11 Steps to Obtaining CMDCAS Certification: Part I

“11 Steps to Obtaining CMDCAS Certification-Part I” focuses on the process of verifying the classification, selecting a registrar, and more.

Step 1: Verify Classification

There are four device risk classifications in Canada: I, II, III, and IV. If your device is Class I, then you can work with a distributor in Canada that has an establishment license. However, if your device is Class II, III, or IV, then ISO 13485 certification with CMDCAS is required as a prerequisite for a Canadian Medical Device License Application. Therefore, before you waste time and money on upgrading your ISO 13485 certification to include CMDCAS, you should ensure that your device is Class II-IV.

Each country has slightly different regulations. Often the risk classification is different between the two countries. However, in the following example, the classification is identical. If a device is an active, therapeutic device, then the device is typically classified as Class 2, as per Rule 9 of the CMDR. The rule and the rationale are identical to the EU classification of Class IIa, per rule 9 in Annex IX of the MDD. A manufacturer can confirm this classification by sending an email to the Device Licensing Division, asking them to confirm the classification rationale. Including a copy of the draft IFU is recommended, so that Health Canada is aware of the intended use when they are verifying your classification rationale. Verification is typically completed within ten days, and there is no charge. If you need help determining the classification, please contact Rob Packard.

Step 2: Health Canada recognizes a verified Registrar

The process for becoming a CMDCAS auditor is one of the most challenging examinations that I have ever taken (http://bit.ly/Instructor-Effectiveness). However, the process of becoming a recognized registrar for CMDCAS is even more challenging. Health Canada acknowledges only 15 registrars. Therefore, ensure that your registrar is on the list first (http://bit.ly/RecognizedRegistrars).

If you are selecting a critical subcontractor (i.e., “subcontractors in charge of processes which are essential for ensuring compliance with legal requirements”), you should verify that the company has a registrar that is recognized by Health Canada, as well. If not, this may result in the need for additional scrutiny of the critical subcontractor by the registrar–including the potential for an audit. If you need help selecting a registrar from the 15 recognized registrars, you should read our blog on this topic: http://bit.ly/SelectingRegistrar.

If your registrar is not one of these 15, then you will either need a second registrar, or you will need to transfer to a new registrar. The transfer process is a little different for each registrar, but generally, the new registrar must review previous audit reports, your certificate, and any corrective actions that are associated with the previous regulatory audit. This is typically completed in a one-day audit that may be conducted on-site or remotely. The next step is to obtain a quote.

Step 3: Obtaining a Quote for CMDCAS Certification

Every registrar I know has a long application form that needs to be completed before they can provide a quote for CMDCAS certification. You will need company information about the various locations for each site covered by the quality system certificate–including the number of people, shifts, and types of activities conducted at each location. If you already have ISO 13485 certification, the quotation will be for an extension to the scope of the original quality system certification. An extension to scope audit is typically one day in duration. Upon successful completion of the audit, your company is recommended for CMDCAS certification, and the existing ISO 13485 certificate is replaced with a CMDCAS Certificate. For some companies, the scope of activities requires that you maintain your original certificate and the new CMDCAS certificate.

Once you obtain your quote(s) for upgrading to CMDCAS, then you must schedule your audit. Typically, auditors are booked at least 90 days in advance. Since the process of making upgrades to your quality system takes no more than 90 days, I don’t recommend waiting to make changes. Just go ahead and schedule the audit, and now you have a real deadline for everyone to work toward.

Part 2 of this article will explain the changes you need to make to the quality system to prepare for your CMDCAS audit.


How to reconcile the conflict between ISO 13485 and ISO 9001

This blog explains how to reconcile the conflict between ISO 13485 and ISO 9001, and discusses whether you should maintain dual certification.


What is the conflict between ISO 13485 and ISO 9001?

The previous version of ISO 13485 was released in 2003. That standard was written following the same format and structure as the overall quality system standard at the time (i.e., ISO 9001:2000). In 2008, there was an update to the ISO 9001 standard, but the changes were minor, only clarified a few points, and the periodic review of ISO 13485 in 2008 determined there was not a need to update 13485 at that time. Unfortunately, the proposed structure of the ISO 9001 standard was radically different, and this forces companies with dual certification to reconcile the conflict between ISO 13485 and ISO 9001.

On December 1-5, 2014, the working group for the revision of ISO 13485 (i.e., TC 210 WG1) met at AAMI’s Standards week to review the comments and prepare a first Draft International Standard (DIS). We should have some updates on the progress of the DIS later in December, but hopefully, the news will not be delayed in publication until 2016. The following is a summary of the status before that last meeting.

Updated ISO 13485 and ISO 9001 Standards Being Released

In 2015, there will be a new international version of ISO 9001 released. This new version will have dramatic changes to the standard–including the addition of a new section on risk management and the adoption of the new High-Level Structure (HLS) changing from 9 sections to 11. The ISO 13485 standard is also anticipated to have a new international version released in 2015, but the ISO 13485 standard will maintain the current HLS with nine sections. The timing of the ISO 9001:2015 release and the ISO 13485:2015 release will likely be around the same time (Correction: the ISO 13485:2016 standard was released in February 2016). Both standards are expected to have a three-year transition period for implementation. The combination of the three-year transition and lessened requirements in the new version of ISO 9001 for a structured quality manual should allow most manufacturers to wait until the ISO 13485 release before they begin drafting a quality plan for compliance with the new standards. Some of my clients have already indicated that they may drop their ISO 9001 certification when it expires, instead of changing their quality system to comply with the ISO 9001:2015 requirements. However, my clients will not have the ability to allow their ISO 13485 certification to lapse. Will Health Canada be updating GD210 and continue to require ISO 13485 certification for medical device licensing? What should companies do?

Update on the reconciliation of ISO 13485:2016 and ISO 9001:2015 on May 29, 2020:

  • GD210 was never updated, and instead, it was replaced by MDSAP
  • ISO 13485:2016 certification, under the MDSAP program, is required for Canadian Medical Device Licensing
  • Many device companies have dropped the ISO 9001 certification.

Recommendations

From the experience of preparing for the ISO 13485:2016 and ISO 9001:2015 releases, I learned that obtaining draft versions of the standards before publication is invaluable. I was able to use the drafts to help prepare quality plans for the transition. Second, companies need to train their management teams and auditors on the differences between the current and the new standards to enable a gap analysis to be completed. Any manager that is responsible for a procedure required by the current version of a standard should receive training specific to the changes to understand how they will meet the requirements for documented information. Most companies will need to improve their risk management competency (which was updated again in December 2019). I recommend that companies begin drafting their quality plans and enter discussions with their certification body for quality system changes as early as possible. I also recommend that medical device companies maintain a quality manual structure that follows the ISO 13485:2016 standard rather than the ISO 9001:2015 standard. Following ISO 13485:2016 will help everyone locate information faster.

There is also specific text in the introduction of ISO 9001:2015 that states it is not the intent of the standard to imply the need to align your quality management system to the clause structure of the standard. Companies that maintain ISO 9001 certification should consider including cross-references between the two standards in their quality manual.

Historical Note

There are also European National (EN) versions of each standard (e.g., EN ISO 13485:2012). The EN versions are harmonized with the EU directives, but the content of the body or normative sections of the standards are identical. Historically, the differences were explained in Annex ZA, which was the last Annex in the EN version of the standard. In 2009 the harmonization annex for ISO 14971 (i.e., the medical device risk management standard) was split into three parts to match up with the three directives for medical devices (i.e., the MDD, AIMD, and IVDD). The new annexes (i.e., ZA, ZB, and ZC) were moved to the front of the EN version of the standard. The changes to ISO 14971 consisted of a correction and the change to Annex ZA. In 2012, there were new harmonization annexes created for ISO 13485 to follow the same format that was used for the EN ISO 14971 annexes. It is expected that these “zed” annexes will be released with a new EN version of the standard shortly after the international standard is published.


Medical Device Validation Document Resources

This blog provides a list of medical device validation resources and explains how to create your resource list.


The first step to understanding how to conduct successful validations is always to read and re-read the requirements of the documents below:

  • 21 CFR 820.30(g)
  • 21 CFR 820.75
  • ISO 13485, Clause 7.3
  • ISO 13485, Clause 7.5.2

Unfortunately, we sometimes need to consult a reference guide that explains aspects of the requirements.

Max Sherman (http://bit.ly/MaxSherman) is finishing a new handbook on design and process validation that will be published through RAPS. The following is a list of resources for the process and design validation that I am submitting for publication in the book. Many of these resources are free, and these are the resources I use to learn and teach principles of validation.

  1. GHTF/SG3/N99-10:2004 – Process Validation Guidance (http://bit.ly/N99-10)
  2. ISO 14969 – ISO Guidance document for ISO 13485 (http://bit.ly/iso14969)
  3. 13485 Plus – CSA Guidance document for ISO 13485 (http://bit.ly/13485Plus)
  4. AAMI The Quality System Compendium: Bundled Set of Textbook & CD (http://bit.ly/AAMI-Store)
  5. The preamble to the QSR (http://bit.ly/QSR-preamble)
  6. ICH Q2: Validation of Analytical Procedures: Text and Methodology (http://bit.ly/Q2-Analytical-Validation)
  7. FDA Guidance for Part 11: Electronic Records (http://bit.ly/Part11Guidance)
  8. FDA Guidance for Software Validation (http://bit.ly/FDA-Software-Validation)
  9. FAQs about Implementation of IEC 62304:2006 (http://bit.ly/Team-NB-IEC62304)

In addition to these resources, you may also need additional resources for design validation. Here are some examples of design validation resources I use in my design controls training “tool kit:”

  1. http://bit.ly/do-it-by-design
  2. http://bit.ly/DesignControlGuidance

As a regulatory affairs professional, it is critical to maintain a list of the most current standards and an organized list of links to those standards. I used to keep a list of favorites in my web browser for this purpose, but my database now exceeds the utility of “favorites.” Now, I use my webpage for this purpose. You can do this yourself by creating a free WordPress blog and dedicating one of its pages to maintaining a list of applicable standards. Here’s a link to my webpage that I share: http://bit.ly/RA-Resources

 


Software Design Validation – FDA Requirements

What are the FDA software design validation requirements for software as a medical device (SaMD) and software in a medical device (SiMD)?

If your product has software, then the investigator is instructed by the FDA QSIT Inspection Manual to consider reviewing software validation. Since inadequate software validation causes many quality problems with devices, you should be shocked if an investigator doesn’t review the software validation of a device containing software. Software-containing devices are also the only devices that manufacturers are required to submit a risk analysis for when submitting premarket notifications (i.e., 510k submissions).

Software Design Validation

Validation confirms that a device meets the user needs. Software validation is no different. Unfortunately, “software design validation” is also the term that we use to mean software design and development–which includes software verification activities and software validation activities. The software verification activities consist of unit testing, integration testing, and system testing. In software verification, we are verifying that each requirement of the software design specification (SDS) meets the requirements of the software requirements specification (SRS). In contrast, software validation involves simulated use or actual use testing of the software to confirm that it meets the user needs of the software. The “device” is the final complete software program in the operating environment in which it is intended to be used (i.e., operating system and hardware), and the “user needs” may be defined as system-level requirements in the SRS or as the intended purpose of the software in the software description.

To facilitate the validation of software, a traceability matrix is typically used to guide the construction of validation protocols. The traceability matrix will identify each requirement in the left-hand column of the matrix. The columns to the right of the requirements should include the following:

  1. hazard identification
  2. the potential severity of harm
  3. P1 – the probability of occurrence
  4. P2 – the probability of occurrence resulting in harm
  5. risk controls
  6. design outputs or references to the code modules that are responsible for each requirement
  7. references to verification and validation testing for each risk control
  8. estimation of residual risks
  9. risk/benefit analysis of each risk and overall risk
  10. traceability to information disclosed to users and patients or residual risks

Since the failure of each module can easily result in multiple failure modes, the above approach to documenting design requirements and risk analysis is generally more effective than using an FMEA. This approach also has the benefit of lending itself to assessing risk each time new complaints, service reports, and other post-market surveillance information is gathered.

The use of a traceability matrix also lends itself to the early stages of debugging software modules and unit validation. Each software design requirement will typically have a section of code (i.e., a software module) that is associated with it. That module will be validated initially as a standalone unit operation to verify that it performs the intended function. In addition to verifying the correct function, the software validation protocol should also verify that the risk controls embedded in that module catch incorrect inputs to it. The correct error code should be generated, and applicable alarms should be triggered.

Finally, after each requirement has been verified, the entire software program must be validated as well. When changes are made, the module and program as a whole must be re-validated. Inspectors and auditors will specifically review changes made in recent versions to verify that revalidation of the entire program was performed–not just unit testing. You must also comply with IEC 62304, medical device software – software lifecycle processes. This is required for CE Marking as a harmonized standard and recognized by the US FDA. One of the implications of applying IEC 62304 is that you must consider the risk of using software of unknown pedigree or provenance (SOUP).

Software Risk Analysis

Each requirement of the software design validation requirements document will typically have a risk associated with it if the software fails to perform that requirement. These risks are quantified with respect to the severity of harm and the probability of occurrence of harm. The likelihood of occurrence of harm has two factors: P1 and P2, as defined in Annex E of ISO 14971:2007 (see our updated risk management training).

P1 is the probability of occurrence, and for software, we have two factors. First, the situation must occur that will trigger a failure of the software. Second, does the software have a design risk control that prevents harm or provides a warning of the potential for harm? P2 is the probability that occurrence will result in harm; P2 has one factor. P2 is determined by evaluating the likelihood that failure will result in harm if the risk control is not 100% effective.

An investigator reviewing the risk assessment should verify that risk has been estimated for each software design requirement. There should be harm identified for each software design requirement, or the traceability matrix should indicate that no harm can result from failure to meet the software design requirement. Next, the risk assessment should indicate what the risk controls are for each requirement identified with the potential for harm. In accordance with ISO 14971, design risk controls should be implemented first to eliminate the possibility of harm. Wherever it is impossible to eliminate the possibility of harm, a protective measure (i.e., an alarm) should be used.

Each risk control must be verified for effectiveness as part of the software validation. Also, the residual risk for each potential harm is subject to a risk/benefit analysis in accordance with EN ISO 14971:2012, Annex ZA Deviation #4. The international version, ISO 14971:2007 (which is recognized by the US FDA and Health Canada), allows companies to limit a risk/benefit analysis to only unacceptable risks. Therefore, the European requirement (i.e., EN ISO 14971:2012) is more stringent. Companies that intend to CE Mark medical devices should comply with the EN version of the risk management standard instead of the international version for risk management.
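The review described in this section can be run as a completeness check over the traceability matrix itself. The following Python sketch is an added example, not part of the original article; the field names, the 1-5 severity scale, and the sample rows are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RiskControl:
    description: str
    kind: str                    # "design" or "protective" (e.g., an alarm)
    vv_reference: Optional[str]  # protocol/report that verified effectiveness


@dataclass
class MatrixRow:
    req_id: str
    hazard: Optional[str] = None             # identified hazard / harm
    no_harm_rationale: Optional[str] = None  # explicit "no harm can result" entry
    severity: Optional[int] = None           # assumed 1-5 scale
    p1: Optional[float] = None               # probability of occurrence
    p2: Optional[float] = None               # probability occurrence results in harm
    controls: List[RiskControl] = field(default_factory=list)
    code_modules: List[str] = field(default_factory=list)


def review_row(row: MatrixRow) -> List[str]:
    """Return the gaps an investigator would flag for one requirement."""
    findings = []
    # Every requirement traces to a design output or code module.
    if not row.code_modules:
        findings.append("no design output or code module traced")
    # Either a harm is identified or the matrix states none can result.
    if row.hazard is None:
        if not row.no_harm_rationale:
            findings.append("no harm identified and no 'no harm' statement")
        return findings
    # Risk must be estimated: severity, P1 and P2.
    for name in ("severity", "p1", "p2"):
        if getattr(row, name) is None:
            findings.append(f"{name} not estimated")
    # A requirement with potential for harm needs at least one risk control,
    # and each control must be verified for effectiveness.
    if not row.controls:
        findings.append("potential harm without a risk control")
    for control in row.controls:
        if not control.vv_reference:
            findings.append(f"control '{control.description}' not verified")
    return findings


def review_matrix(rows: List[MatrixRow]) -> Dict[str, List[str]]:
    """Map requirement id -> findings, listing only rows that have gaps."""
    report = {}
    for row in rows:
        findings = review_row(row)
        if findings:
            report[row.req_id] = findings
    return report


# Constructed sample matrix for illustration only.
SAMPLE_MATRIX = [
    MatrixRow("SRS-001", hazard="over-delivery", severity=4, p1=0.01, p2=0.1,
              controls=[RiskControl("rate limit", "design", "VER-012"),
                        RiskControl("occlusion alarm", "protective", "VAL-003")],
              code_modules=["dose_limit"]),
    MatrixRow("SRS-002", hazard="loss of therapy", severity=3, p1=0.05,
              controls=[RiskControl("low battery alarm", "protective", None)],
              code_modules=["power_monitor"]),
    MatrixRow("SRS-003", code_modules=["ui_theme"]),
    MatrixRow("SRS-004", no_harm_rationale="display colour only",
              code_modules=["ui_theme"]),
]

if __name__ == "__main__":
    for req_id, findings in review_matrix(SAMPLE_MATRIX).items():
        print(req_id, "->", "; ".join(findings))
```

Running the check each time complaints, service reports, or design changes update the matrix shows which rows need attention before the next validation protocol is drafted.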


FDA QSIT Inspection of Design Validation: Part I-Non-Software

This article reviews FDA QSIT inspection requirements of design validation and is specific to devices that do not contain software.

In the FDA QSIT Manual (http://bit.ly/QSITManual), the word “validation” appears in the QSR 78 times. This exceeds the frequency of the words “verification,” “production,” “corrective” and the acronym “CAPA.” The word “validation” is almost as frequent as the word “management”–which appears 80 times in the QSIT Manual. The section of the QSIT Manual specific to design validation is pages 35-40.

The FDA selects only one product or product family when they are inspecting design controls. Therefore, if you keep track of which products have already been inspected by the agency, you can often predict the most likely product for the investigator to select during the next inspection. The number of MDRs and recalls reported will have an impact on the investigator’s selection. Class I devices are not selected.

The QSIT Manual instructs inspectors to verify that acceptance criteria were specified before conducting design validation activities and that the validation meets the user needs and intended uses. There should also be no remaining discrepancies from the design validation. Inspectors must verify that all validation activities were performed using initial production devices or production equivalents. The last item to verify is that design changes were controlled–including performing design validation of the changes.

Risk Analysis

Risk analysis is seldom reviewed in great detail–except software risk analysis. However, when a nonconforming product is reworked, it is required to review the adverse effects of rework. QSIT inspectors will expect you to document this review of risks. Investigators will also expect risks to be reviewed and updated in accordance with trend analysis of complaints, service reports, and nonconformities. Finally, when companies assess the need to report recalls, the FDA expects a health hazard evaluation to be completed (http://bit.ly/HHE-Form). A detailed review of risk analysis is uncommon in QSIT inspections but receives greater emphasis in the review of CE marking applications.

Predetermined Acceptance Criteria

Investigators reviewing your design validation protocols will specifically look at the acceptance criteria for testing you perform. Investigators are looking for two things. First, were the acceptance criteria met without deviation? Second, was the protocol approved before knowing the results (i.e., was this a prospective design validation protocol?). In certain areas, there are also known risks associated with products that the investigators will look for. For example, in sterilization validation, the investigator will verify that the validation was performed to the most current version of the standard and that the validation has addressed the most common pitfalls of sterilization. For example:

  • Have the most challenging devices been identified?
  • Has performance been validated at the maximum sterilization dose?

User Needs & Intended Uses are Met

In the area of user needs and intended uses, there are few problems with the initial launch of devices for the intended use. Problems typically arise when companies expand the intended use to new patient populations and new intended uses. When this occurs, there may be unique user needs and risks that need to be evaluated. Therefore, the FDA periodically reviews claims made by companies in marketing communications to ensure that claims do not stray beyond the cleared intended use of the device. This will sometimes be identified as a 483 inspection observation. In some instances, the FDA will issue a warning letter to a company that continues to market a device for uncleared indications.

Initial Production Devices or Production Equivalents

When investigators review validation protocols and reports, the documentation must include traceability to the production lot(s) of the device. Investigators may even request a copy of the Device History Record (DHR) for the production lot used for validation. If a production lot is not used, then the design validation documentation must disclose how the product differs from production lots, and why the results are acceptable. The samples used should be subjected to the final test/inspection requirements. If final test/inspection requirements are not yet established, samples should be retained, so that they can be inspected at a later date. Without this traceability, you may have to repeat your design validation with a production lot.

Validation of Design Changes

Far too many hours are wasted writing justifications for why re-validation is not required. I recommend that re-validation of design be performed for any design change if all three of the following criteria are not met:

  1. a sound scientific rationale can be provided with references
  2. the logic does not require a subject matter expert to understand it
  3. quantitative analysis is possible to analyze the risk impact

Many design validations require simulated use with a physician. Companies should obtain as much user feedback as possible before launching a device. Therefore, any re-validation that requires simulated use and user feedback should be a priority over writing a rationale for not conducting re-validation.


The Three Biggest Changes in the Latest 510k Guidance

This blog describes the three most prominent changes in the latest 510k guidance document released on July 28, 2014.

This recently issued guidance (http://bit.ly/Substantial-Equiv-Guidance) for evaluating Substantial Equivalence (SE) is well written and informative, with well-chosen and written examples. For newbies to 510ks, this is the place to start. The guidance includes background information about the 510k process and links to other documents. If you are an experienced professional, this is a must-read insight into the FDA’s current approach. Use it to guide your strategy for your next submission, and make it as easy as possible for the reviewer to reach a decision of SE for your device.


Change #1: 510k Flowchart

The 1986 flowchart guiding the decision of SE was updated and re-formatted to improve clarity. A substantial part of the guidance explains the thinking process that guides a reviewer at each decision step. If you are in the middle of preparing a submission, as I am, then the guidance provides an opportunity to review your work against current FDA thinking and training and adjust your submission to align with the FDA.


Change #2: Predicate Selection

Much has already been written about how this document may alter your selection of a predicate device. The FDA clarifies that split predicates (one for intended use equivalence, another for technological equivalence) have been ruled out. The FDA also recently released another guidance document to assist with performing a benefit/risk analysis (http://bit.ly/SE-Benefit-RIsk) when you are developing a device with a different technology than the predicate. The checklist below is intended to help you review your submission when you have already chosen an appropriate predicate.

  1. If you are using multiple predicates, have you stated which one is your primary predicate, the one that is most similar to your device? The FDA must find your device substantially equivalent to one other device.
  2. Are you using secondary predicates only when you are combining features, have more than one intended use, or have additional indications for use?
  3. Is the intended use the same as that for the predicates? Carefully compare your Intended use and the Indications for use with those of the predicates. If they are worded differently, have you explained how they are nevertheless the same?
  4. Have you provided a rationale for your choice of predicates in a way that aligns with the guidance?
  5. Is your SE table organized such that the secondary predicates only support the additional indications for use?
  6. Has your predicate been involved in a design-related recall?
  7. Double-check the Indications for Use statement in your labeling. Regulations state that the determination of the same intended use must be made against the labeling, not against what you say in the submission. Of course, what is in the submission should match the labeling.
  8. Have you included a copy of the labeling for the predicate device, e.g., the user manual?
  9. Does your Description section have sufficient information about the technical characteristics? The FDA is quite specific about what they want to see. Check your Description against the lists on page 19, and at (http://bit.ly/510k-Content) and in any device-specific guidance.
  10. Does your SE table identify similarities and differences in technological characteristics in a structured way?
  11. Do you make it clear why each of the differences does not pose a significant safety or effectiveness concern?
  12. Clinical performance data. Do the examples in the guidance suggest that you might need clinical evidence after all?
  13. If you are using an animal study, does it comply with applicable parts of GLP regulation (http://bit.ly/21-CFR-58)? This was already flagged in the RTA checklist (http://bit.ly/FDA-RTA-Policy). If the RTA reviewer can’t tick those boxes for question 39, then your submission won’t make it through the review.

Change #3: 510k Summary Template

Eleven pages, a quarter of the guidance document, are devoted to the 510k Summary, which will be posted on the FDA website. The guidance states that “FDA intends to verify the accuracy and completeness of the information included in a 510(k) Summary.” Your reviewer will have been so instructed. There is no change to the regulatory requirements for the Summary, but anyone who has combed through these while searching for a predicate will know that many Statements are incomplete. 

The FDA states that their focus on the Summary is in the interests of transparency, and they are making their point quite clearly in this guidance. As well as explaining each requirement, an example is provided. Therefore, I will be using Appendix C as a template for my 510k Summary.


Technical File Conversion – 5 gaps to avoid

Technical File conversion from a 510k submission is easy, but five elements are missing from a 510k that you will need to add.

This blog, Technical File Conversion, offers practical courses of action to consider related to this topic. Below are five parts of a technical file you are likely to be missing in your 510k documents:

  1. Technical File Conversion Requires Clinical Evidence – The FDA states that clinical data is unnecessary for most devices cleared by the 510k process. The MD Regulation (Annex II) requires a clinical evaluation to be performed and the evaluation report to be part of the technical file. Once formulated, the report becomes “clinical evidence” of the safety and performance of the medical device for demonstrating conformity with the relevant General Safety and Performance Requirements (GSPRs).

Here’s how to fill this gap using five steps offered by MEDDEV 2.7.1 Rev. 3:

  1. Identify the GSPRs requiring clinical support (e.g., the device “shall not compromise the clinical condition or the safety of patients, or the safety and health of users” and “any risks which may be associated with their use constitute acceptable risks when weighed against the benefits to the patient”).
  2. Identify and “data pool” existing clinical data relevant to the device and its intended use. This should include any available post-marketing data on the same or similar device. But it may also comprise data from clinical trials or clinical use of a previous generation or even a substantially similar device. Finally, if you are utilizing standard methodologies in your device, it may be possible to use data showing conformity to recognized standards.
  3. Evaluate the data to determine if it’s suitable for establishing the safety and performance of your device. Even some generally unusable studies may produce relevant data. It is vital to perform this evaluation systematically. You might draw a chart listing the relevant ERs on the left and indicate the data source supporting or contradicting it to the right. The evaluation must objectively consider both positive and negative data.
  4. Generate any clinical data still needed. Consider methods other than a clinical trial for generating this missing data, e.g., “Data Pull” existing field data of the same or similar devices that may not yet have been ‘pulled’ through your PMS/RM Post-Production Infosystems. If data is unavailable, you may have no choice but to generate it through a small-scale clinical trial. If so, keep it small, focused on the questions at hand, and statistically significant.
  5. “Bring all the clinical data together” to reach conclusions about your device’s clinical safety and performance. Essentially, conduct a benefit-risk analysis. Involve qualified team members: e.g., experts in medical conditions and device technology.

Now sum it up in a report.

  2. General Safety and Performance Requirements Checklist – This central component of the technical file is based on Annex I of the MDR and IVD, respectively. There is no such review in a 510k.

Develop a checklist based on the principles in GHTF N68:2012 containing all of the following columns for each ER:

  • Applicable? – y/n; Is the requirement applicable? If not, why.
  • The method used to demonstrate conformity – harmonized standard, Common Specification (CS), etc.?
  • Specific Standards or CS applied.
  • Evidence of conformity  
  • The controlled document/s demonstrating fulfillment of the ER.

  3. Technical File Conversion Requires Post-Market Surveillance – The FDA requires PMS activities only if it is mandated due to safety concerns and for Class III or devices with Humanitarian Device Exemptions (HDEs). A PMS plan must then be submitted. Manufacturers may not yet have formulated such a plan.

No worries. If you perform your RM activities in compliance with ISO 14971, you will have an RMP or separate system, including a plan for observations, assessment, and action (ISO 14971:2019 § 10). Reference this in your technical file. What about the PMCF report? Well, if you’ve performed post-market surveillance, develop one. Otherwise, see the next item below.

  4. Technical File Conversion includes a risk management report

While not required by the FDA in your 510k submission, you most likely have fulfilled this ISO 14971 requirement. Reference it in your technical file. Ensure you also confirm in the report that appropriate methods are in place to obtain production and post-production information. If detailed enough, you can also reference the report as a PMCF report.

  5. Risk class/applicable classification rule (based on Annex VII of the MDR) – FDA defines Classes I through III, which are not parallel to Classes I, IIa, IIb, or III in the EU MDR.

Using either of the latter systems, identify the relevant rule, classify your device, and document the result in your technical file.

If you have finished your 510k technical file conversion, you might want to perform a technical file audit before submission to your notified body.

Nonconforming Materials Disposition

Nonconforming materials disposition can be simplified into four categories: scrap, return to supplier, rework, and use as is.

Nonconforming materials disposition

In our previous blog, we focused on requirements to identify and segregate non-conforming materials. Once nonconformities are labeled and locked in your quarantine cage, what do you do next? The next step in the process is determining nonconforming materials disposition. The most common dispositions are:

  • Scrap
  • Return to Supplier (RTS)
  • Rework
  • Use As Is (UAI)

Some companies also have dispositions of sort and repair. Sort is not a disposition and often creates confusion for anyone auditing records of nonconforming materials. Sorting is the process that you must perform when a lot of material fails to meet acceptance criteria, but some of the individual units within the lot meet the acceptance criteria. In this scenario, the following sequence of events is recommended.

Sorting nonconforming materials

First, the lot is segregated from conforming product, and an NCR number is assigned. Next, the lot is 100% inspected for the defect, and the results of the inspection are recorded on the inspection record. It is important to record the specific number of non-conforming units on the NCR record, not the total amount inspected. The final step is to release conforming product back into the production process or warehouse, and the Material Review Board (MRB) will disposition the units identified as non-conforming.

If identifying a non-conforming product requires an inspection method that is not typically performed, then the inspection plan needs to be corrected, or a corrective action plan is needed. New and unforeseen defects may indicate a process change, a change in the raw materials, or inadequate training of personnel at your company or your supplier. An investigation of the root cause is needed, and it is recommended to consider documenting this investigation as an internal CAPA or a Supplier Corrective Action Request (SCAR).

Material Review Board (MRB) determines the nonconforming materials disposition

Most companies have a “Material Review Board” (MRB) that is responsible for making the decision related to the disposition of non-conforming material. Typically, the MRB will be scheduled once per week to review the most recent nonconformities. The board usually consists of a cross-functional team, such as:

  • Quality Assurance
  • Research & Development
  • Manufacturing
  • Supply Chain
  • Regulatory

The reason for a cross-functional team is to review the potential adverse effects of rework and potential risks associated with a UAI disposition. If rework is required, the cross-functional team will typically have the necessary expertise to create a rework instruction and to review and approve that rework instruction–including any additional inspections that may be required beyond the standard inspection work instructions.

Scrap

If the material is going to be scrapped, there is no risk to patients or users. Therefore, the entire MRB team should not be required to scrap products. Because there may be a cost associated with a scrap of non-conforming products, it is recommended that someone from accounting and a quality assurance representative approve scrap dispositions. Other departments should be notified of scrap, but a trend analysis of all non-conforming products should be reviewed by each department and by top management during management reviews. Auditors and FDA inspectors, specifically, will be looking for evidence of statistical analysis of non-conforming material trends and the implementation of appropriate corrective actions.

Return to Supplier (RTS)

Returning non-conforming material to the supplier that produced it is the most common disposition, but the trend of RTS should continuously be improving. If the trend of RTS is not improving, your supplier qualification process or your supplier control may be inadequate. The best way to ensure that the trend is improving is to initiate a SCAR. Some companies automatically wait until they have a trend of non-conforming material before initiating a SCAR. However, if you wait until a defect occurs twice, you are doubling the number of nonconformities for that root cause. If you wait until a defect occurs three times, you are tripling the non-conformities. For this disposition, there also does not need to be approval from the entire MRB. Typically, only representatives from supply chain management and quality assurance are needed to return non-conforming products to a supplier.

Note: You should not always wait until there is a “trend” to request supplier corrective action.

Rework

Almost every auditor looks for a specific phrase in the procedure for Control of Nonconforming Material: “The MRB will review and document the potential adverse effects of rework.” Most companies are doing this, but the procedures often do not specifically state this requirement, and rework instructions are often missing any specific inspection instructions that have been added to reduce risks associated with the rework process. Repeating the normal inspection criteria is seldom adequate for reworked product because the rework process typically results in different defects.

Another phrase that auditors and inspectors are looking for is the requirement to document the rework instructions and to have the instructions reviewed and approved by the same functions that reviewed and approved the normal production process. This requirement is often not specifically stated in the procedure, and FDA 483 inspection observations are commonly issued for this oversight.

Use As Is (UAI)

The UAI disposition should be rare. When I see a large number of NCRs with a disposition of UAI, I expect one of two reasons for this situation. First, the NCRs are for cosmetic defects where the acceptance criteria are too subjective and inspectors need clear guidelines regarding acceptable blemishes and unacceptable nonconformities. The visual inspection guides used during solder joint inspection for printed circuit boards are an excellent example of best practices for clearly defining visual inspection criteria. Personally, I prefer to use a digital camera to take pictures of representative “good” and “bad” parts. Then I create a visual inspection chart with a green, smiley face for “good” and a red, frowny face for “bad.” The best inspection charts identify the proper inspection equipment and quantitative acceptance criteria with pictures and symbols instead of words.

The second reason for a larger percentage of UAI dispositions is that the product specifications exceed the design inputs. For example, if a threaded rod needs to be at least 1” long, but 1.25” long is acceptable, then you should not approve a drawing with a specification of 1.00” +/- 0.05”. Often, the legend of drawings will define a default tolerance that is unnecessary. A more appropriate specification would be 1.13” +/- 0.12”. No matter how much work it is to specifically define tolerances for each dimension on a drawing, the work required to do this at the time of initial drawing approval is much less than the work required to justify a UAI disposition. FDA inspectors will consider a UAI disposition as a potentially adulterated or misbranded product, and a formal Health Hazard Evaluation (HHE) may be required to justify the reason why the product is not recalled.

Regardless of the disposition of the product, the decision for disposition should be a streamlined process that is not delayed unnecessarily. In order to ensure that your non-conforming material dispositions are effective and processed in a timely manner, our next blog in the series about control of non-conforming materials will focus on process interactions, monitoring and measuring of non-conforming product and when to initiate a CAPA or SCAR to prevent more NCRs.

What is the MDSAP pilot?

This article explains what the MDSAP pilot is and how the pilot program is likely to impact medical device manufacturers.

The acronym “MDSAP” stands for “medical device single audit program.” This is a three-year pilot program that began on January 1, 2014. Regulatory bodies are attempting to use a single regulatory audit to meet the requirements for all countries. The MDSAP pilot is one of the direct results of medical device regulatory bodies forming the new International Medical Device Regulators Forum (IMDRF) organization (http://bit.ly/imdrf).

The FDA’s Kim Trautman is the working group chairperson for IMDRF. There is a limited amount of information on the IMDRF webpage (http://bit.ly/imdrf-mdsap), but you can find more information on the US FDA website (http://bit.ly/MDSAP). Four countries are currently participating in the MDSAP pilot:

Japan is an official observer for the program, with the participation of both their device agency (http://bit.ly/Japan-MHLW) and pharmaceutical agency (http://bit.ly/Japan-PMDA). China and Europe are also represented in the MDSAP working group at the IMDRF.

Currently, there are 15 recognized registrars for the CMDCAS (http://bit.ly/CMDCAS-webinar) program for medical device companies that want to obtain a medical device license in Canada. Health Canada plans to participate in the MDSAP pilot for three years, and then the MDSAP program will become a mandatory replacement for the CMDCAS certification program in 2017.

How will auditors approach MDSAP audits?

The current CMDCAS audit program benefits significantly from Health Canada’s alignment of the Canadian Medical Device Regulations (CMDR) with the ISO 13485 Standard used by third-party auditors. The tool that Health Canada uses to ensure that auditors are consistent is the GD210 audit checklist (http://bit.ly/GD210Guidance). The MDSAP will need to harmonize the regulations of Canada, Australia, Brazil, and the USA. This may seem like an impossible task, but Notified Bodies and consultants have been using multi-national regulatory comparison checklists for years to ensure that all the applicable regulations are covered during audits.

Auditors currently relying primarily upon audit checklists should quickly adapt to the MDSAP with longer lists. However, those third-party auditors that are now using the process approach will need to study the comparison checklists being developed carefully. The process approach will still be the best approach for auditing, but auditors will need to be familiar with a larger number of requirements for each step in the population of their turtle diagrams (http://bit.ly/Process-Approach).

I recommend looking at what aerospace and automotive auditors do. Auditees are expected to create and maintain process flow charts for each process, but the auditors will also compare previous versions they created in past audits. This makes the process much more efficient–except the first time they create the diagrams.

How will MDSAP audits be different?

The biggest difference between the current CMDCAS audits and the MDSAP will be the duration of audits. SGS indicated on its website (http://bit.ly/MDSAP-SGS) that manufacturers should expect these audits to be 35-100% longer in duration. The typical ISO 13485 audit might be two days, and CMDCAS might add no additional time or as much as a half-day to the duration. However, the MDSAP program will require gathering objective evidence for Australian, Brazilian, and U.S. regulations. Even if this only added a half-day for each country, the combined effect would be four days instead of two and one-half days.

At first glance, this may seem to be a burden, but this should be a relief. Currently, manufacturers might have a CMDCAS audit every year, an FDA inspection every other year, and they are still waiting for an ANVISA inspection so that they can launch a product in Brazil. Instead of a worst-case scenario of three audits/inspections in one year, the MDSAP program will enable companies to schedule a single audit to address each major market at one time. When Japanese and Europeans adopt the MDSAP as well, then companies will realize an even greater overall reduction in the number of audit days each year.

How important will the MDSAP pilot be?

Historically, Health Canada is the only country that made ISO 13485 certification mandatory. However, making ISO 13485 certification mandatory essentially made ISO 13485 a global prerequisite for medical device manufacturers, which has not happened with ISO 9001 certification. Health Canada indicated that it intends to make the MDSAP program mandatory at the end of the 3-year pilot. If Health Canada makes MDSAP audits mandatory, MDSAP may become the new de facto auditing standard globally.

In addition to the impact of Health Canada, Brazil has agreed to accept the MDSAP audits instead of initial audits by ANVISA. The current backlog of ANVISA audits is more than a year, and companies have resorted to filing lawsuits against ANVISA to get to the “top of the list.” Therefore, all of the companies on the waiting list are likely to jump at the opportunity to participate in the MDSAP pilot.

Let me know if you want to understand specifics about the MDSAP program. Please submit your suggestions for future blogs to http://bit.ly/QA-RA-Suggestion-Box

UDI Implementation-Why You Need to Begin Today

In this blog, “UDI Implementation-Why You Need to Begin Today,” the author provides reasons why you should begin your implementation today and the benefits of doing so.

I have taken you through what UDI is, what you need to do to meet its compliance dates, and in the last few blogs, written about the steps you need to take to implement UDI in your organization. With the September 24, 2014 deadline looming, labelers of Class III devices and stand-alone software should be well on their way with implementation. But what about you who label implantable, life-sustaining, life-supporting (9/24/15 deadline), Class II (9/24/16 deadline), or Class I (9/24/18 deadline) devices? Should you wait or begin now?

UDI – Good Business Sense

There are many reasons why implementing UDI makes very good business sense. Two overriding reasons are increased revenues and lower costs. The healthcare industry has been using Automated Identification and Data Capture (AIDC) technology for a number of years. Since 2004, FDA has required drug manufacturers to use barcodes (NDC number) on their labels. Now, they require device manufacturers (labelers) to use Unique Device Identifiers (UDI) on their medical device labels.

Hospitals and Group Purchasing Organizations (GPOs) have been at the forefront of persuading many medical device manufacturers to adopt UI for the devices they label. GPOs are now at the point of mandating manufacturers to implement UI to continue and/or obtain contracts to sell their devices to GPO hospital members. Even with that significant pressure, many manufacturers have resisted implementing UI. Of course, now, they will have no choice.

Manufacturers who have implemented UI have seen increased revenues and decreased costs. Their hospital/GPO customers view them as “easy to do business with,” resulting not only in an increase of sales of contracted devices but also of non-contracted devices. Hospitals must implement systems to reduce their costs. UDI is such a system. It will permit hospitals to manage their inventories better, reducing or eliminating product duplication, as well as realizing improved inventory tracking.

The use of product barcodes will allow hospitals to charge patients more accurately for the devices they use while hospitalized. Manufacturers have also been able to increase the speed to market for a new device compliant with UI by adding it to their existing GPO contracts. This can increase the new device’s exposure to the market very quickly.

Becton Dickinson Implementation

The March 2011 Edition of Healthcare Purchasing News published an article by Karen Conway that describes the experiences of Becton, Dickinson, and Company (BD) and Resource Optimization and Innovation (ROi) implementing UI (GS1’s Global Trade Identification Number). Dennis Black (BD) and Alex Zimmerman (ROi) describe the positive impact implementing UI had on their businesses. They were able to document a 30% reduction in accounts payable days outstanding. Other findings included:

  • 73% reduction in errors on customer orders
  • fewer stock-outs
  • greater process efficiency
  • fewer calls to customer service
  • better charge compliance

All are excellent reasons to start UDI implementation now.

Regulatory Affairs will also benefit from implementing UDIs. Improving the recall process will help reduce costs through easier tracking of which customers to contact, versus what is typically a very arduous and time-consuming process today. Starting now will also allow you to control the pace of the required changes to your organization, and collect data needed to submit to GUDID. This regulation will put your organization under a tremendous amount of pressure without having to deal with the crisis of a short implementation window.

The most common mistake I have seen organizations make is poor planning around UDI implementation. They significantly underestimate the amount of time it will take to implement UDI, the amount of change that will occur within the organization to be compliant, and being able to manage the ongoing requirements of UDI. These issues are compounded for multi-site organizations, where project planning is critical. 

Earlier in this blog, I mentioned hospitals using barcodes to charge fees for devices used by patients. This information will be added to the patient’s electronic health record. From there, this information will work its way into large population databases, such as claim data. Manufacturers will ultimately be able to use this claim data to identify new potential intended uses for products, and thereby expand their target markets.

Implementing UDI now makes good business sense. Why wait and put your organization in jeopardy?
