Do you need help completing your initial FDA registration and listing for a medical device? Watch our video to learn how.
The two most common situations for when a company needs to register its establishment with the FDA are 1) when the company is a contract manufacturer and producing a finished device for the first time, and 2) when the company is a specifications developer that recently received a 510k and is about to begin distribution of the newly cleared product. If your company is a specification developer, and you have not yet submitted your first 510k, then you must complete your Medical Device User Fee Cover Sheet first. If you have already received 510k clearance, or your device is exempt from 510k clearance, this article and the associated video will help you complete your FDA registration and listing.
Small Business Status does not apply to FDA registration
Most first-time 510k submissions are from small companies. If your company has gross receipts of less than $100 million, you should apply for status as a small business by completing FDA Form 3602 (for US-based companies) or FDA Form 3602A (for foreign companies), along with your company’s tax return for the previous year. You should apply every year on August 1st. The qualification process takes 60 days, and you never know when you might need to submit a 510k for a device modification. Qualifying for small business status saves substantially on FDA submission fees. The FDA’s review and decision regarding your application for small business status require 60 days, and the status expires each year on September 30th. If you want additional information about small business qualifications, we created a webpage dedicated to this topic.
Medical Device User Fee Amendment (MDUFA)
A few weeks before you submit your first 510k to the FDA, it is recommended that you create a new account for the user fee website and make your Device Facility User Fee (DFUF) payment. This is the website you must access to pay the 510k submission fee. If you are taking advantage of small business status, you will need the Small Business Decision Number you received in the FDA decision letter in response to FDA Form 3602A. Small and large businesses should follow the directions in the guidance document to set up a new MDUFA account.
Once the user fee account has been created, you need to complete a 510k user fee cover sheet. The FDA provides instructions on how to complete the cover sheet. Payment must be submitted to the FDA as well, and the FDA offers multiple ways to pay the user fee for FDA registration.
After you submit your 510k and receive your 510k clearance letter, you may now begin the marketing and distribution of a product. Once a company starts distributing a new product, the company has 30 days to register the facility and list each device with the FDA. Before registering with the FDA, you must also make a second DFUF payment for the establishment registration fee of $5,672 (the Establishment Registration User Fee increases annually). There is no discount for small business status when paying the FDA registration fee, and the fee is not prorated. Discounts are only available for submission fees (e.g., the 510k user fee). The FDA registration fee must be paid for each facility registered between October 1 and December 31. Your registration will become inactive if renewal fees are not paid on time.
FDA Registration and Listings System (FURLS) Database
The FURLS database is a separate database where companies register facilities and list devices with the FDA. The FURLS account ID and password used for FDA registration of your facility are separate from the user name and password for the user fee website used for the DFUF payment. After you pay the annual registration user fee, you will receive the following information via email: Payment Identification Number (PIN) and Payment Confirmation Number (PCN). You will need this information to complete the registration in the FURLS database.
To create a new FURLS account, you access the following website. This new account should only be created if your company does not already have an account, and the person creating the account should be a trusted manager with the authority to designate sub-accounts when needed. Creating a new account will result in issuing an account ID, and you will need to select a password during the process. You need this information for logging into the system in the future. The FDA also has an account management page if you already have an FDA registration and listing account and need help managing it or making changes.
FDA Registration and Listing – Additional Resources
The FDA created a webpage explaining medical device FDA registration and listing, but the following page is the place I recommend that most companies begin reading. If you want Medical Device Academy to help you with FDA registration, we offer this free of charge to our 510k submission clients and turnkey quality system clients. New clients, and clients that have not hired us for a 510k or quality system, can hire us as a US Agent and/or help with registration and listing by using our calendly link for registration and listing assistance.
If you want additional training on registering and listing your facility with the FDA, please visit the updated CDRH Learn webpage (click on “Start Here/The Basics”). The FDA offers a “post-test” and a certificate for anyone completing the post-test. I recommend that anyone setting up a new account, and anyone responsible for updating the FDA registration and listing information, complete this training first.
Finally, we can use the new FDA CCP to eliminate FedEx shipments, and 100% of your submissions will be electronic through the portal.
July 2022 Update for the FDA eCopy process
The FDA created a Customer Collaboration Portal (CCP) for medical device manufacturers. Originally, the portal’s purpose was to provide a place where submitters can track the status of their submissions and verify the deadlines for each stage of the submission review process. Last week, on July 19, the FDA emailed all active FDA CCP account holders that they can upload both FDA eCopy and FDA eSTAR files to the portal 100% electronically. Since our consulting team sends out submissions daily, everyone on the team was able to test the new process. If you have a CCP account, you no longer need to ship submissions via FedEx to the Document Control Center (DCC).
FDA CCP step-by-step uploading process
When you are uploading an FDA eCopy for medical device submission to the Document Control Center (DCC), using the new FDA CCP, the following steps are involved:
Click on the “+” symbol on the left panel of the webpage (if you hover over the “+” symbol, you will see “Send a submission”)
Select your desired upload format (pre-submissions, meeting minutes, breakthrough device designations, and withdrawal letters must be submitted as an eCopy)
Click on the “Next” button that appears below the selection formats once a format is selected
Drag & drop your single “.zip” file here, or browse for it.
Click on the “Send” button to complete the uploading process.
Verify that the FDA CCP site gives you a confirmation for the successful uploading of your submission.
FDA Q&A about the new FDA CCP Submission Uploading Process
Medical Device Academy Question: Who will be permitted to use the FDA CCP to upload submissions for the DCC? FDA Response: We will first offer this feature in batches to people like you who already use CCP so we can study its performance. We will then refine it and make it available to all premarket submitters.
Medical Device Academy Question: What do you need to use the FDA CCP? FDA Response: You don’t need to do anything to participate since you already use CCP. We will email you again when you can start sending your next submissions online.
Medical Device Academy Question: Suppose another consultant asks me to submit an eSTAR or eCopy for them, or I do this for a member of my consulting team. Is there any reason I cannot upload the submission using my account even though the other person is the official submission correspondent and their name is listed on the cover letter? FDA Response: The applicant and correspondent information of the submission is still used when logging the submission in. The submitter (i.e., the person uploading the submission) is not used in any part of the log-in process. The submission portal is essentially replacing snail mail only; once the DCC loads the submission, whether it be from a CD or an online source, the subsequent process is identical to what it used to be, for now.
Medical Device Academy Question: Is there any type of eCopy that would not be appropriate for this electronic submission process (e.g., withdrawal letters, MAF, or breakthrough device designations)? FDA Response: You can use the eCopy option to submit anything that goes to the DCC, so all your examples are fair game, though interactive review responses would still be emailed to the reviewer.
Medical Device Academy Question: How can I get help from the FDA? FDA Response: If you have questions, contact us at CCP@fda.hhs.gov.
Your CAPA procedure is the most important SOP. It forces you to investigate quality problems and take actions to prevent nonconformity.
CAUTION: Read the story in the next few paragraphs before you implement any purchased procedure
During a recent internal audit, I noticed that the client was not meeting one of the requirements of their CAPA procedure. Specifically, the procedure indicated that all CAPA plans must be written within seven calendar days of initiating the CAPA. Despite this requirement in their procedure, the client was indicating that CAPA plans were due within 30 calendar days on their CAPA form.
This example is a minor nonconformity, but the reason why this client was not following their procedure is more interesting. The procedure was 100% compliant with FDA regulations, but the procedure did not match how the company performed the process. The procedure and the process MUST match.
This client purchased their CAPA procedure from another consultant, changed the title, and had everyone in the company “read and understand” the procedure for training.
Make sure your CAPA procedure is clear and concise
Procedures are often unclear because the author is more familiar with the process than the intended audience for the procedure. An author may abbreviate a step or skip it altogether. As an author, you should use an outline format and match your CAPA form exactly. There should be nothing extra in the procedure, and nothing left out. Medical Device Academy’s updated CAPA procedure is only six pages and the CAPA form is four pages.
SYS-024 Corrective and Preventive Action (CAPA) Procedure, Form, and Log
SYS-024 – Medical Device Academy’s newly updated CAPA procedure is a 6-page procedure. Your purchase will also include our CAPA form (FRM-009), and our CAPA log (LST-005). The procedure is compliant with ISO 13485:2016, 21 CFR 820.100, SOR 98/282, and the EU MDR. You will also receive free updates in the future. We are currently distributing our 16th version of the procedure.
CAPA procedure writing recommendations
Procedures are often unclear because the author is an expert with more experience than the intended audience. An author may abbreviate a step or skip it altogether. As an author, you should use an outline format and match your CAPA form exactly. There should be nothing extra in the procedure, and nothing left out. Before writing your own CAPA procedure, consider following these 7 steps:
Design your CAPA form first
Identify which steps in your process are most important and specify how these steps will be monitored (i.e., risk-based approach)
Write a procedure that follows your CAPA form and includes instructions for monitoring and measuring your CAPA process
Conduct group CAPA training using the draft version of your form and procedure
Make revisions to the form and procedure to clarify steps the trainees had difficulty with
Ask the trainees to review the revised form and procedure
Make final revisions and route the procedure for approval
The specific order of steps is essential to creating a CAPA procedure—or any procedure. Writing a procedure that matches the form used with that procedure helps people understand the tasks within a process. Throughout the rest of this article, we describe each of the nine steps of Medical Device Academy’s CAPA procedure (SYS-024). The actual CAPA form (FRM-009) sold with SYS-024 is more complex than 9 steps, but a more complex form is needed to make sure every sub-task is documented in your CAPA records.
Review nonconformities, including complaints, to determine if a CAPA is needed (Step 1)
If I am auditing a CAPA process, and almost all the CAPAs are resulting from auditor findings, then I know the client is not adequately reviewing other sources of potential quality issues. When I took my first CAPA training course, the image below was drawn on a flip chart by Kim Trautman. I have used this image in all of my CAPA training for other people since. I think this provides a good visual representation of the most common sources of new CAPAs. Although the number of CAPAs from each source will never be equal, you should review all of these data sources for quality issues periodically.
CAPA procedure step 2 – Describe and reference the quality issue
The next step is to copy and paste your quality issue directly into the CAPA record and add a reference to the source. This step of the CAPA procedure is not a specific requirement of the ISO 13485 standard or the FDA regulations. However, describing and referencing quality issues in your CAPA record is a practical requirement. The person assigned to investigate the root cause of the quality issue needs to know what the source of the quality issue is, and when you are trying to close a complaint or audit report you will find it helpful to cross-reference the two records. For example, the CAPA might be related to the fifth nonconformity in your second internal audit report for 2022 (e.g. IA 220205).
Copy & Paste into your CAPA Record
Attribution: Icons were copied and pasted from Flaticon.com.
Step 3 – Perform a root cause analysis
Why can’t we fix our mistakes the first time? We are doomed to repeat mistakes when we fail to identify the root cause or causes. The person you assign to investigate a quality issue must be trained to perform a thorough root cause analysis. Successful root cause analysis depends upon four things:
Courage to admit that your process is broken
Learning more than one tool for analyzing problems
Practicing the use of root cause analysis tools
Sampling enough records (or testing enough product)
The common belief is that people fail to identify the root cause because they need root cause training (#2) or more practice (#3). However, most people fail because they stop sampling or testing too soon. I typically recommend that companies sample at least twice as many records as the suspected problem frequency. For example, if a complaint occurs 1% of the time, you should review 200 records before you can be sure you identified that root cause. If you are correct, you will only find the quality issue twice in the 200 records. However, a review of 200 records often reveals that the quality problem is more common than you originally estimated and there is more than one cause of device malfunction.
CAPA procedure step 4 – Do you need a new CAPA?
After you have successfully completed a root cause analysis, you now need to determine if a new CAPA is needed. If there is already a CAPA that is open for the same quality issue, you can use the existing CAPA as justification for not conducting corrective actions. In this case, you should include a cross-reference in the new CAPA record to the existing CAPA record. You should also document containment measures and corrections.
In both the existing CAPA record and your new CAPA record you should also be documenting your risk evaluation of your CAPA. In the latest update to our CAPA procedure, we changed the method of risk evaluation to match the MDSAP grading process for nonconformities. A copy of this section is provided in the image below.
In the CAPA procedure, we state that any risk score of 4 or 5 requires the implementation of a CAPA. If any of the escalation rules apply to the risk score, you should implement a CAPA regardless of the total risk score. This is our recommendation for a method of risk evaluation, but there is no standard telling you that you must do it this way. However, we believe this method of calculation is more likely to be consistent because it is based on the MDSAP grading guidelines.
If no escalation rules apply to your risk score, it may be possible to implement containment and corrections only. If your action plan includes only containment and corrections, we recommend that you monitor the quality issue as a process metric or quality objective to identify future occurrences. If you are evaluating a new CAPA that appears to have the same root cause as an existing CAPA, you may need to update the risk score of the existing CAPA to a higher number based on the escalation rules. Escalation may impact your corrective action plan, and it should certainly affect the prioritization of your existing CAPA.
Plan and document your corrective actions, including updating documentation (Step 5)
The biggest mistake you can make in this stage of the CAPA process is to spend too much time planning your corrective actions. “Take action and document it” is the essence of this step in the CAPA procedure. If you spend all of your time planning, then you will never take action. The CAPA plan can and should be edited. Therefore, if you know a procedure needs revision, start revising the procedure immediately. You can always add more corrective actions to your corrective action plan after you write the procedure, but you need to start writing. The second biggest mistake you can make during this stage is failing to document the actions you take. If you don’t document your actions, it’s a rumor, not a record.
Do your planned actions adversely affect regulatory compliance or safety and performance? (Step 6)
One of the required actions for a CAPA is to update your procedure(s) to reflect any process improvements to eliminate the root cause. When you update procedures, you need to make sure procedural changes do not create a regulatory compliance issue. We do this by inserting a cross-reference to each regulatory requirement in our procedures. The cross-reference is then color-coded and we add a symbol for people that are color blind. Symbols also facilitate electronic searches for regulatory requirements.
If corrective actions you implement involve design changes, you will need to repeat design verification and design validation to make sure design changes do not impact safety and performance. If corrective actions change your manufacturing or service processes, you will need to repeat process validation to make sure that the process changes do not impact compliance with your design specifications. These recertification and revalidation steps are frequently forgotten, and they represent the biggest challenge for review and approval of design and process changes (described in the video below).
Perform an effectiveness check – Step 7 of your CAPA procedure
Most people verify CAPA effectiveness by verifying that all the actions planned were completed, but this is not a CAPA effectiveness check. An effectiveness check should use quantitative data from your investigation of the root cause as a benchmark. Then you should verify that performance after the corrective actions were implemented shows a decrease in the frequency of the quality problem, a decrease in the severity of the quality problem, or both. Ideally, a process re-validation was performed, because validation protocols are required to include quantitative acceptance criteria for success.
Step 8 – Record your CAPA results
You are required to record each step of your CAPA procedure in a CAPA record (FRM-009). Therefore, we created a form that is organized in the order of the CAPA process, and then we wrote the CAPA procedure to match the organization of the form. The biggest mistake we see is that the CAPA owner does not update the record to include all of the details until the CAPA plan is completely implemented. This is a mistake. You should be documenting actions when they are taken. When you gather new information, and you need to update your root cause investigation or your corrective action plan, you are allowed to modify the record. You just need to have a system that allows you to keep track of revisions. This is often referred to as an “audit trail.” If you have a paper-based system, you will need to sign and date the document each time you make an addition. If you revise previous entries, you will need to revise and reprint the CAPA record, and then you will need to sign and date the revised and reprinted CAPA record. Ideally, you will have an electronic system with an audit trail, but software budgets are not infinite.
CAPA procedure step 9 – Close the CAPA record
The last step in the CAPA procedure is to close your CAPA record. As with most quality system records, the person responsible for the process should review and approve each record for closure with a signature and date. If the person assigned to the CAPA left sections incomplete or made mistakes in completing the CAPA form, the person that made the mistake should be instructed to correct the mistake, identify that they made a correction, and identify the date of the correction. If a CAPA is not effective, then a cross-reference to the new CAPA that is opened should be documented in the older CAPA record.
If you are interested in more training on CAPA, you might be interested in purchasing Medical Device Academy’s Risk-Based CAPA webinar. 99% of companies hold off on their training until a procedure is officially released as a controlled document. In my experience, however, these procedures seem to have a lot of revisions made immediately after the initial release. New users ask simple questions that identify sections of procedures that are unclear or were written out of sequence. Therefore, you should always conduct at least one training session with users prior to the final review and approval of a procedure. This will ensure that the final procedure is right the first time, and it will give those users some ownership of the new procedure.
After you train your initial group, and after you make the edits they recommended, ask those trainees to review and edit your changes to the procedure. Sometimes we don’t completely understand what someone is describing, and sometimes maybe only half-listening. Going back to those people to verify that you accurately interpreted their feedback is the most important step for ensuring that users accept your new procedure.
After you approve your new CAPA procedure, make sure everyone in your company is trained on the final version of the procedure. CAPA is a critical process (i.e., “the heart”) in your quality system. Everyone should understand it. You should also provide extra CAPA training for department managers, such as root cause analysis training, because they will be responsible for implementing CAPAs assigned to their department. You can use this 7-step process for any procedure, but ensure you use it for the most important process of all—your corrective and preventive action process. Thank you for reading to the end of this article. Spaz and I thank you for your support.
ISO 14971:2019 includes a requirement for top management to define and document a risk management policy, but do you have one?
Your risk management procedure is not your risk management policy
ISO 14971:2019 includes a requirement for a risk management policy and a risk management procedure. The word procedure is defined (Clause 3.13) as a “specified way to carry out an activity or a process,” but there is no definition for policy. Both of these words begin with the letter “p,” but they are not the same. There is no guidance for a risk management policy in either of the European device regulations for CE Marking, and there is no guidance in the US FDA’s regulations. In fact, there is not even a specific clause of the international risk management standard that is dedicated to the requirement for a risk management policy. The word “policy” only appears in ISO 14971 seven times, but the last occurrence provides the best explanation:
Appendix A2.4.2 states that “because [ISO 14971] does not define acceptable risk levels, top management is required to establish a policy on how acceptable risks will be determined.”
If someone responsible for risk management activities does not understand this distinction, this shows that risk management training may not be adequate.
Can you have a different policy for each product family?
The purpose of the policy is to establish how the acceptability of risks will be determined. However, not all devices have the same benefit-risk ratio. Therefore, if you have product families with high and low risks, then you should address this in your policy with specific criteria for each device family or create a separate risk management policy for each product family. For example, if your company is focused on designing and developing products for diabetics, you will not have the same benefit-risk profile for a Class 2 glucose reader and lancet for Type 2 diabetics that you have for an automated Class 3 insulin pump for Type 1 diabetics. In general, separate criteria within one policy are preferred over separate policies to reduce the number of documents that must be managed.
Is there a required format for a risk management policy?
The ISO 14971:2019 standard does not include a specific format or content requirement for your risk management policy. Instead, information about the format and content of a risk management policy is provided in Annex C of ISO/TR 24971:2020. This is a guidance document, and therefore you can choose an alternate approach if you provide a justification for its equivalence. If you choose the approach recommended in Annex C, the following elements should be included:
factors and considerations for determining acceptable risk;
approaches to risk control;
requirements for approval and review.
You can download Medical Device Academy’s template for a risk management policy (POL-005) by completing the form below.
What are the factors for determining acceptable risk?
There are four possible factors to consider when determining your risk management policy:
Applicable regulatory requirements;
Relevant international standards;
The generally acknowledged state of the art;
Stakeholder concerns.
An example of regulatory requirements being applied to the determination of acceptable risks is the special controls defined in 21 CFR 880.5730 for insulin pumps. The special controls requirements outlined by the FDA specify design inputs as well as verification and validation requirements. The requirements are also organized into systems that comprise an insulin pump. For the digital interface requirements, the regulation specifies:
secure pairing to external devices;
secure data communication between the pump and connected devices;
sharing of state information between devices;
ensuring the pump continues to operate safely when receiving data that is outside of the boundary limits that are specified as inputs;
a detailed process and procedure for sharing pump interface specifications with connected devices.
The hazard implied by the fourth requirement above is that the pump will stop without warning or deliver the incorrect amount of insulin if the data from a continuous glucose sensor is outside of the input specifications. This design input is then addressed by a software design specification established by your company. To verify that your software risk controls are adequate, you will need to execute a verification protocol that automatically inputs a series of values that are outside of the boundary limits specified. Every time a change is made to the software, these boundary limits will need to be re-verified as part of your automated regression analysis to make sure software changes did not have an unintended effect on the device.
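One way to implement the out-of-boundary verification protocol described above, as an added Python example that is not part of the article or of any pump product: the glucose limits, the sensor-age limit, the PumpState modes and the handle_cgm_reading function are all constructed assumptions for illustration. The protocol exercises values just inside, on and beyond each boundary plus malformed inputs, and the naive comparison is kept alongside to show why NaN must be rejected explicitly.

```python
"""Boundary-limit verification for CGM data received by a pump controller.

Added example with a hypothetical interface; the numeric limits below are
constructed for illustration and are not taken from any regulation or device.
"""
import math
from dataclasses import dataclass
from typing import Optional

GLUCOSE_MIN_MG_DL = 40.0   # constructed lower boundary limit (design input)
GLUCOSE_MAX_MG_DL = 400.0  # constructed upper boundary limit (design input)
MAX_SENSOR_AGE_S = 600     # constructed: a reading older than this is stale


@dataclass(frozen=True)
class PumpState:
    mode: str                       # "AUTO" = closed-loop dosing allowed,
                                    # "SAFE" = automated dosing suspended
    reason: str
    accepted_value: Optional[float]  # sanitized glucose value, or None


def naive_out_of_range(value: float) -> bool:
    """The comparison many implementations start with. NaN compares False on
    both sides, so a NaN reading is silently treated as *in* range."""
    return value < GLUCOSE_MIN_MG_DL or value > GLUCOSE_MAX_MG_DL


def handle_cgm_reading(value, age_s) -> PumpState:
    """Return the pump mode for one reading. Every path that cannot prove the
    input is a finite, fresh, in-range number falls back to SAFE."""
    # Type check first: bool is a subclass of int and must not pass as a number.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return PumpState("SAFE", "non-numeric input", None)
    v = float(value)
    if not math.isfinite(v):                      # rejects NaN and +/-inf
        return PumpState("SAFE", "non-finite input", None)
    if isinstance(age_s, bool) or not isinstance(age_s, (int, float)):
        return PumpState("SAFE", "invalid timestamp", None)
    if age_s < 0 or age_s > MAX_SENSOR_AGE_S:
        return PumpState("SAFE", "stale or invalid timestamp", None)
    if v < GLUCOSE_MIN_MG_DL or v > GLUCOSE_MAX_MG_DL:
        return PumpState("SAFE", "glucose outside boundary limits", None)
    return PumpState("AUTO", "ok", v)


def boundary_protocol():
    """Automated protocol: feed values on, just inside and beyond each limit,
    plus malformed inputs, and compare the resulting mode with the expected
    safe outcome. Returns (all_passed, per-case results) so it can be rerun as
    a regression check after every software change."""
    cases = [
        # (description, value, age_s, expected_mode)
        ("just below lower limit", GLUCOSE_MIN_MG_DL - 0.1, 0, "SAFE"),
        ("on lower limit", GLUCOSE_MIN_MG_DL, 0, "AUTO"),
        ("just above upper limit", GLUCOSE_MAX_MG_DL + 0.1, 0, "SAFE"),
        ("on upper limit", GLUCOSE_MAX_MG_DL, 0, "AUTO"),
        ("nominal reading", 120.0, 30, "AUTO"),
        ("NaN", float("nan"), 0, "SAFE"),
        ("positive infinity", float("inf"), 0, "SAFE"),
        ("negative value", -1.0, 0, "SAFE"),
        ("string payload", "120", 0, "SAFE"),
        ("boolean payload", True, 0, "SAFE"),
        ("stale reading", 120.0, MAX_SENSOR_AGE_S + 1, "SAFE"),
        ("negative sensor age", 120.0, -5, "SAFE"),
        ("extreme magnitude", 1e308, 0, "SAFE"),
    ]
    results = []
    for description, value, age, expected in cases:
        state = handle_cgm_reading(value, age)
        results.append((description, state.mode, expected, state.mode == expected))
    return all(passed for _, _, _, passed in results), results


if __name__ == "__main__":
    ok, rows = boundary_protocol()
    for description, got, expected, passed in rows:
        print(f"{'PASS' if passed else 'FAIL'}  {description:24s} got={got} expected={expected}")
    print("protocol result:", "PASS" if ok else "FAIL")
```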
For software and use-related hazards, you will not be able to estimate the probability of occurrence of harm. Therefore, you shall assess the acceptability of risks based upon the severity of harm alone. Risk acceptability criteria shall be recorded in your risk management plan and the criteria shall align with your risk management policy. Ideally, these criteria are based upon international standards. For the example of an interoperable insulin pump, the following international standards are applicable:
ISO 14971, application of risk management to medical devices
IEC 62366-1, application of usability engineering to medical devices
IEC 62304, medical device software – software lifecycle processes
For the state of the art, there are three examples provided in the ISO/TR 24971 guidance for how this relates to your risk management policy:
“Leakage currents of the medical device are state of the art, demonstrated by compliance to the limits and tests regarding leakage current of IEC 60601-1.
Dose accuracy of the delivery device are state of the art, as demonstrated by compliance to the limits and tests regarding dose accuracy of ISO 11608-1.
Protection against mechanical failure caused by impact is on the same level as or better than a similar medical device, as demonstrated by comparative test such as drop test.”
Stakeholder concerns are the fourth factor to consider when creating your risk management policy. Stakeholder concerns may be identified in clinical literature. However, the current trend is an emphasis on patient-reported outcome (PRO) data and post-market surveillance. Post-market surveillance is a requirement in ISO 13485, Clause 8.2.1. However, the new European MDR and IVDR have new requirements for post-market surveillance data in the technical documentation. Health Canada updated the medical device regulations to include post-market surveillance summary reports, and even the FDA is trying to develop methods for using real-world data and real-world evidence to make regulatory decisions.
Approaches to risk acceptability
The European device regulations require that a benefit/risk analysis be conducted for all risks and the overall residual risk of your device. The EU regulations also do not permit risk acceptability to consider economic impact. The EU regulations also require that risks are reduced as far as possible. Therefore, if your company is seeking CE Marking, there is only one acceptable approach suggested in ISO/TR 24971, Annex C.2: “reducing risk as far as possible without adversely affecting the benefit-risk ratio.” This is also the approach specified in our risk management procedure (SYS-010).
Requirements for review and approval of the risk policy
Requirements for approval and review of the risk management policy should be specified in the policy itself. This should specify who needs to approve that the policy is acceptable and how often the policy needs to be reviewed. Section 4.2.2 of ISO 14971 also requires that top management review the risk management process for its effectiveness. In general, we recommend that this review of the risk management process be incorporated into the management review process. Therefore, we also believe that this would be the ideal time to review the risk management policy. Generally, this is more frequently than is typically required, but if your risk management process is being reviewed for effectiveness then you have all of the necessary inputs available to review the policy as well.
A CAPA Board is a team responsible for making sure that all CAPAs are completed on time and the actions taken are effective.
Many of the medical device companies we work with have to open a CAPA for their CAPA process because they fail to implement all the actions that were planned, they fail to implement corrective actions as scheduled, or the actions implemented fail to be effective. When we investigate any process, we typically see one of five common root causes:
top management is not committed to the CAPA process (we can’t fix this)
procedures and/or forms are inadequate
people responsible do not have sufficient training
management oversight of the process is neglected
there are not enough resources to do the work
Creating a CAPA Board can address four of these potential root causes, but the CAPA Board needs to understand how to work effectively.
Creating a CAPA Board shows a commitment to quality
Sometimes top management only pays lip service to quality. Top management’s actions demonstrate that quality is a cost-center, and they do not view quality as contributing to the revenue of the company. Instead, quality is viewed as a “necessary evil” like death and taxes. If this describes your company, sharpen your resume and find a new job. Quality is essential to selling medical devices and quality is the responsibility of everyone in the company. The Management Representative is responsible for “ensuring promotion and awareness” (see Clause 5.5.2c of ISO 13485) of regulatory and quality system requirements. This person should be training others on how to implement best practices in quality system management. One person or one department should never be expected to do most of the work related to the quality system.
A CAPA Board should be a cross-functional team of managers that help each other maintain an effective CAPA process. This means: 1) corrections are completed on time, 2) corrective and preventive actions are completed on time, and 3) each CAPA is effective. In order to do this consistently, the CAPA Board needs to work together as a team on the CAPA process. The CAPA Board doesn’t look for someone to blame. Instead, the CAPA Board rotates their responsibilities regularly, everyone is cross-trained on the roles within the CAPA Board, and the team passes tasks from one person or department that is overloaded to another person or department that has the resources to complete the tasks effectively and on time. A professional team must anticipate holes in task coverage, and someone on the team needs to communicate to the rest of the team which hole they are addressing. You can’t wait until the coverage gap is obvious and then have everyone jump into action. If you do this, your effectiveness will resemble a soccer team of 9-year-olds.
Is your CAPA procedure the root cause?
In most companies, the problem is not the CAPA procedure. Clauses 8.5.2 and 8.5.3 of ISO 13485 are quite specific about each step of the CAPA process, and therefore it is easy to write a procedure that includes all of the required elements. The CAPA procedure is also one of the first procedures that auditors and inspectors review, and therefore any deficiencies in your procedure are usually addressed after one or two audits. If you feel that your CAPA procedure needs improvement, the above link explains how to write a better CAPA procedure. You might also consider asking everyone that is responsible for the CAPA process to provide suggestions on how to improve your procedure to streamline the process and clarify the instructions. The best approach is to have a small group (i.e. 3 to 5 people) of middle-level managers, from different departments, assigned to a CAPA Board with the responsibility of improving the CAPA process and procedure. If you have a large company, you might consider rotating people through the CAPA Board each quarter instead of having a larger group.
Does your CAPA Board have sufficient training?
Everyone can benefit from more training–even instructors will periodically engage in refresher training. Before someone is assigned to work on a CAPA, that person needs to be trained. Nobody should be assigned to a CAPA Board unless they are prepared to become an expert in the CAPA process. Some companies will only require people to sign a training record that states they read and understood the CAPA procedure. However, you must also demonstrate that your training was effective and the person is competent at the task assigned. Therefore, we recommend training people on CAPAs by training them with a CAPA training webinar and evaluating the effectiveness of the training by having each person complete a quiz. The use of a training webinar will ensure that each employee receives the same training, and the quiz will provide objective evidence that they understood the training (i.e. it was effective). If you have a CAPA Board, each person on the board should be involved in your CAPA training, and it is their responsibility to make sure people in their department have been trained effectively.
Competency is the hardest thing to demonstrate for any task. You can do this by verifying that the person has performed this task in one or more prior jobs (e.g. resume). If the person does not have evidence of working on CAPAs in their previous employment, then you will need someone that is already competent in the CAPA process to observe each person completing CAPAs and providing feedback. Once each person has demonstrated successful completion of multiple CAPAs, then the expert can attest to their competency in a training record with references to each of the successful CAPAs that were completed. If you are the person assigning a CAPA or individual tasks to people, do not assign the role of investigation, or writing the CAPA, to anyone that has not already demonstrated competency unless you are assessing them for competency. Everyone on the CAPA Board should either already be competent in the CAPA process or another expert on the CAPA Board should be in the process of training them to become a CAPA expert.
CAPA Boards are responsible for management oversight of the CAPA process
The most common method for management oversight of the CAPA process is to discuss the status of CAPAs at a Management Review. This information can be presented by the Management Representative, but assigning the presentation of CAPA status to another person on your CAPA Board will delegate some of the Management Review tasks and give other people practice at presenting to a group. Some companies only conduct a Management Review once per year, but this makes it impossible to review CAPAs that were initiated immediately after a Management Review unless the CAPA takes more than a year to implement. Even if your company conducts quarterly Management Reviews, the review of CAPA status during a Management Review should focus on the most important issues rather than discuss every CAPA in detail. The impact on safety, the impact on product performance, and the economic impact of a specific CAPA are all criteria for deciding which CAPAs to discuss during a Management Review.
The CAPA Board needs a metric or metrics for monitoring the effectiveness of the CAPA process. The simplest metric is to monitor the average aging of CAPAs. If that average is steadily rising week after week, then new CAPAs are not being initiated, and existing CAPAs are not being closed. You can also measure the time to write a CAPA plan and the time to perform an investigation or monitor the on-time completion of tasks. The most important thing is for someone to take action when these metrics are not aligned with your quality objectives for the CAPA process. Taking action after 90 days of neglect is not good enough. You need to be monitoring the CAPA process weekly, and you need to take action proactively. Therefore, your CAPA Board needs to meet weekly and you need to show evidence in your CAPA records of what actions were taken by the CAPA Board.
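The aging and on-time metrics described above, worked through on constructed CAPA records as an added Python example (this is not Medical Device Academy's code or part of any procedure). The sample CAPAs and dates are made up for illustration, and the "steadily rising week after week" test is implemented with a simple run-chart rule (a configurable number of consecutive week-over-week increases), which is an assumption about how a CAPA Board might operationalize that phrase; it also generalizes to any weekly metric recorded on a run chart.

```python
"""CAPA process metrics: average aging of open CAPAs per weekly snapshot,
a run-chart rule for a steadily rising average, on-time completion rate,
and a list of open CAPAs that are already past their due date.
All records below are constructed sample data, not real CAPAs."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Capa:
    capa_id: str
    opened: date
    due: date
    closed: Optional[date] = None  # None while the CAPA is still open


# Constructed sample records (assumed for illustration only).
SAMPLE_CAPAS: List[Capa] = [
    Capa("CAPA-001", date(2023, 12, 1), date(2024, 1, 31), closed=date(2024, 1, 22)),
    Capa("CAPA-002", date(2023, 12, 15), date(2024, 2, 15), closed=date(2024, 2, 20)),
    Capa("CAPA-003", date(2024, 1, 3), date(2024, 3, 1)),
    Capa("CAPA-004", date(2024, 1, 10), date(2024, 4, 10)),
    Capa("CAPA-005", date(2024, 1, 20), date(2024, 3, 20)),
]


def open_capas(capas: List[Capa], as_of: date) -> List[Capa]:
    """CAPAs that were open on the snapshot date: already opened, not yet closed."""
    return [c for c in capas if c.opened <= as_of and (c.closed is None or c.closed > as_of)]


def average_age_days(capas: List[Capa], as_of: date) -> float:
    """Average age in days of the CAPAs open as of the snapshot; 0.0 if none are open."""
    ages = [(as_of - c.opened).days for c in open_capas(capas, as_of)]
    return sum(ages) / len(ages) if ages else 0.0


def weekly_aging_series(capas: List[Capa], start: date, weeks: int) -> List[float]:
    """One average-aging value per weekly snapshot, starting at `start`."""
    return [average_age_days(capas, start + timedelta(weeks=i)) for i in range(weeks)]


def rising_run(series: List[float], consecutive: int = 4) -> bool:
    """Run-chart rule: True when the last `consecutive` week-over-week changes all rose.

    A steadily rising average means nothing new is being opened and nothing old
    is being closed, which is the signal the CAPA Board should act on.
    """
    if len(series) < consecutive + 1:
        return False
    tail = series[-(consecutive + 1):]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


def on_time_completion_rate(capas: List[Capa], as_of: date) -> float:
    """Fraction of CAPAs closed by the snapshot that were closed on or before their due date."""
    done = [c for c in capas if c.closed is not None and c.closed <= as_of]
    if not done:
        return 1.0
    return sum(1 for c in done if c.closed <= c.due) / len(done)


def overdue_open(capas: List[Capa], as_of: date) -> List[str]:
    """IDs of CAPAs still open whose due date has already passed."""
    return [c.capa_id for c in open_capas(capas, as_of) if c.due < as_of]


if __name__ == "__main__":
    start = date(2024, 1, 8)
    series = weekly_aging_series(SAMPLE_CAPAS, start, 9)
    for i, value in enumerate(series):
        print(f"{start + timedelta(weeks=i)}  avg open-CAPA age = {value:5.1f} days")
    print("steadily rising:", rising_run(series))
    snapshot = date(2024, 3, 4)
    print("on-time completion rate:", on_time_completion_rate(SAMPLE_CAPAS, snapshot))
    print("open and overdue:", overdue_open(SAMPLE_CAPAS, snapshot))
```

The series dips in the week CAPA-001 closes and then climbs by seven days every week once nothing else is opened or closed, which is exactly the pattern the paragraph warns about; the run rule turns that visual pattern into something a weekly CAPA Board meeting can record as an objective trigger for action.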
Who should be assigned to the CAPA Board?
Top management does not need to be directly involved in the CAPA Board. Top management already reviews the status of CAPAs during Management Reviews. In a small company (i.e. < 20 people) you might have no choice but to have the same people that are assigned to your CAPA Board also be members of top management. As your company gets larger, you should assign middle-level managers and people that are new to management as members of the CAPA Board. Participating in the CAPA Board will teach those managers to work together as a team to achieve shared company goals and to persuade their peers to help them. The experience of working on a CAPA Board will also expose less experienced managers to other departments outside of their expertise. Ideally, participation in the CAPA Board will build friendships between peers that might not speak to one another. Each CAPA represents a team-building opportunity. The team needs to find a way to pool its resources to complete CAPAs on time and effectively. It is also important to rotate the assignment to the CAPA Board so that eventually all of your middle-level managers are trained in the CAPA process and each of them has been evaluated on their demonstration of team leadership and effectiveness in working with peers cooperatively. In large companies, it is common to assign one member of top management to the CAPA Board to show that top management is supportive of the CAPA process and to provide authorization for additional resources and funding for actions when needed. The top management representative should also be rotated to make sure that all of the top management remains competent in the CAPA process.
How does the CAPA Board manage the CAPA process?
The CAPA Board should never be blaming an individual or department for the lack of CAPA success. The CAPA Board should be anticipating when a CAPA is falling behind schedule or might not be as effective as it should be. Nobody on the team should be afraid to voice their opinion or to make a suggestion. Each member of the team has the responsibility of asking for help when they need it and asking for help as early as possible. The CAPA assignments should be shared between the team members, and one person should be responsible for chairing the meetings. If everyone is experienced in participating in CAPA Boards, then the role of the chairperson can be rotated each week. If one or more team members are inexperienced, the person on the CAPA Board assigned to training them should be teaching them how to participate in the meetings and prepare them for acting as chairperson.
Every CAPA Board meeting should have a planned agenda and meeting minutes. Every open CAPA should be discussed during the meeting, but the amount of time devoted to each CAPA should be adjusted for the risk of the CAPA failing to be completed on time or failing to be effective. If a CAPA is going smoothly, the discussion might only last seconds. Any discussion or actions planned that are specific to a CAPA should be documented in the individual CAPA record as well as the meeting minutes. This will ensure that the CAPA records are maintained as required by the ISO 13485 standard and the regulations.
Formative usability testing is not a regulatory requirement, but it is necessary if you want to successfully develop medical devices.
What is the difference between formative and summative usability testing?
“Formative” tests are any usability tests that you perform during the development process, while “summative” testing is the final usability testing you perform to validate that your chosen user interface is effective. Many design teams perform formative testing of one kind or another without even realizing that is what they are doing. Unfortunately, design teams often forget to document the testing they performed during prototyping and product development. Formative usability testing probably always existed as part of product development, but not everyone recognizes the term and identifies the work they have done as “formative.” The most important reason for documenting formative usability testing is to identify which user interface designs failed and why so that future design teams can learn from your failures.
Why don’t more companies do usability testing?
Everyone likes to believe they can skip steps in the learning process, but some lessons can only be learned the hard way. When a medical device design team is developing a user interface for a new product, they need to learn which designs will fail and why before they can fully understand how to design the best user interface for the device. Therefore, most design and development teams will select a user interface that they are familiar with or they see used by a competitor product. The team will not always test the proposed design solution, because they have no reason to believe that the chosen interface will fail. Unfortunately, this can lead to failure later in the design process. Then the team will need to backtrack and repeat the evaluation of various interface designs.
What is the best approach?
“Fail small and fail fast” is the best advice for anyone performing formative usability testing. Instead of writing a lengthy protocol and recruiting 10 subjects to evaluate your proposed user interface, you might consider building a couple of different prototypes and asking two or three people which prototype they prefer and why. Another simple prompt is, “Tell me what you think of this design.” Iterative formative testing over time with different users is better than one single testing session with a lot of users. It is also better to start collecting formative usability testing data as early in the development process as possible. Gathering data earlier in the process will ensure that users direct the development of your device instead of the design team developing a new device in a direction that is not preferred by users.
When during the design process should formative testing be planned?
Formative testing should be planned during the development phase of the design process. During this phase, medical device manufacturers evaluate multiple design solutions as risk controls for their devices. Use-related risks should be included in this, and the formative usability testing is intended to identify which user interface will do the best job of eliminating the use errors. It is important to evaluate these potential user interfaces and to verify that there are no use errors that the design team overlooked during this phase of the design. This is also the phase of design when the instructions for use are developed and user training is developed. All of this formative usability testing should be completed prior to your design freeze and the start of the verification and validation testing.
What are the different types of formative testing?
Formative usability testing can be used as a pilot for your summative usability testing protocol prior to scheduling the final testing. However, there are many other types of formative testing. The most common reason for doing this testing is to identify any potential use errors that were not originally identified in your use-related risk analysis (URRA). Another type of testing is to simulate use of the device to make sure that every user task is identified in the instructions for use. Finally, design teams will conduct formative usability testing to develop training materials for training new users on how to properly use your medical device.
Which types of formative tests are the most useful?
Use-related risks are difficult to identify unless you conduct simulated use testing with your device. Therefore, you need to get your device in the hands of your intended users, in the intended use environment, and ask them to simulate the use of the device. It is not critical to evaluate a specific number of users. Two or three users might be enough, but simulated use by intended users in the intended use environment is essential to give you the information you need regarding potential use errors. It is also important to avoid “leading” the users. Instead of asking users to perform a specific task, ask users to show you how they would use the device. Ask them what they like about the device, and ask them what they don’t like about the device. Ask users what they think about the device, and ask them how it compares to other devices they are already using.
Who should you recruit for your formative usability testing?
You should start your human factors process by defining the intended user of your device and by defining whether there is more than one user group. You then should recruit subjects that are within this user group (or groups). You can use employees or friends to help you with initial feedback about the usability of your device’s user interface. However, what seems intuitive to one person may be the opposite for other people with different experiences. Even the sequence of steps in which users perform the same tasks can impact usability. Therefore, be very cautious about relying upon data collected only from subjects that are outside your intended user group. Most companies disregard this advice because they are unsure of how to recruit their intended users. However, if your company has difficulty identifying intended users for testing, you will also have difficulty marketing and selling your device later. This struggle may be an indicator that you need to involve marketing and salespeople that can get your prototypes in the hands of the intended users.
How should you document formative studies?
When you are performing summative usability testing you already know exactly what your use-related risks are and you have a list of critical tasks that you are trying to verify users can perform without use errors. Because these tasks are clearly defined, it is easier to write a protocol and it is easier to design data collection forms for study moderators to use. In contrast, when you are conducting formative usability testing you are trying to identify use errors that you are not already aware of. Therefore, it is much harder to write a detailed protocol and design a data collection form. For this reason, it is critical to capture the data with video recordings. This is a safety measure you are taking to ensure that you will not miss valuable use errors or use tasks that you had not already identified. The use of video to record data allows the moderator to focus on observation and interviewing users with open-ended questions. This will generate the most value for your design team during the development process.
Where is testing performed?
While the design team is developing the list of design inputs for your new device, the team must create a definition for the intended users and the intended use environment. The formative usability testing and summative testing should be conducted in the intended use environment or you will need to simulate that use environment. If you are struggling to figure out how to simulate the intended use environment, you should systematically identify the characteristics of the intended use environment. These characteristics include temperature, humidity, ambient noise, other equipment that is present, the number of people present, and the dimensions of the space. If you have a room available with temperature and humidity control, you can add ambient noise by recording the intended use environment. You can rent equipment, or you can place objects of the same size in the space. You can also identify the workspace restrictions by taping the floor to establish boundaries for the simulation. By adding these characteristics to a simulated environment, you open the possibilities for additional places that can be used for formative usability testing.
What will happen if you skip formative testing?
If you skip formative usability testing, you will increase the possibility of failing your summative usability testing. If this happens, then your summative testing becomes your formative usability testing. After you fail, you will need to revise your testing protocol and repeat the study. Another possibility is that you will fail to identify a potential use error. If the FDA identifies this use error you will need to repeat your testing. If the use error is never identified, then you may end up with complaints or medical device reporting of use errors. In extreme cases, this could result in serious injuries or death.
Process monitoring is required, but do you know whether monitoring every procedure is required by the FDA QSR or ISO 13485?
One of the elements that Medical Device Academy has incorporated into each procedure we created in our turnkey quality system is a section titled, “monitoring and measurement.” The purpose of this section is to force each process owner to identify a process metric for monitoring every procedure. In some cases, we suggest a metric that would be appropriate for most companies establishing a new quality system. In other procedures, we use the following default text:
Where are the requirements for process monitoring in 21 CFR 820?
Some of the companies that have purchased our turnkey quality system have asked, “Is it required to monitor and measure something in every procedure?” In general, it is not a specific requirement to have a metric specified in each procedure. In fact, if your quality system is not ISO 13485 certified, there are actually only a few places where the US FDA requires monitoring. The FDA does not have a section specific to monitoring and measurement of processes, but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used:
21 CFR 820.100(a)(1) – “Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;”
21 CFR 820.200(b) – “Each manufacturer shall analyze service reports with appropriate statistical methodology in accordance with § 820.100.”
21 CFR 820.250 – “(a) Where appropriate, each manufacturer shall establish and maintain procedures for identifying valid statistical techniques required for establishing, controlling, and verifying the acceptability of process capability and product characteristics. (b) Sampling plans, when used, shall be written and based on a valid statistical rationale. Each manufacturer shall establish and maintain procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed. These activities shall be documented.” Note: the other two instances are the title of 21 CFR 820.250.
The word “monitoring” is equally rare (i.e. 4x) in the QSR:
21 CFR 820.70(a) – “Each manufacturer shall develop, conduct, control, and monitor production processes to ensure that a device conforms to its specifications…Where process controls are needed…(2) Monitoring and control of process parameters and component and device characteristics during production.”
21 CFR 820.75(b) – “Each manufacturer shall establish and maintain procedures for monitoring and control of process parameters for validated processes to ensure that the specified requirements continue to be met…(2) For validated processes, the monitoring and control methods and data, the date performed, and, where appropriate, the individual(s) performing the process or the major equipment used shall be documented.”
Where are the requirements for process monitoring in ISO 13485:2016?
ISO 13485:2016 has a section specific to monitoring and measurement of processes (i.e. Clause 8.2.5). In addition, the word “monitoring” occurs 52 times in the standard, and there are 60 occurrences of either the exact word or some variant of it. Four clause headings actually include the word monitoring:
Clause 7.6, Control of monitoring and measuring equipment
Clause 8.2, Monitoring and measurement
Clause 8.2.5, Monitoring and measurement of processes
Clause 8.2.6, Monitoring and measurement of product
In Clause 1, Scope, and Clause 4.1.5, the Standard states that any outsourced processes remain the responsibility of the company and must be accounted for in the quality system by monitoring, maintaining, and controlling the processes.
Monitoring of risk is included in the definition of “risk management” in the Standard (i.e. Clause 3.18).
Clause 4.1.3 states that the organization shall, “b) ensure the availability of resources and information necessary to support the operation and monitoring of these processes…d) monitor, measure as appropriate, and analyze these processes.”
Clause 4.2.3 states that the contents of the Medical Device File (i.e. MDR or TF), shall include, “d) procedures for measuring and monitoring.”
Monitoring and measurement of processes and product are required inputs to the Management Review in Clauses 5.6.2e) and f).
Clause 6.4.1 requires a procedure for monitoring the work environment if it can have an effect on product quality.
Clause 7.1 requires the company to consider including monitoring in product realization planning.
Clause 7.4.1 requires a plan for monitoring suppliers.
Clause 7.5.1 requires monitoring production and service, including the monitoring of process parameters and product characteristics.
Clause 7.5.6 requires monitoring of validated process parameters.
Clause 7.5.8 requires identification of status with regard to product monitoring and measurement (i.e. inspection status).
Clause 7.6 requires monitoring and measurement of calibrated devices and validation of any computer software used to monitor calibrated devices.
Clause 8.1 states that companies shall plan and implement monitoring and measurement of processes.
Clause 8.2 is titled, “Monitoring and measurement.”
Clause 8.2.1 requires monitoring of customer feedback.
Clause 8.2.5 requires monitoring of processes to ensure planned results are achieved.
Clause 8.2.6 requires monitoring of products to ensure product requirements have been met.
Clause 8.4 requires data analysis of monitoring data from at least six different processes:
Conformity to product requirements
Characteristics and trends of processes and products, including opportunities for improvement
Service reports, as appropriate
In summary, while not every single clause that requires a procedure includes a requirement for monitoring, there are a number of processes where the requirement to monitor the process is explicitly stated.
Why do all of our procedures include the requirement for metrics?
Medical Device Academy expanded the requirement for monitoring to all procedures for five reasons:
Quality objectives must be “established at relevant functions and levels within the organization.” Therefore, establishing monitoring requirements for each procedure ensures that top management has metrics for every process and a lack of data is never an excuse for not establishing a new quality objective when improvement is needed.
If every procedure has a requirement for monitoring, then employees don’t have to remember which processes require monitoring and which processes do not explicitly require monitoring.
The process approach to auditing includes metrics of the process as one of the seven items that are included in every process turtle diagram, and therefore, including metrics for each procedure facilitates the process approach to auditing.
If a company does not have a process metric already established, it is often difficult to perform an investigation of the root cause of quality issues. If a metric is already being monitored for the process, this facilitates the investigation of the root cause and you can use the baseline monitoring data to help you establish effectiveness criteria for the corrective action.
Finally, most companies struggle to identify preventive actions as required by Clause 8.5.3, and we have found that data analysis of monitoring data is the best source of identifying new preventive actions.
What are the disadvantages when you monitor and measure something in every procedure?
The primary reason for resistance to identifying a metric for monitoring in every procedure is that it will increase the workload for the employees responsible for that process. However, monitoring of data does not always increase workload. In fact, when process data is recorded in real time on a run chart, it is often possible to identify a trend much earlier than when data is simply recorded and reviewed later.
Example #1: The automatic tracking of toner in a printer tells HP when to ship you a new toner cartridge before you need it. This ensures that there is no loss in productivity because you never run out of ink or the ability to print documents.
Example #2: Companies will use project management software (e.g. Asana) to monitor labor utilization. This will help identify when a specific resource is nearing capacity. When this occurs, the project manager can add time buffers to prerequisite steps and adjust the starting date of the resource-limited tasks to an earlier starting date. This ensures that more time is available to finish the task or to take advantage of resource availability at an earlier date.
Example #3: Monitoring the revision date for procedures helps the document control process owner identify procedures that should be evaluated for the need to be revised and updated. Often this is articulated as a quality objective of reviewing and updating all procedures within 2 years. This also ensures that procedures remain current and compliant with regulatory requirements.
What are the advantages of monitoring every procedure?
The phrase “what gets measured gets managed” is a popular business philosophy that implies measuring employee activity increases the likelihood that employees will complete a task or perform it well. In contrast, if a process is not monitored, employees may assume that it is not important and the tasks may be skipped or completely forgotten. Setting quantitative goals is also sometimes integrated with economic incentives or bonuses that are granted to individuals and teams.
FDA transition from QSR to ISO 13485
The US FDA is planning its transition from 21 CFR 820 to ISO 13485 as the quality system criteria. This will force companies to make adjustments to their quality systems and increase the amount of process monitoring performed. My general advice is to work with employees that are performing tasks to identify streamlined methods for monitoring those tasks without being overly burdensome. Then you and the employees you manage can analyze the data together and identify opportunities for improvement. When you do this, experiment with manual methods using whiteboards and paper charts that are visible in public areas first. Only implement automated solutions after you have optimized the data being collected and the frequency of data collection, and remember that not every process will benefit from automated statistical process control. Sometimes the simple approach is best.
Learn how to become ISO 13485 certified while avoiding the stress that tortures other quality system managers.
What is ISO 13485?
ISO 13485 is an international standard for quality management systems that is specific to the medical device industry. ISO 13485:2016 is the most recent version of the standard, and it has become the blueprint for medical device company quality systems globally. If your company wants to design, manufacture, or distribute medical devices you should consider becoming ISO 13485 certified.
Yes, you need to maintain a copy of the ISO 13485 standard as a “document of external origin.” This is needed for reference when you are making updates to procedures in your quality system. If you are looking for the best place to purchase a copy of the ISO 13485:2016 standard, we recommend the Estonian Centre for Standardisation and Accreditation. If you purchase a copy, we recommend selecting the option for a multi-user license so the standard can be used by more than one person in your company and printed. The only difference between the EN ISO version and the International ISO version is that the EN ISO version includes harmonization Annex ZA for compliance with the EU MDR and Annex ZB for compliance with the EU IVDR. This version is also referred to as A11:2021. Here’s a copy of the text from the beginning of the Standard:
“This Estonian standard EVS-EN ISO 13485:2016/A11:2021 consists of the English text of the European standard EN ISO 13485:2016/A11:2021. This standard has been endorsed with a notification published in the official bulletin of the Estonian Centre for Standardisation and Accreditation. Date of Availability of the European standard is 08.09.2021. The standard is available from the Estonian Centre for Standardisation and Accreditation.”
Medical Device Academy’s experience with ISO 13485 training
Rob Packard created his first quality system in the Spring of 2004. In October of 2009, after successfully managing quality systems for three different medical device manufacturers, Rob joined BSI as a Lead Auditor and instructor. In April of 2010, he purchased the 13485cert.com URL and he began to help companies implement quality systems as a consultant (while continuing to audit and train 140 days per year for BSI). In 2011 his medical device blog postings began as a way to help medical device companies. In 2012, Rob began building a library of quality system procedures for a turn-key quality system and selling the procedures from the Medical Device Academy website. Dozens and dozens of consulting clients have successfully achieved ISO 13485 certification with Medical Device Academy’s turnkey quality system procedures, and hundreds of quality systems were audited and/or improved. This ISO 13485 training webinar is also included as part of our turnkey quality system.
Fast-forward to 2022
Medical Device Academy is currently helping multiple device manufacturers implement their first quality system for compliance–including SaMD, electromedical devices, implants, and IVD devices. We have turnkey quality systems for the US FDA, European MDR, and MDSAP, and we are finishing our most recent turnkey system for compliance with the European IVDR. We have four qualified lead auditors as employees and three subcontractors that are ISO 13485 lead auditors. Our current turnkey quality system clients are located in countries all over the world, including Finland, Japan, Australia, France, and Canada.
Previous versions of the ISO 13485 webinars
This 2-part webinar has been previously recorded three different times. Our previous webinar on the 2003 version of ISO 13485 was split into two parts: Stage 1 and Stage 2. That first webinar was recorded in 2015. The webinars were updated in 2016 and again in 2018. We followed the same format, 2-part Stage 1 and Stage 2, for all of the subsequent ISO 13485 training webinars. The Stage 1 webinar focuses on the following processes:
Quality System Documentation
The Stage 2 webinar covers the rest of the standard, including but not limited to:
Customer Related Processes
The most recent version of ISO 13485 webinars
The webinars explaining the requirements for ISO 13485 were last updated for 2020. Anyone that purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get:
access to the Stage 1 webinar recorded July 24, 2020
access to the Stage 2 webinar recorded July 28, 2020
native slide decks for both webinars
This pair of ISO 13485 training webinars explains precisely what you need to do to implement a quality system compliant with ISO 13485. After you create your own plan (a free template is provided with a subscription), you can show the recordings of these two webinars to your management team so they can implement your plan over the next several months. All content deliveries will be sent via Aweber emails to confirmed subscribers.
Webinar duration & format
Webinars were hosted live via Zoom in 2020. The Stage 1 webinar was 64 minutes, and the duration of the Stage 2 webinar was 82 minutes. When you purchase this webinar bundle, you will receive a link to download both recorded webinars from our Dropbox folder. In addition, you will receive links to download the native slide deck for each webinar from Dropbox.
Purchase the ISO 13485 training bundle
ISO 13485:2016 Training Webinars – Stage 1 & Stage 2
Exam and Training Certificate available
Exam – ISO 13485:2016 update
This is a 20 question quiz with multiple choice and fill in the blank questions. The completed quiz is to be submitted by email to Rob Packard as an MS Word document. Rob will provide a corrected exam with explanations for incorrect answers and a training effectiveness certificate for grades of 70% or higher.
There is a big difference between being ISO 13485 certified and being compliant with ISO 13485:2016, the medical devices quality management systems standard. Anyone can claim compliance with the standard. Certification, however, requires that an accredited certification body has followed the requirements of ISO 17021:2015, and they have verified that your quality system is compliant with the standard. To maintain that certification, you must maintain your quality system’s effectiveness and endure both annual surveillance audits and a re-certification audit once every three years.
Step 1 – Planning for ISO 13485 certification
There are six steps in the ISO 13485 certification process, but that does not mean there are only six tasks. The first step in every quality system is planning. Most people refer to the Deming Cycle or Plan-Do-Check-Act (PDCA) Cycle when they describe how to implement a quality system. However, when you are implementing a full quality system, you need to break the “doing” part of the PDCA cycle into many small tasks rather than one big task. You also can’t implement a quality system alone. Quality systems are not the responsibility of the quality manager alone. Implementing a quality system is the responsibility of everyone in top management.
Below you will find nine tasks listed. I did NOT identify these nine tasks as “Steps” in the ISO 13485 certification process, because these tasks are typically repeated for each process in your quality system. Most quality systems are implemented over time, and the scope of the quality system usually grows. Therefore, you are almost certain to perform all of the following nine tasks multiple times–even after you receive the initial ISO 13485 certification. As the saying goes, “How do you eat an elephant? One bite at a time.” Therefore, avoid the inevitable heartburn caused by trying to do too much at one time. Implement your quality system one “bite” at a time.
Task 1 – Purchase applicable standards
The first task in implementing an ISO 13485 quality system is to purchase a copy of the ISO 13485:2016 standard, such as the MDSAP Companion Document. You will also need other applicable medical device standards. Some of these standards are general standards that apply to most, if not all, medical devices, such as ISO 14971:2019 for risk management. There are also guidance documents that explain how to use these general standards, such as ISO/TR 24971:2020, which provides guidance on how to apply ISO 14971:2019. Finally, there are testing standards that identify test methods and acceptance criteria for things such as biocompatibility and electrical safety. You will need to monitor these standards for new and revised versions. When a standard is updated, you will need to identify the revised standard and develop a plan for addressing the changes.
When you purchase a standard, be sure to buy an electronic version of the standard so you can search the standard for keywords efficiently. You should also consider purchasing a multi-user license for the standard because every manager in your company will need to look up information in the standard. Alternatively, you could buy a paper copy of the standard and locate the standard where everyone in your company can access it. Often I am asked what the difference is between the EN version of the standard and the ISO version of the standard. “EN” is an abbreviation meaning European Standards or “European Norms,” which is based upon the literal translation from the French (i.e., “normes”) and German (i.e. “norm”) languages. “ISO” versions are international standards. In general, the body of the standard is typically identical but harmonized EN standards for medical devices include annexes ZA, ZB, and ZC that identify any deviations from the requirements in three medical device directives (i.e., MDD, AIMD, and IVDD).
Task 2 – Identify which processes are applicable
Clause 1 of ISO 13485 is specific to the scope of a quality system. ISO 9001, the general quality system standard, allows you to “exclude” any clause from your quality system certification. However, ISO 13485 only allows you to exclude design controls (i.e., clause 7.3). Other clauses within ISO 13485 may be identified as “non-applicable” based upon the nature of your medical device or service. You must also document the reason for non-applicability in your quality manual. The following clauses are commonly identified as non-applicable:
Clause 4.1.6 – quality system software
Clause 6.4 – work environment
Clause 7.5.2 – cleanliness of the product
Clause 7.5.3 – installation
Clause 7.5.4 – servicing
Clause 7.5.5 – sterile devices
Clause 7.5.6 – process validation
Clause 7.5.7 – sterilization validation
Clause 7.5.9.2 – implantable devices
Clause 7.5.10 – customer property
Clause 8.3.4 – rework
Task 3 – Assign a process owner to each process
The third task is to assign a process owner to each of the processes in your quality system. Typically, you create a master list of each of the required processes. Usually, the assignments are made to managers in the company who may delegate some or all of a specific process. You should expect most managers to be responsible for more than one process because there are 28 required procedures in ISO 13485:2016, but most companies have fewer than ten people when they first implement a quality system.
Task 4 – Prioritize and schedule the implementation of each process
The fourth task is to identify which processes need to be created first and to schedule the implementation of procedures from first to last. You can and should build flexibility into the schedule, but some procedures are needed at the beginning. For example, you need document control, record control, and training processes to manage all of your other procedures. You also need to implement the following processes to document your Design History File (DHF): 1) design controls, 2) risk management, 3) software development (if applicable), and 4) usability. Therefore, these represent the seven procedures that most companies will implement as early as possible. Procedures such as complaint handling, medical device reporting, and advisory notice procedures are usually reserved for last. These procedures are last because they are not needed until you have a medical device in use.
Task 5 – Create forms, flowcharts, and procedures for each process
Forms create the structure for records in your quality system, and a well-designed form can reduce the need for lengthy explanations in a procedure or work instruction. Therefore, you should consider developing forms first. The form should include all required information that is specified in the applicable standard or regulations, and the cells for that information should be presented in the order that the requirements are listed in the standard. You might even consider numbering the cells of the form to provide an easy cross-reference to the corresponding section of the procedure. Once you create a form, you might consider creating a flowchart next. Flowcharts provide a visual representation of the process. You might consider including numbers in the flow chart that cross-reference to the form as well.
Once you have created a form and a flowchart, you are now ready to write your quality system procedure. Many sections are typically included in a procedure template. It is recommended that you use a template to ensure that none of the basic elements of a procedure are omitted. You might also consider adding two sections that are uncommon to a procedure: 1) risk analysis of the procedure with the identification of risk controls to prevent risks associated with the procedure, and 2) a section for monitoring and measurement of the process to objectively measure the effectiveness of the process. These metrics are the best sources of preventive actions, and some of the metrics might be potential quality objectives to be identified by top management.
Task 6 – Perform a gap analysis of each procedure
Most companies rely upon internal audits to catch missing elements in their procedures. However, audits are intended to be a sampling rather than a 100% comprehensive assessment. Therefore, when a draft procedure is being reviewed and approved for the first time, or a major re-write of a procedure is conducted, a thorough gap analysis should be done before the approval of the draft procedure. Matthew Walker created an article explaining how to conduct a gap analysis of procedures. In addition, Matthew has been gradually adding cross-references to ISO 13485:2016 requirements in each procedure. He is color-coding the cross-referenced clauses in blue font as well. This makes it much easier for auditors to verify that a procedure is compliant with the regulations with minimal effort. The success of these two methods has taught us the importance of conducting a gap analysis of all new procedures.
Task 7 – Train applicable personnel for each process
You are required to document the training requirements for each person or each job in your company. Documentation of training requirements may be in a job description or within a procedure. In addition to defining who should be trained, you also need to identify what type of training should be provided. We recommend recording your training to ensure that future employees receive the same training. This will ensure consistency. You are also required to maintain records of the training. You must verify that the training was effective, and you need to check whether the person is competent in performing the tasks. This training may require days or weeks to complete. Therefore, you may want to start training people several weeks before your procedure is approved. Alternatively, you can swap the order of tasks and conduct training after the procedure approval. If that approach is taken, then the procedure should indicate the date the procedure becomes effective–typically 30 days after approval to allow time for training.
Task 8 – Approve the procedure
Approval of a procedure may be accomplished by signing and dating the procedure itself, while another approach is to create a document that lists all the procedures and forms being approved at one time. The second method is the method we use in our turn-key quality system. Companies can review and approve as many procedures at one time as they wish. Since this process needs to be defined to ensure that all of the procedures you implement are approved, the document control process is typically the first procedure that companies will approve in a new quality system. The second procedure generally is for the control of records. Then the next procedures implemented will typically be focused on the documentation of design controls: design controls, risk management, usability testing, and software development. The last procedures to be approved are typically complaint handling, medical device reporting, and recalls. These procedures are left for last because you don’t need them until you are selling your medical device.
Task 9 – Start using the procedure and generating records
The last task required for the implementation of a new quality system is to start using the procedures to generate records. All of the procedures will need records before the process can be verified to be effective. Records can be paper-based, or the records can be electronic. Whichever format you use for the record retention needs to be communicated to everyone in the company through your Control of Records procedure and/or within each procedure. If you include the information in each procedure, the records of each procedure should be listed in the procedure, and the location where those records are stored should be identified. Generally, there is no specific minimum number of records to have for a certification audit, but you should have at least a few records for each process that you implement.
Step 2 – Conducting your first internal audit
The purpose of the internal audit is to verify the effectiveness of the quality system and to identify nonconformities before the certification body auditor finds them. To successfully achieve this secondary objective, it is essential to have a more rigorous internal audit than you expect for the certification audit. Therefore, the internal audit should be of equal or longer duration than the certification audit. The internal audit should not consist of a desktop review of procedures. Reviewing procedures should be part of the gap analysis (i.e., task 6 above) that is conducted on draft procedures before they are approved. Internal audits should utilize the process approach to auditing, and the auditor should apply a risk-based approach (i.e., focus on those processes that are most likely to contribute to nonconforming products, result in a complaint, or cause serious injury or death).
After your internal audit, you will receive an internal audit report from the auditor. You should also expect findings from the internal auditor, and you should expect opportunities for improvement (OFI) to be identified. Experienced auditors can typically identify the root cause of a nonconformity more quickly than most process owners. Therefore, it is recommended for each process owner and subject matter expert to review nonconformities with the auditor and discuss how the nonconformity should be investigated. The root cause must be correctly identified during the CAPA process, and the effectiveness check must be objective to ensure that problems do not recur.
Step 3 – Initiating corrective actions
Corrective actions should be initiated for each internal audit finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 1 audit. It will take a minimum of 30 days to implement most corrective actions. Depending upon the scheduling of the internal audit, there may not be sufficient time to complete the corrective actions. However, you should at least initiate a CAPA for each finding, perform an investigation of the root cause, and begin to implement corrective actions.
In addition to taking corrective actions related to internal audit findings, you should look for corrective actions from other sources. The diagram below shows several different sources of potential corrective and preventive actions.
Monitoring and measuring each process is the best source of preventive actions, while internal audits are typically the best source of corrective actions. Any quality problems identified during validation are also excellent sources of corrective actions because the validation can be repeated as a method of demonstrating that the corrective actions are effective. However, your ISO 13485 certification auditor will focus on non-conforming products, complaints, and services as the most critical sources of corrective actions. These three sources are prioritized because these three sources have the greatest potential for resulting in a serious injury, death, or recall if corrective actions are not implemented to prevent problems from recurring.
Step 4 – Conducting your first management review
In addition to completing a full quality system audit before your stage 1 audit, you are also expected to complete at least one management review. To make sure that you have inputs for each of the 12 requirements in the ISO 13485:2016 standard, it is recommended to conduct your management review only after you have completed your full quality system audit and initiated some corrective actions. If possible, you should also conduct supplier audits for any contract manufacturers or contract sterilizers. It is recommended to use a template for that management review that is organized in the order of the required inputs to ensure that none of the necessary inputs are skipped. Quality objectives will need to be established long before the management review so that the top management team has sufficient time to gather data regarding each of the quality objectives. Also, you should consider delegating the responsibility for creating the various slides for each input to different members of top management. This will ensure that everyone invited to the meeting is engaged in the process, and it will spread the workload for meeting preparation across multiple people.
At the end of the meeting, top management will need to create a list of action items to be completed before the next management review meeting. Meeting minutes will need to be documented for the meeting, including the list of action items and each of the four required outputs of the management review process. We recommend using the notes section of a presentation slide deck to document the meeting minutes related to each slide. Then the slide deck can be converted into notes pages and saved as a PDF. The PDF notes pages will be your final meeting minutes for the management review. An example of one of these notes pages is provided in the figure below.
One of the more common non-value-added findings by auditors is when an auditor issues a nonconformity because you do not have your next internal audit and your next management review scheduled–even though each may have occurred only a month prior to the Stage 1 audit. Therefore, we recommend that you document your next 12-month cycle for internal audits and schedule your next management review as action items in every management review meeting. The schedule can be adjusted if needed, but this allows top management to emphasize various areas in internal audits that may need improvement. You might even set a quality objective to conduct a minimum of three management reviews per year at the end of your first management review.
Step 5 – Stage 1, Initial ISO 13485 Certification Audit
In 2006, the ISO 17021 Standard was introduced for assessing certification bodies. This is the standard that defines how certification bodies shall go about conducting your initial certification audit, annual surveillance of your quality system, and the re-certification of your quality system. In the past, certification bodies would typically conduct a “desktop” audit of your company before the on-site visit to make sure that you have all the required procedures. However, ISO 17021 requires that certification bodies conduct a Stage 1 audit that assesses the readiness of your company before conducting a Stage 2 audit. Therefore, even if the Stage 1 audit is conducted remotely, the certification body is expected to interview process owners and sample records to verify that the quality system has been implemented. Certification body auditors will also typically verify that your company has conducted a full quality system audit and at least one management review. Finally, the auditor will usually select a process such as corrective action and preventive action (CAPA) to make sure that you are identifying problems with the quality system and taking appropriate measures to address those problems.
Your goal for the Stage 1 audit should not be perfection. Instead, your focus is to make sure that there are no “major” nonconformities. The term “major” used to have a specific definition:
Absence of a documented procedure or process
Release of nonconforming product
Repeat nonconformities (not possible during a Stage 1)
Under the MDSAP, nonconformities are now graded with a numbering system: “Nonconformity Grading System for Regulatory Purposes and Information Exchange Study Group 3 Final Document GHTF/SG3/N19:2012.” Any nonconformity is graded on a scale of one to four, and then two potential escalation rules are applied. If any nonconformities are graded as a “4” or a “5,” then the auditor must assess whether a five-day notice to Regulatory Authorities is required. A five-day notice is required in either of the following situations: 1) one or more findings graded as “5”; or 2) three or more findings graded as “4.” If your Stage 1 audit results in a five-day notice, then you are not ready for your Stage 2 audit. For example, a complete absence of two required procedures in clauses 6.4 through 8.5 of ISO 13485:2016 would result in two findings with a grading of “4.” This would not result in a five-day notice, but the absence of a third required procedure would result in a five-day notice.
The duration of your Stage 1 audit will be one or two days, but a 1.5-day audit is quite common for MDSAP Stage 1 audits. The reason for the 1.5-day Stage 1 audit is that it is challenging to assess readiness for Stage 2 in one day, and if the total duration of Stage 1 and Stage 2 is 5.5 days, then the Stage 2 audit could be completed in four days. The four-day audit is more convenient than a three-day audit for a two-person audit team.
After your Stage 1 audit, you will receive an audit report, and you should expect findings. You should initiate corrective actions for each finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 2 audit. The duration between the audits is typically about 4-6 weeks. That does not leave much time for you to initiate a CAPA, perform an investigation of the root cause, and implement corrective action. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. You are also unlikely to have enough time to conduct an effectiveness check prior to the Stage 2 audit.
Step 6 – Stage 2, Initial ISO 13485 Certification Audit
The Stage 2 initial ISO 13485 certification audit will verify that all regulatory requirements have been met for any market you plan to distribute in. The auditor will complete an MDSAP checklist that includes all of the regulatory requirements for each of the countries that recognize MDSAP: 1) the USA, 2) Canada, 3) Brazil, 4) Australia, and 5) Japan. The auditor will also sample records from every process in your quality system to verify that the procedures and processes are fully implemented. This audit will typically be at least four days in duration unless multiple auditors are working in an audit team.
The audit objectives for the Stage 2 ISO 13485 certification audit specifically include evaluating the effectiveness of your quality system in the following areas:
Applicable regulatory requirements
Product and process-related technologies
All procedures will be reviewed for compliance with ISO 13485:2016 and the applicable regulations. The auditor will also sample records from each process. If the auditor identifies any nonconformities during the audit, it is important to record the findings and begin planning corrective actions immediately. If you have any questions regarding the expectations for the investigation of the root cause, corrections, corrective actions, and effectiveness checks, you should ask the auditor during the audit or the closing meeting. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. The auditor will not be able to recommend you for ISO 13485 certification until your corrective action plans are accepted.
If you receive a finding with a grading of “5,” or three or more findings graded as “4,” then the MDSAP auditor is required to issue a five-day notification to the regulators. The auditor will also need to return to your facility for a follow-up audit to close as many findings as they can. It is not necessary to eliminate all of the findings in order to be recommended for ISO 13485 certification, but the grading of the findings must be reduced to at least a “3” before recommending the company for certification. The number of findings also determines whether the auditor recommends your company for certification.
In addition to reviewing the findings and conclusions of the audit during the closing meeting, the auditor will also review the plan for the annual surveillance and re-certification with you. Each certification cycle is three years in duration. There will be two surveillance audits of approximately one-third the duration of the combined duration of stage 1 and stage 2 initial certification audits, and the first surveillance audit must be completed within 12 months of the initial certification audit. In the third year, there will be a re-certification audit for two-thirds of the duration of the combined duration of stage 1 and stage 2 initial certification audits. The initial ISO 13485 certificate will be issued with a three-year expiration, and the certificate is typically received about one month after the acceptance of your corrective action plan.
There are no stupid questions, and we can save you weeks of wasted time if you just ask for help. We are always looking for new ideas for blogs, webinars, and videos on our YouTube channel. If you have any general questions about obtaining ISO 13485:2016 certification, please email Rob Packard at email@example.com. If you have a suggestion for new ISO 13485 training materials, you can also use our “Suggestion Box.” You can also schedule an initial free consultation with Rob using his calendly link.
On April 8, 2022, the FDA released a new draft cybersecurity guidance document to replace the 2018 draft that the industry does not support.
Why was the draft cybersecurity guidance created?
Due to the ubiquitous nature of software and networked devices in the medical industry, cybersecurity attacks are becoming more frequent and their impact more severe. The WannaCry Ransomware Attack is just one example of this global cybersecurity issue. The FDA is responding to the need for stronger cybersecurity controls by issuing a new draft cybersecurity guidance for 2022.
The first four paragraphs of the introduction explain why we need this, and WannaCry is mentioned in the second paragraph of the background section. This new guidance is only a draft, but it is the FDA’s third attempt at regulating the cybersecurity of medical devices. The first guidance was finalized in 2014. That’s the 9-page guidance we currently have in effect. That guidance mentions risk 11 times, and there is no mention of testing requirements or a bill of materials (BOM). The 2018 draft guidance (24 pages) met with resistance from the industry for a lot of reasons. One of the reasons mentioned by Suzanne Schwartz in an interview is the inclusion of a cybersecurity bill of materials (CBOM). The industry felt it would be too burdensome to disclose all of the hardware elements that are related to cybersecurity. Therefore, the FDA rewrote the 2018 draft and released a new draft on April 8, 2022 (49 pages).
You might have expected the FDA to soften its requirements in the face of resistance from industry, but the new draft does not appear to be less robust. It is true that the CBOM was replaced by a software bill of materials (SBOM). However, the SBOM must be electronically readable and it must include:
the asset(s) where the software resides;
the software component name;
the software component version;
the software component manufacturer;
the software level of support provided through monitoring and maintenance from the software component manufacturer;
the software component’s end-of-support date; and
any known vulnerabilities.
You can be sure that the medical device industry will view providing an SBOM as a hefty burden. After all, a machine-readable SBOM is more complex than UDI labeling requirements. An SBOM will not fit on the “Splash Screen” for anyone’s software application. Companies may provide documentation through the company website with a link in their software to that information. The format of the information could be in the “Manufacturer Disclosure Statement for Medical Device Security (MDS2).” However, MDS2 is a 349-line item Excel spreadsheet to be used as a checklist (i.e. quite a bit longer than the GUDID data elements spreadsheet), and it took the FDA eight years to complete the transition for the UDI Final Rule (i.e. 2013 – 2021).
The 2018 draft cybersecurity guidance document from the FDA required a cybersecurity bill of materials (CBOM). CBOM was defined as “a list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities.” Therefore, the FDA’s change from a CBOM to an SBOM eliminated the requirement to disclose the hardware components. Despite the change in disclosure requirements, manufacturers will still be expected to monitor potential hardware vulnerabilities to cybersecurity attacks. It should also be noted that the language in the PATCH Act (a new bill submitted to the House of Representatives and to the Senate for ensuring the cybersecurity of medical devices) specifically requires manufacturers “to furnish a software bill of materials as required under section 524B (relating to ensuring the cybersecurity).”
Structure of the draft cybersecurity guidance
The 2022 draft cybersecurity guidance organizes the requirements into four major principles:
cybersecurity is part of device safety and the quality system regulations
designing for security
transparency
submission documentation
The draft cybersecurity guidance recommends implementing a Secure Product Development Framework (SPDF), but the guidance itself provides little detail on what an SPDF contains. In the past, this type of process was referred to as a Secure Software Development Lifecycle (Secure SDLC). In February 2022, the NIST Computer Security Resource Center (CSRC) published NIST SP 800-218, “Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities.” It describes best practices for reducing the risk of software vulnerabilities, because existing standards for managing the software development lifecycle (e.g., IEC 62304:2006/AMD1:2015) do not explicitly address software security. The SSDF recommends a core set of high-level secure software development practices that can be integrated into your existing SDLC process. Your software development team will also require cybersecurity training.
Design for security is the second principle of the draft cybersecurity guidance
Under this new draft cybersecurity guidance, the FDA will be evaluating the cybersecurity of devices based on the ability of the device to provide and implement the following security objectives:
Authenticity, which includes integrity;
Authorization;
Availability;
Confidentiality; and
Secure and timely updatability and patchability.
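These security objectives stay abstract until you see what a device must actually check before it accepts an update. The following Python is an added example, not code from the FDA guidance or from the original article: a device-side verifier that enforces authenticity (the manifest signature), integrity (the payload hash and size the signed manifest commits to) and secure updatability (a monotonic version so a valid but older image cannot be rolled back onto the device). HMAC-SHA256 with a shared device key is used only because it is in the Python standard library; a production device should verify an asymmetric signature (for example Ed25519 or ECDSA) so that only a public key has to live on the device. The key, the firmware payloads and the version numbers are all constructed.

```python
"""Device-side verification of a firmware update package.

Added example. HMAC stands in for an asymmetric signature so the block
runs with the standard library alone; the key, payloads and versions
are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed demo key. On a real device this would be a vendor public key in
# immutable storage, and the manifest would carry an asymmetric signature.
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"


class UpdateRejected(Exception):
    """Raised when a package fails any authenticity, integrity or version check."""


def _canonical(manifest: dict) -> bytes:
    # Sign a canonical encoding so JSON key order cannot change the signature.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def build_package(payload: bytes, version: int, key: bytes) -> dict:
    """Vendor side: the signed manifest binds the payload hash, its size and a monotonic version."""
    manifest = {
        "version": version,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "payload": payload}


def verify_package(pkg: dict, installed_version: int, key: bytes) -> int:
    """Device side: return the new version if every check passes, otherwise raise UpdateRejected."""
    manifest = pkg["manifest"]
    # Authenticity: check the signature before trusting anything the manifest says.
    # compare_digest is constant-time, so a forged signature leaks nothing through timing.
    if not hmac.compare_digest(sign_manifest(manifest, key), pkg["signature"]):
        raise UpdateRejected("manifest signature invalid")
    # Integrity: the payload must be exactly what the signed manifest commits to.
    payload = pkg["payload"]
    if len(payload) != manifest["size"] or hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("payload does not match signed manifest")
    # Anti-rollback: a genuine but older image could reintroduce a fixed vulnerability.
    if manifest["version"] <= installed_version:
        raise UpdateRejected(f"version {manifest['version']} is not newer than installed {installed_version}")
    return manifest["version"]


def try_install(pkg: dict, installed_version: int, key: bytes = DEVICE_KEY) -> str:
    """Wrapper returning a one-line outcome suitable for the device's audit log."""
    try:
        return f"accepted: now at version {verify_package(pkg, installed_version, key)}"
    except UpdateRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    current = 4
    good = build_package(b"constructed firmware image v5", 5, DEVICE_KEY)
    print(try_install(good, current))
    # An attacker swaps the payload but cannot re-sign the manifest.
    tampered = dict(good, payload=b"constructed firmware image v5 with implant")
    print(try_install(tampered, current))
    # A genuine, vendor-signed but older package is refused (rollback attack).
    old = build_package(b"constructed firmware image v3", 3, DEVICE_KEY)
    print(try_install(old, current))
    # A package signed with a different key is refused.
    forged = build_package(b"constructed firmware image v6", 6, b"attacker-key")
    print(try_install(forged, current))
```

The order of the checks matters: the signature is verified first so that nothing in an unauthenticated manifest (not even the declared size) influences later decisions, and the version comparison comes last because it only means something once the manifest is known to be genuine.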
Transparency of cybersecurity information is for users
The draft cybersecurity guidance seeks to give device users more information about the device’s cybersecurity controls, potential risks, and other relevant details. Part of this information is the machine-readable SBOM described above; the rest is provided through labeling. Together, the disclosures should cover 1) known vulnerabilities or risks, 2) the information needed to securely configure and update the device, and 3) communication interfaces and third-party software.
In addition to providing an SBOM, the FDA draft cybersecurity guidance includes requirements for cybersecurity labeling in section VI(A). There are 15 specific labeling requirements identified by the FDA for sharing with device users to improve the transparency of cybersecurity information. The first of these requirements is recommendations from the manufacturer for cybersecurity controls appropriate for the intended use environment (e.g., antimalware software, use of a firewall, password requirements). This first labeling requirement is identical to the 2018 draft guidance. Several of the other requirements are copied from the 2018 draft guidance, but others are new and/or reworded cybersecurity labeling requirements.
FDA Submission Documentation Requirements
The 2022 FDA draft cybersecurity guidance includes requirements for FDA submission documentation. Submission documentation must include a security risk management plan and report. The draft cybersecurity guidance explains on page 13 (numbered 9) that “performing security risk management is a distinct process from performing safety risk management as described in ISO 14971:2019.” Therefore, instead of reusing your safety risk management process, your software development team will need a separate risk management process for security. Details on the content of security risk management plans and reports can be found in AAMI TIR57:2016 – Principles for medical device security—Risk management. Appendix 2 also provides guidance on the inclusion of a) call flow diagrams, and b) the information to document for each architecture view.
Cybersecurity testing requirements for your FDA submission
The biggest impact of this new draft guidance may be the requirement for testing. The 2014 guidance has no testing requirement, the 2018 draft guidance mentioned testing 5 times in a few bullet points, but this new draft guidance mentions testing 43 times. The four types of testing required for cybersecurity risk management verification are:
security requirements testing;
threat mitigation testing;
vulnerability testing; and
penetration testing.
This guidance also includes a paragraph with multiple bullets of requirements for each of the four types of testing. This would essentially double the size and scope of the current software section for a 510k submission, and manufacturers will need to create new procedures and templates for their cybersecurity risk management process. For example, penetration testing requirements include the following elements:
Independence and technical expertise of testers,
Scope of testing,
Duration of testing,
Testing methods employed, and
Test results, findings, and observations.
Differences between the cybersecurity guidance documents
The following table provides a high-level overview comparing the four cybersecurity guidance documents released by the FDA, including the 2016 guidance on post-market management of cybersecurity:
Vulnerability management plans
The FDA draft cybersecurity guidance document also has a requirement for manufacturers to develop a plan for identifying and communicating vulnerabilities to device users after the release of the device. The FDA requires this plan to be included in your device submission. The vulnerability management plan should include the following information (in addition to the requirements of the 2016 guidance for postmarket cybersecurity management):
Sources, methods, and frequency for monitoring for and identifying vulnerabilities (e.g. researchers, NIST NVD, third-party software manufacturers, etc.);
Periodic security testing to test identified vulnerability impact;
Timeline to develop and release patches;
Patching capability (i.e. rate at which update can be delivered to devices);
Description of their coordinated vulnerability disclosure process; and
Description of how manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.
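The monitoring, patch-timeline and patching-capability items in the plan above are the parts a reviewer will expect to see exercised, not just described. The following Python is an added example, not code from the FDA guidance or from the original article: it matches SBOM components against a vulnerability feed using numeric version-range comparison, assigns a severity, computes the patch due date from the plan’s timeline, and checks whether the stated patching capability (devices updated per day) can cover the fielded fleet before that date. The feed layout is a simplified NVD-style record that is hypothetical, the patch timelines are hypothetical plan values, and every component, version, identifier and CVSS score is constructed.

```python
"""Vulnerability triage against an SBOM plus a patch-deadline check.

Added example. The feed format, the timeline values and all component and
vulnerability data are constructed; real plans would pull from NIST NVD
and the component manufacturers' advisories.
"""
from datetime import date, timedelta

# Constructed SBOM excerpt for a hypothetical device.
SBOM = [
    {"asset": "controller-firmware", "name": "tls-lib", "version": "2.3.4"},
    {"asset": "gateway-app", "name": "json-parser", "version": "1.0.9"},
    {"asset": "controller-firmware", "name": "rtos-kernel", "version": "10.4.0"},
]

# Constructed feed, simplified NVD-like shape: one affected range per record;
# an empty "fixed" means no fixed version has been released yet.
FEED = [
    {"id": "EXAMPLE-2022-0001", "component": "tls-lib", "introduced": "2.0.0", "fixed": "2.3.5", "cvss": 9.1},
    {"id": "EXAMPLE-2022-0002", "component": "json-parser", "introduced": "1.0.0", "fixed": "1.0.9", "cvss": 7.5},
    {"id": "EXAMPLE-2022-0003", "component": "rtos-kernel", "introduced": "10.0.0", "fixed": "", "cvss": 5.3},
]

# Hypothetical plan values: days from disclosure to a released patch, by severity.
PATCH_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10): compare numerically so 1.2.10 sorts after 1.2.9."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, or version >= introduced and no fix exists."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed == "" or v < parse_version(fixed)


def severity(cvss: float) -> str:
    # CVSS v3 qualitative rating bands.
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def triage(sbom: list, feed: list, disclosed_iso: str) -> list:
    """Match feed records to SBOM components and compute each patch due date (ISO strings)."""
    disclosed = date.fromisoformat(disclosed_iso)
    results = []
    for comp in sbom:
        for vuln in feed:
            if vuln["component"] != comp["name"]:
                continue
            if not is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                continue
            sev = severity(vuln["cvss"])
            results.append({
                "id": vuln["id"],
                "asset": comp["asset"],
                "component": f"{comp['name']}@{comp['version']}",
                "severity": sev,
                "fix_available": vuln["fixed"] != "",
                "patch_due": (disclosed + timedelta(days=PATCH_DAYS[sev])).isoformat(),
            })
    return results


def fleet_patched_by(start_iso: str, fleet_size: int, devices_per_day: int) -> str:
    """Date by which every fielded device has the update at the stated patching capability."""
    days = -(-fleet_size // devices_per_day)  # ceiling division
    return (date.fromisoformat(start_iso) + timedelta(days=days)).isoformat()


if __name__ == "__main__":
    # Hypothetical: 5,000 fielded devices, rollout starting a week after disclosure at 200/day.
    done = fleet_patched_by("2022-04-15", fleet_size=5000, devices_per_day=200)
    for r in triage(SBOM, FEED, "2022-04-08"):
        status = "meets plan" if done <= r["patch_due"] else "misses plan"
        print(r["id"], r["component"], r["severity"], "due", r["patch_due"], "fleet done", done, status)
```

Two details are worth noting. The JSON parser at 1.0.9 is not reported because 1.0.9 is the fixed version, which a string comparison of version numbers would get wrong for versions like 1.0.10. And the critical finding misses the hypothetical 30-day deadline even though a fix exists, because the fleet cannot be updated fast enough at 200 devices per day; that is exactly the gap the patching-capability item in the plan is meant to expose.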
What’s the next step for the draft cybersecurity guidance?
In March, the “Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act)” was introduced in the House of Representatives and the Senate. The goal of the PATCH Act is to enhance medical device security by requiring manufacturers to create a cybersecurity risk management plan for monitoring and addressing potential postmarket cybersecurity vulnerabilities. The FDA seeks comments on the draft cybersecurity guidance through July 7, 2022. Given the support for the new bill in both the House of Representatives and the Senate, it is likely that the FDA will get the support it needs for this new guidance.
90% of usability testing submitted to the FDA is unacceptable and the root cause is simply a failure to understand the human factors process.
If you submitted no usability testing to the FDA in your 510(k) submission, it would be obvious why the FDA reviewer identified usability as a major deficiency. However, you spent tens of thousands of dollars on usability testing that delayed the 510(k) submission by six months. Despite all of the time and money your company invested in the human factors process, it appears that you need to start over and repeat the entire process again. The CEO is furious, and he wants you to show him where in the 49-page FDA guidance it says that you have to do things differently.
Benefits from the human factors process
Use errors result in serious injuries and death
Easy to use products sell
You will prevent delays in regulatory approval
Why was your rationale for no usability testing rejected?
Unlike CE Marking technical files, the FDA does not require a usability engineering file for all products. Instead, the FDA determines if usability testing is required based upon a comparison of your device’s user interface and a competitor’s user interface (i.e. predicate device user interface). If the user interface is identical, then usability testing may not be required. Instead, your company should be able to write a rationale for not doing usability testing based upon equivalence with the predicate device. If there are differences in your user interface, you will need to provide use-related risk analysis (URRA), identify critical tasks, implement risk controls, and provide verification testing to demonstrate the effectiveness of the risk controls. Even if your device is “easier to use” or “simpler”, you still need to provide the documentation to support this claim in your submission. The FDA also does not allow comparative claims in your marketing for 510(k) cleared devices. Comparative claims require the support of clinical data.
What is the 10-step human factors process?
Define human factors for your device or IVD
Identify use errors
Conduct a URRA
Perform a critical task analysis
Conduct a risk control option analysis
Conduct formative usability testing
Implement risk controls
Conduct summative usability testing
Prepare HFE/UE documentation
Collect post-market surveillance data specific to use errors
There is a YouTube video describing these 10 steps at the bottom of this blog posting.
Why is formative testing needed?
Observational study to identify unforeseen use errors
Observational study to evaluate risk control options
What are the other types of studies?
Development of indications for use
Development of training materials
Why is the human factors process crazy expensive to outsource?
Human factors consultants need time to learn about your device
Consultants are more conservative because they cannot afford to fail
Justifying your choice of risk controls is difficult because you started too late
Your instructions for use (IFU) are inadequate
Consultants need to explain the human factors process to you
Recruiting subjects is marketing (which may not be their expertise)
You are paying for infrastructure (specialized testing facilities)
This is a team effort that requires many consulting hours collectively
Why was your Usability Engineering File refused?
Your company provided an application failure modes and effects analysis (aFMEA) to support your justification that residual risks are acceptable. The FDA guidance suggests using risk analysis tools such as an FMEA or fault-tree analysis, but deficiency letters from FDA reviewers recommend a use-related risk analysis (URRA) format that is totally different.
Example of a URRA Table provided by the FDA for the Human Factors Process
The primary problem with using an FMEA or fault-tree risk analysis tool is that these tools involve estimating the severity of harm and the probability of occurrence of harm, while the FDA does not consider it appropriate to estimate the probability of occurrence of harm for use errors. Instead, the FDA instructs companies to assume that use errors will occur and to implement risk controls to mitigate those risks (see the URRA example above). Although completely mitigating a use error is unlikely and use-related risks can usually only be reduced, this is the approach the FDA wants companies to use. In addition, the FDA expects your company to provide traceability from each use-related risk you identified to the risk control that addresses it, and the FDA expects documentation of verification testing (i.e. usability testing) that shows your risk controls are effective. Finally, the FDA (and ISO 14971, Clause 10) expects you to collect and trend use errors from the field. Any use errors that are reported should be evaluated for the need to implement additional corrective actions to prevent future use errors. Blaming “user error” is not an acceptable approach.
You provided risk analysis and human factors testing in your 510(k) submission, but the FDA reviewer said you need to identify critical tasks and provide traceability to each critical task in your summative validation report. – Critical tasks are specifically mentioned in section 3.2 of the FDA guidance on applying human factors and usability engineering–and a total of 49 times throughout the guidance. However, “critical tasks” are not mentioned even once in ISO 14971:2019 or ISO/TR 24971:2020. The term “critical tasks” is not even found in IEC 62366-1:2015. There is mention of “tasks”, and “task” is a formal definition (i.e. Definition 3.14, “Task – one or more USER interactions with a MEDICAL DEVICE to achieve a desired result”). Therefore, companies that are familiar with the ISO Standards and CE Marking process frequently need training on the FDA requirements for the human factors process. After receiving training, then your company will be prepared to modify your usability engineering file documentation to comply with the FDA requirements for human factors.
You completed a summative validation protocol, but the FDA disagrees with your definition of user groups. – Each user has a different level of experience, training, and competency. Therefore, if you define the intended user population too broadly (e.g. healthcare practitioners), the FDA may not accept your summative usability testing. This is the reason that the human factors process begins with defining the human factors for your IVD or device. Radiologists, for example, have the following training pathway:
graduate from medical school;
complete an internship;
pass state licensing exam;
complete a residency in radiology;
become board certified; and
complete an optional fellowship.
Therefore, if you are developing imaging software, you need to make sure your user group includes radiologists that cover the entire range of competencies. In addition, most radiology images are taken by radiology technicians and then reviewed by the radiologist. Therefore, radiology technicians should be considered a completely different user group due to the differences in experience, training, and competency when compared to a radiologist. This simple example doubles the number of users needed because you have two user groups instead of one.
You evaluated 15 users, but the FDA reviewer is asking you to evaluate a larger number of users based upon a special controls guidance document. – The FDA guidance on human factors testing specifies a minimum of 15 users for each user group–not a minimum of 15 users. Therefore, for a device that is for Rx-only and OTC use, you will have at least two user groups that need to be evaluated independently. In addition, some devices have special controls guidance documents that specify usability testing requirements. For example, an OTC blood glucose meter must pass a 350-person lay-user study. Covid-19 self-tests are expected to pass a 30-person lay-user study as another example.
Your usability study was conducted in Australia, but the FDA insists that your usability study must be repeated in the USA. – Most people think of language being the primary difference between two countries, and therefore the author of a study protocol may not perceive any difference between the USA and Australia, Ireland, Canada, or the UK. However, this lack of ability to identify differences between cultural norms shows our own ignorance of cultural differences. International travelers learn quickly about the differences in the interface used for electrical outlets between the USA and other countries. There are also more subtle differences between cultures, such as in which direction do you toggle a light switch to turn on a light, up or down? For devices that are used in a hospital environment, it is critical to understand how your device will interact with other devices and how different hospital protocols might impact human factors.
The FDA reviewer indicated that your usability engineering file does not assess the ability of laypersons to self-select whether your OTC device is appropriate for them. – Devices and IVD devices may have contraindications or indications for use that are specific to an intended patient population or intended user population. In these cases, the user of the device or IVD needs to be able to “self-select” as included or excluded from use. The ability to self-select should be assessed as part of any OTC usability study. The ability to identify suitable and unsuitable patients for treatment is also a common criterion for a usability study involving prescription devices where a physician is the subject of the study.
The FDA reviewer indicated that you did not provide raw data collected by the study moderator. – Data collected during a human factors study is usually subjective in nature, and the FDA may want to conduct their own review and analysis of your data. Therefore, you cannot provide only a testing report that summarizes the results of your study. You must also provide the raw data for the study. It is permitted to provide the data in a tabular format that has been transcribed from paper case report forms or was recorded electronically. You should also consider scanning any paper forms for permanent retention or retaining the paper forms in case there is any question of accuracy in the transcription of the data collected. Finally, it is best practice to record videos of the study participants performing each task and answering interview questions. This will help in filling any gaps in the notes recorded by the moderator, and the recording provides additional objective evidence of the study results.
The FDA reviewer indicated that your study is not valid, because the training provided by moderators was not scripted and training decay was not considered in the design of the study. – Summative usability testing requires that users complete all of the critical tasks identified in your critical task analysis without assistance. It is permitted to provide training to the user prior to conducting the study if the device or IVD is for prescription use and healthcare practitioners are responsible for providing instruction to the user. However, any training provided must be scripted in advance and approved as part of the summative usability testing protocol. This ensures that every subject in the study receives consistent training. Unfortunately, the FDA may still not be satisfied with the design of your study if you do not allow sufficient time to pass between the training and the subject’s first use of the device or IVD. In general, one hour is the minimum amount of time that should pass between providing user training and first use of the device or IVD. This is referred to as “training decay,” and the duration of time between your scripted training and the user performing critical tasks for the first time should be specified in your summative usability protocol. One solution to address both issues is to provide a video of the instructions to each subject 24 hours in advance of participation in the study.
Additional resources for the human factors process and usability testing