MDR Quality Plan – for EU Regulation 2017/745 Compliance

This article outlines an EU MDR quality plan for compliance with European Regulation 2017/745 for medical devices by the May 26, 2020 transition deadline.

Days until MDR Transition 1024x126 MDR Quality Plan   for EU Regulation 2017/745 Compliance

Biggest MDR quality plan mistakes

Implementing an MDR quality plan is not just about updating your technical file and the procedures specific to CE Marking of medical devices. You need to make sure that you have planned to provide adequate resources for the successful implementation of your plan. Resources fall into four major categories, and all four should be addressed in a formal MDR quality plan that you have reviewed and approved during a management review meeting (i.e., ISO 13485:2016, Clause 5.6.3d). First, you need to provide adequate training. Second, you need to provide adequate equipment–such as UDI printing software and an electronic quality system database. Third, you need to provide adequate personnel. Fourth, you need to revise and update your quality system procedures.

European companies concentrated enormous resources in 2018 to prepare for the implementation of the EU Regulations in 2020. This may seem early, but most of those companies are realizing they should have started in 2017–immediately after Regulation 2017/745 was approved by the European Parliament and Council. In contrast, most companies in the USA were focusing on ISO 13485:2016 certification and MDSAP certification. Unfortunately, many CEOs were told that there is a “soft-transition,” and they have until 2024 to implement the new regulations. While it is true that most CE Certificates issued by notified bodies will be valid until their expiration date, and that date could be as late as May 25, 2024, it is not true that companies have until 2024 implement the new regulations. Quality system requirements in Article 10 of the MDR, and compliance with the MDR for economic operators, must be implemented by May 26, 2020. Any medical devices that are being reclassified will require full implementation by May 26, 2020, as well. Finally, notified bodies cannot renew 100% of the CE Certificates on May 25, 2020, to give manufacturers the full 4-year transition for certificates. Your certificate will expire based upon the certificate renewal cycle that is already established.

Required procedures for your EU MDR quality plan

You might not know that ISO 13485:2016 certification is not required for CE Marking of medical devices. Although ISO 13485 certification is the most popular way for companies to demonstrate quality system compliance with EU regulations, the actual requirement is to comply with the thirteen procedural requirements in Article 10 of EU Regulation 2017/745. Specifically, those thirteen procedures are:

  1. Conformity assessment procedure / significant change procedure – SYS-025
  2. Identification of safety and performance requirements (i.e., Essential Requirements Checklist) – FRM-038
  3. Management responsibilities – SYS-003
  4. Resource management, including suppliers – SYS-004 and SYS-011
  5. Risk management – SYS-010
  6. Clinical evaluation – SYS-041
  7. Product realization, including design, production, and service – SYS-008, SYS-012, and SYS-013
  8. UDI requirements – SYS-039
  9. Post-market surveillance – SYS-019
  10. Communication with competent authorities notified bodies and other economic operators – SYS-049 (new requirement)
  11. Vigilance reporting, including serious incidents and field safety corrective actions – SYS-036 and SYS-020
  12. Corrective and preventive actions – SYS-024
  13. Monitoring and measurement of processes – SYS-017

Note: If you are interested in one of the procedures listed above that does not have a hyperlink, please contact me via email at rob@13485cert.com. The procedures are available, and the links will be provided during the next two weeks. The only exception is SYS-026. That is a new procedure in draft format, and it will be the subject of a future blog. Medical Device Academy will be revising each of the above procedures for compliance with EU Regulation 2017/745 in accordance with the MDR quality plan that we have outlined in this blog article. These procedures are all compliant with ISO 13485:2016, and updates for compliance with the EU MDR will be made available at no additional charge.

The priority of requirements for MDR quality plan

There are seven major changes required for compliance with the European Regulation 2017/745. These priorities are listed in order of highest to lowest effort and cost that will be required to comply, rather than the chronological order. First, some medical devices are being reclassified. Second, new CE certificates must be issued under the new conformity assessment processes. Third, technical documentation must be updated to meet Annex II of Regulation 2017/745. Fourth, post-market surveillance documentation must be updated to comply with Annex III of Regulation 2017/745. Fifth, specific documentation must be uploaded to the Eudamed. Specifically, manufacturers must upload UDI data, labeling, and periodic safety update reports (PSUR). Sixth, all economic operators must be registered with Eudamed and comply with Regulation 2017/745, or new economic operators will need to be selected. Seventh, quality system procedures will need to be updated to comply with Regulation 2017/745.

The implementation timeline for MDR quality plan

If any of your devices are being reclassified, you will need to implement all of the above changes before the May 26, 2020 transition date. For example, reusable medical instruments are currently Class I medical devices, and manufacturers utilize Annex VII of the MDD as the conformity assessment process. Under EU Regulation 2017/745, these reusable instruments will require notified body involvement to issue a CE Certificate. This is a lot of work to complete in 17 months (i.e., 513 days and counting), and notified bodies will have a large backlog of technical files to review for existing customers before they can review documentation for new customers.

If your company already has CE Certificates for your medical devices, and none of your devices are being reclassified, you will need to implement only the sixth and seventh items listed above before the May 26, 2020 deadline. Uploading information to Eudamed is likely to be extended beyond the May 26, 2020 deadline, and the transition may be staggered by risk classification–just as the US FDA did for UDI implementation in the USA. The second, third, and fourth changes listed above will require compliance before your existing CE Certificate(s) expire. The best-case scenario could be four (4) years after the transition deadline.

MDR Quality Plan – for EU Regulation 2017/745 Compliance Read More »

Alternate 510k Pathway – Safety and Performance Based Pathway

Today the FDA released a press release announcing plans to implement an alternate 510k pathway called the “Safety and Performance Based Pathway.”

Alternate 510k Pathway Safety and Performance Based Pathway Alternate 510k Pathway   Safety and Performance Based Pathway

What is the current 510k pathway for clearance of medical devices?

The current version of the 510k pathway is defined in a guidance document on a substantial equivalence that was released on July 28, 2014. The pathway involves six questions that an FDA reviewer must answer before it can be determined whether a new device is equivalent to an existing device that is legally marketed in the USA. These are the six questions:

  1. Is the predicate device legally marketed?
  2. Do the devices have the same intended use?
  3. Do the devices have the same technological characteristics?
  4. Do different technological characteristics raise different questions of safety and effectiveness?
  5. Are the methods of evaluating new/different characteristics acceptable?
  6. Does the data demonstrate substantial equivalence?

Five (5) ways the FDA strengthened the current 510k pathway

Today the FDA released an 8-page presentation summarizing five (5) ways that the FDA strengthened the current 510k pathway during the past several years. The five ways are:

  1. Increased expectations for the content of a 510k submission
  2. Implementation of the refusal to Accept (RTA) policy
  3. Improved consistency and thoroughness of the 510k review process
  4. Elimination of the 510k pathway for Class III devices
  5. Eliminated the use of > 1,000 unsafe devices as legal predicates

You may have been complaining that 510k requirements seem to change constantly. Now you have proof that the changes to the 510k pathway are part of a strategic plan implemented over the past decade. Lawyers may argue that the resulting regulations go well beyond the intent of the original 510k legislation. This is completely true. The cumulative effect of implementing dozens of 510k guidance documents is that the official interpretation of the 510k section of the Food and Drug Act now has little resemblance to the original legal intent.

The original intent of the 510k legislation was to allow competitors to copy an existing device that is legally marketed in the USA. Cumulative changes to a device that existed in 1976, eventually result in a completely new device. The word “equivalent” has been perverted to such an extent that thousands of devices now exist that do not even remotely resemble devices from 1976. The FDA recognized this around 2007, and the US device regulations began to “strengthen.”  

What is the basis for the Alternate 510k Pathway?

The basis for the alternate 510k pathway is the submission of data that is safety and performance-based instead of comparison to an older predicate. In addition, the new pathway will enable you to make comparative claims by demonstrating that the new subject device meets or exceeds the safety and performance criteria. There is also a goal to use the pathway as a potential method of harmonizing the US medical device regulatory process with other global medical device regulations. The new process, combined with improved post-market surveillance, will complement the FDA’s work on NEST by allowing the FDA to rapidly require the implementation of risk controls to address identified safety issues.

What is the expected timeline for the implementation of the Alternate 510k Pathway?

The alternate 510k pathway has been in development for quite some time. Jeff Shuren first announced the plan to create the alternate 510k pathway at AdvaMed’s MedTech conference in San Jose, California, in September 2017. On Monday, December 11, 2017, the FDA announced that draft guidance would be released in Q1 of 2018. On April 12, 2018, the FDA finally released the draft guidance for public comment.

The FDA intends to release final guidance for the new alternate 510k pathway in early 2019. This pathway will initially be limited to “well-understood device types”–probably as a 510k pilot program. You can expect this new pathway to be released in a similar way to the Special 510k expansion pilot and the Quik 510k pilot. That final guidance will be released, and the pilot will begin immediately after the release of the guidance.

Is this new process likely to require significant changes to future 510k submissions?

The phrase “significant changes” is subjective, but if you look at the current 20 required sections of a 510(k) submission, there is only one section that would be required to change for the new alternate 510k pathway. Specifically, section 12 is currently used for a substantial equivalence comparison. This section would not be applicable under the alternate 510k pathway. Under the alternate 510k pathway, you can expect the FDA to require at least a summary of the safety and performance data to be submitted for approval of the subject device.

Another change you can expect is that all devices submitted under the alternate 510k pathway will be required to have a benefit-risk analysis in accordance with the corresponding FDA guidance. This new guidance was released on September 25, 2018, as a draft. However, a benefit-risk analysis is required for De Novo applications, CE Marking applications, and, logically, the FDA will also require this for 510k submissions that do not rely upon equivalence to the predicate device.

More Information on the Medical Device Safety Action Plan

The FDA created a webpage on its site, providing information about the Medical Device Safety Action Plan. The page includes several hyperlinks to documents with more information. Below are a few of the relevant links:

The FDA also indicated that a new guidance for De Novo applications would be released in a couple of weeks. Please subscribe to our blog, and you will receive notification of a blog in response to that guidance when it is released.

Alternate 510k Pathway – Safety and Performance Based Pathway Read More »

Design Plan Template – with Risk Management

This article defines the requirements for design and risk management planning that were used to create our new design plan template.

Design Plan Template Graphic 1024x194 Design Plan Template   with Risk Management

Why combine Design and Risk Management Plans into a Design Plan Template?

There are two primary reasons for combining your risk management plan with your design plan. The first reason is to reduce the number of documents you must maintain and control. The second reason is that there are different requirements for risk management during the design process and after the commercial release of a new product. Therefore, you will need one risk management during the design phase, and a second risk management plan after your product is released. You can achieve this by incorporating your risk management plan with your design plan and your post-market surveillance plan. Therefore, you only need to maintain two documents instead of four.

Six requirements for your design plan?

There are no specific design planning requirements in the European MDR, but the requirements for design planning are specified in ISO 13485:2016, Clause 7.3.2. In the previous version of ISO 13485, the requirement for a design procedure and a design plan were combined into one clause (i.e., Clause 7.3.1). Now, these two requirements have been split into independent clauses. The requirement to manage the interfaces between various groups involved in the design project was removed from the requirements for design planning in the new version of the standard, but three additional requirements were added. The following sub-clauses did not change (although numbering changed):

  • 7.3.2a) document the design and development stages
  • 7.3.2c) document verification, validation and transfer activities required at each stage
  • 7.3.2d) document responsibilities and authorities

The first new requirement in your design plan template

The first new requirement is in Clause 7.3.2b). You are required to document the design reviews required at each stage. This does not mean that a review is required at every stage, but your plan should specify at which stages you will conduct a review. At a minimum, a final design review is required for the commercial release of the device. My recommendation is to have a review at every stage for every project. If your design inputs have not changed from the previous version of the device, then the stage leading up to the approval of design inputs will be very short, and that design review meeting can be 30 minutes or less. If you make changes to your design control procedure in the middle of a project, I recommend that you maintain compliance with the existing procedure until the next design review. The design review gives you an excellent opportunity to document changes to the design procedure, design plan, and any other adjustments to the documentation that may require the completion of a new version of a form.

The second new requirement in your design plan template

The second new requirement is in Clause 7.3.2e). You are required to document methods of traceability between design inputs and outputs–including your risk controls. This is a requirement that most companies do poorly. In theory, you can use a spreadsheet to list all the design inputs, and the adjacent column can list the corresponding design outputs. Many companies use an input / output / verification / validation (IOVV) diagram. You can also add the user’s needs to this diagram. The challenge with the method of documentation is that it is labor-intensive to make updates. You must update the references to inputs every time a standard is updated. The outputs must be updated every time a drawing or specification is changed. Every time you update a verification or validation testing report, the diagram must be updated too.

The third new requirement in your design plan template

The third new requirement is in Clause 7.3.2f). You are required to document the resources needed at each stage–including the necessary competence of personnel. In general, companies experiencing difficulties in documenting competency for personnel, but this requires that you document competency for each person on a design project for each stage. My recommendation is to keep it simple. Tables are usually the simplest way to document this type of information. For example, you can use a three-column table: 1) role, 2) responsibility, 3) competency requirements. In general, I recommend that anyone on your design team has training in design controls and risk management. However, training and competency are not equivalent. To demonstrate competency, you must have prior experience documented in that area.

What is required in a Risk Management Plan?

EN ISO 14971:2019 requires a risk management plan in Clause 4.4. In addition, there are requirements in Regulation (EU) 2017/745. Specifically, in Essential Requirement 3:

  • (a) establish and document a risk management plan for each device;
  • (b) identify and analyze the known and foreseeable hazards associated with each device;
  • (c) estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse;
  • (d) eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4;
  • (e) evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio, and risk acceptability; and
  • (f) based on the evaluation of the impact of the information referred to in point (e), if necessary, amend control measures in line with the requirements of Section 4.

In our previous blog on changes to the risk management process, we identified nine activities that should be included in your risk management plan:

  1. Hazard identification
  2. Risk estimation
  3. Risk evaluation
  4. Risk control option analysis
  5. Risk control verification of effectiveness
  6. Benefit/Risk analysis
  7. Evaluation of overall residual risk
  8. Risk management review
  9. Production and post-production activities

How to purchase our new Design Plan Template

Medical Device Academy’s new design plan template is an associated form sold with the purchase of either of the following procedures: 1) Design Control Procedure (SYS-008), 2) Risk Management Procedure (SYS-010). You can also learn more about design control requirements by registering for our updated design controls training webinar.

Other Blogs About Design Controls

Medical Device Academy wrote the following blogs on the topic of design controls:

Other Webinars About Design Controls

The following webinars are available on the topic of design controls:

Design Plan Template – with Risk Management Read More »

ISO 14971 Risk Management Updates in ISO/DIS 14971:2018

This article describes updates being made to the ISO 14971 Standard in the new draft version released for comment in July 2018.

There are two versions of ISO 14971 that are currently available. The first is the international version: ISO 14971:2007. The second is the European normative version: EN ISO 14971:2012. There is also a new draft being created by the TC210 committee for release in 2019.

Explanation of the different versions of the ISO 14971 standard

In 2000, the first edition of ISO 14971 was released as the international standard for risk management of medical devices. In 2007, the second edition of ISO 14971 was released. When new international standards are released, a European normative version is also released. The “European Norm” or EN version is intended to identify any gaps between the international standard and the requirements of the applicable European directives (i.e., the MDD, AIMD, and the IVDD). These gaps historically were included in the ZA annex at the end of the EN version. However, in 2009 this annex was split into three annexes (i.e., ZA, ZB, and ZC) to address each of the three directives separately. In reality, the 2009 annex only differed concerning the directive referenced. In 2012, a new EN version was released. This new standard included seven deviations, which were controversial. These deviations were intended to identify contradictions between the directives and the international standard, but the interpretations were not agreed with by companies or most of the Notified Bodies. Ultimately, the seven deviations were required to be addressed in the risk management files for any medical device that was CE Marked.

What changed between ISO 14971:2007 and ISO/DIS 14971:2018?

The TC210 working group assigned to update the ISO 14971 standard (JWG1) was tasked with improving guidance for the implementation of ISO 14971. Still, the committee was also tasked with making these improvements without changing the risk management process. Also, the committee was asked to move the informative annexes at the end of ISO 14971 from the standard to the guidance document ISO/TR 24971. Therefore, in July, the committee released a draft for comment and voting. Draft versions are identified with the prefix “ISO/DIS.” The ISO/DIS 14971 standard released in July has only three annexes: A) Rationale for the requirements, B) Risk management process for medical devices, and C) Fundamental risk concepts (formerly Annex E). The other seven annexes were moved to the draft of ISO/TR 24971. The reason stated for moving these Annexes to the guidance document was to make future revisions to the guidance easier to implement because it is a guidance rather than a standard. However, there were also some objectionable recommendations in the informative annexes that were the subject of deviation #3—ALARP from Annex D.8 vs. “As far as possible,” in the first indent of section 2 of Annex I in the MDD.

Although the committee was tasked to make improvements in the implementation of ISO 14971 without changing the process, the new draft has subtle changes in the process. Most of these changes can be identified quickly by reviewing the updated risk management flow chart provided in Figure 1. The updated flow chart now has two places where risks are evaluated. The first place is identical to the original Figure 1, but now the associated section is clarified to be specific to evaluating individual risks. The second place in the flow chart is new and specific to the evaluation of overall residual risks. The draft standard also states that different acceptability criteria and methods of evaluation may be used for each evaluation phase in the process. There have also been subtle changes to the names of process phases:

  • Section 7.4 is now “Benefit/Risk” analysis instead of “Risk/Benefit” analysis—although the draft flow chart does not reflect this.
  • Section 9 is now “Risk Management Review” instead of “Risk Management Report”
  • Section 10 is now “Production and post-production activities” instead of “Production and post-production information”

There is also more detail in the diagram under the phases for 1) risk analysis, 2) risk control, and 3) production and post-production activities.

Three new definitions are introduced in the draft standard: 3.2, benefit; 3.15, reasonably foreseeable misuse; and 3.28, state of the art. The section for identification of hazards, Clause 5.4, was reworded and expanded to consider the reasonably foreseeable sequences or combinations of events that can result in a hazardous situation. The draft standard now states that your risk management plan must also include a method to evaluate the overall residual risk and the criteria for the acceptability of the overall residual risk. In the section for risk estimation, Clause 5.5, the draft standard states that if the probability of the occurrence of harm cannot be estimated, the possible consequences shall be listed for use in the risk evaluation and risk control. The risk control option analysis priorities in section 7.1 are updated to match the new MDR, Regulation (EU) 2017/745, nearly exactly. In section 9, risk management reports were changed to risk management review, and the Clause now requires determining when to conduct subsequent reviews and when to update reports. This emphasizes the requirement to continuously update risk management documentation with input from production and post-production information. This mirrors the emphasis on continually updating post-market clinical follow-up in Regulation (EU) 2017/745, Annex XIV, Part B, Section 5, and continuously updating clinical evaluations in Regulation (EU) 2017/745, Annex XIV, Part A, Section 1.

Will ISO 14971 2019 eliminate the deviations ISO 14971 Risk Management Updates in ISO/DIS 14971:2018

Will ISO 14971:2019 address the 7 Deviations in EN ISO 14971:2012?

The new MDR, Regulation (EU) 2017/745, revised and clarified the wording of the essential requirements in the MDD. The MDR attempts to explain the requirements for risk management files of CE Marked products, but the MDR remains different from the requirements of ISO 14971. Unfortunately, because the ISO/DIS 14971 was not intended to change the risk management process of ISO 14971:2007, there will continue to be “deviations” between the MDR and standard.

Some people have tried to use ISO/TR 24971, the risk management guidance, as the official interpretation of how the risk management standard. However, the guidance is also a product of the TC210 committee, and it does not meet all requirements of the MDD or the MDR.

The new draft does, however, include changes that address some of the deviations in EN ISO 14971:2012. Below, each of the seven variations is listed, and hyperlinks are provided to other articles on each deviation.

  1. Negligible Risks – The word “negligible” was only in one location in the body of the standard as a note referring to Annex D.8. In the draft, Annex D was removed and relocated to ISO/TR 24971, and the note was eliminated from Clause 3.4—now Clause 4.4 in the draft. The draft should fully resolve this deviation.
  2. Risk Acceptability – Clause 7 was renumbered to Clause 8 in the draft. Still, the title of this Clause was also changed from “Evaluation of overall residual risk acceptability” to “Evaluation of overall residual risk.” However, if you read the Clause it still refers to determining the acceptability of risks. In note 2 of Annex ZA of the draft, it states that determining acceptable risk must comply with Essential Requirements 1, 2, 5, 6, 7, 8, 9, 11, and 12 of the Directive. The draft should fully resolve this deviation.
  3. ALARP vs. “As far as possible” – The European Commission believes that the concept of “ALARP” implies economic considerations, and some companies have used economics as a reason for not implementing certain risk controls. ALARP was eliminated from the notes in the risk management plan clause and by moving Annex D.8 to ISO/TR 24971 and adding note 1 in Annex ZA. The draft should fully resolve this deviation.
  4. Benefit/Risk Analysis – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when a benefit/risk analysis must be conducted, has not been updated. The draft does not resolve this deviation. Companies that CE Mark products will need to perform a benefit/risk analysis for all residual risks and all individual risks—despite the wording of the standard.
  5. Risk Control – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when risk controls must be implemented. The International Standard gives companies the option to avoid the implementation of risk controls if the risk is acceptable. At the same time, the MDD requires that risk controls be implemented for all risks unless the risk controls create additional risks that increase risks, or the risk controls do not reduce risks further. The draft does not resolve this deviation. Companies that CE Mark products will need to implement risk controls for all individual risks—despite the wording of the standard.
  6. Risk Control Options – The intent of Clause 6.2 in ISO 14971:2007 was likely to be the same as the MDD. However, the European Commission identified the missing word “construction” as being significant. Therefore, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. The draft should fully resolve this deviation.
  7. IFU Validation – Again, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. However, the examples of information for safety (i.e., warnings, precautions, and contraindications) were not included. Hopefully, the final version of the 3rd edition will consist of these examples. Clause 8, evaluation of overall residual risk, was also reworded to state, “the manufacturer shall decide which residual risks to disclose and what information is necessary to include in the accompanying documentation to disclose those residual risks.” The draft should fully resolve this deviation.

Recommendations for your Risk Management Process?

The most important consideration when establishing a risk management process for medical devices is whether you plan to CE Mark products. If you intend to CE Mark products, then you should write a procedure that is compliant with the current requirements of the MDD and future requirements of Regulation (EU) 2017/745. Therefore, the seven deviations should be addressed. Also, you need to maintain compliance with the current version of the standard.

I recommend creating a process based upon the newly updated process diagram in the latest draft. The process should begin with a risk management plan. For your plan, you may want to create a template and maintain it as a controlled document. It could also be part of your design and development plan template, but the plan should include each of the following risk management activities:

  1. Hazard identification
  2. Risk estimation
  3. Risk evaluation
  4. Risk control option analysis
  5. Risk control verification of effectiveness
  6. Benefit/Risk analysis
  7. Evaluation of overall residual risk
  8. Risk management review
  9. Production and post-production activities

Your procedure should also be integrated with other processes, such as 1) design control, 2) post-marketing surveillance, and 3) clinical evaluation. Your procedure must indicate the priority for the implementation of risk control options. The best strategy for ensuring risk control priorities are compliant is to copy the wording of the new EU Regulations verbatim. Your process should include performing benefit/risk analysis. You should also define your process for risk management review. Your review process should specify when subsequent reviews will be done, and when your risk management report will be updated. Finally, you should identify a post-market surveillance plan for each device or device family, and use that post-market surveillance data as feedback in the risk management process.

The one element that appears to be weakly addressed in the body of the standard is the requirement for traceability of each hazard to the other aspects of the risk management process. Although traceability is mentioned in Clause 3.5 of the 2nd edition, and Clause 4.5 of the draft 3rd edition of ISO 14971, that is the only place is mentioned in the body of the standard. Traceability is mentioned several more times in Annex A, but the focus seems to be on the risk management file. Companies need more guidance on how to achieve this traceability. The appropriate place for this guidance is probably in ISO/TR 24971. Still, in order to maintain this documentation, a software database will likely be critical to maintaining traceability as changes are made during design iterations and after commercialization. This type of software tool is also needed to expedite the review of risk management documentation during a complaint investigation.

Which Risk Analysis Tool should you use?

In Annex G of ISO 14971:2007 and the EN 2012 version, there are five different risk analysis tools described. The word “described” is emphasized because informative annexes are not “recommended.” The committee that created the 2nd edition of ISO 14971 wanted to provide several suggestions for possible risk analysis tools to consider. However, each tool has strengths and weaknesses. Additionally, the widespread use of the failure-mode-and-effects analysis (FMEA) tool in the automotive and aerospace industries has spread to the medical device industry, and companies seem to believe that regulators prefer the FMEA tool. This is not true. Companies should be trained in all of these tools, and training should consist of more than just reading Annex G, and the tools should be used where they are most beneficial. My recommendations are below:

  1. Preliminary Hazard Analysis (PHA) – This process is critical during the development of design inputs. It is also the most underutilized analysis tool. I have not seen a single example of this tool written in a procedure by any medical device company. I believe this process should be continuously updated as part of training new design team members and should be both product and project-specific.
  2. Fault-tree Analysis (FTA) – This process is a top-down approach to risk analysis. It is heavily utilized by transportation engineers when intersections are designed, and accidents are investigated. This tool depicts risk analysis pictorial as a tree of fault modes representing each possible root cause for failure. At each level of the tree, fault mode combinations are described with logical operators (i.e., AND, OR). The information displays the frequency of each fault mode quantitatively. Therefore, when you are investigating a complaint, the tree can be used to help identify possible fault modes that may have been the root cause of device failure. You may also be interested in the standard specific to Fault tree analysis (FTA): IEC 61025:2006.
  3. Failure Mode and Effects Analysis (FMEA) – This process is a bottom-up approach to risk analysis. The automotive and aerospace industries heavily utilize it. This tool systematically lists all failure modes in groups organized by component. Risks are estimated based upon the severity of effect, probability of occurrence, and detectability. Over time, the FMEA process split into three tools: 1) process FMEA (pFMEA), 2) design FMEA (dFMEA), and 3) use FMEA (uFMEA). The first is ideal for analyzing and reducing risks associated with the manufacturing of devices. In particular, the detectability factor can be linked closely with process validation. The second evolved from the realization that the detection of a risk after the device is in the user’s hands does not reduce risk. A risk reduction only occurs if detectability is proactive. Therefore, this was stated in Annex G.4, and companies began to eliminate detectability and continued to use FMEA as their primary tool. Due to the widespread familiarity with the FMEA tool, usability FMEAs became popular for documenting risks associated with the use of a device. Unfortunately, the only real advantages of a dFMEA and uFMEA are familiarity with the tool. You may also be interested in the standard specific to FMEA: IEC 60812:2018.
  4. Hazard and Operability Study (HAZOP) – In addition to the risks of using devices, there are also risks associated with the production of devices. Processes related to coating, cleaning, and sterilization are all processes that typically involve hazardous chemicals. The chemical and pharmaceutical industries use HAZAP as a tool to analyze these process risks and prevent injuries. You may also be interested in the standard specific to HAZOP: IEC 61882:2016.
  5. Hazard Analysis and Critical Control Point (HACCP) – This process is primarily used by the food industry to prevent the spread of contaminated food supplies. Even though medical device manufacturers do not typically use it, it should be considered as a tool for managing the supply chain for devices. This model is useful when manufacturing is outsourced, or secondary processing is conducted at second and third-party suppliers. Since many FDA inspectors started in the food industry as inspectors, this is also a method that is supported by the FDA as a risk control process for outsourced processes.

How to document your risks?

For simple devices, risk management documentation is a burdensome task. For complex devices, a spreadsheet could include hundreds of lines or more than even one thousand individual lines. Also, the requirement for traceability requires additional columns in a table. Therefore, it becomes nearly impossible for you to include all the required information on a page that is 11 inches wide. If you expand your page to 17 inches wide, the size of your font will need to be very small. If you make a change, your spreadsheet can be challenging to update quickly. You could purchase a 43” widescreen TV for your monitor, or you can use dual monitors for your display, but changes remain challenging to implement without a mistake.

You need to stop relying upon spreadsheets. Use a database, and don’t use Microsoft Access. Purchase a database that is designed to document design controls and risk management traceability. If your company has software expertise, develop your software tool to do this. You should also design standardized templates for exporting your reports. By doing this, it will only take minutes to create an updated report when you make design changes. If you describe the risk management activities as notes in your software, the description of these activities can also be automatically converted into summary pages for each report summarizing that risk management activity. You can even prompt the user to answer questions in the software to populate a templated document. For example, you can prompt users to input subsequent updates of your risk management reviews, and that can be automatically converted into a summary paragraph. This reporting capability is especially helpful when responding to FDA review questions asking for cybersecurity risks.

Additional Training Resources for ISO 14971

The risk management training webinar has been completely rewritten for the second time (i.e. the first time was on October 19, 2018). The newest version will be a two-part webinar series. Part one of two will focus on Clauses 1 through 7.1 of the ISO 14971:2019 standard. Part two of two will focus on Clauses 7.2 through 10. We selected Clause 7.2 to begin the second part of this webinar series, because it marks the beginning of the verification of the risk controls your company has implemented (i.e. – Post “Design Freeze”). Part 1 will be hosted live on March 29, 2022 @ 9-10:30 am EDT, and Part 2 will be hosted live on April 5, 2022 @ 9-10:30 am EDT. Both sessions will be recorded if you are unable to participate in the live sessions.

SYS-010, Medical Device Academy’s Risk Management Procedure, is compliant with EN ISO 14971:2019. The procedure includes templates for documentation of design risk management and process risk management. The procedure is also compliant with ISO/TR 24971:2020 and Regulation (EU) 2017/745. Both the two-part risk management training webinar, and the risk management procedure, are included in Medical Device Academy’s turnkey quality system

ISO 14971 Risk Management Updates in ISO/DIS 14971:2018 Read More »

ISO 10993-1-2018 Biocompatibility – What’s new?

The new 5th edition of the biocompatibility standard, ISO 10993-1-2018, was released in August, and this article explains the changes and potential impact.

ISO 10993 1 2018 Retest ISO 10993 1 2018 Biocompatibility   What’s new?

ISO 10993-1-2018 is the 5th edition of the biocompatibility standard for the evaluation of medical devices. The new version, released in August, replaces the 2009 version of the standard. I was unable to find a European version of this standard, but you can expect one to be made available very soon–probably before you read this article. If your company is CE Marking devices, once the European standard is released, you will be required to perform a gap analysis against the new standard and assess whether retesting is required for your products to remain compliant with CE Marking requirements.

The FDA has not yet added ISO 10993-1-2018 to the recognized standards database. Still, the FDA guidance on the use of ISO 10993-1, released in February 2016, already addressed most of the changes contained in the new 5th edition.

Overview of Changes in ISO 10993-1-2018

The 5th edition includes a foreword that explains the changes from the 4th edition. The 5th edition replaces the 4th edition (i.e., ISO 10993-1-2009), and it incorporates the correction that was made in 2010. The most significant changes from the previous version are:

  • Table A.1 in Annex A, Evaluation Tests for Consideration, was expanded with the addition of six new columns:
    • “physical and/or chemical information”
    • “material mediated pyrogenicity”
    • “chronic toxicity”
    • “carcinogenicity”
    • “reproductive/developmental toxicity”
    • “degradation”
  • Instead of tests to be conducted is identified with an “X,” the updated table now identifies endpoints to be considered with “E.” The only column containing an “X” is the column for physical and/or chemical information. This information is identified as a prerequisite for a risk assessment. The new Annex A is now five pages in length.
  • The 3-pages that were Annex B, “Guidance on the risk management process,” has been completely replaced with 13-pages from ISO TR 15499-2016, “Guidance on the conduct of biological evaluation within a risk management process.”
  • Twenty-one (21) new definitions for terms were added to the 5th edition–including “3.9 geometry device configuration,” “3.15 nanomaterial,” “3.16 non-contacting,” “3.17 physical and chemical information,” “3.25 toxicological threshold” and “3.26 transitory contact.”
  • Additional information on the evaluation of non-contacting medical devices and transitory-contacting medical devices was added.
  • Expansion of the standard to include evaluation of nanomaterials and absorbable materials. This consists of the addition of section B.4.3.3 in Annex B for guidance on pH and osmolality compensation for absorbable materials.
  • An additional reference to ISO 18562-1, -2, -3 and -4, for “Biocompatibility evaluation of breathing gas pathways in healthcare applications,” was added as well. However, the four standards in the ISO 18562 series should be purchased if you are conducting a biocompatibility evaluation for a device of this type (e.g., respiratory gas humidifiers).

There are also many minor changes in the 5th edition, but Annex C is almost identical to the previous version. The only change I noticed was the addition of “Preference may be given to GLP over non-GLP data” to clause C.2.3.

Correspondence with FDA Guidance on Use of ISO 10993-1-2018

Table A.1 in Annex A is quite similar to Table A.1 in the FDA guidance, and 100% of the columns match except the column for “physical and/or chemical information.” Although the FDA guidance does not have a column in the table indicating that physical and chemical characterization is required as a prerequisite for the risk assessment, it is very clear from the language in the guidance that information about the physical and chemical characteristics of the device “should be provided in sufficient detail for FDA to make an independent assessment during our review and arrive at the same conclusion.” FDA guidance also requires information about the surface properties of the finished device. The FDA included a section specific to “Submicron or Nanotechnology Components,” which is consistent with the ISO 10993-1-2018, where there references throughout the standard to ISO/TR 10993-22, guidance on nanomaterials. The FDA guidance does not, however, include guidance on pH and osmolality compensation for absorbable materials. The FDA guidance also does not include a reference to the ISO 18562 series of standards, but the FDA product classification database was updated in June to include a reference to the ISO 18562 series of standards when they were added to the database of recognized standards.

Correspondence with the European Directive and EU MDR

The 4th edition of the EN version has Table ZA.1 explaining the correlation between the standard and the European Directive. Specifically, Clauses 4, 5, 6 and 7 of the European Standard correspond to Annex I, Essential Requirements 7.1, 7.2 and 7.5 in the MDD. In the new Regulation (EU) 2017/745, these clauses correspond with Annex I, Essential Requirements 10.1, 10.2, and 10.4. Therefore, you should expect the European version of ISO 10993-1-2018 to include a table similar to Table ZA.1, but you should also anticipate that your evaluation of biological risks will need to be updated and additional testing may be required in order to remain compliant for any devices that are CE Marked.

Changes to the biological evaluation process in ISO 10993-1-2018

As in the previous version of the biocompatibility standard, Figure 1 is a decision tree that follows the biological evaluation process outlined in the standard. At first glance, the updated Figure 1 appears to be essentially unchanged. However, even though the updated figure has the same shape and the same number of elements, there are subtle changes. For example, the potential effects of geometry are emphasized in the ISO 10993-1-2018. The more significant change in the process is at the end. Where it used to say, “Testing and/or justification for omitting suggested tests,” the updated figure now includes a reference to Annex A under those words. Where it used to say, “Perform Biological Evaluation,” the updated figure now says, “Perform Toxicological Risk Assessment (Annex B).”

Annex B is where the most visible changes are found in the ISO 10993-1-2018. For example, in the previous version of the biocompatibility standard, there was a reference to creating a prospective biological evaluation plan as part of the risk management plan. In the 5th edition, clause B.2.2 outlines the Biological Evaluation Plan–which is sometimes referred to by its acronym of “BEP” by third-party testing labs.

In addition, clause B.4 provides guidance for biological evaluation. This guidance is directly copied from ISO/TR 10993-22, but it answers the frequently asked question of “how do you perform a biological evaluation.” The necessary steps of the biological evaluation, which have not changed, are:

  1. Material characterization (B.4.1)
  2. Collection of existing data (B.4.2)
  3. Device testing considerations (B.4.3)
  4. Biological safety assessment (B.4.4)

However, the guidance provides details for each step, as well as general guidance on when changes may require a re-evaluation of biological safety, GLPs, and biocompatibility evaluation documentation. In general, the focus of ISO 10993-1-2018 is now on the evaluation of toxicological data in Annex B, rather than passing a few required tests that were previously identified in Table A.1.

Will ISO 10993-1-2018 Require you to Retest for Biocompatibility?

In general, I do not expect that the changes to ISO 10993-1-2018 will require extensive retesting for your company. However, you can expect a significant amount of rewriting of your biological evaluation report to be required. Now you will need to more fully characterize the physical and chemical characteristics of your device, and you will need to provide a more comprehensive biological safety assessment–including an evaluation of toxicological data for each chemical including in the formulation of your device. It’s possible that you may even identify certain chemicals in the material formulation that prevent you from using a material–even though the material may have passed all biocompatibility tests in the past. I will also need to update one of my articles on biocompatibility and a biocompatibility webinar.

ISO 10993-1-2018 Biocompatibility – What’s new? Read More »

Quik 510k Pilot – Explanation of Quik 510k Pilot

There are 38 product classification codes that the FDA selected for the Quik 510k Pilot program to evaluate version 3 of the eSubmitter software.

510k Quik Pilot Product Codes 1 Quik 510k Pilot   Explanation of Quik 510k Pilot

What are the three (3) advantages of the new Quik 510k pilot program?

There are three (3) advantages of using the eSubmitter software as part of the Quik 510k pilot.  The first advantage of using the eSubmitter software is that the refusal to accept (RTA) process will be eliminated. This change is enormous because nearly 50% of submissions are rejected during the RTA screening process. The hope is that the eSubmitter software will prevent companies from submitting submissions that are missing required content, and therefore the RTA process will not be needed. However, we have seen many submissions placed on hold for technicalities rather than sub-standard submissions. Consequently, it will be fascinating to see the FDA reported outcomes from the Quik 510k pilot.

The second advantage of using the eSubmitter software is that the reviews will be interactive. This means that reviewers are not expected to have any additional information (AI) requests. This also means that submitters will need to respond to questions from reviewers quickly. For example, I have received a call on Friday afternoon after 5:00 pm EDT asking if I could revise to document and email that document to the reviewer by Monday morning. This is an extreme example, but 48-72 hours is typical for a required turn-around during interactive reviews.

The third advantage of using the eSubmitter software is that the FDA is targeting completion of their 510k review within 60 days. This 30-day reduction may seem huge, but the FDA already cut 15 days off its review timeline by eliminating the RTA screening. Second, the FDA picked 38 product classification codes that should not have difficulty reviewing in 60 days. Not all product classifications have the same amount of testing data required, and I do not expect the FDA to be able to review all product classification codes in 60 days–even with eSubmitter.

Although the Quik 510k pilot mentioned that submissions would be zipped, eSubmitter is also designed for electronic submissions through an electronic submissions gateway (ESG). An ESG has the added advantage that you will not need to ship your submission via FedEx. This advantage will gain you only a maximum of 24 hours, but I wish I had those 24 hours last week. Every year, in the last week of September, all the small businesses with small business qualifications try to submit their 510k before the end of the fiscal year (i.e., September 30). This year I had four clients that were in this position. One was unable to get the data they needed to complete their submission before September 30. The other three were making last-minute changes up until the afternoon of Thursday, September 27. One of those submissions was extremely challenging because the submission included video files that exceeded 1GB in total. Therefore, I called CDRH’s eCopy Program Coordinators at 240-402-3717. They were accommodating. They said that it would be best to provide two identical eCopies or to save the MISC FILES and STATISTICAL DATA folders on a separate flash drive. The reason for this is that very large submissions can take days to upload into the CDRH database. Therefore, the picture below shows you what my final solution was for the three submissions this week. The De Novo submission had to be split.

20180927 121031 Quik 510k Pilot   Explanation of Quik 510k Pilot

What our firm has done to take advantage of the Quik 510k pilot

If you have a product with any of the 38 product classification codes listed above, and you need to submit a 510k in the next six months, you are very fortunate. The FDA will prioritize your submission, and you are likely to be able to get your device cleared in 60 days or less. Our firm is very anxious to take part in this pilot because the FDA intends to require the eSubmitter software for all submissions in the future, and we expect other product classification codes to be added to the pilot over time. We process dozens of 510k submissions each year, and mastering the nuances of the software is critical to our continued success. I already downloaded the software and installed it onto my computer. I also created a complete submission as a test. eSubmitter saved several hours in the preparation of a 510(k) from the typical 40 hours the process takes. Therefore, I expect the implementation of new eSubmitter software to a triple win for the FDA, clients, and our firm. I plan to request that the FDA add De Novo submissions next to this pilot. The reason is that De Novo submissions typically have more content, and the content is more variable. I think this would be an extremely challenging test for eSubmitter, and the relatively small volume of De Novo submissions would limit the impact upon FDA resources.

Changes to eCopy Requirements in 2018

In 2017, the FDA indicated that eSubmitter software was going to be revised, and it would be approximately two years before companies would be able to submit a 510k electronically to the FDA. Until then, companies must ship an electronic eCopy and a paper copy to the FDA Document Control Center (DCC). The eCopy guidance states, “An eCopy is accompanied by a paper copy of the signed cover letter and the complete paper submission.” However, the FDA’s eCopy guidance has not been updated since December 3, 2015. There are some unofficial changes to the policy, and the FDA no longer requires the complete paper submission. Instead, you can submit an eCopy accompanied by a paper copy of the signed cover letter.

Before February 2018, we would print 1,000+ pages for each 510k submission, pack two 3” three-ring binders in 12”x12”x6” ULine boxes and ship the box to the FDA overnight via FedEx. We typically would charge $400 for this eCopy service. After the unofficial policy change, all of our 510k submissions consist of a paper copy of the cover letter and an eCopy on a USB flash drive. We only charge $150 for the FDA eCopy service, and 100% of our eCopy submissions have been uploaded without problems this year.

What is the difference between creating an eCopy and submitting it with eSubmitter (cited from FDA website)?

There are four differences between eSubmitter and eCopies:

  1. An eSubmission package contains PDF attachments and XML file types. The XML files are intended for CDRH IT systems to process the application. Reviewers will not see these XML files. 
  2. The parts of the eCopy guidance that describe the structure of a 510(k) submission will not apply to the Quik Review Program Pilot.
  3. An eSubmission is organized according to the layout of the template, which places administrative documents (e.g., Form 3674, the 510(k) Summary, the Truthful and Accurate statement) at the end of the submission because their applicability is determined based on the answers to questions in the body of the template (e.g., Form 3674 is only required if the applicant indicates clinical data are included).
  4. Electronic signatures are used in the submission (e.g., on the Truthful and Accurate statement), rather than physical signatures.

eSubmitter Template Options

For device 510k submissions, the FDA’s eSubmitter gives you three options:

  1. Template Version 1.3, for In Vitro Diagnostic 510k submissions to CDRH only, allows you to create a 510k submission and the eSubmitter software will package your submission in a specially formatted zip folder that you can save to a compact disc (CD), digital video disc (DVD) or flash drive. Then you must print a paper copy of your signed cover letter and ship the eCopy created by eSubmitter with your paper copy of the cover letter to the FDA DCC.
  2. Template Version 1.2.1, for Non-In Vitro Diagnostic 510k submissions that are among the 1,000+ other product classifications not included in the Quik 510k pilot (CDRH: Medical Device eCopies), you can create a 510k submission and the eSubmitter software will package your submission in a folder for you. You can then copy the contents of that folder to a compact disc (CD), digital video disc (DVD), or flash drive. Then you must print a paper copy of your signed cover letter and ship the eCopy created by eSubmitter with your paper copy of the cover letter to the FDA DCC.
  3. Template Version 3.2, for Non-In Vitro Diagnostic 510k submissions that are among the 38 product classification codes that are listed above for the Quik 510k pilot program. This allows you to create a 510k submission, and the eSubmitter software will package your submission in a specially formatted zip folder that you can save to a compact disc (CD), digital video disc (DVD), or flash drive. Then you must print a paper copy of your signed cover letter and ship the eCopy created by eSubmitter with your paper copy of the cover letter to the FDA DCC. This template is unique to the Quik 510k pilot program. There is a red bar that appears at the top of the screen:

“This template should only be used to construct a submission if you are submitting it as part of the Quick Review Pilot. All others may use the content of this template as a reference to aid in constructing an eCopy. If you are not part of the Quick Review Pilot, do not construct a submission with this template, it will be rejected.”

When you create your eCopy, then you will need to create a volume-based or non-volume based submission in accordance with the eCopy guidance. The volume folders and/or files are saved to a compact disc (CD), digital video disc (DVD), or flash drive. Then you must print a paper copy of your signed cover letter and ship the eCopy you created with your paper copy of the cover letter to the FDA DCC.

Warning Symbol Quik 510k Pilot   Explanation of Quik 510k PilotWarning: If you are using Windows 10, and you save your eCopy or eSubmitter zip folder on a flash drive, Windows 10 will automatically create a hidden system folder titled “System Information Volume.”  This folder is created as a security feature to enable you to recover accidentally deleted content. However, this folder results in an error when the FDA attempts to upload your submission automatically. Therefore, you must remove this hidden system folder. Instructions for this can be found on our website page about eCopy hidden system files.

Quik 510k Pilot – Explanation of Quik 510k Pilot Read More »

Purchasing Controls and Supplier Qualification

This article identifies the requirements for purchasing controls and supplier qualification procedures, as well as best practices for implementation.

Suppler qualification 1024x377 Purchasing Controls and Supplier Qualification

Purchasing Controls

Sourcing suppliers in the medical device industry is not as simple as going on the internet and finding your material and purchasing it. As part of a compliant quality management system, purchasing controls must be in place to ensure that quality products and materials are going into your device and that any service providers that your company uses in the production of your product or within your quality management system are qualified.

ISO 13485 Requirements

In light of that, ISO 13485:2016 sections 7.4.1 Purchasing process, 7.4.2 Purchasing information, and section 7.4.3 Verification of purchased product outline the purchasing controls for medical device manufacturers. The following are requirements for the evaluation and selection of suppliers:

  • The organization must have established criteria for the evaluation and selection of suppliers.
  • The criteria need to evaluate the supplier’s ability to provide a product that meets the requirements.
  • It needs to take into consideration the performance of the supplier.
  • It must consider the criticality and the effect that the purchased product may have on the quality of the medical device.
  • The level of supplier assessment and monitoring should be proportionate to the level of risk associated with the medical device.

Maintaining Purchasing Controls

To start, in the most basic sense, purchasing controls involve procedures that ensure you are only purchasing from suppliers who can meet your specifications and requirements. The best way to keep track of your qualified suppliers is to maintain an Approved Supplier List (ASL). You should only purchase products or services that affect your product or quality management system from companies on the ASL (you would not necessarily need to qualify things like office supplies or legal assistance through purchasing controls).

When used effectively, the Approved Supplier List can be a great tool to manage the key facets of purchasing control and keep track of supplier monitoring. Items that you can capture on the ASL include:

  • Supplier Name
  • Scope of Approved Supplies
  • Contact Information
  • Status of Approval (Approved, Pending, Unapproved, etc.)
  • Qualification Criteria
  • Supplier Certification and expiry dates
  • Monitoring Requirements/Activities
    • Date of Last Review
    • Date of Next Review

The first step in your purchasing procedure should involve checking to see if the supplier is under active approved status on the ASL. The second step will be to ensure that you are purchasing an item/service that is within the scope of approval of that supplier. If you have not approved the supplier, or the intended purchase is beyond the scope of that supplier, your purchaser will need to go through the necessary channels to add the supplier to the ASL or modify their scope on the ASL.

Supplier Qualification Criteria

As required by the FDA, the level of supplier assessment should be proportionate to the level of risk associated with the medical device. The FDA is not prescriptive about the use of specific qualifications or assessments for different types of suppliers, so that is up to your company to determine. This is a somewhat grey area but based on years working with companies and suppliers, as well as participating in FDA and ISO 13485 audits, there are some general expectations of vendor qualifications that we have observed and would recommend.

It is good practice to have a form or template that guides your supplier evaluation process. Using input from engineering and QA to first determine the level of risk and the requirements of that supplier, and then base your qualification plan on that information. If you have a higher risk supplier who may be supplying a critical component to your device, or providing a critical service such as sterilization, then your qualification process will be much more involved.

Here is an example of two different levels of criteria based on the type of supplier (the intent is not for the following items to be rules, and your company is responsible for determining the adequate acceptance criteria for suppliers, but this is a general example of what you may expect).

  • Critical Custom Component Supplier
    • ISO 13485 Certification
    • On-site audit of supplier’s facility
    • References
    • Provides Certificates of Analysis (CoA)
    • A written agreement that the supplier will communicate with the company regarding any changes that could affect their ability to meet requirements and specifications.
    • You validate a production sample, and it meets requirements
  • Non-Critical Consumable Supplier
    • Product available that meets the needs of the company.
    • An associate has previously used by an associate who recommends the supplier.
    • Adequate customer service returns allowed.

Additional Function of Supplier Evaluation Forms

The supplier evaluation form can also be used as the plan to assign responsibility and track completion and results during the initial evaluation. It can also include the plan for ongoing monitoring and control of the supplier. This evaluation form should be maintained as a quality record, and auditors will frequently ask to see supplier evaluations.

Are Supplier Audits Required as Purchasing Controls?

Also valuable, supplier audits may be included as part of an evaluation plan for a new supplier, the change of scope of a supplier, a routine audit as part of ongoing monitoring, or as part of a nonconformity investigation of a high-risk product. While it is not required by ISO 13485, nor does the FDA does specify in the CFR that you must audit suppliers, it is a very good idea to audit your critical suppliers. If an auditor or FDA inspector sees evidence that your current purchasing controls are inadequate, performing supplier audits may be forced as a corrective action.

Beyond that, you can gain so much value, and gather countless clues and important information in an audit that you just cannot get without visiting your critical supplier. You can see where they plan to/are making/cleaning/sterilizing/storing your product. Talk to the people on the line, are they competent and trained? Does the company maintain their facility well? How secure is it? Do they maintain adequate records and traceability? Have there been any nonconformities relating to your product that have been detected? Etc.

Supplier audits should also include evaluation of the procedures, activities, and records of the supplier that could have an impact on the product or service they are providing your company. If it is not the first audit of the company, you should be sure to review the previous audit report findings and ensure the company has addressed any nonconformities, review supplier performance data, information about any changes that may have occurred at the supplier since your last visit, etc.

Record Maintenance and Ongoing Evaluation of Suppliers

No matter the method of supplier qualification, it is best practice to maintain supplier files that contain useful information relative to the supplier that may include:

  • The original supplier qualification form
  • Supplier certificates
  • References
  • Audit reports
  • Subsequent performance evaluations
  • Expanded scope qualifications
  • Supplier communications
  • Current contact information
  • Copies of any non-conforming material reports related to the supplier, etc.

ISO 13485 requires monitoring and re-evaluation of suppliers, and maintaining detailed supplier files will assist in meeting this requirement, and will help in the feedback system to identify and recurring problems or issues with a supplier. On a planned basis, whether that is annually, or every order (dependent on the criticality of the product), your company should conduct a formal supplier evaluation to determine whether the supplier has continued to meet requirements – In general, annual supplier reviews are standard. Additionally, you must specify this frequency in your procedure (auditors will look for what period you specify in your procedure, and then will check your ASL to make sure all of your suppliers have been reviewed within that timeframe).

During the supplier evaluation, if you find there have been issues, you need to determine and weigh the risks associated with staying with that supplier, and document that in the supplier file. If you determine the supplier should no longer be qualified, then you must also indicate on the ASL that the company no longer approves of the supplier.

Making the Purchase

When you have verified your supplier is approved on the ASL, you are authorized to purchase a product. Engineering is usually responsible for identifying the product specifications, requirements for product acceptance, and adequacy of specified purchasing requirements before communication to the supplier. The specifications may be in the form of drawings or written specifications. Additional information communicated to the supplier should also include, as applicable, an agreement between your company and the supplier that the supplier will notify you before the implementation of changes relating to the product that could affect its ability to meet specified purchasing requirements. When the first batch of product is received from a particular supplier, it is a good idea to verify that the product performs as intended before entering into production with new material or components.

Supplier Nonconformity

From time to time, you may encounter issues with a supplier. Sources of nonconformity include incoming inspections, production nonconformities, final inspection, or customer complaints. You must notify your supplier of the nonconformity and record their response and assessment. Depending on the level of criticality of the vendor, it is reasonable to require them to perform a root cause analysis to determine and alleviate the cause of failure. You should also request documentation of an effectiveness check to ensure the supplier has taken corrective actions. You should maintain copies of supplier nonconformity reports in the supplier file, and discuss nonconformities during ongoing supplier evaluations.

If the supplier does not cooperate or fails to address the nonconformity in an acceptable manner, or if there is a pattern of nonconformities with the vendor, then you should disqualify the supplier, and indicate that the supplier is “not approved” on the ASL.

Purchasing Controls Procedures You Might Need

Medical Device Academy developed a Supplier Qualification Procedure, Purchasing Procedure, and associated forms that will meet purchasing controls regulatory requirements for ISO 13485:2016 and 21 CFR 820.50. These procedures will help you ensure that goods and services purchased by your company meet your requirements and specifications. If you have any questions or would like help in developing a custom procedure or work instructions that meet your company’s unique needs, please feel free to email me or schedule a call to discuss.

Purchasing Controls and Supplier Qualification Read More »

Biocompatibility testing questions answered in pre-submission requests

This article is a copy of my responses to someone that submitted biocompatibility testing questions in preparation for a 510k pre-submission webinar.

510k pre submission webinar February 22 for LinkedIn.jpg 1024x459 Biocompatibility testing questions answered in pre submission requests

Can you please answer the following questions related to biocompatibility for a 510k pre-submission meeting request?

This was the request by a person that registered for a 510k pre-submission webinar that was recorded in February 2018. The person asked some great questions that are very similar to other clients I work with. They also requested the biocompatibility testing questions in a way that did not divulge any confidential information–other than to indicate they live in Germany. Therefore, I am sharing my email response with you. Please register for this webinar and submit your questions. Questions are entered in an open text box, and you have room to ask multiple questions.

Biocompatibility testing question #1: Does the FDA now already ask for the AET (Analytical evaluation threshold) for chemical analyses?

This is exactly the type of biocompatibility testing questions you should be asking in a 510k pre-submission meeting. If you ask, “What biocompatibility testing is required for a 510k?” You will only receive a reference to the FDA guidance for biocompatibility. A better approach is to ask a biocompatibility testing lab to provide a Biological Evaluation Plan (BEP). Then you can submit your plan as part of the 510k pre-submission meeting request and include this question regarding the section of the BEP where you explain how you intend to perform chemical characterization of your device and how you intend to determine whether the materials represent risks related to sub-acute toxicity and sub-chronic toxicity endpoints.

Biocompatibility testing question #2: How can I avoid time-consuming genotoxicity studies for FDA?

Typically if you perform the “Big 3” (i.e., cytotoxicity, irritation, and sensitization), and then you perform chemical characterization, you are often able to prepare a Biological Evaluation Report to explain why there are no identified compounds in the chemical characterization that would warrant performing the genotoxicity studies. This is also often true for acute toxicity testing and sub-chronic toxicity testing. This often saves > $10K. To verify the FDA will accept this approach, you will typically provide a biological evaluation plan (BEP) as part of your pre-submission request. Your biocompatibility testing questions should specifically reference your BEP.

Question #3: And how can I face FDA with a cytotoxic wound dressing but which passed irritation, sensitization, genotox, and pyrogenicity tests?

I had a product that contained aluminum. Aluminum is cytotoxic to the cell line that is used in the cytotoxicity testing. However, aluminum does not have a high level of toxicity for the route of administration for that product. You should identify the reason why your product is cytotoxic and then explain why the device is no toxic for the intended use and duration of contact. This would normally be part of that BEP mentioned above.

Biocompatibility testing question #4: Which genotoxicity tests are state of the art for the FDA?

There are three ways to determine that. One is to look in the recognized standards database on the FDA website. The second is to review the FDA guidance on biocompatibility and application of ISO 10993-1. Finally, you can ask the FDA about the suitability of another test you want to perform during a pre-sub. If they prefer a different test, they will say so in an email response, and they are available for discussion by conference call during the pre-sub meeting to clarify their response.
I did not answer this question outright, because biocompatibility requirements change over time. This is also true for other verification testing standards. In fact, for one 510k project, I had seven different standards change just before submission. During a pre-submission meeting, the FDA should make you aware of coming changes to these tests. Also, better biocompatibility testing labs are aware of the changes before they are implemented. This is because the lab managers participate in the committees that revise and update international standards.

Will the meeting be recorded since I live in Germany?

Yes, all of my webinars are recorded. You will receive an email with a link for downloading the recording within 24 hours of completing the original live webinar or at the time of purchase if you are purchasing one of our previously recorded webinars. You can also schedule calls with me as a follow-up using the following link: http://calendly.com/13485cert/30min.

Biocompatibility testing questions answered in pre-submission requests Read More »

Risk Management Requirements – 510k vs DHF

What are the differences between 510k risk management requirements and risk management requirements for your Design History File (DHF)?

Risk management requirements integration with design

Last week I presented a free webinar on how to combine risk management with design controls when planning to submit a 510k. Many questions were asking what the design control and risk management requirements are for a 510k.

What are the 510k design control requirements?

There is no specific part of the regulations stating what the 510k design control requirements are. However, some aspects of the DHF are required as 510k design control documentation, but not necessarily in the exact form as maintained in the DHF. For example, Design Inputs and Design Outputs are presented as applicable recognized standards and design specifications, while others will remain precisely the same (i.e., verification and validation test reports).

What are the Risk Management Requirements in a 510k?

For 510k submissions, the only risk management requirements are the inclusion of risk documentation for devices containing software of at least moderate level risk. There are some exceptions to this as well, though, based on a few special control guidance documents—especially when the submission type is an abbreviated 510k. This is article identifies which of the DHF and RMF elements are 510k design control requirements and 510k risk management requirements.

Quality system requirements for design controls

Design Controls are identified in 21 CFR 820.30. Every manufacturer of any Class II or Class III devices and certain Class I devices (Class I devices with software, tracheobronchial suction catheters, surgeon gloves, protective restraints, radionuclide applicators, radionuclide teletherapy devices) need to control design per this regulation. The requirement for a Design History File is item j) and states:

“Each manufacturer shall establish and maintain a DHF for each type of device. The DHF shall contain or reference the records necessary to demonstrate that the design was developed following the approved design plan and the requirements of this part.”

The “requirements of this part” refer to the other bullets in 21 CFR 820.30 which can be summarized as:

a) Establish and maintain procedures to control the design of a device.

b) Design and Development Planning – Each manufacturer shall establish a plan that describes the design and development activities and defines responsibilities for implementation.

c) Design Inputs – Manufacturers need to ensure design requirements relating to a device are appropriate and address the intended use of the device.

d) Design Outputs – Design outputs need to be documented in terms that allow an adequate evaluation of conformance to design input requirements. Design outputs that are essential for the proper functioning of the device should be identified.

e) Design Review – Formal documented reviews of design results should be planned and conducted at appropriate stages of device development.

f) Design Verification – Design verification confirms that the design output meets the design input requirements.

g) Design Validation – Design validation shall be performed under defined operating conditions on initial production units or their equivalents. It shall ensure that devices conform to defined user needs and meet the intended use of the device.

h) Design Transfer – Design transfer documentation shall ensure that the device design is correctly translated into production specifications.

i) Design Changes – changes should be identified, documented, validated/verified, reviewed, and approved before their implementation.

The Design History File is intended to be a repository of the records required to demonstrate compliance with your design plan and design control procedures. While companies are required to create and maintain this documentation according to the FDA regulation, not all of the documentation will be reviewed as part of the 510k. The following table compares the elements that comprise a DHF with the 510k design control requirements.

DHF Element 510k Design Control Requirements
Design Plan Not Required
User Needs & Design Inputs

Declaration of Conformity

User needs are design requirements that require design validation (e.g., adequacy of user training, and safety/performance of the device for the indications for use). Some design inputs will appear in the form of standards in the FDA eSTAR template. If you are declaring conformity with these standards, a Declaration of Conformity is automatically created in the FDA eSTAR template.

Design Outputs

Device Description (Section 11)

The Device Description lists the specifications of the device, and your Design Outputs document will help populate the Device Description. This can include drawings, pictures, or written specifications that describe your device.

Labeling

Proposed Labeling (Section 13)

The labeling is usually considered part of the Design Outputs within the DHF and is included specifically in the labeling section of the 510(k) submission. This includes both the Instructions for Use and any Package Labeling.

Verification and Validation Protocols

Not Required

You do not have to include the protocols, but the reviewer may ask to see them if they have any questions when reviewing the reports.

Verification and Validation Reports

Sterilization (Section 14)

Biocompatibility (Section 15)

Software (Section 16)

Electrical Safety and EMC (Section 17)

Bench Performance Testing (Section 18)

Animal Performance Testing (Section 19)

Clinical Performance Testing (Section 20)

Of course, not all of these sections will be applicable to every device. Still, you should include all relevant validation test reports within your submission in the appropriate part of the 510k. Typically, each of these sections will have a cover sheet that outlines the reports that are included within the section, and then you can just include the report from the DHF in its entirety behind the cover sheet in that section.

Process Validation Only required for sterilization validation typically, but there are exceptions for novel materials and coatings
Work Instructions Not Required for 510k
Design Review Meeting Minutes Not Required for 510k
Design Trace Matrix Only required for software
Risk Management File Sometimes – See Risk Management File Table Below
Post-Market Surveillance Plan Not Required, but a few exceptions for high-risk devices
Clinical Data Summary Required only if used to demonstrate safety and efficacy
Regulatory Approval It Will result from 510k Clearance, so nothing is to be included in the 510k submission.

510k Risk Management Requirements

Regarding the FDA regulations for risk management, there is a requirement under the Design Validation section of 21 CFR 820.30 that states:

“Design validation shall include software validation and risk analysis, where appropriate.”

For FDA compliance and CE Marking, both recognize ISO 14971 as the standard for risk management. FDA recognizes ISO 14971:2007 whereas EN ISO 14971:2012 is the European National version for CE Marking. Rob Packard wrote an article describing the contents of the risk management file as well as the specific differences in the requirements between the FDA and CE Marking with regard to ISO 14971.

For your 510k submission, the FDA only requires risk management documentation to be included if the product contains software, and the risk is at least a level of “moderate concern”. There are some other cases when risk management is required by special controls guidance documents, but even when it is required, you only have to submit your risk analysis. The table below describes the risk management requirements in greater detail.

RMF Element 510k Risk Management Requirement
Risk Management Plan Not Required
Hazard Identification

510ks with Software Only (Section 16)

Hazard Identification is only required for devices that have a software component. It is not required for most other devices.

Risk Assessment

510(k)s with Software (Section 16)

Certain Special Controls Guidance

The Risk Assessment is only required to be included in your device contains software, or if a special controls guidance document specifically requires a risk assessment. It is not required for other 510ks.

Risk Control Option Analysis Software and Certain Special Controls Guidance
Risk Control Verification and Validation

Sterilization (Section 14)

Biocompatibility (Section 15)

Software (Section 16)

Electrical Safety and EMC (Section 17)

Bench Performance Testing (Section 18)

Animal Performance Testing (Section 19)

Clinical Performance Testing (Section 20)

This will not be any additional or special documentation specific to Risk Management and was already included in the DHF breakdown above. Still, the verification and validation also relate to risk management in ensuring that the risks have been adequately mitigated.

Risk-Benefit Analysis

Not Required for 510(k)

Risk-Benefit analyses are only required for De Novo applications, Humanitarian Device Exemptions, and PMAs.

Informing Users and Patients of the Risks

Labeling (Section 13)

Part of the risk management will appear in the Labeling section of the 510k as warnings, contraindications, and precautions within the Instructions for Use and Package Labeling.

Risk Management Report Not Required

Special Controls Guidance Documents with Risk Management Requirements

Your first step in preparing your 510k submission is to search the FDA Guidance Document Database to determine if there is an applicable guidance document for your device. You can read another blog we wrote to explain Special Controls Guidance documents, and how to determine if one applies to your device. The following list provides examples of Class II Special Controls Guidance documents that require risk analysis to be included within the 510k:

When there are 510k risk management requirements, the special controls guidance document will typically state, “We recommend that the summary report contain:

An identification of the Risk Analysis method(s) used to assess the risk profile in general as well as the specific device’s design and the results of this analysis. (Refer to Section 6 for the risks to health generally associated with the use of this device that the FDA has identified.)

Discussion of the device characteristics that address the risks identified in this class II special controls guidance document, as well as any additional risks identified in your risk analysis.”

The special controls guidance will also identify risks to health that have been identified for products of that type, which you should be sure to include in your risk analysis as appropriate.

More Information on Design Control and Risk Management Requirements

Hopefully, you are now able to determine which elements of your DHF are 510k design control requirements and which elements of your RMF are 510k risk management requirements. If you would like more information about how to implement design controls and risk management within your product development process, please consider registering for one of our training webinars:

If you need any further information or specific assistance with your 510k submission, please feel free to send me an email at mary@fdaecopy.com or schedule a call with our principal consultant, Rob Packard. He can answer any of your medical device regulatory questions.


Click here to schedule a 15 minute call 300x62 Risk Management Requirements   510k vs DHF

Risk Management Requirements – 510k vs DHF Read More »

Cybersecurity FDA Guidance for Devices with Software and Firmware

This article reviews the 2014 FDA guidance for premarket and post-market cybersecurity of medical devices with software and firmware—including requirements for reporting field corrections and removals.

Cybersecurity with custom aspect ratio Cybersecurity FDA Guidance for Devices with Software and Firmware

Hospitals, home health systems, and medical devices are more connected now than ever. The automatic communication between medical devices and network systems is improving efficiency and accuracy in the world of healthcare. Medical devices are capable of more computing, analysis, reporting, and automation to improve the speed and quality of patient care. There are even devices that consist only of software (i.e. software as a medical device or SaMD). Along with technological advances, new risks and concerns are also introduced. The risk of hackers exploiting vulnerabilities in networks and software is inevitable. The FDA introduced guidance for both pre-market and post-market cybersecurity to assist manufacturers in developing effective controls to protect patients and users. Cybersecurity protection requires Identification, Protection, Detection, Response, and Recovery.

The first step is incorporating processes and procedures to improve device cybersecurity into your quality management system. You should have a specific cybersecurity plan (i.e. security risk management plan) to outline the steps necessary to ensure a safe and secure medical device. In addition, your software development team will need cybersecurity training. The only medical device guidance document specific to cybersecurity is currently AAMI TIR57:2016.

Identify Cybersecurity Risks

The key to understanding and assessing the cybersecurity risks involved with your device begin in the early stages of design development. At the start of the risk management process, you need to identify the essential safety and performance requirements of the device. You need to identify any potential cybersecurity vulnerabilities that could impact safety or performance, as well as the specific harms that could result if the vulnerability was exploited. In assessing the specific vulnerabilities, the FDA recommends using the Common Vulnerability Scoring System (CVSS). There is a CVSS calculator available online through NIST. The overall score is calculated based on different factors such as attack vector (local, adjacent network, network), access complexity (high, medium, low), authentication (multiple, single, none), the impact of confidentiality (none, partial, complete), exploitability (unproven that exploit exists, proof of concept code, functional exploit exists), remediation level (official fix, temporary fix, workaround, unavailable), collateral damage potential (low, medium, high), etc. This score is used in the hazard analysis in determining the level of risk.

Cybersecurity Protection

The process of assessing the exploitability and harms can also assist in determining mitigations that can be implemented to reduce the cybersecurity risk. During the design process, the FDA expects you to implement as many protections as practicable. Protections include:

  • Limit Access to Trusted Users
    • Password protection strengthened password requirements
    • User authentication
    • Layered privileges based on user role
  • Limit Access to Tampering
    • Physical locks on devices and/or communication ports
    • Automatic timed methods to terminate sessions
  • Ensure Trusted Content
    • Restrict software or firmware updates to authenticated code
    • Systematic procedures for authorized users to download software and firmware only from the manufacturer
    • Ensure capability of secure data transfer, use of encryption

Cybersecurity Detection

The FDA also requires you to implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during regular use. You should develop and provide information to the end-user concerning appropriate actions to take upon the detection of a cybersecurity event. Methods for retention and recovery should be provided to allow recovery of device configuration by an authenticated privileged user.

If you include off-the-shelf (OTS) software in your device, you are responsible for the performance of the software as part of the device. All software changes to address cybersecurity vulnerabilities of the OTS software need to be validated. You need to maintain a formal business relationship with the OTS vendor to ensure timely notification of any information concerning quality problems or corrective actions. Sometimes you will need to involve the OTS vendor to correct cybersecurity vulnerabilities.

Post-Market Surveillance

Once you complete the hazard analysis, mitigation implementation, validations, and has deployed their device for use – your activities shift to post-market management. Several QMS tools can assist in the cybersecurity processes post-market, including complaint handling, quality audits, corrective and preventive action, ongoing risk analysis, and servicing. A critical component of every cybersecurity program is the monitoring of cybersecurity information sources to assist in the identification and detection of risk. You should maintain contact with third-party software suppliers for the identification of new vulnerabilities, updates, and patches that come available.

There are many sources that companies should follow for information relating to cybersecurity, including independent security researchers, in-house testing, software or hardware suppliers, healthcare facilities, and Information Sharing and Analysis Organizations (ISAO). Involvement in ISAOs is strongly recommended by the FDA and reduces your reporting burden if an upgrade or patch is required post-market. ISAOs share vulnerabilities and threats that impact medical devices with their members. They share and disseminate cybersecurity information and intelligence pertaining to vulnerabilities and threats spanning many technology sectors, and are seen as an integral part of your post-market cybersecurity surveillance program.

Response and Recovery

If you identify a cybersecurity vulnerability, there are remediation and reporting steps that need to occur. Remediation may involve a software update, bug fixes, patches, “defense-in-depth” strategies to remove malware, or covering an access port to reduce the vulnerability. Uncontrolled risks should be remediated as soon as possible and must be reported to the FDA according to 21 CFR 806. Certain circumstances remove the reporting requirement. The decision flowchart below can be used to determine the reporting requirements.

Cybersecurity software change decision tree Cybersecurity FDA Guidance for Devices with Software and Firmware

In addition to reporting corrections and removals, the FDA identifies specific content to be included in PMA periodic reports regarding vulnerabilities and risks. If you have a Class III device, you should review that section thoroughly to ensure annual report compliance.

If a device contains software or firmware, cybersecurity will be an important component of the risk management processes, and continual cybersecurity management will be necessary to ensure the ongoing safety and effectiveness of your device. If you need more help with cybersecurity risk management of your medical device, please schedule a free 30-minute call with Medical Device Academy by clicking on the link below.

Click here to schedule a 15 minute call 300x62 Cybersecurity FDA Guidance for Devices with Software and Firmware

Cybersecurity FDA Guidance for Devices with Software and Firmware Read More »

Scroll to Top