On March 29, if there is a No Deal Brexit from the EU, how will currently CE Marked medical devices be regulated in the UK?
In an article written by Sofia Petkar and published by The Sun, a UK News Company, the No Deal Brexit is described as “A no-deal British departure from the European Union means leaving without formal arrangements for the future relationship.”
Common Questions about No Deal Brexit
The above quote raises many questions regarding the medical device industry worldwide, not just concerning Great Britain and the European Union.
Would this mean that a no-deal exit would leave all of the British medical devices in an unregulated market?
Would current EU regulations no longer apply?
What about current EU approved devices, are they no longer approved for use in Britain?
Is there now a doom and gloom scenario where care providers have to find bandages and gauze from underground back alley dealers in trench coats!?!?!?
Would devices that normally need CE Marking now need to go through a separate process to be available in Britain? Would this apply to current CE Marked devices as well, or is there a grandfather period/clause?
Will Britain now have its own separate vigilance and reporting standards?
Basically will Britain have a compatible medical device regulatory system to the current European union one or will devices be regulated wholly independent of each other?
What the UK Department of Health says
If there is a No Deal Brexit, the UK would no longer be part of the EU regulatory network, and device manufacturers would need to submit medical device regulatory information directly to MHRA. The Uk’s Department of Health and Social Care updated their Guidance Document on January 3, 2019. The Guidance Document, How medicines, medical devices and clinical trials would be regulated if there’s no Brexit deal, summarizes what will happen to medical device regulations after March 29 if a deal is not reached.
The UK will recognize CE Marked medical devices, but formal UK presence at EU committees in respect of devices will cease.Should recognition of CE Marked devices change in future, adequate time will be provided for businesses to implement any changed new requirements. The UK will comply with all key elements of the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Regulations (IVDR), which will apply in the EU from May 2020 and 2022 respectively. The ‘Implications’ section of the guidance document explains it in this manner:
“The EU (Withdrawal) Act will ensure that existing EU rules are converted into UK law at the moment of exit, with changes where necessary to make sure the rules work in the UK. Where this is needed, we’ll give adequate time for business to implement any new requirements. Additionally, where possible, we’ll be making use of the information we already have to complete administrative tasks for continuity of work and licences.
There are a number of changes where a UK approach will be required. Some of these are set out below. Other areas and further detail on some of the areas included here will be covered by consultation in the early autumn.”
As much as the guidance does not provide definitive answers about the future, the guidance confirms that CE Marked devices will also be permitted in the post-Brexit UK market. UK recognition of CE Marked devices could change in the future, but the promise is made to allow “adequate time will be provided” for any required implementation. UK compliance with the MDR, and the IVDR is also stated in the guidance. More good news in that this means that the UK medical device industry will remain somewhat stable for the near term.
Implications identified in the MHRA guidance
The following implications of a No Deal Brexit are explained briefly in the MHRA guidance:
UK-based notified bodies will no longer be able to assess conformity of devices, and MHRA will no longer be able to assess those notified bodies.
MHRA will continue to perform its own post-market surveillance of medical devices, but MHRA will be able to make its own decision over marketing of devices in the UK–regardless of EU decisions.
Clinical studies conducted in the UK are managed nationally, and that will continue. However, MHRA is improving processes to enable closer relationships with ethics committees and allowing a single application and national decision.
Although legal representatives may continue to be based in the EU or EEA, an individual in the UK will need to have overall responsibility for the trial.
Mutual Recognition Agreements, Decentralized Procedures and Centralized Procedures are all possible outcomes of the Brexit, but MRHA will publish more information in the coming months.
This article outlines an EU MDR quality plan for compliance with European Regulation 2017/745 for medical devices by the May 26, 2020 transition deadline.
Biggest MDR quality plan mistakes
Implementing an MDR quality plan is not just about updating your technical file and the procedures specific to CE Marking of medical devices. You need to make sure that you have planned to provide adequate resources for successful implementation of your plan. Resources fall into four major categories, and all four should be addressed in a formal MDR quality plan that you have reviewed and approved during a management review meeting (i.e., ISO 13485:2016, Clause 5.6.3d). First, you need to provide adequate training. Second, you need to provide adequate equipment–such as UDI printing software and an electronic quality system database. Third, you need to provide adequate personnel. Fourth, you need to revise and update your quality system procedures.
European companies concentrated enormous resources in 2018 to prepare for implementation of the EU Regulations in 2020. This may seem early, but most of those companies are realizing they should have started in 2017–immediately after Regulation 2017/745 was approved by the European Parliament and Council. In contrast, most companies in the USA were focusing on ISO 13485:2016 certification and MDSAP certification. Unfortunately, many CEOs were told that there is a “soft-transition” and they have until 2024 to implement the new regulations. While it is true that most CE Certificates issued by notified bodies will be valid until their expiration date, and that date could be as late as May 25, 2024, it is not true that companies have until 2024 implement the new regulations. Quality system requirements in Article 10 of the MDR, and compliance with the MDR for economic operators, must be implemented by May 26, 2020. Any medical devices that are being reclassified will require full implementation by May 26, 2020 as well. Finally, notified bodies cannot renew 100% of the CE Certificates on May 25, 2020 to give manufacturers the full 4-year transition for certificates. You certificate will expire based upon the certificate renewal cycle that is already established.
Required procedures for your EU MDR quality plan
You might not know that ISO 13485:2016 certification is not actually required for CE Marking of medical devices. Although ISO 13485 certification is the most popular way for companies to demonstrate quality system compliance with EU regulations, the actual requirement is to comply with the thirteen procedural requirements in Article 10 of EU Regulation 2017/745. Specifically, those thirteen procedures are:
Note: If you are interested in one of the procedures listed above that does not have a hyperlink, please contact me via email at email@example.com. The procedures are available, and the links will be provided during next two weeks. The only exception is SYS-026. That is a new procedure in draft format, and it will be the subject of a future blog. Medical Device Academy will be revising each of the above procedures for compliance with EU Regulation 2017/745 in accordance with the MDR quality plan that we have outlined in this blog article. These procedures are all compliant with ISO 13485:2016, and updates for compliance with the EU MDR will be made available at no additional charge.
Priority of requirements for MDR quality plan
There are seven major changes required for compliance with the European Regulation 2017/745. These priorities are listed in order of highest to lowest effort and cost that will be required to comply, rather than the chronological order. First, some medical devices are being reclassified. Second, new CE certificates must be issued under the new conformity assessment processes. Third, technical documentation must be updated in order to meet Annex II of Regulation 2017/745. Fourth, post-market surveillance documentation must be updated in order to comply with Annex III of Regulation 2017/745. Fifth, specific documentation must be uploaded to the Eudamed. Specifically, manufacturers must upload UDI data, labeling and periodic safety update reports (PSUR). Sixth, all economic operators must be registered with Eudamed and comply with Regulation 2017/745 or new economic operators will need to be selected. Seventh, quality system procedures will need to be updated to comply with Regulation 2017/745.
Implementation timeline for MDR quality plan
If any of your devices are being reclassified, you will need to implement all of the above changes prior to the May 26, 2020 transition date. For example, reusable medical instruments are currently Class I medical devices, and manufacturers utilize Annex VII of the MDD as the conformity assessment process. Under EU Regulation 2017/745, these reusable instruments will require notified body involvement to issue a CE Certificate. This is a lot of work to complete in 17 months (i.e., 513 days and counting), and notified bodies will have a large backlog of technical files to review for existing customers before they will be able review documentation for new customers.
If your company already has CE Certificates for your medical devices, and none of your devices are being reclassified, you will need to implement only the sixth and seventh items listed above before the May 26, 2020 deadline. Uploading information to Eudamed is likely to be extended beyond the May 26, 2020 deadline and the transition may be staggered by risk classification–just as the US FDA did for UDI implementation in the USA. The second, third and fourth changes listed above will require compliance before your existing CE Certificate(s) expire. Best-case scenario, this could be four (4) years after the transition deadline.
Today the FDA released a press release announcing plans to implement a alternate 510k pathway called the “Safety and Performance Based Pathway.”
What is the current 510k pathway for clearance of medical devices?
The current version of the 510k pathway is defined in a guidance document on substantial equivalence that was released on July 28, 2014. The pathway involves six questions that an FDA reviewer must answer before it can be determined whether a new device is equivalent to an existing device that is legally marketed in the USA. These are the 6 questions:
Is the predicate device legally marketed?
Do the devices have the same intended use?
Do the devices have the same technological characteristics?
Do the different technological characteristics raise different questions of safety and effectiveness?
Are the methods of evaluating new/different characteristics acceptable?
Does the data demonstrate substantial equivalence?
Five (5) ways the FDA strengthened the current 510k pathway
Today the FDA released an 8-page presentation summarizing five (5) ways that the FDA strengthened the current 510k pathway during the past several years. The five ways are:
Increased expectations for the content of a 510k submission
Improved consistency and thoroughness of the 510k review process
Elimination of the 510k pathway for Class III devices
Eliminated the use of > 1,000 unsafe devices as legal predicates
You may have been complaining that 510k requirements seem to change constantly. Now you have proof that the changes to the 510k pathway are part of a strategic plan implemented over the past decade. Lawyers may argue that the resulting regulations go well beyond the intent of the original 510k legislation. This is completely true. The cumulative effect of implementing dozens of 510k guidance documents is that the official interpretation of the 510k section of the Food and Drug Act now has little resemblance to the original legal intent.
The original intent of the 510k legislation was to allow competitors to copy an existing device that is legally marketed in the USA. Cumulative changes to a device that existed in 1976, eventually results in a completely new device. The word “equivalent” has been perverted to such an extent that thousands of devices now exist that do not even remotely resemble devices from 1976. The FDA recognized this around 2007, and the US device regulations began to “strengthen.”
What is basis for the Alternate 510k Pathway?
The basis for the alternate 510k pathway is submission of data that is safety and performance based instead of comparison to an older predicate. In addition, the new pathway will enable you to make comparative claims by demonstrating that the new subject device meets or exceeds the safety and performance criteria. There is also a goal to use the pathway as a potential method of harmonizing the US medical device regulatory process with other global medical device regulations. The new process, combined with improved post-market surveillance, will complement the FDA’s work on NEST by allowing the FDA to rapidly require implementation of risk controls to address identified safety issues.
What is the expected timeline for implementation of the Alternate 510k Pathway?
The alternate 510k pathway has been in development for quite some time. Jeff Shuren first announced the plan to create the alternate 510k pathway at AdvaMed’s MedTech conference in San Jose, California in September 2017. On Monday, December 11, 2017, the FDA announced that a draft guidance would be released in Q1 of 2018. On April 12, 2018 the FDA finally released the draft guidance for public comment.
The FDA intends to release a final guidance for the new alternate 510k pathway in early 2019. This pathway will initially be limited to “well-understood device types”–probably as a 510k pilot program. You can expect this new pathway to be released in a similar way to the Special 510k expansion pilot and the Quik 510k pilot. That final guidance will be released, and the pilot will begin immediately after release of the guidance.
Is this new process likely to require significant changes to future 510k submissions?
The phrase “significant changes” is subjective, but if you look at the current 20 required sections of a 510(k) submission, there is only one section that would be required to change for the new alternate 510k pathway. Specifically, section 12 is currently used for a substantial equivalence comparison. This section would not be applicable under the alternate 510k pathway. Under the alternate 510k pathway, you can expect the FDA to require at least a summary of the safety and performance data to be submitted for approval of the subject device.
Another change you can expect is that all devices submitted under the alternate 510k pathway will be required to have a benefit-risk analysis in accordance with the corresponding FDA guidance. This new guidance was released on September 25, 2018 as a draft. However, a benefit-risk analysis is required for De Novo applications, CE Marking applications and it is logical that the FDA will also require this for 510k submissions that do not rely upon equivalence to predicate device.
More Information on the Medical Device Safety Action Plan
The FDA created a webpage on its site providing information about the Medical Device Safety Action Plan. The page includes several hyperlinks to documents with more information. Below are a few of the relevant links:
The FDA also indicated that a new guidance for De Novo applications will be released in a couple of weeks. Please subscribe to our blog, and you will receive notification of a blog in response to that guidance when it is released.
This article defines the requirements for design and risk management planning that were used to create our new design plan template.
Why combine Design and Risk Management Plans into a Design Plan Template?
There are two primary reasons for combining your risk management plan with your design plan. The first reason is to reduce the number of documents you must maintain and control. The second reason is that there are different requirements for risk management during the design process and after commercial release of a new product. Therefore, you will need one risk management during the design phase, and a second risk management plan after your product is released. You can achieve this by incorporating your risk management plan with your design plan and your post-market surveillance plan. Therefore, you only need to maintain two documents instead of four.
Six requirements for your design plan?
There are no specific design planning requirements in the new European MDR, but the requirements for design planning are specified in ISO 13485:2016, Clause 7.3.2. In the previous version of ISO 13485, the requirement for a design procedure and a design plan were combined into one clause (i.e., Clause 7.3.1). Now these two requirements have been split into independent clauses. The requirement to manage the interfaces between various groups involved in the design project was removed from the requirements for design planning in the new version of the standard, but three additional requirements were added. The following sub-clauses did not change (although numbering changed):
7.3.2a) document the design and development stages
7.3.2c) document verification, validation and transfer activities required at each stage
7.3.2d) document responsibilities and authorities
First new requirement in your design plan template
The first new requirement is in Clause 7.3.2b). You are required to document the design reviews required at each stage. This does not mean that a review is required at every stage, but your plan should specify at which stages you will conduct a review. At a minimum, a final design review is required for commercial release of the device. My recommendation is to have a review at every stage for every project. If you design inputs have not changed from the previous version of the device, then the stage leading up to the approval of design inputs will be very short, and that design review meeting can be 30 minutes or less. If you make changes to your design control procedure in the middle of a project, I recommend that you maintain compliance with the existing procedure until the next design review. The design review gives you a great opportunity to document changes to the design procedure, design plan and any other adjustments to documentation that may require completion of a new version of a form.
Second new requirement in your design plan template
The second new requirement is in Clause 7.3.2e). You are required to document methods of traceability between design inputs and outputs. This is a requirement that most companies do poorly. In theory, you can use a spreadsheet to list all the design inputs and the adjacent column can list the corresponding design outputs. Many companies use an input / output / verification / validation (IOVV) diagram. You can also add user needs to this diagram. The challenge with method of documentation is that it is labor intensive to make updates. You must update the references to inputs every time a standard is updated. The outputs must be updated every time a drawing or specification is changed. Every time you update a verification or validation testing report, the diagram must be updated too.
Third new requirement in your design plan template
The third new requirement is in Clause 7.3.2f). You are required to document the resources needed at each stage–including the necessary competence of personnel. In general, companies experiencing difficulties in documenting competency for personnel, but this requires that you document competency for each person on a design project for each stage. My recommendation is to keep it simple. Tables are usually the simplest way to document this type of information. For example, you can use a three-column table: 1) role, 2) responsibility, 3) competency requirements. In general, I recommend that anyone on your design team has training on design controls and risk management. However, training and competency are not equivalent. In order to demonstrate competency, you must have prior experience documented in that area.
What is required in a Risk Management Plan?
EN ISO 14971:2012 requires a risk management plan in Clause 3.4, but there are some subtle changes needed for compliance with the new draft ISO/DIS 14971. In addition, there are new requirements in Regulation (EU) 2017/745. Specifically, in Essential Requirement 3:
(a) establish and document a risk management plan for each device;
(b) identify and analyse the known and foreseeable hazards associated with each device;
(c) estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse;
(d) eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4;
(e) evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability; and
(f) based on the evaluation of the impact of the information referred to in point (e), if necessary amend control measures in line with the requirements of Section 4.
In our previous blog on changes to the risk management process, we identified 9 activities that should be included in your risk management plan:
This article describes updates being made to the ISO 14971 Standard in the new draft version released for comment in July 2018.
There are two versions of ISO 14971 that are currently available. The first is the international version: ISO 14971:2007. The second is the European normative version: EN ISO 14971:2012. There is also a new draft being created by the TC210 committee for release in 2019.
Explanation of the different versions of the ISO 14971 standard
In 2000, the first edition of ISO 14971 was released as the international standard for risk management of medical devices. In 2007, the second edition of ISO 14971 was released. When new international standards are released, a European normative version is also released. The “European Norm” or EN version is intended to identify any gaps between the international standard and the requirements of the applicable European directives (i.e., the MDD, AIMD and the IVDD). These gaps historically were included in the ZA annex at the end of the EN version. However, in 2009 this annex was split into three annexes (i.e., ZA, ZB and ZC) to address each of the three directives separately. In reality, the 2009 annex only differed with regard to the directive referenced. In 2012, a new EN version was released. This new standard included 7 deviations which were controversial. These deviations were intended to identify contradictions between the directives and the international standard, but the interpretations were not agreed with by companies or most of the Notified Bodies. Ultimately, the 7 deviations were required to be addressed in the risk management files for any medical device that was CE Marked.
What changed between ISO 14971:2007 and ISO/DIS 14971:2018?
The TC210 working group assigned to update the ISO 14971 standard (JWG1) was tasked with improving guidance for implementation of ISO 14971, but the committee was also tasked with making these improvements without changing the risk management process. In addition, the committee was asked to move the informative annexes at the end of ISO 14971 from the standard to the guidance document ISO/TR 24971. Therefore, in July the committee released a draft for comment and voting. Draft versions are identified with the prefix “ISO/DIS.” The ISO/DIS 14971 standard released in July has only three annexes: A) Rationale for the requirements, B) Risk management process for medical devices, and C) Fundamental risk concepts (formerly Annex E). The other 7 annexes were moved to the draft of ISO/TR 24971. The reason stated for moving these Annexes to the guidance document was to make future revisions to the guidance easier to implement, because it is a guidance rather than a standard. However, there were also some objectionable recommendations in the informative annexes that were the subject of deviation #3—ALARP from Annex D.8 vs. “As far as possible” in the first indent of section 2 of Annex I in the MDD.
Although the committee was tasks to make improvements in the implementation of ISO 14971 without changing the process, the new draft has subtle changes in the process. Most of these changes can be identified quickly by reviewing the updated risk management flow chart provided in Figure 1. The updated flow chart now has two places where risks are evaluated. The first place is identical the original Figure 1, but now the associated section is clarified to be specific to evaluating individual risks. The second place in the flow chart is new, and specific to evaluation of overall residual risks. The draft standard also states that different acceptability criteria and methods of evaluation may be used for each evaluation phase in the process. There have also been subtle changes to the names of process phases:
Section 7.4 is now “Benefit/Risk” analysis instead of “Risk/Benefit” analysis—although the draft flow chart does not reflect this.
Section 9 is now “Risk Management Review” instead of “Risk Management Report”
Section 10 is now “Production and post-production activities” instead of “Production and post-production information”
There is also more detail in the diagram under the phases for: 1) risk analysis, 2) risk control, and 3) production and post-production activities.
Three new definitions are introduced in the draft standard: 3.2, benefit; 3.15, reasonably foreseeable misuse; and 3.28, state of the art. The section for identification of hazards, Clause 5.4, was reworded and expanded to consider the reasonably foreseeable sequences or combinations of events that can result in a hazardous situation. The draft standard now states that your risk management plan must also include a method to evaluate the overall residual risk and the criteria for acceptability of the overall residual risk. In the section for risk estimation, Clause 5.5, the draft standard states that if the probability of the occurrence of harm cannot be estimated, the possible consequences shall be listed for use in the risk evaluation and risk control. The risk control option analysis priorities in section 7.1 are updated to match the new MDR, Regulation (EU) 2017/745, nearly exactly. In section 9, risk management reports were changed to risk management review and the clause now requires determining when to conduct subsequent reviews and when to update reports. This emphasizes the requirement to continuously update risk management documentation with input from production and post-production information. This mirrors the emphasis on continuously updating post-market clinical follow-up in Regulation (EU) 2017/745, Annex XIV, Part B, Section 5; and continuously updating clinical evaluations in Regulation (EU) 2017/745, Annex XIV, Part A, Section 1.
Will ISO 14971:2019 address the 7 Deviations in EN ISO 14971:2012?
The new MDR, Regulation (EU) 2017/745, revised and clarified the wording of the essential requirements in the MDD. The MDR attempts to clarify the requirements for risk management files of CE Marked products, but the MDR remains different from the requirements of ISO 14971. Unfortunately, because the ISO/DIS 14971 was not intended to change the risk management process of ISO 14971:2007, there will continue to be “deviations” between the MDR and standard.
Some people have tried use ISO/TR 24971, the risk management guidance, as the official interpretation of how the risk management standard. However, the guidance is also a product of the TC210 committee, and it does not meet all requirements of the MDD or the MDR.
The new draft does, however, include changes that address some of the deviations in EN ISO 14971:2012. Below, each of the 7 deviations are listed and hyperlinks are provided to other articles on each individual deviation.
Negligible Risks – The word “negligible” was only in one location in the body of the standard as a note referring to Annex D.8. In the draft, Annex D was removed and relocated to ISO/TR 24971, and the note was eliminated from Clause 3.4—now Clause 4.4 in the draft. This deviation should be fully resolved by the draft.
Risk Acceptability – Clause 7 was renumbered to Clause 8 in the draft, but the title of this clause was also changed from “Evaluation of overall residual risk acceptability” to “Evaluation of overall residual risk.” However, if you read the Clause it still refers to determining acceptability of risks. In note 2 of Annex ZA of the draft, it states that determining acceptable risk must be in compliance with Essential Requirements 1, 2, 5, 6, 7, 8, 9, 11 and 12 of the Directive. This deviation should be fully resolved by the draft.
ALARP vs. “As far as possible” – The European Commission believes that the concept of “ALARP” implies economic considerations, and some companies have used economics as a reason for not implementing certain risk controls. ALARP was eliminated from the notes in the risk management plan clause and by moving Annex D.8 to ISO/TR 24971 and adding note 1 in Annex ZA. This deviation should be fully resolved by the draft.
Benefit/Risk Analysis – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when a benefit/risk analysis must be conducted has not been updated. This deviation is not resolved by the draft. Companies that CE Mark products will need to perform a benefit/risk analysis for all residual risks and all individual risks—despite the wording of the standard.
Risk Control – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when risk controls must be implemented. The International Standard gives companies the option to avoid implementation of risk controls if the risk is acceptable, while the MDD requires that risk controls be implemented for all risks unless the risk controls create additional risks that increase risks or the risk controls do not actually reduce risks further. This deviation is not resolved by the draft. Companies that CE Mark products will need to implement risk controls for all individual risks—despite the wording of the standard.
Risk Control Options – The intent of Clause 6.2 in ISO 14971:2007 was likely to be the same as the MDD. However, the European Commission identified the missing word “construction” as being significant. Therefore, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. This deviation should be fully resolved by the draft.
IFU Validation – Again, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. However, the examples of information for safety (i.e., warnings, precautions and contraindications) were not included. Hopefully, the final version of 3rd edition will include these examples. Clause 8, evaluation of overall residual risk, was also reworded to state, “the manufacturer shall decide which residual risks to disclose and what information is necessary to include in the accompanying documentation in order to disclose those residual risks.” This deviation should be fully resolved by the draft.
Recommendations for your Risk Management Process?
The most important consideration when establishing a risk management process for medical devices is whether you plan to CE Mark products. If you intend to CE Mark products, then you should write a procedure that is compliant with the current requirements of the MDD and future requirements of Regulation (EU) 2017/745. Therefore, the 7 deviations should be addressed. In addition, you need to maintain compliance with the current version of the Standard.
I recommend creating a process based upon the new updated process diagram in the new draft. The process should begin with a risk management plan. For you plan, you may want to create a template and maintain it as a controlled document. It could also be part of your design and development plan template, but the plan should include each of the following risk management activities:
Risk control option analysis
Risk control verification of effectiveness
Evaluation of overall residual risk
Risk management review
Production and post-production activities
Your procedure should also be integrated with other processes, such as: 1) design control, 2) post-marketing surveillance, and 3) clinical evaluation. Your procedure must clearly indicate the priority for implementation of risk control options. The best strategy for ensuring risk control priorities are compliant is to copy the wording of the new EU Regulations verbatim. Your process should include performing benefit/risk analysis. You should also define your process for risk management review. Your review process should specify when subsequent reviews will be done and when your risk management report will be updated. Finally, you should identify a post-market surveillance plan for each device, or device family, and use that post-market surveillance data as feedback in the risk management process.
The one element that appears to be weakly addressed in the body of the standard is the requirement for traceability of each hazard to the other elements of the risk management process. Although traceability is mentioned in Clause 3.5 of the 2nd edition, and Clause 4.5 of draft 3rd edition of ISO 14971, that is the only place is mentioned in the body of the standard. Traceability is mentioned several more times in Annex A, but the focus seems to be on the risk management file. Companies need more guidance on how to achieve this traceability. The appropriate place for this guidance is probably in ISO/TR 24971, but in order to maintain this documentation it is likely that a software database will be critical to maintaining traceability as changes are made during design iterations and after commercialization. This type of software tool is also need to expedite the review of risk management documentation during complaint investigation.
Which Risk Analysis Tool should you use?
In Annex G of ISO 14971:2007, and the EN 2012 version, there are five different risk analysis tools described. The word “described” is emphasized, because informative annexes are not “recommended.” The committee that created the 2nd edition of ISO 14971 wanted to provide several suggestions for possible risk analysis tools to consider. However, each tool has strengths and weaknesses. Additionally, the widespread use of the failure-mode-and-effects analysis (FMEA) tool in the automotive and aerospace industries has spread to the medical device industry and companies seem to believe that regulators prefer the FMEA tool. This is not true. Companies should be trained in all of these tools, training should consist of more than just reading Annex G and the tools should be used where they are most beneficial. My personal recommendations are below:
Preliminary Hazard Analysis (PHA) – This process is absolutely critical during development of design inputs. It is also the most underutilized analysis tool. I have not seen a single example of this tool written in a procedure by any medical device company. I believe this process should be continuously updated as part of training new design team members and should be both product and project specific.
Fault-tree Analysis (FTA) – This process is a top-down approach to risk analysis. It is heavily utilized by transportation engineers when intersections are designed, and accidents are investigated. This tool depicts risk analysis pictorial as a tree of fault modes representing each possible root cause for failure. At each level of the tree, fault mode combinations are described with logical operators (i.e., AND, OR). The information displays frequency of each fault mode quantitatively. Therefore, when you are investigating a complaint, the tree can be used to help identify possible fault modes that may have been the root cause of device failure. You may also be interested in the standard specific to Fault tree analysis (FTA): IEC 61025:2006.
Failure Mode and Effects Analysis (FMEA) – This process is a bottom-up approach to risk analysis. It is heavily utilized by the automotive and aerospace industries. This tool systematically lists all failure modes in groups organized by component. Risks are estimated based upon severity of effect, probability of occurrence and detectability. Over time, the FMEA process split into three tools: 1) process FMEA (pFMEA), 2) design FMEA (dFMEA), and 3) use FMEA (uFMEA). The first is ideal for analyzing and reducing risks associated with manufacturing of devices. In particular, the detectability factor can be linked closely with process validation. The second evolved from the realization that detection of a risk after the device is in the user’s hands does not actually reduce risk. A risk reduction only occurs if detectability is proactive. Therefore, this was stated in Annex G.4 and companies began to eliminate detectability and continued to use FMEA as their primary tool. Due to the widespread familiarity with the FMEA tool, usability FMEAs became popular for documenting risks associated with use of a device. Unfortunately, the only real advantages of a dFMEA and uFMEA are familiarity with the tool. You may also be interested in the standard specific to FMEA: IEC 60812:2018.
Hazard and Operability Study (HAZOP) – In addition to the risks of using devices, there are also risks associated with the production of devices. Processes related to coating, cleaning and sterilization are all processes that typically involve hazardous chemicals. The chemical and pharmaceutical industries use HAZAP as a tool to analyze these process risk and prevent injuries. You may also be interested in the standard specific to HAZOP: IEC 61882:2016.
Hazard Analysis and Critical Control Point (HACCP) – This process is primarily used by the food industry to prevent the spread of contaminated food supplies. Even though it is not typically used by medical device manufacturers, it should be considered as a tool for managing the supply chain for devices. This model is useful when manufacturing is outsourced, or secondary processing is conducted at second and third-party suppliers. Since many FDA inspectors started in the food industry as inspectors, this is also a method that is supported by the FDA as a risk control process for outsourced processes.
How to document your risks?
For simple devices, risk management documentation is a burdensome task. For complex devices, a spreadsheet could include hundreds of lines or more than even one thousand individual lines. In addition, the requirement for traceability requires additional columns in a table. Therefore, it becomes nearly impossible for you to include all the required information on a page that is 11 inches wide. If you expand your page to 17 inches wide, the size of your font will need to be very small. If you make a change, your spreadsheet can be difficult to update quickly. You could purchase a 43” widescreen TV for your monitor, or you can use dual monitors for your display, but changes remain difficult to implement without a mistake.
You need to stop relying upon spreadsheets. Use a database, and don’t use Microsoft Access. Purchase a database that is designed to document design controls and risk management traceability. If your company has software expertise, develop your own software tool to do this. You should also design standardized templates for exporting your reports. By doing this, it will only take minutes to create an updated report when you make design changes. If you describe the risk management activities as notes in your software, the description of these activities can also be automatically converted into summary pages for each report summarizing that risk management activity. You can even prompt the user to answer questions in the software to populate a templated document. For example, you can prompt users to input subsequent updates of your risk management reviews and that can be automatically converted into a summary paragraph. This reporting capability is especially helpful when responding to FDA review questions asking for cybersecurity risks.
Additional Training Resources for ISO 14971
The risk management training webinar was being completely rewritten to address changes proposed in the new draft of ISO 14971 (i.e., ISO/DIS 14971) released in July 2018 and European requirements for compliance with Regulation (EU) 2017/745. The webinar was live on October 19, 2018; but it was recorded for anyone that was unable to participate in the live session.
SYS-010, Medical Device Academy’s Risk Management Procedure, is compliant with EN ISO 14971:2012. The procedure includes templates for documentation of design risk management and process risk management. However, we are rewriting the procedure for compliance with ISO/DIS 14971:2018 and Regulation (EU) 2017/745. The new version of the procedure will be available on or before October 26, 2018. The procedure is temporarily available at a discounted pre-order price, but the cost will increase to $299 once the new version is available.
The new 5th edition of the biocompatibility standard, ISO 10993-1-2018, was released in August and this article explains the changes and potential impact.
ISO 10993-1-2018 is the 5th edition of the biocompatibility standard for evaluation of medical devices. The new version, released in August, replaces the 2009 version of the standard. I was unable to find a European version of this standard, but you can expect one to be made available very soon–probably before you read this article. If your company is CE Marking devices, once the European standard is released you will be required to perform a gap analysis against the new standard and assess whether retesting is required for your products in order to remain compliant with CE Marking requirements.
The 5th edition includes a foreword that explains the changes from the 4th edition. The 5th edition replaces the 4th edition (i.e., ISO 10993-1-2009), and it incorporates the correction that was made in 2010. The most significant changes from the previous edition are:
Table A.1 in Annex A, Evaluation Tests for Consideration, was expanded with the addition of six new columns:
“physical and/or chemical information”
“material mediated pyrogenicity”
In addition, instead of tests to be conducted being identified with an “X,” the updated table now identifies endpoints to be considered with “E.” The only column containing an “X” is the column for physical and/or chemical information. This information is identified as a prerequisite for a risk assessment. The new Annex A is now 5 pages in length.
The 3-pages that were Annex B, “Guidance on the risk management process,” has been completely replaced with 13-pages from ISO TR 15499-2016, “Guidance on the conduct of biological evaluation within a risk management process.”
Twenty-one (21) new definitions for terms were added to the 5th edition–including “3.9 geometry device configuration,” “3.15 nanomaterial,” “3.16 non-contacting,” “3.17 physical and chemical information,” “3.25 toxicological threshold” and “3.26 transitory contact.”
Additional information on the evaluation of non-contacting medical devices and transitory-contacting medical devices was added.
Expansion of the standard to include evaluation of nanomaterials and absorbable materials. This includes addition of section B.4.3.3 in Annex B for guidance on pH and osmolality compensation for absorbable materials.
An additional reference to ISO 18562-1, -2, -3 and -4, for “Biocompatibility evaluation of breathing gas pathways in healthcare applications,” was added as well. However, the four standards in the ISO 18562 series should be purchased if you are conducting a biocompatibility evaluation for a device of this type (e.g., respiratory gas humidifiers).
There are also many minor changes in the 5th edition, but Annex C is almost identical to the previous version. The only change I noticed was the addition of “Preference may be given to GLP over non-GLP data,” to clause C.2.3.
Correspondence with FDA Guidance on Use of ISO 10993-1-2018
Table A.1 in Annex A is quite similar to Table A.1 in the FDA guidance, and 100% of the columns match except the column for “physical and/or chemical information.” Although, the FDA guidance does not have a column in the table indicating that physical and chemical characterization is required as a prerequisite for the risk assessment, it is very clear from the language in the guidance that information about the physical and chemical characteristics of the device “should be provided in sufficient detail for FDA to make an independent assessment during our review and arrive at the same conclusion.” The FDA guidance also requires information about the surface properties of the finished device. The FDA included a section specific to “Submicron or Nanotechnology Components,” which is consistent with the ISO 10993-1-2018 where there references throughout the standard to ISO/TR 10993-22, Guidance on nanomaterials. The FDA guidance does not, however, include guidance on pH and osmolality compensation for absorbable materials. The FDA guidance also does not include a reference to the ISO 18562 series of standards, but the FDA product classification database was updated in June to include reference to the ISO 18562 series of standards when they were added to the database of recognized standards.
Correspondence with the European Directive and EU MDR
The 4th edition of the EN version has Table ZA.1 explaining the correlation between the standard and the European Directive. Specifically, Clauses 4, 5, 6 and 7 of the European Standard correspond to Annex I, Essential Requirements 7.1, 7.2 and 7.5 in the MDD. In the new Regulation (EU) 2017/745, these clauses correspond with Annex I, Essential Requirements 10.1, 10.2 and 10.4. Therefore, you should expect the European version of ISO 10993-1-2018 to include a table similar to Table ZA.1, but you should also anticipate that your evaluation of biological risks will need to be updated and additional testing may be required in order to remain compliant for any devices that are CE Marked.
Changes to the biological evaluation process in ISO 10993-1-2018
As in the previous version of the biocompatibility standard, Figure 1 is a decision tree that follows the biological evaluation process outlined in the standard. At first glance, the updated Figure 1 appears to be essentially unchanged. However, even though the updated figure has exactly the same shape and the same number of elements, there are subtle changes. For example, the potential effects of geometry is emphasized in the ISO 10993-1-2018. The more significant change in the process is at the end. Where it used to say, “Testing and/or justification for omitting suggested tests,” the updated figure now includes a reference to Annex A under those words. Where it used to say, “Perform Biological Evaluation,” the updated figure now says, “Perform Toxicological Risk Assessment (Annex B)”.
Annex B is where the most visible changes are found in the ISO 10993-1-2018. For example, in the previous version of the biocompatibility standard, there was a reference to creating a prospective, biological evaluation plan as part of the risk management plan. In the 5th edition, clause B.2.2 outlines the Biological Evaluation Plan–which is sometimes referred to by its acronym of “BEP” by third-party testing labs.
In addition, clause B.4 provides guidance for biological evaluation. This guidance is directly copied from ISO/TR 10993-22, but it answers the frequently asked question of “how do you perform a biological evaluation.” The basic steps of the biological evaluation, which have not changed, are:
Material characterization (B.4.1)
Collection of existing data (B.4.2)
Device testing considerations (B.4.3)
Biological safety assessment (B.4.4)
However, the guidance provides details for each step, as well as general guidance on when changes may require re-evaluation of biological safety, GLPs and biocompatibility evaluation documentation. In general, the focus of ISO 10993-1-2018 is now on the evaluation of toxicological data in Annex B, rather than passing a few required tests that were previously identified in Table A.1.
Will ISO 10993-1-2018 Require you to Retest for Biocompatibility?
In general, I do not expect that the changes to ISO 10993-1-2018 will require extensive retesting for your company. However, you can expect a significant amount of rewriting of your biological evaluation report to be required. Now you will need to more fully characterize the physical and chemical characteristics of your device, and you will need to provide a more comprehensive biological safety assessment–including an evaluation of toxicological data for each chemical including in the formulation of your device. It’s possible that you may even identify certain chemicals in the material formulation that prevent you from using a material–even though the material may have passed all biocompatibility tests in the past. I will also need to update one of my own articles on biocompatibility and a biocompatibility webinar.
There are 38 product classification codes that the FDA selected for the Quik 510k Pilot program to evaluate version 3 of the eSubmitter software.
What are the three (3) advantages of the new Quik 510k pilot program?
There are three (3) advantages of using the eSubmitter software as part of the Quik 510k pilot. The first advantage of using the eSubmitter software is that the refusal to accept (RTA) process will be eliminated. This change is huge, because nearly 50% of submissions are rejected during the RTA screening process. The hope is that the eSubmitter software will prevent companies from submitting submissions that are missing required content, and therefore the RTA process will not be needed. However, we have seen many submissions placed on hold for technicalities rather than sub-standard submissions. Therefore, it will be fascinating to see the FDA reported outcomes from the Quik 510k pilot.
The second advantage of using the eSubmitter software is that the reviews will be interactive. This means that reviewers are not expected to have any additional information (AI) requests. This also means that submitters will need to respond to questions from reviewers quickly. For example, I have received a call on Friday afternoon after 5:00pm EDT asking if I could make a revision to document and email that document to the reviewer by Monday morning. This is an extreme example, but 48-72 hours is typical for a required turn-around during interactive reviews.
The third advantage of using the eSubmitter software is that the FDA is targeting completion of their 510k review within 60 days. This 30-day reduction may seem huge, but the FDA already cut 15 days off their review timeline by eliminating the RTA screening. Second, the FDA picked 38 product classification codes that should not have difficulty reviewing in 60 days. Not all product classifications have the same amount of testing data required, and I do not expect the FDA to be able to review all product classification codes in 60 days–even with eSubmitter.
Although the Quik 510k pilot mentioned that submissions would be zipped, eSubmitter is also designed for electronic submissions through an electronic submissions gateway (ESG). An ESG has the added advantage that you will not need to ship your submission via FedEx. This advantage will gain you only a maximum of 24 hours, but I wish I had those 24 hours last week. Every year, in the last week of September, all the small businesses with small business qualification try to submit their 510k prior to end of the fiscal year (i.e., September 30). This year I had four clients that were in this position. One was unable to get the data they needed to complete their submission prior to September 30. The other three were making last minute changes up until the afternoon of Thursday, September 27. One of those submissions was extremely challenging, because the submission included video files that exceeded 1GB in total. Therefore, I called CDRH’s eCopy Program Coordinators at 240-402-3717. They were extremely helpful. They said that it would be best to provide two identical eCopies, or to save the MISC FILES and STATISTICAL DATA folders on a separate flash drive. The reason for this is that very large submissions can take days to upload into the CDRH database. Therefore, the picture below shows you what my final solution was for the three submissions this week. The De Novo submission had to be split.
What our firm has done to take advantage of the Quik 510k pilot
If you have a product with any of the 38 product classification codes listed above, and you need to submit a 510k in the next 6 months, you are very fortunate. Your submission will be prioritized by the FDA and you are likely to be able to get your device cleared in 60 days or less. Our firm is very anxious to take part in this pilot because the FDA intends to require the eSubmitter software for all submissions in the future, and we expect other product classification codes to be added to the pilot over time. We process dozens of 510k submissions each year and mastering the nuances of the software is critical to our continued success. I already downloaded the software and installed it onto my computer. I also created a complete submission as a test. eSubmitter saved several hours in the preparation of a 510(k) from the typical 40 hours the process takes. Therefore, I expect implementation of new eSubmitter software to a triple win for the FDA, clients and our firm. In fact, I plan to request that the FDA add De Novo submissions next to this pilot. The reason is that De Novo submissions typically have more content and the content is more variable. I think this would be an extremely challenging test for eSubmitter, and the relatively small volume of De Novo submissions would limit the impact upon FDA resources.
Changes to eCopy Requirements in 2018
In 2017, the FDA indicated that eSubmitter software was going to be revised and it would be approximately 2 years before companies would be able to submit a 510k electronically to the FDA. Until then, companies must ship an electronic eCopy and a paper copy to the FDA Document Control Center (DCC). The eCopy guidance states, “An eCopy is accompanied by a paper copy of the signed cover letter and the complete paper submission.” However, the FDA’s eCopy guidance has not been updated since December 3, 2015. There are some unofficial changes to the policy, and the FDA no longer requires the complete paper submission. Instead, you can submit an eCopy accompanied by a paper copy of the signed cover letter.
Before February 2018, we would print 1,000+ pages for each 510k submission, pack two 3” three-ring binders in 12”x12”x6” ULine boxes and ship the box to the FDA overnight via FedEx. We typically would charge $400 for this eCopy service. After the unofficial policy change, all of our 510k submissions consist of a paper copy of the cover letter and an eCopy on a USB flash drive. We only charge $150 for the FDA eCopy service, and 100% of our eCopy submissions have been uploaded without problems this year.
What is the difference between creating an eCopy and submitting with eSubmitter (cited from FDA website)?
There are four differences between eSubmitter and eCopies:
An eSubmission package contains PDF attachments and XML file types. The XML files are intended for CDRH IT systems to process the application. Reviewers will not see these XML files.
The parts of the eCopy guidance that describe the structure of a 510(k) submission will not apply to the Quik Review Program Pilot.
An eSubmission is organized according to the layout of the template, which places administrative documents (e.g., Form 3674, the 510(k) Summary, the Truthful and Accurate statement) at the end of the submission because their applicability is determined based on the answers to questions in the body of the template (e.g., Form 3674 is only required if the applicant indicates clinical data are included).
Electronic signatures are used in the submission (e.g., on the Truthful and Accurate statement), rather than physical signatures.
eSubmitter Template Options
For device 510k submissions, the FDA’s eSubmitter gives you three options:
Template Version 1.3, for In Vitro Diagnostic 510k submissions to CDRH only, allows you to create a 510k submission and the eSubmitter software will package your submission in a specially formatted zip folder that you can save to a compact disc (CD), digital video disc (DVD) or flash drive. Then the you must print a paper copy of your signed cover letter and ship the eCopy created by eSubmitter with your paper copy of the cover letter to the FDA DCC.
Template Version 1.2.1, for Non-In Vitro Diagnostic 510k submissions that are among the 1,000+ other product classifications not included in the Quik 510k pilot (CDRH: Medical Device eCopies), you can create a 510k submission and the eSubmitter software will package your submission in a folder for you. You can then copy the contents of that folder to a compact disc (CD), digital video disc (DVD) or flash drive. Then the you must print a paper copy of your signed cover letter and ship the eCopy created by eSubmitter with your paper copy of the cover letter to the FDA DCC.
Template Version 3.2, for Non-In Vitro Diagnostic 510k submissions that are among the 38 product classification codes that are listed above for the Quik 510k pilot program. This allows you to create a 510k submission and the eSubmitter software will package your submission in a specially formatted zip folder that you can save to a compact disc (CD), digital video disc (DVD) or flash drive. Then the you must print a paper copy of your signed cover letter and ship the eCopy created by eSubmitter with your paper copy of the cover letter to the FDA DCC. This template is unique to the Quik 510k pilot program. There is a red bar that appears at the top of the screen:
“This template should only be used to construct a submission if you are submitting it as part of the Quick Review Pilot. All others may use the content of this template as a reference to aid in constructing an eCopy. If you are not part of the Quick Review Pilot, do not construct a submission with this template, it will be rejected.”
When you create your own eCopy, then you will need to create a volume based or non-volume based submission in accordance with the eCopy guidance. The volume folders and/or files are saved to a compact disc (CD), digital video disc (DVD) or flash drive. Then the you must print a paper copy of your signed cover letter and ship the eCopy you created with your paper copy of the cover letter to the FDA DCC.
Warning: If you are using Windows 10, and you save your eCopy or eSubmitter zip folder on a flash drive, Windows 10 will automatically create a hidden system folder titled “System Information Volume.” This folder is created as a security feature to enable you to recover accidentally deleted content. However, this folder results in an error when the FDA attempts to upload your submission automatically. Therefore, you must remove this hidden system folder. Instructions for this can be found on our website page about eCopy hidden system files.
A third party review is the review of a 510(k) that has been submitted directly to a third party rather than the FDA themselves. Back in 1997 as part of the FDA Modernization Act or FDAMA the ‘Accredited Persons Program’ was created. This allowed the FDA to accredit persons, or ‘third parties’ to conduct the primary review of certain 510(k) submissions. One of the goals of this program was to be able to make the submission and review process faster and more efficient.
The third party review is not a full alternative to submitting a 510(k) to the FDA. Third parties are authorized by the FDA to conduct the primary review of specific types of devices only. Only certain devices are eligible for third party review. The FDA keeps a database of those devices here in one of their medical devices databases (http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfThirdParty/current.cfm).
The use of a third party review also does not bypass the FDA. The third party is only conducting the primary review of the 510(k) and then forwarding the submission, the review of the submission and the post review recomendation to the FDA. The FDA then has a 30 day timeline to issue a final determination of the submission.
How many 510(k) submissions use a third party review?
In 2016, I did an analysis of 510(k) submissions reviewed by the general and plastic surgery panel. I reviewed submissions that received clearance between January 1, 2015 and August 10, 2016. Of the 690 510(k) clearances that were issued by the panel, only nine (9) were submitted for third party review. Although third party reviewers were responsible for only 1.3% of the submissions I reviewed, there are other device classifications with higher percentages of reviews being conducted by third party reviewers. In fact, there were a total of 114 submissions that were issued 510(k) clearance through a third party review process during that period.
For this article, I reviewed the 3,023 510(k) clearances that were issued in the past 12 months (i.e., May 23, 2016 through May 23, 2017). Only 75 of the 510(k) submissions issued (2.5%) were submitted for third party review. Of these 75 submissions, the average review time by the FDA (after the third party review is completed) was 46 days. Since the average review time for the FDA of a traditional 510(k) is 183 days (based upon my data analysis from 2016), third party review can potentially reduce your 510(k) clearance timeline by months.
Why do only 2.5% of 510(k) submitters utilize a third party review?
Originally, my theory was that only a limited number product classification codes are eligible for third party review. The FDA is trying to expand the third party review program, but 44% of third party reviews are for the radiology panel. Another 13% were for the general hospital panel, and 13% more of the reviews were for the cardiovascular panel. Finally, less than 7% were reviewed for the dental panel. The remaining 17 submissions were reviewed for other panels. A closer look at the product classification codes shows that there are only a few product codes within these panels that are being reviewed by third parties.
I also had a second theory for why so few submitters are using third parties. As I reviewed the actual 510(k) summaries for these 75 submissions, I noticed there were only four (4) companies listed as third party reviewers in the last 12 months:
Center for Measurement Standards of Industrial in Taiwan = 1 submission
2018 Updated- FDA’s reporting of the first three quarters of 2018
Compared with the above information the first three quarter reportings for 2018 list a total of more third party reviewers. Currently in the quarterly reports from the FDA there are the following 3rd party reviewers:
AABB = 5 or less
Center for Measurement Standards of Industrial (CMSI) = 5 or less
New York State Department of Health (NYSDOH) = 5 or less
Nordic Institute of Dental Materials (NIOM) = 5 or less
As of Quarter Three there have been a total of 53 Third Party 510(k) Submissions Accepted. A majority of these completed by Regulatory Technology Services, LLC, and Third Party Review Group, LLC (TPRG). 36, and 13 respectively. All of the others have 5 or less but these numbers may increase once the fourth quarter report is released.
When should you chose a third party review instead of submitting directly to the FDA?
Always check the 510(k) database to see if third party reviewers were used for your product’s classification code. Ideally, a third party reviewer has been involved in a device that is in the same product classification and possibly that device would be a suitable predicate for you to select for your 510(k) submission. If your search yields no results, your device may not be eligible for a third party review. However, you can always contact one of the four third party reviewers listed above.
In general, the third party review process is an excellent way to shorten your 510(k) clearance timeline by months. The cost is significantly more than the FDA user fee. However, faster time to market is almost always worth the increased fee. Therefore, if a third party review is available I recommend taking advantage of this option.
Do you need help?
Medical Device Academy offers aregulatory pathway analysis service for $1,500. For those of you that are only interested in the US market, rather than including the EU and Canada, the cost for this service is only $750. Do you need help identifying the product classification for your device, determining the required performance testing and selecting a predicate device? We can do this for you in one week or less. Do you need an expedited review? We can also determine if your product is eligible for third party review and obtain a quote for you.
This article identifies the requirements for purchasing controls and supplier qualification procedures, as well as best practices for implementation.
Sourcing suppliers in the medical device industry is not as simple as going on the internet and finding your material and purchasing it. As part of a compliant quality management system, purchasing controls must be in place to ensure that quality product and materials are going into your device, and that any service providers that your company uses in the production of your product or within your quality management system are qualified.
ISO 13485 Requirements
In light of that, ISO 13485:2016, sections 7.4.1 Purchasing process, 7.4.2 Purchasing information, and section 7.4.3 Verification of purchased product outline the purchasing requirements. The following are requirements for the evaluation and selection of suppliers:
The organization must have established criteria for the evaluation and selection of suppliers.
The criteria need to evaluate the supplier’s ability to provide product that meet the requirements.
It needs to take into consideration the performance of the supplier.
It must consider the criticality and the effect that purchased product may have on the quality of the medical device.
The level of supplier assessment and monitoring should be proportionate to the level of risk associated with the medical device.
Maintaining Purchasing Controls
To start, in the most basic sense, purchasing controls involve procedures that ensure you are only purchasing from suppliers who can meet your specifications and requirements. The best way to keep track of your qualified suppliers is to maintain an Approved Supplier List (ASL). You should only purchase product or services that affect your product or quality management system from companies on the ASL (you would not necessarily need to qualify things like office supplies or legal assistance through purchasing controls).
When used effectively, the Approved Supplier List can be a great tool to manage the key facets of purchasing control, and keep track of supplier monitoring. Items that you can capture on the ASL include:
Scope of Approved Supplies
Status of Approval (Approved, Pending, Unapproved, etc.)
Supplier Certification and expiry dates
Date of Last Review
Date of Next Review
The first step in your purchasing procedure should involve checking to see if the supplier is under active approved status on the ASL. The second step will be to ensure that you are purchasing an item/service that is within the scope of approval of that supplier. If you have not approved the supplier, or the intended purchase is beyond the scope of that supplier, your purchaser will need to go through the necessary channels to add the supplier to the ASL, or modify their scope on the ASL.
Supplier Qualification Criteria
As required by the FDA, the level of supplier assessment should be proportionate to the level of risk associated with the medical device. The FDA is not prescriptive about the use of specific qualifications or assessments for different types of suppliers, so that is up to your company to determine. This is a somewhat grey area, but based on years working with companies and suppliers, as well as participating in FDA and ISO 13485 audits, there are some general expectations of vendor qualifications that we have observed and would recommend.
It is good practice to have a form or template that guides your supplier evaluation process. Using input from engineering and QA to first determine the level of risk and the requirements of that supplier, and then base your qualification plan on that information. If you have a higher risk supplier who may be supplying a critical component to your device, or providing a critical service such as sterilization, then your qualification process will be much more involved.
Here is an example of two different levels of criteria based on the type of supplier (the intent is not for the following items to be rules, and your company is responsible for determining the adequate acceptance criteria for suppliers, but this is a general example of what you may expect).
Critical Custom Component Supplier
ISO 13485 Certification
On-site audit of supplier’s facility
Provides Certificates of Analysis (CoA)
Written agreement that the supplier will communicate with the company regarding any changes that could affect their ability to meet requirements and specifications.
You validate a production sample and it meets requirements
Non-Critical Consumable Supplier
Product available that meets the needs of the company.
An associate has previously used by an associate who recommends the supplier.
Adequate customer service, returns allowed.
Additional Function of Supplier Evaluation Forms
The supplier evaluation form can also be used as the plan to assign responsibility and track completion and results during the initial evaluation, and can also include the plan for ongoing monitoring and control of the supplier. This evaluation form should be maintained as a quality record, and auditors will frequently ask to see supplier evaluations.
Are Supplier Audits Required as Purchasing Controls?
Also valuable, supplier audits may be included as part of an evaluation plan for a new supplier, the change of scope of a supplier, a routine audit as part of ongoing monitoring, or as part of a non-conformity investigation of a high-risk product. While it is not required by ISO 13485, nor does the FDA does specify in the CFR that you must audit suppliers, it is a very good idea to audit your critical suppliers. If an auditor or FDA inspector sees evidence that your current purchasing controls are inadequate, performing supplier audits may be forced as a corrective action.
Beyond that, you can gain so much value, and gather countless clues and important information in an audit that you just cannot get without paying your critical supplier a visit. You can see where they plan to/are making/cleaning/sterilizing/storing your product. Talk to the people on the line, are they competent and trained? Does the company maintain their facility well? How secure is it? Do they maintain adequate records and traceability? Have there been any non-conformities relating to your product that have been detected? Etc.
Supplier audits should also include evaluation of the procedures, activities, and records of the supplier that could have an impact on the product or service they are providing your company. If it is not the first audit of the company, you should be sure to review the previous audit report findings, and ensure the company has addressed any nonconformities, review supplier performance data, information about any changes that may have occurred at the supplier since your last visit, etc.
Record Maintenance and Ongoing Evaluation of Suppliers
No matter the method of supplier qualification, it is best practice to maintain supplier files that contain useful information relative to the supplier that may include:
The original supplier qualification form
Subsequent performance evaluations
Expanded scope qualifications
Current contact information
Copies of any non-conforming material reports related to the supplier, etc.
ISO 13485 requires monitoring and re-evaluation of suppliers, and maintaining detailed supplier files will assist in meeting this requirement, and will help in the feedback system to identify and recurring problems or issues with a supplier. On a planned basis, whether that is annually, or every order (dependent on the criticality of the product), your company should conduct a formal supplier evaluation to determine whether the supplier has continued to meet requirements – In general, annual supplier reviews are standard. Additionally, you must specific this frequency in your procedure (auditors will look for what period you specify in your procedure, and then will check your ASL to make sure all of your suppliers have been reviewed within that timeframe).
During the supplier evaluation, if you find there have been issues, you need to determine and weigh the risks associated with staying with that supplier, and document that in the supplier file. If you determine the supplier should no longer be qualified, then you must also indicate on the ASL that the company no longer approves of the supplier.
Making the Purchase
When you have verified your supplier is approved on the ASL, you are authorized to purchase product. Engineering is usually responsible for identifying the product specifications, requirements for product acceptance, and adequacy of specified purchasing requirements prior to communication to the supplier. The specifications may be in the form of drawings or written specifications. Additional information communicated to the supplier should also include, as applicable, an agreement between your company and the supplier that the supplier will notify you prior to the implementation of changes relating to the product that could affect its ability to meet specified purchasing requirements. When the first batch of product is received from a particular supplier, it is a good idea to verify that the product performs as intended before entering into production with a new material or component.
From time to time, you may encounter issues with a supplier. Sources of nonconformity include incoming inspections, production nonconformities, final inspection, or customer complaints. It is important that you notify your supplier the nonconformity and record their response and assessment. Depending on the level of criticality of the vendor, it is reasonable to require them to perform a root cause analysis to determine and alleviate the cause of failure. You should also request documentation of an effectiveness check to ensure the supplier has taken corrective actions. You should maintain copies of supplier nonconformity reports in the supplier file, and discuss nonconformities during ongoing supplier evaluations.
If the supplier does not cooperate or fails to address the nonconformity in an acceptable manner, or if there is a pattern of nonconformities with the vendor, then you should disqualify the supplier, and indicate that the supplier is “not approved” on the ASL.
Purchasing Controls Procedures You Might Need
Medical Device Academy developed a Supplier Qualification Procedure, Purchasing Procedure, and associated forms that will meet purchasing controls regulatory requirements for ISO 13485:2016 and 21 CFR 820.50. These procedures will help you ensure that goods and services purchased by your company meet your requirements and specifications. If you have any questions or would like help in developing a custom procedures or work instructions that meet your company’s unique needs, please feel free to email me, or schedule a call to discuss.
This article reviews four of the top reasons for why other companies feel requesting 510k pre-sub meetings is a waste of time, but you can’t afford to.
It only takes my team 8-10 hours to prepare a 510k pre-sub request. The FDA does not charge you a cent for requesting 510k pre-sub meetings, and a pre-sub should be part of every design plan. But most companies are resistant to requesting 510k pre-sub meetings. Here are the top 4 reasons why companies tell me they don’t need to request a meeting:
It’s too late for requesting 510k pre-sub meetings
If you are less than a week away from submitting a 510k, it is too late for requesting 510k pre-sub meetings. The FDA target for scheduling a 510k pre-sub meeting is 60-75 days from the date your request was submitted. That’s 10-11 weeks. Most companies tell me that they plan to submit a 510k within weeks or a couple of months, but most of the companies take several months and frequently there is a delay that requires 6 months or more. For example, what if your device fails EMC testing, and you have to change the design and retest for both EMC and electrical safety? At best you will have an 8-week delay. If you submit request next week, and everything goes as you plan, you can always withdraw your request for the pre-sub. If you encounter a delay for any reason, suddenly it’s not too late.
Our design is not finalized yet
I believe that waiting until your design is almost complete is the number one reason why companies wait too long to request 510k pre-sub meetings. If they wait too long, then the previous reason for not requesting a meeting takes over. The ideal time to submit a pre-sub request is 75 days before you approve your design outputs (i.e., design freeze). However, very few people are that precise in their design planning and execution. You should try to target sometime after you approve your design inputs, but before you approve your design outputs. As long as you submit an update to your pre-sub request 2 weeks before the meeting, the FDA will accept it. Also, you can always schedule a date that is later than 75 days if you realize you requested the meeting too early.
We don’t want to be bound by what the FDA says in the 510k pre-sub meeting
510k pre-sub meetings are “non-binding.” That means that the FDA can change their mind, but it also means you don’t have to do everything the FDA says in a 510k pre-sub meeting. If you don’t ask a question about testing requirements, that doesn’t mean that the FDA does not have any testing requirements. The FDA knows what previous companies have submitted for testing better than you do, and they may be in the process of evaluating a draft special controls guidance. If you ask questions, you will have better insights into what the FDA expects. Understanding FDA expectations helps you write better rationales for testing or test avoidance. You also might learn about deadlines for implementation of new testing requirements that you might be able to avoid. Finally, you can ask the FDA about possible testing options you are considering if your most optimistic testing plans are denied by the FDA.
There is already a guidance document for our device
Not all device classifications have a guidance document explaining what information should be submitted in a pre-market 510k submission. However, there almost one hundred Class II Special Controls Guidance Documents. Therefore, there is a good chance that the FDA published special controls as part of the regulation for your device or as a guidance document. As part of the special controls, the FDA defines what performance testing is required for your device. If you already know what testing is required, then the value in requesting 510k pre-sub meetings is diminished. But at least three other key benefits remain.
First, you can verify that the predicate you plan to use for comparative testing is not going to be a problem. Although, the FDA can’t tell you which predicate to pick, the FDA can tell you if there is a problem with the predicate you have selected. This is especially important if the product is not currently registered and listed, because you may not know if the device was withdrawn from the market after it was cleared.
Second, not all testing standards are prescriptive. Many tests, have testing options that require you to make a decision. Input from the FDA may be valuable in making choices between various performance testing options Sometimes you even forgo testing and provide a rationale instead. FDA feedback on any rationale for not doing testing is critical to prevent delays and requests for additional information later.
Third, there are many different FDA representatives that participate in 510k pre-sub meetings. The lead reviewer will invite specialists and the branch chief to the meeting. Each of these specialists can answer questions during a pre-submission meeting that they are not able to answer during the actual review process. You also have the opportunity to get feedback from the branch chief–who has insight from all the previous devices that were cleared with your product classification. Your lead reviewer is not likely to be as experienced as the branch chief, and may only have been working at the FDA for months. Your request for the 510k pre-sub meeting will help an inexperienced lead reviewer as much as it will help your company.
Learning More about 510k Pre-sub Meetings
On Thursday, February 22 there will be a free webinar offered on the topic of 510k pre-sub meetings. We had 50 people register for the webinar in the first day it was announced, and we have already answered more than a dozen related questions. If you are planning to submit a 510k this year, this webinar will show you exactly how to prepare your own request for a 510k pre-sub. You will even receive copies of all of our templates for free.