 226) procedures.

For more info, see the DSCSA itself, or the FDA's list of key provisions.