Blog

510k Design Control Requirements and 510k Risk Management Requirements

This article reviews 510k design control and risk management requirements when compared with your design history file (DHF) and your risk management file.

Design Controls and Risk Management 510k Design Control Requirements and 510k Risk Management Requirements

Last week I presented a free webinar on how to combine Risk Management with Design Controls, when planning to submit a 510k. There were many questions about what design history file (DHF) and risk management file (RMF) documents are required for a 510k. There is no specific part of the the regulations stating what the 510k design control requirements are. However, certain elements of the DHF are required as 510k design control documentation, but not necessarily in the exact form as maintained in the DHF. For example, Design Inputs and Design Outputs are presented as applicable recognized standards and design specifications, while others will remain exactly the same (i.e., verification and validation test reports).

For Risk Management, the only submissions that require inclusion of risk documentation are devices containing software of at least moderate level risk. There are some exceptions to this as well though, based on a few special control guidance documents—especially when the submission type is an abbreviated 510k. This is article identifies which of the DHF and RMF elements are 510k design control requirements and 510k risk management requirements.

510k Design Control Requirements

Design Controls are identified in 21 CFR 820.30. Every manufacturer of any class II or class III devices, and certain class I devices (class I devices with software, tracheobronchial suction catheters, surgeon gloves, protective restraints, radionuclide applicators, radionuclide teletherapy devices) need to control design per this regulation. The requirement for a Design History File is item j) and states:

“Each manufacturer shall establish and maintain a DHF for each type of device. The DHF shall contain or reference the records necessary to demonstrate that the design was developed in accordance with the approved design plan and the requirements of this part.”

The “requirements of this part” refers to the other bullets in 21 CFR 820.30 which can be summarized as:

a) Establish and maintain procedures to control design of device.

b) Design and Development Planning – Each manufacturer shall establish a plan that describes the design and development activities, and defines responsibilities for implementation.

c) Design Inputs – Manufacturers need to ensure design requirements relating to a device are appropriate and address the intended use of the device.

d) Design Outputs – Design outputs need to be documented in terms that allow an adequate evaluation of conformance to design input requirements. Design outputs that are essential for the proper functioning of the device should be identified.

e) Design Review – Formal documented reviews of design results should be planned and conducted at appropriate stages of device development.

f) Design Verification – Design verification confirms that the design output meets the design inputs requirements.

g) Design Validation – Design validation shall be performed under defined operating conditions on initial production units or their equivalents, and shall ensure that devices conform to defined user needs and meet the intended use of the device.

h) Design Transfer – Design transfer documentation shall ensure that the device design is correctly translated into production specifications.

i) Design Changes – changes should be identified, documented, validated/verified, reviewed and approved before their implementation.

The Design History File is intended to be a repository of the records required to demonstrate compliance with your design plan and design control procedures. While companies are required to create, and maintain this documentation according to the FDA regulation, not all of the documentation will be reviewed as part of the 510k. The following table compares the elements that comprise a DHF with the 510k design control requirements.

DHF Element 510k Design Control Requirements
Design Plan Not Required
User Needs Not Required
Design Inputs

Cover Sheet (Section 1) and

Declaration of Conformity (Section 9)

 

Some design inputs will appear in the form of standards in FDA Form 3514 (Cover Sheet) and in the Declaration of Conformity FDA Form 3654 (Standards Data Report)

Design Outputs

Device Description (Section 11)

 

The Device Description lists the specifications of the device, and your Design Outputs document will help populate the Device Description. This can include drawings, pictures, or written specifications that describe your device.

Labeling

Proposed Labeling (Section 13)

The labeling is usually considered part of the Design Outputs within the DHF, and is included specifically in the labeling section of the 510(k) submission. This includes both the Instructions for Use and any Package Labeling.

Verification and Validation Protocols

Not Required

 

You do not have to include the protocols, but the reviewer may ask to see them if they have any questions when reviewing the reports.

Verification and Validation Reports

Sterilization (Section 14)

Biocompatibility (Section 15)

Software (Section 16)

Electrical Safety and EMC (Section 17)

Bench Performance Testing (Section 18)

Animal Performance Testing (Section 19)

Clinical Performance Testing (Section 20)

 

Of course, not all of these sections will be applicable for every device, but you should include all relevant validation test reports within your submission in the appropriate section of the 510k. Typically, each of these sections will have a cover sheet that outlines the reports that are included within the section, and then you can just include the report from the DHF in its entirety behind the cover sheet in that section.

Process Validation Only required for sterilization validation typically, but there are exceptions for novel materials and coatings
Work Instructions Not Required for 510k
Design Review Meeting Minutes Not Required for 510k
Design Trace Matrix Only required for software
Risk Management File Sometimes – See Risk Management File Table Below
Post-Market Surveillance Plan Not Required, but a few exceptions for high risk devices
Clinical Data Summary Required only if used to demonstrate safety and efficacy
Regulatory Approval Will result from 510k Clearance, so nothing to be included in 510k submission.

510k Risk Management Requirements

Regarding the FDA regulations for risk management, there is a requirement under the Design Validation section of 21 CFR 820.30 that states:

“Design validation shall include software validation and risk analysis, where appropriate.”

For the purposes of FDA compliance and CE Marking, both recognize ISO 14971 as the standard for risk management. FDA recognizes ISO 14971:2007 whereas EN ISO 14971:2012 is the European National version for CE Marking. Rob Packard wrote an article describing the contents of the risk management file as well as the specific differences in the requirements between the FDA and CE Marking with regard to ISO 14971.

For the purposes of your 510k submission, the FDA only requires risk management documentation to be included if the product contains software and the risk is at least a level of “moderate concern”. There are some other cases when risk management is required by special controls guidance documents, but even when it is required you only have to submit your risk analysis. The table below describes the risk management requirements in greater detail.

RMF Element 510k Risk Management Requirement
Risk Management Plan Not Required
Hazard Identification

510ks with Software Only (Section 16)

 

Hazard Identification is only required for devices that have a software component. It is not required for most other devices.

Risk Assessment

510(k)s with Software (Section 16)

Certain Special Controls Guidance

 

The Risk Assessment is only required to be included if your device contains software, or if a special controls guidance document specifically requires risk assessment. It is not required for other 510ks.

Risk Control Option Analysis Software and Certain Special Controls Guidance
Risk Control Verification and Validation

Sterilization (Section 14)

Biocompatibility (Section 15)

Software (Section 16)

Electrical Safety and EMC (Section 17)

Bench Performance Testing (Section 18)

Animal Performance Testing (Section 19)

Clinical Performance Testing (Section 20)

 

This will not be any additional or special documentation specific to Risk Management, and was already included in the DHF breakdown above, but the verification and validation also relate back to risk management in ensuring that the risks have been adequately mitigated.

Risk Benefit Analysis

Not Required for 510(k)

 

Risk Benefit analyses are only required for De Novo applications, Humanitarian Device Exemptions and PMAs.

Informing Users and Patients of Risks

Labeling (Section 13)

 

Part of the risk management will appear in the Labeling section of the 510k as warnings, contraindications, and precautions within the Instructions for Use and Package Labeling.

Risk Management Report Not Required

Your first step in preparing your 510k submission is to search the FDA Guidance Document Database to determine if there is an applicable guidance document for your device. You can read another blog we wrote to explain Special Controls Guidance documents, and how to determine if one is applicable to your device. The following list provides examples of Class II Special Controls Guidance documents that require risk analysis to be included within the 510k:

When there are 510k risk management requirements, the special controls guidance document will typically state, “We recommend that the summary report contain:

An identification of the Risk Analysis method(s) used to assess the risk profile in general as well as the specific device’s design and the results of this analysis. (Refer to Section 6 for the risks to health generally associated with the use of this device that FDA has identified.)

Discussion of the device characteristics that address the risks identified in this class II special controls guidance document, as well as any additional risks identified in your risk analysis.”

The special controls guidance will also identify risks to health that have been identified for products of that type, which you should be sure to include in your risk analysis as appropriate.

More information on 510k design control & risk Management requirements

Hopefully, you are now able to determine which elements of your DHF are 510k design control requirements and which elements of your RMF are 510k risk management requirements. If you would like more information about how to implement design controls and risk management within your product development process, please register for our free webinar. If you need any further information or specific assistance with your 510k submission, please feel free to send me an email at mary@fdaecopy.com or schedule a call with our principal consultant, Rob Packard who can answer any of your medical device regulatory questions.


Click here to schedule a 15 minute call 300x62 510k Design Control Requirements and 510k Risk Management Requirements

Posted in: 510(k), Design Control, Risk Management

Leave a Comment (0) →

Cybersecurity FDA Guidance for Devices with Software and Firmware

This article reviews the FDA guidance for premarket and post-market cybersecurity of medical devices with software and firmware—including requirements for reporting of field corrections and removals.

Cybersecurity with custom aspect ratio Cybersecurity FDA Guidance for Devices with Software and Firmware

Hospitals, home health systems, and medical devices are more connected now than ever. The automatic communication between medical devices and network systems is improving the efficiency and accuracy in the world of healthcare. Medical devices are capable of more computing, analysis, reporting and automation to improve the speed and quality of patient care. Along with technological advances, new risks and concerns are also introduced. The risk of hackers exploiting vulnerabilities in networks and software is inevitable. The FDA introduced guidance for both pre-market and post-market cybersecurity to assist manufacturers in developing effective controls to protect patients and users. Cybersecurity protection requires Identification, Protection, Detection, Response, and Recovery.

The first step is incorporating processes and procedures to improve device cybersecurity into your quality management system. You should have a specific cybersecurity plan to outline the steps necessary to ensure a safe and secure medical device.

Identify Cybersecurity Risks

The key to understanding and assessing the cybersecurity risks involved with your device begin in the early stages of design development. At the start of the risk management process, you need to identify the essential safety and performance requirements of the device. You need to identify any potential cybersecurity vulnerabilities that could impact safety or performance, as well as the specific harms that could result if the vulnerability was exploited. In assessing the specific vulnerabilities, the FDA recommends using the Common Vulnerability Scoring System (CVSS). There is a CVSS calculator available online through NIST. The overall score is calculated based on different factors such as: attack vector (local, adjacent network, network), access complexity (high, medium, low), authentication (multiple, single, none), impact of confidentiality (none, partial, complete), exploitability (unproven that exploit exists, proof of concept code, functional exploit exists), remediation level (official fix, temporary fix, workaround, unavailable), collateral damage potential (low, medium, high), etc. This score is used in the hazard analysis in determining the level of risk.

Cybersecurity Protection

The process of assessing the exploitability and harms can also assist in determining mitigations that can be implemented to reduce the cybersecurity risk. During the design process, the FDA expects you to implement as many protections as practicable. Protections include:

  • Limit Access to Trusted Users
    • Password protection, strengthened password requirements
    • User authentication
    • Layered privileges based on user role
  • Limit Access to Tampering
    • Physical locks on devices and/or communication ports
    • Automatic timed methods to terminate sessions
  • Ensure Trusted Content
    • Restrict software or firmware updates to authenticated code
    • Systematic procedures for authorized users to download software and firmware only from the manufacturer
    • Ensure capability of secure data transfer, use of encryption

Cybersecurity Detection

The FDA also requires you to implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use. You should develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event. Methods for retention and recovery should be provided to allow recovery of device configuration by an authenticated privileged user.

If you include off-the-shelf (OTS) software in your device, you are responsible for the performance of the software as part of the device. All software changes to address cybersecurity vulnerabilities of the OTS software need to be validated. You need to maintain formal business relationship with the OTS vendor to ensure timely notification of any information concerning quality problems or corrective actions. Sometimes you will need to involve the OTS vendor to correct cybersecurity vulnerabilities.

Post-Market Surveillance

Once you complete the hazard analysis, mitigation implementation, validations, and has deployed their device for use – your activities shift to post-market management. There are several QMS tools that can assist in the cybersecurity processes post-market including: complaint handling, quality audits, corrective and preventive action, ongoing risk analysis, and servicing. A critical component of every cybersecurity program is monitoring of cybersecurity information sources to assist in the identification and detection of risk. You should maintain contact with third-party software suppliers for identification of new vulnerabilities, updates and patches that come available.

There are many sources that companies should follow for information relating to cybersecurity including: independent security researchers, in-house testing, software or hardware suppliers, healthcare facilities, and Information Sharing and Analysis Organizations (ISAO). Involvement in ISAOs is strongly recommended by the FDA and reduces your reporting burden if an upgrade or patch is required postmarket. ISAOs share vulnerabilities and threats that impact medical devices with their members. They share and disseminate cybersecurity information and intelligence pertaining to vulnerabilities and threats spanning many technology sectors, and are seen as an integral part of your post-market cybersecurity surveillance program.

Response and Recovery

If you identify a cybersecurity vulnerability, there are remediation and reporting steps that need to occur. Remediation may involve a software update, bug fixes, patches, “defense-in-depth” strategies to remove malware or covering an access port to reduce the vulnerability. Uncontrolled risks should be remediated as soon as possible, and must be reported to the FDA according to 21 CFR 806. There are certain circumstances that remove the reporting requirement. The decision flowchart below can be used to determine the reporting requirements.

Cybersecurity software change decision tree Cybersecurity FDA Guidance for Devices with Software and Firmware

In addition to reporting corrections and removals, the FDA identifies specific content to be included in PMA periodic reports regarding vulnerabilities and risks. If you have a Class III device, you should review that section thoroughly to ensure annual report compliance.

If a device contains software or firmware, cybersecurity will be an important component of the risk management processes, and continual cybersecurity management will be necessary to ensure the on-going safety and effectiveness of your device. If you need of more help with cybersecurity risk management of your medical device, please schedule a free 15-minute call with Medical Device Academy by clicking on the link below.

Click here to schedule a 15 minute call 300x62 Cybersecurity FDA Guidance for Devices with Software and Firmware

Posted in: Software Verification and Validation

Leave a Comment (0) →

Performance Qualification (PQ) for EO Sterilization Validation

Article explains requirements for a performance qualification (PQ) of EO sterilization validation and how it is different from other PQ process validations.

Your cart is empty

Mind your ps and qs 1024x291 Performance Qualification (PQ) for EO Sterilization Validation

Performance Qualification (PQ) – What is the difference between an IQ, OQ and PQ?

When you are performing a process validation, the acronyms IQ, OQ and PQ sometimes cause confusion. IQ is the installation qualification of the equipment used in your validated process. The purpose of the installation qualification is to make sure that your equipment was installed correctly–this includes calibration and connection to utilities. OQ is the operational qualification. The purpose of the operational qualification is to make sure that the equipment you are using is capable of operating over the range of parameters that you specify in order to make your product. The PQ is a performance qualification. The purpose of the performance qualification is to ensure that you can consistently make product within specifications (i.e., repeatable).

Different Definitions for Operational Qualification (OQ)

The GHTF guidance document for process validation provides the following definition for an OQ: “Establishing by objective evidence process control limits and action levels which result in product that meets all predetermined requirements.” ISO 11135-1:2014, the international standard for ethylene oxide (EO) sterilization validation, provides a slightly different definition for an OQ: “process of obtaining and documenting evidence that installed equipment operates within predetermined limits when used in accordance with its operational procedures.” The difference in these two definitions is important, because the OQ is typically performed by contract sterilizers and does not need to be repeated unless there is a significant change or maintenance to the sterilizer that requires repeating the OQ. In contrast, when you perform an OQ for packaging, the OQ is specific to the packaging materials you are going to be sealing and therefore a new OQ is required whenever new packaging materials are developed. For EO sterilization, the analogous step of the validation process is called a microbial performance qualification (MPQ).

Performance Qualification (PQ) = MPQ + PPQ

A performance qualification (PQ) for ethylene oxide sterilization validation consists of two parts: 1) microbial performance qualification (MPQ), and 2) physical performance qualification (PPQ). The microbial performance qualification is intended to determine the minimum process parameters for the EO sterilizer sufficient to ensure product bioburden is killed. These parameters are referred to as the half-cycle, because the full production cycle will be twice as long in duration. For example, a half-cycle consisting of 3 injections will correspond to a full cycle of 6 injections.

What are fractional cycles?

Fractional cycles are typically shorter in duration than the duration of a half-cycle. The purpose of a fractional cycle is to demonstrate that external biological indicators (BIs) located outside of your product, but inside the sterilization load, are more difficult to kill than internal BIs. Fractional cycles are also be used to demonstrate that the product bioburden is less resistant than the internal BIs. To achieve both of these objectives, it is typical to perform two fractional cycles at different conditions to achieve 100% kill of internal BIs and partial external BI kill in one fractional cycle, and 100% kill of product bioburden but only partial kill of internal BIs in the other fractional cycle. When your goal is partial kill, you should also target more than one positive BI, because this reduces the likelihood that poor technique resulted in a BI positive from growth.

Microbial Performance Qualification (MPQ)

The microbial performance qualification (MPQ) typically consists of three half cycles and one or more fractional cycles. 100% kill of external BIs is not required for the MPQ during a half cycle–only the internal BIs must be 100% killed, but the external BIs are only useful if 100% kill of the external BIs is achieved in the full cycles. If you are re-validating the sterilization process, you are only required to complete one half cycle and one fractional cycle. For re-validation, the fractional cycle is intended to achieve 100% kill of product bioburden but only partial kill of internal BIs in order to verify that the product bioburden remains less resistant to sterilization than the internal BIs. You are also required to perform bioburden measurements of non-sterile product for the initial MPQ and re-validation to demonstrate that bioburden can be adequately recovered from the product and measured.

Physical Performance Qualification (PPQ)

The physical performance qualification (PPQ) typically consists of three full cycles and measurement of EO residuals in accordance with ISO 10993-7:2008. If PPQ is performed during the MPQ, then it is only necessary to complete one full cycle–assuming the MPQ consists of at least three half cycles. If you are performing a re-validation of the sterilization process, then you are required to perform three full cycles and measurement of EO residuals.

Repeatability, Reproducibility, Product Variability and Environmental Factors

Typically a performance qualification (PQ) is intended to verify that the same person can repeat the process multiple times, other people can reproduce the first person’s results and any variation product from lot to lot will not prevent the process from producing acceptable product. In addition, any variation in environmental factors should be assessed during a PQ. In sterilization processes, however, the equipment is typically automated. Therefore, variation between operators is typically a non-issue. In addition, sterilization lots also typically consist of a large volume of product where multiple samples are tested for sterility. Therefore, performing three runs sufficiently challenges the repeatability and reproducibility of the sterilization process–including any product variability. The issue of environmental variations in heat and humidity are addressed by designing preconditioning cycles into the sterilization process. Sensors are included in each validation load to verify that the process specifications were achieved and maintained for temperature and humidity, but the sensors also help to identify the worst-case locations in a load to use for sampling and placement of BIs.

If you are interested in learning more about sterilization validation, please read our blog from last year on evaluation of the need to re-validate your sterilization process or you can watch our webinar on sterilization and shelf-life testing. You can also purchase our procedure for EO sterilization validation by clicking on the link below.

Purchase the EO Sterilization Validation Procedure (SYS-031) – $299

EO Sterilization Cycle 1 150x150 Performance Qualification (PQ) for EO Sterilization Validation
SYS-031 EO Sterilization Validation Procedure

This new procedure defines the requirements for ethylene oxide (EO) sterilization validation and revalidation which has been outsourced to a contract sterilizer.

Price: $299.00

 

Posted in: Process Validation, Validation

Leave a Comment (0) →

Safety Agency Mark – Is it required for medical electrical equipment?

This article explains when a safety agency mark is required for electrical medical equipment for products sold in the USA.

Safety Marks 1024x228 Safety Agency Mark – Is it required for medical electrical equipment?

What is a safety agency mark?

Examples of a safety agency mark include UL, CSA, Intertek, SGS Q-mark and other marks indicating that a recognized testing lab completed the electrical safety testing and the device passed the testing. Health Canada requires a safety agency mark to certify approval by a lab that is accredited by the Standards Council of Canada (SCC). However, device manufacturers are frequently unclear what the requirements are in the USA for electrical medical equipment regarding a safety agency mark.

Leo Eisner’s explanation of the requirements for a safety agency mark in the USA

Leo Eisner of Eisner Safety was kind enough to answer this question. The simple answer is yes. In the US there is a requirement for equipment in the workplace to have a NRTL Safety Agency Approval Mark for the applicable category on the device to meet OSHA requirements. The requirements for NRTL approval of electric equipment (or medical electrical equipment) are in 29 CFR 1910.303(a) and 29 CFR 1910.307(c). Because of these requirements, most electric equipment used in the workplace must be NRTL approved. Biomeds maintain and track all the medical equipment in hospitals and clinical environments, and the biomeds usually insist upon an Agency Approval Mark. However, the biomeds may not be aware of the NRTL requirements.

What is a NRTL?

A NRTL is a Nationally Recognized Test Lab that is approved or authorized by Occupational Safety & Hazard Administration (OSHA) for specific device test standards (i.e UL 60601-1 [National deviation version of IEC 60601-1, 2nd ed. medical electrical equipment standard] and / or AAMI ES 60601-1 [National deviation version of IEC 60601-1, ed 3.1], among many other standards) to allow a US Mark to be placed on approved devices that meet the applicable standard. Not all NRTL labs can test to the listed medical electrical standards for medical electrical equipment to allow a US mark be placed on devices. You need to go to the OSHA NRTL site to verify that the test lab can issue a US mark. Within the labs link you can find which standards each test lab is allowed to issue US Marks for.

Posted in: IEC 60601

Leave a Comment (0) →

Mandatory Problem Reporting Procedure for Reporting to Health Canada

The Mandatory Problem Reporting Procedure defines process and regulatory requirements for submitting adverse event reports to Health Canada.

Your cart is empty

SYS 035 Mandatory Problem Reporting Procedure 1024x530 Mandatory Problem Reporting Procedure for Reporting to Health Canada

Sections of the Mandatory Problem Reporting Procedure (SYS-035)

As with all of the procedures I write, I included the following sections in the Mandatory Problem Reporting Procedure:

  1. Purpose
  2. Scope
  3. References and Relationships
  4. Definitions
  5. Document Approval
  6. Revision History
  7. Responsibilities and Authorities
  8. Procedure
  9. Monitoring and Measurement
  10. Training/Retraining
  11. Risk Management
  12. Records

Details of the Mandatory Problem Reporting Procedure

This procedure includes exact quotes from the most recent amendment of the Canadian Medical Devices Regulations updated last on April 25, 2017. The procedure is detailed enough to enable a person that has not submitted a mandatory problem report before to do so. In addition, there are detailed instructions for importers of your device–who are also required to submit mandatory problem reports. The procedure is 5 pages in length and includes hyperlinks to the Health Canada webpages specific to the guidance document for Mandatory Problem Reporting.

Unique Features of this Mandatory Problem Reporting Procedure

Well-written procedures typically state that you should review and update your risk management documentation when you are investigating complaints–especially when there is a new adverse event to report. However, this procedure includes references to the risk management process and makes recommendations on specifically what to review and update. Specifically, it recommends that the scale used to quantitatively estimate severity of potential harm be aligned to identify which scores require mandatory problem reporting, and which scores do not require reporting.

The section of the procedure that is specific to monitoring and measurement also identifies specific metrics related to the mandatory problem reporting process to track and report to Top Management during Management Review meetings. These metrics include tracking the closure of complaints, preliminary reporting timelines and final reporting timelines. The procedure even includes links to the post-market surveillance procedure to remind you to update your post-market surveillance plan to ask questions related to new or revised risks related to the adverse event you are reporting.

Additional Training Available on the Canadian Medical Devices Regulations

Medical Device Academy recorded a webinar on the Canadian Medical Devices Regulations (CMDR and CMDCAS). In addition, Mary Vater, one of our new consultants, will be presenting a new live webinar on Canadian Medical Device Licensing on May 24, 2017.

Purchase the Mandatory Problem Reporting Procedure (SYS-035) – $299

SYS 035 Mandatory Problem Reporting Procedure 1 150x150 Mandatory Problem Reporting Procedure for Reporting to Health Canada
SYS-035 Mandatory Problem Reporting Procedure

This new procedure defines the process and the regulatory requirements for submitting mandatory problem reports to Health Canada for adverse events that are reportable.

Price: $299.00

Posted in: Health Canada

Leave a Comment (0) →

Reprocessed Single-Use Devices: Considerations for a 510k Submission

This is blog entry summarizing an article published on the FDAeCopy website about the unique challenges of 510k submissions for reprocessed devices.

FDA eCopy Blog Abstract Reprocessed Single Use Devices: Considerations for a 510k Submission

Mary Vater joined Medical Device Academy as a new regulatory consultant in March 2017. She published her first new blog on our FDA eCopy website today. The blog explains the unique challenges of reprocessed single-use devices when preparing a 510k submission.

Challenges of 510k Submissions for reprocessed devices

There are three areas in particular that challenge reprocessors when preparing a 510k submission for reprocessed single-use devices:

  1. Section 13, labeling
  2. Section 15, biocompatiblity
  3. Section 18, performance testing

In her article, Mary reviews each of these sections of a 510k submission and identifies both pitfalls and solutions for testing requirements in each of the sections of a 510k.

One of the most important things to know when preparing a 510k submission for a reprocessed device, is whether you need to perform any biocompatibility testing at all. Biocompatibility testing is one of the longest verification and validation tests–as well as the most costly. If you do not modify the device during reprocessing, then you don’t need to perform biocompatibility testing. This article reviews the types of modifications that will require biocompatibility testing.

You also need to develop your own instructions for use and labeling for reprocessed devices. You can reference the original equipment manufacturer’s (OEM) IFU, but you there is specific information needed for reprocessed devices that should be included. This information includes the name and model number of the OEM device.

Finally, it is not enough to provide performance testing data showing that after reprocessing a device it remains equivalent to the OEM device. You must show that the performance remains equivalent after multiple reprocessing cycles. Most devices will deteriorate over time and may only be able to survive a certain number of reprocessing cycles. This testing data needs to be included in your 510k submission.

If you are interested in learning more about how to prepare a 510(k) for a reprocessed single-use device, please visit the FDA eCopy website.

Posted in: 510(k)

Leave a Comment (0) →

IFU Validation and Post-Market Surveillance – A risk-based approach

This article describes how to perform IFU validation prior to commercialization and how to conduct post-market surveillance to ensure that your IFU continues to be suitable as your user population and patient population expand.

IFU Validation and PMS IFU Validation and Post Market Surveillance   A risk based approach

Most companies create an IFU for a new product by plagiarism. They merely copy a competitor’s IFU and change the name. If the IFU is created by a regulatory expert, the IFU will be nearly identical to the competitor IFU. However, if the IFU is created by a marketing person, the IFU will explain how your product is total different from the competitor product. Neither approach is effective.

Creating a risk-based IFU

EN ISO 14971:2012 identifies deviations between the ISO 14971:2007 international standard and the three EU Directives. However, deviation #7 is specific to labeling and instructions for use. Even if your product is not CE marked, you should be developing a risk-based approach to IFUs. The first priority of risk controls is to eliminate and reduce risks by design, manufacture and selection of materials. The second priority is to implement protective measures such as alarms to warn users of risks. The last priority for risk controls is to inform users of residual risks. The best practice is to utilize a risk traceability matrix to document each of the risk controls you implemented to eliminate and reduce risks of hazards identified.

The EN version of ISO 14971 will not allow you to reduce risks quantitatively in your risk assessment for information provided to users about risks, because this type of risk control is not completely effective. However, you are required to verify that each residual risk is disclosed to users in your IFU and you must validate that your warnings, precautions and contraindications are adequately identified such that users understand the residual risks. You are also required to determine any user training needed to ensure specified performance and safe use of your medical device in accordance with ISO 13485:2016, Clause 7.2.1d. Clause 7.2.2d) requires that your company ensure that user training is made available. Any user training you provide should also be validated for effectiveness.

When to perform IFU validation

Some companies ask physicians that helped them with product development review draft IFUs. However, these physicians are already familiar with your product, your company and they are highly skilled in the specific procedures your device will be used for. After your own experts have make their final edits to your draft IFU, you now need a “fresh set of eyes.”  The best approach is to validate the effectiveness of your IFU with potential users that don’t know you or your company. If your product requires animal performance testing or human clinical studies, you could use these studies to validate your IFU. However, I recommend conducting a simulated use study prior to conducting animal or human studies. Conducting a simulated use study prior to animal and human studies can prevent deviations from your documented protocols that were caused by inadequate review of the IFUs.

Methods of IFU validation

The best method for validating your IFU is to perform a simulated use study or human factors study. The FDA published a human factors guidance document that can help you assess the risk of human factors and ergonomics. The FDA guidance requires that you identify your intended user population(s). For each individual population of users, you are required to have a minimum of 15 users for your study. If your product is not for specific indications, you may be able to randomly select 15 users at a few sites. However, if your device is intended for two different specialties, then you need to 30 users–15 for each specialty.  I recommend recording a video of simulated use studies too. Videos identify small details that you might miss, and clips from the videos are useful in creating training videos for future users.

Gathering Post-Market Surveillance

Post-market surveillance is not just asking customers if they are satisfied. You need to continue to monitoring adverse event databases, your own complaint database and any service records to determine if there are any new risks and to verify that the risks you identified were accurately estimated with regard to severity and probability of occurrence of harm. In fact, clinical studies and PMS are the only way you can gather data regarding probability of occurrence of harm. When you design your post-market surveillance questions, make sure you include questions specifically targeting the residual risks you identify in your IFU. You should also ask, “What indications do you use this device for. Specifically, please identify the intended diagnosis, treatment and patient populations.” This wording is more effective than asking if a physician is using your product “off label.”

Revalidation of IFU after labeling changes

Changes to labeling and IFUs should always be considered design changes and may require revalidation. If the change is in response to a complaint or CAPA, then it is crucial that you revalidate the IFU and labeling to verify effectiveness of your corrective action. Any validation should be documented, reviewed and approved prior to implementation and acceptance criteria should be determined ahead of time. Your acceptance criteria should be quantitative so you can objectively determine if the change is effective or not. You might be able to copy your previous IFU validation protocol or simulated use protocol and simply repeat the validation exactly as you did before with new users. However, sometimes the reason why the IFU was not 100% effective in the past is that the risk you are addressing in the revised IFU was not evaluated adequately in the original simulated use protocol.

New webinar for risk-based IFU validation and PMS

If you want to learn more about using a risk-based approach to developing IFUs, validating IFUs and performing post-market surveillance to monitor the effectiveness of your IFU, then please click on the webinar link below.

IFU Validation Webinar Button 300x62 IFU Validation and Post Market Surveillance   A risk based approach

 

Posted in: Clinical Studies & Post-Market Surveillance, Validation

Leave a Comment (0) →

DHF Required for a Class I Device? At least 67%…

Is a DHF required appears to be a simple yes/no question? If you reword the question, however, you get a very different answer.

Is a DHF required DHF Required for a Class I Device? At least 67%...

If you ask “how much less documentation is required for the design of a Class 1 device compared with a Class 2 device?” you get a very different answer. Instead of 0% (Yes a DHF is required) of 100% (No DHF required), the answer is that you need 33% less documentation for the design of a Class 1 device.

The FDA shared a presentation on design controls in 2015.

In that presentation, the agency identified six, Class 1 product classifications that require design controls, while thousands of Class 1 product classifications do not require design controls. Despite the lack of design controls, manufacturers must still maintain a procedure for design transfer, maintain an approved device master file with all the approved design specifications (i.e., design outputs) and design changes may still require revalidation prior to implementation.

Why is a DHF Required for Class 2, but Not for Class 1?

Class 1 devices are simple devices that are already on the market and have a history of clinical safety. Class 2 devices are generally more complex and present a moderate risk. Therefore, changes in the technological characteristics often present a greater risk for Class 2 devices. When you design a Class 1 device, you still have to determine what your design specifications will be, but you don’t need: 1) to review and approve design inputs, 2) a procedure to document your design process, 3) to document formal design reviews, and 4) to create a design plan.

In the 1997 guidance document for design controls, the FDA states that a design transfer procedure should include at least three basic elements:

  1. design and development procedures should include a qualitative assessment of the completeness and adequacy of the production specifications;
  2. procedures should ensure that all documents and articles which constitute the production specifications are reviewed and approved; and
  3. procedures should ensure that only approved specifications are used to manufacture production devices.

The first of these basic elements is not required for Class 1 devices, because product specifications for most Class 1 devices are simple. The other two requirements are basic principles of document control and configuration management. Therefore, you still need a design transfer procedure for Class 1 devices but you don’t need to include the first element that relies upon design and development procedures.

If you have a Class 1 device, you must still comply with labeling requirements (i.e., 21 CFR 820.120). If your device is sterile, you must still validate and re-validate the process in accordance with 21 CFR 820.75. Class 1 products also require, a device master record (DMR) in accordance with 21 CFR 820.181.

What is Not DHF required?

Needed for Class I (67%)

  1. Approved Design Outputs
  2. Labeling Procedure
  3. Approved Labeling
  4. Sterilization Validation Procedure
  5. Sterilization Validation Protocol and Report
  6. Design Transfer Procedure
  7. Approved DMR
  8. Design Change Procedure

Needed for Class II and Class I requiring Design Controls (100%)

  1. Design Control Procedure
  2. Design Plan
  3. Approved Design Inputs
  4. Approved Design Outputs
  5. Labeling Procedure
  6. Approved Labeling
  7. Sterilization Validation Procedure
  8. Sterilization Validation Protocol and Report
  9. Design Transfer Procedure
  10. Evidence of at least 1 Design Review
  11. Approved DMR
  12. Design Change Procedure

Therefore, although you do not technically have to have a DHF for a Class 1 products, the difference between the two categories is the following elements:

  1. Design Control Procedure
  2. Design Plan
  3. Approved Design Inputs
  4. Evidence of at least 1 Design Review

When an FDA inspection occurs, the investigator will review your design control procedure and then audit your DHF in accordance with your design plan.

When you have a Class 1 device, you are not typically inspected unless there is a problem and when ORA inspectors perform an inspection for Class 1 devices the inspector looks for evidence of items in first list.

If you are interested in learning more about design history files (DHF), please check out our DHF webinar.

Posted in: Design Control

Leave a Comment (2) →

Checking adverse event history for your device and competitors

Article explains checking adverse event data for medical devices as part of design and development, risk management and post-market surveillance.

TPLC Database Checking adverse event history for your device and competitors

When should you be checking adverse event history?

There are three times when you should be checking adverse event history:

  1. when you are planning a new or improved medical device and you want to know how current devices on the market malfunction (design and development planning),
  2. when you are identifying hazards associated with a medical device as part of your risk management process, and
  3. when you are gathering post-market surveillance data about your device and competitor devices.

Where should you be checking adverse event history?

Most countries have some kind of database for gathering adverse event data for medical devices, but most of these databases are not open to the public. The most common question I am asked is, “How do you access the Eudamed database?” for reporting of adverse events in Europe. Unfortunately, you can’t access Eudamed. The Eudamed database is only available to competent authorities at this time. The primary publicly accessible database for adverse event reporting is the US FDA MAUDE database. The MAUDE database is also integrated with other FDA databases for 510k submissions and recalls. This combined database is called the Total Product Life Cycle database.

Are there other public databases for checking adverse event history?

Yes. The Therapeutic Good Administration (TGA) in Australia makes adverse event data publicly available. The TGA also has a national registry for implanted orthopedic devices that publishes an annual report. There are other countries that also have public registries.

When will checking adverse event data for Europe be possible?

The Eudamed database for Europe was created in 1999 by the German organization DIMDI. In 2000 the responsibility for the database was taken over by the European Commission. The latest update is that manufacturers will be responsible for updating the Eudamed database in the future as part of the new European Regulations. This requirement will be implemented during the next years. The database will also become accessible to the public.

When you collect post-market surveillance data, which data should you collect?

Searching for post-market surveillance data should be performed on a frequency that is risk-based. If you have a brand new device, a high risk device or a device that is implanted; post-market surveillance data should be reviewed frequently–either monthly or quarterly. In fact, the new European guidance document for clinical evaluation reports (MEDDEV 2.7/1 rev 4) requires that clinical evaluation reports be updated at least annually for these devices. It is also important that you collect post-market surveillance data for both your device and competitor products. Therefore, you should be reviewing all the publicly available adverse event databases. You should also be reviewing your own complaint data, and you should be searching for journal articles that may include adverse event data–possibly associated with a clinical study.

Available Resources

If you want to learn more about post-market surveillance data collection, please visit our webinar page. There is also a procedure for Post-Market Surveillance (SYS-019).

Posted in: Risk Management

Leave a Comment (0) →

Updating Training Procedure for Compliance with ISO 13485:2016

This article explains my process for updating training procedure SYS-004 for compliance with ISO 13845:2016 while the procedure was also simplified.

Training and Competency 1 Updating Training Procedure for Compliance with ISO 13485:2016

In addition to weekly blogging for the Medical Device Academy website and the FDAeCopy website, I am also updating each of my procedures for ISO 13485:2016 compliance. This week the training and competency procedure (SYS-004) was updated. You are updating your own procedures for compliance with the revised standard, but are you making any other strategic changes at the same time?

Changes to Training in ISO 13485:2016

The primary change to Clause 6.2 in ISO 13485 was the addition of the phrase, “shall document the process(es) for establishing competence, providing training and ensuring awareness.” This doesn’t represent a change in the intent of the standard, but it does signal that certification bodies should be emphasizing the importance of assessing effectiveness of training and competency–not just verifying the existence of training records.

Updating Training Procedure

The original version of SYS-004 had 8 pages and includes three different flow charts to explain the process. The procedure also required the use of a training plan for each employee. While I agree that training should be planned by managers, if you make this a formal requirement with a controlled form it creates an unnecessary burden for managers.

Therefore, when the procedure was updated to the requirements of ISO 13485:2016, the procedure was also simplified for easier implementation by start-up companies. When you update your procedures you might look for similar opportunities to simplify and streamline the processes.

The updated procedure now has suggestions for how to consolidate certain roles for smaller companies. The procedure still references a training record for documenting training, but now there is also a reference to a training matrix to help document training requirements for each employee.

The FDA also requires that there are documented training requirements. Therefore, the procedure identifies the need to create a job description that includes training and competency requirements. The procedure does not, however, require that the job descriptions be maintained as controlled documents. If your company has multiple people with the same job function (e.g., customer service), then it might make sense to have a controlled document that is a job description for customer service. A company with 4 employees do not need controlled documents and instead a unique record for each employee makes more sense.

Updating Training Procedure to Explain How to Complete Forms?

Another option is to make your procedure very detailed to explain how to complete each section of a form, such as the training record (FRM-002) or the training matrix (FRM-026). However, I see very few managers struggle with completing training records. Therefore, instead I plan to record a brief training webinar that explains how to fill in the forms. This will be provided as a free update to anyone that purchases the training competency procedure. This makes it easier to review the procedure for regulatory compliance and puts the details on how to complete forms in the training curriculum where it belongs.

If you have questions about how to update any of your procedures to ISO 13485, please email me at rob@13485cert.com. Maybe I’ll use your question as a topic for a future blog.

Posted in: ISO 13485:201x, ISO Certification

Leave a Comment (0) →
Page 1 of 23 12345...»
Follow

Get every new post on this blog delivered to your Inbox.

Join other followers:

Simple Share Buttons
Simple Share Buttons