eSTAR draft guidance is here, and wicked eSubmitter is dead.

I hated the FDA eSubmitter template which was discontinued May 30, 2021. Finally we have eSTAR draft guidance for the new eSTAR template.

History of 510k electronic submissions

The FDA has experimented with a multitude of pilot 510k submission programs over the years to streamline and improve the 510k submission content, formatting, and to facilitate a faster review process. The Turbo 510k program was one of the first successful pilot programs. In 2012 I wrote one of my first blogs about how to improve the 510k process. In September 2018, the FDA launched the “Quality in 510k Review Program Pilot” for certain devices using the eSubmitter electronic submission template. The goal of this pilot program was to enable electronic submissions instead of requiring manufacturers to deliver USB flash drives to the FDA Document Control Center (DCC). I hated the eSubmitter template, and the FDA finally discontinued availability of the eSubmitter template on May 30, 2021. During the past 15 years, the FDA gradually streamlined the eCopy process too. Originally we had to submit one complete hardcopy, averaging 1,200 pages per submission, and one CD containing an electronic “eCopy.” Today, the current process involves a single USB flash drive and a 2-page printed cover letter, but today’s eCopy must still be shipped by mail or courier to the DCC.

eSTAR Pilot Program is Launched

During the 15-year evolution of the FDA eCopy, CDRH was trying to develop a reliable process for electronic submissions of a 510k. CBER, the biologics division of the FDA, has already eliminated eCopy submissions and now 100% of biologics submissions must be submitted through an electronic submissions gateway (ESG). In February 2020, CDRH launched a new and improved 510k template through the electronic Submission Template And Resource (eSTAR) Pilot Program. The eSTAR templates include benefits of the deceased eSubmitter template, but CDRH has incorporated additional benefits:

  • the templates use Adobe Acrobat Pro instead of a proprietary application requiring training;
  • support for images and messages with hyperlinks;
  • support for creation of Supplements and Amendments;
  • availability for use on mobile devices as a dynamic PDF;
  • ability to add comments to the PDF; and
  • the content and logic mirror checklists used by CDRH reviewers.

Medical Device Academy’s experience with the eSTAR Templates

Every time the FDA has released a new template for electronic submissions we have obtained a copy and tried populating the template with content from one of our 510k submissions. Unfortunately, all of the templates have been slower to populate than the Word document templates that our company uses every day. On May 16 we conducted an internal training for our team on the eSTAR submission templates, and we published that training as a YouTube Video (see embedded video below). Then nine days later the FDA released updates to the eSTAR templates (version 0.7). The new eSTAR templates are available for non-IVD and IVD products (ver 0.7 updated May 27, 2021).

Sharon Morrow submitted our first eSTAR template to the FDA in August, and we experienced no delays with the 510k submission during the initial uploading to the CDRH database, there was no RTA screening process, and CDRH did not identify any issues during their technical screening process. Sharon’s first eSTAR submission is now in interactive review, which is a better outcome than 95%+ of our 510k submissions. I have several other eSTAR submissions that are almost ready to submit as well. The other 510k consultants on our team are also working on their first eSTAR submissions.

Finally the CDRH releases an FDA eSTAR draft guidance

On September 29, 2021 the FDA released the new eSTAR draft Guidance for 510k submissions. This is a huge milestone because there have not been any draft guidance documents created for pilot programs. The draft indicates that the comment period will last 60 days (i.e. until November 28, 2021). However, the draft also states that the guidance will not be finalized until a date for requiring electronic submissions (i.e. submission via an ESG) is identified. The draft indicates that this will be no later than September 30, 2022. Once the guidance is finalized, there will be a transition period of at least one year where companies may submit via an ESG or by physical delivery to the FDA DCC.

Are there any new format or content requirements in the FDA eSTAR draft guidance?

There are no new format or content requirements in the eSTAR draft guidance, but the eSTAR template itself has several text boxes that must be filled in with summary information that is not specified in the guidance for format and content of a 510k. The information requested for the text boxes is a brief summary of non-confidential information contained in the attachments of the submission. Therefore, these boxes can contain information that would normally be in the overview summary documents that are typically included at the beginning of each section of a 510k. If your overview documents do not already have this information, then you may have some additional work to do in order to complete the eSTAR templates. An example of one of these text boxes is provided below:

[Image: Summary of electrical, mechanical, and thermal testing]

Another example of additional content required by the eSTAR templates is references to page numbers. Normally the FDA reviewer has to search the submission for information that is required in their regulatory review checklist. In the new templates the submitter is now asked to enter the page numbers of each attachment where specific information can be found. The following is an example of this type of request for a symbols glossary:

[Image: Reference to symbols glossary in labeling]

Are there any changes to the review timelines for a 510k in the eSTAR draft guidance?

The eSTAR draft guidance indicates that a technical screening will be completed in 15 calendar days instead of conducting an RTA screening. I believe that the technical screening is less challenging than the RTA screening, but the FDA has not released a draft of the technical screening criteria or a draft checklist. I would imagine that the intent was to streamline the process and reduce the workload of reviewers performing a technical screening, but we only have guesses regarding the substance of the technical review and so far our performance is 100% passing (i.e. 1 of 1). The next step in the 510k review process is a substantive review. Timelines for the substantive review are not even mentioned in the new draft guidance, but the FDA usually has the review clock details in Table 1 (MDUFA III performance goals) and Table 2 (MDUFA IV performance goals) of the FDA guidance specific to “Effect on FDA Review Clock and Goals.” In both tables, the goal is 60 calendar days, and our first eSTAR submission completed the substantive review in 60 days successfully. The 180-day deadline for responding to an additional information (AI) request has not changed in the eSTAR draft guidance, but our first submission is now in interactive review. I believe this suggests that companies may have a higher likelihood of having an interactive review with their CDRH lead reviewer instead of being placed upon AI Hold, but we won’t have enough submissions reviewed by the FDA to be sure until the end of Q1 2022.

Register for our new webinar on the FDA eSTAR draft guidance

We hosted a live webinar on Thursday, October 21, 2021 @ Noon EDT. The webinar was approximately 37 minutes in duration. In this webinar we shared the lessons learned from our initial work with the eSTAR template. Anyone that registers for our webinar will also receive a copy of our table of contents template that we updated for use with the eSTAR templates. Unlike a 510k eCopy, an eSTAR template does not require a table of contents but we still use a table of contents to communicate the status of the 510(k) project with our clients. Finally, we reviewed the eSTAR draft guidance in detail. If you would like to receive our new eSTAR table of content template and an invitation to our live webinar, please complete the registration form below.

About the Author

Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies, including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of his job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn, or Twitter.

Posted in: 510(k), eSTAR

Software Service Provider Qualification and Management

What is your company’s approach to qualifying a software service provider and managing software-as-a-service (SaaS) for cybersecurity?

The need for qualifying and managing your software service provider

Most of the productivity gains of the past decade are related to the integration of software tools into our business processes. In the past, software licenses were a small part of corporate budgets and the most critical software tools helped to manage material requirements planning (MRP) functions and customer relationship management (CRM). Today, there are software applications to automate every business process. Failure of a single software service provider, also known as “Software-as-a-Service” or “SaaS,” can paralyze your entire business. In the past, business continuity plans focused on labor, power, inventory, records, and logistics. Today our business continuity plans also need to expand to include software service providers, internet bandwidth, websites, email, and cybersecurity. This new paradigm is not specific to the medical device industry. The medical device industry has become more dependent upon its supply chain due to the ubiquity of outsourcing, and what happens to other industries will eventually filter its way into this little collective niche we share. With that in mind, how do we qualify and manage a software service provider?

Threats to software service providers (Kaseya Case Study)

Two years ago the WannaCry ransomware attack affected 200,000 computers, 150 countries, and more than 80 hospitals.

Kaseya isn’t a hospital. Kaseya is a software service provider company. So why is this example relevant to the medical device industry?

The ransomware attack on Kaseya was severe enough that both CISA and the FBI got involved, and it compromised some Managed Service Providers (MSPs) and downstream customers. This supply chain ransomware attack even has its own Wikipedia page. The attack prompted Kaseya to shut down servers temporarily. None of this is a critique of Kaseya or their actions. They were merely the latest high-profile victim of a cyberattack in the news. Now cybercriminals are attacking your supply chain. We want to emphasize the concepts and considerations of this type of attack as it pertains to your business.

What supplier controls do you require for a software service provider?

If you are a manufacturer selling a medical device under the jurisdiction of the U.S. FDA, you need to comply with 21 CFR 820.50 (i.e. purchasing controls). The FDA requires an established and maintained procedure to control how you are ensuring what your company buys meets the specified requirements of what you need. Many device manufacturers only consider suppliers that are making physical components, but a software service provider may be critical to your device if your device includes software or interacts with a software accessory. A software service provider may also be involved with quality system software, clinical data management, or your medical device files. Do you purchase software-as-a-service or rely upon an MSP for cloud storage?

You need to determine if your software service provider is involved in document review or approval, controlling quality records, Protected Health Information (PHI), or electronic signature requirements. You don’t need a supplier quality agreement for all of the off-the-shelf items your company purchases. For example, it would be silly to have Sharpie sign a supplier quality agreement because you occasionally purchase a package of highlighters. On the other hand, if you are relying upon Docusign to manage 100% of your signed quality records, you need to know when Docusign updates its software or has a security breach. You should also be validating Docusign as a software tool, and there should be a back-up of your information.

21 CFR 820.50 requires that you document supplier evaluations to meet specified and quality requirements per your “established and maintained” procedure. The specified requirements for this supplier might include the following:

  • How much data storage do you need?
  • How many user accounts do you need?
  • Do you need unique electronic IDs for each user?
  • Do you need tech support for the software service?
  • Is the software accessed with an internet browser, or is the software application-based, or both?
  • How much does this software service cost?
  • Is the license a one-time purchase? Or is it a subscription?

The quality requirements for a supplier like this may look more like these questions:

  • How is my information backed up?
  • Can I restore previous file revisions in the case of corruption?
  • How can I control access to my information?
  • Can I sign electronic documents? If yes, is it 21 CFR Part 11 compliant?
  • Does this supplier have downstream access to my information? (can the supplier’s suppliers see my stuff?)
  • Do I manage PHI? If so, can this system be made HIPAA compliant? What about HITECH?
  • What cybersecurity practices does this supplier utilize?
  • How are routine patches and updates communicated to me?

A risk-based approach to supplier quality management

ISO 13485:2016 requires that you apply a risk-based approach to all processes, including supplier quality management. A risk-based approach should be applied to suppliers providing both goods and services. For example, you may order shipping boxes and contract sterilization services. Both companies are suppliers, but in this example the services provided by the contract sterilizer are associated with a much higher risk than the shipping box supplier. Therefore, it makes sense that you would need to exercise greater control over the sterilizer. A software service provider is much like a contract sterilizer. SaaS is not tangible but the service provided may have a high level of risk and potential impact on your quality management system. Therefore, you need to determine the risk associated with SaaS before you can evaluate, control, and monitor a software service supplier.

First you need to document the qualification of a new supplier. It would be nice if your cloud service provider had a valid ISO 13485:2016 certification. You would then have an objectively demonstrable record of their process controls and know that they are routinely audited to maintain that certification. They would also understand and expect to undergo 2nd party supplier audits because they operate in the medical device industry. Alternatively, a software service provider may have an ISO 9001:2015 certification. This is a general quality system certification that may be applied to all products or services. In the absence of quality system certification, you can audit a potential supplier. For some suppliers, this makes sense. However, many companies that are outside of the medical device industry do not even have a quality system because it is not required or typical of their industry. For the ones that do, though, you can likely leverage their existing certifications and accreditations.

Cybersecurity standards you should know

Most cloud service providers will not have ISO 13485 certification, because it is a quality management standard specific to the medical device industry. However, you might look for some combination of the following ISO standards that may be relevant to a software service provider:

  • ISO/IEC 27001 Information Technology – Security Techniques – Information Security Management Systems – Requirements
  • ISO/IEC 27002:2013 Information Technology. Security Techniques. Code Of Practice For Information Security Controls
  • ISO/IEC 27017:2015 Information Technology. Security Techniques. Code Of Practice For Information Security Controls Based On ISO/IEC 27002 For Cloud Services
  • ISO/IEC 27018:2019 Information Technology – Security Techniques – Code Of Practice For Protection Of Personally Identifiable Information (PII) In Public Clouds Acting As PII Processors
  • ISO 22301:2019 Security And Resilience – Business Continuity Management Systems – Requirements
  • ISO/IEC 27701:2019 Security Techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002 For Privacy Information Management. Requirements And Guidelines

Does your software service provider have SOC reports?

The acronym “SOC” stands for Service Organization Control, and these reports were established by the American Institute of Certified Public Accountants. SOC reports describe the internal controls that an organization utilizes, and each report is for a specific subject. SOC reports apply to varying degrees for SaaS and MSP suppliers.

The SOC 1 Report focuses on Internal Controls over Financial Reporting. Depending on what information you need to store on the cloud, this report could be more applicable to the continuity of your overall business than specifically to your quality management system.

The SOC 2 Report addresses what level of controls an organization places on the five Trust Service Criteria: 1) Security, 2) Availability, 3) Processing Integrity, 4) Confidentiality, and 5) Privacy. As a medical device manufacturer, these areas would touch on control of documents, control of records, and process validation, among other areas of your quality system. Some suppliers may not share a SOC 2 report with you, because of the amount of confidential detail provided in the report.

The SOC 3 Report will contain much of the same information that the SOC 2 Report contains. They both address the five Trust Service Criteria. The difference is the intended audiences of the reports. The SOC 3 is a general use report expected to be shared with others or publicly available. Therefore, it doesn’t go into the same intimate level of detail as the SOC 2 report. Specifically, information regarding what controls a system utilizes is very brief if identified at all compared to the description and itemized list of controls in the SOC 2 Report.

Other ways to qualify and manage your software service provider

SOC reports will help paint a picture of the organization you are trying to qualify. You will also need to evaluate the supplier on an on-going basis. It is essential to know if the supplier is subject to routine audits and inspections to maintain applicable certifications and accreditations. For example, if their ISO certificate lasts for three years, you should know that you should follow up with your supplier for their new certificate at least every three years. On the other hand, if they lose certification, it may signify that the supplier can’t meet your needs any longer and you should find a new supplier.

There is a long list of standards, certifications, accreditations, attestations, and registries that you can use to help qualify a SaaS or MSP supplier. One such registry is maintained by Cloud Security Alliance (i.e. the CSA STAR registry). “STAR” is an acronym standing for Security, Trust, Assurance, and Risk. CSA describes the STAR registry in their own words as:

“STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM) and CAIQ. Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.”

Some of the questions your supplier qualification process should be asking about your SaaS and MSP suppliers include:

  • Why do I need this software service?
  • Which standards, regulations, or process controls need to be met?
  • What is required for qualifying a supplier providing SaaS or an MSP?
  • How will you monitor a software service provider?

ISO certification, SOC reports, and the CSA STAR registry are supplier evaluation tools you can use for supplier qualification and monitoring. When you use these tools, make sure that you ask open-ended questions instead of closed-ended questions. Our webinar on supplier qualification provides several examples of how to convert your “antique” yes/no questions into value-added questions.

Your software service provider should be able to provide records and metrics demonstrating effectiveness of their cybersecurity plans. Below are three examples of other types of records you might request:

  • Cloud Computing Compliance Controls Catalogue or “C5 Attestation Report”
  • System Security Plan for Controlled Unclassified Information in accordance with NIST publication SP 800-171
  • Privacy Shield Certification to EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield

The Privacy Shield certification may be especially important for companies with CE Marked devices in order to comply with the European Union’s General Data Protection Regulation (GDPR) or Regulation 2016/679.

A final consideration for supplier qualification is, “Who are the upstream suppliers?” It is essential to know if your new supplier or their suppliers will have access to Protected Health Information (PHI). Since you have less control of your supplier’s subcontractors, you may need to evaluate how your supplier manages their supply chain and which general cybersecurity practices your supplier’s subcontractors adhere to.

Additional cybersecurity, software validation, and supplier quality resources

For more resources on cybersecurity, software validation, and supplier quality management please check out the following resources:

[Image: Learn how to quickly perfect your 510k cybersecurity documentation]

Posted in: Cybersecurity, Software Verification and Validation, Supplier Quality Management

How can you encourage more customer feedback and exciting engagement?

We desperately need to find a way to get more customer feedback and suggestions for product improvement, but what is the best way to do that?

Surveys rarely have a high response rate, but we need to gather customer feedback. Therefore, we created this blog posting as a living document of how we are trying to gather customer feedback. Specifically, we are looking for more customer feedback and better engagement with us. We don’t just want YouTube subscribers to like our videos, we want you to share our videos with other people in your company so they can learn about quality and regulatory too. We don’t just want you to register for a free webinar and watch the recording when you get a chance. We want you to add a question when you register and please interrupt us during our live webinars to clarify anything you don’t understand. Finally, we want you to give us suggestions for improving our procedures, writing new blogs, and recording new training webinars and videos. Tell us what you want.

Using the headline analyzer to attract more customer feedback

We have a page on our website for a “suggestion box” where we are asking people to provide suggestions for new and improved procedures, blogs, webinars, and videos. But the last time someone filled in the form on that page was October 16, 2019. We desperately need to find a way to get more engagement from you in the form of suggestions. The first approach to gathering feedback is to send out an email notification to our current 1,057 blog subscribers by posting this blog. To improve our chances for you to open an email about this blog, we optimized the headline using the CoSchedule Headline Analyzer. The first version of the headline scored a 75, while 70 is the minimum threshold for a worthy title. Our second attempt included the emotional word “exciting” and the new result scored an 83 (see below). Normally it requires 20+ tries before we achieve a headline score higher than 80, but today was a good day. We decided to stop at 83 and focus on other elements of this posting.

  1. How can you encourage more customer feedback? (75)
  2. How can you encourage more customer feedback and exciting engagement? (83)

[Image: Screen capture of headline analyzer]

A picture says 1,000 words

A great thumbnail or featured picture often helps improve click-through rates for video, but pictures also communicate more information than words alone. Pictures can communicate the temperature, directions, speed you are moving, and even emotions. Ideally, a combination of a picture with a short caption does the most. The layout of your picture matters too. For example, the featured image above originally had just 6 images grouped together. To communicate that we were trying to decide which icon best communicated the concept of a suggestion box, we separated each icon image with a blue border. To help people identify the different images, we used letters under each icon image. We could have used numbers, but then people might have replied with phrases like “#2 was my 1st choice,” instead of “B was my 1st choice.” To make it clear that the far right icon image was our current icon, we used the word “current” instead of a letter. Finally, we used a bright yellow text box at the top of the featured image to communicate instructions for polling of the various icon images.

In the end, we didn’t feel that the suggestion box icons were very attractive. In fact, icons in general are boring. Therefore, we hired an artist to create some concept sketches for other ideas that would communicate “please take the opportunity to give us your suggestion.” The three concepts we liked most were a wishing well, a coffee filter, and an open door with a suggestion doormat that opens into space. We selected the door as our favorite and added some details to create the final image you see now on our webpage. Specifically, we wanted the doormat to appear more three-dimensional, we wanted to incorporate Medical Device Academy’s logo, and we wanted a better focal point in the space beyond the door. Therefore, the artist created three different versions of a moon (crescent, partial, and full). The partial moon was our final choice.

A video is 1,000+ pictures

Full-frame video typically ranges from 24-60 frames per second (FPS). Therefore, there are at least 1,000 pictures in 42 seconds of video. Therefore, the five-and-a-half-minute video below is giving you much more information than you read above in a lot less time. The video walks you through the evolution of our suggestion box (all 24 versions). This is why we recommend recording a training video to every single medical device company we work with. This is also why our website has steadily been increasing the number of videos we produce and publish on our YouTube channel.

A call to action increases customer feedback and engagement

Gathering customer feedback requires just as much marketing as selling a medical device. Typically, near the end of your presentation you will include a call to action. The call to action is intended to persuade customers to take immediate action. The call to action will create a sense of urgency. Sometimes a series of small calls to action will precede a final larger call to action. In our case, we are just trying to get suggestions from you regarding what quality and regulatory training materials we should develop next. We are asking you for advice on what our customers want to learn. In return we will develop the training materials you want. The better your questions are, the better our training materials will become. This strategy of offering valuable information to customers develops trust, and this has been our company’s primary marketing strategy since the beginning.

[Image: Button Art 1]

Click on the button above.

Try using a call-to-action button

If you want more engagement, you need to increase your click-through rate (CTR) first. Campaign Monitor conducted a test to determine which call-to-action performs best. They found a call-to-action button helped increase the CTR by 28%. We took this concept one step further: we used the headline analyzer tool to optimize the wording of the call-to-action button. The wording we used in the call-to-action button above scored an 86, while “click here” scored a dismal 28 and “click the button” only scored 31. We are also trying a contrarian approach to the design of the button. Instead of using bright colors that modern advertisers have trained us to ignore, we used a light grey background with Palatino Linotype font to optimize readability. We also used a small caption to make sure your subconscious knows what to do.

Posted in: Customer Feedback

How much does a 510k cost?

How much does a 510k cost is the most common question I receive from customers, and there are three parts to the cost of a 510k.

If you want to save $9,559 on your 510k cost of submission to the FDA, you need to listen to ALL of this video and follow every single step in the process. Most of our clients forget one of the steps and end up paying full price for their 510k.

There are three parts to the 510k cost of submission:

  1. Testing
  2. Submission Preparation
  3. FDA User Fees

Highest cost is testing

The testing cost is the biggest cost, but I think the average is around $100K for our clients. The more you can do in-house, the lower the testing costs will be. Biocompatibility testing for a non-invasive device might be only $13,000, but a long-term implant can cost as much as $100,000 for the implantation studies. Sterilization validation testing depends upon the method of sterilization and whether you are doing a single-lot method or a full validation. Typical costs for EO sterilization validation are around $15,000, and then you should add several thousand more for the shelf-life testing.

For devices that are powered and/or have software, you will need to perform software validation in accordance with IEC 62304 ed 1.1 (2015). There are also five FDA guidance documents that apply:

  1. General Principles of Software Validation; Final Guidance for Industry and FDA Staff (January 2002)
  2. Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices (May 2005)
  3. Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices (September 2019)
  4. Guidance for Industry and Food and Drug Administration Staff Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (October 2014)
  5. Guidance for Industry, FDA Reviewers and Compliance on Postmarket Management of Cybersecurity in Medical Devices (December 2016)

You can do all of the software validation in-house, but some firms choose to outsource the validation of software. In the long-term you need to learn this, and it pays to hire an expert in IEC 62304 to help your team learn how to document software validation if you have not done this before. Typically, software validation documentation will be between 300 and 1,000 pages in length.

Electrical safety and EMC testing are often the most expensive part of the testing process for our customers. EMC testing should always be done first to make sure that you can pass the immunity and emissions testing. If you have to modify the device to pass the EMC testing, then you will need to repeat any electrical safety testing. The total cost of this testing is typically $50-60K.

Performance testing is the last part of the testing process. Performance testing should be performed on sterile and aged products if your product requires sterility and you are claiming a shelf-life. Most of the testing is benchtop testing only to demonstrate performance. This includes simulated use testing (e.g. summative usability testing), cadaver testing, and computer modeling. Benchtop performance testing is typically tens of thousands of dollars to complete, but you might be able to do the testing in-house. If animal testing is required, this typically costs around $100K. Finally, if a human clinical study is required (i.e. ~10% of 510k submissions), then you should expect to spend between $250K and $2.5 million. Some simple clinical studies (e.g. IR thermometers) cost less than $100K, but these resemble benchtop performance testing in many ways.

Second highest cost is the cost of submission preparation

Medical Device Academy has two different options for preparation consulting fees. Your first option is hourly consulting fees. The second option is a flat fee. In August 2021, we are charging $3,500 for pre-submission preparation and $13,100 for 510(k) submission preparation. Therefore, the total cost is $16,600 if you need to request a pre-submission meeting.

510k cost #3 is the cost of the FDA user fee

You have three options for your FDA user fees. The first option is to avoid the FDA altogether and submit to a third-party reviewer. We only recommend one third-party reviewer, because the other companies do not have sufficient experience to have predictable review times and positive outcomes. The quote we received recently was $13,600. If you submit directly to the FDA, the standard user fee is $12,745. If you apply for small business status, and the FDA grants you that status for the fiscal year you are submitting, then the user fee is $3,186.


Reduce 510k cost by applying for small business status

Every medical device company that has revenues of less than $100 million annually can apply, but you must apply each year. There is no application fee, but you need to complete FDA Form 3602 if you are a US firm. The form must be completed for each subsidiary too. FDA Form 3602A must be completed for foreign firms, and the national tax authority must verify the accuracy of your income statement on the form in order to submit to the FDA. If your national tax authority refuses to sign the form you can provide a justification, but I don’t know anyone that has successfully done this yet. The qualification review by the FDA requires 60 days. Therefore, you should apply every year in August for the next fiscal year (October 1, 2021 – September 30, 2022 is FY 2022). The form will request that you include your Organization ID #. A Dun & Bradstreet Number (DUNS #) is also required if your firm is located outside the USA. Finally, you need to attach a copy of your tax return. Therefore, you must file your tax return–even if your firm had a loss or had no revenues. You can also take advantage of R&D tax credits in the USA or Canada if you are a start-up device company developing a new device.

About the Author


Rob Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of his job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.


Does your FDA inspection plan need to be proactive first?


Maybe you need an FDA inspection plan. Does everyone in your company know what they need to do when FDA inspectors arrive at your facility?

Be proactive and don’t just let FDA inspections happen. You need to have an FDA inspection plan, and that plan needs to cover the roles and responsibilities for everyone. Below we have a list of 15 items that are in our FDA inspection work instruction (WI-009). If you already have a plan, try using the following checklist to assess your readiness for the next inspection:

  1. What will you ask and do when your FDA inspector calls the Friday before the inspection?
  2. Who should be contacted by the FDA inspector if you are on vacation?
  3. How will you communicate to the rest of your company that an FDA inspection is planned for Monday morning?
  4. Who will greet the FDA inspector upon arrival, and what should they do?
  5. Which conference room will the FDA inspector spend most of their time in?
  6. Who will be in the conference room with you and the FDA inspector?
  7. How will you track document and records requests, and how will you communicate that information to others?
  8. How will you retrieve documents and records requested by the FDA inspector?
  9. Who will conduct a tour of the facility with the FDA inspector and how will the tour be managed?
  10. When quality issues are identified, how will you respond?
  11. What will you do for lunches during the inspection?
  12. Who will attend the closing meeting with the FDA inspector?
  13. Should you “promise to correct” 483 inspection observations identified by the FDA?
  14. How and when will you respond to the inspector with corrective action plans?
  15. If your company is outside of the USA, what should you do differently to prepare?

What will you ask and do when your FDA inspector calls the Friday before the inspection?

Most people begin their FDA inspection plan with the arrival of the inspector. However, you should consider including earlier events in your plan, such as closure of previous 483 inspection observations, scheduling of mock-FDA inspections in your annual audit schedule, and details of how to interact with the inspector when they contact you just before an inspection. Most inspections will be conducted by a single inspector, but occasionally inspectors will be training another inspector. In this situation you can count on them following the QSIT manual more carefully, and you are more likely to receive an FDA 483 inspection observation. In the worst-case scenario, the lead inspector will split up from the trainee, and they will “tag-team” your company. This is not proper FDA procedure, but you should be prepared for that possibility. Therefore, make sure you ask the inspector if they are going to be alone or with another inspector when you speak with them on the phone. You should also get their name and phone number. You may even want to consider reviewing FDAZilla Store for details about your FDA inspector’s past inspection 483s and warning letters. Immediately after the call with the inspector, you should reserve a conference room(s) for the inspection and cancel your other meetings for the week. You should also verify that the person that contacted you is really from the FDA. You can do this by looking up their contact information on the Health and Human Services Directory. Your inspector should have a phone number and email you can verify on that directory.

Who should be contacted by the FDA inspector if you are on vacation?

You should always have a back-up designated for speaking with FDA inspectors, handling MDR reporting, and initiating recalls when you are on vacation. These are critical tasks that require timely actions. You can’t expect inspectors, MDRs, or recalls to wait for you to get back in the office. It doesn’t matter what the reason is. Weddings, funerals, and ski trips should not be rescheduled. You need a back-up, and often that person is the CEO or President of your company. Make sure you have strong systems in place (i.e. an FDA inspection plan, an MDR procedure, and a recall procedure). Whoever is your back-up needs to be trained and ready for action. This is also the purpose of conducting a mock-FDA inspection, including examples of MDRs in your medical device reporting procedure, and conducting mock recalls. This ensures you and your back-up are trained effectively.

How will you communicate to the rest of your company that an FDA inspection is planned for Monday morning?

Most companies have an emergency call list as part of their business continuity planning, and after the past 18 months of living with a Covid-19 pandemic your firm should certainly have a business continuity plan. Your FDA inspection plan should leverage that process. Contact the same people and notify them of when the FDA inspector is coming. If you are unable to find a conference room available for the inspection (see below), then ask the manager(s) that reserved the designated room for FDA inspections to relocate to another conference room for the week. Make sure you tell them who the inspector will be, and you might even be able to provide a photo of the inspector (try searching LinkedIn). Make sure that you remind everyone to smile, and to listen carefully to the question asked. Everyone should be trained to answer only the questions asked, and nobody should run and hide. There should also be no need to stop your operations just because an inspector is visiting. You might even include the name of the inspector on a “Welcome Board” if your company has one at the entryway or in public areas. The more an FDA inspection appears as “routine” the better your outcome will be.

Who will greet the FDA inspector upon arrival, and what should they do?

By the time an FDA inspector(s) actually arrives at your company, all of the managers in your company should already have been notified of the inspection and a conference room should be reserved for the inspection. Therefore, when the person that is greeting people in the lobby comes to work on Monday morning, you (or their supervisor) need to communicate with them and make sure that they are prepared for arrival. There are four things that should be communicated:

  1. the name of the inspector(s) that are arriving
  2. the list of managers that should be notified when the inspector(s) arrives (possibly identical to the business continuity call list)
  3. the conference room that is reserved for the inspection

If the person greeting the inspector(s) is also going to escort them to the conference room and help them get set-up, then they will need additional instructions. If escorting inspectors to the conference room and helping them get set-up is delegated to a different person, then the following considerations should be included in that person’s instructions:

  1. the location of bathrooms and emergency exit instructions in case of a fire
  2. the information for wireless connectivity
  3. recommendations for seating in the conference room based upon the expected participants (see below)

It is important that an escort for the inspectors is able to bring the inspector(s) to the conference room as quickly as possible. They should not be expected to wait more than a few minutes for an escort.

Does your FDA inspection plan identify a specific room for the inspector? Is there a back-up?

Some companies have a specific room that is designated for inspections and 3rd party certification audits. If your company can do that, it will be very helpful because it reduces the decision making that is required immediately prior to the inspection. Having a specific room for the inspection also eliminates the need to tell everyone else in the company where the inspector will be. Instead the location of the inspection can be in the work instruction or written FDA inspection plan. You shouldn’t need a back-up plan if there is a specific room designated for an FDA inspection, but our firm has a client that will be hosting three notified body auditors simultaneously for three days. In that situation, you might need more than one room.

Does your FDA inspection plan have assigned seating?

You might think that it really doesn’t matter where people sit in a conference room, but you will probably want to consider the layout of charging cords and the flow of interviewees requested by the inspector. In your conference room, you will need room for at least the following people:

  1. the inspector(s)
  2. the management representative (i.e. you)
  3. a scribe
  4. an interviewee

If there is an inspector and a trainee, you will probably want to seat them together to facilitate them working together. You as the Management Representative also need to be in the room, and it may help for you to sit next to the scribe to facilitate communication between you and to make it easier for them to hand you documents after the scribe logs the documents into their notes. The scribe should probably sit closest to the door, because they will be receiving documents, logs, and records that are brought to the room. You will also need one more seat next to you, and probably across from the inspector(s), for interviewees. This person will rotate as different processes are reviewed. I also recommend having a location in the middle of the table for an “in box” where documents, logs, and records for the inspector are placed after being logged in. A second location in the middle of the table can be used for a “discard pile” as you finish using your copy of each document, log, and record. You may refer back to these copies later. The “discard pile” should be 100% copies rather than originals. Originals should never be brought into the room with the inspector.

Who is the scribe in your FDA inspection plan?

The perfect scribe would know the quality system well and they would have the typing skills of a professional stenographer. You might have someone that is an executive assistant in your company or a paralegal that could do this job, but you might also have a document control specialist that fits this requirement. Some companies will even hire a temp for the duration of the inspection that has this type of skill, but a temp is unlikely to know the jargon and quality system requirements well. I have taken on the role of scribe many times for my clients, because I type fast and know their quality system. I also don’t want to interfere with the inspection process. As scribe I can answer questions and offer suggestions when appropriate, but most of my time is spent taking notes and communicating by instant messenger with company members that are outside of the inspection room.

You should seriously consider using an application such as Slack as a tool for communication during the inspection. Then anyone in your company that needs to know the status of the inspection can be provided access to the Slack channel for the inspection. This can also act as your record of requests from the inspector. It’s even possible for people on the Slack channel to share pictures of documents to confirm that they have identified the document being requested. You could even invite someone to speak remotely with the inspector via Slack with Zoom integration. All the scribe needs to do is share the Zoom app with a larger display in the same conference room so the inspector can see it too.

Does your FDA inspection plan include provisions for document and record retrieval?

The most important part of document and record retrieval during an FDA inspection is to remember that inspectors should never receive the original document. Ideally, a copier would be located immediately outside of the conference room and three copies would be made of every document before it enters the inspection room. The originals can be stored next to the copier until someone has time to return them to the proper storage location. The three copies should all be stamped “uncontrolled documents” to differentiate them from the originals. When the three copies are brought into the room, they should be handed to the scribe. The scribe should log the time the copies were delivered in the Slack channel. Then the copies should be handed to you, the Management Representative. You should skim the document to make sure that the correct document was received. Then one copy would be given to the inspector and another copy would be made available to the interviewee. If only two copies are needed, the extra copy can be placed in the “discard pile.” Even if your system is 100% electronic, I recommend printing copies for the inspection. The paper copies are easier for inspectors to review, and it eliminates the ability for the inspector to hunt around your electronic document system. In this situation, the scribe may do all of the printing.

Does your FDA inspection plan indicate who will conduct a tour of the facility with the FDA inspector and how will the tour be managed?

I’m surprised by the number of companies that don’t seem to have a map of their facility. Medical device manufacturing facilities should have two kinds of facility maps. One should identify where pest control monitoring stations are located, and the second should indicate your evacuation route to exit the building. All guests should be shown the evacuation route map, probably within the first 30 minutes of arrival. The second map will be requested by the inspector eventually if you conduct manufacturing at your facility. Therefore, it would be helpful to use one or both of these facility maps as a starting point for creating a map of the route that inspectors should be taken on during a tour. I prefer to start with where raw materials enter the facility, and then I follow the process flow of material until we reach finished goods storage and shipping. If you can do this without back-tracking multiple times, then that will probably be the preferred route. The purpose of planning the route out in advance is to help estimate how long the tour will take, and to make sure there is consistency. If someone starts the tour, and then another person takes over the tour, the new person should be aware of what the next location is and what areas have not been observed yet. There may also be safety reasons for avoiding certain areas during a tour and asking the inspector to observe those areas from a distance. Welding processes, for example, often fall into this safety category.

When quality issues (i.e. FDA 483 inspection observations) are identified, is this covered by your FDA inspection plan?

Third party certification body auditors will typically make you aware of nonconformities as they are identified, but FDA inspectors often will hold off on identifying 483 inspection observations until the end of the inspection in a closing meeting. However, you can typically identify several areas that may result in a 483 inspection observation during the inspection. You and the manager of that area may want to consider initiating a draft CAPA plan for each of these quality issues before the closing meeting. This would give you an opportunity to demonstrate making immediate corrections and you might be able to get feedback from the inspector on your root cause analysis and corrective action plan before the closing meeting. Sometimes this will result in an inspector identifying low-risk quality issues verbally instead of writing them out on FDA Form 483. I find the best way to make sure CAPA plans are initiated early is to have a debrief each day after the inspector leaves. All of the managers involved in the inspection should participate, and the debrief can be done virtually or in person. Virtually may be necessary, because often managers need to leave work before the inspector ends for the day. You should consider including this in your FDA inspection plan as well.

Does your FDA inspection plan include plans for daily lunches?

If your facility is located outside the USA, skip this paragraph and go to the section below about companies located outside the USA. If your company is located inside the USA, you can be certain that the FDA inspector will not eat lunch at your facility. They will leave for lunch on their own, and then they will return after lunch. Therefore, you may not have control of the timing of a lunch break but you will have time to take one. Most managers use the lunch break as a time to catch-up on emails. However, I think it makes more sense to change your email settings to “out of office.” You can indicate that you are hosting an audit and you will answer questions as a batch that evening or the next morning. You might use the lunch break to take a walk and relax, you might have a short debrief meeting with other managers, and you might spend some time preparing documents, logs, and records that the inspector may have requested before they left. Most inspectors use this strategy of asking for a list of documents and records in advance. This is also a good strategy to learn as an internal auditor or supplier auditor. If you have a back-room team that is supporting you, don’t make them wait for a break. Have someone in your company take their lunch orders or arrange for a catered buffet lunch. This will keep your support team happy, and you should definitely remember to include lunch for the team and changing your email settings to “out of office” in your FDA inspection plan.

Does your FDA inspection plan state who will attend the closing meeting?

Most companies have every manager that was in the opening meeting attend the closing meeting. This is ok, but it is important for anyone that might need to initiate a CAPA to be present in the meeting so that they can ask the inspector for clarification if needed. Scheduling a closing meeting should be part of your FDA inspection plan. However, the past 18 months of the Covid-19 pandemic have taught us that we can attend this type of meeting remotely via Zoom. Therefore, we recommend letting the managers go home early if they are no longer needed as auditees. Instead, ask them to call in for a Zoom meeting at the time the FDA inspector estimates for review of the 483 inspection observations with the company.

Should you “promise to correct” 483 inspection observations identified by the FDA?

During the closing meeting the FDA inspector will review 483 inspection observations with you and any of the other managers present at the closing meeting. The inspector will ask if you promise to correct the 483 inspection observations that were identified. You should confirm that you will, and the FDA inspector will add this to the Annotations in the Observations section of FDA Form 483 that you will receive at the closing meeting. By stating this, you are agreeing to create a corrective action plan for each of the 483 inspection observations. You could change your mind later, but the better approach is to perform a thorough investigation of the 483 inspection observation first. If you determine that corrective action is not required, you can explain this in your CAPA plan and provide data to support it. The only likely reason for not correcting an observation is that you determined the incorrect information was provided to the inspector. In that case, you may need to do some retraining or organize your records better as a corrective action to prevent recurrence in a future inspection. You might even make modifications to your work instruction for “Conducting an FDA Inspection” (i.e. FDA inspection plan).

How and when will you respond to the inspector with corrective action plans?

Your FDA inspection plan should include details on how to respond to FDA 483 inspection observations and when the response must be submitted by. The FDA inspector will give you instructions for submission of your corrective action plans by email to the applicable email address for your region of the country. This email address and contact information should be added to your work instruction as an update after the first inspection if you are not sure in advance. You should respond with a copy of your CAPAs within 15 business days. Regardless of what the inspector told you, there is always a possibility that the outcome of your inspection could be “Official Action Indicated.” This is because the inspector’s supervisor makes the final decision on whether a Warning Letter will be issued and regarding the approval of the final inspection report. You should also confirm what the 15-day deadline is, because your state’s holidays may be different from the US Federal holidays.

If your company is outside of the USA, what should you do differently to prepare?

The US FDA only has jurisdiction over companies that are located in the USA. Therefore, if your company is registered with the FDA, you can only be inspected if you agree to host the FDA inspector when they contact you. FDA inspectors will contact foreign firms 6-8 weeks in advance, and they will typically give you a couple of weeks to choose from. After you confirm the dates for the inspection, then they will make their travel plans. Therefore, you will know exactly when the FDA inspection is scheduled and you will have more than a month to prepare. Therefore, you should do four things differently:

  1. You should send the FDA inspector directions from the airport to your facility and provide recommendations for potential hotels to stay at. Ideally the hotels you recommend will provide transportation from the airport and managers that speak passable English. The hotels should be appropriate for business travel–not royalty. If it is convenient, you may even offer to pick-up the inspector at the hotel each day to ensure they have no problems with local transportation.
  2. You should offer to provide lunches for the inspector during the inspection. This should not be considered entertainment. The purpose is to make sure the inspector has lunch (i.e. a light meal or snacks) and drinks (i.e. water and coffee) during the inspection so that they do not have to negotiate local traffic, struggle with ordering food in a language they don’t know, and to eliminate delays associated with having lunch off-site. Make sure you remember to ask about food allergies and dietary restrictions. You might even follow-up with a draft menu to obtain confirmation that your proposed menu is appropriate.
  3. You should schedule a mock-FDA inspection immediately to verify that everyone is prepared and to identify any CAPAs that need to be initiated before the FDA inspector finds the problems.
  4. During the first day of the inspection, you may consider asking the inspector if they would like to go out for dinner one of the evenings with a couple of people from your company or if they would like any recommendations for restaurants to eat at. If you are not familiar with US customs and international travel, ask the hotel concierge for advice. When you are out to dinner, the conversation should remain professional and if you normally drink alcohol at dinner you may want to consider the “BOB” campaign in the Netherlands as a role model.

How are you going to train everyone in your company?

You need an easy way to train everyone in your company. Why not give them a video to watch? Next Monday, July 26, 2021 @ Noon EDT, we are hosting a webinar on how to prepare for an FDA inspection. It is a live webinar where you will be able to ask questions, and we are bundling the webinar with our new work instruction for “Conducting an FDA Inspection” (WI-009). If you register for the webinar, you will receive access to the live webinar, you will receive the native slide deck, and you will receive a copy of the work instruction. You can use the work instruction as an FDA inspection plan template for your company. The webinar will be recorded for anyone that is unable to attend the live session. You will be sent a link to download the recording to watch it as many times as you wish, and we recommend that you use the webinar as training for the rest of your company. If you register for the webinar prior to August 3, 2021, you can use the discount code “Alysha” during checkout to save 50% (i.e. $149.50 instead of $299).


Are you a little curious, or fascinated by competitive warning letters?


Did you know you can download competitor inspectional observations to learn which quality issues are likely to result in warning letters?


Not long ago the FDA published their Inspectional Observation Data Sets. They are Excel spreadsheets of the dreaded 483 inspection observations and warning letters that the FDA issues after performing inspections of manufacturers. There is a spreadsheet for each of the following topic areas, and we will take a look at the ‘Devices’ observations. A post-mortem data analysis or speculative data autopsy if you will… What can we learn when examining an FDA inspection observation?


  • Biologics
  • Drugs
  • Devices
  • Human Tissue for Transplantation
  • Radiological Health
  • Parts 1240 and 1250
  • Foods (includes Dietary Supplements)
  • Veterinary Medicine
  • Bioresearch Monitoring
  • Special Requirements
  • Total number of inspections and 483s


These are nonconformities written by the FDA to the Code of Federal Regulations, so there won’t be any statistics for ISO 13485:2016 or Regulation (EU) 2017/745. There will be lots of findings under the ‘QSR’ or 21 CFR 820. The good news, unlike an ISO Standard, is that the Code of Federal Regulations is publicly available online for free. It isn’t a pay-to-play game and we can share the full text of the requirement without violating any copyright licensing agreements. 


The top 10 areas for inspection observations and warning letters are: 


  1. CAPA procedures
  2. Complaint procedures
  3. Medical Device Reporting
  4. Purchasing Controls
  5. Nonconforming Product
  6. Process Validation
  7. Quality Audits
  8. Documentation of CAPA actions and results
  9. Training
  10. Device Master Record


Corrective and preventive action is the most common reason for warning letters

The winning quality system requirement that resulted in the most 483 inspection observations and warning letters was for Corrective and Preventive Actions under 21 CFR 820.100(a). This finding is listed when a manufacturer fails to establish a CAPA procedure or the procedure is inadequate. This finding was cited 165 times. In addition, CAPA activities or their results were not documented or were not documented adequately a total of 32 times under 21 CFR 820.100(b). This gives us a grand total of 197 observations for the CAPA process.


Corrective and preventive actions are either fixing an identified problem and making sure it doesn’t happen again, or stopping a potential problem from happening in the first place. It is both the reactive and proactive response for quality issues and product non-conformance. The text of the requirement is:


§820.100 Corrective and preventive action.
(a) Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action. The procedures shall include requirements for:
(1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;
(2) Investigating the cause of nonconformities relating to product, processes, and the quality system;
(3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems;
(4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device;
(5) Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems;
(6) Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems; and
(7) Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review.
(b) All activities required under this section, and their results, shall be documented.


We can see that under section (a) the requirement is that there is an established and maintained process control with a numerical list of required inputs and outputs of that process. The process control is easy, use a procedure. You have to establish a procedure and you have to maintain it. That is one part of the first 165 observations.


The second part is that the procedure needs to be ‘adequate’. That means that bullets (1)-(7) need to be addressed within that procedure. For example number (2) is “Investigating the cause of nonconformities relating to product, processes, and the quality system;”. This means that the procedure should be explaining not only that your quality system will be doing that investigation, but who will be doing it and how they will be doing it. 


“The cause of nonconformities shall be investigated”, may not be an adequate process control. Yes, it addressed the need for a root cause evaluation, but does it do that adequately? 


“The RA/QA Manager will complete or assign a staff member to complete the root cause evaluation of Corrective Actions utilizing methods such as a ‘5-Why Analysis’ by filling in section 2. of the CAPA report form.” This wording is much closer to what is needed in a procedure. It explains who is doing what, roughly how they might do it, where that activity gets documented and identifies the record that the activity produces.


Which brings us to the extra 32 findings where the activities and their results either weren’t documented or were done so poorly. This is why identifying the input (Root Cause Analysis) and the output (Section 2. of the CAPA report) are important. It allows you, the inspector or an auditor to trace from the procedure to the record that part of the process produces to demonstrate conformity. 


As the age old saying goes, “if it isn’t documented, it didn’t happen”. That record should show that yes you did a root cause analysis (the activity) and what the conclusion of that analysis was (the results of that activity). These types of records are so vital to your quality system that there is an entire process dedicated to the control of records. I’ll give you a hint, it is Subpart-M of the QSR. 


This is also a great segue to show how the processes go hand in hand and CAPA is interrelated to Document Control, Record Control, and your Quality System Record. Your system processes will continually wrap back around to each other in this manner. For example, CAPAs are a required input into your Management Review process so if you don’t have a CAPA procedure you aren’t performing adequate management reviews. 


A note on other systems

If your quality system is also ISO 13485:2016 compliant, Corrective Actions and Preventive Actions are separate items under separate sub-clauses. Corrective Actions are in 8.5.2., and Preventive Actions are in 8.5.3. Meaning if you have a mature quality system that has never had a preventive action, then your CA might be fine, but the PA of that process may be inadequate.


An industry standard for CAPAs is applying a risk based approach, and we have an entire webinar dedicated to the subject! How to create a risk-based CAPA process


Complaints are the second most common reason for warning letters



The silver medal goes to complaints. Much like CAPA, the biggest issue is no, or inadequate, complaint handling procedures. This specific finding was cited 139 times (overall complaint handling has more but this specific issue was the most cited). Not to sound like a broken record but again, complaint handling is a specific process that requires an ‘established and maintained procedure’.


As a procedure it has to exist, it has to be maintained, and each process has requirements for inputs and outputs that must be outlined. Complaint handling is a little bit different in the QSR in that there isn’t a ‘complaint’ sub-part. Complaints are under Sub-Part M- Records, specifically 21 CFR 820.198 Complaint Files. 


To compare, Complaints in accordance with ISO 13485:2016 are under Measurement Analysis and Improvement, specifically Sub-clause 8.2.2. Complaint Handling. It is sandwiched in between Feedback and Reporting to Regulatory Authorities. That had to have been done on purpose because those processes are inherently intertwined and their inputs and outputs directly feed into each other:


§820.198 Complaint files.
(a) Each manufacturer shall maintain complaint files. Each manufacturer shall establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit. Such procedures shall ensure that:
(1) All complaints are processed in a uniform and timely manner;
(2) Oral complaints are documented upon receipt; and
(3) Complaints are evaluated to determine whether the complaint represents an event which is required to be reported to FDA under part 803 of this chapter, Medical Device Reporting.


This sub-section of ‘Records’ may be less intuitive than what we saw under CA/PA. We can see that we have to maintain complaint files. We also need a procedure that covers receipt, review, and evaluation of complaints. Then we have to name a formally designated complaint handling unit to do all of that. 


Further we need to make sure that complaints are handled uniformly and efficiently. It should be a cookie cutter process with a known timeline. Every complaint goes through the same review and evaluation within a specific time period. If it takes six months to review a complaint, that definitely is not a ‘timely manner’. 


Not every complaint will be sent to you via certified mail with ‘Complaint’ written across the top in big BOLD letters. Sometimes people will simply tell you about a complaint they have verbally and your process needs to define how it is addressing these verbal communications. Otherwise your FDA inspection observation will be written, and you run the risk of receiving warning letters.


This of course begs the question, what is a complaint? How will I know if I received one? Fortunately 21 CFR 820.3 provides us with definitions, one of them being what exactly a complaint is: “(b) Complaint means any written, electronic, or oral communication that alleges deficiencies related to the identity, quality, durability, reliability, safety, effectiveness, or performance of a device after it is released for distribution.”


There is no quiz at the end of this but I would caution you that this will probably be on the test. Anytime you ask a question like that and the regulation provides a definition for it, then it’s a good idea to include that definition within your procedure. This is a way to make sure that there is uniformity in the understanding of a procedure. If you miss a complaint because you didn’t realize that it was a complaint then your process is not effective. Eventually an auditor will pick up on the deficiencies in the process, document a finding and you will be doing a CAPA to fix it.   


Every complaint needs to be reviewed, but not every complaint needs to be investigated. This was a much less cited issue (5). You are allowed to decide that an investigation isn’t needed. However, if you do then you must keep a record of why you decided that and name the person responsible for that decision. 


That isn’t carte blanche to just write off investigations whenever you want. There are some things that require an investigation and there is no accepted rationale for not performing one. An example is when there is a possible failure of a device, its labeling or packaging to meet any of their specifications. Those need to be investigated without exception. What your system is allowed to do, though, is skip repeating an investigation: if you have already done an investigation and you receive related similar complaints, there is no need to repeat the same investigation for every complaint. 


An important concept of complaint handling is that you should be triaging your complaints as you receive them. There are certain types of complaints that must be reported to the FDA. More information is actually found under 21 CFR 803, not the 820 that we have been examining. These special complaints need to be identifiably separate from your normal run of the mill complaints. These complaints specifically need a determination of:


  • Whether the device failed to meet specifications;
  • Whether the device was being used for treatment or diagnosis; and
  • The relationship, if any, of the device to the reported incident or adverse event.


Outside of those special reportable complaints, all investigations have certain required outputs. By addressing every complaint in a uniform repeatable manner, this can be boiled down to a form. In fact creating a specific complaint form makes sure that all of the required information has been documented. Each record of an investigation by your formally designated complaint handling unit has to include:


  • The name of the device;
  • The date the complaint was received;
  • Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used;
  • The name, address, and phone number of the complainant;
  • The nature and details of the complaint;
  • The dates and results of the investigation;
  • Any corrective action taken; and
  • Any reply to the complainant.


Some companies and corporations sprawl across the globe and have many sites all over the place. Not every manufacturer is limited to containing all of their operations within a single building. There are times where the formally designated complaint handling unit may be somewhere other than where the manufacturing is taking place. That is acceptable as long as communication between the two is reasonably acceptable. The manufacturer needs access to the records of the complaint investigations performed. Just as everything must be documented, all of that documentation must be producible as well. If not, your inspector will produce FDA 483 inspection observations and warning letters.


If the complaint handling unit is outside of the United States, the records have to be accessible in the United States from either the place where the manufacturer’s records are normally kept or at the initial distributor. 


Complaint Handling and vigilance reporting are topics that we often find stuck together like velcro. We find them so interrelated that we have a combined Complaint Handling and Vigilance Reporting Webinar.


Medical Device Reporting is the third most common reason for warning letters

The bronze medal recipient shows a drop in sheer numbers of FDA inspection observations. A total of 68 were written for the fiscal year of 2020, and these findings have a high likelihood of resulting in warning letters because these incidents may involve serious injuries and death. We are slowing down, but this is still a topic that gets an FDA inspection observation almost every week.


But again part of the issue is no, or bad procedures to control this process. Not to be confused with the (EU) MDR since as an industry we love acronyms so much, Medical Device Reporting is referenced within the Quality System Requirements of 21 CFR 820. We took a peek above in Complaint Handling. What makes this unique is that MDR actually lives in 21 CFR 803 Medical Device Reporting. What makes it even more special is that Part 803 is further broken down into sub-parts. 


We will take a look at Sub-part E which is the reporting requirements for manufacturers. Medical Device Reporting is a process and as such needs a procedure to control it and that procedure must be maintained. 


One key point to capture is that there are reporting timelines that are measured in calendar days from when you become aware of information that reasonably suggests that one of your devices:


(1) May have caused or contributed to a death or serious injury or
(2) Has malfunctioned and this device or a similar device that you market would be likely to cause or contribute to a death or serious injury, if the malfunction were to recur


There are some crucial takeaways. First, the clock starts ticking down calendar days, not work days, and holidays count. You can’t hold off reporting that your device killed someone because it’s around the holidays and over a few weekends. 


Second, is that reporting timelines vary, generally between 5 and 30 calendar days. That means it is important to know the specific timeline for the type of report you are making and what the authority having jurisdiction requires for a timeline. The FDA may differ from Health Canada which in turn may differ from the EU, etc. 


Third is that the bar to meet is what would be ‘reasonably known’, and that is somewhat of an ambiguous requirement open to interpretation.


They help clarify this with,


(i) Any information that you can obtain by contacting a user facility, importer, or other initial reporter;
(ii) Any information in your possession; or
(iii) Any information that you can obtain by analysis, testing, or other evaluation of the device.


The first two are usually not an issue, but the one that tends to get less attention is deeper analysis, testing or evaluation of the device. Due diligence is required here to make sure that you actually do know the information that should be ‘reasonably known’ to you. 


The burden of investigation and root cause determination is placed squarely on the shoulders of the manufacturers and that is a process that can take some time. What happens when the reporting timeline is fast approaching but your investigation won’t be finished before the clock runs out? The short answer is to report it anyway.


The longer answer is to report what information you do have with an explanation of why the report doesn’t have all of the required information. Then explain what you did to try to get all of the information, and file a supplemental or follow-up report later to fill in the gaps. Only having a partial report ready is not an excuse to miss the reporting deadline. It is, however, the perfect excuse to get an FDA inspection observation or warning letters.


Smile, because you should never be scared of a surprise FDA inspector


If you have a surprise FDA inspector visit, you should never be scared because there is no difference between the best and worst-case outcome.

Why are you scared of an FDA inspector?

There are a number of reasons why you might be scared of an FDA inspector, but if you keep reading you will learn why 95% of your fear is self-induced. A small percentage of device manufacturers evaluate the performance of quality managers based upon the outcome of FDA inspections, but you have no control over whom the FDA Office of Regulatory Affairs (ORA) assigns to perform your inspection. If your company belongs to this 5% minority, you need to change top management’s approach to regulators or you need to find a new employer. For the majority of us, we are scared of embarrassment, failure, or being “shut down.”

There are rare examples of where the FDA has taken action to stop the distribution of medical devices, but this is only done as a last resort. Usually companies cooperate with the FDA with the hope of being able to resolve quality issues and resume distribution after corrective actions are implemented. Not only is this type of action rare, there will be a prior visit to your facility and prior written communication from ORA before you receive a warning letter–let alone removal of your company’s device(s) from the market. You can’t pass or fail an FDA inspection. The FDA inspector is verifying compliance with the FDA Quality System Regulation (i.e. 21 CFR 820) as well as the requirements for medical device reporting (i.e. 21 CFR 803), reports of corrections and removals (i.e. 21 CFR 806), investigational device exemptions (i.e. 21 CFR 812), and unique device identification (UDI). FDA inspectors only have time to sample your records, and with any sampling plan there is always uncertainty. When you do receive an FDA 483 inspection observation you should not consider it to be a condemnation of your company. Likewise, an absence of 483 observations is not a reason to celebrate.

Why you should not be embarrassed when you receive a 483 from an FDA inspector

The most irrational response to an FDA 483 inspection observation is embarrassment. Our firm specializes in helping start-up medical device companies get their first product to market. This includes providing training and helping them to implement a quality system. When our clients have their first FDA inspection, it is not uncommon to receive an FDA Form 483 inspection observation. Start-ups have limited resources, limited experience, and most of the employees have never participated in an FDA inspection before. Experience matters, and immature quality systems have only a limited number of records to sample. Any mistakes are easy for an inspector to find.

Instead of feeling embarrassed, acknowledge and embrace your inexperience. For example, during the opening meeting with an FDA inspector you might say, “We are a new company, and this is our first FDA inspection. I am also a first-time quality manager. If you find anything that we are doing incorrectly, please let us know and we will make immediate corrections and start working on our CAPA plan.” You can say this with a smile :), and you can genuinely mean what you said because it’s true.

Anticipation is always worse than reality

Another reason you are scared of an FDA inspection is because you don’t know exactly when the inspection will be. Only Class III PMA devices, and a few Class II De Novo devices with novel manufacturing processes, require a pre-approval inspection. For the rest of the Class II devices, ORA prioritizes inspections based upon risk. There are a few companies prioritized for inspection within the first six months of registration, such as reprocessors of single-use devices and contract sterilizers. For the rest of the Class II device manufacturers, your first inspection should be approximately two years after your company registers with the FDA. If you are located outside the USA (OUS), your first inspection might take three years to schedule. Finally, for Class I device manufacturers and contract manufacturers, you are unlikely to ever be inspected by the FDA. If you didn’t know what the typical timeline was for ORA to schedule your first inspection, you probably just breathed a HUGE sigh of relief when you read this paragraph.

Even if you already knew the approximate timeline and priorities for FDA inspections, it’s normal to feel a little anxiety when the date of your first visit is unknown. Your boss and the rest of top management are probably feeling just as much anxiety as you are, or even more if they have no idea what the timeline and priorities are. You should make sure that everyone in your company understands what they are supposed to do during an FDA inspection, and if you forget to tell them you might cause a lot of unneeded drama when they find out an FDA inspector is in the front lobby. Preparing for an FDA inspection is no different from conducting a fire drill. Everyone should know the procedure, and you should practice (i.e. conduct a mock-FDA inspection). Practice ensures that everyone knows what to do during the first 30 minutes of an FDA inspection, and nobody in your company will panic when an FDA inspector actually arrives.

Let’s define “surprise” visits by an FDA inspector

A surprise visit from an FDA inspector is extremely rare, but in the USA inspectors will call on Friday to confirm that your company will be open the following Monday for an inspection. The FDA has jurisdiction over medical device manufacturers located in the USA, and they are not required to give advance notice. However, inspectors need time to prepare in advance for their inspection–just like an ISO 13485 auditor. Therefore, before an inspector will arrive on-site for a routine (Level 2) inspection, the inspector will first make a courtesy call to the official correspondent identified in your establishment registration.

What happens when an FDA inspector travels outside the USA

In the case of OUS medical device manufacturers, the FDA inspector does not have jurisdiction. Therefore, they will contact the official correspondent 6-8 weeks in advance to schedule an inspection. Inspectors will typically make contact via email, and you may be given a couple of weeks to choose from for the FDA inspection. The duration of your inspection should be 4.5 days. The inspector will arrive on Sunday, and the inspection will begin on Monday morning. The inspector has four major process areas to cover, and Friday morning will be focused on generating a preliminary report of 483 inspection observations. The reason why you can predict this OUS routine with a degree of certainty is two-fold: 1) these are government workers following a procedure, and 2) the FDA inspector needs time to get to the airport for their flight home.

What is the outcome of an FDA inspection?

FDA inspections have three possible outcomes:

  1. No action indicated – there were no FDA 483 inspection observations identified by the FDA inspector
  2. Voluntary action indicated – there was at least one FDA 483 inspection observation identified by the FDA inspector, and the FDA inspector requests submission of a CAPA plan to prevent recurrence
  3. Official action indicated – there was at least one FDA 483 inspection observation identified by the FDA inspector, and the FDA inspector requires submission of a CAPA plan to prevent recurrence; if a plan is not received in 15 business days, a warning letter will automatically be generated on the 16th day

Even in the rare instances where there is “no action indicated” (i.e. best case scenario), I have always noticed one or more things during an FDA inspection that were overlooked and we needed to initiate a new corrective action plan(s). In the other two possible scenarios, the FDA inspector identified the need for one or more corrective action plans. Therefore, regardless of whether your FDA inspection results in the best-case scenario or the worst-case, you will always need to initiate a new corrective action plan(s).

If the outcome is always a CAPA, what should you do?

Give your FDA inspector a big smile and say, “We are a new company, and this is our first FDA inspection. I am also a first-time quality manager. If you find anything that we are doing incorrectly, please let us know and we will make immediate corrections and start working on our CAPA plan.” Making sure that you have a genuine smile is just as important as what you say. Smiling will relax you and the anxiety and stress you are feeling will gradually melt away. Smiling will encourage the FDA inspector to trust you. Maybe your smile will even be contagious.

If you need help responding to an FDA 483 inspection observation, or you want to conduct a mock-FDA inspection, please use our calendly app to schedule a call with a member of our team. We are also hosting a live webinar on FDA inspections on July 26, 2021 @ Noon EDT.

About the Author


Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of the job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.


How to pass the FDA Refusal to Accept (RTA) Screening Process


This article helps you understand how to pass the FDA Refusal to Accept (RTA) screening process for 510k submissions – updated Sept 2019 version.


What is an RTA Checklist?

The “RTA” in RTA Checklist stands for Refuse to Accept. The FDA uses this tool to determine whether your 510(k) submission will be accepted for a substantive review. Accepted, not approved, because this is simply a verification that the required information is included in your submission. As stated in the 2019 FDA guidance document for the FDA’s Refuse to Accept Policy for 510(k)s, the question is whether a submission meets “a minimum threshold of acceptability and should be accepted for substantive review” (Ref. 1). That does a nice job summarizing the RTA checklist. It is a tool used to help assess whether or not your submission contains the required information to continue with a more thorough review of the contents of the submission itself. 

What does the Refusal to Accept (RTA) policy apply to?

The Refusal to Accept (RTA) policy applies to all 510k submissions. A specific RTA checklist applies to each 510(k) submission type:

  • Traditional 510k
  • Abbreviated 510k
  • Special 510k

There is a different RTA checklist for each submission type. The checklists can be found within the Refuse to Accept Policy for 510(k)s guidance document. Specifically, in the PDF document that the FDA reissued on September 13, 2019, the checklists can be found in the following areas:

  • Traditional 510k – Appendix A. Page 20 (numbered page 21)
  • Abbreviated 510k – Appendix B. Page 55 (numbered page 56)
  • Special 510k – Appendix C. Page 91 (numbered page 92)

Note that in the title of the checklist it is referred to as an ‘acceptance checklist.’ It is not called the RTA checklist until you get to the footer of the page. It is also listed as an acceptance checklist on the FDA website. The best way to think of the process is as preliminary screening by the FDA. 

What does the FDA look at during the Refusal to Accept (RTA) screening process?

During the screening process, the assigned RTA screener will review your 510k submission and try to identify all of the requirements listed in the applicable RTA checklist. The person screening your submission is required to answer “yes,” “no,” or “n/a” to the questions in the checklist. This person must also enter the document and the page where the information can be found in the submission. Finally, if an element required by the refusal to accept (RTA) checklist cannot be found, then the screener adds a comment at the end of that section in the checklist. The comment will state what your deficiency is and it may even identify a guidance document that can help you address the issue. If you are missing requirements, you will receive an email from the RTA screener with the completed RTA checklist attached. We call this an “RTA Hold” letter. If your submission is not rejected, then your 510k is administratively complete and you will receive an automated email indicating that your submission was accepted and the substantive review will now begin.

Refusal to Accept (RTA) Time Frame

As stated in the guidance document the Refusal to Accept policy includes “an early review against specific acceptance criteria and to inform the submitter within the first 15 calendar days after receipt of the submission if the submission is administratively complete, or if not, to identify the missing element(s).” (Ref. 1). If the assigned screening person is unable to complete the process within 15 calendar days, then you will receive an automated email stating that they were unable to complete the RTA checklist within 15 calendar days and your submission is automatically moved to the substantive review stage of the 510k review process.

Taking the time to perform your own gap analysis before you submit could avoid a simple error. For example, if you forget to include the signed Truthful and Accuracy Statement in your submission it could take 15 days to be notified of that missing element. The person screening your submission could email you to provide this missing element in an interactive review to avoid placing your submission on hold, but they are not required to give you a chance to provide this interactively by email. If you do receive an RTA Hold letter, you might be able to correct missing elements on the same day, but the 510k review clock is automatically reset when your 510k is placed on RTA Hold. There will be another 15-day refusal to accept (RTA) screening of your submission when you respond to an RTA Hold letter.

What to do with the information in the comments of the RTA checklist?

The RTA checklist is the criteria that your submission is being evaluated against. If your submission has deficiencies during the initial review against the RTA Checklist, the FDA will refuse to accept it and the substantive review will not begin until those deficiencies have been corrected. Since the FDA does not hide what they are looking for, or how they will evaluate your submission, use that to your advantage. Assuming that you have correctly determined the type of 510k submission you have, perform a gap analysis of your submission against the RTA checklist. Either perform these actions in-house, or hire an outside consultant to do them for you, but make sure you don’t make the mistake of trying to check your own work because you will miss something. 

Scope of the FDA Refusal to Accept Guidance Document

The FDA guidance document is provided for the benefit of the FDA personnel that are reviewing your submission, and not specifically for the 510k submitter. It is also for the purpose of providing a loose framework for systematically reviewing submissions in a consistent manner. This ensures all submissions receive equal nonbiased treatment. There are some things that this guidance document does not address or alter by its own admission. One of those things is the “substantial equivalence decision-making process once the submission has been accepted for review.” The refusal to accept (RTA) guidance also does not address FDA user fees. Other guidance documents address those issues.

What are the most common reasons for FDA refusal of your 510k submission?

Although there are dozens of reasons (43 to be exact) why the FDA could reject your submission in the 35-page RTA checklist, most of the refusals (~80%) result from a small percentage (~20%) of reasons. The most common is that your submission is poorly organized. Either you did not provide a table of contents, your submission is not organized in accordance with the sections outlined in the guidance, or the pages of your submission are not properly numbered. When you are trying to review a 1,200-page submission, poor organization is extremely irritating and wastes the reviewer’s time. If it were my decision, I would refuse to complete the entire checklist until you gave me a properly organized submission.

The second most common reason for refusal is the submission of a device description that is not adequate. The FDA needs more detail than most companies provide for the device description because they need to understand what the differences are between your device and the predicate device. This includes much more than just the indications for use. Who are the intended patients and users? What is the intended environment of use? What are the materials for patient-contacting components? What is the source of power for your device? Which design features does your device include when compared to the predicate? What is the user interface for your device? Which accessory devices are needed with your device? You can even make the mistake of being inconsistent in your submission by not repeating the content in the device description in other sections of the 510k submission. It is important to duplicate certain content verbatim in other documents such as the 510k summary, the executive summary, the substantial equivalence comparison, and the instructions for use. Paraphrasing and summarizing certain information will not work.

The third most common reason for refusal of your submission is likely to be related to software validation documentation. In addition to complying with the recognized IEC 62304 standard, you also need to comply with the five software guidance documents that the FDA has published. The FDA and 3rd-party reviewers use an 11-item checklist based upon the 2005 FDA guidance document on software validation documentation. In addition, if your device has any of the following 5 elements, your submission must also comply with the two FDA guidance documents on cybersecurity:

  1. Cloud communication
  2. Network connection (active or not)
  3. Wireless communication in any form
  4. USB/serial ports/removable media
  5. Software upgrades (this includes patches)

Finally, biocompatibility is the one testing section of your 510k submission that is most likely to result in refusal to accept by the FDA out of the seven sections requiring testing reports. There are several reasons why biocompatibility results in more refusals than the other six testing sections. First, the FDA requirements go above and beyond the requirements of the ISO 10993-1 standard. Second, the FDA requires that you submit full testing reports for biocompatibility while you can submit summaries for other sections (e.g. sterilization validation). Third, many submitters try to provide a rationale for why testing is not required for their device, but the FDA has very stringent requirements for the use of a biological risk assessment or a biocompatibility certification statement in lieu of testing.

Do you have to follow the RTA checklist exactly?

You can, but you are also not bound by it. Like all guidance documents they “contain nonbinding recommendations”. The checklist is released as part of a guidance document, so it is a guidance and not a regulatory requirement. That being said, if your submission is missing an element in the checklist, your 510k submission will be considered administratively incomplete unless you provide a clear explanation as to why the checklist element is not applicable to your submission or you explain how you meet the 510k submission requirement in another way.

Medical devices vary wildly and there is no one size fits all approach. The FDA recognizes that and includes some wiggle room that gives them some discretion in reviewing submissions. However, 100% of the 3,500+ submissions received each year are screened using the refusal to accept (RTA) checklist and the screening person’s job is to verify that your submission meets the criteria. As it says in the guidance document:  

“The purpose of the 510(k) acceptance review is to assess whether a submission is administratively complete, in that it includes all of the information necessary for FDA to conduct a substantive review. Therefore, the submission should not be accepted and should receive an RTA designation if one or more of the items noted as RTA items in the checklist are not present and no explanation is provided for the omission(s). However, during the RTA review, FDA staff has the discretion to determine whether missing checklist items are needed to ensure that the submission is administratively complete to allow the submission to be accepted. FDA staff also has the discretion to request missing checklist items interactively from submitters during the RTA review. Interaction during the RTA review is dependent on the FDA staff’s determination that outstanding issues are appropriate for interactive review and that adequate time is available for the submitter to provide supporting information and for FDA staff to assess responses. If one or more items noted as RTA items on the Acceptance Checklist are not present, FDA staff conducting the acceptance review should obtain management concurrence and notify the designated 510(k) contact person electronically that the submission has not been accepted.” (Ref. 1).

The portion above notes that explanations may be provided for omitted portions of the submission. So, the answer to the question is that no, you do not have to follow the RTA checklist exactly. However, if you should purposefully omit a section you should provide an explanation and your rationale justifying why the omission is appropriate for your individual device and 510(k) submission. Again, just because you have included an alternative approach or justification does not automatically mean it will be accepted. The FDA personnel that are conducting the acceptance review will judge whether or not your deviation is acceptable.

What if your 510k submission is refused?

If your submission is refused you will be provided with a copy of the completed RTA checklist and each of the deficiencies you must address will be highlighted. Sometimes there will be an attachment to the checklist that has additional issues that are not in the RTA checklist, but the reviewer thinks you may need to address later. You might also see comments that are not highlighted. These are suggestions from the reviewer that you may or may not choose to address.

There is a 180-day timeline for response to an RTA Hold letter. The response must be submitted to the CDRH Document Control Center (DCC) as an eCopy, and the response must be received within 180 days. If the response is not received within 180 days, your submission will be automatically withdrawn on the 181st day. Your response may not be piecemeal. You must address all of the issues in the RTA checklist or your submission will be placed on RTA Hold again (i.e. RTA2). If you are not sure how to organize your response, a previous blog posting and YouTube video address this topic directly.

About the Author

Matthew Walker – QMS, Risk Management, Usability Testing, Cybersecurity

Matthew came to us with a regulatory background that focused on OSHA and NFPA regulations when he was a Firefighter/EMT. Since we kidnapped him from his other career, he now works in Medical Device Quality Management Systems, Technical/Medical Writing, and is a Lead Auditor. Matthew has updated all of our procedures for  He is currently a student in Champlain College’s Cybersecurity and Digital Forensics program, and we are proud to say that he is also a member of both the Golden Keys and Phi Theta Kappa Honor Societies! Matthew participates as a member of our audit team and has a passion for risk management and human factors engineering. Always the mad scientist, Matthew pairs his professional life in regulatory affairs with hobbies in the culinary arts as he also holds a Butchers/Meat Cutters certificate from Vermont Technical College.


Posted in: 510(k), FDA

How is your response to an Additional Information Request different from an RTA response?

A poor RTA response will cause a two-week delay, but with an additional information request you only get one chance to avoid the dreaded NSE letter.

An Additional Information Request (i.e. AI Request) is typically received just before the 60th day in a 90-day 510k review, while a Refusal to Accept (RTA) Hold is typically received on the 15th day. If your response to your first RTA Hold (i.e. RTA1) is inadequate, the reviewer will issue another RTA Hold letter (i.e. RTA2) and your 510(k) review clock will be reset to 0 days. You will have another 180 days to respond to RTA2, and issues identified in an RTA Hold are usually easy to address. Most RTA Hold issues also have one or more guidance documents that are available to help you to obtain an RTA Accept letter. You can also always request a submission-in-review (SIR) meeting to clarify what information the reviewer needs to address the RTA deficiencies. If you want to learn more about responding to an RTA Hold, please read last week’s blog. The rest of this article is specific to responding to requests for additional information.

What happens after 60 days during a 510k review?

On the 60th day of the 510k review clock, or a few days prior to the 60th day, the lead reviewer must determine if they need to issue an Additional Information (AI) Request. The alternative to an AI Request is for the lead reviewer to issue a letter indicating that you have entered the Interactive Review Phase. This only happens if the reviewer believes they can make a decision regarding substantial equivalence in the next 30 days. If the decision is to issue an Interactive Review Letter, then the lead reviewer believes that only minor issues remain and there is only the need for interactive email responses between the lead reviewer and the submitter. An interactive review is the ideal outcome of the substantive review process but it rarely happens.

If you receive an Additional Information Request, what are your options?

The AI letter will indicate that you have 10 days to request a clarification meeting with the reviewer. The wording of this section of the AI letter is provided below:

“FDA is offering a teleconference within 10 calendar days from the date on this letter to address any clarification questions you may have pertaining to the deficiencies. If you are interested in a teleconference, please provide (1) proposed dates and (2) a list of your clarification questions via email at least 48 hours before the teleconference to the lead reviewer assigned to your submission. We would like to emphasize that the purpose of the meeting is to address specific clarification questions. The teleconference is not intended for the review of new information, test methods, or data; these types of questions could be better addressed via a Submission Issue Q-Submission (Q-Sub). For additional information regarding Q-Subs, please refer to the Guidance for Industry and FDA Staff on Medical Devices: Requests for Feedback and Meetings for Medical Device Submissions at”

If you wait too long to request the teleconference, then FDA will require you to submit a formal pre-sub meeting request or “Submission in Review” (SIR) meeting request. If you request a SIR meeting within 60 days of receiving an AI Request, the FDA will schedule a SIR meeting with you within three weeks of receiving the request–assuming resources are available. If you wait longer than 60 days to request the SIR meeting, then the FDA will default to their normal target of 60-75 days for scheduling a pre-sub meeting. For example, if you submit your SIR meeting request on day 75, and the FDA takes 75 days to schedule the meeting, you will be granted your SIR meeting at 150 days and you will only have 30 days remaining to respond to the AI Request before your submission is automatically withdrawn.

Therefore, it is important to request a clarification meeting immediately after you receive the AI Request. While you are waiting for your clarification meeting, you should immediately begin preparing any draft testing protocols that you want the FDA to provide feedback on during a SIR meeting. Then after you have the clarification meeting, you should submit your SIR meeting request and include any draft testing protocols you have prepared. This may include a statistical sampling rationale, a proposed statistical analysis method, a summative usability testing protocol, or a draft protocol for some additional benchtop performance testing. The FDA can review examples of preliminary data, a protocol, or a proposed method of analysis. The FDA cannot, however, provide a determination of substantial equivalence.

The Most Common Mistakes in Responding to an Additional Information Request

Most companies make the mistake of asking the lead reviewer, if they provide specific additional information, “Will this be sufficient to obtain 510(k) clearance?” Unfortunately, the FDA is not able to provide that answer until the company has submitted the additional information and the FDA review team has had time to review it thoroughly. This is done only when the submitter delivers an FDA eCopy to the Document Control Center at CDRH, and the review team is able to review the information. This new information is assigned a supplement number (e.g. S001), and it will typically require three weeks to review the information. Then the lead reviewer may request minor modifications to the labeling, instructions for use, or the 510k summary. This request is an interactive request, and the submitter must respond within a very short period (e.g. 48 hours), and the wording of the request may be “Please provide the above information by no later than COB tomorrow.”

FYI: “COB” means “close of business.” Wow. The FDA loves acronyms.

Best Practices in Responding to an Additional Information Request

If you receive an AI request on a Friday afternoon, 58 days after your initial submission, you should immediately request a clarification teleconference with the FDA reviewer for the following week. The only exception is if you only have minor deficiencies that you feel are completely understood. During the days leading up to the clarification teleconference, your team should send a list of clarification questions to the lead reviewer and begin drafting a response memo with a planned response to each deficiency. After the clarification meeting, you will have approximately 6-7 weeks to submit a SIR meeting request. However, you should not wait that long. Your team should make every effort to submit your SIR meeting request within 2-3 weeks. If the FDA takes 3 weeks to schedule your meeting, then you will have used approximately 6 weeks of your 26 weeks to respond to the AI Request.

In your SIR meeting request, you should always try to provide examples or sample calculations to make sure the FDA review team understands what you are proposing to submit in your supplement. For example, the FDA reviewers do not have enough time to review your entire use-related risk analysis (URRA) in a SIR meeting request. However, you can provide an example of how you plan to document a couple of use-related risks. Then you can show how these risks would translate into critical tasks. Finally, you could provide a draft summative usability testing protocol for FDA feedback. The FDA review team doesn’t have enough time available to review much more. You will only have one hour for your SIR meeting.

How to Prepare Your Response

In section “V” of the FDA guidance on deficiency responses, the FDA recommends that you restate the issue identified by the reviewer in your response. Next, your response should include one of the following:

  1. the information or data requested, or
  2. an explanation of why the issue is not relevant, or
  3. alternate information with an explanation of why the information you are providing addresses the issue.

Before you respond to an AI Request, you should look up any FDA guidance documents referenced in the AI Hold letter to make sure that you address each requirement in the applicable FDA guidance document(s).

The most important technique to learn when you are responding to regulators is to organize your response in a tabular format that is numbered in exactly the same order that the request was made. Typically there will also be sub-parts to certain issues. In that case, you should duplicate the numbers and/or letters of each sub-part and segregate each sub-part in a different row of the table. Personally, I like to alternate the color of the font I use in the table to make it even more obvious which information is a restatement of the reviewer’s comment and which information is the company’s response to the AI Request.

Why you don’t get a second chance to respond to an AI Request

Once you respond to an AI Request, and the DCC receives your FDA eCopy, the FDA review clock will then resume the countdown to 90 days. In our example above, you received the AI Request on the 58th day. The FDA must review everything you submitted and make a final substantial equivalence decision before the 83rd day because they still need to submit their recommendations to senior management in their branch. If any changes to the labeling, instructions for use, or the 510k are required, you should receive those requests several days before (i.e. 76-83 days). You can respond to interactive requests via email, and then the final SE decision will be made. If you do not respond to all of the deficiencies in the AI Request, the FDA reviewer will not have enough time to request that you address the remaining gaps and finish their review. Therefore, an incomplete AI Response will certainly result in a non-substantial equivalence (NSE) letter.

If you need to respond to an additional information request from the FDA reviewer, we can review your planned response to identify potential gaps. If you need help please use our calendly app to schedule a call with a member of our team.

About the Author

Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of the job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.

Posted in: 510(k)

What are the secrets to success in responding to an FDA RTA Hold?

When an FDA reviewer places your 510k on RTA Hold, there are secrets you can learn to improve your chances of a successful response.

Test your knowledge about the FDA RTA Hold process

Did you know that approximately 50% of 510(k) submissions are placed on RTA Hold? Did you know that you can be placed on RTA Hold multiple times for the same submission? Did you know that the 90-day review clock is reset to “0” when you submit your response? Do you know how to respond to the FDA when the reviewer is incorrect? Did you know that you can avoid the RTA screening process for any 510(k) submission if you use the correct template? Every year there are more than 1,000 submissions placed on RTA Hold, but did you know there is an FDA guidance specifically telling you how to respond to deficiencies? You can learn the secrets to responding to an FDA RTA Hold just by reading this article.

What is an FDA RTA Hold?

When the FDA receives a Traditional 510k submission FDA eCopy, the eCopy is uploaded to the FDA system within hours of the submission being received. If the eCopy does not meet the eCopy format requirements, then the submission will be placed upon eCopy Hold. The official correspondent will receive an automated email indicating that the submission is on eCopy Hold, and the submitter will be asked to correct the submission format to meet the eCopy submission requirements and provide a replacement eCopy. If the FDA user fee has not cleared, then the submission will be placed on User Fee Hold. It is possible to be placed on eCopy Hold and User Fee Hold at the same time.

If your eCopy is accepted, then a reviewer is assigned to screen your submission for compliance with the FDA Refusal to Accept (RTA) policy. The reviewer has 14 days to complete this review, and on the 15th day the reviewer must do one of three things: 1) issue an RTA Hold letter to the submitter, 2) issue an RTA Acceptance letter to the submitter, or 3) issue a letter that states the RTA screening was not completed on time and the submission was automatically accepted. If you receive an RTA Hold letter, it will be via email from the reviewer and the RTA Checklist will be attached. In the checklist, there will be some items highlighted in yellow and deficiencies will be noted in those sections. The reviewer may add additional comments to the checklist, but you are only required to respond to the highlighted sections. The process that the reviewer follows for RTA screening is defined in the FDA guidance for the Refusal to Accept process, and the guidance includes a checklist for traditional, abbreviated, and special 510k submissions. Some companies will fill in these checklists themselves and submit a copy of the checklist with the 510k submission. This is intended to help the reviewer identify where all of the requirements in the RTA checklist can be found. Third-party reviewers require that the company complete the RTA checklist and provide it to them with the eCopy.

How many times can you be placed on hold for the same submission?

Technically there is no limit to the number of times a submission can be placed on RTA Hold, and our firm has seen a few submissions placed on RTA Hold twice in a row. The first RTA Hold is referred to as RTA1, and the response to that RTA Hold is referred to as the first supplement (i.e. K123456/S001). If a second RTA Hold is issued, that hold is RTA2, and the response to that RTA Hold is referred to as the second supplement (i.e. K123456/S002). A response to an eCopy Hold is referred to as an amendment (i.e. K123456/A001).

What happens to the 90-day review clock when you are placed on RTA Hold?

When the FDA reviewer places your submission on RTA Hold, the 90-day review clock is automatically reset. Therefore, even if you respond to an RTA Hold on the same day you receive the RTA Hold, and your submission is received the next day, the “real” review timeline is now 106 days instead of 90. If your submission is placed on RTA Hold twice, then the “real” review timeline is now 122 days instead of 90. If the lead reviewer of your 510k requests additional information, this is referred to as an “AI Request.” We will address this in a future blog, but an AI Request does not reset the review timeline. The AI Request, however, will increase the review timeline. Although we rarely have an RTA Hold, we almost always have an AI Request. This is why our average submission is approximately 125 days (i.e. ~30 days are required to respond to the AI Request).

How should you respond if the FDA reviewer is incorrect?

The average 510(k) submission has grown over time from 300 pages to more than 1,200 pages, but the FDA review “clock” is still 90 days and the RTA screening is limited to 15 days. Therefore, it is not reasonable for you to expect the reviewer to understand and absorb every detail of your submission. If the reviewer can’t find the information they are looking for quickly, the reviewer may state that they could not find the information in the submission or that you did not provide it. If the information is found in the submission, you should provide a reference to the section of the submission, including the document and page number, in your RTA response. You may even choose to quote the information in your response memo if it is brief.

Other times the reviewer may not understand why certain information is not relevant to your submission. In this case, you should restate why the information requested is not relevant. You may want to review relevant FDA guidance documents that explain how to justify why information is not required.  For example, if you did not provide biocompatibility testing reports for some of the endpoints that are identified in ISO 10993-1:2018, then you should either provide a detailed biological risk assessment in accordance with the FDA guidance on the use of ISO 10993-1, or you should provide a biocompatibility certification statement.

If you are not sure why the FDA reviewer stated the information you provided is not acceptable, you might try calling or emailing the reviewer to ask for clarification. If you do this, be respectful of their time and be brief. You should identify who you are (you must be the official submission correspondent to speak with the reviewer), you should identify which submission you are contacting the reviewer about (they are working on many simultaneously), you should restate the issue identified by the reviewer (it may have been an issue of another member of the review team), and then you should indicate where the information can be found in the submission. If they believe this addresses the issue, then they will instruct you to provide that information in an RTA response. If the information does not address the issue, usually they will explain why. Your chances of receiving an email response are also better than speaking to the person on the phone–especially during the Covid-19 pandemic.

FDA eSTAR submissions are not subjected to the RTA screening process

When you use the FDA eSTAR submission instead of creating an eCopy, your submission should already meet all of the RTA screening requirements. The eSTAR includes automation to validate that the submission is administratively complete and therefore the reviewer does not need to do an RTA screening of an eSTAR submission. Therefore, most companies should realize shorter overall 510k clearance timelines, because they will only have an AI Request and the review clock will not be reset.

Does the FDA offer any guidance on how to respond to deficiencies?

When the FDA writes deficiencies, the reviewer is supposed to follow the FDA guidance for deficiency content and format. However, the RTA checklist deficiencies typically are shorter and may not be as clear as a deficiency in additional information (AI) requests or non-substantial equivalence (NSE) letters. The first part of the deficiency is a reference to the information that was provided by the submitter (i.e. section, page number, or table). In an RTA checklist, each deficiency is provided in the comments section at the end of the section of the checklist. Therefore, if you have a deficiency related to your device description, the deficiency will be written at the end of the device description section of the RTA checklist. The comment will be highlighted in yellow, and there will be a checkbox next to the specific checklist item indicating that the requirement was not met. In the far-right column of the checklist, there will be a reference to the page of the submission where the deficiency can be found.

In the comment the reviewer should explain why the current information does not meet the requirement of the RTA checklist. The reviewer should also clarify the relevance of the deficiency with regard to the substantial equivalence determination. For the example of a deficiency related to your device description, usually, the issue is that your submission has inconsistencies between the various submissions or there is insufficient detail about your device. At the end of the comment, the reviewer should provide an explicit request for the information needed to address the RTA Hold.

In section “V” of the FDA guidance on deficiency responses, the FDA recommends that you restate the issue identified by the reviewer in your response. Next, your response should include one of the following:

  1. the information or data requested, or
  2. an explanation of why the issue is not relevant, or
  3. alternate information with an explanation of why the information you are providing addresses the issue.

Before you respond to an RTA Hold, you should look up any FDA guidance documents referenced in the RTA Checklist to make sure that you address each requirement in the applicable FDA guidance document(s).

The most important technique to learn when you are responding to regulators is to organize your response in a tabular format that is numbered in exactly the same order that the request was made. Typically there will also be sub-parts to certain issues. In that case, you should duplicate the numbers and/or letters of each sub-part and segregate each sub-part in a different row of the table. Personally, I like to alternate the color of the font I use in the table to make it even more obvious which information is a restatement of the reviewer’s comment and which information is the company’s response to the RTA Hold.

Regardless of how well your response is organized, you must respond within 180 days. On the 181st day, your submission will be automatically withdrawn. The agency has granted extensions of an additional 180 days during the Covid-19 pandemic, but that will end and you should verify if you can obtain an extension from the reviewer rather than assume that this will happen. If the 180th day is on a weekend or US holiday, the Document Control Center (DCC) at the FDA will not receive your submission until the next business day. Therefore, you will need to ship your submission earlier to ensure the delivery is received on time. Since most companies are shipping their RTA response via FedEx or UPS to the FDA, you also will want to make sure you take into account customs clearance for international shipments and local holidays where you are. If you are shipping from the UK, for example, you can’t expect FedEx to ship on a British holiday. If you need help with printing and shipping your RTA response, Medical Device Academy offers an eCopy print and ship service for $99/eCopy (including the overnight FedEx fee).

If your 510k submission was placed on RTA Hold by the FDA, we can help you respond to the deficiencies identified by the FDA reviewer. We can also review your planned response to identify potential gaps. If you need help please use our calendly app to schedule a call with a member of our team.

About the Author

Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of the job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.

Posted in: 510(k)
