This article provides an IVDR checklist for updating your ISO 13485 quality system to comply with EU Regulation 2017/746.
Why did I create an IVDR checklist?
Hundreds (if not thousands) of IVD manufacturers are currently updating their ISO 13485:2016 certified quality system from compliance with the In Vitro Diagnostic Directive (i.e. Directive 98/79/EC) or IVDD to the new EU In Vitro Diagnostic Regulation (i.e. Regulation 2017/746). Revision of technical files and the associated procedures for creating your technical files is a big part of these updates. However, there is much more that needs to be updated than just the technical documentation. Therefore, IVD manufacturers are asking Medical Device Academy to conduct remote internal audits of their quality system to identify any gaps. Usually, we conduct internal audits using the process approach to auditing, but this is one of the scenarios where the element approach and an audit checklist are invaluable.
How do you use an audit checklist?
An audit checklist is used by quality system auditors to collect objective evidence during an audit. This objective evidence verifies compliance with regulatory requirements or internal procedural requirements. If the auditor is unable to find supporting evidence of compliance, the auditor may continue to search for data or identify the requirement as a nonconformity. Typically, the checklist is a table with four columns. The left-hand column lists each requirement. The next column is where the auditor documents records sampled, procedures reviewed, and personnel interviewed. In the third column, the auditor indicates what they were looking for in the records, procedures, or during the interview. Some of the information in the second and third columns can often be entered prior to starting the audit by reviewing audit preparation documents (e.g. procedures and previous audit reports). In the fourth column, the auditor enters the objective evidence of conformity collected during the audit.
How to create an IVDR quality plan
Most of the companies that are preparing for an IVDR audit by their notified body already have ISO 13485:2016 certification, and they are using the self-declaration pathway for CE Marking under the IVDD. Under the IVDR, a notified body must now review and approve the technical file. The notified body must also confirm that the manufacturer's quality system has been updated to include the IVDR requirements. The Technical File requirements are found in Annex II and III, while most of the quality system requirements are found in the Articles. The quality system requirements include:
a risk management process in accordance with Annex I (deviations from ISO 14971:2019 will be necessary)
conduct a performance evaluation, including a post-market performance follow-up (PMPF). This requirement is defined in Article 52 and Annex XIII
create and maintain a technical file in accordance with Annex II & III
create and maintain a Declaration of Conformity in accordance with Article 17
CE Mark the product in accordance with Article 18
implement a UDI system in accordance with Articles 24, 26, and 28
record retention requirements for the technical file, Declaration of Conformity, and certificates shall be increased from 5 years to 10 years
set-up, implement, and maintain a post-market surveillance system in accordance with Article 78
document a procedure for communication with Competent Authorities, Notified Bodies, Economic Operators, Customers, and/or other Stakeholders
update procedures for reporting of serious incidents and field safety corrective actions in the context of vigilance to require reporting within 15 calendar days
update the product labeling to comply with Annex I, section 20
revise the translation procedure to ensure translations of the instructions for use are available in all required languages of the member states, and make sure these translations are available on the company website
create a procedure for utilization of the Eudamed database for registration, CE Marking applications, UDI data entry, and vigilance reporting
Which IVDR requirements are already met by your quality system?
Some companies also manufacture medical devices that must comply with Regulation (EU) 2017/745. For those companies, many of the above requirements are already incorporated into their quality system. In this case, you should still include all of the IVDR checklist requirements in your plan, but you should indicate that the requirement has already been met and audited previously.
Content related to our IVDR checklist
On Friday, April 1, 2022 @ 11 am EDT (8 am Pacific), Rob Packard will be Joe Hage’s guest speaker on the weekly MDG Premium Live video. The topic of the live presentation will be “How to create an IVDR quality plan.”
You are familiar with design and process risk analysis, but do you know all four types of risk analysis?
Last week’s YouTube live streaming video answered the question, “What are the four different types of risk analysis?” Everyone in the medical device industry is familiar with ISO 14971:2019 as the standard for medical device risk management, but most of us are only familiar with two or three ways to analyze risks. Most people immediately think that this is going to be a tutorial about four different tools for risk management (e.g. FMEA, Fault Tree Analysis, HAZOP, HACCP, etc.). Instead, this article is describing the four different quality system processes that need risk analysis.
What are the four different types?
The one most people are familiar with is risk analysis associated with the design of a medical device. Do you know what the other three are? The second type is process risk management where you document your risk estimation in a process risk analysis. The third type is part of the medical device software development process, specifically a software hazard analysis. Finally, the fourth type is a Use-Related Risk Analysis (URRA) which is part of your usability engineering and human factors testing. Each type of risk analysis requires different information and there are reasons why you should not combine these into one risk management document or template.
Design Risk Analysis
Design risk analysis is the first type of risk analysis we are reviewing in this article. The most common types of design risk analysis are the design failure modes and effects analysis (dFMEA) and the fault-tree analysis (FTA). The dFMEA is referred to as a bottom-up method because you begin by identifying all of the possible failure modes for each component of the medical device and you work your way forward to the resulting effects of each failure mode. In contrast, the FTA is a top-down approach, because you begin with the resulting failure and work your way down to each of the potential causes of the failure. The dFMEA is typically preferred by engineers on a development team because they designed each of the components. However, during a complaint investigation, the FTA is preferred, because you will be informed of the alleged failure of the device by the complainant, but you need to investigate the complaint to determine the cause of the failure. Regardless of which risk analysis tool is used for estimating design risks, the risk management process requires that production and post-production risks be monitored. Therefore, the dFMEA or the FTA will need to be reviewed and updated as post-market data is gathered. If a change to the risk analysis is required, it may also be necessary to update the instructions for use to include new warnings or precautions to prevent use errors.
Process Risk Analysis
Process risk analysis is the second type of risk analysis. The purpose of process risk analysis is to minimize the risk of devices being manufactured incorrectly. The most common method of analyzing these risks is a process failure modes and effects analysis (i.e. pFMEA). This method is referred to as a bottom-up method because you begin by identifying all of the possible failure modes for each manufacturing process step. Next, the effects of each process failure are identified. After you identify the effects of failure for each process step, the severity of harm is estimated. Then the probability of occurrence of harm is estimated, and the ability to detect the failure is estimated. The three estimates (i.e. Severity, Occurrence, and Detectability) are multiplied together to calculate a risk priority number (RPN). The resulting RPN is used to prioritize the development of risk controls for each process step.
As risk controls are implemented, the occurrence and detectability scores are estimated again. This is usually where people end the pFMEA process, but to complete one cycle of the pFMEA the risk management team should document the verification of the effectiveness of the risk controls implemented. For example, if the process step is sterilization, then documentation of effectiveness consists of a sterilization validation report. This is the last step of one cycle in the pFMEA, but the risk management process includes monitoring production and post-production risks. Therefore, as new process failures occur, the pFMEA is reviewed to determine if any adjustments are needed in the estimates for severity, occurrence, or detectability. If any of the risks increase, then additional risk controls may be necessary. This process is continuously updated with production and post-production information to ensure that process risks remain acceptable.
Software Hazard Analysis
Software hazard analysis is becoming more important to medical devices as physical devices are integrated with hospital information systems and with the development of software as a medical device (SaMD). Software risk analysis is typically referred to as hazard analysis because it is unnecessary to estimate the probability of occurrence of harm. Instead, it is only necessary to identify hazards and estimate harm. Examples of these hazards include loss of communication, mix-up of data, loss of data, etc. For guidance on software hazard identification, IEC/TR 80002-1:2009 is a resource. FDA software validation guidance indicates that software failures are systematic in nature and the probability of occurrence cannot be determined using traditional statistical methods. Therefore, the FDA recommends that you assume that the failure will occur and estimate software risks based on the severity of the hazard resulting from the failure.
Use-Related Risk Analysis
The fourth and final type of risk analysis is use-related risk analysis (URRA). Most development teams assume that they are able to use traditional hazard identification techniques to identify the potential use-related risks. However, use-related risks are inextricably linked to the experiences of the user. The development team has unique knowledge of the device they are developing, and therefore it is likely that use-related risks associated with a lack of knowledge about the device will result in use errors that the development team would not realize. For this reason, formative testing is necessary to identify unforeseen use-related risks. Once formative testing identifies these risks, additional formative usability testing can be used to create and refine the instructions for the use of a medical device. Finally, formative testing can be used to develop user training programs that prevent potential use errors. Once the development team has completed the necessary formative testing, then summative usability testing is used to validate the effectiveness of the risk controls that were implemented.
In the past, I believed that the FDA’s focus on usability was the review of summative usability testing. However, I have learned that the FDA feels it is equally important to begin the human factors testing process by first performing a use-related risk analysis and then identifying the critical tasks. Without identifying these critical tasks, it is not possible for the FDA to determine if the moderator of the summative testing has observed all of the critical tasks being performed correctly. An example of a Use-Related Risk Analysis (URRA) was provided by the FDA in a 510(k) AI deficiency letter that we received. The example is provided below.
Example of a URRA Table provided by the FDA
Can you use only the IFU to prevent use-related risks?
Instructions for use (IFU) are required to include warnings and precautions. This information provided by the manufacturer explains how to use a medical device correctly and identifies the residual risks. This is a form of risk control, but it is the least effective form of risk control and should be the risk control of last resort. Not everyone reads the IFU, and you cannot guarantee that everyone will understand the instructions. You certainly can’t be sure that users will remember all your warnings or precautions when they are tired, stressed, or acting in an emergency situation. Design controls and protective measures should be implemented as the first and second priority for risk controls, and the IFU should be your lowest priority.
This is the reason why we use color-coding and design features that eliminate the possibility of a use error, why we provide training to users, and why we are required to monitor use-related risks for medical devices. Formative usability testing is intended to identify use errors we did not anticipate, to help us develop instructions for use (IFU), and to help us develop training for users. Summative testing is intended to validate that the design, training, and IFU are effective at preventing use errors. All three of these aspects work together, not the IFU alone. In fact, there is an entire alarms standard that identifies protective measures that shall be used for electromedical devices to prevent use errors (i.e. IEC 60601-1-8).
Facilitating Risk Management Activities – An Interview with Rick Stockton
If you listened to our YouTube video about the four different types of risk analysis, you may have heard my reference to Rick Stockton’s interview, which we posted on our YouTube channel. In our interview with Rick Stockton, we discussed how to facilitate risk management activities during the design and development of medical devices. If you are interested in learning more about Rick and facilitating risk management activities, please watch the video of our interview with Rick.
The FDA and Health Canada both have executive-level orders requiring the reporting of medical device shortages or supply-chain disruptions.
In a previous article, we discussed supply-chain disruptions and mentioned that there might be medical device shortage reporting requirements if that disruption causes a market shortage of the manufactured device. Both the United States and Canada have reporting requirements for supply disruptions or the market’s ability to meet the demand of specific types of devices.
Both the U.S. FDA and Health Canada have executive-level orders that require reporting of shortages or disruptions to the supply of medical devices deemed necessary for the COVID-19 Health Emergency. There is some overlap, but each country is monitoring and experiencing shortages and disruptions of different devices.
Where did medical device shortage reporting responsibilities come from?
Check 21 CFR 820, ISO 13485:2016, and even peek at SOR 98-282 and see if you can find your obligations for reporting. Go ahead. I’ll wait… Not much in there, right? Adverse events, complaints, etc., but not market shortages. Medical device shortage reporting is specific to health emergencies. The U.S. FDA and Health Canada happen to be two authorities having jurisdiction with reporting requirements for shortages concerning the COVID-19 Health Emergency. However, there may be others, so having your organization’s regulatory affairs manager verify the reporting requirements for the markets in which you are engaged might not be bad.
U.S. FDA 506J reporting
In the United States, an Amendment to the U.S. Food, Drug, and Cosmetics Act requires regulatory reporting by medical device manufacturers to the U.S. FDA. It is sometimes called 506J reporting for the Section of the U.S. FD&C Act where it is located.
You will find the statutory requirements outlined within 21 USC 356J.
For the full text, read 21 USC 356j: Discontinuance or interruption in the production of medical devices. (Interestingly enough, the website where this information is available is not an HTTPS site, so visit at your own discretion.)
There are two types of devices that the FDA is monitoring: “critical” devices and an FDA-published list of devices for which COVID-19 is causing a higher than expected demand.
The FDA has released a guidance document that contains criteria for what is considered to be a “Critical Device”. This includes devices such as those used during surgery, emergency medical care, and those intended to treat, diagnose, prevent, or mitigate COVID-19.
There is also a published list of devices of concern that the FDA is specifically monitoring. The FDA website lists these devices by product code, but they include the following device types:
Clinical Chemistry Products
Dialysis-Related Products
General ICU/Hospital Products
Hematology Products
Infusion Pumps and Related Accessories
Microbiology Products
Needles and Syringes
Personal Protective Equipment (PPE)
Sterilization Products
Testing Supplies and Equipment
Ventilation-Related Products
Vital Sign Monitoring
Understandably, this process may not be intuitive, and for this reason the FDA has released a guidance document that addresses:
Who must make the notification
When you should make a notification
What information needs to be included within your 506J notification
How to make a notification, and
Penalties for failure to make a notification
The referenced product codes may not be an all-inclusive list or entirely up to date. The best suggestion for full compliance is to go straight to the source of the regulation, in part because noncompliance can result in enforcement action from the FDA. If you think that your device might require notification to the FDA but isn’t in the reference table, you should contact the FDA for notification clarification. Below is the quote from the FDA website, and it includes the contact email for asking these specific questions to ‘the agency.’
“If a device type is not included in this table, but you believe it requires a notification under section 506J of the FD&C Act, or if you have questions regarding the device types in this table, you should contact FDA at CDRHManufacturerShortage@fda.hhs.gov and include “Question” in the subject line of the email.”
How do you make a 506J report to the U.S. FDA?
The FDA accepts 506J reports in multiple ways. For example, you may use the 506J Reporting web form or submit a notification by email directly to (Include Email Here). In addition, Medical Device Academy has developed a Work Instruction and Form to determine if your company is experiencing a reportable discontinuance or meaningful disruption in manufacturing a medical device as well as compiling the report for submission.
There are a few methods of notification: a web form for individual notifications, spreadsheet options for multiple notifications at once, or emailing a report directly to the FDA reporting email included below:
CDRHManufacturerShortage@fda.hhs.gov
It is for this process that Medical Device Academy developed WI-010 506J Shortage Reporting to the U.S. FDA. This work instruction and associated form, FRM-053 506J Reporting Form are designed to walk you through the process of determining reportability and compiling the information necessary to either complete the webform or email the report directly to the shortage reporting email.
Medical Device Shortage Reporting to Health Canada
Rather than discontinuance and disruption of manufacture, Health Canada is monitoring for shortages of specific devices. Therefore, Health Canada wants Medical Device Shortage Reports regardless of the reason for the shortage. This also shows that this is not identical reporting of the same conditions to two different authorities. Health Canada will also accept reports from importers because the frame of reference is Canada’s supply of medical devices relative to Canada’s needs.
As an Authority Having Jurisdiction, Health Canada also has reporting requirements for medical device shortage reporting of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.
The table below shows, by classification level, the device types for which HC requires supply chain disruption notifications. This information is current as of September 5th, 2021, and the link below will take you to the HC website page for the most up-to-date list.
List of ‘Specified Devices’ that Health Canada is monitoring for shortage reporting
One of the things that Health Canada does an excellent job of is defining its expectations. In the Second Interim Order Respecting Drugs, Medical Devices and Foods for a Special Dietary Purpose in Relation to COVID-19, it is explained that manufacturers or importers should report to the Minister actual or expected shortages of the device, OR of components, accessories, or parts. These notifications must be made within 5 days of becoming aware of the shortage or the anticipated shortage date. Update reports must be made within 2 days of becoming aware of new information regarding the shortage, and a closing report must be made within 2 days of the end of the shortage.
These reports are submitted online through the Health Canada website. They have an entire section dedicated to medical device shortages, and the reporting links can be found there. If you have any questions or are on the fence about notification, you can email Health Canada at MD.shortages-penurie.de.IM@canada.ca.
The webform for reporting a shortage is the same webform that is used for providing update reports to Health Canada as well. This is both for manufacturers of specified medical devices as well as importers.
A profound realization was made while performing a routine MDR gap analysis of Medical Device Academy’s technical documentation procedure.
In this article, I wanted to discuss the functional effect that a gap analysis can have on your entire quality system. Everything mentioned below came about because I performed an MDR gap analysis against a single procedure, which resulted in the addition of three words to a single sentence. This small modification was made simply to clarify a sentence that was already compliant without the change. Those three words made me reexamine the entire procedure. Then I tried to identify possible interpretations of that one sentence both before and after the modification. Finally, I questioned how adding three words might affect quality systems as a whole.
What was the section reviewed in the MDR gap analysis?
The MDD (i.e. 93/42/EEC) did not include a section that defined the requirements for technical documentation. The MDD does not include the phrase “device description,” or “intended patient population.” Therefore, when the MDR came into force, companies were forced to update their technical documentation procedure to comply with the new Annex. The section of the regulation that I was performing the MDR gap analysis against was Annex II. Specifically, subsections 1.1a) and 1.1c):
1.1(a) “product or trade name and a general description of the device including its intended purpose and intended users“;
1.1(c) “the intended patient population and medical conditions to be diagnosed, treated and/or monitored and other considerations such as patient selection criteria, indications, contra-indications, warnings;“
There are only two places in the MDD where the phrase “intended users” is found: Article 11(14) and Annex I(1). In Annex I(1) of the MDD, the Directive clarified that design of devices shall include: “consideration of the technical knowledge, experience, education and training and where applicable the medical and physical conditions of intended users (design for lay, professional, disabled or other users).” The introduction of the phrase “intended patient population” in the MDR forced me to reevaluate the wording we were using in our SYS-025 Technical Documentation Procedure. The wording we were using was: “users and patients.” Therefore, first I added the word “intended” before “users” and “patient”, and second I added the word “population” after “patient.”
Why would the MDR require these specific changes?
These are very small changes, but they were meant to explain more clearly that documentation was needed for very specific areas. Previous versions of the procedure left more room for interpretation, such that intended users may not have been differentiated as strongly from intended patients, especially in cases where they are one and the same. These two subsections of Annex II, 1.1(a) and 1.1(c), outline that there are two specific populations of real people that must be taken into account within the device description and design specification areas of your technical documentation:
the intended users, and
the intended patient.
Even if the user and the patient represent the same person, these are two separate areas that require technical documentation. Intended users, who may or may not be within the “intended patient population” that the device was designed for, should be documented entirely separately in your technical documentation.
Take, for example, a home-use lancet device included within a glucometer kit. The intended user is probably going to be the diabetic patient who wishes to check their blood glucose levels at home. In this case, the intended user would also be a member of the intended patient population.
However, because this is not always the case, there should be a clear separation of the documentation between the intended users of 1.1(a) and the intended patient population in 1.1(c). An example of this would be a surgical scalpel, a medical device that is probably intended to be used by a physician within the controlled environment of a surgical procedure. In this example scenario, the intended patient population would differ from the user: the patient would be the population of people who need to undergo the above-mentioned surgical procedures, but the user of the device is the physician or surgeon actually performing the procedure.
Considerations going beyond my MDR gap analysis
Everything that we are talking about is for intended patient populations or intended users. Documentation regarding these areas is important for several reasons and strong record keeping early on in the device development stages will help with things like statistical analysis, tracking and trending, and even possible modifications to Instructions For Use or labeling in the future. Most people performing a gap analysis would just make the changes and move forward without a second thought. However, the phrase “intended patient population” was introduced to the MDR for a reason, and it forced me to think beyond the task at hand.
Let us look back at our diabetic patient with the home-use glucometer kit. I like fleshing my characters out, and providing a back story really helps me mentally associate these fictitious characters with the potential real-life patients they may represent.
I am going to name him Matthew D. Mellitus Jr. He is 28 years old, a morbidly obese type II diabetic, and a married father of two. Beyond the extraordinary play on words in the name Mr. D. Mellitus Jr., I promise that there is a purpose behind this.
Matt is the intended user of the specific glucometer kit that he has. It contains within it, a glucometer, alcohol prep pads, a lancet device, spare lancets, and a container of test strips. He is also a member of the intended patient population because he is a diabetic with orders from his primary care physician to check his blood glucose levels at home.
One day, while at home, his spouse finds that he appears to be sleeping at an odd time of day and is rather unarousable. Knowing that he is diabetic, she checks his blood sugar using that same glucometer kit. Now, this is a broad, made-up but plausible scenario. Is his spouse an “intended user”? Sure, Matt the diabetic is still a member of the “intended patient population”, but ask yourself some of these follow-up questions:
Did the manufacturer of the glucometer kit design and document the intended user to include caretakers of the “intended patient population”?
If not, does this mean that Matt’s spouse was using the glucometer in an off-label manner?
If both caretakers and patients are intended users, are the Instructions For Use written in such a manner that they are clearly understood when applied to testing blood glucose levels on others as well as yourself?
Perhaps this was an unforeseen human factor when designing the glucometer kit that needs further study?
I promise that questions like these are better asked and incorporated into the design and development of a medical device early on rather than having to address them post-market release and have to consider recalls, notifications, corrective actions, etc. in the future.
Do the questions end with my MDR gap analysis?
All of the above discussion resulted from a single sentence being tweaked just a little bit in order to make a procedure clearer and leave less room for interpretation. These are just theoretical questions that should be asked. As the ‘rabbit hole’ always seems to go deeper and branch off, so do some of these theoretical situations. This was just a bit of a back-and-forth conversation with myself regarding a very specific section of Annex II. As we delve deeper into the proverbial rabbit hole, consider again the situation where Matt’s spouse used the device. If she was not an “intended user,” does this qualify as “misuse of the device”? Maybe, or maybe not, but each situation will result in different answers to these questions.
If you go back to Annex I, Chapter 1, Section 3(c) it states, “estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse.” If that is considered misuse, is it ‘reasonably foreseeable’ (taken from the English Version of Regulation EU 2017/745 on 08/31/2018)? What is considered misuse? The EU MDR does not have misuse in its definitions. In fact, the term misuse is only even used three times. To narrow down whether or not this is reasonably foreseeable misuse we need to find a working definition within an accepted harmonized standard or other regulation that applies to the governance of medical devices within the same manner that the EU MDR does.
That same thoroughness needs to be applied to how misuse may be considered foreseeable. Maybe through human factors studies? Maybe through post-market surveillance it is discovered that the device is sometimes used by someone other than an intended user, or for something other than the intended purpose. Should misuse be discovered or suspected, does it fall under the realm of being ‘reasonably foreseeable?’ Ask these questions early, ask them often, and then don’t be afraid to ask if they still apply in the future. Have regulations or standards changed? Proactive measures can help discover issues sooner. This lets risks be addressed sooner and ultimately could prevent negative outcomes and experiences for the patients these devices are meant to help.
Conclusions of this MDR gap analysis
I had these thoughts while updating Medical Device Academy’s procedures. First, procedures should always be living documents that can grow and change as standards and regulations evolve to meet the needs of the ever-evolving medical device community. This MDR gap analysis applies largely to technical documentation, and as such we updated our technical documentation procedure. Every time we analyze quality system documents and technical documentation through the lens of a new standard or regulation, we are certain to expand our appreciation for the complexity of medical device design and development.
What can you do to stay ahead of medical device supply chain disruptions and comply with reporting requirements of possible device shortages?
Supply chain issues can be somewhat cyclical. As we approach the holiday season, we also approach the shipping season. Public shipping services such as FedEx and UPS see an increase in freight as the holiday seasons approach. Manufacturers need raw materials and components to stock the shelves with all of those holiday gifts. Since we are still living under pandemic conditions, I would be willing to bet there will be more care packages and mailed gifts in place of traditional gatherings. On top of the approaching increase in demand, staffing shortages can very quickly exacerbate supply chain bottlenecks. All the while, importers are still expected to… well, import! If transportation affects all general industry, you can bet it can also cause medical device supply chain disruptions.
So what does an overburdened mail service have to do with medical devices and quality systems?
Consider, how are your customers getting your product in their hands? How are you receiving raw materials and components? How about your contract manufacturer? Do they have supply chain redundancies? Does your supplier quality agreement address notifications for shipping disruptions?
Do you have a regulatory obligation to report a shortage/supply chain disruption or interruption of manufacturing to the FDA or Health Canada? The FDA monitors for discontinuance and meaningful disruption of manufacturing of certain devices, and similarly Health Canada monitors its own list of devices for market shortages. Supply chain disruptions, either through difficulty sourcing raw materials and components or through a transportation breakdown of finished devices to market, are just one way you could experience a reportable disruption or shortage.
Matthew did not choose the topic of medical device supply chain disruptions randomly. His signature brand of pessimistic cynicism is the reason we have him tasked with keeping his fingers on the pulse of global concerns and potential threats and risks. Potential supply chain disruptions will involve your quality staff in developing preventive actions and contingency plans in case there is an issue. Then, your regulatory team will be in charge of reporting and AHJ notification if you are an affected manufacturer (or importer in Canada!). Understaffed and overloaded shipping and transportation suppliers are about to be bombarded with seasonal freight. This makes them an attractive target for ransomware because, just like healthcare facilities, they will not be in a situation where they can afford any downtime.
Regulatory responsibilities related to device supply chain disruptions – Organized by Jurisdiction
The FDA requires reporting of shortages and supply chain disruptions to CDRH, specifically permanent discontinuance or interruption in manufacturing of a medical device, under Section 506J of the FD&C Act, especially so in response to the COVID-19 public health emergency. In part, the general public’s need for healthcare during the pandemic guides what devices the FDA needs notification about.
Currently, the FDA is concerned about specific device types by product code or any devices that are critical to public health during a public health emergency. For the most up-to-date list, the link to the FDA website will show the specific product codes of the monitored device types.
As an Authority Having Jurisdiction, Health Canada also has reporting requirements for supply chain disruptions of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.
The table below shows the device types by their classification level that HC requires supply chain disruption notifications for. This information is current as of September 5th, 2021, and the following link will take you to the HC webpage for the most up-to-date list.
Class I Medical Devices
Masks (surgical, procedure or medical masks) – Level 1, 2, 3 (ASTM)
N95 respirators for medical use
KN95 respirators for medical use
Face shields
Gowns (isolation or surgical gowns) – Level 2, 3 and 4
Gowns (chemotherapy gowns)
Class II Medical Devices
Ventilators (including bi-level positive airway pressure or BiPAP machines, and continuous positive airway pressure or CPAP machines)
Infrared thermometers
Digital thermometers
Oxygen Concentrators
Pulse Oximeters (single measurement)
Aspirators/suction pumps (portable and stationary)
Laryngoscopes
Endotracheal tubes
Manual resuscitation bags (individually or part of a kit)
Medical Gloves – Examination and Surgical (Nitrile, Vinyl)
Oxygen Delivery Devices
Class III Medical Devices
Ventilators (including bi-level positive airway pressure or BiPAP machines)
Harden your supply chain with redundancies. Now is the time to qualify a second supplier as a contingency plan before it is too late. Maybe even consider opening a Preventive Action? (HINT HINT for those ISO 13485 manufacturers that need to beef up their Clause 8.5.3 operations!)
Supply chains have both up and downstream functions. First, you likely need to source raw materials and components for production. Then you also need to ship those finished devices to distribution centers and your customers. Disrupt either of those and your ability to sell your devices is compromised or even completely halted.
Ask yourself, “Do I have a backup option for shipping?”, and “Do I have a backup option for raw materials and components?”.
Why?
Why go through all of that effort? Well, if you lose UPS and have to use FedEx instead, are their shipping procedures identical? Likely you will need a WI-level document for each shipper to explain the process. It is easier to pre-qualify a contingency supplier and establish a WI now rather than in December when holiday shipping is at its peak. Consider whether you also need to open accounts, etc. Scheduling a pickup online may not be intuitive.
Just identifying a backup is important, but you can take that a step further and pre-qualify them. If they are a shipping and transportation supplier then give them a shipment or two in order to evaluate them. Hold them to the same standards you would for your primary supplier.
Did your shipment arrive on time? Was it damaged during transit? This is provisional qualification, or pre-qualification. Did they perform adequately enough to use as a tentative supplier in the event the primary supplier is unable to perform? This is designed to make a full qualification of this supplier simple and easy, if you need to utilize them, that is. Maintaining this pre-qualification should also be simple and easy. Once a year or so, have them deliver a shipment for you.
That is just for importing or shipping finished devices. Do you have backup raw material or component suppliers identified? If not, identifying or even pre-qualifying secondary suppliers might not be a bad idea either. You are probably tied down to a specific geographic area for shipping and transportation. You may not be for raw materials. If you need barrels of silicone, consider a backup supplier from a different area than your primary supplier. Natural disasters create havoc for shipping. If your silicone comes from Company A, and they are closed down because of a hurricane, then Company B ten miles away is likely affected as well.
For example, if you are in the U.S. and your primary supplier is in the Northeast then a backup supplier in the Southeast may be strategically important. Whereas a backup supplier from the Southwest may be cost-prohibitive.
What about your suppliers? Is your device high-risk enough that if your supply chain is disrupted, you have an obligation to report it to the FDA? In that scenario, if you use a contract manufacturer, it may be worth requiring supply chain contingencies and clearly identifying who owns what reporting responsibilities within your quality agreement with them.
There is an element of proactive responsibility in reporting these shortages, or projected shortages. In order to be able to predict medical device supply chain disruptions, there should be metrics that your quality system is monitoring. What is your monthly production capacity? How much raw material or components does your warehousing have on hand? How many units could you manufacture if the transport industry stopped right this second?
Determine what you need to track in order to identify a disruption before it occurs.
Prepare for notification now. This article looked at the problem from the point of view that transportation issues were the root cause of the supply chain disruption. However, many other things could be disruptive, such as natural disasters and supply availability. Therefore, develop a WI-level document for conducting these types of regulatory reporting activities and train personnel before a disruption happens. It is easier to tackle these kinds of problems if you already have process controls in place and trained, competent staff than if you wait until the reporting timeline clock is already ticking.
In the near future, we will be posting a new blog about 506J and Shortage Reporting. We will also have a work instruction and training webinar available soon.
Future blogs about device supply chain disruptions… Shortage Reporting
About the Author
Matthew came to us with a regulatory background that focused on OSHA and NFPA regulations when he was a Firefighter/EMT. Since we kidnapped him from his other career, he now works in Medical Device Quality Management Systems, Technical/Medical Writing, and is a Lead Auditor. Matthew has updated all of our procedures for He is currently a student in Champlain College’s Cybersecurity and Digital Forensics program, and we are proud to say that he is also a member of both the Golden Keys and Phi Theta Kappa Honor Societies! Matthew participates as a member of our audit team and has a passion for risk management and human factors engineering. Always the mad scientist, Matthew pairs his professional life in regulatory affairs with hobbies in the culinary arts as he also holds a Butchers/Meat Cutters certificate from Vermont Technical College.
Before you complete FDA forms for your 510k submission, you need to make sure you have the most updated FDA forms.
How do you know if the FDA form you are using is current?
The FDA assigns numbers to each FDA form and the document control number is found in the bottom left footer of the document. In addition, the top right-hand header of the document will have an expiration date for the form (see the picture below). Often the changes to FDA forms are minor, but you should only submit the current version of the FDA form which has not expired.
What happens if you are using an expired FDA form?
In the past, if you included an obsolete document in your submission, the FDA would often ignore this and proceed with the review of your submission anyway. Now FDA reviewers will identify the obsolete form and require you to resubmit the document on the current version of the form. If the reviewer is conducting an initial Refusal to Accept (RTA) screening, and a deficiency in one of the required items in the RTA screening is identified, then you will receive an RTA Hold letter and the RTA checklist will include a comment that you have used an obsolete version of an FDA Form.
If there are no deficiencies identified in the RTA checklist, the reviewer may still send you an email asking you to submit the document on the correct form. This could be a formal amendment (e.g. K123456/A001) or it could be an informal email of the corrected document. This type of request could also be identified after the substantive review is complete in the form of a comment in an Additional Information (AI) Request or as part of an Interactive Review Request. An AI Request must be responded to with a formal supplement submitted to the Document Control Center (DCC) as a supplement to the original submission (e.g. K123456/S001) or as an informal amendment submitted by email.
Examples of updated FDA forms for your 510k submission
Expired forms are frequently submitted to the FDA because submitters are using templates that have not been properly maintained or the submitter modified a form that was submitted in a previous 510k submission. The most common examples include: FDA Form 3514 (i.e. Submission Coversheet), FDA Form 3881 (i.e. Indications for Use), and the RTA Checklist.
Where can you find updated FDA forms?
Recently one of our clients noticed that the 510k template folder we share with people that have purchased our 510k course included obsolete templates for Financial Disclosure. There are three financial disclosure forms that can be used for a 510k submission or De Novo Classification Request:
FDA Form 3454, Certification: Financial Interest and Arrangements of Clinical Investigator (PDF)
FDA Form 3455, Disclosure: Financial Interest and Arrangements of Clinical Investigators (PDF)
FDA Form 3674, Certification of Compliance, under 42 U.S.C. § 282(j)(5)(B), with Requirements of ClinicalTrials.gov (PDF)
We normally update these FDA forms as soon as the new form is released, but these financial disclosure forms are only used in about 10-15% of 510k submissions.
The current version of most FDA forms can usually be found by simply conducting an internet search for the form using your favorite browser. However, sometimes you may find a copy of the document that was edited by a consultant to facilitate completion of the document as an unsecured PDF or Word document. Although this is convenient, you should not use these “bastardized” forms. You should use the original secured form provided by the FDA. These native forms require Adobe Acrobat to complete the form and save the content. The most current version of the FDA form can be found using the FDA’s Form search tool.
Editing and Signing FDA Forms
Most of the FDA forms are secured, and you can only enter information in specific locations. If there is a location for a signature, usually the signature cannot be added in Adobe to the secured form. In these situations, our team will save the document in the “Microsoft Print to PDF” format. Once the document has been saved in this “non-native” format, you can manipulate almost anything in the document. Then we will add signatures using the “Fill and Sign” tool in Adobe Acrobat, or we will use the “Edit” tool. Editing also gives us the ability to make corrections when the document has incorrect information filled in somewhere on the form.
Another option for adding dates and signatures is for you to save the document as a non-secure PDF. Then using an electronic signature software tool like Docusign, you can request that another person add their electronic signature or you can add your own electronic signature. Some companies prefer to do this to ensure the electronic signature meets 21 CFR Part 11 requirements, but the FDA accepts scanned images of a signature that was added to the document without certification in a 510k submission. This is even true for the Truthful and Accuracy Statement for a 510k. That document can be attached as a PDF in an FDA eSTAR template or you can electronically sign the eSTAR template if the person preparing the eSTAR is also the person signing the Truthful and Accuracy Statement.
Tips and Tricks for maintaining templates
Our company is a consulting firm, and we do not have a formal document control process that would be typical of our clients. However, we do have a shared Dropbox folder where we maintain the most current version of 510k templates. Any obsolete versions we move to an archive folder. However, there are ways to improve this informal system. You can include a date of the document in the file name. For example, “Vol 4 001_Indications for Use (FDA Form 3881) rvp 2-7-2022.” This indicates that this file is the FDA Form 3881 which is the indications for use form used in Volume 4 of the 510k submission. The document is the first document in that volume. The date the form was revised and saved is February 7, 2022 and the author’s initials are “rvp.”
If you are saving 510k templates you might consider adding an expiration date to the file name. For example, “Vol 4 001_Indications for Use (FDA Form 3881) exp 06-30-2023.” This file name indicates that the form’s expiration date is June 30, 2023. The inclusion of an expiration date in the file name is a visual reminder of when you will need to search for an updated FDA form.
A third way to manage your FDA Forms is to include them in your documents of external origin. ISO 13485:2016, Clause 4.2.4, requires that you maintain control of documents of external origin. Therefore, if your company has a formal quality system, a list or log of documents of external origin is the best way to manage FDA forms. Your log should indicate the date the updated FDA form was created, any parent guidance documents should be cross-referenced, and the expiration date of the FDA form should be identified. By using a log of this type, you can sort the list by expiration date or by the date of creation if there is no expiration date identified. Sorting the list will help your team prioritize which documents need to be reviewed next for new and revised versions.
Additional 510k submission resources
The FDA will be updating the 510k guidance for the new FDA eSTAR template by September 2022. Medical Device Academy will be systematically updating all of our templates and training webinars related to preparation of 510k submissions. We will also be preparing for the transition from FDA eCopy submissions to electronic submissions via a Webtrader Account.
You can keep up-to-date on template revisions in one of two ways:
Purchase our 510k course, and you will receive access to the updated templates as they are created. We will send email notifications each time a template is updated.
Register for our New Blog email subscription for automated email notifications of when a new blog is released about updated FDA forms, templates, and webinars.
Register for our New Webinar email subscription for automated email notifications of when a new or revised webinar is scheduled and for email notification of our newest live streaming YouTube videos.
You can conduct multiple individual process audits or you can conduct one full quality system audit, but which solution is better?
What are individual process audits?
There are 25 processes that require procedures for compliance with the US FDA quality system regulations, and ISO 13485:2016 has 28 required procedures. Individual process audits focus on one of these procedures, the process it controls, the equipment and software used by that process, the work environment where the process is performed, the people responsible for the process, the records resulting from that process, and any metrics or quality objectives associated with that process. An individual process audit can be completed remotely or on-site, and these audits will be much shorter in duration than a full quality system audit. Another way to think of an individual process audit is to realize that a full quality system audit is comprised of many individual process audits scheduled back-to-back. Auditing one process might be as short in duration as 30 minutes (e.g. control of records), but individual process audits can take as long as four hours (e.g. design controls and technical file audits).
What is a full quality system audit?
A full quality system audit is typically a single audit conducted annually to address all the requirements for conducting an internal audit of your quality system. In this type of audit, all of the procedures and processes should be covered. Therefore, full quality system audits are necessarily longer. If the person assigned to conduct the full quality system audit is an employee, that person cannot audit their own work. This can be addressed in two ways: 1) the audit can be a team audit, and the other team members can audit areas the lead auditor was responsible for; and 2) the process(es) that the lead auditor is responsible for can be audited as individual process audits by another auditor at another time.
If the person assigned to conduct the full quality system audit is a consultant from outside the company, there is still potential for conflicts regarding independence. If the consultant audited the company in the previous year, then the auditor cannot audit last year’s internal audit. In our consulting firm we address this issue in two ways: 1) we rotate who is assigned to audits so that the same auditor does not conduct a full quality system audit two years in a row, or 2) we assign another auditor in our company to conduct the audit of internal auditing as a team member.
How do you evaluate auditing effectiveness?
Some companies perceive that auditing is a necessary evil and they want to put as little effort and resources into the audit as possible. In this situation, auditing might be evaluated based upon whether it was completed on-time, by how much the audit cost the company, and the fewer nonconformities identified the better the perceived outcome. This perspective typically results in a single full quality system audit that is three days in duration or shorter if an auditor can manage to complete the audit in less time. Of course the shorter the audit is, the fewer records that an auditor has time to review. Therefore, shorter audits typically have fewer findings and management is pleased at the outcome because the audit required fewer resources and had little or no nonconformities.
The better approach is to look at auditing as a method for identifying areas that need improvement. Identifying areas where your quality system needs improvement is the intent of requiring internal audits. Therefore, the amount of time your company allocates to auditing should reflect the benefits for improvement that are identified. Top management of your company needs to identify which process areas they feel need improvement. Only then can the audit program manager design an audit schedule that will focus on identifying opportunities for improvement and nonconformities in the process areas where management feels improvement is most needed. Ideally, this approach to auditing will focus on looking for inefficiency and metrics with negative trends. These findings result in preventive actions instead of corrective actions, because the process is not yet nonconforming. In general, the more opportunities for CAPAs that are identified, the more valuable the audit was.
What advantages do one full quality system audit present?
Sometimes a single full quality system audit is easier to schedule, because it is only once per year. The rest of the year your company will not need to spend much time discussing audits or even thinking about them. If your company perceives audits as a necessary evil, then the less disruption caused by scheduling an audit the better.
Another advantage of conducting full quality system audits is that you can more easily afford to use external consultant auditors, because the travel costs for auditing are limited to one trip per year. If you had more than twenty individual process audits each year, and external consultant auditors conducted all of the audits, then you would have to pay for travel costs twenty times each year. Unless the consultant lives locally, these travel costs can be substantial.
What advantages exist for individual process audits?
Individual process audits are much easier for the auditor to complete within the time established in the audit agenda, because the auditor does not have another audit process immediately preceding or immediately following the process they are auditing. There are also fewer people that need to attend an opening or closing meeting for an individual process audit, because only one process is being audited. Managers from other departments are seldom needed for participation in the opening or closing meeting. The combined benefits result in the auditor being more likely to start the opening meeting on time and to start the closing meeting on time.
The shorter duration of individual process audits is also an advantage. There are very few times in a year when none of your department managers will be traveling, sick, or on vacation. These rare weeks only happen a few times each year, and sometimes auditors must proceed with an audit even if someone is absent because they have no alternative. If you are preparing for an audit remotely, your face-to-face audit time is only 90 minutes, and your report writing time is also conducted remotely, then finding 90 minutes of available time in a department manager’s schedule is usually quite easy.
Can both approaches to internal audit scheduling coexist?
You can combine both approaches to audit scheduling in several possible ways. First you can schedule one full quality system audit each year in order to make sure that the minimum audit requirements are met, and then top management can review the results of the full quality system audit to decide which processes would benefit from individual process audits.
A second strategy would include conducting individual process audits for each process that resulted in a nonconformity during 3rd party certification audits or during the one full quality system audit. In this scenario, you might have a 3rd party audit in November, a full quality system audit in May, and top management might select 10 other individual processes to audit during the other 10 months of the year.
A third strategy would be to alternate between individual process audits and single full quality system audits each year. During “odd” years the audit program manager would only schedule one full quality system audit, and during “even” years the audit program manager would schedule multiple individual process audits.
A fourth strategy would be for top management to select a few processes that they would like the audit program manager to focus on with individual process audits, and all of the remaining processes would be incorporated into a single audit that covers the remaining 70% of the quality system.
Each of these four strategies for combining the two approaches to audit scheduling is viable and may result in multiple opportunities for improvement being identified. There is no regulation that favors one approach over another, but all four strategies require more time and effort on the part of the audit program manager and top management to discuss and plan the annual audit schedule.
Next steps if you would like to try individual process audits
If your company has always scheduled a single full quality system audit each year, you can test the concept of conducting an individual process audit by selecting just one process to audit. The best choice for this approach is to pick a process that has one or more CAPAs that are in progress, or to select a process that top management feels is performing inefficiently. The more frustration that top management experiences with a process, the greater the need is to identify opportunities for improvement. If the company has not already identified CAPAs to initiate for that process, you might just need an outsider to state the obvious: “I think we need a CAPA in this department.” The outsider might be a consultant, but it could also be a person from another department. If you would like a quote for an individual process audit, please visit our audit quote webpage.
About the Author
Rob Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of his job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn, or Twitter.
I hated the FDA eSubmitter template, which was discontinued May 30, 2021. Finally, we have eSTAR draft guidance for the new eSTAR template. Note: the final FDA eSTAR guidance was released on October 2, 2023, and we published a new blog the day of release.
History of 510k electronic submissions
The FDA has experimented with a multitude of pilot 510k submission programs over the years to streamline and improve the 510k submission content and formatting, and to facilitate a faster review process. The Turbo 510k program was one of the first successful pilot programs. In 2012, I wrote one of my first blogs about how to improve the 510k process. In September 2018, the FDA launched the “Quality in 510k Review Program Pilot” for certain devices using the eSubmitter electronic submission template. The goal of this pilot program was to enable electronic submissions instead of requiring manufacturers to deliver USB flash drives to the FDA Document Control Center (DCC). I hated the eSubmitter template, and the FDA finally discontinued availability of the eSubmitter template on May 30, 2021. During the past 15 years, the FDA gradually streamlined the eCopy process too. Originally we had to submit one complete hardcopy, averaging 1,200 pages per submission, and one CD containing an electronic “eCopy.” Today, the current process involves a single USB flash drive and a 2-page printed cover letter, but today’s eCopy must still be shipped by mail or courier to the DCC.
eSTAR Pilot Program is Launched
During the 15-year evolution of the FDA eCopy, CDRH was trying to develop a reliable process for electronic submissions of a 510k. CBER, the biologics division of the FDA, has already eliminated the submission of eCopy submissions and now 100% of biologics submissions must be submitted through an electronic submissions gateway (ESG). In February 2020, CDRH launched a new and improved 510k template through the electronic Submission Template And Resource (eSTAR) Pilot Program. The eSTAR templates include benefits of the deceased eSubmitter template, but CDRH has incorporated additional benefits:
the templates use Adobe Acrobat Pro instead of a proprietary application requiring training;
support for images and messages with hyperlinks;
support for creation of Supplements and Amendments;
availability for use on mobile devices as a dynamic PDF;
ability to add comments to the PDF; and
the content and logic mirrors checklists used by CDRH reviewers.
Medical Device Academy’s experience with the eSTAR Templates
Every time the FDA has released a new template for electronic submissions, we have obtained a copy and tried populating the template with content from one of our 510k submissions. Unfortunately, all of the templates have been slower to populate than the Word document templates that our company uses every day. On May 16 we conducted an internal training for our team on the eSTAR submission templates, and we published that training as a YouTube Video (see embedded video below). Then nine days later the FDA released updates to the eSTAR templates (version 0.7). The new eSTAR templates are available for non-IVD and IVD products (ver 0.7 updated May 27, 2021).
Sharon Morrow submitted our first eSTAR template to the FDA in August, and we experienced no delays with the 510k submission during the initial uploading to the CDRH database, there was no RTA screening process, and CDRH did not identify any issues during their technical screening process. Sharon’s first eSTAR submission is now in interactive review, which is a better outcome than 95%+ of our 510k submissions. I have several other eSTAR submissions that are almost ready to submit as well. The other 510k consultants on our team are also working on their first eSTAR submissions.
Finally, CDRH releases an FDA eSTAR draft guidance
On September 29, 2021 the FDA released the new eSTAR draft Guidance for 510k submissions. This is a huge milestone because there have not been any draft guidance documents created for pilot programs. The draft indicates that the comment period will last 60 days (i.e. until November 28, 2021). However, the draft also states that the guidance will not be finalized until a date for requiring electronic submissions (i.e. submission via an ESG) is identified. The draft indicates that this will be no later than September 30, 2022. Once the guidance is finalized, there will be a transition period of at least one year where companies may submit via an ESG or by physical delivery to the FDA DCC.
Are there any new format or content requirements in the FDA eSTAR draft guidance?
There are no new format or content requirements in the eSTAR draft guidance, but the eSTAR template itself has several text boxes that must be filled in with summary information that is not specified in the guidance on the format and content of a 510k. The information requested for the text boxes is a brief summary of non-confidential information contained in the attachments of the submission. Therefore, these boxes can be populated with information that would normally be in the overview summary documents typically included at the beginning of each section of a 510k. If your overview documents do not already have this information, then you may have some additional work to do in order to complete the eSTAR templates. An example of one of these text boxes is provided below:
Another example of additional content required by the eSTAR templates is references to page numbers. Normally the FDA reviewer has to search the submission for information that is required in their regulatory review checklist. In the new templates the submitter is now asked to enter the page numbers of each attachment where specific information can be found. The following is an example of this type of request for a symbols glossary:
Are there any changes to the review timelines for a 510k in the eSTAR draft guidance?
The eSTAR draft guidance indicates that a technical screening will be completed in 15 calendar days instead of conducting an RTA screening. I believe that the technical screening is less challenging than the RTA screening, but the FDA has not released a draft of the technical screening criteria or a draft checklist. I would imagine that the intent was to streamline the process and reduce the workload of reviewers performing a technical screening, but we only have guesses regarding the substance of the technical review, and so far our performance is 100% passing (i.e. 1 of 1). The next step in the 510k review process is a substantive review. Timelines for the substantive review are not even mentioned in the new draft guidance, but the FDA usually has the review clock details in Table 1 (MDUFA III performance goals) and Table 2 (MDUFA IV performance goals) of the FDA guidance specific to “Effect on FDA Review Clock and Goals.” In both tables, the goal is 60 calendar days, and our first eSTAR submission completed the substantive review in 60 days successfully. The 180-day deadline for responding to an additional information (AI) request has not changed in the eSTAR draft guidance, but our first submission is now in interactive review. I believe this suggests that companies may have a higher likelihood of having an interactive review with their CDRH lead reviewer instead of being placed on AI Hold, but we won’t have enough submissions reviewed by the FDA to be sure until the end of Q1 2022.
Register for our new webinar on the FDA eSTAR draft guidance
We hosted a live webinar on Thursday, October 21, 2021 @ Noon EDT. The webinar was approximately 37 minutes in duration. In this webinar we shared the lessons learned from our initial work with the eSTAR template. Anyone who registers for our webinar will also receive a copy of our table of contents template that we updated for use with the eSTAR templates. Unlike a 510k eCopy, an eSTAR template does not require a table of contents, but we still use a table of contents to communicate the status of the 510(k) project with our clients. Finally, we reviewed the eSTAR draft guidance in detail. If you would like to receive our new eSTAR table of contents template and an invitation to our live webinar, please complete the registration form below.
About the Instructor
Rob Packard is a regulatory consultant with ~25 years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Rob was a senior manager at several medical device companies, including President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Rob’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of the job is training others. He can be reached via phone at +1.802.258.1881 or by email. You can also follow him on YouTube, LinkedIn, or Twitter.
What is your company’s approach to qualifying a software service provider and managing software-as-a-service (SaaS) for cybersecurity?
The need for qualifying and managing your software service provider
Most of the productivity gains of the past decade are related to the integration of software tools into our business processes. In the past, software licenses were a small part of corporate budgets, and the most critical software tools helped to manage material requirements planning (MRP) and customer relationship management (CRM). Today, there are software applications to automate every business process. Failure of a single software service provider (i.e. a vendor of “Software-as-a-Service” or SaaS) can paralyze your entire business. In the past, business continuity plans focused on labor, power, inventory, records, and logistics. Today our business continuity plans also need to include software service providers, internet bandwidth, websites, email, and cybersecurity. This new paradigm is not specific to the medical device industry. The medical device industry has become more dependent upon its supply chain due to the ubiquity of outsourcing, and what happens to other industries will eventually filter its way into this little collective niche we share. With that in mind, how do we qualify and manage a software service provider?
Threats to software service providers (Kaseya Case Study)
In May 2017 the WannaCry ransomware attack affected more than 200,000 computers in 150 countries, including more than 80 hospitals. In July 2021 ransomware struck Kaseya.
Kaseya isn’t a hospital. Kaseya is a software service provider: its VSA remote monitoring and management product is used by Managed Service Providers (MSPs) to administer their customers’ systems. So why is this example relevant to the medical device industry?
The ransomware attack on Kaseya was severe enough that both CISA and the FBI got involved, and it compromised some MSPs and their downstream customers, because the attackers abused the VSA software itself to push ransomware to the systems it managed. This supply chain ransomware attack even has its own Wikipedia page. The attack prompted Kaseya to shut down its servers temporarily. None of this is a critique of Kaseya or their actions. They were merely the latest high-profile victim of a cyberattack in the news. The lesson is that cybercriminals are now attacking your supply chain, and a single compromised service provider can reach every customer that trusts it. We want to emphasize the concepts and considerations of this type of attack as it pertains to your business.
What supplier controls do you require for a software service provider?
If you are a manufacturer selling a medical device under the jurisdiction of the U.S. FDA, you need to comply with 21 CFR 820.50 (i.e. purchasing controls). The FDA requires an established and maintained procedure to ensure that what your company buys meets your specified requirements. Many device manufacturers only consider suppliers that are making physical components, but a software service provider may be critical to your device if your device is software as a medical device (SaMD), includes software, or interacts with a software accessory. A software service provider may also be involved with quality system software, clinical data management, or your medical device files. Do you purchase software-as-a-service or rely upon an MSP for cloud storage?
You need to determine if your software service provider is involved in document review or approval, controlling quality records, handling Protected Health Information (PHI), or meeting electronic signature requirements. You don’t need a supplier quality agreement for all of the off-the-shelf items your company purchases. For example, it would be silly to have Sharpie sign a supplier quality agreement because you occasionally purchase a package of highlighters. On the other hand, if you are relying upon Docusign to manage 100% of your signed quality records, you need to know when Docusign updates its software or has a security breach. You should also be validating Docusign as a software tool (21 CFR 820.70(i) requires validation of software used as part of the quality system), and there should be a backup of your information that you control and have tested restoring.
21 CFR 820.50 requires that you document supplier evaluations against specified and quality requirements per your “established and maintained” procedure. The specified requirements for this supplier might include the following:
How much data storage do you need?
How many user accounts do you need?
Do you need unique electronic IDs for each user?
Do you need tech support for the software service?
Is the software accessed with an internet browser, is the software application-based, or both?
How much does this software service cost?
Is the license a one-time purchase? Or is it a subscription?
The quality requirements for a supplier like this may look more like these questions:
How is my information backed up?
Can I restore previous file revisions in the case of corruption?
How can I control access to my information?
Can I sign electronic documents? If yes, is it 21 CFR Part 11 compliant?
Do this supplier’s own suppliers (its subcontractors or sub-processors) have access to my information?
Do I manage PHI? If so, can this system be made HIPAA compliant? What about HITECH?
What cybersecurity practices does this supplier utilize?
How are routine patches and updates communicated to me?
A risk-based approach to supplier quality management
ISO 13485:2016 requires that you apply a risk-based approach to all processes, including supplier quality management. A risk-based approach should be applied to suppliers providing both goods and services. For example, you may order shipping boxes and contract sterilization services. Both companies are suppliers, but in this example, the services provided by the contract sterilizer are associated with a much higher risk than the shipping box supplier. Therefore, it makes sense that you would need to exercise greater control over the sterilizer. Software service providers are much like contract sterilizers. SaaS is not tangible, but the service provided may carry a high level of risk and potential impact on your quality management system. Therefore, you need to determine the risk associated with SaaS before you can evaluate, control, and monitor a software service supplier.
First, you need to document the qualification of a new supplier. It would be nice if your cloud service provider had a valid ISO 13485:2016 certification. You would then have an objectively demonstrable record of their process controls and know that they are routinely audited to maintain that certification. They would also understand and expect to undergo 2nd party supplier audits because they operate in the medical device industry. Alternatively, a software service provider may have an ISO 9001:2015 certification. This is a general quality system certification that may be applied to any product or service. In the absence of quality system certification, you can audit a potential supplier. For some suppliers, this makes sense. However, many companies outside of the medical device industry do not even have a quality system because it is not required or typical of their industry. For the ones that do, you can likely leverage their existing certifications and accreditations.
Cybersecurity standards you should know
Most cloud service providers will not have ISO 13485 certification, because it is a quality management standard specific to the medical device industry. However, you might look for some combination of the following ISO standards that may be relevant to a software service provider. Note that only ISO/IEC 27001, ISO/IEC 27701 (as an extension of a 27001 certificate), and ISO 22301 are certifiable management system standards; ISO/IEC 27002, 27017, and 27018 are codes of practice, so ask whether their controls are within the scope of the supplier’s ISO/IEC 27001 Statement of Applicability rather than asking for a “certificate” to them:
ISO/IEC 27001 Information Technology – Security Techniques – Information Security Management Systems – Requirements
ISO/IEC 27002:2013 Information Technology. Security Techniques. Code Of Practice For Information Security Controls
ISO/IEC 27017:2015 Information Technology. Security Techniques. Code Of Practice For Information Security Controls Based On ISO/IEC 27002 For Cloud Services
ISO/IEC 27018:2019 Information Technology – Security Techniques – Code Of Practice For Protection Of Personally Identifiable Information (PII) In Public Clouds Acting As PII Processors
ISO 22301:2019 Security And Resilience – Business Continuity Management Systems – Requirements
ISO/IEC 27701:2019 Security Techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002 For Privacy Information Management. Requirements And Guidelines
Does your software service provider have SOC reports?
The acronym “SOC” originally stood for Service Organization Control (the AICPA, which established these reports, now expands it as System and Organization Controls). A SOC report is an independent auditor’s report on the internal controls an organization operates, and each type of report covers a specific subject. SOC reports apply to varying degrees to SaaS and MSP suppliers.
The SOC 1 Report focuses on Internal Controls over Financial Reporting. Depending on what information you need to store on the cloud, this report could be more applicable to the continuity of your overall business than specifically to your quality management system.
The SOC 2 Report addresses what level of control an organization places on the five Trust Service Criteria: 1) Security, 2) Availability, 3) Processing Integrity, 4) Confidentiality, and 5) Privacy. As a medical device manufacturer, these areas would touch on control of documents, control of records, and process validation, among other areas of your quality system. Ask for a SOC 2 Type II report, which covers the operating effectiveness of the controls over a review period (typically 6 to 12 months), rather than a Type I, which only describes the design of the controls at a point in time. Some suppliers will share a SOC 2 report only under a non-disclosure agreement, because of the amount of confidential detail provided in the report.
The SOC 3 Report contains much of the same information as the SOC 2 Report. Both address the five Trust Service Criteria. The difference is the intended audience of the reports. The SOC 3 is a general use report expected to be shared with others or made publicly available. Therefore, it doesn’t go into the same level of detail as the SOC 2 Report. Specifically, information regarding which controls a system uses is very brief, if identified at all, compared to the description and itemized list of controls in the SOC 2 Report.
Other ways to qualify and manage your software service provider
SOC reports will help paint a picture of the organization you are trying to qualify. You will also need to evaluate the supplier on an ongoing basis. It is essential to know whether the supplier is subject to routine audits and inspections to maintain applicable certifications and accreditations. For example, an ISO management system certificate is valid for three years, with surveillance audits in between, so you should request the new certificate at least every three years (and a SOC 2 Type II report is typically reissued annually). On the other hand, if they lose certification, it may signify that the supplier can no longer meet your needs and you should find a new supplier.
There is a long list of standards, certifications, accreditations, attestations, and registries that you can use to help qualify a SaaS or MSP supplier. One such registry is maintained by Cloud Security Alliance (i.e. the CSA STAR registry). “STAR” is an acronym standing for Security, Trust, Assurance, and Risk. CSA describes the STAR registry in their own words:
“STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM) and CAIQ. Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.”
Some of the questions your supplier qualification process should be asking about your SaaS and MSP suppliers include:
Why do I need this software service?
Which standards, regulations, or process controls need to be met?
What is required for qualifying suppliers providing SaaS or an MSP?
How will you monitor a software service provider?
ISO certification, SOC reports, and the CSA STAR registry are supplier evaluation tools you can use for supplier qualification and monitoring. When you use these tools, make sure that you ask open-ended questions instead of closed-ended questions. Our webinar on supplier qualification provides several examples of how to convert your “antique” yes/no questions into value-added questions.
Your software service provider should be able to provide records and metrics demonstrating the effectiveness of their cybersecurity plans. Below are three examples of other types of records you might request:
Cloud Computing Compliance Controls Catalogue or “C5 Attestation Report” (the C5 criteria are defined by the German Federal Office for Information Security, BSI)
System Security Plan for Controlled Unclassified Information in accordance with NIST publication SP 800-171
Privacy Shield Certification to EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield
Privacy Shield certification was used by companies with CE Marked devices to comply with the European Union’s General Data Protection Regulation (GDPR), i.e. Regulation (EU) 2016/679, when transferring personal data to the U.S. However, the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield in July 2020 (the “Schrems II” decision), so a Privacy Shield listing on its own no longer satisfies the GDPR transfer requirements. Look instead for standard contractual clauses in the supplier’s agreement or, since July 2023, certification under the EU-U.S. Data Privacy Framework.
A final consideration for supplier qualification is, “Who are your supplier’s own suppliers (its subcontractors or sub-processors)?” It is essential to know whether your new supplier or their subcontractors will have access to Protected Health Information (PHI). Since you have less control over your supplier’s subcontractors, you may need to evaluate how your supplier manages its supply chain, which cybersecurity practices those subcontractors adhere to, and whether contractual obligations (e.g. a HIPAA business associate agreement) are flowed down to them.
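The risk-based qualification and ongoing monitoring described in this section can be made repeatable as a small script, so that every SaaS or MSP supplier is assessed against the same rules and the renewal dates for their evidence are tracked rather than remembered. The following Python example is added here and is not code from the original article or from any of the organizations it names: it derives an impact level from the categories of data the supplier will hold, maps that level to the evidence expected (an ISO/IEC 27001 certificate, a SOC 2 Type II report, a 21 CFR Part 11 assessment where electronic signatures are involved, a HIPAA business associate agreement where PHI is involved), checks whether each item on file is still current, lists the renewal dates to monitor, and flags sub-processors with PHI access as a condition of approval. The impact scale, evidence thresholds, validity periods, supplier names, and dates are constructed assumptions for illustration, not requirements taken from any regulation or standard; replace them with the rules in your own purchasing controls procedure.

```python
"""Risk-based qualification and monitoring of a SaaS / MSP supplier (added example).

The impact scale, evidence thresholds, validity periods and supplier records
below are constructed assumptions for illustration, not regulatory requirements.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Impact of each data category a supplier may hold, low to high (assumption).
IMPACT = {"marketing": 1, "documents": 2, "quality_records": 3,
          "esignatures": 3, "phi": 4}

# Baseline evidence expected at each impact level (assumption).
BASELINE = {1: set(), 2: {"iso27001"},
            3: {"iso27001", "soc2_type2"}, 4: {"iso27001", "soc2_type2"}}

# Days after issue before an evidence item is treated as stale;
# None means the item does not expire (e.g. a signed agreement).
VALIDITY_DAYS = {"iso27001": 3 * 365, "soc2_type2": 365, "csa_star": 365,
                 "part11_assessment": None, "hipaa_baa": None}


@dataclass(frozen=True)
class Evidence:
    kind: str     # key into VALIDITY_DAYS
    issued: date  # certificate / report / agreement date


@dataclass(frozen=True)
class Supplier:
    name: str
    data_types: frozenset                  # subset of IMPACT keys
    evidence: tuple                        # Evidence records on file
    subprocessors_with_access: tuple = ()  # the supplier's own suppliers


def impact_level(supplier):
    """Highest impact of any data category the supplier will hold."""
    return max(IMPACT[d] for d in supplier.data_types)


def required_evidence(supplier):
    """Baseline for the impact level plus data-specific additions."""
    required = set(BASELINE[impact_level(supplier)])
    if "esignatures" in supplier.data_types:
        required.add("part11_assessment")  # 21 CFR Part 11 e-signatures
    if "phi" in supplier.data_types:
        required.add("hipaa_baa")          # HIPAA business associate agreement
    return required


def expiry(evidence):
    """Date by which the item must be refreshed, or None if it never expires."""
    days = VALIDITY_DAYS.get(evidence.kind)
    return None if days is None else evidence.issued + timedelta(days=days)


def assess(supplier, today):
    """Qualification decision plus the gaps and renewal dates to monitor."""
    held = {ev.kind: ev for ev in supplier.evidence}
    held_kinds = set(held)
    required = required_evidence(supplier)
    missing = sorted(required - held_kinds)
    stale = sorted(k for k in required & held_kinds
                   if expiry(held[k]) is not None and expiry(held[k]) < today)
    renewals = {k: expiry(ev).isoformat()
                for k, ev in held.items() if expiry(ev) is not None}
    conditions = []
    if "phi" in supplier.data_types and supplier.subprocessors_with_access:
        conditions.append("flow down PHI obligations to sub-processors: "
                          + ", ".join(supplier.subprocessors_with_access))
    if missing and impact_level(supplier) >= 3:
        decision = "rejected"              # high impact with evidence gaps
    elif missing or stale or conditions:
        decision = "approved_with_conditions"
    else:
        decision = "approved"
    return {"supplier": supplier.name, "impact": impact_level(supplier),
            "decision": decision, "missing": missing, "stale": stale,
            "renewals": renewals, "conditions": conditions}


# Constructed sample suppliers (names and dates are invented for this example).
TODAY = date(2021, 10, 1)
SIGNCLOUD = Supplier(
    "SignCloud (e-signature SaaS)", frozenset({"quality_records", "esignatures"}),
    (Evidence("iso27001", date(2019, 3, 1)),
     Evidence("soc2_type2", date(2020, 9, 15)),
     Evidence("part11_assessment", date(2021, 1, 10))))
HEALTHSTORE = Supplier(
    "HealthStore (clinical data MSP)", frozenset({"phi", "documents"}),
    (Evidence("iso27001", date(2021, 5, 1)),), ("CDN Corp",))
NEWSLETTER = Supplier("MailBlast (marketing SaaS)", frozenset({"marketing"}), ())

if __name__ == "__main__":
    for supplier in (SIGNCLOUD, HEALTHSTORE, NEWSLETTER):
        print(assess(supplier, TODAY))
```

Running the script assesses the three constructed suppliers: the e-signature vendor is approved with conditions because its SOC 2 Type II report is more than a year old, the clinical data MSP is rejected because it holds PHI without a SOC 2 report or a business associate agreement on file, and the marketing tool is approved outright. The `renewals` dates are what you would carry into your supplier monitoring schedule.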
Additional cybersecurity, software validation, and supplier quality resources
For more resources on cybersecurity, software validation, and supplier quality management please check out the following resources:
We desperately need to find a way to get more customer feedback and suggestions for product improvement, but what is the best way to do that?
Surveys rarely have a high response rate, but we need to gather customer feedback. Therefore, we created this blog posting as a living document of how we are trying to gather customer feedback. Specifically, we are looking for more customer feedback and better engagement with us. We don’t just want YouTube subscribers to like our videos, we want you to share our videos with other people in your company so they can learn about quality and regulatory too. We don’t just want you to register for a free webinar and watch the recording when you get a chance. We want you to add a question when you register, and please interrupt us during our live webinars to clarify anything you don’t understand. Finally, we want you to give us suggestions for improving our procedures, writing new blogs, and recording new training webinars and videos. Tell us what you want.
Using the headline analyzer to attract more customer feedback
We have a page on our website for a “suggestion portal” where we are asking people to provide suggestions for new and improved procedures, blogs, webinars, and videos. But the last time someone filled in the form on that page is October 16, 2019. We desperately need to find a way to get more engagement from you in the form of suggestions. The first approach to gathering feedback is to send out email notification to our current 1,057 blog subscribers by posting this blog. To improve our chances for you to open an email about this blog, we optimized the headline using the CoSchedule Headline Analyzer. The first version of the headline scored a 75, while 70 is the minimum threshold for a worthy title. Our second attempt included the emotional word “exciting” and the new result scored an 83 (see below). Normally it requires 20+ tries before we achieve a headline score higher than 80, but today was a good day. We decided to stop at 83 and focus on other elements of this posting.
How can you encourage more customer feedback? (75)
How can you encourage more customer feedback and exciting engagement? (83)
A picture says 1,000 words
A great thumbnail or featured picture often helps improve click-through rates for video, but pictures also communicate more information than words alone. Pictures can communicate the temperature, directions, the speed you are moving, and even emotions. Ideally, a combination of a picture with a short caption does the most. The layout of your picture matters too. For example, the featured image above originally had just 6 images grouped together. To communicate that we were trying to decide which icon best communicated the concept of a suggestion box, we separated each icon image with a blue border. To help people identify the different images, we used letters under each icon image. We could have used numbers, but then people might have replied with phrases like “#2 was my 1st choice,” instead of “B was my 1st choice.” To make it clear that the far right icon image was our current icon, we used the word “current” instead of a letter. Finally, we used a bright yellow text box at the top of the featured image to communicate instructions for polling of the various icon images.
In the end, we didn’t feel that the suggestion box icons were very attractive. In fact, icons in general are boring. Therefore, we hired an artist to create some concept sketches for other ideas that would communicate “please take the opportunity to give us your suggestion.” The three concepts we liked most were a wishing well, a coffee filter, and an open door with a suggestion doormat that opens into space. We selected the door as our favorite and added some details to create the final image you see now on our webpage. Specifically, we wanted the doormat to appear more three-dimensional, we wanted to incorporate Medical Device Academy’s logo, and we wanted a better focal point in the space beyond the door. Therefore, the artist created three different versions of a moon (crescent, partial, and full). The partial moon was our final choice.
A video is 1,000+ pictures
Full-frame video typically ranges from 24-60 frames per second (FPS). Therefore, there are at least 1,000 pictures in 42 seconds of video, and the five-and-a-half-minute video below gives you much more information than you read above in a lot less time. The video walks you through the evolution of our suggestion box (all 24 versions). This is why we recommend recording a training video to every single medical device company we work with. This is also why our website has steadily been increasing the number of videos we produce and publish on our YouTube channel.
A call to action increases customer feedback and engagement
Gathering customer feedback requires just as much marketing as selling a medical device. Typically, near the end of your presentation you will include a call to action. The call to action is intended to persuade customers to take immediate action. The call to action will create a sense of urgency. Sometimes a series of small calls to action will precede a final larger call to action. In our case, we are just trying to get suggestions from you regarding what quality and regulatory training materials we should develop next. We are asking you for advice on what our customers want to learn. In return we will develop the training materials you want. The better your questions are, the better our training materials will become. This strategy of offering valuable information to customers develops trust, and this has been our company’s primary marketing strategy since the beginning.
Try using a call-to-action button
If you want more engagement, you need to increase your click-through rate (CTR) first. Campaign Monitor conducted a test of which call-to-action performs best. They found a call-to-action button helped increase the CTR by 28%. We took this concept one step further: we used the headline analyzer tool to optimize the wording of the call-to-action button. The wording we used in the call-to-action button above scored an 86, while “click here” scored a dismal 28 and “click the button” only scored 31. We are also trying a contrarian approach to the design of the button. Instead of using bright colors that modern advertisers have trained us to ignore, we used a light grey background with Palatino Linotype font to optimize readability. We also used a small caption to make sure your subconscious knows what to do.