
Implementing Design Controls – 10 Steps

The article explains ten steps of implementing design controls, including design plans, design inputs, design review, verification protocols, and risk management.

[Figure: FDA waterfall design process diagram]

FDA Guidance for Implementing Design Controls

The diagram above is called the “Application of Design Controls to Waterfall Design Process.” The FDA introduced this diagram in 1997 in the design controls guidance document. However, the original source of the diagram was Health Canada.

This diagram is one of the first slides I use for every design control course that I teach because the diagram visually displays the design controls process. The design controls process, defined by Health Canada and the US FDA, is equivalent to the design and development section found in ISO 13485 and ISO 9001 (i.e., Clause 7.3). Seven sub-clauses comprise the requirements of these ISO Standards:

  • 7.3.1 – Design Planning
  • 7.3.2 – Design Inputs
  • 7.3.3 – Design Outputs
  • 7.3.4 – Design Reviews
  • 7.3.5 – Design Verification
  • 7.3.6 – Design Validation
  • 7.3.7 – Design Changes

In addition to the seven sub-clauses found in these ISO Standards, the FDA Quality System Regulation (QSR) also includes additional requirements in the following sub-sections of 21 CFR 820.30: a) general, h) design transfer, and j) Design History File (DHF).

Implementing Design Controls: A Complex Process

Even though the requirement for Design Controls has been in place for 16 years, there are still far too many design teams that struggle with understanding these requirements. Medical device regulations are complex, but design controls are the most complex process in any quality system. The reason for this is that each of the seven sub-clauses represents a mini-process that is equivalent in complexity to CAPA root cause analysis. Many companies choose to create separate work instructions for each sub-clause.

Medical Device Academy’s training philosophy is to distill processes down to discrete steps that can be absorbed and implemented quickly. We use independent forms to support each step, and develop training courses with practical examples, instead of writing a detailed procedure(s). The approach we teach removes complexity from your design control procedure. Instead, we rely upon the structure of step-by-step forms completed at each stage of the design process.

10 Ways for Implementing Design Controls

1. Design plans are just a plan. You can and should change that plan. This is stated in both Clause 7.3.1 of the ISO Standards, and Section 21 CFR 820.30b of the FDA QSR. You can make your plan as detailed as you need to, but I recommend starting simple and adding detail. Your first version of a design plan should include the following tasks: 

  • Identification of the regulatory pathway based upon the device risk classification and applicable harmonized standards.
  • Development of a risk management plan
  • Approval of your design plan (1st design review) 
  • Initial hazard identification
  • Documentation and approval of design inputs (2nd design review) 
  • Risk control option analysis
  • Reiterative development of the product design
  • Risk analysis 
  • Documentation and approval of design outputs (3rd design review) 
  • Design verification and validation and risk control verification 
  • Clinical evaluation and risk/benefit analysis
  • Development of post-market surveillance plan with a post-market risk management plan
  • Development of a draft Device Master Record (DMR)/TF Index
  • Commercial release (4th and final design review)
  • Regulatory approval and closure of the Design History File (DHF)
  • Review lessons learned and initiate actions to improve the design process 

2. Design inputs need to be requirements verified through the use of a verification protocol. If you identify external standards for each design input, you will have an easier time completing the verification activities, because verification tests will be easier to identify. Medical Device Academy has written more on this topic in a previous blog posting.

3. Design outputs are drawings and specifications. Ensure you keep them updated and control the changes. When you finally approve the design, this is the “design freeze.” 

4. Design reviews should have defined deliverables. I recommend designing a form for documenting the design review, which identifies the deliverables for each design review. The form should also define the minimum required attendees by function. Other design review attendees should be identified as optional—rather than required reviewers and approvers. If your design review process requires too many people, this will have a long-term impact upon review and approval of design changes. 

5. Design verification protocols should be standardized instead of being project-specific. Information regarding traceability to lots, calibrated equipment IDs, and test methods should be included as variables that are entered manually into blank spaces when the protocol is executed. The philosophy behind this approach is to create a protocol once and repeat it forever. This results in a verification process that is consistent and predictable, and it also eliminates the need for review and approval of the protocol for each new project.

6. Design validation should be more than bench testing. Ensure that animal models, simulated anatomical models, finite element analysis, and human clinical studies are considered. 

7. Design transfer is not a single event in time. Transfer begins with the release of your first drawing or specification to purchasing and ends with the commercial release of the product. 

8. Do not keep the DHF open after commercial release. All changes after that point should be under production controls, and changes should be documented in the Device Master Record (DMR)/Technical File (TF).

9. Your DMR Index should perform a dual function of also meeting technical documentation requirements for other countries, such as Canada and Europe.

10. Audit your design control process to identify opportunities for improvement and preventive actions. Audits should include a review of the design process metrics, and you may consider establishing quality objectives for the improvement of the design process. This last step, and the standardization of design verification protocols in step five (5), are discussed in further detail in another blog by Medical Device Academy.

More Information Regarding Implementing Design Controls

If you are interested in design control training, Rob Packard will be teaching a Design Controls Training Webinar on November 2, 2018.

Posted in: Design Control


What Does the CE Mark Mean, and What is its Purpose?

[Figure: CE Marking examples]

The author answers the question of what the CE Mark means and what its purpose is in relation to medical devices and regulatory requirements, if applicable.

To facilitate trade throughout the European Economic Area (EEA), products need to be identified as compliant with regional and national regulations. In the EEA, this identification is the CE Mark. “CE” is not an acronym. The mark indicates compliance of your product with the essential requirements in the applicable directive. In the case of medical devices, there are three directives:

  1. Medical Device Directive, 93/42/EEC (http://bit.ly/M5MDD),
  2. Active Implantable Medical Devices Directive, 90/385/EEC (http://bit.ly/AIMDDirective)
  3. In Vitro Diagnostics Directive, 98/79/EC (http://bit.ly/currentIVDD).

Prior to the existence of these three directives, medical devices were compliant with the regulations of individual member states. These regulations were extremely detailed and created a barrier to the transport of products between the member states. With the implementation of the new approach directive (http://bit.ly/Resolution85), companies were able to CE Mark medical devices in accordance with one of the three device directives, and medical device products began to flow smoothly throughout the EEA.

Notified Body Numbers

The images at the top of this blog posting are examples of CE Marks from two of the largest medical device Notified Bodies. The four-digit numbers identify the Notified Body (NB) that issued the CE Certificate for the medical device. This number is only used for medical devices requiring NB involvement. Therefore, non-sterile Class I medical devices that do not have a measurement function are required only to have the “CE” on their labeling. All other medical devices are required to have the “CE” with the NB four-digit number. If one of the Competent Authorities (CAs), the equivalent to the U.S. FDA in each member state, wants to determine which Notified Body is authorizing the CE Marking of a medical device, the CA will look up the four-digit number in the following NB database (http://bit.ly/NBDatabase).

How to Reproduce the Mark

It is the legal manufacturer’s responsibility to design their labeling with the CE and NB number—if applicable. This labeling is included in the company’s Technical File, and the NB reviews the Technical File for compliance with the essential requirements in one of the three device directives. For medical devices, the instructions for CE Marking are defined in Annex XII of 93/42/EEC. For active implantable devices, the requirements are found in Annex 9 of 90/385/EEC. For in vitro diagnostic devices, the requirements for CE Marking are found in Annex X of Directive 98/79/EC.

These three Annexes are identical and provide a graduated drawing showing the exact proportions of the “C” and “E” relative to one another. These Annexes also state that “The various components of the CE marking must have substantially the same vertical dimension, which may not be less than 5 mm.” You can obtain a free download of the mark on the Europa website (http://bit.ly/DownloadCE).

The four-digit NB number is intended to be the same boldness and font as the “CE” characters. Therefore, NBs have interpreted the requirement to specify numbers that are at least half the height of the “C” and “E”—or at least 2.5 mm. Each NB also provides instructions to legal manufacturers on how to present the CE characters with their four-digit NB number. Usually, there are a couple of different orientations that are allowed by the NB. For small products, it may not be possible to mark the device with a “C” and “E” that is at least 5 mm. Therefore, the directives waive this minimum dimension for small-scale devices. Most companies, however, will place a “C” and “E” on their labeling that is at least 5 mm in height, instead of marking parts with a “CE” that is illegible.

Use and Misuse of CE Marking

Most companies want to use CE Marking on all product labeling, even for products sold outside the EEA, because other countries recognize it and associate it with safety and performance. It is also acceptable to use the “CE” in product literature. However, it is important that it appears next to product images or descriptions that have a valid CE Certificate. It is not acceptable to use the “CE” in a way that it might imply that other products have a CE Certificate when the products do not. It is also not acceptable to use the “CE” in a way that it might imply a corporate entity is “CE Marked.” CE Certificates are for products—not for companies.


Posted in: CE Marking


Risk Classification Process for Health Canada Device Licensing

Author reviews considerations of the risk classification process for Health Canada device licensing, including a review of Health Canada guidance documents.

Last week, I was visiting a client who was told that their device is a higher risk device classification (i.e., Class IV) in Canada than it is in Europe (i.e., Class IIa). Although Canada has its own device classification rules, there are many similarities with European Classifications for CE Marking. A few months ago, I posted a gap analysis (http://bit.ly/gapanalysiscmda) comparing the classification rules in the current MDD (http://bit.ly/M5MDD) to the new classification rules in the proposed European Device Regulations (http://bit.ly/EUProposal). Now, let’s review the Canadian classification rules versus the current European classification rules.

Overview of the European and Canadian Medical Device Classification Rules

There are four European and Canadian medical device classifications. Class I, IIa, IIb, and III are the European classifications, while Class I, II, III, and IV are the Canadian classifications. The Canadian classification rules are located on pages 54-57 of the Canadian Medical Device Regulations (http://bit.ly/FindCMDR).

[Table image: Canadian and European classification rules]

There are 16 risk-based classification rules, with a similar format and organization to the 18 risk-based classification rules in the MDD. Just a glance at the table above reveals that the classification rules for Europe and Canada are similar. However, a closer comparison between the two regulations shows that Rules 1-14 in the CMDR match up with part or all of a corresponding European classification. Only rules 15 and 16 do not have a corresponding European classification rule.

How to Write a Classification Rationale for Health Canada

Two weeks ago, I wrote a blog (http://bit.ly/riskclass) on how to write a classification rationale for CE Marking of Medical Devices. That blog made use of the European guidance document for the classification of medical devices (http://bit.ly/EUClassification). For Canadian Medical Device License Applications, there is a different guidance document (http://bit.ly/CMDRClassificationGuidance). However, if you already have a European device classification, I recommend the following strategy:

  1. Identify the equivalent classification rule in the CMDR
  2. Write a classification rationale using the rule you identified in the CMDR
  3. Send your classification rationale to the Canadian Medical Device Licensing Division for verification (http://bit.ly/CanadianMDL)

If you have any trouble with step 1, you might try doing a keyword search of an electronic version. For example, the word “gases” in rule 2 of Annex IX in the MDD only appears once in the CMDR classification rules—in rule 5. An alternate approach to identifying the classification is to search Health Canada’s MDALL (http://bit.ly/CanadianMDALL) medical device licensing database for a competitor’s equivalent product. If you don’t know the name of competitor products, you can also use Health Canada’s keyword index (http://bit.ly/CanadianKeywordIndex).

Get Health Canada’s Input

Once you have written your classification rationale, then you should email the classification rationale to Health Canada’s licensing division (http://bit.ly/CanadianMDL). Help with identifying the proper device classification in the CMDR does not require paying a consultant thousands of dollars, because Health Canada will not charge you for this service, and they typically respond within 7-10 days. Their response will confirm you have identified the correct classification for your product, or you will receive an explanation of why another rule is a better choice.

Regulatory Pathway Identification

Medical Device Academy offers a standardized service for identifying the regulatory pathway for device submissions to the United States, Europe, and Canada. We recommend that companies prepare a regulatory pathway document during the initial design planning stage (ISO 13485, Clause 7.3.1) because the harmonized standards identified will become your design inputs (ISO 13485, Clause 7.3.2). The Canadian pathway is always the easiest and least expensive of the three markets mentioned.

Do Not Ask Your CMDCAS Registrar

Your company’s ISO 13485 registrar should NOT attempt to participate in the above classification process. Health Canada specifically tells all CMDCAS (http://bit.ly/CMDCAS) auditors to instruct companies to contact Health Canada directly. The CMDCAS auditor is only supposed to verify that the company has a documented licensing process and documented classification rationale. Health Canada’s Device Licensing Division assesses the accuracy of the rationale.

You may also be interested in joining the LinkedIn Group I manage on this topic (i.e., CMDCAS): http://bit.ly/CMDCASLinkedInGroup.


Posted in: Health Canada


Benefit-Risk Analysis – Deviation #4 in ISO 14971

Review of ISO 14971 Deviation #4 specific to the requirement for benefit-risk analysis. This blog is the fourth in a seven-part series.


This blog is the fourth installment in our seven-part series, which reviews each of the content deviations between the three device directives for Europe and the international risk management standard (ISO 14971:2007). The deviations were identified in the new European National version of the Standard released in 2012. There was no change to the content of Clauses 1 through 9 in ISO 14971, but the European Commission identified seven deviations from the directives.

Discretion as to Whether a Benefit-Risk Analysis Needs to Take Place

The fourth deviation is specific to the requirement for risk-benefit analysis. Clauses 6.5 and 7 of the 14971 Standard both imply that a risk/benefit analysis is only required if risks exceed a threshold of acceptability, and Annex D.6.1 indicates that “This International Standard does not require a benefit-risk analysis for every risk.” However, essential requirements 1 and 2 require that you perform a risk/benefit analysis for each risk and overall residual risk. Essential requirement 6a also requires a risk-benefit analysis as part of the conclusion in your Clinical Evaluation Report (http://bit.ly/ER6aMEDDEV).

Your company may have created a risk management procedure, which includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks that require a benefit-risk analysis, yellow cells that are ALARP, and green cells that are acceptable. Based upon the guidance provided in ISO 14971, your company probably identified that a benefit-risk analysis is only required for a risk that falls in the red zone of the matrix where the risk is “unacceptable.”

[Figure: risk evaluation matrix (Deviation 4)]

Unfortunately, this approach is not compliant with the European Directives, because the Directives require that a benefit-risk analysis be performed for each risk and all residual risks—not just the risks you identify as unacceptable. The fourth deviation between the ISO 14971 Standard and the Essential Requirements of the European Directives is relatively simple to address with a change to your risk management process. To comply with EN ISO 14971:2012, the “red zone” should not be labeled as a benefit-risk analysis, because even risks in the “green zone” require benefit-risk analysis.

Impact of this Deviation

In a previous blog about deviation #2, we determined that the implementation of risk controls must reduce all risks. In this blog, we established that after the implementation of risk controls, all residual risks must be subject to a benefit-risk analysis. Your company will need to eliminate the use of a risk evaluation matrix like the one shown above. Instead of relying on a risk management policy for evaluating the acceptability of risk, your company should be performing a benefit-risk analysis to determine the acceptability of risks.

The best way to integrate benefit-risk analysis for the evaluation of the acceptability of all risks is to integrate this with the clinical evaluation process. In addition to using clinical literature, clinical study data, and post-market surveillance as inputs for your clinical evaluation, your company should also be using residual risks as inputs to the evaluation. The clinical evaluation should be used to assess the significance of these residual risks, and verify that there are not any risks identified in the clinical evaluation that were not considered in the risk analysis.

In order to document that your company has performed a benefit-risk analysis for each residual risk, you will need to reference the risk management report in the clinical evaluation and vice-versa. Both documents will need to provide traceability to each risk identified in the risk analysis, and conclusions of risk acceptability will need to be based upon the conclusions of the clinical evaluation.

Once the product is launched, you will need to update the clinical evaluation with adverse events and other post-market surveillance information. As part of updating clinical evaluations, you will need to determine the acceptability of the risk when weighed against the clinical benefits. These conclusions will then need to be updated in the risk management report—including any new or revised risks.

If you are interested in ISO 14971 training, we were conducting a risk management training webinar on October 19, 2018.

Posted in: ISO 14971:2019 (Risk Management)


CE Marking Routes to Regulatory Approval

The author reviews the conformity assessment process contained in Annexes VII, II, V, and III related to a company seeking CE Marking regulatory approval.

CE Marking of medical devices requires technical documentation (i.e., a Technical File or Design Dossier)—regardless of the device classification. However, the classification of the device has a significant impact on the regulatory approval pathways available to your company. Therefore, the first step in the process of CE Marking of medical devices is to determine the risk classification (http://bit.ly/riskclass). There are four device classifications: Class I, IIa, IIb, and III.

Once your company has determined the risk classification of the device, then you must determine which conformity assessment procedure you will follow to receive CE Marking approval. The conformity assessment procedures available for each classification are identified in Article 11 of the Medical Device Directive (http://bit.ly/M5MDD), and additional detail is provided in the various Annexes (i.e., Annex II, III, IV, V, VI, and VII). The following table summarizes the options for each classification:

[Table image: CE Marking conformity assessment routes by device classification]

If your product is a Class I device that is non-sterile and non-measuring, then you will not require a Notified Body (NB). However, all other products will require your company to select a NB (http://bit.ly/SelectingRegistrar).

Annex VII – Declaration of Conformity

If your company does not require NB involvement, then you will be able to issue a Declaration of Conformity in accordance with Annex VII. You will also need to register your product with one of the Competent Authorities (CA) in Europe. CAs are the U.S. FDA equivalent in each EU member state. The following is a list of contact information for all the CAs: http://bit.ly/ContactPoints. If your company does not have a physical presence in Europe, you will also need to select a European Authorized Representative (AR). My recommendation is to select an AR that is one of the 15 members of the European Association of Authorized Representatives (http://bit.ly/EAARMembers).

Annex II – Full Quality Assurance

Most companies use the Annex II conformity assessment process to achieve CE Marking. In this process, the NB reviews your Technical File for conformity and also reviews your quality system for conformity with regulatory requirements in the applicable directives. As part of the Annex II process, the NB will audit your design process to ensure that you have adequate design controls and that your process for establishing and maintaining a Technical File is adequate. Once your company has adequately addressed any findings from the audit, the NB will issue your company a Full Quality Assurance (FQA) CE Certificate in accordance with Annex II.3. Once you have the Certificate, your company will be able to launch new products without prior approval from the NB. The only requirement is that the new products are within the scope of the Annex II.3 certificate.

Annex V – Production Quality Assurance

The Annex V conformity assessment process is the most common route to CE Marking for companies that outsource product design to a third-party. If your company outsources design, Clause 7.3 is excluded from your ISO 13485 Certification, and you cannot demonstrate “Full Quality Assurance.” Therefore, the NB will issue an Annex V certificate for “Production Quality Assurance.” Annex IV and Annex VI are alternate conformity assessment procedures, but these are used less frequently for medical devices and are outside the scope of this blog.

Annex III – Type Examination

The Annex III conformity assessment process is a type of examination that is performed for higher risk devices where the company does not have an Annex II certificate. This type of examination involves a review of your company’s design dossier, and the NB issues a Type Examination CE Certificate. This Certificate cannot be used alone for CE Marking. Type Examination Certificates must be used in conjunction with another CE Certificate, such as the Annex V certification for Production Quality Assurance. This combination would be used for Class IIb and Class III devices in place of an Annex II CE Certificate.

If your company needs help with CE Marking, including training on the medical device directive, please contact Medical Device Academy at rob@13485cert.com. We are also developing a webinar series for this purpose. If you are interested in more services, try viewing the following blog category page: http://bit.ly/CEMarking.

Posted in: CE Marking


Selecting an ISO Certification Body for CE Marking and Health Canada

 

Guest Blogger, Susan Christie, Regulatory Consultant


Which Certification Body should you select?

The author reviews considerations for selecting an ISO Certification Body for CE Marking in Europe and Canadian Medical Device Licensing with Health Canada.

What is a Certification Body?

A certification body is a third-party company that is accredited by an organization like the ANSI-ASQ National Accreditation Board (ANAB) (http://bit.ly/ANABorg), United Kingdom Accreditation Service (UKAS) (http://bit.ly/UKASorg) or Standards Council of Canada (SCC) (http://bit.ly/SCC-org) to perform certification audits against ISO Standards, such as ISO 9001 or ISO 13485. Accreditation bodies verify the conformity of certification audits to the ISO/IEC 17021 Standard (http://bit.ly/IEC-ISO17021). Some certification bodies are not accredited or may be self-accredited. Still, you will need a certification body that is accredited to meet the regulatory requirements of Health Canada and European Competent Authorities.

Selecting the right certification body for your company is a critical step on the journey towards ISO 13485 certification. When I first joined one of my previous companies, I was assigned the task of implementing ISO 13485 to comply with the Canadian Medical Device Regulations (CMDR, http://bit.ly/FindCMDR) under the Canadian Medical Device Conformity Assessment System (CMDCAS, http://bit.ly/CMDCAS). First, I discovered that the company already had two certification bodies. The company initially received an ISO 9001 certificate from one certification body, and then a few years later, an ISO 13485 certificate was issued by another certification body. Unfortunately, neither certification body was recognized by Health Canada (http://bit.ly/RecognizedRegistrars). Therefore, when I joined the company, and we were seeking a Canadian Medical Device License, we had to find a third certification body. This time, I selected a registrar recognized by Health Canada. Then I was able to transfer our ISO 9001 certificate to the new registrar and eliminate the other two certification bodies.

When searching for a certification body, you will find that there are different names for the term, depending on the country in which you are seeking your certificate. For some of the biggest markets, they are named as follows:

  • Europe – notified bodies
  • Canada – registrars
  • Japan – registered certification bodies
  • Australia – conformity assessment bodies

9 Points to Consider When Selecting a Certification Body

  1. Refer to the official Europa page that helps you identify the complete list of “possible” candidates based upon the product category (http://bit.ly/NBDatabase).
  2. Consider choosing a notified body that has endorsed the Code of Conduct (COC) v3.0 as your short-list. The COC has set the bar high, and you will want to utilize a notified body that is aligned with this document. The last time I checked, there were only 12, but the expectation is that this will be mandatory (http://bit.ly/CoCNBV3).
  3. The size and reputation of the notified body can have an impact on your customer’s confidence in your QMS. If they are savvy, they know who the key players are, and who has the more credible reputations in the medical device field. Before transitioning to BSI, I experienced “eye-rolling” during customer audits when asked for the name of our notified body.
  4. Consider the level of risk associated with the classification of the medical devices that are currently marketed and those that may be planned for future distribution. The EU Commission and Competent Authorities (US FDA equivalent in European member states) throughout Europe are currently re-evaluating all the Notified Bodies to determine if they will continue to be allowed to issue CE Design Examination Certificates (Annex II.4) and CE Type Examination Certificates (Annex III) for the highest risk devices (i.e., Class IIb and Class III).
  5. Identify all your regulatory needs unless you want to contract multiple certification bodies (not recommended). Certification bodies are not created equal, and some may not be qualified to provide all the services needed. A certification body qualified to issue a certificate for ISO 13485 may not be able to provide a CE certificate for CE Marking required by the EU, and only 15 certification bodies are recognized by Health Canada as CMDCAS registrars (http://bit.ly/RecognizedRegistrars). To avoid the need for additional certification bodies in the future, you need to identify your long-term certification requirements for the international markets you will be distributing in.
  6. Compare price quotes from each certification body you are considering and make sure that you provide the same criteria to each potential certification body to ensure that you are getting a fair quote. This is also the time to determine ALL costs associated with audits, certificates, and any other fees. Be sure to include any travel costs, as they are part of the fees that will be included in the contract. If you have multiple sites, consider the benefit of utilizing the same auditor for each site for consistency. However, using one auditor can also incur higher travel costs.
  7. Evaluate each certification body’s customer service before the initial certification audits by asking for “360-degree” evaluations by everyone in your organization that will interact with the certification body directly. This includes planners scheduling the certification audits, the accounts receivable department handling invoices for the certification body, and your sales team that may be able to represent a customer’s opinion of the various certification bodies you are considering. Responsiveness is one of the best criteria to evaluate this customer service against. If the certification body is difficult to work with before certification, it won’t get better.
  8. What is your regulatory strategy? Are you looking for a certification body that will conduct an audit that barely meets requirements? Or maybe you want a certification body that will work with you as a partner to build a QMS made up of best practices. I recommend a “picky” certification body. This will ensure that you choose a partner that forces you to improve your QMS and remain competitive with other medical device companies that have embraced the principles of an ISO QMS.
  9. Finally, if your medical devices or the manufacturing process is complex or innovative, you should select a certification body with auditors that have the technical expertise to understand your product and processes. For example, if your company makes special plastic implants that require “gas plasma,” or vapor-hydrogen peroxide sterilization, you want to ensure that the certification body has auditors that understand this sterilization process.

Strategic Decision-Making

To evaluate each certification body, a spreadsheet may help keep track of information. However, the best practice for making this type of strategic supplier decision is a “Proposal A3 Report”. This special type of A3 Report is explained in Dan Matthew’s workbook (http://bit.ly/A3Workbook). Rob Packard, the founder of the Medical Device Academy, used this approach for the selection of a new Notified Body to transfer to for a recent client.

If you need assistance with ISO 13485 Certification or are interested in training on medical device regulations for the United States, Europe, or Canada, please email the Medical Device Academy at rob@13485cert.com, or contact Rob Packard by phone @ +1.802.258.1881. For other blogs on the topic of “ISO Certification,” please view the following blog category page: http://robertpackard.wpengine.com/category/iso-certification/.

Posted in: ISO Certification


Medical Device CE Marking: Writing a Classification Rationale

The author reviews considerations in “how to” write a classification rationale for medical device CE marking (i.e., questions for applying classification rules).

 CE Marking of medical devices requires technical documentation (i.e., – a Technical File or Design Dossier). One of the requirements of this technical documentation is to establish the risk class of a device in accordance with the classification rules in Annex IX. The requirement to include this classification rationale in the Technical File is not well defined in Article 9, Classification, of the Medical Device Directive (http://bit.ly/M5MDD), but the guidance document for Technical Documentation (http://bit.ly/NBMED251Rec5) clearly defines this requirement in Section 3.2 (viii). Establishing a classification rationale is the first step to establishing the regulatory pathway that will be required to CE Mark your medical device.

What are the Classifications?

There are four different classifications of medical devices in Europe: Class I, Class IIa, Class IIb and Class III. These four classifications are also referred to as “risk class.” The lowest risk classification is Class I, and the highest risk classification is Class III. Class IIa is considered a “medium risk,” while Class IIb is considered a “high risk” medical device. Notified Body involvement and a CE Certificate from the Notified Body are required for almost all medical devices distributed in Europe; however, Class I devices that are non-sterile and do not perform a measurement function do not require Notified Body involvement. Class I devices that are sterile are often referred to as “Class I-S,” but this is not a term used in the Directive. The same is true of “Class I-M” for Class I devices with a measurement function.

Applying the Rules for Medical Device CE Marking

In order to apply the classification rules as defined in Annex IX of the MDD, the following questions must be answered for the device or device family:

  1. Is the device invasive? Invasiveness of a device is an important criterion, because non-invasive devices are generally Class I, and there is typically no Notified Body involvement required for these devices.
  2. Is the device surgically invasive, or invasive with respect to body orifices? If a device is surgically invasive with respect to a body orifice, Rule 5 is the most likely classification rule. For all other devices that are surgically invasive, the duration of use is important.
  3. How long is the device used inside the body? The primary difference between Rules 6, 7 and 8 is the duration of use. In general, permanent implants are subject to Rule 8, and are Class IIb devices. The other surgically invasive devices are generally Class IIa devices. Devices under Rule 6 are for “transient” use (i.e., – intended for continuous use for less than 60 minutes). Devices under Rule 7 are for “short-term” use (i.e., – intended for continuous use for between 60 minutes and 30 days.). There are multiple exceptions to each rule, and these exceptions should all be considered.
  4. Is the device electrically powered (i.e., – an active device)? Active devices are subject to rules 9, 10, 11 and 12.
  5. Do any of the “Special Rules” apply? It is recommended to actually start with Rules 13-18 to ensure that none of the special rules applies. For example, if you are making blood bags, there is no need to read anything in Annex IX except Rule 18.

Guidance Document for Classification

Annex IX defines the classification rules for Europe, but there is also a guidance document (http://bit.ly/EUClassification) published that helps to explain the classification rules with examples. This guidance document is extremely important, because it provides clarification of rules based upon interpretations that have been made by Competent Authorities with Notified Bodies and companies. For example, critical anatomical locations are defined in Section 3.1.3: “For the purposes of the Directive 93/42/EEC, ‘central circulatory system’ means the following vessels:…”.

When you write a classification rationale for your technical documentation, it is important to reference this document—as well as Annex IX of the MDD. Your rationale should address each of the questions above for applying the classification rules. In addition, your rationale should indicate that none of the “Special Rules” (Rules 13-18) are applicable to your device or device family.

Mixed Classifications

It is possible to have a device family, contained within one Technical File or Design Dossier, that has more than one Classification. For example, you could choose to group a family of vascular grafts together in one Technical File that are permanent implants and non-absorbable. Normally, these devices would be Class IIb in accordance with Rule 8. However, if one or more of the grafts is intended for vessels included in the central circulatory system, then these grafts would be Class III devices. If a graft can be used for either indication, then the higher classification should be applied.

Proposed EU Regulations

On September 26, 2012, the European Commission released a draft proposal for a new medical device regulation. The expected implementation transition period for these proposed regulations is 2015-2017. Annex II of the proposed regulations (http://bit.ly/EUProposal) specifies that the risk class and applicable classification rationale shall be documented in the technical documentation. This appears as item 1.1e) under the heading of “Device description and specification.”

The MDD defines the classification rules for medical devices in Annex IX, while in the proposed EU regulations, classification rules are now in Annex VII. The MDD also has 18 rules, while the proposed regulations have 21 rules. In order to download a Gap Analysis of the Classification Rules for CE Marking, please visit the following page on this website: http://bit.ly/gapanalysiscmda.

If you need assistance with medical device CE Marking, or you are interested in training on CE Marking, please contact Medical Device Academy at: rob@13485cert.com. Medical Device Academy is developing a webinar series specifically for this purpose. You can also call Rob Packard by phone @ 802.258.1881. For other blogs on the topic of “CE Marking,” please view the following blog category page: http://robertpackard.wpengine.com/category/ce-marking/

Posted in: CE Marking


ALARP vs As far as possible – Deviation #3

This third blog in a seven-part series reviews deviation #3, ALARP vs. “As far as possible,” with regard to risk reduction.

In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually and recommends changes to be made to your current risk management policies and procedure.

Note: This is a 2013 blog that will be updated in the near future, but the following link is for our current risk management training.

Risk reduction: “As Far As Possible” (AFAP) vs. “As Low As Reasonably Practicable” (ALARP)

The third deviation is specific to the reduction of risk. Design solutions cannot always eliminate risk. This is why medical devices use protective measures (i.e., – alarms) and inform users of residual risks (i.e., – warnings and contraindications in an Instructions For Use (IFU)). However, Essential Requirement 2 requires that risks be reduced “as far as possible.” Therefore, it is not acceptable to only reduce risks with cost-effective solutions. The “ALARP” concept has a legal interpretation, which implies financial considerations. However, the European Directives will not allow financial considerations to override the Essential Requirements for the safety and performance of medical devices. If risk controls are not implemented, the justification for this must be on a basis other than financial.

There are two acceptable reasons for not implementing certain risk controls. First, the risk control will not reduce additional risk. For example, if your device already has one alarm to identify a battery failure, a second alarm for the same failure will not reduce further risk. Redundant alarms are often distracting, and too many alarms will result in users ignoring them.

The second acceptable reason for not implementing a risk control is that there is a more effective risk control that cannot be simultaneously implemented. For example, there are multiple ways to anchor orthopedic implants to bone. However, there is only enough real estate to have one fixation element at each location. If a femoral knee implant is already being anchored to the femur with metal posts and bone cement, you cannot also use bone screws at the same location on the femur to anchor the implants in place.

ALARP does not reduce risk “As far as possible”

Annex D.8 in ISO 14971 recommends the ALARP concept in Clause 3.4 of the 14971 Standard. Therefore, the risk management standard is contradicting the MDD. This contradiction is the primary reason why medical device companies should discontinue the use of phthalates and latex for most medical devices. Even though these materials are inexpensive solutions to many engineering challenges presented by medical devices, these materials present risks that can be avoided by using more expensive materials that are not hazardous and do not cause allergic reactions in a large percentage of the population. The use of safer materials is considered “state-of-the-art,” and these materials should be implemented if the residual risks, after implementation of the risk control (i.e., – use of a safer material), are not equal to, or greater than, the risk of the cheaper material.

Recommendation for eliminating ALARP

Your company may have created a risk management procedure that includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks, yellow cells that are ALARP, and green cells that are acceptable. To comply with EN ISO 14971:2012, the “yellow zone” should not be labeled as ALARP. A short-term solution is to simply re-label these as high, medium, and low risks. Unfortunately, renaming the categories of risk high, medium, and low will not provide guidance as to whether the residual risk is reduced “as far as possible.”

Resolution to this deviation

As companies become aware of this deviation between the 14971 Standard and the Essential Requirements of the device directives, teams that are working on risk analysis, and people that are performing a gap analysis of their procedures will need to stop using a matrix, like the example above. Instead of claiming that the residual risks are ALARP, your company will need to demonstrate that risks are reduced AFAP, by showing objective evidence that all possible risk control options were considered and implemented. Your procedure or work instruction for performing a risk control option analysis may currently state that you will apply your risk management policy to determine if additional risk controls need to be applied, or if the residual risks are ALARP.

This procedure or work instruction needs to be revised to specify that all risk control options will be implemented unless the risk controls would not reduce risks further, or the risk controls are incompatible with other risk controls. Risk control options should never be ruled out due to cost.

Posted in: ISO 14971:2019 (Risk Management)


Why the FDA 510k Process Needs to Change Now: A Proposed Solution

The author says three factors are accelerating the need for change to the current FDA 510k process and offers a proposed solution.

When a company’s marketing literature tells you how a new device is different from competitor products, and the 510k summary for the same new device states that it is “substantially equivalent,” you can understand why the FDA may not fully support the 510k process for innovative, medium-risk devices.

There are many things wrong with the FDA 510k process, but the concept of using a predicate device and demonstrating equivalence is inherently a wrong approach for innovative devices. A preliminary report about the 510k process was released in 2010 (http://bit.ly/510kreport). The report states, “While the concept of ‘substantial equivalence to a predicate’ is generally reasonable, CDRH’s application of this standard has, in some instances, raised concerns.” Specifically, the use of predicate devices that were withdrawn from the market due to issues of safety or effectiveness, and the use of so-called “split predicates” may not ensure patient safety or device efficacy.

The FDA attempted to address issues identified in the report by issuing a draft guidance document for 510k submissions, but the industry hated it. The FDA has also gradually requested more clinical study data to demonstrate that the new device is substantially equivalent to the predicate device. This practice results in unexpected delays and much higher costs of regulatory approval. The FDA’s published guidance for 510k content (http://bit.ly/510kContent) indicates that “Clinical data is not needed for most devices cleared by the 510(k) process.” However, more than 10% of 510k submissions now require clinical data because the 510k for predicate devices included clinical data to demonstrate safety and effectiveness.

More recently, the FDA issued a draft guidance document for the De Novo process (http://bit.ly/DeNovoGuidance). The De Novo process allows the FDA to reset the submission requirements for devices that are not substantially equivalent and specify new requirements. The process has been used most for new In Vitro Diagnostic (IVD) products, and it is quite similar to the concept of Common Technical Specifications (CTS) introduced for IVD products in Europe.

Why the FDA 510k Process Needs to Change Now

The simultaneous confluence of three factors is accelerating the need for change in the 510k process. First, the cost of healthcare is skyrocketing. Therefore, patients and healthcare providers are desperately searching for less expensive treatment solutions. Second, insurance providers are demanding clinical evidence that new products are more effective than existing products that cost less. Third, evidence-based medicine is becoming mainstream. Physicians are no longer accepting the word of salespeople and marketing literature. Instead, physicians demand clinical data demonstrating that products are safe and effective. Users also want detailed information regarding patient selection criteria.

The collision of these three factors has exponentially increased the value and importance of clinical data. Still, only 10%+ of the 510k cleared devices have clinical data at the time of product launch. Regulatory clearance to market a product is nearly useless if the product is not reimbursed, and users will not adopt its use. The modular Premarket Approval (PMA) process supports (http://bit.ly/PMAmethods) the need for preliminary safety data before clinical use, followed by a clinical study to demonstrate efficacy. However, 510k products are lower in risk, and efficacy can often be demonstrated with simulated use, animal testing, and cadavers.

As medical devices become more complex and innovative, bench-top testing and pre-clinical testing are not always adequate to demonstrate safety and efficacy for 510k products. For complex and innovative devices, it is extremely difficult to predict how the devices will interact with a broader population of users and patients, and it is difficult to predict the long-term effects of the devices—beyond the duration of a premarket, clinical study.

The PMA process requires premarket clinical data, but PMAs require exponentially greater amounts of data than a 510k submission, and the FDA requires supplemental approval of almost every minor change (e.g., – changing a component supplier, or changing a test method). If the PMA process is too burdensome for most devices, and the 510k process is not adequate, what is the right process for the next generation of devices?

The De Novo process offers one solution, but it is still a premarket notification process. For the De Novo process to be useful for innovative devices, a Special Controls Guidance Document needs to include a requirement for both premarket clinical studies and Post-Market Surveillance (PMS).

Pilot Parallel FDA-CMS Review Process

In 2011, the FDA initiated a pilot program to allow companies to have PMA and CMS (http://bit.ly/Medicare-Medicaid) review processes occur in parallel (http://bit.ly/ParallelReview). The concept behind this pilot program is that the same clinical data must be reviewed for PMA approval and CMS reimbursement. If the pilot program is effective, products will be approved and reimbursed at the same time. However, this pilot program is only applicable to PMA products at this time. This program could be expanded to 510k products, where clinical data is presented as part of the application, but most 510k products do not warrant a clinical study.

Another Solution

The best tool to measure the safety of a new device is a clinical study, but U.S. clinical studies focus on demonstrating efficacy. Therefore, the FDA should consider using smaller clinical studies, without comparisons to predicate devices, to demonstrate safety rather than efficacy. This is the approach used by European Notified Bodies for medium and high-risk, innovative devices. This approach can also be integrated with a Special Controls Guidance Document for De Novo products.

For complex, innovative devices, the efficacy of the device is not reliably measured by clinical studies, because outcomes are highly dependent upon users. Premarket clinical studies can only estimate efficacy due to the small number of users. The lack of accurate efficacy predictability is why the FDA requires PMS for many PMA products. The best tool to measure efficacy is Post-Market Clinical Follow-up (PMCF) studies—not the premarket clinical studies the FDA uses to evaluate PMA applications. This is also the type of data that is required for CMS reimbursement and physician adoption.

Innovative devices are forcing regulations to evolve. The goal of regulators should be to produce a best-in-class method of evaluating which devices should be approved, reimbursed, and adopted as the standard of care.

Posted in: 510(k)


Effective Management Solutions for 10 CAPA Program Blunders

The author provides effective management solutions for ten real-life CAPA program blunders (i.e., procedures, root cause analysis, closing CAPAs, etc.).

I am always looking for new and creative ways to help people understand the importance of maintaining an effective Corrective and Preventive Action (CAPA) program. If my last dozen CAPA blogs were not convincing enough, maybe this list of suggestions will help.

  1. If someone doesn’t follow procedures, just fire them. The employee in question is obviously the root cause. Management cannot be held responsible for the actions of employees. Once, I read a corrective action plan that indicated termination was the correction for a missing training record. The QA Manager clarified this statement by saying that the employee resigned for personal reasons, and there was no opportunity to train the employee. The CAPA record also indicated that 100% of the training records for manufacturing employees were reviewed for completion. There were a few records identified as incomplete, and those employees were trained—not terminated. The company also implemented a tracking tool to monitor training records. As a general rule, termination is not an acceptable corrective action or correction.
  2. If CAPAs are open longer than your procedure allows, close the existing CAPAs the day before the CAPAs become overdue, and open new CAPAs. CAPAs are not “closed” until all nonconformities have been corrected, corrective and preventive actions are implemented, and effectiveness checks are done. If the corrective and preventive actions were not completely effective, some companies chose to reopen the record and expand the plan of corrective and/or preventive actions. Other companies chose to open a new CAPA record, and reference the new record in the effectiveness check section of the previous CAPA record. Either approach works, but you cannot close an incomplete record and remain compliant.
  3. To verify the effectiveness of corrective actions, just include a copy of your document change order. Documenting changes to procedures meets part of the CAPA requirements, but this verifies implementation—not effectiveness. To verify the efficacy, you need to confirm that a nonconformity, or a potential nonconformity, will not recur. Low-frequency defects are often hard to demonstrate directly. The best approach is to validate the process parameters to demonstrate quantitatively that the process capability has improved. For manual processes, you may need to test the new process to verify that the error will not occur or will be detected.
  4. If you can’t finish tasks on schedule, revise your plan. If you still can’t finish tasks on schedule, revise your plan again—and again. It’s appropriate to revise your plan if you discover additional causes that your initial investigation missed. You should not, however, be revising target completion dates—except in rare cases. You also should not need to revise your plan multiple times.
  5. When you’re unsure why a problem occurred, identify the root cause as an unclear procedure, and make a minor change to the appropriate SOP. Making changes to procedures is quick and easy to verify. Unfortunately, this approach is seldom effective in preventing recurrence. You need to develop new process controls to make errors impossible. Eliminate variation in raw materials, eliminate subjectivity in inspections, and provide tools and fixtures to make manual processes capable of more consistent results. After you have reduced all three of these sources for process defects, then you are ready to revise your procedures and retrain employees.
  6. Whenever an employee fails to follow a procedure, just change the procedure to require another person to verify that they did it right. If one employee fails to follow procedures 100% of the time, a second person manually inspecting will also not be 100% effective. Another method of process control should be used to ensure that your process results in a conforming product. Adding more people provides a false sense of confidence. The use of objective measurement and go/no go fixtures offers a higher degree of certainty.
  7. Write a justification for an extension of the implementation timeline if a CAPA is about to become overdue. Justifications for extension provide objective evidence that management is aware that a CAPA plan is not meeting the target completion times. This is necessary on rare occasions, but extensions should never become routine. Also, if the progress of a CAPA is slow, monitoring should be frequent enough that management can release additional resources, or re-prioritize assignments in order to catch up with the target completion date.
  8. Use the “5 Why” technique for root cause analysis to identify a user error to blame for complaints. The “5 Why” technique is effective at investigating the depth of a problem to ensure that the root cause is identified—instead of a symptom. If the reason for a problem is recognized as a supplier, then it is necessary to ask why the supplier’s error was not prevented or detected. Sometimes this requires asking “Why” more than five times, but identifying a cause you have no control over will fix nothing.
  9. To monitor your CAPA program, conduct weekly CAPA board meetings where a person is asked to explain why the CAPA they were assigned is overdue. Anyone can make an excuse, but excuses will not complete CAPAs. CAPA boards and weekly meetings can be extremely valuable, but your CAPA board should rely on three rules: 1. Managers need to be present to re-allocate resources and re-prioritize tasks. 2. CAPAs that are on schedule or ahead of schedule require no further discussion. 3. Anyone assigned to a CAPA that is behind schedule should request help and suggest solutions before the CAPA becomes overdue.
  10. Do not assign other departments the responsibility for CAPAs, because only QA has the training and competency to conduct an investigation of the root cause, and write a CAPA plan. One of the most effective CAPA management tools I observed was a visual communication board that used color-coded paperclips, which identified resources assigned to CAPAs. By limiting the number of paperclips to equal the number of resources allocated to CAPAs, the company was able to level the workload of CAPA assignments to match the available resources in each department. You can only achieve this level of efficiency and effectiveness if multiple people in multiple departments are trained and competent to investigate the root cause and write CAPA plans. CAPA should be a core competency for every department because it’s the best process for fixing and preventing problems.

Disclaimer: If you missed my sarcasm, these are ten ways to mismanage a CAPA program. The brief paragraph after each numbered example is intended to provide the actual recommendation for effective management of your CAPA program.

If you are interested in learning more about CAPA, please register for the Medical Device Academy’s CAPA Workshop on October 3 in San Diego. Click here to register for the event: http://bit.ly/MDAWorkshops.

Posted in: CAPA
