This article defines the requirements for design and risk management planning that were used to create our new design plan template.
Why combine Design and Risk Management Plans into a Design Plan Template?
There are two primary reasons for combining your risk management plan with your design plan. The first reason is to reduce the number of documents you must maintain and control. The second reason is that there are different requirements for risk management during the design process and after commercial release of a new product. Therefore, you will need one risk management during the design phase, and a second risk management plan after your product is released. You can achieve this by incorporating your risk management plan with your design plan and your post-market surveillance plan. Therefore, you only need to maintain two documents instead of four.
Six requirements for your design plan?
There are no specific design planning requirements in the new European MDR, but the requirements for design planning are specified in ISO 13485:2016, Clause 7.3.2. In the previous version of ISO 13485, the requirement for a design procedure and a design plan were combined into one clause (i.e., Clause 7.3.1). Now these two requirements have been split into independent clauses. The requirement to manage the interfaces between various groups involved in the design project was removed from the requirements for design planning in the new version of the standard, but three additional requirements were added. The following sub-clauses did not change (although numbering changed):
7.3.2a) document the design and development stages
7.3.2c) document verification, validation and transfer activities required at each stage
7.3.2d) document responsibilities and authorities
First new requirement in your design plan template
The first new requirement is in Clause 7.3.2b). You are required to document the design reviews required at each stage. This does not mean that a review is required at every stage, but your plan should specify at which stages you will conduct a review. At a minimum, a final design review is required for commercial release of the device. My recommendation is to have a review at every stage for every project. If you design inputs have not changed from the previous version of the device, then the stage leading up to the approval of design inputs will be very short, and that design review meeting can be 30 minutes or less. If you make changes to your design control procedure in the middle of a project, I recommend that you maintain compliance with the existing procedure until the next design review. The design review gives you a great opportunity to document changes to the design procedure, design plan and any other adjustments to documentation that may require completion of a new version of a form.
Second new requirement in your design plan template
The second new requirement is in Clause 7.3.2e). You are required to document methods of traceability between design inputs and outputs. This is a requirement that most companies do poorly. In theory, you can use a spreadsheet to list all the design inputs and the adjacent column can list the corresponding design outputs. Many companies use an input / output / verification / validation (IOVV) diagram. You can also add user needs to this diagram. The challenge with method of documentation is that it is labor intensive to make updates. You must update the references to inputs every time a standard is updated. The outputs must be updated every time a drawing or specification is changed. Every time you update a verification or validation testing report, the diagram must be updated too.
Third new requirement in your design plan template
The third new requirement is in Clause 7.3.2f). You are required to document the resources needed at each stage–including the necessary competence of personnel. In general, companies experiencing difficulties in documenting competency for personnel, but this requires that you document competency for each person on a design project for each stage. My recommendation is to keep it simple. Tables are usually the simplest way to document this type of information. For example, you can use a three-column table: 1) role, 2) responsibility, 3) competency requirements. In general, I recommend that anyone on your design team has training on design controls and risk management. However, training and competency are not equivalent. In order to demonstrate competency, you must have prior experience documented in that area.
What is required in a Risk Management Plan?
EN ISO 14971:2012 requires a risk management plan in Clause 3.4, but there are some subtle changes needed for compliance with the new draft ISO/DIS 14971. In addition, there are new requirements in Regulation (EU) 2017/745. Specifically, in Essential Requirement 3:
(a) establish and document a risk management plan for each device;
(b) identify and analyse the known and foreseeable hazards associated with each device;
(c) estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse;
(d) eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4;
(e) evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability; and
(f) based on the evaluation of the impact of the information referred to in point (e), if necessary amend control measures in line with the requirements of Section 4.
In our previous blog on changes to the risk management process, we identified 9 activities that should be included in your risk management plan:
This article describes updates being made to the ISO 14971 Standard in the new draft version released for comment in July 2018.
There are two versions of ISO 14971 that are currently available. The first is the international version: ISO 14971:2007. The second is the European normative version: EN ISO 14971:2012. There is also a new draft being created by the TC210 committee for release in 2019.
Explanation of the different versions of the ISO 14971 standard
In 2000, the first edition of ISO 14971 was released as the international standard for risk management of medical devices. In 2007, the second edition of ISO 14971 was released. When new international standards are released, a European normative version is also released. The “European Norm” or EN version is intended to identify any gaps between the international standard and the requirements of the applicable European directives (i.e., the MDD, AIMD and the IVDD). These gaps historically were included in the ZA annex at the end of the EN version. However, in 2009 this annex was split into three annexes (i.e., ZA, ZB and ZC) to address each of the three directives separately. In reality, the 2009 annex only differed with regard to the directive referenced. In 2012, a new EN version was released. This new standard included 7 deviations which were controversial. These deviations were intended to identify contradictions between the directives and the international standard, but the interpretations were not agreed with by companies or most of the Notified Bodies. Ultimately, the 7 deviations were required to be addressed in the risk management files for any medical device that was CE Marked.
What changed between ISO 14971:2007 and ISO/DIS 14971:2018?
The TC210 working group assigned to update the ISO 14971 standard (JWG1) was tasked with improving guidance for implementation of ISO 14971, but the committee was also tasked with making these improvements without changing the risk management process. In addition, the committee was asked to move the informative annexes at the end of ISO 14971 from the standard to the guidance document ISO/TR 24971. Therefore, in July the committee released a draft for comment and voting. Draft versions are identified with the prefix “ISO/DIS.” The ISO/DIS 14971 standard released in July has only three annexes: A) Rationale for the requirements, B) Risk management process for medical devices, and C) Fundamental risk concepts (formerly Annex E). The other 7 annexes were moved to the draft of ISO/TR 24971. The reason stated for moving these Annexes to the guidance document was to make future revisions to the guidance easier to implement, because it is a guidance rather than a standard. However, there were also some objectionable recommendations in the informative annexes that were the subject of deviation #3—ALARP from Annex D.8 vs. “As far as possible” in the first indent of section 2 of Annex I in the MDD.
Although the committee was tasks to make improvements in the implementation of ISO 14971 without changing the process, the new draft has subtle changes in the process. Most of these changes can be identified quickly by reviewing the updated risk management flow chart provided in Figure 1. The updated flow chart now has two places where risks are evaluated. The first place is identical the original Figure 1, but now the associated section is clarified to be specific to evaluating individual risks. The second place in the flow chart is new, and specific to evaluation of overall residual risks. The draft standard also states that different acceptability criteria and methods of evaluation may be used for each evaluation phase in the process. There have also been subtle changes to the names of process phases:
Section 7.4 is now “Benefit/Risk” analysis instead of “Risk/Benefit” analysis—although the draft flow chart does not reflect this.
Section 9 is now “Risk Management Review” instead of “Risk Management Report”
Section 10 is now “Production and post-production activities” instead of “Production and post-production information”
There is also more detail in the diagram under the phases for: 1) risk analysis, 2) risk control, and 3) production and post-production activities.
Three new definitions are introduced in the draft standard: 3.2, benefit; 3.15, reasonably foreseeable misuse; and 3.28, state of the art. The section for identification of hazards, Clause 5.4, was reworded and expanded to consider the reasonably foreseeable sequences or combinations of events that can result in a hazardous situation. The draft standard now states that your risk management plan must also include a method to evaluate the overall residual risk and the criteria for acceptability of the overall residual risk. In the section for risk estimation, Clause 5.5, the draft standard states that if the probability of the occurrence of harm cannot be estimated, the possible consequences shall be listed for use in the risk evaluation and risk control. The risk control option analysis priorities in section 7.1 are updated to match the new MDR, Regulation (EU) 2017/745, nearly exactly. In section 9, risk management reports were changed to risk management review and the clause now requires determining when to conduct subsequent reviews and when to update reports. This emphasizes the requirement to continuously update risk management documentation with input from production and post-production information. This mirrors the emphasis on continuously updating post-market clinical follow-up in Regulation (EU) 2017/745, Annex XIV, Part B, Section 5; and continuously updating clinical evaluations in Regulation (EU) 2017/745, Annex XIV, Part A, Section 1.
Will ISO 14971:2019 address the 7 Deviations in EN ISO 14971:2012?
The new MDR, Regulation (EU) 2017/745, revised and clarified the wording of the essential requirements in the MDD. The MDR attempts to clarify the requirements for risk management files of CE Marked products, but the MDR remains different from the requirements of ISO 14971. Unfortunately, because the ISO/DIS 14971 was not intended to change the risk management process of ISO 14971:2007, there will continue to be “deviations” between the MDR and standard.
Some people have tried use ISO/TR 24971, the risk management guidance, as the official interpretation of how the risk management standard. However, the guidance is also a product of the TC210 committee, and it does not meet all requirements of the MDD or the MDR.
The new draft does, however, include changes that address some of the deviations in EN ISO 14971:2012. Below, each of the 7 deviations are listed and hyperlinks are provided to other articles on each individual deviation.
Negligible Risks – The word “negligible” was only in one location in the body of the standard as a note referring to Annex D.8. In the draft, Annex D was removed and relocated to ISO/TR 24971, and the note was eliminated from Clause 3.4—now Clause 4.4 in the draft. This deviation should be fully resolved by the draft.
Risk Acceptability – Clause 7 was renumbered to Clause 8 in the draft, but the title of this clause was also changed from “Evaluation of overall residual risk acceptability” to “Evaluation of overall residual risk.” However, if you read the Clause it still refers to determining acceptability of risks. In note 2 of Annex ZA of the draft, it states that determining acceptable risk must be in compliance with Essential Requirements 1, 2, 5, 6, 7, 8, 9, 11 and 12 of the Directive. This deviation should be fully resolved by the draft.
ALARP vs. “As far as possible” – The European Commission believes that the concept of “ALARP” implies economic considerations, and some companies have used economics as a reason for not implementing certain risk controls. ALARP was eliminated from the notes in the risk management plan clause and by moving Annex D.8 to ISO/TR 24971 and adding note 1 in Annex ZA. This deviation should be fully resolved by the draft.
Benefit/Risk Analysis – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when a benefit/risk analysis must be conducted has not been updated. This deviation is not resolved by the draft. Companies that CE Mark products will need to perform a benefit/risk analysis for all residual risks and all individual risks—despite the wording of the standard.
Risk Control – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when risk controls must be implemented. The International Standard gives companies the option to avoid implementation of risk controls if the risk is acceptable, while the MDD requires that risk controls be implemented for all risks unless the risk controls create additional risks that increase risks or the risk controls do not actually reduce risks further. This deviation is not resolved by the draft. Companies that CE Mark products will need to implement risk controls for all individual risks—despite the wording of the standard.
Risk Control Options – The intent of Clause 6.2 in ISO 14971:2007 was likely to be the same as the MDD. However, the European Commission identified the missing word “construction” as being significant. Therefore, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. This deviation should be fully resolved by the draft.
IFU Validation – Again, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. However, the examples of information for safety (i.e., warnings, precautions and contraindications) were not included. Hopefully, the final version of 3rd edition will include these examples. Clause 8, evaluation of overall residual risk, was also reworded to state, “the manufacturer shall decide which residual risks to disclose and what information is necessary to include in the accompanying documentation in order to disclose those residual risks.” This deviation should be fully resolved by the draft.
Recommendations for your Risk Management Process?
The most important consideration when establishing a risk management process for medical devices is whether you plan to CE Mark products. If you intend to CE Mark products, then you should write a procedure that is compliant with the current requirements of the MDD and future requirements of Regulation (EU) 2017/745. Therefore, the 7 deviations should be addressed. In addition, you need to maintain compliance with the current version of the Standard.
I recommend creating a process based upon the new updated process diagram in the new draft. The process should begin with a risk management plan. For you plan, you may want to create a template and maintain it as a controlled document. It could also be part of your design and development plan template, but the plan should include each of the following risk management activities:
Risk control option analysis
Risk control verification of effectiveness
Evaluation of overall residual risk
Risk management review
Production and post-production activities
Your procedure should also be integrated with other processes, such as: 1) design control, 2) post-marketing surveillance, and 3) clinical evaluation. Your procedure must clearly indicate the priority for implementation of risk control options. The best strategy for ensuring risk control priorities are compliant is to copy the wording of the new EU Regulations verbatim. Your process should include performing benefit/risk analysis. You should also define your process for risk management review. Your review process should specify when subsequent reviews will be done and when your risk management report will be updated. Finally, you should identify a post-market surveillance plan for each device, or device family, and use that post-market surveillance data as feedback in the risk management process.
The one element that appears to be weakly addressed in the body of the standard is the requirement for traceability of each hazard to the other elements of the risk management process. Although traceability is mentioned in Clause 3.5 of the 2nd edition, and Clause 4.5 of draft 3rd edition of ISO 14971, that is the only place is mentioned in the body of the standard. Traceability is mentioned several more times in Annex A, but the focus seems to be on the risk management file. Companies need more guidance on how to achieve this traceability. The appropriate place for this guidance is probably in ISO/TR 24971, but in order to maintain this documentation it is likely that a software database will be critical to maintaining traceability as changes are made during design iterations and after commercialization. This type of software tool is also need to expedite the review of risk management documentation during complaint investigation.
Which Risk Analysis Tool should you use?
In Annex G of ISO 14971:2007, and the EN 2012 version, there are five different risk analysis tools described. The word “described” is emphasized, because informative annexes are not “recommended.” The committee that created the 2nd edition of ISO 14971 wanted to provide several suggestions for possible risk analysis tools to consider. However, each tool has strengths and weaknesses. Additionally, the widespread use of the failure-mode-and-effects analysis (FMEA) tool in the automotive and aerospace industries has spread to the medical device industry and companies seem to believe that regulators prefer the FMEA tool. This is not true. Companies should be trained in all of these tools, training should consist of more than just reading Annex G and the tools should be used where they are most beneficial. My personal recommendations are below:
Preliminary Hazard Analysis (PHA) – This process is absolutely critical during development of design inputs. It is also the most underutilized analysis tool. I have not seen a single example of this tool written in a procedure by any medical device company. I believe this process should be continuously updated as part of training new design team members and should be both product and project specific.
Fault-tree Analysis (FTA) – This process is a top-down approach to risk analysis. It is heavily utilized by transportation engineers when intersections are designed, and accidents are investigated. This tool depicts risk analysis pictorial as a tree of fault modes representing each possible root cause for failure. At each level of the tree, fault mode combinations are described with logical operators (i.e., AND, OR). The information displays frequency of each fault mode quantitatively. Therefore, when you are investigating a complaint, the tree can be used to help identify possible fault modes that may have been the root cause of device failure. You may also be interested in the standard specific to Fault tree analysis (FTA): IEC 61025:2006.
Failure Mode and Effects Analysis (FMEA) – This process is a bottom-up approach to risk analysis. It is heavily utilized by the automotive and aerospace industries. This tool systematically lists all failure modes in groups organized by component. Risks are estimated based upon severity of effect, probability of occurrence and detectability. Over time, the FMEA process split into three tools: 1) process FMEA (pFMEA), 2) design FMEA (dFMEA), and 3) use FMEA (uFMEA). The first is ideal for analyzing and reducing risks associated with manufacturing of devices. In particular, the detectability factor can be linked closely with process validation. The second evolved from the realization that detection of a risk after the device is in the user’s hands does not actually reduce risk. A risk reduction only occurs if detectability is proactive. Therefore, this was stated in Annex G.4 and companies began to eliminate detectability and continued to use FMEA as their primary tool. Due to the widespread familiarity with the FMEA tool, usability FMEAs became popular for documenting risks associated with use of a device. Unfortunately, the only real advantages of a dFMEA and uFMEA are familiarity with the tool. You may also be interested in the standard specific to FMEA: IEC 60812:2018.
Hazard and Operability Study (HAZOP) – In addition to the risks of using devices, there are also risks associated with the production of devices. Processes related to coating, cleaning and sterilization are all processes that typically involve hazardous chemicals. The chemical and pharmaceutical industries use HAZAP as a tool to analyze these process risk and prevent injuries. You may also be interested in the standard specific to HAZOP: IEC 61882:2016.
Hazard Analysis and Critical Control Point (HACCP) – This process is primarily used by the food industry to prevent the spread of contaminated food supplies. Even though it is not typically used by medical device manufacturers, it should be considered as a tool for managing the supply chain for devices. This model is useful when manufacturing is outsourced, or secondary processing is conducted at second and third-party suppliers. Since many FDA inspectors started in the food industry as inspectors, this is also a method that is supported by the FDA as a risk control process for outsourced processes.
How to document your risks?
For simple devices, risk management documentation is a burdensome task. For complex devices, a spreadsheet could include hundreds of lines or more than even one thousand individual lines. In addition, the requirement for traceability requires additional columns in a table. Therefore, it becomes nearly impossible for you to include all the required information on a page that is 11 inches wide. If you expand your page to 17 inches wide, the size of your font will need to be very small. If you make a change, your spreadsheet can be difficult to update quickly. You could purchase a 43” widescreen TV for your monitor, or you can use dual monitors for your display, but changes remain difficult to implement without a mistake.
You need to stop relying upon spreadsheets. Use a database, and don’t use Microsoft Access. Purchase a database that is designed to document design controls and risk management traceability. If your company has software expertise, develop your own software tool to do this. You should also design standardized templates for exporting your reports. By doing this, it will only take minutes to create an updated report when you make design changes. If you describe the risk management activities as notes in your software, the description of these activities can also be automatically converted into summary pages for each report summarizing that risk management activity. You can even prompt the user to answer questions in the software to populate a templated document. For example, you can prompt users to input subsequent updates of your risk management reviews and that can be automatically converted into a summary paragraph. This reporting capability is especially helpful when responding to FDA review questions asking for cybersecurity risks.
Additional Training Resources for ISO 14971
The risk management training webinar was being completely rewritten to address changes proposed in the new draft of ISO 14971 (i.e., ISO/DIS 14971) released in July 2018 and European requirements for compliance with Regulation (EU) 2017/745. The webinar was live on October 19, 2018; but it was recorded for anyone that was unable to participate in the live session.
SYS-010, Medical Device Academy’s Risk Management Procedure, is compliant with EN ISO 14971:2012. The procedure includes templates for documentation of design risk management and process risk management. However, we are rewriting the procedure for compliance with ISO/DIS 14971:2018 and Regulation (EU) 2017/745. The new version of the procedure will be available on or before October 26, 2018. The procedure is temporarily available at a discounted pre-order price, but the cost will increase to $299 once the new version is available.
The new 5th edition of the biocompatibility standard, ISO 10993-1-2018, was released in August and this article explains the changes and potential impact.
ISO 10993-1-2018 is the 5th edition of the biocompatibility standard for evaluation of medical devices. The new version, released in August, replaces the 2009 version of the standard. I was unable to find a European version of this standard, but you can expect one to be made available very soon–probably before you read this article. If your company is CE Marking devices, once the European standard is released you will be required to perform a gap analysis against the new standard and assess whether retesting is required for your products in order to remain compliant with CE Marking requirements.
The 5th edition includes a foreword that explains the changes from the 4th edition. The 5th edition replaces the 4th edition (i.e., ISO 10993-1-2009), and it incorporates the correction that was made in 2010. The most significant changes from the previous edition are:
Table A.1 in Annex A, Evaluation Tests for Consideration, was expanded with the addition of six new columns:
“physical and/or chemical information”
“material mediated pyrogenicity”
In addition, instead of tests to be conducted being identified with an “X,” the updated table now identifies endpoints to be considered with “E.” The only column containing an “X” is the column for physical and/or chemical information. This information is identified as a prerequisite for a risk assessment. The new Annex A is now 5 pages in length.
The 3-pages that were Annex B, “Guidance on the risk management process,” has been completely replaced with 13-pages from ISO TR 15499-2016, “Guidance on the conduct of biological evaluation within a risk management process.”
Twenty-one (21) new definitions for terms were added to the 5th edition–including “3.9 geometry device configuration,” “3.15 nanomaterial,” “3.16 non-contacting,” “3.17 physical and chemical information,” “3.25 toxicological threshold” and “3.26 transitory contact.”
Additional information on the evaluation of non-contacting medical devices and transitory-contacting medical devices was added.
Expansion of the standard to include evaluation of nanomaterials and absorbable materials. This includes addition of section B.4.3.3 in Annex B for guidance on pH and osmolality compensation for absorbable materials.
An additional reference to ISO 18562-1, -2, -3 and -4, for “Biocompatibility evaluation of breathing gas pathways in healthcare applications,” was added as well. However, the four standards in the ISO 18562 series should be purchased if you are conducting a biocompatibility evaluation for a device of this type (e.g., respiratory gas humidifiers).
There are also many minor changes in the 5th edition, but Annex C is almost identical to the previous version. The only change I noticed was the addition of “Preference may be given to GLP over non-GLP data,” to clause C.2.3.
Correspondence with FDA Guidance on Use of ISO 10993-1-2018
Table A.1 in Annex A is quite similar to Table A.1 in the FDA guidance, and 100% of the columns match except the column for “physical and/or chemical information.” Although, the FDA guidance does not have a column in the table indicating that physical and chemical characterization is required as a prerequisite for the risk assessment, it is very clear from the language in the guidance that information about the physical and chemical characteristics of the device “should be provided in sufficient detail for FDA to make an independent assessment during our review and arrive at the same conclusion.” The FDA guidance also requires information about the surface properties of the finished device. The FDA included a section specific to “Submicron or Nanotechnology Components,” which is consistent with the ISO 10993-1-2018 where there references throughout the standard to ISO/TR 10993-22, Guidance on nanomaterials. The FDA guidance does not, however, include guidance on pH and osmolality compensation for absorbable materials. The FDA guidance also does not include a reference to the ISO 18562 series of standards, but the FDA product classification database was updated in June to include reference to the ISO 18562 series of standards when they were added to the database of recognized standards.
Correspondence with the European Directive and EU MDR
The 4th edition of the EN version has Table ZA.1 explaining the correlation between the standard and the European Directive. Specifically, Clauses 4, 5, 6 and 7 of the European Standard correspond to Annex I, Essential Requirements 7.1, 7.2 and 7.5 in the MDD. In the new Regulation (EU) 2017/745, these clauses correspond with Annex I, Essential Requirements 10.1, 10.2 and 10.4. Therefore, you should expect the European version of ISO 10993-1-2018 to include a table similar to Table ZA.1, but you should also anticipate that your evaluation of biological risks will need to be updated and additional testing may be required in order to remain compliant for any devices that are CE Marked.
Changes to the biological evaluation process in ISO 10993-1-2018
As in the previous version of the biocompatibility standard, Figure 1 is a decision tree that follows the biological evaluation process outlined in the standard. At first glance, the updated Figure 1 appears to be essentially unchanged. However, even though the updated figure has exactly the same shape and the same number of elements, there are subtle changes. For example, the potential effects of geometry is emphasized in the ISO 10993-1-2018. The more significant change in the process is at the end. Where it used to say, “Testing and/or justification for omitting suggested tests,” the updated figure now includes a reference to Annex A under those words. Where it used to say, “Perform Biological Evaluation,” the updated figure now says, “Perform Toxicological Risk Assessment (Annex B)”.
Annex B is where the most visible changes are found in the ISO 10993-1-2018. For example, in the previous version of the biocompatibility standard, there was a reference to creating a prospective, biological evaluation plan as part of the risk management plan. In the 5th edition, clause B.2.2 outlines the Biological Evaluation Plan–which is sometimes referred to by its acronym of “BEP” by third-party testing labs.
In addition, clause B.4 provides guidance for biological evaluation. This guidance is directly copied from ISO/TR 10993-22, but it answers the frequently asked question of “how do you perform a biological evaluation.” The basic steps of the biological evaluation, which have not changed, are:
Material characterization (B.4.1)
Collection of existing data (B.4.2)
Device testing considerations (B.4.3)
Biological safety assessment (B.4.4)
However, the guidance provides details for each step, as well as general guidance on when changes may require re-evaluation of biological safety, GLPs and biocompatibility evaluation documentation. In general, the focus of ISO 10993-1-2018 is now on the evaluation of toxicological data in Annex B, rather than passing a few required tests that were previously identified in Table A.1.
Will ISO 10993-1-2018 Require you to Retest for Biocompatibility?
In general, I do not expect that the changes to ISO 10993-1-2018 will require extensive retesting for your company. However, you can expect a significant amount of rewriting of your biological evaluation report to be required. Now you will need to more fully characterize the physical and chemical characteristics of your device, and you will need to provide a more comprehensive biological safety assessment–including an evaluation of toxicological data for each chemical including in the formulation of your device. It’s possible that you may even identify certain chemicals in the material formulation that prevent you from using a material–even though the material may have passed all biocompatibility tests in the past. I will also need to update one of my own articles on biocompatibility and a biocompatibility webinar.
There are 38 product classification codes that the FDA selected for the Quik 510k Pilot program to evaluate version 3 of the eSubmitter software.
What are the three (3) advantages of the new Quik 510k pilot program?
There are three (3) advantages of using the eSubmitter software as part of the Quik 510k pilot. The first advantage of using the eSubmitter software is that the refusal to accept (RTA) process will be eliminated. This change is huge, because nearly 50% of submissions are rejected during the RTA screening process. The hope is that the eSubmitter software will prevent companies from submitting submissions that are missing required content, and therefore the RTA process will not be needed. However, we have seen many submissions placed on hold for technicalities rather than sub-standard submissions. Therefore, it will be fascinating to see the FDA reported outcomes from the Quik 510k pilot.
The second advantage of using the eSubmitter software is that the reviews will be interactive. This means that reviewers are not expected to have any additional information (AI) requests. This also means that submitters will need to respond to questions from reviewers quickly. For example, I have received a call on Friday afternoon after 5:00pm EDT asking if I could make a revision to document and email that document to the reviewer by Monday morning. This is an extreme example, but 48-72 hours is typical for a required turn-around during interactive reviews.
The third advantage of using the eSubmitter software is that the FDA is targeting completion of their 510k review within 60 days. This 30-day reduction may seem huge, but the FDA already cut 15 days off their review timeline by eliminating the RTA screening. Second, the FDA picked 38 product classification codes that should not have difficulty reviewing in 60 days. Not all product classifications have the same amount of testing data required, and I do not expect the FDA to be able to review all product classification codes in 60 days–even with eSubmitter.
Although the Quik 510k pilot mentioned that submissions would be zipped, eSubmitter is also designed for electronic submissions through an electronic submissions gateway (ESG). An ESG has the added advantage that you will not need to ship your submission via FedEx. This advantage will gain you only a maximum of 24 hours, but I wish I had those 24 hours last week. Every year, in the last week of September, all the small businesses with small business qualification try to submit their 510k prior to end of the fiscal year (i.e., September 30). This year I had four clients that were in this position. One was unable to get the data they needed to complete their submission prior to September 30. The other three were making last minute changes up until the afternoon of Thursday, September 27. One of those submissions was extremely challenging, because the submission included video files that exceeded 1GB in total. Therefore, I called CDRH’s eCopy Program Coordinators at 240-402-3717. They were extremely helpful. They said that it would be best to provide two identical eCopies, or to save the MISC FILES and STATISTICAL DATA folders on a separate flash drive. The reason for this is that very large submissions can take days to upload into the CDRH database. Therefore, the picture below shows you what my final solution was for the three submissions this week. The De Novo submission had to be split.
What our firm has done to take advantage of the Quik 510k pilot
If you have a product with any of the 38 product classification codes listed above, and you need to submit a 510k in the next 6 months, you are very fortunate. Your submission will be prioritized by the FDA and you are likely to be able to get your device cleared in 60 days or less. Our firm is very anxious to take part in this pilot because the FDA intends to require the eSubmitter software for all submissions in the future, and we expect other product classification codes to be added to the pilot over time. We process dozens of 510k submissions each year and mastering the nuances of the software is critical to our continued success. I already downloaded the software and installed it onto my computer. I also created a complete submission as a test. eSubmitter saved several hours in the preparation of a 510(k) from the typical 40 hours the process takes. Therefore, I expect implementation of new eSubmitter software to a triple win for the FDA, clients and our firm. In fact, I plan to request that the FDA add De Novo submissions next to this pilot. The reason is that De Novo submissions typically have more content and the content is more variable. I think this would be an extremely challenging test for eSubmitter, and the relatively small volume of De Novo submissions would limit the impact upon FDA resources.
Changes to eCopy Requirements in 2018
In 2017, the FDA indicated that eSubmitter software was going to be revised and it would be approximately 2 years before companies would be able to submit a 510k electronically to the FDA. Until then, companies must ship an electronic eCopy and a paper copy to the FDA Document Control Center (DCC). The eCopy guidance states, “An eCopy is accompanied by a paper copy of the signed cover letter and the complete paper submission.” However, the FDA’s eCopy guidance has not been updated since December 3, 2015. There are some unofficial changes to the policy, and the FDA no longer requires the complete paper submission. Instead, you can submit an eCopy accompanied by a paper copy of the signed cover letter.
Before February 2018, we would print 1,000+ pages for each 510k submission, pack two 3” three-ring binders in 12”x12”x6” ULine boxes and ship the box to the FDA overnight via FedEx. We typically would charge $400 for this eCopy service. After the unofficial policy change, all of our 510k submissions consist of a paper copy of the cover letter and an eCopy on a USB flash drive. We only charge $150 for the FDA eCopy service, and 100% of our eCopy submissions have been uploaded without problems this year.
What is the difference between creating an eCopy and submitting with eSubmitter (cited from FDA website)?
There are four differences between eSubmitter and eCopies:
An eSubmission package contains PDF attachments and XML file types. The XML files are intended for CDRH IT systems to process the application. Reviewers will not see these XML files.
The parts of the eCopy guidance that describe the structure of a 510(k) submission will not apply to the Quik Review Program Pilot.
An eSubmission is organized according to the layout of the template, which places administrative documents (e.g., Form 3674, the 510(k) Summary, the Truthful and Accurate statement) at the end of the submission because their applicability is determined based on the answers to questions in the body of the template (e.g., Form 3674 is only required if the applicant indicates clinical data are included).
Electronic signatures are used in the submission (e.g., on the Truthful and Accurate statement), rather than physical signatures.
eSubmitter Template Options
For device 510k submissions, the FDA’s eSubmitter gives you three options:
Template Version 1.3, for In Vitro Diagnostic 510k submissions to CDRH only, allows you to create a 510k submission and the eSubmitter software will package your submission in a specially formatted zip folder that you can save to a compact disc (CD), digital video disc (DVD) or flash drive. Then the you must print a paper copy of your signed cover letter and ship the eCopy created by eSubmitter with your paper copy of the cover letter to the FDA DCC.
Template Version 1.2.1, for Non-In Vitro Diagnostic 510k submissions that are among the 1,000+ other product classifications not included in the Quik 510k pilot (CDRH: Medical Device eCopies), you can create a 510k submission and the eSubmitter software will package your submission in a folder for you. You can then copy the contents of that folder to a compact disc (CD), digital video disc (DVD) or flash drive. Then the you must print a paper copy of your signed cover letter and ship the eCopy created by eSubmitter with your paper copy of the cover letter to the FDA DCC.
Template Version 3.2, for Non-In Vitro Diagnostic 510k submissions that are among the 38 product classification codes that are listed above for the Quik 510k pilot program. This allows you to create a 510k submission and the eSubmitter software will package your submission in a specially formatted zip folder that you can save to a compact disc (CD), digital video disc (DVD) or flash drive. Then the you must print a paper copy of your signed cover letter and ship the eCopy created by eSubmitter with your paper copy of the cover letter to the FDA DCC. This template is unique to the Quik 510k pilot program. There is a red bar that appears at the top of the screen:
“This template should only be used to construct a submission if you are submitting it as part of the Quick Review Pilot. All others may use the content of this template as a reference to aid in constructing an eCopy. If you are not part of the Quick Review Pilot, do not construct a submission with this template, it will be rejected.”
When you create your own eCopy, then you will need to create a volume based or non-volume based submission in accordance with the eCopy guidance. The volume folders and/or files are saved to a compact disc (CD), digital video disc (DVD) or flash drive. Then the you must print a paper copy of your signed cover letter and ship the eCopy you created with your paper copy of the cover letter to the FDA DCC.
Warning: If you are using Windows 10, and you save your eCopy or eSubmitter zip folder on a flash drive, Windows 10 will automatically create a hidden system folder titled “System Information Volume.” This folder is created as a security feature to enable you to recover accidentally deleted content. However, this folder results in an error when the FDA attempts to upload your submission automatically. Therefore, you must remove this hidden system folder. Instructions for this can be found on our website page about eCopy hidden system files.
A third party review is the review of a 510(k) that has been submitted directly to a third party rather than the FDA themselves. Back in 1997 as part of the FDA Modernization Act or FDAMA the ‘Accredited Persons Program’ was created. This allowed the FDA to accredit persons, or ‘third parties’ to conduct the primary review of certain 510(k) submissions. One of the goals of this program was to be able to make the submission and review process faster and more efficient.
The third party review is not a full alternative to submitting a 510(k) to the FDA. Third parties are authorized by the FDA to conduct the primary review of specific types of devices only. Only certain devices are eligible for third party review. The FDA keeps a database of those devices here in one of their medical devices databases (http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfThirdParty/current.cfm).
The use of a third party review also does not bypass the FDA. The third party is only conducting the primary review of the 510(k) and then forwarding the submission, the review of the submission and the post review recomendation to the FDA. The FDA then has a 30 day timeline to issue a final determination of the submission.
How many 510(k) submissions use a third party review?
In 2016, I did an analysis of 510(k) submissions reviewed by the general and plastic surgery panel. I reviewed submissions that received clearance between January 1, 2015 and August 10, 2016. Of the 690 510(k) clearances that were issued by the panel, only nine (9) were submitted for third party review. Although third party reviewers were responsible for only 1.3% of the submissions I reviewed, there are other device classifications with higher percentages of reviews being conducted by third party reviewers. In fact, there were a total of 114 submissions that were issued 510(k) clearance through a third party review process during that period.
For this article, I reviewed the 3,023 510(k) clearances that were issued in the past 12 months (i.e., May 23, 2016 through May 23, 2017). Only 75 of the 510(k) submissions issued (2.5%) were submitted for third party review. Of these 75 submissions, the average review time by the FDA (after the third party review is completed) was 46 days. Since the average review time for the FDA of a traditional 510(k) is 183 days (based upon my data analysis from 2016), third party review can potentially reduce your 510(k) clearance timeline by months.
Why do only 2.5% of 510(k) submitters utilize a third party review?
Originally, my theory was that only a limited number product classification codes are eligible for third party review. The FDA is trying to expand the third party review program, but 44% of third party reviews are for the radiology panel. Another 13% were for the general hospital panel, and 13% more of the reviews were for the cardiovascular panel. Finally, less than 7% were reviewed for the dental panel. The remaining 17 submissions were reviewed for other panels. A closer look at the product classification codes shows that there are only a few product codes within these panels that are being reviewed by third parties.
I also had a second theory for why so few submitters are using third parties. As I reviewed the actual 510(k) summaries for these 75 submissions, I noticed there were only four (4) companies listed as third party reviewers in the last 12 months:
Center for Measurement Standards of Industrial in Taiwan = 1 submission
2018 Updated- FDA’s reporting of the first three quarters of 2018
Compared with the above information the first three quarter reportings for 2018 list a total of more third party reviewers. Currently in the quarterly reports from the FDA there are the following 3rd party reviewers:
AABB = 5 or less
Center for Measurement Standards of Industrial (CMSI) = 5 or less
New York State Department of Health (NYSDOH) = 5 or less
Nordic Institute of Dental Materials (NIOM) = 5 or less
As of Quarter Three there have been a total of 53 Third Party 510(k) Submissions Accepted. A majority of these completed by Regulatory Technology Services, LLC, and Third Party Review Group, LLC (TPRG). 36, and 13 respectively. All of the others have 5 or less but these numbers may increase once the fourth quarter report is released.
When should you chose a third party review instead of submitting directly to the FDA?
Always check the 510(k) database to see if third party reviewers were used for your product’s classification code. Ideally, a third party reviewer has been involved in a device that is in the same product classification and possibly that device would be a suitable predicate for you to select for your 510(k) submission. If your search yields no results, your device may not be eligible for a third party review. However, you can always contact one of the four third party reviewers listed above.
In general, the third party review process is an excellent way to shorten your 510(k) clearance timeline by months. The cost is significantly more than the FDA user fee. However, faster time to market is almost always worth the increased fee. Therefore, if a third party review is available I recommend taking advantage of this option.
Do you need help?
Medical Device Academy offers aregulatory pathway analysis service for $1,500. For those of you that are only interested in the US market, rather than including the EU and Canada, the cost for this service is only $750. Do you need help identifying the product classification for your device, determining the required performance testing and selecting a predicate device? We can do this for you in one week or less. Do you need an expedited review? We can also determine if your product is eligible for third party review and obtain a quote for you.
This article identifies the requirements for purchasing controls and supplier qualification procedures, as well as best practices for implementation.
Sourcing suppliers in the medical device industry is not as simple as going on the internet and finding your material and purchasing it. As part of a compliant quality management system, purchasing controls must be in place to ensure that quality product and materials are going into your device, and that any service providers that your company uses in the production of your product or within your quality management system are qualified.
ISO 13485 Requirements
In light of that, ISO 13485:2016, sections 7.4.1 Purchasing process, 7.4.2 Purchasing information, and section 7.4.3 Verification of purchased product outline the purchasing requirements. The following are requirements for the evaluation and selection of suppliers:
The organization must have established criteria for the evaluation and selection of suppliers.
The criteria need to evaluate the supplier’s ability to provide product that meet the requirements.
It needs to take into consideration the performance of the supplier.
It must consider the criticality and the effect that purchased product may have on the quality of the medical device.
The level of supplier assessment and monitoring should be proportionate to the level of risk associated with the medical device.
Maintaining Purchasing Controls
To start, in the most basic sense, purchasing controls involve procedures that ensure you are only purchasing from suppliers who can meet your specifications and requirements. The best way to keep track of your qualified suppliers is to maintain an Approved Supplier List (ASL). You should only purchase product or services that affect your product or quality management system from companies on the ASL (you would not necessarily need to qualify things like office supplies or legal assistance through purchasing controls).
When used effectively, the Approved Supplier List can be a great tool to manage the key facets of purchasing control, and keep track of supplier monitoring. Items that you can capture on the ASL include:
Scope of Approved Supplies
Status of Approval (Approved, Pending, Unapproved, etc.)
Supplier Certification and expiry dates
Date of Last Review
Date of Next Review
The first step in your purchasing procedure should involve checking to see if the supplier is under active approved status on the ASL. The second step will be to ensure that you are purchasing an item/service that is within the scope of approval of that supplier. If you have not approved the supplier, or the intended purchase is beyond the scope of that supplier, your purchaser will need to go through the necessary channels to add the supplier to the ASL, or modify their scope on the ASL.
Supplier Qualification Criteria
As required by the FDA, the level of supplier assessment should be proportionate to the level of risk associated with the medical device. The FDA is not prescriptive about the use of specific qualifications or assessments for different types of suppliers, so that is up to your company to determine. This is a somewhat grey area, but based on years working with companies and suppliers, as well as participating in FDA and ISO 13485 audits, there are some general expectations of vendor qualifications that we have observed and would recommend.
It is good practice to have a form or template that guides your supplier evaluation process. Using input from engineering and QA to first determine the level of risk and the requirements of that supplier, and then base your qualification plan on that information. If you have a higher risk supplier who may be supplying a critical component to your device, or providing a critical service such as sterilization, then your qualification process will be much more involved.
Here is an example of two different levels of criteria based on the type of supplier (the intent is not for the following items to be rules, and your company is responsible for determining the adequate acceptance criteria for suppliers, but this is a general example of what you may expect).
Critical Custom Component Supplier
ISO 13485 Certification
On-site audit of supplier’s facility
Provides Certificates of Analysis (CoA)
Written agreement that the supplier will communicate with the company regarding any changes that could affect their ability to meet requirements and specifications.
You validate a production sample and it meets requirements
Non-Critical Consumable Supplier
Product available that meets the needs of the company.
An associate has previously used by an associate who recommends the supplier.
Adequate customer service, returns allowed.
Additional Function of Supplier Evaluation Forms
The supplier evaluation form can also be used as the plan to assign responsibility and track completion and results during the initial evaluation, and can also include the plan for ongoing monitoring and control of the supplier. This evaluation form should be maintained as a quality record, and auditors will frequently ask to see supplier evaluations.
Are Supplier Audits Required as Purchasing Controls?
Also valuable, supplier audits may be included as part of an evaluation plan for a new supplier, the change of scope of a supplier, a routine audit as part of ongoing monitoring, or as part of a non-conformity investigation of a high-risk product. While it is not required by ISO 13485, nor does the FDA does specify in the CFR that you must audit suppliers, it is a very good idea to audit your critical suppliers. If an auditor or FDA inspector sees evidence that your current purchasing controls are inadequate, performing supplier audits may be forced as a corrective action.
Beyond that, you can gain so much value, and gather countless clues and important information in an audit that you just cannot get without paying your critical supplier a visit. You can see where they plan to/are making/cleaning/sterilizing/storing your product. Talk to the people on the line, are they competent and trained? Does the company maintain their facility well? How secure is it? Do they maintain adequate records and traceability? Have there been any non-conformities relating to your product that have been detected? Etc.
Supplier audits should also include evaluation of the procedures, activities, and records of the supplier that could have an impact on the product or service they are providing your company. If it is not the first audit of the company, you should be sure to review the previous audit report findings, and ensure the company has addressed any nonconformities, review supplier performance data, information about any changes that may have occurred at the supplier since your last visit, etc.
Record Maintenance and Ongoing Evaluation of Suppliers
No matter the method of supplier qualification, it is best practice to maintain supplier files that contain useful information relative to the supplier that may include:
The original supplier qualification form
Subsequent performance evaluations
Expanded scope qualifications
Current contact information
Copies of any non-conforming material reports related to the supplier, etc.
ISO 13485 requires monitoring and re-evaluation of suppliers, and maintaining detailed supplier files will assist in meeting this requirement, and will help in the feedback system to identify and recurring problems or issues with a supplier. On a planned basis, whether that is annually, or every order (dependent on the criticality of the product), your company should conduct a formal supplier evaluation to determine whether the supplier has continued to meet requirements – In general, annual supplier reviews are standard. Additionally, you must specific this frequency in your procedure (auditors will look for what period you specify in your procedure, and then will check your ASL to make sure all of your suppliers have been reviewed within that timeframe).
During the supplier evaluation, if you find there have been issues, you need to determine and weigh the risks associated with staying with that supplier, and document that in the supplier file. If you determine the supplier should no longer be qualified, then you must also indicate on the ASL that the company no longer approves of the supplier.
Making the Purchase
When you have verified your supplier is approved on the ASL, you are authorized to purchase product. Engineering is usually responsible for identifying the product specifications, requirements for product acceptance, and adequacy of specified purchasing requirements prior to communication to the supplier. The specifications may be in the form of drawings or written specifications. Additional information communicated to the supplier should also include, as applicable, an agreement between your company and the supplier that the supplier will notify you prior to the implementation of changes relating to the product that could affect its ability to meet specified purchasing requirements. When the first batch of product is received from a particular supplier, it is a good idea to verify that the product performs as intended before entering into production with a new material or component.
From time to time, you may encounter issues with a supplier. Sources of nonconformity include incoming inspections, production nonconformities, final inspection, or customer complaints. It is important that you notify your supplier the nonconformity and record their response and assessment. Depending on the level of criticality of the vendor, it is reasonable to require them to perform a root cause analysis to determine and alleviate the cause of failure. You should also request documentation of an effectiveness check to ensure the supplier has taken corrective actions. You should maintain copies of supplier nonconformity reports in the supplier file, and discuss nonconformities during ongoing supplier evaluations.
If the supplier does not cooperate or fails to address the nonconformity in an acceptable manner, or if there is a pattern of nonconformities with the vendor, then you should disqualify the supplier, and indicate that the supplier is “not approved” on the ASL.
Purchasing Controls Procedures You Might Need
Medical Device Academy developed a Supplier Qualification Procedure, Purchasing Procedure, and associated forms that will meet purchasing controls regulatory requirements for ISO 13485:2016 and 21 CFR 820.50. These procedures will help you ensure that goods and services purchased by your company meet your requirements and specifications. If you have any questions or would like help in developing a custom procedures or work instructions that meet your company’s unique needs, please feel free to email me, or schedule a call to discuss.
This article reviews four of the top reasons for why other companies feel requesting 510k pre-sub meetings is a waste of time, but you can’t afford to.
It only takes my team 8-10 hours to prepare a 510k pre-sub request. The FDA does not charge you a cent for requesting 510k pre-sub meetings, and a pre-sub should be part of every design plan. But most companies are resistant to requesting 510k pre-sub meetings. Here are the top 4 reasons why companies tell me they don’t need to request a meeting:
It’s too late for requesting 510k pre-sub meetings
If you are less than a week away from submitting a 510k, it is too late for requesting 510k pre-sub meetings. The FDA target for scheduling a 510k pre-sub meeting is 60-75 days from the date your request was submitted. That’s 10-11 weeks. Most companies tell me that they plan to submit a 510k within weeks or a couple of months, but most of the companies take several months and frequently there is a delay that requires 6 months or more. For example, what if your device fails EMC testing, and you have to change the design and retest for both EMC and electrical safety? At best you will have an 8-week delay. If you submit request next week, and everything goes as you plan, you can always withdraw your request for the pre-sub. If you encounter a delay for any reason, suddenly it’s not too late.
Our design is not finalized yet
I believe that waiting until your design is almost complete is the number one reason why companies wait too long to request 510k pre-sub meetings. If they wait too long, then the previous reason for not requesting a meeting takes over. The ideal time to submit a pre-sub request is 75 days before you approve your design outputs (i.e., design freeze). However, very few people are that precise in their design planning and execution. You should try to target sometime after you approve your design inputs, but before you approve your design outputs. As long as you submit an update to your pre-sub request 2 weeks before the meeting, the FDA will accept it. Also, you can always schedule a date that is later than 75 days if you realize you requested the meeting too early.
We don’t want to be bound by what the FDA says in the 510k pre-sub meeting
510k pre-sub meetings are “non-binding.” That means that the FDA can change their mind, but it also means you don’t have to do everything the FDA says in a 510k pre-sub meeting. If you don’t ask a question about testing requirements, that doesn’t mean that the FDA does not have any testing requirements. The FDA knows what previous companies have submitted for testing better than you do, and they may be in the process of evaluating a draft special controls guidance. If you ask questions, you will have better insights into what the FDA expects. Understanding FDA expectations helps you write better rationales for testing or test avoidance. You also might learn about deadlines for implementation of new testing requirements that you might be able to avoid. Finally, you can ask the FDA about possible testing options you are considering if your most optimistic testing plans are denied by the FDA.
There is already a guidance document for our device
Not all device classifications have a guidance document explaining what information should be submitted in a pre-market 510k submission. However, there almost one hundred Class II Special Controls Guidance Documents. Therefore, there is a good chance that the FDA published special controls as part of the regulation for your device or as a guidance document. As part of the special controls, the FDA defines what performance testing is required for your device. If you already know what testing is required, then the value in requesting 510k pre-sub meetings is diminished. But at least three other key benefits remain.
First, you can verify that the predicate you plan to use for comparative testing is not going to be a problem. Although, the FDA can’t tell you which predicate to pick, the FDA can tell you if there is a problem with the predicate you have selected. This is especially important if the product is not currently registered and listed, because you may not know if the device was withdrawn from the market after it was cleared.
Second, not all testing standards are prescriptive. Many tests, have testing options that require you to make a decision. Input from the FDA may be valuable in making choices between various performance testing options Sometimes you even forgo testing and provide a rationale instead. FDA feedback on any rationale for not doing testing is critical to prevent delays and requests for additional information later.
Third, there are many different FDA representatives that participate in 510k pre-sub meetings. The lead reviewer will invite specialists and the branch chief to the meeting. Each of these specialists can answer questions during a pre-submission meeting that they are not able to answer during the actual review process. You also have the opportunity to get feedback from the branch chief–who has insight from all the previous devices that were cleared with your product classification. Your lead reviewer is not likely to be as experienced as the branch chief, and may only have been working at the FDA for months. Your request for the 510k pre-sub meeting will help an inexperienced lead reviewer as much as it will help your company.
Learning More about 510k Pre-sub Meetings
On Thursday, February 22 there will be a free webinar offered on the topic of 510k pre-sub meetings. We had 50 people register for the webinar in the first day it was announced, and we have already answered more than a dozen related questions. If you are planning to submit a 510k this year, this webinar will show you exactly how to prepare your own request for a 510k pre-sub. You will even receive copies of all of our templates for free.
The following is a copy of my responses to someone that submitted biocompatibility testing questions in preparation for the 510k pre-submission webinar that I am hosting Thursday, February 22 @ 4pm EST.
Can you please answer the following biocompatibility testing questions?
This was the request by a person that registered for my live webinar next Thursday. The person asked some great questions that are very similar to other clients I work with. They also asked the biocompatibility testing questions in a way that did not divulge any confidential information–other than to indicate they live in Germany. Therefore, I am sharing my email response with you. Please register for this webinar and submit your own questions. Questions are entered in an open text box, and you have room to ask multiple questions.
1. Does the FDA now already ask for the AET (Analytical evaluation threshold) for chemical analyses?
I’m not an analytical chemist. That would be an awesome question for Thor Rollins at Nelson Labs. He is giving a 1-day workshop on bicompatibility testing on March 20:
2. How can I avoid time consuming genotox studies for FDA?
Typically if you perform the “Big 3” (i.e., cytotox, irritation and sensitization), and then you perform chemical characterization, you are often able to prepare a Biological Evaluation Report to explain why there are no identified compounds in the chemical characterization that would warrant performing the genotox studies. This is also often true for the acute toxicity testing and sub-chronic toxicity testing. In order to verify the FDA will accept this approach, you will typically provide a biological evaluation plan (BEP) as part of your pre-submission request. This often saves > $10K.
3. And how can I face FDA with a cytotoxic wound dressing but which passed irritation, sensitization, genotox and pyrogenicity tests?
I had a product that contained aluminum. Aluminum is cytotoxic to the cell line that is used in the cytotoxicity testing. However, aluminum does not have a high level of toxicity for the route of administration for that product. You should identify the reason why your product is cytotoxic and then provide an explanation why the device is no toxic for the intended use and duration of contact. This would normally be part of that BEP mentioned above.
4. Which genotox tests are state of the art for the FDA?
There are three ways to determine that. One is to look in the recognized standards database on the FDA website. Second is to review the FDA guidance on biocompatibility and application of ISO 10993-1. Finally, you can ask the FDA about the suitability of another test you want to perform during a pre-sub. If they prefer a different test, they will say so in an email response and they are available for discussion by conference call during the pre-sub meeting to clarify their response.
Note: I did not answer this question outright, because biocompatibility testing (and all verification testing) requirements change over time. In fact, for one 510k project I had 7 different standards change just prior to submission. During a pre-submission meeting, the FDA should make you aware of coming changes to these tests. Also, the better biocompatibility testing labs, such as Nelson Labs, are also aware of the changes before they are implemented. This is because personnel like Thor Rollins personally get involved in the revision of standards.
5. Will the meeting be recorded since I live in Germany?
Yes, all of my webinars are recorded. I will email you a link for downloading it and you will receive that email in the morning after the webinar. You can also schedule calls with me as a follow-up using the following link:
In addition to the 1-day seminar by Thor Rollins on biocompatibility testing (March 20), we are also offering a 2-day 510k workshop at the same Embassy Suites Hotel in Las Vegas. The cost is $995 (discount for multiple attendees). Here’s the link for registration–or email firstname.lastname@example.org and I can invoice your company.
This article identifies strategic implications of the FDA user fee increase for FY 2018 that was published by the FDA last week.
You didn’t know the FDA user fee increased?
In August, the FDA publishes the new FDA user fee schedule for the next fiscal year, which begins on October 1. Last year the FDA published an updated small business guidance document in early August that included the fee schedule. This year, the release of the FY 2018 FDA user fee schedule was delayed until the end of August, because the re-authorization of user fees was not approved until August 18, 2017.
The MDUFA IV user fee schedule was negotiated in October of 2016, and the new user fee schedule proposed to increase the user fees to $999.5 million. That negotiated plan called for an increase in standard fees for 510k submissions while keeping small business fees lower. The final enacted MDUFA IV user fees follows this plan. There is a significant difference between PMA fees and 510k fees in the new fee schedule. There was a 33% increase for all PMA-related standard and small business fees. However, standard 510k fees increased by 125%, while small business fees for a 510k increased by 13%. The establishment registration fees increased by 37%, and there is still no discounted registration fee for small businesses. Finally, the biggest change is there will now be a fee for De Novo applications.
Implications of the De Novo FDA user fee increase
Congress authorized the MDUFA III fees in 2012 for five years, and there were no fees associated with De Novo applications. In 2012, the Food and Drug Administration Safety and Innovation Act (FDASIA) also streamlined the De Novo application process. The purpose of having no fees, and for streamlining the process, was to encourage medical device innovation. However, only 40% of De Novo application reviews were completed within 150 days during 2015 and 2016. The balance of the applications required 200 to 600+ days to complete. Negotiations between the FDA and industry in 2016 resulted in an agreement to trade an increase in FDA user fees for a decrease in the review time required for 510k clearance. However, the FDA also committed to decreasing the De Novo application review time to less than 150 days as follows:
Unfortunately, the agreed FDA user fee for De Novo applications in MDUFA IV for FY 2018 are $93,229 as a standard fee and $23,307 for small businesses. During the past 5 years, during MDUFA III, companies that felt they had a potential De Novo application would try to persuade the FDA that a borderline 510k submission should be a De Novo application instead. However, under MDUFA IV you will be more likely to persuade the FDA that a borderline classification should be considered for a 510k submission instead of a De Novo application.
In addition, you should plan your De Novo application more carefully than you might have for a free application. Pre-submission meeting requests should always be submitted during the development process, and these pre-sub requests should be submitted at least 90 days prior to your design freeze. Special consideration should also be devoted to risk analysis and gathering preliminary data to demonstrate the effectiveness of the risk controls you select to ensure that the clinical benefits of your device outweigh the residual risks of the device after implementing risk controls. Ideally, you will gather enough evidence to create a draft special controls guidance document to submit to the FDA as a supplement to your pre-submission meeting.
If you are planning a De Novo application for FY 2018, you should expect your FDA reviewer to pay special attention to ensuring that there are no unnecessary delays in the review process. You should also monitor the FDA recent final guidance webpage for release of a final guidance document for De Novo applications. The draft guidance was released on August 14, 2014. Creating a final guidance will probably be priority for FY 2018.
Implications of the 510k FDA user fee increase
The standard FDA user fee for a 510k increased 125% from $4,690 to $10,566. However, the absolute dollar amount of a 510k submission is still less than cost of biocompatibility testing or sterilization validation. Therefore, the increase should not significantly decrease the number of submissions. However, the small business fee has only been increased by 13%. Therefore, if you are a small business (i.e., income < $100 million), you should complete an application for small business qualification as soon as you can (i.e., October 1, 2017) to make sure that you are eligible for the discounted fee when you submit your next 510k submission. If you need help preparing your small business qualification form, there will be a webinar on this topic Friday, September 8, 2017.
When you are planning a 510k submission, you should also determine if your device product classification is eligible for third party review. In the past, the increased cost of the third party review made submission of a 510k to a third party reviewer unattractive. However, the fees for third party reviews range from $9,000 to $12,000 typically. Therefore, its possible that there may be no difference in the fee for a third party review unless your company is a qualified small business.
Implications of establishment registration FDA user fee increase
The increase in the annual establishment registration fee is 37% for medical device firms to $4,624. If you are already registered as a medical device firm, you should increase your annual budget for the establishment registration fee accordingly. If you are about to launch a new product, remember that you are required to register and list your product within 30 days of distribution of your product. Therefore, if shipments are going to begin in September, you don’t need to register until October (i.e., after the start of the new fiscal year). Therefore, you may be able to avoid paying the FY 2017 establishment registration and only pay the FY 2018 establishment registration. This would not be the case for foreign firms that need to import the product prior to distribution.
What you can do about the FDA user fee increase now
You may not be able to change the user fee schedule for FY 2018, but there are three things you can do now to improve your situation. First, if you are a small business, you can speak to your accounting department and get them to provide a copy of the FY 2016 tax return so that you can complete the small business qualification form on October 1. Second, you should contact Regulatory Technology Services and the Third Party Review Group to obtain a quote for a third party review of your 510k submission instead of submitting directly to the FDA. Third, you should add a reminder to your calendar for August 1, 2018 to start reviewing the FDA website and other sources for a FY 2019 FDA user fee schedule.
Learning how to submit a small business qualification form
If you have not completed a small business qualification form before, you can learn how to prepare your application for small business qualification by registering for my webinar on Friday, September 8, 2017.
This article compares the risk management requirements for a 510k submission with the risk management requirements for your design history file (DHF).
Risk Management Requirements and Design Control Requirements
Last week I presented a free webinar on how to combine risk management with design controls, when planning to submit a 510k. There were many questions asking what the design control and risk management requirements are for a 510k.
What are the Design Control Requirements in a 510k?
There is no specific part of the the regulations stating what the 510k design control requirements are. However, certain elements of the DHF are required as 510k design control documentation, but not necessarily in the exact form as maintained in the DHF. For example, Design Inputs and Design Outputs are presented as applicable recognized standards and design specifications, while others will remain exactly the same (i.e., verification and validation test reports).
What are the Risk Management Requirements in a 510k?
For 510k submissions, the only risk management requirements are the inclusion of risk documentation for devices containing software of at least moderate level risk. There are some exceptions to this as well though, based on a few special control guidance documents—especially when the submission type is an abbreviated 510k. This is article identifies which of the DHF and RMF elements are 510k design control requirements and 510k risk management requirements.
510k Design Control Requirements
Design Controls are identified in 21 CFR 820.30. Every manufacturer of any class II or class III devices, and certain class I devices (class I devices with software, tracheobronchial suction catheters, surgeon gloves, protective restraints, radionuclide applicators, radionuclide teletherapy devices) need to control design per this regulation. The requirement for a Design History File is item j) and states:
“Each manufacturer shall establish and maintain a DHF for each type of device. The DHF shall contain or reference the records necessary to demonstrate that the design was developed in accordance with the approved design plan and the requirements of this part.”
The “requirements of this part” refers to the other bullets in 21 CFR 820.30 which can be summarized as:
a) Establish and maintain procedures to control design of device.
b) Design and Development Planning – Each manufacturer shall establish a plan that describes the design and development activities, and defines responsibilities for implementation.
c) Design Inputs – Manufacturers need to ensure design requirements relating to a device are appropriate and address the intended use of the device.
d) Design Outputs – Design outputs need to be documented in terms that allow an adequate evaluation of conformance to design input requirements. Design outputs that are essential for the proper functioning of the device should be identified.
e) Design Review – Formal documented reviews of design results should be planned and conducted at appropriate stages of device development.
f) Design Verification – Design verification confirms that the design output meets the design inputs requirements.
g) Design Validation – Design validation shall be performed under defined operating conditions on initial production units or their equivalents, and shall ensure that devices conform to defined user needs and meet the intended use of the device.
h) Design Transfer – Design transfer documentation shall ensure that the device design is correctly translated into production specifications.
i) Design Changes – changes should be identified, documented, validated/verified, reviewed and approved before their implementation.
The Design History File is intended to be a repository of the records required to demonstrate compliance with your design plan and design control procedures. While companies are required to create, and maintain this documentation according to the FDA regulation, not all of the documentation will be reviewed as part of the 510k. The following table compares the elements that comprise a DHF with the 510k design control requirements.
510k Design Control Requirements
Cover Sheet (Section 1) and
Declaration of Conformity (Section 9)
Some design inputs will appear in the form of standards in FDA Form 3514 (Cover Sheet) and in the Declaration of Conformity FDA Form 3654 (Standards Data Report)
Device Description (Section 11)
The Device Description lists the specifications of the device, and your Design Outputs document will help populate the Device Description. This can include drawings, pictures, or written specifications that describe your device.
Proposed Labeling (Section 13)
The labeling is usually considered part of the Design Outputs within the DHF, and is included specifically in the labeling section of the 510(k) submission. This includes both the Instructions for Use and any Package Labeling.
Verification and Validation Protocols
You do not have to include the protocols, but the reviewer may ask to see them if they have any questions when reviewing the reports.
Verification and Validation Reports
Sterilization (Section 14)
Biocompatibility (Section 15)
Software (Section 16)
Electrical Safety and EMC (Section 17)
Bench Performance Testing (Section 18)
Animal Performance Testing (Section 19)
Clinical Performance Testing (Section 20)
Of course, not all of these sections will be applicable for every device, but you should include all relevant validation test reports within your submission in the appropriate section of the 510k. Typically, each of these sections will have a cover sheet that outlines the reports that are included within the section, and then you can just include the report from the DHF in its entirety behind the cover sheet in that section.
Only required for sterilization validation typically, but there are exceptions for novel materials and coatings
Not Required for 510k
Design Review Meeting Minutes
Not Required for 510k
Design Trace Matrix
Only required for software
Risk Management File
Sometimes – See Risk Management File Table Below
Post-Market Surveillance Plan
Not Required, but a few exceptions for high risk devices
Clinical Data Summary
Required only if used to demonstrate safety and efficacy
Will result from 510k Clearance, so nothing to be included in 510k submission.
510k Risk Management Requirements
Regarding the FDA regulations for risk management, there is a requirement under the Design Validation section of 21 CFR 820.30 that states:
“Design validation shall include software validation and risk analysis, where appropriate.”
For the purposes of FDA compliance and CE Marking, both recognize ISO 14971 as the standard for risk management. FDA recognizes ISO 14971:2007 whereas EN ISO 14971:2012 is the European National version for CE Marking. Rob Packard wrote an article describing the contents of the risk management file as well as the specific differences in the requirements between the FDA and CE Marking with regard to ISO 14971.
For the purposes of your 510k submission, the FDA only requires risk management documentation to be included if the product contains software and the risk is at least a level of “moderate concern”. There are some other cases when risk management is required by special controls guidance documents, but even when it is required you only have to submit your risk analysis. The table below describes the risk management requirements in greater detail.
510k Risk Management Requirement
Risk Management Plan
510ks with Software Only (Section 16)
Hazard Identification is only required for devices that have a software component. It is not required for most other devices.
510(k)s with Software (Section 16)
Certain Special Controls Guidance
The Risk Assessment is only required to be included if your device contains software, or if a special controls guidance document specifically requires risk assessment. It is not required for other 510ks.
Risk Control Option Analysis
Software and Certain Special Controls Guidance
Risk Control Verification and Validation
Sterilization (Section 14)
Biocompatibility (Section 15)
Software (Section 16)
Electrical Safety and EMC (Section 17)
Bench Performance Testing (Section 18)
Animal Performance Testing (Section 19)
Clinical Performance Testing (Section 20)
This will not be any additional or special documentation specific to Risk Management, and was already included in the DHF breakdown above, but the verification and validation also relate back to risk management in ensuring that the risks have been adequately mitigated.
Risk Benefit Analysis
Not Required for 510(k)
Risk Benefit analyses are only required for De Novo applications, Humanitarian Device Exemptions and PMAs.
Informing Users and Patients of Risks
Labeling (Section 13)
Part of the risk management will appear in the Labeling section of the 510k as warnings, contraindications, and precautions within the Instructions for Use and Package Labeling.
Risk Management Report
Special Controls Guidance Documents with Risk Management Requirements
Your first step in preparing your 510k submission is to search the FDA Guidance Document Database to determine if there is an applicable guidance document for your device. You can read another blog we wrote to explain Special Controls Guidance documents, and how to determine if one is applicable to your device. The following list provides examples of Class II Special Controls Guidance documents that require risk analysis to be included within the 510k:
When there are 510k risk management requirements, the special controls guidance document will typically state, “We recommend that the summary report contain:
An identification of the Risk Analysis method(s) used to assess the risk profile in general as well as the specific device’s design and the results of this analysis. (Refer to Section 6 for the risks to health generally associated with the use of this device that FDA has identified.)
Discussion of the device characteristics that address the risks identified in this class II special controls guidance document, as well as any additional risks identified in your risk analysis.”
The special controls guidance will also identify risks to health that have been identified for products of that type, which you should be sure to include in your risk analysis as appropriate.
More Information on Design Control and Risk Management Requirements
Hopefully, you are now able to determine which elements of your DHF are 510k design control requirements and which elements of your RMF are 510k risk management requirements. If you would like more information about how to implement design controls and risk management within your product development process, please consider registering for one of our training webinars:
If you need any further information or specific assistance with your 510k submission, please feel free to send me an email at email@example.com or schedule a call with our principal consultant, Rob Packard who can answer any of your medical device regulatory questions.