Unique Device Identifier Final Rule-FAQs-Part II

Screen Shot 2014 04 03 at 10.24.33 PM Unique Device Identifier Final Rule FAQs Part II

Did you know that September 24, 2014, is the first UDI DEADLINE for Class III devices, Stand-Alone Software, and devices licensed under the PHS Act? 

Who is an Issuing Agency?

FDA has accredited three (3) agencies for the operation of a system to issue unique device identifiers. They are GS1 (www.gs1.org), Health Industry Business Communications Council (HIBCC) (www.hibcc.org), and International Council for Commonality in Blood Bank Automation (ICCBBA) (www.iccbba.org).  GS1 and HIBCC are for medical devices, while ICCBBA is for medical products of human origin that are regulated as medical devices.

We sell single-use devices; do we need to label these products?

A UDI does not need to be placed on each single-use device (i.e., primary packaging). Instead, the UDI is to be placed on the secondary packaging (e.g., outer box). For example, exam gloves. The UDI label goes on the box, not each glove. This rule requires the package:

  • Have a single version or model
  • Be distributed together in a single device package
  • Are intended to stored in that device packaging, and
  • Are not intended for individual sale

Placement of the UDI on the secondary packaging for single-use devices does not apply to implanted devices. While implants are technically “single-use” devices, implants (defined as devices placed in the body for 30 days or longer) must have a UDI on the primary packaging.  Federal Register – Single-use Devices

I understand there are implementation deadlines; what are they?

There are several deadlines related to this new regulation based on device Class. For example, Class III devices, Stand-Alone Software, and devices licensed under the PHS Act must be “compliant” and have a UDI on its package label, and information submitted to the Global UDI Database (GUDID) by September 24, 2014. There is an opportunity to file for a 1-year extension for these classes of devices under §801.55. The deadline for filing this extension is June 23, 2014.

Other implementation deadlines are (includes submitting data to GUDID):

September 24, 2015,           Implantable, Life-Sustaining & Life Supporting Devices

September 24, 2016            Class II devices and Stand-Alone Software

Class III devices intended to be used more than once and reprocessed between uses must be directly marked with UDI

September 24, 2018            Class I devices and Stand-Alone Software

Devices not classified into Class I, II or III

Class II devices intended to be used more than once and reprocessed between uses must be directly marked with UDI

September 24, 2020            Class I devices, and devices that have not been classified as Class I, II or III, intended to be used more than once, and reprocessed between uses, must be directly marked with UDI

On-hand inventory labeled before the deadline does not need to be relabeled with a UDI for up to three (3) years past the deadline. FDA considers consignment inventory to fall under this rule. This requires that you track consignment inventory, as well as ensure the inventory is used before this three-year exception expiring. Federal Register – Implementation Dates

Our device is packaged one unit per package; do we need to label the device itself?

This is a “unit of use” issue. If you sell ten individually packaged devices ONLY in an outer pack, the individual devices do not require a UDI. Generally, labeling the outer pack with the UDI is sufficient. This assumes the device is stored and used that way.

I heard the information on our devices needs to be submitted to a “database.” Please explain?

UDI has been implemented to facilitate postmarket surveillance activities, including the identification of medical devices through its distribution and use. FDA believed a significant part of this was the ability for healthcare professionals and users to “search” a database to locate information about devices. This resulted in the creation of the Global Unique Device Identification Database (GUDID) system, which is a repository for 60-plus attributes for each Device Identifier and its corresponding Labeler information.  Federal Register – GUDID Information

How do we submit data to the Global UDI Database?

There are two standard-based methods to submit date to the Global UDI Database (GUDID) – structured input via an FDA web interface, or using the Health Level 7 Structured Product Labeling (HL7 SPL) process. HL7 SPL is in XML format and uses the FDA electronic submission gateway as the pathway to input data into GUDID. To submit data to GUDID, you first need to request a GUDID user account from the FDA. Data is submitted one record at a time for both methods. There is no batch process.  Federal Register – GUDID Submission

What additional information needs to be printed on a label under this new rule?

Medical devices must also follow labeling requirements detailed in Title 21, Subchapter H, §801, in addition to the new requirements per the UDI rule. Required information printed on the labels is also dictated by other regulatory agencies, such as the EU. Specifically, the UDI regulation requires a UDI be printed in easy-to-read plain text, and an Automatic Identification and Data Capture (AIDC) format and placed on the device label. The AIDC format is dictated by the format of the issuing agency you have chosen. The other label element FDA requires is the date format when a date is used on a label. The date format is YYYY-MM-DD, and a day must always be used.  Federal Register – UDI Format

When do I need a new Device Identifier?

A new UDI is required when there is a change to a version or model. If you are calling the device a new version or model, and the users think the same, then it is a new device and requires a new Device Identifier (DI) and label changes. If the number of units in a device package changes – for instance, going from 5 to 10, then a new DI is required. This aspect often confuses people, as they think it has to do with changes in package artwork.  Federal Register – New UDIs

Need More Information on how to design and implement a compliance plan for the Unique Device Identifier Rule? 

FDA UDI Regulation on Medical Device Labelers is a complimentary webinar and PowerPoint training. To access – CLICK HERE

Are MEDDEVs Required or Optional for CE Marking of Medical Devices?

Excuse me. Are you sure this MEDDEV is required Are MEDDEVs Required or Optional for CE Marking of Medical Devices?This blog answers the question of whether compliance with MEDDEV guidance documents is required or optional for CE marking of medical devices.

MEDDEVs are guidance documents (http://bit.ly/Whats-a-MEDDEV) written by competent authorities—not law. As it states on the Europa website (http://bit.ly/MEDDEV), “The guidelines are not legally binding.” However, the Competent Authorities (http://bit.ly/ContactPoints) take an active role in developing these guidance documents. Therefore, enforcement of the guidance documents by Notified Bodies depends upon which competent authorities helped to develop the specific MEDDEV. MHRA. For example, is the competent authority for the United Kingdom (UK). MHRA has taken an active role in developing many of the MEDDEVs. Therefore any manufacturer that uses a Notified Body in the UK is more likely to consider the MEDDEVs that MHRA helped create to be “required” rather than “recommended”. The following Notified Bodies are under the jurisdiction of MHRA, but each member states’ competent authority has Notified Bodies that could be affected, including:

British Standards Institute (BSI) – NB # 0086
Lloyd’s Register Quality Assurance (LRQA) – NB # 0088
SGS United Kingdom Limited (SGS) – NB # 0120
AMTAC Certification Services – NB # 0473
UL International (UK) LTD – NB # 0843

There are 32 MEDDEVs divided into 15 categories. The most recent revision to a MEDDEV was in January 2013 when MEDDEV 2.12/1, Medical Device Vigilance System, was updated. This particular MEDDEV is the European equivalent to 21 CFR 803 for Medical Device Reporting, but reporting of adverse events is called “vigilance” in the EU. It is essential to keep current with changes to MEDDEVs (http://bit.ly/New-Revised-EU-Regulations) because Competent Authorities require vigilance reporting using the most current version of the MEDDEV form. In the case of the vigilance MEDDEV, the guidance is de facto law. However, the French Competent Authority recently indicated that trend reporting requirements will be required in the future for high-risk devices, and the French Competent Authority refused to accept the form associated with MEDDEV 2.12/1. Instead, France has its form that is preferred for vigilance submissions.

MEDDEV Enforcement

Other MEDDEVs are not as consistently enforced. For example, MEDDEV 2.5/10 (http://bit.ly/ECREPMEDDEV) provides guidance with regard to the roles and responsibilities of European Authorized Representatives. In some cases, Competent Authorities audit Authorized Representatives for compliance with this MEDDEV. Notified Bodies are also auditing agreements between manufacturers and Authorized Representatives. Unfortunately, many manufacturers still rely upon European distributors that are not compliant with MEDDEV 2.5/10, and Notified Body auditors are merely verifying that an Authorized Representative agreement exists.

Another example of inconsistencies between Notified Bodies is demonstrated by how MEDDEV 2.7/1 (http://bit.ly/ER6aMEDDEV) is enforced. This document guides manufacturers on how to perform clinical evaluations. Some Notified Bodies, especially the Notified Bodies under MHRA’s jurisdiction (see the list above), are systematically reviewing the content of clinical evaluations against the MEDDEV guidance. However, other Notified Bodies continue to verify only that a clinical evaluation exists. Differences between Notified Bodies in how they enforce this MEDDEV is less pronounced for Class III devices, where clinical studies are expected. However, this may be due to the lack of clinical expertise at some Notified Bodies.

The European Commission began a pilot program in 2013 for conducting joint audits by Competent Authorities of Notified Bodies to ensure that there is consistency between the Notified Bodies, and how the Competent Authorities enforce regulations (http://bit.ly/Europa-press-release-24-9-2013). Some of the other changes, such as conducting unannounced audits of manufacturers and their supply chains, are being implemented this year (http://bit.ly/Unannounced-Audits).

Due to the ongoing debate between the European Council and the European Parliament over the draft of the proposed European Medical Device Regulations (http://bitly.com/EMDR-Frankenstein), the issuance of new and revised MEDDEVs has essentially stopped. When the European Medical Device Regulations (EMDR) are finally approved, the medical device industry can expect to see the content of the MEDDEV guidance documents to be superseded by new requirements in the EMDR.

Unique Device Identifier Final Rule-FAQs-Part I

Screen Shot 2014 04 03 at 10.23.51 PM Unique Device Identifier Final Rule FAQs Part IThis blog,Unique Device Identifier Final Rule-FAQs-Part 1,” answers questions, such as, what is a UDI? Who is responsible for applying the UDI label? Etc. 

What is a “UDI?”

The Unique Device Identifier (UDI) adequately identifies a device throughout the supply chain and while in use. It is constructed of two main sections – a device identifier and a production identifier. The device identifier is comprised of a permanently assigned product code (model or version) and a labeler identification code. The production identifier is a dynamic component and made up of a lot number, serial number, manufacturing date, expiration date, etc. The device identifier and production identifier together make up the UDI.  Federal Register – Unique Device Identifier definition

Who is responsible for applying the UDI label? 

FDA has defined the “Labeler” to be the entity responsible for applying the UDI label. This entity may or may not be the actual manufacturer. The Labeler is defined as the entity that causes a label to be secured to a device and who places the device into commercial distribution with the expectation the label will not be replaced or modified in any way. Additionally, should an entity replace or substantially modify the original label, and then place the device into commercial distribution with the expectation the label will not be replaced or modified in any way is also a Labeler. Distributors who simply add their name and address to the package are not defined as a Labeler under this definition. 

Private label devices present a situation where the actual manufacturer or brand name holder can be the Labeler. This would be a business decision between the manufacturer and the brand name holder. The Labeler may also be the specification developer, a single-use device reprocessor, a convenience kit assembler, a repackager, or a relabeler.  Federal Register – Labeler definition

What does a “standardized” date format mean? 

FDA has decided for all human-readable dates (manufacturing date, expiration date, etc.) printed on labels must follow a YYYY-MM-DD format. The DAY is an absolute requirement. For example, March 31, 2014, must be presented as 2014-03-31. This requirement applies to ALL medical device classes that use a date on their label. Federal Register – Date format definition

I have kits that are comprised of several devices; how does this rule apply to me?

There are many types of kits. Kits can be made up of one or more medical devices, packaged together with one or more combination products, drugs, or biologics, to expedite a single surgical or medical procedure. §801.30(a)(11) states when a device is packaged within the “immediate container of a combination product or convenience kit, the label of the device will not be required to bear a UDI,” as long as the label on the kit has a UDI. Should your kit have a National Drug Code (NDC) number on its label, it does not also need to have a UDI.  §801.30(b)(3) clearly states devices that are included in a combination product with an NDC number on its label and does not have a UDI; the device components must bear a UDI on its label. Federal Register – Kits Exemption

What does reprocessing mean? 

FDA uses the term “reprocessing” in conjunction with a direct marking of a unique device identifier. Devices intended to be used more than once must have the UDI permanently marked directly on the device (with a few exceptions), and will be reprocessed between each use. However, the FDA has not yet defined what “reprocessing” means. I have asked FDA this question, with their response being they will “shortly” issue additional guidance on this matter. When they do, I will let you know via this blog. Until they do, use the following definition of “reprocessing” – clean, clean plus disinfected, or clean plus sterilized. Federal Register – Direct Marking and Device Reprocessing

We sell software that is considered a medical device; how do I label these devices?

Stand-Alone Software (SAS) regulated as a medical device must also have a UDI. SAS that is downloaded from the web and/or sold packaged must use the version number (as the lot number) in its production identifier. The full version of the UDI must be displayed in easy-to-read plain text, following the rules of the issuing agency you have selected, on the start-up screen and/or a menu command screen, such as the “About” screen. The UDI on the SAS packaged form may have the same device identifier. Federal Register – Stand-Alone Software

What is a device package? 

A device package is a package that contains a fixed number of a specific version or model of a device. The use of this term has often confused people who think it has something to do with the package design. Federal Register – Device Package definition

Do I need to label our shipping containers? 

A shipping container, for this regulation, is defined as a container used to ship or transport devices in which the items within may change from one shipment to another. The rule does not require a UDI label for any shipping container. Federal Register – Shipping Container

Complaint Handling and Medical Device Reporting Common Mistakes

complaints Complaint Handling and Medical Device Reporting Common MistakesThis blog, “Complaint Handling and Medical Device Reporting Common Mistakes,” reviews complaint investigations, MDR procedures, and adverse event reporting.  

You should already be well aware that deficiencies in complaint handling and Medical Device Reporting are two of the most common reasons why the FDA issues 483 inspection observations and Warning Letters (http://bit.ly/FY2013-483-Data-Analysis). Recently, I posted a blog about “Where to Focus your Medical Device Complaint Handling Training (http://bit.ly/Complaint-Training). The following is a summary of my responses to reader questions.

Complaint Investigations

What criteria do you think should be used to determine whether a complaint should be investigated or not?

There is only one acceptable rationale for not conducting an investigation of a complaint. If you don’t investigate complaints when required, then you might receive an FDA Form 483 observation worded like this…

21 CFR 820.198(c) – Complaints involving the possible failure of labeling to meet any of its specifications were not investigated where necessary. Specifically, a missing IFU was reported in customer complaints, but no investigation was conducted. The rationale documented in the complaint record was “the missing IFU presented no patient risk.”

A missing IFU is “failure of labeling to meet any of its specifications.” Therefore, 21 CFR 820.198(c) requires you to conduct an investigation “unless such investigation has already been performed for a similar complaint, and another investigation is not necessary.” This is the only rationale that is acceptable for skipping your investigation. To ensure that no one forgets to investigate a complaint, make sure you include a space in your complaint handling form that is specifically labeled as “Summary of Complaint Investigation.” This space should also include an option to cross-reference to a previous complaint record where a similar investigation is already documented.

A missing IFU is also considered a misbranded product that requires correction (e.g., sending the customer a replacement IFU) or removal (i.e., recall). The FDA expects a Health and Hazard Evaluation (HHE) form to be included in your recall records (http://bit.ly/HHE-Form), and the HHE should indicate the potential risk of a “delay in treatment.” This is the FDA’s conclusion in their evaluation of risk, and therefore your HHE must identify a delay in treatment is a patient risk too. The FDA also expects a CAPA to be initiated to prevent the recurrence of this type of labeling error. You can make a “risk-based” determination that reporting a specific recall to the FDA is not required as per 21 CFR 806.20. However, you need to maintain records of your determination not to report a recall. If you already received a Warning Letter, you should err on the side of reporting anyway.

Note: References to “recall” in the above paragraph are meant to include field corrections.

Intended Use

If a complaint consists of a medical device being used for something other than its intended use, is an MDR required for this user error?

The answer is yes. If you don’t report adverse events involving “user error,” then you might receive an FDA Form 483 observation worded like this…

21 CFR 803.17(a)(1) – The written MDR procedure does not include an internal system which provides for the timely and effective evaluation of events that may be subject to medical device reporting requirements.  Specifically, several incidents where a death or serious injury occurred were “caused by a user error,” and the procedure did not identify this as an event requiring Medical Device Reporting.

In 21 CFR 803.3 (http://bit.ly/21CFR803-3), the FDA defines “caused or contributed” to include events occurring as a result of:

  1. Failure
  2. Malfunction
  3. Improper or inadequate design
  4. Manufacture
  5. Labeling, or
  6. User error

It is important to understand that the definition of complaints and the requirement to report adverse events should not be “risk-based.” The need for remediation and the need to report corrections and removals can be “risk-based,” but whether something is a complaint, and whether it is reportable should be “black-and-white.” For example, “Did the death or serious injury occur due to auser error’-including use other than the intended use?” If the answer is yes, then it is a complaint and reportable.

Adverse Events

Do incidents that occurred outside the United States need to be reported to FDA?

The answer is yes. If you don’t report adverse events that occur outside the United States, then you might receive an FDA Form 483 observation worded like this…

21 CFR 820.50(a)(1) – An MDR report was not submitted within 30 days of receiving or otherwise becoming aware of information that reasonably suggests that a marketed device may have caused, or contributed to, a death or severe injury. Specifically, several instances were identified where the device caused or contributed to a death or serious injury, and the event was not reported to the Agency. The rationale documented in the complaint record was that the “event occurred outside the United States.”

This type of mistake is most likely due to a lack of training on 21 CFR 803–Medical Device Reporting. Some manufacturers that distribute products internationally are more familiar with the European Vigilance requirements (http://bit.ly/MEDDEV2-12-1rev8). The European Medical Device guidelines indicate in the scope section that “the guidelines are relevant to incidents occurring within the Member States of the European Economic Area (EEA), Switzerland, and Turkey…”.  Therefore, standard industry practice is not to report these events unless the events occurred in Europe.

The FDA Part 803 requirements are worded differently. Part 803 does not indicate that the event had to occur in the United States. By not stating that MDR’s are to be filed for events in the United States only, the FDA expects that manufacturers shall report events occurring outside the U.S. if the devices are “similar” to devices marketed in the U.S. Unfortunately, the FDA’s expectations have not become “Standard Practice” for all manufacturers. Therefore, the FDA is currently circulating new guidance in draft form to clarify this requirement (http://bit.ly/2013-MDR-Draft-Guidance).

If you need help with training on complaint handling or Medical Device Reporting, please download our free webinar: (http://bit.ly/chvg_mda).

Stage 2 audit preparation for ISO 13485 certification – Part 2

In this article, you will learn what ISO 13485 stage 2 audit preparation you should complete specific to training records and practice interviews.
ISO Stage 2 Cert Stage 2 audit preparation for ISO 13485 certification   Part 2
Stage 2 Audit Preparation

If you aren’t sure what ISO 13485 is, please visit our two-part training webinar series. During your Stage 1 ISO 13485 Certification audit, the auditor verifies that your company has all 28 procedures required in ISO 13485:2016. During the Stage 2 audit preparation, however, the auditor will be reviewing training records for each employee. A training matrix is one of the best tools for verifying that your training records are completed. First, you create a table of all 28 required procedures in Excel (this is your far left column). Across the top of the table, you need to list each of the employees in your organization. This would be difficult for a large organization, but most companies seeking initial ISO 13485 certification have less than 20 employees. In your training matrix, you need to identify which procedures each employee must be trained on. This is one of the most common ways to identify training requirements, and color-coding the matrix works is helpful.

Once you have defined your training requirements, review and approve this document as a controlled document that you will maintain as the company grows. However, as the company grows, you may convert specific names to job functions. Once the training requirements matrix is reviewed and approved, you should enter the date that training was completed for each employee. This is a more effective check than the “checkbox” approach, and it enables you to verify that everyone was trained since the last revision of any procedure. Now, you have a summary document to prove that 100% of your employees have current training on each of the 28 required procedures.

Interview employees as part of your Stage 2 audit preparation

During the Stage 2 audit, any of the employees could be interviewed by the auditor. As part of your Stage 2 audit preparation, you should interview each employee on your training matrix by asking them the following open-ended questions:

  1. Can you show me where I can find the company’s quality policy?
  2. Please explain how the quality policy is relevant to your job.
  3. Can you show me a copy of the training procedure?
  4. What quality objectives do you or your department monitor?

The first question is typical of auditors. You don’t have to have the policy memorized, but every employee should know where to find it. My favorite location is the back of employee ID badges, but the quality policy needs to be updated periodically. If everyone has the policy on their ID badge, you might consider handing out updated stickers with the revised quality policy when you hand out paychecks. The second question is related to the first, and it verifies that each person understands the importance of their job function as it relates to quality.

The third question is a test to ensure every employee can locate procedures. Don’t help them, because the auditor won’t. After each employee answers the question, make sure you explain the correct answer concerning where the most current version of every procedure is. Redlined copies in a drawer do not exist. The person should also have read each procedure in their training matrix so that they can answer a question. It’s ok to say “I don’t remember,” but they shouldn’t guess.

The fourth question verifies that top management has established quality objectives for all functions and at all levels within the company. Every manager should have at least one quality objective they are tracking, and progress toward the quality objective should be visibly communicated to everyone in the department. Employees, especially managers, should also be aware of where quality objectives for the company as a whole are posted. Ideally, each employee will know how their job function contributes to one or more of these objectives.

Stage 2 audit preparation – How to handle “stage fright”

Anyone can get nervous when they are being interviewed by an auditor–even the most experienced managers. In particular, a large entourage of observers following an auditor can make the situation worse. Therefore, you should anticipate this and discuss this with every employee in your company when you are doing practice interviews. Tell them this is normal, and it’s ok to be nervous. Remind them to take a deep breath to settle their nerves. Assure employees that they will not get in trouble for being nervous, and the company will not fail and audit just because someone has difficulty answering a question. At worst, you will need to initiate a CAPA and do some more training. The best-case scenario for a certification audit is that you will need to initiate a CAPA and do some more training. Either way, the outcome is the same. 

Congratulations on your successful Stage 2 audit preparation

Do not stress everyone out the day before your Stage 2 certification audit. You had six months to prepare, and everyone worked hard to help prepare the company. Now is the time to celebrate with your family. Everyone should go home on time and get a good night’s rest. Positive attitudes and relaxation are as crucial as all the work that has been completed. I learned this lesson the hard way during my first ISO 13485 Certification in 2004. We received certification, but I don’t recommend letting your boss turn purple with rage during the audit–it might be career-limiting.

I have only made the mistake of staying up late the night before on one other occasion–and the client was not recommended for certification at the end of the Stage 2 audit. Fortunately, the auditor was able to schedule a follow-up audit within a few weeks, and we were able to address all the open issues at that time. The client received their ISO 13485 certificate and CE Certificate within three months of starting the project, and the certificates were just in time for an important trade show in Germany.

Additional training resources to prepare for ISO 13485:2016 certification

If you are interested in learning more about ISO Certification, please download Medical Device Academy’s whitepaper and watch our six-part webinar training certification course for ISO 13485:2016 certification preparation.

Stage 2 Audit – How to Prepare (Part 1 of 2)

This blog teaches you how to prepare for a stage 2 audit on your pathway to ISO 13485 certification, and this blog is part 1 of 2.last prep Stage 2 Audit   How to Prepare (Part 1 of 2)

Stage 2 Audit

If you are not sure what ISO 13485 is, please consider our 2-part training webinar on the topic. Health Canada requires ISO 13485 certification as a requirement for all Medical Device License Applications, and most companies choose ISO 13485 certification as their method for demonstrating conformity to the requirements of the European Medical Device Regulations (MDR)–instead of a special MDD audit.

To achieve ISO 13485 certification, you must successfully complete a Stage 1 and Stage 2 certification audit with your chosen certification body. If you are interested in an overview of this certification process, you can download Medical Device Academy’s white paper on this topic, or you can watch a webinar we recorded recently on 6 steps to ISO 13485 Certification.

Management Processes are covered during the Stage 1 and Stage 2 audit

The Stage 1 audit is typically a one-day audit where the auditor is evaluating your readiness for the Stage 2 audit. The auditor will review your Quality Manual, and your procedures (19 are required) to ensure compliance with ISO 13485. Also, the auditor will sample records from critical processes to assess your readiness for the Stage 2 audit. Typically, these processes will be:

  1. Management Review
  2. CAPA
  3. Internal Auditing

After you complete the Stage 1 audit, you may have a few nonconformities identified by the auditor. Responding to these nonconformities is the first step in preparing for your Stage 2 certification audit. You need to initiate a CAPA for each of the auditor’s findings and begin implementation before the Stage 2 audit. Typically, you will have about six weeks to implement these actions. This is not usually enough time to complete your CAPAs because you need more time before you can verify the effectiveness of corrective actions.

Preparing CAPA Records is critical for your Stage 2 audit

In preparation for your Stage 2 audit, prepare for the auditor to review any CAPAs that you completed since the Stage 1 audit–especially if you have evidence of completing an effectiveness check. You may think this is unnecessary because the auditor previously reviewed CAPAs during Stage 1. However, you probably received a nonconformity related to your CAPA process (almost everyone does), and you should expect auditors to review your CAPA process during every audit.

CAPA Effectiveness Graph 300x218 Stage 2 Audit   How to Prepare (Part 1 of 2)Each CAPA record you present should be provided in a separate folder as a paper, hardcopy. The paper, hardcopy makes it easier for the auditor to review. The folder should include documentation of the investigation, a concise statement of the root cause, and copies of records for all corrections and corrective actions implemented. Corrective actions include procedure revisions and training records. If there is a quantitative measurement of effectiveness, include a graph of current progress with the record. Ideally, the graph will be one of your quality objectives. The graph to the right is an example.

Production Process Controls will get the auditor out of the conference room 

Every company has at least some production and process controls implemented before the Stage 2 certification audit. Most auditors and inspectors spend too much time in conference rooms reviewing paperwork and too little time interviewing people that are performing work. However, many companies also outsource production activities. Therefore, unless you have a software product, you can expect your auditor to review incoming inspection activities. The auditor is also likely to review the finished device inspection, storage, and distribution. If the auditor is thorough, they will also follow the trail from inspection activities to calibration activities, nonconforming materials, and data analysis.

Design Controls

If your company is a contract manufacturer, then you probably are excluding design controls (ISO 13485, Section 7.3) from the scope of your Quality System. However, if you are a manufacturer that performs design and development, then it is an element of the quality system that warrants special attention. During the Stage 1 certification audit, the auditor reviewed only your Design Control procedure. During Stage 2, the auditor will look for evidence of implementing design controls. Therefore, even if your company has not completed your first design project, the auditor will still want to see some evidence of implementation. The auditor will expect at least one design plan to be written, and at least one design review should be completed.

If you are familiar with the FDA Quality System Inspection Technique (QSIT) process for inspection, you might have noticed that this blog is divided into the same subsections identified in the QSIT Manual.

21 CFR 820.80: 3 Ways to Record Inspection Results

6 inch caliper 21 CFR 820.80: 3 Ways to Record Inspection ResultsThis blog reviews the FDA requirements within 21 CFR 820.80 for recording acceptance of a product, including three suggestions for streamlined, value-added inspection. 

If you are inspecting a lot of material at incoming inspection, and the inspection plan calls for inspecting ten samples for length, what is the best way to record the results?

The person that sent me this question also provided three options (read on for better suggestions from Medical Device Academy):

  1. Record the maximum and minimum dimensions
  2. Record all ten measurements in a data collection table
  3. Circle “pass” or “fail” next to each sample number

21 CFR 820.80 Requirements

The first method fails to meet the requirement as specified in 21 CFR 820.80(b) (http://bit.ly/21CFR820-80) because recording only the maximum and minimum dimensions of the ten samples do not include the inspection results for the eight samples in between the extremes. The second method meets the requirements, but this method takes the most amount of time. The third method appears to meet the requirements. However, if you read the FDA requirements more carefully, 21 CFR 802.80(e)(3) states that “[Inspection] records shall include…the results.” If the test method is pass/fail, circling pass or fail makes sense, but if the test is a measurement of a dimension, then the result should be a measurement. Also, if you have to perform an investigation for a complaint or non-conforming product, then this dimensional information might be critical to the analysis.

The FDA has provided an official interpretation of these requirements in the preamble: http://bit.ly/QSR-preamble. “Comment # 147: One comment stated that recordkeeping is a significant cost factor in the operation of a total quality system and that the revised CGMP regulation should not add cost through duplication of documentation. The comment said recording all quantitative data is inappropriate and of little value.

FDA agrees that unnecessary duplication of documentation should be avoided. They also believe that the Quality System Regulation requires the minimum documentation necessary to ensure that safe and effective devices are designed and produced. FDA similarly believes that maintaining records of results of acceptance activities is imperative to ensure that non-conforming product is not inadvertently used or distributed. FDA has, however, deleted from Sec. 820.80(a) the requirement for recording the results of inspections and testing, because Sec. 820.80(e) requires that the results of acceptance activities be recorded. The requirement in Sec. 820.80(a) was, therefore, unnecessary. Further, the regulation does not specify quantitative data, but simply requires that the results be recorded.

The FDA believes that it is essential for the manufacturer to maintain records which provide evidence that required acceptance activities were completed. These records must clearly show whether the product has passed or failed the acceptance activities according to the defined acceptance criteria. If a product fails to pass acceptance activities, you must identify the product as a non-conforming product and conduct an investigation. If the acceptance records are not clear about how the product failed, then the manufacturer may end up duplicating the acceptance to perform appropriate investigations.

Here are three other methods that can save you time and add value.

Method 1: Run Charts

If you create an inspection form that is in the form of a “Run Chart,” then you can put an “X” on the appropriate location of the Run Chart for each sample (see Chart 1 below). It is less time consuming to write an “X” than the actual value. However, if you need to conduct an investigation, you can convert the “X” into a quantitative number and enter the values into a spreadsheet or statistical analysis software (e.g., Minitab). Also, inspectors and supervisors can visually glance at a Run Chart and determine if the measurement is “in control” or “out of control.” This is done by marking the upper and lower specifications on the Run Chart. Over time, alert limits can be established as a preventive action, as well. You can also use this data as a rationale for eliminating certain inspections, reducing sampling, qualifying suppliers, and even converting a part from statistical sampling to a “dock-to-stock” inspection.

Chart 1 for Inspection Blog 21 CFR 820.80: 3 Ways to Record Inspection Results

One disadvantage of Method 1 is that it takes time to create inspection forms, and the forms need to be maintained as a controlled document, with the drawings for each part–as paper records or electronically. Therefore, I recommend that companies create a quality plan that calls for creating one of these charts every time an NCR is initiated for a part. That way, you only are creating this type of chart for parts that are found to be out of specification. This approach allows you to implement the work over a reasonable period of time.  You can also get into the habit of automatically reviewing historical data when you have an NCR that does not already have a Run Chart created.

Method 2: Automation

If you have critical inspection activities and a high volume of parts to inspect, you may want to automate the process of recording measurements and performing data analysis. This can be done by purchasing digital inspection devices with the ability to automatically send the values to a computer system. Devices with this capability only require pressing a button to record the value, and the computer system will often provide the inspector with the sampling plan for each lot automatically. These are sophisticated software systems that require validation, but this gives manufacturers extensive real-time data on supplier performance, in-process inspection, and final acceptance of the product. The primary disadvantage of this method is the cost of installation and set-up.

Method 3: Pass/Fail with Go/No-Go Gauges

If a supplier is capable of making good parts with a high degree of certainty, you may not need routine monitoring of part dimensions. In this case, you can reduce your inspection time by using a “go/no-go” gauge for critical attributes instead of measuring the dimensions. This type of gauge would be ideal if the tolerance for a part with a tolerance of +/- 3 mm. The length of a part can be verified to be between two lines, representing the upper and lower specification for the tolerance. This method can also be used for precise tolerance if magnification is used. Still, it is recommended to perform a gauge R&R study of any go/no-go gauge for parts with known dimensions (both conforming and non-conforming products). If this type of inspection is used, you can use an inspection record that only records pass/fail. This inspection method is not recommended, however, for parts that occasionally are out of conformity, because re-measurement of parts will be necessary as part of the investigation of non-conforming product.

Statistical Techniques

The biggest advantage of method one and method 2 is that they facilitate conducting a statistical analysis of data. Chart 1 shows that there is too much variation for the tolerance of 6.50 mm to 6.60 mm. Some companies qualify suppliers for a new part by establishing a threshold for a minimum Cpk value (i.e., process capability coefficient). A typical Cpk minimum is 1.33. Often the company will require that the supplier provide the data for 100% inspection of the initial production lot. This data is then used to create a sampling plan based on the likelihood of parts being out-of-specification. High-risk dimensions might require 99.5% confidence; medium risk dimensions might require 99% confidence, and lower risk dimensions might require 95% confidence. Each confidence level corresponds to a different Cpk value. It is not possible to do this type of analysis for Method 3.

Where to Focus Your Medical Device Complaint Handling Training

%name Where to Focus Your Medical Device Complaint Handling Training

Medical Device Academy performed data analysis of FDA 483s for 2013 and identified four areas of focus for your medical device complaint handling training. 

One of the challenges of creating a strong training curriculum is the need for practical examples. This is why there are lots of stories about real-life companies and products in every Medical Device Academy training event. We learn more from our painful mistakes than we do from our success stories. When you recall a product, report deaths involving a product your company made, or if you receive a Warning Letter—these are events that we will never forget.

Medical Device Academy recently posted a blog (http://bit.ly/outsourcing-complaints) about complaint handling, because this is one of the most common areas identified in FDA Form 483s and Warning Letters. Therefore, if you are trying to develop training on the topic of complaint handling (i.e., 21 CFR 820.198), then you should look for examples from your competitor’s mistakes. The following is a list of places you should look:

  1. Past inspection reports issued to your company by the FDA
  2. Any inspection reports or Warning Letters about your competitors that become public
  3. Other Warning Letters that mention complaint handling as an issue

Here’s an example of the type of 483 observation you might find: “Failure to adequately establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit, as required by 21 CFR 820.198(a).”

The example above identifies five different problems with a complaint process:

  1. You need a procedure 
  2. You need to designate a complaint handling unit
  3. You need to define the process for receiving complaints
  4. You need to define the process for reviewing complaints
  5. You need to define the process for evaluating complaints

21 CFR 820.198 is a prescriptive requirement in the regulations. Therefore, you not only need to create a procedure specifically for complaint handling, but you also need to ensure each element of the requirement is satisfied. This is important because FDA inspectors will verify that your procedure includes each element.

Medical Device Academy performed data analysis of FDA inspection reports for FY2013 (http://bit.ly/Form483-FY2013) to identify other common mistakes related to complaint handling. The data analysis of FDA inspection reports for FY2013 identified that there are 15 individual citations related to complaint handling that the FDA identified using the TURBO EIR System (http://bit.ly/FDA483s). The table below summarizes the frequencies of these 15 sub-sections that were referenced in citations during FY2013 under the complaint handling category: 

483 Where to Focus Your Medical Device Complaint Handling Training

Medical Device Complaint Handling Training: 4 Critical Areas of Focus

The above table identifies several other sub-sections that present problems for companies. Based on the data analysis, your company should also be training your complaint handling unit in the following four critical areas:

  1. Maintaining complaint files
  2. Reviewing and evaluating complaints for the need to perform an investigation
  3. Documenting complaint investigations in your complaint files
  4. Determining whether a complaint is reportable under 21 CFR 803

The fourth area is one of the most important because these complaints involve injury, death, and product malfunction. Therefore, you might consider reviewing the TPLC database (http://bit.ly/FDATPLC) for MDRs. The best data to review is data for the same product codes that your company distributes, but reviewing any MDRs can teach your employees which types of incidents need to be reported. This area will also receive increased scrutiny with the recent changes to 21 CFR Part 803 (http://bit.ly/udpated-21CFR803).

Labeling risk controls – Deviation #7 in EN ISO 14971:2012

Requirements for the Instructions for Use and labeling as labeling risk controls for medical devices in ISO 14971.

Residual Risks Labeling risk controls   Deviation #7 in EN ISO 14971:2012This article reviews the requirements for Instructions for Use and labeling as risk controls in the risk management standard for medical devices: ISO 14971. Specifically, the impact of the seventh deviation identified in the EN ISO 14971 Standard is reviewed. This is the 7th and final blog in our EN ISO 14971:2012 risk management series. If you would like additional, risk management training, we have a training webinar.

Why are labeling risk controls not effective?

Labeling, instructions, and warnings are required for medical devices. Unfortunately, the information provided by manufacturers is not effective at preventing hazardous situations and foreseeable misuse–especially if the user throws the paper leaflet in the garbage 10 seconds after the box is opened. Since the information provided to the user and patients is not effective in preventing harm, the European Commission indicated that this information (i.e. labeling risk controls) should not be attributed to risk reduction.

Labeling risk controls do not quantitatively reduce risks

The European Commission is not suggesting that your company should stop providing directions or warning users of residual risks. This deviation intends to identify incorrect risk estimation procedures. For example, if you are using Failure Mode And Effects Analysis (FMEA), (see Annex G.4 of the risk management standard) to estimate risk for a new product, you should not be listing labeling risk controls as the primary risk control. Clause 6.2 of the ISO 14971 Standard correctly identifies “information for safety” provided by the manufacturer as risk controls. Still, the effectiveness of labeling risk controls is so poor that you should not estimate that the implementation of labeling and IFUs reduces risks.

In Clause 2.15 of the ISO 14971 Standard, residual risk is defined as “risk remaining after risk control measures have been taken.” However, I prefer the following definition, which incorporates the concept of clinical evidence, design validation, and post-market surveillance:

“Residual risks are risks that remain: 1) after implementation of risk controls, 2) when products are used for new indications for use, 3) when products are used for wider user and patient populations, 4) when products are misused, and 5) when products are used for periods of time longer than the duration of pre-market clinical studies.”

The second essential requirement (ER2) states that users shall be informed of residual risks, but the conclusion that “information about residual risks cannot be a risk control” is incorrect. The most important wording in the deviation is “the information given to the users does not reduce the (residual) risk any further.” Failure to reduce risks any further is due to the lack of effectiveness of risk controls. Validation of risk control effectiveness should be performed during design validation, but validation will be limited to a small group of users and patients.

Risk management reports & post-market surveillance planning

In your risk management report, risk control options analysis should be summarized. Instead of evaluating risk acceptability before implementing risk controls, risk controls should be implemented, and any residual risks should be identified. A benefit/risk analysis must be performed for each residual risk and the overall residual risks. If the conclusion is that the benefits of the device outweigh the residual risks, then the device can be commercially released.

At the time of the final design review and commercial release, a Post-Market Surveillance (PMS) plan should be developed that includes an updated risk management plan. The updated risk management plan should specifically address how to estimate residual risks and verify the effectiveness of information provided to users and patients. Verification of risk control effectiveness should be part of the design verification and validation activities, but verification of effectiveness should also be part of ongoing PMS.

To facilitate future updates of your risk management report, you may want to organize risk controls into the following categories (in this order):

  1. Design elements (highly effective)
  2. Materials of construction (highly effective)
  3. Methods of manufacture (highly/moderately effective)
  4. Protective measures & alarms (moderately effective)
  5. Information provided to users & patients (least effective)

Each of the above risk controls will need to be addressed by your PMS plan.

A Gap Analysis Tool for Updating Your Medical Device Reporting Procedure

new 803 A Gap Analysis Tool for Updating Your Medical Device Reporting ProcedureThis blog shows you where to find the new FDA regulation for medical device reporting (http://bit.ly/udpated-21CFR803) and the associated guidance document (http://bit.ly/Part803-Guidance). There is also an explanation of how to perform a gap analysis to compare your procedure for medical device reporting against the new 21 CFR 803 (http://bit.ly/Old-21CFR803).

On January 22, 2014, Medical Device Academy posted a blog about how to create your own FDA medical device regulatory updates: http://bit.ly/4Ways-to-Follow-CDRH. That post identified a number of sources on the FDA website where you can locate information about new and revised FDA regulatory requirements. One suggestion was to register for receiving the RSS feeds from the following page: http://bit.ly/CDRH-news-updates. This page is where the FDA’s Center for Devices and Radiological Health (CDRH – http://bit.ly/FDA-CDRH) posts news and updates.

If you registered for the RSS feed from CDRH, then you received an update on February 13, 2014, announcing the new Part 803 regulation for medical device reporting. This is NOT a cause for alarm. The fundamental change is simple:

Medical device manufacturers will no longer be allowed to submit FDA Form 3500A in paper form. It will need to be submitted electronically through the Electronic Submissions Gateway (ESG) (http://bit.ly/ESG-FDA).

ESG Sign-up

This is just another small step for the FDA to move toward digital records, and to integrate with electronic medical records from healthcare providers. The FDA even created a presentation explaining the process for electronic Medical Device Reporting (eMDR). This 8 minute and 45-second presentation are available on the CDRH Learning page: http://bit.ly/CDRH-Learn. Slide 5 of the FDA’s presentation identifies the six steps for obtaining an account for an ESG:

  1. Get a test account with the ESG
  2. Send a letter to authenticate your digital identity (http://bit.ly/Non-repudiation-Letter)
  3. Get a digital certificate
  4. Contact CDRH (eMDR@fda.hhs.gov)
  5. Test sending an MDR to CDRH
  6. CDRH approves production account with the ESG

I have been recommending that my clients switch from submission of the paper FDA Form 3500A to eMDR since 2010 when this training became available. Now, you have 18 months to switch over to eMDR before the August 14, 2015 deadline for implementation. Alternatively, you can also outsource your eMDR reporting to a  service provider that already has an ESG (http://bit.ly/outsourcing-complaints).

Comparison of Current & New Regulations

The first step in understanding the specific changes to the regulation is to compare the old and new versions. The new Part 803 regulation for MDR was released as a PDF document, and therefore it does not lend itself to a direct comparison with the previous version of the regulation. Therefore, Medical Device Academy downloaded the new regulation (http://bit.ly/udpated-21CFR803), and copied and pasted each section into a Word document. We also did this for the current version (http://bit.ly/Old-21CFR803). Then, we compared the two Word documents electronically. Finally, we wrote a gap analysis to summarize the differences between the two documents. If you would like to download this gap analysis, please visit the following webpage: http://bit.ly/21_cfr_803_gapanalysis.

Gap Analysis of Your Medical Device Reporting Procedure

After you download the gap analysis tool that Medical Device Academy created, then you need to perform your gap analysis of your current MDR procedure against the changes in Part 803. You should create a table with one column identifying the section of the regulations, a second column identifying the section(s) of your current MDR procedure that meets the requirements, and a third column to identify changes that need to be made. You might consider adding additional columns for delegating the responsibility of revising various sections of your procedure, and implementing other tasks listed below (e.g., obtaining an account for ESG).

Next Steps

  1. Download the gap analysis of the new and old versions of 21 CFR 803
  2. Review and update your MDR procedure to address the changes to 21 CFR 803 which are identified in the gap analysis
  3. Apply for an ESG WebTrader account for Low Volume/Single Reports
  4. Revise your training requirements for anyone responsible for MDRs:
    1. Complete all four applicable CDRH online training (http://bit.ly/CDRH-Learn)
    2. Pass a quiz demonstrating training effectiveness (http://bit.ly/TrainingExams)
    3. Review the draft procedure for potential errors or sections that are unclear
    4. Make any final revisions to the procedure based upon feedback from trainees
    5. Implement your revised procedure

If you need help completing the above steps, please contact Medical Device Academy by emailing Rob Packard, or by visiting the webpage for Medical Device Academy’s Complaint Handling and Vigilance group (http://bit.ly/chvg_mda).

Scroll to Top