5 Common Mistakes Related to Compliance with FDA Recalls (21 CFR 806)

FDA Recall 01 5 Common Mistakes Related to Compliance with FDA Recalls (21 CFR 806)This article identifies five common mistakes that occur when companies conduct FDA recalls, as required by 21 CFR 806.

As an experienced FDA medical device investigator, at one time or another, many firms I inspected struggled with deciphering FDA regulations and would misinterpret 21 CFR 806 (http://bit.ly/21CFR806-Recall). Fortunately, FDA 483 inspection observations can be easily avoided by doing two things. First, personnel responsible for corrections and removals need proper training—not just “read and understand.” Second, your forms and procedures need to comply fully with 21 CFR 806. The following is a list of 5 common mistakes made that are related to 21 CFR 806:

  1. incorrect interpretation of recall exemptions
  2. misinterpretation of reporting and documentation requirements
  3. failure to comply with recall reporting timelines
  4. failure to properly classify a recall
  5. insufficient recall training for quality personnel

21 CFR 806.1(b) – Recall Exemptions

The section of the regulations that deal with recall exemptions, 21 CFR 806.1(b), is the most widely confused interpretation. There are four categories of exemptions from correction and removal reporting:

  1. “actions were taken by device manufacturers or importers to improve the performance or quality of a device, but that does not reduce a risk to health posed by the device or remedy a violation of the act caused by the device.

  2. Market withdrawals as defined in 806.2(h).

  3. routine servicing as defined in 806.2(k), and

  4. stock recoveries as defined in 806.2(l).”

The risk to health is referenced in 21 CFR 806.1(b)(1) and has two definitions. The first is easily interpreted when there is a reasonable probability that the use or exposure of a medical device could cause serious adverse health consequences or death. Part 2 is confusing in that the definition states that a risk to health can be considered a temporary or medically reversible adverse health consequence, or the possibility of serious adverse health consequences is remote. The second part of the definition of “risk to health,” is not clarified in the recall regulations. Still, you can refer to 21 CFR 803.3 (Medical Device Reporting definitions) for the definition of “serious injury”:

  1. an injury or illness that is life-threatening,
  2. results in permanent impairment of a body function or permanent damage to a body structure, or
  3. necessitates medical or surgical intervention to preclude permanent impairment of a body function or permanent damage to a body structure.

21 CFR 806.10 – Reporting & Documenting FDA Recalls

This section, 21 CFR 806.10 (http://bit.ly/Reporting-FDA-Recalls), is frequently misinterpreted. Corrections and removals by manufacturers and importers require reporting to CDRH, but there are two conditions. Either of the following conditions requires reporting if the correction or removal was initiated:

  1. “To reduce a risk to health posed by the device; or.”
  2. “To remedy a violation of the act caused by the device which may present a risk to health unless the information has already been provided as outlined in paragraph (f) of this section or the corrective or removal action is exempt from the reporting requirements under 806.1(b).”

It is usually better to err on the side of caution and report the correction and removal, but in all cases, properly document your rationale for reporting or not reporting.

21 CFR 806.10(b) – Recall Timelines

Reporting of corrections and removals requires the firm to report these recalls to FDA within ten days. Timeframes are important, so the information can be disseminated to the Regional and District Office after notifications are made to the FDA. 

21 CFR 7.3(m) – Recall Classification

Even when manufacturers and importers file a recall report within the specified timeframes, many times, the recall is improperly classified. Many manufacturers fail to classify their correction and removal based on severity properly. As reported by the FDA in 2013, a study (http://bit.ly/CDRH-Recall-Report) was conducted by CDRH on reported recalls, and this explanation of recall classifications was provided:

“As defined at Title 21, Code of Federal Regulations (CFR), 7.3(g), ‘Recall means a firm’s removal or correction of a marketed product that the Food and Drug Administration considers being in violation of the laws it administers and against which the agency would initiate legal action, e.g., seizure.’

  • A Class I recall is a situation in which there is a reasonable probability that the use of or exposure to a violative product will cause serious adverse health consequences or death.
  • A Class II recall is a situation in which the use of or exposure to a violative product may cause temporary or medically reversible adverse health consequences or where the probability of serious adverse health consequences is remote.
  • Also, a Class III recall is a situation in which the use of, or exposure to, a violative product is not likely to cause adverse health consequences.”

Insufficient Training on FDA Recall Procedures

Each year, the FDA emphasizes the need for investigators to determine that each firm under the FDA area of jurisdiction properly maintains “Recall SOPs,” provides training on these procedures, and fully implements them. When your company performs an initial review of a recall procedure, or the recall procedure is re-written, a systematic review of each element in the regulations is needed. When you perform this review for your Recall SOP, ensure that you verify each of the first four common mistakes are addressed. You should also consider creating an exam to verify the effectiveness of training (http://bit.ly/TrainingExams). If your company manufactures or imports radiologic devices, ensure that the special requirement below is included in your procedure.

Special Requirement: Radiation Emitting Devices

Radiation emitting devices, such as medical lasers, X-Ray, and UV emitting devices, hold another special requirement seldom observed by the CDRH Compliance officers and FDA investigators that are not fully trained in radiation-emitting devices. If a medical device manufacturer or importer becomes aware of a defect in any radiation-emitting device that could cause serious injury, death, or require medical intervention to preclude serious injury or death, this defect must be reported to FDA under 21 CFR 1003. This regulation is one of the few FDA regulations that have significant teeth to mandate each manufacturer or importer to “Repair, Replace or Refund the purchase price” of the device when the manufacturer becomes aware of a major defect in their device (21 CFR 1004). This applies to medical and non-medical radiation-emitting devices, both of which are under FDA jurisdiction.

In some extreme cases, when I observed major defects in a medical device that also included a radiation-emitting device as well, if the CDRH Office of Compliance was unwilling to require a recall of the device, the recall could be mandated by the CDRH Division of Enforcement B (http://bit.ly/CDRH-Divisions-and-Offices). Division of Enforcement B has responsibility for enforcement of medical device regulations to radiologic devices.

Medical Device Academy recorded a webinar on the topic of FDA recalls. You can purchase the webinar by clicking on the following link: http://bit.ly/FDA-recalls-webinar.

UDI Costs: Long-Term Expenditures May Not Be Obvious

jon money UDI Costs: Long Term Expenditures May Not Be Obvious Our author says to expect UDI costs to be as much as 1%+ of annual sales. Ongoing costs and post-market surveillance factors are also discussed. This new regulation is not without its costs. Some are significant, especially to small medical device labelers. There are the obvious implementation costs and ongoing maintenance. There are also “Post-market Surveillance Factors,” which may be a cost or benefit, but Post-Market Surveillance Factors certainly have long-term implications for your company.

UDI Costs to Industry

“The [UDI] final rule may have a significant economic impact on a substantial number of small entities that label medical devices.” (Federal Register – Cost and Benefits) Eastern Research Group, Inc. (ERG), under contract to FDA, “…estimated present value of the costs to domestic labelers is $620.4 million using a 7 percent discount rate and $713.2 million using a 3 percent rate…” over 10 years. Over the same time period, the annualized costs for domestic labelers are estimated to be $82.6 million at a 7 percent discount rate and $81.2 million at 3 percent. Medical device labelers will incur most of these costs. Labelers include manufacturers, reprocessors, specification developers, repackagers, and re-labelers that induce a label to be affixed to a medical device. ERG estimated costs would not eclipse 1% of revenues annually, except for a small percentage of companies required to mark specific devices directly. Some multi-use device manufacturers required to direct mark their Class I devices could benefit from reduced total costs if all of their device labels only need static barcodes, rather than more costly variable barcodes (DI +PI).  ERG also estimated 32 firms out of 5,234 domestic medical device labelers (5,010 are small businesses) will bear costs greater than 1% of revenues, due to needing costly laser direct marking equipment. Interestingly, all 32 firms are all considered small businesses.

Implementation Costs

Most of the costs associated with UDI are related to implementation. The following is a list of examples:

  • planning and integration of UDI throughout information systems
  • creation, review, and approval of labeling changes
  • digital printers to print the new barcodes and date formats
  • increased printing due to variable barcodes
  • joining issuing agency and obtaining labeler ID
  • requesting Global Medical Device Nomenclature (GMDN) Preferred Term (PT) codes
  • registering new barcodes
  • laser-etching of UDI barcodes on devices for direct marketing
  • compliance with the FDA’s UDI data uploading requirements
  • review and approval of procedure changes

The first item on the above list, planning, and integration, will be the highest cost of UDI implementation. The price of planning and integration includes installation, testing, and validation of barcode printing software. You will also need to retrain almost every department to understand how UDI is being integrated with existing processes. You may also need to temporarily increase your workforce to help ensure timely implementation to ensure compliance with the data attributes required for each device entered into the Global UDI Database (GUDID).

Ongoing Costs

The highest annual ongoing cost includes labor, operating, and maintenance associated with equipment for printing labels, and labor related to software maintenance and training needed to maintain the GUDID system. Other ongoing costs include paying initial and annual fees to the Issuing Agencies and/or the  GMDN agency (http://bit.ly/GMDN-Agency) for ongoing maintenance of the system. You will need to have additional personnel in most cases to manage these other requirements.

Post-market Surveillance Factors

Post-market Surveillance Factors are either a cost or benefit to the labeler, and are directly related to the Patient Safety and transparency aspects of the UDI Regulation. The goals of the FDA in enacting the UDI Regulation are:

  • reduce medical errors
  • simplify assimilation of device use information into database systems (such as Electronic Health Records and Personal Health Records)
  • provide for quicker identification of medical device adverse events; improve the speed of the development of solutions to reported problems
  • hasten and improve the efficient closure of device recalls
  • more focused and effective FDA Safety Communications
  • allow professionals and end-users access to additional product information via GUDID

In my opinion, there are other factors just as important which companies should pay attention to as they complete UDI requirements, including the ability to:

  • develop complete safety and effectiveness profiles for devices
  • reduce waste by helping to eliminate duplicate inventory at healthcare facilities
  • identify new uses for devices, which will help increase value for shareholders, customers, and end-users

Today, the identity of labelers is hidden from users and patients. Tomorrow, when the FDA’s goals are realized, labelers will be faced with increased transparency. You will need to address increased transparency by acting quickly to product performance trends. In today’s world of instant communication, you cannot afford to ignore safety issues brought to light by post-market surveillance factors. Anyone who does does so at their peril.

5 Criteria for a Certified Internal Auditor Program

5 criteria 5 Criteria for a Certified Internal Auditor ProgramThis article identifies five criteria for a certified internal auditor program of medical device lead auditors for ISO 13485 quality systems auditing and supplier auditing.  Five criteria are important to a certified internal auditor program:

  1. formal training by a qualified trainer
  2. an exam to demonstrate the effectiveness of training
  3. practical experience
  4. observation of actual audits by an experienced lead auditor
  5. documentation

Internal auditors do not need a certificate from a third-party (i.e., someone other than your company or your customers), and training programs do not need to be accredited. Your company can save money and develop an in-house certification program. The only reason why third-party certification and accreditation are needed is 1) if your internal auditor procedure requires it, or 2) if you are training to become a third-party auditor working for a certification body or registrar. Therefore, I don’t recommend writing a procedure that requires a certificate from a third party or an accredited program. Write your internal auditor training requirements to allow flexibility, but ensure you include each of the five elements listed above.

1. Formal training by a qualified trainer

Formal training is planned and has a documented curriculum. The curriculum can consist of one long course over several days, or you can limit the duration of each class to an hour over several months, and you can develop a schedule to fit individual needs. Training should be customized to a certain extent for each internal auditor, but most programs have at least one primary lead auditor course that everyone must complete. A qualified trainer must also deliver formal training.

2. An exam to demonstrate the effectiveness of training

I have written about the use of exams to document training effectiveness. You can use a combination of multiple-choice questions, fill-in-the-blank, short answer, and essay questions for an exam. However, for demonstrating the effectiveness of auditor training, there is one method of evaluation that is superior to all others–writing nonconformities. If you provide a hypothetical scenario to an auditor, the auditor should be able to write a complete nonconformity. This exercise tests the auditor’s ability to identify the applicable regulatory requirements, assess conformity, grade nonconformities, and select the appropriate wording of the nonconformity and associated objective evidence. The only downsides to writing nonconformities are: 1) they are harder for instructors to grade, and 2) the grading is subjective.

3. Practical experience

The most common way to document the previous experience of internal auditors is to include a copy of the person’s resume in their training record. However, I recommend using a tracking log for all audits to identify which auditors conducted which audit. Ideally, you want to use an electronic database that allows you to search the database using the name of the auditor as a search field. Your database should also indicate which role the auditor was fulfilling: 1) lead auditor, 2) team member, 3) trainee, or 4) observer. Sometimes, the person may have more than one role (e.g., team member and trainee or lead auditor and observer).

4. Observation of actual audits by an experienced lead auditor

It doesn’t matter if training is remote and recorded or live and in-person, but remote and recorded training needs to balanced with an observation of actual audits by an experienced medical device quality system auditor. “Observation” needs to be defined, but I recommend using a controlled form to document observations. Attaching a completed observation form to a copy of auditing notes and a copy of the audit report creates a complete record to demonstrate observation of each audit by a trainee. Just don’t make your controlled form overly burdensome. A single page is fine–as long as it consists of more than yes/no checkboxes.Experienced” also needs to be defined, but I recommend the following combination of qualitative and quantitative experience. First, an experienced lead auditor must have documented formal training, but formal training does not need to be third-party training. Second, an experienced lead auditor should have completed at least 100 audits. One hundred is an arbitrary number, but that number represents more than 1,000 hours of audit preparation, auditing, and report writing. Anything less than 1,000 hours is inadequate to be qualified to begin training others.

5. Documentation

Documentation must include all of the above elements. You need to document the training plan for each internal auditor, and it must meet minimum training requirements–which should be documented in your internal auditing procedure. Your documentation should include minimum criteria for qualification of a trainer–often a resume, and adding the person to your approved supplier list is sufficient. You should document the results of any formal quizzes and exams for training effectiveness. Auditing experience for each person should be documented. Specifically, you should have a form listing a description of the scope and dates for each audit during the certification process. Observations of auditors need to be documented, and any corrections or recommendations for improvement should include documented follow-up. If an auditor already has extensive experience before joining your company, your procedures should allow for a written justification, instead of repeating the training. If your company uses a software tool to manage training, I recommend creating a separate training group for internal auditors, rather than incorporating internal auditing into another job description and/or training curriculum.

What Really Matters

What matters is whether your internal auditor training is effective and internal auditors are competent. Certificates make pretty training records to post on the wall of your cubicle. Competent internal auditors identify quality issues before you receive an FDA 483, or a nonconformity from your certification body. Competent auditors also add value by identifying ways to make processes more efficient and opportunities to save money. If you are looking for a qualified trainer to provide formal training, in a public venue or in-house, please visit the following webpage: http://bit.ly/Lead-Auditor-Course.

510k Submissions for Electrosurgical Devices-FDA’s 2 New Guidance Docs

imgres 2 510k Submissions for Electrosurgical Devices FDAs 2 New Guidance Docs

For 510k submissions for electrosurgical devices, the author provides insight into FDA’s two new guidance documents, including how to document compliance.

A colleague asked me if I had noticed any changes to the FDA webpage summarizing the content requirements for a 510(k) submission (http://bit.ly/510k-Content). The page was last updated on March 18, 2014. However, when I compared the current page with a version I had saved in August 2013, I was able to confirm that there were no changes to the page, except for hyperlinks to the content referenced on the page. FDA released six new guidance documents in March, but two of these were specific to electrosurgical devices:

  1. Premarket Notification [510(k)] Submissions for Electrosurgical Devices for General Surgery (http://bit.ly/Electrosurgical-510k)
  2. Premarket Notification [510(k)] Submissions for Bipolar Electrosurgical Vessel Sealers for General Surgery (http://bit.ly/Bipolar-510k)

For those of you that are preparing 510(k) submissions, you may find the draft guidance documents for electrosurgical devices and bipolar electrosurgical vessel sealers to be quite helpful–even if you are are not submitting a 510(k) for these types of devices. These two draft guidance documents include specific recommendations for the content and format of the substantial equivalence table and performance data presented. Also, labeling requirements for the device include a long list of warnings that should be included in the IFU for this type of device.

Electrosurgical Devices for General Surgery

This guidance was released on March 24, 2014, and provides an update to the 510(k) submission requirements for electrosurgical devices in general. If you are preparing a 510(k) submission for this type of device, you should systematically verify and document how your submission complies with this guidance. Compliance with this guidance is not instead of but in addition to FDA guidance on the format and content of a 510(k) submission. Specifically, you should incorporate a table into one of the sections of the submission that lists each of the recommendations of the product-specific guidance document.

Bipolar Electrosurgical Vessel Sealers

This guidance was also released on March 24, 2014, and provides an update to the 510(k) submission requirements of bipolar electrosurgical vessel sealers for general surgery. This guidance includes all the same requirements as the guidance for Electrosurgical Devices, but the bipolar vessel sealing draft guidance also has one additional requirement. The draft guidance provides a prescriptive outline for a preclinical chronic animal study, including the minimum number of animals and the number of weeks post-procedure that the animals should be studied. In the past, the FDA has requested clinical studies in humans to demonstrate the long-term safety of the sealed vessels. Still, this draft guidance specifically states that human clinical studies are not required unless the device being submitted uses different “device technology and/or mechanism of action is significantly different when compared to the predicate.”

How to Document Compliance in Your 510(k) Submission

Medical Device Academy’s consulting team created a template for Section 9 of a traditional 510(k) submission that includes an overview document with the following sub-sections:

  1. FDA Special Controls
  2. FDA Device-Specific Guidance
  3. Voluntary Product Safety Standards
  4. FDA Recognized Standards

Sub-Section 1 of Medical Device Academy’s template for Section 9 of a traditional 510(k) submission includes a brief statement that there is no Special Controls guidance document for the product being submitted. For sub-section 2, we use a table identifying where each of the requirements of product-specific guidance documents can be located. If one of these two draft electrosurgical guidance documents is applicable to your device, we recommend including a table in Section 9 of your submission. For sub-sections 3 and 4, FDA requires that manufacturers complete a Standards Data Report for 510(k)s (FDA Form 3654, http://bit.ly/Form-FDA-3654) for each of the applicable test standards FDA recognizes. Failure to complete Form 3654 for 100% of the applicable standards FDA recognizes results in an immediate Refusal to Accept (RTA, http://bit.ly/FDA-RTA-Policy) letter.

58% of 510(k) submissions were rejected in 2013 during the initial 15-day administrative review. If you received already “Refusal to Accept” (RTA) letter, or you need help preparing your submission, please contact Glenn Melvin, Director of Business Development; by phone at (561) 308-3093 or by email at glenn@robertpackard.wpengine.com; to learn more about our consulting services, to schedule a call or to request a proposal.

What is the GUDID?

This blog, “What is the GUDID?” reviews the basics of the database, do we need a GUDID account? How data is submitted, what information is needed, and more. 

What is the GUDID?

FDA, in creating the Unique Device Identifier (UDI), was looking to improve the postmarket surveillance process, which included developing a database to be used by the healthcare community and the public to obtain critical information on the medical devices they use. The Global UDI Database (GUDID – pronounced Good-I-D) is a repository for key device identification information. It will not include any patient information. This key information – 62 different data elements (see below) – is limited to Device Identifiers (DI) and Labeler information. Every Labeler of medical devices is required to have a UDI and submit this information to the GUDID.

Changes from the proposed rule impacting GUDID

In the proposed rule, FDA did not want to use Global Medical Device Nomenclature (GMDN) Preferred Term (PT) codes. Unfortunately, the GMDN PT codes are not free, and a subscription is required to access the GMDN Database. FDA was able to negotiate an agreement with the GMDN Agency to allow Labelers access to the GMDN PT codes. These codes will only be accessible to Labelers who enter device information using FDA’s Web Interface submission process. A word of caution; the GMDN Agency is continually adding and updating these codes. Companies submitting data via HL7 SPL (see below) will need to subscribe to the GMDN Agency to gain access to these codes.

what is GUDID What is the GUDID?

Another change deals with MRI compatibility. If you claim your device is MR Safe, MR Conditional, or MR Unsafe, then this information is now required as part of the submission to GUDID.

A new version of the GUDID Implementation Specification (Version 1.2.1, released April 11, 2014) is now available. FDA Global UDI Database Web Site 

Do we need a GUDID account?

To submit medical device key information, Labelers need to request an account through the FDA GUDID website. The Labeler Organization may have more than one GUDID account. A Duns and Bradstreet (DUNS) number for the company location is used to identify each GUDID account. The labeler must also be registered with the FDA as an establishment.

There are three (3) levels – Organization (which may also be a Labeler), Labeler, and Third-Party (entity authorized to submit GUDID information on behalf of Labeler). Each GUDID account must have:

  • One (1) Regulatory Contact
  • One (1) Coordinator (manages Labeler Data Entry users)
  • One (1) Labeler Data Entry user (day-to-day data entry)
  • One (1) Labeler DUNS number

Labeler DUNS number must match name and address on the device label.

Production Identifiers (PI) are not entered into the Database (just PI flags to indicate which PI are on the label). 

How data is submitted to GUDID

There are two standard-based methods to submit data: 1) structured input via a web interface, and 2) the Health Level 7 Structured Product Labeling (HL7 SPL) process. The first method, using a web-based interface, will work well for up to 200 total records. If you attempt to input more than 200 records, the input becomes overwhelming, and you will need to use the HL7 SPL process. HL7 SPL is in XML format and uses the FDA Electronic Submission Gateway (ESG) as the pathway to upload data into GUDID. Both submission methods are one DI record at a time. There is no batch option available.

You are also able to use third-parties to submit data. GS1 GDSN (Global Data Synchronization Network) is one example; there are others as well. Or you could build your submission tool.

There are three (3) states of entry –

  • Draft DI – only available via Web interface (Draft DI will be available for 180 days)
  • Unpublished – has passed all the business rules
  • Published – is now searchable

Currently, the GUDID search and retrieval options are not currently operational, as FDA is waiting until sufficient data has been entered to turn this feature on.

What information do I need?

There are 60-plus data attributes that need to be provided. Some of the fields are automatically filled in by the GUDID system, based on information that is entered. For instance, the Labeler Name and Address are pulled from the DUNS database, based on the DUNS number entered. An entry can have more than one Device Identifier. This is usually the case if you have used different Issuing Agencies. Attributes on label/package and the values submitted should match. GUDID also has controlled vocabulary and built-in business rules that will continually check what data is input.

A controlled vocabulary is DUNS #, GMDN code, and FDA Product Codes. 

Examples of Business Rules are:

  • All required data elements must be provided
  • Validating specific elements – FDA Listing #, etc.
  • Data constraints on specified elements – Publish date must always be >= TODAY
  • There are other additional business rules

Also, a DI can never be reused, even if it is discontinued. It will remain in GUDID, but marked as “Not in Commercial Distribution.”

Complaint Management Auditing

This article explains how to use the process approach to auditing to ensure more effective complaint management auditing.

inbound link building Complaint Management Auditing

Auditors typically focus on the requirements of how to handle complaints, but what do you do with complaints after the investigation? If the only reason why you “handle” complaints is that it is a requirement, you are extremely unlikely to gain product benefits from reviewing complaints. When you conduct complaint management auditing, you need to focus on linkages to other processes.

Disadvantages of checklists for complaint management auditing

Are you using an audit checklist when you conduct complaint management auditing? This will verify that your complaint handling process includes all eight requirements of 21 CFR 820.198(e), but it will tell you nothing about whether the process is effective.

Audit checklists encourage auditors to ask close-ended (i.e., yes/no) questions. For example:

  1. Did you document your investigation?
  2. Did you document corrective actions taken?

What is the Process Approach to Auditing?

The process approach to auditing is a seven-step process where the auditor interviews the process owner and individuals performing the process being audited:

  1. What is the process?
  2. What are the inputs to the process?
  3. What are the outputs of the process?
  4. With what resources is the process performed?
  5. With whom is a process performed?
  6. How is the process done?
  7. Which process metrics are important?

Each step of the process systematically gathers information about the process. More importantly, however, the process approach identifies how the process being audited interacts with other processes. Evaluating the effectiveness of linkages is one of the primary benefits of the process approach. For example:

  1. Which records are used as inputs to the complaint handling process?
  2. How many corrective actions were initiated in response to complaints?

Sometimes, an auditor using the process approach will find a “broken link.” If there is no connection between the servicing of devices and the complaint handling process, this is a link that needs to be “repaired.”

The Most Valuable Step in the Process Approach to Auditing

Of the seven steps to the process approach, the last step frequently provides the most proactive suggestions for process improvements. The final step is when the auditor asks the process owner, “Which metrics do you gather for this process?” Often, this question is met with a blank stare. If the process is not being measured, then the process owner cannot proactively make adjustments before mistakes are made. Instead, the process becomes reactionary.

A reactionary process for post-market surveillance and monitoring of complaints allows the number of complaints to increase and cause additional problems. Therefore, each complaint should be categorized, and data analysis should be performed. Ideally, each complaint category should have a maximum threshold established for the frequency of complaints and the severity of complaints. The frequency and severity would be documented in your risk management file. You may even establish quality objectives for the length of time it takes to process complaints and the number of actual complaints.

Adjacent Link Auditing for Complaint Management Auditing

Adjacent Link Auditing is an extension of the process approach to auditing. The principle behind Adjacent Link Auditing is that each process has adjacent processes in the process workflow. The process owners managing the previous process step (i.e., “upstream”) are internal suppliers because they provide the records and physical product that is used in the process being audited. Process owners managing the subsequent process step (i.e., “downstream”) are internal customers because they receive records and physical product from the process being audited. Internal “Suppliers” and “Customers” have a stronger connection to the process than other departments, because they are directly connected to the process. Adjacent processes are intimately involved in creating process inputs or using the process outputs for the next adjacent step in the process. If you are interested in learning more about Adjacent Link Auditing Theory, please click here to read an article in OrthoWorld’s BoneZone magazine.

If you are interested in downloading an example of a complaint handling procedure, please visit our webpage for SOP-018. For learning more about the process approach to auditing, please visit our YouTube channel.

6 UDI Implementation Deadlines You Need to Remember

The first of the UDI implementation deadlines for the FDA’s Unique Device Identifier (UDI) Regulation is approaching fast. Do you know when your medical devices must be labeled with a UDI?  Read on to find out.

Screen Shot 2014 04 29 at 7.25.40 PM 6 UDI Implementation Deadlines You Need to Remember

FDA requires higher risk devices to be brought into compliance with the UDI regulations first. Compliance starts with Class III devices and devices licensed under the Public Health Service (PHS) Act (http://bit.ly/PHS-Act).  Lower risk devices will follow.

1. June 23, 2014, is the compliance deadline for Class III and PHS Act device labelers to file a one-year extension. FDA requires extension requests be written (§801.55), documenting the number of labelers and devices subject to the request and explaining why an extension would be in the best interest of public health. FDA may also request additional information to help the Agency make a decision on this request. Federal Register – Class III Compliance Dates

2. September 24, 2014, is the first compliance deadline for labels and packages of Class III devices, Class III Stand-alone Software and devices licensed under the PHS Act to be “compliant.” These devices must have a UDI on its packages and labels, and human-readable dates must be formatted as YYYY-MM-DD (§801.18) and information submitted to the Global UDI Database (GUDID) (§830.300) by this date.

3. September 24, 2015, is the compliance deadline required for labels and packages of Implantable, Life-Sustaining, and Life Supporting Devices to have a UDI and corresponding data submitted to GUDID.  Life-Sustaining and Life-Supporting devices are also required to have UDI as a permanent direct mark if they are to be used more than once and reprocessed before each use (§801.45). Stand-alone software that is life-sustaining or life-supporting must have a UDI per §801.50(b). Human readable dates on these labels must be formatted as YYYY-MM-DD.

4. September 24, 2016, is the compliance deadline required for Class II devices and Class II Stand-alone Software to be compliant. As with the device classes above, this means having the UDI on the device label and package (human-readable date in YYYY-MM-DD format) and data submitted to GUDID.  Class III devices intended to be used more than once and reprocessed between uses must have their UDI permanently marked on the device by this date.

5. September 24, 2018, is the compliance deadline for Class I devices and Class I Stand-alone Software, as well as devices not classified into Class I, Class II, or Class III. This date requires devices to have a UDI on their labels and packages, and the human-readable dates on labels must be in YYYY-MM-DD format. Class II devices intended to be used more than once and reprocessed between uses must be directly marked with their UDI.

6. September 24, 2020, is the compliance deadline for Class I devices, and devices that have not been classified as Class I, II, or III intended to be used more than once and reprocessed between uses, must be directly marked with their UDI.

FDA’s UDI final rule will be phased in over time to ensure that labelers would have adequate time to build and test systems and create the infrastructure needed to implement the regulation’s many requirements. FDA believes a phased approach will spread the cost and burden of implementation over a number of years.  This approach, according to the FDA, should promote “the efficient and effective implementation of the final rule.”

On-hand inventory labeled and packaged prior to the above deadlines has been extended a 3-year grace period in the Final Rule.  This inventory does not need to be relabeled/repackaged with their UDI until three (3) years past the compliance date of their product Class compliance date. FDA considers consignment inventory to fall under this provision. This requires companies to track consignment inventory, ensuring it is used before the three-year grace period expiring. Any inventory – on-hand or consignment – remaining past the grace period will need to be relabeled and/or repackaged to be compliant. Federal Register – Existing Inventory

European Medical Device Regulations-4 Key Eucomed Recommendations

Screen Shot 2014 04 23 at 10.19.29 AM 300x244 European Medical Device Regulations 4 Key Eucomed RecommendationsEuropean Medical Device Regulations-4 Key Eucomed Recommendations,” reviews why the Eucomed position paper will help draft the new European Medical Device Regulations.

Eucomed, the medical technology industry representative group for Europe, released a new position paper on April 1, 2014, http://bit.ly/Eucomed-April-2014. This paper was created in response to the proposed European Medical Device Regulations, and focuses on four industry concerns:

  1. 1. Introduction of a pre-market “scrutiny process”
  2. 2. Revised clinical requirements
  3. 3. Restriction of hazardous substances
  4. Re-use of single-use devices


The original draft of the proposed regulations (i.e., the proposal) was released by the European Commission on September 26, 2012 (http://bit.ly/EUProposal). Europe’s Parliament Committee for Environment, Public Health and Food Safety (ENVI) voted on the Commission’s proposed regulations on September 25, 2013–after three postponed votes. The ENVI Committee made several revisions to the proposed EMDR (i.e., draft legislation), but in general, the ENVI Committee recommended the proposed EMDR. The European Parliament voted on the proposed regulations on October 22, 2013 (i.e., Plenary Vote). Parliament made additional revisions to the draft legislation and mandated negotiation by Parliament representatives (i.e., rapporteurs) with the European Council.

There were three versions of the new EU regulations for the Council to consider:

  1. A proposal by the EU Commission
  2. Draft legislation by the ENVI Committee
  3. Revised draft legislation by Parliament

Eucomed published a position paper on January 30, 2013 (http://bit.ly/EucomedPositionPaper) in response to the original proposal by the Commission, but Eucomed did not respond to the draft legislation until April 1, 2014. Now, the Council has a fourth version to consider–the 2014 Eucomed position paper.

I expected Eucomed to criticize Parliament’s revised draft before the 2013 holidays, but there was no further public response from Eucomed. Instead of being critical of Parliament’s revised draft, Eucomed focused on four industry concerns and made its recommendations for each issue. The Eucomed position paper is specially addressed to the EU Council with the hope of influencing the Council’s version of the new EMDR.

Pre-market “Scrutiny Process” (Article 44)

The EU Commission introduced the concept of the “Scrutiny Process” in Article 44 of the proposed EMDR. Still, the EU Parliament replaced the “Scrutiny Process” with Article 44a in the Parliament Amendment from the Plenary Vote. Article 44a involved a review by the European Medicines Agency for high-risk submissions. Both of these solutions are unpopular with industry. In the April 2014 position paper, Eucomed does not endorse either version. Instead, Eucomed proposed its process for review of premarket submissions, which is referred to as a “Reinforced Control Procedure.”

The Reinforced Control Procedure is a process that is built into the existing Notified Body process. Eucomed outlined the new procedure in detail as an Annex to the position paper.

Revised Clinical Requirements (Articles 49-60)

Eucomed’s April 2014 position paper endorses the proposed regulations by the EU Commission and does not support the stricter legislation proposed by Parliament that mandates Randomized Control Trials (RCTs). In addition, Eucomed listed the following seven points below that the Council should address to ensure that the new Clinical Requirements are “fit-for-purpose”:

  1. Ensure no “one-size-fits-all” approach
  2. Include appropriate elements from pharmaceutical legislation
  3. Consider that effectiveness is measured across the full lifecycle
  4. RCTs are not always practically possible or ethical
  5. Utilize the power of big data and scientific literature
  6. Consider a balanced concept of equivalence
  7. Importance of intellectual property and know-how for medtech companies

Restriction of Hazardous Substances

Eucomed’s position paper encourages the EU Council to support the European Commission’s proposal on the use of hazardous substances in medical devices–not the Parliament version. Eucomed cites the existing horizontal legislation that is in place (i.e., Reach Legislation, http://bit.ly/REACH-Legislation; and RoHS 2, http://bit.ly/RoHS-2). The position paper points out that Parliament’s proposed ban has the following flaws:

  • Proposed ban disregards potential benefits offered by these substances
  • Scope of the proposed ban is broader than can be practically implemented at this time
  • The three-year implementation period is too short of a timeline
  • Four-year period for applying for exemptions is too short a timeframe for industry subject matter experts to submit the required requests
  • The proposed ban is not consistent with the existing REACH and RoHS legislation

Re-use of Single-use Devices

The Eucomed position paper recommends that the EU Council support the EU Commission proposal for addressing the re-use of single-use devices. The Parliament approach stated that all devices should be considered re-usable unless the manufacturer can demonstrate that the device cannot be re-used. The industry response to Parliament’s approach can be summarized in one phrase from the Eucomed paper: “Medical device industry believes that Parliament’s amendments create a potential threat to patient safety.” The Eucomed paper goes on to identify specific deficiencies in the Parliament amendments:

  • Amendment presents a potential threat to patient safety
  • The approach is generic and cannot be applied to all products
  • The process proposed is unclear and may create delays
  • An amendment is not required by other countries and would increase the cost of products to Europeans
  • Roles and responsibilities of manufacturers and reprocessors are unclear
  • Standardization is not feasible


The Eucomed position paper should be helpful to the European Council in framing a more moderate draft for the new European Medical Device Regulations. However, the Council is likely to create a few solutions of its own that will require additional review. I expect to see a draft from the Council this Fall and do not expect Parliament or the Council to reach an agreement on a final version in 2015.

What is UDI and Why It Matters

udi 2 300x162 What is UDI and Why It MattersIn this blog, “What is UDI and Why It Matters,” the author reviews the fundamentals of UDI, FDA’s Final Rule applications, and its global significance. 

FDA’s Final Rule (Federal Register – UDI Definition) states a Unique Device Identifier (UDI) is a code that sufficiently identifies a medical device throughout its distribution and use. The UDI is comprised of a static component, “Device Identifier” (DI), and a dynamic component, “Production Identifier” (PI). 

The DI itself is made up of your Labeler Identification Code and a code that pinpoints the specific version or model of that device. PI, on the other hand, includes manufacturing information for that specific device, such as lot or batch number, serial number, expiration date, or manufacturing date (both in YYYY-MM-DD format).

Human cells, tissues, or cellular or tissue-based product (HCT/P) regulated as a medical device requires the use of the ISBT-128 format UDI. The UDI Final rule requires medical device labels to contain a UDI, unless exempt or provides for an exception or alternative placement. The UDI must be both human-readable and in a form that uses automatic identification and data capture (AIDC) technology. 

Reprocessed and Single-Use Devices

Medical devices that are both used more than once by intention and reprocessed by intention must have the UDI directly marked on the device. The Final Rule details exceptions to this requirement (Federal Register – Direct Marking Requirement). UDI does not need to be on individual single-use devices. Instead, it needs to be located on the next higher package. For example, non-sterile exam gloves would require a UDI on the box label, not each glove. 

This section of the rule stipulates individual single-use devices, all of which are the same version or model, must be distributed together in a single device package, is intended to be stored in that device packaging until removed for use, and is not intended for individual sale.  However, it does not apply to implanted devices, which require a UDI on the package of the individual device. Federal Register – Single-use Device 

Stand-Alone Software

Stand-Alone Software that is regulated as a medical device, must also bear a UDI. The software version should be included in the production identifier. If the software is downloaded from a website, the UDI must be in plain text (i.e., not in AIDC format) and displayed whenever the software is started and/or in the plain text displayed through a menu command, such as the “About” screen. If Stand-Alone Software is sold in a package, the package must have the UDI on its label. However, the DI of packaged software may be identical to the downloaded version. Federal Register – Stand-Alone Software

Why Now? Why Does It Matter?

Some medical device companies, especially distributors, obscure manufacturers’ names and item codes on device labels. Different devices might have the same item code, while the same device might have different item codes. These inconsistencies confuse healthcare professionals—especially during recalls and adverse event reporting. Therefore, FDA and other regulatory agencies are implementing UDI regulations to:

  • Improve patient safety by reducing medical errors.
  • Strengthen the Electronic Medical Records initiative by providing a standard method for recording the identity of each device during use in clinical information systems, claim data sources, and registries.
  • Address counterfeiting and diversion
  • Prepare for medical emergencies and disasters
  • Provide a foundation for a global, secure distribution chain. 

The most important reason for UDI regulations is the need to improve the accuracy and timeliness of Post-Market Surveillance (PMS) data. More accurate and timely PMS data will indirectly improve patient safety by helping facilitate more accurate reporting, reviewing, and analyzing of adverse event reports, so problem devices can be pinpointed, corrected, and removed faster. 

Impact of UDI Regulations Globally

FDA hopes the UDI regulations will lead to the development of a globally harmonized medical device identification system that is recognized around the world. The European Union and regulatory agencies around the globe are drafting their versions of a UDI regulation. In addition to the benefits of implementing a UDI system in general, a global UDI system would:

  • Allow companies to create globally harmonized labeling with a single UDI worldwide
  • Promote worldwide tracking and tracing of devices for easier recalls
  • Provide another risk control to prevent counterfeiting and diversion of medical devices

To that extent, the International Medical Device Regulators Forum (IMDRF) published their UDI Guidance document IMDRF UDI Guidance Document, which has many similarities to the FDA Final Rule.

The Unique Device Identifier Final Rule is more than just a new FDA regulation—it is also good business practice. Healthcare customers are embracing the use of unique identifiers. In past experiences with implementing GTINs (another form of UDI from the UDI issuing agency GS1), customers demanded implementation of GTINs, or they would find a new supplier. Manufacturers may choose to ignore one or two customers. Still, eventually the number of customers demanding UDI will be significant, and they will need to act quickly—regardless of FDA deadlines.

Medical Device Regulation: FDA Pilot Programs for Global Harmonization

international harmonization Medical Device Regulation: FDA Pilot Programs for Global HarmonizationThis blog provides an overview of global harmonization efforts by the FDA that were implemented for medical device regulation.

Harmonization of international regulatory requirements for medical devices began in 1992 with the founding of the Global Harmonization Task Force (GHTF). There were five founding regulatory bodies: 1) US FDA, 2) Health Canada, 3) European Commission, 4) Therapeutics Goods Administration of Australia, and 5) Ministry of Health, Labour and Welfare in Japan. The organization created many guidance documents for the medical device industry, and members of the GHTF organization also participated in the development of ISO 13485 that was released in 1996. GHTF was disbanded in late 2012, and it has been replaced by the International Medical Device Regulators Forum (IMDRF) (http://bit.ly/IMDRFDoc), and IMDRF maintains the documentation created by GHTF.

In 1996, when ISO 13485 was released, Health Canada made certification to ISO 13485 mandatory for all medical device manufacturers that wanted to distribute in Canada. Health Canada’s requirement for ISO 13485 certification resulted in the widespread adoption of ISO 13485 certification throughout the world. At the same time, the US FDA chose to publish its Quality System Regulations (http://bit.ly/21CFR820-compliance). The QSR is very similar to ISO 13485, but there are minor differences beyond the obvious reorganization of the requirements.

FDA Modernization Act of 1997

Under the FDA Modernization Act of 1997, the FDA implemented a 3rd party review program for 510(k) reviews and inspections (http://bit.ly/3rd-party-implementation). This program involves “Accredited Persons” (AP) that have been trained by the FDA and work for a third-party consulting firm, registrar, or Notified Body. The FDA expanded the pilot program for 510(k) reviews to include most 510(K) devices (http://bit.ly/3rd-Party-Review-List). Unfortunately, even though there was great interest from third-parties to participate in the program, there was little interest from manufacturers. After more than a decade, only the following seven third-party organizations have managed to get an Accredited Person (AP) to complete the qualification process so that they can perform inspections independently:

  1. BSI
  2. LNE/G-MED
  4. Orion Registrar
  5. SGS
  6. TUV SUD
  7. TUV Rheinland

The FDA continues to experiment with different approaches to international harmonization. In 2003, Health Canada (HC) signed a memorandum of understanding between Health Canada (HC) and the U.S. In 2006, the FDA launched the pilot, Multi-purpose Audit Program (pMAP) (http://bit.ly/HC-FDA-pMAP). Third-party auditors performed ten combined audits. The conclusions and recommendations resulting from the pMAP were posted on the FDA website in 2010. One of the recommendations was to develop a guidance document for the format and content of regulatory reports. Therefore, in 2011, GD211 (http://bit.ly/GD211-report) was released by HC, and several videos were posted on the FDA website by HC and the US FDA for training (http://bit.ly/CDRH-Learn-Course-list).

Once the 14 recognized registrars had managed to train their CMDCAS auditors (http://bit.ly/CMDCAS) on the GD211 report format, the FDA announced the Voluntary Audit Report Submission Pilot Program (http://bit.ly/Voluntary-Audit-Report). For eligible companies, they may submit a regulatory report in the GD211 format, and the FDA will remove the manufacturer from the routine workload for FDA inspections. A few companies have taken advantage of this and successfully avoided a routine inspection for 12 months.

FDA’s New Pilot Program

Recently, the FDA announced a new Voluntary Compliance Improvement Program Pilot (http://bit.ly/FDA-VCIP). This new program is a small pilot that will allow 3-5 manufacturers to select a third party (to be approved by the FDA) to help them identify areas for compliance improvement and initiate corrective actions. Identification of areas for improvement would presumably be determined during a mock-FDA inspection performed by the third party, but this is not explained in the FDA announcement. This program is available by invitation only, but it appears to be a significant departure from the AP program and voluntary submission of GD211 audit reports.

IMDRF is finally starting to have an impact on the harmonization of medical device inspections. In January 2014, the FDA began accepting inspection reports from the Medical Device Single-Audit Program Pilot (MDSAP) as a substitute for routine agency reports. Kim Trautman at the FDA is the IMDRF representative chairing the program, and her presentation announcing the program can be downloaded at the following website link: http://bit.ly/IMDRF-MDSAP. This program should be extremely popular with manufacturers because the MDSAP reports can also be used to meet requirements for inspections by Japan’s MHLW and Brazil’s ANVISA. ANVISA has a massive backlog of inspections due to a strike by government workers, and many companies were forced to file a lawsuit against ANVISA to accelerate the inspection prioritization. The challenge with the MDSAP will be to train and qualify third parties to conduct the audits correctly.

Scroll to Top