Author name: Robert Packard

European Medical Device Regulations-4 Key Eucomed Recommendations

1 Comment / CE Marking / By / , ,

Screen Shot 2014 04 23 at 10.19.29 AM 300x244 European Medical Device Regulations 4 Key Eucomed RecommendationsEuropean Medical Device Regulations-4 Key Eucomed Recommendations,” reviews why the Eucomed position paper will help draft the new European Medical Device Regulations.

Eucomed, the medical technology industry representative group for Europe, released a new position paper on April 1, 2014, http://bit.ly/Eucomed-April-2014. This paper was created in response to the proposed European Medical Device Regulations, and focuses on four industry concerns:

  1. 1. Introduction of a pre-market “scrutiny process”
  2. 2. Revised clinical requirements
  3. 3. Restriction of hazardous substances
  4. Re-use of single-use devices

History

The original draft of the proposed regulations (i.e., the proposal) was released by the European Commission on September 26, 2012 (http://bit.ly/EUProposal). Europe’s Parliament Committee for Environment, Public Health and Food Safety (ENVI) voted on the Commission’s proposed regulations on September 25, 2013–after three postponed votes. The ENVI Committee made several revisions to the proposed EMDR (i.e., draft legislation), but in general, the ENVI Committee recommended the proposed EMDR. The European Parliament voted on the proposed regulations on October 22, 2013 (i.e., Plenary Vote). Parliament made additional revisions to the draft legislation and mandated negotiation by Parliament representatives (i.e., rapporteurs) with the European Council.

There were three versions of the new EU regulations for the Council to consider:

  1. A proposal by the EU Commission
  2. Draft legislation by the ENVI Committee
  3. Revised draft legislation by Parliament

Eucomed published a position paper on January 30, 2013 (http://bit.ly/EucomedPositionPaper) in response to the original proposal by the Commission, but Eucomed did not respond to the draft legislation until April 1, 2014. Now, the Council has a fourth version to consider–the 2014 Eucomed position paper.

I expected Eucomed to criticize Parliament’s revised draft before the 2013 holidays, but there was no further public response from Eucomed. Instead of being critical of Parliament’s revised draft, Eucomed focused on four industry concerns and made its recommendations for each issue. The Eucomed position paper is specially addressed to the EU Council with the hope of influencing the Council’s version of the new EMDR.

Pre-market “Scrutiny Process” (Article 44)

The EU Commission introduced the concept of the “Scrutiny Process” in Article 44 of the proposed EMDR. Still, the EU Parliament replaced the “Scrutiny Process” with Article 44a in the Parliament Amendment from the Plenary Vote. Article 44a involved a review by the European Medicines Agency for high-risk submissions. Both of these solutions are unpopular with industry. In the April 2014 position paper, Eucomed does not endorse either version. Instead, Eucomed proposed its process for review of premarket submissions, which is referred to as a “Reinforced Control Procedure.”

The Reinforced Control Procedure is a process that is built into the existing Notified Body process. Eucomed outlined the new procedure in detail as an Annex to the position paper.

Revised Clinical Requirements (Articles 49-60)

Eucomed’s April 2014 position paper endorses the proposed regulations by the EU Commission and does not support the stricter legislation proposed by Parliament that mandates Randomized Control Trials (RCTs). In addition, Eucomed listed the following seven points below that the Council should address to ensure that the new Clinical Requirements are “fit-for-purpose”:

  1. Ensure no “one-size-fits-all” approach
  2. Include appropriate elements from pharmaceutical legislation
  3. Consider that effectiveness is measured across the full lifecycle
  4. RCTs are not always practically possible or ethical
  5. Utilize the power of big data and scientific literature
  6. Consider a balanced concept of equivalence
  7. Importance of intellectual property and know-how for medtech companies

Restriction of Hazardous Substances

Eucomed’s position paper encourages the EU Council to support the European Commission’s proposal on the use of hazardous substances in medical devices–not the Parliament version. Eucomed cites the existing horizontal legislation that is in place (i.e., Reach Legislation, http://bit.ly/REACH-Legislation; and RoHS 2, http://bit.ly/RoHS-2). The position paper points out that Parliament’s proposed ban has the following flaws:

  • Proposed ban disregards potential benefits offered by these substances
  • Scope of the proposed ban is broader than can be practically implemented at this time
  • The three-year implementation period is too short of a timeline
  • Four-year period for applying for exemptions is too short a timeframe for industry subject matter experts to submit the required requests
  • The proposed ban is not consistent with the existing REACH and RoHS legislation

Re-use of Single-use Devices

The Eucomed position paper recommends that the EU Council support the EU Commission proposal for addressing the re-use of single-use devices. The Parliament approach stated that all devices should be considered re-usable unless the manufacturer can demonstrate that the device cannot be re-used. The industry response to Parliament’s approach can be summarized in one phrase from the Eucomed paper: “Medical device industry believes that Parliament’s amendments create a potential threat to patient safety.” The Eucomed paper goes on to identify specific deficiencies in the Parliament amendments:

  • Amendment presents a potential threat to patient safety
  • The approach is generic and cannot be applied to all products
  • The process proposed is unclear and may create delays
  • An amendment is not required by other countries and would increase the cost of products to Europeans
  • Roles and responsibilities of manufacturers and reprocessors are unclear
  • Standardization is not feasible

Conclusion

The Eucomed position paper should be helpful to the European Council in framing a more moderate draft for the new European Medical Device Regulations. However, the Council is likely to create a few solutions of its own that will require additional review. I expect to see a draft from the Council this Fall and do not expect Parliament or the Council to reach an agreement on a final version in 2015.

European Medical Device Regulations-4 Key Eucomed Recommendations Read More »

What is UDI and Why It Matters

1 Comment / Unique Device Identification (UDI) / By / , ,

udi 2 300x162 What is UDI and Why It MattersIn this blog, “What is UDI and Why It Matters,” the author reviews the fundamentals of UDI, FDA’s Final Rule applications, and its global significance. 

FDA’s Final Rule (Federal Register – UDI Definition) states a Unique Device Identifier (UDI) is a code that sufficiently identifies a medical device throughout its distribution and use. The UDI is comprised of a static component, “Device Identifier” (DI), and a dynamic component, “Production Identifier” (PI). 

The DI itself is made up of your Labeler Identification Code and a code that pinpoints the specific version or model of that device. PI, on the other hand, includes manufacturing information for that specific device, such as lot or batch number, serial number, expiration date, or manufacturing date (both in YYYY-MM-DD format).

Human cells, tissues, or cellular or tissue-based product (HCT/P) regulated as a medical device requires the use of the ISBT-128 format UDI. The UDI Final rule requires medical device labels to contain a UDI, unless exempt or provides for an exception or alternative placement. The UDI must be both human-readable and in a form that uses automatic identification and data capture (AIDC) technology. 

Reprocessed and Single-Use Devices

Medical devices that are both used more than once by intention and reprocessed by intention must have the UDI directly marked on the device. The Final Rule details exceptions to this requirement (Federal Register – Direct Marking Requirement). UDI does not need to be on individual single-use devices. Instead, it needs to be located on the next higher package. For example, non-sterile exam gloves would require a UDI on the box label, not each glove. 

This section of the rule stipulates individual single-use devices, all of which are the same version or model, must be distributed together in a single device package, is intended to be stored in that device packaging until removed for use, and is not intended for individual sale.  However, it does not apply to implanted devices, which require a UDI on the package of the individual device. Federal Register – Single-use Device 

Stand-Alone Software

Stand-Alone Software that is regulated as a medical device, must also bear a UDI. The software version should be included in the production identifier. If the software is downloaded from a website, the UDI must be in plain text (i.e., not in AIDC format) and displayed whenever the software is started and/or in the plain text displayed through a menu command, such as the “About” screen. If Stand-Alone Software is sold in a package, the package must have the UDI on its label. However, the DI of packaged software may be identical to the downloaded version. Federal Register – Stand-Alone Software

Why Now? Why Does It Matter?

Some medical device companies, especially distributors, obscure manufacturers’ names and item codes on device labels. Different devices might have the same item code, while the same device might have different item codes. These inconsistencies confuse healthcare professionals—especially during recalls and adverse event reporting. Therefore, FDA and other regulatory agencies are implementing UDI regulations to:

  • Improve patient safety by reducing medical errors.
  • Strengthen the Electronic Medical Records initiative by providing a standard method for recording the identity of each device during use in clinical information systems, claim data sources, and registries.
  • Address counterfeiting and diversion
  • Prepare for medical emergencies and disasters
  • Provide a foundation for a global, secure distribution chain. 

The most important reason for UDI regulations is the need to improve the accuracy and timeliness of Post-Market Surveillance (PMS) data. More accurate and timely PMS data will indirectly improve patient safety by helping facilitate more accurate reporting, reviewing, and analyzing of adverse event reports, so problem devices can be pinpointed, corrected, and removed faster. 

Impact of UDI Regulations Globally

FDA hopes the UDI regulations will lead to the development of a globally harmonized medical device identification system that is recognized around the world. The European Union and regulatory agencies around the globe are drafting their versions of a UDI regulation. In addition to the benefits of implementing a UDI system in general, a global UDI system would:

  • Allow companies to create globally harmonized labeling with a single UDI worldwide
  • Promote worldwide tracking and tracing of devices for easier recalls
  • Provide another risk control to prevent counterfeiting and diversion of medical devices

To that extent, the International Medical Device Regulators Forum (IMDRF) published their UDI Guidance document IMDRF UDI Guidance Document, which has many similarities to the FDA Final Rule.

The Unique Device Identifier Final Rule is more than just a new FDA regulation—it is also good business practice. Healthcare customers are embracing the use of unique identifiers. In past experiences with implementing GTINs (another form of UDI from the UDI issuing agency GS1), customers demanded implementation of GTINs, or they would find a new supplier. Manufacturers may choose to ignore one or two customers. Still, eventually the number of customers demanding UDI will be significant, and they will need to act quickly—regardless of FDA deadlines.

What is UDI and Why It Matters Read More »

Medical Device Regulation: FDA Pilot Programs for Global Harmonization

3 Comments / FDA / By / , ,

international harmonization Medical Device Regulation: FDA Pilot Programs for Global HarmonizationThis blog provides an overview of global harmonization efforts by the FDA that were implemented for medical device regulation.

Harmonization of international regulatory requirements for medical devices began in 1992 with the founding of the Global Harmonization Task Force (GHTF). There were five founding regulatory bodies: 1) US FDA, 2) Health Canada, 3) European Commission, 4) Therapeutics Goods Administration of Australia, and 5) Ministry of Health, Labour and Welfare in Japan. The organization created many guidance documents for the medical device industry, and members of the GHTF organization also participated in the development of ISO 13485 that was released in 1996. GHTF was disbanded in late 2012, and it has been replaced by the International Medical Device Regulators Forum (IMDRF), and IMDRF maintains the documentation created by GHTF.

In 1996, when ISO 13485 was released, Health Canada made certification to ISO 13485 mandatory for all medical device manufacturers that wanted to distribute in Canada. Health Canada’s requirement for ISO 13485 certification resulted in the widespread adoption of ISO 13485 certification throughout the world. At the same time, the US FDA chose to publish its Quality System Regulations. The QSR is very similar to ISO 13485, but there are minor differences beyond the obvious reorganization of the requirements.

FDA Modernization Act of 1997

Under the FDA Modernization Act of 1997, the FDA implemented a 3rd party review program for 510(k) reviews and inspections. This program involves “Accredited Persons” (AP) that have been trained by the FDA and work for a third-party consulting firm, registrar, or Notified Body. The FDA expanded the pilot program for third-party 510(k) reviews to include most 510(K) devices. Unfortunately, even though there was great interest from third-parties to participate in the program, there was little interest from manufacturers. After more than a decade, only the following seven third-party organizations have managed to get an Accredited Person (AP) to complete the qualification process so that they can perform inspections independently:

  1. BSI
  2. LNE/G-MED
  3. CMS/ITRI
  4. Orion Registrar
  5. SGS
  6. TUV SUD
  7. TUV Rheinland

The FDA continues to experiment with different approaches to international harmonization. In 2003, Health Canada (HC) signed a memorandum of understanding between Health Canada (HC) and the U.S. In 2006, the FDA launched the pilot, Multi-purpose Audit Program (pMAP). Third-party auditors performed ten combined audits. The conclusions and recommendations resulting from the pMAP were posted on the FDA website in 2010. One of the recommendations was to develop a guidance document for the format and content of regulatory reports. Therefore, in 2011, GD211 was released by HC, and several videos were posted on the FDA website by HC and the US FDA CDRH Learn webpage for training.

Once the 14 recognized registrars had managed to train their CMDCAS auditors on the GD211 report format, the FDA announced the Voluntary Audit Report Submission Pilot Program. For eligible companies, they may submit a regulatory report in the GD211 format, and the FDA will remove the manufacturer from the routine workload for FDA inspections. A few companies have taken advantage of this and successfully avoided a routine inspection for 12 months.

FDA’s New Pilot Program

Recently, the FDA announced a new Voluntary Compliance Improvement Program Pilot. This new program is a small pilot that will allow 3-5 manufacturers to select a third party (to be approved by the FDA) to help them identify areas for compliance improvement and initiate corrective actions. Identification of areas for improvement would presumably be determined during a mock-FDA inspection performed by the third party, but this is not explained in the FDA announcement. This program is available by invitation only, but it appears to be a significant departure from the AP program and voluntary submission of GD211 audit reports.

IMDRF is finally starting to have an impact on the harmonization of medical device inspections. In January 2014, the FDA began accepting inspection reports from the Medical Device Single-Audit Program Pilot (MDSAP) as a substitute for routine agency reports. Kim Trautman at the FDA is the IMDRF representative chairing the program, and her presentation announcing the program can be downloaded. This program should be extremely popular with manufacturers because the MDSAP reports can also be used to meet requirements for inspections by Japan’s MHLW and Brazil’s ANVISA. ANVISA has a massive backlog of inspections due to a strike by government workers, and many companies were forced to file a lawsuit against ANVISA to accelerate the inspection prioritization. The challenge with the MDSAP will be to train and qualify third parties to conduct the audits correctly.

Medical Device Regulation: FDA Pilot Programs for Global Harmonization Read More »

Unique Device Identifier Final Rule-FAQs-Part II

1 Comment / Unique Device Identification (UDI) / By / , , ,

Screen Shot 2014 04 03 at 10.24.33 PM Unique Device Identifier Final Rule FAQs Part II

Did you know that September 24, 2014, is the first UDI DEADLINE for Class III devices, Stand-Alone Software, and devices licensed under the PHS Act? 

Who is an Issuing Agency?

FDA has accredited three (3) agencies for the operation of a system to issue unique device identifiers. They are GS1 (www.gs1.org), Health Industry Business Communications Council (HIBCC) (www.hibcc.org), and International Council for Commonality in Blood Bank Automation (ICCBBA) (www.iccbba.org).  GS1 and HIBCC are for medical devices, while ICCBBA is for medical products of human origin that are regulated as medical devices.

We sell single-use devices; do we need to label these products?

A UDI does not need to be placed on each single-use device (i.e., primary packaging). Instead, the UDI is to be placed on the secondary packaging (e.g., outer box). For example, exam gloves. The UDI label goes on the box, not each glove. This rule requires the package:

  • Have a single version or model
  • Be distributed together in a single device package
  • Are intended to stored in that device packaging, and
  • Are not intended for individual sale

Placement of the UDI on the secondary packaging for single-use devices does not apply to implanted devices. While implants are technically “single-use” devices, implants (defined as devices placed in the body for 30 days or longer) must have a UDI on the primary packaging.  Federal Register – Single-use Devices

I understand there are implementation deadlines; what are they?

There are several deadlines related to this new regulation based on device Class. For example, Class III devices, Stand-Alone Software, and devices licensed under the PHS Act must be “compliant” and have a UDI on its package label, and information submitted to the Global UDI Database (GUDID) by September 24, 2014. There is an opportunity to file for a 1-year extension for these classes of devices under §801.55. The deadline for filing this extension is June 23, 2014.

Other implementation deadlines are (includes submitting data to GUDID):

September 24, 2015,           Implantable, Life-Sustaining & Life Supporting Devices

September 24, 2016            Class II devices and Stand-Alone Software

Class III devices intended to be used more than once and reprocessed between uses must be directly marked with UDI

September 24, 2018            Class I devices and Stand-Alone Software

Devices not classified into Class I, II or III

Class II devices intended to be used more than once and reprocessed between uses must be directly marked with UDI

September 24, 2020            Class I devices, and devices that have not been classified as Class I, II or III, intended to be used more than once, and reprocessed between uses, must be directly marked with UDI

On-hand inventory labeled before the deadline does not need to be relabeled with a UDI for up to three (3) years past the deadline. FDA considers consignment inventory to fall under this rule. This requires that you track consignment inventory, as well as ensure the inventory is used before this three-year exception expiring. Federal Register – Implementation Dates

Our device is packaged one unit per package; do we need to label the device itself?

This is a “unit of use” issue. If you sell ten individually packaged devices ONLY in an outer pack, the individual devices do not require a UDI. Generally, labeling the outer pack with the UDI is sufficient. This assumes the device is stored and used that way.

I heard the information on our devices needs to be submitted to a “database.” Please explain?

UDI has been implemented to facilitate postmarket surveillance activities, including the identification of medical devices through its distribution and use. FDA believed a significant part of this was the ability for healthcare professionals and users to “search” a database to locate information about devices. This resulted in the creation of the Global Unique Device Identification Database (GUDID) system, which is a repository for 60-plus attributes for each Device Identifier and its corresponding Labeler information.  Federal Register – GUDID Information

How do we submit data to the Global UDI Database?

There are two standard-based methods to submit date to the Global UDI Database (GUDID) – structured input via an FDA web interface, or using the Health Level 7 Structured Product Labeling (HL7 SPL) process. HL7 SPL is in XML format and uses the FDA electronic submission gateway as the pathway to input data into GUDID. To submit data to GUDID, you first need to request a GUDID user account from the FDA. Data is submitted one record at a time for both methods. There is no batch process.  Federal Register – GUDID Submission

What additional information needs to be printed on a label under this new rule?

Medical devices must also follow labeling requirements detailed in Title 21, Subchapter H, §801, in addition to the new requirements per the UDI rule. Required information printed on the labels is also dictated by other regulatory agencies, such as the EU. Specifically, the UDI regulation requires a UDI be printed in easy-to-read plain text, and an Automatic Identification and Data Capture (AIDC) format and placed on the device label. The AIDC format is dictated by the format of the issuing agency you have chosen. The other label element FDA requires is the date format when a date is used on a label. The date format is YYYY-MM-DD, and a day must always be used.  Federal Register – UDI Format

When do I need a new Device Identifier?

A new UDI is required when there is a change to a version or model. If you are calling the device a new version or model, and the users think the same, then it is a new device and requires a new Device Identifier (DI) and label changes. If the number of units in a device package changes – for instance, going from 5 to 10, then a new DI is required. This aspect often confuses people, as they think it has to do with changes in package artwork.  Federal Register – New UDIs

Need More Information on how to design and implement a compliance plan for the Unique Device Identifier Rule? 

FDA UDI Regulation on Medical Device Labelers is a complimentary webinar and PowerPoint training. To access – CLICK HERE

Unique Device Identifier Final Rule-FAQs-Part II Read More »

Unique Device Identifier Final Rule-FAQs-Part I

1 Comment / Unique Device Identification (UDI) / By / , , , , ,

Screen Shot 2014 04 03 at 10.23.51 PM Unique Device Identifier Final Rule FAQs Part IThis blog,Unique Device Identifier Final Rule-FAQs-Part 1,” answers questions, such as, what is a UDI? Who is responsible for applying the UDI label? Etc. 

What is a “UDI?”

The Unique Device Identifier (UDI) adequately identifies a device throughout the supply chain and while in use. It is constructed of two main sections – a device identifier and a production identifier. The device identifier is comprised of a permanently assigned product code (model or version) and a labeler identification code. The production identifier is a dynamic component and made up of a lot number, serial number, manufacturing date, expiration date, etc. The device identifier and production identifier together make up the UDI.  Federal Register – Unique Device Identifier definition

Who is responsible for applying the UDI label? 

FDA has defined the “Labeler” to be the entity responsible for applying the UDI label. This entity may or may not be the actual manufacturer. The Labeler is defined as the entity that causes a label to be secured to a device and who places the device into commercial distribution with the expectation the label will not be replaced or modified in any way. Additionally, should an entity replace or substantially modify the original label, and then place the device into commercial distribution with the expectation the label will not be replaced or modified in any way is also a Labeler. Distributors who simply add their name and address to the package are not defined as a Labeler under this definition. 

Private label devices present a situation where the actual manufacturer or brand name holder can be the Labeler. This would be a business decision between the manufacturer and the brand name holder. The Labeler may also be the specification developer, a single-use device reprocessor, a convenience kit assembler, a repackager, or a relabeler.  Federal Register – Labeler definition

What does a “standardized” date format mean? 

FDA has decided for all human-readable dates (manufacturing date, expiration date, etc.) printed on labels must follow a YYYY-MM-DD format. The DAY is an absolute requirement. For example, March 31, 2014, must be presented as 2014-03-31. This requirement applies to ALL medical device classes that use a date on their label. Federal Register – Date format definition

I have kits that are comprised of several devices; how does this rule apply to me?

There are many types of kits. Kits can be made up of one or more medical devices, packaged together with one or more combination products, drugs, or biologics, to expedite a single surgical or medical procedure. §801.30(a)(11) states when a device is packaged within the “immediate container of a combination product or convenience kit, the label of the device will not be required to bear a UDI,” as long as the label on the kit has a UDI. Should your kit have a National Drug Code (NDC) number on its label, it does not also need to have a UDI.  §801.30(b)(3) clearly states devices that are included in a combination product with an NDC number on its label and does not have a UDI; the device components must bear a UDI on its label. Federal Register – Kits Exemption

What does reprocessing mean? 

FDA uses the term “reprocessing” in conjunction with a direct marking of a unique device identifier. Devices intended to be used more than once must have the UDI permanently marked directly on the device (with a few exceptions), and will be reprocessed between each use. However, the FDA has not yet defined what “reprocessing” means. I have asked FDA this question, with their response being they will “shortly” issue additional guidance on this matter. When they do, I will let you know via this blog. Until they do, use the following definition of “reprocessing” – clean, clean plus disinfected, or clean plus sterilized. Federal Register – Direct Marking and Device Reprocessing

We sell software that is considered a medical device; how do I label these devices?

Stand-Alone Software (SAS) regulated as a medical device must also have a UDI. SAS that is downloaded from the web and/or sold packaged must use the version number (as the lot number) in its production identifier. The full version of the UDI must be displayed in easy-to-read plain text, following the rules of the issuing agency you have selected, on the start-up screen and/or a menu command screen, such as the “About” screen. The UDI on the SAS packaged form may have the same device identifier. Federal Register – Stand-Alone Software

What is a device package? 

A device package is a package that contains a fixed number of a specific version or model of a device. The use of this term has often confused people who think it has something to do with the package design. Federal Register – Device Package definition

Do I need to label our shipping containers? 

A shipping container, for this regulation, is defined as a container used to ship or transport devices in which the items within may change from one shipment to another. The rule does not require a UDI label for any shipping container. Federal Register – Shipping Container

Unique Device Identifier Final Rule-FAQs-Part I Read More »

Stage 2 audit preparation for ISO 13485 certification – Part 2

1 Comment / ISO Certification / By / , ,

In this article, you will learn what ISO 13485 stage 2 audit preparation you should complete specific to training records and practice interviews.
ISO Stage 2 Cert Stage 2 audit preparation for ISO 13485 certification Part 2Stage 2 Audit Preparation

If you aren’t sure what ISO 13485 is, please visit our two-part training webinar series. During your Stage 1 ISO 13485 Certification audit, the auditor verifies that your company has all 28 procedures required in ISO 13485:2016. During the Stage 2 audit preparation, however, the auditor will be reviewing training records for each employee. A training matrix is one of the best tools for verifying that your training records are completed. First, you create a table of all 28 required procedures in Excel (this is your far left column). Across the top of the table, you need to list each of the employees in your organization. This would be difficult for a large organization, but most companies seeking initial ISO 13485 certification have less than 20 employees. In your training matrix, you need to identify which procedures each employee must be trained on. This is one of the most common ways to identify training requirements, and color-coding the matrix works is helpful.

Once you have defined your training requirements, review and approve this document as a controlled document that you will maintain as the company grows. However, as the company grows, you may convert specific names to job functions. Once the training requirements matrix is reviewed and approved, you should enter the date that training was completed for each employee. This is a more effective check than the “checkbox” approach, and it enables you to verify that everyone was trained since the last revision of any procedure. Now, you have a summary document to prove that 100% of your employees have current training on each of the 28 required procedures.

Interview employees as part of your Stage 2 audit preparation

During the Stage 2 audit, any of the employees could be interviewed by the auditor. As part of your Stage 2 audit preparation, you should interview each employee on your training matrix by asking them the following open-ended questions:

  1. Can you show me where I can find the company’s quality policy?
  2. Please explain how the quality policy is relevant to your job.
  3. Can you show me a copy of the training procedure?
  4. What quality objectives do you or your department monitor?

The first question is typical of auditors. You don’t have to have the policy memorized, but every employee should know where to find it. My favorite location is the back of employee ID badges, but the quality policy needs to be updated periodically. If everyone has the policy on their ID badge, you might consider handing out updated stickers with the revised quality policy when you hand out paychecks. The second question is related to the first, and it verifies that each person understands the importance of their job function as it relates to quality.

The third question is a test to ensure every employee can locate procedures. Don’t help them, because the auditor won’t. After each employee answers the question, make sure you explain the correct answer concerning where the most current version of every procedure is. Redlined copies in a drawer do not exist. The person should also have read each procedure in their training matrix so that they can answer a question. It’s ok to say “I don’t remember,” but they shouldn’t guess.

The fourth question verifies that top management has established quality objectives for all functions and at all levels within the company. Every manager should have at least one quality objective they are tracking, and progress toward the quality objective should be visibly communicated to everyone in the department. Employees, especially managers, should also be aware of where quality objectives for the company as a whole are posted. Ideally, each employee will know how their job function contributes to one or more of these objectives.

Stage 2 audit preparation – How to handle “stage fright”

Anyone can get nervous when they are being interviewed by an auditor–even the most experienced managers. In particular, a large entourage of observers following an auditor can make the situation worse. Therefore, you should anticipate this and discuss this with every employee in your company when you are doing practice interviews. Tell them this is normal, and it’s ok to be nervous. Remind them to take a deep breath to settle their nerves. Assure employees that they will not get in trouble for being nervous, and the company will not fail and audit just because someone has difficulty answering a question. At worst, you will need to initiate a CAPA and do some more training. The best-case scenario for a certification audit is that you will need to initiate a CAPA and do some more training. Either way, the outcome is the same. 

Congratulations on your successful Stage 2 audit preparation

Do not stress everyone out the day before your Stage 2 certification audit. You had six months to prepare, and everyone worked hard to help prepare the company. Now is the time to celebrate with your family. Everyone should go home on time and get a good night’s rest. Positive attitudes and relaxation are as crucial as all the work that has been completed. I learned this lesson the hard way during my first ISO 13485 Certification in 2004. We received certification, but I don’t recommend letting your boss turn purple with rage during the audit–it might be career-limiting.

I have only made the mistake of staying up late the night before on one other occasion–and the client was not recommended for certification at the end of the Stage 2 audit. Fortunately, the auditor was able to schedule a follow-up audit within a few weeks, and we were able to address all the open issues at that time. The client received their ISO 13485 certificate and CE Certificate within three months of starting the project, and the certificates were just in time for an important trade show in Germany.

Additional training resources to prepare for ISO 13485:2016 certification

If you are interested in learning more about ISO Certification, please download Medical Device Academy’s whitepaper and watch our six-part webinar training certification course for ISO 13485:2016 certification preparation.

Stage 2 audit preparation for ISO 13485 certification – Part 2 Read More »

Stage 2 Audit – How to Prepare (Part 1 of 2)

1 Comment / ISO Certification / By / , , ,

This blog teaches you how to prepare for a stage 2 audit on your pathway to ISO 13485 certification, and this blog is part 1 of 2.last prep Stage 2 Audit How to Prepare (Part 1 of 2)

Stage 2 Audit

If you are not sure what ISO 13485 is, please consider our 2-part training webinar on the topic. Health Canada requires ISO 13485 certification as a requirement for all Medical Device License Applications, and most companies choose ISO 13485 certification as their method for demonstrating conformity to the requirements of the European Medical Device Regulations (MDR)–instead of a special MDD audit.

To achieve ISO 13485 certification, you must successfully complete a Stage 1 and Stage 2 certification audit with your chosen certification body. If you are interested in an overview of this certification process, you can download Medical Device Academy’s white paper on this topic, or you can watch a webinar we recorded recently on 6 steps to ISO 13485 Certification.

Management Processes are covered during the Stage 1 and Stage 2 audit

The Stage 1 audit is typically a one-day audit where the auditor is evaluating your readiness for the Stage 2 audit. The auditor will review your Quality Manual, and your procedures (19 are required) to ensure compliance with ISO 13485. Also, the auditor will sample records from critical processes to assess your readiness for the Stage 2 audit. Typically, these processes will be:

  1. Management Review
  2. CAPA
  3. Internal Auditing

After you complete the Stage 1 audit, you may have a few nonconformities identified by the auditor. Responding to these nonconformities is the first step in preparing for your Stage 2 certification audit. You need to initiate a CAPA for each of the auditor’s findings and begin implementation before the Stage 2 audit. Typically, you will have about six weeks to implement these actions. This is not usually enough time to complete your CAPAs because you need more time before you can verify the effectiveness of corrective actions.

Preparing CAPA Records is critical for your Stage 2 audit

In preparation for your Stage 2 audit, prepare for the auditor to review any CAPAs that you completed since the Stage 1 audit–especially if you have evidence of completing an effectiveness check. You may think this is unnecessary because the auditor previously reviewed CAPAs during Stage 1. However, you probably received a nonconformity related to your CAPA process (almost everyone does), and you should expect auditors to review your CAPA process during every audit.

CAPA Effectiveness Graph 300x218 Stage 2 Audit How to Prepare (Part 1 of 2)Each CAPA record you present should be provided in a separate folder as a paper, hardcopy. The paper, hardcopy makes it easier for the auditor to review. The folder should include documentation of the investigation, a concise statement of the root cause, and copies of records for all corrections and corrective actions implemented. Corrective actions include procedure revisions and training records. If there is a quantitative measurement of effectiveness, include a graph of current progress with the record. Ideally, the graph will be one of your quality objectives. The graph to the right is an example.

Production Process Controls will get the auditor out of the conference room 

Every company has at least some production and process controls implemented before the Stage 2 certification audit. Most auditors and inspectors spend too much time in conference rooms reviewing paperwork and too little time interviewing people that are performing work. However, many companies also outsource production activities. Therefore, unless you have a software product, you can expect your auditor to review incoming inspection activities. The auditor is also likely to review the finished device inspection, storage, and distribution. If the auditor is thorough, they will also follow the trail from inspection activities to calibration activities, nonconforming materials, and data analysis.

Design Controls

If your company is a contract manufacturer, then you probably are excluding design controls (ISO 13485, Section 7.3) from the scope of your Quality System. However, if you are a manufacturer that performs design and development, then it is an element of the quality system that warrants special attention. During the Stage 1 certification audit, the auditor reviewed only your Design Control procedure. During Stage 2, the auditor will look for evidence of implementing design controls. Therefore, even if your company has not completed your first design project, the auditor will still want to see some evidence of implementation. The auditor will expect at least one design plan to be written, and at least one design review should be completed.

If you are familiar with the FDA Quality System Inspection Technique (QSIT) process for inspection, you might have noticed that this blog is divided into the same subsections identified in the QSIT Manual.

Stage 2 Audit – How to Prepare (Part 1 of 2) Read More »

Where to Focus Your Medical Device Complaint Handling Training

2 Comments / Complaint Handling / By / , , ,

%name Where to Focus Your Medical Device Complaint Handling Training

Medical Device Academy performed data analysis of FDA 483s for 2013 and identified four areas of focus for your medical device complaint handling training. 

One of the challenges of creating a strong training curriculum is the need for practical examples. This is why there are lots of stories about real-life companies and products in every Medical Device Academy training event. We learn more from our painful mistakes than we do from our success stories. When you recall a product, report deaths involving a product your company made, or if you receive a Warning Letter—these are events that we will never forget.

Medical Device Academy recently posted a blog (http://bit.ly/outsourcing-complaints) about complaint handling, because this is one of the most common areas identified in FDA Form 483s and Warning Letters. Therefore, if you are trying to develop training on the topic of complaint handling (i.e., 21 CFR 820.198), then you should look for examples from your competitor’s mistakes. The following is a list of places you should look:

  1. Past inspection reports issued to your company by the FDA
  2. Any inspection reports or Warning Letters about your competitors that become public
  3. Other Warning Letters that mention complaint handling as an issue

Here’s an example of the type of 483 observation you might find: “Failure to adequately establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit, as required by 21 CFR 820.198(a).”

The example above identifies five different problems with a complaint process:

  1. You need a procedure 
  2. You need to designate a complaint handling unit
  3. You need to define the process for receiving complaints
  4. You need to define the process for reviewing complaints
  5. You need to define the process for evaluating complaints

21 CFR 820.198 is a prescriptive requirement in the regulations. Therefore, you not only need to create a procedure specifically for complaint handling, but you also need to ensure each element of the requirement is satisfied. This is important because FDA inspectors will verify that your procedure includes each element.

Medical Device Academy performed data analysis of FDA inspection reports for FY2013 (http://bit.ly/Form483-FY2013) to identify other common mistakes related to complaint handling. The data analysis of FDA inspection reports for FY2013 identified that there are 15 individual citations related to complaint handling that the FDA identified using the TURBO EIR System (http://bit.ly/FDA483s). The table below summarizes the frequencies of these 15 sub-sections that were referenced in citations during FY2013 under the complaint handling category: 

483 Where to Focus Your Medical Device Complaint Handling Training

Medical Device Complaint Handling Training: 4 Critical Areas of Focus

The above table identifies several other sub-sections that present problems for companies. Based on the data analysis, your company should also be training your complaint handling unit in the following four critical areas:

  1. Maintaining complaint files
  2. Reviewing and evaluating complaints for the need to perform an investigation
  3. Documenting complaint investigations in your complaint files
  4. Determining whether a complaint is reportable under 21 CFR 803

The fourth area is one of the most important because these complaints involve injury, death, and product malfunction. Therefore, you might consider reviewing the TPLC database (http://bit.ly/FDATPLC) for MDRs. The best data to review is data for the same product codes that your company distributes, but reviewing any MDRs can teach your employees which types of incidents need to be reported. This area will also receive increased scrutiny with the recent changes to 21 CFR Part 803 (http://bit.ly/udpated-21CFR803).

Where to Focus Your Medical Device Complaint Handling Training Read More »

Labeling risk controls – Deviation #7 in EN ISO 14971:2012

3 Comments / ISO 14971:2019 (Risk Management) / By / , ,

Requirements for the Instructions for Use and labeling as labeling risk controls for medical devices in ISO 14971.

Residual Risks Labeling risk controls Deviation #7 in EN ISO 14971:2012This article reviews the requirements for Instructions for Use and labeling as risk controls in the risk management standard for medical devices: ISO 14971. Specifically, the impact of the seventh deviation identified in the EN ISO 14971 Standard is reviewed. This is the 7th and final blog in our EN ISO 14971:2012 risk management series. If you would like additional, risk management training, we have a training webinar.

Why are labeling risk controls not effective?

Labeling, instructions, and warnings are required for medical devices. Unfortunately, the information provided by manufacturers is not effective at preventing hazardous situations and foreseeable misuse–especially if the user throws the paper leaflet in the garbage 10 seconds after the box is opened. Since the information provided to the user and patients is not effective in preventing harm, the European Commission indicated that this information (i.e. labeling risk controls) should not be attributed to risk reduction.

Labeling risk controls do not quantitatively reduce risks

The European Commission is not suggesting that your company should stop providing directions or warning users of residual risks. This deviation intends to identify incorrect risk estimation procedures. For example, if you are using Failure Mode And Effects Analysis (FMEA), (see Annex G.4 of the risk management standard) to estimate risk for a new product, you should not be listing labeling risk controls as the primary risk control. Clause 6.2 of the ISO 14971 Standard correctly identifies “information for safety” provided by the manufacturer as risk controls. Still, the effectiveness of labeling risk controls is so poor that you should not estimate that the implementation of labeling and IFUs reduces risks.

In Clause 2.15 of the ISO 14971 Standard, residual risk is defined as “risk remaining after risk control measures have been taken.” However, I prefer the following definition, which incorporates the concept of clinical evidence, design validation, and post-market surveillance:

“Residual risks are risks that remain: 1) after implementation of risk controls, 2) when products are used for new indications for use, 3) when products are used for wider user and patient populations, 4) when products are misused, and 5) when products are used for periods of time longer than the duration of pre-market clinical studies.”

The second essential requirement (ER2) states that users shall be informed of residual risks, but the conclusion that “information about residual risks cannot be a risk control” is incorrect. The most important wording in the deviation is “the information given to the users does not reduce the (residual) risk any further.” Failure to reduce risks any further is due to the lack of effectiveness of risk controls. Validation of risk control effectiveness should be performed during design validation, but validation will be limited to a small group of users and patients.

Risk management reports & post-market surveillance planning

In your risk management report, risk control options analysis should be summarized. Instead of evaluating risk acceptability before implementing risk controls, risk controls should be implemented, and any residual risks should be identified. A benefit/risk analysis must be performed for each residual risk and the overall residual risks. If the conclusion is that the benefits of the device outweigh the residual risks, then the device can be commercially released.

At the time of the final design review and commercial release, a Post-Market Surveillance (PMS) plan should be developed that includes an updated risk management plan. The updated risk management plan should specifically address how to estimate residual risks and verify the effectiveness of information provided to users and patients. Verification of risk control effectiveness should be part of the design verification and validation activities, but verification of effectiveness should also be part of ongoing PMS.

To facilitate future updates of your risk management report, you may want to organize risk controls into the following categories (in this order):

  1. Design elements (highly effective)
  2. Materials of construction (highly effective)
  3. Methods of manufacture (highly/moderately effective)
  4. Protective measures & alarms (moderately effective)
  5. Information provided to users & patients (least effective)

Each of the above risk controls will need to be addressed by your PMS plan.

Labeling risk controls – Deviation #7 in EN ISO 14971:2012 Read More »

How to Identify New and Revised European Medical Device Regulations

1 Comment / CE Marking / By / , ,

%name How to Identify New and Revised European Medical Device RegulationsThis blog offers tips and information for locating the latest European medical device regulations for your next management review meeting. 

There are two primary websites to check for new and revised European Medical Device Regulations. The first location is the Europa website, where the three “New Approach” directives and proposed European Medical Device Regulations (EMDR) can be found. There is also a webpage on the Europa website for guidance documents. The following website is managed by Team-NB–a group of Notified Bodies.

Europa Website for Locating European Medical Device Regulations

When you  check the Europa website for new and revised medical device regulations, the three most important pages to check are:

  1. http://bit.ly/EUrevisions – On-going revision of the medical device directives.
  2. http://bit.ly/EU-current-legislation – Current medical device directives
  3. http://bit.ly/MEDDEV – Guidance MEDDEVs

The first page provides periodic updates on the status of the proposed EMDR. The most recent update on this page was September 26, 2012. If you are following this carefully, and you understand the European legislative process, then you know that there was a vote by the ENVI committee reviewing the EU Commission’s proposal in September 2013. You also would know that the Plenary Vote on the proposal occurred in October 2013. Now, the European Parliament has mandated that the rapporteurs negotiate a final text with the Council–which is going slower than Parliament would like.

The second page has the current legislation. It is not always obvious if amendments have been made. Therefore, you need to review each of the directives to see if it is applicable. The last significant change to the MDD was the M5 version on March 21, 2010 (i.e., amendment 2007/47/EC to 93/42/EEC). There was a commission implementing regulation on September 4, 2013. Two amendments were released in 2012: 1) electronic instructions for use, and 2) medical devices manufactured with tissues of animal origin.

Finally, the third page lists each of the guidance MEDDEV documents. This list also identifies the date of the most recent version for each MEDDEV. The most recent change was to the vigilance reporting guidance document in January 2013.

Team-NB Website

The website for Team-NB is http://bit.ly/Team-NB. On the home page, there is a navigation bar listing archived documents by year. In 2012, there were nine documents released. Several of these documents are related to the PIP Scandal (http://bit.ly/MHRAReport), which is now old news, but there was one guidance document discussing the transition plans for IEC 60601-1. There were another 12 documents released in 2013. The four most recent documents are confidentiality statements, and five are auditor attestations. Therefore, there are only three new documents of importance to manufacturers:

  1. http://bit.ly/Team-NB-eIFU – guidance on the implementation of electronic Instructions For Use (eIFU)
  2. http://bit.ly/CoCNBV3 – 3rd version of the Notified Body Code of Conduct
  3. http://bit.ly/Team-NB-IEC62304 – FAQs for the implementation of EN 62304

The first document explains two positions from Team-NB. The first position identifies labeling requirements and the use of harmonized symbols for companies implementing eIFUs. The second position indicates that implementation of eIFUs is considered a significant change in the QMS that requires:

  1. Notified Body notification before implementation, and
  2. a list of documents needed by Notified Bodies as objective evidence of readiness for implementation.

The code of conduct includes important details about how the Notified Bodies plan to change the auditing process and qualification of certification auditors to address concerns of the European Council. This includes specific interpretations as to the duration of audits, the duration of an initial Design Dossier review, and the initial plan for unannounced audits by Notified Bodies.

The third document contains 73 frequently asked questions and the response to these questions by Team-NB. There are also four annexes. The 73 questions are organized into the following seven sections:

  1. Scope of EN 62304
  2. Placing Software as a MEDICAL DEVICE on the Market
  3. Life-cycle Processes
  4. Risk Assessment and Risk Management
  5. Classification and Segregation
  6. Specifications, Testing, and Tools
  7. SOUP and Legacy Software

Next Steps

Review each source of information and determine if the document impacts your organization’s quality system and procedures. This gap analysis should be performed by someone familiar with the specific process(es) addressed by the regulations. The most likely actions to be taken are:

  1. initiate specific changes to existing procedures
  2. create new procedures, or
  3. initiate a quality plan for more substantial changes to your quality system

If you need more help preparing for your management review, here’s a link to a free webinar I recorded: http://bit.ly/Clause5-6. You will also receive a management review slide deck.

How to Identify New and Revised European Medical Device Regulations Read More »

Scroll to Top