Robert Packard, Author at Medical Device Academy

Oct 27 2019

Private Labeled Devices with FDA Approval

This article explains the FDA regulations related to private labeled devices that are already 510k cleared and distributors want to import.

This article was initially inspired by a question asked on the Medical Devices Group website hosted by Joe Hage. Companies often ask about how to private labeled devices in the USA, because they are unable to find anywhere in the FDA regulations where private labeling of the device is described. The reason for this is because the FDA regulations for devices allow for the labeling to identify the distributor only—without any mention of the OEM manufacturer on the label. In contrast, most other countries have “own-brand labeling” regulations or regulations for private labeling devices. It is also important to remember that the FDA only approves devices through the pre-market approval (PMA) pathway. All other devices fall into one of three categories: 1) 510k exempt, 2) 510k cleared, or 3) De Novo classification request approved. Devices that fall into the third category will subsequently fall into category 1 or 2 after the FDA approves the classification request.

Questions about the private labeled devices process for FDA

Our distribution company is interested in getting a private labeled devices agreement with an OEM to sell a Class II medical device in the USA. The OEM has 510(k) clearance, and the only product change will be the company’s name and address on the label. There will be no change to the indications for use. Please answer the following questions:

Is it legal to eliminate all mention of the OEM from the device labeling?
Who is responsible for complaint handling and medical device reporting? OEM or private-labeled distributor?
What is the process to get this private label for the Class II device?
How can our distribution company avoid paying the FDA user fee?

Answer to the first question about private labeled devices

The FDA is unique in that they allow either the distributor or the manufacturer to be identified on the label, but both are not required. Therefore, if Joe Hage were the distributor, and you were the manufacturer, there are two legal options for the private labeled device: 1) “Distributed by Joe Hage”, or 2) “Manufactured for Joe Hage.”

The manufacturer is not required to be identified on the label. However, the OEM must be registered and listed with the FDA. If the OEM is outside the USA, then the distributor must register and list with the FDA as the initial importer and reference the K number when they complete the FDA listing. There is no approval required by the FDA. You will need a quality agreement defining the roles and responsibilities of each party, but that is all.

Answer to the second question about private labeled devices

The quality agreement must specify which company is responsible for complaint handling (21 CFR 820.198) and medical device reporting (21 CFR 803). In this situation, the OEM is the specification developer, as defined by the FDA. Therefore, the OEM will be responsible for reporting and execution of recalls. Therefore, even if the distributor with a private label agreement is identified as the “complaint file establishment,” the OEM will still need to obtain copies of the complaint information from the distributor, and determine if medical device reporting and/or corrections and removals are required (i.e., recalls).

Answer to the third question about private labeled devices

There is no formal process for “getting a private label.” The entire private label process is negotiated between the distributor and the OEM with no involvement of the FDA. However, in the listing of devices within the FDA FURLS database, all brand names of the device must be identified. Therefore, the OEM will need to add the new brand name used by the distributor to their listing for the 510(k) cleared product. However, the FDA does have the option to keep this information confidential by merely checking a box in the device listing form.

Answer to the fourth question about private labeled devices

If the distribution company is the initial importer of a device into the USA, then the distributor must be registered with the US FDA as the initial importer, and the distributor will need to pay the FDA user fee for the establishment registration. That user fee is $5,236 for FY 2020, and there is no small business discount for this fee. The only way to avoid paying the user fee is to have another company import the device, who is already registered with the FDA, and to distribute the product for that company. I imagine some logistics brokers might be acting as an initial importer for multiple distributors to help them avoid paying the annual FDA user fee for establishments. That company might also be providing US Agent services for multiple OEMs. However, I have not found a company doing this.

Is private labeling of device legal in the USA?

The FDA is unique in that they allow either the distributor or the manufacturer to be identified on the label, but both are not required. Therefore, if Joe Hage were the distributor, and you were the manufacturer, there are two legal options for the private label: 1) “Distributed by Joe Hage”, or 2) “Manufactured for Joe Hage.”

Who must register, list, and pay user fees for medical devices?

This question is frequently asked, and the table with the information was not visible on my mobile browser. Therefore, I copied the table from the FDA website and posted the information in the image below. The information is copied directly from the FDA website:

Registration and Listing Requirements for Domestic Establishments

Registration and Listing Requirements for Foreign Establishments

For products that are manufactured outside the USA, and imported into the USA, the initial importer is often the company identified on the label. There are two typical private labeling situations, but other possibilities exist:

If the initial importer owns the 510(k), then the manufacturer outside the USA is identified as the “contract manufacturer,” and the initial importer is identified as the “specifications developer.” Both companies must register their establishments with the FDA, and there needs to be a quality agreement between the two companies defining roles and responsibilities. The contract manufacturer outside the USA is not automatically exempt from reporting requirements and complaint handling. The contract manufacturer outside the USA may decide to label the product as a) “Manufactured by”, b) “Manufactured for”, or c) “Distributed by.” Options “a”, “b” and “c” would list the importer’s name because they own the 510(k), and they are the distributor. This situation often occurs when companies outside the USA want to sell a product in the USA, but they do not want to take on the responsibility of obtaining 510(k) clearance. These firms often believe this will exempt them from FDA inspections, but the FDA is increasingly conducting FDA inspections of contract manufacturers due to this private label situation.
If the manufacturer owns the 510(k), then the manufacturer outside the USA is identified as the “specifications developer” and the “manufacturer,” while the initial importer will be identified as the “initial importer.” The importer may also be specified as the complaint file establishment and/or repackager/relabeler in the FDA registration database. The manufacturer outside the USA will not be able to import the device into the USA without identifying an initial importer in the USA in the FDA FURLS database. The manufacturer outside the USA may decide to label the product as a) “Manufactured by”, b) “Manufactured for”, or c) “Distributed by.” Options “b” and “c” would list the importer’s name, while option “a” would list the manufacturer’s name. This situation often occurs when US companies want to be the distributor for a product made outside the USA, and the company wants a private labeled product. This also happens when the OEM wants the option to have multiple US distributors.

In both of the above private-label situations, the non-US firm must have a US Agent identified because the company is located outside the USA. The US Agent may be the initial importer, but this is not required. It could also be a consulting service that acts as your US Agent. The US Agent will be responsible for receiving communications from the FDA and confirming their role as US agents each year when the registration is renewed. Medical Device Academy offers this service to non-US clients we help obtain 510(k) clearance.

Follow-up questions

A Korean company, with a US distribution subsidiary, would like to private label a medical device with an existing 510(k) owned by another company in their name. Does the Korean company need a contract in place before private labeling? Does the US subsidiary and/or the Korean parent company need to be registered in the USA prior distribution of the private-labeled version of the device in the USA?

Rob’s response: Initially, it was unclear from the wording of the question as to whom is the 510(k) owner, which company will be on the label, who is doing the labeling, and who is doing the importing to the USA. The person asking Joe Hage this question tried clarifying their question via email, but we quickly switched to scheduling a phone call using my calendly link. I have reworded the question above, but here are some of the important details I learned during our phone call:

The person asking was already acting as the relabeler, repackager, and they were distributing the product in the USA. This person’s company is also registered with the FDA.
The device is 510(k) cleared by another US company, and there is no need to worry about the complications of an initial importer being identified for a product manufactured in the USA.

In this situation, the relabeler/repackager can relabel the product for the Korean company’s US subsidiary as long as there is a quality agreement in place for all three parties (i.e., relabeler, distributor, and manufacturer). There is no need for the Korean parent company to register with the FDA. There is no need for a new 510(k) submission, and the US subsidiary does not need to register with the FDA—as long as the quality agreement specifies that the US subsidiary will maintain records of distribution, facilitate recalls if required, and notify the manufacturer of any potential complaints and/or adverse events immediately. The manufacturer with 510(k) clearance will be responsible for complaint handling, medical device reporting, and execution of recalls according to the agreement. The relabeler will be responsible for maintaining records of each lot of product that is relabeled for the US subsidiary, and the relabeler must maintain distribution records that link the original manufacturer’s lot to the lot marked on the relabeled product.

If you have questions about the private labeling of your device, please contact us.

Private Labeled Devices with FDA Approval Read More »

Oct 9 2019

Integrating usability testing into your design process

1 Comment / Design Control, Usability / By Robert Packard

This article explains how you should be integrating usability testing into your design control process–especially formative usability testing.

Why you should be integrating usability testing into the design

We recently recorded an updated usability webinar and released a usability procedure (SYS-048) with help from Research Collective–a firm specializing in human factors testing. After listening carefully to the webinar, and reading through the new usability procedure, I felt we needed to update our combined design/risk management plan to specify formative testing during phase 3 and summative (validation) testing during phase 4 of the design process. This is necessary to ensure your usability testing is interwoven with your risk management process. Integrating usability testing into all phases of your design process is critical–especially design planning (phase 1), feasibility (phase 2), and development (phase 3).

Integrating usability testing into your design plan helps identify issues earlier

During the usability training webinar, Research Collective provided a diagram showing the various steps in the usability engineering process. The first five steps should be included in Phases 1 and 2 of your design process. Phase 1 of the design process is planning. In that phase, you should identify all of the usability engineering tasks that need to be performed during the design process and estimate when each activity will be performed. The first of these usability activities is the identification of usability factors related to your device. Identifying usability factors is performed during Phase 2 of your design process before hazard identification.

Indentifying Usability Issues 300x209 Integrating usability testing into your design process

Before performing hazard identification, which should include identifying potential use errors, you need to identify five key usability elements associated with your device:

prospective device users during all stages of use must be defined
use environments must be identified
user interfaces must be identified
known use errors with similar devices and previous generations of your device must be researched
critical tasks must be described in detail and analyzed for potential use errors

Defining users must include the following characteristics: physical condition, education, literacy, dexterity, experience, etc. Use environment considerations may consist of low lighting, extreme temperatures or humidity, or excessive uncontrolled motion (e.g., ambulatory devices). User interfaces may include keyboards, knobs, buttons, switches, remote controllers, or even a touch screen display.

Often the best reason for developing a new device is to address an everyday use error that is inherent to the design of your current device model or a competitor’s product. Therefore, a thorough review of adverse event databases and literature searches for potential use errors is an important task to perform before hazard identification. This review of adverse event data and literature searches of clinical literature are key elements of performing post-market surveillance, and now ISO 13485:2016 requires that post-market surveillance shall be an input to your design process.

Finally, the step-by-step process of using your device should be analyzed carefully to identify each critical user task. User tasks are defined as “critical” for “a user task which, if performed incorrectly or not performed at all, would or could cause serious harm to the patient or user, where harm is defined to include compromised medical care.” Not every task is critical, all critical tasks must be identified, and ultimately you need to verify that each critical task is performed correctly during your summative (validation) usability testing.

Evaluating Risk Control Options – Formative Usability Testing in Phase 3 (Development)

Once your design team has conducted hazard identification and identified your design inputs (i.e., design phase 2), you will begin to evaluate risks and compare various risk control options. Risk control option analysis requires testing multiple prototype versions to assess which design has the optimum benefit/risk ratio. This is an iterative process that involves screening tests. For any use risks you identify, formative usability testing should be performed. Sometimes the risk controls you implement will create new use errors or new risks of other types. In this case, you must compare the risks before implementing a risk control with risks created by the risk control.

Ideally, each design iteration will reduce the risks further until all risks have been eliminated. The international risk management standard (ISO 14971) states that risks shall be reduced as low as reasonably practicable (ALARP). However, the European medical devices regulations require risks to be reduced as far as possible, considering the state-of-the-art. For example, all small-bore connectors in the USA are now required to have unique connectors that are incompatible with IV tubing Luer lock connections to prevent potential use errors. That requirement is considered “state-of-the-art.” If your device is marketed in both the USA and Europe, you will need to reduce errors as far as possible–before writing warnings and precautions in your instructions for use.

Reaching the point where use errors cannot be reduced any further may require many design iterations, and each iteration should be subsequently evaluated with formative usability testing. Formative testing can be performed with prototypes, rather than production equivalents, but the formative testing conditions should also address factors such as the use environment and users with different levels of education and/or experience. Ultimately, if the formative testing is done well, summative (validation) testing will be a formality.

Risk Control Effectiveness During Phase 4 – Summative Usability Testing during Verification

Once your team freezes the design, you will need to conduct verification testing. This includes integrating usability testing into the verification testing process. Summative (validation) testing must be performed once your design is “frozen.” If you are developing an electrical medical device, then you will need to provide evidence of usability testing as part of your documentation for submission to an electrical safety testing lab for IEC 60601-1 testing. There is a collateral standard for usability (i.e., IEC 60601-1-6). For software as a medical device (SaMD), you will also be expected to conduct usability testing to demonstrate that the user interface does not create any user errors.

When you conduct summative (validation) testing, it is critical to make sure that you are using samples that are production equivalents rather than prototypes. Also, it is crucial to have your instructions for use (IFU) finalized. Any residual risks for use errors should be identified in the precautions section of your IFU, and the use of video is encouraged as a training aid to ensure use errors are identified, and the user understands any potential harm. When the summative testing is performed, there should be no deviations and no use errors. Inadequate identification of usability factors during Phase 2, or inadequate formative testing during Phase 3, is usually the root cause of failed summative testing. If your team prepared sufficiently in Phase 2 and 3, the Phase 4 results would be unsurprisingly successful.

Additional Training Resources for Usability Engineering

The following additional training resources for usability engineering may be helpful to you:

Integrating usability testing into your design process Read More »

Aug 27 2019

Hiking Expedition

Leave a Comment / News / By Robert Packard

On August 9, 2019, three generations of my family left Glastonbury, CT, on a two-week hiking expedition to complete three of the highest peaks in the USA.

Our plan for the hiking expedition was to hike four of the highest peaks. My father, Bob Packard (age 77), is trying to complete all 50 of the highest peaks in each of the United States. For this trip we planned to hike the following mountains:

Wheeler Peak – New Mexico
Kings Peak – Utah
Borah Peak – Idaho
Granite Peak – Montana

Bailey Packard (18), Noah Packard (20), Rob Packard (47), and Bob Packard (77) started on Friday, August 9, from Glastonbury, CT.

Start 300x225 Hiking Expedition — Glastonbury, CT

Then we drove West for a long time. On Saturday, August 10, we stopped at the Waffle House.

Waffle House 300x169 Hiking Expedition — Waffle House

Then we got back in the car.

Finally, on Sunday, August 11, we arrived at the base of Wheeler Peak. We decided to hike it that day despite not acclimating to the altitude and not sleeping in two days.

4 Bailey Base of Wheeler e1566919907502 225x300 Hiking Expedition — Bailey Packard

5 Noah Base of Wheeler e1566919966989 225x300 Hiking Expedition — Noah Packard

Wheeler Peak 1 300x225 Hiking Expedition — Wheeler Peak

Then we headed back across the ridge and down to the car. The evening we drove to Colorado and slept. The following morning, Monday, August 12, we drove through Colorado.

That evening we arrived at Henry’s Fork Trail Head in Utah several hours after dark. We pitched tents in the parking area and slept for the night. In the morning, Tuesday, August 13, we woke to ice on our tents. Then we began the long hike into the valley (see Bailey’s video above).

We were all carrying too much gear, and we needed some rest.

While we enjoyed the view of the valley.

Later we saw a couple of moose (Bailey got close enough for a selfie).

We slept the night just below Gun Sight Pass and then headed up Kings Peak in the morning of Wednesday, August 14.

Another spectacular view.

Then we headed back across the ridge (very challenging and exposed).

That afternoon Bailey got lost, but we found him back at the tents several hours later just before dark. Noah was exhausted and took a nap in the middle of the Gun Sight Pass. We all slept well and hiked back to the car in the morning of Thursday, August 15.

Then we drove to Idaho Falls, and we had all you can eat steak at Stockman’s.

We took at rest day on Friday, August 16. On Saturday, it was perfect weather, and we drove to Borah Peak in Idaho–just two hours Northwest from Idaho Falls. We arrived just after 6 am and began hiking as the sun rose.

Now I understand why Wheeler was rated a 1+ in difficulty. Kings Peak was rated a 2+ in difficulty, and Borah is 3+ in difficulty. There is a 2,000+ foot cliff on both sides of a goat path across a knife-edge. There is sharp, jagged shale everywhere and no trees. Winds are fierce, and it’s not a windy day. Temperatures were in the low 40s. I decided to “chicken out” just before we got to “Chicken Out Ridge.”

Where Rob Waited 300x225 Hiking Expedition — This is where Rob waited for the others.

The ice bridge was not expected, and dozens of weekend hikers with no experience were trying to crawl across the ice. Bailey used his knife for extra grip on the ice. Bob was almost knocked off the mountain by a falling boulder, and they made it to the peak waiting for Bailey’s pictures to be added later.

Then we all headed down the mountain.

The following day, Sunday, August 18, we drove home our feet were too sore to attempt Granite Peak. But along the way, we stopped on Monday, August 19 at Portillo’s for

20190819 173135 300x225 Hiking Expedition — Chocolate Cake Shake

Thank you for your support, and thank you to Noah and Bailey for joining my dad and me on this hiking expedition. These are memories we’ll never forget.

Hiking Expedition Read More »

Aug 1 2019

Auditing Technical Files

5 Comments / Auditing, Technical Files / By Robert Packard

This article explains what to look at and what to look for when you are auditing technical files to the new Regulation (EU) 2017/745 for medical devices.

Your cart is empty

On August 8th, 2019, we recorded a live webinar teaching you what to look at and what to look for when you are auditing technical files (a link for purchasing the webinar is at the end of this article). Technical files are the technical documentation required for CE Marking of medical devices. Most quality system auditors are trained on how to audit to ISO 13485:2016 (or an earlier version of that standard), but very few quality system auditors have the training necessary to audit technical files.

Why you’re not qualified to auditing technical files

If you are a lead auditor, you are probably a quality manager or a quality engineer. You have experience performing verification testing and validation testing, but you have not prepared a complete technical file yourself. You certainly can’t describe yourself as a regulatory expert. You are a quality system expert. A couple of webinars on the new European regulations are not enough to feel confident about exactly what the content and format of a technical file for CE marking should be.

Creating an auditing checklist

Most auditors attempt to prepare for auditing the new EU medical device regulations by creating a checklist. The auditor copies each section of the regulation into the left column of a table. Then the auditor plans to fill in the right-hand columns of the table (i.e., the audit checklist), with the records they looked at and what they looked for in the records. Unfortunately, if you have never created an Essential Requirements Checklist (ERC) before, you can only write in your audit notes that the checklist was completed and what the revision date is. How would you know if the ERC was correctly completed?

In addition to the ERC, now called the Essential Performance and Safety Requirements (i.e., Annex I of new EU regulations), you also need to audit all the Technical Documentation requirements (i.e., Annex II), all the Technical Documentation on Post-Market Surveillance (i.e., Annex III), and the Declaration of Conformity (i.e., Annex IV). These four annexes are 19 pages long. If you try to copy and paste each section into an audit checklist, you will have a 25-page checklist with more than 400 things to check. The result will be a bunch of checkboxes marked “Yes,” and your audit will add no value.

Audits are just samples

Every auditor is trained that audits are just samples. You can’t review 100% of the records during an audit. You can only sample the records as a “spot check.” The average technical file is more than 1,000 pages long, and most medical device manufacturers have multiple technical files. A small company might have four technical files. A medium-sized company might have 20 technical files, and a large device company might have over 100 files. (…and you thought the 177-page regulation was long.)

Instead of checking many boxes, “Yes,” you should look for specific things in your audit records. You also need a plan for what records to audit. Your plan should focus on the essential records and any problem areas identified during previous audits. You should always start with a list of the previous problem areas because there should be corrective actions that were implemented, and the effectiveness of corrective actions needs to be verified.

Which records are most valuable when auditing technical files?

I recommend selecting 5-7 records to sample. My choices would be: 1) the ERC checklist, 2) the Declaration of Conformity, 3) labeling, 4) the risk management file, 5) the clinical evaluation report, and 6) post-market surveillance reports, and 7) design verification and validation testing for the most recent design changes. You could argue that my choices are arbitrary, but an auditor can always ask the person they are planning to audit if these records would be the records that the company is most concerned about. If the person has other suggestions, you can change which records your sample. However, you don’t want to sample the same records every year. Try mixing it up each year by dropping the records that looked great the previous year, and adding a few new records to your list this year.

What to look for when auditing technical files

The first thing to look for when you audit records: has the record been updated as required? Some records have a required frequency for updating, while other records only need to be updated when there is a change. If the record is more than three years old, it is probably outdated. For clinical evaluation reports and post-market surveillance reports, the new EU regulations require updating these reports annually for implantable devices. For lower-risk devices, these reports should be updated every other year or once every three years at a minimum.

Design verification and design validation report typically only require revisions when a design change is made, but a device seldom goes three years without a single change–especially devices containing software. However, any EO sterilized product requires re-validation of the EO sterilization process at least once every two years. You also need to consider any process changes, supplier changes, labeling changes, and changes to any applicable harmonized standards.

Finally, if there have been any complaints or adverse events, then the risk management file probably required updates to reflect new information related to the risk analysis.

Which record should you audit first?

The ERC, or Essential Performance and Safety Requirements checklist, is the record you should audit first. First, you should verify that the checklist is organized for the most current regulations. If the general requirements end with section 6a, then the checklist has not been updated from the MDD to the new regulations–which contains nine sections in the general requirements. Second, you should make sure that the harmonized standards listed are the most current versions of standards. Third, you should ensure that the most current verification and validation reports are listed–rather than an obsolete reports.

More auditor training on technical files…

We recorded a live webinar intended to teach internal auditors and consultants how to perform a thorough audit of CE Marking Technical Files against the requirements of the new European regulations–Regulation (EU) 2017/745.

With access to this training webinar, we are also providing a native presentation slide deck, and an audit report template, including checklist items for each of the requirements in Annex I, II, III, and IV of the MDR.

We also provide an exam (i.e., a 10-question quiz) to verify training effectiveness for internal auditors performing technical file auditing. If you submit the completed exam to us by email in the native MS Word format, we will correct the exam and email you a training certificate with your corrected exam. If you have more than one person that requires a training certificate, we charge $49/exam graded–invoiced upon completion of grading.

Technical File Audit Report Auditing Technical Files

Technical File Auditing for Compliance with MDR

This webinar provides an audit report template and teaches auditors how to conduct technical file auditing for compliance with Regulation (EU) 2017/745.

Price: $129.00

In addition to this webinar on auditing technical files, other training webinars are available. For example, we have a webinar on risk management training. If your firm is preparing for compliance with the new MDR, you might also be interested in the following information provided on this website:

A CE Marking procedure including templates for the Essential Requirements, a Declaration of Conformity, and a Technical File Index.
A blog outlining how to create your Quality Plan for compliance with the MDR
A blog explaining three significant differences between the requirements of a Technical File for CE Marking and a 510(k) submission
An 8-part webinar-based course reviewing the requirements of Regulation (EU) 2017/745 and comparing the requirements with the MDD (93/42/EEC as modified by 2007/47/EC).

Please note: A link for logging into this Zoom webinar will be delivered to the email address provided in the shopping cart transaction. After verifying the transaction, please check your email for the login information. To view the available webinars, click here. If you cannot participate in the live Zoom webinar, a link for downloading the recording will be emailed to you.

Auditing Technical Files Read More »

Jul 25 2019

Accelerating design projects – one secret you haven’t heard

1 Comment / Design Control / By Robert Packard

This article identifies one overlooked secret to accelerating design projects that you can implement immediately, and it will work on every project.

You would love to cut a few weeks off the launch schedule for your device. If you had a magic wand, what would you wish for? The trick to accelerating design projects is not an unlimited budget, hiring ten more engineers, or paying a Nationally Recognized Testing Laboratory (NRTL) to only work for you.

I know a secret for accelerating design projects that will work, but first, you need to understand why projects take as long as they do. Yes, I worked on a few design teams, but I learned the most from watching companies make mistakes that created delays and cost them time. Sterility tests can not be made shorter, guinea pig maximization tests (GPMT) can’t be completed in four weeks, and your electrical safety testing report will not be delivered when the lab promised it would be.

Accelerating design projects by preventing testing delays

The primary source of delay is not that testing is delayed, but rather the testing is not started as early as it could be. Some managers believe that the solution is to use a Gantt chart. Unfortunately, Gantt charts are not a solution. Gantt charts are just tools for monitoring projects. There is much more to project management. If you forget to do just one test, your entire project will be delayed until that test is finished. Therefore, making sure you identify every required test is an essential early project task–even before you start designing your device. You also need to update the plan when things change.

Start with a generic template for your testing plan

Our firm has a template for a device testing plan that we use for every pre-submission request. Getting help in creating your testing plan is one of the most important reasons to hire our firm to help you with a pre-submission request. Surprisingly, our template is more comprehensive than most design plans. What makes our plan surprising is that it’s a generic testing plan that I created in 30 minutes. If you would like it, just email me at rob@13485cert.com. We also have an updated template for combined design and risk management plans.

I’m not suggesting that our plan template already includes every single safety and performance test. Our testing plan does not include everything. However, we spend several hours looking for applicable guidance documents and researching the testing requirements for your device. Then we add the requirements we find to your customized testing plan in the pre-submission request.

Basics of shortening the critical path

If your testing plan includes 100% of the safety and performance tests that you need, your project will still be unnecessarily delayed. The reason for the unnecessary delay is that you are not taking advantage of the three most important timing factors:

First, do every test in parallel that you can.
Second, identify any tests that must be done sequentially.
Third, protect your critical path from further delays.

If the three “tricks” I listed above are new to you, you might consider reading more about a single-minute exchange of die (SMED) techniques, and applying the theory of constraints to project management:

In summary, I gave you several clues to the one secret. But the one secret is simple and practical. You need someone on your team who only focuses on the testing plan. Usually, every person on a design team is multitasking, but none of us can focus when we are multitasking. As the design project manager, it would be impossible for you to focus on one task. You are a project manager of a design team, and managing a project team is inherently all about multitasking. Therefore, you need to give one person on your team the task of focusing on the testing plan throughout the entire project. It doesn’t have to be the same person during every phase of the project. In fact, by rotating who that person is, each person assigned this responsibility only needs to be dedicated for a short duration. This is a critical concept. One person must be focused on your testing plan, and that person must be dedicated to that task as long as they are responsible for focusing on your testing plan. You might even consider making a big deal out of it…

Managers are always looking for creative ways to motivate teams. Custom t-shirts are fun, you can quickly design a different t-shirt for each role on the team, everyone can wear their t-shirt to team meetings, and the testing plan t-shirt will identify who has the responsibility for focusing on the secret to completing the project on schedule. You can order one of these t-shirts from us for $15. I dare you to compare the cost of a few custom t-shirts with the other solutions you were considering.

Our Testing Plan is my life T-Shirt

Please click the button to confirm that you'd like to receive the t-shirt shown in the picture. Please let us know what size you would like (M, L, XL, 2XL, 3XL). Only white t-shirts available with black graphics. We also need your shipping address. Shipping via US Postal Service is FREE. If you want the t-shirt expedited, we can ship it via FedEx to you. We will invoice you for the cost of our FedEx shipping to your location.

Price: $15.00

Your cart is empty

If you liked this article, please share it. If you are interested in design control or risk management training, consider purchasing one of our webinars on those topics for your company.

Accelerating design projects – one secret you haven’t heard Read More »

Dec 31 2018

MDR Quality Plan – for EU Regulation 2017/745 Compliance

2 Comments / CE Marking / By Robert Packard

This article outlines an EU MDR quality plan for compliance with European Regulation 2017/745 for medical devices by the May 26, 2020 transition deadline.

Biggest MDR quality plan mistakes

Implementing an MDR quality plan is not just about updating your technical file and the procedures specific to CE Marking of medical devices. You need to make sure that you have planned to provide adequate resources for the successful implementation of your plan. Resources fall into four major categories, and all four should be addressed in a formal MDR quality plan that you have reviewed and approved during a management review meeting (i.e., ISO 13485:2016, Clause 5.6.3d). First, you need to provide adequate training. Second, you need to provide adequate equipment–such as UDI printing software and an electronic quality system database. Third, you need to provide adequate personnel. Fourth, you need to revise and update your quality system procedures.

European companies concentrated enormous resources in 2018 to prepare for the implementation of the EU Regulations in 2020. This may seem early, but most of those companies are realizing they should have started in 2017–immediately after Regulation 2017/745 was approved by the European Parliament and Council. In contrast, most companies in the USA were focusing on ISO 13485:2016 certification and MDSAP certification. Unfortunately, many CEOs were told that there is a “soft-transition,” and they have until 2024 to implement the new regulations. While it is true that most CE Certificates issued by notified bodies will be valid until their expiration date, and that date could be as late as May 25, 2024, it is not true that companies have until 2024 implement the new regulations. Quality system requirements in Article 10 of the MDR, and compliance with the MDR for economic operators, must be implemented by May 26, 2020. Any medical devices that are being reclassified will require full implementation by May 26, 2020, as well. Finally, notified bodies cannot renew 100% of the CE Certificates on May 25, 2020, to give manufacturers the full 4-year transition for certificates. Your certificate will expire based upon the certificate renewal cycle that is already established.

Required procedures for your EU MDR quality plan

You might not know that ISO 13485:2016 certification is not required for CE Marking of medical devices. Although ISO 13485 certification is the most popular way for companies to demonstrate quality system compliance with EU regulations, the actual requirement is to comply with the thirteen procedural requirements in Article 10 of EU Regulation 2017/745. Specifically, those thirteen procedures are:

Conformity assessment procedure / significant change procedure – SYS-025
Identification of safety and performance requirements (i.e., Essential Requirements Checklist) – FRM-038
Management responsibilities – SYS-003
Resource management, including suppliers – SYS-004 and SYS-011
Risk management – SYS-010
Clinical evaluation – SYS-041
Product realization, including design, production, and service – SYS-008, SYS-012, and SYS-013
UDI requirements – SYS-039
Post-market surveillance – SYS-019
Communication with competent authorities notified bodies and other economic operators – SYS-049 (new requirement)
Vigilance reporting, including serious incidents and field safety corrective actions – SYS-036 and SYS-020
Corrective and preventive actions – SYS-024
Monitoring and measurement of processes – SYS-017

Note: If you are interested in one of the procedures listed above that does not have a hyperlink, please contact me via email at rob@13485cert.com. The procedures are available, and the links will be provided during the next two weeks. The only exception is SYS-026. That is a new procedure in draft format, and it will be the subject of a future blog. Medical Device Academy will be revising each of the above procedures for compliance with EU Regulation 2017/745 in accordance with the MDR quality plan that we have outlined in this blog article. These procedures are all compliant with ISO 13485:2016, and updates for compliance with the EU MDR will be made available at no additional charge.

The priority of requirements for MDR quality plan

There are seven major changes required for compliance with the European Regulation 2017/745. These priorities are listed in order of highest to lowest effort and cost that will be required to comply, rather than the chronological order. First, some medical devices are being reclassified. Second, new CE certificates must be issued under the new conformity assessment processes. Third, technical documentation must be updated to meet Annex II of Regulation 2017/745. Fourth, post-market surveillance documentation must be updated to comply with Annex III of Regulation 2017/745. Fifth, specific documentation must be uploaded to the Eudamed. Specifically, manufacturers must upload UDI data, labeling, and periodic safety update reports (PSUR). Sixth, all economic operators must be registered with Eudamed and comply with Regulation 2017/745, or new economic operators will need to be selected. Seventh, quality system procedures will need to be updated to comply with Regulation 2017/745.

The implementation timeline for MDR quality plan

If any of your devices are being reclassified, you will need to implement all of the above changes before the May 26, 2020 transition date. For example, reusable medical instruments are currently Class I medical devices, and manufacturers utilize Annex VII of the MDD as the conformity assessment process. Under EU Regulation 2017/745, these reusable instruments will require notified body involvement to issue a CE Certificate. This is a lot of work to complete in 17 months (i.e., 513 days and counting), and notified bodies will have a large backlog of technical files to review for existing customers before they can review documentation for new customers.

If your company already has CE Certificates for your medical devices, and none of your devices are being reclassified, you will need to implement only the sixth and seventh items listed above before the May 26, 2020 deadline. Uploading information to Eudamed is likely to be extended beyond the May 26, 2020 deadline, and the transition may be staggered by risk classification–just as the US FDA did for UDI implementation in the USA. The second, third, and fourth changes listed above will require compliance before your existing CE Certificate(s) expire. The best-case scenario could be four (4) years after the transition deadline.

MDR Quality Plan – for EU Regulation 2017/745 Compliance Read More »

Nov 27 2018

Alternate 510k Pathway – Safety and Performance Based Pathway

3 Comments / 510(k) / By Robert Packard

Today the FDA released a press release announcing plans to implement an alternate 510k pathway called the “Safety and Performance Based Pathway.”

What is the current 510k pathway for clearance of medical devices?

The current version of the 510k pathway is defined in a guidance document on a substantial equivalence that was released on July 28, 2014. The pathway involves six questions that an FDA reviewer must answer before it can be determined whether a new device is equivalent to an existing device that is legally marketed in the USA. These are the six questions:

Is the predicate device legally marketed?
Do the devices have the same intended use?
Do the devices have the same technological characteristics?
Do different technological characteristics raise different questions of safety and effectiveness?
Are the methods of evaluating new/different characteristics acceptable?
Does the data demonstrate substantial equivalence?

Five (5) ways the FDA strengthened the current 510k pathway

Today the FDA released an 8-page presentation summarizing five (5) ways that the FDA strengthened the current 510k pathway during the past several years. The five ways are:

Increased expectations for the content of a 510k submission
Implementation of the refusal to Accept (RTA) policy
Improved consistency and thoroughness of the 510k review process
Elimination of the 510k pathway for Class III devices
Eliminated the use of > 1,000 unsafe devices as legal predicates

You may have been complaining that 510k requirements seem to change constantly. Now you have proof that the changes to the 510k pathway are part of a strategic plan implemented over the past decade. Lawyers may argue that the resulting regulations go well beyond the intent of the original 510k legislation. This is completely true. The cumulative effect of implementing dozens of 510k guidance documents is that the official interpretation of the 510k section of the Food and Drug Act now has little resemblance to the original legal intent.

The original intent of the 510k legislation was to allow competitors to copy an existing device that is legally marketed in the USA. Cumulative changes to a device that existed in 1976, eventually result in a completely new device. The word “equivalent” has been perverted to such an extent that thousands of devices now exist that do not even remotely resemble devices from 1976. The FDA recognized this around 2007, and the US device regulations began to “strengthen.”

What is the basis for the Alternate 510k Pathway?

The basis for the alternate 510k pathway is the submission of data that is safety and performance-based instead of comparison to an older predicate. In addition, the new pathway will enable you to make comparative claims by demonstrating that the new subject device meets or exceeds the safety and performance criteria. There is also a goal to use the pathway as a potential method of harmonizing the US medical device regulatory process with other global medical device regulations. The new process, combined with improved post-market surveillance, will complement the FDA’s work on NEST by allowing the FDA to rapidly require the implementation of risk controls to address identified safety issues.

What is the expected timeline for the implementation of the Alternate 510k Pathway?

The alternate 510k pathway has been in development for quite some time. Jeff Shuren first announced the plan to create the alternate 510k pathway at AdvaMed’s MedTech conference in San Jose, California, in September 2017. On Monday, December 11, 2017, the FDA announced that draft guidance would be released in Q1 of 2018. On April 12, 2018, the FDA finally released the draft guidance for public comment.

The FDA intends to release final guidance for the new alternate 510k pathway in early 2019. This pathway will initially be limited to “well-understood device types”–probably as a 510k pilot program. You can expect this new pathway to be released in a similar way to the Special 510k expansion pilot and the Quik 510k pilot. That final guidance will be released, and the pilot will begin immediately after the release of the guidance.

Is this new process likely to require significant changes to future 510k submissions?

The phrase “significant changes” is subjective, but if you look at the current 20 required sections of a 510(k) submission, there is only one section that would be required to change for the new alternate 510k pathway. Specifically, section 12 is currently used for a substantial equivalence comparison. This section would not be applicable under the alternate 510k pathway. Under the alternate 510k pathway, you can expect the FDA to require at least a summary of the safety and performance data to be submitted for approval of the subject device.

Another change you can expect is that all devices submitted under the alternate 510k pathway will be required to have a benefit-risk analysis in accordance with the corresponding FDA guidance. This new guidance was released on September 25, 2018, as a draft. However, a benefit-risk analysis is required for De Novo applications, CE Marking applications, and, logically, the FDA will also require this for 510k submissions that do not rely upon equivalence to the predicate device.

More Information on the Medical Device Safety Action Plan

The FDA created a webpage on its site, providing information about the Medical Device Safety Action Plan. The page includes several hyperlinks to documents with more information. Below are a few of the relevant links:

The FDA also indicated that a new guidance for De Novo applications would be released in a couple of weeks. Please subscribe to our blog, and you will receive notification of a blog in response to that guidance when it is released.

Alternate 510k Pathway – Safety and Performance Based Pathway Read More »

Nov 18 2018

Design Plan Template – with Risk Management

1 Comment / Design Control / By Robert Packard

This article defines the requirements for design and risk management planning that were used to create our new design plan template.

Why combine Design and Risk Management Plans into a Design Plan Template?

There are two primary reasons for combining your risk management plan with your design plan. The first reason is to reduce the number of documents you must maintain and control. The second reason is that there are different requirements for risk management during the design process and after the commercial release of a new product. Therefore, you will need one risk management during the design phase, and a second risk management plan after your product is released. You can achieve this by incorporating your risk management plan with your design plan and your post-market surveillance plan. Therefore, you only need to maintain two documents instead of four.

Six requirements for your design plan?

There are no specific design planning requirements in the new European MDR, but the requirements for design planning are specified in ISO 13485:2016, Clause 7.3.2. In the previous version of ISO 13485, the requirement for a design procedure and a design plan were combined into one clause (i.e., Clause 7.3.1). Now, these two requirements have been split into independent clauses. The requirement to manage the interfaces between various groups involved in the design project was removed from the requirements for design planning in the new version of the standard, but three additional requirements were added. The following sub-clauses did not change (although numbering changed):

7.3.2a) document the design and development stages
7.3.2c) document verification, validation and transfer activities required at each stage
7.3.2d) document responsibilities and authorities

The first new requirement in your design plan template

The first new requirement is in Clause 7.3.2b). You are required to document the design reviews required at each stage. This does not mean that a review is required at every stage, but your plan should specify at which stages you will conduct a review. At a minimum, a final design review is required for the commercial release of the device. My recommendation is to have a review at every stage for every project. If your design inputs have not changed from the previous version of the device, then the stage leading up to the approval of design inputs will be very short, and that design review meeting can be 30 minutes or less. If you make changes to your design control procedure in the middle of a project, I recommend that you maintain compliance with the existing procedure until the next design review. The design review gives you an excellent opportunity to document changes to the design procedure, design plan, and any other adjustments to the documentation that may require the completion of a new version of a form.

The second new requirement in your design plan template

The second new requirement is in Clause 7.3.2e). You are required to document methods of traceability between design inputs and outputs. This is a requirement that most companies do poorly. In theory, you can use a spreadsheet to list all the design inputs, and the adjacent column can list the corresponding design outputs. Many companies use an input / output / verification / validation (IOVV) diagram. You can also add the user’s needs to this diagram. The challenge with the method of documentation is that it is labor-intensive to make updates. You must update the references to inputs every time a standard is updated. The outputs must be updated every time a drawing or specification is changed. Every time you update a verification or validation testing report, the diagram must be updated too.

The third new requirement in your design plan template

The third new requirement is in Clause 7.3.2f). You are required to document the resources needed at each stage–including the necessary competence of personnel. In general, companies experiencing difficulties in documenting competency for personnel, but this requires that you document competency for each person on a design project for each stage. My recommendation is to keep it simple. Tables are usually the simplest way to document this type of information. For example, you can use a three-column table: 1) role, 2) responsibility, 3) competency requirements. In general, I recommend that anyone on your design team has training in design controls and risk management. However, training and competency are not equivalent. To demonstrate competency, you must have prior experience documented in that area.

What is required in a Risk Management Plan?

EN ISO 14971:2012 requires a risk management plan in Clause 3.4, but there are some subtle changes needed for compliance with the new draft ISO/DIS 14971. In addition, there are new requirements in Regulation (EU) 2017/745. Specifically, in Essential Requirement 3:

(a) establish and document a risk management plan for each device;
(b) identify and analyze the known and foreseeable hazards associated with each device;
(c) estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse;
(d) eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4;
(e) evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio, and risk acceptability; and
(f) based on the evaluation of the impact of the information referred to in point (e), if necessary, amend control measures in line with the requirements of Section 4.

In our previous blog on changes to the risk management process, we identified nine activities that should be included in your risk management plan:

Hazard identification
Risk estimation
Risk evaluation
Risk control option analysis
Risk control verification of effectiveness
Benefit/Risk analysis
Evaluation of overall residual risk
Risk management review
Production and post-production activities

How to purchase our new Design Plan Template

Medical Device Academy’s new design plan template is an associated form sold with the purchase of either of the following procedures: 1) Design Control Procedure (SYS-008), 2) Risk Management Procedure (SYS-010). You can also learn more about design control requirements by registering for our updated design controls training webinar.

Other Blogs About Design Controls

Medical Device Academy wrote the following blogs on the topic of design controls:

Other Webinars About Design Controls

The following webinars are available on the topic of design controls:

Design Plan Template – with Risk Management Read More »

Oct 22 2018

ISO 14971 Risk Management Updates in ISO/DIS 14971:2018

14 Comments / ISO 14971:2019 (Risk Management) / By Robert Packard

This article describes updates being made to the ISO 14971 Standard in the new draft version released for comment in July 2018.

There are two versions of ISO 14971 that are currently available. The first is the international version: ISO 14971:2007. The second is the European normative version: EN ISO 14971:2012. There is also a new draft being created by the TC210 committee for release in 2019.

Explanation of the different versions of the ISO 14971 standard

In 2000, the first edition of ISO 14971 was released as the international standard for risk management of medical devices. In 2007, the second edition of ISO 14971 was released. When new international standards are released, a European normative version is also released. The “European Norm” or EN version is intended to identify any gaps between the international standard and the requirements of the applicable European directives (i.e., the MDD, AIMD, and the IVDD). These gaps historically were included in the ZA annex at the end of the EN version. However, in 2009 this annex was split into three annexes (i.e., ZA, ZB, and ZC) to address each of the three directives separately. In reality, the 2009 annex only differed concerning the directive referenced. In 2012, a new EN version was released. This new standard included seven deviations, which were controversial. These deviations were intended to identify contradictions between the directives and the international standard, but the interpretations were not agreed with by companies or most of the Notified Bodies. Ultimately, the seven deviations were required to be addressed in the risk management files for any medical device that was CE Marked.

What changed between ISO 14971:2007 and ISO/DIS 14971:2018?

The TC210 working group assigned to update the ISO 14971 standard (JWG1) was tasked with improving guidance for the implementation of ISO 14971. Still, the committee was also tasked with making these improvements without changing the risk management process. Also, the committee was asked to move the informative annexes at the end of ISO 14971 from the standard to the guidance document ISO/TR 24971. Therefore, in July, the committee released a draft for comment and voting. Draft versions are identified with the prefix “ISO/DIS.” The ISO/DIS 14971 standard released in July has only three annexes: A) Rationale for the requirements, B) Risk management process for medical devices, and C) Fundamental risk concepts (formerly Annex E). The other seven annexes were moved to the draft of ISO/TR 24971. The reason stated for moving these Annexes to the guidance document was to make future revisions to the guidance easier to implement because it is a guidance rather than a standard. However, there were also some objectionable recommendations in the informative annexes that were the subject of deviation #3—ALARP from Annex D.8 vs. “As far as possible,” in the first indent of section 2 of Annex I in the MDD.

Although the committee was tasked to make improvements in the implementation of ISO 14971 without changing the process, the new draft has subtle changes in the process. Most of these changes can be identified quickly by reviewing the updated risk management flow chart provided in Figure 1. The updated flow chart now has two places where risks are evaluated. The first place is identical to the original Figure 1, but now the associated section is clarified to be specific to evaluating individual risks. The second place in the flow chart is new and specific to the evaluation of overall residual risks. The draft standard also states that different acceptability criteria and methods of evaluation may be used for each evaluation phase in the process. There have also been subtle changes to the names of process phases:

Section 7.4 is now “Benefit/Risk” analysis instead of “Risk/Benefit” analysis—although the draft flow chart does not reflect this.
Section 9 is now “Risk Management Review” instead of “Risk Management Report”
Section 10 is now “Production and post-production activities” instead of “Production and post-production information”

There is also more detail in the diagram under the phases for 1) risk analysis, 2) risk control, and 3) production and post-production activities.

Three new definitions are introduced in the draft standard: 3.2, benefit; 3.15, reasonably foreseeable misuse; and 3.28, state of the art. The section for identification of hazards, Clause 5.4, was reworded and expanded to consider the reasonably foreseeable sequences or combinations of events that can result in a hazardous situation. The draft standard now states that your risk management plan must also include a method to evaluate the overall residual risk and the criteria for the acceptability of the overall residual risk. In the section for risk estimation, Clause 5.5, the draft standard states that if the probability of the occurrence of harm cannot be estimated, the possible consequences shall be listed for use in the risk evaluation and risk control. The risk control option analysis priorities in section 7.1 are updated to match the new MDR, Regulation (EU) 2017/745, nearly exactly. In section 9, risk management reports were changed to risk management review, and the Clause now requires determining when to conduct subsequent reviews and when to update reports. This emphasizes the requirement to continuously update risk management documentation with input from production and post-production information. This mirrors the emphasis on continually updating post-market clinical follow-up in Regulation (EU) 2017/745, Annex XIV, Part B, Section 5, and continuously updating clinical evaluations in Regulation (EU) 2017/745, Annex XIV, Part A, Section 1.

Will ISO 14971:2019 address the 7 Deviations in EN ISO 14971:2012?

The new MDR, Regulation (EU) 2017/745, revised and clarified the wording of the essential requirements in the MDD. The MDR attempts to explain the requirements for risk management files of CE Marked products, but the MDR remains different from the requirements of ISO 14971. Unfortunately, because the ISO/DIS 14971 was not intended to change the risk management process of ISO 14971:2007, there will continue to be “deviations” between the MDR and standard.

Some people have tried to use ISO/TR 24971, the risk management guidance, as the official interpretation of how the risk management standard. However, the guidance is also a product of the TC210 committee, and it does not meet all requirements of the MDD or the MDR.

The new draft does, however, include changes that address some of the deviations in EN ISO 14971:2012. Below, each of the seven variations is listed, and hyperlinks are provided to other articles on each deviation.

Negligible Risks – The word “negligible” was only in one location in the body of the standard as a note referring to Annex D.8. In the draft, Annex D was removed and relocated to ISO/TR 24971, and the note was eliminated from Clause 3.4—now Clause 4.4 in the draft. The draft should fully resolve this deviation.
Risk Acceptability – Clause 7 was renumbered to Clause 8 in the draft. Still, the title of this Clause was also changed from “Evaluation of overall residual risk acceptability” to “Evaluation of overall residual risk.” However, if you read the Clause it still refers to determining the acceptability of risks. In note 2 of Annex ZA of the draft, it states that determining acceptable risk must comply with Essential Requirements 1, 2, 5, 6, 7, 8, 9, 11, and 12 of the Directive. The draft should fully resolve this deviation.
ALARP vs. “As far as possible” – The European Commission believes that the concept of “ALARP” implies economic considerations, and some companies have used economics as a reason for not implementing certain risk controls. ALARP was eliminated from the notes in the risk management plan clause and by moving Annex D.8 to ISO/TR 24971 and adding note 1 in Annex ZA. The draft should fully resolve this deviation.
Benefit/Risk Analysis – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when a benefit/risk analysis must be conducted, has not been updated. The draft does not resolve this deviation. Companies that CE Mark products will need to perform a benefit/risk analysis for all residual risks and all individual risks—despite the wording of the standard.
Risk Control – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when risk controls must be implemented. The International Standard gives companies the option to avoid the implementation of risk controls if the risk is acceptable. At the same time, the MDD requires that risk controls be implemented for all risks unless the risk controls create additional risks that increase risks, or the risk controls do not reduce risks further. The draft does not resolve this deviation. Companies that CE Mark products will need to implement risk controls for all individual risks—despite the wording of the standard.
Risk Control Options – The intent of Clause 6.2 in ISO 14971:2007 was likely to be the same as the MDD. However, the European Commission identified the missing word “construction” as being significant. Therefore, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. The draft should fully resolve this deviation.
IFU Validation – Again, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. However, the examples of information for safety (i.e., warnings, precautions, and contraindications) were not included. Hopefully, the final version of the 3^rd edition will consist of these examples. Clause 8, evaluation of overall residual risk, was also reworded to state, “the manufacturer shall decide which residual risks to disclose and what information is necessary to include in the accompanying documentation to disclose those residual risks.” The draft should fully resolve this deviation.

Recommendations for your Risk Management Process?

The most important consideration when establishing a risk management process for medical devices is whether you plan to CE Mark products. If you intend to CE Mark products, then you should write a procedure that is compliant with the current requirements of the MDD and future requirements of Regulation (EU) 2017/745. Therefore, the seven deviations should be addressed. Also, you need to maintain compliance with the current version of the standard.

I recommend creating a process based upon the newly updated process diagram in the latest draft. The process should begin with a risk management plan. For your plan, you may want to create a template and maintain it as a controlled document. It could also be part of your design and development plan template, but the plan should include each of the following risk management activities:

Hazard identification
Risk estimation
Risk evaluation
Risk control option analysis
Risk control verification of effectiveness
Benefit/Risk analysis
Evaluation of overall residual risk
Risk management review
Production and post-production activities

Your procedure should also be integrated with other processes, such as 1) design control, 2) post-marketing surveillance, and 3) clinical evaluation. Your procedure must indicate the priority for the implementation of risk control options. The best strategy for ensuring risk control priorities are compliant is to copy the wording of the new EU Regulations verbatim. Your process should include performing benefit/risk analysis. You should also define your process for risk management review. Your review process should specify when subsequent reviews will be done, and when your risk management report will be updated. Finally, you should identify a post-market surveillance plan for each device or device family, and use that post-market surveillance data as feedback in the risk management process.

The one element that appears to be weakly addressed in the body of the standard is the requirement for traceability of each hazard to the other aspects of the risk management process. Although traceability is mentioned in Clause 3.5 of the 2^nd edition, and Clause 4.5 of the draft 3^rd edition of ISO 14971, that is the only place is mentioned in the body of the standard. Traceability is mentioned several more times in Annex A, but the focus seems to be on the risk management file. Companies need more guidance on how to achieve this traceability. The appropriate place for this guidance is probably in ISO/TR 24971. Still, in order to maintain this documentation, a software database will likely be critical to maintaining traceability as changes are made during design iterations and after commercialization. This type of software tool is also needed to expedite the review of risk management documentation during a complaint investigation.

Which Risk Analysis Tool should you use?

In Annex G of ISO 14971:2007 and the EN 2012 version, there are five different risk analysis tools described. The word “described” is emphasized because informative annexes are not “recommended.” The committee that created the 2^nd edition of ISO 14971 wanted to provide several suggestions for possible risk analysis tools to consider. However, each tool has strengths and weaknesses. Additionally, the widespread use of the failure-mode-and-effects analysis (FMEA) tool in the automotive and aerospace industries has spread to the medical device industry, and companies seem to believe that regulators prefer the FMEA tool. This is not true. Companies should be trained in all of these tools, and training should consist of more than just reading Annex G, and the tools should be used where they are most beneficial. My recommendations are below:

Preliminary Hazard Analysis (PHA) – This process is critical during the development of design inputs. It is also the most underutilized analysis tool. I have not seen a single example of this tool written in a procedure by any medical device company. I believe this process should be continuously updated as part of training new design team members and should be both product and project-specific.
Fault-tree Analysis (FTA) – This process is a top-down approach to risk analysis. It is heavily utilized by transportation engineers when intersections are designed, and accidents are investigated. This tool depicts risk analysis pictorial as a tree of fault modes representing each possible root cause for failure. At each level of the tree, fault mode combinations are described with logical operators (i.e., AND, OR). The information displays the frequency of each fault mode quantitatively. Therefore, when you are investigating a complaint, the tree can be used to help identify possible fault modes that may have been the root cause of device failure. You may also be interested in the standard specific to Fault tree analysis (FTA): IEC 61025:2006.
Failure Mode and Effects Analysis (FMEA) – This process is a bottom-up approach to risk analysis. The automotive and aerospace industries heavily utilize it. This tool systematically lists all failure modes in groups organized by component. Risks are estimated based upon the severity of effect, probability of occurrence, and detectability. Over time, the FMEA process split into three tools: 1) process FMEA (pFMEA), 2) design FMEA (dFMEA), and 3) use FMEA (uFMEA). The first is ideal for analyzing and reducing risks associated with the manufacturing of devices. In particular, the detectability factor can be linked closely with process validation. The second evolved from the realization that the detection of a risk after the device is in the user’s hands does not reduce risk. A risk reduction only occurs if detectability is proactive. Therefore, this was stated in Annex G.4, and companies began to eliminate detectability and continued to use FMEA as their primary tool. Due to the widespread familiarity with the FMEA tool, usability FMEAs became popular for documenting risks associated with the use of a device. Unfortunately, the only real advantages of a dFMEA and uFMEA are familiarity with the tool. You may also be interested in the standard specific to FMEA: IEC 60812:2018.
Hazard and Operability Study (HAZOP) – In addition to the risks of using devices, there are also risks associated with the production of devices. Processes related to coating, cleaning, and sterilization are all processes that typically involve hazardous chemicals. The chemical and pharmaceutical industries use HAZAP as a tool to analyze these process risks and prevent injuries. You may also be interested in the standard specific to HAZOP: IEC 61882:2016.
Hazard Analysis and Critical Control Point (HACCP) – This process is primarily used by the food industry to prevent the spread of contaminated food supplies. Even though medical device manufacturers do not typically use it, it should be considered as a tool for managing the supply chain for devices. This model is useful when manufacturing is outsourced, or secondary processing is conducted at second and third-party suppliers. Since many FDA inspectors started in the food industry as inspectors, this is also a method that is supported by the FDA as a risk control process for outsourced processes.

How to document your risks?

For simple devices, risk management documentation is a burdensome task. For complex devices, a spreadsheet could include hundreds of lines or more than even one thousand individual lines. Also, the requirement for traceability requires additional columns in a table. Therefore, it becomes nearly impossible for you to include all the required information on a page that is 11 inches wide. If you expand your page to 17 inches wide, the size of your font will need to be very small. If you make a change, your spreadsheet can be challenging to update quickly. You could purchase a 43” widescreen TV for your monitor, or you can use dual monitors for your display, but changes remain challenging to implement without a mistake.

You need to stop relying upon spreadsheets. Use a database, and don’t use Microsoft Access. Purchase a database that is designed to document design controls and risk management traceability. If your company has software expertise, develop your software tool to do this. You should also design standardized templates for exporting your reports. By doing this, it will only take minutes to create an updated report when you make design changes. If you describe the risk management activities as notes in your software, the description of these activities can also be automatically converted into summary pages for each report summarizing that risk management activity. You can even prompt the user to answer questions in the software to populate a templated document. For example, you can prompt users to input subsequent updates of your risk management reviews, and that can be automatically converted into a summary paragraph. This reporting capability is especially helpful when responding to FDA review questions asking for cybersecurity risks.

Additional Training Resources for ISO 14971

The risk management training webinar has been completely rewritten for the second time (i.e. the first time was on October 19, 2018). The newest version will be a two-part webinar series. Part one of two will focus on Clauses 1 through 7.1 of the ISO 14971:2019 standard. Part two of two will focus on Clauses 7.2 through 10. We selected Clause 7.2 to begin the second part of this webinar series, because it marks the beginning of the verification of the risk controls your company has implemented (i.e. – Post “Design Freeze”). Part 1 will be hosted live on March 29, 2022 @ 9-10:30 am EDT, and Part 2 will be hosted live on April 5, 2022 @ 9-10:30 am EDT. Both sessions will be recorded if you are unable to participate in the live sessions.

SYS-010, Medical Device Academy’s Risk Management Procedure, is compliant with EN ISO 14971:2019. The procedure includes templates for documentation of design risk management and process risk management. The procedure is also compliant with ISO/TR 24971:2020 and Regulation (EU) 2017/745. Both the two-part risk management training webinar, and the risk management procedure, are included in Medical Device Academy’s turnkey quality system.

ISO 14971 Risk Management Updates in ISO/DIS 14971:2018 Read More »

Oct 7 2018

ISO 10993-1-2018 Biocompatibility – What’s new?

Leave a Comment / Biocompatibility / By Robert Packard

The new 5th edition of the biocompatibility standard, ISO 10993-1-2018, was released in August, and this article explains the changes and potential impact.

ISO 10993-1-2018 is the 5th edition of the biocompatibility standard for the evaluation of medical devices. The new version, released in August, replaces the 2009 version of the standard. I was unable to find a European version of this standard, but you can expect one to be made available very soon–probably before you read this article. If your company is CE Marking devices, once the European standard is released, you will be required to perform a gap analysis against the new standard and assess whether retesting is required for your products to remain compliant with CE Marking requirements.

The FDA has not yet added ISO 10993-1-2018 to the recognized standards database. Still, the FDA guidance on the use of ISO 10993-1, released in February 2016, already addressed most of the changes contained in the new 5th edition.

Overview of Changes in ISO 10993-1-2018

The 5th edition includes a foreword that explains the changes from the 4th edition. The 5th edition replaces the 4th edition (i.e., ISO 10993-1-2009), and it incorporates the correction that was made in 2010. The most significant changes from the previous version are:

Table A.1 in Annex A, Evaluation Tests for Consideration, was expanded with the addition of six new columns:
- “physical and/or chemical information”
- “material mediated pyrogenicity”
- “chronic toxicity”
- “carcinogenicity”
- “reproductive/developmental toxicity”
- “degradation”

Instead of tests to be conducted is identified with an “X,” the updated table now identifies endpoints to be considered with “E.” The only column containing an “X” is the column for physical and/or chemical information. This information is identified as a prerequisite for a risk assessment. The new Annex A is now five pages in length.
The 3-pages that were Annex B, “Guidance on the risk management process,” has been completely replaced with 13-pages from ISO TR 15499-2016, “Guidance on the conduct of biological evaluation within a risk management process.”
Twenty-one (21) new definitions for terms were added to the 5th edition–including “3.9 geometry device configuration,” “3.15 nanomaterial,” “3.16 non-contacting,” “3.17 physical and chemical information,” “3.25 toxicological threshold” and “3.26 transitory contact.”
Additional information on the evaluation of non-contacting medical devices and transitory-contacting medical devices was added.
Expansion of the standard to include evaluation of nanomaterials and absorbable materials. This consists of the addition of section B.4.3.3 in Annex B for guidance on pH and osmolality compensation for absorbable materials.
An additional reference to ISO 18562-1, -2, -3 and -4, for “Biocompatibility evaluation of breathing gas pathways in healthcare applications,” was added as well. However, the four standards in the ISO 18562 series should be purchased if you are conducting a biocompatibility evaluation for a device of this type (e.g., respiratory gas humidifiers).

There are also many minor changes in the 5th edition, but Annex C is almost identical to the previous version. The only change I noticed was the addition of “Preference may be given to GLP over non-GLP data” to clause C.2.3.

Correspondence with FDA Guidance on Use of ISO 10993-1-2018

Table A.1 in Annex A is quite similar to Table A.1 in the FDA guidance, and 100% of the columns match except the column for “physical and/or chemical information.” Although the FDA guidance does not have a column in the table indicating that physical and chemical characterization is required as a prerequisite for the risk assessment, it is very clear from the language in the guidance that information about the physical and chemical characteristics of the device “should be provided in sufficient detail for FDA to make an independent assessment during our review and arrive at the same conclusion.” FDA guidance also requires information about the surface properties of the finished device. The FDA included a section specific to “Submicron or Nanotechnology Components,” which is consistent with the ISO 10993-1-2018, where there references throughout the standard to ISO/TR 10993-22, guidance on nanomaterials. The FDA guidance does not, however, include guidance on pH and osmolality compensation for absorbable materials. The FDA guidance also does not include a reference to the ISO 18562 series of standards, but the FDA product classification database was updated in June to include a reference to the ISO 18562 series of standards when they were added to the database of recognized standards.

Correspondence with the European Directive and EU MDR

The 4th edition of the EN version has Table ZA.1 explaining the correlation between the standard and the European Directive. Specifically, Clauses 4, 5, 6 and 7 of the European Standard correspond to Annex I, Essential Requirements 7.1, 7.2 and 7.5 in the MDD. In the new Regulation (EU) 2017/745, these clauses correspond with Annex I, Essential Requirements 10.1, 10.2, and 10.4. Therefore, you should expect the European version of ISO 10993-1-2018 to include a table similar to Table ZA.1, but you should also anticipate that your evaluation of biological risks will need to be updated and additional testing may be required in order to remain compliant for any devices that are CE Marked.

Changes to the biological evaluation process in ISO 10993-1-2018

As in the previous version of the biocompatibility standard, Figure 1 is a decision tree that follows the biological evaluation process outlined in the standard. At first glance, the updated Figure 1 appears to be essentially unchanged. However, even though the updated figure has the same shape and the same number of elements, there are subtle changes. For example, the potential effects of geometry are emphasized in the ISO 10993-1-2018. The more significant change in the process is at the end. Where it used to say, “Testing and/or justification for omitting suggested tests,” the updated figure now includes a reference to Annex A under those words. Where it used to say, “Perform Biological Evaluation,” the updated figure now says, “Perform Toxicological Risk Assessment (Annex B).”

Annex B is where the most visible changes are found in the ISO 10993-1-2018. For example, in the previous version of the biocompatibility standard, there was a reference to creating a prospective biological evaluation plan as part of the risk management plan. In the 5th edition, clause B.2.2 outlines the Biological Evaluation Plan–which is sometimes referred to by its acronym of “BEP” by third-party testing labs.

In addition, clause B.4 provides guidance for biological evaluation. This guidance is directly copied from ISO/TR 10993-22, but it answers the frequently asked question of “how do you perform a biological evaluation.” The necessary steps of the biological evaluation, which have not changed, are:

Material characterization (B.4.1)
Collection of existing data (B.4.2)
Device testing considerations (B.4.3)
Biological safety assessment (B.4.4)

However, the guidance provides details for each step, as well as general guidance on when changes may require a re-evaluation of biological safety, GLPs, and biocompatibility evaluation documentation. In general, the focus of ISO 10993-1-2018 is now on the evaluation of toxicological data in Annex B, rather than passing a few required tests that were previously identified in Table A.1.

Will ISO 10993-1-2018 Require you to Retest for Biocompatibility?

In general, I do not expect that the changes to ISO 10993-1-2018 will require extensive retesting for your company. However, you can expect a significant amount of rewriting of your biological evaluation report to be required. Now you will need to more fully characterize the physical and chemical characteristics of your device, and you will need to provide a more comprehensive biological safety assessment–including an evaluation of toxicological data for each chemical including in the formulation of your device. It’s possible that you may even identify certain chemicals in the material formulation that prevent you from using a material–even though the material may have passed all biocompatibility tests in the past. I will also need to update one of my articles on biocompatibility and a biocompatibility webinar.

ISO 10993-1-2018 Biocompatibility – What’s new? Read More »

Author name: Robert Packard