Rob Packard

Author Archive

EU Medical Device Proposed Regulations: The “Scrunity Process”

Posted by Rob Packard on October 12, 2012

This blog discusses the “scrutiny process” of the proposed EU medical device regulations, whereby authorities can take a 2nd look at audit findings…

For those of you that are not familiar with the “Scrutiny Process,” I am referring specifically to Article 44 of the proposed EU regulations for medical devices. This process is first alluded to at the end of section 3.5 in the “Explanatory Memorandum” (i.e., the 13 pages preceding the proposal for the regulation of medical devices).

The U.S. already has a pre-market approval process that we fondly refer to as the PMA process. In response to the PIP scandal, the European Parliament’s ENVI Committee (Committee on the Environment, Public Health, and Food Safety) proposed a pre-market approval process as part of a press release issued on April 25, 2012. In response to this political pressure, the Commission has proposed a “Scrutiny Process” that involves the preparation of a Notified Body “Summary Evaluation Report,” and verification that the conformity assessment was adequate by the Coordinating Competent Authority.

A similar process is outlined in MEDEV 2.11/1 rev. 2, a guidance document regarding animal tissues, and the Commission Regulation (EU) No 722/2012 of August 8, 2012. The proposed scrutiny process allows competent authorities to take a “second look” and review the findings of the Notified Body that would be issuing a CE Certificate for these high-risk devices. The review process is supposed to be concluded within 60 days, but the review time limit is suspended if the Competent Authorities request additional information or product samples within the first 30 days.

In section 3.5 of the Explanatory Memorandum, the Commission states that this scrutiny process “should be the exception rather than the rule and should follow clear and transparent criteria.” The criteria for invoking the scrutiny process are defined in five points 5a) through 5e) of Article 44. The five points leave room for interpretation by Competent Authorities, and the medical device industry is concerned that the review process for Class IIb and Class III devices will be delayed by at least 60 days regularly. The process could easily be delayed by as much as six months when there are requests for additional information and samples.

The “Legislative Financial Statement” (i.e., – the 19 pages immediately following the proposal for the regulation of medical devices) defines a monitoring process for the scrutiny process in the “Indicator of results and impact” (Section 1.4.4). The risk of delaying access to the market for innovative devices is also identified in the “Risk(s) identified” (Section 2.2.1). Therefore, the need for a control mechanism is recognized in “Control method(s) envisaged” (Section 2.2.2). This will be the responsibility of the Commission to draft a guidance document to define the control method(s). Until industry has an opportunity to review such a guidance document, executives will continue to voice their concerns and apply their own political pressure to the European Parliament.

Tags: "Scrutiny Process", EU Medical Device Regulations

Posted in: CE Marking

Leave a Comment (0) →

13 Tips for Learning New Regulations

Posted by Rob Packard on October 3, 2012

Everyone learns through different methods. This blog discusses three levels of the learning pyramid and provides 13 tips for learning new regulations.

Last week I mentioned the draft EU regulations that were released, and I am still reading them. I am sure some of you have already finished at least one of the two regulations, but I am a slow reader. Sure I have skimmed the regulations, but I really need to read every word of the regulations several times before I have absorbed the bulk of the content. While I was reading during my lunch today, I was wondering how other regulatory experts learn new material. After all, there is nobody to take a course from yet, and a one hour webinar is not enough.

Some people like to listen to books on tape during their morning ride, but I think the market might be a little small for medical device regulations. We could use technology to convert the PDF format into an eBook format that can be read electronically to us on our commute to work. Still, I learn Standards visually rather than verbally.

“Never Stop Learning”

Last year I published a blog titled “Never Stop Learning.”

In that post, I presented a model for learning that I find helpful for explaining my philosophy for training people. The first level in my Learning Pyramid is to “Read and Understand.” I call this the “newbie” stage. That is the level most of us are at right now for the draft EU regulations. The next level of the Learning Pyramid is “Show and Tell.” A course or seminar related to the draft regulations would involve training telling us about the draft regulations, and showing us some PowerPoint slides to help us visualize the changes. I think the technical term for this type of torture is “Death by a Million PowerPoint Bullets.” If your instructor is thorough in their efforts to torture you, then you will conclude this training with a quiz to demonstrate training “effectiveness.”

If you are lucky, you will start using some of that new-found knowledge immediately after the course. If you just had your 400^th birthday, as I did last week, then you might have a little trouble remembering all the details you “learned” in that training course in a matter of weeks. Now, what can you do?

Look it up! Isn’t that what your teachers told you when you were growing up?

If you need to know what the proposed requirements are for Authorized Representative Agreements, you can use the search function in Adobe Reader to search for the word “agreement.” After just six clicks of the mouse, you will find where this is mentioned in Article 10 of the draft. As you read Article 10, you will rejoice! Instead of the 17-page voluminous guidance document identified as MEDDEV 2.5/10 (released in January of 2012), we now have 144 words with just four simple minimum requirements. This is streamlined.

Over the next year or two, I expect that most of the regulatory experts will gradually work their way up the Learning Pyramid to the top of the third level. This is the point where we can now claim competency.

So how do you become an expert? In order to achieve the mighty title of “Guru,” you must teach others. My blog, “Never Stop Learning,” explains how the action of teaching actually teaches the instructor as much as it teaches the student.

So what’s my point?

Don’t Be Normal

Skim the draft regulations now
Take a course on the regulations in 2013
Start revising procedures and technical documentation in 2014
Start developing an in-house training course on the new regulations in 2015
Finish training all the employees in 2016

Definitely Don’t Be Lazy

Wait for the final approval of the regulations in 2014
Take a webinar on the new regulations in 2015
Get a nonconformity for noncompliance in 2016
Hire a consultant to fix your procedures in 2017
Start looking for a course on the regulations in 2018

13 Tips For Learning New Regulations

1. Read and re-read the draft regulations now

2. Read blogs and discussion threads related to the draft regulations for the next couple of months

3. Take a webinar on the draft regulations this November 28^th (mark your calendar)

4. Draft a plan for revising procedures in 2013 and updating technical documentation in 2014

5. Get management approval for a training course in 2013 and resources to update procedures as per your plan

6. Take a course on the draft regulations in the first quarter of 2013; you should have quite a few questions now that you have a plan and resources

7. Make adjustments to your plan and execute it on schedule

8. Create a training program for the company just prior to final approval in late 2013

9. Make revisions to the procedures based upon feedback from trainees in your in-house course

10. Develop a detailed team plan for updating technical documentation

11. Retrain everyone and review the updated plan

12. Make updates to technical documentation in 2014 as a team

13. Be one of the first companies to get a CE certificate to the new regulations in 2015

Tags: learning, regulations

Posted in: ISO Certification

Leave a Comment (0) →

FDA Advice for Regulatory Submissions

Posted by Rob Packard on September 21, 2012

This blog reviews the importance of planning and communication with the FDA related to firms’ regulatory submissions. For the past two days, I was fortunate enough to attend a training seminar hosted by the FDA in Washington, DC. This was a “free” seminar (i.e., – travel expenses only). The session was split into two rooms. One room focused on drug regulations, and the other focused on device regulations. As my strength is a device, I spent most of my time listening to the speakers on the drug-side. Throughout the training, there was one common theme that was repeated by the speakers: Come Early, Be Loud, and Stay Late.

“Come Early”

The speakers recommend that companies plan their submissions well in advance and talk to the appropriate FDA project manager about their plans before starting clinical studies.

“Be Loud”

The speakers recommend that companies communicate with as many people as they can at FDA to ensure they have identified all the critical issues to address in the study design.

“Stay Late”

The speakers recommend that companies think ahead so that if (or when) things don’t go as planned, the clinical study results can be salvaged. In simple and more practical terms, every speaker emphasized the importance and value of consulting with the FDA, instead of guessing what type of data will be needed for submission. One of the other participants brought this up at lunch on the first day. He mentioned an example where the FDA agreed with a company on specific data that would be required for acceptance of an NDA. The company did exactly what the FDA said, and then the FDA requested more data. He later described another case where the FDA specified data, and the company refused to comply—but the FDA granted approval. This other participant and I both agreed that most companies are afraid to ask the FDA for agreement on what data is required because the company may not like the FDA’s answer.

My personal belief is that the FDA is better at identifying what data will be required than most companies because they have a broader perspective than companies do. There will always be exceptions, but my recommendation is to ask FDA’s opinion whenever you have a question—just ensure you do your homework before you ask an inane question that is already in their guidance documents. I believe this advice also applies to every regulatory agency in the world.

Tags: FDA regulatory submissions

Posted in: FDA

Leave a Comment (0) →

How to request FDA Device Classification information – 513(g) Alternative

Posted by Rob Packard on September 11, 2012

This blog provides a five-step process on how to request FDA device classification information. A screenshot of the FDA website for each step is included.

If your company is currently registering with the US FDA, you are probably reviewing the guidance document this month for the FY2013 user fees. On pages six and seven, there is a table of these fees, but you might have overlooked 513(g). Section 513(g) is a provision in the law that allows companies to request device classification information from the FDA.

For example, if your company was developing a new product, and you were having difficulty identifying the regulatory pathway, 513(g) is your friend. In my opinion, these fees are modest: $5,061 = Standard Fee, and $2,530 = Small Business Fee (updated for FY 2022). Most consultants will charge at least ten hours of consulting to identify the regulatory pathway for a company. I would charge quite a bit less because it takes me a lot less than ten hours. I still think the FDA’s pricing is a good deal because getting information directly from the source is always more valuable than an “expert.”

The US FDA has published a guidance document explaining the process for 513(g) requests. This guidance document was released on April 6, 2012 (updated in 2019). The guidance explains what information companies need to provide in order to submit a 513(g) request. The guidance also has a fantastic list of FDA resources on page five. These are the very same resources that the “experts” use—including yours truly.

Just as any good lawyer tries to avoid asking questions that they don’t already know the answer to, I recommend that you first try using these resources yourself. Once you think you know the answer, your request for classification information will be easier to organize.

Here’s how I would proceed to request FDA device classification information:

Step 1 – Are there similar devices on the market?

Identify another device similar to yours. If you can’t do this, you need serious help. You need a similar device that is already sold on the market to use as a predicate device. If you cannot identify a predicate, then you can’t use the 510(k) process—or you don’t know your competition. Either way, there are challenges to overcome. For example, if you are trying to launch a new topical adhesive made from cyanoacrylate—”Dermabond” might be the first predicate device that comes to mind.

Step 2 – Search the Registration Database for FDA Device Classification

Use the registration and listing database on the FDA website to find the company that manufacturers the device. The link for this is #4 on my helpful links page (updated). This link also will provide you with connections to the classification database—which you can use to find the classification for any device. However, the registration and listing database is less likely to lead you astray. When I type “Dermabond” into the field for the proprietary device name, I get a list of five different product listings.

Step 3 – Select one of the competitor links to identify the FDA Device Classification

Clicking on any one of these five will take you to a listing page for the corresponding company. On that page, you will find the three-letter product code that identifies the device classification and the applicable regulations for that device.

Step 4 – Your found the FDA Device Classification

Clicking on the three-letter product code (i.e., – “MPN” in our Dermabond example) takes you to the Product Classification page. This is where you will find that Dermabond, and other tissue adhesives, are Class II devices that require a 510(k) submission. Also, the Product Classification page identifies an applicable guidance document to follow for design verification and validation testing. This is also called the “Special Controls Document.”

Step 5 – TheTPLC Report lists all the recent 510(k) submissions

Click on the “TPLC Product Code Report” link. This link will provide you with a report of all the 510(k) ‘s recently granted to your competitors, problems customers have experienced with their products, and recalls for the past five years. This is extremely valuable information as a design input—as well as competitive information for your marketing team.

tplc total product life cycle report for mpn How to request FDA Device Classification information 513(g) Alternative

TPLC Report for Product Code “MPN” – Topical Adhesive

Tags: Device Classification, FDA

Posted in: FDA

10 FDA Inspection Strategies that DON’T Work

Posted by Rob Packard on August 30, 2012

If you were just notified of an FDA inspection and you don’t think you are ready, using tricks to hide your problems is a huge mistake. I have heard a few recommendations over the years for “secrets” to hide those problems. In this post, I share my favorite “secrets”–and why they DON’T work.

Here are my top 10 ways to make an FDA inspection worse:

10. Stalling when the investigator makes a request – This just irritates investigators. At best, the investigator will use the waiting time to identify additional documents to sample or to review the information you have provided more closely. At worst, the investigator will accuse the company of not cooperating with the inspection, and the investigator may return the following week with several more team members to help them. Whenever this occurred during a third-party audit that I conducted, I would move onto another area and interview someone. However, before I left the person that was slow to respond, I provided the person with a list of documents and records that I expected to be waiting for me upon my return. In extreme cases, I had to bluntly tell the management representative that I needed documentation more quickly. As an instructor, I teach auditors techniques for coping with this tactic.

9. Suggesting records for the investigator to sample – This is specifically forbidden in the case of third-party inspections and audits. The FDA has work instructions for identifying sample sizes, and samples are supposed to be selected randomly. In reality, samples are rarely random, and usually, the investigator is following a trail to a specific lot, part number, etc. When clients offered me samples, I tried to be polite and review the record they provided. However, I also would request several other records or follow a trail, as I have indicated above. Another approach I often use is to focus on high-risk items (i.e., – a risk-based approach to sampling). In general, you can expect the FDA investigators to sample more items than a registrar–and sample sizes are often statistically derived if the number of records is sufficiently large. When sample sizes are quite small, I recommend sampling 100% of the records since the previous inspection/audit. This is not always possible for third-party auditors, but internal auditors often can achieve this.

8. Outsourcing processes to subcontractors – The FDA recently reinstated the requirement for contract manufacturers and contract sterilizers to be registered with the FDA by October 1, 2012. Therefore, hiding manufacturing problems from the FDA by outsourcing manufacturing is increasingly more difficult to do. In addition, the FDA focuses heavily on supplier controls and validation of outsourced processes. Therefore, an investigator will identify high-risk processes performed by subcontractors and request documentation of process validation by that supplier. If the company does not have the validation reports, this could quickly escalate to a 483, and possibly a visit to the subcontractor.

7. Trying to correct problems during the inspection – This is what I like to call the document creation department. At one company I worked for, we noticed a mistake across several of the procedures and made a change overnight between the first and second days of the audit. When the auditor asked for the procedures in the morning, he asked, “Is the ink dry yet?” The auditor then proceeded to request records that demonstrated compliance with the newly minted procedures. As you might have guessed, this resulted in several nonconformities. When clients attempt to correct problems found by an investigator, the investigator typically will respond with the following statement, “I applaud you for taking immediate action to contain and correct the problem. However, you still need to perform an investigation of the root cause and develop a corrective action plan to prevent a recurrence. To do this investigation properly may take several days.” I also teach auditors to memorize this phrase.

6. Writing a letter to file – When companies make minor design changes, one of the most common approaches is to “write a letter to file.” This phrase indicates that the design team is adding a memo to the Design History File (DHF) that justifies why design validation is not required or why regulatory notification/approval is not required. The FDA used to publish a decision tree to help companies make these decisions. In fact, such a decision tree is still part of the Canadian significant change document. The FDA recently withdrew a draft document that eliminated many perceived opportunities to utilize the “letter to file” approach. However, the FDA will still issue a 483 to a company if the investigator can identify a change that required validation that was not done, or a 510(k) that was not submitted for a design change. In fact, the FDA looks explicitly for these types of issues when an investigator is doing a “for cause” inspection after a recall or patient death.

5. Shut it down – Not running a production line that has problems is an ideal strategy for hiding problems. However, the FDA and auditors will simply be forced to spend more time sampling and reviewing records of the problematic production line. If you need to shut a line down, ensure everything is identified as nonconforming, and carefully segregate rejected product from good product. You should also use these problem lines as an opportunity to show off your investigation skills and your ability to initiate CAPAs. If you simply forgot to validate a piece of equipment, or do some maintenance, take your lumps and keep production running. If you are a contract manufacturer, never shut it down without notifying the customer. If you do not tell your customer, you will get a complaint related to on-time delivery and a 483.

4. Storing all records off-site – I first heard about this tactic during an auditor course I was co-teaching. During the course, we had many reasons why the company should be able to provide the records in a timely manner. However, I have experienced this first-hand as a third-party auditor. When this happens, I do three things: 1) increase my sampling of records that are available, 2) carefully review supplier controls and supplier evaluation of the storage facility (assuming it is outsourced), and 3) verify that the company has a systematic means for tracking the location (i.e., – pallet and box) for every record sent to storage. FDA investigators will simply move along to another record and follow-up on their earlier request with a second visit, or a request to send a copy of the document to them after the inspection.

3. Identifying information as confidential – A company can claim information is confidential and may not be shared with the public. Still, very little information is “confidential” concerning the FDA or Notified Bodies. Therefore, this strategy rarely works. In fact, this will enrage most FDA investigators. In training courses, I train auditors to ask the auditee to redact confidential information. For example, a CAPA log may have confidential information in the descriptions, but the trend data on opening and closing dates are never confidential.

2. The FDA is not allowed to look at those records – Although this statement is technically true for internal audit reports and management reviews, the FDA always says that they can access this information through the CAPA system. What the FDA means is that there should always be evidence of CAPAs from internal audits and management reviews. If there is not, then this will quickly become a 483. Another person I met tells the story that when they agreed to share the management review records with the investigator, the inspector rarely issued a 483. When they refused to share the management review with the FDA, the inspection went quite badly from that point forth. I don’t agree with being vindictive, but it happens.

1. Show me where that is required – This is just silly. Investigators and auditors are trained on the regulations, while you are educated on your procedures. Spend your time and effort, figuring out how your procedures meet the regulations in some way. Challenging the investigator excites the investigator. We all like a challenge–and we rarely lose. One auditee tried this approach with me in front of their CEO. This experience allowed me to show off that I had memorized the clause in question–and the corresponding guidance document sections. I think the CEO realized quickly that the management representative was not qualified.

My final advice is to do your best to help the investigator do their job, and treat every 483 as “just an opportunity to improve.” Just ensure you submit a response in 14 days, or you will receive a Warning Letter too!

Tags: FDA inspection

Posted in: FDA

Using a Wiki for Document Control

Posted by Rob Packard on August 10, 2012

The author read an article on using Wiki’s for document control, and he shares a “genius idea that is coming of age.”

Procedures can always be improved, but our goal is to make better products—not better procedures. So what could possibly be so exciting about document control that I feel compelled to write another post about “blah, blah, blah?”

I read an article about using Wiki’s for document control.

A Wiki is just a collaborative environment where anyone can add, delete, and edit content. All changes are saved, and Wiki’s can be controlled—while simultaneously being available to everyone. The most famous of all Wiki’s is Wikipedia.

In 2009, Francisco Castaño (a.k.a. – Pancho) began a discussion thread to explain how his company was using a Wiki to manage their documentation system. In the last month, ASQ published an update on the status of Pancho’s Wiki process for document control.

Writing Procedures

In most companies, the process owner writes procedures, and other people in the company rarely comment on minor errors. In the most dysfunctional companies, the Quality Department writes the procedures for the rest of the company or outsources it to consultants. Reviewing and editing procedures should be the responsibility of everyone in the company. Still, I never considered the possibility of having everyone within the company edit procedures simultaneously—until I saw Pancho’s thread. Throughout the discussion, others have indicated that they also tried using Wiki’s to optimize content. This is a genius idea that is coming of age.

Many QMS consultants, including myself, have written procedures for clients. Sometimes this is part of the consulting business model. In these cases, the consultant writes a procedure once and edits it forever—while getting paid a modest fee each time a client asks for a “new” procedure. I often think that it would make more sense to do something like Linux developers have done—use the collaboration of QMS experts around the world to create a general procedure that is free to everyone. This is possible using Wiki’s that are publicly available.

Very soon (hopefully 2013), the responsibilities section of our procedures will fundamentally change. Instead of reading and understanding, everyone will be responsible for writing and editing (oh no, I’ll have to create a new learning pyramid).

Quality will no longer be responsible for writing procedures. Instead, the quality function can focus on monitoring, measuring, data analysis, and improvement of processes and products. The downside is that we will need fewer personnel in document control.

If you want to learn more about Wiki for document control, follow this thread I found on Elsmar Cove. It’s rich in content, and even the moderators have been forced to rethink their preconceptions.

You should also read two articles by Pancho:

Tags: Document Control, Wiki

Posted in: ISO Certification

Do you need to purchase the latest EN ISO 14971 version?

Posted by Rob Packard on August 1, 2012

It is not necessary to purchase the EN ISO 14971 version because you should already be compliant and amendments are sold separately.

Discussion about a risk management standard 1024x664 Do you need to purchase the latest EN ISO 14971 version?

If the above conversation sounds familiar, hopefully, this blog will help.

Note: This is a 2012 blog that will be updated and/or consolidated soon, but here’s a link for risk management training.

Question 1: What is the current version of EN ISO 14971?

Answer 1: EN 14971 was revised to 2012 on July 6, 2012. The previous 2009 version was withdrawn. The ISO version is not changing–just the EN version.

Question 2: What’s new in 2012?

Answer 2: Only the three Annexes related to harmonization with the three directives (MDD, AIMDD, and IVDD) were updated. The content of the Standard itself has not changed.

Question 3: Do I need to buy EN ISO 14971… which really hasn’t changed since 2007?

Answer 3: No…unless you still have the 2000 version. (just my personal opinion … not anyone else necessarily agrees)

Why you don’t need to buy the EN ISO 14971 version…

Historically, Annex ZA was the annex at the back of a Standard that would explain how it is harmonized with the European Directives. However, in 2009, Annex ZA was separated into ZA, ZB, and ZC. Each of these Annexes explained how the current version of ISO 14971 (then ISO 14971:2007) differs from each of the three directives. In addition, there was a correction to Figure 1 (i.e., – arrow in the wrong location). Neville Clarke provided a good summary of these minor changes that occurred in 2009. The European Commission was concerned with some of the differences between the 2009 Standard and the Directives. Therefore, the Standard has been updated to clarify these differences.

There are seven technical deviations from the Standard that are required for compliance with the European Directives. Marcelo Antunes is an expert on Standards, and he accurately describes these deviations as “weird” in a discussion thread on Elsmar Cove’s Forum. The deviation that seems to have caught the most attention is the requirement to reduce ALL risk to “as low as possible” (ALAP) rather than to a level that to “as low as reasonably practicable” (ALARP concept). The “ALAP” acronym was a joke, but it wouldn’t be the first time that something like this stuck (i.e., – SWAG).

An alternative approach to verifying compliance with EN ISO 14971

If you sleep with a label maker under your pillow, you should buy the new BS EN 14971:2012 version, so you can ensure that you are staying in compliance with each of these seven deviations and that you have considered the implications fully in your procedure for Risk Management. However, if you are a practical person that prefers not to upset the entire development team, I recommend a different approach.

1. Download a copy of the relevant Directive from the Europa Website

2. Using Adobe, search the entire Directive for the word “risk”:

AIMDD = 24 times

MDD = 55 times

IVDD = 34 times

3. Systematically review where the word “risk” is used to determine if you need to make adjustments for your CE Marked products. If you already have a CE Mark, there should be no changes required to your risk management documents. Your procedures might need clarification to observe the requirements of the Directive when there is a difference between the Standard and the Directive.

Last Question: What is your Notified Body auditor going to do?

Final Answer: I’m not sure, because every auditor is a little different in their approach. However, as an instructor, I would teach an auditor to ask open-ended questions, such as: “How did you determine if there is an impact upon your procedures and design documentation with regard to the updated Standard?” (i.e., – impact analysis). If the company provides an impact analysis and explains why the existing risk documentation and procedure should not change, I believe this meets the requirements for “equivalency with the State of the Art.”

Honestly, I haven’t seen one single company that was 100% in compliance with the “letter” of the Directives or the Standard. Sometimes, rational thought must overcome political compromises and irrational behaviors.

On the other hand, it’s always possible that these seven deviations, and the information on corrective action, will fundamentally change the way your company approaches risk management (I just dare you to bring it up in your next management review).

If you would like a second opinion, the Document Center’s Standard Forum says, “As you can see, this material is essential to conformance with the EN requirements and will make the purchase of the EN edition (BS EN ISO 14971 is the official English language edition) mandatory for medical device manufacturers certifying to the standard for sales in Europe.” FYI…Document Center’s Standard Forum sells Standards. You can buy this one from them for $324.

Tags: EN 14971:2012, ISO 14971

Posted in: ISO 14971:2019 (Risk Management)

Three Ways to Streamline the 510k Process

Posted by Rob Packard on June 26, 2012

The author proposes three ways to streamline the 510k process through self surveys, scorecards, and modular submissions.

Modular submissions are already used for PMA submissions. Self-surveys and scorecards are tools that most companies utilize to evaluate vendors. Why not implement these solutions to make 510k reviews more efficient?

A few weeks ago, I posted a blog about the Triage pilot program at the FDA. I received some great comments by email, and this blog discusses this subject more in-depth with some specific ideas for streamlining the 510k process. Here’s the argument for considering these three proven methods:

Self-Surveys

In my previous posting about the Triage pilot program, I suggested using the existing FDA traditional 510k screening checklist and converting this into a similar “SmartForm.” Another way to think of this concept is by comparing it with a “Self-Survey.” Companies send Self-surveys to suppliers to gather information about the supplier as justification for approving them; Elsmar Cove has some discussion threads specific to the supplier self-surveys if you are unfamiliar with this method of torture. The critical step in the design of surveys is to require the submitter to provide references to procedures and forms, or to explain why something is not applicable. BSI uses this same strategy for its auditor combined checklists. Instead of checking “yes/no,” the auditor must reference a page in their audit notes where the objective evidence of conformity or nonconformity can be found. A submitter should fill in the checklist, rather than an FDA reviewer because this forces the submitter to verify that everything required is included. Canada has a similar requirement called a “submission traceability table” for Medical Device License Applications (see Appendix A). Self-surveys also replace some of the tedious searchings by a reviewer with cross-referencing work by the submitter.

Scorecards

Another tool that supplier quality uses for supplier evaluations is the Scorecard: Elsmar Cove has a few discussion threads, including one with an example to download. For the 510 processes, I suggest developing scorecards for both the reviewer AND the submitter. The primary metrics for these scorecards would be on-time delivery and completeness of the submission for a submitter. “On-time delivery” requires advanced planning and communication of the submission with the FDA. This is important so that the FDA has adequate time before submission to identify the best reviewer(s) for the submission. The completeness of the submission should be 100% of a self-survey, SmartForm, or checklist used to prepare the submission. The primary metrics for the reviewer would be on-time completion and accuracy of the review.

The FDA already has target turn-around timescales for decisions (i.e., – 90 days), but there are different phases of review and multiple people the are involved in the reviews. Therefore, the measurement of reviewer time should be more granular. The accuracy of the reviewers should be validated by requiring all deficiencies to be re-evaluated by a peer or superior before involving the company. Submission sections without any findings should also be reviewed on a sampling basis as a double-check. Over time, the FDA should be able to use these scorecards to match up a reviewer with a submitter. It is critical that at least one of the parties is experienced, so we don’ t have the “blind leading the blind” situation. For those that are offended by the concept of a required second reviewer–get over it. Radiologists are periodically graded with images that are “red herrings.”

Modular Submissions

My third suggestion is to consider adopting some of the Premarket Approval (PMA) processes for the 510k process. In particular, pre-IDE meetings and modular submissions seem to be logical process improvements. There is typically one component of the submission that is a little behind the rest and can delay a submission. Under the current system, nothing is submitted or reviewed for a 510k, unless it is complete. However, it would enable companies to get new and improved products to market faster if submissions were modular. Validation, such as shelf-life and sterilization validation, is rarely the cause for a “Not Substantially Equivalent” (NSE) letter, but these tests are routinely the last few reports completed for submission.

Adopting a modular submission process for 510k would allow companies to submit sections of the submission as they are completed. This modular approach would alleviate the time pressure on both sides, and this proposed change should result in earlier product launch dates for the industry. The other component of this process is the pre-IDE Meeting. Before initiating a clinical study, companies will submit a plan for the study to the FDA. The intent is to obtain agreement on the validation testing that will be performed by the company–including the number of patients and the design of the clinical study. These meetings would also be valuable for 510k submissions where the company and the FDA need a forum to discuss what verification and validation testing will be required–especially for mixed-predicate devices and devices that are significantly different from a predicate device.

What do you think about these proposed changes to the 510k process?

Please share your own ideas for streaming the 510k process–including any comments regarding the FDA’s plans for change.

Tags: 510(k), 510(k) submission, Food & Drug Administration

Posted in: 510(k)

Leave a Comment (0) →

Auditing Design Controls – 7 Step Process

Posted by Rob Packard on June 23, 2012

This blog reviews seven steps for effectively auditing design controls utilizing the ISO 13485 standard and process approach to auditing.

turtle diagram for design controls Auditing Design Controls 7 Step Process

Third-party auditors (i.e., – a Notified Body Auditor) don’t always practice what we preach. I know this may come as a huge shock to everyone, but sometimes we don’t use the process approach. Auditing design controls is a good example of my own failure to follow was it true and pure. Instead, I use NB-MED 2.5.1/rec 5 as a checklist, and I sample Technical Files to identify any weaknesses. The reason I do this is that I want to provide as much value to the auditing client as possible without falling behind in my audit schedule.

Often, I would sample a new Technical File for a new product family that had not been sampled by the Technical Reviewer yet. My reason for doing this is that I could often find elements that are missing from the Technical File before the Technical Reviewer saw the file. This gives the client an opportunity to fix the deficiency before submission and potentially shortens the approval process. Since NB-MED documents are guidance documents, I could not write the client up for a nonconformity, unless they were missing a required element of the M5 version of the MDD (93/42/EEC as modified by 2007/47/EC). This is skirting the edge of consulting for a third- party reviewer, but I found it was a 100% objective way to review Technical Files. I also found I could review an entire Technical File in about an hour.

What’s wrong with this approach to auditing design controls?

This approach only tells you if the elements of a Technical File are present, but it doesn’t evaluate the design process. Therefore, I supplemented my element approach with a process audit of the design change process by picking a few recent design changes that I felt were high-risk issues. During the process audit of the design change process, I sampled the review of risk management documentation, any associated process validation documentation, and the actual design change approval records. If I had time, I looked for the following types of changes: 1) vendor change, 2) specification change, and 3) process change. By doing this, I covered the following clauses in ISO 13485:2016: 7.4 (purchasing), 7.3.9 (design changes), 7.5.6 (process validation), 7.1 (risk management), and 4.2.5 (control of records).

So what is my bastardized process approach to auditing design controls missing? Clauses 7.3.1 through 7.3.10 of ISO 13485:2016 are missing. These clauses are the core of the design and development process. To address this, I would like to suggest the following process approach:

Step 1 – Define the Design Process

Identify the process owner and interview them. Do this in their office–not in the conference room. Get your answers for steps 2-7 directly from them. Ask lots of open-ended questions to prevent “yes/no” responses.

Step 2 – Process Inputs

Identify how design projects are initiated. Look for a record of a meeting where various design projects were vetted and approved for internal funding. These are inputs into the design process. There should be evidence of customer focus, and some examples of corrective actions taken based upon complaints or service trend analysis.

Step 3 – Process Outputs

Identify where Design History Files (DHF) are stored physically or electronically, and determine how the DHF is updated as the design projects progress.

Step 4 – What Resources

This is typically the step of a process audit where their auditor needs to identify “what resources” are used in the process. However, only companies that have software systems for design controls have resources dedicated to Design and Development. I have indicated this in the “Turtle Diagram” presented above.

Step 5 – With Whom, Auditing Training Records

Identify which people are assigned to the design team for a design project. Sometimes companies assign great teams. In this case, the auditor should focus on the team members that must review and approve design inputs (see Clause 7.3.2) and design outputs (see Clause 7.3.3). All of these team members should have training records for Design Control procedures and Risk Management procedures.

Step 6 – Auditing Design Controls Procedures and Forms

Identify the design control procedures and forms. Do not read and review these procedures. Auditors never have the time to do this. Instead, ask the process owner to identify specific procedures or clauses within procedures where clauses in the ISO Standard are addressed. If the process owner knows exactly where to find what you are looking for, they’re training was effective, or they may have written the procedure(s). If the process owner has trouble locating the clauses you are requesting, spend more time sampling training records.

Step 7 – Process Metrics

Ask the process owner to identify some metrics or quality objectives they are using to monitor and improve the design and development process. This is a struggle for many process owners–not just design. If any metrics are not performing up to expectations, there should be evidence of actions being taken to address this. If no metrics are being tracked by the process owner, you might review schedule compliance.

Many design projects are behind schedule, and therefore this is an important metric for most companies. Now that you have completed your “Turtle Diagram,” if you have more time to audit the design process, you can interview team members to review their role in the design process. You could also sample-specific Technical Files as I indicated above. If you are performing a thorough internal audit, I recommend doing both. To learn more about using the process approach to auditing, you can register for our webinar on the topic.

Tags: auditing, Design controls, ISO 13485

Posted in: Design Control, ISO Auditing

Auditing Medical Device Software Vendors

Posted by Rob Packard on June 20, 2012

This blog presents some thoughts related to auditing medical device software companies.

Software medical devices are used to assist medical professionals. For example, radiologists use software with identifying areas of interest for medical imaging. Do you know how to audit a software company?

As a third-party auditor, I have had the pleasure of auditing software companies for CE Marking. When you audit a software company for the first time, this forces you to re-learn the entire ISO 13485 Standard. For example, if a company only produces software (i.e. software as a medical device or SaMD) there is very little to sample for incoming inspection and purchasing records. This is because the product is not physical—it’s software. Clauses of ISO 13485 related to sterility, implants, and servicing are also not applicable to software products. If the software is web-based, the shipping and distribution clauses (i.e., – 7.5.5) might present a challenge to an auditor as well.

The aspects of the ISO 13485 Standard that I found to be the most important to auditing software products were design controls and customer communication. Many auditors are trained in auditing the design and development of software, but very few auditors have experience auditing technical support call centers. When auditing a call center, most of the calls represent potential complaints related to software “bugs,” system incompatibilities with the operating system or hardware, and use errors resulting from the design of the user interface.

In most technical support call centers, the support person tries to find a work-around for problems that are identified. The problem with a “work-around” is that it is the opposite approach to the CAPA process. To meet ISO 13485 requirements, software companies must show evidence of monitoring and measuring these “bugs.” There must also be evidence of management identifying negative trends and implementing corrective actions when appropriate.

As an auditor, you should focus on how the company prioritizes “bugs” for corrective actions. Most software companies focus on the severity of software operations and the probability of occurrence. This is the wrong approach. Failure to operate is not the most severe result of medical device software failure. Medical device software can result in injury or death to patients. Therefore, it is critical to use a risk-based approach to the prioritization of CAPAs. This risk-based approach should focus on the severity of effects upon patients—not users. This focus on safety and performance is emphasized throughout the EU Medical Device Regulations and it is a risk management requirement in ISO 14971.

Tags: auditing, software vendor

Posted in: ISO Auditing

Leave a Comment (0) →

Page 23 of 26 «...10 20 21 222324 25...»