Blog

FDA Advice for Regulatory Submissions

This blog reviews the importance of planning and communication with the FDA related to firms’ regulatory submissions. For the past two days, I was fortunate enough to attend a training seminar hosted by the FDA in Washington, DC. This was a “free” seminar (i.e., – travel expenses only). The session was split into two rooms. One room focused on drug regulations, and the other focused on device regulations. As my strength is a device, I spent most of my time listening to the speakers on the drug-side. Throughout the training, there was one common theme that was repeated by the speakers: Come Early, Be Loud, and Stay Late.

“Come Early”

The speakers recommend that companies plan their submissions well in advance and talk to the appropriate FDA project manager about their plans before starting clinical studies.

“Be Loud”

The speakers recommend that companies communicate with as many people as they can at FDA to ensure they have identified all the critical issues to address in the study design.

“Stay Late”

The speakers recommend that companies think ahead so that if (or when) things don’t go as planned, the clinical study results can be salvaged. In simple and more practical terms, every speaker emphasized the importance and value of consulting with the FDA, instead of guessing what type of data will be needed for submission. One of the other participants brought this up at lunch on the first day. He mentioned an example where the FDA agreed with a company on specific data that would be required for acceptance of an NDA. The company did exactly what the FDA said, and then the FDA requested more data. He later described another case where the FDA specified data, and the company refused to comply—but the FDA granted approval. This other participant and I both agreed that most companies are afraid to ask the FDA for agreement on what data is required because the company may not like the FDA’s answer.

My personal belief is that the FDA is better at identifying what data will be required than most companies because they have a broader perspective than companies do. There will always be exceptions, but my recommendation is to ask FDA’s opinion whenever you have a question—just ensure you do your homework before you ask an inane question that is already in their guidance documents. I believe this advice also applies to every regulatory agency in the world.

Posted in: FDA

Leave a Comment (0) →

How to request FDA Device Classification information – 513(g) Alternative

This blog provides a five-step process on how to request FDA device classification information. A screenshot of the FDA website for each step is included.

If your company is currently registering with the US FDA, you are probably reviewing the guidance document this month for the FY2013 user fees. On pages six and seven, there is a table of these fees, but you might have overlooked 513(g). Section 513(g) is a provision in the law that allows companies to request device classification information from the FDA.

For example, if your company was developing a new product, and you were having difficulty identifying the regulatory pathway, 513(g) is your friend. In my opinion, these fees are modest: $5,061 = Standard Fee, and $2,530 = Small Business Fee (updated for FY 2022). Most consultants will charge at least ten hours of consulting to identify the regulatory pathway for a company. I would charge quite a bit less because it takes me a lot less than ten hours. I still think the FDA’s pricing is a good deal because getting information directly from the source is always more valuable than an “expert.”

The US FDA has published a guidance document explaining the process for 513(g) requests. This guidance document was released on April 6, 2012 (updated in 2019). The guidance explains what information companies need to provide in order to submit a 513(g) request. The guidance also has a fantastic list of FDA resources on page five. These are the very same resources that the “experts” use—including yours truly.

Just as any good lawyer tries to avoid asking questions that they don’t already know the answer to, I recommend that you first try using these resources yourself. Once you think you know the answer, your request for classification information will be easier to organize.

Here’s how I would proceed to request FDA device classification information: 

Step 1 – Are there similar devices on the market?

Identify another device similar to yours. If you can’t do this, you need serious help. You need a similar device that is already sold on the market to use as a predicate device. If you cannot identify a predicate, then you can’t use the 510(k) process—or you don’t know your competition. Either way, there are challenges to overcome. For example, if you are trying to launch a new topical adhesive made from cyanoacrylate—”Dermabond” might be the first predicate device that comes to mind.

registration and listing How to request FDA Device Classification information   513(g) Alternative

Step 2 – Search the Registration Database for FDA Device Classification

Use the registration and listing database on the FDA website to find the company that manufacturers the device. The link for this is #4 on my helpful links page (updated). This link also will provide you with connections to the classification database—which you can use to find the classification for any device. However, the registration and listing database is less likely to lead you astray. When I type “Dermabond” into the field for the proprietary device name, I get a list of five different product listings.

5 listings for dermabond How to request FDA Device Classification information   513(g) Alternative

Step 3 – Select one of the competitor links to identify the FDA Device Classification

Clicking on any one of these five will take you to a listing page for the corresponding company. On that page, you will find the three-letter product code that identifies the device classification and the applicable regulations for that device.

device listing for dermabond1 How to request FDA Device Classification information   513(g) Alternative

Step 4 – Your found the FDA Device Classification

Clicking on the three-letter product code (i.e., – “MPN” in our Dermabond example) takes you to the Product Classification page. This is where you will find that Dermabond, and other tissue adhesives, are Class II devices that require a 510(k) submission. Also, the Product Classification page identifies an applicable guidance document to follow for design verification and validation testing. This is also called the “Special Controls Document.”

mpn product classification How to request FDA Device Classification information   513(g) Alternative

Step 5 – TheTPLC Report lists all the recent 510(k) submissions

Click on the “TPLC Product Code Report” link. This link will provide you with a report of all the 510(k) ‘s recently granted to your competitors, problems customers have experienced with their products, and recalls for the past five years. This is extremely valuable information as a design input—as well as competitive information for your marketing team.

tplc total product life cycle report for mpn How to request FDA Device Classification information   513(g) Alternative

TPLC Report for Product Code “MPN” – Topical Adhesive

Posted in: FDA

Leave a Comment (1) →

10 FDA Inspection Strategies that DON’T Work

If you were just notified of an FDA inspection and you don’t think you are ready, using tricks to hide your problems is a huge mistake. I have heard a few recommendations over the years for “secrets” to hide those problems. In this post, I share my favorite “secrets”–and why they DON’T work.

Here are my top 10 ways to make an FDA inspection worse:

10. Stalling when the investigator makes a request – This just irritates investigators. At best, the investigator will use the waiting time to identify additional documents to sample or to review the information you have provided more closely. At worst, the investigator will accuse the company of not cooperating with the inspection, and the investigator may return the following week with several more team members to help them. Whenever this occurred during a third-party audit that I conducted, I would move onto another area and interview someone. However, before I left the person that was slow to respond, I provided the person with a list of documents and records that I expected to be waiting for me upon my return. In extreme cases, I had to bluntly tell the management representative that I needed documentation more quickly. As an instructor, I teach auditors techniques for coping with this tactic.

9. Suggesting records for the investigator to sample – This is specifically forbidden in the case of third-party inspections and audits. The FDA has work instructions for identifying sample sizes, and samples are supposed to be selected randomly. In reality, samples are rarely random, and usually, the investigator is following a trail to a specific lot, part number, etc. When clients offered me samples, I tried to be polite and review the record they provided. However, I also would request several other records or follow a trail, as I have indicated above. Another approach I often use is to focus on high-risk items (i.e., – a risk-based approach to sampling). In general, you can expect the FDA investigators to sample more items than a registrar–and sample sizes are often statistically derived if the number of records is sufficiently large. When sample sizes are quite small, I recommend sampling 100% of the records since the previous inspection/audit. This is not always possible for third-party auditors, but internal auditors often can achieve this.

8. Outsourcing processes to subcontractorsThe FDA recently reinstated the requirement for contract manufacturers and contract sterilizers to be registered with the FDA by October 1, 2012. Therefore, hiding manufacturing problems from the FDA by outsourcing manufacturing is increasingly more difficult to do. In addition, the FDA focuses heavily on supplier controls and validation of outsourced processes. Therefore, an investigator will identify high-risk processes performed by subcontractors and request documentation of process validation by that supplier. If the company does not have the validation reports, this could quickly escalate to a 483, and possibly a visit to the subcontractor.

7. Trying to correct problems during the inspection – This is what I like to call the document creation department. At one company I worked for, we noticed a mistake across several of the procedures and made a change overnight between the first and second days of the audit. When the auditor asked for the procedures in the morning, he asked, “Is the ink dry yet?” The auditor then proceeded to request records that demonstrated compliance with the newly minted procedures. As you might have guessed, this resulted in several nonconformities. When clients attempt to correct problems found by an investigator, the investigator typically will respond with the following statement, “I applaud you for taking immediate action to contain and correct the problem. However, you still need to perform an investigation of the root cause and develop a corrective action plan to prevent a recurrence. To do this investigation properly may take several days.” I also teach auditors to memorize this phrase.

6. Writing a letter to file – When companies make minor design changes, one of the most common approaches is to “write a letter to file.” This phrase indicates that the design team is adding a memo to the Design History File (DHF) that justifies why design validation is not required or why regulatory notification/approval is not required. The FDA used to publish a decision tree to help companies make these decisions. In fact, such a decision tree is still part of the Canadian significant change document. The FDA recently withdrew a draft document that eliminated many perceived opportunities to utilize the “letter to file” approach. However, the FDA will still issue a 483 to a company if the investigator can identify a change that required validation that was not done, or a 510(k) that was not submitted for a design change. In fact, the FDA looks explicitly for these types of issues when an investigator is doing a “for cause” inspection after a recall or patient death.

5. Shut it down – Not running a production line that has problems is an ideal strategy for hiding problems. However, the FDA and auditors will simply be forced to spend more time sampling and reviewing records of the problematic production line. If you need to shut a line down, ensure everything is identified as nonconforming, and carefully segregate rejected product from good product. You should also use these problem lines as an opportunity to show off your investigation skills and your ability to initiate CAPAs. If you simply forgot to validate a piece of equipment, or do some maintenance, take your lumps and keep production running. If you are a contract manufacturer, never shut it down without notifying the customer. If you do not tell your customer, you will get a complaint related to on-time delivery and a 483.

4. Storing all records off-site – I first heard about this tactic during an auditor course I was co-teaching. During the course, we had many reasons why the company should be able to provide the records in a timely manner. However, I have experienced this first-hand as a third-party auditor. When this happens, I do three things: 1) increase my sampling of records that are available, 2) carefully review supplier controls and supplier evaluation of the storage facility (assuming it is outsourced), and 3) verify that the company has a systematic means for tracking the location (i.e., – pallet and box) for every record sent to storage. FDA investigators will simply move along to another record and follow-up on their earlier request with a second visit, or a request to send a copy of the document to them after the inspection.

3. Identifying information as confidential – A company can claim information is confidential and may not be shared with the public. Still, very little information is “confidential” concerning the FDA or Notified Bodies. Therefore, this strategy rarely works. In fact, this will enrage most FDA investigators. In training courses, I train auditors to ask the auditee to redact confidential information. For example, a CAPA log may have confidential information in the descriptions, but the trend data on opening and closing dates are never confidential.

2. The FDA is not allowed to look at those records – Although this statement is technically true for internal audit reports and management reviews, the FDA always says that they can access this information through the CAPA system. What the FDA means is that there should always be evidence of CAPAs from internal audits and management reviews. If there is not, then this will quickly become a 483. Another person I met tells the story that when they agreed to share the management review records with the investigator, the inspector rarely issued a 483. When they refused to share the management review with the FDA, the inspection went quite badly from that point forth. I don’t agree with being vindictive, but it happens.

1. Show me where that is required – This is just silly. Investigators and auditors are trained on the regulations, while you are educated on your procedures. Spend your time and effort, figuring out how your procedures meet the regulations in some way. Challenging the investigator excites the investigator. We all like a challenge–and we rarely lose. One auditee tried this approach with me in front of their CEO. This experience allowed me to show off that I had memorized the clause in question–and the corresponding guidance document sections. I think the CEO realized quickly that the management representative was not qualified.

My final advice is to do your best to help the investigator do their job, and treat every 483 as “just an opportunity to improve.” Just ensure you submit a response in 14 days, or you will receive a Warning Letter too!

Posted in: FDA

Leave a Comment (4) →

Using a Wiki for Document Control

The author read an article on using Wiki’s for document control, and he shares a “genius idea that is coming of age.”

Procedures can always be improved, but our goal is to make better products—not better procedures. So what could possibly be so exciting about document control that I feel compelled to write another post about “blah, blah, blah?”

I read an article about using Wiki’s for document control.

A Wiki is just a collaborative environment where anyone can add, delete, and edit content. All changes are saved, and Wiki’s can be controlled—while simultaneously being available to everyone. The most famous of all Wiki’s is Wikipedia.

In 2009, Francisco Castaño (a.k.a. – Pancho) began a discussion thread to explain how his company was using a Wiki to manage their documentation system. In the last month, ASQ published an update on the status of Pancho’s Wiki process for document control.

Writing Procedures

In most companies, the process owner writes procedures, and other people in the company rarely comment on minor errors. In the most dysfunctional companies, the Quality Department writes the procedures for the rest of the company or outsources it to consultants. Reviewing and editing procedures should be the responsibility of everyone in the company. Still, I never considered the possibility of having everyone within the company edit procedures simultaneously—until I saw Pancho’s thread. Throughout the discussion, others have indicated that they also tried using Wiki’s to optimize content. This is a genius idea that is coming of age.

Many QMS consultants, including myself, have written procedures for clients. Sometimes this is part of the consulting business model. In these cases, the consultant writes a procedure once and edits it forever—while getting paid a modest fee each time a client asks for a “new” procedure. I often think that it would make more sense to do something like Linux developers have done—use the collaboration of QMS experts around the world to create a general procedure that is free to everyone. This is possible using Wiki’s that are publicly available.

Very soon (hopefully 2013), the responsibilities section of our procedures will fundamentally change. Instead of reading and understanding, everyone will be responsible for writing and editing (oh no, I’ll have to create a new learning pyramid).

Quality will no longer be responsible for writing procedures. Instead, the quality function can focus on monitoring, measuring, data analysis, and improvement of processes and products. The downside is that we will need fewer personnel in document control.

If you want to learn more about Wiki for document control, follow this thread I found on Elsmar Cove. It’s rich in content, and even the moderators have been forced to rethink their preconceptions.

You should also read two articles by Pancho:

  1. Using a Wiki for Document Control
  2. Using a Wiki to Implement a Quality Management System

Posted in: ISO Certification

Leave a Comment (3) →

Do you need to purchase the latest EN ISO 14971 version?

It is not necessary to purchase the EN ISO 14971 version because you should already be compliant and amendments are sold separately.

Discussion about a risk management standard 1024x664 Do you need to purchase the latest EN ISO 14971 version?

If the above conversation sounds familiar, hopefully, this blog will help.

Note: This is a 2012 blog that will be updated and/or consolidated soon, but here’s a link for risk management training.

Question 1: What is the current version of EN ISO 14971?

Answer 1: EN 14971 was revised to 2012 on July 6, 2012. The previous 2009 version was withdrawn. The ISO version is not changing–just the EN version.

Question 2: What’s new in 2012?

Answer 2: Only the three Annexes related to harmonization with the three directives (MDD, AIMDD, and IVDD) were updated. The content of the Standard itself has not changed.

Question 3: Do I need to buy EN ISO 14971… which really hasn’t changed since 2007?

Answer 3:  No…unless you still have the 2000 version. (just my personal opinion … not anyone else necessarily agrees)

Why you don’t need to buy the  EN ISO 14971 version…

Historically, Annex ZA was the annex at the back of a Standard that would explain how it is harmonized with the European Directives. However, in 2009, Annex ZA was separated into ZA, ZB, and ZC. Each of these Annexes explained how the current version of ISO 14971  (then ISO 14971:2007) differs from each of the three directives. In addition, there was a correction to Figure 1 (i.e., – arrow in the wrong location). Neville Clarke provided a good summary of these minor changes that occurred in 2009. The European Commission was concerned with some of the differences between the 2009 Standard and the Directives. Therefore, the Standard has been updated to clarify these differences.

There are seven technical deviations from the Standard that are required for compliance with the European Directives. Marcelo Antunes is an expert on Standards, and he accurately describes these deviations as “weird” in a discussion thread on Elsmar Cove’s Forum. The deviation that seems to have caught the most attention is the requirement to reduce ALL risk to “as low as possible” (ALAP) rather than to a level that to “as low as reasonably practicable” (ALARP concept). The “ALAP” acronym was a joke, but it wouldn’t be the first time that something like this stuck (i.e., – SWAG).

An alternative approach to verifying compliance with EN ISO 14971

If you sleep with a label maker under your pillow, you should buy the new BS EN 14971:2012 version,  so you can ensure that you are staying in compliance with each of these seven deviations and that you have considered the implications fully in your procedure for Risk Management. However, if you are a practical person that prefers not to upset the entire development team, I recommend a different approach.

1. Download a copy of the relevant Directive from the Europa Website

2. Using Adobe, search the entire Directive for the word “risk”:

AIMDD = 24 times

MDD = 55 times

IVDD = 34 times

3. Systematically review where the word “risk” is used to determine if you need to make adjustments for your CE Marked products. If you already have a CE Mark, there should be no changes required to your risk management documents. Your procedures might need clarification to observe the requirements of the Directive when there is a difference between the Standard and the Directive.

Last Question: What is your Notified Body auditor going to do?

Final Answer: I’m not sure, because every auditor is a little different in their approach. However, as an instructor, I would teach an auditor to ask open-ended questions, such as: “How did you determine if there is an impact upon your procedures and design documentation with regard to the updated Standard?” (i.e., – impact analysis). If the company provides an impact analysis and explains why the existing risk documentation and procedure should not change, I believe this meets the requirements for “equivalency with the State of the Art.”

Honestly, I haven’t seen one single company that was 100% in compliance with the “letter” of the Directives or the Standard. Sometimes, rational thought must overcome political compromises and irrational behaviors.

On the other hand, it’s always possible that these seven deviations, and the information on corrective action, will fundamentally change the way your company approaches risk management (I just dare you to bring it up in your next management review).

If you would like a second opinion, the Document Center’s Standard Forum says, “As you can see, this material is essential to conformance with the EN requirements and will make the purchase of the EN edition (BS EN ISO 14971 is the official English language edition) mandatory for medical device manufacturers certifying to the standard for sales in Europe.” FYI…Document Center’s Standard Forum sells Standards. You can buy this one from them for $324.

 

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (11) →

ISO 19011 – Guidelines for Auditing Quality Management Systems

This blog reviews the additions and changes to the ISO 19011 guidance for auditing quality management systems.

If you have ever taken a lead auditor course for ISO 13485, or one of the other quality management system standards, one of the critical handouts for the class should have been ISO 19011. The title is “Guidelines for Auditing Quality Management Systems.” In November 2011, this Standard was updated, and the changes were not superficial.

ISO 19011 covers the topic of quality management system auditing. This Standard provides guidance on managing audit programs, conducting both internal and external audits, and determining auditor competency. Improvements to the 2011 Version of the Standard include:

  1. Broadening the scope to all management systems
  2. Clarifying the relationship between ISO 17021 and ISO 19011
  3. Introduction of remote audit methods
  4. Introduction of risk as an auditing concept
  5. Confidentiality is a “new” principle
  6. Clause 5, Managing an audit program, was reorganized
  7. Clause 6, Performing an audit, was reorganized
  8. Clause 7, Competence and evaluation of auditors, was reorganized & strengthened
  9. Annex B is new, and the contents of the help boxes were moved to this Annex
  10. Annex A now includes examples of discipline-specific knowledge and skills

One of the most common points of confusion in the lead auditor course is the difference between first, second, and third-party audits. In the previous revision of this Standard, this was just a note at the bottom of page one and the top of page two. The note was not very clear either. In the new version of 19011, in Table 1 (reproduced below), the difference between these three types of auditing is crystal clear:

19011 table 11 ISO 19011   Guidelines for Auditing Quality Management Systems

The above table is just an example of the improvements made to ISO 19011, and of course, there is a little value-add to clarifying a definition. Figure 1 from the new version, “Process flow for the management of an audit program”, is a better example of a “value-add.” This vertical flow chart is reminiscent of Figure 1 from ISO 14971:2007. It categorizes the various stages of audit program management into the Plan-Do-Check-Act (PDCA) cycle. I highly recommend this style for presenting any process in your internal procedures as an example of best practices in writing an SOP. The flow chart even references each of the clauses in the Standard. Unfortunately, Figure 2, “Typical audit activities,” does not categorize the stages of audit activities (Clauses 6.2 – 6.7 of the revised Standard) into the PDCA cycle. I guess they needed to leave some improvement for the next revision.

The new version retained the opening meeting checklist that was in the previous revision (Clause 6.4.2), and Clause 6.4.9 has a brief closing meeting checklist. Figure 3, “Overview of the process of collecting and verifying information,” is a poor example of a flow chart. Should I make a better one? (Send me an email if you think I should.)

The most valuable changes in this revision are Clause 5.3.2, “Competence of the person managing the audit program,” and all of Clause 7. Most of the audit procedures I read neglect to define the qualifications and methods for determining the competency of the audit program manager. Clause 5.3.2 tells you how. Put it in your own procedure. Most of the procedures I read include qualifications for a “Lead Auditor,” but I seldom see anything regarding competency. Unfortunately, this Standard only specifically addresses the “Lead Auditor” competency in a two-sentence paragraph—Clause 7.2.5. When I teach people how to be a lead auditor, I spend more than an hour on this topic alone. 

ISO 19011 Standard

The Standard would be more effective by providing an example of how third-party auditors become qualified as a Lead Auditor. Third-party accreditation requires the auditor to be an “acting lead” for audit preparation, opening meetings, conducting the audit, closing meetings, and final preparation/distribution of the audit report. This must be performed for 15 certification audits (i.e., – Stage 2 certification or re-certification), and another qualified lead auditor must evaluate you and provide feedback.

The last significant additions to this Standard were the Appendices. Annex A provides examples of discipline-specific knowledge and skills of auditors. This section is a little on the dull side. I prefer to tell a story about the internal auditor that was auditing an incoming inspection—but they had no idea how to check for calibration, or how to measure components.

Appendix B, the finale, has a table (Table B.1) that provides some guidance on how to conduct remote audits (i.e. desktop audits). I was pleased to see that conducting interviews is a significant part of remote auditing in this table. Section B.7 provides some suggestions concerning conducting interviews. Still, if you exhibit all 13 of the professional behavior traits found in Clause 7.2.2, then you don’t need any advice on how to speak with people. For the rest of us mortals, we could use a five-day course on interviewing alone.

Posted in: Auditing

Leave a Comment (1) →

The UDI: FDA Requirement

The UDI is an FDA requirement. The author reviews how the UDI will enable faster and more accurate product recalls and medical device reporting.

Unique Device Identifiers (UDIs) are nothing new. MASH tents in the military use 2-D barcoding to track the use of instruments in mobile operating rooms in the field. Just imagine how hard it is to count forceps and vascular clamps during a wave of shelling from a nearby front. That’s just one way UDI’s can be used to benefit patients and healthcare providers. Click here for the proposed rule. I am positive that some companies, and their lobbyists, will fight the latest regulations from the FDA regarding labeling requirements. However, this makes even more sense than electronic medical records. UDIs will enable faster and more accurate product recalls and MDRs. Click here for more information (I have copied the example provided by the FDA).

%name The UDI: FDA Requirement

This is the unique device identifier example provided by the US FDA.

If you are trying to recall a product, the last thing you want is to continue to send out letters three and four times to medical facilities that have no idea when or if your product was used. They want to close out these requests for information quickly too. UDIs present a solution for assuring correct and complete responses by hospitals the first time.

How UDI Helps with Recalls
  • Locating devices in inventory
  • Locating product in distribution centers
  • Identifying product after it is removed from the outer box
  • Tracking product to each patient
How UDI Helps with MDRs

If you’ve been in the business long enough, you have seen more than one complaint about a product that you don’t even make. When this happens, the company is obligated to open an investigation to ensure the complaint gets recorded in the complaint files. The proposed rule includes the identification of the manufacturer. Therefore, 100% of the complaints should go to the correct company. Also, the company should always receive a lot number—something that almost never occurs. What do you think about UDIs? Has your company already taken steps to implement UDIs?

Posted in: FDA

Leave a Comment (3) →

Three Ways to Streamline the 510k Process

The author proposes three ways to streamline the 510k process through self surveys, scorecards, and modular submissions.

Modular submissions are already used for PMA submissions. Self-surveys and scorecards are tools that most companies utilize to evaluate vendors. Why not implement these solutions to make 510k reviews more efficient?

A few weeks ago, I posted a blog about the Triage pilot program at the FDA. I received some great comments by email, and this blog discusses this subject more in-depth with some specific ideas for streamlining the 510k process. Here’s the argument for considering these three proven methods:

Self-Surveys

In my previous posting about the Triage pilot program, I suggested using the existing FDA traditional 510k screening checklist and converting this into a similar “SmartForm.” Another way to think of this concept is by comparing it with a “Self-Survey.” Companies send Self-surveys to suppliers to gather information about the supplier as justification for approving them; Elsmar Cove has some discussion threads specific to the supplier self-surveys if you are unfamiliar with this method of torture. The critical step in the design of surveys is to require the submitter to provide references to procedures and forms, or to explain why something is not applicable. BSI uses this same strategy for its auditor combined checklists. Instead of checking “yes/no,” the auditor must reference a page in their audit notes where the objective evidence of conformity or nonconformity can be found. A submitter should fill in the checklist, rather than an FDA reviewer because this forces the submitter to verify that everything required is included. Canada has a similar requirement called a “submission traceability table” for Medical Device License Applications (see Appendix A). Self-surveys also replace some of the tedious searchings by a reviewer with cross-referencing work by the submitter. 

Scorecards

Another tool that supplier quality uses for supplier evaluations is the Scorecard: Elsmar Cove has a few discussion threads, including one with an example to download. For the 510 processes, I suggest developing scorecards for both the reviewer AND the submitter. The primary metrics for these scorecards would be on-time delivery and completeness of the submission for a submitter. “On-time delivery” requires advanced planning and communication of the submission with the FDA. This is important so that the FDA has adequate time before submission to identify the best reviewer(s) for the submission. The completeness of the submission should be 100% of a self-survey, SmartForm, or checklist used to prepare the submission. The primary metrics for the reviewer would be on-time completion and accuracy of the review.

The FDA already has target turn-around timescales for decisions (i.e., – 90 days), but there are different phases of review and multiple people the are involved in the reviews. Therefore, the measurement of reviewer time should be more granular. The accuracy of the reviewers should be validated by requiring all deficiencies to be re-evaluated by a peer or superior before involving the company. Submission sections without any findings should also be reviewed on a sampling basis as a double-check. Over time, the FDA should be able to use these scorecards to match up a reviewer with a submitter. It is critical that at least one of the parties is experienced, so we don’ t have the “blind leading the blind” situation. For those that are offended by the concept of a required second reviewer–get over it. Radiologists are periodically graded with images that are “red herrings.”

Modular Submissions

My third suggestion is to consider adopting some of the Premarket Approval (PMA) processes for the 510k process. In particular, pre-IDE meetings and modular submissions seem to be logical process improvements. There is typically one component of the submission that is a little behind the rest and can delay a submission. Under the current system, nothing is submitted or reviewed for a 510k, unless it is complete. However, it would enable companies to get new and improved products to market faster if submissions were modular. Validation, such as shelf-life and sterilization validation, is rarely the cause for a “Not Substantially Equivalent” (NSE) letter, but these tests are routinely the last few reports completed for submission.

Adopting a modular submission process for 510k would allow companies to submit sections of the submission as they are completed. This modular approach would alleviate the time pressure on both sides, and this proposed change should result in earlier product launch dates for the industry. The other component of this process is the pre-IDE Meeting. Before initiating a clinical study, companies will submit a plan for the study to the FDA. The intent is to obtain agreement on the validation testing that will be performed by the company–including the number of patients and the design of the clinical study. These meetings would also be valuable for 510k submissions where the company and the FDA need a forum to discuss what verification and validation testing will be required–especially for mixed-predicate devices and devices that are significantly different from a predicate device.

What do you think about these proposed changes to the 510k process?

Please share your own ideas for streaming the 510k process–including any comments regarding the FDA’s plans for change.

Posted in: 510(k)

Leave a Comment (0) →

Auditing Design Controls – 7 Step Process

This blog reviews seven steps for effectively auditing design controls utilizing the ISO 13485 standard and process approach to auditing.

turtle diagram for design controls Auditing Design Controls   7 Step Process

Third-party auditors (i.e., – a Notified Body Auditor) don’t always practice what we preach. I know this may come as a huge shock to everyone, but sometimes we don’t use the process approach. Auditing design controls is a good example of my own failure to follow was it true and pure. Instead, I use NB-MED 2.5.1/rec 5 as a checklist, and I sample Technical Files to identify any weaknesses. The reason I do this is that I want to provide as much value to the auditing client as possible without falling behind in my audit schedule.

Often, I would sample a new Technical File for a new product family that had not been sampled by the Technical Reviewer yet. My reason for doing this is that I could often find elements that are missing from the Technical File before the Technical Reviewer saw the file. This gives the client an opportunity to fix the deficiency before submission and potentially shortens the approval process. Since NB-MED documents are guidance documents, I could not write the client up for a nonconformity, unless they were missing a required element of the M5 version of the MDD (93/42/EEC as modified by 2007/47/EC). This is skirting the edge of consulting for a third- party reviewer, but I found it was a 100% objective way to review Technical Files. I also found I could review an entire Technical File in about an hour.

What’s wrong with this approach to auditing design controls?

This approach only tells you if the elements of a Technical File are present, but it doesn’t evaluate the design process. Therefore, I supplemented my element approach with a process audit of the design change process by picking a few recent design changes that I felt were high-risk issues. During the process audit of the design change process, I sampled the review of risk management documentation, any associated process validation documentation, and the actual design change approval records. If I had time, I looked for the following types of changes: 1) vendor change, 2) specification change, and 3) process change. By doing this, I covered the following clauses in ISO 13485:2016: 7.4 (purchasing), 7.3.9 (design changes), 7.5.6 (process validation), 7.1 (risk management), and 4.2.5 (control of records).

So what is my bastardized process approach to auditing design controls missing? Clauses 7.3.1 through 7.3.10 of ISO 13485:2016 are missing. These clauses are the core of the design and development process. To address this, I would like to suggest the following process approach:

Step 1 – Define the Design Process

Identify the process owner and interview them. Do this in their office–not in the conference room. Get your answers for steps 2-7 directly from them. Ask lots of open-ended questions to prevent “yes/no” responses.

Step 2 – Process Inputs

Identify how design projects are initiated. Look for a record of a meeting where various design projects were vetted and approved for internal funding. These are inputs into the design process. There should be evidence of customer focus, and some examples of corrective actions taken based upon complaints or service trend analysis.

Step 3 – Process Outputs

Identify where Design History Files (DHF) are stored physically or electronically, and determine how the DHF is updated as the design projects progress.

Step 4 – What Resources

This is typically the step of a process audit where their auditor needs to identify “what resources” are used in the process. However, only companies that have software systems for design controls have resources dedicated to Design and Development. I have indicated this in the “Turtle Diagram” presented above.

Step 5 – With Whom, Auditing Training Records

Identify which people are assigned to the design team for a design project. Sometimes companies assign great teams. In this case, the auditor should focus on the team members that must review and approve design inputs (see Clause 7.3.2) and design outputs (see Clause 7.3.3). All of these team members should have training records for Design Control procedures and Risk Management procedures.

Step 6 – Auditing Design Controls Procedures and Forms

Identify the design control procedures and forms. Do not read and review these procedures. Auditors never have the time to do this. Instead, ask the process owner to identify specific procedures or clauses within procedures where clauses in the ISO Standard are addressed. If the process owner knows exactly where to find what you are looking for, they’re training was effective, or they may have written the procedure(s). If the process owner has trouble locating the clauses you are requesting, spend more time sampling training records.

Step 7 – Process Metrics

Ask the process owner to identify some metrics or quality objectives they are using to monitor and improve the design and development process. This is a struggle for many process owners–not just design. If any metrics are not performing up to expectations, there should be evidence of actions being taken to address this. If no metrics are being tracked by the process owner, you might review schedule compliance.

Many design projects are behind schedule, and therefore this is an important metric for most companies. Now that you have completed your “Turtle Diagram,” if you have more time to audit the design process, you can interview team members to review their role in the design process. You could also sample-specific Technical Files as I indicated above. If you are performing a thorough internal audit, I recommend doing both. To learn more about using the process approach to auditing, you can register for our webinar on the topic.

Posted in: Design Control, ISO Auditing

Leave a Comment (1) →

Auditing Medical Device Software Vendors

This blog presents some thoughts related to auditing medical device software companies.

Software medical devices are used to assist medical professionals. For example, radiologists use software with identifying areas of interest for medical imaging. Do you know how to audit a software company?

As a third-party auditor, I have had the pleasure of auditing software companies for CE Marking. When you audit a software company for the first time, this forces you to re-learn the entire ISO 13485 Standard. For example, if a company only produces software (i.e. software as a medical device or SaMD) there is very little to sample for incoming inspection and purchasing records. This is because the product is not physical—it’s software. Clauses of ISO 13485 related to sterility, implants, and servicing are also not applicable to software products. If the software is web-based, the shipping and distribution clauses (i.e., – 7.5.5) might present a challenge to an auditor as well.

The aspects of the ISO 13485 Standard that I found to be the most important to auditing software products were design controls and customer communication. Many auditors are trained in auditing the design and development of software, but very few auditors have experience auditing technical support call centers. When auditing a call center, most of the calls represent potential complaints related to software “bugs,” system incompatibilities with the operating system or hardware, and use errors resulting from the design of the user interface.

In most technical support call centers, the support person tries to find a work-around for problems that are identified. The problem with a “work-around” is that it is the opposite approach to the CAPA process. To meet ISO 13485 requirements, software companies must show evidence of monitoring and measuring these “bugs.” There must also be evidence of management identifying negative trends and implementing corrective actions when appropriate.

As an auditor, you should focus on how the company prioritizes “bugs” for corrective actions. Most software companies focus on the severity of software operations and the probability of occurrence. This is the wrong approach. Failure to operate is not the most severe result of medical device software failure. Medical device software can result in injury or death to patients. Therefore, it is critical to use a risk-based approach to the prioritization of CAPAs. This risk-based approach should focus on the severity of effects upon patients—not users. This focus on safety and performance is emphasized throughout the EU Medical Device Regulations and it is a risk management requirement in ISO 14971.

Posted in: ISO Auditing

Leave a Comment (0) →
Page 26 of 29 «...10202425262728...»