Blog

Are 510k pre-sub meetings a waste of time?

This article reviews four of the top reasons why other companies feel that requesting 510k pre-sub meetings is a waste of time, and why you can’t afford to skip them.


It only takes my team 8-10 hours to prepare a 510k pre-sub request. The FDA does not charge you a cent for requesting 510k pre-sub meetings, and a pre-sub should be part of every design plan. But most companies are resistant to requesting 510k pre-sub meetings. Here are the top 4 reasons why companies tell me they don’t need to request a meeting:

It’s too late for requesting 510k pre-sub meetings

If you are less than a week away from submitting a 510k, it is too late for requesting 510k pre-sub meetings. The FDA target for scheduling a 510k pre-sub meeting is 60-75 days from the date your request was submitted. That’s 10-11 weeks. Most companies tell me that they plan to submit a 510k within weeks or a couple of months, but most of them take several months, and frequently there is a delay that requires 6 months or more. For example, what if your device fails EMC testing, and you have to change the design and retest for both EMC and electrical safety? At best you will have an 8-week delay. If you submit a request next week, and everything goes as you plan, you can always withdraw your request for the pre-sub. If you encounter a delay for any reason, suddenly it’s not too late.

Our design is not finalized yet

I believe that waiting until your design is almost complete is the number one reason why companies wait too long to request 510k pre-sub meetings. If they wait too long, then the previous reason for not requesting a meeting takes over. The ideal time to submit a pre-sub request is 75 days before you approve your design outputs (i.e., design freeze). However, very few people are that precise in their design planning and execution. You should try to target sometime after you approve your design inputs, but before you approve your design outputs. As long as you submit an update to your pre-sub request 2 weeks before the meeting, the FDA will accept it. Also, you can always schedule a date that is later than 75 days if you realize you requested the meeting too early.

We don’t want to be bound by what the FDA says in the 510k pre-sub meeting

510k pre-sub meetings are “non-binding.” That means that the FDA can change their mind, but it also means you don’t have to do everything the FDA says in a 510k pre-sub meeting. If you don’t ask a question about testing requirements, that doesn’t mean that the FDA does not have any testing requirements. The FDA knows what previous companies have submitted for testing better than you do, and they may be in the process of evaluating a draft special controls guidance. If you ask questions, you will have better insights into what the FDA expects. Understanding FDA expectations helps you write better rationales for testing or test avoidance. You also might learn about deadlines for implementation of new testing requirements that you might be able to avoid. Finally, you can ask the FDA about possible testing options you are considering if your most optimistic testing plans are denied by the FDA.

There is already a guidance document for our device

Not all device classifications have a guidance document explaining what information should be submitted in a pre-market 510k submission. However, there are almost one hundred Class II Special Controls Guidance Documents. Therefore, there is a good chance that the FDA published special controls as part of the regulation for your device or as a guidance document. As part of the special controls, the FDA defines what performance testing is required for your device. If you already know what testing is required, then the value in requesting 510k pre-sub meetings is diminished. But at least three other key benefits remain.

First, you can verify that the predicate you plan to use for comparative testing is not going to be a problem. Although the FDA can’t tell you which predicate to pick, the FDA can tell you if there is a problem with the predicate you have selected. This is especially important if the product is not currently registered and listed, because you may not know if the device was withdrawn from the market after it was cleared.

Second, not all testing standards are prescriptive. Many tests have testing options that require you to make a decision. Input from the FDA may be valuable in making choices between various performance testing options. Sometimes you even forgo testing and provide a rationale instead. FDA feedback on any rationale for not doing testing is critical to prevent delays and requests for additional information later.

Third, there are many different FDA representatives that participate in 510k pre-sub meetings. The lead reviewer will invite specialists and the branch chief to the meeting. Each of these specialists can answer questions during a pre-submission meeting that they are not able to answer during the actual review process. You also have the opportunity to get feedback from the branch chief–who has insight from all the previous devices that were cleared with your product classification. Your lead reviewer is not likely to be as experienced as the branch chief, and may only have been working at the FDA for months. Your request for the 510k pre-sub meeting will help an inexperienced lead reviewer as much as it will help your company.

Learning More about 510k Pre-sub Meetings

On Thursday, February 22 there will be a free webinar offered on the topic of 510k pre-sub meetings. We had 50 people register for the webinar on the first day it was announced, and we have already answered more than a dozen related questions. If you are planning to submit a 510k this year, this webinar will show you exactly how to prepare your own request for a 510k pre-sub. You will even receive copies of all of our templates for free. Stop wasting time and register now.

Posted in: 510(k)


Biocompatibility testing questions answered in pre-submission requests

The following is a copy of my responses to someone that submitted biocompatibility testing questions in preparation for the 510k pre-submission webinar that I am hosting Thursday, February 22 @ 4pm EST.


Can you please answer the following biocompatibility testing questions?

This was the request by a person that registered for my live webinar next Thursday. The person asked some great questions that are very similar to other clients I work with. They also asked the biocompatibility testing questions in a way that did not divulge any confidential information–other than to indicate they live in Germany. Therefore, I am sharing my email response with you. Please register for this webinar and submit your own questions. Questions are entered in an open text box, and you have room to ask multiple questions.

1. Does the FDA now already ask for the AET (Analytical evaluation threshold) for chemical analyses?

I’m not an analytical chemist. That would be an awesome question for Thor Rollins at Nelson Labs. He is giving a 1-day workshop on biocompatibility testing on March 20:
 
Nelson Labs is offering a 1-day seminar the day before the 510(k) workshop on biocompatibility ($499): https://news.nelsonlabs.com/education/events/biocompatibility-testing-for-medical-devices-seminar.

 

2. How can I avoid time consuming genotox studies for FDA?

Typically if you perform the “Big 3” (i.e., cytotox, irritation and sensitization), and then you perform chemical characterization, you are often able to prepare a Biological Evaluation Report to explain why there are no identified compounds in the chemical characterization that would warrant performing the genotox studies. This is also often true for the acute toxicity testing and sub-chronic toxicity testing. In order to verify the FDA will accept this approach, you will typically provide a biological evaluation plan (BEP) as part of your pre-submission request. This often saves > $10K.

 

3. And how can I face FDA with a cytotoxic wound dressing but which passed irritation, sensitization, genotox and pyrogenicity tests?
I had a product that contained aluminum. Aluminum is cytotoxic to the cell line that is used in the cytotoxicity testing. However, aluminum does not have a high level of toxicity for the route of administration for that product. You should identify the reason why your product is cytotoxic and then provide an explanation why the device is not toxic for the intended use and duration of contact. This would normally be part of that BEP mentioned above.

 

4. Which genotox tests are state of the art for the FDA?
There are three ways to determine that. One is to look in the recognized standards database on the FDA website. Second is to review the FDA guidance on biocompatibility and application of ISO 10993-1. Finally, you can ask the FDA about the suitability of another test you want to perform during a pre-sub. If they prefer a different test, they will say so in an email response and they are available for discussion by conference call during the pre-sub meeting to clarify their response.

 

Note: I did not answer this question outright, because biocompatibility testing (and all verification testing) requirements change over time. In fact, for one 510k project I had 7 different standards change just prior to submission. During a pre-submission meeting, the FDA should make you aware of coming changes to these tests. Also, the better biocompatibility testing labs, such as Nelson Labs, are also aware of the changes before they are implemented. This is because personnel like Thor Rollins personally get involved in the revision of standards.

 

5. Will the meeting be recorded since I live in Germany?
Yes, all of my webinars are recorded. I will email you a link for downloading it and you will receive that email in the morning after the webinar. You can also schedule calls with me as a follow-up using the following link:

 

 

Future Related Events

In addition to the 1-day seminar by Thor Rollins on biocompatibility testing (March 20), we are also offering a 2-day 510k workshop at the same Embassy Suites Hotel in Las Vegas. The cost is $995 (discount for multiple attendees). Here’s the link for registration–or email rob@13485cert.com and I can invoice your company.

Posted in: 510(k)


FDA User Fee Increase for FY 2018 – Strategic Implications

This article identifies strategic implications of the FDA user fee increase for FY 2018 that was published by the FDA last week.


You didn’t know the FDA user fee increased?

In August, the FDA publishes the new FDA user fee schedule for the next fiscal year, which begins on October 1. Last year the FDA published an updated small business guidance document in early August that included the fee schedule. This year, the release of the FY 2018 FDA user fee schedule was delayed until the end of August, because the re-authorization of user fees was not approved until August 18, 2017.

The MDUFA IV user fee schedule was negotiated in October of 2016, and the new user fee schedule proposed to increase the user fees to $999.5 million. That negotiated plan called for an increase in standard fees for 510k submissions while keeping small business fees lower. The final enacted MDUFA IV user fees follow this plan. There is a significant difference between PMA fees and 510k fees in the new fee schedule. There was a 33% increase for all PMA-related standard and small business fees. However, standard 510k fees increased by 125%, while small business fees for a 510k increased by 13%. The establishment registration fees increased by 37%, and there is still no discounted registration fee for small businesses. Finally, the biggest change is there will now be a fee for De Novo applications.

Implications of the De Novo FDA user fee increase

Congress authorized the MDUFA III fees in 2012 for five years, and there were no fees associated with De Novo applications. In 2012, the Food and Drug Administration Safety and Innovation Act (FDASIA) also streamlined the De Novo application process. The purpose of having no fees, and for streamlining the process, was to encourage medical device innovation. However, only 40% of De Novo application reviews were completed within 150 days during 2015 and 2016. The balance of the applications required 200 to 600+ days to complete. Negotiations between the FDA and industry in 2016 resulted in an agreement to trade an increase in FDA user fees for a decrease in the review time required for 510k clearance. However, the FDA also committed to decreasing the De Novo application review time to less than 150 days as follows:

[Figure: De Novo application decision goals for MDUFA IV]

Unfortunately, the agreed FDA user fees for De Novo applications in MDUFA IV for FY 2018 are $93,229 as a standard fee and $23,307 for small businesses. During the past 5 years, during MDUFA III, companies that felt they had a potential De Novo application would try to persuade the FDA that a borderline 510k submission should be a De Novo application instead. However, under MDUFA IV you will be more likely to persuade the FDA that a borderline classification should be considered for a 510k submission instead of a De Novo application.

In addition, you should plan your De Novo application more carefully than you might have for a free application. Pre-submission meeting requests should always be submitted during the development process, and these pre-sub requests should be submitted at least 90 days prior to your design freeze. Special consideration should also be devoted to risk analysis and gathering preliminary data to demonstrate the effectiveness of the risk controls you select to ensure that the clinical benefits of your device outweigh the residual risks of the device after implementing risk controls. Ideally, you will gather enough evidence to create a draft special controls guidance document to submit to the FDA as a supplement to your pre-submission meeting.

If you are planning a De Novo application for FY 2018, you should expect your FDA reviewer to pay special attention to ensuring that there are no unnecessary delays in the review process. You should also monitor the FDA recent final guidance webpage for release of a final guidance document for De Novo applications. The draft guidance was released on August 14, 2014. Creating a final guidance will probably be a priority for FY 2018.

Implications of the 510k FDA user fee increase

The standard FDA user fee for a 510k increased 125% from $4,690 to $10,566. However, the absolute dollar amount of a 510k submission is still less than the cost of biocompatibility testing or sterilization validation. Therefore, the increase should not significantly decrease the number of submissions. However, the small business fee has only been increased by 13%. Therefore, if you are a small business (i.e., income < $100 million), you should complete an application for small business qualification as soon as you can (i.e., October 1, 2017) to make sure that you are eligible for the discounted fee when you submit your next 510k submission. If you need help preparing your small business qualification form, there will be a webinar on this topic Friday, September 8, 2017.

When you are planning a 510k submission, you should also determine if your device product classification is eligible for third party review. In the past, the increased cost of the third party review made submission of a 510k to a third party reviewer unattractive. However, the fees for third party reviews range from $9,000 to $12,000 typically. Therefore, it’s possible that there may be no difference in the fee for a third party review unless your company is a qualified small business.

Implications of establishment registration FDA user fee increase

The increase in the annual establishment registration fee is 37% for medical device firms to $4,624. If you are already registered as a medical device firm, you should increase your annual budget for the establishment registration fee accordingly. If you are about to launch a new product, remember that you are required to register and list your product within 30 days of distribution of your product. Therefore, if shipments are going to begin in September, you don’t need to register until October (i.e., after the start of the new fiscal year). Therefore, you may be able to avoid paying the FY 2017 establishment registration and only pay the FY 2018 establishment registration. This would not be the case for foreign firms that need to import the product prior to distribution.

What you can do about the FDA user fee increase now

You may not be able to change the user fee schedule for FY 2018, but there are three things you can do now to improve your situation. First, if you are a small business, you can speak to your accounting department and get them to provide a copy of the FY 2016 tax return so that you can complete the small business qualification form on October 1. Second, you should contact Regulatory Technology Services and the Third Party Review Group to obtain a quote for a third party review of your 510k submission instead of submitting directly to the FDA. Third, you should add a reminder to your calendar for August 1, 2018 to start reviewing the FDA website and other sources for a FY 2019 FDA user fee schedule.

Learning how to submit a small business qualification form

If you have not completed a small business qualification form before, you can learn how to prepare your application for small business qualification by registering for my webinar on Friday, September 8, 2017.

Posted in: 510(k), FDA


510k Design Control Requirements and 510k Risk Management Requirements

This article reviews 510k design control and risk management requirements when compared with your design history file (DHF) and your risk management file.


Last week I presented a free webinar on how to combine Risk Management with Design Controls when planning to submit a 510k. There were many questions about what design history file (DHF) and risk management file (RMF) documents are required for a 510k. There is no specific part of the regulations stating what the 510k design control requirements are. However, certain elements of the DHF are required as 510k design control documentation, but not necessarily in the exact form as maintained in the DHF. For example, Design Inputs and Design Outputs are presented as applicable recognized standards and design specifications, while others will remain exactly the same (i.e., verification and validation test reports).

For Risk Management, the only submissions that require inclusion of risk documentation are devices containing software of at least moderate level risk. There are some exceptions to this as well though, based on a few special control guidance documents—especially when the submission type is an abbreviated 510k. This article identifies which of the DHF and RMF elements are 510k design control requirements and 510k risk management requirements.

510k Design Control Requirements

Design Controls are identified in 21 CFR 820.30. Every manufacturer of any class II or class III devices, and certain class I devices (class I devices with software, tracheobronchial suction catheters, surgeon gloves, protective restraints, radionuclide applicators, radionuclide teletherapy devices) need to control design per this regulation. The requirement for a Design History File is item j) and states:

“Each manufacturer shall establish and maintain a DHF for each type of device. The DHF shall contain or reference the records necessary to demonstrate that the design was developed in accordance with the approved design plan and the requirements of this part.”

The “requirements of this part” refers to the other bullets in 21 CFR 820.30 which can be summarized as:

a) Establish and maintain procedures to control design of device.

b) Design and Development Planning – Each manufacturer shall establish a plan that describes the design and development activities, and defines responsibilities for implementation.

c) Design Inputs – Manufacturers need to ensure design requirements relating to a device are appropriate and address the intended use of the device.

d) Design Outputs – Design outputs need to be documented in terms that allow an adequate evaluation of conformance to design input requirements. Design outputs that are essential for the proper functioning of the device should be identified.

e) Design Review – Formal documented reviews of design results should be planned and conducted at appropriate stages of device development.

f) Design Verification – Design verification confirms that the design output meets the design inputs requirements.

g) Design Validation – Design validation shall be performed under defined operating conditions on initial production units or their equivalents, and shall ensure that devices conform to defined user needs and meet the intended use of the device.

h) Design Transfer – Design transfer documentation shall ensure that the device design is correctly translated into production specifications.

i) Design Changes – changes should be identified, documented, validated/verified, reviewed and approved before their implementation.

The Design History File is intended to be a repository of the records required to demonstrate compliance with your design plan and design control procedures. While companies are required to create, and maintain this documentation according to the FDA regulation, not all of the documentation will be reviewed as part of the 510k. The following table compares the elements that comprise a DHF with the 510k design control requirements.

| DHF Element | 510k Design Control Requirements |
|---|---|
| Design Plan | Not Required |
| User Needs | Not Required |
| Design Inputs | Cover Sheet (Section 1) and Declaration of Conformity (Section 9). Some design inputs will appear in the form of standards in FDA Form 3514 (Cover Sheet) and in the Declaration of Conformity FDA Form 3654 (Standards Data Report). |
| Design Outputs | Device Description (Section 11). The Device Description lists the specifications of the device, and your Design Outputs document will help populate the Device Description. This can include drawings, pictures, or written specifications that describe your device. |
| Labeling | Proposed Labeling (Section 13). The labeling is usually considered part of the Design Outputs within the DHF, and is included specifically in the labeling section of the 510(k) submission. This includes both the Instructions for Use and any Package Labeling. |
| Verification and Validation Protocols | Not Required. You do not have to include the protocols, but the reviewer may ask to see them if they have any questions when reviewing the reports. |
| Verification and Validation Reports | Sterilization (Section 14); Biocompatibility (Section 15); Software (Section 16); Electrical Safety and EMC (Section 17); Bench Performance Testing (Section 18); Animal Performance Testing (Section 19); Clinical Performance Testing (Section 20). Of course, not all of these sections will be applicable for every device, but you should include all relevant validation test reports within your submission in the appropriate section of the 510k. Typically, each of these sections will have a cover sheet that outlines the reports that are included within the section, and then you can just include the report from the DHF in its entirety behind the cover sheet in that section. |
| Process Validation | Only required for sterilization validation typically, but there are exceptions for novel materials and coatings |
| Work Instructions | Not Required for 510k |
| Design Review Meeting Minutes | Not Required for 510k |
| Design Trace Matrix | Only required for software |
| Risk Management File | Sometimes – See Risk Management File Table Below |
| Post-Market Surveillance Plan | Not Required, but a few exceptions for high risk devices |
| Clinical Data Summary | Required only if used to demonstrate safety and efficacy |
| Regulatory Approval | Will result from 510k Clearance, so nothing to be included in 510k submission. |

510k Risk Management Requirements

Regarding the FDA regulations for risk management, there is a requirement under the Design Validation section of 21 CFR 820.30 that states:

“Design validation shall include software validation and risk analysis, where appropriate.”

For the purposes of FDA compliance and CE Marking, both recognize ISO 14971 as the standard for risk management. FDA recognizes ISO 14971:2007 whereas EN ISO 14971:2012 is the European National version for CE Marking. Rob Packard wrote an article describing the contents of the risk management file as well as the specific differences in the requirements between the FDA and CE Marking with regard to ISO 14971.

For the purposes of your 510k submission, the FDA only requires risk management documentation to be included if the product contains software and the risk is at least a level of “moderate concern”. There are some other cases when risk management is required by special controls guidance documents, but even when it is required you only have to submit your risk analysis. The table below describes the risk management requirements in greater detail.

| RMF Element | 510k Risk Management Requirement |
|---|---|
| Risk Management Plan | Not Required |
| Hazard Identification | 510ks with Software Only (Section 16). Hazard Identification is only required for devices that have a software component. It is not required for most other devices. |
| Risk Assessment | 510(k)s with Software (Section 16); Certain Special Controls Guidance. The Risk Assessment is only required to be included if your device contains software, or if a special controls guidance document specifically requires risk assessment. It is not required for other 510ks. |
| Risk Control Option Analysis | Software and Certain Special Controls Guidance |
| Risk Control Verification and Validation | Sterilization (Section 14); Biocompatibility (Section 15); Software (Section 16); Electrical Safety and EMC (Section 17); Bench Performance Testing (Section 18); Animal Performance Testing (Section 19); Clinical Performance Testing (Section 20). This will not be any additional or special documentation specific to Risk Management, and was already included in the DHF breakdown above, but the verification and validation also relate back to risk management in ensuring that the risks have been adequately mitigated. |
| Risk Benefit Analysis | Not Required for 510(k). Risk Benefit analyses are only required for De Novo applications, Humanitarian Device Exemptions and PMAs. |
| Informing Users and Patients of Risks | Labeling (Section 13). Part of the risk management will appear in the Labeling section of the 510k as warnings, contraindications, and precautions within the Instructions for Use and Package Labeling. |
| Risk Management Report | Not Required |

Your first step in preparing your 510k submission is to search the FDA Guidance Document Database to determine if there is an applicable guidance document for your device. You can read another blog we wrote to explain Special Controls Guidance documents, and how to determine if one is applicable to your device. The following list provides examples of Class II Special Controls Guidance documents that require risk analysis to be included within the 510k:

When there are 510k risk management requirements, the special controls guidance document will typically state, “We recommend that the summary report contain:

An identification of the Risk Analysis method(s) used to assess the risk profile in general as well as the specific device’s design and the results of this analysis. (Refer to Section 6 for the risks to health generally associated with the use of this device that FDA has identified.)

Discussion of the device characteristics that address the risks identified in this class II special controls guidance document, as well as any additional risks identified in your risk analysis.”

The special controls guidance will also identify risks to health that have been identified for products of that type, which you should be sure to include in your risk analysis as appropriate.

More information on 510k design control & risk management requirements

Hopefully, you are now able to determine which elements of your DHF are 510k design control requirements and which elements of your RMF are 510k risk management requirements. If you would like more information about how to implement design controls and risk management within your product development process, please register for our free webinar. If you need any further information or specific assistance with your 510k submission, please feel free to send me an email at mary@fdaecopy.com or schedule a call with our principal consultant, Rob Packard who can answer any of your medical device regulatory questions.



Posted in: 510(k), Design Control, Risk Management


Cybersecurity FDA Guidance for Devices with Software and Firmware

This article reviews the FDA guidance for premarket and post-market cybersecurity of medical devices with software and firmware—including requirements for reporting of field corrections and removals.


Hospitals, home health systems, and medical devices are more connected now than ever. The automatic communication between medical devices and network systems is improving the efficiency and accuracy in the world of healthcare. Medical devices are capable of more computing, analysis, reporting and automation to improve the speed and quality of patient care. Along with technological advances, new risks and concerns are also introduced. The risk of hackers exploiting vulnerabilities in networks and software is inevitable. The FDA introduced guidance for both pre-market and post-market cybersecurity to assist manufacturers in developing effective controls to protect patients and users. Cybersecurity protection requires Identification, Protection, Detection, Response, and Recovery.

The first step is incorporating processes and procedures to improve device cybersecurity into your quality management system. You should have a specific cybersecurity plan to outline the steps necessary to ensure a safe and secure medical device.

Identify Cybersecurity Risks

Understanding and assessing the cybersecurity risks involved with your device begins in the early stages of design development. At the start of the risk management process, you need to identify the essential safety and performance requirements of the device. You need to identify any potential cybersecurity vulnerabilities that could impact safety or performance, as well as the specific harms that could result if the vulnerability was exploited. In assessing the specific vulnerabilities, the FDA recommends using the Common Vulnerability Scoring System (CVSS). There is a CVSS calculator available online through NIST. The overall score is calculated based on different factors such as: attack vector (local, adjacent network, network), access complexity (high, medium, low), authentication (multiple, single, none), impact of confidentiality (none, partial, complete), exploitability (unproven that exploit exists, proof of concept code, functional exploit exists), remediation level (official fix, temporary fix, workaround, unavailable), collateral damage potential (low, medium, high), etc. This score is used in the hazard analysis in determining the level of risk.
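To show how those factors combine into a number, here is an added example (not code from this article, the FDA or NIST) that parses a CVSS vector string and computes the base and temporal scores. It assumes CVSS version 2.0, since the metrics listed above are the v2 metric set, and uses that specification's weights and equations; the function names and the second sample vector are this example's own, and the environmental metrics (such as collateral damage potential) are left out.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}          # none / partial / complete
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},      # local / adjacent / network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},       # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},      # multiple / single / none
    "C": _CIA, "I": _CIA, "A": _CIA,               # impact metrics
}
TEMPORAL = {
    "E": {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0},   # exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # remediation level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # report confidence
}


def round1(x):
    """Round to one decimal place, half up, as the specification requires."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Parse 'AV:N/AC:L/...' into a dict, rejecting unknown or duplicate metrics."""
    metrics = {}
    for part in vector.strip().split("/"):
        name, sep, value = part.partition(":")
        table = BASE.get(name) or TEMPORAL.get(name)
        if not sep or table is None or value not in table:
            raise ValueError(f"invalid metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name!r}")
        metrics[name] = value
    missing = [name for name in BASE if name not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    for name in TEMPORAL:                # temporal metrics default to Not Defined
        metrics.setdefault(name, "ND")
    return metrics


def base_score(m):
    c, i, a = (BASE[k][m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # no impact means a score of zero
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def temporal_score(m):
    # The temporal equation starts from the already-rounded base score.
    factor = TEMPORAL["E"][m["E"]] * TEMPORAL["RL"][m["RL"]] * TEMPORAL["RC"][m["RC"]]
    return round1(base_score(m) * factor)


def severity(score):
    """Qualitative band NVD applies to v2 base scores (Low/Medium/High)."""
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"


def score(vector):
    m = parse_vector(vector)
    base = base_score(m)
    return {"base": base, "temporal": temporal_score(m), "severity": severity(base)}


if __name__ == "__main__":
    samples = [
        # Worked example vector from the CVSS v2.0 specification (CVE-2002-0392).
        "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C",
        # Constructed vector: local access, hard to reach, workaround available.
        "AV:L/AC:H/Au:S/C:P/I:P/A:N/E:POC/RL:W/RC:C",
    ]
    for v in samples:
        print(v, score(v))
```

The temporal score drops as a fix or workaround becomes available, which is why the same vulnerability can be re-scored in the hazard analysis after a mitigation ships.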

Cybersecurity Protection

The process of assessing the exploitability and harms can also assist in determining mitigations that can be implemented to reduce the cybersecurity risk. During the design process, the FDA expects you to implement as many protections as practicable. Protections include:

  • Limit Access to Trusted Users
    • Password protection, strengthened password requirements
    • User authentication
    • Layered privileges based on user role
  • Limit Access to Tampering
    • Physical locks on devices and/or communication ports
    • Automatic timed methods to terminate sessions
  • Ensure Trusted Content
    • Restrict software or firmware updates to authenticated code
    • Systematic procedures for authorized users to download software and firmware only from the manufacturer
    • Ensure capability of secure data transfer, use of encryption

Cybersecurity Detection

The FDA also requires you to implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use. You should develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event. Methods for retention and recovery should be provided to allow recovery of device configuration by an authenticated privileged user.

If you include off-the-shelf (OTS) software in your device, you are responsible for the performance of the software as part of the device. All software changes to address cybersecurity vulnerabilities of the OTS software need to be validated. You need to maintain a formal business relationship with the OTS vendor to ensure timely notification of any information concerning quality problems or corrective actions. Sometimes you will need to involve the OTS vendor to correct cybersecurity vulnerabilities.

Post-Market Surveillance

Once you have completed the hazard analysis, mitigation implementation, and validations, and have deployed your device for use, your activities shift to post-market management. There are several QMS tools that can assist in the cybersecurity processes post-market including: complaint handling, quality audits, corrective and preventive action, ongoing risk analysis, and servicing. A critical component of every cybersecurity program is monitoring of cybersecurity information sources to assist in the identification and detection of risk. You should maintain contact with third-party software suppliers for identification of new vulnerabilities, updates and patches that become available.

There are many sources that companies should follow for information relating to cybersecurity including: independent security researchers, in-house testing, software or hardware suppliers, healthcare facilities, and Information Sharing and Analysis Organizations (ISAO). Involvement in ISAOs is strongly recommended by the FDA and reduces your reporting burden if an upgrade or patch is required postmarket. ISAOs share vulnerabilities and threats that impact medical devices with their members. They share and disseminate cybersecurity information and intelligence pertaining to vulnerabilities and threats spanning many technology sectors, and are seen as an integral part of your post-market cybersecurity surveillance program.

Response and Recovery

If you identify a cybersecurity vulnerability, there are remediation and reporting steps that need to occur. Remediation may involve a software update, bug fixes, patches, “defense-in-depth” strategies to remove malware, or covering an access port to reduce the vulnerability. Uncontrolled risks should be remediated as soon as possible, and must be reported to the FDA according to 21 CFR 806. There are certain circumstances that remove the reporting requirement. The decision flowchart below can be used to determine the reporting requirements.

[Figure: Cybersecurity software change decision tree]

In addition to reporting corrections and removals, the FDA identifies specific content to be included in PMA periodic reports regarding vulnerabilities and risks. If you have a Class III device, you should review that section thoroughly to ensure annual report compliance.

If a device contains software or firmware, cybersecurity will be an important component of the risk management processes, and continual cybersecurity management will be necessary to ensure the on-going safety and effectiveness of your device. If you need more help with cybersecurity risk management of your medical device, please schedule a free 15-minute call with Medical Device Academy by clicking on the link below.


Posted in: Software Verification and Validation


Performance Qualification (PQ) for EO Sterilization Validation

Article explains requirements for a performance qualification (PQ) of EO sterilization validation and how it is different from other PQ process validations.


Performance Qualification (PQ) – What is the difference between an IQ, OQ and PQ?

When you are performing a process validation, the acronyms IQ, OQ and PQ sometimes cause confusion. IQ is the installation qualification of the equipment used in your validated process. The purpose of the installation qualification is to make sure that your equipment was installed correctly–this includes calibration and connection to utilities. OQ is the operational qualification. The purpose of the operational qualification is to make sure that the equipment you are using is capable of operating over the range of parameters that you specify in order to make your product. The PQ is a performance qualification. The purpose of the performance qualification is to ensure that you can consistently make product within specifications (i.e., repeatable).

Different Definitions for Operational Qualification (OQ)

The GHTF guidance document for process validation provides the following definition for an OQ: “Establishing by objective evidence process control limits and action levels which result in product that meets all predetermined requirements.” ISO 11135-1:2014, the international standard for ethylene oxide (EO) sterilization validation, provides a slightly different definition for an OQ: “process of obtaining and documenting evidence that installed equipment operates within predetermined limits when used in accordance with its operational procedures.” The difference in these two definitions is important, because the OQ is typically performed by contract sterilizers and does not need to be repeated unless there is a significant change or maintenance to the sterilizer that requires repeating the OQ. In contrast, when you perform an OQ for packaging, the OQ is specific to the packaging materials you are going to be sealing and therefore a new OQ is required whenever new packaging materials are developed. For EO sterilization, the analogous step of the validation process is called a microbial performance qualification (MPQ).

Performance Qualification (PQ) = MPQ + PPQ

A performance qualification (PQ) for ethylene oxide sterilization validation consists of two parts: 1) microbial performance qualification (MPQ), and 2) physical performance qualification (PPQ). The microbial performance qualification is intended to determine the minimum process parameters for the EO sterilizer sufficient to ensure product bioburden is killed. These parameters are referred to as the half-cycle, because the full production cycle will be twice as long in duration. For example, a half-cycle consisting of 3 injections will correspond to a full cycle of 6 injections.

What are fractional cycles?

Fractional cycles are typically shorter in duration than the duration of a half-cycle. The purpose of a fractional cycle is to demonstrate that external biological indicators (BIs) located outside of your product, but inside the sterilization load, are more difficult to kill than internal BIs. Fractional cycles are also used to demonstrate that the product bioburden is less resistant than the internal BIs. To achieve both of these objectives, it is typical to perform two fractional cycles at different conditions to achieve 100% kill of internal BIs and partial external BI kill in one fractional cycle, and 100% kill of product bioburden but only partial kill of internal BIs in the other fractional cycle. When your goal is partial kill, you should also target more than one positive BI, because this reduces the likelihood that poor technique resulted in a BI positive from growth.

Microbial Performance Qualification (MPQ)

The microbial performance qualification (MPQ) typically consists of three half cycles and one or more fractional cycles. 100% kill of external BIs is not required for the MPQ during a half cycle–only the internal BIs must be 100% killed, but the external BIs are only useful if 100% kill of the external BIs is achieved in the full cycles. If you are re-validating the sterilization process, you are only required to complete one half cycle and one fractional cycle. For re-validation, the fractional cycle is intended to achieve 100% kill of product bioburden but only partial kill of internal BIs in order to verify that the product bioburden remains less resistant to sterilization than the internal BIs. You are also required to perform bioburden measurements of non-sterile product for the initial MPQ and re-validation to demonstrate that bioburden can be adequately recovered from the product and measured.

Physical Performance Qualification (PPQ)

The physical performance qualification (PPQ) typically consists of three full cycles and measurement of EO residuals in accordance with ISO 10993-7:2008. If PPQ is performed during the MPQ, then it is only necessary to complete one full cycle–assuming the MPQ consists of at least three half cycles. If you are performing a re-validation of the sterilization process, then you are required to perform three full cycles and measurement of EO residuals.

Repeatability, Reproducibility, Product Variability and Environmental Factors

Typically a performance qualification (PQ) is intended to verify that the same person can repeat the process multiple times, other people can reproduce the first person’s results and any variation in product from lot to lot will not prevent the process from producing acceptable product. In addition, any variation in environmental factors should be assessed during a PQ. In sterilization processes, however, the equipment is typically automated. Therefore, variation between operators is typically a non-issue. In addition, sterilization lots also typically consist of a large volume of product where multiple samples are tested for sterility. Therefore, performing three runs sufficiently challenges the repeatability and reproducibility of the sterilization process–including any product variability. The issue of environmental variations in heat and humidity is addressed by designing preconditioning cycles into the sterilization process. Sensors are included in each validation load to verify that the process specifications were achieved and maintained for temperature and humidity, but the sensors also help to identify the worst-case locations in a load to use for sampling and placement of BIs.

If you are interested in learning more about sterilization validation, please read our blog from last year on evaluation of the need to re-validate your sterilization process or you can watch our webinar on sterilization and shelf-life testing. You can also purchase our procedure for EO sterilization validation by clicking on the link below.

Purchase the EO Sterilization Validation Procedure (SYS-031) – $299

SYS-031 EO Sterilization Validation Procedure

This new procedure defines the requirements for ethylene oxide (EO) sterilization validation and revalidation which has been outsourced to a contract sterilizer.

Price: $299.00

 

Posted in: Process Validation, Validation


Safety Agency Mark – Is it required for medical electrical equipment?

This article explains when a safety agency mark is required for electrical medical equipment for products sold in the USA.


What is a safety agency mark?

Examples of a safety agency mark include UL, CSA, Intertek, SGS Q-mark and other marks indicating that a recognized testing lab completed the electrical safety testing and the device passed the testing. Health Canada requires a safety agency mark to certify approval by a lab that is accredited by the Standards Council of Canada (SCC). However, device manufacturers are frequently unclear what the requirements are in the USA for electrical medical equipment regarding a safety agency mark.

Leo Eisner’s explanation of the requirements for a safety agency mark in the USA

Leo Eisner of Eisner Safety was kind enough to answer this question. The simple answer is yes. In the US there is a requirement for equipment in the workplace to have a NRTL Safety Agency Approval Mark for the applicable category on the device to meet OSHA requirements. The requirements for NRTL approval of electric equipment (or medical electrical equipment) are in 29 CFR 1910.303(a) and 29 CFR 1910.307(c). Because of these requirements, most electric equipment used in the workplace must be NRTL approved. Biomeds maintain and track all the medical equipment in hospitals and clinical environments, and the biomeds usually insist upon an Agency Approval Mark. However, the biomeds may not be aware of the NRTL requirements.

What is a NRTL?

A NRTL is a Nationally Recognized Test Lab that is approved or authorized by the Occupational Safety & Health Administration (OSHA) for specific device test standards (i.e., UL 60601-1 [National deviation version of IEC 60601-1, 2nd ed. medical electrical equipment standard] and / or AAMI ES 60601-1 [National deviation version of IEC 60601-1, ed 3.1], among many other standards) to allow a US Mark to be placed on approved devices that meet the applicable standard. Not all NRTL labs can test to the listed medical electrical standards for medical electrical equipment to allow a US mark to be placed on devices. You need to go to the OSHA NRTL site to verify that the test lab can issue a US mark. Within the labs link you can find which standards each test lab is allowed to issue US Marks for.

Posted in: IEC 60601


Mandatory Problem Reporting Procedure for Reporting to Health Canada

The Mandatory Problem Reporting Procedure defines process and regulatory requirements for submitting adverse event reports to Health Canada.


Sections of the Mandatory Problem Reporting Procedure (SYS-035)

As with all of the procedures I write, I included the following sections in the Mandatory Problem Reporting Procedure:

  1. Purpose
  2. Scope
  3. References and Relationships
  4. Definitions
  5. Document Approval
  6. Revision History
  7. Responsibilities and Authorities
  8. Procedure
  9. Monitoring and Measurement
  10. Training/Retraining
  11. Risk Management
  12. Records

Details of the Mandatory Problem Reporting Procedure

This procedure includes exact quotes from the most recent amendment of the Canadian Medical Devices Regulations updated last on April 25, 2017. The procedure is detailed enough to enable a person that has not submitted a mandatory problem report before to do so. In addition, there are detailed instructions for importers of your device–who are also required to submit mandatory problem reports. The procedure is 5 pages in length and includes hyperlinks to the Health Canada webpages specific to the guidance document for Mandatory Problem Reporting.

Unique Features of this Mandatory Problem Reporting Procedure

Well-written procedures typically state that you should review and update your risk management documentation when you are investigating complaints–especially when there is a new adverse event to report. However, this procedure includes references to the risk management process and makes recommendations on specifically what to review and update. Specifically, it recommends that the scale used to quantitatively estimate severity of potential harm be aligned to identify which scores require mandatory problem reporting, and which scores do not require reporting.

The section of the procedure that is specific to monitoring and measurement also identifies specific metrics related to the mandatory problem reporting process to track and report to Top Management during Management Review meetings. These metrics include tracking the closure of complaints, preliminary reporting timelines and final reporting timelines. The procedure even includes links to the post-market surveillance procedure to remind you to update your post-market surveillance plan to ask questions related to new or revised risks related to the adverse event you are reporting.

Additional Training Available on the Canadian Medical Devices Regulations

Medical Device Academy recorded a webinar on the Canadian Medical Devices Regulations (CMDR and CMDCAS). In addition, Mary Vater, one of our new consultants, will be presenting a new live webinar on Canadian Medical Device Licensing on May 24, 2017.

Purchase the Mandatory Problem Reporting Procedure (SYS-035) – $299

SYS-035 Mandatory Problem Reporting Procedure

This new procedure defines the process and the regulatory requirements for submitting mandatory problem reports to Health Canada for adverse events that are reportable.

Price: $299.00

Posted in: Health Canada


Reprocessed Single-Use Devices: Considerations for a 510k Submission

This is a blog entry summarizing an article published on the FDAeCopy website about the unique challenges of 510k submissions for reprocessed devices.

Mary Vater joined Medical Device Academy as a new regulatory consultant in March 2017. She published her first new blog on our FDA eCopy website today. The blog explains the unique challenges of reprocessed single-use devices when preparing a 510k submission.

Challenges of 510k Submissions for reprocessed devices

There are three areas in particular that challenge reprocessors when preparing a 510k submission for reprocessed single-use devices:

  1. Section 13, labeling
  2. Section 15, biocompatibility
  3. Section 18, performance testing

In her article, Mary reviews each of these sections of a 510k submission and identifies both pitfalls and solutions for testing requirements in each of the sections of a 510k.

One of the most important things to know when preparing a 510k submission for a reprocessed device is whether you need to perform any biocompatibility testing at all. Biocompatibility testing is one of the longest verification and validation tests–as well as the most costly. If you do not modify the device during reprocessing, then you don’t need to perform biocompatibility testing. This article reviews the types of modifications that will require biocompatibility testing.

You also need to develop your own instructions for use and labeling for reprocessed devices. You can reference the original equipment manufacturer’s (OEM) IFU, but there is specific information needed for reprocessed devices that should be included. This information includes the name and model number of the OEM device.

Finally, it is not enough to provide performance testing data showing that after reprocessing a device it remains equivalent to the OEM device. You must show that the performance remains equivalent after multiple reprocessing cycles. Most devices will deteriorate over time and may only be able to survive a certain number of reprocessing cycles. This testing data needs to be included in your 510k submission.

If you are interested in learning more about how to prepare a 510(k) for a reprocessed single-use device, please visit the FDA eCopy website.

Posted in: 510(k)


IFU Validation and Post-Market Surveillance – A risk-based approach

This article describes how to perform IFU validation prior to commercialization and how to conduct post-market surveillance to ensure that your IFU continues to be suitable as your user population and patient population expand.

Most companies create an IFU for a new product by plagiarism. They merely copy a competitor’s IFU and change the name. If the IFU is created by a regulatory expert, the IFU will be nearly identical to the competitor IFU. However, if the IFU is created by a marketing person, the IFU will explain how your product is totally different from the competitor product. Neither approach is effective.

Creating a risk-based IFU

EN ISO 14971:2012 identifies deviations between the ISO 14971:2007 international standard and the three EU Directives. However, deviation #7 is specific to labeling and instructions for use. Even if your product is not CE marked, you should be developing a risk-based approach to IFUs. The first priority of risk controls is to eliminate and reduce risks by design, manufacture and selection of materials. The second priority is to implement protective measures such as alarms to warn users of risks. The last priority for risk controls is to inform users of residual risks. The best practice is to utilize a risk traceability matrix to document each of the risk controls you implemented to eliminate and reduce risks of hazards identified.

The EN version of ISO 14971 will not allow you to reduce risks quantitatively in your risk assessment for information provided to users about risks, because this type of risk control is not completely effective. However, you are required to verify that each residual risk is disclosed to users in your IFU and you must validate that your warnings, precautions and contraindications are adequately identified such that users understand the residual risks. You are also required to determine any user training needed to ensure specified performance and safe use of your medical device in accordance with ISO 13485:2016, Clause 7.2.1d. Clause 7.2.2d) requires that your company ensure that user training is made available. Any user training you provide should also be validated for effectiveness.

When to perform IFU validation

Some companies ask physicians that helped them with product development to review draft IFUs. However, these physicians are already familiar with your product, your company and they are highly skilled in the specific procedures your device will be used for. After your own experts have made their final edits to your draft IFU, you now need a “fresh set of eyes.” The best approach is to validate the effectiveness of your IFU with potential users that don’t know you or your company. If your product requires animal performance testing or human clinical studies, you could use these studies to validate your IFU. However, I recommend conducting a simulated use study prior to conducting animal or human studies. Conducting a simulated use study prior to animal and human studies can prevent deviations from your documented protocols that were caused by inadequate review of the IFUs.

Methods of IFU validation

The best method for validating your IFU is to perform a simulated use study or human factors study. The FDA published a human factors guidance document that can help you assess the risk of human factors and ergonomics. The FDA guidance requires that you identify your intended user population(s). For each individual population of users, you are required to have a minimum of 15 users for your study. If your product is not for specific indications, you may be able to randomly select 15 users at a few sites. However, if your device is intended for two different specialties, then you need 30 users–15 for each specialty. I recommend recording a video of simulated use studies too. Videos identify small details that you might miss, and clips from the videos are useful in creating training videos for future users.

Gathering Post-Market Surveillance

Post-market surveillance is not just asking customers if they are satisfied. You need to continue monitoring adverse event databases, your own complaint database and any service records to determine if there are any new risks and to verify that the risks you identified were accurately estimated with regard to severity and probability of occurrence of harm. In fact, clinical studies and PMS are the only way you can gather data regarding probability of occurrence of harm. When you design your post-market surveillance questions, make sure you include questions specifically targeting the residual risks you identify in your IFU. You should also ask, “What indications do you use this device for? Specifically, please identify the intended diagnosis, treatment and patient populations.” This wording is more effective than asking if a physician is using your product “off label.”

Revalidation of IFU after labeling changes

Changes to labeling and IFUs should always be considered design changes and may require revalidation. If the change is in response to a complaint or CAPA, then it is crucial that you revalidate the IFU and labeling to verify effectiveness of your corrective action. Any validation should be documented, reviewed and approved prior to implementation and acceptance criteria should be determined ahead of time. Your acceptance criteria should be quantitative so you can objectively determine if the change is effective or not. You might be able to copy your previous IFU validation protocol or simulated use protocol and simply repeat the validation exactly as you did before with new users. However, sometimes the reason why the IFU was not 100% effective in the past is that the risk you are addressing in the revised IFU was not evaluated adequately in the original simulated use protocol.

New webinar for risk-based IFU validation and PMS

If you want to learn more about using a risk-based approach to developing IFUs, validating IFUs and performing post-market surveillance to monitor the effectiveness of your IFU, then please click on the webinar link below.


Posted in: Clinical Studies & Post-Market Surveillance, Validation
