Blog

What is UDI and Why It Matters

udi 2 300x162 What is UDI and Why It MattersIn this blog, “What is UDI and Why It Matters,” the author reviews the fundamentals of UDI, FDA’s Final Rule applications, and its global significance. 

FDA’s Final Rule (Federal Register – UDI Definition) states a Unique Device Identifier (UDI) is a code that sufficiently identifies a medical device throughout its distribution and use. The UDI is comprised of a static component, “Device Identifier” (DI), and a dynamic component, “Production Identifier” (PI). 

The DI itself is made up of your Labeler Identification Code and a code that pinpoints the specific version or model of that device. PI, on the other hand, includes manufacturing information for that specific device, such as lot or batch number, serial number, expiration date, or manufacturing date (both in YYYY-MM-DD format).

Human cells, tissues, or cellular or tissue-based product (HCT/P) regulated as a medical device requires the use of the ISBT-128 format UDI. The UDI Final rule requires medical device labels to contain a UDI, unless exempt or provides for an exception or alternative placement. The UDI must be both human-readable and in a form that uses automatic identification and data capture (AIDC) technology. 

Reprocessed and Single-Use Devices

Medical devices that are both used more than once by intention and reprocessed by intention must have the UDI directly marked on the device. The Final Rule details exceptions to this requirement (Federal Register – Direct Marking Requirement). UDI does not need to be on individual single-use devices. Instead, it needs to be located on the next higher package. For example, non-sterile exam gloves would require a UDI on the box label, not each glove. 

This section of the rule stipulates individual single-use devices, all of which are the same version or model, must be distributed together in a single device package, is intended to be stored in that device packaging until removed for use, and is not intended for individual sale.  However, it does not apply to implanted devices, which require a UDI on the package of the individual device. Federal Register – Single-use Device 

Stand-Alone Software

Stand-Alone Software that is regulated as a medical device, must also bear a UDI. The software version should be included in the production identifier. If the software is downloaded from a website, the UDI must be in plain text (i.e., not in AIDC format) and displayed whenever the software is started and/or in the plain text displayed through a menu command, such as the “About” screen. If Stand-Alone Software is sold in a package, the package must have the UDI on its label. However, the DI of packaged software may be identical to the downloaded version. Federal Register – Stand-Alone Software

Why Now? Why Does It Matter?

Some medical device companies, especially distributors, obscure manufacturers’ names and item codes on device labels. Different devices might have the same item code, while the same device might have different item codes. These inconsistencies confuse healthcare professionals—especially during recalls and adverse event reporting. Therefore, FDA and other regulatory agencies are implementing UDI regulations to:

  • Improve patient safety by reducing medical errors.
  • Strengthen the Electronic Medical Records initiative by providing a standard method for recording the identity of each device during use in clinical information systems, claim data sources, and registries.
  • Address counterfeiting and diversion
  • Prepare for medical emergencies and disasters
  • Provide a foundation for a global, secure distribution chain. 

The most important reason for UDI regulations is the need to improve the accuracy and timeliness of Post-Market Surveillance (PMS) data. More accurate and timely PMS data will indirectly improve patient safety by helping facilitate more accurate reporting, reviewing, and analyzing of adverse event reports, so problem devices can be pinpointed, corrected, and removed faster. 

Impact of UDI Regulations Globally

FDA hopes the UDI regulations will lead to the development of a globally harmonized medical device identification system that is recognized around the world. The European Union and regulatory agencies around the globe are drafting their versions of a UDI regulation. In addition to the benefits of implementing a UDI system in general, a global UDI system would:

  • Allow companies to create globally harmonized labeling with a single UDI worldwide
  • Promote worldwide tracking and tracing of devices for easier recalls
  • Provide another risk control to prevent counterfeiting and diversion of medical devices

To that extent, the International Medical Device Regulators Forum (IMDRF) published their UDI Guidance document IMDRF UDI Guidance Document, which has many similarities to the FDA Final Rule.

The Unique Device Identifier Final Rule is more than just a new FDA regulation—it is also good business practice. Healthcare customers are embracing the use of unique identifiers. In past experiences with implementing GTINs (another form of UDI from the UDI issuing agency GS1), customers demanded implementation of GTINs, or they would find a new supplier. Manufacturers may choose to ignore one or two customers. Still, eventually the number of customers demanding UDI will be significant, and they will need to act quickly—regardless of FDA deadlines.

Posted in: Unique Device Identification (UDI)

Leave a Comment (0) →

Medical Device Regulation: FDA Pilot Programs for Global Harmonization

international harmonization Medical Device Regulation: FDA Pilot Programs for Global HarmonizationThis blog provides an overview of global harmonization efforts by the FDA that were implemented for medical device regulation.

Harmonization of international regulatory requirements for medical devices began in 1992 with the founding of the Global Harmonization Task Force (GHTF). There were five founding regulatory bodies: 1) US FDA, 2) Health Canada, 3) European Commission, 4) Therapeutics Goods Administration of Australia, and 5) Ministry of Health, Labour and Welfare in Japan. The organization created many guidance documents for the medical device industry, and members of the GHTF organization also participated in the development of ISO 13485 that was released in 1996. GHTF was disbanded in late 2012, and it has been replaced by the International Medical Device Regulators Forum (IMDRF) (http://bit.ly/IMDRFDoc), and IMDRF maintains the documentation created by GHTF.

In 1996, when ISO 13485 was released, Health Canada made certification to ISO 13485 mandatory for all medical device manufacturers that wanted to distribute in Canada. Health Canada’s requirement for ISO 13485 certification resulted in the widespread adoption of ISO 13485 certification throughout the world. At the same time, the US FDA chose to publish its Quality System Regulations (http://bit.ly/21CFR820-compliance). The QSR is very similar to ISO 13485, but there are minor differences beyond the obvious reorganization of the requirements.

FDA Modernization Act of 1997

Under the FDA Modernization Act of 1997, the FDA implemented a 3rd party review program for 510(k) reviews and inspections (http://bit.ly/3rd-party-implementation). This program involves “Accredited Persons” (AP) that have been trained by the FDA and work for a third-party consulting firm, registrar, or Notified Body. The FDA expanded the pilot program for 510(k) reviews to include most 510(K) devices (http://bit.ly/3rd-Party-Review-List). Unfortunately, even though there was great interest from third-parties to participate in the program, there was little interest from manufacturers. After more than a decade, only the following seven third-party organizations have managed to get an Accredited Person (AP) to complete the qualification process so that they can perform inspections independently:

  1. BSI
  2. LNE/G-MED
  3. CMS/ITRI
  4. Orion Registrar
  5. SGS
  6. TUV SUD
  7. TUV Rheinland

The FDA continues to experiment with different approaches to international harmonization. In 2003, Health Canada (HC) signed a memorandum of understanding between Health Canada (HC) and the U.S. In 2006, the FDA launched the pilot, Multi-purpose Audit Program (pMAP) (http://bit.ly/HC-FDA-pMAP). Third-party auditors performed ten combined audits. The conclusions and recommendations resulting from the pMAP were posted on the FDA website in 2010. One of the recommendations was to develop a guidance document for the format and content of regulatory reports. Therefore, in 2011, GD211 (http://bit.ly/GD211-report) was released by HC, and several videos were posted on the FDA website by HC and the US FDA for training (http://bit.ly/CDRH-Learn-Course-list).

Once the 14 recognized registrars had managed to train their CMDCAS auditors (http://bit.ly/CMDCAS) on the GD211 report format, the FDA announced the Voluntary Audit Report Submission Pilot Program (http://bit.ly/Voluntary-Audit-Report). For eligible companies, they may submit a regulatory report in the GD211 format, and the FDA will remove the manufacturer from the routine workload for FDA inspections. A few companies have taken advantage of this and successfully avoided a routine inspection for 12 months.

FDA’s New Pilot Program

Recently, the FDA announced a new Voluntary Compliance Improvement Program Pilot (http://bit.ly/FDA-VCIP). This new program is a small pilot that will allow 3-5 manufacturers to select a third party (to be approved by the FDA) to help them identify areas for compliance improvement and initiate corrective actions. Identification of areas for improvement would presumably be determined during a mock-FDA inspection performed by the third party, but this is not explained in the FDA announcement. This program is available by invitation only, but it appears to be a significant departure from the AP program and voluntary submission of GD211 audit reports.

IMDRF is finally starting to have an impact on the harmonization of medical device inspections. In January 2014, the FDA began accepting inspection reports from the Medical Device Single-Audit Program Pilot (MDSAP) as a substitute for routine agency reports. Kim Trautman at the FDA is the IMDRF representative chairing the program, and her presentation announcing the program can be downloaded at the following website link: http://bit.ly/IMDRF-MDSAP. This program should be extremely popular with manufacturers because the MDSAP reports can also be used to meet requirements for inspections by Japan’s MHLW and Brazil’s ANVISA. ANVISA has a massive backlog of inspections due to a strike by government workers, and many companies were forced to file a lawsuit against ANVISA to accelerate the inspection prioritization. The challenge with the MDSAP will be to train and qualify third parties to conduct the audits correctly.

Posted in: FDA

Leave a Comment (2) →

Unique Device Identifier Final Rule-FAQs-Part II

Screen Shot 2014 04 03 at 10.24.33 PM Unique Device Identifier Final Rule FAQs Part II

Did you know that September 24, 2014, is the first UDI DEADLINE for Class III devices, Stand-Alone Software, and devices licensed under the PHS Act? 

Who is an Issuing Agency?

FDA has accredited three (3) agencies for the operation of a system to issue unique device identifiers. They are GS1 (www.gs1.org), Health Industry Business Communications Council (HIBCC) (www.hibcc.org), and International Council for Commonality in Blood Bank Automation (ICCBBA) (www.iccbba.org).  GS1 and HIBCC are for medical devices, while ICCBBA is for medical products of human origin that are regulated as medical devices.

We sell single-use devices; do we need to label these products?

A UDI does not need to be placed on each single-use device (i.e., primary packaging). Instead, the UDI is to be placed on the secondary packaging (e.g., outer box). For example, exam gloves. The UDI label goes on the box, not each glove. This rule requires the package:

  • Have a single version or model
  • Be distributed together in a single device package
  • Are intended to stored in that device packaging, and
  • Are not intended for individual sale

Placement of the UDI on the secondary packaging for single-use devices does not apply to implanted devices. While implants are technically “single-use” devices, implants (defined as devices placed in the body for 30 days or longer) must have a UDI on the primary packaging.  Federal Register – Single-use Devices

I understand there are implementation deadlines; what are they?

There are several deadlines related to this new regulation based on device Class. For example, Class III devices, Stand-Alone Software, and devices licensed under the PHS Act must be “compliant” and have a UDI on its package label, and information submitted to the Global UDI Database (GUDID) by September 24, 2014. There is an opportunity to file for a 1-year extension for these classes of devices under §801.55. The deadline for filing this extension is June 23, 2014.

Other implementation deadlines are (includes submitting data to GUDID):

September 24, 2015,           Implantable, Life-Sustaining & Life Supporting Devices

September 24, 2016            Class II devices and Stand-Alone Software

Class III devices intended to be used more than once and reprocessed between uses must be directly marked with UDI

September 24, 2018            Class I devices and Stand-Alone Software

Devices not classified into Class I, II or III

Class II devices intended to be used more than once and reprocessed between uses must be directly marked with UDI

September 24, 2020            Class I devices, and devices that have not been classified as Class I, II or III, intended to be used more than once, and reprocessed between uses, must be directly marked with UDI

On-hand inventory labeled before the deadline does not need to be relabeled with a UDI for up to three (3) years past the deadline. FDA considers consignment inventory to fall under this rule. This requires that you track consignment inventory, as well as ensure the inventory is used before this three-year exception expiring. Federal Register – Implementation Dates

Our device is packaged one unit per package; do we need to label the device itself?

This is a “unit of use” issue. If you sell ten individually packaged devices ONLY in an outer pack, the individual devices do not require a UDI. Generally, labeling the outer pack with the UDI is sufficient. This assumes the device is stored and used that way.

I heard the information on our devices needs to be submitted to a “database.” Please explain?

UDI has been implemented to facilitate postmarket surveillance activities, including the identification of medical devices through its distribution and use. FDA believed a significant part of this was the ability for healthcare professionals and users to “search” a database to locate information about devices. This resulted in the creation of the Global Unique Device Identification Database (GUDID) system, which is a repository for 60-plus attributes for each Device Identifier and its corresponding Labeler information.  Federal Register – GUDID Information

How do we submit data to the Global UDI Database?

There are two standard-based methods to submit date to the Global UDI Database (GUDID) – structured input via an FDA web interface, or using the Health Level 7 Structured Product Labeling (HL7 SPL) process. HL7 SPL is in XML format and uses the FDA electronic submission gateway as the pathway to input data into GUDID. To submit data to GUDID, you first need to request a GUDID user account from the FDA. Data is submitted one record at a time for both methods. There is no batch process.  Federal Register – GUDID Submission

What additional information needs to be printed on a label under this new rule?

Medical devices must also follow labeling requirements detailed in Title 21, Subchapter H, §801, in addition to the new requirements per the UDI rule. Required information printed on the labels is also dictated by other regulatory agencies, such as the EU. Specifically, the UDI regulation requires a UDI be printed in easy-to-read plain text, and an Automatic Identification and Data Capture (AIDC) format and placed on the device label. The AIDC format is dictated by the format of the issuing agency you have chosen. The other label element FDA requires is the date format when a date is used on a label. The date format is YYYY-MM-DD, and a day must always be used.  Federal Register – UDI Format

When do I need a new Device Identifier?

A new UDI is required when there is a change to a version or model. If you are calling the device a new version or model, and the users think the same, then it is a new device and requires a new Device Identifier (DI) and label changes. If the number of units in a device package changes – for instance, going from 5 to 10, then a new DI is required. This aspect often confuses people, as they think it has to do with changes in package artwork.  Federal Register – New UDIs

Need More Information on how to design and implement a compliance plan for the Unique Device Identifier Rule? 

FDA UDI Regulation on Medical Device Labelers is a complimentary webinar and PowerPoint training presented by subject matter expert, Jon Bretz. To access – CLICK HERE

Posted in: Unique Device Identification (UDI)

Leave a Comment (0) →

Are MEDDEVs Required or Optional for CE Marking of Medical Devices?

Excuse me. Are you sure this MEDDEV is required Are MEDDEVs Required or Optional for CE Marking of Medical Devices?This blog answers the question of whether compliance with MEDDEV guidance documents is required or optional for CE marking of medical devices.

MEDDEVs are guidance documents (http://bit.ly/Whats-a-MEDDEV) written by competent authorities—not law. As it states on the Europa website (http://bit.ly/MEDDEV), “The guidelines are not legally binding.” However, the Competent Authorities (http://bit.ly/ContactPoints) take an active role in developing these guidance documents. Therefore, enforcement of the guidance documents by Notified Bodies depends upon which competent authorities helped to develop the specific MEDDEV. MHRA. For example, is the competent authority for the United Kingdom (UK). MHRA has taken an active role in developing many of the MEDDEVs. Therefore any manufacturer that uses a Notified Body in the UK is more likely to consider the MEDDEVs that MHRA helped create to be “required” rather than “recommended”. The following Notified Bodies are under the jurisdiction of MHRA, but each member states’ competent authority has Notified Bodies that could be affected, including:

British Standards Institute (BSI) – NB # 0086
Lloyd’s Register Quality Assurance (LRQA) – NB # 0088
SGS United Kingdom Limited (SGS) – NB # 0120
AMTAC Certification Services – NB # 0473
UL International (UK) LTD – NB # 0843

There are 32 MEDDEVs divided into 15 categories. The most recent revision to a MEDDEV was in January 2013 when MEDDEV 2.12/1, Medical Device Vigilance System, was updated. This particular MEDDEV is the European equivalent to 21 CFR 803 for Medical Device Reporting, but reporting of adverse events is called “vigilance” in the EU. It is essential to keep current with changes to MEDDEVs (http://bit.ly/New-Revised-EU-Regulations) because Competent Authorities require vigilance reporting using the most current version of the MEDDEV form. In the case of the vigilance MEDDEV, the guidance is de facto law. However, the French Competent Authority recently indicated that trend reporting requirements will be required in the future for high-risk devices, and the French Competent Authority refused to accept the form associated with MEDDEV 2.12/1. Instead, France has its form that is preferred for vigilance submissions.

MEDDEV Enforcement

Other MEDDEVs are not as consistently enforced. For example, MEDDEV 2.5/10 (http://bit.ly/ECREPMEDDEV) provides guidance with regard to the roles and responsibilities of European Authorized Representatives. In some cases, Competent Authorities audit Authorized Representatives for compliance with this MEDDEV. Notified Bodies are also auditing agreements between manufacturers and Authorized Representatives. Unfortunately, many manufacturers still rely upon European distributors that are not compliant with MEDDEV 2.5/10, and Notified Body auditors are merely verifying that an Authorized Representative agreement exists.

Another example of inconsistencies between Notified Bodies is demonstrated by how MEDDEV 2.7/1 (http://bit.ly/ER6aMEDDEV) is enforced. This document guides manufacturers on how to perform clinical evaluations. Some Notified Bodies, especially the Notified Bodies under MHRA’s jurisdiction (see the list above), are systematically reviewing the content of clinical evaluations against the MEDDEV guidance. However, other Notified Bodies continue to verify only that a clinical evaluation exists. Differences between Notified Bodies in how they enforce this MEDDEV is less pronounced for Class III devices, where clinical studies are expected. However, this may be due to the lack of clinical expertise at some Notified Bodies.

The European Commission began a pilot program in 2013 for conducting joint audits by Competent Authorities of Notified Bodies to ensure that there is consistency between the Notified Bodies, and how the Competent Authorities enforce regulations (http://bit.ly/Europa-press-release-24-9-2013). Some of the other changes, such as conducting unannounced audits of manufacturers and their supply chains, are being implemented this year (http://bit.ly/Unannounced-Audits).

Due to the ongoing debate between the European Council and the European Parliament over the draft of the proposed European Medical Device Regulations (http://bitly.com/EMDR-Frankenstein), the issuance of new and revised MEDDEVs has essentially stopped. When the European Medical Device Regulations (EMDR) are finally approved, the medical device industry can expect to see the content of the MEDDEV guidance documents to be superseded by new requirements in the EMDR.

Posted in: CE Marking

Leave a Comment (0) →

Unique Device Identifier Final Rule-FAQs-Part I

Screen Shot 2014 04 03 at 10.23.51 PM Unique Device Identifier Final Rule FAQs Part IThis blog, “Unique Device Identifier Final Rule-FAQs-Part 1,” answers questions, such as, what is a UDI? Who is responsible for applying the UDI label? Etc. 

What is a “UDI?”

The Unique Device Identifier (UDI) adequately identifies a device throughout the supply chain and while in use. It is constructed of two main sections – a device identifier and a production identifier. The device identifier is comprised of a permanently assigned product code (model or version) and a labeler identification code. The production identifier is a dynamic component and made up of a lot number, serial number, manufacturing date, expiration date, etc. The device identifier and production identifier together make up the UDI.  Federal Register – Unique Device Identifier definition

Who is responsible for applying the UDI label? 

FDA has defined the “Labeler” to be the entity responsible for applying the UDI label. This entity may or may not be the actual manufacturer. The Labeler is defined as the entity that causes a label to be secured to a device and who places the device into commercial distribution with the expectation the label will not be replaced or modified in any way. Additionally, should an entity replace or substantially modify the original label, and then place the device into commercial distribution with the expectation the label will not be replaced or modified in any way is also a Labeler. Distributors who simply add their name and address to the package are not defined as a Labeler under this definition. 

Private label devices present a situation where the actual manufacturer or brand name holder can be the Labeler. This would be a business decision between the manufacturer and the brand name holder. The Labeler may also be the specification developer, a single-use device reprocessor, a convenience kit assembler, a repackager, or a relabeler.  Federal Register – Labeler definition

What does a “standardized” date format mean? 

FDA has decided for all human-readable dates (manufacturing date, expiration date, etc.) printed on labels must follow a YYYY-MM-DD format. The DAY is an absolute requirement. For example, March 31, 2014, must be presented as 2014-03-31. This requirement applies to ALL medical device classes that use a date on their label. Federal Register – Date format definition

I have kits that are comprised of several devices; how does this rule apply to me?

There are many types of kits. Kits can be made up of one or more medical devices, packaged together with one or more combination products, drugs, or biologics, to expedite a single surgical or medical procedure. §801.30(a)(11) states when a device is packaged within the “immediate container of a combination product or convenience kit, the label of the device will not be required to bear a UDI,” as long as the label on the kit has a UDI. Should your kit have a National Drug Code (NDC) number on its label, it does not also need to have a UDI.  §801.30(b)(3) clearly states devices that are included in a combination product with an NDC number on its label and does not have a UDI; the device components must bear a UDI on its label. Federal Register – Kits Exemption

What does reprocessing mean? 

FDA uses the term “reprocessing” in conjunction with a direct marking of a unique device identifier. Devices intended to be used more than once must have the UDI permanently marked directly on the device (with a few exceptions), and will be reprocessed between each use. However, the FDA has not yet defined what “reprocessing” means. I have asked FDA this question, with their response being they will “shortly” issue additional guidance on this matter. When they do, I will let you know via this blog. Until they do, use the following definition of “reprocessing” – clean, clean plus disinfected, or clean plus sterilized. Federal Register – Direct Marking and Device Reprocessing

We sell software that is considered a medical device; how do I label these devices?

Stand-Alone Software (SAS) regulated as a medical device must also have a UDI. SAS that is downloaded from the web and/or sold packaged must use the version number (as the lot number) in its production identifier. The full version of the UDI must be displayed in easy-to-read plain text, following the rules of the issuing agency you have selected, on the start-up screen and/or a menu command screen, such as the “About” screen. The UDI on the SAS packaged form may have the same device identifier. Federal Register – Stand-Alone Software

What is a device package? 

A device package is a package that contains a fixed number of a specific version or model of a device. The use of this term has often confused people who think it has something to do with the package design. Federal Register – Device Package definition

Do I need to label our shipping containers? 

A shipping container, for this regulation, is defined as a container used to ship or transport devices in which the items within may change from one shipment to another. The rule does not require a UDI label for any shipping container. Federal Register – Shipping Container

The author, Jon Bretz (guest blogger), can be contacted at 617-356-7776, or jbretz@rsqmassociates.com

Posted in: Unique Device Identification (UDI)

Leave a Comment (0) →

Complaint Handling and Medical Device Reporting Common Mistakes

complaints Complaint Handling and Medical Device Reporting Common MistakesThis blog, “Complaint Handling and Medical Device Reporting Common Mistakes,” reviews complaint investigations, MDR procedures, and adverse event reporting.  

You should already be well aware that deficiencies in complaint handling and Medical Device Reporting are two of the most common reasons why the FDA issues 483 inspection observations and Warning Letters (http://bit.ly/FY2013-483-Data-Analysis). Recently, I posted a blog about “Where to Focus your Medical Device Complaint Handling Training” (http://bit.ly/Complaint-Training). The following is a summary of my responses to reader questions.

Complaint Investigations

What criteria do you think should be used to determine whether a complaint should be investigated or not?

There is only one acceptable rationale for not conducting an investigation of a complaint. If you don’t investigate complaints when required, then you might receive an FDA Form 483 observation worded like this…

21 CFR 820.198(c) – Complaints involving the possible failure of labeling to meet any of its specifications were not investigated where necessary. Specifically, a missing IFU was reported in customer complaints, but no investigation was conducted. The rationale documented in the complaint record was “the missing IFU presented no patient risk.”

A missing IFU is “failure of labeling to meet any of its specifications.” Therefore, 21 CFR 820.198(c) requires you to conduct an investigation “unless such investigation has already been performed for a similar complaint, and another investigation is not necessary.” This is the only rationale that is acceptable for skipping your investigation. To ensure that no one forgets to investigate a complaint, make sure you include a space in your complaint handling form that is specifically labeled as “Summary of Complaint Investigation.” This space should also include an option to cross-reference to a previous complaint record where a similar investigation is already documented.

A missing IFU is also considered a misbranded product that requires correction (e.g., sending the customer a replacement IFU) or removal (i.e., recall). The FDA expects a Health and Hazard Evaluation (HHE) form to be included in your recall records (http://bit.ly/HHE-Form), and the HHE should indicate the potential risk of a “delay in treatment.” This is the FDA’s conclusion in their evaluation of risk, and therefore your HHE must identify a delay in treatment is a patient risk too. The FDA also expects a CAPA to be initiated to prevent the recurrence of this type of labeling error. You can make a “risk-based” determination that reporting a specific recall to the FDA is not required as per 21 CFR 806.20. However, you need to maintain records of your determination not to report a recall. If you already received a Warning Letter, you should err on the side of reporting anyway.

Note: References to “recall” in the above paragraph are meant to include field corrections.

Intended Use

If a complaint consists of a medical device being used for something other than its intended use, is an MDR required for this user error?

The answer is yes. If you don’t report adverse events involving “user error,” then you might receive an FDA Form 483 observation worded like this…

21 CFR 803.17(a)(1) – The written MDR procedure does not include an internal system which provides for the timely and effective evaluation of events that may be subject to medical device reporting requirements.  Specifically, several incidents where a death or serious injury occurred were “caused by a user error,” and the procedure did not identify this as an event requiring Medical Device Reporting.

In 21 CFR 803.3 (http://bit.ly/21CFR803-3), the FDA defines “caused or contributed” to include events occurring as a result of:

  1. Failure
  2. Malfunction
  3. Improper or inadequate design
  4. Manufacture
  5. Labeling, or
  6. User error

It is important to understand that the definition of complaints and the requirement to report adverse events should not be “risk-based.” The need for remediation and the need to report corrections and removals can be “risk-based,” but whether something is a complaint, and whether it is reportable should be “black-and-white.” For example, “Did the death or serious injury occur due to auser error’-including use other than the intended use?” If the answer is yes, then it is a complaint and reportable.

Adverse Events

Do incidents that occurred outside the United States need to be reported to FDA?

The answer is yes. If you don’t report adverse events that occur outside the United States, then you might receive an FDA Form 483 observation worded like this…

21 CFR 820.50(a)(1) – An MDR report was not submitted within 30 days of receiving or otherwise becoming aware of information that reasonably suggests that a marketed device may have caused, or contributed to, a death or severe injury. Specifically, several instances were identified where the device caused or contributed to a death or serious injury, and the event was not reported to the Agency. The rationale documented in the complaint record was that the “event occurred outside the United States.”

This type of mistake is most likely due to a lack of training on 21 CFR 803–Medical Device Reporting. Some manufacturers that distribute products internationally are more familiar with the European Vigilance requirements (http://bit.ly/MEDDEV2-12-1rev8). The European Medical Device guidelines indicate in the scope section that “the guidelines are relevant to incidents occurring within the Member States of the European Economic Area (EEA), Switzerland, and Turkey…”.  Therefore, standard industry practice is not to report these events unless the events occurred in Europe.

The FDA Part 803 requirements are worded differently. Part 803 does not indicate that the event had to occur in the United States. By not stating that MDR’s are to be filed for events in the United States only, the FDA expects that manufacturers shall report events occurring outside the U.S. if the devices are “similar” to devices marketed in the U.S. Unfortunately, the FDA’s expectations have not become “Standard Practice” for all manufacturers. Therefore, the FDA is currently circulating new guidance in draft form to clarify this requirement (http://bit.ly/2013-MDR-Draft-Guidance).

If you need help with training on complaint handling or Medical Device Reporting, please download our free webinar: (http://bit.ly/chvg_mda).

Posted in: Complaint Handling

Leave a Comment (0) →

Stage 2 audit preparation for ISO 13485 certification – Part 2

In this article, you will learn what ISO 13485 stage 2 audit preparation you should complete specific to training records and practice interviews.
ISO Stage 2 Cert Stage 2 audit preparation for ISO 13485 certification   Part 2
Create a training matrix to prepare for the Stage 2 audit

If you aren’t sure what is ISO 13485? please visit our 2-part training webinars. During your Stage 1 ISO 13485 Certification audit, the auditor verifies that your company has all 28 procedures required in ISO 13485:2016. During the Stage 2 audit preparation, however, the auditor will be reviewing training records for each employee. A training matrix is one of the best tools for verifying that your training records are completed. First, you create a table of all 28 required procedures in Excel (this is your far left column). Across the top of the table, you need to list each of the employees in your organization. This would be difficult for a large organization, but most companies seeking initial ISO 13485 certification have less than 20 employees. In your training matrix, you need to identify which procedures each employee must be trained on. This is one of the most common ways to identify training requirements, and color-coding the matrix works is helpful.

Once you have defined your training requirements, review and approve this document as a controlled document that you will maintain as the company grows. However, as the company grows, you may convert specific names to job functions. Once the training requirements matrix is reviewed and approved, you should enter the date that training was completed for each employee. This is a more effective check than the “checkbox” approach, and it enables you to verify that everyone was trained since the last revision of any procedure. Now, you have a summary document to prove that 100% of your employees have current training on each of the 28 required procedures.

Interview employees as part of your Stage 2 audit preparation

During the Stage 2 audit, any of the employees could be interviewed by the auditor. As part of your Stage 2 audit preparation, you should interview each employee on your training matrix by asking them the following open-ended questions:

  1. Can you show me where I can find the company’s quality policy?
  2. Please explain how the quality policy is relevant to your job?
  3. Can you show me a copy of the training procedure?
  4. What quality objectives do you or your department monitor?

The first question is typical of auditors. You don’t have to have the policy memorized, but every employee should know where to find it. My favorite location is the back of employee ID badges, but the quality policy needs to be updated periodically. If everyone has the policy on their ID badge, you might consider handing out updated stickers with the revised quality policy when you hand out paychecks. The second question is related to the first, and it verifies that each person understands the importance of their job function as it relates to quality.

The third question is a test to ensure every employee can locate procedures. Don’t help them, because the auditor won’t. After each employee answers the question, make sure you explain the correct answer concerning where the most current version of every procedure is. Redlined copies in a drawer do not exist. The person should also have read each procedure in their training matrix so that they can answer a question. It’s ok to say “I don’t remember,” but they shouldn’t guess.

The fourth question verifies that top management has established quality objectives for all functions and at all levels within the company. Every manager should have at least one quality objective they are tracking, and progress toward the quality objective should be visibly communicated to everyone in the department. Employees, especially managers, should also be aware of where quality objectives for the company as a whole are posted. Ideally, each employee will know how their job function contributes to one or more of these objectives.

Stage 2 audit preparation – How to handle “stage fright”

Anyone can get nervous when they are being interviewed by an auditor–even the most experienced managers. In particular, a large entourage of observers following an auditor can make the situation worse. Therefore, you should anticipate this and discuss this with every employee in your company when you are doing practice interviews. Tell them this is normal, and it’s ok to be nervous. Remind them to take a deep breath to settle their nerves. Assure employees that they will not get in trouble for being nervous, and the company will not fail and audit just because someone has difficulty answering a question. At worst, you will need to initiate a CAPA and do some more training. The best-case scenario for a certification audit is that you will need to initiate a CAPA and do some more training. Either way, the outcome is the same. 

Congratulations on your successful Stage 2 audit preparation

Do not stress everyone out the day before your Stage 2 certification audit. You had six months to prepare, and everyone worked hard to help prepare the company. Now is the time to celebrate with your family. Everyone should go home on time and get a good night’s rest. Positive attitudes and relaxing are as crucial as all the work that has been completed. I learned this lesson the hard way during my first ISO 13485 Certification in 2004. We received certification, but I don’t recommend letting your boss turn purple with rage during the audit–it might be career limiting.

I have only made the mistake of staying up late the night before on one other occasion–and the client was not recommended for certification at the end of the Stage 2 audit. Fortunately, the auditor was able to schedule a follow-up audit within a few weeks, and we were able to address all the open issues at that time. The client received their ISO 13485 certificate and CE Certificate within three months of starting the project, and the certificates were just in time for an important trade show in Germany.

Additional training resources to prepare for ISO 13485:2016 certification

If you are interested in learning more about ISO Certification, please download Medical Device Academy’s whitepaper and watch our six-part webinar training certification course for ISO 13485:2016 certification preparation.

Posted in: ISO Certification

Leave a Comment (0) →

Stage 2 Audit – How to Prepare for an ISO 13485 Certification – Part 1 of 2

This blog teaches you how to prepare for a stage 2 audit on your pathway to ISO 13485 certification, and this blog is part 1 of 2.last prep Stage 2 Audit   How to Prepare for an ISO 13485 Certification   Part 1 of 2

If you are not sure what is ISO 13485? please consider our 2-part training webinar on the topic. Health Canada requires ISO 13485 certification as a requirement for all Medical Device License Applications, and most companies choose ISO 13485 certification as their method for demonstrating conformity to the requirements of the Medical Device Directive (MDD)–instead of a special MDD audit.

To achieve ISO 13485 certification, you must successfully complete a Stage 1 and Stage 2 certification audit with your chosen certification body. If you are interested in an overview of this certification process, you can download Medical Device Academy’s white paper on this topic, or you can watch a webinar we recorded recently on 6 steps to ISO 13485 Certification.

Management Processes are covered during the Stage 1 and Stage 2 audit

The Stage 1 audit is typically a one-day audit where the auditor is evaluating your readiness for the Stage 2 audit. The auditor will review your Quality Manual, and your procedures (19 are required) to ensure compliance with ISO 13485. Also, the auditor will sample records from critical processes to assess your readiness for the Stage 2 audit. Typically, these processes will be:

  1. Management Review
  2. CAPA
  3. Internal Auditing

After you complete the Stage 1 audit, you may have a few nonconformities identified by the auditor. Responding to these nonconformities is the first step in preparing for your Stage 2 certification audit. You need to initiate a CAPA for each of the auditor’s findings and begin implementation before the Stage 2 audit. Typically, you will have about six weeks to implement these actions. This is not usually enough time to complete your CAPAs because you need more time before you can verify the effectiveness of corrective actions.

Preparing CAPA Records is critical for your Stage 2 audit

In preparation for your Stage 2 audit, prepare for the auditor to review any CAPAs that you completed since the Stage 1 audit–especially if you have evidence of completing an effectiveness check. You may think this is unnecessary because the auditor previously reviewed CAPAs during Stage 1. However, you probably received a nonconformity related to your CAPA process (almost everyone does), and you should expect auditors to review your CAPA process during every audit.

CAPA Effectiveness Graph 300x218 Stage 2 Audit   How to Prepare for an ISO 13485 Certification   Part 1 of 2Each CAPA record you present should be provided in a separate folder as a paper, hardcopy. The paper, hardcopy makes it easier for the auditor to review. The folder should include documentation of the investigation, a concise statement of the root cause, and copies of records for all corrections and corrective actions implemented. Corrective actions include procedure revisions and training records. If there is a quantitative measurement of effectiveness, include a graph of current progress with the record. Ideally, the graph will be one of your quality objectives. The graph to the right is an example.

Production Process Controls will get the auditor out of the conference room 

Every company has at least some production and process controls implemented before the Stage 2 certification audit. Most auditors and inspectors spend too much time in conference rooms reviewing paperwork and too little time interviewing people that are performing work. However, many companies also outsource production activities. Therefore, unless you have a software product, you can expect your auditor to review incoming inspection activities. The auditor is also likely to review the finished device inspection, storage, and distribution. If the auditor is thorough, they will also follow the trail from inspection activities to calibration activities, nonconforming materials, and data analysis.

Design Controls

If your company is a contract manufacturer, then you probably are excluding design controls (ISO 13485, Section 7.3) from the scope of your Quality System. However, if you are a manufacturer that performs design and development, then it is an element of the quality system that warrants special attention. During the Stage 1 certification audit, the auditor reviewed only your Design Control procedure. During Stage 2, the auditor will look for evidence of implementing design controls. Therefore, even if your company has not completed your first design project, the auditor will still want to see some evidence of implementation. The auditor will expect at least one design plan to be written, and at least one design review should be completed.

If you are familiar with the FDA Quality System Inspection Technique (QSIT) process for inspection, you might have noticed that this blog is divided into the same subsections identified in the QSIT Manual.

Posted in: ISO Certification

Leave a Comment (0) →

21 CFR 820.80: 3 Ways to Record Inspection Results

6 inch caliper 21 CFR 820.80: 3 Ways to Record Inspection ResultsThis blog reviews the FDA requirements within 21 CFR 820.80 for recording acceptance of a product, including three suggestions for streamlined, value-added inspection. 

If you are inspecting a lot of material at incoming inspection, and the inspection plan calls for inspecting ten samples for length, what is the best way to record the results?

The person that sent me this question also provided three options (read on for better suggestions from Medical Device Academy):

  1. Record the maximum and minimum dimensions
  2. Record all ten measurements in a data collection table
  3. Circle “pass” or “fail” next to each sample number

21 CFR 820.80 Requirements

The first method fails to meet the requirement as specified in 21 CFR 820.80(b) (http://bit.ly/21CFR820-80) because recording only the maximum and minimum dimensions of the ten samples do not include the inspection results for the eight samples in between the extremes. The second method meets the requirements, but this method takes the most amount of time. The third method appears to meet the requirements. However, if you read the FDA requirements more carefully, 21 CFR 802.80(e)(3) states that “[Inspection] records shall include…the results.” If the test method is pass/fail, circling pass or fail makes sense, but if the test is a measurement of a dimension, then the result should be a measurement. Also, if you have to perform an investigation for a complaint or non-conforming product, then this dimensional information might be critical to the analysis.

The FDA has provided an official interpretation of these requirements in the preamble: http://bit.ly/QSR-preamble. “Comment # 147: One comment stated that recordkeeping is a significant cost factor in the operation of a total quality system and that the revised CGMP regulation should not add cost through duplication of documentation. The comment said recording all quantitative data is inappropriate and of little value.

FDA agrees that unnecessary duplication of documentation should be avoided. They also believe that the Quality System Regulation requires the minimum documentation necessary to ensure that safe and effective devices are designed and produced. FDA similarly believes that maintaining records of results of acceptance activities is imperative to ensure that non-conforming product is not inadvertently used or distributed. FDA has, however, deleted from Sec. 820.80(a) the requirement for recording the results of inspections and testing, because Sec. 820.80(e) requires that the results of acceptance activities be recorded. The requirement in Sec. 820.80(a) was, therefore, unnecessary. Further, the regulation does not specify quantitative data, but simply requires that the results be recorded.

The FDA believes that it is essential for the manufacturer to maintain records which provide evidence that required acceptance activities were completed. These records must clearly show whether the product has passed or failed the acceptance activities according to the defined acceptance criteria. If a product fails to pass acceptance activities, you must identify the product as a non-conforming product and conduct an investigation. If the acceptance records are not clear about how the product failed, then the manufacturer may end up duplicating the acceptance to perform appropriate investigations.

Here are three other methods that can save you time and add value.

Method 1: Run Charts

If you create an inspection form that is in the form of a “Run Chart,” then you can put an “X” on the appropriate location of the Run Chart for each sample (see Chart 1 below). It is less time consuming to write an “X” than the actual value. However, if you need to conduct an investigation, you can convert the “X” into a quantitative number and enter the values into a spreadsheet or statistical analysis software (e.g., Minitab). Also, inspectors and supervisors can visually glance at a Run Chart and determine if the measurement is “in control” or “out of control.” This is done by marking the upper and lower specifications on the Run Chart. Over time, alert limits can be established as a preventive action, as well. You can also use this data as a rationale for eliminating certain inspections, reducing sampling, qualifying suppliers, and even converting a part from statistical sampling to a “dock-to-stock” inspection.

Chart 1 for Inspection Blog 21 CFR 820.80: 3 Ways to Record Inspection Results

One disadvantage of Method 1 is that it takes time to create inspection forms, and the forms need to be maintained as a controlled document, with the drawings for each part–as paper records or electronically. Therefore, I recommend that companies create a quality plan that calls for creating one of these charts every time an NCR is initiated for a part. That way, you only are creating this type of chart for parts that are found to be out of specification. This approach allows you to implement the work over a reasonable period of time.  You can also get into the habit of automatically reviewing historical data when you have an NCR that does not already have a Run Chart created.

Method 2: Automation

If you have critical inspection activities and a high volume of parts to inspect, you may want to automate the process of recording measurements and performing data analysis. This can be done by purchasing digital inspection devices with the ability to automatically send the values to a computer system. Devices with this capability only require pressing a button to record the value, and the computer system will often provide the inspector with the sampling plan for each lot automatically. These are sophisticated software systems that require validation, but this gives manufacturers extensive real-time data on supplier performance, in-process inspection, and final acceptance of the product. The primary disadvantage of this method is the cost of installation and set-up.

Method 3: Pass/Fail with Go/No-Go Gauges

If a supplier is capable of making good parts with a high degree of certainty, you may not need routine monitoring of part dimensions. In this case, you can reduce your inspection time by using a “go/no-go” gauge for critical attributes instead of measuring the dimensions. This type of gauge would be ideal if the tolerance for a part with a tolerance of +/- 3 mm. The length of a part can be verified to be between two lines, representing the upper and lower specification for the tolerance. This method can also be used for precise tolerance if magnification is used. Still, it is recommended to perform a gauge R&R study of any go/no-go gauge for parts with known dimensions (both conforming and non-conforming products). If this type of inspection is used, you can use an inspection record that only records pass/fail. This inspection method is not recommended, however, for parts that occasionally are out of conformity, because re-measurement of parts will be necessary as part of the investigation of non-conforming product.

Statistical Techniques

The biggest advantage of method one and method 2 is that they facilitate conducting a statistical analysis of data. Chart 1 shows that there is too much variation for the tolerance of 6.50 mm to 6.60 mm. Some companies qualify suppliers for a new part by establishing a threshold for a minimum Cpk value (i.e., process capability coefficient). A typical Cpk minimum is 1.33. Often the company will require that the supplier provide the data for 100% inspection of the initial production lot. This data is then used to create a sampling plan based on the likelihood of parts being out-of-specification. High-risk dimensions might require 99.5% confidence; medium risk dimensions might require 99% confidence, and lower risk dimensions might require 95% confidence. Each confidence level corresponds to a different Cpk value. It is not possible to do this type of analysis for Method 3.

Posted in: Supplier Quality Management

Leave a Comment (2) →

Where to Focus Your Medical Device Complaint Handling Training

%name Where to Focus Your Medical Device Complaint Handling Training

Medical Device Academy performed data analysis of FDA 483s for 2013 and identified four areas of focus for your medical device complaint handling training. 

One of the challenges of creating a strong training curriculum is the need for practical examples. This is why there are lots of stories about real-life companies and products in every Medical Device Academy training event. We learn more from our painful mistakes than we do from our success stories. When you recall a product, report deaths involving a product your company made, or if you receive a Warning Letter—these are events that we will never forget.

Medical Device Academy recently posted a blog (http://bit.ly/outsourcing-complaints) about complaint handling, because this is one of the most common areas identified in FDA Form 483s and Warning Letters. Therefore, if you are trying to develop training on the topic of complaint handling (i.e., 21 CFR 820.198), then you should look for examples from your competitor’s mistakes. The following is a list of places you should look:

  1. Past inspection reports issued to your company by the FDA
  2. Any inspection reports or Warning Letters about your competitors that become public
  3. Other Warning Letters that mention complaint handling as an issue

Here’s an example of the type of 483 observation you might find: “Failure to adequately establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit, as required by 21 CFR 820.198(a).”

The example above identifies five different problems with a complaint process:

  1. You need a procedure 
  2. You need to designate a complaint handling unit
  3. You need to define the process for receiving complaints
  4. You need to define the process for reviewing complaints
  5. You need to define the process for evaluating complaints

21 CFR 820.198 is a prescriptive requirement in the regulations. Therefore, you not only need to create a procedure specifically for complaint handling, but you also need to ensure each element of the requirement is satisfied. This is important because FDA inspectors will verify that your procedure includes each element.

Medical Device Academy performed data analysis of FDA inspection reports for FY2013 (http://bit.ly/Form483-FY2013) to identify other common mistakes related to complaint handling. The data analysis of FDA inspection reports for FY2013 identified that there are 15 individual citations related to complaint handling that the FDA identified using the TURBO EIR System (http://bit.ly/FDA483s). The table below summarizes the frequencies of these 15 sub-sections that were referenced in citations during FY2013 under the complaint handling category: 

483 Where to Focus Your Medical Device Complaint Handling Training

Medical Device Complaint Handling Training: 4 Critical Areas of Focus

The above table identifies several other sub-sections that present problems for companies. Based on the data analysis, your company should also be training your complaint handling unit in the following four critical areas:

  1. Maintaining complaint files
  2. Reviewing and evaluating complaints for the need to perform an investigation
  3. Documenting complaint investigations in your complaint files
  4. Determining whether a complaint is reportable under 21 CFR 803

The fourth area is one of the most important because these complaints involve injury, death, and product malfunction. Therefore, you might consider reviewing the TPLC database (http://bit.ly/FDATPLC) for MDRs. The best data to review is data for the same product codes that your company distributes, but reviewing any MDRs can teach your employees which types of incidents need to be reported. This area will also receive increased scrutiny with the recent changes to 21 CFR Part 803 (http://bit.ly/udpated-21CFR803).

Posted in: Complaint Handling

Leave a Comment (0) →
Page 18 of 29 «...101617181920...»