9 Major Steps That Should Be In Your UDI Implementation Plan

1 Comment / Unique Device Identification (UDI) / By / , , ,


steps udi 9 Major Steps That Should Be In Your UDI Implementation PlanIn the last blog, I started the discussion on UDI implementation and how it will impact nearly every area of your company. Successful implementation will take careful planning and coordination throughout the organization and, in some cases, outside your company. As with every other FDA regulation, you will need to have resources available to maintain and update your systems; plus, you will need resources to update and maintain the Global UDI Database (GUDID). 

 What Comes Next?

The UDI regulation is a maze. In trying to solve a maze, it is often easier to start at the end. This same philosophy should be used to implement UDI in your company. Start your implementation process with the outcome in mind. It is more than simply meeting a timeline. UDI implementation should be viewed as a way to improve your business with the daily processes you use. It should help you standardize your daily processes, especially regarding data gathering, label design, and communication with your trading partners. This process will yield helpful marketing information, one of the most outstanding values resulting from implementing a UDI system.

Create an Implementation Playbook

Creating a playbook or strategic plan is a necessary step. Without one, your hope of successfully implementing UDI requirements will be severely reduced. Your playbook should focus on solving real business problems within your organization. Issues such as how will you collect missing data? Create a “label brand” through standardization. Are you able to develop a cross-functional team for implementation and beyond? Can you streamline your labeling and packing functions? What can other processes be improved? The playbook you create must be tailored to solve your organization’s issues.

Now the Specifics

Implementing the strategic plan for your organization requires coordination of UDI-related activities from all impacted areas identified in your plan. In addition to having an overall UDI leader, each area should have a designated person responsible for ensuring the tasks assigned to their area are completed. The significant steps of each plan should include:

1. Acquire missing data attributes and create a data management process

o   Develop a protocol for obtaining missing attributes

o   Determine who is responsible for compiling the information

o   Determine who is responsible for managing the collected information

    • Enter into Excel spreadsheet

o   Establish a verification and validation process

o   Determine who is responsible for validating the information

    • Review source documents against gathered information

2. Amend label/packaging composition and components; order by the device compliance date

o   Develop label template for the entire organization

o   Develop a label sign-off process to include all impacted areas

o   ADIC Technology will work for you? Concatenated, Stacked, 2-D Matrix? What are the technical capabilities of your trading partners? 

o   What packaging changes are required to accommodate new labels?

o   Determine what the global considerations for label changes are. Do other regulatory agencies need to approve label changes? Will amend or new device submissions be required?

3. Compose, create, administer, and verify/validate software system changes and integrations

o   Does 21 CFR Part 11 apply to these changes?

4. Acquire new or upgrade existing labeling and packaging equipment and verify/validate

o   Does 21 CFR Part 11 apply?

5. Rehearse connectivity with GUDID and verify all systems are functioning correctly

o   Does 21 CFR Part 11 apply?

6. If required, plan for Direct Marking requirements

     o   Obtain etching equipment appropriate for your devices

7. Create/revise Quality System SOPs as needed and conduct process validation

8. Determine if, as part of your strategic plan, your company should invest in building inventory levels – using the three (3)-year extension period for inventory labeled before the compliance date – to create a buffer in case implementation is delayed.

9. Develop training programs to train staff on new responsibilities in maintaining the UDI system. Whether the outcome of your implementation is successful or not is directly tied to how well your team plans and executes. Validation of the changes becomes a significant aspect of the implementation process and cannot be taken lightly. Remember the adage – “Garbage in, garbage out.” But in this case, there are serious ramifications for “Garbage in.”

UDI – the Forever Project

UDI is not a “one-and-done” project. The entire system will need continual maintenance. Computer systems will need constant updating as changes to devices or new ones are developed. It would be best to appoint someone with clear responsibility for maintaining your information in GUDID. Postmarket surveillance activities also feed into the post-implementation process, as device changes are made due to tracking and reporting activities. And you will find that you will continually need to train your staff on UDI requirements, especially with staff turnover.

The actual value is not in the barcode; it is the DATA that will be generated from using barcodes.   Finally, identify the appropriate value proposition for your organization, and remember that in healthcare, there is no single answer for all situations.       

9 Major Steps That Should Be In Your UDI Implementation Plan Read More »

How Are EU Device Regulations Changing and When?

1 Comment / CE Marking / By / , , ,

Screen Shot 2014 04 15 at 3.01.52 PM 238x300 How Are EU Device Regulations Changing and When?

This blog, “How Are EU Device Regulations Changing and When?” includes 9 of the most significant proposed changes and compliance deadlines. 

The CE Marking process for medical devices is currently defined by three directives:

  1. Medical Device Directive (MDD), 93/42/EEC (http://bit.ly/M5MDD)
  2. Active Implantable Medical Devices (AIMD) Directive, 90/385/EEC (http://bit.ly/AIMDDirective)
  3. In Vitro Diagnostics Directive (IVDD), 98/79/EC (http://bit.ly/currentIVDD)

The EU Commission proposed revising the system from three directives requiring transposition by member states to two regulations: 1) http://bit.ly/EUIVDProposal, and 2) http://bit.ly/EURegs. The most significant proposed changes are:

  1. The Commission will have the opportunity to review recommendations for CE Marking before approval (i.e., the Scrutiny Process)
  2. The ability to create Common Technical Specifications will be expanded from IVDs to all devices
  3. A new class of “Special” Notified Bodies will be created
  4. Notified Bodies will be audited jointly by Competent Authorities
  5. Unannounced audits will be enforced
  6. Spinal implants, devices that control and monitor active implants, nanomaterials, apheresis machines, and combination products will be reclassified as Class III devices requiring a Design Dossier.
  7. Most IVD products will require Notified Body involvement
  8. A Unique Device Identifier (UDI) system will be required for labeling, and the Eudamed database will be expanded
  9. Formatting of Declarations and Technical Files will be revised

When Will the Final EMDR be Approved?

The EU Commission took from February 2012 to September 2012 to write a proposal for new European device regulations. Parliament took 13 months (i.e., September 2012 to October 2013) to revise and fast-track its version of the new European device regulations, and the Council will probably take a year to finish its version of the regulations. Therefore, negotiations between Parliament and the Council will begin after the 2014 summer holiday. The final approval date is unknown, but my current guess is October 2015.

On September 12, 2013, Eucamed released the results of an industry survey (http://bit.ly/CostofEURegs) stating that the proposed regulations are expected to increase the cost of regulatory approvals by 17.5 billion Euros for medical device manufacturers collectively. The survey details indicate that implementing the UDI system, which improves labeling and clinical performance data, will require a 7.5 billion Euro investment to implement new software systems to comply with the UDI regulations. Also, industry survey respondents indicated that an additional 2.5 million Euro investment would be required for each new Class III device that is required to undergo the proposed Scrutiny Process in Article 44. Financial implications and political pressures could force the Council and Parliament to make significant revisions to the proposed regulations to reduce the cost of implementation.

Some key elements need to be in place before implementation of the proposed regulations can reasonably begin. First, Notified Bodies need more staff to conduct audits and review technical documentation–especially for high-risk devices. Second, the European Databank of Medical Devices (i.e., Eudamed) must be ready to implement UDI labeling and other documentation required by the EMDR (Eudamed). Third, the European Commission plans to build a new centralized organization that is responsible for overseeing the Notified Bodies. These three elements will take more than a year, and planning has only begun.

What Is The Compliance Deadline?

The original proposal, released in September 2012, indicated that there would be a three-year transition period for implementation of the EMDR from 2014 to 2017. This transition period would begin with the highest-risk Class III devices first, and lower-risk devices would be phased in over three years. However, if the EMDR were finalized in October 2015, the implementation period would end at the end of 2018.

A complete review of the new regulations can be found at MDDI-article-EU-Device-Reg-Changes.

How Are EU Device Regulations Changing and When? Read More »

4 Ways to Make the Best Use of Medical Device Remote Audits

2 Comments / ISO Auditing / By / , , , , , , , ,

This blog identifies how to use medical device remote audits effectively, save time and resources, and when you should not conduct audits remotely.remote audits blog 4 Ways to Make the Best Use of Medical Device Remote AuditsMost audits ISO 13485 are performed onsite at the location where the processes are being performed, and are the most effective approach to internal and supplier audits. But conducting an audit from your desk makes more efficient use of your time as an auditor. A large percentage of audits are conducted from conference rooms where the auditor spends an excessive amount of time reviewing documents and records, or waiting for documents and records to be delivered. 

In 2006, the first edition of the ISO 17021 standard for certification of quality systems by certification bodies was released. ISO 17021 requires that initial certification audits be conducted in two stages. Stage 1 has several requirements, but the first element of Stage 1 is reviewing quality system documentation. In most cases, Stage 1 and Stage 2 audits are conducted onsite. Still, if the auditee is located in a remote location (such as New Zealand), Stage 1 audits will sometimes be conducted via conference call. 

Prior to ISO 17021, a review of quality system documentation was the only task performed before the initial certification audit, and the documentation review was typically conducted remotely as a “desktop” audit. Desktop audits have been used for decades as a way of auditing quality system documentation without traveling. However, desktop audits can be much more than a review of quality system documentation. You can interview auditees on the phone, review records, even ask auditees to demonstrate activities in real-time using a web camera.

Documentation can also consist of much more than text. Raw data, statistical analysis, and photos can be used to communicate additional information. The more multimedia content provided to auditors remotely, the closer a remote audit becomes to auditing on site. The same requirements as certification bodies do not bound internal auditors and supplier auditors, and audits may be conducted onsite or remotely. The most recent version of ISO 19011 (2011), includes a comparison table for onsite and remote auditing in Annex B.

Medical Device Remote Supplier Audits

The use of remote audits to qualify suppliers is not recommended for four reasons:

  1. onsite visits facilitate the building of supplier-customer relationships
  2. touring facilities and watching a demonstration of processes improves understanding of a supplier’s processes better than reading documents and records can
  3. Cleanliness and capabilities of suppliers are best evaluated onsite, where camera angles can be used to crop out important details
  4. sometimes suppliers misrepresent their capabilities by showing photographs on their website of other companies.

After you have qualified a supplier, however, you may not need to audit them onsite regularly. If a supplier’s performance is good and risks associated with nonconforming components supplied are minimal, then you have a justification for conducting a remote audit. However, if a supplier’s performance is poor, you may want to use a remote supplier audit as a precursor to an onsite supplier audit to investigate the reasons for nonconforming components (i.e., a “for cause” audit). Regardless of the situation, the amount of time spent in your supplier’s conference room should always be by reviewing documents and records remotely. This will reduce the amount of time required at each supplier, and enables you to audit two suppliers during the same trip.

Medical Device Remote Internal Audits

It might not occur to you that there would be any need for remote internal audits. However, not all internal audits are performed by a person working at your location. Larger companies have multiple sites, and many of the internal audits are performed by auditors from corporate headquarters and other locations. In the case of internal audits performed by auditors from other locations, travel time can be minimized by performing part or all of the internal audits remotely. This approach can also work for consultants hired to conduct internal audits. There is no need to spend money on the cost of travel for a consultant if the consultant is only going to be auditing documents and records. The following are great examples of processes that can be audited remotely:

  1. CAPA
  2. Management Review
  3. Internal Auditing
  4. Supplier Controls
  5. Complaint Handling
  6. Adverse Event Reporting

Medical Device Remote Re-audits

21 CFR 820.22 indicates that re-audits may be required where corrective actions have been taken to verify the effectiveness of the actions taken: “Corrective action(s), including a re-audit of deficient matters, shall be taken when necessary.” However, if nonconformities identified during an audit are categorized as “high-risk,” it may be essential to conduct a verification of corrective action effectiveness as soon as possible.

Sometimes, effectiveness can be determined by reviewing quantitative metrics. Still, if a re-audit is needed, then a remote re-audit may allow the auditor to verify the effectiveness of corrective actions without the necessity of being onsite. If verification of corrective action effectiveness can be performed by reviewing documents and records, a remote re-audit is appropriate. Other corrective actions, especially those involving production and process controls, typically require onsite verification.

Remote Audit Team Members

Most medical device companies have a limited number of qualified auditors, and auditing is almost always a secondary job duty. However, audits often require specific technical knowledge that only one or two auditors may possess. Therefore, it may be extremely difficult to schedule a team audit when all the required auditors and auditees are available. There is another option to postponing your audit. You might consider having some of your auditing team members audit remotely from their desks, while the rest of the team conducts an onsite audit. For example, most lead auditors can conduct a process audit of incoming inspection, storage, and shipping. However, auditing surface mount assembly lines for the fabrication of printed circuit boards requires more technical knowledge of this type of process. Technical expertise is also needed to audit sterilization or CNC machining.

By working together, onsite audit team members can take directions from a technical subject matter expert working remotely and gather information needed to audit any process properly. This approach minimizes time requirements for subject matter experts, and remote audits by team members reduce the cost of travel.

If you are interested in learning more about Turtle Diagrams and the process approach to auditing, please register for our webinar on the process approach to auditing. If you are interested in learning more about how you can use remote audits to save time and money, please contact us. We can help you identify immediate opportunities.

4 Ways to Make the Best Use of Medical Device Remote Audits Read More »

5 Classic blunders that result in an fda warning letter from CDRH

1 Comment / FDA / By / , , ,

FDA Warning 5 Classic blunders that result in an fda warning letter from CDRHThis blog reviews 5 of the most common reasons for why CDRH issues FDA warning letters and preventive actions are suggested for each of the five reasons.

The following is a quote from an interview I conducted with a former FDA inspector:

“You’re in deep trouble if the [FDA 483] response is excellent, and the corrective actions are excellent, but when the FDA comes back, you never bothered to implement those corrective actions. Now you know that you have that warning letter coming at you.”

#1 – No actions implemented for CAPAs

The former inspector describes one of the most common reasons for FDA warning letters. If an FDA investigator issues an FDA 483, you must respond with a corrective action plan (FDA-483). However, you must implement your plan to close the FDA 483 inspection observation(s) during the next FDA inspection. CDRH’s QSIT inspection manual (http://bit.ly/QSITManual) requires that the CAPA process be evaluated during every inspection–even during abbreviated inspections, where only two of the four major quality subsystems are sampled (i.e., “CAPA + 1”). Therefore, the FDA investigator will notice if no actions have been taken for CAPAs that were initiated since the last inspection. If the CAPAs are specific to the FDA 483–CDRH requires the FDA investigator to review those records first. To ensure that corrective actions are being implemented and documented, I recommend three ways of controlling the process:

  1. monitor the “aging” of CAPAs and establish a quality objective for average days aging
  2. have an independent expert perform a desktop audit of your CAPA process
  3. ensure that you carefully review each CAPA that is behind schedule during Management Reviews (which should be at least quarterly)

#2 – FDA 483 response submitted late

A second common reason for receiving an FDA warning letter is a failure to submit an FDA 483 response to the district office within 15 business days. The FDA has always involuntarily required a medical device firm to respond to an FDA 483 within 15 business days, but in 2009, a post-inspection review program (http://bit.ly/15Dayresponse) was initiated where it became mandatory that a response from any FDA 483 must be received by the Agency within 15 business days, or FDA warning letters are automatically issued. This is an automatic issuance that results in a very quick response from your CDRH district office. Therefore, you need to respond aggressively to FDA 483s with corrective actions and submit your response early.

Note: The FDA warning letters are only issued when inspection observations result in an “Official Action Indicated” (OAI). However, inspectors will not tell you if the outcome is OAI or Voluntary Action Indicated (VAI). This determination is made by the District Office of the FDA. Therefore, all device manufacturers should assume that the outcome may be OAI.

#3 – Submitting a response without evidence of implementing changes

This past Saturday, I recorded a webinar on the “7 Steps to Respond to an FDA 483 Inspection Observation” (http://bit.ly/FDA-483-response-webinar). The title of the third slide in that presentation is “The FDA may be late…”. I mentioned that it is not uncommon for FDA warning letters to be issued six months after the actual inspection occurred. The following warning letter is an example (http://bit.ly/fda-warning-letters-example1).

I don’t personally know this firm, but I found this example by searching through the FDA warning letters database: http://bit.ly/fda-warning-letter-search. The company received an FDA 483 with multiple inspection observations on November 4, 2010. The company was non-compliant in the following areas: CAPA (21 CFR 820.100), complaint handling (21 CFR 820.198), and design controls (21 CFR 820.30). The company responded to CDRH on November 23. This was 13 business days after the FDA 483 was received, and with FedEx shipping, it probably arrived at the FDA barely in time–November 29 (the Monday after Thanksgiving).

Unfortunately, the response did not include evidence of correcting the existing procedure deficiencies. The plan indicated changes were going to be made, but the FDA expects you to revise procedure deficiencies quickly (i.e. before you mail the response to the FDA 483). If it is impossible to make corrections in this timeframe, a risk-based approach is recommended. For example, the complaint handling process is the most critical of the three processes identified as deficient in the warning letter. Therefore, the company should have enclosed a revised complaint handling procedure and promised to revise the CAPA and design control procedures within a few weeks.

The FDA warning letter was not issued for this example until April 6, 2011–almost six (6) months from the date of the FDA 483 issuance. CDRH offices are ghost towns in December. Therefore, it was important for the company to contact CHRH early in November to identify an email address and contact to send documentation regarding implementing corrective actions. The company could have revised the other two procedures in December and implemented all three procedures in December. Evidence of thorough implementation of corrections and corrective actions by email is often adequate to prevent FDA warning letters.

This is extremely important for international firms because a second warning letter for an international firm results in a warning letter with automatic detention (i.e., the company cannot import a product into the USA). In this example, the second warning letter was issued on November 26, 2012 (http://bit.ly/fda-warning-letters-example2).

#4 – Failure to remove objectionable marketing communications

The FDA does not routinely visit companies that only manufacture Class 1 (i.e., low-risk) devices. However, they routinely visit companies that manufacture medium-risk, Class 2 devices. The FDA reviews websites and other marketing communications for marketing claims that are not within the scope of an issued 510k. Typically, the claims that are allowed are almost verbatim from 21 CFR (i.e., Title 21 Code of Federal Regulations). Therefore, many companies receive an FDA 483 indicating that they are claiming an indication for the use of which the device does not have clearance (i.e., a 510k). The company is expected to remove the claims and/or submit a 510k in these cases. In these cases, CDRH will often wait a year or more before taking additional action to give the firm ample time to obtain clearance for the indications. Here is a link to an example of a warning letter of this type: http://bit.ly/fda-warning-letters-example3.

#5 – Design controls are not implemented at all

Design controls are the most common reason for the issuance of an FDA 483 (483-Data-Analysis). If you read the blog, Medical Device Academy wrote on the data analysis of FDA 483 inspection observations issued in FY2013 by CDRH, and you may have wondered how design controls are the #1 most common FDA 483. Still, the highest individual clause reference is #8 [i.e., 21 CFR 820.30(i)]. Reviewing this next warning letter example (http://bit.ly/fda-warning-letters-example4), it should become clear that some companies do not have a design control process implemented. In this situation, the FDA investigator is likely to issue a separate FDA 483 against each of the required elements:

  1. 21 CFR 820.30(e) – design reviews
  2. 21 CFR 820.30(f) – design verification
  3. 21 CFR 820.30(g) – design validation
  4. 21 CFR 820.30(h) – design transfer
  5. 21 CFR 820.30(i) – design changes

In this specific example, the FDA investigator issued the FDA 483 on August 16, 2012, and the warning letter was issued immediately after the FDA returned from the holidays–January 4, 2013. This firm had a narrow window of time between August and November to submit an FDA 483 response and then follow up with documentation of completing the CAPA plan. The warning letter indicates that the corrective action plan was inadequate, but the FDA still took several months to issue the warning letter.

If you recently had an FDA inspection and received an FDA 483, ensure you don’t make any of the above mistakes. You might also want to take the webinar on this topic: http://bit.ly/FDA-483-response-webinar.

If it’s been a year since you received an FDA inspection, you might want to watch the video on this webpage: regulatory-compliance-services

5 Classic blunders that result in an fda warning letter from CDRH Read More »

7 Steps to writing an FDA 483 response

4 Comments / FDA / By / , , , , ,

Responding in 15 business days is one of 7 steps on how to write an FDA 483 response, but do you know what should be in your response?7 steps fda 483 blog 7 Steps to writing an FDA 483 responseWhen an FDA investigator has an inspection observation, the investigator issues an FDA 483. “Form 483” is the FDA form number. If your company receives an FDA 483, it is critical to understand how to write your FDA 483 response in order to avoid a Warning Letter. In the words of a former FDA investigator, “Many, many times I have seen an [Official Action Indicated (OAI)] classified inspection that had been recommended for a Warning Letter by the compliance branch be set aside based upon the response of the firm.”

The best way for your company to write a FDA 483 response is to provide a brief cover letter and to use your CAPA process. Every 483 inspection observation needs to be addressed in the FDA 483 response as a separate CAPA. Make sure that your response includes the following seven steps below:

  1. respond within 15 business days (earlier is better)
  2. use your CAPA form and a cover letter–instead of a memo
  3. document the investigation that was conducted with a concisely stated root cause
  4. identify containment measures and corrections to address each specific observation by the FDA inspector
  5. identify corrective actions planned and the date(s) you expect to complete implementation
  6. Include documentation of containment, corrections and corrective actions that are completed at the time you submit the response
  7. follow-up with a memo confirming that all the corrective actions are complete and include all related documentation–including training for any new procedures or any new corrective actions that warranted training

Your FDA 483 response is required in less than 15 business days

The FDA has always involuntarily required a medical device firm, or any firm under FDA jurisdiction that received an FDA 483, to provide a written FDA 483 response to the District Office within 15 business days. As of two years ago (http://www.gpo.gov/fdsys/pkg/FR-2009-08-11/pdf/E9-19107.pdf), it became mandatory that the Agency must receive a FDA 483 response within 15 business days, or an automatic Warning Letter is issued. You need to respond aggressively to FDA 483s with corrective actions, and submit your response early. The FDA has also modified the format of the response to require email responses.

Use your CAPA forms instead of a memo.

I have asked several former FDA investigators whether they would prefer to see firms submit responses in memo format, or by using their CAPA forms and a cover letter. Some told me that they prefer to see firms use their CAPA forms, while others don’t seem to have a preference. Nobody from the FDA has ever indicated a preference for a memo. I see no point in doubling your work and risking transcription errors. If you have an electronic system that does not have an easy-to-follow output format, go ahead and copy-and-paste the information from your electronic database to your memo. If the CAPA system output is easy to follow, just use a cover letter and copies of the forms.

Document the investigation and root cause

This is definitely my pet-peeve, but a one-sentence “root cause” is not enough for an FDA 483 response. Regardless of whether I am doing a mock-FDA inspection, an internal audit, or a supplier audit–I expect you to document how you determined the root cause (http://robertpackard.wpengine.com/five-tools-for-conducting-root-cause-analysis/). If it’s trivial and obvious, then it must have been something important, or I would not have written a nonconformity. Therefore, you should be looking beyond the immediate scope of the FDA 483 to ensure that a similar problem cannot occur elsewhere. In the language of the FDA, this is a preventive action, because you are preventing occurrence with another process or product. Most ISO certification auditors are purists, and they won’t accept this as a preventive action. You will have to show the purists something special–maybe from your data analysis.

Don’t forget containment and correction

For every 483 observation, including the subparts, you need to identify if immediate containment is necessary and how you can correct the problem. Whenever possible, you should attempt to implement the containment and corrections during your FDA inspection. It would be fantastic to give the FDA inspector a copy of the new CAPA you initiated during the audit. The new CAPA would identify containment and corrections that have been or will be implemented–including any nonconformity(s) you initiated to quarantine product. You may still get an FDA 483 inspection observation, but you are likely to convert a possible Official Action Indicated (OAI) into a Voluntary Action Indicated (VAI). You can also modify the CAPA wording later in your FDA 483 response to include a cross-reference to the FDA 483 and quote the exact wording the inspector uses.

Explain the corrective action plans and timelines

Clarity, brevity, and realistic plans are critical in this section of your response. I prefer a table that looks like the example shown below.

7 steps 483 chart 7 Steps to writing an FDA 483 response

Show the FDA you have already taken action in your FDA 483 response

Whenever possible, you want to show the FDA that you are taking action without delay. If you revised the SOP for MDRs and scheduled a group training for July 15, then you should provide the FDA a copy of the revised procedure and a copy of the agenda for your planned training session. The only caution is to only commit to actions you are certain you will implement. You can always do more, but it will be much harder to explain why you did not implement an action you submitted in your FDA 483 response.

Follow-up with a second FDA 483 response before the FDA asks for it

The FDA’s compliance office will be looking for a response when an FDA 483 is issued, and they will review your response. The investigator will get a copy of the FDA 483 response, and the investigator will comment on the response. The compliance office and the investigator enter their comments into a CDRH database. Still, the comments are only general, as to whether the response is adequate or inadequate and will require additional review.

If you do not hear back from the FDA, do not assume that the compliance office or the investigator was satisfied. You should also follow-up several months later (earlier if possible) with a letter that includes evidence of the completed corrective actions, and your verification of effectiveness. If the verification is compelling and received in less than six months of the inspection, you may convince the compliance office to hold off a planned Warning Letter.

If you are interested in root cause analysis and improving your CAPA process, we have two related webinars:

7 Steps to writing an FDA 483 response Read More »

The First 4 Steps of Unique Device Identification Implementation

1 Comment / Unique Device Identification (UDI) / By / , , ,

fda udi clock The First 4 Steps of Unique Device Identification Implementation

In this blog, the author explains the first four steps of the Unique Device Identification system implementation and why they are essential.

UDI implementation will impact nearly every area of your company. Successful implementation will require careful planning and coordination throughout the organization and, in some cases, outside your company. You will need to assign resources to update and maintain your systems and the Global UDI Database (GUDID).

The Commitment to Begin is Step 1

The first implementation step is committing to begin. Unique Device Identification (UDI) systems have been used in healthcare for many years, especially for over-the-counter products (commonly known as “UPCs”). Many companies have already implemented UDI systems using one or more of the Issuing Agencies’ protocols. They understood the benefits of moving forward with developing UDI capabilities in advance of any regulatory requirements. Customers also played a role in influencing early adopters of UDI. Customers told companies to employ standardized methods, such as UDI. Otherwise, they would stop buying their products. The fear of losing a customer is a powerful incentive, but early adopters also understood the additional benefits of being an early adopter of UDI–including:

  • Ability to control the pace of implementation without having to be concerned with mandated timelines
  • Becoming “easy to do business with.”
  • Reduction in transaction errors
  • Decreased order-to-cash process time
  • Help customers ensure patients receive the correct products
  • Reduce costs associated with product recalls and other business processes
  • Increase patient safety and satisfaction
  • Reduce waste through better inventory management throughout the supply chain.
  • Increase revenue through greater product line exposure to the customer base.
  • Increase the speed-to-market of new devices.

FDA regulation has now mandated UDI implementation for most medical device labelers. Compliance dates are established. If you miss the date(s) relevant to your devices, you can no longer legally sell your medical devices. Why wait? Start the implementation process now.

Now what? The second step…

Since UDI implementation is a significant undertaking for any company, a UDI champion and implementation team should be created with members from all impacted departments before beginning the planning process. It is also important to involve top management because obtaining management support is critical to a successful implementation.

Step 3: Selecting an Issuing Agency

The next step of the UDI implementation process is to select an Issuing Agency that best meets your needs and your customers’ needs. The FDA accredited three organizations that assign Labeler IDs you can choose from: GS1, the Health Industry Business Communications Council (HIBCC), and the International Council for Commonality in Blood Banking Automation (ICCBBA). GS1 and HIBCC assign Labeler IDs to “labelers) of medical devices, while ICCBBA is for medical devices of human origin (blood, cell, tissue, and organ products), also known as HCT/P. GS1 assigns Global Location Numbers (GLN), HIBCC uses Health Industry Numbers (HIN), and ICCBBA issues Facility Identification Numbers (FIN).

If your company is not already partnered with one of the Issuing Agencies or still needs to select an Issuing Agency, you should survey your key customers to determine if they are implementing UDI systems or already have UDI systems. You may find customers using all three versions of UDI labeling (GTIN from GS1, HIBC from HIBCC, and ISBT-128 from ICCBBA). If you don’t label blood, cell, tissue, and organ (HCT/P) devices, then you can rule out ICCBBA. Conversely, if you only sell HCT/P devices, you can rule out GS1 and HIBCC. Ultimately, selecting an Issuing Agency is your company’s to make–and remember that you can enter two different Issuing Agencies for each medical device in the GUDID.

Step 4: Unique Device Identification Implementation Planning

Analyzing, strategizing, and planning are essential to determining if you will successfully implement UDI and the related GUDID submission. You need to fully understand your devices, labeling/manufacturing locations, and packaging requirements. Study the UDI Regulation to comprehend which aspects you must comply with as you develop your plan. Specifically, these undertakings should be completed as part of the planning process:

  • Start with the end in mind. Understand the UDI maze. What outcomes do you want?
  • Create a playbook to focus on solving business problems. Standardize procedures as much as possible and tailor solutions to your company’s needs.
  • Group your products by Device Class, Manufacturing Location, Packaging Requirements (sterile, kit, etc.), and any other criteria you need.
  • Perform a gap analysis between the device information you have and what you need for submission to GUDID.
  • Determine if your data management system(s) can maintain GUDID information and communicate UDI or DI information as required (sales orders, purchase orders, labeling, etc.).
  • Determine what changes need to be made to your existing quality system procedures.
  • Will revalidation of electronic records be required to comply with 21 CFR Part 11? (Note: Companies or third parties using HL7 SPL for data submission to GUDID will need to validate the software used for this purpose.)
  • Determine early on what additional resources are needed (FTE or consultants).

This information gathering should be used to create a strategic plan and budget. The plan should include timelines and assignments and identify strategic partners (outside vendors and customers). The plan should address changes required in your product lifecycle management (PLM), enterprise resource planning (ERP), supply chain systems, labeling/packaging equipment, and procedures. It should define the gateway to GUDID submission and create action plans for validation and compliance.

In my next blog post, I will discuss implementation and ongoing maintenance.

The First 4 Steps of Unique Device Identification Implementation Read More »

5 Common Mistakes Related to Compliance with FDA Recalls (21 CFR 806)

Leave a Comment / FDA / By / , , , ,

FDA Recall 01 5 Common Mistakes Related to Compliance with FDA Recalls (21 CFR 806)This article identifies five common mistakes that occur when companies conduct FDA recalls, as required by 21 CFR 806.

As an experienced FDA medical device investigator, at one time or another, many firms I inspected struggled with deciphering FDA regulations and would misinterpret 21 CFR 806 (http://bit.ly/21CFR806-Recall). Fortunately, FDA 483 inspection observations can be easily avoided by doing two things. First, personnel responsible for corrections and removals need proper training—not just “read and understand.” Second, your forms and procedures need to comply fully with 21 CFR 806. The following is a list of 5 common mistakes made that are related to 21 CFR 806:

  1. incorrect interpretation of recall exemptions
  2. misinterpretation of reporting and documentation requirements
  3. failure to comply with recall reporting timelines
  4. failure to properly classify a recall
  5. insufficient recall training for quality personnel

21 CFR 806.1(b) – Recall Exemptions

The section of the regulations that deal with recall exemptions, 21 CFR 806.1(b), is the most widely confused interpretation. There are four categories of exemptions from correction and removal reporting:

  1. “actions were taken by device manufacturers or importers to improve the performance or quality of a device, but that does not reduce a risk to health posed by the device or remedy a violation of the act caused by the device.

  2. Market withdrawals as defined in 806.2(h).

  3. routine servicing as defined in 806.2(k), and

  4. stock recoveries as defined in 806.2(l).”

The risk to health is referenced in 21 CFR 806.1(b)(1) and has two definitions. The first is easily interpreted when there is a reasonable probability that the use or exposure of a medical device could cause serious adverse health consequences or death. Part 2 is confusing in that the definition states that a risk to health can be considered a temporary or medically reversible adverse health consequence, or the possibility of serious adverse health consequences is remote. The second part of the definition of “risk to health,” is not clarified in the recall regulations. Still, you can refer to 21 CFR 803.3 (Medical Device Reporting definitions) for the definition of “serious injury”:

  1. an injury or illness that is life-threatening,
  2. results in permanent impairment of a body function or permanent damage to a body structure, or
  3. necessitates medical or surgical intervention to preclude permanent impairment of a body function or permanent damage to a body structure.

21 CFR 806.10 – Reporting & Documenting FDA Recalls

This section, 21 CFR 806.10 (http://bit.ly/Reporting-FDA-Recalls), is frequently misinterpreted. Corrections and removals by manufacturers and importers require reporting to CDRH, but there are two conditions. Either of the following conditions requires reporting if the correction or removal was initiated:

  1. “To reduce a risk to health posed by the device; or.”
  2. “To remedy a violation of the act caused by the device which may present a risk to health unless the information has already been provided as outlined in paragraph (f) of this section or the corrective or removal action is exempt from the reporting requirements under 806.1(b).”

It is usually better to err on the side of caution and report the correction and removal, but in all cases, properly document your rationale for reporting or not reporting.

21 CFR 806.10(b) – Recall Timelines

Reporting of corrections and removals requires the firm to report these recalls to FDA within ten days. Timeframes are important, so the information can be disseminated to the Regional and District Office after notifications are made to the FDA. 

21 CFR 7.3(m) – Recall Classification

Even when manufacturers and importers file a recall report within the specified timeframes, many times, the recall is improperly classified. Many manufacturers fail to classify their correction and removal based on severity properly. As reported by the FDA in 2013, a study (http://bit.ly/CDRH-Recall-Report) was conducted by CDRH on reported recalls, and this explanation of recall classifications was provided:

“As defined at Title 21, Code of Federal Regulations (CFR), 7.3(g), ‘Recall means a firm’s removal or correction of a marketed product that the Food and Drug Administration considers being in violation of the laws it administers and against which the agency would initiate legal action, e.g., seizure.’

  • A Class I recall is a situation in which there is a reasonable probability that the use of or exposure to a violative product will cause serious adverse health consequences or death.
  • A Class II recall is a situation in which the use of or exposure to a violative product may cause temporary or medically reversible adverse health consequences or where the probability of serious adverse health consequences is remote.
  • Also, a Class III recall is a situation in which the use of, or exposure to, a violative product is not likely to cause adverse health consequences.”

Insufficient Training on FDA Recall Procedures

Each year, the FDA emphasizes the need for investigators to determine that each firm under the FDA area of jurisdiction properly maintains “Recall SOPs,” provides training on these procedures, and fully implements them. When your company performs an initial review of a recall procedure, or the recall procedure is re-written, a systematic review of each element in the regulations is needed. When you perform this review for your Recall SOP, ensure that you verify each of the first four common mistakes are addressed. You should also consider creating an exam to verify the effectiveness of training (http://bit.ly/TrainingExams). If your company manufactures or imports radiologic devices, ensure that the special requirement below is included in your procedure.

Special Requirement: Radiation Emitting Devices

Radiation emitting devices, such as medical lasers, X-Ray, and UV emitting devices, hold another special requirement seldom observed by the CDRH Compliance officers and FDA investigators that are not fully trained in radiation-emitting devices. If a medical device manufacturer or importer becomes aware of a defect in any radiation-emitting device that could cause serious injury, death, or require medical intervention to preclude serious injury or death, this defect must be reported to FDA under 21 CFR 1003. This regulation is one of the few FDA regulations that have significant teeth to mandate each manufacturer or importer to “Repair, Replace or Refund the purchase price” of the device when the manufacturer becomes aware of a major defect in their device (21 CFR 1004). This applies to medical and non-medical radiation-emitting devices, both of which are under FDA jurisdiction.

In some extreme cases, when I observed major defects in a medical device that also included a radiation-emitting device as well, if the CDRH Office of Compliance was unwilling to require a recall of the device, the recall could be mandated by the CDRH Division of Enforcement B (http://bit.ly/CDRH-Divisions-and-Offices). Division of Enforcement B has responsibility for enforcement of medical device regulations to radiologic devices.

Medical Device Academy recorded a webinar on the topic of FDA recalls. You can purchase the webinar by clicking on the following link: http://bit.ly/FDA-recalls-webinar.

5 Common Mistakes Related to Compliance with FDA Recalls (21 CFR 806) Read More »

UDI Costs: Long-Term Expenditures May Not Be Obvious

1 Comment / Unique Device Identification (UDI) / By / , , , ,

jon money UDI Costs: Long Term Expenditures May Not Be Obvious Our author says to expect UDI costs to be as much as 1%+ of annual sales. Ongoing costs and post-market surveillance factors are also discussed. This new regulation is not without its costs. Some are significant, especially to small medical device labelers. There are the obvious implementation costs and ongoing maintenance. There are also “Post-market Surveillance Factors,” which may be a cost or benefit, but Post-Market Surveillance Factors certainly have long-term implications for your company.

UDI Costs to Industry

“The [UDI] final rule may have a significant economic impact on a substantial number of small entities that label medical devices.” (Federal Register – Cost and Benefits) Eastern Research Group, Inc. (ERG), under contract to FDA, “…estimated present value of the costs to domestic labelers is $620.4 million using a 7 percent discount rate and $713.2 million using a 3 percent rate…” over 10 years. Over the same time period, the annualized costs for domestic labelers are estimated to be $82.6 million at a 7 percent discount rate and $81.2 million at 3 percent. Medical device labelers will incur most of these costs. Labelers include manufacturers, reprocessors, specification developers, repackagers, and re-labelers that induce a label to be affixed to a medical device. ERG estimated costs would not eclipse 1% of revenues annually, except for a small percentage of companies required to mark specific devices directly. Some multi-use device manufacturers required to direct mark their Class I devices could benefit from reduced total costs if all of their device labels only need static barcodes, rather than more costly variable barcodes (DI +PI).  ERG also estimated 32 firms out of 5,234 domestic medical device labelers (5,010 are small businesses) will bear costs greater than 1% of revenues, due to needing costly laser direct marking equipment. Interestingly, all 32 firms are all considered small businesses.

Implementation Costs

Most of the costs associated with UDI are related to implementation. The following is a list of examples:

  • planning and integration of UDI throughout information systems
  • creation, review, and approval of labeling changes
  • digital printers to print the new barcodes and date formats
  • increased printing due to variable barcodes
  • joining issuing agency and obtaining labeler ID
  • requesting Global Medical Device Nomenclature (GMDN) Preferred Term (PT) codes
  • registering new barcodes
  • laser-etching of UDI barcodes on devices for direct marketing
  • compliance with the FDA’s UDI data uploading requirements
  • review and approval of procedure changes

The first item on the above list, planning, and integration, will be the highest cost of UDI implementation. The price of planning and integration includes installation, testing, and validation of barcode printing software. You will also need to retrain almost every department to understand how UDI is being integrated with existing processes. You may also need to temporarily increase your workforce to help ensure timely implementation to ensure compliance with the data attributes required for each device entered into the Global UDI Database (GUDID).

Ongoing Costs

The highest annual ongoing cost includes labor, operating, and maintenance associated with equipment for printing labels, and labor related to software maintenance and training needed to maintain the GUDID system. Other ongoing costs include paying initial and annual fees to the Issuing Agencies and/or the  GMDN agency (http://bit.ly/GMDN-Agency) for ongoing maintenance of the system. You will need to have additional personnel in most cases to manage these other requirements.

Post-market Surveillance Factors

Post-market Surveillance Factors are either a cost or benefit to the labeler, and are directly related to the Patient Safety and transparency aspects of the UDI Regulation. The goals of the FDA in enacting the UDI Regulation are:

  • reduce medical errors
  • simplify assimilation of device use information into database systems (such as Electronic Health Records and Personal Health Records)
  • provide for quicker identification of medical device adverse events; improve the speed of the development of solutions to reported problems
  • hasten and improve the efficient closure of device recalls
  • more focused and effective FDA Safety Communications
  • allow professionals and end-users access to additional product information via GUDID

In my opinion, there are other factors just as important which companies should pay attention to as they complete UDI requirements, including the ability to:

  • develop complete safety and effectiveness profiles for devices
  • reduce waste by helping to eliminate duplicate inventory at healthcare facilities
  • identify new uses for devices, which will help increase value for shareholders, customers, and end-users

Today, the identity of labelers is hidden from users and patients. Tomorrow, when the FDA’s goals are realized, labelers will be faced with increased transparency. You will need to address increased transparency by acting quickly to product performance trends. In today’s world of instant communication, you cannot afford to ignore safety issues brought to light by post-market surveillance factors. Anyone who does does so at their peril.

UDI Costs: Long-Term Expenditures May Not Be Obvious Read More »

5 Criteria for a Certified Internal Auditor Program

1 Comment / ISO Auditing / By / , , , , ,

5 criteria 5 Criteria for a Certified Internal Auditor ProgramFive criteria for a certified internal auditor program of medical device lead auditors for ISO 13485 quality systems auditing and supplier auditing.  Five criteria are essential to a certified internal auditor program:

  1. formal training by a qualified trainer
  2. an exam to demonstrate the effectiveness of training
  3. practical experience
  4. observation of actual audits by an experienced lead auditor
  5. documentation

Internal auditors do not need a certificate from a third party (i.e., someone other than your company or customers), and training programs do not need to be accredited. Your company can save money and develop an in-house certification program. The only reason why third-party certification and accreditation are needed is 1) if your internal auditor procedure requires it or 2) if you are training to become a third-party auditor working for a certification body or registrar. Therefore, I don’t recommend writing a procedure that requires a certificate from a third party or an accredited program. Write your internal auditor training requirements to allow flexibility, but ensure you include each of the five elements listed above.

1. Formal training by a qualified trainer

Formal training is planned and has a documented curriculum. The curriculum can consist of one long course over several days, or you can limit the duration of each class to an hour over several months, and you can develop a schedule to fit individual needs. Training should be customized to a certain extent for each internal auditor, but most programs have at least one primary lead auditor course that everyone must complete. A qualified trainer must also deliver formal training.

2. An exam to demonstrate the effectiveness of training

I have written about the use of exams to document training effectiveness. You can use a combination of multiple-choice questions, fill-in-the-blank, short answer, and essay questions for an exam. However, to demonstrate the effectiveness of auditor training, one evaluation method is superior to all others: writing nonconformities. If you provide a hypothetical scenario to an auditor, the auditor should be able to write a complete nonconformity. This exercise tests the auditor’s ability to identify the applicable regulatory requirements, assess conformity, grade nonconformities, and select the appropriate wording of the nonconformity and associated objective evidence. The only downsides to writing nonconformities are: 1) they are more challenging for instructors to grade, and 2) the grading is subjective.

3. Practical experience

The most common way to document the previous experience of internal auditors is to include a copy of the person’s resume in their training record. However, I recommend using a tracking log for all audits to identify which auditors conducted which audit. Ideally, you want to use an electronic database that allows you to search the database using the auditor’s name as a search field. Your database should also indicate which role the auditor was fulfilling: 1) lead auditor, 2) team member, 3) trainee, or 4) observer. Sometimes, the person may have multiple roles (e.g., team member and trainee or lead auditor and observer).

4. Observation of actual audits by an experienced lead auditor

It doesn’t matter if training is remote and recorded or live and in-person, but remote and recorded training needs to be balanced with an observation of actual audits by an experienced medical device quality system auditor. “Observation” needs to be defined, but I recommend using a controlled form to document observations. Attached to this form is a completed observation form, a copy of the audit notes, and a copy of the audit report, which creates a complete record to demonstrate the trainee’s observation of each audit. Just don’t make your controlled form overly burdensome. A single page is fine–as long as it consists of more than yes/no checkboxes.Experienced” also needs to be defined, but I recommend the following combination of qualitative and quantitative experience. First, an experienced lead auditor must have documented formal training, but formal training does not need to be third-party training. Second, an experienced lead auditor should have completed at least 100 audits. One hundred is an arbitrary number, but that number represents more than 1,000 hours of audit preparation, auditing, and report writing. Anything less than 1,000 hours is inadequate to be qualified to begin training others.

5. Documentation

Documentation must include all of the above elements. You need to document the training plan for each internal auditor, and it must meet minimum training requirements–which should be documented in your internal auditing procedure. Your documentation should include the minimum criteria for qualification of a trainer–often a resume, and adding the person to your approved supplier list is sufficient. You should document the results of any formal quizzes and exams for training effectiveness. Auditing experience for each person should be documented. Specifically, you should have a form listing a description of the scope and dates for each audit during the certification process. Auditors’ Observations need to be documented, and any corrections or recommendations for improvement should include documented follow-up. If an auditor already has extensive experience before joining your company, your procedures should allow for a written justification instead of repeating the training. If your company uses a software tool to manage training, I recommend creating a separate training group for internal auditors rather than incorporating internal auditing into another job description and/or training curriculum.

What Really Matters

Whether your internal auditor training is effective and internal auditors are competent matters. Certificates make pretty training records to post on the wall of your cubicle. Competent internal auditors identify quality issues before you receive an FDA 483 or a nonconformity from your certification body. Competent auditors also add value by identifying ways to make processes more efficient and opportunities to save money. If you are looking for a qualified trainer to provide formal training in a public venue or in-house, please visit the following webpage: http://bit.ly/Lead-Auditor-Course.

5 Criteria for a Certified Internal Auditor Program Read More »

510k Submissions for Electrosurgical Devices-FDA’s 2 New Guidance Docs

1 Comment / 510(k) / By / , , , ,

imgres 2 510k Submissions for Electrosurgical Devices FDAs 2 New Guidance Docs

For 510k submissions for electrosurgical devices, the author provides insight into FDA’s two new guidance documents, including how to document compliance.

A colleague asked me if I had noticed any changes to the FDA webpage summarizing the content requirements for a 510(k) submission (http://bit.ly/510k-Content). The page was last updated on March 18, 2014. However, when I compared the current page with a version I had saved in August 2013, I was able to confirm that there were no changes to the page, except for hyperlinks to the content referenced on the page. FDA released six new guidance documents in March, but two of these were specific to electrosurgical devices:

  1. Premarket Notification [510(k)] Submissions for Electrosurgical Devices for General Surgery (http://bit.ly/Electrosurgical-510k)
  2. Premarket Notification [510(k)] Submissions for Bipolar Electrosurgical Vessel Sealers for General Surgery (http://bit.ly/Bipolar-510k)

For those of you that are preparing 510(k) submissions, you may find the draft guidance documents for electrosurgical devices and bipolar electrosurgical vessel sealers to be quite helpful–even if you are are not submitting a 510(k) for these types of devices. These two draft guidance documents include specific recommendations for the content and format of the substantial equivalence table and performance data presented. Also, labeling requirements for the device include a long list of warnings that should be included in the IFU for this type of device.

Electrosurgical Devices for General Surgery

This guidance was released on March 24, 2014, and provides an update to the 510(k) submission requirements for electrosurgical devices in general. If you are preparing a 510(k) submission for this type of device, you should systematically verify and document how your submission complies with this guidance. Compliance with this guidance is not instead of but in addition to FDA guidance on the format and content of a 510(k) submission. Specifically, you should incorporate a table into one of the sections of the submission that lists each of the recommendations of the product-specific guidance document.

Bipolar Electrosurgical Vessel Sealers

This guidance was also released on March 24, 2014, and provides an update to the 510(k) submission requirements of bipolar electrosurgical vessel sealers for general surgery. This guidance includes all the same requirements as the guidance for Electrosurgical Devices, but the bipolar vessel sealing draft guidance also has one additional requirement. The draft guidance provides a prescriptive outline for a preclinical chronic animal study, including the minimum number of animals and the number of weeks post-procedure that the animals should be studied. In the past, the FDA has requested clinical studies in humans to demonstrate the long-term safety of the sealed vessels. Still, this draft guidance specifically states that human clinical studies are not required unless the device being submitted uses different “device technology and/or mechanism of action is significantly different when compared to the predicate.”

How to Document Compliance in Your 510(k) Submission

Medical Device Academy’s consulting team created a template for Section 9 of a traditional 510(k) submission that includes an overview document with the following sub-sections:

  1. FDA Special Controls
  2. FDA Device-Specific Guidance
  3. Voluntary Product Safety Standards
  4. FDA Recognized Standards

Sub-Section 1 of Medical Device Academy’s template for Section 9 of a traditional 510(k) submission includes a brief statement that there is no Special Controls guidance document for the product being submitted. For sub-section 2, we use a table identifying where each of the requirements of product-specific guidance documents can be located. If one of these two draft electrosurgical guidance documents is applicable to your device, we recommend including a table in Section 9 of your submission. For sub-sections 3 and 4, FDA requires that manufacturers complete a Standards Data Report for 510(k)s (FDA Form 3654, http://bit.ly/Form-FDA-3654) for each of the applicable test standards FDA recognizes. Failure to complete Form 3654 for 100% of the applicable standards FDA recognizes results in an immediate Refusal to Accept (RTA, http://bit.ly/FDA-RTA-Policy) letter.

58% of 510(k) submissions were rejected in 2013 during the initial 15-day administrative review. If you received already “Refusal to Accept” (RTA) letter, or you need help preparing your submission, please contact Glenn Melvin, Director of Business Development; by phone at (561) 308-3093 or by email at glenn@robertpackard.wpengine.com; to learn more about our consulting services, to schedule a call or to request a proposal.

510k Submissions for Electrosurgical Devices-FDA’s 2 New Guidance Docs Read More »

Scroll to Top