An auditor quit, and you need some audit scheduling options to complete your audit schedule by the end of the year. Sound familiar?
What will happen if you don’t finish your audit schedule by December 31?
It’s October 14, and there are 78 days left in 2025. You have four supplier audits and three internal audits to complete. Unfortunately, one of the lead auditors on your team just resigned. It will probably take a couple of months to fill the position. Top management wants to know how you are going to complete the audit schedule on time. Before you panic, ask yourself one question: “What will happen if you don’t finish your audit schedule by December 31?”
Opening a CAPA takes time and resources, but top management should never make the situation worse by reprimanding (or firing) someone because of an audit finding. If an employee is not doing their job, the quality system’s monitoring and measurement should identify the problem before the audit. Disciplinary action is not a corrective action. Top Management is responsible for providing the resources to maintain the effectiveness of the quality system. Regardless of why the audit schedule was not completed, the quality system needs to be robust enough to withstand the resignation of a single employee. Top management needs to temporarily reassign the former employee’s responsibilities to other employees and/or seek outside help. It may even be necessary to reschedule some activities, such as audits. Top management needs alternatives, including audit scheduling options, so they can create a transition plan while a replacement is recruited or promoted from within. That transition plan also needs to be documented.
Using a risk-based approach to audit scheduling
Not all audits are equally important. If you have seven audits (i.e., two second-party and three first-party audits) left to complete, first evaluate the importance of each audit and assess the risks of delaying any of them. Any routine audits can be rescheduled. Just update your audit schedule to reflect new dates for the routine audits. Non-routine audits include: 1) supplier qualification, 2) investigation of supplier nonconformities, 3) CAPA effectiveness checks, and 4) investigation of internal processes with quality problems. If your incomplete scheduled audits were non-routine, they should be prioritized. Below is a list of audit scheduling options to consider:
Consider other ways to qualify a new supplier than auditing (e.g., check references, review certifications, rely on a third-party audit report)
Hire a consultant to conduct audits (both first and second party audits)
Consider other ways to verify the effectiveness of a CAPA (e.g., quantitative acceptance criteria in a process validation report or process metrics compared before and after implementation of corrective actions)
Place the product associated with suppliers or processes under quarantine until audits can be conducted.
Conduct remote audits or reduce audit duration to complete them with fewer resources.
There are some fantastic cartoons and jokes about doing more with less, but if you intend to complete seven audits before the end of the year, you might need some help.
Training more auditors can increase your audit scheduling options.
Seventy-eight days might not be enough time to train a new auditor and complete all seven audits, but you can complete lead auditor training, and the newly trained auditor can help. If you are assigning a new auditor to conduct an audit, we recommend assigning them to conduct virtual audits via teleconference recordings (e.g., Zoom). These audits could be supplier audits or internal audits. This would allow an experienced lead auditor to review the recordings after the audit is completed. If the experienced auditor identifies any gaps or audit trails that should have been pursued, they can review the recordings with the auditor-in-training to identify follow-up actions if needed and to help them learn from their mistakes before their next audit. Historically, new lead auditors required a “shadow” to observe them during training. Today, we can use virtual auditing, and the observer’s feedback is actually better.
What if you need more auditors?
As we mentioned above, you can train new lead auditors. However, if you have one or more auditors who are qualified as lead auditors, you can schedule team audits instead. It takes less time to train an audit team member than it does to train a lead auditor. In a team audit, the audit can be completed more quickly. A team audit is an excellent solution for internal audits, because supplier audits usually require a single auditor. Adding a second auditor to a supplier audit would not save significant time, because travel to the supplier is still required. For an internal audit, the audit duration can be reduced from 3 or 4 days to 1.5 or 2 days. It is also possible to conduct partial internal audits that take less than a day.
Consider changing the duration of your audit schedule.
The last quarter of the year is historically hectic for everyone — especially quality assurance auditors. Therefore, we try to avoid scheduling audits near the end of the year. It’s much easier to schedule audits in the first quarter of the year (i.e., January – March). Another audit scheduling option is to create an 18-month schedule rather than a 12-month one. As stated in the YouTube video embedded above, an 18-month audit schedule ensures that several months are remaining in your audit schedule at any time.
Did you consider scheduling remote supplier audits?
If you were only planning on-site supplier audits, considering remote supplier audits expands your audit scheduling options. Remote audits are always permitted for first- and second-party audits, but they are most effective when on-site audits of the supplier have been conducted previously. However, a remote audit is not the same as asking a supplier to complete a survey. ISO 19011:2018 provides guidance on remote auditing in the annexes. For a remote audit, you should still sample the same number of records—if not more. You should conduct interviews by phone, Zoom, or some similar technology. You should analyze any available data to help identify which processes appear to be effective and which need improvement. Suppose you are performing a remote audit for the first time. In that case, I recommend focusing on the same processes you would not generally audit in a conference room, rather than on those you would typically audit where they occur—such as production controls. Regardless of which method you use, you should always request data.
Metrics to consider for your quality auditing process
In parallel with your efforts to catch up on your audit schedule, top management should consider implementing a process metric for “on-time delivery” of audits and audit reports. This is an effective metric for managing an audit program, and it is especially important to monitor it when you have turnover among trained lead auditors. If any auditor or audit report is delivered late, investigate the reasons for the audit being overdue. If the occurrence was preventable, then I recommend initiating additional countermeasures to improve the audit process. This might include opening a CAPA. This will have two effects. First, your third-party auditors will see that you have identified the problem and taken appropriate corrective action(s). If you also discuss this during a Management Review, this information can be used effectively to change the grading of an audit finding to a “minor” or to potentially eliminate the finding altogether. Second, it will ensure that this doesn’t occur again.
This article explains how to prepare a regulatory pathway analysis and an investor pitch deck for a MedTech startup.
Regulatory Pathway Case Study
This article uses two case study examples to explain how to determine the correct regulatory pathway for your medical device through the US FDA. One of the case study examples is bipolar forceps for use with an electrosurgical generator. A picture of the forceps is provided above. The second case study example is resin for repairing dentures. Rather than providing the second example in detail, we provided the information as we would summarize it in an investor pitch deck. You can also download the pitch deck template at the end of the article.
What is the regulatory pathway for your device?
Every consultant likes to answer this type of question with the answer, “It depends.” Well, of course, it depends. If there were only one answer, you could Google that question, and you wouldn’t need to pay a regulatory consultant to answer the question. A more helpful response is to start by asking five qualifying questions:
Does your product meet the definition of a device?
The first question is important because some products are not regulated as medical devices. If your product does not diagnose, treat, or monitor a medical condition, it may not be considered a device. For example, the product might be considered a general wellness product or clinical decision support software. In addition, some products have a systemic mode of action, and these products are typically categorized as a drug rather than a device–even if the product includes a needle and syringe.
The intended purpose of the device directly impacts the product classification and regulatory pathway
The intended purpose of a product is the primary method used by the US FDA to determine how a product is regulated. This also determines which group within the FDA is responsible for reviewing your product’s submission. The US regulations use the term “intended use” of a device, but the decision is based upon the “indications for use,” which are more specific. To understand the difference, we created a video that explains it.
Devices intended for very small patient populations fall into a rare regulatory pathway.
Even regulatory consultants sometimes forget to ask how many people need your product annually, but population size determines the regulatory pathway. Any patient population of less than 8,000 patients annually in the USA is eligible for a humanitarian device exemption, which offers a special regulatory pathway and pricing constraints. If your product is intended for a population of <8,000 people annually, your device could qualify for a humanitarian device exemption, and the market is small enough that there may not be any similar products on the market.
If your device is equivalent to a competitor product, you may be eligible for 510(k) clearance.
If similar products are already on the US market, determining the regulatory pathway is much easier. We can look up the competitor product(s) in the FDA’s registration and listing database. In most cases, you must follow the same pathway your competitors took, and the FDA database will tell us your regulatory pathway.
The FDA divides devices into three risk classifications (i.e., Class 1, 2, and 3)
If all the products on the US market have different indications for use, or the technological characteristics of your product differ from those of other devices, then you need to categorize the risks associated with your product. For low-risk devices, general controls may be adequate. For medium-risk devices, the FDA requires special controls. For the highest-risk devices, the FDA typically requires a clinical study, a panel review of your clinical data, and pre-market approval (PMA).
What is the US FDA regulatory pathway for your device?
The generic term used for regulator authorization is “approval,” but the US FDA reserves this term for Class 3 devices with a Premarket Approval (PMA) submission. The reason for this is that only these submissions include a panel review of clinical data to support the safety and effectiveness of the device. Approval is limited to ~30 devices each year, and approximately 1,000 devices have been approved through the PMA process since 1976, when the US FDA first began regulating medical devices.
Most Class 2 devices are submitted to the FDA as Premarket Notifications or 510k submissions. This process is referred to as “510k clearance,” because clinical data is usually not required with this submission, and there is no panel review of safety and effectiveness data. A 510 (k) was originally planned as a rare pathway that would only be used by devices that are copies of other devices already sold on the market. However, the 510 (k) pathway became the de facto regulatory pathway for 95% or more of devices sold in the USA.
For moderate and high-risk devices that are intended for rare patient populations (i.e., <8,000 patients per year in the USA), the humanitarian device exemption process is the regulatory pathway.
Class 1 devices typically do not require a 510k submission; most of these devices are exempt from design controls, and some are exempt from quality system requirements. These devices still require listing on the FDA registration and listing database; however, there is no FDA review to ensure that you have correctly classified and labeled Class 1 devices.
How do you find a predicate for your 510k submission?
As stated above, one of the most critical questions is, “Is there a similar product already on the market?” For our example of bipolar forceps, the answer is “yes.” There are approximately 169 bipolar forceps that have been 510k cleared by the FDA since 1976. If you are developing new bipolar forceps, you must prepare a 510k submission. The first step of this process is to verify that a 510k submission is the correct pathway and to find a suitable competitor product to use as a “predicate” device. A predicate device is a device that meets each of the following criteria:
it is legally marketing in the USA
it has indications for use that are equivalent to your device
the technological characteristics are equivalent to your device
There are two search strategies we use to verify the product classification of a new device and to find a suitable predicate device. The first strategy is to use the free, public databases provided by the FDA. Ideally, you instantly think of a direct competitor that sells bipolar forceps for electrosurgery in the USA (e.g., Conmed bipolar forceps). You can use the registration and listing database to find a suitable predicate in this situation. First, you type “Conmed” into the database search tool for the name of the company, and then you type “bipolar forceps” in the data search tool for the name of the device.
If you are unaware of any competitor products, you will need to search using the product classification database instead. Unfortunately, this approach will result in no results if you use the terms “bipolar” or “forceps.” Therefore, you will need to be more creative and use the word “electrosurgical,” which describes a broader product classification that encompasses both monopolar and bipolar surgical devices, which come in various sizes and shapes, including bipolar forceps. The correct product classification is seventh out of 31 search results.
The most significant disadvantage of the FDA databases is that they can only be searched separately. The search is also a Boolean-type search rather than using natural language algorithms that we all take for granted. The second strategy is to use a licensed database (e.g., Basil Systems).
Searching these databases is more efficient, and the software will provide additional information that the FDA website does not offer, such as a predicate tree, review time, and models listed under each 510k number are provided below:
What does the predicate tree look like for the predicate device you selected?
How to create an investor pitch deck.
A pitch deck is brief. You want to generate interest and encourage questions from the audience. If the audience specifies a time limit, practice your pitch until you can “hit the post.” For Project MedTech, the target is a 6-minute pitch. Replace the image with your own and be creative with your image cropping. Replace our logo with your own. Replace “Medical Device Academy, Inc.” with your company name. Replace “MedTech Pitch Deck” with the name of the group or person you are pitching.
Management Team
No need to label every slide. It should be obvious that this is your management team. Remember to focus on the relevant background, rather than everything. It’s just a brief summary, and this might be an opportunity to use the morph transition function to zoom in on each photo, name, and title as you say something NOT IN THE SLIDE about each of the people on the team. Consider a little self-deprecating humor (i.e., how each of them compensates for your weaknesses). The presenter does not need to talk about themselves because the quality of the pitch speaks volumes.
Competitor Devices
In general, use very few words. The focus of the presentation should be on the presenter, not reading the slides. After all, you submit a slide deck, but you want the opportunity to pitch investors. Black backgrounds with a few high contrast words is easy to read and won’t detract from the you—the presenter. In this slide, “a story” is highlighted to emphasize an important point and to show you how a dash of yellow draws attention to what’s important. “[Dentures]” should be replaced by the common name for your type of device. Don’t make potential investors think too hard. Your selection of pictures will help demonstrate that you know who your competitors are (i.e., competitive analysis). “We have no competition” is a mistake, because that means the market doesn’t exist yet, or it is too small to attract any competitors.
Subject Device
The ideal picture will immediately explain what makes your device unique and show investors what problem(s) you solved. If you can demonstrate this quickly in a presentation or video, do it. Vocal variety can also be used very effectively here by quietly telling the audience how your product is unique (i.e., it’s a secret). Concluding that secret with a silent 6-second pause is LOUDER than yelling. For example, you could whisper: “Our dentures won’t fall out.”
What stage of development is your device?
We don’t want the history of the universe. We need to know where you are, when you plan to submit to the FDA, and when you expect to start generating revenue. Adding the date of a patent or provisional patent with the document # is a clever way to say that you have a patent without wasting time with the words. The addition of the Q-sub number adds credibility. If you are conducting clinical studies, it is essential to note the cost of these studies, as they can be significant. If you are prepared to identify reimbursement milestones, add them. Resist building this out to two slides if you are a start-up. You should have revenues already if you need two slides.
After providing a timeline with regulatory milestones, investors will expect you to explain the regulatory pathway of your device.
How do you create a regulatory pathway strategy for medical devices?
The best strategy for obtaining 510k clearance is to select a predicate device with the same indications for use that you want and was recently cleared by the FDA. Therefore, you will need to review FDA Form 3881 for each of the potential predicate devices you find for your device. In the case of the bipolar forceps, there are 169 devices to choose from; however, FDA Form 3881 is not available for 100% of those devices, as the FDA database only displays FDA Form 3881 and the 510(k) Summary for devices cleared since 1996. Therefore, you should select a device cleared by the FDA within the past ten years, unless there are no equivalent devices with recent clearance.
Note: The FDA no longer uses FDA Form 3881 in the FDA PreSTAR or eSTAR, but a similar section exists in both submission templates.
In addition to identifying the correct product classification code for your device and selecting a predicate device, you will also need to develop a testing plan for verifying and validating your device. For electrosurgical devices, there is an FDA special controls guidance that defines the testing requirements and the content required for a 510k submission. Once you have developed a testing plan, confirm that the FDA agrees with your regulatory strategy and testing plan in a pre-submission meeting.
What type of 510k submission is required for your device?
There are three types of 510k submissions:
Special 510k – 30-day review target timeline
Abbreviated 510k – 90-day review target timeline (requires summary reports and use of recognized consensus standards)
Traditional 510k – 90-day review target timeline
The special 510k pathway is intended for minor device modifications from the predicate device. However, this pathway is only eligible to your company if your company also submitted the predicate device. Originally, it was only permitted to submit a Special 510k for modifications that required the review of one functional area. However, the FDA recently completed a pilot study evaluating if more than one functional area could be reviewed. The FDA determined that up to three functional areas could be reviewed. However, the FDA determines whether they can complete the review within 30 days or if you need to convert your Special 510k submission to a Traditional submission. Therefore, you should also discuss the submission type with the FDA in a pre-submission meeting if you are unsure whether the device modifications will allow the FDA to complete the review in 30 days.
In 2019, the FDA updated the guidance document for Abbreviated 510k submissions. However, this pathway requires that the manufacturer use recognized consensus standards for the testing, and the manufacturer must provide a summary document for each test report. The theory is that abbreviated reports require less time for the FDA to review than full test reports. However, if you do not provide sufficient information in the summary document, the FDA will place your submission on hold and request additional information. This occurs in nearly 100% of abbreviated 510k submissions. Therefore, there is no clear benefit for manufacturers to take the time to write a summary for each report in the 510k submission. This also explains why less than 2% of submissions were abbreviated submission types in 2022.
The traditional type of 510k is the most common type of 510k submission used by manufacturers, and this is the type we recommend for all new device manufacturers.
What is the regulatory pathway?
You don’t have to explain this. You could say, “This is a Class 2 device in the USA that requires a 510(k) submission. We have already identified a potential predicate, and we expect to submit our 510(k) in February.” If you don’t know the pathway this clearly, you should read our blog: https://medicaldeviceacademy.com/regulatory-pathway/. For most devices, we can answer this question in minutes. There are ~4,000 510(k) submissions each year, ~60 De Novo Submissions, and ~25 new PMAs (not including supplements). HDEs are even more rare. Therefore, if you plan to submit a De Novo application, you should already have a pre-submission or 513(g) classification request from the FDA to support it. Pre-subscriptions are always in the best interest of investors because they reduce the risk of having to repeat testing.
What is the expected FDA review timeline?
The FDA review timeline is variable. The target is 90 days for FDA review, but your submission can be placed on hold for various reasons. Therefore, historical data is the best indicator of the likely review timeline. The median review timeline is most likely. I only use data since 2012, as the RTA process, implemented in 2012, was a significant change to the FDA process. The eSTAR is a change in format, but it has made the process faster and more predictable. Basil Systems is the best tool for estimating the FDA review timeline and performing searches, but it’s only affordable for consultants who do this work daily and for large firms. The denture repair resin had 116 devices, but the example below for biopolar forceps has 2,263.
The two slides above in our MedTech investor pitch deck template are the only ones that specifically address the regulatory pathway. Another advantage of the Basil Systems software is that its database is lightning-fast, whereas the FDA database is a free government database (i.e., not quite as fast). Basil Systems also provides information that is hard to find in other places, such as the model number:
Wouldn’t having the model numbers for every device listed in the US FDA database be helpful?
Fundraising efforts
Keep it simple. You aren’t sharing your CAP table, and if you aren’t confident when asking for money, nobody will give it to you.
Use of funds
You need to explain where 80% of your money is going (not 100%). This is intended for potential investors, not an annual shareholder meeting or board meeting. You can always offer to answer more detailed questions after the presentation. To pay your salary is a horrible reason for using funds (suck it up and eat ramen), and to cover cash flow is the second-worst use of investor funds (that’s what loans are for). Sales, marketing, and developing sales channels are a good use of funds, but you have to be experienced in do this and have a specific plan you are prepared to defend. You also need to know who your potential suppliers will be, or you will not be prepared for fundraising. You need to have quotes in hand and be ready to spend that money.
Business model
Most companies present a 5-year P&L Projection in graph form, and they all look the same: “A Hockey Stick.” Nobody can accurately predict a P&L summary before they have a product that is ready to sell. Therefore, if you are raising Round A, please describe your business model in simple terms (i.e., cost of goods sold and pricing model). For market size, don’t tell us you have a billion-dollar market. Instead, be specific about number of customers and how many devices they use per year. That will make it REAL. For the market share %, you need to do better than…”if we just capture 1% of the market,” and 10% is not a conservative market share for a start-up. 1-10 units is conservative.
Contact us
Make it easy for people to contact you. You might not have your own YouTube channel, but you should have everything else on this page. No excuses!
Click on the button below for a copy of Medical Device Academy’s investor pitch deck template.
This blog describes best practices for communicating audit findings during an audit, in the closing meeting, and in the audit report.
Would you like to be surprised by an auditor with a major nonconformity? Of course not! Nobody likes that kind of surprise. However, do you know how to effectively communicate your audit findings during the audit, in the closing meeting, and in your audit report?
Audit findings should be communicated at the time the objective evidence is gathered, and it should be clearly stated whether you think the finding is a nonconformity or an opportunity for improvement. Give the auditee an opportunity to correct you.
Audit Finding Example
If you are auditing the process for creating a medical device file, and you are unable to find evidence of product specifications (i.e., ISO 13485:2016, Clause 4.2.3b), then you should restate the requirement and explain why this is a nonconformity. It may be a nonconformity because that requirement is not included in the procedure or index for your medical device file. It may be a nonconformity because the product specification is obsolete and needs to be updated. It may be a nonconformity because you were unable to find the product specification anywhere in the device master record (DMR) index or technical file index. You might also be surprised to learn that product specifications are included in the product user manual, but the process owner forgot that because they were very nervous. The morning after the audit, the process owner may be prepared to show you exactly what you were looking for, including procedural requirements and training.
How do you respond when findings are resolved
Some auditors are irritated when they spend time following the audit trail, and after they have taken the time to write a nonconformity, the auditee finally produces the evidence requested. Some auditors say, “It’s too late. You were unable to provide the record when it was requested.” That’s not a value-added finding. The right approach is to say, “Excellent! Now we don’t need to issue a nonconformity or investigate the root cause for a missing product specification.” You might also add, “As a follow-up to this audit, consider ways you can make the product specifications and other required technical documentation easier to find during an audit.” If a similar scenario is repeated during the audit, you might consider writing an OFI beginning with the word “Consider.” However, be careful of suggesting solutions. Medical Device Academy adds cross-references to requirements in each procedure, but that is time-consuming and not required.
How to grade an audit finding
In our example above, if evidence of the product specification was not found, that would be a nonconformity. If several other requirements in the medical device file were not available, it would still be a nonconformity. Some people would grade a single lapse as a “minor,” but if multiple requirements are missing they would grade the finding as a “major.” This is not enough to deserve the grading of a “major” but grading subjectivity is difficult to avoid. The specification might exist, but it was accidentally omitted from the file. The specification might not be documented for the file sampled, but it may be easily identified for other product files. The specification might only be missing, because a new employee forgot it and the file was not thoroughly reviewed yet. Therefore, the auditor should consider the missing element an “audit trail.” They should review previous audit reports for similar nonconformities, sample additional requirements, sample other files, and review training records before determining the grading.
Why do the GHTF and MDSAP guidance documents use quantitative grades?
In 2012, the Global Harmonization Task Force (GHTF) published a guidance document for grading auditing findings. That guidance proposed a quantitative scoring system with a range of 1-5. Initially, I thought this system was overly complicated. Later, the Medical Device Single Audit Program (MDSAP) adopted the same quantitative scoring system. Since many of our clients adopted MDSAP, we had to learn the MDSAP audit approach and we had to learn how to grade audit findings quantitatively. After using the new system, I realized that the quantitative approach was faster because the objective grading reduced the time required to make a decision on the grade of the finding.
Direct and indirect impact on product safety and performance
Experienced auditors have most of ISO 13485 memorized, and they usually know which requirements are included in Clauses 4.1-6.3, and which requirements are found later in the standard. Therefore, identifying whether the finding is “direct” or “indirect” is easy. Clauses 4.1-6.3 are indirect clauses, with the exception of 4.2.3 which is direct. There is also one exception to the direct clauses; Clause 8.2.4 is the only clause within Clauses 6.4-8.5.3 that is indirect. It would be easy to persuade someone that there should be additional exceptions, but it would just make the process slower and subjective. Using the clause number for each requirement to determine the initial scoring makes the process faster and more reliable.
When do escalation rules apply?
There are three escalation rules to consider when grading a nonconformity in the GHTF or MDSAP audit approach. The image below is included in our CAPA form to help remind people of the scoring. The first rule is specific to a repeat nonconformity in the past three (3) years. The second escalation rule is controversial because many people believe the absence of a procedure or records should be sufficient by itself to escalate a finding. However, it’s just a grade, and if the finding is escalated, we want there to be no doubt that the process is not able to meet the requirements. The final escalation rule is the most serious because shipping nonconforming products requires implementation of a recall or field service corrective action (FSCA). Medical Device Academy applies these same three escalation rules when deciding whether a finding is a “major” if a client does not use the MDSAP audit scoring system. This ensures that our grading is objective and it is based on international guidance. We use this same scoring system for internal auditing, supplier auditing, and CAPAs.
Audit findings must include more than nonconformities
In the paragraphs above, we discussed the grading of nonconformities; however, reporting audit findings involves more than just grading nonconformities. ISO 19011:2011 is the official guidance document for auditors of Quality Management Systems, and ISO 13485 is the quality system standard for medical device manufacturers. Section 6.4.2 of this Standard explains best practices for an opening meeting.
Method of reporting audit findings, including grading, if any
Conditions under which the audit may be terminated
Time and place of the closing meeting
How to deal with possible findings during the audit
System for feedback from the auditee on findings or conclusions of the audit
Process for complaints and appeals
The opening meeting is the ideal opportunity to outline how you and your team will present audit findings and to clarify that you will discuss both the strengths and weaknesses of the quality system verbally in the closing meeting and in the audit report. If the auditee is new to auditing, you might even explain the three-part structure of how nonconformities are written.
Conditions for Termination
The option to terminate an audit is typically reserved for a certification audit where multiple major nonconformities are identified, and there is no point in continuing. Termination is highly discouraged because it is better to be aware of all minor and major nonconformities immediately, rather than waiting until the certification audit is rescheduled. The certification body will charge you for their time anyway.
Another reason for termination is when an auditor acts unreasonably or inappropriately. This is rare, but it happens. If the audit is terminated, you should communicate this to upper management at both the certification body and the company, regardless of which side of the table you sit on. For FDA inspections, this is not an option. For audits performed by Notified Bodies, there is the possibility of suspension of a certificate in response to audit termination. Therefore, I always recommend appealing after the fact, instead of termination. Appealing also works for FDA inspections.
Closing Meeting
The closing meeting should be conducted as scheduled, and the time/location should be communicated to upper management in the audit agenda and during the opening meeting. Top management won’t be happy about nonconformities, but failure to communicate when the closing meeting will be conducted will irritate them further. You should also ensure that a teleconference invitation is set up in advance for the closing meeting, allowing top management to participate remotely if necessary.
At the closing meeting, the auditee should never be taken by surprise. If an issue remains unfulfilled at the closing meeting, the auditee should expect a minor nonconformity—unless the issue warrants a major nonconformity. Since a minor nonconformity can result from a single lapse in fulfilling a requirement, it is challenging for an auditee to argue that an issue does not warrant a minor nonconformity. Typically, the argument is that you are not consistent with other auditors. The most common response to that issue is, “Audits are just a sample, and previous auditors may not have seen the same objective evidence.” The more likely scenario, however, is that the previous auditor interprets the requirements, rather than reviewing them with the client and ensuring both parties agree before a finding is issued.
If a finding is major, the auditee should have very few questions. Additionally, I often find that the reason for a major nonconformity is a lack of management commitment to address the root cause of the problem. Issuing a major nonconformity is sometimes necessary to get management’s attention.
Regardless of the grading, all audit findings will require a corrective action plan—even an FDA warning letter requires a CAPA plan. Therefore, a major nonconformity is not a disaster. You just need to create a more urgent plan for action.
How to deal with audit findings
All guides and auditees should be informed of potential findings at the time an issue is identified. This is important so that an auditee has the opportunity to clarify the evidence being presented. Often, nonconformities result from miscommunication between the auditor and the auditee. This often occurs when the auditor lacks a thorough understanding of the process being audited. It is a tremendous waste of time for both sides when this occurs. If there is an actual nonconformity, it is also important to gather as much objective evidence as possible for the auditor to write a thorough finding and for the auditee to prepare an appropriate corrective action plan in response to the discovery.
Feedback from the Auditee
As an auditor, I encourage auditees to provide honest feedback directly to me and to management, so that I can continue to improve. If you are providing feedback about an internal auditor or a supplier auditor, you should always give feedback directly to the person before going to their superior. You are both likely to work together in the future, and you should give the person every opportunity to hear the feedback firsthand.
When providing feedback from a third-party certification audit, you should know that there will be no negative repercussions against your company if you complain directly to the certification body. At most, the certification body will assign a new auditor for future audits and investigate the need for taking action against the auditor. In all likelihood, any action taken will be “retraining.” I never fired somebody for a single incident—unless they broke the law or did something unsafe. The key to providing feedback, however, is to be objective. Give specific examples in your complaint, and avoid personal feelings and opinions.
Complaints and appeals of audit findings
As an auditor, one of the most important (and difficult) things to learn is how to issue a nonconformity—especially a major. This is typically done at the closing meeting of an audit; however, the closing meeting is not where the process of issuing the nonconformity begins. Issuing a nonconformity starts in the opening meeting.
As the auditee, you should ask for the contact information of the certification body during the opening meeting. Ask with a smile—just in case you disagree, and so you can provide feedback (which might be positive). As the auditor, you should always provide the certification body’s contact information (if they are a third-party auditor). If you are conducting a supplier audit or an internal audit, you probably know the auditor’s boss, and there is perhaps no formal complaint or appeals process. In the case of a supplier audit, the customer is always right—even when they are wrong.
Additional Auditor Training
If you would like to learn more about auditing methods and best practices, consider registering for our Lead Auditor Training Course.
Watch a series of videos (shorts) with Rob Packard getting a turtle diagram tattoo on his arm in Atlantic City at Boardwalk Ink.
Tattoo timing and preparation
Boardwalk Ink was busy on Saturday when Tifany was getting her tattoo, but on Sunday, there were very few customers. The end of September is the beginning of the “off-season” for Atlantic City, and most of the boardwalk was closed on Monday. Therefore, Sunday afternoon turned out to be the ideal time for a tattoo. We started around 2:30 p.m., when the previous tattoo was completed. So I had plenty of time to sleep in, have breakfast, and drink an iced caramel coffee at Rita’s. We expected the session to last about 3 hours, and the timing worked out perfectly to go out for dinner once the tattoo was completed.
Selecting a tattoo artist
There are other tattoo parlors in Atlantic City, and the artists at Boardwalk Ink are not the only ones. In this case, I watched Tifany get her tattoo of a seagull. Jordan was very fast, her tattoo came out great, and she had no complaints. You should always watch the tattoo artist at work if you are trying to select a new artist, but it really helps to know the person they are tattooing. Just in case you were wondering, there are applicable regulations, and an agreement was signed.
Taking a break…
Jordan and I both needed to take breaks because our muscles were starting to cramp. The bright blue ink is from the stencil that Jordan used. As he created outlines, he was adding ink over the stencils. The stencil can be removed with rubbing alcohol.
The outlining of the text of the turtle diagram tattoo is complete.
The longest part of the process was the outlining of the lettering and the turtle. Once that was completed, the turtle was filled in with color, and the letters were highlighted to provide some depth.
The turtle diagram tattoo is done.
Jordan (@brutalnoodles) finished the tattoo around 6:00 p.m. ET. The arm was wrapped to keep it clean, and the wrap came off on Wednesday morning. It looks great and healed beautifully.
Proper video of the final turtle diagram tattoo
Always ask the tattoo artist to do a video of the tattoo when you are done. They do this all the time, and Jordan did an awesome job on the slow-motion video close-up. I’m not able to get the exact angle of shots on my own arm.
Was it worth the pain and permanent image on my arm?
Absolutely. We have been in love with the image of this particular turtle for several years, and we wanted to incorporate it into our turtle diagrams. The resulting image was exactly what we wanted, and we have already used it in several training materials we are creating for our lead auditor course that is launching in December. I expect this turtle diagram will be used hundreds of times over the years, and I have no reason to regret getting it tattooed (it’s my fourth).
Regarding the pain, Jordan did a great job of minimizing it. My fingers falling asleep and tingling was the most painful part, but getting tattooed generally seems to bother me less than most people. In fact, I fell asleep during one tattoo session at the Philadelphia Convention Center.
Learn how to apply the process approach when auditing design controls and discover how audit checklists fail to identify problems.
Examples of auditing design controls with an audit checklist:
Audit checklists list each requirement in a standard or regulation. When auditing design controls, an audit checklist lists each of the ten subsections of the ISO 13485:2016 standard. For example, here are potential audit checklist questions for the first three subsections:
Clause 7.3.1 – Which procedure(s) defines your design control process?
Clause 7.3.2 – What is the design plan for your new product? When was the plan last updated?
a) What are the phases of your project plan?
b) In which phases are design reviews planned?
c) In which project phases are verification, validation, and design transfer activities performed?
d) Who is responsible for approval of design changes during the project? Who is responsible for updating the design plan as the project progresses?
e) How do you demonstrate traceability between hazards, design inputs, design outputs, and testing requirements?
f) What equipment and software do you use? What are the training requirements for your design team?
Clause 7.3.3 – How do you document design inputs? When were the design inputs reviewed and approved?
a) What are the performance requirements? What are the safety requirements? What are the usability requirements?
b) What are the applicable regulatory requirements and standards?
c) Which hazards have you identified?
d) Which design requirements were transferred from a previous design of your device?
e) How do you ensure that essential principles of safety and performance are met?
How can you improve the first question on the checklist?
The problem with the above questions is that they do not evaluate linkages with other processes. For example, when you ask what procedure(s) defines the design control process (e.g., SYS-008, Design Control Procedure and SYS-006, Change Control Procedure), you can also ask the revision of that procedure(s). The record associated with that document change can be used to evaluate the effectiveness of the document control process. For example, were all the job functions that reviewed and approved the previous version of the procedure represented during the review and approval of the current revision? The procedure itself can also be reviewed to make sure that it includes the appropriate elements for a procedure (e.g., scope, references, roles/responsibilities, description of the process, revision history, etc.). This approach to verifying the effectiveness of the document control process can be applied to every procedure within every process.
What are the problems with using an audit checklist?
An audit checklist is always based on the same regulation or standard. Therefore, when establishing a quality system, using an audit checklist is ideal preparation for the initial certification audit. However, if internal auditors ask the same questions during every audit, then auditees begin to anticipate the questions. Anything not included in the audit checklist may be overlooked. For example, when auditing design controls, there are no requirements for supplier controls mentioned in Clause 7.3. Therefore, an audit checklist will not include any questions about the qualification of suppliers that support design and development (e.g., software developers), as those requirements are already addressed in Clause 7.4.2 (i.e., purchasing information).
Another problem with using audit checklists is that auditors may rely too heavily on the checklist as a crutch. Auditors are supposed to plan the audit agenda based on the importance of areas and the results of previous audits. If the auditor relies solely on the checklist, each clause is assigned equal importance — regardless of its importance or the results of previous audits. Auditors also need to verify compliance with all applicable standards. Creating a checklist for risk management (i.e., ISO 14971), software lifecycle management (i.e., IEC 62304), usability engineering (i.e., IEC 62366), and information technology security management (i.e., ISO 27001) would be extremely time-consuming, and auditors would not be able to complete all of the checklist questions. Auditors require a more efficient method to assess the effectiveness of a process and verify compliance with requirements.
Basics of the process approach to auditing
The process approach to auditing is different. Instead of creating a checklist that is specific to the requirements for each process in the standard, the process approach relies on asking seven basic questions and then following the audit trails presented by the answers to those questions. The tool we use to help us remember the seven questions is a “turtle diagram.” The shape of the turtle has seven elements:
body (description of the processes)
head (inputs to the process)
tail (outputs from the process)
leg #1 (what equipment and software is required)
leg #2 (who performs the process)
leg #3 (what procedures and forms are used in the process)
leg #4 (which metrics are used to monitor the process)
The diagram below uses the image of a turtle to remind you of the seven elements, but we added the subclauses from ISO 13485 that are related to auditing design controls. A brief summary of how these subclauses are related is provided in the video above; more details on each part of the turtle diagram are provided below, specifically for design controls.
Step 1 – Describe the process
The first step in creating a process audit is to identify the process owner and conduct an interview with them. We recommend doing this in their office, not in the conference room, for three reasons:
Auditor effectiveness will improve if you periodically get up and walk around, because it will make you more alert.
Conference rooms isolate auditors from daily operations, and the auditor may not gain an appreciation for where people perform their work or the proximity of the design team leader to the rest of the team.
Auditees will be more relaxed in their office when being interviewed than they would be in a conference room.
After the process owner provides a brief description of the process, try to get answers to steps 2-7 directly from them in the same interview. Asking open-ended questions to prevent “yes/no” responses will be helpful. You also need a comprehensive understanding of the design control process before interviewing other team members or requesting design records.
Step 2 – Inputs
Even when auditors use the process approach to auditing, this part of the turtle diagram is frequently incomplete when auditing design controls. The obvious answer is to review the auditee’s approval of design inputs. This is a required record for design controls in Clause 7.3.3; however, it is not the only process input for design controls. As stated in Clause 7.3.3, “These inputs shall include…c) applicable output(s) of risk management.” Additionally, Clause 8.2.1 states, “The information gathered in the feedback process shall serve as potential input into risk management for monitoring and maintaining the product requirements as well as the product realization or improvement processes.” Therefore, both risk management and post-market feedback should be included as inputs to the design process. Using the process approach when auditing design controls will show you if the interactions between the risk management process, post-market surveillance process, and the design control process are adequate. Other inputs that should be considered for the design control process include regulatory requirements, such as:
Common Specifications (EU)
General Safety & Performance Requirements
Applicable Safety and Performance Standards
Applicable FDA Guidance
Step 3 – Outputs
Most auditors do an excellent job of covering the process outputs when auditing design controls (or any process), as the outputs typically include records, and auditors document which records they reviewed in their audit report. For the design controls process, the Design History File (DHF) (i.e., Clause 7.3.10) is the primary record sampled, and the Device Master Record (DMR) is the second most commonly sampled record. With the changes to the FDA requirements for the QMSR, auditors will be looking for a Medical Device File (i.e., Clause 4.2.3) instead; however, the records should remain the same, with just a new name. If the device is CE marked, there should also be a technical file or a technical file index.
Step 4 – What Resources
A critical part of auditing is to verify that a process is not only documented but also implemented. To implement any process, equipment, or software will likely be necessary. For the implementation of design controls, most companies utilize quality system software to manage documents and records for each design project. For example, Grand Avenue Software could be used for managing the medical device file (i.e., Clause 4.2.3), and AdaptivRisk may be used for managing the risk management file. There may also be some calibrated testing equipment that requires validation, calibration, and maintenance. Therefore, this step in the turtle diagram usually involves the following ISO 13485 clauses:
Clause 7.5.6 – process validation
Clause 6.3 – infrastructure (i.e., maintenance)
Clause 7.6 – monitoring of measurement equipment (i.e., calibration)
This is typically the step of a process audit where the auditor needs to identify “what resources” are used in the process. However, only companies that have software systems for design controls have resources dedicated to Design and Development. I have indicated this in the “Turtle Diagram” presented above.
Step 5 – Who
The next step in the process approach to auditing design controls is to identify who is assigned to the design team for a design project. Sometimes companies assign large teams. In this case, the auditor should focus on the team members who must review and approve design inputs (see Clause 7.3.2) and design outputs (see Clause 7.3.4). All team members should have training records (i.e., Clause 6.2) for Design Control procedures and Risk Management procedures. However, if the device includes software and internet connectivity, some members of the design team will require additional training on specific standards and protocols. It is also necessary to outsource processes that cannot be performed by the manufacturer, such as software development, cybersecurity testing, biocompatibility testing, and EMC testing. For these outsourced processes, the company must document the supplier’s qualification and establish a written agreement with that supplier (i.e., Clause 7.4.2). Examples of agreements could be a supplier quality agreement, a consulting contract, or a signed GLP testing protocol.
Step 6 – Standard Operating Procedures (SOPs) or “How done”
Auditors using the process approach to auditing often discover ineffective processes when they expand the scope of design controls beyond the scope of the design control procedure. The design team leader will identify the design control procedure(s) and forms. However, the auditor should also request copies of the risk management procedure and other related procedures. The other procedures may have different process owners, and the design team leader may not be adequately trained in those procedures. The auditor should not read and review these procedures. Auditors never have the time to do this. Instead, ask the process owner to identify specific procedures or clauses within procedures where clauses in the ISO Standard are addressed. If the process owner knows exactly where to find what you are looking for, they’re training was effective, or they may have written the procedure(s). If the process owner has trouble locating the clauses you are requesting, spend more time sampling training records. You may also want to ask if there is another person who is more familiar with the procedure. This step of the process approach is also when you should be sampling records of document control (i.e., Clause 4.2.4).
Step 7 – Metrics
The seventh step of the turtle diagram is typically where the auditor discovers the most value-added findings. The auditor will ask the process owner to identify some metrics (i.e., Clause 8.2.5) or quality objectives (i.e., Clause 5.4.1) they are using to monitor and improve the design and development process. This is a struggle for many process owners — not just the design team leader. If any metrics are not performing up to expectations, there should be evidence of actions being taken to address this. If the process owner is not tracking metrics, you may want to review how closely the actual project schedule aligns with the design project plan. Design projects are frequently delayed because the design team either does not request quotes early enough or does not involve the supply chain manager soon enough, or both. There is also considerable benefit derived from conducting retrospective reviews at the end of design phases and at the project’s conclusion. The team will identify changes in time estimates that should be considered for future design projects or other ongoing projects.
Supplementary questions for auditing design controls
After all seven steps of the turtle diagram are complete, the process audit is not yet complete. The auditor needs to sample records and follow audit trails to ensure thoroughness. Therefore, additional records need to be sampled. We recommend sampling design changes because this is where inspectors and third-party auditors will typically focus. These external auditors will be looking for design changes that need regulatory approval and may not have been submitted for market authorization. The auditor may also sample using a risk-based approach when sampling design changes. In particular, we recommend looking for the following types of changes: 1) vendor change, 2) specification change, and 3) process change. By doing this, the audit will also cover the following clauses in ISO 13485:2016: 7.4 (purchasing), 7.3.9 (design changes), 7.5.6 (process validation), 7.1 (risk management), and 4.2.5 (control of records). If you would like to learn more about design changes, please watch our Design Changes Webinar.
Record sampling for auditing design controls
FDA inspectors and third-party auditors have similar approaches to auditing design controls. Both will begin by reviewing your procedure to verify that it includes all of the required elements of ISO 13485:2016, Clause 7.3. Next, they will sample a recent design project that was completed and request a copy of the design history file (DHF). Many design projects are behind schedule, and therefore, this is an important metric for most companies. Now that you have completed your “Turtle Diagram,” if you have more time, you can conduct interviews with team members to review their roles in the design process. You could also sample-specific Technical Files, as I indicated above. If you are performing a thorough internal audit, I recommend doing both. To learn more about using the process approach to auditing, you can register for our webinar on the topic.
The process approach to auditing is demonstrated using Turtle Diagrams as a tool instead of using traditional auditor checklists.
ISO 9001 Quality System Principles
ISO 9001 is the general quality system standard that was created in 1994. The ISO 9001 standard forms the basis for all other international quality system standards–including ISO 13485. There are seven quality system principles that form the basis of ISO 9001:
Customer Focus
Leadership
Engagement of People
Process Approach
Improvement
Evidence-based Decision Making
Relationship Management
Is there more than one method of auditing?
There are several different approaches to conducting an audit:
Regulatory checklist
Procedural approach
Element approach
Contract audit
Product audit
Process approach
Each of these approaches to auditing is a valid approach. However, each approach has benefits and disadvantages. Therefore, an audit program manager should be knowledgeable of each approach when they are making recommendations to top management with regard to the audit program schedule.
Regulatory Checklist
The most common method of auditing is to use a regulatory checklist. This is the approach used by certification bodies for the Medical Device Single Audit Program (MDSAP). For each regulatory requirement or standard, there is a row in a checklist. This approach is also known as the element approach, because each clause or section of the applicable requirement constitutes an “element.” The requirements are in the left column, and the requirement is usually referenced (e.g., clause number). The subsequent columns of the checklist are intended to document which documents and records the auditor reviewed. The last column of the checklist is where the auditor documents what they looked for in those documents and records.
Each audit checklist is based on a standard or regulation. Therefore, if there are multiple applicable standards and regulations, multiple checklists would be needed to use this approach exclusively. The biggest disadvantage of this approach is that auditors use the checklist as a crutch and will ask only the questions on the checklist. The greatest benefit of this approach is that auditors can verify that all the requirements of a standard or regulation have been met. This is generally the best approach for internal auditing just prior to an initial certification audit (i.e., Stage 1 and Stage 2).
Procedural approach to auditing
The procedural approach to auditing is similar to the element approach. However, a checklist does not need to be created in advance, and for supplier audits, it is not practical to invest the time in creating a checklist for a supplier’s procedures. In the procedural approach, the auditor reviews the procedure and identifies important elements of the procedure to verify are being performed. Often, this is achieved by making a copy of the procedure and highlighting requirements in the procedure to verify.
A contract audit is also similar to a procedural audit, but instead of using a procedure as the basis for the requirements, a supplier contract is used instead. If the supplier contract includes a quality agreement with all of the quality system and regulatory requirements defined, this approach may duplicate all requirements of a regulatory checklist. The biggest disadvantage of this approach is that it is unable to identify failures in the interactions between processes. This approach is ideal as an audit of a new or revised procedure, but the auditor may need to supplement this approach with the process approach to identify gaps in those interactions.
What is a product audit?
Product auditing involves auditing everything associated with a single product or product family. This is typically done when a new product is being launched, and the medical device manufacturer wants to audit manufacturing processes prior to launch (or a supplier if the manufacturing is outsourced). The auditor may review anything in the device master record (DMR – 21 CFR 820.181 in FDA QSR) or medical device file (MDF – ISO 13485:2016, Clause 4.2.3).
Product audits are also the approach used for unannounced audits. Unannounced auditors verify that the devices being manufactured and inspected match the drawings and specifications in the technical documentation that is approved for CE Marking. This verification includes inspection and testing methods for product release. Certification body auditors and FDA inspectors are both trained to focus on design changes, inspection methods, and especially the final test of devices prior to release. This focus is a risk-based approach where auditors sample the most important processes. If you are conducting a product audit, we recommend mirroring this approach.
What is the process approach to auditing?
The process approach is just a different way of organizing audits. Instead of auditing by clause, procedure, or product, you audit each process. Typical processes include:
The process approach to auditing is preferred over all other methods for two reasons. First, the process approach identifies linkages between processes as inputs and outputs. Therefore, if there is a problem with communication between departments, the process approach will expose it. If only a procedural audit is performed, the lack of communication to the next process is often overlooked.
Second, the process approach is a more efficient way to cover all the clauses of a standard than auditing each clause individually (i.e., the element approach). My rationale for the claim of greater efficiency is simple. There are 34 required procedures in the ISO 13485 Standard, but there are only 12 processes identified above. The “missing” procedures are incorporated into each process audit.
For example, each process audit requires a review of both the records as input and the outputs. In a process audit, training records can be sampled for each employee interviewed during the audit as part of an audit trail. Finally, nonconforming materials can be identified and sampled at incoming inspection, in assembly processes, during final inspection, during packaging, and even during shipment. The tool we use to teach the process approach is the “Turtle Diagram.” The diagram below illustrates the origin of the name.
Interviewing with the Process Approach
The first skill to teach a new auditor is how to interview. Each process approach audit should begin with interviewing the process owner. The process owner and the name of the process are typically documented in the center of the turtle diagram. Next, most auditors will ask, “Do you have a procedure for ‘x process’?” This is a weak auditing technique because it is “closed-ended” or yes/no. Closed-ended questions do little to gather objective evidence. Instead, start your interview with this simple request: “Please describe the process?” A process description gives you a general overview of the process if you are unfamiliar with it.
After receiving a general overview, try asking this question: “How do you know howto start the process?” Inspectors know that there is material for incoming inspection because raw materials are in the quarantine area. Companies use visual systems, electronic materials requisition and planning (MRP) systems, and paper-based systems to notify QC inspectors that the product is ready to be inspected. As an auditor, you are looking for a record to trigger the inspection process. A follow-up question is, “What are the outputs of the inspection process?” Once again, auditors need documents and records to review. Sampling inspection records and any associated records (e.g., certificates of analysis) are records the auditor samples to verify the effectiveness of the inspection process (i.e., Clause 7.4.3) and the process for control of records (i.e., Clause 4.2.4). The process approach allows the auditor to verify compliance with two clauses simultaneously.
The next step of the process approach is to “determine what resources are used by incoming inspection.” This includes gauges used for measurement, cleanliness of the work environment, etc. This portion of the process approach is where an auditor can review calibration, gowning procedures, and software validation. After “With What Resources,” the auditor then needs to identify all the incoming inspectors on all shifts. From this list, the auditor should select people to interview and follow up with a request for training records.
The sixth step is to request procedures and forms. Many auditors believe that they need to read the procedure. However, if a company has long procedures, this could potentially waste valuable time. Instead, you can ask the inspector to show you where to find various regulatory requirements in the procedures. This approach has the added benefit of forcing the inspector to demonstrate they are trained in the procedures—a more effective assessment of competency than reviewing a training record.
Challenging Process Owners
The seventh and final step of the turtle diagram seems to challenge process owners the most. This is where the auditor should review department quality objectives and assess if the department objectives are linked with company quality objectives. Manufacturing often measures first pass yield and reject rates, but every process can be measured. If the process owner doesn’t measure performance, how does the process owner know that all the required work is getting done? The seventh step is also where the auditor can sample and review the monitoring and measurement of processes, and the trend analysis can be verified to be input into the CAPA process.
In my brief description of the process approach, I used the incoming inspection process. I typically choose this process for training new auditors because it is a process that is quite similar in almost every company, and it is easy to understand. More importantly, however, the incoming inspection process does an effective job of covering more clauses of the Standard than most audits. Therefore, new auditors get an appreciation for how almost all the clauses can be addressed in one process audit. If you are interested in learning more about Turtle Diagrams and the process approach to auditing, please register for our webinar on the process approach to auditing.
The article reviews FDA guidance documents released in the past 90 days and provides links to those guidance.
For anyone responsible for monitoring new and revised regulatory requirements, you should check the FDA website for new and revised guidance documents at least once every month. If you are not familiar with these FDA resources, here are the links for two of the FDA web pages:
Medical Device Academy will be updating this post weekly. We will also be updating training webinars and procedures associated with these guidance documents. The intent of this review is to help quality system auditors, quality managers, and other personnel responsible for regulatory affairs. It is difficult to stay current with the FDA regulations, and we are trying to make this easier.
New Final FDA Guidance Documents (Q3 2025)
There have been three new final FDA guidance documents released in Q3 2025:
There have been no new draft FDA guidance documents released since January 2025 due to a shift in federal policy.
Animal Studies for Dental Bone Grafting Material Devices
This guidance is specific to dental bone grafting material devices. This guidance was originally issued as a draft on March 29, 2024. The devices included within the scope of the guidance are limited to the class II bone grafting material devices regulated under 21 CFR 872.3930 with the following product codes: LYC, NPM, and NUN.
Predetermined Changed Control Plan for AI-Enabled Device Software Functions
This guidance is specific to device software functions (i.e., SiMD or SaMD) that is enabled with artificial intelligence (AI). This guidance was originally issued December 4, 2024. The FDA is issuing this guidance to provide recommendations for predetermined change control plans (PCCPs) tailored to artificial intelligence (AI)-enabled devices. The guidance is intended to support iterative improvement through modifications to AI-enabled devices while continuing to provide a reasonable assurance of device safety and effectiveness.
Medical Device User Fee – Small Business Qualification and Determination
This guidance is specific to small businesses (i.e., companies with annual revenue of less than $100 million). The small business qualification must be renewed each year. Most small businesses we work with fail to submit the form early enough to take advantage of this deduction, or the companies have difficulty gathering the tax records required for the application. You can download the applicable forms and guidance from our website using the links provided below (Updated July 2025):
Link to FDA Form 3602N for US Companies, Subsidiaries, Parent Companies, and Foreign Companies (New July 2025 Universal Form)
Medical Device Academy has a web page dedicated to this process and we can help you complete the application and submit it as a consulting service if needed.
If you would like to receive email notifications where there are new or revised FDA guidance documents, please sign-up for our Lead Auditor Training course. Anyone that purchases the course will receive email notification of updates. They will also receive access to new and revised training to help them audit new and revised regulations as they are released.
In the eSTAR and PreSTAR, the FDA inquires whether a request for designation (RFD) is associated with your device.
What is a request for designation (RFD)?
A request for designation is a formal request to the Office of Combination Products (OCP), where you request that OCP assign the agency division that will have jurisdiction over a combination product. In 21 CFR 3.7, the FDA outlines the information required in an RFD submission. The FDA encourages RFD submitters to review the agency’s guidance prior to submitting an RFD. It irritates the FDA when you don’t read the guidance and ask questions that are clearly answered within it. Read the guidance first (we provided links below).
What is a combination product?
Before you submit a request for designation, you need to understand what a combination product is. The term combination product includes:
A product comprised of two or more regulated components, i.e., drug/device, biologic/device, drug/biologic, that are physically, chemically, or otherwise combined or mixed and produced as a single entity;
Two or more separate products packaged together in a single package or as a unit and comprised of drug and device products, device and biological products, or biological and drug products;
A drug, device, or biological product packaged separately that, according to its investigational plan or proposed labeling, is intended for use only with an approved individually specified drug, device, or biological product where both are required to achieve the intended use, indication, or effect and where upon approval of the proposed product the labeling of the approved product would need to be changed, e.g., to reflect a change in the intended use, dosage form, strength, route of administration, 9or significant change in dose; or
Any investigational drug, device, or biological product packaged separately that, according to its proposed labeling, is for use only with another individually specified investigational drug, device, or biological product where both are required to achieve the intended use, indication, or effect.
Information regarding the drug/biologic constituent part of the combination product may be needed and accounted for throughout the various sections of your premarket submission. In addition, as described in Product Stability documentation, medicinal substance refers to the drug/biologic constituent part of the combination product as defined in 21 CFR 3.2(e).
How do you write a request for designation (RFD)?
We recommend that you always start with a pre-request for designation (pre-RFD). Once you have feedback from the FDA, then you will be ready to write your request for designation (RFD). The FDA published two guidance documents related to RFDs:
the regulatory identity or classification of a product as a drug, device, biological product, or combination product, and/or
whether CBER, CDER, or CDRH will regulate the product if it is a non-combination product, or
which of those Agency Centers will have primary jurisdiction for a premarket submission of a combination product.
The FDA’s target review time is 60 days for providing the information requested, but a pre-RFD is not a tracked metric with budget impact. Therefore, you should set expectations with your senior management team and investors at approximately 90 days–just like the 513(g) submissions.
21 CFR §3.7 – Request for Designation (copied from eCFR)
(a) Who should file: the sponsor of:
Any combination product the sponsor believes is not covered by an intercenter agreement; or
Any product where the agency component with primary jurisdiction is unclear or in dispute.
(b) When to file: a sponsor should file a request for designation before filing any application for premarket review, whether an application for marketing approval or a required investigational notice. Sponsors are encouraged to file a request for designation as soon as there is sufficient information for the agency to make a determination.
(c) What to file: an original and two copies of the request for designation must be filed. The request for designation must not exceed 15 pages, including attachments, and must set forth:
The identity of the sponsor, including company name and address, establishment registration number, company contact person and telephone number.
A description of the product, including:
Classification, name of the product and all component products, if applicable;
Common, generic, or usual name of the product and all component products;
Proprietary name of the product;
Identification of any component of the product that already has received premarket approval, is marketed as not being subject to premarket approval, or has received an investigational exemption, the identity of the sponsors, and the status of any discussions or agreements between the sponsors regarding the use of this product as a component of a new combination product.
Chemical, physical, or biological composition;
Status and brief reports of the results of developmental work, including animal testing;
Description of the manufacturing processes, including the sources of all components;
Proposed use or indications;
Description of all known modes of action, the sponsor’s identification of the single mode of action that provides the most important therapeutic action of the product, and the basis for that determination.
Schedule and duration of use;
Dose and route of administration of drug or biologic;
Description of related products, including the regulatory status of those related products; and
Any other relevant information.
The sponsor’s recommendation as to which agency component should have primary jurisdiction based on the mode of action that provides the most important therapeutic action of the combination product. If the sponsor cannot determine with reasonable certainty which mode of action provides the most important therapeutic action of the combination product, the sponsor’s recommendation must be based on the assignment algorithm set forth in § 3.4(b) and an assessment of the assignment of other combination products the sponsor wishes FDA to consider during the assignment of its combination product.
(d) Where to file: all communications pursuant to this subpart shall be addressed to the attention of the product jurisdiction officer. Such a request, in its mailing cover should be plainly marked “Request for Designation.” Concurrent submissions of electronic copies of Requests for Designation may be addressed to combination@fda.gov.
The FDA User Fees for FY 2026, October 1, 2025 – September 30, 2026, were released on Thursday, July 31, 2025.
What are FDA User Fees?
At the very core of it, the FDA user fees fund the FDA Office of Device Evaluation (ODE) budget. Without these user fees, the FDA cannot begin reviewing a medical device submission. This includes 510k, PMA, and De Novo submissions. Before the FDA assigns a reviewer to your submission, you must pay the appropriate device user fee in full unless eligible for a waiver or exemption. If you pay the user fee by credit card, you must allow a few extra days for the user fee to clear. Otherwise, your submission will be placed on “User Fee Hold.” Small businesses may qualify for a reduced fee. The FDA announced the FY 2026 FDA User Fees on July 31, 2025. The FDA will announce the user fees for FY 2027 in a Federal Register notice next August 2026.
What are the FDA User Fees for FY 2026?
Is there a small business discount for the establishment registration?
Certain small businesses certified through the small business designation (SBD) program may qualify for a waiver for the registration fee if the business and its affiliates:
have gross receipts and sales of no more than $1 million USD,
can demonstrate paying the registration fee would represent a financial hardship (for example, proof the business is in active bankruptcy), and
has proof of a prior year’s payment of the registration fee.
How much did user fees increase for FY 2026?
The increase in FDA user fees from FY 2025 to FY 2026 was 7.12%, except the annual FDA Registration fee, which increased by 23.1% to $11,423. There are three components to the increase:
Base Fee = a statutory base fee for each FDA user fee
Standard Fee = an inflation-adjusted statutory base fee
Adjusted Fee = adjusted fee to meet revenue target
The reason for each component for the user fees is described in the Federal Register.
When does the FY 2026 increase take effect?
Each year the new FDA user fees take effect on the 1st day of the FDA’s new fiscal year (i.e., October 1). You cannot pay the annual registration fee for FY 2026 until October 1, 2026, and the last day you can submit under the FY 2025 user fee pricing is Tuesday, September 30, 2025. For the submission to be accepted under the current fiscal year, the submission must be uploaded to the Customer Collaboration Portal (CCP) no later than 4:00 p.m. ET on the 30th.
What do you do if you have already paid the FY 2025 price?
If you already paid the FY 2025, and your submission is received after 4:00 p.m. ET on September 30, 2025, you must complete FDA Form 3914 for an FDA user fee payment transfer request. You will also need to pay the difference in user fees (i.e., 7.12%). If your submission is received before the FY 2025 user fee is transferred and you have paid the difference in user fees, your submission will be placed on a user fee hold. If you paid the FY 2025 user fee and are not ready to transfer your previously paid user fee to FY 2025 (and pay the difference), you can request an FDA user fee refund by filling in an online form.
What is the annual registration fee for FY 2026 due?
The annual establishment registration user fee can be paid any time between October 1 and December 31. If you pay late, there is no penalty, but your registration status will be inactive, and you cannot submit new device submissions or import products to the USA. If you are not yet distributing any devices in the USA, you are not required to have your establishment registered, and establishment registration is not required before submitting a new device submission. If you are not required to register yet, when you are paying the user fee for a new device submission on the Device Facility User Fee (DFUF) website, you will click the “Yes” button because there is no “N/A” option for the question below.
Is the annual FDA registration fee prorated?
Annual registration payments are not prorated when you are paying in the middle or even near the end of the year for your initial registration. Therefore, you will need to consider if the revenues you expect to gain before the end of the current fiscal year are worth the registration cost. If you need any help with annual registration or you need a US Agent, we offer these consulting services.
This blog provides a deep dive into the newest version of the FDA eSTAR, version 5.5, released on February 12, 2025.
Why did the FDA release the new eSTAR version as v5.5 instead of v6.0?
A major version update consists of policy changes, regulatory changes, or major changes to the template and will be denoted by a major version number increment (e.g. 5.4 to 6.0). A minor version update will consist of other changes and will be denoted by a minor version number increment (e.g. 5.4 to 5.5). If there are policy or regulatory changes, a new major version of the eSTAR is made before the implementation date, and the previous version of the eSTAR is removed. As an example, the FDA updated v4.3 to v4.4 to enable PMA content, updates to the international pilot of the eSTAR with Health Canada, and implementation of cybersecurity documentation requirements are considered major changes that trigger the need for a major version update (i.e., 5.0) instead of a minor version update (i.e., 4.4). These changes apply to the IVD eSTAR and the non-IVD eSTAR. If you are generally unfamiliar with the FDA eSTAR, please visit our 510k course page.
What is the deadline for using v5.5?
Version 5.4 of the FDA eSTAR, both the nIVD and IVD versions, may continue to be used until v6.0 is eventually released. In fact, any v5.x may be used until v6.0 is released. Any submissions that are submitted with an expired version (v4.x) of the eSTAR will be rejected. If you have already uploaded information to an older version of the template, you will need to scroll to the bottom of the eSTAR and export the data to an HTML file. Then you import the HTML file into the newer version of the eSTAR. Any attachments you made to the older version of the template will not be exported, and you will have to attach all of the attachments to the new template.
PMA content is enabled in the new FDA eSTAR
Previous versions of the FDA eSTAR included the functionality for premarket approval (PMA) submissions, but in version 5.0 the FDA finally enabled this functionality. 510k submissions have three types: 1) Traditional, 2) Abbreviated, and 3) Special. PMA submissions also have different types. There are two types of PMA submissions for a new device: traditional and modular. Unfortunately, the FDA eSTAR is not intended for PMAs using the modular approach. For Class 3 devices, the FDA has more stringent controls over changes than Class 1 and 2 devices. Therefore, a PMA supplement is required for the following types of changes to PMA-approved devices:
new indications for use;
labeling changes;
facility changes for manufacturing or packaging;
changes in manufacturing methods;
changes in quality control procedures;
changes in sterilization procedures;
changes in packaging;
changes in the performance or design specifications, and
extension of the expiration date.
There are several types of PMA supplements, but only three types of supplements can use the FDA eSTAR: 1) Panel-Track, 2) 180-Day, and 3) Real Time. To determine which type of PMA supplement you should use, the FDA published guidance for modifications to devices subject to the premarket approval process.
PMA Content
The following sections in the FDA eSTAR are specific to PMA submission content requirements:
Quality Management System Information
Facility Information
Post-Market Study (PMS) Plans
Attach an exclusion statement, or an Environmental Assessment Report in accordance with 21 CFR 814.20(b)(11)
Health Canada is conducting a pilot with the FDA eSTAR
Health Canada’s FDA eSTAR pilot is now full with a total of 10 participants (originally only 9 were planned). The pilot will test the use of eSTAR for applications submitted to Health Canada. The results of the pilot should be complete soon, and then we expect an extension of the pilot to a broader number of applicants. We heard rumors that the HC eSTAR was overly complicated. Hopefully, future versions are simplified.
Were there any changes to the EMC testing section?
EMC Labeling questions were consolidated into a single question instead of four because only one citation is usually provided in this section. A copy of the older version is provided below.
The updated version 5.0 is shown below and has only one question, but the help text was changed.
Does the FDA eSTAR now require more cybersecurity documentation?
We have updated our cybersecurity work instruction (WI-007) to address the updated FDA guidance for cybersecurity documentation. The revisions were completed earlier this month, and you can purchase the updated templates on our website. We have also been telling our subscribers to anticipate a significant revision to the FDA eSTAR template when this happens. The release of the updated eSTAR version took a little over two months, and the change resulted in a three-page section dedicated to cybersecurity documentation. The previous versions of the template included a requirement for documentation of cybersecurity risk management and a cybersecurity management plan/plan for continuing support. The following documents must be attached in this section if cybersecurity applies to your device:
risk management – report (attach)
risk management – threat model (attach)
list of threat methodology (text box)
verification that the threat model documentation includes (yes/no dropdown):
global system view
Multi-patient harm view
Updateability/patchability view
Security use case views
cybersecurity risk assessment (attach)
page numbers where methodology and acceptance criteria are documented (text box)
verification that the risk assessment avoids using probability for the likelihood assessment and use exploitability instead (yes/no dropdown)
software bill of materials or SBOM (attach)
software level of support and end-of-support date for each software component (attach)
operating system and version used (text box)
safety and security assessment of vulnerabilities (attach)
assessment of any unresolved anomalies (attach)
data from monitoring cybersecurity metrics (attach)
information about security controls (attach)
page numbers where each security control is addressed (text box):
Authentication controls
Authorization controls
Cryptography controls
Code, data, and execution integrity controls
Confidentiality controls
Event detection and logging controls
Resiliency and recovery controls
Firmware and software update controls
architecture views (attach)
cybersecurity testing (attach)
page numbers where cybersecurity labeling is provided (text box)
Sterility section changes include an updated question on EO residuals
In the sterility section of the FDA eSTAR there was a question about sterilant residues. Specifically, the question was “What are the maximum levels of sterilant residual that remain on the device?” The space provided for entering the information was small as well.
Now the question is reworded to: “What are the maximum levels of sterilant residuals that remain on the device, and what is your explanation for why those levels are acceptable for the device type and the expected duration of patient contact?” No change was made to the help text for this question.
In addition to the changes in the sterility section regarding EO residuals, the FDA also modified the dropdown menu and the help text for pyrogenicity testing. There were options for “LAL” and “Rabbit Test” separately, but now these are combined into “LAL and Rabbit Pyrogen Test.” In addition, the following help text was added: “If you previously conducted rabbit testing on these materials, please either: 1) reference this testing according to the submission number in your attached Pyrogenicity documentation and specifically cite the attachment(s) and page number(s) where the testing is found in that submission, or 2) attach your previous test report.”
What is the deadline for using v5.0?
Many clients say that they get an error message when they try to open the FDA eSTAR template. This is because they are opening the eSTAR from a PDF viewer instead of Adobe Acrobat Pro.
Some people want to save money by using the free Adobe Acrobat Reader software instead, but this will not allow you to complete the eSTAR properly. Therefore, the FDA added a Popup message if Adobe Acrobat Reader is used.
How are devices with a breathing gas pathway evaluated for biocompatibility?
In the screen capture below, I have intentionally selected “Surface Device: Mucosal Membrane” as the type of tissue contact for a breathing gas pathway device because the device will have a mouthpiece placed in your mouth (i.e., mucosal membrane). This is a common mistake. In version 5.0 of the FDA eSTAR, the FDA clarifies that these devices should be evaluated as “externally communicating” and the tissue contact is “tissue/bone/dentin.” Specifically, the tissue contact is the lungs. For this reason, the FDA added the help text shown below in the JavaScript Window regarding the applicability of ISO 18562-1, -2, -3, and -4.
Additional questions and guidance will appear when you click on the individual blue boxes shown above. For the blue box labeled “Subacute/Subchronic,” you will find additional help text regarding the ISO 18562 standards. Similar help text is found when you click the blue box labeled “Acute Systemic & Pyrogenicity.”
What is a cross-section change reminder?
One of the minor changes made in this FDA eSTAR version is the addition of “cross-section change reminders” to the help text in the device description section. This is not meant to help you avoid answering questions in your submission, because if you are missing a section of the submission because you answered “No” instead of “Yes” the FDA reviewer will identify this error during the Technical Review process. This will result in your submission being placed on hold and the review time clock will be reset to zero days when you resubmit with the corrections made. The screen capture below shows an example of one of these cross-section change reminders.
What changes were made to the clinical testing section of the FDA eSTAR?
The clinical testing section will now display when using PDF-XChange Editor, but we recommend only using Adobe Acrobat Pro to edit the FDA eSTAR. This change is a bug fix, and it is specific to the nIVD eSTAR. The IVD eSTAR and the nIVD eSTAR both include a clinical testing section within the performance testing section, but the performance testing section is found in the FDA eSTAR before the electrical safety and EMC testing section, while the performance testing section is found after the electrical safety and EMC testing section. If your company is planning to submit clinical data in a future FDA submission, we have the following recommendations:
conduct a pre-submission teleconference to ask questions about your clinical study protocol before IRB submission or ethics review board submission
before you submit the pre-sub meeting request, look at what general clinical information the FDA wants for a De Novo or PMA submission in the FDA eSTAR
Note: The clinical section shown above is only found in the FDA eSTAR if you select a De Novo or PMA submission. If you submit a 510k submission with clinical data, the clinical section will be abbreviated as shown below.
template when this happens. The release of the updated eSTAR version took a little over two months, and the change resulted in a three-page section dedicated to cybersecurity documentation. The previous versions of the template included a requirement for documentation of cybersecurity risk management and a cybersecurity management plan/plan for continuing support. The following documents must be attached in this section if cybersecurity applies to your device:
