Is monitoring every procedure required?

1 Comment / ISO 13485:2016, ISO Certification, Quality Management System / By

Process monitoring is required but do you know whether monitoring every procedure is required by the FDA QSR or ISO 13485?

One of the elements that Medical Device Academy has incorporated into each procedure we created in our turnkey quality system is a section titled, “monitoring and measurement.” The purpose of this section is to force each process owner to identify a process metric for monitoring every procedure. In some cases, we suggest a metric that would be appropriate for most companies establishing a new quality system. In other procedures, we use the following default text:

Enter a quality metric that you want to track for this process in accordance with ISO 13485:2016, Clause 8.2.5 and the procedure for Monitoring, Measurement, and Analysis (SYS-017).

Where are the requirements for process monitoring in 21 CFR 820?

Some of the companies that have purchased our turnkey quality system have asked, “Is it required to monitor and measure something in every procedure?” In general, it is not a specific requirement to have a metric specified in each procedure. In fact, if your quality system is not ISO 13485 certified, there are actually only a few places where the US FDA requires monitoring. The FDA does not have a section specific to monitoring and measurement of processes, but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used:

  • 21 CFR 820.100(a)(1) – “Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;”
  • 21 CFR 820.200(b) – “Each manufacturer shall analyze service reports with appropriate statistical methodology in accordance with § 820.100.”
  • 21 CFR 820.250 – “(a) Where appropriate, each manufacturer shall establish and maintain procedures for identifying valid statistical techniques required for establishing, controlling, and verifying the acceptability of process capability and product characteristics. (b) Sampling plans, when used, shall be written and based on a valid statistical rationale. Each manufacturer shall establish and maintain procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed. These activities shall be documented.” Note: the other two instances are the title of 21 CFR 820.250.

The word “monitoring” is equally rare (i.e. 4x) in the QSR:

  • 21 CFR 820.70(a) – “Each manufacturer shall develop, conduct, control, and monitor production processes to ensure that a device conforms to its specifications…Where process controls are needed…(2) Monitoring and control of process parameters and component and device characteristics during production.”
  • 21 CFR 820.75(b) – “Each manufacturer shall establish and maintain procedures for monitoring and control of process parameters for validated processes to ensure that the specified requirements continue to be met…(2) For validated processes, the monitoring and control methods and data, the date performed, and, where appropriate, the individual(s) performing the process or the major equipment used shall be documented.”

Where are the requirements for process monitoring in ISO 13485:2016?

ISO 13485:2016 has a section specific to monitoring and measurement of processes (i.e. Clause 8.2.5). In addition, the word “monitoring” occurs 52 times in the standard and there are 60 incidents of some variant or the exact word. , but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used. There are four Clause headings that actually include the word monitoring:

  • Clause 7.6, Control of monitoring and measuring equipment
  • Clause 8.2, Monitoring and measurement
  • Clause 8.2.5, Monitoring and measurement of processes
  • Clause 8.2.6, Monitoring and measurement of product

In Clause 1, Scope, and Clause 4.1.5, the Standard states that any outsourced processes remain the responsibility of the company and must be accounted for in the quality system by monitoring, maintaining, and controlling the processes.

Monitoring of risk is included in the definition of “risk management” in the Standard (i.e. Clause 3.18).

Clause 4.1.3 states that the organization shall, “b) ensure the availability of resources and information necessary to support the operation and monitoring of these processes…d) monitor, measure as appropriate, and analyze these processes.”

Clause 4.2.3 states that the contents of the Medical Device File (i.e. MDR or TF), shall include, “d) procedures for measuring and monitoring.”

Monitoring and measurement of processes and product are required inputs to the Management Review in Clauses 5.6.2e) and f).

Clause 6.4.1 requires a procedure for monitoring the work environment if it can have an effect on product quality.

Clause 7.1 requires the company to consider including monitoring in product realization planning.

Clause 7.4.1 requires a plan for monitoring suppliers.

Clause 7.5.1 requires monitoring production and service, including the monitoring of process parameters and product characteristics.

Clause 7.5.6 requires monitoring of validated process parameters.

Clause 7.5.8 requires identification of status with regard to product monitoring and measurement (i.e. inspection status).

Clause 7.6 requires monitoring and measurement of calibrated devices and validation of any computer software used to monitor calibrated devices.

Clause 8.1 states that companies shall plan and implement monitoring and measurement of processes.

Clause 8.2 is titled, “Monitoring and measurement.”

Clause 8.2.1 requires monitoring of customer feedback.

Clause 8.2.5 requires monitoring of processes to ensure planned results are achieved.

Clause 8.2.6 requires monitoring of products to ensure product requirements have been met.

Clause 8.4 requires data analysis of monitoring data from at least six different processes:

  1. Feedback
  2. Conformity to product requirements
  3. Characteristics and trends of processes and products, including opportunities for improvement
  4. Suppliers
  5. Audits
  6. Service reports, as appropriate

In summary, while not every single clause that requires a procedure includes a requirement for monitoring, there are a number of processes where the requirement to monitor the process is explicitly stated.

Why do all of our procedures include the requirement for metrics?

Medical Device Academy expanded the requirement for monitoring to all procedures for five reasons:

  1. Quality objectives must be “established at relevant functions and levels within the organization.” Therefore, establishing monitoring requirements for each procedure ensures that top management has metrics for every process and a lack of data is never an excuse for not establishing a new quality objective when improvement is needed.
  2. If every procedure has a requirement for monitoring, then employees don’t have to remember which processes require monitoring and which processes do not explicitly require monitoring.
  3. The process approach to auditing includes metrics of the process as one of the seven items that are included in every process turtle diagram, and therefore, including metrics for each procedure facilitates the process approach to auditing.
  4. If a company does not have a process metric already established, it is often difficult to perform an investigation of the root cause of quality issues. If a metric is already being monitored for the process, this facilitates the investigation of the root cause and you can use the baseline monitoring data to help you establish effectiveness criteria for the corrective action.quantitative effectiveness check 300x209 Is monitoring every procedure required?
  5. Finally, most companies struggle to identify preventive actions as required by Clause 8.5.3, and we have found that data analysis of monitoring data is the best source of identifying new preventive actions.

What are the disadvantages when you monitor and measure something in every procedure?

The primary reason for resistance to identifying a metric for monitoring in every procedure is that it will increase the workload for the employees responsible for that process. However, monitoring of data does not always increase workload. In fact, when process data is recorded in real-time on a run chart it is often possible to identify a trend much earlier than when data is simply recorded and subjected to monitoring.

  • Example #1: The automatic tracking of toner in a printer tells HP when to ship you a new toner cartridge before you need it. This ensures that there is no loss in productivity because you never run out of ink or the ability to print documents.
  • Example #2: Companies will use project management software (e.g. Asana) to monitor labor utilization. This will help identify when a specific resource is nearing capacity. When this occurs, the project manager can add time buffers to prerequisite steps and adjust the starting date of the resource-limited tasks to an earlier starting date. This ensures that more time is available to finish the task or to take advantage of resource availability at an earlier date.
  • Example #3: Monitoring the revision date for procedures helps the document control process owner identify procedures that should be evaluated for the need to be revised and updated. Often this is articulated as a quality objective of reviewing and updating all procedures within 2 years. This also ensures that procedures remain current and compliant with regulatory requirements.

What are the advantages of monitoring every procedure?

The phrase “what gets measured gets managed” is a popular business philosophy that implies measuring employee activity increases the likelihood that employees will complete a task or perform it well. In contrast, if a process is not monitored, employees may assume that it is not important and the tasks may be skipped or completely forgotten. Setting quantitative goals is also sometimes integrated with economic incentives or bonuses that are granted to individuals and teams.

FDA transition from QSR to ISO 13485

The US FDA is planning its transition from 21 CFR 820 to ISO 13485 as the quality system criteria. This will force companies to make adjustments to their quality systems and increase the amount of process monitoring performed. My general advice is to work with employees that are performing tasks to identify streamlined methods for monitoring those tasks without being overly burdensome. Then you and the employees you manage can analyze the data together and identify opportunities for improvement. When you do this, experiment with manual methods using whiteboards and paper charts that are visible in public areas first. Only implement automated solutions after you have optimized the data being collected and the frequency of data collection, and remember that not every process will benefit from automated statistical process control. Sometimes the simple approach is best.

Is monitoring every procedure required? Read More »

What’s new in the 2022 draft cybersecurity guidance?

1 Comment / 510(k), Cybersecurity / By

On April 8, 2022, the FDA released a new draft cybersecurity guidance document to replace the 2018 draft that the industry does not support.

Why was the draft cybersecurity guidance created?

Due to the ubiquitous nature of software and networked devices in the medical industry, the impact of cybersecurity attacks is becoming more frequent and more severe. The WannaCry Ransomeware Attack is just one example of this global cybersecurity issue. The FDA is responding to the need for stronger cybersecurity controls by issuing a new draft cybersecurity guidance for 2022.

The first four paragraphs of the introduction explain why we need this, and WannaCry is mentioned in the second paragraph of the background section. This new guidance is only a draft, but this is the FDA’s third attempt at regulating the cybersecurity of medical devices. The first guidance was finalized in 2014. That’s the 9-page guidance we currently have in effect. The guidance mentions risk 11 times and there is no mention of testing requirements or a bill of materials (BOM). The 2018 draft guidance (24-pages) met with resistance from the industry for a lot of reasons. One of the reasons mentioned by Suzanne Schwartz in an interview is the inclusion of a cybersecurity bill of materials (CBOM). The industry felt it would be too burdensome to disclose all of the hardware elements that are related to cybersecurity. Therefore, the FDA rewrote the 2018 draft and released a new draft on April 8, 2022 (49-pages).

Untitled presentation e1650071404761 What’s new in the 2022 draft cybersecurity guidance?

You might have expected the FDA to soften its requirements in the face of resistance from industry, but the new draft does not appear to be less robust. It is true that the CBOM was replaced by a software bill of materials (SBOM). However, the SBOM must be electronically readable and it must include:

  • the asset(s) where the software resides;
  • the software component name;
  • the software component version;
  • the software component manufacturer;
  • the software level of support provided through monitoring and maintenance from the software component manufacturer;
  • the software component’s end-of-support date; and
  • any known vulnerabilities.

You can be sure that the medical device industry will view providing an SBOM as a hefty burden. After all, a machine-readable SBOM is more complex than UDI labeling requirements. An SBOM will not fit on the “Splash Screen” for anyone’s software application. Companies may provide documentation through the company website with a link in their software to that information. The format of the information could be in the “Manufacturer Disclosure Statement for Medical Device Security (MDS2).” However, MDS2 is a 349-line item Excel spreadsheet to be used as a checklist (i.e. quite a bit longer than the GUDID data elements spreadsheet), and it took the FDA eight years to complete the transition for the UDI Final Rule (i.e. 2013 – 2021).

The 2018 draft cybersecurity guidance document from the FDA required a cybersecurity bill of materials (CBOM). CBOM was defined as “a list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities.” Therefore, the FDA’s change from a CBOM to an SBOM eliminated the requirement to disclose the hardware components. Despite the change in disclosure requirements, manufacturers will still be expected to monitor potential hardware vulnerabilities to cybersecurity attacks. It should also be noted that the language in the PATCH Act (a new bill submitted to the House of Representatives and to the Senate for ensuring the cybersecurity of medical devices) specifically requires manufacturers “to furnish a software bill of materials as required under section 524B (relating to ensuring the cybersecurity).”

 Structure of the draft cybersecurity guidance

The 2022 draft cybersecurity guidance organizes the requirements into four major principles:

  1. cybersecurity as part of device safety and the quality system regulations
  2. designing for security
  3. transparency
  4. submission documentation

The draft cybersecurity guidance recommends the implementation of a Secure Product Development Framework (SPDF). However, there is not much detail provided in the guidance for a SPDF. In the past, the term for this type of process was referred to as a Secure Software Development Lifecycle (i.e. Secure SDLC). However, in February 2022, the NIST Computer Security Resource Center (CSRC) released version 1.1 of the Secure SDLC guidance which is now titled “Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities.” This guidance provides guidance on the implementation of best practices for reducing the risk of software vulnerabilities because existing standards for managing the software development lifecycle do not explicitly address software security (e.g. IEC 62304-1:2015). The SSDF recommends implementing a core set of high-level secure software development practices that can be integrated into your SDLC process. Your software development team will also require cybersecurity training.

Design for security is the second principle of the draft cybersecurity guidance

Under this new draft cybersecurity guidance, the FDA will be evaluating the cybersecurity of devices based on the ability of the device to provide and implement the following security objectives:

  • Authenticity, which includes integrity;
  • Authorization;
  • Availability;
  • Confidentiality; and
  • Secure and timely updatability and patchability.

Transparency of cybersecurity information is for users

The draft cybersecurity guidance seeks to give device users more information pertaining to the device’s cybersecurity controls, potential risks, and other relevant information. This information will be in the form of an SBOM that is electronically readable. This information shall include disclosure of 1) known vulnerabilities or risks, 2) information to securely configure and update devices, and 3) communication interfaces and third-party software.

In addition to providing an SBOM, the FDA draft cybersecurity guidance includes requirements for cybersecurity labeling in section VI(A). There are 15 specific labeling requirements identified by the FDA for sharing with device users to improve the transparency of cybersecurity information. The first of these requirements is recommendations from the manufacturer for cybersecurity controls appropriate for the intended use environment (e.g., antimalware software, use of a firewall, password requirements). This first labeling requirement is identical to the 2018 draft guidance. Several of the other requirements are copied from the 2018 draft guidance, but others are new and/or reworded cybersecurity labeling requirements.

FDA Submission Documentation Requirements

The 2022 FDA draft cybersecurity guidance includes requirements for FDA submission documentation. Submission documentation must include a security risk management plan and report. The draft cybersecurity guidance explains on page 13 (numbered 9) that “performing security risk management is a distinct process from performing safety risk management as described in ISO 14971:2019.” Therefore, instead of using your safety risk management process, your software development team will need to have a different risk management process for software security. Details on the content for security risk management plans and reports can be found in AAMI TIR57:2016 – Principles for medical device security—Risk management. Appendix 2 also provides guidance for the inclusion of a) call flow diagrams, and b) information details for an architecture view.

Cybersecurity testing requirements for your FDA submission

The biggest impact of this new draft guidance may be the requirement for testing. The 2014 guidance has no testing requirement, the 2018 draft guidance mentioned testing 5 times in a few bullet points, but this new draft guidance mentions testing 43 times. The testing requirements for cybersecurity risk management verification include:

  1. Security requirements
  2. Threat mitigation
  3. Vulnerability testing
  4. Penetration testing

This guidance also includes a paragraph with multiple bullets of requirements for each of the four types of testing. This would essentially double the size and scope of the current software section for a 510k submission, and manufacturers will need to create new procedures and templates for their cybersecurity risk management process. For example, penetration testing requirements include the following elements:

  • Independence and technical expertise of testers,
  • Scope of testing,
  • Duration of testing,
  • Testing methods employed, and
  • Test results, findings, and observations.

Differences between the cybersecurity guidance documents

The following table provides a high-level overview comparing the four cybersecurity guidance documents released by the FDA, including the 2016 guidance on post-market management of cybersecurity:

Screenshot 2022 04 16 12.48.51 AM 1024x291 What’s new in the 2022 draft cybersecurity guidance?

Vulnerability management plans

The FDA draft cybersecurity guidance document also has a requirement for manufacturers to develop a plan for identifying and communicating vulnerabilities to device users after the release of the device. The FDA requires this plan to be included in your device submission. The vulnerability management plan should include the following information (in addition to the requirements of the 2016 guidance for postmarket cybersecurity management):

  • Personnel responsible;
  • Sources, methods, and frequency for monitoring for and identifying vulnerabilities (e.g. researchers, NIST NVD, third-party software manufacturers, etc.);
  • Periodic security testing to test identified vulnerability impact;
  • Timeline to develop and release patches;
  • Update processes;
  • Patching capability (i.e. rate at which update can be delivered to devices);
  • Description of their coordinated vulnerability disclosure process; and
  • Description of how manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.

What’s the next step for the draft cybersecurity guidance?

In March the “Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act)” was introduced to the House of Representatives and the Senate. The goal of the PATCH Act is to enhance medical device security by requiring manufacturers to create a cybersecurity risk management plan for monitoring and addressing potential postmarket cybersecurity vulnerabilities. The FDA seeks comments on the draft cybersecurity guidance through July 7, 2022. Given the support of the new bill in the House of Representatives and Congress, it is likely that the FDA will get the support it needs for this new guidance. 

What’s new in the 2022 draft cybersecurity guidance? Read More »

What are the IVDR risk management requirements?

3 Comments / ISO 14971:2019 (Risk Management), IVDR - Regulation (EU) 2017/746 / By

This article reviews unique IVDR risk management requirements for CE Marking of in vitro diagnostic (IVD) devices in Europe.

Last week I posted a blog about “How to create an IVDR checklist.” The article was very popular because we included a form for downloading a free IVDR checklist. That form included the opportunity for people to ask a question about the IVDR. One of the subscribers, a gentleman from New Zealand, entered a very simple comment: “risk management requirements.” My first thought was that the risk management file is the required technical documentation for the IVDR. Then I quickly remembered that in 2012, EN ISO 14971:2012 was released with three new annexes for the three directives: ZA (for the MDD), ZB (for the AIMD), and ZC (for the IVDD). In Annex ZC there were seven deviations, and even though ISO 14971 was updated in 2019, the international standard continues to deviate from the European regulations in significant ways. Therefore, this blog provides an overview of the IVDR risk management requirements.

If you are already compliant with ISO 14971:2019, do you meet the IVDR risk management requirements?

The biggest difference between the ISO 14971:2019 standard and the IVDR risk management requirements is that the standard only requires a benefit-risk analysis to be performed if risks are unacceptable. In contrast, the IVDR requires that a benefit/risk analysis be performed for all risks and the overall residual risk. Therefore, you must include a benefit/risk analysis in your technical file submission regardless of risk acceptability. The harmonized version of the standard (i.e. EN ISO 14971:2019/A:11:2021) was released in December of 2021. If you already purchased ISO 14971:2019, you only need to purchase the amendment which consists of Annex ZA (comparison between the standard and Annex I of MDR) and ZB (comparison between the standard and Annex I of the IVDR).

In the amendment, it states that manufacturers must have a risk management policy that is compliant with Annex I of the EU regulation. There are notes at the beginning of each harmonization annex that indicates that the risk management process needs to be compliant with the IVDR, which means risks have to be ‘reduced as far as possible’, ‘reduced to a level as low as reasonably practicable’, ‘reduced to the lowest possible level’, ‘reduced as far as possible and appropriate’, ‘removed or reduced as far as possible’, ‘eliminated or reduced as far as possible’, ‘prevented’ or ‘minimized’, according to the wording of the corresponding section in Annex I of the IVDR. The comparison table has a column with remarks/notes. In most cases, the deficiency identified states, “Device-specific execution of the process is not covered.” There are also two remarks/notes that state “Device-specific and usability-specific execution of the process is not covered.” 

Where are the IVDR risk management requirements?

Blog tip 1024x183 What are the IVDR risk management requirements?

IVDR risk management requirements are found in Annex II, Section 5 of the IVDR. However, there are 228 references to the word risk throughout the IVDR. The following risk-related requirements in IVDR are particularly important:

  • Article 10, Sections 2 & 8(e) – risk management procedure requirement
  • Annex I, Section 3 – reiteration of risk management procedure requirement, but specific steps in the risk management process are identified (e.g. a risk management plan, hazard identification, estimation of risks, evaluation of risks, etc.)
  • Annex I, Section 4 – Priority of risk control measures
  • Annex I, Section 5 – Elimination or reduction of use-related risks
  • Annex III, Section 1(b) – Reassessment of the benefit-risk analysis and risk management using post-market surveillance data

How should you document your risk management file for the IVDR?

In your risk management file of course. There is no format requirement for risk management files, but there are requirements for the content and there is a GHTF guidance document for risk management, and ISO/TR 24971:2020 is a new guidance document on the application of ISO 14971 to medical devices. Neither of these guidance documents is specific to IVDR risk management requirements. Annex H of ISO/TR 24971:2020, however, provides guidance specific to IVD devices.

What do the IVDR risk management requirements include for risk analysis?

In our March 23, 2022 blog posting, I described four types of risk analysis:

  1. Design risk analysis
  2. Process risk analysis
  3. Software hazard analysis
  4. User-related risk analysis (URRA)

Of these four types of risk analysis, only the software hazard analysis is sometimes not applicable. For an FDA 510(k) submission, you would need to provide software hazard analysis and URRA in the actual submission. The other two types of risk analysis would only be included in your design history file (DHF), and the FDA would review the design and process risk analysis during a routine inspection when the DHF is sampled as part of the design control process.

In contrast, the IVDR requires that a complete risk management file be submitted as part of the technical file (see Annex II, Section 5):

“Benefit-risk analysis and risk management

The documentation shall contain information on:

    • the benefit-risk analysis referred to in Sections 1 and 8 of Annex I, and
    • the solution adopted and the results of the risk management referred to in Section 3 of Annex I.”

The above documentation typically consists of design risk analysis and does not typically include process risk analysis, software hazard analysis, or use-related risk analysis. These other three risk analysis documents are IVDR risk management requirements, but they are referenced by the technical file in other sections. The most obvious IVDR risk management requirements are referenced in Annex I, Sections 1-9. These are referred to as the General Safety and Performance Requirements (GSPRs), and this requirement is typically met by including a GSPR checklist in the technical file to meet the requirement of Annex II, Section 4.

The process risk analysis is typically included with manufacturing information to meet the requirement of Annex II, Section 3.2. This documentation may include, any and all of the following elements:

  1. a process failure mode and effects analysis (pFMEA)
  2. a risk control plan including all processes from receiving inspection to final inspection and product release
  3. a process validation plan that is risk-based and linked to the risk control plan

The best practice for estimation of process risks is to link the probability of occurrence and probability of detection to the quantitative data gathered during process validation. In addition, you may establish a risk management policy that prescribes specific types of process risk controls (e.g. automated inspection) for the highest risk processes where manufacturing process errors are not acceptable residual risks. For example, an inspection of printed circuit board assemblies (PCBAs) typically requires automated optical inspection (AOI) methods, because visual inspection is not sufficient by itself and not all PCBAs allow sufficient ICT coverage, and functional testing is limited.

The software hazard analysis, if applicable, is typically performed in accordance with IEC/TR 80002-1:2009, Guidance on the application of ISO 14971 to medical device software. In the software hazard analysis, it is unnecessary to estimate the probability of occurrence of harm. Instead, it is only necessary to identify hazards and estimate harm. Examples of these hazards include loss of communication, mix-up of data, loss of data, etc. Software failures are systemic in nature and the probability of occurrence cannot be determined using traditional statistical methods. Therefore, we recommend that you assume that the failure will occur and estimate software risks based on the severity of the hazard resulting from the failure. For these reasons, it is recommended that software hazard analysis documentation is maintained as a separate document from your design risk analysis. The software hazard analysis documentation should be referenced in your risk management report, but the software hazard analysis should be included as part of your software verification and validation. The IVDR requires that you include a summary of software verification and validation in Annex II, Section 6.4 rather than the complete hazard analysis document.

A use-related risk analysis should be part of your useability engineering file for IVD devices as required by EN 62366-1:2015. Use-related risks are mentioned in Annex I, Section 5:

“In eliminating or reducing risks related to use error, the manufacturer shall:

    • reduce as far as possible the risks related to ergonomic features of the device and the environment in which the device is intended to be used (design for patient safety), and
    • Give consideration to the technical knowledge, experience, education, training and use environment, where applicable, and the medical and physical conditions of intended users (design for lay, and professional, disabled or other users).”

The above requirement includes not only the ability to read and interpret test results of IVD devices but also the ability of laypersons to properly self-select if an IVD is intended to be sold as an over-the-counter product. Usability also is mentioned in Article 78, Section 3(f):

“for the identification of options to improve the usability, performance and safety of the device;”

Therefore, there should be specific elements of your post-market surveillance plan that are designed to gather feedback on the usability of your IVD device. 

When should risk management activities be performed for IVD devices?

The IVDR does not specifically define when in the design and development process the various risk management activities shall be performed. However, the required risk management activities are specified in the IVDR within Annex I. ISO 14971:2019, however, is more descriptive of the risk management activities and the risk management process. Therefore, your risk management plan should align with the process defined in ISO 14971:2019, Clause 4.1.

Unfortunately, most companies do not include risk management as an integral part of the design and development process. Instead, risk management documentation is created retroactively as part of the documentation preparation for technical file submission. For this reason, most medical device executives fail to see the benefit associated with the risk management process. Even biomedical engineers struggle to appreciate the necessity of following the process outlined in the risk management standard in order to prevent device malfunctions and use errors.

The following is a list of the required risk management activities in the order that they should be occurring. Each activity also references the applicable clause of ISO 14971:2019. We have also grouped the activities into the five phases of design and development:

Design Controls with risk 1024x542 What are the IVDR risk management requirements?

Design Planning

    • Risk management planning (Clause 4.4)

Design Inputs

    • Identification of hazards and hazardous situations (Clause 5.4)

Design & Development

    • Risk estimation (Clause 5.5)
    • Risk evaluation (Clause 6)
    • Risk control option analysis (Clause 7.1)
    • Implementation of risk control measures (Clause 7.2)
    • Residual risk evaluation (Clause 7.3)

Design Verification and Validation

    • Benefit/risk analysis (Clause 7.4)
    • Risk control effectiveness verification (Clause 7.6)

Design Release

    • Evaluation of overall residual risk (Clause 8)
    • Risk management review (Clause 9)

If your company is preparing a 510(k), the company may be able to submit the 510(k) immediately after completion of risk control effectiveness verification. You may also be able to postpone the benefit/risk analysis until you submit your IVD technical file for CE Marking approval. The benefit/risk analysis is not required by ISO 14971 unless the risks are unacceptable, and the FDA does not require a benefit/risk analysis except for novel devices seeking market authorization through a De Novo Classification Request or a Pre-Market Approval (PMA). The FDA also does not require the submission of the complete risk management file.

IVDR risk management requirements are quite different than the US FDA requirements for risk management. An IVD technical file must include a risk management summary report that summarizes all activities that were performed according to the risk management plan. A benefit/risk analysis is required for each risk and the overall risk. The Notified Body auditor is also expected to sample the complete risk management file during quality system audits. Finally, the IVDR includes a requirement for a post-market surveillance plan that includes the collection of production and post-production data as feedback on the risk management process and a post-market clinical performance follow-up (PMPF) plan. 

What production and post-production information should you be collecting for IVD devices?

Medical device manufacturers struggle to see the benefits of requiring a post-market surveillance system, and smaller companies, in particular, complain that the cost of the new European post-market surveillance requirements is excessive and prohibits innovation. However, the primary role of post-market surveillance is to ensure rapid initiation of containment and corrective actions for devices that malfunction and/or present unacceptable risks to the intended users and intended patient population. The purpose of generating the post-market surveillance data is defined in the IVDR within Article 78, Section 3.

The minimum requirements for post-market surveillance are defined in Annex III, Section 1(a):

  • Information concerning serious incidents, including information from PSURs, and field safety corrective actions;
  • records referring to non-serious incidents and data on any undesirable side-effects;
  • information from trend reporting;
  • relevant specialist or technical literature, databases and/or registers;
  • information, including feedback and complaints, provided by users, distributors, and importers; and
  • publicly-available information about similar medical devices.

The IVDR is not prescriptive regarding what production data shall be collected for post-market surveillance, but the reason for this is that there are many different types of manufacturing processes with different process risks. In addition, the IVDR includes software as a medical device where there is no manufacturing process at all. Therefore, the best approach for determining what production data to collect is the review your process risk analysis (e.g. pFMEA). The process risk analysis for each manufacturing process should allow you to identify the manufacturing process steps that have the greatest residual risks (e.g. risk priority number or RPN) and potentially the highest severity of the effect. The risks should be identified as a priority for post-market surveillance. You should also include process parameter monitoring data for any validated processes (e.g. sterilization time, temperature, and pressure). Finally, you should also monitor rejects at incoming inspection, in-process inspection, and final inspection operations.  

Other IVD Risk Management Resources

The following resources may be helpful for creating and maintaining your IVD risk management file:

  1. EN ISO 14971:2019 + A11:2021
  2. ISO/TR 24971:2020
  3. GHTF/SG3/N15R8
  4. Regulation (EU) 2017/746 (i.e. IVDR)
  5. IEC/TR 80002-1:2009
  6. EN 62366-1:2015 + A1:2020

Note: Whenever possible, hyperlinks to the Estonian Centre for Standardization and Accreditation (EVS) are provided for procedures, because we find that this source is frequently the least expensive, and digital versions are available on-demand as a multi-user license.

What are the IVDR risk management requirements? Read More »

How to create an IVDR checklist

4 Comments / CE Marking, In Vitro Diagnostic (IVD) Devices, ISO 13485:2016, ISO Auditing, ISO Certification, IVDR - Regulation (EU) 2017/746 / By

This article provides an IVDR checklist for updating your ISO 13485 quality system to comply with EU Regulation 2017/746.

IVD Checklist 1024x474 How to create an IVDR checklist

Why I created an IVDR checklist?

Hundreds (if not thousands) of IVD manufacturers are currently updating their ISO 13485:2016 certified quality system from compliance with the In Vitro Diagnostic Directive (i.e. Directive 98/79/EC) or IVDD to the new EU In Vitro Diagnostic Regulation (i.e. Regulation 2017/746). Revision of technical files and the associated procedures for creating your technical files is a big part of these updates. However, there is much more that needs to be updated than just the technical documentation. Therefore, IVD manufacturers are asking Medical Device Academy to conduct remote internal audits of their quality system to identify any gaps. Usually, we conduct internal audits using the process approach to auditing, but this is one of the scenarios where the element approach and an audit checklist are invaluable.

If you would like to download our IVDR checklist for FREE, please fill in the form below.

How do you use an audit checklist?

An audit checklist is used by quality system auditors to collect objective evidence during an audit. This objective evidence verifies compliance with regulatory requirements or internal procedural requirements. If the auditor is unable to find supporting evidence of compliance, the auditor may continue to search for data or identify the requirement as a nonconformity. Typically the checklist is in four columns using a tabular form. The left-hand column lists each requirement. The next column is where the auditor documents records sampled, procedures reviewed, and personnel interviewed. In the third column, the auditor indicates what they were looking for in the records, procedures, or during the interview. Some of the information in the second and third columns can often be entered prior to starting the audit by reviewing audit preparation documents (e.g. procedures and previous audit reports). In the fourth column the auditor will enter the objective evidence for conformity collected during the audit.

How to create an IVDR quality plan

Most of the companies that are preparing for an IVDR audit by their notified body already have ISO 13485:2016 certification and they are using the self-declaration pathway for CE Marking under the IVDD. Under the IVDR, a notified body must now review and approve the technical file. The notified body must also confirm that their quality system has been updated to include the IVDR requirements. The Technical File requirements are found in Annex II and III; while most of the quality system requirements are found in the Articles.  The quality system requirements include:

  1. a risk management process in accordance with Annex I – deviations from ISO 14971:2019 will be necessary)
  2. conduct a performance evaluation–including a post-market performance follow-up (PMPF). This requirement is defined in Article 52 and Annex XIII
  3. create and maintain a technical file in accordance with Annex II & III
  4. create and maintain a Declaration of Conformity in accordance with Article 17
  5. CE Mark the product in accordance with Article 18
  6. implement a UDI system in accordance with Article 24, 26, and 28
  7. record retention requirements for the technical file, Declaration of Conformity, and certificates shall be increased from 5 years to 10 years
  8. set-up, implement, and maintain a post-market surveillance system in accordance with Article 78
  9. document a procedure for communication with Competent Authorities, Notified Bodies, Economic Operators, Customers, and/or other Stakeholders
  10. update procedures for reporting of serious incidents and field safety corrective actions in the context of vigilance to require reporting within 15 calendar days
  11. update the product labeling to comply with Annex I, section 20
  12. revise the translation procedure to ensure translations of the instructions for use are available in all required languages of the member states, and make sure these translations are available on the company website
  13. create a procedure for utilization of the Eudamed database for registration, CE Marking applications, UDI data entry, and vigilance reporting

Which IVDR requirements are already met by your quality system?

Some companies also manufacture medical devices that must comply with Regulation (EU) 2017/745. For those companies, many of the above requirements are already incorporated into their quality system. In this case, you should still include all of the IVDR checklist requirements in your plan, but you should indicate that the requirement has already been met and audited previously.

Content related to our IVDR checklist

On Friday, April 1, 2022 @ 11 am EDT (8 am Pacific), Rob Packard will be Joe Hage’s guest speaker on the weekly MDG Premium Live video (please click on the link to register). The topic of the live presentation will be “How to create an IVDR quality plan.” #MedicalDevices #MDGpremium

How to create an IVDR checklist Read More »

What are the four types of risk analysis?

1 Comment / ISO 14971:2019 (Risk Management) / By / , , , , , , , , , , , ,

You are familiar with design and process risk analysis, but do you know all four types of risk analysis?

Last week’s YouTube live streaming video answered the question, “What are the four different types of risk analysis?” Everyone in the medical device industry is familiar with ISO 14971:2019 as the standard for medical device risk management, but most of us are only familiar with two or three ways to analyze risks. Most people immediately think that this is going to be a tutorial about four different tools for risk management (e.g. FMEA, Fault Tree Analysis, HAZOP, HACCP, etc.). Instead, this article is describing the four different quality system processes that need risk analysis.

What are the four different types?

The one most people are familiar with is risk analysis associated with the design of a medical device. Do you know what the other three are? The second type is process risk management where you document your risk estimation in a process risk analysis. The third type is part of the medical device software development process, specifically a software hazard analysis. Finally, the fourth type is a Use-Related Risk Analysis (URRA) which is part of your usability engineering and human factors testing. Each type of risk analysis requires different information and there are reasons why you should not combine these into one risk management document or template.

Design Risk Analysis

Design risk analysis is the first type of risk analysis we are reviewing in this article. The most common types of design risk analysis are the design failure modes and effects analysis (dFMEA) and the fault-tree analysis (FTA). The dFMEA is referred to as a bottom-up method because you being by identifying all of the possible failure modes for each component of the medical device and you work your way backward to the resulting effects of each failure mode. In contrast, the FTA is a top-down approach, because you begin with the resulting failure and work your way down to each of the potential causes of the failure. The dFMEA is typically preferred by engineers on a development team because they designed each of the components. However, during a complaint investigation, the FTA is preferred, because you will be informed of the alleged failure of the device by the complainant, but you need to investigate the complaint to determine the cause of the failure. Regardless of which risk analysis tool is used for estimating design risks, the risk management process requires that production and post-production risks be monitored. Therefore, the dFMEA or the FTA will need to be reviewed and updated as post-market data is gathered. If a change to the risk analysis is required, it may also be necessary to update the instructions for use to include new warnings or precautions to prevent use errors.

Process Risk Analysis

Process risk analysis is the second type of risk analysis. The purpose of process risk analysis is to minimize the risk of devices being manufactured incorrectly. The most common method of analyzing risks is to use a process failure modes and effects analysis (i.e. pFMEA). This method is referred to as a bottom-up method because you begin by identifying all of the possible failure modes for each manufacturing process step. Next, the effects of the process failure are identified. After you identify the effects of failure for each process step, the severity of harm is estimated. Then the probability of occurrence of harm is estimated, and the ability to detect the failure is estimated. Each of the three estimates (i.e. Severity, Occurrence, and Detectability) are multiplied to calculate a risk priority number (RPN). The resulting RPN is used to prioritize the development of risk controls for each process step.

As risk controls are implemented, the occurrence and detectability scores estimated again. This is usually where people end the pFMEA process, but to complete one cycle of the pFMEA the risk management team should document the verification of the effectiveness of the risk controls implemented. For example, if the step of the process is sterilization then documentation of effectiveness consists of a sterilization validation report. This is the last step of one cycle in the pFMEA, but the risk management process includes monitoring production and post-production risks. Therefore, as new process failures occur the pFMEA is reviewed to determine if any adjustments are needed in the estimates for severity, occurrence, or detectability. If any of the risks increase, then additional risk controls may be necessary. This process is continuously updated with production and post-production information to ensure that process risks remain acceptable.

Software Hazard Analysis

Sofware hazard analysis is becoming more important to medical devices as physical devices are integrated with hospital information systems and with the development of software as a medical device (SaMD). Software risk analysis is typically referred to as hazard analysis because it is unnecessary to estimate the probability of occurrence of harm. Instead, it is only necessary to identify hazards and estimate harm. Examples of these hazards include loss of communication, mix-up of data, loss of data, etc. For guidance on software hazard identification, IEC/TR 80002-1:2009 is a resource. FDA software validation guidance indicates that software failures are systemic in nature and the probability of occurrence cannot be determined using traditional statistical methods. Therefore, the FDA recommends that you assume that the failure will occur and estimate software risks based on the severity of the hazard resulting from the failure. 

Use-Related Risk Analysis

The fourth and final type of risk analysis is use-related risk analysis (URRA). Most development teams assume that they are able to use traditional hazard identification techniques to identify the potential use-related risks. However, use-related risks are inextricably linked to the experiences of the user. The development team has unique knowledge of the device they are developing, and therefore it is likely that use-related risks associated with a lack of knowledge about the device will result in use errors that the development team would not realize. For this reason, formative testing is necessary to identify unforeseen use-related risks. Once formative testing identifies these risks, additional formative usability testing can be used to create and refine the instructions for the use of a medical device. Finally, formative testing can be used to develop user training programs that prevent potential use errors. Once the development team has completed the necessary formative testing, then summative usability testing is used to validate the effectiveness of the risk controls that were implemented.
 
In the past, I believed that the FDA’s focus on usability was the review of summative usability testing. However, I have learned that the FDA feels it is equally important to begin the human factors testing process by first performing a use-related risk analysis and then identifying the critical tasks. Without identifying these critical tasks, it is not possible for the FDA to determine if the moderator of the summative testing has observed all of the critical tasks being performed correctly. An example of a Use-Related Risk Analysis (URRA) was provided by the FDA in a 510(k) AI deficiency letter that we received. The example is provided below.
URRA table example from the FDA 300x117 What are the four types of risk analysis? Example of a URRA Table provided by the FDA
 

Can you use only the IFU to prevent use-related risks?

Instructions for use (IFU) are required to include warnings and precautions. This information provided by the manufacturer explains how to use a medical device correctly and identifies the residual risks. This is a form of risk control, but it is the least effective form of risk control and should be the risk control of last resort. Not everyone reads the IFU, and you cannot guarantee that everyone will understand the instructions. You certainly can’t be sure that users will remember all your warnings or precautions when they are tired, stressed, or acting in an emergency situation. Design controls and protective measures should be implemented as the first and second priority for risk controls, and the IFU should be your lowest priority.
 
This is the reason why we have color-coding, design features that eliminate the possibility of a use error, we provide training to users, and we are required to monitor use-related risks for medical devices. Formative usability testing is intended to identify use errors we did not anticipate, to help us develop instructions for use (IFU), and help us develop training for users. Summative testing is intended to validate that the design, training, and IFU are effective at preventing use errors. All three of these aspects work together–not the IFU alone. In fact, there is an entire alarms standard that identifies protective measures that shall be used for electromedical devices to prevent use errors (i.e. – IEC 60601-1-8).

 

Facilitating Risk Management Activities – An Interview with Rick Stockton

I listened to our YouTube video about the four different types of risk analysis, you may have heard my reference to Rick Stockton’s interview that we posted on our YouTube channel and embedded above. In our interview with Rick Stockton, we discussed how to facilitate risk management activities during the design and development of medical devices. If you are interested in learning more about Rick and facilitating risk management activities, please watch the video of our interview with Rick.
 

What are the four types of risk analysis? Read More »

Medical Device Shortage Reporting

1 Comment / FDA, Health Canada / By / ,

The FDA and Health Canada both have executive-level orders requiring medical device shortage reporting or supply-chain disruptions.

In a previous article, we discussed supply-chain disruptions and mentioned that there might be medical device shortage reporting requirements if that disruption causes a market shortage of the manufactured device. Both the United States and Canada have reporting requirements for supply disruptions or the market’s ability to meet the demand of specific types of devices.

Both the U.S. FDA and Health Canada have executive-level orders that require reporting of shortages or disruptions to the supply of medical devices deemed necessary for the COVID-19 Health Emergency. There is some overlap, but each country is monitoring and experiencing shortages and disruptions of different devices.

Where did medical device shortage reporting responsibilities come from?

Check 21 CFR 820, ISO 13485:2016, and even peek at SOR 98-282 and see if you can find your obligations for reporting. Go ahead. I’ll wait… Not much in there, right? Adverse events, complaints, etc., but not market shortages.
Medical device shortage reporting is specific to health emergencies. The U.S. FDA and Health Canada happen to be two authorities having jurisdiction with reporting requirements for shortages concerning the COVID-19 Health Emergency. However, there may be others, so having your organization’s regulatory affairs manager verify the reporting requirements for the markets in which you are engaged might not be bad.

U.S. FDA 506J reporting-

fda logo Medical Device Shortage Reporting
U.S. FDA logo


In the United States, an Amendment to the U.S. Food, Drug, and Cosmetics Act requires regulatory reporting by medical device manufacturers to the U.S. FDA. It is sometimes called 506J reporting for the Section of the U.S. FD&C Act where it is located.

You will find the statutory requirements outlined within 21 USC 356J.

21 USC 356j screenshot from uscode.house .gov cropped title Medical Device Shortage Reporting
21 USC 356J Discontinuance or interruption in the production of medical devices

For the full text read, 21 USC 356j: Discontinuance or interruption in the production of medical devices. (Interestingly enough, the website where this information is available is not an HTTPS site, so visit at your own discretion).

http://uscode.house.gov/browse.xhtml

What devices are subject to 506J reporting?

There are two types of devices that the FDA is monitoring. “Critical” devices and an FDA-published list of devices for which COVID-19 is causing a higher than expected demand.

The FDA has released a guidance document that contains criteria for what is considered to be a “Critical Device”. This includes devices such as those used during surgery, emergency medical care, and those intended to treat, diagnose, prevent, or mitigate COVID-19.

fda guidance criteria for 506j critical devices Medical Device Shortage Reporting
Screenshot of the Critical Device Criteria for 506J reporting

There is also a published list of concerned devices that the FDA is specifically monitoring. The FDA website lists these devices by product code, but include the following device types;

  • Clinical Chemistry Products
  • Dialysis-Related Products
  • General ICU/Hospital Products
  • Hematology Products
  • Infusion Pumps and Related Accessories
  • Microbiology Products
  • Needles and Syringes
  • Personal Protective Equipment (PPE)
  • Sterilization Products
  • Testing Supplies and Equipment
  • Ventilation-Related Products
  • Vital Sign Monitoring
fda 506j shortage list screenshot Medical Device Shortage Reporting
Screenshot of the FDA Shortage List

Understandably this process may not be intuitive, and for this, the FDA has released a guidance document that addresses;

  • Who must make the notification
  • When you should make a notification
  • What information needs to be included within your 506J notification
  • How to make a notification, and
  • Penalties for failure to make a notification

The referenced product codes may not be an all-inclusive list or entirely up to date. The best suggestion for full compliance is to go straight to the source of the regulation, in part because noncompliance can result in enforcement action from the FDA. If you think that your device might require notification to the FDA but isn’t in the reference table, you should contact the FDA for notification clarification. Below is the quote from the FDA website, and it includes the contact email for asking these specific questions to ‘the agency.’

“If a device type is not included in this table, but you believe it requires a notification under section 506J of the FD&C Act, or if you have questions regarding the device types in this table, you should contact FDA at CDRHManufacturerShortage@fda.hhs.gov and include “Question” in the subject line of the email.”

Link to the FDA Guidance Document for 506J Reporting- HERE

How to make a 506J report to the U.S. FDA?

The FDA accepts 506J reports in multiple ways. For example, you may use the 506J Reporting web form or submit a notification by email directly to (Include Email Here). In addition, Medical Device Academy has developed a Work Instruction and Form to determine if your company is experiencing a reportable discontinuance or meaningful disruption in manufacturing a medical device as well as compiling the report for submission.

There are a few methods of notification, a web form for individual notifications and spreadsheet options for multiple notifications at once, or emailing a report directly to the FDA reporting email included below;

CDRHManufacturerShortage@fda.hhs.gov

fda 506j webform screenshot Medical Device Shortage Reporting
Screenshot of the FDA 506J reporting Webforms from https://fdaprod.force.com/shortages

It is for this process that Medical Device Academy developed WI-010 506J Shortage Reporting to the U.S. FDA. This work instruction and associated form, FRM-053 506J Reporting Form are designed to walk you through the process of determining reportability and compiling the information necessary to either complete the webform or email the report directly to the shortage reporting email.

Medical Device Shortage Reporting to Health Canada

health canada logo sante canada 1024x224 1 Medical Device Shortage Reporting
Health Canada logo

Rather than discontinuance and disruption of manufacture, Health Canada is monitoring for shortages of specific devices. Therefore, Health Canada wants Medical Device Shortage Reports regardless of the reason for the shortage. It also shows that this is not identical reporting of the same conditions to two different authorities. Health Canada will also accept reports from Importers because the frame of reference is Canada’s supply of medical devices concerning Canada’s needs.

As an Authority Having Jurisdiction, Health Canada also has reporting requirements for medical device shortage reporting of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.

The table below shows the device types by their classification level that HC requires supply chain disruption notifications for. This information is current as of September 5th, 2021, and the link below will take you to the HC website page for the most up-to-date list.

https://www.canada.ca/en/health-canada/services/drugs-health-products/medical-devices/shortages/covid19-mandatory-reporting.html

Class I Medical Devices
Masks (surgical, procedure or medical masks) – Level 1, 2, 3 (ATSM)
N95 respirators for medical use
KN95 respirators for medical use
Face shields
Gowns (isolation or surgical gowns) – Level 2, 3 and 4
Gowns (chemotherapy gowns)
Class II Medical Devices
Ventilators (including bi-level positive airway pressure or BiPAP machines, and continuous positive airway pressure or CPAP machines)
Infrared thermometers
Digital thermometers
Oxygen Concentrators
Pulse Oximeters (single measurement)
Aspirators/suction pumps (portable and stationary)
Laryngoscopes
Endotracheal tubes
Manual resuscitation bags (individually or part of a kit)
Medical Gloves – Examination and Surgical (Nitrile, Vinyl)
Oxygen Delivery Devices
Class III Medical Devices
Ventilators (including bi-level positive airway pressure or BiPAP machines)
Pulse Oximeters (continuous monitoring)
Vital Signs Monitors
Dialyzers
Infusion Pumps
Anesthesia Delivery Devices
Class IV Medical Devices
Extracorporeal Membrane Oxygenation (ECMO) Devices
List of ‘Specified Devices’ that Health Canada is monitoring for shortage reporting

One of the things that Health Canada does an excellent job of is defining its expectations. In the Second Interim Order Respecting Drugs, Medical Devices and Foods for a Special Dietary Purpose in Relation to COVID-19, it is explained the Manufacturers or Importers should report to the Minister actual or expected shortages of the device, OR components, accessories, or parts. These notifications must be made within 5-days of becoming aware of the shortage or the anticipated shortage date. Update reports must be made within 2-days of becoming aware of new information regarding the shortage, and a closing report must be made within 2-days of the end of the shortage.

(This link is to the HC website for the 2nd Interim Order referenced above)

https://www.canada.ca/en/health-canada/services/drugs-health-products/covid19-industry/drug-medical-device-food-shortages/interim-order-2021.html

How to make a shortage report to Health Canada?

These reports are submitted online through the Health Canada Website. They have an entire section dedicated to medical device shortages, and the reporting links can be found there (Link here). If you have any questions or are on the fence about notification, you can email Health Canada at MD.shortages-penurie.de.IM@canada.ca.

Inkedhc reporting shortages overview screenshot edited LI 1024x384 Medical Device Shortage Reporting
Health Canada Webforms for reporting a shortage and the end of a shortage

The webform for reporting a shortage is the same webform that is used for providing update reports to Health Canada as well. This is both for manufacturers of specified medical devices as well as importers.

Medical Device Shortage Reporting Read More »

Feedback options for your pre-sub meeting request

1 Comment / 510(k) / By

This article analyzes feedback options offered for a pre-submission meeting request and gives you insight into which option is best for you.

Pre submission meeting request feedback options Feedback options for your pre sub meeting request

In 2021 the FDA published an updated guidance document about pre-submission meeting requests (i.e., pre-sub meetings). The purpose of a pre-submission meeting is to ask and obtain answers to your questions directly from the FDA. The guidance document has great advice on what to ask the FDA and what you should not ask. The best time to be asking the FDA questions is before you begin your verification and validation testing. The FDA can give you valuable feedback on your testing plan to demonstrate safety and efficacy, but if you already started your testing it’s too late. Unfortunately, the guidance document has no advice on which method of feedback to select or why.

What is the last section of your pre-sub?

The last section of your pre-submission meeting request should indicate what method of feedback you prefer and what your preferred dates are for a potential meeting with the FDA. There are three options offered for methods of feedback:

  1. a face-to-face meeting
  2. a conference call
  3. an email response

Feedback option 1 – A Face-to-Face Meeting

Some executives believe that face-to-face meetings are critical in establishing relationships with people. However, you need to understand the culture of the people your are trying to build a relationship with. The FDA is an overworked bureaucracy, and government agencies have security concerns. When the FDA meets with visitors they must go to a different building and arrange for their guests to pass through security. This is more work and takes more time. To justify the extra work and time, you need a compelling reason why a face-to-face meeting with the FDA is necessary.

Traveling to the FDA will cost your team money and time that conference calls and emails will not. More importantly, you are limited to one hour for a pre-submission meeting. One hour is barely enough time to ask questions and listen to the answers. You only have minutes to introduce your company, your team and the describe the product. There is no time for relationship building. The best way to impress the FDA is to: 1) prepare thoroughly, 2) conduct an efficient meeting, and 3) ask smart questions.

There is one time when you should visit the FDA face-to-face–if you have a powerful demonstration and video just isn’t good enough.

Feedback option 2 – Conference Call

Conference calls save you time and money, but conference calls also save the FDA time and effort. You won’t personally meet people from the agency, but you can communicate information prior to the meeting and you can provide videos of simulated use for your device. Conference calls do have the advantage of allowing you to mute the call for a moment and make a comment among your team members without the agency listening as well. Whenever you are discussing a performance testing plan or a clinical study protocol with the FDA, you will probably want a conference call to enable clarification questions.

Feedback option 3 – Email

Email responses from the FDA are highly underrated in value. When you specify an email response, you generally receive a response to your questions sooner. You also should receive more information, because each person from the agency is able to provide an hour of their time to write detailed feedback. In a conference call, you are speaking for part of the hour and only one person from the FDA can speak at a time. Therefore, you almost always have less feedback during conference calls and face-to-face meetings. The primary downside to email as a feedback method is that it is not interactive.

Update Related to Covid-19 Pandemic

The FDA is not allowing face-to-face meetings during the Covid-19 pandemic. Three of the pre-subs Medical Device Academy submitted during the pandemic were rejected by the FDA due to insufficient FDA resources. We are also noticing increased delays in the pre-sub timeline. Two pre-subs had a 5-month scheduling lead-time instead of 60-75 days. Due to these delays, we have advised many clients to skip the presub if testing requirements are well defined in guidance documents and predicate 510k summaries. Althought the email option should theoretically result in a faster response from the FDA, during the pandemic we have actually seen that the teleconference options has been faster. My theory is that the teleconferences are require coordinating the schedules of multiple people, and therefore there is more focus by lead reviewers in making sure the feedback is provided in time for the scheduled teleconference. 

Which feedback option will you pick?

Regardless of which feedback method you choose, you can always follow-up with supplemental questions and obtain additional feedback from the FDA after you receive the initial response to your pre-submission meeting request. If you are planning a clinical study, you might seek interactive feedback in a conference call during the pre-submission meeting. Then you can follow-up with a clinical study protocol as a supplement to obtain additional feedback from the FDA.

Additional Resources

If you are interested in learning more about a pre-submission meeting request to the FDA, consider watching and listening to a webinar on the topic.

Feedback options for your pre-sub meeting request Read More »

MDR Gap Analysis, how small changes in EU 2017/745 can result in BIG…

1 Comment / CE Marking / By

A profound realization was made while performing a routine MDR gap analysis of Medical Device Academy’s technical documentation procedure.

%name MDR Gap Analysis, how small changes in EU 2017/745 can result in BIG...

In this article I wanted to discuss the functional effect that a gap analysis can have on your entire quality system. Everything mentioned below is because I performed a MDR gap analysis against a single procedure which resulted in the addition of three words to a single sentence. This small modification was made simply for clarification of a sentence that was already compliant without the change. Those three words made me reexamine the entire procedure. Then I tried to identify possible interpretations of that one sentence both before and after the modification. Finally, I questioned how adding three words might affect quality systems as a whole.

What was the section reviewed in the MDR gap analysis?

The MDD (i.e. 93/42/EEC) did not include a section that defined the requirements for technical documentation. The MDD does not include the phrase “device description,” or “intended patient population.” Therefore, when the MDR came into force, companies were forced to update their technical documentation procedure to comply with the new Annex. The section of the regulation that I was performing the MDR gap analysis against was Annex II. Specifically, subsections 1.1a) and 1.1c):

  • 1.1(a) “product or trade name and a general description of the device including its intended purpose and intended users“;
  • 1.1c) “the intended patient population and medical conditions to be diagnosed, treated and/or monitored and other considerations such as patient selection criteria, indications, contra-indications, warnings;

(taken from the English Version of Regulation EU 2017/745 on 08/30/2018)

There are only two places in the MDD where the phrase “intended users” is found: Article 11(14) and Annex I(1). In Annex I(1) of the MDD, the Directive clarified that design of devices shall include: “consideration of the technical knowledge, experience, education and training and where applicable the medical and physical conditions of intended users (design for lay, professional, disabled or other
users).” The introduction of the phrase “intended patient population” in the MDR forced me to reevaluate the wording we were using in our SYS-025 Technical Documentation Procedure. The wording we were using was: “users and patients.” Therefore, first I added the word “intended” before “users” and “patient”, and second I added the word “population” after “patient.”

Why would the MDR require these specific changes?

These are very small changes but the changes were meant to more clearly explain that documentation was needed for very specific areas. Previous versions of the procedure left more room for interpretation that intended users may not have been differentiated as strongly from intended patients, especially for cases where they are one in the same. These two subsections of Annex II, 1.1 (a) and 1.1 (c), outline that there are two specific populations of real people that must be taken into account within the device description and design specification areas of your technical documentation:

  • the intended users, and
  • the intended patient.

Even if the user and the patient represent the same person, these are two separate areas that require technical documentation. Intended users, whom may or may not be within the “intended patient population” that the device was designed for, should be entirely separate on your technical documentation.

Take for example, a home use lancet device included within a glucometer kit. The intended user is probably going to be the diabetic patient who wishes to check their blood glucose levels at home. In this case the intended user would also be a member of the intended patient population.

However, because this is not always the case there should be a clear separation of the documentation between the intended users of 1.1(a) and the intended patient population in 1.1(c). An example of this would be something like a surgical scalpel. A medical device that would probably be intended to be used by a physician within the controlled environment of a surgical procedure. In this example scenario the intended patient population would differ from the user because the patient would be the population of people who would need to undergo the above mentioned surgical procedures, but the user of the device is the physician or surgeon actually performing the procedure.

Considerations going beyond my MDR gap analysis

Everything that we are talking about is for intended patient populations or intended users. Documentation regarding these areas is important for several reasons and strong record keeping early on in the device development stages will help with things like statistical analysis, tracking and trending, and even possible modifications to Instructions For Use or labeling in the future. Most people performing a gap analysis would just make the changes and move forward without a second thought. However, the phrase “intended patient population” was introduced to the MDR for a reason, and it forced me to think beyond the task at hand.

Let us look back at our diabetic patient with the home use glucometer kit. I like fleshing my characters out, and providing a back story really helps me mentally associate these fictitious characters with the potential real-life patients they may represent.

I am going to name him Matthew D. Mellitus Jr. He is 28 years old. A morbidly obese type II diabetic, and a married father of two. Beyond the extraordinary play on words with Mr. D. Mellitus, II is I promise that there is a purpose behind this.

Matt is the intended user of the specific glucometer kit that he has. It contains within it, a glucometer, alcohol prep pads, a lancet device, spare lancets, and a container of test strips. He is also a member of the intended patient population because he is a diabetic with orders from his primary care physician to check his blood glucose levels at home.

One day while at home his spouse finds that it appears he is sleeping at an odd time of day and is rather unarousable. Knowing that he is diabetic she checks his blood sugar using that same glucometer kit. Now this is a broad made up but plausible scenario. Is his spouse an “intended user”? Sure, Matt the diabetic is still a member of the “intended patient population”, but ask yourself some of these follow up questions:

  • Did the manufacturer of the glucometer kit design and document the intended user to include caretakers of the “intended patient population”?
  • If not, does this mean that Matt’s spouse was using the glucometer in an off-label manner?
  • If both caretakers and patients are intended users, are the Instructions For Use written in such a manner that they are clearly understood when applied to testing blood glucose levels on others as well as yourself?
  • Perhaps this was an unforeseen human factor when designing the glucometer kit that needs further study?

I promise that questions like these are better asked and incorporated into the design and development of a medical device early on rather than having to address them post-market release and have to consider recalls, notifications, corrective actions, etc. in the future.

Do the questions end with my MDR gap analysis?

All of the above discussion resulted from a single sentence, being tweaked just a little bit, in order to make a procedure more clear and leaving less room for interpretation.These are just theoretical questions that should be asked. As the ‘rabbit hole’ always seems to go deeper and branch off so do some of these theoretical situations. This was just a bit of a back and forth conversation with myself regarding a very specific section of Annex II. As we delve deeper into the proverbial rabbit hole, consider again the situation where Matt’s spouse used the device. If she was not an “intended user,” does this qualify as “misuse of the device”? Maybe, or maybe not, but each situation will result in different answers to these questions.

If you go back to Annex I, Chapter 1, Section 3(c) it states, “estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse.” If that is considered misuse, is it ‘reasonably foreseeable’ (taken from the English Version of Regulation EU 2017/745 on 08/31/2018)? What is considered misuse? The EU MDR does not have misuse in its definitions. In fact, the term misuse is only even used three times. To narrow down whether or not this is reasonably foreseeable misuse we need to find a working definition within an accepted harmonized standard or other regulation that applies to the governance of medical devices within the same manner that the EU MDR does.

That same thoroughness needs to be applied to how misuse may be considered foreseeable. Maybe through human factors studies? Maybe through post market surveillance it is discovered that the device is sometimes used by someone other than an intended user, or for something other than the intended purpose. Should misuse be discovered, or suspected does it fall under the realm of it being ‘reasonably foreseeable?’ Ask these questions early, ask them often and then don’t be afraid to ask if they still apply in the future. Have regulations or standards changed? Proactive measures can help discover issues sooner. This lets risks be addressed sooner and ultimately could prevent negative outcomes and experiences from the patients these devices are meant to help.

Conclusions of this MDR gap analysis

I had these thoughts while updating Medical Device Academy’s procedures. First, procedures should always be living documents that can grow and change as standards and regulations metamorphasize to meet the needs of the ever evolving medical device community. This MDR gap analysis applies largely to technical documentation and as such we updated our technical documentation procedure. Every time we analyze quality system documents and technical documentation through the lens of a new standard or regulation, we are certain to expand our appreciation for the complexity of medical device design and development.

MDR Gap Analysis, how small changes in EU 2017/745 can result in BIG… Read More »

Device Supply Chain Disruptions

3 Comments / FDA, Supplier Quality Management / By

What can you do to stay ahead of medical device supply chain disruptions and comply with reporting requirements of possible device shortages?

Device Supply Chain Disruptions Device Supply Chain Disruptions

Supply chain issues can be somewhat cyclical. As we approach the holiday season, we also approach the shipping season. Public shipping services such as FedEx and UPS see an increase in freight as the holiday seasons approach. Manufacturers need raw materials and components to stock the shelves with all of those holiday gifts. Since we are still living under pandemic conditions, I would be willing to bet there will be more care packages and mailed gifts in place of traditional gatherings. On top of the approaching increase in demand, staffing shortages can very quickly exacerbate supply chain bottlenecks. All the while importers are still expected to… well, import! If transportation affects all general industry you can bet it can also cause medical device supply chain disruptions.

So what does an overburdened mail service have to do with medical devices and quality systems?

Consider, how are your customers getting your product in their hands? How are you receiving raw materials and components? How about your contract manufacturer? Do they have supply chain redundancies? Does your supplier quality agreement address notifications for shipping disruptions? 

Do you have a regulatory obligation to report a shortage/supply chain disruption or interruption of manufacturing to the FDA, or Health Canada? The FDA monitors for discontinuance and meaningful disruption of manufacturing certain devices and similarly Health Canada monitors their own list of devices for market shortages. Supply chain disruptions either through difficulty sourcing of raw materials and components, or through transportation breakdown of finished devices to market are just one way you could experience a reportable disruption or shortage.

Matthew did not choose the topic of medical device supply chain disruptions randomly. His signature brand of pessimistic cynicism is the reason we have him tasked with keeping his fingers on the pulse of global concerns and potential threats and risks. Potential supply chain disruptions will involve your quality staff in developing preventive actions and contingency plans in case there is an issue. Then, your regulatory team will be in charge of reporting and AHJ notification if you are an affected manufacturer (or importer in Canada!). Understaffed and overloaded shipping and transportation suppliers are about to be bombarded with seasonal freight. This makes them an attractive target for ransomware because, just like healthcare facilities, they will not be in a situation where they can afford any downtime. 

fda logo Device Supply Chain Disruptions
U.S. FDA

The FDA requires reporting shortages and supply chain disruptions to CDHR of permanent discontinuance or interruption in manufacturing of a medical device in Section 506J of the FD&C Act. Especially so in response to the COVID-19 public health emergency. In part, the general public’s need for healthcare during the pandemic guides what devices the FDA needs notification about.

Currently, the FDA is concerned about specific device types by product code or any devices that are critical to public health during a public health emergency. For the most up to date list, the URL to the FDA website will show the specific product codes of the monitored device types;

health canada logo sante canada 1024x224 1 Device Supply Chain Disruptions
Health Canada

As an Authority Having Jurisdiction, Health Canada also has reporting requirements for supply chain disruptions of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.

The table below shows the device types by their classification level that HC requires supply chain disruption notifications for. This information is current as of September 5th, 2021, and the following link will take you to the HC webpage for the most up-to-date list.

Class I Medical Devices
Masks (surgical, procedure or medical masks) – Level 1, 2, 3 (ATSM)
N95 respirators for medical use
KN95 respirators for medical use
Face shields
Gowns (isolation or surgical gowns) – Level 2, 3 and 4
Gowns (chemotherapy gowns)
Class II Medical Devices
Ventilators (including bi-level positive airway pressure or BiPAP machines, and continuous positive airway pressure or CPAP machines)
Infrared thermometers
Digital thermometers
Oxygen Concentrators
Pulse Oximeters (single measurement)
Aspirators/suction pumps (portable and stationary)
Laryngoscopes
Endotracheal tubes
Manual resuscitation bags (individually or part of a kit)
Medical Gloves – Examination and Surgical (Nitrile, Vinyl)
Oxygen Delivery Devices
Class III Medical Devices
Ventilators (including bi-level positive airway pressure or BiPAP machines)
Pulse Oximeters (continuous monitoring)
Vital Signs Monitors
Dialyzers
Infusion Pumps
Anesthesia Delivery Devices
Class IV Medical Devices
Extracorporeal Membrane Oxygenation (ECMO) Devices

How to prevent device supply chain disruptions

Harden your supply chain with redundancies. Now is the time to qualify a second supplier as a contingency plan before it is too late…. Maybe even consider opening a Preventive Action? (HINT HINT for those ISO 13485 manufacturers that need to beef up their Clause 8.5.3. operations!)

Supply chains have both up and downstream functions. First, you likely need to source raw materials and components for production. Then you also need to ship those finished devices to distribution centers and your customers. Disrupt either of those and your ability to sell your devices is compromised or even completely halted.

Ask yourself, “Do I have a backup option for shipping?”, and “Do I have a backup option for raw materials and components?”.

Why?

Why go through all of that effort? Well, if you lose UPS and have to use FedEx instead, are their shipping procedures identical? Likely you will need a WI level document for each shipper to explain the process. It is easier to pre-qualify a contingency supplier and establish a WI now rather than in December when holiday shipping is at its peak. Consider if you also need to open accounts, etc. Scheduling pickup online may not be intuitive.

Just identifying a backup is important, but you can take that a step further and pre-qualify them. If they are a shipping and transportation supplier then give them a shipment or two in order to evaluate them. Hold them to the same standards you would for your primary supplier.

Did your shipment arrive on time? Was it damaged during transit? This is provisional, or pre-qualification. Did they perform adequately enough to use as a tentative supplier in the event the primary supplier is unable to perform? This is designed to make a full qualification of this supplier simple and easy… If you need to utilize them that is. Maintaining this pre-qualification should also be simple and easy as well. Once a year or so have them deliver a shipment for you.

That is just for importing or shipping finished devices. Do you have backup raw material or components suppliers identified? If not identifying or even pre-qualifying secondary suppliers might not be a bad idea either. You are probably tied down to a specific geographic area for shipping and transportation. You may not be for raw materials. If you need barrels of silicone consider a backup supplier from a different area than your primary supplier. Natural disasters create havoc for shipping. If your silicone comes from Company A, and they are closed down because of a hurricane then Company B ten miles away is likely affected as well.

For example, if you are in the U.S. and your primary supplier is in the Northeast then a backup supplier in the Southeast may be strategically important. Whereas a backup supplier from the Southwest may be cost-prohibitive.

What about your suppliers? Is your device high-risk enough that if your supply chain is disrupted, you have an obligation to report it to the FDA? In that scenario, if you use a contract manufacturer, it may be worth requiring supply chain contingencies and clearly identifying who owns what reporting responsibilities within your quality agreement with them.

There is an element of proactive responsibility in reporting these shortages, or projected shortages. In order to be able to predict medical device supply chain disruptions, there should be metrics that your quality system is monitoring. What is your monthly production capacity? How much raw material or components does your warehousing have on hand? How many units could you manufacture if the transport industry stopped right this second?

Determine what you need to track in order to identify a disruption before it occurs.

Prepare for notification now. This article looked at the problem from the point of view that transportation issues were the root cause of the supply chain disruption. However, many other things could be disruptive, such as natural disasters and supply availability. Therefore, develop a WI level document for conducting these types of regulatory reporting activities and train personnel before a disruption happens. It is easier to tackle these kinds of problems if you already have process controls in place and trained competent staff than if you wait until the reporting timeline clock is already ticking.

In the near future, we will be posting a new blog about 506J and Shortage Reporting. We will also have a work instruction and training webinar available soon.

Future blogs about device supply chain disruptions…Shortage Reporting

About the Author

20190531 005146 150x150 Device Supply Chain DisruptionsMatthew came to us with a regulatory background that focused on OSHA and NFPA regulations when he was a Firefighter/EMT. Since we kidnapped him from his other career, he now works in Medical Device Quality Management Systems, Technical/Medical Writing, and is a Lead Auditor. Matthew has updated all of our procedures for  He is currently a student in Champlain College’s Cybersecurity and Digital Forensics program, and we are proud to say that he is also a member of both the Golden Keys and Phi Theta Kappa Honor Societies! Matthew participates as a member of our audit team and has a passion for risk management and human factors engineering. Always the mad scientist, Matthew pairs his professional life in regulatory affairs with hobbies in the culinary arts as he also holds a Butchers/Meat Cutters certificate from Vermont Technical College.

Email: Matthew@FDAeCopy.com

Connect on Linkedin: http://www.linkedin.com/in/matthew-walker-214718101/

Device Supply Chain Disruptions Read More »

How to find updated FDA forms for a 510k

1 Comment / 510(k) / By

Before you complete FDA forms for your 510k submission, you need to made sure you have the most updated FDA forms.

How do you know if the FDA form you are using is current?

The FDA assigns numbers to each FDA form and the document control number is found in the bottom left footer of the document. In addition, the top right-hand header of the document will have an expiration date for the form (see the picture below). Often the changes to FDA forms are minor, but you should only submit the current version of the FDA form which has not expired.

FDA Form 3881 screen capture How to find updated FDA forms for a 510k

What happens if you are using an expired FDA form?

In the past, if you included an obsolete document in your submission the FDA would often ignore this an proceed with the review of your submission anyway. Now FDA reviewers will identify the obsolete form and require you to resubmit the document on the current version of the form. If the reviewer is conducting an initial Refusal to Accept (RTA) screening, and one of the required items in the RTA screening are identified, then you will receive an RTA Hold letter and the RTA checklist will include a comment that you have used an obsolete version of an FDA Form.

If there are no deficiencies identified in the RTA checklist, the reviewer may still send you an email asking you to submit the document on the correct form. This could be a formal amendment (e.g. K123456/A001) or it could be as an informal email of the corrected document. This type of request could also be identified after the substantive review is complete in the form of a comment in an Additional Information (AI) Request or as part of an Interactive Review Request. An AI Request must be responded to with a formal supplement submitted to the Document Control Center (DCC) as a supplement to the original submission (e.g. K123456/S001) or as an informal ammendment submitted by email.

Examples of updated FDA forms for your 510k submission

Expired forms are frequently submitted to the FDA because submitters are using templates that have not been properly maintained or the submitter modified a form that was submitted in a previous 510k submission. The most common examples include: FDA Form 3514 (i.e. Submission Coversheet), FDA Form 3881 (i.e. Indications for Use), and the RTA Checklist.

Where can you find updated FDA forms?

Recently one of our clients noticed that the 510k template folder we share with people that have purchased our 510k course included obsolete templates for Financial Disclosure. There are three financial disclosure forms that can be used for a 510k submission or De Novo Classification Request:

  1. FDA Form 3454, Certification: Financial Interest and Arrangements of Clinical Investigator (PDF)
  2. FDA Form 3455, Disclosure: Financial Interest and Arrangements of Clinical Investigators (PDF)
  3. FDA Form 3674, Certification of Compliance, under 42 U.S.C. , 282(j)(5)(B), with Requirements of ClinicalTrials.gov (PDF)

We normally update these FDA forms as soon as the new form is released, but this financial disclosure forms are only used in about 10-15% of 510k submissions.

The current version of most FDA forms can usually be found by simply conducting an internet search for the form using your favorite browser. However, sometimes you may find a copy of the document that was editted by a consultant to facilitate completion of the document as an unsecured PDF or Word document. Although this is convenient, you should not use these “bastardized” forms. You should use the original secured form provided by the FDA. These native forms require Adobe Acrobat to complete the form and save the content. The most current version of the FDA form can be found using the FDA’s Form search tool.

Editing and Signing FDA Forms

Most of the FDA forms are secured and you can only enter information in specific locations. If there is a location for a signature, usually the signature cannot be added in Adobe to the secured form. In these situations, our team will save the document as a “Microsoft Print PDF” format. Once the document has been saved in this “non-native” format, you can manipulate almost anything in the document. Then we will add signatures using the “Fill and Sign” tool in Adobe Acrobat or we will use the “Edit” tool. Editing also gives us ability to make corrections when the document has incorrect information filled in the form somewhere.

Another option for adding dates and signatures is for you to save the document as a non-secure PDF. Then using an electronic signature software tool like Docusign, you can request that another person add their electronic signature or you can add your own electronic signature. Some companies prefer to do this to ensure the electronic signature meets 21 CFR Part 11 requirements, but the FDA accepts scanned images of a signature that was added to the document without certification in a 510k submission. This is even true for the Truthful and Accuracy Statement for a 510k. That document can be attached as a PDF in an FDA eSTAR template or you can electronically sign the eSTAR template if the person preparing the eSTAR is also the person signing the Truthful and Accuracy Statement.

Tips and Tricks for maintaining templates

Our company is a consulting firm, and we do not have a formal document control process that would be typical of our clients. However, we do have a shared Dropbox folder where we maintain the most current version of 510k templates. Any obsolete versions we move to an archive folder. However, there are ways to improve this informal system. You can include a date of the document in the file name. For example, “Vol 4 001_Indications for Use (FDA Form 3881) rvp 2-7-2022.” This indicates that this file is the FDA Form 3881 which is the indications for use form used in Volume 4 of the 510k submission. The document is the first document in that volume. The date the form was revised and saved is February 7, 2022 and the author’s initials are “rvp.”

If you are saving 510k templates you might consider adding an expiration date to the file name. For example, “Vol 4 001_Indications for Use (FDA Form 3881) exp 06-30-2023.” This file name indicates that the form’s expiration date is June 30, 2023. The inclusion of an expiration date in the file name is a visual reminder of when you will need to search for an updated FDA form.

A third way to manage your FDA Forms is to include them in your documents of external origin. ISO 13485:2016, Clause 4.2.4, requires that you maintain control of documents of external origin. Therefore, if your company has a formal quality system, a list or log of documents of external origin is the best way to manage FDA forms. Your log should indicate the date the updated FDA form was created, any parent guidance documents should be cross-referenced, and the expiration date of the FDA form should be identified. By using a log of this type, you can sort the list by expiration date or by the date of creation if there is no expiration date identified. Sorting the list will help your team prioritize which documents need to be reviewed next for new and revised versions.

Additional 510k submission resources

The FDA will be updating the 510k guidance for the new FDA eSTAR template by September 2022. Medical Device Academy will be systematically updating all of our templates and training webinars related to preparation of 510k submissions. We will also be preparing for the transition from FDA eCopy submissions to electronic submissions via a Webtrader Account.

You can keep up-to-date on template revisions in one of two ways:

  1. Purchase our 510k course, and you will receive access to the updated templates as they are created. We will send email notifications each time a template is updated.
  2. Register for our New Blog email subscription for automated email notifications of when a new blog is released about updated FDA forms, templates, and webinars.
  3. Register for our New Webinar email subscription for automated email notifications of when a new or revised webinar is scheduled and for email notification of our newest live streaming YouTube videos.

How to find updated FDA forms for a 510k Read More »

Scroll to Top