Learn why you need to start with software validation documentation before you jump into software development.
When do you create software validation documentation for a medical device or IVD?
At least once a week, I speak with the founder of a new MedTech company that developed a new software application as a medical device (SaMD). The founder will ask me to explain the process for obtaining a 510(k), and they want help with software validation documentation. Many people I speak with have never even heard of IEC 62304.
Even though they already have a working application, usually, validation documentation has not even been started. Although you can create all of your software validation documentation after you create a working application, certain tasks are important to perform before you develop software code. Jumping into software development without the foundational documentation will not get your device to market faster. Instead, you will struggle to create documentation retroactively, and the process will be slower. In the end, the result will be a frustrating delay in the launch of your device.
What are the 11 software validation documents required by the FDA?
In 2005 the FDA released a guidance document outlining software validation documentation content required for a premarket submission. There were 11 documents identified in that guidance:
What the FDA guidance fails to explain is that some of these documents need to be created before software development begins, or your software validation documentation will be missing critical design elements. Therefore, it is important to create a software development plan that schedules activities that result in those documents at the right time. In contrast, four of the eleven documents can wait until your software development is complete.
Which of the software validation documents can wait until the end?
The level of concern only determines what documents the FDA wants to review in a submission rather than what documents are needed for a design history file. In fact, the level of concern (LOC) document is no longer required as a separate document in premarket submissions using the FDA eSTAR template because the template already incorporates the questions that document your LOC. The revision level history document is simply a summary of revisions made to the software during the development process, and that document can be created manually or automatically at the end of the process, or the revision level history can be a living document that is created as changes are made. The traceability matrix can also be a living document created as changes are made, but its only purpose is to act as a tool to provide traceability from hazards to software requirements, to design specifications, and finally to verification and validation reports. Other software tools, such as Application Lifecycle Management (ALM) Software, are designed to ensure the traceability of every hazard and requirement throughout the entire development process. Finally, unresolved anomalies should only be documented at the time of submission. The list may be incomplete until all verification and validation testing is completed, and the list should be the shortest at the time of submission.
What documentation will be created near the end of development?
The software design specification (SDS) is typically a living document until your development process is completed, and you may need to update the SDS after the initial software release to add new features, maintain interoperability with software accessories, or change security controls. The SDS can not begin, however, until you have software requirements and the basic architecture defined. The verification and validation activities are discrete documents created after each revision of the SDS and must therefore be one of the last documents created–especially when provided to the FDA as a summary of the verification and validation efforts.
Which validation documents do you need first?
At the beginning of software development, you need a procedure(s) that defines your software development process. That procedure should have a section that explains the software development environment–including how patches and upgrades will be controlled and released. If you don’t have a quality system procedure that defines your development process, then each developer may document their coding and validation activities differently. That does not mean that you can’t improve or change the procedure once development has begun, but we recommend limiting the implementation of a revised procedure when making major software changes and discussing how revisions will be implemented for any work that remains in progress or has already been completed.
When do the remaining software validation documents get created?
The remaining four software validation documents required for a premarket submission to the FDA are:
Software hazard analysis
Software requirements specification (SRS)
Architecture design chart
Your development process will be iterative, and therefore, you should be building and refining these four documents iteratively in parallel with your software code. At the beginning of your project, your design plan will need a brief software description. Your initial software description needs to include the indications for use, a list of the software’s functional elements, and the elements of your user specification (i.e., intended patient population, intended users, and user interface). If you are using lean startup methodology, the first version of your device description will be limited to a minimal viable product (MVP). The target performance of the MVP should be documented as an initial software requirements specification (SRS). This initial SRS might only consist of one requirement, but the SRS will expand quickly. Next, you need to perform an initial software hazard analysis to identify the possible hazards. It is important to remember that software hazards are typically hazardous situations and are not limited to direct physical harm. For each potential hazard you identify in your hazard analysis, you will need a software requirement to address each hazard, and each requirement needs to be added to your SRS. As your software becomes more complex by adding software features, your device description needs to be updated. As you add functions and requirements to your software application, your SRS will need updates too. Finally, your development team will need a tool to track data flow and calculations from one software function to the next. That tool is your architecture design chart, and you will want to organize your SRS to match the various software modules identified in your architecture diagram. This phase is iterative and non-linear, you will always have failures, and typically a team of developers will collaborate virtually. Maintaining a current version of the four software documents is critical to keeping your development team on track.
How do you perform a software hazard analysis?
One of the most important pre-requisite tasks for software developers is conducting a hazard analysis. You can develop an algorithm before you write any code, but if you start developing your application to execute an algorithm before you perform a software hazard analysis, you will be missing critical software requirements. Software hazard analysis is different from traditional device hazard analysis because software hazards are unique to software. A traditional device hazard analysis consists of three steps: 1) answering the 37 questions in Annex A of ISO/TR 24971:2020, 2) systematically identifying hazards by using Table C1 in Annex C of ISO 14971:2019, and 3) reviewing the risks associated with previous versions of the device and similar competitor devices. A software hazard analysis will have very few hazards identified from steps 1 and 2 above. Instead, the best resource for software hazard analysis is IEC/TR 80002-1:2009. You should still use the other two standards, especially if you are developing software in a medical device (SiMD) or firmware, but IEC/TR 80002-1 has a wealth of tables that can be used to populate your initial hazards analysis and to update your hazard analysis when you add new features.
How do you document your hazard analysis?
Another key difference between a traditional hazard analysis and a software hazard analysis is how you document the hazards. Most devices use a design FMEA (dFMEA) to document hazards. The dFMEA is a bottom-up method for documenting your risk analysis by starting with device failure modes. Another tool for documenting hazards is a fault tree diagram.
A fault tree is a top-down method for documenting your risk analysis, where you identify all of the potential causes that contribute to a specific failure mode. Fault tree diagrams lend themselves to complaint investigations because complaint investigations begin with the identification of the failure (i.e., complaint) at the top of the diagram. For software, the FDA will not allow you to use the probability of occurrence to estimate risks. Instead, software risk estimation should be limited to the severity of the potential harm. Therefore, a fault tree diagram is generally a better tool for documenting software risk analysis and organizing your list of hazards. You might even consider creating a separate fault tree diagram for each module of your software identified in the architecture diagram. This approach will also help you identify the potential impact of any software hazard by looking at the failure at the top of the fault tree. The higher the potential severity of the software failure, the more resources the software team needs to apply to developing software risk controls and verifying risk control effectiveness for the associated fault tree.
Learn how to create a UDI procedure for compliance with the FDA and EU regulatory requirements for UDI compliance.
Your cart is empty
A Unique Device Identifier or UDI is required for all in vitro diagnostics (IVD) and devices in the USA and Europe as a tool for identifying the manufacturer, the device or IVD itself, and production-related details such as the date of manufacture and the lot number. To comply with these UDI requirements, you will need a UDI procedure compliant with the US regulations (i.e., 21 CFR 830 and parts of 21 CFR 801). To comply with European regulations, you will need a UDI procedure compliant with Article 24 and Annex VI of the IVDR and Article 27 and Annex VI of the MDR. The video below provides an overview of Medical Device Academy’s UDI procedure.
What’s included in our UDI Procedure?
The UDI procedure complies with ISO 13485:2016 as well as the European and US regulations. The procedure includes the following list of documents:
SYS-039 A D5 UDI Requirements Procedure
FRM-016 A D1 FDA UDI Checklist
FRM-017 A D2 EU UDI Checklist
We are including a training webinar explaining the FDA’s UDI System and the native presentation slide deck, and we will provide an exam (i.e., a 10-question quiz) to verify training effectiveness. If you submit the completed exam to us by email in the native MS Word format, we will correct the exam and email you a training certificate with your corrected exam. The FDA website also provides information about the UDI system. We also provide email notifications of free updates to the procedure and forms when we update the procedure to comply with new and revised regulations.
SYS-039 UDI Requirements Procedure, Webinar and Exam Bundle
SYS-039, UDI Requirements Procedure Bundle; This training includes our procedure for UDI Requirements and the FDA template for the GUDID data elements. You will also receive a link to download our slide deck and webinar recording on UDI labeling. We also provide a 10 question quiz on the FDA’s UDI requirements and a training certificate when you complete the quiz and submit it to Medical Device Academy for grading.
What is a UDI?
UDI stands for ‘Unique Device Identifier.’ This is a two-part identification code that is used as part of the FDA’s Unique Device Identifier System. The FDA issued its final rule on Unique Device Identifier Systems on September 24, 2013, with an effective date of December 23, 2013. The full 44-page document can be viewed on the Federal Register Website.
The idea or concept of having an identifier unique to each medical device is not a flashy new concept and has been in use in other industries for many years now. A UDI could be comparable to a VIN and license plates for vehicles or even social security numbers and driver’s license numbers in people. The idea is that there is a trackable piece of information that identifies individual types of medical devices.
The Two Parts of a UDI
A UDI includes two parts. One is the ‘Device Identifier’ or DI, and the other is the ‘Production Identifier’ or PI. The DI portion is the ‘Device Identifier.’ This portion of the UDI is mandatory and serves to identify the labeler and the specific model of the labeled device. Once the DI has been assigned, it is permanent and cannot be changed. Every variable of the device will require its own DI. For example, if multiple sizing options were produced for a device, then each size available would require a DI. Other variances, such as color and cosmetic or ergonomic design differences, also require separate DI numbers.
The ‘Production Identifier’ or PI and unlike the device identifier the PI identifies one of several pieces of information. I feel the best way to explain what information the PI provides is to directly quote the FDA itself.
“a production identifier (PI), a conditional, variable portion of a UDI that identifies one or more of the following when included on the label of a device:
the lot or batch number within which a device was manufactured;
the serial number of a specific device;
the expiration date of a specific device;
the date a specific device was manufactured;
the distinct identification code required by §1271.290(c) for a human cell, tissue, or cellular and tissue-based product (HCT/P) regulated as a device.” (FDA, UDI Basics 2015).
If a company were to produce multiple batches or lots of a device, the DI would remain the same, but the PI would be different for each batch produced.
Your UDI must be provided in two separate formats. One is a plain text version that is simply an alphanumeric code that correlates with the information that it is trying to convey. This is a DI/PI code that must be labeled on the packaging of your medical device or, in some cases, on the device itself.
A second format is a form that is AIDC compatible. AIDC stands for ‘Automatic Identification and Data Capture’. AIDC collects your information without having to manually enter all of your data. Generally, this is some type of barcode or QR code.
You can see examples of AIDC technology in our daily lives. Some of the most common examples are barcodes, as mentioned above, and magnetic strips and chips as we see in our credit and debit cards. RFID, Optical Scanners, and other various biometrics are also included as some of the less common AIDC methods.
For more information on AIDC technology in general, you can follow the 3rd party website.
Your UDI should be located on your device label. This is a general rule, but the FDA has multiple exemptions and alternatives based on the device use and classification. The UDI’s are required to be directly marked on the devices themselves should they be intended to be used more than once and be reprocessed before each use.
If you are writing a UDI procedure for your company, double-check that your device does not fall under any of the FDA’s exceptions.
An example of one of the exceptions that may apply to your device is, “If your device is Class I, you may use a Universal Product Code (UPC) to serve as the UDI on the device label and package. In addition, the UDI on your class I devices is not required to include a PI.” (FDA, Small Entity Compliance Guide, 2014).
Packaging Levels for UDI
Each ‘package level’ also requires a new DI. For example, if your medical device were an insulin syringe that you sold in packages of 10 and bulk in packages of 100, each would need an individual ‘Device Identifier’. This does not mean that each package of 10 or 100 needs its own DI. These are not a lot or batch numbers. These numbers are for the user’s information, so shipping materials such as pallets and shrink wrap do not require DI/PI labeling. However, different models or any substantial updates to the medical device will need its DI.
As long as your syringe is only sold as an individual syringe, the UDI and labeling are compliant. As soon as an additional packaging level is introduced, an additional UDI is required. Using the same syringe example, if the syringes are also sold in packages that contain five of your already labeled medical devices, that package needs its UDI number. Another UDI would be required if the syringes were sold in packages of ten, twenty-five, or fifty. Every level of packaging that the device is sold in requires a UDI.
What is not considered an additional packaging level? Measures to protect your products during shipping are not considered additional packaging levels. This includes palletizing and wrapping your products to protect them from damage during shipping. Pallets, shipping containers, and trailers do not require a UDI.
Updated Products and UDI’s
UDI’s are specific to individual models of products and devices. As each packaging level or product variance, such as size offered, requires a UDI, so does each device change and upgrade. Say you launched your device 2 years ago and, based on consumer feedback, decided to make some changes to your device. The new version of your device is now no longer the same as the one that had the previous UDI issued to it.
You would now need a UDI for the essentially ‘new product’. You will also need to address the same compliance requirements for packaging levels and variances as you did with the original product. As you update your product, be aware that you may also need to update your UDI.
UDI date format requirements
The date format on device labels should be in the ‘International Standard’, which consists of Year-Month-Day as opposed to what would normally be seen in the United States, which is Month-Day-Year. For example, the date for April 18, 2018, would need to be written 2018-04-18.
This format would need to be used on your labeling for things such as the manufacture and expiration date of your product or device.
For UDI labels, the compliance date for implementing the International Date Standard will be the same as the compliance dates for UDI/AIDC.
Compliance Dates for Class I and Unclassified Devices.
Below is the FDA’s UDI Compliance Dates Table.
To extend the compliance dates for lower-risk medical devices, the FDA plans to issue a guidance document to provide an enforcement discretion policy for labeling, GUDID data submission, standard date formatting, and direct mark requirements for class I and unclassified devices, as indicated in Figure 1 below. This enforcement discretion policy would not apply to class I or unclassified implantable, life-supporting, or life-sustaining devices1 because labelers of these devices must already comply with UDI requirements.
Type of Device
Label (21 CFR 801.20), GUDID Submission (21 CFR Part 830, subpart E), and Standard Date Format (21 CFR 801.18) Requirements
Direct Mark (21 CFR 801.45) Requirements
Class 1 devices2
September 24, 2020
September 24, 2022
September 24, 2020
September 24, 2022
1 For implantable, life-supporting or life-sustaining devices of all classes, the compliance date for all UDI requirements and the standard date format requirement (21 CFR 801.18) was September 24, 2015. 2 Class I CGMP-exempt devices are excepted from UDI requirements. 21 CFR 801.30(a)(2)
Compliance Dates Established by FDA in Conjunction with UDI Final Rule
1 year after publication of the final rule (September 24, 2014)
The labels and packages of class III medical devices and devices licensed under the Public Health Service Act (PHS Act) must bear a UDI. § 801.20. Dates on the labels of these devices must be formatted as required by § 801.18. Data for these devices must be submitted to the GUDID database. § 830.300. A 1-year extension of this compliance date may be requested under § 801.55; such a request must be submitted no later than June 23, 2014. Class III stand-alone software must provide its UDI as required by § 801.50(b).
2 years after publication of the final rule (September 24, 2015)
A device that is a life-supporting or life-sustaining device that is required to be labeled with a UDI must a bear UDI as a permanent marking on the device itself if the device is intended to be used more than once and intended to be reprocessed before each use. § 801.45. Stand-alone software that is a life-supporting or life-sustaining device must provide its UDI as required by § 801.50(b).
Data for implantable, life-supporting, and life-sustaining devices that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300.
3 years after publication of the final rule (September 24, 2016)
Class III devices required to be labeled with a UDI must bear a UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.
The labels and packages of class II medical devices must bear a UDI. § 801.20. Dates on the labels of these devices must be formatted as required by § 801.18. Class II stand-alone software must provide its UDI as required by § 801.50(b).
Data for class II devices that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300.
5 years after publication of the final rule (September 24, 2018)
A class II device that is required to be labeled with a UDI must bear a UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.
The labels and packages of class I medical devices and devices that have not been classified into class I, class II, or class III must bear a UDI. § 801.20. Dates on the labels of all devices, including devices that have been excepted from UDI labeling requirements, must be formatted as required by § 801.18.
Data for class I devices and devices that have not been classified into class I, class II, or class III that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300. Class I stand-alone software must provide its UDI as required by § 801.50(b).
7 years after publication of the final rule (September 24, 2020)
Class I devices, and devices that have not been classified into class I, class II, or class III that are required to be labeled with a UDI, must a bear UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.
Compliance dates for all other provisions of the final rule. Except for the provisions listed above, FDA requires full compliance with the final rule as of the effective date that applies to the provision.
UDI Quality System Requirements
To comply with both Part 803.22 Medical Device Reporting and 820.198 Quality System Regulation, the documentation of UDI numbers included on device labeling is either required specifically or applicable to fulfill specific documentation and reporting requirements.
CFR 21 Chapter I Sub Chapter H Medical Devices Part 803.33 Medical Device Reporting
“(a) You must submit to us an annual report on Form FDA 3419. You must submit an annual report by January 1, of each year. You may obtain this form from the following sources:
(iv) Product model, catalog, serial, and lot number and unique device identifier (UDI) that appears on the device label or on the device package.”
For handling complaints as part of your quality system, inclusion of the UDI in your record of investigation is a specifically listed portion of device identifications and control numbers needed for reporting and record keeping.
Quality System Regulation Sub Part M Records 820.198
“(e) When an investigation is made under this section, a record of the investigation shall be maintained by the formally designated unit identified in paragraph (a) of this section. The record of investigation shall include:
(1) The name of the device;
(2) The date the complaint was received;
(3) Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used;”
All UDIs are required to be issued under a system operated by an FDA-accredited “Issuing Agency”. At the time of writing this, the FDA currently only has three FDA-accredited IA’s. They are GS1, HIBCC, and the ICCBBA. The UDI rule provides a process through which an agency would seek FDA accreditation. specifies the information that the applicant must provide to FDA and the criteria FDA will apply in evaluating applications.
To seek accreditation by the FDA as a UDI issuing agency, your UDI procedure must define the process outlined in the 21 CFR 830 Subpart C. This specifies the information that must be provided to the FDA as well as the FDA evaluation criteria. The FDA also asks that agencies seeking an initial accreditation contact the FDA directly at email@example.com.
UDI Procedure for Labelers
Labelers are ultimately the ones that are responsible for complying with the FDA’s UDI labeling requirements. Are you a labeler? In most cases, but not always, the brand owner is typically the labeler.
The FDA defines a labeler as “(1) Any person who causes a label to be applied to a device with the intent that the device will be commercially distributed without any subsequent replacement or modification of the label; and
(2) Any person who causes the label of a device to be replaced or modified with the intent that the device will be commercially distributed without any subsequent replacement or modification of the label, except that the addition of the name of, and contact information for, a person who distributes the device, without making any other changes to the label, is not a modification for the purposes of determining whether a person is a labeler” (FDA, Webinar UDI 101)
Distributors add contact information only
A distributor may add their contact information to a label. As long as they are not altering the label in any other way. Alterations made to the label beyond this may constitute a change in who exactly is the labeler of the product.
Do UDI requirements apply to Foreign device manufacturers?
UDI labeling rules apply to all medical devices sold within the United States and Europe. Therefore, even if your company is located outside the US or Europe, you will need a UDI procedure, and you must comply with the UDI regulations to distribute products in these two markets.
GUDID Requirements for your UDI Procedure
GUDID stands for Global Unique Device Identification Database. This database is a reference catalogue that is open for viewing by the public for every medical device with an ‘identifier’. This database can be accessed through AccessGUDID. Unlike submission, which requires an account, AccessGUDID may be accessed by anyone.
Under the UDI Rule, the FDA requires labelers who have medical devices that are labeled with a UDI to submit their device to the GUDID. If you are wondering if your device has such a labeler, we referenced above that the FDA considered the labeler to be “the person who causes a label to be applied to a device, or who causes the label to be modified, with the intent that the device will be introduced into interstate commerce without any subsequent replacement or modification of the label; in most instances, the labeler would be the device manufacturer, but the labeler may be a specification developer, a single-use device reprocessor, a convenience kit assembler, a repackager, or a relabeler.”
The GUDID is created with data about devices according to the compliance timeline table shared above and is published in conjunction with the UDI rule. The GUDID only contains the device identifier, which is the primary key to obtaining device information in the GUDID database. Production Identifiers are not submitted or stored in the GUDID.
Learn how to become ISO 13485 certified while avoiding the stress that tortures other quality system managers.
Your cart is empty
What is ISO 13485?
ISO 13485 is an international standard for quality management systems that is specific to the medical device industry. ISO 13485:2016 is the most recent version of the standard, and it has become the blueprint for medical device company quality systems globally. If your company wants to design, manufacture, or distribute medical devices you should consider becoming ISO 13485 certified.
Yes, you need to maintain a copy of the ISO 13485 standard as a “document of external origin.” This is needed for reference when you are making updates to procedures in your quality system. If you are looking for the best place to purchase a copy of the ISO 13485:2016 standard, we recommend the Estonian Centre for Standardisation and Accreditation. If you purchase a copy, we recommend selecting the option for a multi-user license so the standard can be used by more than one person in your company and printed. The only difference between the EN ISO version and the International ISO version is that the EN ISO version includes harmonization Annex ZA for compliance with the EU MDR and Annex ZB for compliance with the EU IVDR. This version is also referred to as A11:2021. Here’s a copy of the text from the beginning of the Standard:
“This Estonian standard EVS-EN ISO 13485:2016/A11:2021 consists of the English text of the European standard EN ISO 13485:2016/A11:2021. This standard has been endorsed with a notification published in the official bulletin of the Estonian Centre for Standardisation and Accreditation. Date of Availability of the European standard is 08.09.2021. The standard is available from the Estonian Centre for Standardisation and Accreditation.”
Medical Device Academy’s experience with ISO 13485 training
Rob Packard created his first quality system in the Spring of 2004. In October of 2009, after successfully managing quality systems for three different medical device manufacturers, Rob joined BSI as a Lead Auditor and instructor. In April of 2010, he purchased the 13485cert.com URL and he began to help companies implement quality systems as a consultant (while continuing to audit and train 140 days per year for BSI). In 2011 his medical device blog postings began as a way to help medical device companies. In 2012, Rob began building a library of quality system procedures for a turn-key quality system and selling the procedures from the Medical Device Academy website. Dozens and dozens of consulting clients have successfully achieved ISO 13485 certification with Medical Device Academy’s turnkey quality system procedures, and hundreds of quality systems were audited and/or improved. This ISO 13485 training webinar is also included as part of our turnkey quality system.
Projected Changes for 2023
On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the proposed rule is any mention of the need for modernization of device regulations.
The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations with guidance documents, but there is a desperate need for new regulations that include critical elements. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with each of these quality system elements. Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the standard and 2) adopting the best practices outlined in the following related standards:
AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems
Previous versions of the ISO 13485 webinars
This 2-part webinar has been previously recorded three different times. Our previous webinar on the 2003 version of ISO 13485 was split into two parts: Stage 1 and Stage 2. That first webinar was recorded in 2015. The webinars were updated in 2016 and again in 2018. We followed the same format, 2-part Stage 1 and Stage 2, for all of the subsequent ISO 13485 training webinars. The Stage 1 webinar focuses on the following processes:
Quality System Documentation
The Stage 2 webinar on the rest of the standard, including but not limited to:
Customer Related Processes
The most recent version of ISO 13485 webinars
The webinars explaining the requirements for ISO 13485 were last updated for 2020. Anyone that purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get:
access to the Stage 1 webinar recorded July 24, 2020
access to the Stage 2 webinar recorded July 28, 2020
native slide decks for both webinars
This pair of ISO 13485 training webinars explain precisely what you need to do to implement a quality system compliant with ISO 13485. After you create your own plan (a free template is provided with a subscription), then you can show the recording of these two webinars to your management team so they can implement your plan in the next several months. All deliveries of content will be sent via Aweber emails to confirmed subscribers.
Webinar duration & format
Webinars were hosted live via Zoom in 2020. The Stage 1 webinar was 64 minutes, and the duration of the Stage 2 webinar was 82 minutes. When you purchase this webinar bundle, you will receive a link to download both recorded webinars from our Dropbox folder. In addition, you will receive links to download the native slide deck for each webinar from Dropbox.
Purchase the ISO 13485 training bundle
ISO 13485:2016 Training Webinars – Stage 1 & Stage 2
The webinars explaining the requirements for ISO 13485 were last updated for 2020. Anyone that purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get:
1 – access to the Stage 1 webinar recorded July 24, 2020
2 – access to the Stage 2 webinar recorded July 28, 2020
3 – native slide decks for both webinars
Exam and Training Certificate available
Exam – ISO 13485:2016 update
This is a 20 question quiz with multiple choice and fill in the blank questions. The completed quiz is to be submitted by email to Rob Packard as an MS Word document. Rob will provide a corrected exam with explanations for incorrect answers and a training effectiveness certificate for grades of 70% or higher.
There is a big difference between being ISO 13485 certified and being compliant with ISO 13485:2016, the medical devices quality management systems standard. Anyone can claim compliance with the standard. Certification, however, requires that an accredited certification body has followed the requirements of ISO 17021:2015, and they have verified that your quality system is compliant with the standard. To maintain that certification, you must maintain your quality system’s effectiveness and endure both annual surveillance audits and a re-certification audit once every three years.
Step 1 – Planning for ISO 13485 certification
There are six steps in the ISO 13485 certification process, but that does not mean there are only six tasks. The first step in every quality system is planning. Most people refer to the Deming Cycle or Plan-Do-Check-Act (PDCA) Cycle when they describe how to implement a quality system. However, when you are implementing a full quality system, you need to break the “doing” part of the PDCA cycle into many small tasks rather than one big task. You also can’t implement a quality system alone. Quality systems are not the responsibility of the quality manager alone. Implementing a quality system is the responsibility of everyone in top management.
Below you will find seven tasks listed. I did NOT identify these nine tasks as “Steps” in the ISO 13485 certification process, because these tasks are typically repeated for each process in your quality system. Most quality systems are implemented over time, and the scope of the quality system usually grows. Therefore, you are almost certain to have to perform all of the following nine tasks multiple times–even after you receive the initial ISO 13485 certification. As the saying goes, “How do you eat an elephant? One bite at a time.” Therefore, avoid the inevitable heartburn caused by trying to do too much at one time. Implement your quality system one “bite” at a time.
Task 1 – Purchase applicable standards
The first task in implementing an ISO 13485 quality system is to purchase a copy of the ISO 13485:2016 standard, such as the MDSAP Companion Document. You will also need other applicable medical device standards. Some of these standards are general standards that apply to most, if not all, medical devices, such as ISO 14971:2019 for risk management. There are also guidance documents that explain how to use these general standards, such as ISO/TR 24971:2020, and guidance on how to apply ISO 14971:2019. Finally, there are testing standards that identify testing methods and acceptance criteria for things such as biocompatibility and electrical safety. You will need to monitor these standards for new and revised versions. When these standards are updated, you will need to identify the revised standard and develop a plan for addressing the changes.
When you purchase a standard, be sure to buy an electronic version of the standard so you can search the standard for keywords efficiently. You should also consider purchasing a multi-user license for the standard because every manager in your company will need to look up information in the standard. Alternatively, you could buy a paper copy of the standard and locate the standard where everyone in your company can access it. Often I am asked what the difference is between the EN version of the standard and the ISO version of the standard. “EN” is an abbreviation meaning European Standards or “European Norms,” which is based upon the literal translation from the French (i.e., “normes”) and German (i.e. “norm”) languages. “ISO” versions are international standards. In general, the body of the standard is typically identical but harmonized EN standards for medical devices include annexes ZA, ZB, and ZC that identify any deviations from the requirements in three medical device directives (i.e., MDD, AIMD, and IVDD).
Task 2 – Identify which processes are applicable
Clause 1 of ISO 13485 is specific to the scope of a quality system. ISO 9001, the general quality system standard, allows you to “exclude” any clause from your quality system certification. However, ISO 13485 will only allow you to exclude design controls (i.e., clause 7.3). Other clauses within ISO 13485 may be identified as “non-applicable” based upon the nature of your medical device or service. You must also document the reason for non-applicability in your quality manual. Typically, the following clauses are common clauses identified for non-applicability:
Clause 4.1.6 – quality system software
Clause 6.4 – work environment
Clause 7.5.2 – cleanliness of the product
Clause 7.5.3 – installation
Clause 7.5.4 – servicing
Clause 7.5.5 – sterile devices
Clause 7.5.6 – process validation
Clause 7.5.7 – sterilization validation
Clause 188.8.131.52 – implantable devices
Clause 7.5.10 – customer property
Clause 8.3.4 – rework
Task 3 – Assign a process owner to each process
The third task is to assign a process owner to each of the processes in your quality system. Typically, you create a master list of each of the required processes. Usually, the assignments are made to managers in the company who may delegate some or all of a specific process. You should expect most managers to be responsible for more than one process because there are 28 required procedures in ISO 13485:2016, but most companies have fewer than ten people when they first implement a quality system.
Task 4 – Prioritize and schedule the implementation of each process
The fourth task is to identify which processes need to be created first and to schedule the implementation of procedures from first to last. You can and should build flexibility into the schedule, but some procedures are needed at the beginning. For example, you need document control, record control, and training processes to manage all of your other procedures. You also need to implement the following processes to document your Design History File (DHF): 1) design controls, 2) risk management, 3) software development (if applicable), and 4) usability. Therefore, these represent the seven procedures that most companies will implement as early as possible. Procedures such as complaint handling, medical device reporting, and advisory notice procedures are usually reserved for last. These procedures are last because they are not needed until you have a medical device in use.
Task 5 – Create forms, flowcharts, and procedures for each process
Forms create the structure for records in your quality system, and a well-designed form can reduce the need for lengthy explanations in a procedure or work instruction. Therefore, you should consider developing forms first. The form should include all required information that is specified in the applicable standard or regulations, and the cells for that information should be presented in the order that the requirements are listed in the standard. You might even consider numbering the cells of the form to provide an easy cross-reference to the corresponding section of the procedure. Once you create a form, you might consider creating a flowchart next. Flowcharts provide a visual representation of the process. You might consider including numbers in the flow chart that cross-reference to the form as well.
Once you have created a form and a flowchart, you are now ready to write your quality system procedure. Many sections are typically included in a procedure template. It is recommended that you use a template to ensure that none of the basic elements of a procedure are omitted. You might also consider adding two sections that are uncommon to a procedure: 1) risk analysis of the procedure with the identification of risk controls to prevent risks associated with the procedure, and 2) a section for monitoring and measurement of the process to objectively measure the effectiveness of the process. These metrics are the best sources of preventive actions, and some of the metrics might be potential quality objectives to be identified by top management.
Task 6 – Perform a gap analysis of each procedure
Most companies rely upon internal audits to catch missing elements in their procedures. However, audits are intended to be a sampling rather than a 100% comprehensive assessment. Therefore, when a draft procedure is being reviewed and approved for the first time, or a major re-write of a procedure is conducted, a thorough gap analysis should be done before the approval of the draft procedure. Matthew Walker created an article explaining how to conduct a gap analysis of procedures. In addition, Matthew has been gradually adding cross-references to ISO 13485:2016 requirements in each procedure. He is color-coding the cross-referenced clauses in blue font as well. This makes it much easier for auditors to verify that a procedure is compliant with the regulations with minimal effort. The success of these two methods has taught us the importance of conducting a gap analysis of all new procedures.
Task 7 – Train applicable personnel for each process
You are required to document the training requirements for each person or each job in your company. Documentation of training requirements may be in a job description or within a procedure. In addition to defining who should be trained, you also need to identify what type of training should be provided. We recommend recording your training to ensure that new future employees receive the same training. This will ensure consistency. You are also required to maintain records of the training. You must verify that the training was effective, and you need to check whether the person is competent in performing the tasks. This training may require days or weeks to complete. Therefore, you may want to start training people several weeks before your procedure is approved. Alternatively, you can swap the order of tasks and conduct training after the procedure approval. If that approach is taken, then the procedure should indicate the date the procedure becomes effective–typical 30 days after approval to allow time for training.
Task 8 – Approve the procedure
Approval of a procedure may be accomplished by signing and dating the procedure itself, while another approach is to create a document that lists all the procedures and forms being approved at one time. The second method is the method we use in our turn-key quality system. Companies can review and approve as many procedures at one time as they wish. Since this process needs to be defined to ensure that all of the procedures you implement are approved, the document control process is typically the first procedure that companies will approve in a new quality system. The second procedure generally is for the control of records. Then the next procedures implemented will typically be focused on the documentation of design controls: design controls, risk management, usability testing, and software development. The last procedures to be approved are typically complaint handling, medical device reporting, and recalls. These procedures are left for last because you don’t need them until you are selling your medical device.
Task 9 – Start using the procedure and generating records
The last task required for the implementation of a new quality system is to start using the procedures to generate records. All of the procedures will need records before the process can be verified to be effective. Records can be paper-based, or the records can be electronic. Whichever format you use for the record retention needs to be communicated to everyone in the company through your Control of Records procedure and/or within each procedure. If you include the information in each procedure, the records of each procedure should be listed in the procedure, and the location where those records are stored should be identified. Generally, there is no specific minimum number of records to have for a certification audit, but you should have at least a few records for each process that you implement.
Step 2 – Conducting your first internal audit
The purpose of the internal audit is to verify the effectiveness of the quality system and to identify nonconformities before the certification body auditor finds them. To successfully achieve this secondary objective, it is essential to have a more rigorous internal audit than you expect for the certification audit. Therefore, the internal audit should be of equal duration or longer in duration than the certification audit. The internal audit should not consist of a desktop review of procedures. Reviewing procedures should be part of gap analysis (i.e., task 6 above) that is conducted on draft procedures before they are approved. Internal audits should utilize the process approach to auditing, and the auditor should apply a risk-based approach (i.e., focus on those processes that are most likely to contribute to the nonconforming products, result in a complaint, or cause severe injuries and death).
After your internal audit, you will receive an internal audit report from the auditor. You should also expect findings from the internal auditor, and you should expect opportunities for improvement (OFI) to be identified. Experienced auditors can typically identify the root cause of a nonconformity more quickly than most process owners. Therefore, it is recommended for each process owner and subject matter expert to review nonconformities with the auditor and discuss how the nonconformity should be investigated. The root cause must be correctly identified during the CAPA process, and the effectiveness check must be objective to ensure that problems do not recur.
Step 3 – Initiating corrective actions
Corrective actions should be initiated for each internal audit finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 1 audit. It will take a minimum of 30 days to implement the most corrective actions. Depending upon the scheduling of the internal audit, there may not be sufficient time to complete the corrective actions. However, you should at least initiate a CAPA for each finding, perform an investigation of the root cause, and begin to implement corrective actions.
Also, to take corrective actions related to internal audit findings, you should look for internal audits from other sources. The diagram below shows several different sources of potential corrective and preventive actions.
Monitoring and measuring each process is the best source of preventive actions, while internal audits are typically the best source of corrective actions. Any quality problems identified during validation are also excellent sources of corrective actions because the validation can be repeated as a method of demonstrating that the corrective actions are effective. However, your ISO 13485 certification auditor will focus on non-conforming products, complaints, and services as the most critical sources of corrective actions. These three sources are prioritized because these three sources have the greatest potential for resulting in a serious injury, death, or recall if corrective actions are not implemented to prevent problems from recurring.
Step 4 – Conducting your first management review
In addition to completing a full quality system audit before your stage 1 audit, you are also expected to complete at least one management review. To make sure that you have inputs for each of the 12 requirements in the ISO 13485:2016 standard, it is recommended to conduct your management review only after you have completed your full quality system audit and initiated some corrective actions. If possible, you should also conduct supplier audits for any contract manufacturers or contract sterilizers. It is recommended to use a template for that management review that is organized in the order of the required inputs to ensure that none of the necessary inputs are skipped. Quality objectives will need to be established long before the management review so that the top management team has sufficient time to gather data regarding each of the quality objectives. Also, you should consider delegating the responsibility for creating the various slides for each input to different members of top management. This will ensure that everyone invited to the meeting is engaged in the process, and it will spread the workload for meeting preparation across multiple people.
At the end of the meeting, top management will need to create a list of action items to be completed before the next management review meeting. Meeting minutes will need to be documented for the meeting, including the list of action items and each of the four required outputs of the management review process. We recommend using the notes section of a presentation slide deck to document the meeting minutes related to each slide. Then the slide deck can be converted into notes pages and saved as a PDF. The PDF notes pages will be your final meeting minutes for the management review. An example of one of these notes pages is provided in the figure below.
One of the more common non-value-added findings by auditors is when an auditor issues a nonconformity because you do not have your next internal audit and your next management review scheduled–even though each may have occurred only a month prior to the Stage 1 audit. Therefore, we recommend that you document your next 12-month cycle for internal audits and schedule your next management review as action items in every management review meeting. The schedule can be adjusted if needed, but this allows top management to emphasize various areas in internal audits that may need improvement. You might even set a quality objective to conduct a minimum of three management reviews per year at the end of your first management review.
Step 5 – Stage 1, Initial ISO 13485 Certification Audit
In 2006, the ISO 17021 Standard was introduced for assessing certification bodies. This is the standard that defines how certification bodies shall go about conducting your initial certification audit, annual surveillance of your quality system, and the re-certification of your quality system. In the past, certification bodies would typically conduct a “desktop” audit of your company before the on-site visit to make sure that you have all the required procedures. However, ISO 17021 requires that certification bodies conduct a Stage 1 audit that assesses the readiness of your company before conducting a Stage 2 audit. Therefore, even if the Stage 1 audit is conducted remotely, the certification body is expected to interview process owners and sample records to verify that the quality system has been implemented. Certification body auditors will also typically verify that your company has conducted a full quality system audit and at least one management review. Finally, the auditor will usually select a process such as corrective action and preventive action (CAPA) to make sure that you are identifying problems with the quality system and taking appropriate measures to address those problems.
Your goal for the Stage 1 audit should not be perfection. Instead, your focus is to make sure that there are no “major” nonconformities. The term “major” used to have a specific definition:
Absence of a documented procedure or process
Release of nonconforming product
Repeat nonconformities (not possible during a Stage 1)
Under the MDSAP, the grading system for nonconformities now uses a numbering system for grading nonconformities: “Nonconformity Grading System for Regulatory Purposes and Information Exchange Study Group 3 Final Document GHTF/SG3/N19:2012.” Any nonconformity is graded on a scale of one to four, and then two potential escalation rules are applied. If any nonconformities are graded as a four or a 5, then the auditor must assess whether a five-day notice to Regulatory Authorities is required. A five-day notice is required in either of the following situations: 1) one or more findings grading of “5”; or 2) three or more findings graded as “4.” If your Stage 1 audit results in a five-day notice, then you are not ready for your Stage 2 audit. For example, a complete absence of two required procedures in clauses 6.4 through 8.5 of ISO 13485:2016 would result in two findings with a grading of “4.” This would not result in a five-day notice, but the absence of a third required procedure would result in a five-day notice.
The duration of your Stage 1 audit will be one or two days, but a 1.5-day audit is quite common for MDSAP Stage 1 audits. The reason for the 1.5-day Stage 1 audit is that it is challenging to assess readiness for Stage 2 in one day, and if the total duration of Stage 1 and Stage 2 is 5.5 days, then the Stage 2 audit could be completed in four days. The four-day audit is more convenient than a three-day audit for a two-person audit team.
After your Stage 1 audit, you will receive an audit report, and you should expect findings. You should initiate corrective actions for each finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 2 audit. The duration between the audits is typically about 4-6 weeks. That does not leave much time for you to initiate a CAPA, perform an investigation of the root cause, and implement corrective action. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. You are also unlikely to have enough time to conduct an effectiveness check prior to the Stage 2 audit.
Step 6 – Stage 2, Initial ISO 13485 Certification Audit
The Stage 2 initial ISO 13485 certification audit will verify that all regulatory requirements have been met for any market you plan to distribute in. The auditor will complete an MDSAP checklist that includes all of the regulatory requirements for each of the countries that recognize MDSAP: 1) the USA, 2) Canada, 3) Brazil, 4) Austria, and 5) Japan. The auditor will also sample records from every process in your quality system to verify that the procedures and processes are fully implemented. This audit will typically be at least four days in duration unless multiple auditors are working in an audit team.
The audit objectives for the Stage 2 ISO 13485 certification audit specifically include evaluating the effectiveness of your quality system in the following areas:
Applicable regulatory requirements
Product and process-related technologies
All procedures will be reviewed for compliance with ISO 13485:2016 and the applicable regulations. The auditor will also sample records from each process. If the auditor identifies any nonconformities during the audit, it is important to record the findings and begin planning corrective actions immediately. If you have any questions regarding the expectations for the investigation of the root cause, corrections, corrective actions, and effectiveness checks, you should ask the auditor during the audit or the closing meeting. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. The auditor will not be able to recommend you for ISO 13485 certification until your corrective action plans are accepted.
If you receive a finding with a grading of “5,” or three or more findings graded as “4,” then the MDSAP auditor is required to issue a five-day notification to the regulators. The auditor will also need to return to your facility for a follow-up audit to close as many findings as they can. It is not necessary to eliminate all of the findings in order to be recommended for ISO 13485 certification, but the grading of the findings must be reduced to at least a “3” before recommending the company for certification. The number of findings also determines whether the auditor recommends your company for certification.
In addition to reviewing the findings and conclusions of the audit during the closing meeting, the auditor will also review the plan for the annual surveillance and re-certification with you. Each certification cycle is three years in duration. There will be two surveillance audits of approximately one-third the duration of the combined duration of stage 1 and stage 2 initial certification audits, and the first surveillance audit must be completed within 12 months of the initial certification audit. In the third year, there will be a re-certification audit for two-thirds of the duration of the combined duration of stage 1 and stage 2 initial certification audits. The initial ISO 13485 certificate will be issued with a three-year expiration, and the certificate is typically received about one month after the acceptance of your corrective action plan.
There are no stupid questions, and we can save your weeks of wasted time if you just ask for help. We are always looking for new ideas for blogs, webinars, and videos on our YouTube channel. If you have any general questions about obtaining ISO 13485:2016 certification, please email Rob Packard firstname.lastname@example.org. If you have a suggestion for new ISO 13485 training materials, you can also use our “Suggestion Box.” You can also schedule an initial free consultation with Rob using his calendly link.
This article provides an overview of the new 510k electronic submission guidance document that the FDA released in September 2022.
What’s included in the 510k electronic submission guidance?
As with any FDA guidance, there is an introduction and background regarding the reason for the new 510k electronic submission guidance document (i.e., eSTAR guidance). In the scope section, the FDA specifies that this document is specific to 510k submissions using the eSTAR template. The FDA has plans to release a similar De Novo submission guidance for using the eSTAR template. In the “Significant Terminology” section of the guidance, the FDA provides definitions for each of the different types of submissions: eCopy, eSubmitter, etc. Then the next to last section of the electronic submission guidance, the FDA provides a table outlining all of the sections of the new eSTAR template. The table is reproduced later in this article. If you are interested in a tutorial on completing each section outlined in the table, we recommend purchasing Medical Device Academy’s 510(k) Course. The last section of the eSTAR guidance indicates the timing for compliance with the new guidance.
What is the deadline for compliance with the guidance?
In this new 510k electronic submission guidance document, the FDA indicates that using the eSTAR template and compliance with the eSTAR guidance is voluntary until October 1, 2023. Therefore, after FY 2023, all 510k submissions must be submitted as an eSTAR submission instead of using the older traditional 510k submission format. The FDA also provides a hyperlink for requesting a Customer Collaboration Portal (CCP) account.
What’s missing from this 510k submission guidance?
The new 510k electronic submission guidance does not provide information regarding the receipt date for electronic submissions made through the new customer collaboration portal (CCP) created by CDRH. The image below is a screen capture of the current CCP upload webpage. It includes the following statement, “Send your submission before 16:00 ET on a business day for us to process it the same day.” This statement was added sometime in August or September, but the FDA has not released a detailed explanation. This statement makes it clear that the FDA is not promising to process a submission the “same day” if the submission is received after 4:00 pm ET. However, “processed” does not have the same meaning as “receipt date.”
Another element missing from this new guidance is a reference to human factors documentation. For any devices that have a user interface that is different from the predicate device, and for software devices, the FDA requires documentation of your human factors process to make sure that differences in the user interface do not result in new or different risks when compared to the predicate device. The 2016 FDA guidance for human factors has not been updated, but FDA reviewers continue to issue deficiencies related to the objective evidence provided in a 510k for human factors validation.
The FDA must be consistent in the wording for “Hours for Receipt of Submission” because this affects submissions at the end of the fiscal year, but it also affects any submissions with a deadline for response to an RTA Hold, AI Response, and IDE submissions. The CDER and CBER divisions of the FDA address the need for defining the date of receipt in a guidance document specific to this topic, “Providing Regulatory Submissions in Electronic Format–Receipt Date.” Below is a screen capture copied from page 4 of the guidance.
Another element missing from this new guidance is a reference to human factors documentation. For any devices that have a user interface that is different from the predicate device, and for software devices, the FDA requires documentation of your human factors process to make sure that differences in the user interface do not result in new or different risks when compared to the predicate device. The 2016 FDA guidance for human factors has not been updated, but FDA reviewers continue to issue deficiencies related to the objective evidence provided in a 510k for human factors validation.
What are the new sections for a 510k submission?
In 2019, the FDA released a guidance document on the “Format of Traditional and Abbreviated 510(k)s.” That guidance outlines the 20 sections of a traditional 510k submission that have been used for decades. However, the new 510k electronic submission guidance has no numbering for the sections of the eSTAR template, and there are 22 sections instead of 20 sections. Several of the new sections are elements of the current FDA submission cover sheet (i.e., FDA Form 3514), and some sections exist in the 2019 guidance that were eliminated, such as: “Class III Summary and Certification.” Therefore, Medical Device Academy is recreating 100% of our 510k training webinars to explain how our 510k templates are used with the 510k eSTAR template and how to fill in the PDF form. To prevent confusion between the two formats, we are using letters for each section in the eSTAR template instead of numbers (i.e., A-V instead of 1-20). Table 1 from the new eSTAR guidance is reproduced below for your information.
Identification of key information that may be useful to FDA in the initial processing and review of the 510(k) submission, including content from current Form FDA 3514, Section A.
Cover Letter / Letters of Reference
Attach a cover letter and any documents that refer to other submissions.
Information on submitter and correspondent, if applicable, consistent with content from current Form FDA 3514, Sections B and C.
Information on prior submissions for the same device included in the current submission, such as submission numbers for a prior not substantially equivalent (NSE) determination, prior deleted or withdrawn 510(k), Q-Submission, Investigational Device Exemption (IDE) application, premarket approval (PMA) application, humanitarian device exemption (HDE) application, or De Novo classification request.
Identification of voluntary consensus standard(s) used, if applicable. This includes both FDA-recognized and nonrecognized consensus standards.
Identification of listing number if listed with FDA.
Descriptive information for the device, including a description of the technological characteristics of the device including materials, design, energy source, and other device features, as defined in section 513(i)(1)(B) of the FD&C Act and 21 CFR 807.100(b)(2)(ii)(A). Descriptive information also includes a description of the principle of operation for achieving the intended effect and the proposed conditions of use, such as surgical technique for implants; anatomical location of use; user interface; how the device interacts with other devices; and/or how the device interacts with the patient.
Information on whether the device is intended to be marketed with accessories.
Identification of the proposed indications for use of the device. The term indications for use, as defined in 21 CFR 814.20(b)(3)(i), describes the disease or condition the device will diagnose, treat, prevent, cure, or mitigate, including a description of the patient population for which the device is intended.
Identification of the classification regulation number that seems most appropriate for the subject device, as applicable.
Predicates and Substantial Equivalence
Identification of a predicate device (e.g., 510(k) number, De Novo number, reclassified PMA number, classification regulation reference, if exempt and limitations to exemption are exceeded, or statement that the predicate is a preamendments device).
Submission of proposed labeling in sufficient detail to satisfy the requirements of 21 CFR 807.87(e). Generally, if the device is an in vitro diagnostic device, the labeling must also satisfy the requirements of 21 CFR 809.10. Additionally, the term “labeling” generally includes the device label, instructions for use, and any patient labeling. See “Guidance on Medical Device Patient Labeling.”
For in vitro diagnostic devices: Provide analytical performance, comparison studies, reference range/expected values, and clinical study information.
Inclusion of any literature references, if applicable.
Inclusion of additional administrative forms applicable to the submission, including but not limited to a general summary of submission/executive summary (recommended), a Truthful and Accuracy Statement, and a 510(k) Summary or statement.
Amendment/Additional Information (AI) response
Inclusion of responses to Additional Information requests.
Important information in the eSTAR guidance
In Table 1 above, there are 14 hyperlinks to various FDA guidance documents. These links are extremely helpful when you have questions about a specific question. Unfortunately, the 510k electronic submission guidance document will quickly become out-of-date as guidance documents are updated and are made obsolete. In particular, one of the A-list final guidance documents planned for FY 2023 is the FDA cybersecurity guidance. We expect that guidance to be updated and released any day.
What do you look at and look for when you are auditing risk management files to ISO 14971 and the new Regulation (EU) 2017/745?
Your cart is empty
Next week, November 15th @ Noon EST, you will have the opportunity to watch a live webinar teaching you what to look at and what to look for when you are auditing risk management files to Regulation (EU) 2017/745 and ISO 14971. Risk Management Files are one of the essential requirements of technical documentation required for CE Marking of medical devices. Most quality system auditors are trained on how to audit to ISO 13485:2016 (or an earlier version of that standard), but very few quality system auditors have the training necessary to audit risk management files.
Why you are not qualified to audit risk management files
Being a qualified lead auditor is not enough to audit the risk management process. When you are auditing a risk management file, you need risk management training and lead auditor training. To audit the risk management process, you will also need training on applicable guidance documents (i.e., ISO/TR 24971:2020) and applicable regulations (i.e., Regulation 2017/745 and/or Regulation 2017/746). There may also be device-specific guidance documents that specify known risks and risk controls that are considered state-of-the-art.
Creating an audit agenda
Once you have scheduled an audit of risk management files, and assigned a lead auditor, then the lead auditor needs to create an audit agenda. The audit can be a desktop audit that is performed remotely, or it can be an on-site audit. Regardless of the approach, the audit should include interviewing participants in the risk management process documented in the risk management file. As a rule of thumb, I expect a minimum of 30 minutes to be spent interviewing the process owner and one or more other participants. Then I spend an additional 60 minutes of auditing time reviewing documents and records.
Your audit agenda should specify the following items at a minimum:
the method of auditing to be used,
date(s) of the audit,
the duration of the audit,
the location of the audit, and
the auditing criteria.
The auditor(s) and the auditee participants should be identified in the audit agenda. Finally, you should specify which documents and records are required for audit preparation. These documents will be used to help identify audit checklist questions and to determine a sampling plan for the audit. At a minimum, you will need a copy of the risk management procedure and a list of the risk management files that are available to audit. You may also want to request the audit plan for each of those risk management files.
What did you look at and look for during your risk management audit?
When you audit the risk management process, you could take any of the following approaches or a combination of more than one. You could audit the process according to the risk management procedure. You could audit the process according to the risk management plan(s) for each risk management file. You could audit using the process approach to auditing. Finally, you could audit in accordance with specific requirements in the ISO 14971:2019 standard and applicable regulations (i.e., Regulation 2017/745). Regardless of which approach you take, your audit notes and the audit report should identify which documents and records you sampled and what you looked for in each document. Providing only a list of the documents is not enough detail.
Creating an auditing checklist for risk management files
Auditors with limited experience are taught to create an audit checklist by creating a table that includes each of the requirements of the audit criteria. For a risk management file, this would include a list of each of the requirements in ISO 14971 for a risk management file (i.e., Clause 9???). However, this approach is more like the approach that you should be using for a gap analysis. The better approach for creating an audit checklist for risk management files is to start by creating a turtle diagram. In the “process inputs” section (i.e., step 2 of 7), you would add questions derived from your review of the risk management plan(s). In the “process outputs” section (i.e., step 3 of 7), you would add questions specific to the risk management report and other records required in a risk management file. In the “with whom” section (i.e., step 5 of 7), you would add questions related to training and competency. You might also identify additional people involved in the risk management process, other than the process owner, to interview as a follow-up trail. In the “how done” section (i.e., step 6 of 7), you would add questions specific to the procedure and forms used for the risk management process. Finally, in the “metrics” section (i.e., 7 of 7), you would verify that the company is conducting risk management reviews and updating risk management documentation in accordance with the risk management procedure and individual risk management plan(s).
Audits are just samples
Just because you can generate a lot of questions for an audit checklist does not mean that you are required to address every question. Audits are intended to be a “spot check” to verify the effectiveness of a process. You should allocate your auditing resources based on the importance of a process and the results of previous audits. I recommend approximately three days for a full quality system audit, and approximately 90-minutes should be devoted to a process unless it is the design control process (i.e., Clause 7.3 of ISO 13485) which typically requires three to four hours due to the importance and complexity of the design controls process. Therefore, you should schedule approximately 30 minutes to interview people for the risk management process and approximately 60 minutes should be reserved for reviewing documents and records. With this limited amount of time, you will not be able to review every record or interview everyone that was involved in the risk management process. This is why auditors always remind auditees that an audit is just a sampling.
Which records are required in a risk management file?
The contents of a risk management file is specified in ISO 14971:2019, Clause 4.5. There are only four bullets in that section, but the preceding sentence says, “In addition to the requirements of other clauses of this document.” Therefore, your risk management file should address all of the requirements in ISO 14971:2019. What I recommend is a virtual risk management folder for each risk management file. As the auditor, you should also request a copy of the risk management policy and procedure. An example of what this would look like is provided below. The numbers in front of each subfolder correspond to the sub-clause or clause for that requirement in ISO 14971:2019.
Which records are most valuable when auditing risk management files?
As an auditor, I typically focus on three types of targets when auditing any process. First, I will sample any corrective actions implemented in response to previous audit findings. Second, will sample documents and records associated with any changes made to the process. Changes would also include any changes that were made to individual risk management files or the creation of a new risk management file. Finally, my third target for audit sampling is any item that I feel is at risk for safety or performance failures. The severity of the safety or performance failure is also considered when prioritizing audit sampling. In the context of a risk management file, I always verify that production and post-production activities are being conducted as planned. I try to verify that risk analysis documentation was reviewed for the need to update the documentation in response to complaints and adverse events.
More auditor training on risk management files
We are recording a live webinar intended to teach internal auditors and consultants how to perform a thorough audit of risk management files against the requirements of the new European Regulation (EU) 2017/745 and ISO 14971.
Auditing Risk Management Files
In this new webinar, you will learn how to conduct a process audit of risk management files. You will learn what to look at and what to look for in order to verify compliance with Regulation (EU) 2017/745 and ISO 14971:2019. The webinar will be approximately one hour in duration. Attendees will be invited to participate in the live webinar and receive a copy of the native slide deck. Anyone purchasing after the live event will receive a link to download the recording of the live event and the native slide deck.
In addition to this webinar on auditing risk management files, we also have other risk management training webinars available. The webinar on auditing risk management files will be hosted live on November 15, 2022 @ Noon EST (incorrect in the live video announcement).
The FDA Breakthrough Device Designation was created in 2015 to expedite device access for life-threatening and debilitating diseases.
What is the FDA Breakthrough Device Designation?
The FDA Breakthrough Device Designation is a formal identification by the US FDA that a device in development should be expedited for patient access because it has a reasonable chance of providing more effective treatment than the standard of care for the treatment or diagnosis of life-threatening or irreversibly debilitating human disease or conditions.
To be granted breakthrough status, your device must also meet at least one of the following four secondary criteria:
Represents Breakthrough Technology
No Approved or Cleared Alternatives Exist
Offers Significant Advantages over Existing Approved or Cleared Alternatives
Device Availability is in the Best Interest of Patients
Once the FDA has designated your device as a breakthrough device, all future communications with the FDA related to that device should be identified with the Q-sub reference number assigned to your breakthrough request.
What are the benefits of receiving the designation?
The breakthrough designation helps the FDA identify new technology to focus on in order to expedite access to novel devices that will save lives and treat debilitating diseases. It takes the FDA longer to review these devices because they may raise novel scientific and regulatory issues. Therefore, the FDA prioritizes 510k and De Novo submissions for breakthrough devices over other 510k and De Novo submissions, and the FDA’s senior management is involved in the review process. The average review time for the seventeen 510k cleared breakthrough devices was 155 days*. This may not seem like an expedited review, but the average review time for 510k cleared devices that require additional testing data is almost 270 days. The average review time for the twenty De Novo Classification Requests designated as breakthrough devices was 251 days*. This represents a significant improvement compared to the average De Novo Decision timeline of 338 days for 2019-2022.
*Metrics updated on 10/31/2022 with data through 9/30/2022
Breakthrough Device Designation by the FDA also has a benefit concerning reimbursement. Typically new technology is not covered by CMS for the first two years. Specifically, the Centers for Medicare and Medicaid Services (CMS) typically takes two years to establish qualification for public reimbursement coverage in the USA. In contrast, private insurers are inconsistent in their coverage because Medicare Administrative Contractor (MAC) is divided into 13 different US regions, each making independent coverage decisions case-by-case. When you receive Breakthrough Device Designation, you receive immediate coverage through CMS until traditional coverage takes effect. This interim coverage period allows your company to establish the clinical benefits of your device so that you can apply for payment and coding to establish long-term reimbursement coverage.
Mechanisms of Expedited FDA Review
In addition to identifying breakthrough devices for priority review and involving the FDA’s senior management, the FDA also offers four other mechanisms for improving the review time. First, the FDA offers “Sprint discussions.” A “Sprint” discussion allows the FDA and the company to discuss a single topic and reach an agreement in a set time period (e.g., 45 days). The FDA provides an example of a Sprint discussion similar to a pre-submission meeting, but the overall timeline is half the duration of the FDA’s target MDUFA V decision goals.
The second mechanism for improving the review time is a Data Development Plan (DDP). Using this mechanism, the FDA will work with the company to finalize the non-clinical and clinical testing plans for the breakthrough device. This may include starting clinical testing earlier while deferring certain non-clinical testing.
The third mechanism for improving the review time is Clinical Protocol Agreement. In this scenario, the FDA will interactively review changes to clinical protocols rather than conducting a protocol acceptance review first. Therefore, the time required to review and approve a clinical protocol change is less, and the sponsor can complete their clinical studies in less time.
The fourth mechanism for improving the review time is a prioritized pre-submission review. If a company prefers to discuss multiple issues in one meeting rather than conducting Sprint discussions on single topics, then the FDA will prioritize pre-submission review. The prioritized pre-submission will be tracked as an interactive review with a shorter timeline than other pre-submission meeting requests.
How do you apply to the FDA for Breakthrough Designation?
To receive the designation, you must prepare a Breakthrough Device Designation request and submit it to the FDA Document Control Center (DCC) as an eCopy. The eCopy can be done via FedEx or through the new Customer Collaboration Portal (CCP) launched by the FDA in 2022. Your application could consist of a single document, but we recommend at least three documents: 1) a formal request outlining how your device meets the criteria for breakthrough designation, 2) a detailed device description, and 3) preliminary clinical data demonstrating the feasibility of your device delivering performance claimed in your request for designation. There are no user fees associated with the application for breakthrough designation, and you are not prevented from submitting other types of submissions in parallel with the breakthrough designation request, such as a pre-submission or investigational device exemption (IDE).
When should you apply to the FDA?
If the FDA denies an initial breakthrough designation request, the company may re-submit a request at a later date. Therefore, companies should submit requests as soon as they can provide preliminary clinical data to demonstrate the feasibility of the device’s claimed performance. Therefore, a breakthrough designation request would typically be submitted at the conclusion of an Early Feasibility Study (EFS), which allows a maximum of ten clinical subjects.
How many companies have received Breakthrough Designation from the FDA?
Since the start of the Breakthrough Designation program in 2015, the FDA has granted 728 devices Breakthrough Device Designation*. CDRH, the device division of the FDA, granted 722, while CBER, the biologics division of the FDA, granted 6*. The breakthrough designation, however, does not guarantee FDA market authorization. Only 56 of the breakthrough designations have resulted in market authorization so far. Two of the 56 devices were reviewed by CBER. Of the remaining 54 devices, 16 devices received 510k clearance, 18 De Novo Classification Requests were granted, and 20 PMAs were approved*. Given the number of submissions received each year, only 10-15% of De Novo and PMA submissions are also Breakthrough Devices. In contrast, only about 0.1% of 510k submissions are also Breakthrough Devices.
*Metrics updated on 10/31/2022 with data through 9/30/2022
The new FDA goal is to review De Novo submissions within 150 days for 70% of De Novo submissions, but how long does it take now?
What is an FDA De Novo submission?
An FDA De Novo submission is an application submitted to the FDA for creating a new device product classification. There are three classifications of devices by the FDA: Class 1, Class 2, and Class 3. Class 1 devices are the lowest-risk devices, and they only require general controls. Class 2 devices are moderate-risk devices that require “Special Controls,” and Class 3 are high-risk devices that require Pre-Market Approval (i.e., PMA). De Novo applications can only be submitted for Class 1 and Class 2 devices, and most of the De Novo submissions require clinical data to demonstrate that the clinical benefits of the new device classification outweigh the risks of the device to patients and users.
What is the FDA’s goal for a decision timeline?
Initially, the FDA required that Class 2 devices must be first submitted as a 510k submission. If the device did not meet the criteria for a 510k, then the company could re-submit a De Novo Classification Request to the FDA. On July 9, 2012, the regulations were revised to allow companies to submit De Novo Classification Requests directly. This makes sense because some devices have novel indications for use, and submission of a 510k would be a complete waste of time in money. For example, the first SARS-COV-2 test had to be submitted as a De Novo by Biofire to obtain permanent approval for the test instead of emergency use authorization (EUA).
On October 4, 2021, the FDA published a final rule for the review timeline of De Novo Classification Requests. This new regulation identified the review clock for a De Novo as 120 calendar days. Even though 120 days is 30 days longer than the FDA review clock for a 510k, the actual timeline to review De Novo submissions was much longer.
Every five years, when Congress reauthorizes user fee funding of the FDA, new MDUFA goals are established. The draft MDUFA performance goals (which impact FDA funding) were published recently. The specific performance goal to review De Novo submissions is:
FDA will issue a MDUFA decision within 150 FDA Days for 70% of De Novo requests.
There are two problems with this goal. First, the term “FDA Days” is based on calendar days minus the number of days the submission was placed on hold, and we don’t have any visibility into the number of days submissions are placed on hold. In the past, submissions could be placed on hold multiple times during the Refusal to Accept (RTA) screening process, and the “FDA Days” is reset to zero days each time the company receives an RTA hold letter. In addition, even after the submission is finally accepted, the FDA places the submission on hold when they request additional information (i.e., AI Hold). RTA and AI Hold periods can last up to 180 days, and during the Covid-19 pandemic, companies were allowed to extend this up to 360 days.
The second problem with the MDUFA goal is that we only have visibility into the outcome of De Novo submissions that were granted. More than 60 De Novo submissions are submitted each year, but the number of De Novo Classification Requests granted ranged between 21 and 30 over the past three years. Therefore, the 50%+ of De Novo applications denied could skew the % of De Novo that meets the MDUFA goal.
What is the FDA track record in reviewing a De Novo?
Every CEO I speak with asks the same question: “How long does the FDA review take?” In preparation for a webinar I taught about De Novo Classification Requests in 2019, I researched the latest review timelines for De Novo submissions. I expected the review timelines to be close to 150 calendar days because the FDA decision goal was 150 FDA days. The 150-day goal was set in 2018 when Congress approved MDUFA IV. The 2019 data held two surprises:
only 21 De Novo requests were granted in 2019, and
the average review timeline was 307 calendar days (i.e., the range was 108 days to 619 days).
FDA days are not the same as calendar days. Only 23.8% of De Novo submissions were reviewed within 150 calendar days. The FDA doesn’t calculate the number of FDA days as calendar days, but there is no way to know how much time each De Novo spent on hold publicly. Upon seeing the announcement of a new decision goal for MDUFA V on October 5, 2022, I decided to revisit my previous analysis.
*Only 9+ months of data for 2022, because data was collected on October 17, 2022.
We can blame the Covid-19 pandemic for the slower review timelines during the past few years, but you would expect a longer average duration in 2020 if that was the root cause of the FDA’s failure to achieve the MDUFA IV target of 150 calendar days. You would also expect 2021 to have the longest review timelines. Instead, the review timelines are the slowest for 2022. The number of De Novo submissions remains small, and therefore it is hard to be conclusive regarding the root cause of the failure to reach the 150-day decision goal. In addition, the percentage of De Novo applications granted within 150 calendar days was lowest in 2021, as you would expect if the reason for delays is primarily due to the Covid-19 pandemic.
Is there any good news?
The FDA is allowing the new eSTAR templates to be used for De Novo Classification Requests. These new electronic submission templates standardize the format of all 510k and De Novo submissions for FDA reviewers. The eSTAR also forces companies to answer all questions in the FDA reviewer’s checklist to ensure the submission is complete and accurate before the new submission is submitted to the FDA.
The new eSTAR templates were first used in 2021, and our firm has observed shorter overall review timelines and fewer deficiencies identified by FDA reviewers when they submit an “Additional Information Hold” (AI Hold) to companies.
How can the FDA improve De Novo timelines?
The FDA, industry, and Congress seem to be taking the same approach pursued five years ago to improve the review timeline for De Novo submission. MDUFA V authorized additional user fees for De Novo submissions (i.e., 17.8% increase), and the FDA will be authorized to hire additional employees each year during MDUFA V if the performance goals are met. However, there are three other options that the FDA and industry should have seriously considered during the FDA-industry negotiations.
The first option that should have been considered is to allow third-party reviewers to review the elements of a De Novo that are identical to a 510k submission:
electrical safety testing
benchtop performance testing
animal performance testing
human factors engineering
The above approach would require blended pricing where the FDA charges a smaller user fee than a Standard De Novo user fee, and the third-party reviewer charges a smaller fee than a 510k. The combined cost would be higher than the FDA Review of a De Novo, but this would reduce the number of hours the FDA needs to complete their review of a De Novo, and it would allow for pricing that is much lower than the De Novo standard user fee for qualified small businesses.
A second approach would be to pilot a modular review approach. A modular review would be similar to modular reviews for PMA submissions. In a modular review, the FDA can review most submission sections and provide feedback before the human clinical performance data is available. This would not help the few De Novo submissions that do not include human clinical performance data, but this would have a profound positive impact on most De Novo projects. First, the FDA would be able to complete the review of all sections in the submission except the human clinical performance data without delaying the final De Novo decision. Second, a successful review of non-clinical data by the FDA would give investors more confidence to fund pivotal clinical studies required to complete the De Novo submission.
A third approach would be for the FDA to force manufacturers to submit testing plans and protocols as pre-submissions to the FDA. This approach would give the FDA more familiarity with each device and the testing plan before reviewing the data. This approach would also reduce the hours FDA reviewers spend reviewing data that doesn’t meet the requirements and writing deficiencies. This approach would also give investors more confidence to fund De Novo projects for all V&V testing.
MDUFA V is the agreement between the FDA and the medical device industry to fund the review of medical device submissions by the FDA.
What is MDUFA V?
The Medical Device User Fee and Modernization Act (MDUFMA or MDUFA) is a set of agreements between the Food and Drug Administration (FDA) and the medical device industry to provide funds for the Office of Device Evaluations (ODE) to review medical device submissions. FDA user fees were first authorized via MDUFMA in 2002 for FY 2003. Each MDUFA reauthorization has lasted five years, and FY 2023 will be the 21st year.
How are the MDUFA V user fees decided?
Section 738A(b)(1) of the FD&C Act requires that FDA consult with a range of stakeholders, including representatives from patient and consumer advocacy groups, healthcare professionals, and scientific and academic experts, in developing recommendations for the next MDUFA five-year cycle. The FDA initiated the reauthorization process by holding a public meeting on October 27, 2020, where stakeholders and other public members were allowed to present their views on the reauthorization. The following is a list of the four industry groups represented in the MDUFA V negotiations with the FDA:
The FD&C Act further requires that FDA continue meeting with the representatives of patient and consumer advocacy groups at least once every month during negotiations with the regulated industry to continue discussions of stakeholder views on the reauthorization and their suggestions for changes.
What are FDA user fees?
At the very core of it, the FDA user fees fund the FDA Office of Device Evaluation (ODE) budget. Without these user fees, the FDA cannot begin reviewing a medical device submission. This includes 510k, PMA, and De Novo submissions. Before the FDA assigns a reviewer to your submission, you must pay the appropriate device user fee in full unless eligible for a waiver or exemption. If you pay the user fee by credit card, you will need to allow a few extra days for the user fee to clear. Otherwise, your submission will be placed on “User Fee Hold.” Small businesses may qualify for a reduced fee. The FDA will announce the user fees for FY 2024 in a Federal Register notice next August 2023.
When does MDUFA V take effect?
Our team regularly checked the announcement of the MDUFA V user fees from August until last week’s announcement. The announcement of the FY 2023 user fees was delayed because Congress did not approve the MDUFA reauthorization until the last week of September. The new user fees were originally expected to take effect on October 1, 2022, but the announcement of actual user fees for 2022 was announced on October 5, 2022. This was two months later than expected.
Why was MDUFA V delayed, and will it happen again?
MDUFA V was delayed because the user fee reauthorization requires an act of Congress. The House of Representatives approved the Food and Drug Amendments of 2022 on June 8, 2022. However, the Senate did not file a bill until after the August recess. There were also differences between the legislation proposed by the House and the Senate. Therefore, to ensure that the FDA did not have to furlough employees when MDUFA IV funding expired, a temporary reauthorization was approved and signed by the President on September 30, 2022. The short-term continuing resolution is a temporary stopgap to continue funding the FDA until December 16, 2022. However, the continuing resolution covers funding for medical device user fees through September 30, 2027. Therefore, the device industry can expect the FDA to continue to operate regardless of the outcome of temporary policies that expire this December. Still, similar delays occurred with previous MDUFA reauthorization, and we expect more of the same US partisan politics between August 2027 and the November 2027 election.
How much did MDUFA V user fees increase?
The increase is dependent upon the fee type. Annual registration fees are increasing by 14.47% (i.e., $5,672 to $6,493). The MDUFA V user fees increased by a stupendous amount (+55.90%) from $12,745 to $19,870 for the 510k user fees. Yikes! De Novo Classification Requests increased by 17.79% from $112,457 to $132,464. Other submissions increased by similar amounts. For more details, check out the table below (also posted on our homepage).
FDA User Fee FY 2023 represents a 55.90% increase in the 510(k) user fee
Do user fees ever decrease?
If we lived in a magical world where gas prices dropped and stayed low, the inflation-adjusted pricing would decrease for FDA user fees. That has happened once, but I fit into skinny jeans once too.
Why is August 1st important?
August 1st is the first day the FDA starts to accept Small Business Certification Requests for the new fiscal year. That means any small business that wants to keep small business status needs to reapply, and any new business that qualifies for small business status must also apply. The importance of applying for small business status is how much you could save on your submission. The FDA will complete its review of the Small Business Certification Request within 60 calendar days of receipt. Upon completion of the review by the FDA, the FDA will send you a decision letter with your small business designation number or a justification for denial.
Does small business status expire?
Yes, small business status expires. The small business status expires on September 30 of the fiscal year it is granted. A new MDUFA Small Business Certification Request must be submitted and approved each fiscal year to qualify as a small business. If you forget to reapply for small business status on August 1, you can reapply anytime during the year. Still, you will temporarily lose small business status from October 1 until the qualification is renewed. The good news is there is no fee associated with the submission of a Small Business Certification Request. For more information, please visit our webpage dedicated to small business qualifications.
Do you need help completing your initial FDA registration and listing for a medical device? Watch our video to learn how.
The two most common situations for when a company needs to register its establishment with the FDA are 1) when the company is a contract manufacturer and producing a finished device for the first time, and 2) when the company is a specifications developer that recently received a 510k and is about to begin distribution of the newly cleared product. If your company is a specification developer, and you have not yet submitted your first 510k, then you must complete your Medical Device User Fee Cover Sheet first. If you have already received 510k clearance, or your device is exempt from 510k clearance, this article and the associated video will help you complete your FDA registration and listing.
Small Business Status does not apply to FDA registration
Most first-time 510k submissions are from small companies. If your company has gross receipts of less than $100 million, you should apply for status as a small business by completing FDA Form 3602 (for US-based companies) or FDA Form 3602A (for foreign companies)–along with your company’s tax return for the previous year. You should apply every year on August 1st. The qualification process takes 60 days, and you never know when you might need to submit a 510k for a device modification. Qualifying for small business status saves substantially on FDA submission fees. The FDA’s review and decision regarding your application for small business status require 60 days, and the status expires each year on September 30th. If you want additional information about small business qualifications, we created a webpage dedicated to this topic.
Medical Device User Fee Amendment (MDUFA)
A few weeks before you submit your first 510k to the FDA, it is recommended that you create a new account for the user fee website and make your Device Facility User Fee (DFUF) payment. This is the website you must access to pay the 510k submission fee. If you are taking advantage of small business status, you will need the Small Business Decision Number you received in the FDA decision letter in response to FDA Form 3602A. Small and large businesses should follow the directions in the guidance document to set up a new MDUFA account.
Once the user fee account has been created, you need to complete a 510k user fee cover sheet. The FDA provides instructions on how to complete the cover sheet. Payment must be submitted to the FDA as well, and the FDA offers multiple ways to pay the user fee for FDA registration.
After you submit your 510k and receive your 510k clearance letter, you may now begin the marketing and distribution of a product. Once a company starts distributing a new product, the company has 30 days to register the facility and list each device with the FDA. Before registering with the FDA, you must also make a second DFUF payment for the establishment registration fee of $5,672 (the Establishment Registration User Fee increases annually). There is no discount for small business status when paying the FDA registration fee, and the fee is not prorated. Discounts are only available for submission fees (e.g., the 510k user fee). The FDA registration fee must be paid for each facility registered between October 1 and December 31. Your registration will become inactive if renewal fees are not paid on time.
FDA Registration and Listings System (FURLS) Database
The FURLS database is a separate database where companies register facilities and list devices with the FDA. The FURLS account ID and password used for FDA registration of your facility is separate from the user name and password for the user fee website used for the DFUF payment. After you pay the annual registration user fee, you will receive the following information via email: Payment Identification Number (PIN) and Payment Confirmation Number (PCN). You will need this information to complete the registration in the FURLS database.
To create a new FURLS account, you access the following website. This new account should only be created if your company does not already have an account, and the person creating the account should be a trusted manager with the authority to designate sub-accounts when needed. Creating a new account will result in issuing an account ID, and you will need to select a password during the process. You need this information for logging into the system in the future. The FDA also has an account management page if you already have an FDA registration and listing account and need help managing it or making changes.
FDA Registration and Listing – Additional Resources
The FDA created a webpage explaining medical device FDA registration and listing, but the following page is the place I recommend that most companies begin reading. If you want Medical Device Academy to help you with FDA registration, we offer this free of charge to our 510k submission clients and turnkey quality system clients. New clients, and clients that have not hired us for a 510k or quality system, can hire us as a US Agent and/or help with registration and listing by using our calendly link for registration and listing assistance.
If you want additional training on registering and listing your facility with the FDA, please visit the updated CDRH Learn webpage: (Click on “Start Here/The Basics”). The FDA offers a “post-test” and certificate for anyone completing the post-test. I recommend completing this training before setting up a new account and anyone responsible for updating the FDA registration and listing information.
Finally, we can use the new FDA CCP to eliminate FedEx shipments, and 100% of your submissions will be electronic through the portal.
July 2022 Update for the FDA eCopy process
The FDA created a Customer Collaboration Portal (CCP) for medical device manufacturers. Originally, the portal’s purpose was to provide a place where submitters can track the status of their submissions and verify the deadlines for each stage of the submission review process. Last week, on July 19, the FDA emailed all active FDA CCP account holders that they can upload both FDA eCopy and FDA eSTAR files to the portal 100% electronically. Since our consulting team sends out submissions daily, everyone on the team was able to test the new process. If you have a CCP account, you no longer need to ship submissions via FedEx to the Document Control Center (DCC).
FDA CCP step-by-step uploading process
When you are uploading an FDA eCopy for medical device submission to the Document Control Center (DCC), using the new FDA CCP, the following steps are involved:
Click on the “+” symbol on the left panel of the webpage (if you hover over the “+” symbol, you will see “Send a submission”)
Select your desired upload format (pre-submissions, meeting minutes, breakthrough device designations, and withdrawal letters must be submitted as an eCopy)
Click on the “Next” button that appears below the selection formats once a format is selected
Drag & drop your single “.zip” file here, or browse for it.
Click on “Send” button to complete the uploading process.
Verify that the FDA CCP site gives you a confirmation for the successful uploading of your submission.
FDA Q&A about the new FDA CCP Submission Uploading Process
Medical Device Academy Question: Who will be permitted to use the FDA CCP to upload submissions for the DCC? FDA Response: We will first offer this feature in batches to people like you who already use CCP so we can study its performance. We will then refine it and make it available to all premarket submitters.
Medical Device Academy Question: What do you need to use the FDA CCP? FDA Response: You don’t need to do anything to participate since you already use CCP. We will email you again when you can start sending your next submissions online.
Medical Device Academy Question: Suppose another consultant asks me to submit an eSTAR or eCopy for them, or I do this for a member of my consulting team. Is there any reason I cannot upload the submission using my account even though the other person is the official submission correspondent and their name is listed on the cover letter? FDA Response: The applicant and correspondent information of the submission is still used when logging the submission in. The submitter (i.e., the person uploading the submission) is not used in any part of the log-in process. The submission portal is essentially replacing snail mail only; once the DCC loads the submission, whether it be from a CD or an online source, the subsequent process is identical to what it used to be, for now.
Medical Device Academy Question: Is there any type of eCopy that would not be appropriate for this electronic submission process (e.g., withdrawal letters, MAF, or breakthrough device designations)? FDA Response: You can use the eCopy option to submit anything that goes to the DCC, so all your examples are fair game, though interactive review responses would still be emailed to the reviewer.
Medical Device Academy Question: How can I get help from the FDA? FDA Response: If you have questions, contact us at CCP@fda.hhs.gov.