Author name: Robert Packard

Cybersecurity FDA Guidance for Devices with Software and Firmware

This article reviews the 2014 FDA guidance for premarket and post-market cybersecurity of medical devices with software and firmware—including requirements for reporting field corrections and removals.


Hospitals, home health systems, and medical devices are more connected now than ever. The automatic communication between medical devices and network systems is improving efficiency and accuracy in the world of healthcare. Medical devices are capable of more computing, analysis, reporting, and automation to improve the speed and quality of patient care. There are even devices that consist only of software (i.e. software as a medical device or SaMD). Along with technological advances, new risks and concerns are also introduced. The risk of hackers exploiting vulnerabilities in networks and software is inevitable. The FDA introduced guidance for both pre-market and post-market cybersecurity to assist manufacturers in developing effective controls to protect patients and users. Cybersecurity protection requires Identification, Protection, Detection, Response, and Recovery.

The first step is incorporating processes and procedures to improve device cybersecurity into your quality management system. You should have a specific cybersecurity plan (i.e. security risk management plan) to outline the steps necessary to ensure a safe and secure medical device. In addition, your software development team will need cybersecurity training. The only medical device guidance document specific to cybersecurity is currently AAMI TIR57:2016.

Identify Cybersecurity Risks

The key to understanding and assessing the cybersecurity risks involved with your device begins in the early stages of design development. At the start of the risk management process, you need to identify the essential safety and performance requirements of the device. You need to identify any potential cybersecurity vulnerabilities that could impact safety or performance, as well as the specific harms that could result if the vulnerability were exploited. In assessing the specific vulnerabilities, the FDA recommends using the Common Vulnerability Scoring System (CVSS). There is a CVSS calculator available online through NIST. The overall score is calculated based on different factors such as attack vector (local, adjacent network, network), access complexity (high, medium, low), authentication (multiple, single, none), confidentiality impact (none, partial, complete), exploitability (unproven that exploit exists, proof of concept code, functional exploit exists), remediation level (official fix, temporary fix, workaround, unavailable), collateral damage potential (low, medium, high), etc. This score is used in the hazard analysis in determining the level of risk.
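The scoring described above, written out as an added example (it is not from the FDA guidance or the original article). It uses the CVSS v2 equations and weights, which match the metric names in the paragraph; the vector scored at the bottom is a constructed device scenario, and the environmental security-requirement metrics are assumed to be "not defined".

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}            # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}             # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}            # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}           # confidentiality/integrity/availability impact
E = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0}    # exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}   # remediation level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}              # report confidence
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # collateral damage
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}      # target distribution

BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def round1(value):
    """Round half up to one decimal place, as the CVSS equations require."""
    return float(Decimal(repr(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into a dict; reject malformed, duplicate or missing metrics."""
    metrics = {}
    for part in vector.strip().split("/"):
        name, sep, value = part.partition(":")
        if not sep or not value or name in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def weight(table, metrics, name):
    """Look up a metric's numeric weight; optional metrics default to 'ND'."""
    value = metrics.get(name, "ND")
    if value not in table:
        raise ValueError(f"invalid value {value!r} for metric {name}")
    return table[value]


def base_score(metrics):
    c, i, a = (weight(CIA, metrics, k) for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no impact
    exploitability = 20 * weight(AV, metrics, "AV") * weight(AC, metrics, "AC") \
        * weight(AU, metrics, "Au")
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def temporal_score(metrics):
    return round1(base_score(metrics) * weight(E, metrics, "E")
                  * weight(RL, metrics, "RL") * weight(RC, metrics, "RC"))


def environmental_score(metrics):
    # Assumption: CR/IR/AR are "not defined", so the adjusted temporal score
    # equals the temporal score and only CDP and TD change the result.
    temporal = temporal_score(metrics)
    return round1((temporal + (10 - temporal) * weight(CDP, metrics, "CDP"))
                  * weight(TD, metrics, "TD"))


def severity(score):
    """NVD's qualitative bands for CVSS v2 scores."""
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"


def score_vector(vector):
    metrics = parse_vector(vector)
    env = environmental_score(metrics)
    return {"base": base_score(metrics), "temporal": temporal_score(metrics),
            "environmental": env, "severity": severity(env)}


# Constructed scenario: a bedside device exposes an unauthenticated service on
# the adjacent network; proof-of-concept code exists, only a workaround is
# available, and the manufacturer rates collateral damage potential as high.
DEVICE_VECTOR = "AV:A/AC:L/Au:N/C:P/I:C/A:C/E:POC/RL:W/RC:C/CDP:H/TD:ND"

if __name__ == "__main__":
    print(score_vector(DEVICE_VECTOR))
```

The environmental score is the one to carry into the hazard analysis, because it is the only part of CVSS that reflects the collateral damage potential for the specific device and use environment.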

Cybersecurity Protection

The process of assessing the exploitability and harms can also assist in determining mitigations that can be implemented to reduce the cybersecurity risk. During the design process, the FDA expects you to implement as many protections as practicable. Protections include:

  • Limit Access to Trusted Users
    • Password protection with strengthened password requirements
    • User authentication
    • Layered privileges based on user role
  • Limit Access to Tampering
    • Physical locks on devices and/or communication ports
    • Automatic timed methods to terminate sessions
  • Ensure Trusted Content
    • Restrict software or firmware updates to authenticated code
    • Systematic procedures for authorized users to download software and firmware only from the manufacturer
    • Ensure capability of secure data transfer, use of encryption

Cybersecurity Detection

The FDA also requires you to implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during regular use. You should develop and provide information to the end-user concerning appropriate actions to take upon the detection of a cybersecurity event. Methods for retention and recovery should be provided to allow recovery of device configuration by an authenticated privileged user.
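The protections and detection features listed above (strengthened passwords, layered privileges by role, timed session termination, and logged, timestamped security events) combined in one added example; it is not code from the FDA guidance or the original article. The role names, action names, thresholds and the `AccessController` class are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed role model (layered privileges): each role lists its allowed actions.
ROLE_PRIVILEGES = {
    "clinician": {"view_therapy", "start_therapy"},
    "biomed": {"view_therapy", "export_logs", "restore_config"},
    "service": {"view_therapy", "export_logs", "restore_config", "install_update"},
}
IDLE_TIMEOUT_S = 300      # assumed idle limit before a session is terminated
MAX_FAILED_LOGINS = 5     # assumed lockout threshold
MIN_PASSWORD_LEN = 12     # assumed password-strength rule


def hash_password(password, salt):
    # Salted, slow hash so stored credentials resist offline guessing;
    # tune the iteration count to the device's CPU.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccessController:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so timeouts can be tested
        self.users = {}         # name -> (salt, password hash, role)
        self.failed = {}        # name -> consecutive failed logins
        self.sessions = {}      # token -> [name, role, last activity time]
        self.events = []        # (timestamp, event, detail) security log

    def _log(self, event, detail):
        # Every security-relevant decision is recorded with a timestamp.
        self.events.append((self.clock(), event, detail))

    def add_user(self, name, password, role):
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role: {role}")
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password does not meet the minimum length")
        salt = os.urandom(16)
        self.users[name] = (salt, hash_password(password, salt), role)

    def login(self, name, password):
        record = self.users.get(name)
        if record is None or self.failed.get(name, 0) >= MAX_FAILED_LOGINS:
            self._log("login_rejected", name)
            return None
        salt, expected, role = record
        if not hmac.compare_digest(hash_password(password, salt), expected):
            self.failed[name] = self.failed.get(name, 0) + 1
            self._log("login_failed", name)
            if self.failed[name] == MAX_FAILED_LOGINS:
                self._log("account_locked", name)
            return None
        self.failed[name] = 0
        token = secrets.token_hex(16)
        self.sessions[token] = [name, role, self.clock()]
        self._log("login_ok", name)
        return token

    def authorize(self, token, action):
        session = self.sessions.get(token)
        if session is None:
            self._log("invalid_session", action)
            return False
        name, role, last_activity = session
        if self.clock() - last_activity > IDLE_TIMEOUT_S:
            del self.sessions[token]            # automatic timed termination
            self._log("session_timeout", name)
            return False
        if action not in ROLE_PRIVILEGES[role]:
            self._log("privilege_denied", f"{name}:{action}")
            return False
        session[2] = self.clock()               # activity resets the idle timer
        return True
```

Here `restore_config` is limited to the `biomed` and `service` roles, which mirrors the requirement that configuration recovery be performed by an authenticated privileged user.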

If you include off-the-shelf (OTS) software in your device, you are responsible for the performance of the software as part of the device. All software changes to address cybersecurity vulnerabilities of the OTS software need to be validated. You need to maintain a formal business relationship with the OTS vendor to ensure timely notification of any information concerning quality problems or corrective actions. Sometimes you will need to involve the OTS vendor to correct cybersecurity vulnerabilities.

Post-Market Surveillance

Once you have completed the hazard analysis, mitigation implementation, and validations, and have deployed your device for use, your activities shift to post-market management. Several QMS tools can assist in the cybersecurity processes post-market, including complaint handling, quality audits, corrective and preventive action, ongoing risk analysis, and servicing. A critical component of every cybersecurity program is the monitoring of cybersecurity information sources to assist in the identification and detection of risk. You should maintain contact with third-party software suppliers for the identification of new vulnerabilities, updates, and patches that become available.

There are many sources that companies should follow for information relating to cybersecurity, including independent security researchers, in-house testing, software or hardware suppliers, healthcare facilities, and Information Sharing and Analysis Organizations (ISAO). Involvement in ISAOs is strongly recommended by the FDA and reduces your reporting burden if an upgrade or patch is required post-market. ISAOs share vulnerabilities and threats that impact medical devices with their members. They share and disseminate cybersecurity information and intelligence pertaining to vulnerabilities and threats spanning many technology sectors, and are seen as an integral part of your post-market cybersecurity surveillance program.

Response and Recovery

If you identify a cybersecurity vulnerability, there are remediation and reporting steps that need to occur. Remediation may involve a software update, bug fixes, patches, “defense-in-depth” strategies to remove malware, or covering an access port to reduce the vulnerability. Uncontrolled risks should be remediated as soon as possible and must be reported to the FDA according to 21 CFR 806. Certain circumstances remove the reporting requirement. The decision flowchart below can be used to determine the reporting requirements.

[Figure: Cybersecurity software change decision tree]

In addition to reporting corrections and removals, the FDA identifies specific content to be included in PMA periodic reports regarding vulnerabilities and risks. If you have a Class III device, you should review that section thoroughly to ensure annual report compliance.

If a device contains software or firmware, cybersecurity will be an important component of the risk management processes, and continual cybersecurity management will be necessary to ensure the ongoing safety and effectiveness of your device. If you need more help with cybersecurity risk management of your medical device, please schedule a free 30-minute call with Medical Device Academy by clicking on the link below.


Performance Qualification (PQ) for EO Sterilization Validation

The article explains requirements for a performance qualification (PQ) of EO sterilization validation and how it is different from other PQ process validations.


Performance Qualification (PQ) – What is the difference between an IQ, OQ, and PQ?

When you are performing a process validation, the acronyms IQ, OQ, and PQ can be confusing. IQ is the installation qualification of the equipment used in your validated process. The purpose of the installation qualification is to make sure that your equipment was installed correctly–this includes calibration and connection to utilities. OQ is the operational qualification. The purpose of the operational qualification is to make sure that the equipment you are using is capable of operating over the range of parameters that you specify to make your product. The PQ is a performance qualification. The purpose of the performance qualification is to ensure that you can consistently make a product within specifications (i.e., repeatable).

Different Definitions for Operational Qualification (OQ)

The GHTF guidance document for process validation provides the following definition for an OQ: “Establishing by objective evidence process control limits and action levels which result in a product that meets all predetermined requirements.” ISO 11135-1:2014, the international standard for ethylene oxide (EO) sterilization validation, provides a slightly different definition for an OQ: “process of obtaining and documenting evidence that installed equipment operates within predetermined limits when used in accordance with its operational procedures.” The difference in these two definitions is essential because the OQ is typically performed by contract sterilizers and does not need to be repeated unless there is a significant change or maintenance to the sterilizer that requires repeating the OQ. In contrast, when you perform an OQ for packaging, the OQ is specific to the packaging materials you are going to be sealing. Therefore a new OQ is required whenever new packaging materials are developed. For EO sterilization, the analogous step of the validation process is called a microbial performance qualification (MPQ).

Performance Qualification (PQ) = MPQ + PPQ

A performance qualification (PQ) for ethylene oxide sterilization validation consists of two parts: 1) microbial performance qualification (MPQ), and 2) physical performance qualification (PPQ). The microbial performance qualification is intended to determine the minimum process parameters for the EO sterilizer sufficient to ensure product bioburden is killed. These parameters are referred to as the half-cycle because the full production cycle will be twice as long in duration. For example, a half-cycle consisting of 3 injections will correspond to an entire cycle of 6 injections.

What are fractional cycles?

Fractional cycles are typically shorter in duration than a half-cycle. The purpose of a fractional cycle is to demonstrate that external biological indicators (BIs) located outside of your product, but inside the sterilization load, are more challenging to kill than internal BIs. Fractional cycles are also used to demonstrate that the product bioburden is less resistant than the internal BIs. To achieve both of these objectives, it is typical to perform two fractional cycles at different conditions to achieve 100% kill of internal BIs and partial external BI kill in one fractional cycle, and 100% kill of product bioburden but only partial kill of internal BIs in the other fractional cycle. When your goal is partial kill, you should also target more than one positive BI, because this reduces the likelihood that poor technique resulted in a BI positive from growth.

Microbial Performance Qualification (MPQ)

The microbial performance qualification (MPQ) typically consists of three half-cycles and one or more fractional cycles. 100% kill of external BIs is not required for the MPQ during a half-cycle–only the internal BIs must be 100% killed, but the external BIs are only useful if 100% kill of the external BIs is achieved in the full cycles. If you are re-validating the sterilization process, you are only required to complete one half-cycle and one fractional cycle. For re-validation, the fractional cycle is intended to achieve a 100% kill of product bioburden but only partial kill of internal BIs, to verify that the product bioburden remains less resistant to sterilization than the internal BIs. You are also required to perform bioburden measurements of non-sterile products for the initial MPQ and re-validation to demonstrate that bioburden can be adequately recovered from the product and measured.

Physical Performance Qualification (PPQ)

The physical performance qualification (PPQ) typically consists of three full cycles and measurement of EO residuals in accordance with ISO 10993-7:2008. If PPQ is performed during the MPQ, then it is only necessary to complete one full cycle–assuming the MPQ consists of at least three half-cycles. If you are performing a re-validation of the sterilization process, then you are required to complete three full cycles and measurement of EO residuals.

Repeatability, Reproducibility, Product Variability and Environmental Factors

Typically a performance qualification (PQ) is intended to verify that the same person can repeat the process multiple times, that other people can reproduce the first person’s results, and that any variation in the product from lot to lot will not prevent the process from producing an acceptable product. In addition, any variation in environmental factors should be assessed during a PQ. In sterilization processes, however, the equipment is typically automated. Therefore, variation between operators is usually a non-issue. Also, sterilization lots typically consist of a large volume of products where multiple samples are tested for sterility. Therefore, performing three runs sufficiently challenges the repeatability and reproducibility of the sterilization process–including any product variability. The issue of environmental variations in heat and humidity is addressed by designing preconditioning cycles into the sterilization process. Sensors are included in each validation load to verify that the process specifications were achieved and maintained for temperature and humidity. The sensors also help to identify the worst-case locations in a load to use for sampling and placement of BIs.

If you are interested in learning more about sterilization validation, please read our blog from last year on an evaluation of the need to re-validate your sterilization process, or you can watch our webinar on sterilization and shelf-life testing. You can also purchase our procedure for EO sterilization validation by clicking on the link below.

Purchase the EO Sterilization Validation Procedure (SYS-031) – $299

SYS-031 EO Sterilization Validation Procedure
This procedure was updated in 2024 to include recent versions of various standards and to incorporate changes to make the procedure consistent with other procedures in Medical Device Academy's turnkey quality system. The updated procedure defines the requirements for ethylene oxide (EO) sterilization validation and revalidation/requalification outsourced to a contract sterilizer.

Safety Agency Mark: Is it required for medical electrical equipment?

This article explains when a safety agency mark is required for electrical medical equipment for products sold in the USA.


What is a safety agency mark?

Examples of safety agency marks include UL, CSA, Intertek, SGS Q-mark, and other marks indicating that a recognized testing lab completed the electrical safety testing and the device passed the testing. Health Canada requires a safety agency mark to certify approval by a lab that is accredited by the Standards Council of Canada (SCC). However, device manufacturers frequently find it unclear what the requirements are in the USA for electrical medical equipment regarding a safety agency mark.

Leo Eisner’s explanation of the requirements for a safety agency mark in the USA

Leo Eisner of Eisner Safety was kind enough to answer this question. The simple answer is yes. In the US, there is a requirement for equipment in the workplace to have an NRTL Safety Agency Approval Mark for the applicable category on the device to meet OSHA requirements. The requirements for NRTL approval of electric equipment (or medical electrical equipment) are in 29 CFR 1910.303(a) and 29 CFR 1910.307(c). Because of these requirements, most electric equipment used in the workplace must be NRTL-approved. Biomeds maintain and track all the medical equipment in hospitals and clinical environments, and the biomeds usually insist upon an Agency Approval Mark. However, the biomeds may not be aware of the NRTL requirements.

What is an NRTL?

An NRTL is a Nationally Recognized Test Lab that is approved or authorized by the Occupational Safety and Health Administration (OSHA) for specific device test standards (i.e., UL 60601-1 [National deviation version of IEC 60601-1, 2nd ed. medical electrical equipment standard] and/or AAMI ES 60601-1 [National deviation version of IEC 60601-1, ed 3.1], among many other standards) to allow a US Mark to be placed on approved devices that meet the applicable standard. Not all NRTL labs can test to the listed medical electrical standards for medical equipment to allow a US mark to be placed on devices. You must go to the OSHA NRTL site to verify that the test lab can issue a US mark. The lab’s link shows which standards each test lab can issue US Marks for.


IFU validation is not a risk reduction – Deviation 7

This article describes how to perform IFU validation before commercialization and how to conduct post-market surveillance to ensure that your IFU continues to be suitable as your user population and patient population expand.


Most companies create an IFU for a new product by plagiarism. They merely copy a competitor’s IFU and change the name. If a regulatory expert creates the IFU, the IFU will be nearly identical to the competitor IFU. However, if a marketing person creates the IFU, the IFU will explain how your product is different from the competitor’s product. Neither approach is practical.

Creating a risk-based IFU

EN ISO 14971:2012 identifies deviations between the ISO 14971:2007 international standard and the three EU Directives. However, deviation #7 is specific to labeling and instructions for use. Even if your product is not CE marked, you should be developing a risk-based approach to IFUs. The priority of risk controls is to eliminate and reduce risks by design, manufacture, and selection of materials. The second priority is to implement protective measures such as alarms to warn users of risks. The last priority for risk controls is to inform users of residual risks. The best practice is to utilize a risk traceability matrix to document each of the risk controls you implemented to eliminate and reduce the risks of hazards identified.

The EN version of ISO 14971 will not allow you to reduce risks quantitatively in your risk assessment for information provided to users about risks, because this type of risk control is not entirely effective. However, you are required to verify that each residual risk is disclosed to users in your IFU, and you must validate that your warnings, precautions, and contraindications are adequately identified such that users understand the residual risks. You are also required to determine any user training needed to ensure specified performance and safe use of your medical device in accordance with ISO 13485:2016, Clause 7.2.1d). Clause 7.2.2d) requires that your company ensure that user training is made available. Any user training you provide should also be validated for effectiveness.

When to perform IFU validation

Some companies ask physicians who helped them with product development to review draft IFUs. However, these physicians are already familiar with your product and your company, and they are highly skilled in the specific procedures your device will be used for. After your experts have made their final edits to your draft IFU, you now need a “fresh set of eyes.” The best approach is to validate the effectiveness of your IFU with potential users that don’t know you or your company. If your product requires animal performance testing or human clinical studies, you could use these studies to validate your IFU. However, I recommend conducting a simulated use study before conducting animal or human studies. Conducting a simulated use study before animal and human studies can prevent deviations from your documented protocols that were caused by the inadequate review of the IFUs.

Methods of IFU validation

The best method for validating your IFU is to perform a simulated use study or human factors study. The FDA published a human factors guidance document that can help you assess the risk of human factors and ergonomics. The FDA guidance requires that you identify your intended user population(s). For each individual population of users, you are required to have a minimum of 15 users for your study. If your product is not for specific indications, you may be able to randomly select 15 users at a few sites. However, if your device is intended for two different specialties, then you need 30 users–15 for each specialization. I recommend recording a video of simulated use studies too. Videos identify small details that you might miss, and clips from the videos are useful in creating training videos for future users.

Gathering Post-Market Surveillance

Post-market surveillance is not just asking customers if they are satisfied. You need to continue to monitor adverse event databases, your complaint database, and any service records to determine if there are any new risks and to verify that the risks you identified were accurately estimated concerning severity and probability of occurrence of harm. Clinical studies and PMS are the only way you can gather data regarding the likelihood of occurrence of harm. When you design your post-market surveillance questions, make sure you include questions explicitly targeting the residual risks you identify in your IFU. You should also ask, “What indications do you use this device for? Specifically, please identify the intended diagnosis, treatment, and patient populations.” This wording is more effective than asking if a physician is using your product “off label.”

Revalidation of IFU after labeling changes

Changes to labeling and IFUs should always be considered design changes and may require revalidation. If the change is in response to a complaint or CAPA, then you must revalidate the IFU and labeling to verify the effectiveness of your corrective action. Any validation should be documented, reviewed, and approved before implementation, and acceptance criteria should be determined ahead of time. Your acceptance criteria should be quantitative, so you can objectively determine if the change is valid or not. You might be able to copy your previous IFU validation protocol or simulated use protocol and simply repeat the validation precisely as you did before with new users. However, sometimes the reason why the IFU was not 100% effective in the past is that the risk you are addressing in the revised IFU was not evaluated adequately in the original simulated use protocol.

New webinar for risk-based IFU validation and PMS

If you want to learn more about using a risk-based approach to developing IFUs, validating IFUs, and performing post-market surveillance to monitor the effectiveness of your IFU, then please click on the webinar link below.


If you are interested in ISO 14971 training, we were conducting a risk management training webinar on October 19, 2018.


DHF Required for a Class I Device? At least 67%…

“Is a DHF required?” appears to be a simple yes/no question. If you reword the question, however, you get a very different answer.


If you ask, “how much less documentation is required for the design of a Class 1 device compared with a Class 2 device?” you get a very different answer. Instead of 0% (Yes, a DHF is required) or 100% (No DHF required), the answer is that you need 33% less documentation for the design of a Class 1 device.

The FDA shared a presentation on design controls in 2015.

In that presentation, the agency identified six Class 1 product classifications that require design controls, while thousands of Class 1 product classifications do not need design controls. Despite the lack of design controls, manufacturers must still maintain a procedure for design transfer, maintain an approved device master file with all the approved design specifications (i.e., design outputs), and design changes may still require revalidation before implementation.

Why is a DHF Required for Class 2, but Not for Class 1?

Class 1 devices are simple devices that are already on the market and have a history of clinical safety. Class 2 devices are generally more complex and present a moderate risk. Therefore, changes in the technological characteristics often present a higher risk for Class 2 devices. When you design a Class 1 device, you still have to determine what your design specifications will be. Again, you don’t need: 1) to review and approve design inputs, 2) a procedure to document your design process, 3) to document formal design reviews, and 4) to create a design plan.

In the 1997 guidance document for design controls, the FDA states that a design transfer procedure should include at least three basic elements:

  1. design and development procedures should consist of a qualitative assessment of the completeness and adequacy of the production specifications;
  2. procedures should ensure that all documents and articles which constitute the production specifications are reviewed and approved; and
  3. procedures should ensure that only approved specifications are used to manufacture production devices.

The first of these basic elements is not required for Class 1 devices because product specifications for most Class 1 devices are simple. The other two requirements are fundamental principles of document control and configuration management. Therefore, you still need a design transfer procedure for Class 1 devices, but you don’t need to include the first element that relies upon design and development procedures.

If you have a Class 1 device, you must still comply with labeling requirements (i.e., 21 CFR 820.120). If your device is sterile, you must still validate and re-validate the process in accordance with 21 CFR 820.75. Class 1 products also require a device master record (DMR) in accordance with 21 CFR 820.181.

What is Not DHF required?

Needed for Class I (67%)

  1. Approved Design Outputs
  2. Labeling Procedure
  3. Approved Labeling
  4. Sterilization Validation Procedure
  5. Sterilization Validation Protocol and Report
  6. Design Transfer Procedure
  7. Approved DMR
  8. Design Change Procedure

Needed for Class II and Class I requiring Design Controls (100%)

  1. Design Control Procedure
  2. Design Plan
  3. Approved Design Inputs
  4. Approved Design Outputs
  5. Labeling Procedure
  6. Approved Labeling
  7. Sterilization Validation Procedure
  8. Sterilization Validation Protocol and Report
  9. Design Transfer Procedure
  10. Evidence of at least 1 Design Review
  11. Approved DMR
  12. Design Change Procedure

Therefore, although you do not technically have to have a DHF for Class 1 products, the difference between the two categories is the following elements:

  1. Design Control Procedure
  2. Design Plan
  3. Approved Design Inputs
  4. Evidence of at least 1 Design Review

When an FDA inspection occurs, the investigator will review your design control procedure and then audit your DHF in accordance with your design plan.

When you have a Class 1 device, you are not typically inspected unless there is a problem. When ORA inspectors perform an inspection for Class 1 devices, the inspector looks for evidence of items in the first list.

If you are interested in learning more about design history files (DHF), please check out our DHF webinar.


Checking adverse event history for your device and competitors

The article explains checking adverse event data for medical devices as part of design and development, risk management, and post-market surveillance.


When should you be checking adverse event history?

There are three times when you should be checking adverse event history:

  1. when you are planning a new or improved medical device, and you want to know how current devices on the market malfunction (design and development planning),
  2. when you are identifying hazards associated with a medical device as part of your risk management process, and
  3. when you are gathering post-market surveillance data about your device and competitor devices.

Where should you be checking adverse event history?

Most countries have some kind of database for gathering adverse event data for medical devices, but most of these databases are not open to the public. The most common question I am asked is, “How do you access the Eudamed database?” for reporting of adverse events in Europe. Unfortunately, you can’t access Eudamed. The Eudamed database is only available to competent authorities at this time. The primary publicly accessible database for adverse event reporting is the US FDA MAUDE database. The MAUDE database is also integrated with other FDA databases for 510k submissions and recalls. This combined database is called the Total Product Life Cycle database.

Are there other public databases for checking adverse event history?

Yes. The Therapeutic Goods Administration (TGA) in Australia makes adverse event data publicly available. The TGA also has a national registry for implanted orthopedic devices that publishes an annual report. Other countries also have public registries.

When will checking adverse event data for Europe be possible?

The Eudamed database for Europe was created in 1999 by the German organization DIMDI. In 2000 the responsibility for the database was taken over by the European Commission. The latest update is that manufacturers will be responsible for updating the Eudamed database in the future as part of the new European Regulations. This requirement will be implemented in the coming years. The database will also become accessible to the public.

When you collect post-market surveillance data, which data should you collect?

Searching for post-market surveillance data should be performed on a risk-based frequency. If you have a brand new device, a high-risk device, or a device that is implanted, post-market surveillance data should be reviewed frequently–either monthly or quarterly. The new European guidance document for clinical evaluation reports (MEDDEV 2.7/1 rev 4) requires that clinical evaluation reports be updated at least annually for these devices. It is also important that you collect post-market surveillance data for both your device and competitor products. Therefore, you should be reviewing all the publicly available adverse event databases. You should also be reviewing your complaint data, and you should be searching for journal articles that may include adverse event data–possibly associated with a clinical study.

Available Resources

If you want to learn more about post-market surveillance data collection, please visit our webinar page. There is also a procedure for Post-Market Surveillance (SYS-019).


MEDDEV 2.7/1 rev 4: How will your clinical evaluation change?

This article gives an overview of the new MEDDEV 2.7/1 rev 4 for clinical evaluation of medical devices, including a quality plan to comply with the latest revision.


What’s new in MEDDEV 2.7/1 rev 4 for clinical evaluations?

The third and fourth revisions both give manufacturers three choices: 1) a clinical literature review, 2) performing a clinical study, and 3) a combination of literature review and performing a clinical study. However, the fourth revision is completely re-written. The fourth edition is 19 pages longer, and it is now much harder to use the “literature only” route. The fourth revision includes stringent requirements for demonstrating equivalence between another device and your device. Therefore, many companies are now struggling to update their clinical evaluation reports to satisfy this new guidance document.

Overview of the content in MEDDEV 2.7/1 rev 4

The third and fourth revisions of the guidance both have a 5-stage process for clinical evaluations, but the third revision only articulated Stages 1 through 3 as stages leading up to writing a clinical evaluation report. The figure in section 6.3 of revision four now identifies a planning Stage 0, and the writing of the clinical evaluation report is referred to as Stage 4. Therefore, there is a lot more detail describing the planning and report writing stages than there was in revision 3. In addition, Stage 2 (Appraisal of clinical data) has been expanded from a single page to eight pages.

Based upon the above changes, you can infer that Competent Authorities have been unsatisfied with the quality of clinical data being provided to support the essential requirements for safety and performance. In turn, Notified Bodies are expected to be much more critical of the data presented, and more guidance is provided to manufacturers. There is also much more guidance and more examples provided in the appendices, while the 12-page clinical evaluation checklist that was provided in revision three has been replaced by one page of bulleted items for Notified Bodies to consider.

Demonstration of equivalence

It is no longer sufficient to list several devices that are similar to your device and include those devices in your search of clinical literature. Now you may only select one device for equivalence. You must also provide a thorough analysis of equivalence with that device based on clinical, technical, and biological characteristics. This comparison includes providing drawings or pictures to compare the size, shape, and elements of contact with the body.

Updating clinical evaluations

The new European Medical Device Regulations (EMDR) are expected to specify minimum requirements regarding the frequency of updating clinical evaluations, but MEDDEV 2.7/1 rev 4 discusses this in section 6.2.3. The frequency of updating your clinical evaluations must be justified and documented. Many considerations for this justification are discussed, but the end of that section indicates that devices with significant risks (e.g., implants) require at least annual updates to the clinical evaluation report. For devices with non-significant risks, and where the device is well established (e.g., a long clinical history), 2-5 years is the range of possible frequency. Intervals longer than five years are not allowed.

Who should perform clinical evaluations?

Many device manufacturers are receiving nonconformities because the evaluators are not sufficiently qualified, or the qualifications are not documented. The qualifications must follow 6.4 of the new guidance, and the qualifications set by your company should be documented in your procedure for clinical evaluations. You will need to document these qualifications with more than an abstract, but you will also need to present a declaration of interest for each evaluator. Evaluators need knowledge in clinical study design, biostatistics, information management, regulatory requirements, and medical writing. Evaluators also need knowledge specific to the device, its technology, and its application. Evaluators must also have a higher education degree in the field and five years of experience or ten years of experience if they do not have a higher education degree. Due to the breadth and depth of qualifications required, it may be necessary to assemble a team to perform evaluations.

Creating a quality plan for compliance with MEDDEV 2.7/1 rev 4

Seven steps need to be included in your quality plan for compliance with MEDDEV 2.7/1 rev 4:

  1. update your external standards to replace MEDDEV 2.7/1 rev 3 with MEDDEV 2.7/1 rev 4
  2. revise your procedure and associated templates for a literature review and clinical evaluation report to meet the requirements of MEDDEV 2.7/1 rev 4
  3. document the qualifications of evaluators for clinical evaluations
  4. document a plan/schedule for updating your clinical evaluation reports for each product family
  5. train evaluators, regulatory personnel and any applicable internal auditors on the requirements of MEDDEV 2.7/1 rev 4 and updated procedures and forms
  6. begin updating clinical evaluations according to your plan
  7. perform an internal audit of your clinical evaluation process

Learning more about MEDDEV 2.7/1 rev 4

If you are interested in learning more about this revised guidance document, please register for our live webinar on Friday, January 27 @ Noon EST by clicking on the button below.


Color change is only device modification. Is a new 510k required?

This article explains the process for determining if a color change and other material changes require a new 510k before implementing the change.


I recently taught a frequently asked questions (FAQs) webinar, where I asked attendees to provide questions in advance of the webinar, and I answered the questions during the webinar. One of the attendees asked how to know if a new 510k is required if the only modification to a device is a color change.

New FDA guidance for device modifications

On August 8, 2016, the FDA released a new draft guidance document for device manufacturers regarding device modifications and when a new 510k is required. The current final guidance is titled “Deciding when to submit a 510(k) for a change to an existing device,” and that guidance is dated January 10, 1997. A draft guidance document on this topic was released several years ago, but that draft guidance was withdrawn in response to feedback from the industry. The new draft guidance document includes modified decision trees to help manufacturers decide which types of changes will require a new submission, but there are also examples provided in Appendix A. The most helpful part of the guidance, however, is Appendix B. Appendix B explains how to document changes properly—regardless of whether a change requires submission or not.

Decision Trees from the Guidance

There are five decision trees or flow charts provided in the new draft guidance. The purpose of each decision tree is identified below:

  • Main flow chart
  • Decision Tree A = labeling changes
  • Decision Tree B = technology, engineering and performance changes
  • Decision Tree C = material changes
  • Decision Tree D = IVD product changes

How to apply Decision Tree C to a color change

Typically, adding a colorant, or changing a colorant, does not negatively impact the strength of a device, but this is the first cautionary statement made at the beginning of the section for material changes. Therefore, if your device has performance testing requirements involving a component that is affected by a proposed color change, then you need to repeat the performance testing to verify that the color change has not negatively impacted the strength. Sometimes large concentrations of colorant result in weakening of plastics. Therefore, repeating some of the performance testing or providing data that supports the need for no further testing is expected. In the decision tree, this is addressed by question C5, “Could the change affect performance specifications?” If no, then you document the change, but a new 510k is not required. If yes, then you refer to decision tree question B5.

The next concern addressed by Decision Tree C is the biocompatibility of your modified device. If the material change of the device or device component comes into direct contact with the body, blood, or tissues, then biocompatibility risks must be assessed. If the change does create new or increased issues related to biocompatibility, then question C4.1 asks, “Has the manufacturer used the same material in a similar legally marketed device?” If the changed material has not been used previously for a similar application, then a new 510k is required—typically a Special 510k if only the material is changed and only biocompatibility needs to be assessed by the FDA.

Reference to FDA biocompatibility guidance

Within the guidance document, the FDA explains that you may want to refer to “Use of International Standard ISO 10993-1, ‘Biological Evaluation of Medical Devices Part 1: Evaluation and Testing,’” when you are answering question C4. This new final guidance was released on June 16, 2016, and the Office of Device Evaluation (ODE) appears to be focusing much more closely on biocompatibility since this new guidance was released.

Examples of material changes from FDA guidance

There are six examples of material changes presented in the new draft guidance:

  1. A slight change in polymer composition for a catheter = letter to file
  2. Change in polymer for a catheter
    1. Change in a polymer for a catheter to a polymer already used by another manufacturer for a 510k cleared device with the same indications = new 510k submission
    2. Change in a polymer for a catheter to a polymer already used by your company for another 510k cleared catheter of the same type and duration of contact = letter to file
    3. Change in a polymer for a catheter to a polymer already used by your company for another 510k cleared catheter of the same type but shorter duration of contact = new 510k submission
    4. Change in a polymer for a catheter to a polymer already used by your company for another 510k cleared catheter of the same type but longer duration of contact = letter to file
  3. Change in the manufacturing method of catheter tubing (i.e., molding to extrusion) = new 510k submission
  4. Change in material for a catheter
    1. The new polymer is already used by your company for another 510k cleared catheter of the same type and same duration, but the sterilization method changes (i.e., gamma to EO) = new 510k submission
    2. The new polymer is already used by your company for another 510k cleared catheter of the same type, duration, method of manufacturing (i.e., molding) and method of sterilization (i.e., EO) = letter to file
    3. The new polymer is already used by your company for another 510k cleared catheter of the same type, duration, method of manufacturing and sterilization, but the performance specifications are slightly different = letter to file (depends upon the impact of difference)
  5. Change in the dental implant from the untreated surface to acid-etched = new 510k submission (may also be considered a design change)
  6. The implantable device is marked temporarily with tape proven not to leave a residue = letter to file

Do you have other questions about biocompatibility?

On Thursday, December 1, @ 11:00 am EST, I will be hosting a new live webinar on the topic of biocompatibility. The webinar will address both requirements for 510k submissions and for CE Marking technical files. If you are interested in registering for that webinar, please click on the following link:


Do you have a question about your 510k submission?

If you have a question related to your 510k submission, you can submit your question to me and download the webinar recording for free by clicking on the following link:


I will respond to your question by email, but most questions make great future blog topics—like this one.

You might also be interested in our 510k course series:


You gain unlimited access to 24 webinars related to 510k submission.


Redacted 510k Database – Have you used the newest FDA tool?

This article describes the new database of redacted 510k submissions recently made available online for immediate download by the US FDA.

Figure: Number of Redacted 510k Available Since November 2000

Recently, the FDA made redacted 510k submissions that were previously released through Freedom of Information Act (FOIA) requests available online for immediate download. 496 redacted 510k submissions have been available since November 2000–as indicated by the graph above. This is only a tiny fraction of the total number of 510k submissions, but the number that is available online will increase over time.

Types of redacted 510k Submissions

Of the 496 submissions, there is a mixture of submission types.

  • 382 are traditional 510k submissions
  • 97 are special 510k submissions
  • 17 are abbreviated 510k submissions
  • 14 were 3rd Party reviewed

What remains in a redacted 510k submission

The redacted versions do not include testing data, but you will find other goodies such as:

  • 3rd Party SE memorandums (where applicable)
  • Table of Contents
  • Pre-market Notification Cover Sheet (i.e., FDA Form 3514)
  • 510k Cover Letter
  • Indications for Use (i.e., FDA Form 3881)
  • 510(k) Summary
  • Truthful & Accuracy Statement
  • Device Description
  • Executive Summary
  • Substantial Equivalence Discussion (Partially Redacted)
  • Summary of Biocompatibility Testing (Partially Redacted)
  • Summary of Sterilization & Shelf-Life (Partially Redacted)
  • Proposed Labeling
  • Predicate Device Labeling
  • Declarations of Conformity (i.e., FDA Form 3654)
  • Deficiency Letter

This information can be used to help select a potential predicate and develop a verification and validation testing plan. If you are less experienced in preparing a 510k submission, it will help to see how other regulatory experts have organized their 510k submissions.

Learning more about redacted 510k submissions

To access this database, click this link: Redacted FOIA 510k Database. To limit your search to only 510k submissions that are available as a redacted full 510k, click on the box for “Redacted FOIA 510k.” If you want to learn more about how to make the most of this new resource, please sign up for my latest webinar on Monday, November 21 @ 9 am EST.


Abbreviated 510k or Traditional 510k?

The article briefly explains the three types of 510k submissions and identifies when you should be submitting an abbreviated 510k instead of a traditional 510k.

Three types of 510k submissions

The FDA has three different target timelines for reviewing a 510k submission and issuing a decision regarding substantial equivalence (i.e., SE Letter):

  1. Special 510k
  2. Abbreviated 510k
  3. Traditional 510k

Special 510k submissions

The first type is a special 510k submission. The FDA target timeline for a special 510k is 30 days, but you can only submit a Special 510k for a modification of your device that already has a 510k issued. Also, a Special 510k is only possible if the device modification requires a single technical discipline to review the change. For example, changes to software and materials require a review of software validation and biocompatibility. Therefore, two reviewer specialists must coordinate their efforts, and the review cannot be completed in 30 days. In this case, an abbreviated or traditional 510k must be submitted instead.

Abbreviated 510k submissions

The second type of 510k submission is an abbreviated 510k. The FDA target timeline for review is 60 days. If there is a recognized standard specific to the type of device you are submitting, or the FDA has issued a guidance document addressing that device classification, then an abbreviated 510k submission is recommended. For example, a dental handpiece (i.e., product code is ) has a special controls guidance document that is explicitly written for dental handpieces, and the guidance states that an abbreviated 510k submission is recommended. In addition, the FDA recognizes the latest standard for dental handpieces: ISO 14457:2012 (FDA Doc # 4-206).

Traditional 510k submissions

The third type of 510k submission is a traditional 510k submission. The FDA target timeline for review is 90 days. If you are submitting a 510k for a new device, or the device modifications require more than one functional area of expertise, then a special 510k is not an option. If there is no recognized standard for the device type and the FDA has not issued a special controls guidance document for your device classification, then an abbreviated submission is also not an option. A traditional 510k submission is your only option in this case.

How frequently is an abbreviated 510k submission type used?

In September 2016, there were 260 510k SE decisions issued by the FDA. Here’s the breakdown by type:

  • Special 510k – 47 submissions = 18%
  • Abbreviated 510k – 8 submissions = 3%
  • Traditional 510k – 205 submissions = 79%

In general, I think it requires a little more effort to write clear and concise summaries for the various sections of an abbreviated 510k than it does for a traditional 510k. But if you can get your product to market a month quicker, then it’s worth it.

Additional Resources for 510k submissions

If you would like additional training on 510k submissions or you would like to access Medical Device Academy’s templates, you can purchase all of our templates and 510k webinars on our 510k course webpage.
