Medical Device Academy Blog Archive Medical Device Academy

510k Electronic Submission Guidance for FDA 510k Submissions

Posted by Rob Packard on November 8, 2022

This article provides an overview of the new 510k electronic submission guidance document that the FDA released in September 2022.

What’s included in the 510k electronic submission guidance?

As with any FDA guidance, there is an introduction and background regarding the reason for the new 510k electronic submission guidance document (i.e., eSTAR guidance). In the scope section, the FDA specifies that this document is specific to 510k submissions using the eSTAR template. The FDA has plans to release a similar De Novo submission guidance for using the eSTAR template. In the “Significant Terminology” section of the guidance, the FDA provides definitions for each of the different types of submissions: eCopy, eSubmitter, etc. Then the next to last section of the electronic submission guidance, the FDA provides a table outlining all of the sections of the new eSTAR template. The table is reproduced later in this article. If you are interested in a tutorial on completing each section outlined in the table, we recommend purchasing Medical Device Academy’s 510(k) Course. The last section of the eSTAR guidance indicates the timing for compliance with the new guidance.

What is the deadline for compliance with the guidance?

In this new 510k electronic submission guidance document, the FDA indicates that using the eSTAR template and compliance with the eSTAR guidance is voluntary until October 1, 2023. Therefore, after FY 2023, all 510k submissions must be submitted as an eSTAR submission instead of using the older traditional 510k submission format. The FDA also provides a hyperlink for requesting a Customer Collaboration Portal (CCP) account.

What’s missing from this 510k submission guidance?

The new 510k electronic submission guidance does not provide information regarding the receipt date for electronic submissions made through the new customer collaboration portal (CCP) created by CDRH. The image below is a screen capture of the current CCP upload webpage. It includes the following statement, “Send your submission before 16:00 ET on a business day for us to process it the same day.” This statement was added sometime in August or September, but the FDA has not released a detailed explanation. This statement makes it clear that the FDA is not promising to process a submission the “same day” if the submission is received after 4:00 pm ET. However, “processed” does not have the same meaning as “receipt date.”

Another element missing from this new guidance is a reference to human factors documentation. For any devices that have a user interface that is different from the predicate device, and for software devices, the FDA requires documentation of your human factors process to make sure that differences in the user interface do not result in new or different risks when compared to the predicate device. The 2016 FDA guidance for human factors has not been updated, but FDA reviewers continue to issue deficiencies related to the objective evidence provided in a 510k for human factors validation.

CCP screen capture 1024x619 510k Electronic Submission Guidance for FDA 510k Submissions

The FDA must be consistent in the wording for “Hours for Receipt of Submission” because this affects submissions at the end of the fiscal year, but it also affects any submissions with a deadline for response to an RTA Hold, AI Response, and IDE submissions. The CDER and CBER divisions of the FDA address the need for defining the date of receipt in a guidance document specific to this topic, “Providing Regulatory Submissions in Electronic Format–Receipt Date.” Below is a screen capture copied from page 4 of the guidance.

Electronic Submission 510k Electronic Submission Guidance for FDA 510k Submissions

What are the new sections for a 510k submission?

In 2019, the FDA released a guidance document on the “Format of Traditional and Abbreviated 510(k)s.” That guidance outlines the 20 sections of a traditional 510k submission that have been used for decades. However, the new 510k electronic submission guidance has no numbering for the sections of the eSTAR template, and there are 22 sections instead of 20 sections. Several of the new sections are elements of the current FDA submission cover sheet (i.e., FDA Form 3514), and some sections exist in the 2019 guidance that were eliminated, such as: “Class III Summary and Certification.” Therefore, Medical Device Academy is recreating 100% of our 510k training webinars to explain how our 510k templates are used with the 510k eSTAR template and how to fill in the PDF form. To prevent confusion between the two formats, we are using letters for each section in the eSTAR template instead of numbers (i.e., A-V instead of 1-20). Table 1 from the new eSTAR guidance is reproduced below for your information.

	Information Requested	Description
A	Submission Type	Identification of key information that may be useful to FDA in the initial processing and review of the 510(k) submission, including content from current Form FDA 3514, Section A.
B	Cover Letter / Letters of Reference	Attach a cover letter and any documents that refer to other submissions.
C	Submitter Information	Information on submitter and correspondent, if applicable, consistent with content from current Form FDA 3514, Sections B and C.
D	Pre-Submission Correspondence & Previous Regulator Interaction	Information on prior submissions for the same device included in the current submission, such as submission numbers for a prior not substantially equivalent (NSE) determination, prior deleted or withdrawn 510(k), Q-Submission, Investigational Device Exemption (IDE) application, premarket approval (PMA) application, humanitarian device exemption (HDE) application, or De Novo classification request.
E	Consensus Standards	Identification of voluntary consensus standard(s) used, if applicable. This includes both FDA-recognized and nonrecognized consensus standards.
F	Device Description	Identification of listing number if listed with FDA. Descriptive information for the device, including a description of the technological characteristics of the device including materials, design, energy source, and other device features, as defined in section 513(i)(1)(B) of the FD&C Act and 21 CFR 807.100(b)(2)(ii)(A). Descriptive information also includes a description of the principle of operation for achieving the intended effect and the proposed conditions of use, such as surgical technique for implants; anatomical location of use; user interface; how the device interacts with other devices; and/or how the device interacts with the patient. Information on whether the device is intended to be marketed with accessories. Identification of any applicable device-specific guidance document(s) or special controls for the device type as provided in a special controls document (or alternative measures identified that provide at least an equivalent assurance of safety and effectiveness) or in a device-specific classification regulation, and/or performance standards. See “The 510(k) Program: Evaluating Substantial Equivalence in Premarket Notifications [510(k)].”
G	Proposed Indications for Use (Form FDA 3881)	Identification of the proposed indications for use of the device. The term indications for use, as defined in 21 CFR 814.20(b)(3)(i), describes the disease or condition the device will diagnose, treat, prevent, cure, or mitigate, including a description of the patient population for which the device is intended.
H	Classification	Identification of the classification regulation number that seems most appropriate for the subject device, as applicable.
I	Predicates and Substantial Equivalence	Identification of a predicate device (e.g., 510(k) number, De Novo number, reclassified PMA number, classification regulation reference, if exempt and limitations to exemption are exceeded, or statement that the predicate is a preamendments device). The submission should include a comparison of the predicate and subject device and a discussion why any differences between the subject and predicate do not impact safety and effectiveness [see section 513(i)(1)(A) of the FD&C Act and 21 CFR 807.87(f)]. A reference device should also be included in the discussion, if applicable. See “The 510(k) Program: Evaluating Substantial Equivalence in Premarket Notifications [510(k)].”
J	Design/Special Controls, Risks to Health, and Mitigation Measures	Applicable to Special 510(k) submissions only. Identification of the device changes and the risk analysis method(s) used to assess the impact of the change(s) on the device and the results of the analysis. Risk control measures to mitigate identified risks (e.g., labeling, verification). See “The Special 510(k) Program.”
K	Labeling	Submission of proposed labeling in sufficient detail to satisfy the requirements of 21 CFR 807.87(e). Generally, if the device is an in vitro diagnostic device, the labeling must also satisfy the requirements of 21 CFR 809.10. Additionally, the term “labeling” generally includes the device label, instructions for use, and any patient labeling. See “Guidance on Medical Device Patient Labeling.”
L	Reprocessing	Information for assessing the reprocessing validation and labeling, if applicable. See “Reprocessing Medical Devices in Health Care Settings: Validation Methods and Labeling.”
M	Sterility	Information on sterility and validation methods, if applicable. See “Submission and Review of Sterility Information in Premarket Notification (510(k)) Submissions for Devices Labeled as Sterile.”
N	Shelf Life	Summary of methods used to establish that device performance is maintained for the entirety of the proposed shelf-life (e.g., mechanical properties, coating integrity, pH, osmolality), if applicable.
O	Biocompatibility	Information on the biocompatibility assessment of patient contacting materials, if applicable. See “Use of International Standard ISO 10993-1, ‘Biological evaluation of medical devices – Part 1: Evaluation and testing within a risk management process.’”
P	Software/Firmware	Submission of applicable software documentation, if applicable. See “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices.”
Q	Cybersecurity/Interoperability	Submission of applicable information regarding the assessment of cybersecurity, if applicable. See “Content for Premarket Submissions for Management of Cybersecurity in Medical Devices” and “Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices.”
R	Electromagnetic Compatibility (EMC), Electrical, Mechanical, Wireless and Thermal Safety	Submission of the EMC, Electrical, Mechanical, Wireless and Thermal Safety testing for your device or summarize why testing is not needed. See “Electromagnetic Compatibility (EMC) of Medical Devices” and “Radio Frequency Wireless Technology in Medical Devices.”
S	Performance Testing	For non-in vitro diagnostic devices: Provide information on the non-clinical and clinical test reports submitted, referenced, or relied on in the 510(k) for a determination of substantial equivalence. See “Recommended Content and Format of NonClinical Bench Performance Testing Information in Premarket Submissions.” For in vitro diagnostic devices: Provide analytical performance, comparison studies, reference range/expected values, and clinical study information.
T	References	Inclusion of any literature references, if applicable.
U	Administrative Documentation	Inclusion of additional administrative forms applicable to the submission, including but not limited to a general summary of submission/executive summary (recommended), a Truthful and Accuracy Statement, and a 510(k) Summary or statement.
V	Amendment/Additional Information (AI) response	Inclusion of responses to Additional Information requests.

Important information in the eSTAR guidance

In Table 1 above, there are 14 hyperlinks to various FDA guidance documents. These links are extremely helpful when you have questions about a specific question. Unfortunately, the 510k electronic submission guidance document will quickly become out-of-date as guidance documents are updated and are made obsolete. In particular, one of the A-list final guidance documents planned for FY 2023 is the FDA cybersecurity guidance. We expect that guidance to be updated and released any day.

Posted in: 510(k), eSTAR

Auditing Risk Management Files

Posted by Rob Packard on November 1, 2022

What do you look at and look for when you are auditing risk management files to ISO 14971 and the new Regulation (EU) 2017/745?

Your cart is empty

Next week, November 15th @ Noon EST, you will have the opportunity to watch a live webinar teaching you what to look at and what to look for when you are auditing risk management files to Regulation (EU) 2017/745 and ISO 14971. Risk Management Files are one of the essential requirements of technical documentation required for CE Marking of medical devices. Most quality system auditors are trained on how to audit to ISO 13485:2016 (or an earlier version of that standard), but very few quality system auditors have the training necessary to audit risk management files.

Why you are not qualified to audit risk management files

Being a qualified lead auditor is not enough to audit the risk management process. When you are auditing a risk management file, you need risk management training and lead auditor training. To audit the risk management process, you will also need training on applicable guidance documents (i.e., ISO/TR 24971:2020) and applicable regulations (i.e., Regulation 2017/745 and/or Regulation 2017/746). There may also be device-specific guidance documents that specify known risks and risk controls that are considered state-of-the-art.

Creating an audit agenda

Once you have scheduled an audit of risk management files, and assigned a lead auditor, then the lead auditor needs to create an audit agenda. The audit can be a desktop audit that is performed remotely, or it can be an on-site audit. Regardless of the approach, the audit should include interviewing participants in the risk management process documented in the risk management file. As a rule of thumb, I expect a minimum of 30 minutes to be spent interviewing the process owner and one or more other participants. Then I spend an additional 60 minutes of auditing time reviewing documents and records.

Your audit agenda should specify the following items at a minimum:

the method of auditing to be used,
date(s) of the audit,
the duration of the audit,
the location of the audit, and
the auditing criteria.

The auditor(s) and the auditee participants should be identified in the audit agenda. Finally, you should specify which documents and records are required for audit preparation. These documents will be used to help identify audit checklist questions and to determine a sampling plan for the audit. At a minimum, you will need a copy of the risk management procedure and a list of the risk management files that are available to audit. You may also want to request the audit plan for each of those risk management files.

What did you look at and look for during your risk management audit?

When you audit the risk management process, you could take any of the following approaches or a combination of more than one. You could audit the process according to the risk management procedure. You could audit the process according to the risk management plan(s) for each risk management file. You could audit using the process approach to auditing. Finally, you could audit in accordance with specific requirements in the ISO 14971:2019 standard and applicable regulations (i.e., Regulation 2017/745). Regardless of which approach you take, your audit notes and the audit report should identify which documents and records you sampled and what you looked for in each document. Providing only a list of the documents is not enough detail.

Creating an auditing checklist for risk management files

Auditors with limited experience are taught to create an audit checklist by creating a table that includes each of the requirements of the audit criteria. For a risk management file, this would include a list of each of the requirements in ISO 14971 for a risk management file (i.e., Clause 9???). However, this approach is more like the approach that you should be using for a gap analysis. The better approach for creating an audit checklist for risk management files is to start by creating a turtle diagram. In the “process inputs” section (i.e., step 2 of 7), you would add questions derived from your review of the risk management plan(s). In the “process outputs” section (i.e., step 3 of 7), you would add questions specific to the risk management report and other records required in a risk management file. In the “with whom” section (i.e., step 5 of 7), you would add questions related to training and competency. You might also identify additional people involved in the risk management process, other than the process owner, to interview as a follow-up trail. In the “how done” section (i.e., step 6 of 7), you would add questions specific to the procedure and forms used for the risk management process. Finally, in the “metrics” section (i.e., 7 of 7), you would verify that the company is conducting risk management reviews and updating risk management documentation in accordance with the risk management procedure and individual risk management plan(s).

Audits are just samples

Just because you can generate a lot of questions for an audit checklist does not mean that you are required to address every question. Audits are intended to be a “spot check” to verify the effectiveness of a process. You should allocate your auditing resources based on the importance of a process and the results of previous audits. I recommend approximately three days for a full quality system audit, and approximately 90-minutes should be devoted to a process unless it is the design control process (i.e., Clause 7.3 of ISO 13485) which typically requires three to four hours due to the importance and complexity of the design controls process. Therefore, you should schedule approximately 30 minutes to interview people for the risk management process and approximately 60 minutes should be reserved for reviewing documents and records. With this limited amount of time, you will not be able to review every record or interview everyone that was involved in the risk management process. This is why auditors always remind auditees that an audit is just a sampling.

Which records are required in a risk management file?

The contents of a risk management file is specified in ISO 14971:2019, Clause 4.5. There are only four bullets in that section, but the preceding sentence says, “In addition to the requirements of other clauses of this document.” Therefore, your risk management file should address all of the requirements in ISO 14971:2019. What I recommend is a virtual risk management folder for each risk management file. As the auditor, you should also request a copy of the risk management policy and procedure. An example of what this would look like is provided below. The numbers in front of each subfolder correspond to the sub-clause or clause for that requirement in ISO 14971:2019.

Risk Management File Example Auditing Risk Management Files Which records are most valuable when auditing risk management files?

As an auditor, I typically focus on three types of targets when auditing any process. First, I will sample any corrective actions implemented in response to previous audit findings. Second, will sample documents and records associated with any changes made to the process. Changes would also include any changes that were made to individual risk management files or the creation of a new risk management file. Finally, my third target for audit sampling is any item that I feel is at risk for safety or performance failures. The severity of the safety or performance failure is also considered when prioritizing audit sampling. In the context of a risk management file, I always verify that production and post-production activities are being conducted as planned. I try to verify that risk analysis documentation was reviewed for the need to update the documentation in response to complaints and adverse events.

More auditor training on risk management files

We are recording a live webinar intended to teach internal auditors and consultants how to perform a thorough audit of risk management files against the requirements of the new European Regulation (EU) 2017/745 and ISO 14971.

Auditing Risk Management Files

In this new webinar, you will learn how to conduct a process audit of risk management files. You will learn what to look at and what to look for in order to verify compliance with Regulation (EU) 2017/745 and ISO 14971:2019. The webinar will be approximately one hour in duration. Attendees will be invited to participate in the live webinar and receive a copy of the native slide deck. Anyone purchasing after the live event will receive a link to download the recording of the live event and the native slide deck.

Price: $64.50

In addition to this webinar on auditing risk management files, we also have other risk management training webinars available. The webinar on auditing risk management files will be hosted live on November 15, 2022 @ Noon EST (incorrect in the live video announcement).

Tags: Audit, ISO 14971

Posted in: Auditing, CE Marking, ISO 14971:2019 (Risk Management), ISO Auditing, Remote Auditing

Leave a Comment (0) →

What is an FDA Breakthrough Device Designation?

Posted by Rob Packard on October 25, 2022

The FDA Breakthrough Device Designation was created in 2015 to expedite device access for life-threatening and debilitating diseases.

What is the FDA Breakthrough Device Designation?

The FDA Breakthrough Device Designation is a formal identification by the US FDA that a device in development should be expedited for patient access because it has a reasonable chance of providing more effective treatment than the standard of care for the treatment or diagnosis of life-threatening or irreversibly debilitating human disease or conditions.

To be granted breakthrough status, your device must also meet at least one of the following four secondary criteria:

Represents Breakthrough Technology
No Approved or Cleared Alternatives Exist
Offers Significant Advantages over Existing Approved or Cleared Alternatives
Device Availability is in the Best Interest of Patients

Once the FDA has designated your device as a breakthrough device, all future communications with the FDA related to that device should be identified with the Q-sub reference number assigned to your breakthrough request.

What are the benefits of receiving the designation?

The breakthrough designation helps the FDA identify new technology to focus on in order to expedite access to novel devices that will save lives and treat debilitating diseases. It takes the FDA longer to review these devices because they may raise novel scientific and regulatory issues. Therefore, the FDA prioritizes 510k and De Novo submissions for breakthrough devices over other 510k and De Novo submissions, and the FDA’s senior management is involved in the review process. The average review time for the seventeen 510k cleared breakthrough devices was 155 days*. This may not seem like an expedited review, but the average review time for 510k cleared devices that require additional testing data is almost 270 days. The average review time for the twenty De Novo Classification Requests designated as breakthrough devices was 251 days*. This represents a significant improvement compared to the average De Novo Decision timeline of 338 days for 2019-2022.

*Metrics updated on 10/31/2022 with data through 9/30/2022

Breakthrough Device Designation by the FDA also has a benefit concerning reimbursement. Typically new technology is not covered by CMS for the first two years. Specifically, the Centers for Medicare and Medicaid Services (CMS) typically takes two years to establish qualification for public reimbursement coverage in the USA. In contrast, private insurers are inconsistent in their coverage because Medicare Administrative Contractor (MAC) is divided into 13 different US regions, each making independent coverage decisions case-by-case. When you receive Breakthrough Device Designation, you receive immediate coverage through CMS until traditional coverage takes effect. This interim coverage period allows your company to establish the clinical benefits of your device so that you can apply for payment and coding to establish long-term reimbursement coverage.

Mechanisms of Expedited FDA Review

In addition to identifying breakthrough devices for priority review and involving the FDA’s senior management, the FDA also offers four other mechanisms for improving the review time. First, the FDA offers “Sprint discussions.” A “Sprint” discussion allows the FDA and the company to discuss a single topic and reach an agreement in a set time period (e.g., 45 days). The FDA provides an example of a Sprint discussion similar to a pre-submission meeting, but the overall timeline is half the duration of the FDA’s target MDUFA V decision goals.

The second mechanism for improving the review time is a Data Development Plan (DDP). Using this mechanism, the FDA will work with the company to finalize the non-clinical and clinical testing plans for the breakthrough device. This may include starting clinical testing earlier while deferring certain non-clinical testing.

The third mechanism for improving the review time is Clinical Protocol Agreement. In this scenario, the FDA will interactively review changes to clinical protocols rather than conducting a protocol acceptance review first. Therefore, the time required to review and approve a clinical protocol change is less, and the sponsor can complete their clinical studies in less time.

The fourth mechanism for improving the review time is a prioritized pre-submission review. If a company prefers to discuss multiple issues in one meeting rather than conducting Sprint discussions on single topics, then the FDA will prioritize pre-submission review. The prioritized pre-submission will be tracked as an interactive review with a shorter timeline than other pre-submission meeting requests.

How do you apply to the FDA for Breakthrough Designation?

To receive the designation, you must prepare a Breakthrough Device Designation request and submit it to the FDA Document Control Center (DCC) as an eCopy. The eCopy can be done via FedEx or through the new Customer Collaboration Portal (CCP) launched by the FDA in 2022. Your application could consist of a single document, but we recommend at least three documents: 1) a formal request outlining how your device meets the criteria for breakthrough designation, 2) a detailed device description, and 3) preliminary clinical data demonstrating the feasibility of your device delivering performance claimed in your request for designation. There are no user fees associated with the application for breakthrough designation, and you are not prevented from submitting other types of submissions in parallel with the breakthrough designation request, such as a pre-submission or investigational device exemption (IDE).

When should you apply to the FDA?

If the FDA denies an initial breakthrough designation request, the company may re-submit a request at a later date. Therefore, companies should submit requests as soon as they can provide preliminary clinical data to demonstrate the feasibility of the device’s claimed performance. Therefore, a breakthrough designation request would typically be submitted at the conclusion of an Early Feasibility Study (EFS), which allows a maximum of ten clinical subjects.

How many companies have received Breakthrough Designation from the FDA?

of Breakthrough Designations vs. Year 2 What is an FDA Breakthrough Device Designation?

Since the start of the Breakthrough Designation program in 2015, the FDA has granted 728 devices Breakthrough Device Designation*. CDRH, the device division of the FDA, granted 722, while CBER, the biologics division of the FDA, granted 6*. The breakthrough designation, however, does not guarantee FDA market authorization. Only 56 of the breakthrough designations have resulted in market authorization so far. Two of the 56 devices were reviewed by CBER. Of the remaining 54 devices, 16 devices received 510k clearance, 18 De Novo Classification Requests were granted, and 20 PMAs were approved*. Given the number of submissions received each year, only 10-15% of De Novo and PMA submissions are also Breakthrough Devices. In contrast, only about 0.1% of 510k submissions are also Breakthrough Devices.

*Metrics updated on 10/31/2022 with data through 9/30/2022

Tags: Breakthrough Device Designation

Posted in: De Novo, FDA

Leave a Comment (0) →

How long does it take FDA to review De Novo submissions?

Posted by Rob Packard on October 18, 2022

The new FDA goal is to review De Novo submissions within 150 days for 70% of De Novo submissions, but how long does it take now?

What is an FDA De Novo submission?

An FDA De Novo submission is an application submitted to the FDA for creating a new device product classification. There are three classifications of devices by the FDA: Class 1, Class 2, and Class 3. Class 1 devices are the lowest-risk devices, and they only require general controls. Class 2 devices are moderate-risk devices that require “Special Controls,” and Class 3 are high-risk devices that require Pre-Market Approval (i.e., PMA). De Novo applications can only be submitted for Class 1 and Class 2 devices, and most of the De Novo submissions require clinical data to demonstrate that the clinical benefits of the new device classification outweigh the risks of the device to patients and users.

What is the FDA’s goal for a decision timeline?

Initially, the FDA required that Class 2 devices must be first submitted as a 510k submission. If the device did not meet the criteria for a 510k, then the company could re-submit a De Novo Classification Request to the FDA. On July 9, 2012, the regulations were revised to allow companies to submit De Novo Classification Requests directly. This makes sense because some devices have novel indications for use, and submission of a 510k would be a complete waste of time in money. For example, the first SARS-COV-2 test had to be submitted as a De Novo by Biofire to obtain permanent approval for the test instead of emergency use authorization (EUA).

On October 4, 2021, the FDA published a final rule for the review timeline of De Novo Classification Requests. This new regulation identified the review clock for a De Novo as 120 calendar days. Even though 120 days is 30 days longer than the FDA review clock for a 510k, the actual timeline to review De Novo submissions was much longer.

Every five years, when Congress reauthorizes user fee funding of the FDA, new MDUFA goals are established. The draft MDUFA performance goals (which impact FDA funding) were published recently. The specific performance goal to review De Novo submissions is:

FDA will issue a MDUFA decision within 150 FDA Days for 70% of De Novo requests.

There are two problems with this goal. First, the term “FDA Days” is based on calendar days minus the number of days the submission was placed on hold, and we don’t have any visibility into the number of days submissions are placed on hold. In the past, submissions could be placed on hold multiple times during the Refusal to Accept (RTA) screening process, and the “FDA Days” is reset to zero days each time the company receives an RTA hold letter. In addition, even after the submission is finally accepted, the FDA places the submission on hold when they request additional information (i.e., AI Hold). RTA and AI Hold periods can last up to 180 days, and during the Covid-19 pandemic, companies were allowed to extend this up to 360 days.

The second problem with the MDUFA goal is that we only have visibility into the outcome of De Novo submissions that were granted. More than 60 De Novo submissions are submitted each year, but the number of De Novo Classification Requests granted ranged between 21 and 30 over the past three years. Therefore, the 50%+ of De Novo applications denied could skew the % of De Novo that meets the MDUFA goal.

What is the FDA track record in reviewing a De Novo?

Every CEO I speak with asks the same question: “How long does the FDA review take?” In preparation for a webinar I taught about De Novo Classification Requests in 2019, I researched the latest review timelines for De Novo submissions. I expected the review timelines to be close to 150 calendar days because the FDA decision goal was 150 FDA days. The 150-day goal was set in 2018 when Congress approved MDUFA IV. The 2019 data held two surprises:

only 21 De Novo requests were granted in 2019, and
the average review timeline was 307 calendar days (i.e., the range was 108 days to 619 days).

FDA days are not the same as calendar days. Only 23.8% of De Novo submissions were reviewed within 150 calendar days. The FDA doesn’t calculate the number of FDA days as calendar days, but there is no way to know how much time each De Novo spent on hold publicly. Upon seeing the announcement of a new decision goal for MDUFA V on October 5, 2022, I decided to revisit my previous analysis.

De Novo review timeline How long does it take FDA to review De Novo submissions?

*Only 9+ months of data for 2022, because data was collected on October 17, 2022.

We can blame the Covid-19 pandemic for the slower review timelines during the past few years, but you would expect a longer average duration in 2020 if that was the root cause of the FDA’s failure to achieve the MDUFA IV target of 150 calendar days. You would also expect 2021 to have the longest review timelines. Instead, the review timelines are the slowest for 2022. The number of De Novo submissions remains small, and therefore it is hard to be conclusive regarding the root cause of the failure to reach the 150-day decision goal. In addition, the percentage of De Novo applications granted within 150 calendar days was lowest in 2021, as you would expect if the reason for delays is primarily due to the Covid-19 pandemic.

Is there any good news?

The FDA is allowing the new eSTAR templates to be used for De Novo Classification Requests. These new electronic submission templates standardize the format of all 510k and De Novo submissions for FDA reviewers. The eSTAR also forces companies to answer all questions in the FDA reviewer’s checklist to ensure the submission is complete and accurate before the new submission is submitted to the FDA.

The new eSTAR templates were first used in 2021, and our firm has observed shorter overall review timelines and fewer deficiencies identified by FDA reviewers when they submit an “Additional Information Hold” (AI Hold) to companies.

How can the FDA improve De Novo timelines?

The FDA, industry, and Congress seem to be taking the same approach pursued five years ago to improve the review timeline for De Novo submission. MDUFA V authorized additional user fees for De Novo submissions (i.e., 17.8% increase), and the FDA will be authorized to hire additional employees each year during MDUFA V if the performance goals are met. However, there are three other options that the FDA and industry should have seriously considered during the FDA-industry negotiations.

The first option that should have been considered is to allow third-party reviewers to review the elements of a De Novo that are identical to a 510k submission:

sterilization validation
shelf-life testing
biocompatibility testing
software validation
electrical safety testing
EMC testing
wireless testing
interoperability testing
benchtop performance testing
animal performance testing
human factors engineering

The above approach would require blended pricing where the FDA charges a smaller user fee than a Standard De Novo user fee, and the third-party reviewer charges a smaller fee than a 510k. The combined cost would be higher than the FDA Review of a De Novo, but this would reduce the number of hours the FDA needs to complete their review of a De Novo, and it would allow for pricing that is much lower than the De Novo standard user fee for qualified small businesses.

A second approach would be to pilot a modular review approach. A modular review would be similar to modular reviews for PMA submissions. In a modular review, the FDA can review most submission sections and provide feedback before the human clinical performance data is available. This would not help the few De Novo submissions that do not include human clinical performance data, but this would have a profound positive impact on most De Novo projects. First, the FDA would be able to complete the review of all sections in the submission except the human clinical performance data without delaying the final De Novo decision. Second, a successful review of non-clinical data by the FDA would give investors more confidence to fund pivotal clinical studies required to complete the De Novo submission.

A third approach would be for the FDA to force manufacturers to submit testing plans and protocols as pre-submissions to the FDA. This approach would give the FDA more familiarity with each device and the testing plan before reviewing the data. This approach would also reduce the hours FDA reviewers spend reviewing data that doesn’t meet the requirements and writing deficiencies. This approach would also give investors more confidence to fund De Novo projects for all V&V testing.

Posted in: De Novo

What is MDUFA V?

Posted by Alysha Bellarouse on October 10, 2022

MDUFA V is the agreement between the FDA and the medical device industry to fund the review of medical device submissions by the FDA.

What is MDUFA V?

The Medical Device User Fee and Modernization Act (MDUFMA or MDUFA) is a set of agreements between the Food and Drug Administration (FDA) and the medical device industry to provide funds for the Office of Device Evaluations (ODE) to review medical device submissions. FDA user fees were first authorized via MDUFMA in 2002 for FY 2003. Each MDUFA reauthorization has lasted five years, and FY 2023 will be the 21st year.

How are the MDUFA V user fees decided?

Section 738A(b)(1) of the FD&C Act requires that FDA consult with a range of stakeholders, including representatives from patient and consumer advocacy groups, healthcare professionals, and scientific and academic experts, in developing recommendations for the next MDUFA five-year cycle. The FDA initiated the reauthorization process by holding a public meeting on October 27, 2020, where stakeholders and other public members were allowed to present their views on the reauthorization. The following is a list of the four industry groups represented in the MDUFA V negotiations with the FDA:

The FD&C Act further requires that FDA continue meeting with the representatives of patient and consumer advocacy groups at least once every month during negotiations with the regulated industry to continue discussions of stakeholder views on the reauthorization and their suggestions for changes.

What are FDA user fees?

At the very core of it, the FDA user fees fund the FDA Office of Device Evaluation (ODE) budget. Without these user fees, the FDA cannot begin reviewing a medical device submission. This includes 510k, PMA, and De Novo submissions. Before the FDA assigns a reviewer to your submission, you must pay the appropriate device user fee in full unless eligible for a waiver or exemption. If you pay the user fee by credit card, you will need to allow a few extra days for the user fee to clear. Otherwise, your submission will be placed on “User Fee Hold.” Small businesses may qualify for a reduced fee. The FDA will announce the user fees for FY 2024 in a Federal Register notice next August 2023.

When does MDUFA V take effect?

Our team regularly checked the announcement of the MDUFA V user fees from August until last week’s announcement. The announcement of the FY 2023 user fees was delayed because Congress did not approve the MDUFA reauthorization until the last week of September. The new user fees were originally expected to take effect on October 1, 2022, but the announcement of actual user fees for 2022 was announced on October 5, 2022. This was two months later than expected.

Why was MDUFA V delayed, and will it happen again?

MDUFA V was delayed because the user fee reauthorization requires an act of Congress. The House of Representatives approved the Food and Drug Amendments of 2022 on June 8, 2022. However, the Senate did not file a bill until after the August recess. There were also differences between the legislation proposed by the House and the Senate. Therefore, to ensure that the FDA did not have to furlough employees when MDUFA IV funding expired, a temporary reauthorization was approved and signed by the President on September 30, 2022. The short-term continuing resolution is a temporary stopgap to continue funding the FDA until December 16, 2022. However, the continuing resolution covers funding for medical device user fees through September 30, 2027. Therefore, the device industry can expect the FDA to continue to operate regardless of the outcome of temporary policies that expire this December. Still, similar delays occurred with previous MDUFA reauthorization, and we expect more of the same US partisan politics between August 2027 and the November 2027 election.

How much did MDUFA V user fees increase?

The increase is dependent upon the fee type. Annual registration fees are increasing by 14.47% (i.e., $5,672 to $6,493). The MDUFA V user fees increased by a stupendous amount (+55.90%) from $12,745 to $19,870 for the 510k user fees. Yikes! De Novo Classification Requests increased by 17.79% from $112,457 to $132,464. Other submissions increased by similar amounts. For more details, check out the table below (also posted on our homepage).

20190810 075548 300x225 What is MDUFA V?

FDA User Fee FY 2023 represents a 55.90% increase in the 510(k) user fee

FY 2023 User Fees 1024x587 What is MDUFA V?

Do user fees ever decrease?

If we lived in a magical world where gas prices dropped and stayed low, the inflation-adjusted pricing would decrease for FDA user fees. That has happened once, but I fit into skinny jeans once too.

Why is August 1st important?

August 1st is the first day the FDA starts to accept Small Business Certification Requests for the new fiscal year. That means any small business that wants to keep small business status needs to reapply, and any new business that qualifies for small business status must also apply. The importance of applying for small business status is how much you could save on your submission. The FDA will complete its review of the Small Business Certification Request within 60 calendar days of receipt. Upon completion of the review by the FDA, the FDA will send you a decision letter with your small business designation number or a justification for denial.

Does small business status expire?

Yes, small business status expires. The small business status expires on September 30 of the fiscal year it is granted. A new MDUFA Small Business Certification Request must be submitted and approved each fiscal year to qualify as a small business. If you forget to reapply for small business status on August 1, you can reapply anytime during the year. Still, you will temporarily lose small business status from October 1 until the qualification is renewed. The good news is there is no fee associated with the submission of a Small Business Certification Request. For more information, please visit our webpage dedicated to small business qualifications.

Tags: FDA User Fees, MDUFA V

Posted in: 510(k), De Novo, FDA

FDA Registration and Listing for Medical Devices

Posted by Rob Packard on August 26, 2022

Do you need help completing your initial FDA registration and listing for a medical device? Watch our video to learn how.

The two most common situations for when a company needs to register its establishment with the FDA are 1) when the company is a contract manufacturer and producing a finished device for the first time, and 2) when the company is a specifications developer that recently received a 510k and is about to begin distribution of the newly cleared product. If your company is a specification developer, and you have not yet submitted your first 510k, then you must complete your Medical Device User Fee Cover Sheet first. If you have already received 510k clearance, or your device is exempt from 510k clearance, this article and the associated video will help you complete your FDA registration and listing.

Small Business Status does not apply to FDA registration

Most first-time 510k submissions are from small companies. If your company has gross receipts of less than $100 million, you should apply for status as a small business by completing FDA Form 3602 (for US-based companies) or FDA Form 3602A (for foreign companies)–along with your company’s tax return for the previous year. You should apply every year on August 1^st. The qualification process takes 60 days, and you never know when you might need to submit a 510k for a device modification. Qualifying for small business status saves substantially on FDA submission fees. The FDA’s review and decision regarding your application for small business status require 60 days, and the status expires each year on September 30^th. If you want additional information about small business qualifications, we created a webpage dedicated to this topic.

Medical Device User Fee Amendment (MDUFA)

A few weeks before you submit your first 510k to the FDA, it is recommended that you create a new account for the user fee website and make your Device Facility User Fee (DFUF) payment. This is the website you must access to pay the 510k submission fee. If you are taking advantage of small business status, you will need the Small Business Decision Number you received in the FDA decision letter in response to FDA Form 3602A. Small and large businesses should follow the directions in the guidance document to set up a new MDUFA account.

DFUF Website FDA Registration and Listing for Medical Devices

Once the user fee account has been created, you need to complete a 510k user fee cover sheet. The FDA provides instructions on how to complete the cover sheet. Payment must be submitted to the FDA as well, and the FDA offers multiple ways to pay the user fee for FDA registration.

After you submit your 510k and receive your 510k clearance letter, you may now begin the marketing and distribution of a product. Once a company starts distributing a new product, the company has 30 days to register the facility and list each device with the FDA. Before registering with the FDA, you must also make a second DFUF payment for the establishment registration fee of $5,672 (the Establishment Registration User Fee increases annually). There is no discount for small business status when paying the FDA registration fee, and the fee is not prorated. Discounts are only available for submission fees (e.g., the 510k user fee). The FDA registration fee must be paid for each facility registered between October 1 and December 31. Your registration will become inactive if renewal fees are not paid on time.

FDA Registration and Listings System (FURLS) Database

The FURLS database is a separate database where companies register facilities and list devices with the FDA. The FURLS account ID and password used for FDA registration of your facility is separate from the user name and password for the user fee website used for the DFUF payment. After you pay the annual registration user fee, you will receive the following information via email: Payment Identification Number (PIN) and Payment Confirmation Number (PCN). You will need this information to complete the registration in the FURLS database.

FURLS Website FDA Registration and Listing for Medical Devices

To create a new FURLS account, you access the following website. This new account should only be created if your company does not already have an account, and the person creating the account should be a trusted manager with the authority to designate sub-accounts when needed. Creating a new account will result in issuing an account ID, and you will need to select a password during the process. You need this information for logging into the system in the future. The FDA also has an account management page if you already have an FDA registration and listing account and need help managing it or making changes.

FDA Registration and Listing – Additional Resources

The FDA created a webpage explaining medical device FDA registration and listing, but the following page is the place I recommend that most companies begin reading. If you want Medical Device Academy to help you with FDA registration, we offer this free of charge to our 510k submission clients and turnkey quality system clients. New clients, and clients that have not hired us for a 510k or quality system, can hire us as a US Agent and/or help with registration and listing by using our calendly link for registration and listing assistance.

If you want additional training on registering and listing your facility with the FDA, please visit the updated CDRH Learn webpage: (Click on “Start Here/The Basics”). The FDA offers a “post-test” and certificate for anyone completing the post-test. I recommend completing this training before setting up a new account and anyone responsible for updating the FDA registration and listing information.

Tags: FDA establishment registration, FDA medical device establishment registration and listing, Medical device establishment registration

Posted in: FDA

FDA CCP now accepts FDA eSTAR & eCopy

Posted by Rob Packard on July 24, 2022

Finally, we can use the new FDA CCP to eliminate FedEx shipments, and 100% of your submissions will be electronic through the portal.

July 2022 Update for the FDA eCopy process

The FDA created a Customer Collaboration Portal (CCP) for medical device manufacturers. Originally, the portal’s purpose was to provide a place where submitters can track the status of their submissions and verify the deadlines for each stage of the submission review process. Last week, on July 19, the FDA emailed all active FDA CCP account holders that they can upload both FDA eCopy and FDA eSTAR files to the portal 100% electronically. Since our consulting team sends out submissions daily, everyone on the team was able to test the new process. If you have a CCP account, you no longer need to ship submissions via FedEx to the Document Control Center (DCC).

FDA CCP step-by-step uploading process

When you are uploading an FDA eCopy for medical device submission to the Document Control Center (DCC), using the new FDA CCP, the following steps are involved:

Confirm your eCopy complies with FDA’s eCopy guidance.
Compress your eCopy into a “.zip” file.
Sign in to the portal on the login page
Click on the “+” symbol on the left panel of the webpage (if you hover over the “+” symbol, you will see “Send a submission”)
Select your desired upload format (pre-submissions, meeting minutes, breakthrough device designations, and withdrawal letters must be submitted as an eCopy)
Click on the “Next” button that appears below the selection formats once a format is selected
Drag & drop your single “.zip” file here, or browse for it.
Click on “Send” button to complete the uploading process.
Verify that the FDA CCP site gives you a confirmation for the successful uploading of your submission.

FDA Q&A about the new FDA CCP Submission Uploading Process

Medical Device Academy Question: Who will be permitted to use the FDA CCP to upload submissions for the DCC? FDA Response: We will first offer this feature in batches to people like you who already use CCP so we can study its performance. We will then refine it and make it available to all premarket submitters.
Medical Device Academy Question: What do you need to use the FDA CCP? FDA Response: You don’t need to do anything to participate since you already use CCP. We will email you again when you can start sending your next submissions online.
Medical Device Academy Question: Suppose another consultant asks me to submit an eSTAR or eCopy for them, or I do this for a member of my consulting team. Is there any reason I cannot upload the submission using my account even though the other person is the official submission correspondent and their name is listed on the cover letter? FDA Response: The applicant and correspondent information of the submission is still used when logging the submission in. The submitter (i.e., the person uploading the submission) is not used in any part of the log-in process. The submission portal is essentially replacing snail mail only; once the DCC loads the submission, whether it be from a CD or an online source, the subsequent process is identical to what it used to be, for now.
Medical Device Academy Question: Is there any type of eCopy that would not be appropriate for this electronic submission process (e.g., withdrawal letters, MAF, or breakthrough device designations)? FDA Response: You can use the eCopy option to submit anything that goes to the DCC, so all your examples are fair game, though interactive review responses would still be emailed to the reviewer.
Medical Device Academy Question: How can I get help from the FDA? FDA Response: If you have questions, contact us at CCP@fda.hhs.gov.

Tags: Customer Collaboration Portal, eCopy, FDA CCP

Posted in: 510(k), De Novo

CAPA procedure, How do you improve quality and prevent nonconformity?

Posted by Rob Packard on June 29, 2022

Your CAPA procedure is the most important SOP. It forces you to investigate quality problems and take actions to prevent nonconformity.

Your cart is empty

CAUTION: Read the story in the next few paragraphs before you implement any purchased procedure

During a recent internal audit, I noticed that the client was not meeting one of the requirements of their CAPA procedure. Specifically, the procedure indicated that all CAPA plans must be written within seven calendar days of initiating the CAPA. Despite this requirement in their procedure, the client was indicating that CAPA plans were due within 30 calendar days on their CAPA form.

This example is a minor nonconformity, but the reason why this client was not following their procedure is more interesting. The procedure was 100% compliant with FDA regulations, but the procedure did not match how the company performed the process. The procedure and the process MUST match.

This client purchased their CAPA procedure from another consultant, changed the title, and had everyone in the company “read and understand” the procedure for training.

Make sure your CAPA procedure is clear and concise

Procedures are often unclear because the author is more familiar with the process than the intended audience for the procedure. An author may abbreviate a step or skip it altogether. As an author, you should use an outline format and match your CAPA form exactly. There should be nothing extra in the procedure, and nothing left out. Medical Device Academy’s updated CAPA procedure is only six pages and the CAPA form is four pages.

Corrective and Preventive Action CAPA Procedure CAPA procedure, How do you improve quality and prevent nonconformity?

SYS-024 Corrective and Preventive Action (CAPA) Procedure, Form, and Log

SYS-024 – Medical Device Academy’s newly updated CAPA procedure is a 6-page procedure. Your purchase will also include our CAPA form (FRM-009), and our CAPA log (LST-005). The procedure is compliant with ISO 13485:2016, 21 CFR 820.100, SOR 98/282, and the EU MDR. You will also receive free updates in the future. We are currently distributing our 16th version of the procedure.

Price: $299.00

CAPA procedure writing recommendations

Procedures are often unclear because the author is an expert with more experience than the intended audience. An author may abbreviate a step or skip it altogether. As an author, you should use an outline format and match your CAPA form exactly. There should be nothing extra in the procedure, and nothing left out. Before writing your own CAPA procedure, consider following these 7 steps:

Design your CAPA form first
Identify which steps in your process are most important and specify how these steps will be monitored (i.e., risk-based approach)
Write a procedure that follows your CAPA form and includes instructions for monitoring and measuring your CAPA process
Conduct group CAPA training using the draft version of your form and procedure
Make revisions to the form and procedure to clarify steps the trainees had difficulty with
Ask the trainees to review the revised form and procedure
Make final revisions and route the procedure for approval

The specific order of steps is essential to creating a CAPA procedure—or any procedure. Writing a procedure that matches the form used with that procedure helps people understand the tasks within a process. Throughout the rest of this article, we describe each of the nine steps of Medical Device Academy’s CAPA procedure (SYS-024). The actual CAPA form (FRM-009) sold with SYS-024 is more complex than 9 steps, but a more complex form is needed to make sure every sub-task is documented in your CAPA records.

Review nonconformities, including complaints, to determine if a CAPA is needed (Step 1)

If I am auditing a CAPA process, and almost all the CAPAs are resulting from auditor findings, then I know the client is not adequately reviewing other sources of potential quality issues. When I took my first CAPA training course, the image below was drawn on a flip chart by Kim Trautman. I have used this image in all of my CAPA training for other people since. I think this provides a good visual representation of the most common sources of new CAPAs. Although the number of CAPAs from each source will never be equal, you should review all of these data sources for quality issues periodically.

Risk based CAPA Process Diagram 1024x465 CAPA procedure, How do you improve quality and prevent nonconformity?

CAPA procedure step 2 – Describe and reference the quality issue

The next step is to copy and paste your quality issue directly into the CAPA record and add a reference to the source. This step of the CAPA procedure is not a specific requirement of the ISO 13485 standard or the FDA regulations. However, describing and referencing quality issues in your CAPA record is a practical requirement. The person assigned to investigate the root cause of the quality issue needs to know what the source of the quality issue is, and when you are trying to close a complaint or audit report you will find it helpful to cross-reference the two records. For example, the CAPA might be related to the fifth nonconformity in your second internal audit report for 2022 (e.g. IA 220205).

Copy and Paste 300x146 CAPA procedure, How do you improve quality and prevent nonconformity?

Copy & Paste into your CAPA Record

Attribution: Icons were copied and pasted from Flaticon.com.

Step 3 – Perform a root cause analysis

Why can’t we fix our mistakes the first time? We are doomed to repeat mistakes when we fail to identify the root cause or causes. The person you assign to investigate a quality issue must be trained to perform a thorough root cause analysis. Successful root cause analysis depends upon four things:

Courage to admit that your process is broken
Learning more than one tool for analyzing problems
Practicing the use of root cause analysis tools
Sampling enough records (or testing enough product)

The common belief is that people fail to identify the root cause because they need root cause training (#2) or more practice (#3). However, most people fail because they stop sampling or testing too soon. I typically recommend that companies sample at least twice as many records as the suspected problem frequency. For example, if a complaint occurs 1% of the time, you should review 200 records before you can be sure you identified that root cause. If you are correct, you will only find the quality issue twice in the 200 records. However, a review of 200 records often reveals that the quality problem is more common than you originally estimated and there is more than one cause of device malfunction.

CAPA procedure step 4 – Do you need a new CAPA?

After you have successfully completed a root cause analysis, you now need to determine if a new CAPA is needed. If there is already a CAPA that is open for the same quality issue, you can use the existing CAPA as justification for not conducting corrective actions. In this case, you should include a cross-reference in the new CAPA record to the existing CAPA record. You should also document containment measures and corrections.

In both the existing CAPA record and your new CAPA record you should also be documenting your risk evaluation of your CAPA. In the latest update to our CAPA procedure, we changed the method of risk evaluation to match the MDSAP grading process for nonconformities. A copy of this section is provided in the image below.

CAPA Procedure Risk Evaluation Section 1024x231 CAPA procedure, How do you improve quality and prevent nonconformity?

In the CAPA procedure, we state that any risk score of 4 or 5 requires the implementation of a CAPA. If any of the escalation rules apply to the risk score, you should implement a CAPA regardless of the total risk score. This is our recommendation for a method of risk evaluation, but there is no standard telling you that you must do it this way. However, we believe this method of calculation is more likely to be consistent because it is based on the MDSAP grading guidelines.

If no escalation rules apply to your risk score, it may be possible to implement containment and corrections only. If your action plan includes only containment and corrections, we recommend that you monitor the quality issue as a process metric or quality objective to identify future occurrences. If you are evaluating a new CAPA that appears to have the same root cause as an existing CAPA, you may need to update the risk score of the existing CAPA to a higher number based on the escalation rules. Escalation may impact your corrective action plan, and it should certainly affect the prioritization of your existing CAPA.

Plan and document your corrective actions, including updating documentation (Step 5)

The biggest mistake you can make in this stage of the CAPA process is to spend too much time planning your corrective actions. “Take action and document it” is the essence of this step in the CAPA procedure. If you spend all of your time planning, then you will never take action. The CAPA plan can and should be edited. Therefore, if you know a procedure needs revision, start revising the procedure immediately. You can always add more corrective actions to your corrective action plan after you write the procedure, but you need to start writing. The second biggest mistake you can make during this stage is failing to document the actions you take. If you don’t document your actions, it’s a rumor, not a record.

Take Action and Document It 1024x121 CAPA procedure, How do you improve quality and prevent nonconformity?

Do your planned actions adversely affect regulatory compliance or safety and performance? (Step 6)

One of the required actions for a CAPA is to update your procedure(s) to reflect any process improvements to eliminate the root cause. When you update procedures, you need to make sure procedural changes do not create a regulatory compliance issue. We do this by inserting a cross-reference to each regulatory requirement in our procedures. The cross-reference is then color-coded and we add a symbol for people that are color blind. Symbols also facilitate electronic searches for regulatory requirements.

If corrective actions you implement involve design changes you will need to repeat design verification and design validation to make sure design changes do not impact safety and performance. If corrective actions change your manufacturing or service processes, you will need to repeat process validation to make sure that the process changes do not impact compliance with your design specifications. These recertification and revalidations steps are frequently forgotten, and they represent the biggest challenge for review and approval of design and process changes (described in the video below).

Perform an effectiveness check – Step 7 of your CAPA procedure

Most people verify CAPA effectiveness by verifying that all the actions planned were completed, but this is not a CAPA effectiveness check. An effectiveness check should use quantitative data from your investigation of the root cause as a benchmark. Then you should verify that the performance after corrective actions is implemented resulted in a decrease in the frequency of the quality problem, a decrease in the severity of the quality problem, or both. Ideally, a process re-validation was performed because validation protocols are required to include quantitative acceptance criteria for success.

Step 8 – Record your CAPA results

You are required to record each step of your CAPA procedure in a CAPA record (FRM-009). Therefore, we created a form that is organized in the order of the CAPA process, and then we wrote the CAPA procedure to match the organization of the form. The biggest mistake we see is that the CAPA owner does not update the record to include all of the details until the CAPA plan is completely implemented. This is a mistake. You should be documenting actions when they are taken. When you gather new information, and you need to update your root cause investigation or your corrective action plan, you are allowed to modify the record. You just need to have a system that allows you to keep track of revisions. This is often referred to as an “audit trail.” If you have a paper-based system, you will need to sign and date the document each time you make an addition. If you revise previous entries, you will need to revise and reprint the CAPA record, and then you will need to sign and date the revised and reprinted CAPA record. Ideally, you will have an electronic system with an audit trail, but software budgets are not infinite.

CAPA procedure step 9 – Close the CAPA record

The last step in the CAPA procedure is to close your CAPA record. As with most quality system records, the person responsible for the process should review and approve each record for closure with a signature and date. If the person assigned to the CAPA left sections incomplete or made mistakes in completing the CAPA form, the person that made the mistake should be instructed to correct the mistake, identify that they made a correction, and identify the date of the correction. If a CAPA is not effective, then a cross-reference to the new CAPA that is opened should be documented in the older CAPA record.

CAPA Training

If you are interested in more training on CAPA, you might be interested in purchasing Medical Device Academy’s Risk-Based CAPA webinar. 99% of companies hold off on their training until a procedure is officially released as a controlled document. In my experience, however, these procedures seem to have a lot of revisions made immediately after the initial release. New users ask simple questions that identify sections of procedures that are unclear or were written out of sequence. Therefore, you should always conduct at least one training session with users prior to the final review and approval of a procedure. This will ensure that the final procedure is right the first time, and it will give those users some ownership of the new procedure.

After you train your initial group, and after you make the edits they recommended, ask those trainees to review and edit your changes to the procedure. Sometimes we don’t completely understand what someone is describing, and sometimes maybe only half-listening. Going back to those people to verify that you accurately interpreted their feedback is the most important step for ensuring that users accept your new procedure.

After you approve your new CAPA procedure, make sure everyone in your company is trained on the final version of the procedure. CAPA is a critical process (i.e., “the heart”) in your quality system. Everyone should understand it. You should also provide extra CAPA training for department managers, such as root cause analysis training because they will be responsible for implementing CAPAs assigned to their department. You can use this 7-step process for any procedure, but ensure you use it for the most important process of all—your corrective and preventive action process. Spaz helping with the CAPA video 1024x576 CAPA procedure, How do you improve quality and prevent nonconformity?
Thank you for reading to the end of this article. Spaz and I thank you for your support.

Posted in: CAPA

Leave a Comment (0) →

Risk management policy – Do you have one?

Posted by Rob Packard on May 31, 2022

ISO 14971:2019 includes a requirement for top management to define and document a risk management policy, but do you have one?

Screen capture for POL 005 1024x542 Risk management policy Do you have one?

Your risk management procedure is not your risk management policy

ISO 14971:2019 includes a requirement for a risk management policy and a risk management procedure. The word procedure is defined (Clause 3.13), a “specified way to carry out an activity or a process,” but there is no definition for policy. Both of these words begin with the letter “p,” but they are not the same. There is no guidance for a risk management policy in either of the European device regulations for CE Marking and there is no guidance in the US FDA’s regulations. In fact, there is not even a specific cause of the international risk management standard that is specific to the requirement for a risk management policy. The word “policy” only appears in ISO 14971 seven times, but the last occurrence provides the best explanation:

Appendix A2.4.2 states that “because [ISO 14971] does not define acceptable risk levels, top management is required to establish a policy on how acceptable risks will be determined.”

If someone responsible for risk management activities does not understand this distinction, this shows that risk management training may not be adequate.

Can you have a different policy for each product family?

The purpose of the policy is to establish how the acceptability of risks will be determined. However, not all devices have the same benefit-risk ratio. Therefore, if you have product families with high and low risks, then you should address this in your policy with specific criteria for each device family or create a separate risk management policy for each product family. For example, if your company is focused on designing and developing products for diabetics, you will not have the same benefit-risk profile for a Class 2 glucose reader and lancet for Type 2 diabetics that you have for an automated Class 3 insulin pumps for Type 1 diabetics. In general, separate criteria within one policy are preferred over separate policies to reduce the number of documents that must be managed.

Is there a required format for a risk management policy?

The ISO 14971:2019 standard does not include a specific format or content requirement for your risk management policy. Instead, information about the format and content of a risk management policy is provided in Annex C of ISO/TR 24971:2020. This is a guidance document, and therefore you can choose an alternate approach if you provide a justification for its equivalence. If you choose the approach recommended in Annex C, the following elements should be included:

purpose;
scope;
factors and considerations for determining acceptable risk;
approaches to risk control;
requirements for approval and review.

You can download Medical Device Academy’s template for a risk management policy (POL-005) by completing the form below.

What are the factors for determining acceptable risk?

There are four possible factors to consider when determining your risk management policy:

Applicable regulatory requirements;
Relevant international standards;
State-of-the-Art;
And stakeholder concerns.

An example of regulatory requirements being applied to the determination of acceptable risks is the special controls defined in 21 CFR 880.5730 for insulin pumps. The special controls requirements outlined by the FDA specify design inputs as well as verification and validation requirements. The requirements are also organized into systems that comprise an insulin pump. For the digital interface requirements, the regulation specifies:

secure pairing to external devices;
secure data communication between the pump and connected devices;
sharing of state information between devices;
ensuring the pump continues to operate safely when receiving data that is outside of the boundary limits that are specified as inputs;
a detailed process and procedure for sharing pump interface specifications with connected devices.

The hazard implied by the fourth requirement above is that the pump will stop without warning or deliver the incorrect amount of insulin if the data from a continuous glucose sensor is outside of the input specifications. This design input is then addressed by a software design specification established by your company. To verify that your software risk controls are adequate, you will need to execute a verification protocol that automatically inputs a series of values that are outside of the boundary limits specified. Every time a change is made to the software, these boundary limits will need to be re-verified as part of your automated regression analysis to make sure software changes did not have an unintended effect on the device.

For software and use-related hazards, you will not be able to estimate the probability of occurrence of harm. Therefore, you shall assess the acceptability of risks based upon the severity of harm alone. Risk acceptability criteria shall be recorded in your risk management plan and the criteria shall align with your risk management policy. Ideally, these criteria are based upon international standards. For the example of an interoperable insulin pump, the following international standards are applicable:

ISO 14971, application of risk management to medical devices
IEC 62366-1, application of usability engineering to medical devices
IEC 62304, medical device software – software lifecycle processes

For the state-of-the-art, there are three examples provided in the ISO/TR 24971 guidance for how to this relates to your risk management policy:

“Leakage currents of the medical device are state of the art, demonstrated by compliance to the limits and tests regarding leakage current of IEC 60601-1.
Dose accuracy of the delivery device are state of the art, as demonstrated by compliance to the limits and tests regarding dose accuracy of ISO 11608-1.
Protection against mechanical failure caused by impact is on the same level as or better than a similar medical device, as demonstrated by comparative test such as drop test.”

Stake holder concerns is the fourth factor to consider when creating your risk management policy. Stakeholder concerns may be identified in clinical literature. However, the current trend is an emphasis on patient-reported outcome (PRO) data and post-market surveillance. Post-market surveillance is a requirement in ISO 13485, Clause 8.2.1. However, the new European MDR and IVDR have new requirements for post-market surveillance data in the technical documentation. Health Canada updated the medical device regulations to include post-market surveillance summary reports, and even the FDA is trying to develop methods for using real-world data and real-world evidence to make regulatory decisions.

Approaches to risk acceptability

The European device regulations require that a benefit/risk analysis be conducted for all risks and the overall residual risk of your device. The EU regulations also do not permit risk acceptability to consider economic impact. The EU regulations also require that risks are reduced as far as possible. Therefore, if your company is seeking CE Marking, there is only one acceptable approach suggested in ISO/TR 24971, Annex C.2: “reducing risk as far as possible without adversely affecting the benefit-risk ratio.” This is also the approach specified in our risk management procedure (SYS-010).

Requirements for review and approval of the risk policy

Requirements for approval and review of the risk management policy should be specified in the policy itself. This should specify who needs to approve that the policy is acceptable and how often the policy needs to be reviewed. Section 4.2.2 of ISO 14971 also requires that top management review the risk management process for its effectiveness. In general, we recommend that this review of the risk management process be incorporated into the management review process. Therefore, we also believe that this would be the ideal time to review the risk management policy. Generally, this is more frequently than is typically required, but if your risk management process is being reviewed for effectiveness then you have all of the necessary inputs available to review the policy as well.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (0) →

What is a CAPA Board? and Do you need one?

Posted by Rob Packard on May 24, 2022

A CAPA Board is a team responsible for making sure that all CAPAs are completed on time and the actions taken are effective.

Many of the medical device companies we work with have to open a CAPA for their CAPA process because they fail to implement all the actions that were planned, they fail to implement corrective actions as scheduled, or the actions implemented fail to be effective. When we investigate any process, we typically see one of five common root causes:

top management is not committed to the CAPA process (we can’t fix this)
procedures and/or forms are inadequate
people responsible do not have sufficient training
management oversight of the process is neglected
there are not enough resources to do the work

Creating a CAPA Board can address four of these potential root causes, but the CAPA Board needs to understand how to work effectively.

Creating a CAPA Board shows a commitment to quality

Sometimes top management only pays lip service to quality. Top management’s actions demonstrate that quality is a cost-center, and they do not view quality as contributing to the revenue of the company. Instead, quality is viewed as a “necessary evil” like death and taxes. If this describes your company, sharpen your resume and find a new job. Quality is essential to selling medical devices and quality is the responsibility of everyone in the company. The Management Representative is responsible for “ensuring promotion and awareness” (see Clause 5.5.2c of ISO 13485) of regulatory and quality system requirements. This person should be training others on how to implement best practices in quality system management. One person or one department should never be expected to do most of the work related to the quality system.

A CAPA Board should be a cross-functional team of managers that help each other maintain an effective CAPA process. This means: 1) corrections are completed on time, 2) corrective and preventive actions are completed on time, and 3) each CAPA is effective. In order to do this consistently, the CAPA Board needs to work together as a team on the CAPA process. The CAPA Board doesn’t look for someone to blame. Instead, the CAPA Board rotates their responsibilities regularly, everyone is cross-trained on the roles within the CAPA Board, and the team passes tasks from one person or department that is overloaded to another person or department that has the resources to complete the tasks effectively and on time. A professional team must anticipate holes in task coverage, and someone on the team needs to communicate to the rest of the team which hole they are addressing. You can’t wait until the coverage gap is obvious and then have everyone jump into action. If you do this, your effectiveness will resemble a soccer team of 9-year-olds.

Is your CAPA procedure the root cause?

In most companies, the problem is not the CAPA procedure. Clauses 8.5.2 and 8.5.3 of ISO 13485 are quite specific about each step of the CAPA process, and therefore it is easy to write a procedure that includes all of the required elements. The CAPA procedure is also one of the first procedures that auditors and inspectors review, and therefore any deficiencies in your procedure are usually addressed after one or two audits. If you feel that your CAPA procedure needs improvement, the above link explains how to write a better CAPA procedure. You might also consider asking everyone that is responsible for the CAPA process to provide suggestions on how to improve your procedure to streamline the process and clarify the instructions. The best approach is to have a small group (i.e. 3 to 5 people) of middle-level managers, from different departments, assigned to a CAPA Board with the responsibility of improving the CAPA process and procedure. If you have a large company, you might consider rotating people through the CAPA Board each quarter instead of having a larger group.

Does your CAPA Board have sufficient training?

Everyone can benefit from more training–even instructors will periodically engage in refresher training. Before someone is assigned to work on a CAPA, that person needs to be trained. Nobody should be assigned to a CAPA Board unless they are prepared to become an expert in the CAPA process. Some companies will only require people to sign a training record that states they read and understood the CAPA procedure. However, you must also demonstrate that your training was effective and the person is competent at the task assigned. Therefore, we recommend training people on CAPAs by training them with a CAPA training webinar and evaluating the effectiveness of the training by having each person complete a quiz. The use of a training webinar will ensure that each employee receives the same training, and the quiz will provide objective evidence that they understood the training (i.e. it was effective). If you have a CAPA Board, each person on the board should be involved in your CAPA training, and it is their responsibility to make sure people in their department have been trained effectively.

Competency is the hardest thing to demonstrate for any task. You can do this by verifying that the person has performed this task in one or more prior jobs (e.g. resume). If the person does not have evidence of working on CAPAs in their previous employment, then you will need someone that is already competent in the CAPA process to observe each person completing CAPAs and providing feedback. Once each person has demonstrated successful completion of multiple CAPAs, then the expert can attest to their competency in a training record with references to each of the successful CAPAs that were completed. If you are the person assigning a CAPA or individual tasks to people, do not assign the role of investigation, or writing the CAPA, to anyone that has not already demonstrated competency unless you are assessing them for competency. Everyone on the CAPA Board should either already be competent in the CAPA process or another expert on the CAPA Board should be in the process of training them to become a CAPA expert.

CAPA Boards are responsible for management oversight of the CAPA process

The most common method for management oversight of the CAPA process is to discuss the status of CAPAs at a Management Review. This information can be presented by the Management Representative, but assigning the presentation of CAPA status to another person on your CAPA Board will delegate some of the Management Review tasks and gives other people practice at presenting to a group. Some companies only conduct a Management Review once per year, but this makes it impossible to review CAPAs that were initiated immediately after a Management Review unless the CAPA takes more than a year to implement. Even if your company conducts quarterly Management Reviews, the review of CAPA status during a Management Review should focus on the most important issues rather than discuss every CAPA in detail. The impact on safety, the impact on product performance, and the economic impact of a specific CAPA are all criteria for deciding which CAPAs to discuss during a Management Review.

The CAPA Board needs a metric or metrics for monitoring the effectiveness of the CAPA process. The simplest metric is to monitor the average aging of CAPAs. If that average is steadily rising week after week, then new CAPAs are not being initiated, and existing CAPAs are not being closed. You can also measure the time to write a CAPA plan and the time to perform an investigation or monitor the on-time completion of tasks. The most important thing is for someone to take action when these metrics are not aligned with your quality objectives for the CAPA process. Taking action after 90 days of neglect is not good enough. You need to be monitoring the CAPA process weekly, and you need to take action proactively. Therefore, your CAPA Board needs to meet weekly and you need to show evidence in your CAPA records of what actions were taken by the CAPA Board.

Who should be assigned to the CAPA Board?

Top management does not need to be directly involved in the CAPA Board. Top management already reviews the status of CAPAs during Management Reviews. In a small company (i.e. < 20 people) you might have no choice but to have the same people that are assigned to your CAPA Board also be members of top management. As your company gets larger, you should assign middle-level managers and people that are new to management as members of the CAPA Board. Participating in the CAPA Board will teach those managers to work together as a team to achieve shared company goals and to persuade their peers to help them. The experience of working on a CAPA Board will also expose less experienced managers to other departments outside of their expertise. Ideally, participation in the CAPA Board will build friendships between peers that might not speak to one another. Each CAPA represents a team-building opportunity. The team needs to find a way to pool its resources to complete CAPAs on time and effectively. It is also important to rotate the assignment to the CAPA Board so that eventually all of your middle-level managers are trained in the CAPA process and each of them has been evaluated on their demonstration of team leadership and effectiveness in working with peers cooperatively. In large companies, it is common to assign one member of top management to the CAPA Board to show that top management is supportive of the CAPA process and to provide authorization for additional resources and funding for actions when needed. The top management representative should also be rotated to make sure that all of the top management remains competent in the CAPA process.

How does the CAPA Board manage the CAPA process?

The CAPA Board should never be blaming an individual or department for the lack of CAPA success. The CAPA Board should be anticipating when a CAPA is falling behind schedule or might not be as effective as it should be. Nobody on the team should be afraid to voice their opinion or to make a suggestion. Each member of the team has the responsibility of asking for help when they need it and asking for help as early as possible. The CAPA assignments should be shared between the team members, and one person should be responsible for chairing the meetings. If everyone is experienced in participating in CAPA Boards, then the role of the chairperson can be rotated each week. If one or more team members are inexperienced, the person on the CAPA Board assigned to training them should be teaching them how to participate in the meetings and prepare them for acting as chairperson.

Every CAPA Board meeting should have a planned agenda and meeting minutes. Every open CAPA should be discussed during the meeting, but the amount of time devoted to each CAPA should be adjusted for the risk of the CAPA failing to be completed on time or failing to be effective. If a CAPA is going smoothly, the discussion might only last seconds. Any discussion or actions planned that are specific to a CAPA should be documented in the individual CAPA record as well as the meeting minutes. This will ensure that the CAPA records are maintained as required by the ISO 13485 standard and the regulations.

Posted in: CAPA

Leave a Comment (0) →

Page 2 of 29 123 4 5...»